CN-121586003-B - Communication risk detection method, system, equipment and storage medium
Abstract
The application discloses a communication risk detection method, system, equipment and storage medium, relating to the technical field of network security. Standardized processing of communication data, together with a dynamic network constructed in association with an abnormal list library, solves the problem that data is difficult to trace. Multi-time-scale feature extraction combined with a parallel analysis framework provides quick response. The hidden Markov model of the behavior pattern analysis layer captures dynamic evolution rules, and the space-time weighted model of the association network analysis layer identifies group risks; together they overcome the poor adaptability and single dimension of traditional methods. Finally, a multi-engine decision and graded treatment mechanism optimizes treatment efficiency while guaranteeing identification precision, thereby achieving high-precision, low-delay identification, management and control of cross-border abnormal communication behaviors.
Inventors
- LIU PENG
- WANG GUAN
- ZHANG JIAN
- CHEN XIAO
Assignees
- 北京友坤科技有限责任公司
Dates
- Publication Date: 20260508
- Application Date: 20260127
Claims (9)
- 1. A communication risk detection method, comprising: acquiring communication data, and cleaning and standardizing the communication data; associating the processed communication data with a preset abnormal communication number list library to construct a dynamic association network; extracting behavior features of a target number on a plurality of preset time scales from the dynamic association network based on a plurality of preset time windows; inputting the behavior features in parallel into at least two of a real-time rule matching layer, a behavior pattern analysis layer and an association network analysis layer for processing to obtain analysis results of the at least two layers, wherein the real-time rule matching layer performs matching based on a multi-condition combination rule base comprising a communication frequency threshold, a time window characteristic and a behavior anomaly degree, the rule weight of each condition is dynamically adjusted according to hit accuracy, and a first analysis result is output; making a decision on the analysis results of the at least two layers to obtain a comprehensive risk score of the target number; and performing a corresponding hierarchical treatment operation on the target number according to the comprehensive risk score; wherein the extracting, based on a plurality of preset time windows, of behavior features of the target number on a plurality of preset time scales from the dynamic association network includes: extracting first-class behavior features of the target number from the dynamic association network based on a short-term time window, wherein the first-class behavior features comprise at least one of call dispersion, communication success rate and time distribution anomaly degree; extracting second-class behavior features of the target number from the dynamic association network based on a medium-term time window, wherein the second-class behavior features comprise at least one of number activity change rate, called number new increase rate and communication mode mutation index; and extracting third-class behavior features of the target number from the dynamic association network based on a long-term time window, wherein the third-class behavior features comprise at least one of a behavior stability index and an association network evolution characteristic.
- 2. The method according to claim 1, wherein the processing manner of the behavior pattern analysis layer comprises: constructing a hidden Markov model with a normal state, a suspicious state, a low-risk state and a high-risk state; inputting an observation sequence comprising communication frequency, called dispersion and time distribution into the hidden Markov model; calculating the probability of the target number being in each state under the observation sequence through a forward-backward algorithm; and calculating and determining a second analysis result of the behavior pattern analysis layer based on the probabilities that the target number is in the high-risk state and the low-risk state.
- 3. The method according to claim 1, wherein the processing manner of the association network analysis layer includes: performing risk propagation on a communication relation graph using a risk propagation algorithm, calculating the risk value of each node, and calculating risk propagation weights between nodes based on time attenuation factors and intensity factors of the communication relations, wherein the communication relation graph is constructed with numbers as nodes and communication relations as edges, and the weights of the edges are determined according to at least one of communication frequency, communication duration and communication time distribution; and identifying suspicious groups based on the node groups in the communication relation graph and the risk value of each node using a community discovery algorithm, and calculating the density of the suspicious groups as a third analysis result of the association network analysis layer.
- 4. The method of claim 1, wherein said performing a corresponding hierarchical treatment operation on said target number according to said comprehensive risk score comprises: if the comprehensive risk score is greater than or equal to the first score, executing real-time interception and reporting; if the comprehensive risk score is smaller than the first score and greater than or equal to the second score, executing a delayed call and pushing a reminder; if the comprehensive risk score is smaller than the second score and greater than or equal to the third score, performing key monitoring or sampling monitoring; and if the comprehensive risk score is smaller than the third score, releasing normally and continuing to record the behavior.
- 5. The method according to claim 1, wherein the processing manner of the real-time rule matching layer includes: constructing a multi-condition combination rule base, wherein the rule base comprises combination conditions based on at least two of a communication frequency threshold, a time window characteristic and a behavior anomaly degree; matching the extracted behavior features with the rules in the multi-condition combination rule base; and dynamically adjusting the weight of each rule according to the hit accuracy of the rule, and obtaining a real-time rule risk score as a first analysis result based on weighted calculation.
- 6. The method of claim 5, wherein the multi-condition combination rule base comprises at least one of the following rules: when the number of unique called numbers of the target number is larger than a first threshold, the average call duration is smaller than a second threshold, and the communication behavior occurs in a preset night time period, the rule is hit; when the short message sending rate of the target number is larger than a third threshold, the number dispersion of the receivers is larger than a fourth threshold, and the content similarity of the short messages is lower than a fifth threshold, the rule is hit; when the target number is an international roaming number, the call failure rate is greater than a sixth threshold and the call frequency is greater than a seventh threshold, the rule is hit.
- 7. A communication risk detection system, comprising: an acquisition unit, used for acquiring communication data and cleaning and standardizing the communication data; a construction unit, used for associating the processed communication data with a preset abnormal communication number list library to construct a dynamic association network; an extraction unit, used for extracting behavior features of a target number on a plurality of preset time scales from the dynamic association network based on a plurality of preset time windows, including: extracting first-type behavior features of the target number from the dynamic association network based on a short-term time window, wherein the first-type behavior features comprise at least one of call dispersion, communication success rate and time distribution anomaly degree; extracting second-type behavior features of the target number from the dynamic association network based on a medium-term time window, wherein the second-type behavior features comprise at least one of number activity change rate, called number new increase rate and communication mode mutation index; and extracting third-type behavior features of the target number from the dynamic association network based on a long-term time window, wherein the third-type behavior features comprise at least one of a behavior stability index and an association network evolution feature; a processing unit, used for inputting the behavior features in parallel to at least two of the real-time rule matching layer, the behavior pattern analysis layer and the association network analysis layer for processing, and obtaining analysis results of the at least two layers, wherein the real-time rule matching layer performs matching based on a multi-condition combination rule base comprising a communication frequency threshold, a time window characteristic and a behavior anomaly degree, the rule weight of each condition is dynamically adjusted according to the hit accuracy, and a first analysis result is output, and the behavior pattern analysis layer constructs a hidden Markov model containing various risk states and calculates the probability of a number being in each state through a forward-backward algorithm, so as to identify the dynamic evolution of the behavior pattern and output a second analysis result; a decision unit, used for making a decision on the analysis results of the at least two layers to obtain the comprehensive risk score of the target number; and an execution unit, used for executing a corresponding graded treatment operation on the target number according to the comprehensive risk score.
- 8. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the communication risk detection method according to any one of claims 1-6 when executing the computer program.
- 9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein instructions, which when run on a terminal device, cause the terminal device to perform the communication risk detection method according to any of claims 1-6.
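
The behavior pattern analysis layer of claim 2, as an added example that is not taken from the patent: a four-state hidden Markov model whose state posteriors are computed with the forward-backward algorithm. The three-symbol discretisation of the observations, every probability and the final score formula are assumptions made for illustration.

```python
# Added illustration: forward-backward posteriors for a four-state risk HMM.
# Every probability and the three-symbol discretisation are constructed assumptions.
STATES = ["normal", "suspicious", "low_risk", "high_risk"]
SYMBOLS = {"quiet": 0, "elevated": 1, "burst": 2}
START = [0.85, 0.10, 0.04, 0.01]
TRANS = [  # TRANS[i][j] = P(next state j | current state i)
    [0.90, 0.07, 0.02, 0.01],
    [0.20, 0.60, 0.15, 0.05],
    [0.05, 0.15, 0.60, 0.20],
    [0.02, 0.03, 0.15, 0.80],
]
EMIT = [  # EMIT[i][k] = P(observed symbol k | state i)
    [0.80, 0.18, 0.02],
    [0.40, 0.45, 0.15],
    [0.20, 0.50, 0.30],
    [0.05, 0.25, 0.70],
]

def forward_backward(obs):
    """Return P(state at step t | whole observation sequence) for every step t."""
    n, steps = len(STATES), len(obs)
    alpha, scale, prev = [], [], None
    for t, o in enumerate(obs):
        if t == 0:
            a = [START[j] * EMIT[j][o] for j in range(n)]
        else:
            a = [sum(prev[i] * TRANS[i][j] for i in range(n)) * EMIT[j][o]
                 for j in range(n)]
        c = sum(a)  # scaling factor keeps long sequences numerically stable
        prev = [x / c for x in a]
        alpha.append(prev)
        scale.append(c)
    beta = [[1.0] * n for _ in range(steps)]
    for t in range(steps - 2, -1, -1):
        o = obs[t + 1]
        beta[t] = [sum(TRANS[i][j] * EMIT[j][o] * beta[t + 1][j] for j in range(n))
                   / scale[t + 1] for i in range(n)]
    posterior = []
    for a_t, b_t in zip(alpha, beta):
        gamma = [a * b for a, b in zip(a_t, b_t)]
        total = sum(gamma)
        posterior.append([g / total for g in gamma])
    return posterior

def pattern_score(obs_names, low_weight=0.5):
    """Assumed second analysis result: P(high_risk) + low_weight * P(low_risk), last step."""
    last = dict(zip(STATES, forward_backward([SYMBOLS[s] for s in obs_names])[-1]))
    return last["high_risk"] + low_weight * last["low_risk"], last
```
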
Description
Communication risk detection method, system, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a method, a system, an apparatus, and a storage medium for detecting communication risk.
Background
In recent years, with the rapid development of international communication services, cross-border communication activities have become increasingly frequent, and abnormal communication behaviors that make use of international roaming services have appeared accordingly. Such behaviors typically manifest as calls or messages being initiated into the environment using an overseas registered number (flooding in), or as abnormal communication activity by an overseas number during overseas use (flooding out). This communication mode is highly concealed, its behavior pattern changes quickly and it is difficult to trace, which brings new challenges to the security management of the communication network.
At present, existing abnormal communication identification methods mainly have the following limitations: traditional detection means depend on a static rule base and fixed thresholds and are difficult to adapt to rapidly evolving communication behavior patterns; and single-dimension detection methods often cannot comprehensively capture the multi-scale characteristics of communication behavior, so their ability to identify novel abnormal patterns is insufficient.
Disclosure of Invention
Based on the above problems, the application provides a communication risk detection method, a system, a device and a storage medium.
The embodiments of the application disclose the following technical scheme. An embodiment of the present application provides a communication risk detection method, including:
- acquiring communication data, and cleaning and standardizing the communication data;
- associating the processed communication data with a preset abnormal communication number list library to construct a dynamic association network;
- extracting behavior features of a target number on a plurality of preset time scales from the dynamic association network based on a plurality of preset time windows;
- inputting the behavior features in parallel into at least two of a real-time rule matching layer, a behavior pattern analysis layer and an association network analysis layer for processing to obtain analysis results of the at least two layers, wherein the real-time rule matching layer performs matching based on a multi-condition combination rule base comprising a communication frequency threshold, a time window characteristic and a behavior anomaly degree, the rule weight of each condition is dynamically adjusted according to hit accuracy, and a first analysis result is output;
- making a decision on the analysis results of the at least two layers to obtain a comprehensive risk score of the target number;
- and executing a corresponding graded treatment operation on the target number according to the comprehensive risk score.
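
The rule matching, decision and graded treatment steps described above, as an added example that is not code from the patent. The three rules follow the conditions listed in claim 6 and the tiers follow claim 4; the threshold values, the hit-accuracy weighting formula, the weighted-average fusion and all field names are assumptions, since the page names them only abstractly.

```python
# Added illustration: weighted rule layer, score fusion and graded handling.
# Thresholds, field names, weighting and fusion formulas are all assumptions.
from dataclasses import dataclass
from typing import Callable

NIGHT_HOURS = set(range(0, 6))  # assumed "preset night time period"

@dataclass
class Rule:
    name: str
    predicate: Callable[[dict], bool]
    hits: int = 0        # times the rule fired
    confirmed: int = 0   # fired and later confirmed abnormal

    @property
    def weight(self) -> float:
        # Hit accuracy with Laplace smoothing, so an untested rule starts at 0.5.
        return (self.confirmed + 1) / (self.hits + 2)

    def feedback(self, was_abnormal: bool) -> None:
        self.hits += 1
        self.confirmed += int(was_abnormal)

RULES = [
    Rule("night_fanout", lambda f: f["unique_callees"] > 50
         and f["avg_call_seconds"] < 15 and f["hour"] in NIGHT_HOURS),
    Rule("sms_spray", lambda f: f["sms_per_min"] > 20
         and f["recipient_dispersion"] > 0.9 and f["sms_similarity"] < 0.3),
    Rule("roaming_probe", lambda f: f["is_intl_roaming"]
         and f["call_failure_rate"] > 0.7 and f["calls_per_hour"] > 60),
]

def rule_score(features: dict, rules=RULES) -> float:
    """First analysis result: weight of the hit rules over total weight, in [0, 1]."""
    total = sum(r.weight for r in rules)
    return sum(r.weight for r in rules if r.predicate(features)) / total

def composite_score(layer_scores: dict, layer_weights: dict) -> float:
    """Fuse whichever layers reported (at least two) by weighted average."""
    if len(layer_scores) < 2:
        raise ValueError("need results from at least two layers")
    w = sum(layer_weights[k] for k in layer_scores)
    return sum(layer_scores[k] * layer_weights[k] for k in layer_scores) / w

def disposition(score: float, first=0.8, second=0.6, third=0.4) -> str:
    tiers = [(first, "intercept_and_report"), (second, "delay_call_and_remind"),
             (third, "focused_or_sampled_monitoring")]
    return next((action for floor, action in tiers if score >= floor),
                "release_and_keep_recording")
```

Calling `feedback()` on a rule after each confirmed or refuted hit is what moves its weight, so a rule that keeps firing on numbers later judged normal contributes less to the next score.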
In one possible implementation manner, the extracting, based on a plurality of preset time windows, of behavior features of the target number on a plurality of preset time scales from the dynamic association network includes: extracting first-class behavior features of the target number from the dynamic association network based on a short-term time window, wherein the first-class behavior features comprise at least one of call dispersion, communication success rate and time distribution anomaly degree; extracting second-class behavior features of the target number from the dynamic association network based on a medium-term time window, wherein the second-class behavior features comprise at least one of number activity change rate, called number new increase rate and communication mode mutation index; and extracting third-class behavior features of the target number from the dynamic association network based on a long-term time window, wherein the third-class behavior features comprise at least one of a behavior stability index and an association network evolution characteristic.
In one possible implementation manner, the processing manner of the behavior pattern analysis layer includes: constructing a hidden Markov model with a normal state, a suspicious state, a low-risk state and a high-risk state; inputting an observation sequence comprising communication frequency, called dispersion and time distribution into the hidden Markov model; calculating the probability of the target number being in each state under the observation sequence through a forward-backward algorithm; and calculating and determining a second analysis result of the behavior pattern analysis layer based on the probabilities that the target number is in the high-risk state and the low-risk state.
In one possible implem