CN-122002290-A - Method and device for identifying abnormal telecommunication behaviors based on network action accompanied call

Abstract

The disclosure provides a method and a device for identifying abnormal telecommunication behaviors along with calls based on network actions, and relates to the technical fields of communication safety, wireless and artificial intelligence. The method comprises the steps of obtaining an initial object, presetting appointed network actions of a plurality of target application programs and attribute information corresponding to the appointed network actions, judging whether the initial object is a candidate object triggering abnormal behaviors based on the appointed network actions and the attribute information, responding to the initial object as the candidate object, positioning call data based on the appointed network actions, expanding the candidate object based on the call data, constructing a communication relation network diagram, identifying the communication relation network diagram according to a preset identification strategy, and determining a target object actively triggering the abnormal behaviors from the candidate object. The method and the device can effectively address the low-pass communication scene, apply fine-granularity internet surfing information and network actions, conduct abnormal telecom behavior identification in real time, and improve the efficiency of abnormal telecom behavior identification.

Inventors

• YE YUNFANG
• WANG CHANGXIAO
• CAI HONGXIANG
• HUANG DONG
• SHEN SHUO

Assignees

• 中国移动通信集团福建有限公司
• 中国移动通信集团有限公司

Dates

Publication Date

20260508

Application Date

20241101

Claims (12)

1. 1. A method for identifying abnormal telecommunication behavior based on network action accompanying conversation, comprising the steps of: acquiring a designated network action of an initial object in a preset plurality of target application programs and attribute information corresponding to the designated network action, wherein the attribute information at least comprises time and first flow data corresponding to the designated network action; judging whether the initial object is a candidate object triggering abnormal behaviors or not based on the appointed network action and the attribute information; responding to the initial object as the candidate object, positioning call data based on the appointed network action, expanding the candidate object based on the call data, and constructing a communication relation network diagram; and identifying based on the communication relation network diagram according to a preset identification strategy, and determining a target object actively triggering abnormal behaviors from the candidate objects.
2. 2. The method of claim 1, wherein the determining whether the initial object is a candidate object for triggering an abnormal behavior based on the specified network action and the attribute information comprises: calling a preset analysis tool to convert the first flow data into a target packet length sequence according to a preset fixed length; Inputting the target packet length sequence into a preset target classification model, and determining whether the appointed network action of the initial object in the target application program is an abnormal internet surfing action or not; Responding to the initial object with at least two abnormal internet surfing actions, respectively matching the abnormal internet surfing actions with a plurality of preset abnormal internet surfing action combinations, and judging whether the abnormal internet surfing actions match any one of the abnormal internet surfing action combinations; and responding to the abnormal internet surfing action matched with any abnormal internet surfing action combination, and judging the initial object as the candidate object triggering abnormal behaviors.
3. 3. The method of claim 2, wherein the combination of abnormal surfing actions is affiliated with two combination types, the combination types including an active type and a passive type, The determining that the initial object is the candidate object triggering the abnormal behavior according to the response that the abnormal internet surfing action is matched with any one of the abnormal internet surfing action combinations further comprises: And responding to the abnormal internet surfing action combination matched with the abnormal internet surfing action and belonging to an active type, judging the initial object as a first candidate object for actively triggering abnormal behaviors, or, And responding to the abnormal internet surfing action combination matched with the abnormal internet surfing action and belonging to a passive type, and judging that the initial object is a second candidate object for passively triggering abnormal behaviors.
4. 4. A method according to any of claims 1-3, wherein said locating call data based on said specified network action and expanding said candidate object based on said call data to construct a communication relationship network graph comprises: Acquiring a call detail record of the initial object, and acquiring a first time range of abnormal internet surfing actions in the appointed network actions; Screening the call detail records of the initial object based on the first time range so as to locate call data; Determining that the opposite terminal number communicated with the initial object is the candidate object after expansion based on the call data; Continuing to acquire the call detail record of the expanded candidate object so as to locate call data and expand the expanded candidate object again until a preset expansion condition is met; And constructing a communication relation network diagram based on the initial object and the expanded candidate object.
5. 5. The method of claim 4, wherein the candidate objects comprise a first candidate object that actively triggers an abnormal behavior and a second candidate object that passively triggers an abnormal behavior, wherein in the communication relationship network graph, The opposite terminal number communicated with the first candidate object is the second candidate object, and the opposite terminal number communicated with the second candidate object is the first candidate object.
6. 6. The method according to claim 5, wherein the identifying according to the preset identifying policy based on the communication relation network graph, determining a target object that actively triggers abnormal behavior from the candidate objects, includes: acquiring node degrees of nodes where the first candidate objects are located in the communication relation network diagram; and determining the first candidate object with the node degree larger than a preset node degree threshold as the target object.
7. 7. The method of claim 4, wherein the identifying, based on the communication relationship network graph, according to a preset identification policy, determines a target object that actively triggers abnormal behavior from the candidate objects, including: Carrying out connectivity analysis on the communication relation network graph to obtain a maximum communication subgraph; Extracting features of the maximum connected subgraph to obtain a first feature representation; Respectively extracting features of the call data, the abnormal internet surfing action and attribute information of the abnormal internet surfing action to obtain a second feature representation; and calling a preset machine learning model or a graph neural network model to perform recognition analysis based on the first characteristic representation and the second characteristic representation so as to determine the target object from the candidate objects.
8. 8. The method of claim 2, wherein the training process of the object classification model comprises: obtaining an abnormal behavior case, and carrying out keyword recognition on the abnormal behavior case to obtain a candidate application program in the abnormal behavior case and a candidate network action corresponding to the candidate application program; Calling a preset automatic testing tool to repeatedly execute the candidate network actions, and starting a preset network data acquisition and analysis tool to acquire second flow data when executing the candidate network actions; Marking whether the second flow data is abnormal internet surfing action or not to obtain a reference label; calling the analysis tool to convert the second flow data into a candidate packet length sequence according to the fixed length; Inputting the candidate packet length sequence into a preset candidate classification model, and determining whether the candidate network action is an abnormal internet surfing action or not to obtain a prediction label; And acquiring a loss function based on the reference label and the prediction label so as to train the candidate classification model and obtain the trained target classification model.
9. 9. A telecommunications abnormal behavior recognition apparatus based on a network action accompanying a call, comprising: the acquisition module is used for acquiring the appointed network actions of the initial object in the preset multiple target application programs and the attribute information corresponding to the appointed network actions, wherein the attribute information at least comprises time and first flow data corresponding to the appointed network actions; The judging module is used for judging whether the initial object is a candidate object triggering abnormal behaviors or not based on the appointed network action and the attribute information; the construction module is used for responding to the initial object as the candidate object, positioning call data based on the appointed network action, expanding the candidate object based on the call data and constructing a communication relation network diagram; and the determining module is used for identifying based on the communication relation network diagram according to a preset identification strategy, and determining a target object actively triggering abnormal behaviors from the candidate objects.
10. 10. An electronic device, comprising: At least one processor, and A memory communicatively coupled to the at least one processor, wherein, The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-8.
11. 11. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the steps of the method according to any one of claims 1-8.
12. 12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any of claims 1-8.

Description

Method and device for identifying abnormal telecommunication behaviors based on network action accompanied call Technical Field The disclosure relates to the technical fields of communication safety, wireless and artificial intelligence, in particular to a method and a device for identifying abnormal telecommunication behaviors along with calls based on network actions. Background In the related art, telecommunication fraud recognition based on communication is difficult to distinguish from regular business such as promotion in mode, through a call ticket, a threshold model is simply constructed, so that abnormal communication actions of communication type telecommunication with increasingly complex call modes cannot be dealt with, when the number of calls is small, the recognition effect of a machine learning mechanism depending on voice information can be possibly influenced, a low-pass communication scene cannot be effectively inferred, and when a full-network data structure network is applied, the consumption of system performance is large, and the recognition efficiency of abnormal actions can be possibly influenced. Therefore, how to effectively cope with the low-pass communication scene, applying fine-granularity internet surfing information and network actions to identify abnormal telecommunication behaviors in real time, and improving the efficiency of identifying abnormal telecommunication behaviors have become one of important research directions. Disclosure of Invention The present disclosure aims to solve, at least to some extent, one of the technical problems in the related art. It is therefore an object of the present disclosure to provide a method for identifying abnormal behavior of a telecommunication based on a call accompanied by a network action. A second object of the present disclosure is to provide a device for identifying abnormal behavior of a telecommunication based on a call accompanied by a network action. A third object of the present disclosure is to propose an electronic device. A fourth object of the present disclosure is to propose a non-transitory computer readable storage medium. A fifth object of the present disclosure is to propose a computer programme product. To achieve the above objective, an embodiment of a first aspect of the present disclosure provides a method for identifying abnormal telecommunication behavior based on a call accompanied by a network action, including: Acquiring a designated network action of an initial object in a preset plurality of target application programs and attribute information corresponding to the designated network action, wherein the attribute information at least comprises time and first flow data corresponding to the designated network action; Judging whether the initial object is a candidate object triggering abnormal behaviors or not based on the appointed network actions and the attribute information; Responding to the initial object as a candidate object, positioning call data based on the appointed network action, and expanding the candidate object based on the call data to construct a communication relation network diagram; and identifying based on the communication relation network diagram according to a preset identification strategy, and determining a target object actively triggering abnormal behaviors from the candidate objects. In the embodiment of the disclosure, whether an initial object is a candidate object triggering abnormal behaviors is judged based on specified network actions and attribute information, call data is positioned based on the specified network actions in response to the initial object as the candidate object, the candidate object is expanded based on the call data, a communication relation network diagram is constructed, call data accompanying the initial object when actions occur are positioned on the basis of identifying the initial object fine-granularity abnormal internet surfing behavior, a high-risk communication relation network is constructed, a target object can be accurately mined in real time, identification is carried out based on the communication relation network diagram according to a preset identification strategy, the target object actively triggering the abnormal behaviors is determined from the candidate object, a low-pass communication scene can be effectively treated, the fine-granularity internet surfing information and the network actions are applied, the telecommunication abnormal behavior identification is carried out in real time, and the telecommunication abnormal behavior identification efficiency is improved. To achieve the above object, a second aspect of the present disclosure provides a device for identifying abnormal behavior of a telecommunication based on a call accompanied by a network action, including: The acquisition module is used for acquiring the appointed network actions of the initial object in the preset multiple target application programs and the attr