CN-122023031-A - Abnormality detection and early warning method, device, equipment and medium
Abstract
The invention relates to the technical field of intelligent decision making and discloses an anomaly detection and early warning method, device, equipment and medium. The method comprises: acquiring multi-source service data containing operation identifiers, carrying out standardized processing, and generating a standardized service data set and an audit trail record set; extracting an abnormal feature set and inputting it into an abnormal analysis model to obtain an abnormal score; executing abnormal detection to generate an abnormal operation event set; generating and sending early warning information and abnormal report data according to the abnormal score and the abnormal operation event set; and continuously updating the risk result based on incremental business data. The method can be applied to business scenarios such as financial technology and medical health. By combining unified identifier association and standardized processing with abnormal feature extraction, model inference and abnormal detection, and by continuously updating risk results with incremental business data, it improves the accuracy, timeliness and traceability of abnormal identification.
Inventors
- YANG LINQING
Assignees
- 平安健康保险股份有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260303
Claims (10)
- 1. An anomaly detection and early warning method, characterized by comprising the following steps: acquiring multi-source service data containing operation identification, wherein the multi-source service data comprises service operation record data and operation event log data; carrying out standardization processing on the multi-source service data to generate a standardized service data set containing the operation identifier, and constructing an audit trail record set; extracting an abnormal feature set for the operation identifier based on the standardized service data set and the audit trail record set, inputting the abnormal feature set into a preset abnormal analysis model to output an abnormal score, and associating the abnormal score with the operation identifier; performing anomaly detection on the standardized service data set to generate an abnormal operation event set associated with the operation identifier; generating and sending early warning information and abnormal report data according to the abnormal score and the abnormal operation event set; and updating the standardized service data set and the audit trail record set based on incremental service data, re-determining an abnormal score and updating the abnormal operation event set so as to dynamically update the early warning message and the abnormal report data.
- 2. The anomaly detection and early warning method of claim 1, wherein obtaining multi-source business data including operation identifiers, the multi-source business data including business operation record data and operation event log data, comprises: configuring a data reading interface for connecting to a service database, and fetching service operation record data through the data reading interface according to a preset time slice window; configuring a subscription monitor for connecting to a log message queue, and capturing operation event log data in real time through the subscription monitor; extracting an operation identifier from the business operation record data and the operation event log data, and executing non-empty verification on the operation identifier; according to the non-empty verification result, filtering out the service operation record data and the operation event log data whose operation identifier is empty, and converging the service operation record data and the operation event log data whose operation identifier is non-empty into an original data buffer pool; and taking the data set stored in the original data buffer pool as the multi-source service data.
- 3. The anomaly detection and early warning method of claim 1, wherein normalizing the multi-source business data to generate a normalized business data set containing the operation identifier, and constructing an audit trail record set, comprises: Analyzing the multi-source business data to distinguish business operation record data from operation event log data; Traversing the business operation record data to identify null fields and non-standard format fields, correcting the null fields by using a preset cleaning rule and unifying the non-standard format fields; Mapping the corrected and uniformly processed business operation record data to a preset standard data model to generate a standardized business data set containing the operation identification; Performing standardized cleaning on the operation event log data, unifying a time stamp format and a behavior code, and generating standardized event records based on the unified time stamp and the behavior code, wherein each standardized event record in the standardized event records is associated with an operation identifier; and reorganizing the standardized event records into time sequence associated sequences according to the operation identification, and storing the time sequence associated sequences into an audit trail record set.
- 4. The anomaly detection and early warning method of claim 1, wherein extracting an anomaly feature set for the operation identifier based on the standardized business data set and the audit trail record set, inputting the anomaly feature set into a preset anomaly analysis model to output an anomaly score, and associating the anomaly score with the operation identifier, comprises: extracting business numerical value characteristics and business state change characteristics for the operation identification from the standardized business data set; extracting operation time sequence interval characteristics and operation environment context characteristics for the operation identification from the audit trail record set; performing vectorization splicing processing on the business numerical value characteristic, the business state change characteristic, the operation time sequence interval characteristic and the operation environment context characteristic to generate an abnormal feature set; loading the abnormal feature set into an abnormal analysis model constructed with a gradient boosting decision tree algorithm for inference; obtaining an abnormal prediction probability value output by the abnormal analysis model, and mapping the abnormal prediction probability value to a preset numerical interval to obtain an abnormal score; and establishing a key-value pair mapping relation between the abnormal score and the operation identifier in a data index table.
- 5. The anomaly detection and early warning method of claim 1, wherein anomaly detection is performed on the standardized business data set to generate a set of abnormal operation events associated with the operation identifier, comprising: Dividing the standardized service data set into a plurality of continuous time slice windows according to the time stamp sequence; Determining a statistical threshold based on the statistical distribution of the data within each time slice window; Traversing each record in the standardized service data set, determining a time slice window to which the record belongs according to the timestamp of the record, screening the record of which the value of a specified number field deviates from the statistical threshold value of the time slice window as an outlier record, and associating an operation identifier with each outlier record; generating an abnormal operation event containing an abnormal type identifier based on the outlier record; And collecting the abnormal operation events to an abnormal operation event set according to the operation identification.
- 6. The anomaly detection and early warning method of claim 1, wherein generating and transmitting an early warning message and anomaly report data based on the anomaly score and the set of anomaly operation events comprises: comparing the anomaly score with a preset anomaly early warning threshold value to determine a current anomaly early warning level; Constructing an early warning message containing an emergency notification text based on the abnormality early warning level and the abnormality score; performing serialization format conversion on the abnormal operation event set to obtain serialization event data; generating exception report data comprising an exception evidence chain based on the serialized event data, the exception pre-warning level and the exception score; And establishing a communication channel with a remote management and control terminal, and distributing the early warning message and the abnormal report data through the communication channel.
- 7. The anomaly detection and pre-warning method of claim 1, wherein updating the standardized business data set and the audit trail record set based on incremental business data, re-determining anomaly scores and updating the anomaly operational event set to dynamically update the pre-warning message and the anomaly reporting data comprises: receiving an incremental business data stream, wherein the incremental business data stream comprises newly added business operation record data and operation event log data; Respectively merging service operation record data and operation event log data in the incremental service data stream into the standardized service data set and the audit trail record set to generate an updated standardized service data set and an updated audit trail record set; extracting affected operation identifiers from the incremental service data stream; Based on the updated standardized business data set and the updated audit trail record set, performing abnormal feature set extraction and abnormal analysis model reasoning aiming at the affected operation identifier, and generating updated abnormal scores; Based on the updated standardized service data set, performing anomaly detection for the affected operation identifier, and generating an updated abnormal operation event set; triggering generation and sending of early warning information and abnormal report data according to the updated abnormal score and the updated abnormal operation event set.
- 8. An anomaly detection and early warning device, characterized in that the anomaly detection and early warning device comprises: the multi-source data acquisition module is used for acquiring multi-source business data containing operation identifiers, wherein the multi-source business data comprises business operation record data and operation event log data; The data standardization processing module is used for carrying out standardization processing on the multi-source service data, generating a standardized service data set containing the operation identifier and constructing an audit trail record set; The abnormal feature analysis module is used for extracting an abnormal feature set aiming at the operation identifier based on the standardized service data set and the audit trail record set, inputting the abnormal feature set into a preset abnormal analysis model to output an abnormal score, and associating the abnormal score with the operation identifier; The abnormal detection judging module is used for carrying out abnormal detection on the standardized service data set and generating an abnormal operation event set associated with the operation identifier; The early warning and report generating module is used for generating and sending early warning information and abnormal report data according to the abnormal score and the abnormal operation event set; and the incremental updating scheduling module is used for updating the standardized service data set and the audit trail record set based on incremental service data, re-determining the abnormal score and updating the abnormal operation event set so as to dynamically update the early warning message and the abnormal report data.
- 9. A computer device comprising a memory, a processor and an anomaly detection and warning program stored on the memory and executable on the processor, the anomaly detection and warning program implementing the steps of the anomaly detection and warning method of any one of claims 1 to 7 when executed by the processor.
- 10. A computer-readable storage medium, wherein an abnormality detection and warning program is stored on the storage medium, the abnormality detection and warning program implementing the steps of the abnormality detection and warning method according to any one of claims 1 to 7 when executed by a processor.
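The windowed detection step of claim 5, as an added example that is not code from the patent or its applicant. The claim does not name the statistic behind the "statistical threshold"; this sketch assumes a median ± K × MAD band per window, and the field names, constants, `AMOUNT_OUTLIER` type and sample records are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

WINDOW_SECONDS = 3600  # assumed width of one time-slice window
K = 5.0                # assumed multiplier on the median absolute deviation
MIN_SPREAD = 1.0       # assumed floor so identical values do not give a zero-width band
MIN_RECORDS = 4        # assumed minimum sample needed to estimate a window's distribution

# Constructed sample of a standardized business data set (refund amounts).
RECORDS = [{"op_id": o, "ts": t, "amount": a} for o, t, a in [
    ("op-1", 60, 100.0), ("op-2", 600, 105.0), ("op-3", 1200, 98.0),
    ("op-4", 1800, 102.0), ("op-5", 2400, 950.0),   # window 0
    ("op-6", 3700, 900.0), ("op-7", 4000, 920.0), ("op-8", 5000, 880.0),
    ("op-5", 6000, 950.0),                          # window 1
    ("op-9", 7300, 5000.0),                         # window 2, single record
]]


def window_bounds(records, field):
    """Claim 5, steps 1-2: slice by timestamp, derive (low, high) per window."""
    values = defaultdict(list)
    for r in records:
        values[r["ts"] // WINDOW_SECONDS].append(r[field])
    bounds = {}
    for window, vals in values.items():
        if len(vals) < MIN_RECORDS:
            continue  # too sparse: reported as unscored rather than guessed at
        med = median(vals)
        mad = median([abs(v - med) for v in vals])
        spread = K * max(mad, MIN_SPREAD)
        bounds[window] = (med - spread, med + spread)
    return bounds


def detect(records, field="amount"):
    """Claim 5, steps 3-5: flag outliers and collect events per operation id."""
    bounds = window_bounds(records, field)
    events, unscored = defaultdict(list), set()
    for r in records:
        window = r["ts"] // WINDOW_SECONDS
        if window not in bounds:
            unscored.add(window)
            continue
        low, high = bounds[window]
        if not low <= r[field] <= high:
            events[r["op_id"]].append({"type": "AMOUNT_OUTLIER", "window": window,
                                       "value": r[field], "bounds": (low, high)})
    return dict(events), sorted(unscored)


if __name__ == "__main__":
    print(detect(RECORDS))
```

The same 950.0 amount is flagged in window 0 and accepted in window 1, which is the practical difference between per-window thresholds and one global limit; windows with too few records are returned as unscored so that the gap in coverage is visible.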
Description
Abnormality detection and early warning method, device, equipment and medium
Technical Field
The present invention relates to the field of intelligent decision-making technologies, and in particular to a method, an apparatus, a device, and a medium for anomaly detection and early warning.
Background
When existing fund risk control technology handles complex business scenarios, several problems are common: multi-source data is fragmented, a unified association between business behaviors and fund flows is difficult to establish, risk identification relies on static rules, and whole-process traceability is lacking. Because business operation records, log data and fund data are stored in scattered locations, the system can hardly analyze business behaviors continuously under a unified data view. As a result, anomaly identification mostly depends on after-the-fact investigation, risk discovery lags, and early warning information rarely reflects a complete chain of anomaly evidence. Meanwhile, as business data continues to grow, the prior art has obvious shortcomings in dynamic risk assessment and data security audit, and can hardly meet the requirements of fine-grained fund risk management.
In the financial technology business field, premium income, claim expenditure and refund operations of medical insurance policies are distributed among different systems. Business records and log records lack a uniform identifier for association, so it is difficult to form a complete data link for the same business behavior. Traditional risk control mostly judges on a single transaction or on static rules and lacks comprehensive analysis of historical behavior patterns and multidimensional features, so risks such as repeated refunds, refunds of abnormal proportion and refunds in abnormal time periods are difficult to recognize in time.
In the early warning generation process, the existing system is often triggered by a single abnormal result only; it lacks a mechanism for comprehensively analyzing abnormal behaviors and the degree of abnormality, so the early warning information is insufficiently supported.
In the medical health business field, the diagnosis and treatment process is complex and involves multiple links such as registration, treatment, settlement and cost adjustment. The operation data and behavior logs generated by the different business links are stored in a scattered manner, so a complete behavior track is difficult to form. The prior art can hardly record the whole business process continuously and associate it in time sequence, which makes locating and tracing at the business track level difficult when a cost anomaly or an operation anomaly occurs. Meanwhile, medical service data is large in scale, operations are frequent and the data changes continuously; the traditional system lacks the capability to adjust a risk assessment result dynamically as the data changes, so risk monitoring lags. A complete encryption and audit mechanism is also lacking in long-term data storage and access, which leaves a potential security hazard.
Disclosure of Invention
The main purpose of the invention is to provide an anomaly detection and early warning method, device, equipment and storage medium, aiming to solve the technical problem that, in the prior art, scattered business operation records and behavior logs are difficult to analyze in association under a uniform identifier, and, on the basis of that association analysis, to realize multi-dimensional identification of abnormal behaviors and a risk assessment that is updated dynamically as the data changes.
In order to achieve the above object, the present invention provides an anomaly detection and early warning method, including: acquiring multi-source service data containing operation identification, wherein the multi-source service data comprises service operation record data and operation event log data; carrying out standardization processing on the multi-source service data to generate a standardized service data set containing the operation identifier, and constructing an audit trail record set; extracting an abnormal feature set for the operation identifier based on the standardized service data set and the audit trail record set, inputting the abnormal feature set into a preset abnormal analysis model to output an abnormal score, and associating the abnormal score with the operation identifier; performing anomaly detection on the standardized service data set to generate an abnormal operation event set associated with the operation identifier; generating and sending early warning information and abnormal report data according to the abnormal score and the abnormal operation event set; and updating the standardized service data set and the audit trail record set based on incremental service data, re-determ