[go: up one dir, main page]

TWI883938B - Abnormal transaction detection method and abnormal transaction detection device - Google Patents

Abnormal transaction detection method and abnormal transaction detection device Download PDF

Info

Publication number
TWI883938B
TWI883938B TW113115845A TW113115845A TWI883938B TW I883938 B TWI883938 B TW I883938B TW 113115845 A TW113115845 A TW 113115845A TW 113115845 A TW113115845 A TW 113115845A TW I883938 B TWI883938 B TW I883938B
Authority
TW
Taiwan
Prior art keywords
concept
risk
value
values
feature
Prior art date
Application number
TW113115845A
Other languages
Chinese (zh)
Other versions
TW202542812A (en
Inventor
彭雅瑜
劉士豪
林宗憲
張志祺
陳三權
Original Assignee
台灣大哥大股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 台灣大哥大股份有限公司 filed Critical 台灣大哥大股份有限公司
Priority to TW113115845A priority Critical patent/TWI883938B/en
Application granted granted Critical
Publication of TWI883938B publication Critical patent/TWI883938B/en
Publication of TW202542812A publication Critical patent/TW202542812A/en

Links

Images

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

An abnormal transaction detection method is disclosed. The method includes the following operations: analyzing a risk event to obtain several feature values; obtaining several correlation coefficients between several feature values and several concept values to calculate several concept scores of the several concept values; obtaining several representative concept values with high correlation with the risk event based on several correlation scores; obtaining several risk weighting values and several frequency weights corresponding to several feature values based on several feature values and several weight tables; calculating a risk score of the risk event based on several concept scores of the concept values, several risk weighting values, and several frequency weights; and determining the risk level of the risk event based on the risk score and updating the abnormal transaction detection database.

Description

異常交易偵測方法及異常交易偵測裝置Abnormal transaction detection method and abnormal transaction detection device

本案係有關於一種異常交易偵測方法及異常交易偵測裝置,且特別是關於一種風險等級監控的異常交易偵測方法及異常交易偵測裝置。This case is about an abnormal transaction detection method and an abnormal transaction detection device, and in particular, about an abnormal transaction detection method and an abnormal transaction detection device for risk level monitoring.

異常交易偵測,也稱為異常檢測或欺詐偵測,是一種安全技術,用於識別和防止不尋常的、可能表示欺詐、漏洞或內部錯誤的交易或行為模式。在電信服務的脈絡下,這通常涉及監控和分析用戶的付款行為、通話模式、上網數據使用等,以識別與正常行為模式顯著偏差的活動。Abnormal transaction detection, also known as anomaly detection or fraud detection, is a security technology used to identify and prevent unusual transactions or behavior patterns that may indicate fraud, vulnerabilities or internal errors. In the context of telecommunications services, this typically involves monitoring and analyzing users' payment behavior, calling patterns, Internet data usage, etc. to identify activities that deviate significantly from normal behavior patterns.

於異常交易偵測系統或是電信防詐騙系統中,常遇到以下幾個痛點:(一)風險規則由於需人工定義,難免會有遺漏。(二)風險規則有既定的流程,只能透過人工定義風險等級調整順序。(三)舊有不再使用的風險規則沒有一套良好的下線機制。因此,如何自動計算風險分數並自動更新風險規則,為本領域待解決的問題之一。In abnormal transaction detection systems or telecommunications anti-fraud systems, the following pain points are often encountered: (i) Risk rules need to be manually defined, so omissions are inevitable. (ii) Risk rules have a set process, and the order can only be adjusted by manually defining risk levels. (iii) There is no good offline mechanism for old risk rules that are no longer used. Therefore, how to automatically calculate risk scores and automatically update risk rules is one of the problems to be solved in this field.

發明內容旨在提供本揭示內容的簡化摘要,以使閱讀者對本揭示內容具備基本的理解。此發明內容並非本揭示內容的完整概述,且其用意並非在指出本案實施例的重要/關鍵元件或界定本案的範圍。The content of the invention is intended to provide a simplified summary of the disclosure so that readers can have a basic understanding of the disclosure. This content of the invention is not a complete overview of the disclosure, and it is not intended to point out the important/key elements of the embodiments of the present case or to define the scope of the present case.

本案內容之一技術態樣係關於一種異常交易偵測方法,適用於包含異常交易偵測資料庫的裝置。其中異常交易偵測資料庫包含多個特徵類別、多個概念值、多個驗證值以及對應於多個概念值與多個特徵類別的多個權重表。異常交易偵測分法包含以下步驟:分析風險事件以取得多個特徵值,其中多個特徵值中的每一者與多個特徵類別中的其中一者相對應;取得多個特徵值與多個概念值之間的多個關聯係數,以計算多個概念值的多個關聯分數;依據多個關聯分數將多個概念值排序,以取得與該風險事件之間關聯性較高的多個代表概念值;依據多個特徵值以及多個權重表取得與多個特徵值相對應的多個風險加權值以及多個頻率權重,其中多個權重表對應於多個概念值與多個特徵類別;依據多個代表概念值的多個概念分數、多個風險加權值以及多個頻率權重計算該風險事件的風險分數;以及依據風險分數判定風險事件的風險程度並更新異常交易偵測資料庫。One technical aspect of the present case is about an abnormal transaction detection method, which is applicable to a device including an abnormal transaction detection database. The abnormal transaction detection database includes multiple feature categories, multiple concept values, multiple verification values, and multiple weight tables corresponding to the multiple concept values and the multiple feature categories. The abnormal transaction detection method includes the following steps: analyzing risk events to obtain multiple feature values, wherein each of the multiple feature values corresponds to one of the multiple feature categories; obtaining multiple correlation coefficients between the multiple feature values and the multiple concept values to calculate multiple correlation scores for the multiple concept values; sorting the multiple concept values according to the multiple correlation scores to obtain multiple representative concept values with a higher correlation with the risk event; and sorting the representative concept values according to the multiple correlation scores. According to the plurality of eigenvalues and the plurality of weight tables, a plurality of risk weighted values and a plurality of frequency weights corresponding to the plurality of eigenvalues are obtained, wherein the plurality of weight tables correspond to the plurality of concept values and the plurality of eigenclasses; the risk score of the risk event is calculated according to the plurality of concept scores representing the plurality of concept values, the plurality of risk weighted values and the plurality of frequency weights; and the risk degree of the risk event is determined according to the risk score and an abnormal transaction detection database is updated.

本案內容之另一技術態樣係關於一種異常交易偵測裝置,包含記憶體與處理器。記憶體儲存有異常交易偵測資料庫,其中異常交易偵測資料庫包含多個特徵類別、多個概念值、多個驗證值以及對應於多個概念值與多個特徵類別的多個權重表。處理器耦接於記憶體,用以執行:分析風險事件以取得多個特徵值,其中多個特徵值中的每一者與多個特徵類別中的其中一者相對應;取得多個特徵值與多個概念值之間的多個關聯係數,以計算多個概念值的多個關聯分數;依據多個關聯分數將多個概念值排序,以取得與風險事件之間關聯性較高的多個代表概念值;依據多個特徵值以及多個權重表取得與多個特徵值相對應的多個風險加權值以及多個頻率權重,其中多個權重表對應於多個概念值與多個特徵類別;依據多個代表概念值的多個概念分數、多個風險加權值以及多個頻率權重計算該風險事件的風險分數;以及依據風險分數判定該風險事件的風險程度並更新異常交易偵測資料庫。Another technical aspect of the present case is about an abnormal transaction detection device, which includes a memory and a processor. The memory stores an abnormal transaction detection database, wherein the abnormal transaction detection database includes multiple feature categories, multiple concept values, multiple verification values, and multiple weight tables corresponding to the multiple concept values and the multiple feature categories. The processor is coupled to the memory to execute: analyzing risk events to obtain multiple feature values, wherein each of the multiple feature values corresponds to one of the multiple feature categories; obtaining multiple correlation coefficients between the multiple feature values and the multiple concept values to calculate multiple correlation scores for the multiple concept values; sorting the multiple concept values according to the multiple correlation scores to obtain multiple representative concept values with a higher correlation with the risk event; and sorting the multiple concept values according to the multiple correlation scores. A plurality of eigenvalues and a plurality of weight tables are used to obtain a plurality of risk weighted values and a plurality of frequency weights corresponding to the plurality of eigenvalues, wherein the plurality of weight tables correspond to the plurality of concept values and the plurality of eigenclasses; a risk score of the risk event is calculated based on a plurality of concept scores representing the plurality of concept values, the plurality of risk weighted values, and the plurality of frequency weights; and a risk level of the risk event is determined based on the risk score and an abnormal transaction detection database is updated.

在參閱下文實施方式後,本案所屬技術領域中具有通常知識者當可輕易瞭解本案之基本精神及其他發明目的,以及本案所採用之技術手段與實施態樣。After reading the implementation method below, a person with ordinary knowledge in the technical field to which this case belongs can easily understand the basic spirit and other invention purposes of this case, as well as the technical means and implementation methods adopted in this case.

為了使本揭示內容的敘述更加詳盡與完備,下文針對了本案的實施態樣與具體實施例提出了說明性的描述;但這並非實施或運用本案具體實施例的唯一形式。實施方式中涵蓋了多個具體實施例的特徵以及用以建構與操作這些具體實施例的方法步驟與其順序。然而,亦可利用其他具體實施例來達成相同或均等的功能與步驟順序。In order to make the description of the disclosure more detailed and complete, the following provides an illustrative description of the implementation and specific embodiments of the present invention; however, this is not the only form of implementing or using the specific embodiments of the present invention. The implementation covers the features of multiple specific embodiments and the method steps and their sequence for constructing and operating these specific embodiments. However, other specific embodiments may also be used to achieve the same or equivalent functions and step sequences.

除非本說明書另有定義,此處所用的科學與技術詞彙之含義與本案所屬技術領域中具有通常知識者所理解與慣用的意義相同。此外,在不和上下文衝突的情形下,本說明書所用的單數名詞涵蓋該名詞的複數型;而所用的複數名詞時亦涵蓋該名詞的單數型。Unless otherwise defined in this specification, the scientific and technical terms used herein have the same meanings as those understood and used by persons of ordinary skill in the art to which this case belongs. In addition, singular terms used in this specification include the plural form of the terms, and plural terms also include the singular form of the terms, unless otherwise conflicting with the context.

另外,關於本文中所使用之「耦接」或「連接」,可指二或多個元件相互直接作實體或電性接觸,或是相互間接作實體或電性接觸,亦可指二或多個元件相互操作或動作。In addition, the term “coupled” or “connected” as used herein may refer to two or more elements being in direct physical or electrical contact with each other, or being in indirect physical or electrical contact with each other, or may refer to two or more elements operating or moving with each other.

在本文中,用語『裝置』泛指由一或多個電晶體與/或一或多個主被動元件按一定方式連接以處理訊號的物件。In this document, the term "device" refers to an object that is composed of one or more transistors and/or one or more active and passive components connected in a certain way to process signals.

在說明書及申請專利範圍中使用了某些詞彙來指稱特定的元件。然而,所屬技術領域中具有通常知識者應可理解,同樣的元件可能會用不同的名詞來稱呼。說明書及申請專利範圍並不以名稱的差異做為區分元件的方式,而是以元件在功能上的差異來做為區分的基準。在說明書及申請專利範圍所提及的「包含」為開放式的用語,故應解釋成「包含但不限定於」。Certain terms are used in the specification and patent application to refer to specific components. However, a person with ordinary knowledge in the art should understand that the same component may be referred to by different terms. The specification and patent application do not distinguish components by differences in name, but by differences in function. The term "including" mentioned in the specification and patent application is an open term and should be interpreted as "including but not limited to".

第1圖係依照本案一些實施例繪示一種異常交易偵測裝置100的方塊示意圖。如第1圖所示,在一些實施例中,異常交易偵測裝置100包含記憶體110和處理器130。記憶體110耦接於處理器130。FIG. 1 is a block diagram of an abnormal transaction detection device 100 according to some embodiments of the present invention. As shown in FIG. 1 , in some embodiments, the abnormal transaction detection device 100 includes a memory 110 and a processor 130. The memory 110 is coupled to the processor 130.

如第1圖所繪示,於部分實施例中,處理器130包含事件偵測模組131、風險解析模組133、風險告警模組135、反饋模組137以及優化模組139。As shown in FIG. 1 , in some embodiments, the processor 130 includes an event detection module 131 , a risk analysis module 133 , a risk alarm module 135 , a feedback module 137 , and an optimization module 139 .

於連接關係上,風險解析模組133耦接於事件偵測模組131,風險告警模組135耦接於風險解析模組133,反饋模組137耦接於風險告警模組135,而優化模組139耦接於風險解析模組133與反饋模組137。In terms of connection relationship, the risk analysis module 133 is coupled to the event detection module 131, the risk alarm module 135 is coupled to the risk analysis module 133, the feedback module 137 is coupled to the risk alarm module 135, and the optimization module 139 is coupled to the risk analysis module 133 and the feedback module 137.

於部分實施例中,異常交易偵測裝置100更包含輸入輸出裝置(未繪示),耦接於處理器130。輸入輸出裝置可以是具有資料傳送與接收或類似功能的電路或元件。例如鍵盤、喇叭、通訊電路、螢幕或是其他具有類似功能的電路或元件。In some embodiments, the abnormal transaction detection device 100 further includes an input/output device (not shown) coupled to the processor 130. The input/output device may be a circuit or component with data transmission and reception or similar functions, such as a keyboard, a speaker, a communication circuit, a screen, or other circuits or components with similar functions.

上述的耦接可以為電性耦接或通信耦接,通信耦接泛指透過實體線材進行的有線連接,例如,藉由有線網路進行連接,或透過無線連接媒介進行的無線連接,但本揭示內容不以此為限。The coupling mentioned above may be an electrical coupling or a communication coupling. The communication coupling generally refers to a wired connection through a physical wire, for example, a connection through a wired network, or a wireless connection through a wireless connection medium, but the present disclosure is not limited thereto.

關於第1圖中的異常交易偵測裝置100的詳細操作方式,將於以下參閱第2圖一併進行說明。The detailed operation method of the abnormal transaction detection device 100 in FIG. 1 will be described below together with FIG. 2 .

第2圖係依照本案一些實施例繪示一種異常交易偵測方法200的步驟流程圖。異常交易偵測方法200可應用於第1圖中的異常交易偵測裝置100或與其結構相同或相似之系統。而為使敘述簡單,以下將以第1圖為例執行對操作方法敘述,然本發明不以第1圖的應用為限。FIG. 2 is a flowchart of an abnormal transaction detection method 200 according to some embodiments of the present invention. The abnormal transaction detection method 200 can be applied to the abnormal transaction detection device 100 in FIG. 1 or a system having the same or similar structure as the abnormal transaction detection device 100. In order to simplify the description, the following description of the operation method will be performed using FIG. 1 as an example, but the present invention is not limited to the application of FIG. 1.

需注意的是,於一些實施例中,異常交易偵測方法200亦可實作為電腦程式或是指令,並儲存於如第1圖中的記憶體110中,而使如第1圖中的異常交易偵測裝置100中的處理器130讀取此電腦程式或指令後執行此一操作方法,處理器130可以由一或多個晶片組成。記憶體110可為唯讀記憶體、快閃記憶體、軟碟、硬碟、光碟、隨身碟、磁帶、可由網路存取之資料庫或熟悉此技藝者可輕易思及具有相同功能之非暫態電腦可讀取記錄媒體。It should be noted that in some embodiments, the abnormal transaction detection method 200 can also be implemented as a computer program or instruction and stored in the memory 110 as shown in FIG. 1, so that the processor 130 in the abnormal transaction detection device 100 as shown in FIG. 1 reads the computer program or instruction and executes the operation method. The processor 130 can be composed of one or more chips. The memory 110 can be a read-only memory, a flash memory, a floppy disk, a hard disk, an optical disk, a flash disk, a magnetic tape, a database accessible by a network, or a non-transient computer-readable recording medium with the same function that can be easily thought of by those familiar with the art.

另外,應瞭解到,在本實施方式中所提及的異常交易偵測方法200的操作,除特別敘明其順序者外,均可依實際需要調整其前後順序,甚至可同時或部分同時執行。In addition, it should be understood that the operations of the abnormal transaction detection method 200 mentioned in this embodiment, except for those specifically described in sequence, can be adjusted in sequence according to actual needs, and can even be executed simultaneously or partially simultaneously.

再者,在不同實施例中,此些操作亦可適應性地增加、置換、及/或省略。Furthermore, in different embodiments, these operations may be adaptively added, replaced, and/or omitted.

於部分實施例中,第1圖中的記憶體110中儲存有異常交易偵測資料庫。異常交易偵測資料庫中包含多個範例特徵值、多個特徵類別、多個概念值、多個驗證值以及對應於多個概念值與多個特徵類別的多個權重表。In some embodiments, the memory 110 in FIG. 1 stores an abnormal transaction detection database, which includes multiple example feature values, multiple feature categories, multiple concept values, multiple verification values, and multiple weight tables corresponding to the multiple concept values and the multiple feature categories.

於部分實施例中,異常交易偵測資料庫中的範例特徵值、概念值以及驗證值以5W1H的方式分類。舉例而言,範例特徵值包含A類(Who)、B類(Where)、C類(When)、D類(What)。概念值包含(Why)。驗證值包含(How)。In some embodiments, the example feature values, concept values, and verification values in the abnormal transaction detection database are classified in a 5W1H manner. For example, the example feature values include A (Who), B (Where), C (When), and D (What). The concept value includes (Why). The verification value includes (How).

於部分實施例中,異常交易偵測資料庫中的範例特徵值、概念值以及驗證值的建立係利用自然語言處理(NLP)解析行為描述(例如風險事件中的行為描述),使用工具包含OpenAI(開放人工智慧研究中心) 旗下的ChatGPT(聊天生成預訓練轉換器)搭配 LangChain框架(語言模型集成框架),以建立AI(人工智慧)異常交易偵測資料庫。In some embodiments, the establishment of example feature values, concept values, and verification values in the abnormal transaction detection database is to utilize natural language processing (NLP) to parse behavior descriptions (e.g., behavior descriptions in risk events), using tools including ChatGPT (Chat Generation Pre-trained Transformer) under OpenAI (Open Artificial Intelligence Research Center) and LangChain framework (language model integration framework) to establish an AI (artificial intelligence) abnormal transaction detection database.

關於多個範例特徵值、多個特徵類別、多個概念值、多個驗證值以及對應於多個概念值與多個特徵類別的多個權重表的詳細實施方式將於以下參照第2圖一併說明。The detailed implementation of multiple example feature values, multiple feature categories, multiple concept values, multiple verification values, and multiple weight tables corresponding to the multiple concept values and multiple feature categories will be described below with reference to FIG. 2.

請一併參閱第2圖。如第2圖所繪的異常交易偵測方法200包含步驟S210至S260。於部分實施例中,步驟S210至步驟S260由第1圖中的處理器130執行。Please refer to FIG. 2 . The abnormal transaction detection method 200 shown in FIG. 2 includes steps S210 to S260 . In some embodiments, steps S210 to S260 are executed by the processor 130 in FIG. 1 .

於步驟S210中,分析風險事件以取得多個特徵值,其中多個特徵值中的每一者與異常交易偵測資料庫中的多個特徵類別中的其中一者相對應。In step S210 , the risk event is analyzed to obtain a plurality of feature values, wherein each of the plurality of feature values corresponds to one of a plurality of feature categories in the abnormal transaction detection database.

於部分實施例中,風險事件係由異常交易偵測裝置100經由輸入輸出裝置接收。於其他實施例中,風險事件係由第1圖中的事件偵測模組131針對新聞或是公開案件,使用爬蟲技術取得。In some embodiments, the risk event is received by the abnormal transaction detection device 100 via the input and output device. In other embodiments, the risk event is obtained by the event detection module 131 in FIG. 1 using crawler technology for news or public cases.

於部分實施例中,於步驟S210中,第1圖中的風險解析模組133依據風險事件取得複數個關鍵字,將多個關鍵字與異常交易偵測資料庫中的多個範例特徵值進行比對,以取得關鍵字中與範例特徵值相類似的多個關鍵字以作為風險事件的特徵值。每個特徵值對應於特徵類別中的一者。In some embodiments, in step S210, the risk analysis module 133 in FIG. 1 obtains a plurality of keywords according to the risk event, and compares the plurality of keywords with a plurality of sample feature values in the abnormal transaction detection database to obtain a plurality of keywords in the keywords that are similar to the sample feature values as feature values of the risk event. Each feature value corresponds to one of the feature categories.

以下將以[實施例A]和[實施例B]為例進行說明。The following will be described using [Example A] and [Example B] as examples.

於[實施例A]中,風險事件包含「王老先生今年75歲,與16歲的孫子一同居住。日前發現於凌晨3點透過DCB交易購買網路遊戲點數,交易金額為2萬元。」,為了方便說明,以下將[實施例A]中的風險事件簡稱為「王老先生透過DCB交易疑似遭盜刷2萬元」。於步驟S210中,風險解析模組133所取得的特徵值及對應的特徵類別包含以下:(特徵值a1)男性[性別]、(特徵值a3)75歲[年齡]、(特徵值a4)同住親人為二等親[家庭結構]、(特徵值a6)小於18歲[年齡]、(特徵值b1)國內交易[交易地區]、(特徵值b2)DCB交易[交易方式]、(特徵值c1)冷門交易時段[時間]、(特徵值c2)非國定假日[日期]、(特徵值d1)購買線上遊戲點數[購買商品]、(特徵值d2)交易單筆≧2萬[金額]。上述[性別]、[年齡]、[家庭結構]等即為特徵類別。In [Example A], the risk event includes "Mr. Wang is 75 years old and lives with his 16-year-old grandson. A few days ago, he was found to have purchased online game points through DCB transactions at 3 a.m., and the transaction amount was 20,000 yuan." For the convenience of explanation, the risk event in [Example A] is hereinafter referred to as "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions." In step S210, the feature values and corresponding feature categories obtained by the risk analysis module 133 include the following: (feature value a1) male [gender], (feature value a3) 75 years old [age], (feature value a4) cohabiting relatives are second-degree relatives [family structure], (feature value a6) under 18 years old [age], (feature value b1) domestic transactions [transaction area], (feature value b2) DCB transactions [transaction method], (feature value c1) unpopular transaction time period [time], (feature value c2) non-national holidays [date], (feature value d1) purchase of online game points [purchase of goods], (feature value d2) single transaction ≧ 20,000 [amount]. The above-mentioned [gender], [age], [family structure], etc. are characteristic categories.

於[實施例B]中,風險事件簡稱為「+886 165不是反詐騙」。於步驟S210中,風險解析模組133所取得的特徵值及對應的特徵類別包含以下:(特徵值a13)電商客服人員[詐騙嫌疑人]、(特徵值a16)警方[詐騙嫌疑人]、(特徵值a2)上班族[族群]、(特徵值b4)疑似境內[交易地區]、(特徵值c3)無規律時間[時間]、(特徵值d5)發話端為+886電話[詐騙嫌疑]、(特徵d7)博取信任[詐騙嫌疑]、(特徵d8)要求ATM操作[詐騙嫌疑]。In [Example B], the risk event is abbreviated as "+886 165 is not anti-fraud". In step S210, the feature values and corresponding feature categories obtained by the risk analysis module 133 include the following: (feature value a13) e-commerce customer service staff [fraud suspect], (feature value a16) police [fraud suspect], (feature value a2) office workers [group], (feature value b4) suspected domestic [transaction area], (feature value c3) irregular time [time], (feature value d5) the caller is +886 phone [fraud suspect], (feature d7) gain trust [fraud suspect], (feature d8) request ATM operation [fraud suspect].

於步驟S220中,取得多個特徵值與異常交易偵測資料庫中的多個概念值之間的多個關聯係數,以計算多個概念值的多個關聯分數。於部分實施例中,步驟S220由第1圖中的風險解析模組133執行。於部分實施例中,關聯係數介於-1至1之間。關聯係數0表示無相關,關聯係數1表示完全正相關,關聯係數-1表示完全負相關。In step S220, multiple correlation coefficients between multiple feature values and multiple concept values in the abnormal transaction detection database are obtained to calculate multiple correlation scores of the multiple concept values. In some embodiments, step S220 is performed by the risk analysis module 133 in Figure 1. In some embodiments, the correlation coefficient is between -1 and 1. A correlation coefficient of 0 indicates no correlation, a correlation coefficient of 1 indicates a completely positive correlation, and a correlation coefficient of -1 indicates a completely negative correlation.

於一實施例中,異常交易偵測資料庫中包含多個概念值e1至e8。概念值e1包含「台北市65歲以上男性DBC交易平均金額為3千」,概念值e2包含「未成年常使用DCB交易購買網路遊戲點數」,概念值e3包含「高中生常有熬夜跡象」,概念值e5包含「詐騙集團自導自演以+886詐騙電話讓民眾受騙」,概念值e7包含「通訊內容含易被詐騙字眼(如:重複扣款、ATM、系統人員疏忽)」,概念值e8包含「發話端可透過VoIP技術偽造為+886開頭的電話」。上述概念值的數量與內容僅為例示說明之用,本案的實施方式不以上述為限制。In one embodiment, the abnormal transaction detection database includes multiple concept values e1 to e8. Concept value e1 includes "the average DBC transaction amount of males over 65 years old in Taipei City is 3,000", concept value e2 includes "minors often use DCB transactions to purchase online game points", concept value e3 includes "high school students often have signs of staying up late", concept value e5 includes "fraud groups self-directed and staged +886 fraudulent calls to deceive the public", concept value e7 includes "communication content contains words that are easy to be deceived (such as: repeated deductions, ATM, system personnel negligence)", and concept value e8 includes "the caller can use VoIP technology to forge a phone number starting with +886". The quantity and content of the above-mentioned concept values are for illustrative purposes only, and the implementation of this case is not limited thereto.

以下將以[實施例A]中,風險事件為「王老先生透過DCB交易疑似遭盜刷2萬元」為例進行說明。The following will be explained using the risk event of "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" in [Implementation Example A].

風險解析模組133取得概念值e1與特徵值a1之間的關聯係數、概念值e1與特徵值a3之間的關聯係數、概念值e1與特徵值a4之間的關聯係數、概念值e1與特徵值a6之間的關聯係數、概念值e1與特徵值b1之間的關聯係數、概念值e1與特徵值b2之間的關聯係數、概念值e1與特徵值c1之間的關聯係數、概念值e1與特徵值c2之間的關聯係數、概念值e1與特徵值d1之間的關聯係數、概念值e1與特徵值d2之間的關聯係數。接著,風險解析模組133將上述概念值e1與風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的多個特徵值之間的多個關聯係數相加,以計算風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的多個特徵值與概念值e1之間的關聯分數。The risk analysis module 133 obtains the correlation coefficient between the concept value e1 and the characteristic value a1, the correlation coefficient between the concept value e1 and the characteristic value a3, the correlation coefficient between the concept value e1 and the characteristic value a4, the correlation coefficient between the concept value e1 and the characteristic value a6, the correlation coefficient between the concept value e1 and the characteristic value b1, the correlation coefficient between the concept value e1 and the characteristic value b2, the correlation coefficient between the concept value e1 and the characteristic value c1, the correlation coefficient between the concept value e1 and the characteristic value c2, the correlation coefficient between the concept value e1 and the characteristic value d1, and the correlation coefficient between the concept value e1 and the characteristic value d2. Next, the risk analysis module 133 adds up the multiple correlation coefficients between the above-mentioned concept value e1 and the multiple feature values of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" to calculate the correlation score between the multiple feature values of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" and the concept value e1.

類似地,風險解析模組133將概念值e2與風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的多個特徵值之間的多個關聯係數相加,以計算風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的多個特徵值與概念值e2之間的關聯分數。Similarly, the risk analysis module 133 adds up the multiple correlation coefficients between the concept value e2 and the multiple feature values of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" to calculate the correlation score between the multiple feature values of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" and the concept value e2.

類似地,風險解析模組133將概念值e3與風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的多個特徵值之間的多個關聯係數相加,以計算風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的多個特徵值與概念值e3之間的關聯分數。依此類推,風險解析模組133可計算概念值e1至e8與多個特徵值之間的關聯分數。Similarly, the risk analysis module 133 adds the multiple correlation coefficients between the concept value e3 and the multiple eigenvalues of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" to calculate the correlation score between the multiple eigenvalues of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" and the concept value e3. Similarly, the risk analysis module 133 can calculate the correlation scores between the concept values e1 to e8 and the multiple eigenvalues.

於步驟S230中,依據多個關聯分數將多個概念值排序,以取得與風險事件之間關聯性較高的多個代表概念值。於部分實施例中,於排序後,第1圖中的風險解析模組133以關聯分數最高的前幾個(例如前三個)概念值作為代表概念值。於部分實施例中,於排序後,風險解析模組133以關聯分數高於關聯分數閾值的概念值作為代表改念值。In step S230, the multiple concept values are sorted according to the multiple correlation scores to obtain multiple representative concept values with higher correlation with the risk event. In some embodiments, after sorting, the risk analysis module 133 in FIG. 1 uses the first few (e.g., first three) concept values with the highest correlation scores as representative concept values. In some embodiments, after sorting, the risk analysis module 133 uses the concept values with correlation scores higher than the correlation score threshold as representative concept values.

以下將以[實施例A]中的風險事件與多個概念值e1至e8為例進行說明。假設於步驟S220中,計算出概念值e1至e8與實施例A中的風險事件之間關聯分數最高的三者依序為概念值e2、概念值e1、概念值e3,則風險解析模組133以概念值e2、概念值e1、概念值e3作為代表概念值。The following will be explained using the risk events and multiple concept values e1 to e8 in [Implementation Example A] as an example. Assuming that in step S220, the three highest correlation scores between the concept values e1 to e8 and the risk events in Implementation Example A are calculated to be concept value e2, concept value e1, and concept value e3, the risk analysis module 133 uses concept value e2, concept value e1, and concept value e3 as representative concept values.

於步驟S240中,依據多個特徵值以及多個權重表取得與多個特徵值相對應的多個風險加權值以及多個頻率權重,其中多個權重表對應於多個概念值與多個特徵類別。In step S240, a plurality of risk weighted values and a plurality of frequency weights corresponding to the plurality of feature values are obtained according to the plurality of feature values and the plurality of weight tables, wherein the plurality of weight tables correspond to the plurality of concept values and the plurality of feature categories.

以下將舉出幾個權重表的為例。表一為對應於概念值e1與特徵類別[年齡]的權重表。Several weight tables are given as examples below. Table 1 is the weight table corresponding to the concept value e1 and the feature category [age].

表1 e1概念分數 對應於特徵類別[年齡]的特徵區間 風險加權值 頻率權重 說明 10 85以上 1.5 1.2 高齡 10 66至84 1.5 1.5 高齡 10 65 1 1 基準點 10 26至64 0.25 1 一般 10 18至25 1 1 成年但普遍無或低經濟能力 10 0至17 1.2 1 未成年 Table 1 e1 Concept Score The characteristic interval corresponding to the characteristic category [age] Risk Weighted Value Frequency weight instruction 10 85 and above 1.5 1.2 Old age 10 66 to 84 1.5 1.5 Old age 10 65 1 1 Benchmark 10 26 to 64 0.25 1 generally 10 18 to 25 1 1 Adults but generally have no or low economic ability 10 0 to 17 1.2 1 Minors

於部分實施例中,權重表可對應於多個特徵類別或者對應於特定特徵值。舉例而言,表二為對應於概念值e1與特徵類別[金額]加上特徵類別[交易方式]為DCB交易的權重表。即,表二的權重表係於[交易方式]為DCB交易的情況下所設置之對應於概念值e1與特徵類別[金額]的權重表。In some embodiments, the weight table may correspond to multiple feature categories or to specific feature values. For example, Table 2 is a weight table corresponding to the concept value e1 and the feature category [amount] plus the feature category [transaction method] of DCB transaction. That is, the weight table in Table 2 is a weight table corresponding to the concept value e1 and the feature category [amount] when [transaction method] is DCB transaction.

表二 e1概念分數 對應於特徵類別[金額]的特徵區間 風險加權值 頻率權重 說明 10 20000至30000 2.5 1 10 10000至20000 2 1.5 10 3000至10000 1.5 1.2 10 1000至3000 1 1 基準點 10 小於1000 0.1 0.1 Table 2 e1 Concept Score The characteristic interval corresponding to the characteristic category [amount] Risk Weighted Value Frequency weight instruction 10 20,000 to 30,000 2.5 1 10 10,000 to 20,000 2 1.5 10 3000 to 10000 1.5 1.2 10 1000 to 3000 1 1 Benchmark 10 Less than 1000 0.1 0.1

請一併參閱第3圖。第3圖係依照本案一些實施例繪示第2圖中的異常交易偵測方法200中的步驟S240的流程圖。如第3圖所繪示,步驟S240包含步驟S242和步驟S244。Please refer to FIG. 3 . FIG. 3 is a flow chart of step S240 in the abnormal transaction detection method 200 in FIG. 2 according to some embodiments of the present invention. As shown in FIG. 3 , step S240 includes step S242 and step S244 .

於步驟S242中,判定第一特徵值對應於多個特徵區間中的第一特徵區間。In step S242, it is determined that the first eigenvalue corresponds to the first feature interval among the plurality of feature intervals.

以下以[實施例A]為例進行說明。對於[實施例A]中的(特徵值a3)75歲[年齡],風險解析模組133取得對應於概念值e1與特徵類別[年齡]的權重表(例如上述表一)。依據(特徵值a3)75歲,風險解析模組133判定與特徵值a3相對應的特徵區間為66歲至84歲。The following is an example of [Example A]. For [Embodiment A] (eigenvalue a3) 75 years old [age], the risk analysis module 133 obtains a weight table (such as the above Table 1) corresponding to the concept value e1 and the feature category [age]. Based on (eigenvalue a3) 75 years old, the risk analysis module 133 determines that the feature interval corresponding to the eigenvalue a3 is 66 to 84 years old.

於步驟S244中,取得與第一特徵區間相對應的第一風險加權值以及第一頻率權重。In step S244, a first risk weighted value and a first frequency weight corresponding to the first characteristic interval are obtained.

以下繼續以[實施例A]為例進行說明。於步驟S242中,風險解析模組133判定與特徵值a3相對應的特徵區間為66歲至84歲。接著,風險解析模組133依據上述表一取得對應於66歲至84歲的特徵區間的風險加權值為1.5,而對應於66歲至84歲的特徵區間的頻率權重為1.5。The following is further explained using [Example A] as an example. In step S242, the risk analysis module 133 determines that the characteristic interval corresponding to the characteristic value a3 is 66 to 84 years old. Then, the risk analysis module 133 obtains the risk weighted value corresponding to the characteristic interval of 66 to 84 years old as 1.5 according to the above Table 1, and the frequency weight corresponding to the characteristic interval of 66 to 84 years old is 1.5.

如上述步驟S242與步驟S244僅以[實施例A]中的概念值e1與特徵值a3為例進行說明。其餘概念值與特徵值取得風險加權值與頻率權重的方法與上述[實施例A]中的概念值e1與特徵值a3的實施方式相類似。As described above, step S242 and step S244 are only described by taking the concept value e1 and the characteristic value a3 in [Example A] as an example. The method of obtaining the risk weighted value and the frequency weight of the other concept values and characteristic values is similar to the implementation method of the concept value e1 and the characteristic value a3 in [Example A] described above.

於步驟S250中,依據多個代表概念值的多個概念分數、多個風險加權值以及多個頻率權重計算風險事件的風險分數。In step S250, the risk score of the risk event is calculated based on a plurality of concept scores representing the concept values, a plurality of risk weighted values, and a plurality of frequency weights.

於部分實施例中,於步驟S250中,風險解析模組133將概念值的概念分數與依據概念值、特徵值與特徵類別所取得的風險加權值與頻率權重相乘後取得子風險分數,再將對應於各個概念值與特徵值所取得的多個子風險分數相加以取得對應於風險事件的風險分數。In some embodiments, in step S250, the risk analysis module 133 multiplies the concept score of the concept value with the risk weighted value and frequency weight obtained based on the concept value, feature value and feature category to obtain a sub-risk score, and then adds up the multiple sub-risk scores corresponding to each concept value and feature value to obtain the risk score corresponding to the risk event.

舉例而言,以[實施例A]為例進行說明。於部分實施例中,[實施例A]中的風險事件對應的風險分數的計算如下: 風險分數= 概念值e1的概念分數 對應於概念值e1與特徵值a1的風險加權值 對應於概念值e1與特徵值a1的頻率權重+ 概念值e1的概念分數 對應於概念值e1與特徵值a3的風險加權值 對應於概念值e1與特徵值a1的頻率權重+ …… 概念值e1的概念分數 對應於概念值e1與特徵值d2的風險加權值 對應於概念值e1與特徵值d2的頻率權重+ 概念值e2的概念分數 對應於概念值e2與特徵值a1的風險加權值 對應於特徵值a1的頻率權重+ 概念值e2的概念分數 對應於概念值e2與特徵值a3的風險加權值 對應於特徵值a1的頻率權重+ …… 概念值e2的概念分數 對應於概念值e2與特徵值d2的風險加權值 對應於特徵值d2的頻率權重+ 概念值e3的概念分數 對應於概念值e3與特徵值a1的風險加權值 對應於特徵值a1的頻率權重+ 概念值e3的概念分數 對應於概念值e3與特徵值a3的風險加權值 對應於特徵值a1的頻率權重+ …… 概念值e3的概念分數 對應於概念值e3與特徵值d2的風險加權值 對應於特徵值d2的頻率權重 For example, [Example A] is used as an example for explanation. In some embodiments, the risk score corresponding to the risk event in [Example A] is calculated as follows: Risk score = Concept score of concept value e1 The risk weight corresponding to the concept value e1 and the eigenvalue a1 The frequency weight corresponding to the concept value e1 and the feature value a1 + the concept score of the concept value e1 The risk weight corresponding to the concept value e1 and the eigenvalue a3 The frequency weight corresponding to the concept value e1 and the eigenvalue a1 + ... the concept score of the concept value e1 The risk weight corresponding to the concept value e1 and the eigenvalue d2 The frequency weight corresponding to the concept value e1 and the feature value d2 + the concept score of the concept value e2 The risk weight corresponding to the concept value e2 and the eigenvalue a1 The frequency weight corresponding to the eigenvalue a1 + the concept score corresponding to the concept value e2 The risk weight corresponding to the concept value e2 and the eigenvalue a3 The frequency weight corresponding to the eigenvalue a1 + the concept score corresponding to the concept value e2 The risk weight corresponding to the concept value e2 and the eigenvalue d2 The frequency weight corresponding to the feature value d2 + the concept score of the concept value e3 The risk weight corresponding to the concept value e3 and the eigenvalue a1 The frequency weight corresponding to the eigenvalue a1 + the concept score corresponding to the concept value e3 The risk weight corresponding to the concept value e3 and the eigenvalue a3 The frequency weight corresponding to the eigenvalue a1 + the concept score corresponding to the concept value e3 The risk weight corresponding to the concept value e3 and the eigenvalue d2 The frequency weight corresponding to the eigenvalue d2

如上所述,於步驟S250中,透過將多個子風險分數相加,可取得[實施例A]中的風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」的風險分數。As described above, in step S250, by adding up the multiple sub-risk scores, the risk score of the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" in [Example A] can be obtained.

於部分實施例中,於步驟S240和S250中,風險解析模組133僅針對最具關鍵的特徵類別執行。以部分實施例中,風險解析模組133以特徵類別中與概念值之間的關聯係數較高者作為最具關鍵的特徵類別。In some embodiments, in steps S240 and S250, the risk analysis module 133 is executed only for the most critical feature category. In some embodiments, the risk analysis module 133 uses the feature category with a higher correlation coefficient with the concept value as the most critical feature category.

於步驟S260中,依據風險分數判定風險事件的風險程度並更新異常交易偵測資料庫。於部分實施例中,依據步驟S250中計算出的風險分數,第1圖中的風險告警模組135判定風險事件的風險程度,並依據風險事件的風險程度執行驗證值中的至少一者。於部分實施例中,當風險分數高於風險分數閾值時,風險告警模組135執行驗證值中的至少一者。In step S260, the risk level of the risk event is determined based on the risk score and the abnormal transaction detection database is updated. In some embodiments, the risk alarm module 135 in FIG. 1 determines the risk level of the risk event based on the risk score calculated in step S250, and performs at least one of the verification values based on the risk level of the risk event. In some embodiments, when the risk score is higher than the risk score threshold, the risk alarm module 135 performs at least one of the verification values.

於部分實施例中,依據風險事件,風險告警模組135由儲存在記憶體110中的多個驗證值選擇與風險事件關聯性較高者執行。In some embodiments, based on the risk event, the risk alarm module 135 selects a verification value with a higher correlation with the risk event from the multiple verification values stored in the memory 110 to execute.

舉例而言,以[實施例A]為例進行說明。依據[實施例A]中的風險事件「王老先生透過DCB交易疑似遭盜刷2萬元」,風險告警模組135執行驗證值包含以下:(驗證值f1)驗證是否為本人交易並採用生物辨識認證、(驗證值f2)驗證是否為本人授權交易且使用信用卡副卡。For example, let's take [Example A] as an example. According to the risk event "Mr. Wang was suspected of being robbed of 20,000 yuan through DCB transactions" in [Example A], the risk alarm module 135 executes the following verification values: (Verification value f1) Verification whether the transaction is made by the person himself and biometric authentication is used, (Verification value f2) Verification whether the transaction is authorized by the person himself and the credit card secondary card is used.

上述僅針對[實施例A]中的風險事件的風險分數的計算方式進行詳細說明,[實施例B]中的風險事件的風險分數的計算方式與上述[實施例A]中的風險事件的風險分數的計算方式相類似。The above only describes in detail the method for calculating the risk score of the risk event in [Example A]. The method for calculating the risk score of the risk event in [Example B] is similar to the method for calculating the risk score of the risk event in [Example A] above.

於部分實施例中,依據風險事件的風險分數或風險程度,風險告警模組135判定是否需通報相關單位。於部分實施例中,於相關單位(例如風管人員)接收到通報後,相關單位針對風險事件進行調查,並產生反饋資訊。於部分實施例中,反饋模組137用以接收反饋資訊,並將反饋資訊傳送至優化模組139,以使優化模組139依據反饋資訊對異常交易偵測資料庫進行優化。In some embodiments, the risk alarm module 135 determines whether to notify the relevant units according to the risk score or risk level of the risk event. In some embodiments, after the relevant units (such as wind pipe personnel) receive the notification, the relevant units investigate the risk event and generate feedback information. In some embodiments, the feedback module 137 is used to receive the feedback information and transmit the feedback information to the optimization module 139, so that the optimization module 139 optimizes the abnormal transaction detection database according to the feedback information.

舉例而言,於部分實施例中,反饋模組137接收的反饋資訊包含驗證值是否適用。若是驗證值不適用,則優化模組139降低驗證值的相關係數。For example, in some embodiments, the feedback information received by the feedback module 137 includes whether the verification value is applicable. If the verification value is not applicable, the optimization module 139 reduces the correlation coefficient of the verification value.

於部分實施例中,優化模組139更用以每隔一固定時間判斷異常交易偵測資料庫中的特徵類別、概念值、驗證值或是範例特徵值是否仍有效並進行異常交易偵測資料庫的更新。In some embodiments, the optimization module 139 is further configured to determine whether the feature category, concept value, verification value, or example feature value in the abnormal transaction detection database is still valid at regular intervals and to update the abnormal transaction detection database.

於部分實施例中,優化模組139依據預設規則更新異常交易偵測資料庫。舉例而言,3G業務特許執照有效期間至西元2018年12月31日止,屆滿後失其效力。則於2019年1月1日時,優化模組139降低與3G業務特許執照相關之特徵類別、概念值、驗證值或是範例特徵值的相關係數。In some embodiments, the optimization module 139 updates the abnormal transaction detection database according to the preset rules. For example, the 3G business license is valid until December 31, 2018, and loses its validity after the expiration. On January 1, 2019, the optimization module 139 reduces the correlation coefficient of the feature category, concept value, verification value or example feature value related to the 3G business license.

在一些實施例中,第1圖中的處理器130可以為單一處理器或多個微處理器的整合裝置,例如中央處理器(central processing unit,CPU)、圖形處理器(graphics processing unit,GPU)或特殊應用積體電路(application-specific integrated circuit,ASIC)、伺服器或其他具有資料存取、資料計算、資料儲存、資料傳送與接收、或類似功能的運算電路或元件。此外,處理器130中的各個功能模塊亦能以具有資料存取、資料計算、資料儲存、資料傳送與接收、或類似功能的運算電路或元件實現。In some embodiments, the processor 130 in FIG. 1 may be a single processor or an integrated device of multiple microprocessors, such as a central processing unit (CPU), a graphics processing unit (GPU), or an application-specific integrated circuit (ASIC), a server, or other computing circuits or components with data access, data calculation, data storage, data transmission and reception, or similar functions. In addition, each functional module in the processor 130 may also be implemented with computing circuits or components with data access, data calculation, data storage, data transmission and reception, or similar functions.

由上述可知,本案實施方式提供了一種異常交易偵測方法及異常交易偵測裝置,可以自動化風險規則更新和生成、動態風險等級調整以及智能化的規則生命週期管理。詳細而言,本案的實施方式可以自動學習和更新風險規則,這樣可以減少人工遺漏的可能性。自動化不僅提高了偵測準確率,還確保了系統能夠及時響應新出現的欺詐模式和威脅。此外通過實施算法和模型,可以使風險等級的調整變得更加靈活和實時,而不再依賴於固定的、人工定義的流程。這樣可以更快地識別和應對新出現的或日益變化的威脅,從而增強系統的適應性和響應速度。再者,本案的實施方式可以自動識別並下線不再有效或不再使用的風險規則。這樣不僅可以提高系統的效率和性能,還可以避免因過時或無效的規則而導致的誤報和漏報。From the above, it can be seen that the implementation method of this case provides an abnormal transaction detection method and an abnormal transaction detection device, which can automate the update and generation of risk rules, dynamic risk level adjustment and intelligent rule life cycle management. In detail, the implementation method of this case can automatically learn and update risk rules, which can reduce the possibility of human omissions. Automation not only improves the accuracy of detection, but also ensures that the system can respond to emerging fraud patterns and threats in a timely manner. In addition, by implementing algorithms and models, the adjustment of risk levels can become more flexible and real-time, and no longer rely on fixed, manually defined processes. This allows for faster identification and response to new or evolving threats, thereby increasing the system's adaptability and responsiveness. Furthermore, the implementation of this case can automatically identify and remove risk rules that are no longer valid or in use. This not only improves the efficiency and performance of the system, but also avoids false positives and missed positives caused by outdated or invalid rules.

雖然上文實施方式中揭露了本案的具體實施例,然其並非用以限定本案,本案所屬技術領域中具有通常知識者,在不悖離本案之原理與精神的情形下,當可對其進行各種更動與修飾,因此本案之保護範圍當以附隨申請專利範圍所界定者為準。Although the above implementation method discloses a specific implementation example of the present case, it is not intended to limit the present case. A person with ordinary knowledge in the technical field to which the present case belongs can make various changes and modifications without deviating from the principle and spirit of the present case. Therefore, the scope of protection of the present case shall be based on that defined by the scope of the attached patent application.

100:異常交易偵測裝置 110:記憶體 130:處理器 131:事件偵測模組 133:風險解析模組 135:風險告警模組 137:反饋模組 139:優化模組 200:異常交易偵測方法 S210,S220,S230,S240,S250,S260:步驟 S242,S244:步驟100: Abnormal transaction detection device 110: Memory 130: Processor 131: Event detection module 133: Risk analysis module 135: Risk alarm module 137: Feedback module 139: Optimization module 200: Abnormal transaction detection method S210, S220, S230, S240, S250, S260: Steps S242, S244: Steps

為讓本案之上述和其他目的、特徵、優點與實施例能更明顯易懂,所附圖式之說明如下: 第1圖係依照本案一些實施例繪示一種異常交易偵測裝置的方塊示意圖。 第2圖係依照本案一些實施例繪示一種異常交易偵測方法的步驟流程圖。 第3圖係依照本案一些實施例繪示第2圖中的異常交易偵測方法中的其中一步驟的流程圖。 In order to make the above and other purposes, features, advantages and embodiments of the present invention more clearly understandable, the attached drawings are described as follows: Figure 1 is a block diagram of an abnormal transaction detection device according to some embodiments of the present invention. Figure 2 is a flow chart of the steps of an abnormal transaction detection method according to some embodiments of the present invention. Figure 3 is a flow chart of one step in the abnormal transaction detection method in Figure 2 according to some embodiments of the present invention.

國內寄存資訊(請依寄存機構、日期、號碼順序註記) 無 國外寄存資訊(請依寄存國家、機構、日期、號碼順序註記) 無 Domestic storage information (please note in the order of storage institution, date, and number) None Foreign storage information (please note in the order of storage country, institution, date, and number) None

200:異常交易偵測方法 200: Abnormal transaction detection method

S210,S220,S230,S240,S250,S260:步驟 S210,S220,S230,S240,S250,S260: Steps

Claims (10)

一種異常交易偵測方法,適用於包含一異常交易偵測資料庫的裝置,其中該異常交易偵測資料庫包含複數個特徵類別、複數個概念值、複數個驗證值以及對應於該些概念值與該些特徵類別的複數個權重表,其中該異常交易偵測方法包含: 分析一風險事件以取得複數個特徵值,其中該些特徵值中的每一者與該些特徵類別中的其中一者相對應; 取得該些特徵值與該些概念值之間的複數個關聯係數,以計算該些概念值的複數個關聯分數; 依據該些關聯分數將該些概念值排序,以取得與該風險事件之間關聯性較高的複數個代表概念值; 依據該些特徵值以及該些權重表取得與該些特徵值相對應的複數個風險加權值以及複數個頻率權重,其中該些權重表對應於該些概念值與該些特徵類別; 依據該些代表概念值的複數個概念分數、該些風險加權值以及該些頻率權重計算該風險事件的一風險分數;以及 依據該風險分數判定該風險事件的一風險程度並更新該異常交易偵測資料庫。 An abnormal transaction detection method is applicable to a device including an abnormal transaction detection database, wherein the abnormal transaction detection database includes a plurality of feature categories, a plurality of concept values, a plurality of verification values, and a plurality of weight tables corresponding to the concept values and the feature categories, wherein the abnormal transaction detection method includes: Analyzing a risk event to obtain a plurality of feature values, wherein each of the feature values corresponds to one of the feature categories; Obtaining a plurality of correlation coefficients between the feature values and the concept values to calculate a plurality of correlation scores for the concept values; Sorting the concept values according to the correlation scores to obtain a plurality of representative concept values with a higher correlation with the risk event; According to the characteristic values and the weight tables, a plurality of risk weighted values and a plurality of frequency weights corresponding to the characteristic values are obtained, wherein the weight tables correspond to the concept values and the characteristic categories; According to the plurality of concept scores representing the concept values, the risk weighted values and the frequency weights, a risk score of the risk event is calculated; and According to the risk score, a risk level of the risk event is determined and the abnormal transaction detection database is updated. 如請求項1所述之異常交易偵測方法,其中該些特徵值包含一第一特徵值以及一第二特徵值,其中該些概念值包含一第一概念值,其中計算該些概念值的該些關聯分數包含: 取得該第一概念值與該第一特徵值之間的一第一關聯係數; 取得該第一概念值與該第二特徵值之間的一第二關聯係數;以及 將該第一關聯係數與該第二關聯係數相加以取得該第一概念值的一第一關聯分數。 An abnormal transaction detection method as described in claim 1, wherein the feature values include a first feature value and a second feature value, wherein the concept values include a first concept value, and wherein calculating the correlation scores of the concept values includes: Obtaining a first correlation coefficient between the first concept value and the first feature value; Obtaining a second correlation coefficient between the first concept value and the second feature value; and Adding the first correlation coefficient and the second correlation coefficient to obtain a first correlation score for the first concept value. 如請求項1所述之異常交易偵測方法,其中該些特徵值中的一第一特徵值與該些特徵類別中的一第一特徵類別相對應,其中該些代表概念值中的一第一代表概念值對應於該第一特徵類別包含複數個特徵區間,其中依據該些特徵值以及該些權重表取得與該些特徵值相對應的該些風險加權值以及該些頻率權重包含: 判定該第一特徵值對應於該些特徵區間中的一第一特徵區間;以及 取得與該第一特徵區間相對應的一第一風險加權值以及一第一頻率權重。 An abnormal transaction detection method as described in claim 1, wherein a first characteristic value among the characteristic values corresponds to a first characteristic category among the characteristic categories, wherein a first representative concept value among the representative concept values corresponds to the first characteristic category including a plurality of characteristic intervals, wherein obtaining the risk weighted values and the frequency weights corresponding to the characteristic values according to the characteristic values and the weight tables comprises: Determining that the first characteristic value corresponds to a first characteristic interval among the characteristic intervals; and Obtaining a first risk weighted value and a first frequency weight corresponding to the first characteristic interval. 如請求項3所述之異常交易偵測方法,其中依據該些代表概念值的該些概念分數、該些風險加權值以及該些頻率權重計算該風險事件的該風險分數包含: 將該第一代表概念值的一第一概念分數、該第一風險加權值以及該第一頻率權重相乘以取得一第一子風險分數; 將該第一代表概念值的該第一概念分數、一第二風險加權值以及一第二頻率權重相乘以取得一第二子風險分數,其中該第二風險加權值以及該第二頻率權重依據該第一代表概念值、一第二特徵值以及一第二特徵類別取得; 將一第二代表概念值的一第二概念分數、一第三風險加權值以及一第三頻率權重相乘以取得一第三子風險分數,其中該第三風險加權值以及該第三頻率權重依據該第二代表概念值、該第一特徵值以及該第一特徵類別取得; 將該第二代表概念值的該第二概念分數、一第四風險加權值以及一第四頻率權重相乘以取得一第四子風險分數,其中該第四風險加權值以及該第四頻率權重依據該第二代表概念值、該第二特徵值以及該第二特徵類別取得;以及 將該第一子風險分數、該第二子風險分數、該第三子風險分數以及該第四子風險分數相加以計算該風險分數。 The abnormal transaction detection method as described in claim 3, wherein the risk score of the risk event is calculated based on the concept scores of the representative concept values, the risk weighted values and the frequency weights, including: Multiplying a first concept score of the first representative concept value, the first risk weighted value and the first frequency weight to obtain a first sub-risk score; Multiplying the first concept score of the first representative concept value, a second risk weighted value and a second frequency weight to obtain a second sub-risk score, wherein the second risk weighted value and the second frequency weight are obtained based on the first representative concept value, a second feature value and a second feature category; A second concept score of a second representative concept value, a third risk weighted value, and a third frequency weight are multiplied to obtain a third sub-risk score, wherein the third risk weighted value and the third frequency weight are obtained according to the second representative concept value, the first feature value, and the first feature category; A second concept score of the second representative concept value, a fourth risk weighted value, and a fourth frequency weight are multiplied to obtain a fourth sub-risk score, wherein the fourth risk weighted value and the fourth frequency weight are obtained according to the second representative concept value, the second feature value, and the second feature category; and The first sub-risk score, the second sub-risk score, the third sub-risk score, and the fourth sub-risk score are added to calculate the risk score. 如請求項1所述之異常交易偵測方法,更包含: 於該風險分數高於一風險分數閾值時,依據該風險事件執行該些驗證值中的至少一者。 The abnormal transaction detection method as described in claim 1 further includes: When the risk score is higher than a risk score threshold, at least one of the verification values is executed according to the risk event. 一種異常交易偵測裝置,包含: 一記憶體,儲存有一異常交易偵測資料庫,其中該異常交易偵測資料庫包含複數個特徵類別、複數個概念值、複數個驗證值以及對應於該些概念值與該些特徵類別的複數個權重表;以及 一處理器,耦接於該記憶體,用以執行: 分析一風險事件以取得複數個特徵值,其中該些特徵值中的每一者與該些特徵類別中的其中一者相對應; 取得該些特徵值與該些概念值之間的複數個關聯係數,以計算該些概念值的複數個關聯分數; 依據該些關聯分數將該些概念值排序,以取得與該風險事件之間關聯性較高的複數個代表概念值; 依據該些特徵值以及該些權重表取得與該些特徵值相對應的複數個風險加權值以及複數個頻率權重,其中該些權重表對應於該些概念值與該些特徵類別; 依據該些代表概念值的複數個概念分數、該些風險加權值以及該些頻率權重計算該風險事件的一風險分數;以及 依據該風險分數判定該風險事件的一風險程度並更新該異常交易偵測資料庫。 An abnormal transaction detection device comprises: A memory storing an abnormal transaction detection database, wherein the abnormal transaction detection database comprises a plurality of feature categories, a plurality of concept values, a plurality of verification values, and a plurality of weight tables corresponding to the concept values and the feature categories; and A processor coupled to the memory for executing: Analyzing a risk event to obtain a plurality of feature values, wherein each of the feature values corresponds to one of the feature categories; Obtaining a plurality of correlation coefficients between the feature values and the concept values to calculate a plurality of correlation scores for the concept values; Sorting the concept values according to the correlation scores to obtain a plurality of representative concept values with a higher correlation with the risk event; According to the feature values and the weight tables, obtaining a plurality of risk weighted values and a plurality of frequency weights corresponding to the feature values, wherein the weight tables correspond to the concept values and the feature categories; Calculating a risk score of the risk event according to the plurality of concept scores of the representative concept values, the risk weighted values and the frequency weights; and Determining a risk level of the risk event according to the risk score and updating the abnormal transaction detection database. 如請求項6所述之異常交易偵測裝置,其中該些特徵值包含一第一特徵值以及一第二特徵值,其中該些概念值包含一第一概念值,其中該處理器更用以執行: 取得該第一概念值與該第一特徵值之間的一第一關聯係數; 取得該第一概念值與該第二特徵值之間的一第二關聯係數;以及 將該第一關聯係數與該第二關聯係數相加以取得該第一概念值的一第一關聯分數。 An abnormal transaction detection device as described in claim 6, wherein the characteristic values include a first characteristic value and a second characteristic value, wherein the concept values include a first concept value, and wherein the processor is further used to execute: Obtain a first correlation coefficient between the first concept value and the first characteristic value; Obtain a second correlation coefficient between the first concept value and the second characteristic value; and Add the first correlation coefficient and the second correlation coefficient to obtain a first correlation score for the first concept value. 如請求項6所述之異常交易偵測裝置,其中該些特徵值中的一第一特徵值與該些特徵類別中的一第一特徵類別相對應,其中該些代表概念值中的一第一代表概念值對應於該第一特徵類別包含複數個特徵區間,其中該處理器更用以: 判定該第一特徵值對應於該些特徵區間中的一第一特徵區間;以及 取得與該第一特徵區間相對應的一第一風險加權值以及一第一頻率權重。 An abnormal transaction detection device as described in claim 6, wherein a first characteristic value among the characteristic values corresponds to a first characteristic category among the characteristic categories, wherein a first representative concept value among the representative concept values corresponds to the first characteristic category including a plurality of characteristic intervals, wherein the processor is further used to: determine that the first characteristic value corresponds to a first characteristic interval among the characteristic intervals; and obtain a first risk weighted value and a first frequency weight corresponding to the first characteristic interval. 如請求項8所述之異常交易偵測裝置,其中該處理器更用以: 將該第一代表概念值的一第一概念分數、該第一風險加權值以及該第一頻率權重相乘以取得一第一子風險分數; 將該第一代表概念值的該第一概念分數、一第二風險加權值以及一第二頻率權重相乘以取得一第二子風險分數,其中該第二風險加權值以及該第二頻率權重依據該第一代表概念值、一第二特徵值以及一第二特徵類別取得; 將一第二代表概念值的一第二概念分數、一第三風險加權值以及一第三頻率權重相乘以取得一第三子風險分數,其中該第三風險加權值以及該第三頻率權重依據該第二代表概念值、該第一特徵值以及該第一特徵類別取得; 將該第二代表概念值的該第二概念分數、一第四風險加權值以及一第四頻率權重相乘以取得一第四子風險分數,其中該第四風險加權值以及該第四頻率權重依據該第二代表概念值、該第二特徵值以及該第二特徵類別取得;以及 將該第一子風險分數、該第二子風險分數、該第三子風險分數以及該第四子風險分數相加以計算該風險分數。 An abnormal transaction detection device as described in claim 8, wherein the processor is further used to: Multiply a first concept score of the first representative concept value, the first risk weighted value, and the first frequency weight to obtain a first sub-risk score; Multiply the first concept score of the first representative concept value, a second risk weighted value, and a second frequency weight to obtain a second sub-risk score, wherein the second risk weighted value and the second frequency weight are obtained based on the first representative concept value, a second feature value, and a second feature category; A second concept score of a second representative concept value, a third risk weighted value, and a third frequency weight are multiplied to obtain a third sub-risk score, wherein the third risk weighted value and the third frequency weight are obtained according to the second representative concept value, the first feature value, and the first feature category; A second concept score of the second representative concept value, a fourth risk weighted value, and a fourth frequency weight are multiplied to obtain a fourth sub-risk score, wherein the fourth risk weighted value and the fourth frequency weight are obtained according to the second representative concept value, the second feature value, and the second feature category; and The first sub-risk score, the second sub-risk score, the third sub-risk score, and the fourth sub-risk score are added to calculate the risk score. 如請求項6所述之異常交易偵測裝置,其中該處理器更用以: 於該風險分數高於一風險分數閾值時,依據該風險事件執行該些驗證值中的至少一者。 The abnormal transaction detection device as described in claim 6, wherein the processor is further used to: When the risk score is higher than a risk score threshold, execute at least one of the verification values according to the risk event.
TW113115845A 2024-04-26 2024-04-26 Abnormal transaction detection method and abnormal transaction detection device TWI883938B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW113115845A TWI883938B (en) 2024-04-26 2024-04-26 Abnormal transaction detection method and abnormal transaction detection device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW113115845A TWI883938B (en) 2024-04-26 2024-04-26 Abnormal transaction detection method and abnormal transaction detection device

Publications (2)

Publication Number Publication Date
TWI883938B true TWI883938B (en) 2025-05-11
TW202542812A TW202542812A (en) 2025-11-01

Family

ID=96582028

Family Applications (1)

Application Number Title Priority Date Filing Date
TW113115845A TWI883938B (en) 2024-04-26 2024-04-26 Abnormal transaction detection method and abnormal transaction detection device

Country Status (1)

Country Link
TW (1) TWI883938B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190043056A1 (en) * 2013-07-03 2019-02-07 Google Llc Fraud prevention based on user activity data
TWM588842U (en) * 2019-08-19 2020-01-01 國泰人壽保險股份有限公司 System of transaction monitor
TWI690884B (en) * 2016-12-30 2020-04-11 大陸商中國銀聯股份有限公司 Abnormal transfer detection method, device, storage medium, electronic equipment and products
TWM606890U (en) * 2020-09-30 2021-01-21 臺灣土地銀行股份有限公司 Transaction abnormality evaluation system
TWM647883U (en) * 2023-06-30 2023-11-01 臺灣土地銀行股份有限公司 Monitoring system for abnormal patterns in account transactions
CN117633683A (en) * 2023-11-29 2024-03-01 天翼电子商务有限公司 Abnormal transaction data detection methods, devices and electronic equipment
CN117911034A (en) * 2024-01-22 2024-04-19 中国工商银行股份有限公司 Credit card abnormal transaction detection method and device

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190043056A1 (en) * 2013-07-03 2019-02-07 Google Llc Fraud prevention based on user activity data
TWI690884B (en) * 2016-12-30 2020-04-11 大陸商中國銀聯股份有限公司 Abnormal transfer detection method, device, storage medium, electronic equipment and products
TWM588842U (en) * 2019-08-19 2020-01-01 國泰人壽保險股份有限公司 System of transaction monitor
TWM606890U (en) * 2020-09-30 2021-01-21 臺灣土地銀行股份有限公司 Transaction abnormality evaluation system
TWM647883U (en) * 2023-06-30 2023-11-01 臺灣土地銀行股份有限公司 Monitoring system for abnormal patterns in account transactions
CN117633683A (en) * 2023-11-29 2024-03-01 天翼电子商务有限公司 Abnormal transaction data detection methods, devices and electronic equipment
CN117911034A (en) * 2024-01-22 2024-04-19 中国工商银行股份有限公司 Credit card abnormal transaction detection method and device

Also Published As

Publication number Publication date
TW202542812A (en) 2025-11-01

Similar Documents

Publication Publication Date Title
CN110324362B (en) Block chain user credibility evaluation method based on interactive behaviors
US11695755B2 (en) Identity proofing and portability on blockchain
US11550905B2 (en) Intelligent security risk assessment
CA2821095C (en) System and method for detecting fraudulent account access and transfers
US20220131844A1 (en) Identity access management using access attempts and profile updates
US10546099B2 (en) Method of personalizing, individualizing, and automating the management of healthcare fraud-waste-abuse to unique individual healthcare providers
US20190355058A1 (en) Method and apparatus for processing credit score real-time adjustment, and processing server
CN108765179A (en) A kind of credible social networks analysis method calculated based on figure
CN110830448A (en) Traffic anomaly detection method, device, electronic device and medium for target event
CN111260372B (en) Resource transfer user group determination method, device, computer equipment and storage medium
Weber et al. Black loans matter: Distributionally robust fairness for fighting subgroup discrimination
CN119363384A (en) Network risk quantification method, device, computer equipment and storage medium
CN120672350B (en) Big data-based recharging risk assessment method and system
CN111353147B (en) Password strength evaluation method, device, equipment and readable storage medium
TWI883938B (en) Abnormal transaction detection method and abnormal transaction detection device
CN112613231A (en) Track training data perturbation mechanism with balanced privacy in machine learning
CN117829987B (en) Real estate information management method and system
EP3882795B1 (en) Fraud detection system, fraud detection method, and program
CN115705412A (en) Object identification method and device, computing equipment and storage medium
CN117350461A (en) Enterprise abnormal behavior early warning method, system, computer equipment and storage medium
CN119963343B (en) Medical insurance anti-fraud intelligent management system and management method thereof
Chenab et al. Exposure to Discretionary Arrests Increases Support for Anti-Police Protests
TWM658546U (en) Vulnerable customer group analysis system
CN120765370A (en) Risk classification method, device, storage medium and electronic equipment
CN115169666A (en) Business forecasting method and device