CN114331593A - Malicious order identification and processing method, device, equipment and storage medium - Google Patents

Publication number: CN114331593A
Authority: CN (China)
Prior art keywords: address, order, malicious, abnormal, orders
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111525100.2A
Other languages: Chinese (zh)
Inventor: 刘培明
Current Assignee: OneConnect Financial Technology Co Ltd Shanghai (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: OneConnect Financial Technology Co Ltd Shanghai
Application filed by: OneConnect Financial Technology Co Ltd Shanghai
Priority to: CN202111525100.2A
Publication of: CN114331593A

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a method, apparatus, device and storage medium for identifying and processing malicious orders. The method includes: obtaining the IP address, contact phone number, delivery address and behavior data recorded when a user places an order; inputting the behavior data into a pre-trained behavior analysis and prediction model to obtain the probability that the behavior data is abnormal behavior; when the probability exceeds a preset probability threshold, analyzing, based on preset rules, whether the IP address, contact phone number and delivery address are abnormal; when one or more of the IP address, contact phone number and delivery address dimensions are abnormal, marking the order as a malicious order and blacklisting the user; and when the IP address, contact phone number and delivery address are all normal, tagging the order as suspicious. By analyzing behavior data that has a high probability of indicating a malicious order, and then using several other dimensions to analyze whether the order is malicious, the invention improves the accuracy of malicious order identification.

Figure 202111525100

Description

Method, apparatus, device and storage medium for identifying and processing malicious orders

Technical field

The present application relates to the technical field of e-commerce and data processing, and in particular to a method, apparatus, device and storage medium for identifying and processing malicious orders.

Background

With the development of the e-commerce industry, platform traffic keeps growing and customers' malicious tactics are becoming more varied. Merchants have filed concentrated complaints about being attacked with malicious orders, and the losses caused by malicious orders keep increasing. Moreover, the malicious orders that merchants actively report are only a part of all malicious orders, and a large number of malicious orders are still growing rampantly. When a merchant encounters malicious orders, this not only causes a backlog of inventory but also increases the return requests on the merchant's orders to its suppliers, which affects the merchant's rating with those suppliers.

At present, when customer service staff identify malicious orders, they lack a comprehensive and objective analysis of all the information in an order, so the analysis results are not accurate enough and a great deal of manpower is consumed.

Summary of the invention

The present application provides a method, apparatus, device and storage medium for identifying and processing malicious orders, in order to solve the problem of low accuracy in identifying malicious orders.

To solve the above technical problem, one technical solution adopted by the present application is to provide a method for identifying and processing malicious orders, including: obtaining the IP address, contact phone number, delivery address and behavior data recorded when a user places an order; inputting the behavior data into a pre-trained behavior analysis and prediction model to obtain the probability that the behavior data is abnormal behavior, the model being trained on historical malicious order data from a pre-prepared sample of group users; when the probability exceeds a preset probability threshold, analyzing, based on preset rules, whether the IP address, contact phone number and delivery address are abnormal; when one or more of the IP address, contact phone number and delivery address dimensions are abnormal, marking the order as a malicious order and blacklisting the user; and when the IP address, contact phone number and delivery address are all normal, tagging the order as suspicious.

As a further improvement of the present application, after obtaining the probability that the behavior data is abnormal behavior, the method further includes: when the probability does not exceed the preset probability threshold, analyzing, based on the preset rules, whether the IP address, contact phone number and delivery address are abnormal; when two or more of the IP address, contact phone number and delivery address dimensions are abnormal, marking the order as a malicious order and blacklisting the user; and when exactly one of these dimensions is abnormal, tagging the order as suspicious.

As a further improvement of the present application, after tagging the order as suspicious, the method further includes: counting the number of orders tagged as suspicious among all of the user's historical orders; and when that number exceeds a preset order quantity, marking the order as a malicious order and blacklisting the user.

As a further improvement of the present application, analyzing the IP address based on the preset rules includes: matching the IP address against the historical IP addresses in the historical order data of all users to determine the number of users who have placed orders from that IP address; when the number of users exceeds a preset number of users, marking the IP address as abnormal; and when the number of users does not exceed the preset number of users, resolving the hierarchical relationship of the IP address and, if it is confirmed that the IP address uses a proxy, marking the IP address as abnormal.

As a further improvement of the present application, analyzing the contact phone number based on the preset rules includes: matching the contact phone number against the virtual-number segments obtained in advance from the carrier to confirm whether the contact phone number is a virtual number; and if so, marking the contact phone number as abnormal.

As a further improvement of the present application, analyzing the delivery address based on the preset rules includes: determining whether the delivery address has previously received normal orders; and if not, marking the delivery address as abnormal when map data confirms that it does not satisfy the preset delivery address conditions.

As a further improvement of the present application, after tagging the order as suspicious, the method further includes: transferring the order to manual verification, and blacklisting the user when the manual verification result is that the order is malicious.

To solve the above technical problem, another technical solution adopted by the present application is to provide an apparatus for identifying and processing malicious orders, including: an acquisition module for obtaining the IP address, contact phone number, delivery address and behavior data recorded when a user places an order; a prediction module for inputting the behavior data into a pre-trained behavior analysis and prediction model to obtain the probability that the behavior data is abnormal behavior, the model being trained on historical malicious order data from a pre-prepared sample of group users; a multi-dimensional analysis module for analyzing, based on preset rules, whether the IP address, contact phone number and delivery address are abnormal when the probability exceeds a preset probability threshold; a first processing module for marking the order as a malicious order and blacklisting the user when one or more of the IP address, contact phone number and delivery address dimensions are abnormal; and a second processing module for tagging the order as suspicious when the IP address, contact phone number and delivery address are all normal.

To solve the above technical problem, yet another technical solution adopted by the present application is to provide a computer device including a processor and a memory coupled to the processor, the memory storing program instructions which, when executed by the processor, cause the processor to perform the steps of the method for identifying and processing malicious orders described in any of the above.

To solve the above technical problem, yet another technical solution adopted by the present application is to provide a storage medium storing program instructions capable of implementing the above method for identifying and processing malicious orders.

The beneficial effects of the present application are as follows. The method first takes the behavior data, in which abnormal operations are easy to recognize, and uses the behavior analysis and prediction model to predict the probability that the behavior data recorded when the user placed the order is abnormal. When that probability exceeds the preset probability threshold, the order is further analyzed along the three dimensions of IP address, contact phone number and delivery address, and an anomaly in any of the three dimensions directly settles whether the order is an abnormal order. This gives an identification scheme in which the behavior data at order time is the primary signal and the IP address, contact phone number and delivery address are secondary signals, which greatly improves the accuracy of malicious order identification. When none of the three dimensions is abnormal, the order is tagged as suspicious so that such orders can be quickly located and verified. Finally, users who have placed malicious orders are blacklisted to prevent further malicious harassment.

Description of drawings

FIG. 1 is a schematic flowchart of the method for identifying and processing malicious orders according to the first embodiment of the present invention;

FIG. 2 is a schematic diagram of the functional modules of the apparatus for identifying and processing malicious orders according to an embodiment of the present invention;

FIG. 3 is a schematic structural diagram of the computer device according to an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of the storage medium according to an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the present application without creative effort fall within the scope of protection of the present application.

The terms "first", "second" and "third" in this application are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature qualified by "first", "second" or "third" may therefore explicitly or implicitly include at least one such feature. In the description of this application, "a plurality of" means at least two, for example two or three, unless expressly and specifically defined otherwise. All directional indications in the embodiments of this application (such as up, down, left, right, front, rear...) are used only to explain the relative positions and movements of components in a particular posture (as shown in the drawings); if that posture changes, the directional indication changes accordingly. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.

Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of this phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive of other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.

FIG. 1 is a schematic flowchart of the method for identifying and processing malicious orders according to an embodiment of the present invention. Note that, provided the result is substantially the same, the method of the present invention is not limited to the order of the flow shown in FIG. 1. As shown in FIG. 1, the method includes the following steps:

Step S101: Obtain the IP address, contact phone number, delivery address and behavior data recorded when the user places an order.

Specifically, after a user places an order on the shopping platform, the platform records the data related to the order, including but not limited to the IP address, contact phone number, delivery address and behavior data. The behavior data includes the quantity of goods ordered, the order payment time, the order payment method, order refund operations, and so on. It should be understood that the behavior data recorded when a user places an order can usually indicate, to a large extent, whether the user's operation is malicious. In this embodiment the behavior data at order time is therefore the primary criterion, while the IP address, contact phone number and delivery address carry less weight: for example, a user may accidentally enter a wrong contact phone number or a wrong address without intending to place a malicious order. The IP address, contact phone number and delivery address are therefore used as secondary criteria, and the judgment based on the behavior data is combined with the judgment based on the IP address, contact phone number and delivery address to confirm whether the order is a malicious order.

Step S102: Input the behavior data into the pre-trained behavior analysis and prediction model to obtain the probability that the behavior data is abnormal behavior; the behavior analysis and prediction model is trained on historical malicious order data from a pre-prepared sample of group users.

Note that the behavior analysis and prediction model is trained on historical malicious order data from a pre-prepared sample of group users. Preferably, the model is built as a binary classifier that analyzes the behavior data to obtain the probability of abnormal behavior and the probability of normal behavior. Common binary classification models include logistic regression, k-nearest neighbors, decision trees, support vector machines and naive Bayes; the binary classifier of this embodiment may be implemented with any of these algorithms, and this embodiment places no restriction on the choice.

Further, analyzing the IP address based on the preset rules includes:

1.1. Match the IP address against the historical IP addresses in the historical order data of all users to determine the number of users who have placed orders from that IP address.

1.2. When the number of users exceeds the preset number of users, mark the IP address as abnormal.

1.3. When the number of users does not exceed the preset number of users, resolve the hierarchical relationship of the IP address and, if it is confirmed that the IP address uses a proxy, mark the IP address as abnormal.

Specifically, when analyzing the IP address dimension, the historical order data of all users is obtained first, and the historical IP addresses are extracted from it. Each historical IP address is matched against the current IP address to find the target users whose historical IP address is the same as the current one. Note that a target user must have placed a certain number of orders from that IP address. The number of target users is then counted, and when it exceeds the preset number of users, the IP address dimension can be considered abnormal. For example, when dozens of users share the same IP address and have all placed orders multiple times, that IP address is very likely being used for malicious order brushing through numerous user accounts. When the number of users does not exceed the preset number, the IP address is resolved further to work out its hierarchical relationship and the physical address it corresponds to, and to check whether the hierarchical relationship of the physical addresses is reasonable. For example, if a foreign IP address appears in the IP hierarchy of a user who is accessing the platform from within the country, this is very likely bulk ordering by a hacker.

Further, analyzing the contact phone number based on the preset rules includes:

2.1. Match the contact phone number against the virtual-number segments obtained in advance from the carrier to confirm whether the contact phone number is a virtual number.

2.2. If so, mark the contact phone number dimension as abnormal.

Specifically, the mobile phone number is how the user is contacted when the parcel is delivered, so it needs to be able to receive calls normally. In malicious ordering, the user registers an account and places orders with a virtual number, which characteristically can only receive text messages and cannot receive calls. Virtual numbers can be identified using the virtual-number segments obtained from the carrier.

Further, a blacklist of mobile phone numbers involved in online fraud can be obtained through other risk-control channels; an order placed with a contact phone number on that blacklist can also be treated as abnormal in the contact phone number dimension.

Note that in some embodiments the contact phone number can also be called directly through a virtual dialing system: if the call connects normally, the contact phone number is normal, and if it cannot be connected, the contact phone number is abnormal.

Further, analyzing the delivery address based on the preset rules includes:

3.1. Determine whether the delivery address has previously received normal orders.

3.2. If not, mark the delivery address as abnormal when map data confirms that it does not satisfy the preset delivery address conditions.

Note that the preset delivery address conditions are set in advance; for example, they include at least one of a residential community address, an office building address, a factory address and a warehouse address.

Specifically, after the delivery address is obtained, the historical delivery addresses in the historical order information are queried to confirm whether this delivery address has ever received a normal order. If so, the delivery address dimension is treated as normal. If not, the delivery address is a new address, and map data is used to confirm whether it satisfies the preset delivery address conditions, for example whether it is an ordinary residential address or an office address. If it does, the delivery address is marked as normal; if not, it is marked as abnormal.

Step S103: When the probability exceeds the preset probability threshold, analyze, based on the preset rules, whether the IP address, contact phone number and delivery address are abnormal. When one or more of the IP address, contact phone number and delivery address dimensions are abnormal, perform step S104; when the IP address, contact phone number and delivery address are all normal, perform step S105.

Specifically, when the probability that the behavior data is abnormal behavior exceeds the preset probability threshold, the order is relatively likely to be malicious. To increase identification accuracy, the order's IP address, contact phone number and delivery address are then analyzed further to confirm whether the order is a malicious order. When one or more of the IP address, contact phone number and delivery address dimensions are abnormal, the probability that the order is malicious is raised further, so step S104 is performed to mark the order as a malicious order. When the IP address, contact phone number and delivery address are all normal, the probability that the order is malicious is not raised further, but the possibility that it is a potentially malicious order still cannot be ruled out, so step S105 is performed to tag the order as suspicious.

Further, in some embodiments, after step S102 the method further includes: when the probability does not exceed the preset probability threshold, analyzing, based on the preset rules, whether the IP address, contact phone number and delivery address are abnormal. When two or more of the IP address, contact phone number and delivery address dimensions are abnormal, step S104 is performed; when exactly one of them is abnormal, step S105 is performed.

Specifically, when the probability does not exceed the preset probability threshold, the probability of abnormal behavior predicted from the user's behavior data is low, but the possibility that the order is malicious still cannot be ruled out. The IP address, contact phone number and delivery address are therefore checked as well. When two or more of these dimensions are abnormal, too many dimensions are abnormal and the order is very likely malicious, so step S104 is performed to mark the order as a malicious order. When exactly one of these dimensions is abnormal, the possibility that the order is malicious still cannot be ruled out, so step S105 is performed to tag the order as suspicious.

In this embodiment, it should be understood that an order can be treated as a normal order only when the probability of abnormal behavior predicted from the behavior data is below the preset probability threshold and the IP address, contact phone number and delivery address are all normal.

Step S104: Mark the order as a malicious order and blacklist the user.

Step S105: Tag the order as suspicious.

Further, for some customers' orders it is difficult to tell whether they are malicious, so the data in the customer's historical orders can be used as a further reference to improve the accuracy of malicious order identification. Therefore, in some embodiments, the method further includes, after step S105:

4.1. Count the number of orders tagged as suspicious among all of the user's historical orders.

Note that all of the user's order records need to be kept.

4.2. When the number of orders exceeds the preset order quantity, mark the order as a malicious order and add the user to the preset blacklist.

Specifically, when the order the user has just placed is tagged as suspicious, all of the user's historical orders are obtained, the historical orders that were tagged as suspicious are filtered out and counted, and the count is compared with the preset order quantity. If the count exceeds the preset order quantity, the user has already placed suspicious orders many times and is relatively likely to place malicious orders, so the order the customer has just placed is marked as a malicious order and the customer is blacklisted.
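The decision procedure of steps S102 to S105, together with the three dimension rules and the suspicious-tag escalation, is sketched below in Python as an added example; it is not code from the patent. All preset values, field names and sample data are constructed, and the proxy lookup result and the map-data address category are assumed to be supplied by external services.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Preset values: the patent text leaves all of these open, so they are constructed.
P_THRESHOLD = 0.5          # preset probability threshold (step S103)
MAX_USERS_PER_IP = 10      # preset number of users per IP (rule 1.2)
MIN_ORDERS_PER_USER = 2    # "a certain number of orders" per counted user
MAX_SUSPICIOUS = 3         # preset number of suspicious-tagged orders (rule 4.2)
OK_ADDRESS_KINDS = {"residential", "office", "factory", "warehouse"}


class Verdict(Enum):
    NORMAL = "normal"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


@dataclass
class Order:
    user_id: str
    ip: str
    phone: str
    address: str
    p_abnormal: float                    # output of the behavior model (S102)
    ip_uses_proxy: bool = False          # assumed result of a proxy lookup
    address_kind: Optional[str] = None   # assumed category from map data


@dataclass
class History:
    orders_by_ip: dict = field(default_factory=dict)      # ip -> {user_id: order count}
    virtual_prefixes: tuple = ()                          # carrier virtual-number segments
    phone_blacklist: set = field(default_factory=set)     # fraud numbers from risk control
    good_addresses: set = field(default_factory=set)      # received normal orders before
    suspicious_count: dict = field(default_factory=dict)  # user_id -> tagged orders
    user_blacklist: set = field(default_factory=set)


def ip_abnormal(o, h):
    per_user = h.orders_by_ip.get(o.ip, {})
    users = sum(1 for n in per_user.values() if n >= MIN_ORDERS_PER_USER)
    if users > MAX_USERS_PER_IP:         # rule 1.2: too many accounts on one IP
        return True
    return o.ip_uses_proxy               # rule 1.3: only reached below the limit


def phone_abnormal(o, h):                # rules 2.1/2.2 plus the fraud blacklist
    return o.phone.startswith(h.virtual_prefixes) or o.phone in h.phone_blacklist


def address_abnormal(o, h):
    if o.address in h.good_addresses:    # rule 3.1: known-good address
        return False
    return o.address_kind not in OK_ADDRESS_KINDS   # rule 3.2: map-data check


RULES = (("ip", ip_abnormal), ("phone", phone_abnormal), ("address", address_abnormal))


def classify(o, h):
    """Return (Verdict, abnormal dimensions); updates the tag count and blacklist."""
    abnormal = [name for name, rule in RULES if rule(o, h)]
    n = len(abnormal)
    if o.p_abnormal > P_THRESHOLD:       # behavior model says likely abnormal
        verdict = Verdict.MALICIOUS if n >= 1 else Verdict.SUSPICIOUS
    elif n >= 2:
        verdict = Verdict.MALICIOUS
    else:
        verdict = Verdict.SUSPICIOUS if n == 1 else Verdict.NORMAL
    if verdict is Verdict.SUSPICIOUS:
        # rules 4.1/4.2, read here as counting the user's earlier tagged orders
        earlier = h.suspicious_count.get(o.user_id, 0)
        if earlier > MAX_SUSPICIOUS:
            verdict = Verdict.MALICIOUS
        h.suspicious_count[o.user_id] = earlier + 1
    if verdict is Verdict.MALICIOUS:
        h.user_blacklist.add(o.user_id)  # step S104
    return verdict, abnormal


def sample_history():
    """Constructed history: one IP shared by 12 accounts, one repeat offender."""
    return History(
        orders_by_ip={"203.0.113.7": {f"u{i}": 3 for i in range(12)}},
        virtual_prefixes=("170", "171"),         # constructed sample segments
        good_addresses={"12 Garden Rd"},
        suspicious_count={"carol": 4},
    )


if __name__ == "__main__":
    h = sample_history()
    for o in (
        Order("alice", "203.0.113.7", "13900000001", "12 Garden Rd", 0.9),
        Order("bob", "198.51.100.20", "13900000002", "12 Garden Rd", 0.9),
        Order("dave", "198.51.100.22", "17100000004", "Lot 9", 0.1),
    ):
        print(o.user_id, *classify(o, h))
```

The asymmetry is the point of the design: above the threshold a single abnormal dimension is enough to mark the order malicious, while below it two are required, and only the combination of a low score with three clean dimensions yields a normal order.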

Further, in order to improve the accuracy of malicious order identification, in some embodiments, after step S105, the method further includes: transferring the order to manual verification, and blocking the user when the manual verification result is a malicious order.

Specifically, when the current order is identified as an order marked with a suspicious label, the order is transferred to manual verification, where staff judge it using their extensive work experience, so that potential malicious orders among the suspicious orders are identified; when the manual verification result is a malicious order, the user is blocked.

Further, in some embodiments, the step of marking the order as a malicious order and blocking the user may also be:

Mark the order as a malicious order, and then add the IP address, contact phone number and delivery address corresponding to the order to their corresponding blacklists.

The IP address, contact phone number and delivery address each have a corresponding preset blacklist, which records the IP addresses, contact phone numbers and delivery addresses that have been used to place malicious orders. Therefore, when an order is received, it can first be checked against the blacklists in four dimensions (the user's ID information, IP address, contact phone number and delivery address); when any one of them is on a blacklist, the order is directly marked as a malicious order.

The method for identifying and processing malicious orders according to the embodiment of the present invention starts from the behavior data, in which abnormal operations are easy to confirm, and uses the behavior analysis prediction model to predict the probability that the behavior data is abnormal when the user places an order. When the probability exceeds the preset probability threshold, the order is further analyzed in the three dimensions of IP address, contact phone number and delivery address, and when an abnormality exists in these three dimensions it is directly determined whether the order is an abnormal order. This realizes a malicious order identification approach based mainly on the user's behavior data at order time and supplemented by the IP address, contact phone number and delivery address, which greatly improves the identification accuracy of malicious orders. When none of the three dimensions is abnormal, the order is marked with a suspicious label so that these orders can be quickly found and verified. Finally, users who have placed malicious orders are blocked to prevent malicious harassment.

FIG. 2 is a schematic diagram of the functional modules of the apparatus for identifying and processing malicious orders according to an embodiment of the present invention. As shown in FIG. 2, the malicious order identification and processing apparatus 50 includes an acquisition module 51, a prediction module 52, a multi-dimensional analysis module 53, a first processing module 54 and a second processing module 55.

The acquisition module 51 is configured to acquire the IP address, contact phone number, delivery address and behavior data when the user places an order;

The prediction module 52 is configured to input the behavior data into the pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, the behavior analysis prediction model being trained on historical malicious order data in a pre-prepared group user sample;

The multi-dimensional analysis module 53 is configured to analyze, based on preset rules, whether the IP address, contact phone number and delivery address are abnormal when the probability exceeds the preset probability threshold;

The first processing module 54 is configured to mark the order as a malicious order and block the user when more than one dimension among the IP address, contact phone number and delivery address is abnormal;

The second processing module 55 is configured to mark the order with a suspicious label when the IP address, contact phone number and delivery address are all normal.

Optionally, after the prediction module 52 performs the operation of inputting the behavior data into the pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, the multi-dimensional analysis module 53 is further configured to: when the probability does not exceed the preset probability threshold, analyze, based on the preset rules, whether the IP address, contact phone number and delivery address are abnormal; the first processing module 54 is further configured to: when two or more dimensions among the IP address, contact phone number and delivery address are abnormal, mark the order as a malicious order; the second processing module 55 is further configured to: when one dimension among the IP address, contact phone number and delivery address is abnormal, mark the order with a suspicious label.

Optionally, after performing the operation of marking the order with a suspicious label, the second processing module 55 is further configured to: count the number of orders marked with a suspicious label among all of the user's historical orders; and when the number of orders exceeds the preset order quantity, mark the order as a malicious order and add the user to the preset blacklist.

Optionally, the operation of analyzing the IP address based on the preset rules, performed by the multi-dimensional analysis module 53, specifically includes: matching the IP address against the historical IP addresses in the historical order data of all users to determine the number of users who have placed orders using the IP address; when the number of users exceeds the preset number of users, marking the IP address as abnormal; when the number of users does not exceed the preset number of users, parsing the hierarchical relationship of the IP address and, when it is confirmed that the IP address uses a proxy, marking the IP address as abnormal.

Optionally, the operation of analyzing the contact phone number based on the preset rules, performed by the multi-dimensional analysis module 53, specifically includes: matching the contact phone number against the virtual number segments obtained in advance from the operator to confirm whether the contact phone number is a virtual number; if so, marking the contact phone number as abnormal.

Optionally, the operation of analyzing the delivery address based on the preset rules, performed by the multi-dimensional analysis module 53, specifically includes: judging whether the delivery address has received historical normal orders; if not, when it is confirmed from map data that the delivery address does not meet the preset delivery address conditions, marking the delivery address as abnormal.

Optionally, after performing the operation of marking the order with a suspicious label, the second processing module 55 is further configured to: transfer the order to manual verification, and block the user when the manual verification result is a malicious order.
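The decision flow described in this section (blacklist pre-check, probability gate, the three rule-based dimension checks, and escalation on repeated suspicious labels), as an added Python example that is not code from the patent. The threshold values, the `Order`/`Store` types, the `via_proxy` and `map_check_ok` inputs, the "normal" label and the sample data are assumptions; "more than one dimension" is read here as "at least one", because the only other branch the page gives for that case is "all normal".

```python
from dataclasses import dataclass, field

# Constructed values: the page only calls these "preset".
PROB_THRESHOLD = 0.8               # preset probability threshold
MAX_USERS_PER_IP = 2               # preset number of users per IP
MAX_SUSPICIOUS_HISTORY = 1         # preset order quantity
VIRTUAL_PREFIXES = ("170", "171")  # sample virtual-number segments (constructed list)

@dataclass
class Order:
    user_id: str
    ip: str
    phone: str
    address: str
    via_proxy: bool = False     # hypothetical: outcome of the IP hierarchy/proxy check
    map_check_ok: bool = True   # hypothetical: outcome of the map-data address check
    label: str = ""

@dataclass
class Store:
    history: list = field(default_factory=list)  # every order record is kept
    blacklists: dict = field(default_factory=lambda: {
        "user_id": set(), "ip": set(), "phone": set(), "address": set()})

def ip_abnormal(order, store):
    # Distinct users who have already ordered from this IP, then the proxy check.
    users = {o.user_id for o in store.history if o.ip == order.ip}
    return len(users) > MAX_USERS_PER_IP or order.via_proxy

def phone_abnormal(order):
    return order.phone.startswith(VIRTUAL_PREFIXES)

def address_abnormal(order, store):
    # An address that has received a normal order is trusted; otherwise the
    # map-data check decides.
    seen_normal = any(o.address == order.address and o.label == "normal"
                      for o in store.history)
    return not seen_normal and not order.map_check_ok

def classify(order, probability, store):
    """Return 'malicious', 'suspicious' or 'normal' and record the order."""
    if any(getattr(order, dim) in listed for dim, listed in store.blacklists.items()):
        label = "malicious"  # blacklist pre-check on the four dimensions
    else:
        abnormal = sum([ip_abnormal(order, store), phone_abnormal(order),
                        address_abnormal(order, store)])
        if probability > PROB_THRESHOLD:
            label = "malicious" if abnormal >= 1 else "suspicious"
        elif abnormal >= 2:
            label = "malicious"
        else:  # "normal" for zero abnormal dimensions is an assumption
            label = "suspicious" if abnormal == 1 else "normal"
        if label == "suspicious":  # steps 4.1 and 4.2: escalate repeat offenders
            prior = sum(o.user_id == order.user_id and o.label == "suspicious"
                        for o in store.history)
            if prior > MAX_SUSPICIOUS_HISTORY:
                label = "malicious"
        if label == "malicious":   # block the user and list IP, phone, address
            for dim, listed in store.blacklists.items():
                listed.add(getattr(order, dim))
    order.label = label
    store.history.append(order)
    return label

def demo():
    """Constructed orders: documentation-range IPs, made-up phones and addresses."""
    s = Store()
    orders = [
        (Order("u1", "198.51.100.7", "13800000001", "A"), 0.9),  # all normal
        (Order("u2", "203.0.113.9", "17000000002", "B"), 0.9),   # virtual number
        (Order("u3", "203.0.113.9", "13800000003", "C"), 0.1),   # IP now blacklisted
        (Order("u4", "192.0.2.4", "17100000004", "D", map_check_ok=False), 0.1),
        (Order("u5", "192.0.2.5", "17100000005", "E"), 0.1),     # one dimension only
    ]
    return [classify(o, p, s) for o, p in orders]
```

Because a blacklist hit short-circuits every later check, a false positive on a shared IP or a reused delivery address propagates to every later order on it, which is why the suspicious tier and manual verification matter.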

For other details of the technical solutions implemented by the modules of the malicious order identification and processing apparatus in the above embodiment, reference may be made to the description of the malicious order identification and processing method in the above embodiments, which is not repeated here.

It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. The apparatus embodiments are basically similar to the method embodiments, so their description is relatively brief; for the relevant parts, refer to the description of the method embodiments.

Please refer to FIG. 3, which is a schematic structural diagram of a computer device according to an embodiment of the present invention. As shown in FIG. 3, the computer device 60 includes a processor 61 and a memory 62 coupled to the processor 61. The memory 62 stores program instructions which, when executed by the processor 61, cause the processor 61 to execute the steps of the malicious order identification and processing method described in any of the above embodiments.

The processor 61 may also be referred to as a CPU (Central Processing Unit). The processor 61 may be an integrated circuit chip with signal processing capability. The processor 61 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.

Referring to FIG. 4, FIG. 4 is a schematic structural diagram of a storage medium according to an embodiment of the present invention. The storage medium of this embodiment stores program instructions 71 capable of implementing all of the above methods. The program instructions 71 may be stored in the storage medium in the form of a software product, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc, or computer equipment such as computers, servers, mobile phones and tablets.

In the several embodiments provided in this application, it should be understood that the disclosed computer device, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

The above are only embodiments of the present application and do not limit the patent scope of the present application. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present application.

Claims (10)

1. A method for identifying and processing malicious orders, characterized by comprising the following steps:
acquiring related data information of a user order, wherein the related data information comprises an IP address, a contact phone number, a delivery address and behavior data;
inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, wherein the behavior analysis prediction model is trained on historical malicious order data in a pre-prepared group user sample;
when the probability exceeds a preset probability threshold, analyzing, based on preset rules, whether the IP address, the contact phone number and the delivery address are abnormal;
when more than one dimension among the IP address, the contact phone number and the delivery address is abnormal, marking the order as a malicious order and blocking the user;
and when the IP address, the contact phone number and the delivery address are all normal, marking the order with a suspicious label.
2. The malicious order identification and processing method according to claim 1, wherein after obtaining the probability that the behavior data is abnormal behavior, the method further comprises:
when the probability does not exceed the preset probability threshold, analyzing, based on the preset rules, whether the IP address, the contact phone number and the delivery address are abnormal;
when two or more dimensions among the IP address, the contact phone number and the delivery address are abnormal, marking the order as a malicious order and blocking the user;
and when one dimension among the IP address, the contact phone number and the delivery address is abnormal, marking the order with a suspicious label.
3. The malicious order identification and processing method according to claim 1 or 2, wherein after the order is marked with a suspicious label, the method further comprises:
counting the number of orders marked with a suspicious label among all historical orders of the user;
and when the number of orders exceeds a preset order quantity, marking the order as a malicious order and blocking the user.
4. The malicious order identification and processing method according to claim 1 or 2, wherein analyzing the IP address based on the preset rules comprises:
matching the IP address against the historical IP addresses in the historical order data of all users to determine the number of users who have placed orders using the IP address;
when the number of users exceeds the preset number of users, marking the IP address as abnormal;
when the number of users does not exceed the preset number of users, parsing the hierarchical relationship of the IP address and, when it is confirmed that the IP address uses a proxy, marking the IP address as abnormal.
5. The malicious order identification and processing method according to claim 1 or 2, wherein analyzing the contact phone number based on the preset rules comprises:
matching the contact phone number against the virtual number segments obtained in advance from the operator to confirm whether the contact phone number is a virtual number;
if so, marking the contact phone number as abnormal.
6. The malicious order identification and processing method according to claim 1 or 2, wherein analyzing the delivery address based on the preset rules comprises:
judging whether the delivery address has received a historical normal order;
if not, when it is confirmed from map data that the delivery address does not meet the preset delivery address conditions, marking the delivery address as abnormal.
7. The malicious order identification and processing method according to claim 1 or 2, wherein after the order is marked with a suspicious label, the method further comprises:
transferring the order to manual verification, and blocking the user when the manual verification result is a malicious order.
8. An apparatus for identifying and processing malicious orders, comprising:
an acquisition module, configured to acquire related data information of a user order, wherein the related data information comprises an IP address, a contact phone number, a delivery address and behavior data;
a prediction module, configured to input the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, wherein the behavior analysis prediction model is trained on historical malicious order data in a pre-prepared group user sample;
a multi-dimensional analysis module, configured to analyze, based on preset rules, whether the IP address, the contact phone number and the delivery address are abnormal when the probability exceeds a preset probability threshold;
a first processing module, configured to mark the order as a malicious order and block the user when more than one dimension among the IP address, the contact phone number and the delivery address is abnormal;
and a second processing module, configured to mark the order with a suspicious label when the IP address, the contact phone number and the delivery address are all normal.
9. A computer device comprising a processor, a memory coupled to the processor, the memory having stored therein program instructions which, when executed by the processor, cause the processor to carry out the steps of the method of identifying and processing a malicious order according to any of claims 1 to 7.
10. A storage medium storing program instructions capable of implementing the method for identifying and processing malicious orders according to any one of claims 1 to 7.
CN202111525100.2A 2021-12-14 2021-12-14 Malicious order identification and processing method, device, equipment and storage medium Pending CN114331593A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111525100.2A CN114331593A (en) 2021-12-14 2021-12-14 Malicious order identification and processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114331593A true CN114331593A (en) 2022-04-12

Family

ID=81049856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111525100.2A Pending CN114331593A (en) 2021-12-14 2021-12-14 Malicious order identification and processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114331593A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination