开源 | HMGNN：异构小图神经网络及其在拉新裂变风控场景的应用

{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爱奇艺风控团队负责公司全业务风险防控，面向业务提供通用与定制相结合的一站式解决方案，为业务赋能，加强业务核心竞争力。风控中台提供涵盖账户安全、会员安全、内容生态保护、拉新裂变反作弊、营销活动、金融支付等各个互联网风险场景的专属解决方案，已接入30+业务线，300+业务风险点。本论文由爱奇艺与南京大学共同完成，是双方产学研合作的一部分，旨在探索图神经网络在拉新裂变反作弊场景的应用。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"背景"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在流量为王的时代，拉新裂变是各大互联网公司争夺新用户的重要手段。活动可观的用户奖励（现金、会员卡等），也使其成为黑灰产的重点攻击目标之一。为了保障活动效果及用户质量，高准召的风控也显得日益重要。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"黑灰产通常采用模拟器、多开分身、改机、设备农场、代理IP、接码平台、众包平台等工具批量伪造新用户参与活动，将活动奖励据为己有。造成公司资金损失、业务关键指标下降、正常用户体验受损等多方面影响。针对此类攻击，业界已有一些较为成熟的防御模型："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"频繁集检测（FP-Growth）：批量攻击往往会在设备、网络、时间、地点等维度或维度组合上出现大量聚集，此时频繁集检测是简单有效的检测与预警算法。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聚类\/无监督：K-means、iForest等，一般提取行为特征后进行聚类或异常点检测，以找到行为相似异常聚集或异于正常行为的用户。具有较高的鲁棒性，但是准确率不易掌控。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有监督模型：LR、XGBoost等，提取手工特征，根据已知正负样本训练模型。准确率一般较高，但是泛化能力很差。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"社区检测：Louvain、Fraudar、高密子图等，引入了关系信息，可提升对频繁换物料的攻击的识别能力，可以理解为频繁集检测的升级版，同时可以用于标签传播，提升召回。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"图神经网络：GCN，GraphSage等，能够使特征信息在节点间传播，并发挥出神经网络对于特征的抽象能力，同时也支持只有部分标签进行半监督学习。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文基于拉新裂变场景中普遍存在的关联数据（邀请关联、设备关联、网络关联等）以及业务场景特点，创新地提出了异构小图神经网络模型（HMGNN），进一步提升了对攻击的识别能力。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"简介"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"业务场景"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"用户参加拉新活动，符合以下条件均可获得积分、奖品或现金："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"老用户邀请新用户达到一定数量"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"用户参加各种激励活动（签到、下载、答题等）"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一些典型的攻击方式包括："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"伪造新设备：活动需通过设备id来判断新用户，通过模拟器、多开分身、改机、设备农场等，都可以伪装成新的设备，从而绕过一些简单的设备判新规则。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"伪造新用户：活动需要通过手机号来验证新用户，通过虚拟小号、海外黑卡、私域黑卡等物料，辅助猫池、接码平台等工具，攻击者可以全自动化完成的手机号验证。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"IP：IP是经典的黑产与风控攻防维度，通过代理IP、秒拨IP等，可以绕过一些简单的IP策略。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"建模与挑战"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}