How to establish an Internet risk control system


I have been at a startup for a little over half a year. The past six months have been tiring and productive, painful and happy; there is no need to say more, since I suspect everyone in this industry feels the same. Every time I look back, one shortcoming keeps coming up: the technical team is too closed. We work with our heads down and do not speak up enough, which neither helps us bring in good experience from others nor lets us put our own results out to be criticized. That is not in keeping with our purpose as engineers, so we still need to squeeze out time to look outward and make some noise.

This article is the Q&A technology team's first attempt at that, and I hope it leads my colleagues to summarize and share more; more importantly, I hope it draws criticism and suggestions from outside. There is nothing groundbreaking here. I just want to give a general description of some risk-related concepts from my own perspective: what problems we are trying to solve, where we stand, what we need to do technically and why, and how we differ from the giants.

What is risk?

Back in my academic days, my advisor worked on trusted computing and my topic was trust and risk, which made me one of the relatively early people in China working on this area in computing. The biggest headache at the time was that, although many people had published relevant academic work in these directions, the two concepts of "trust" and "risk" remained vague: there has never been a clear, generally accepted definition. Everyone speaks their own language, each paper defines trust and risk to suit its own work, and surveys have collected hundreds of definitions.

A similar situation has now emerged in industry. E-commerce has been hot for years, internet finance has caught fire recently, and the words "risk control" and "credit investigation" are everywhere. Yet after a few transactions people talk about risk on top of them without ever defining or elaborating on it, and the concrete means are limited to copying the traditional financial industry's experience online, or patching specific vulnerabilities as they come up. I still insist that we must first understand what problem we are facing, so that we know what we are doing and why and can act in a targeted way, instead of falling into a passive war of attack and defence.

The following is a simple definition that I personally agree with:

Risk = probability + outcome

This is the most complete explanation I have seen. Many people think risk is the probability of a loss; many others think risk is the final loss itself. It is like the argument over cars and planes: some think riding in a car is riskier (because the probability of an accident is high), while others think planes are more dangerous (because if something goes wrong you are basically done for); they simply focus on different things. As a practitioner working on risk, I think both have to be considered, so, like many others, I simply add them together: risk includes both the possibility and the potential loss.

What is risk control?

Risk is only an assessment of objective facts. What matters is how to calculate it and how to use it to maximize benefit. Here is a simple abstract diagram describing what the so-called risk control logic looks like:

[Diagram: risk control logic]

The definition of trust is taken from a philosophy paper I read years ago, and it is a relatively reliable one:

Trust = (weak) induction from knowledge

Briefly:

So-called trust means using all available knowledge (often called evidence, or intelligence) to make an induction of sorts. That knowledge includes:

· Routine checks: mainly identity verification and compliance. This is the most common kind.
· Social information: related information about others. Through transactions, IP addresses and mobile phone numbers you can find a group of other individuals connected to the subject, which helps the judgement a great deal.
· Historical behaviour: the past behaviour of the party being evaluated plays an extremely important role.
· Context: the specific characteristics of the current transaction or activity matter greatly to the current judgement.
· Other information.

In fact, making a trust judgement requires a great deal of additional knowledge. The more accurate and complete that knowledge, the smaller the so-called uncertainty, and the more accurate the subsequent decision. The traditional practice is to perform some compliance checks; the most fashionable part today is making a fuss about historical behaviour and social information to make up for the lack of information in traditional methods, which can also be advertised as "big data". We are in the latter camp too.

So-called risk decision means using the collected trust information to judge the loss (which is basically objective) and the probability (mainly inferred from the trust information) of every possible outcome, finally forming a risk profile to support decision-making. Once there is a concrete risk profile, the follow-up is easy: guided by the enterprise's risk tolerance and business model, you make the corresponding decision. In general, if you need to reduce risk, you must take measures that reduce either the probability or the loss. Taking P2P lending as an example, either the borrower provides more material proving a low probability of default, or the platform charges a guarantee fee of a certain proportion to reduce the loss caused by a default.

What is the current risk control system?

The description of risk control above is vague, but it gives the logical concept. At present most enterprises and institutions should be doing this; some just do it better than others:

· Maturity. Large and newer enterprises have a complete risk control framework with many people and roles involved, and it is relatively mature. Small companies tend to under-invest, and their practices are correspondingly cheap.
· Quantification capability. Small enterprises can only do qualitative analysis, discussing each matter on its own and in the end relying mainly on someone's gut. Large enterprises can do quantitative analysis, with scientific definitions and computing models that take the load off people's heads.
· Persistence. Smaller enterprises often only handle the current case. In larger companies the whole process is continuous iteration and positive feedback, so the entire risk control model is continuously corrected and improved.

As for how to develop a sound risk control system, a great deal of investment and many experts have gone into this field, and you can look to them for reference. My own qualifications are fairly limited, so I can only offer two references:

· If you want to improve the process, and you are interested in maturity models like CMM, consider OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), also introduced by CMU's SEI. It aims to propose a methodology for mitigating enterprises' information security risks. It is not a computer system, but its processes, concepts, logical structure and methodology are inspiring.

· If you want to build a complete computing model, refer to PayPal's architecture. PayPal is probably the earliest and most mature company doing risk control on the Internet, and I was lucky enough to be among its first developers in China and learned a great deal. Its whole business model rests on risk control, so the investment is large. Although technically conservative, its overall framework is definitely worth describing:

[Diagram: company P's risk control framework]

· I once sketched my impression of how company P handles risk (still just a simple concept chart):

The biggest investment is manual analysis by the operations side. On the one hand it handles various high-risk transactions more precisely and accurately; on the other, it discovers many new attacks and manually produces many labelled samples, which is the most critical part. A large number of analysts build models and rules on top of a data warehouse; in the earliest days Hadoop did not exist and they relied on commercial Teradata for this, which was pioneering. Most of the models and rules are simple, at most logistic regression. A sizeable team of developers, backed by a large ops team and large data volumes, computes the variables the models need from the database into a unified variable interface, and the online system then runs on it continuously. The whole process is cyclical: high-risk transactions flagged by the online system go to manual analysis, which becomes the material for the next round, so the entire risk control system evolves and improves continuously (OCTAVE also proposes a similar iterative model). The three roles of developers, ops and analysts are clearly divided yet work together, which is exactly what most Chinese companies currently lack.

Each part of the system is conservative and has its own inherent problems, but the framework as a whole is what matters, and its strengths are what make it still the most successful risk control system in existence. The two systems at Qian Technology (warden and redq) were also heavily influenced by it.

However, the above only describes what a mature system at a rich company looks like. In the real world only a handful of companies can do this. Many companies (especially small and medium-sized Internet companies) do it like this:

[Diagram: how most small and medium-sized companies do risk control]

The system has many vulnerabilities, especially when a business is migrated to the Internet: vulnerabilities of all kinds (technical and business) emerge one after another, and the increasingly developed black-market industry amplifies their impact.

Resources are scarce. Some finance-related companies may be fine, but most companies are too busy to invest.

Few existing technologies are available. Risk control is usually complicated and expensive; only large companies can use it, and small companies cannot afford to invest, so they often face attack after attack with hardly any protection at all.

As a result, most companies lack the ability to do detailed data collection and quantitative computation, so it is hard for them to have a mature risk control model or system to cope with the frequent attacks on the Internet, and in the end it turns into a game of whack-a-mole:

When a malicious (loss-causing) event occurs, the system reacts passively and can only deal with that event, and each event handled only yields a case-by-case precaution. The hammer you swing this time does not help you swing the next one, let alone support quantitative analysis, so quantitative analysis of risk remains hard. The only indicator anyone watches is the hit rate (a hit scores points); it is hard to separate the subjects that really bring risk from the mistaken kill rate (how many points a wrong hit costs). When the disguise is good, the hammer cannot come down at all: for example, bonus hunters are hard to distinguish from normal users, so frequent, fast attacks cannot be prevented and the hammer never lands. The recent wave of SMS-bombing attacks took off suddenly, and that was only possible because no robust risk control system was protecting against it.
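To make the hit-rate versus mistaken-kill-rate point concrete, here is an added example (not from the original post) that scores a simple rate-limit "hammer" against a constructed set of labelled SMS-verification requests, then adds one piece of trust knowledge from the list above (the subject's order history) to show how the kill rate falls. The events, IP addresses, thresholds and labels are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    """One SMS-verification request. Constructed sample data, not real traffic."""
    ip: str
    requests_last_minute: int
    has_order_history: bool   # context knowledge from the subject's past behaviour
    malicious: bool           # ground truth, as post-hoc manual analysis would label it


Rule = Callable[[Event], bool]


def rate_limit_rule(threshold: int) -> Rule:
    """The 'hammer': block any source sending more than `threshold` requests per minute."""
    return lambda e: e.requests_last_minute > threshold


def context_rule(threshold: int) -> Rule:
    """Same hammer, but a subject with real order history is trusted and left alone."""
    return lambda e: e.requests_last_minute > threshold and not e.has_order_history


def evaluate(rule: Rule, events: List[Event]) -> Dict[str, float]:
    """Score a rule on labelled events; hit rate alone hides the mistaken kill rate."""
    flagged = [e for e in events if rule(e)]
    hits = sum(e.malicious for e in flagged)
    malicious_total = sum(e.malicious for e in events)
    normal_total = len(events) - malicious_total
    return {
        "hit_rate": hits / len(flagged) if flagged else 0.0,         # of those hit, share truly bad
        "mistaken_kill_rate": (len(flagged) - hits) / normal_total,  # share of normal users hit
        "coverage": hits / malicious_total,                          # share of attackers caught
    }


# Constructed sample: three bulk attackers, one slow attacker, six legitimate users
# (two of them retrying heavily after delayed SMS delivery).
SAMPLE_EVENTS = [
    Event("203.0.113.10", 40, False, True),
    Event("203.0.113.11", 25, False, True),
    Event("203.0.113.12", 12, False, True),
    Event("203.0.113.13", 3, False, True),    # slow attacker: the "good disguise" case
    Event("198.51.100.1", 1, True, False),
    Event("198.51.100.2", 2, False, False),
    Event("198.51.100.3", 8, True, False),    # legitimate retry burst
    Event("198.51.100.4", 15, True, False),   # legitimate retry burst
    Event("198.51.100.5", 1, False, False),
    Event("198.51.100.6", 5, True, False),
]

if __name__ == "__main__":
    for name, rule in [("hammer>10", rate_limit_rule(10)), ("hammer>5", rate_limit_rule(5)),
                       ("hammer>5 + history", context_rule(5))]:
        print(name, evaluate(rule, SAMPLE_EVENTS))
```

Lowering the threshold from 10 to 5 leaves coverage unchanged while the mistaken kill rate doubles, and adding the history check at the same threshold brings the kill rate to zero; the slow attacker evades every variant, which is the disguise problem the paragraph describes.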

This is what we feel.
