Comprehensive Internet Risk Control: Overview, Precise Traffic Perception, and Full‑Scenario Joint Defense and Control

Guest speaker: Li Jiachen – Bilibili Risk‑Control Lead

Editor: Yin Pengqing – Hangzhou Normal University

Platform: DataFunTalk

Introduction: With the rise of the internet era, business models continuously innovate while facing unprecedented challenges such as virtual machines, virtual phone numbers, and information leakage. Precise and efficient risk control becomes a critical issue, and this talk uses Bilibili as a primary example to discuss full‑scenario joint defense and control measures.

Internet risk‑control overview

Precise traffic perception

Full‑scenario joint defense and control

Summary

01

Overview of Internet Risk Control

First, a macro‑level introduction to risk control.

1. Classification of Risk Control

Risk control (Risk Control) is generally divided into Internet and financial domains. In the Internet domain it can be further split into anti‑cheat/anti‑fraud and content‑safety sub‑categories.

Anti‑cheat: growth anti‑cheat (account theft, acquisition difficulty), e‑commerce anti‑cheat (discount abuse)

Anti‑fraud: payment risk control (card theft, payment fraud)

Content safety: text, image, video safety; tags such as pornography, politics, etc.

In the financial domain, risk control can be further divided into anti‑fraud and scoring cards.

Fraud: e.g., criminals collect ID information from rural areas and use it for bulk loan applications.

Scoring cards: combine bank credit data, third‑party data, and user behavior to decide credit limits and loan terms.

2. Full‑scenario cheat types in Internet risk control

Examples of risky scenarios include fake installations from app stores, reward‑driven viral growth ("sheep‑wool"), and artificial fan/like inflation.

3. Opponents of Risk Control

The main adversary is the “black industry” (black market). They possess resources such as leaked credential databases, proxy IP pools, emulators, and automation tools.

Real‑person “sheep‑wool”: users complete micro‑tasks for small cash rewards.

Bank‑card binding: linking multiple cards to funnel money.

Traffic manipulation: inflating rankings or likes to create a false influencer image.

4. Fake Devices

02

Precise Traffic Perception

1. Business value to the black industry

Understanding how valuable a business is to the black market helps prioritize protection; high‑reward viral campaigns are prime targets, while pure traffic metrics have lower direct value.

2. Data‑driven perception of black‑industry activity

Sudden spikes in daily active users (e.g., from 2,000 to 5,000) or hourly anomalies (10‑14 h) can indicate attacks. Further analysis using KL‑divergence or mean‑shift detection on sub‑segments (city, brand, OS version) refines the signal.

3. Black‑industry group flow

Identify suspect user groups, track their subsequent behavior, and intercept at strategic points (e.g., allow login but block withdrawals).

4. Automated anomaly flow mining

Build API‑level leakage monitoring for different scenarios, automatically mine abnormal flow patterns, and compare with a seven‑day baseline to locate outliers.

03

Full‑Scenario Joint Defense and Control

1. Layered identification against black‑grey industry

Risk perception via intelligence gathering, metric monitoring, and anomaly detection; risk identification through algorithmic recall; risk disposal via interception, account bans, and withdrawal blocks.

Perception also includes monitoring internal data (e.g., low‑ROI mentors, batch‑bound bank cards) and external data (withdrawal checks, IP checks, third‑party sentiment).

2. Single‑scene vs cross‑scene identification

Single‑scene: a dedicated strategy for one activity. Cross‑scene: sharing strategies across many Bilibili activities, linking black‑industry groups across registration, login, device binding, and withdrawal.

Cross‑scene example: a group registers, logs in, participates in many activities, binds devices, and then withdraws; shared blacklists improve detection.

Feature cross‑validation (e.g., Android version vs device model) helps verify authenticity.

Features are divided into three categories: A‑class: high‑entropy identifiers (user ID, IP). B‑class: enumerated or numeric attributes (city). C‑class: numeric metrics (proportion of low‑version Android).

Combining A‑class with B‑class distributions and A‑class with C‑class means reveals suspicious clusters.

3. Risk disposal

Soft measures: captcha rotation, SMS verification, challenge questions, ID binding. Hard measures: login denial, reward cancellation, withdrawal refusal. Delayed strike marks users for later blocking, raising black‑industry costs while preserving user experience.

4. Cold‑start control

For cold‑start services, specific business rules are required to bound risk.

04

Summary

The talk introduced risk‑control concepts, the black‑industry threat landscape, and the full‑chain risk‑control workflow. It demonstrated how statistical indicators, cross‑scene data, and third‑party intelligence can perceive risks, and how layered detection, delayed strike, and feature cross‑validation form an effective defense.

Full‑scenario joint defense is akin to city‑wide police coordination against a criminal gang, while delayed strike marks suspects for later capture, reducing the cost for the black market.