
Ctrip's Real-Time Anti-Fraud System: Architecture, Big Data, and AI Innovations

The article details Ctrip's mature real‑time anti‑fraud platform, describing its big‑data parallel processing, AI‑driven models, device‑fingerprinting, CDNA service, and evolving architecture that together achieve sub‑150 ms decision latency while handling billions of daily transactions.

Ctrip Technology

Author Background: Liu Jiang, Risk Management Director at Ctrip Financial Management, brings nearly 15 years of experience in risk control policies, models, and big‑data credit systems from leading firms such as Guangfa Bank, Alibaba, and Tencent.

System Maturity: After more than a decade of development, Ctrip's anti‑fraud system is highly mature in real‑time parallel computation and multidimensional correlation analysis, forming a stable foundation for the entire platform.

Recent R&D Focus: In the past two years, Ctrip invested heavily in big data and artificial intelligence, delivering innovations such as device fingerprinting, CDNA, and a real‑time complex variable computation engine, which helped reduce overall BP by over 50% in 2017.

Performance Requirements: Payment‑stage risk checks must complete within 1 s, often targeting under 100 ms to ensure optimal user experience. Order volume grows >50% annually, with rule count multiplying five‑fold in two years, and each transaction now triggers roughly 2,000 variables, most of which are velocity or ratio types.

Architecture Evolution: Since its inception around 2011, Ctrip’s risk system underwent a major rewrite in 2015 when the tech stack shifted from .Net to Java. Continuous yearly major releases have kept the platform at industry‑leading performance levels.

Core Services Overview

The architecture consists of several key components:

Risk Engine (Matrix): Executes thousands of distributed rules in parallel, isolates resources per business line, and supports dynamic grouping.

Rule Engine: Originally based on Drools, now replaced by a proprietary engine compatible with Drools scripts, delivering order‑of‑magnitude performance gains.

Model Execution Engine: Deploys models trained in SAS, Spark, etc., supporting DOT and PMML formats; a custom DOT interpreter runs >20× faster than Python.

Real‑Time Flow Service (Counter Server): Built on a Redis cluster with a sliding‑window mechanism, handling >100 billion queries daily at ~1 ms latency.

Device Fingerprinting: Goes beyond IP identification, using hardware IDs on mobile and proprietary techniques on web/PC to improve fraud detection accuracy.

CDNA Service: Aggregates all user‑related data across dimensions, processing >100 TB daily to uncover hidden fraud patterns.

Proxy & Emulator Detection: Analyzes TCP signatures, time gaps, and behavior to identify sophisticated evasion tactics.

Rule vs. Model: Models complement manual rules by covering historical fraud features and reducing rule count, but both must be grounded in deep business context to avoid biased or ineffective outcomes.

Feature Extraction: Ctrip derives thousands of variables per transaction, employing velocity, ratio, and precise per‑transaction metrics, all computed within the sub‑150 ms latency budget.
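To make the Counter Server's sliding window and the velocity and ratio variables above concrete, here is an added example; it is not Ctrip's code. It uses an in-memory deque as a stand-in for the Redis cluster, and the class, function, and field names as well as the 600-second window are assumptions for illustration.

```python
from collections import defaultdict, deque

class SlidingWindowCounter:
    """In-memory stand-in for a Redis-backed counter; window is (now - W, now]."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = defaultdict(deque)  # key -> (ts, value, ok), oldest first

    def add(self, key, ts, value, ok):
        # Assumes events for one key arrive in timestamp order.
        self.events[key].append((ts, value, ok))

    def _live(self, key, now):
        q = self.events.get(key)
        if q is None:
            return ()
        while q and q[0][0] <= now - self.window:  # slid out of the window
            q.popleft()
        return q

    def velocity(self, key, now):
        return len(self._live(key, now))

    def distinct(self, key, now):
        return len({value for _, value, _ in self._live(key, now)})

    def failure_ratio(self, key, now):
        live = self._live(key, now)
        failed = sum(1 for _, _, ok in live if not ok)
        return failed / len(live) if live else 0.0  # empty window: no division

# Constructed sample events: (epoch seconds, device id, card hash, payment ok)
SAMPLE = [
    (1000, "dev-A", "card-1", True),
    (1010, "dev-B", "card-7", False),
    (1020, "dev-B", "card-8", False),
    (1030, "dev-B", "card-9", False),
    (1040, "dev-B", "card-9", True),
    (1700, "dev-A", "card-1", True),
]

def variables_at(events, device, now, window=600):
    """Replay events up to `now` and return the device's rule variables."""
    counter = SlidingWindowCounter(window)
    for ts, dev, card, ok in events:
        if ts <= now:
            counter.add(dev, ts, card, ok)
    return {"velocity": counter.velocity(device, now),
            "distinct_cards": counter.distinct(device, now),
            "failure_ratio": counter.failure_ratio(device, now)}
```

A rule would compare these values against thresholds, for example a device that tries several distinct cards with a high failure ratio inside one window.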

Conclusion: With a mission to “Make the Travel More Freely and Securely,” Ctrip continues to lead anti‑fraud technology by leveraging big data, AI, and scalable architecture to meet growing global transaction volumes and evolving fraud tactics.
