Evolution of Ctrip's Risk Defense Architecture: From 1.0 System to Ares Platform
Facing rapid growth in China's OTA market, Ctrip's security team outlines the evolution of its risk defense architecture—from the early .NET-based 1.0 system, through the 1.5 risk‑library, to the 2.0 Ares platform—detailing technical choices, strengths, shortcomings, and future directions for combating black‑market abuse.
With China's online travel market expanding dramatically (1301.2 billion CNY in Q1 2016, OTA revenue 64.6 billion CNY), black‑market actors have increasingly targeted the sector, prompting Ctrip's information security team to continuously evolve its risk defense mechanisms.
1.0 Era: A .NET‑based system comprising data collection, rule engine, and black/white‑list services, handling login, registration, SMS, and other controls. Advantages included real‑time rule configuration and bulk blacklist imports; disadvantages were DB‑Redis double‑write bottlenecks, rigid data preprocessing, limited dimension extensibility, and delayed blacklist expiration.
1.5 Era (Risk Library): Introduced an offline risk‑library that aggregates long‑term business data, computes risk via SQL, and feeds results to the existing blacklist service. Benefits were flexible, complex SQL‑driven rules and long‑term risk persistence; drawbacks involved DB performance limits, lack of real‑time rule updates, and slower response to rapidly changing black‑market tactics.
2.0 Era (Ares Platform): A unified platform combining real‑time and offline scoring. It consists of a data layer (collection, cleaning, preprocessing of structured and unstructured user behavior), a rule‑engine layer (stream or batch jobs applying defined rules/models), an analysis‑model layer (refining results, building scoring cards), and an application layer (SOA APIs delivering risk decisions and recommendations). The architecture reuses existing API contracts while redesigning internal components, improving data volume handling, detection of low‑frequency attacks, and blending rule‑based and model‑based anomaly detection.
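The pairing of a stream job and a batch job in the rule-engine layer, merged by a score card in the analysis layer, can be sketched as below to show why a low-frequency pattern that a short-window rule never sees is still caught. This is an added example, not Ctrip's or the Ares platform's code; the event fields, device names, thresholds and weights are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_seconds, device_id, action). Not Ctrip data.
DAY = 86400
EVENTS = (
    # burst: 6 SMS requests within 30 seconds from one device
    [(1000 + 5 * i, "dev-burst", "sms") for i in range(6)]
    # low and slow: one registration every 4 hours for 5 days
    + [(h * 4 * 3600, "dev-slow", "register") for h in range(30)]
    # ordinary user: two logins a day apart
    + [(2000, "dev-ok", "login"), (2000 + DAY, "dev-ok", "login")]
)

# Assumed thresholds and weights, chosen for illustration only.
RT_WINDOW, RT_LIMIT = 60, 5      # real-time rule: more than 5 events per 60 s
OFFLINE_LIMIT = 20               # offline rule: more than 20 events in the history
W_RT, W_OFFLINE, BLOCK_AT = 60, 50, 50

def realtime_hits(events):
    """Stream job: sliding-window count per device."""
    windows, hits = defaultdict(deque), set()
    for ts, dev, _ in sorted(events):
        w = windows[dev]
        w.append(ts)
        while w and ts - w[0] >= RT_WINDOW:   # drop events older than the window
            w.popleft()
        if len(w) > RT_LIMIT:
            hits.add(dev)
    return hits

def offline_hits(events):
    """Batch job: long-horizon aggregate per device."""
    totals = defaultdict(int)
    for _, dev, _ in events:
        totals[dev] += 1
    return {d for d, n in totals.items() if n > OFFLINE_LIMIT}

def score_card(events):
    """Analysis layer: merge both signals into a score and a decision per device."""
    rt, off = realtime_hits(events), offline_hits(events)
    out = {}
    for dev in {d for _, d, _ in events}:
        score = W_RT * (dev in rt) + W_OFFLINE * (dev in off)
        out[dev] = (score, "block" if score >= BLOCK_AT else "allow")
    return out

if __name__ == "__main__":
    for dev, result in sorted(score_card(EVENTS).items()):
        print(dev, result)
```

The low-and-slow device never trips the 60-second rule and is flagged only by the long-horizon aggregate, which is the gap a real-time-only rule engine leaves open.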
In conclusion, while the Ares platform markedly enhances detection accuracy and scalability, the ever‑evolving black‑market techniques demand ongoing innovation; Ctrip aims toward a future “3.0” era with comprehensive account risk profiling and adaptive security measures.
Ctrip Technology
Official Ctrip Technology account, sharing and discussing growth.