
Internet Risk Control: Overview, Precise Traffic Perception, and Full-Scenario Joint Defense (Bilibili Case)

The talk, led by Bilibili’s risk‑control head, outlines Internet risk‑control fundamentals, precise traffic perception techniques, and a full‑scenario joint‑defense framework that combines hierarchical identification, cross‑scene signal sharing, statistical anomaly detection, and layered mitigation (soft and hard) to counter black‑market attacks on platforms.

Bilibili Tech

Guest: Li Jiachen, Bilibili Risk Control Head

Editor: Yin Pengqing, Hangzhou Normal University

Platform: DataFunTalk

Introduction: With the rapid development of the Internet, business models are constantly innovating while facing unprecedented challenges. Real‑time information flow and ubiquitous access bring convenience but also introduce risks such as virtual machines, virtual phone numbers, and data leakage. Precise and efficient risk control has become a critical issue for the industry. This talk uses Bilibili as a case study to illustrate full‑scenario joint defense and control measures.

Outline:

Internet risk control overview

Precise traffic perception

Full‑scenario joint defense and control

Summary

01 Internet Risk Control Overview

Risk control is divided into the Internet and financial domains. In the Internet domain, it further splits into anti‑cheating/anti‑fraud and content security.

1. Classification of Risk Control

Internet risk control includes:

Anti‑cheating: growth anti‑cheating (account theft, acquisition difficulty), e‑commerce anti‑cheating (discount abuse)

Anti‑fraud: payment risk control (card theft, payment fraud)

Content security: text, image, video safety; categories such as pornography, politics, etc.

Financial risk control further includes anti‑fraud and scoring cards.

Fraud: using harvested ID information for mass loan applications

Scoring cards: combining credit bureau data, third‑party data, and user behavior to determine credit limits and repayment terms

2. Internet Risk Control Full‑Scenario Cheating Types

Typical risk scenarios include:

App download cheating (paid fake installs)

Viral growth incentives attracting black‑market participants

Artificially inflating fans, views, and likes

3. Opponents of Risk Control

Black‑market actors (黑产) typically possess:

Credential databases (social‑engineer pools)

Proxy IP pools

Emulators and automation tools

Typical behaviors:

Real‑person “sheep‑wool” (crowdsourced task farms)

Binding stolen bank cards

Traffic manipulation (fake rankings, fake likes)

4. Fake Devices

02 Precise Traffic Perception

1. Business Value to Black‑Market

Understanding the monetary value of a business to black‑market actors helps prioritize protection. High‑reward activities (e.g., referral bonuses) attract more attacks than pure traffic metrics.

2. Data‑Driven Black‑Market Detection

Example: daily active users are normally ~2,000; a sudden jump to 5,000 indicates a possible attack. An hourly breakdown shows spikes between 10 am and 2 pm.

Further analysis uses KL divergence on dimensions such as city or brand (e.g., Xiaomi brand traffic spikes) and mean‑shift detection on low‑version Android ratios.
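The per-dimension comparison described above can be sketched as follows. This is an added example, not code from the talk: the counts, the 0.1 KL threshold and the Laplace pseudo-count are assumptions, and a simple z-score test stands in for the mean-shift check on the low-version Android ratio.

```python
import math
from statistics import mean, stdev

def kl_divergence(current, baseline, pseudo=1.0):
    """KL(current || baseline) over category counts, plus the top contributor."""
    keys = set(current) | set(baseline)
    c_tot = sum(current.values()) + pseudo * len(keys)
    b_tot = sum(baseline.values()) + pseudo * len(keys)
    contrib = {}
    for k in keys:
        p = (current.get(k, 0) + pseudo) / c_tot   # smoothed share today
        q = (baseline.get(k, 0) + pseudo) / b_tot  # smoothed share in baseline
        contrib[k] = p * math.log(p / q)
    return sum(contrib.values()), max(contrib, key=contrib.get)

def drifting_dimensions(current, baseline, threshold=0.1):
    """Return [(dimension, kl, top_value)] for dimensions whose mix changed."""
    hits = []
    for dim in current:
        kl, top = kl_divergence(current[dim], baseline.get(dim, {}))
        if kl > threshold:                         # assumed alert threshold
            hits.append((dim, round(kl, 3), top))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def mean_shift_z(history, today):
    """Z-score of today's ratio against the baseline days."""
    sigma = stdev(history)
    if sigma == 0:                                 # flat history: any change is a shift
        return 0.0 if today == history[0] else math.inf
    return (today - mean(history)) / sigma

# Constructed sample: a ~2,000-user baseline day and a ~5,000-user spike day.
BASELINE = {
    "brand": {"Xiaomi": 400, "Huawei": 600, "Apple": 700, "OPPO": 300},
    "city": {"Shanghai": 500, "Beijing": 500, "Hangzhou": 400, "Chengdu": 600},
}
TODAY = {
    "brand": {"Xiaomi": 3300, "Huawei": 620, "Apple": 750, "OPPO": 330},
    "city": {"Shanghai": 1250, "Beijing": 1240, "Hangzhou": 1010, "Chengdu": 1500},
}
LOW_VERSION_HISTORY = [0.08, 0.09, 0.07, 0.08, 0.10, 0.09, 0.08]  # constructed ratios

if __name__ == "__main__":
    print(drifting_dimensions(TODAY, BASELINE))
    print(round(mean_shift_z(LOW_VERSION_HISTORY, 0.31), 1))
```

The city mix scales evenly with the spike and stays near zero divergence, while the brand mix diverges and names the value that drives it.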

3. Black‑Market Group Flow

Steps: identify suspect user groups, analyze subsequent behavior, and intercept at appropriate touchpoints (e.g., allow login but block withdrawal).

4. Automated Anomaly Flow Mining

Monitor API leakage, compare recent traffic with a 7‑day baseline, and flag flows exceeding three times the normal level.
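A minimal version of the baseline comparison above, as an added example rather than Bilibili's implementation. The endpoint names and counts are constructed, and the use of the median as the "normal level" and the minimum-volume floor are assumptions; endpoints with no 7-day history are surfaced separately instead of being silently skipped.

```python
from statistics import median

SPIKE_FACTOR = 3.0   # from the text: more than three times the normal level
MIN_REQUESTS = 100   # assumed floor so tiny endpoints do not alert on noise

def flag_anomalous_flows(history, recent):
    """history: {endpoint: [daily counts]}, recent: {endpoint: today's count}.
    Returns [(endpoint, count, baseline, reason)], busiest first."""
    alerts = []
    for endpoint, count in recent.items():
        if count < MIN_REQUESTS:
            continue
        days = history.get(endpoint, [])
        if len(days) < 7:
            # Newly exposed or newly targeted API: nothing to compare against.
            alerts.append((endpoint, count, None, "no 7-day baseline"))
            continue
        baseline = median(days[-7:])          # assumed definition of "normal"
        ratio = count / max(baseline, 1)      # avoid dividing by a zero baseline
        if ratio > SPIKE_FACTOR:
            alerts.append((endpoint, count, baseline, f"{ratio:.1f}x baseline"))
    return sorted(alerts, key=lambda a: a[1], reverse=True)

# Constructed sample data (hypothetical endpoint names).
HISTORY = {
    "/login": [9000, 9100, 8800, 9050, 9200, 8900, 9000],
    "/invite/reward": [400, 420, 390, 410, 405, 395, 415],
}
RECENT = {
    "/login": 9600,
    "/invite/reward": 2100,
    "/coupon/claim": 800,   # no history at all
    "/debug/ping": 12,      # below the volume floor
}

if __name__ == "__main__":
    for alert in flag_anomalous_flows(HISTORY, RECENT):
        print(alert)
```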

03 Full‑Scenario Joint Defense and Control

1. Hierarchical Identification against Black‑Grey Market

Three‑step process: risk perception (intelligence gathering, metric monitoring, anomaly detection), risk identification (algorithmic recall), and risk mitigation (interception, account bans, withdrawal blocks).

Examples of perception include monitoring low‑ROI mentors, bulk‑binding of Alipay accounts, and low‑price membership sales.

2. Single‑Scene vs. Cross‑Scene Identification

Single‑scene: a dedicated strategy for one activity.

Cross‑scene: sharing risk signals across multiple activities (e.g., using a blacklist from activity 1 in activity 2). Data such as identical registration times, simultaneous activity participation, and coordinated withdrawals indicate coordinated attacks.

Cross‑validation combines features (e.g., device model vs. Android version) to verify authenticity.

Feature categories:

A‑class: high‑entropy identifiers (user ID, IP)

B‑class: enumerated or numeric attributes (city)

C‑class: numeric metrics (low‑version Android proportion)

Combining A‑class with B‑class distribution variance or A‑class with C‑class mean helps detect suspicious clusters.
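One reading of this feature combination, as an added example that is not from the talk: events are grouped by an A-class key (IP), then each group is scored on the spread of a B-class attribute (city) and the mean of a C-class metric (low-version Android flag). Shannon entropy is used here as the spread measure in place of variance, and the thresholds and sample events are assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy_bits(values):
    """Shannon entropy of a categorical sample; 0 when every value is the same."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def suspicious_clusters(events, min_size=5, max_city_bits=1.5, mean_factor=3.0):
    """events: (a_key, b_value, c_metric) tuples. Returns {a_key: [reasons]}."""
    if not events:
        return {}
    groups = defaultdict(list)
    for a_key, city, low_version in events:
        groups[a_key].append((city, float(low_version)))
    global_mean = sum(float(e[2]) for e in events) / len(events)
    flagged = {}
    for a_key, rows in groups.items():
        if len(rows) < min_size:            # too few samples to judge a cluster
            continue
        reasons = []
        bits = entropy_bits([city for city, _ in rows])
        group_mean = sum(m for _, m in rows) / len(rows)
        if bits > max_city_bits:            # A-class x B-class: one IP, many cities
            reasons.append(f"city spread {bits:.2f} bits")
        if global_mean > 0 and group_mean >= mean_factor * global_mean:
            reasons.append(f"low-version mean {group_mean:.2f} vs {global_mean:.2f}")
        if reasons:
            flagged[a_key] = reasons
    return flagged

# Constructed events: (ip, city, is_low_version_android); IPs are documentation ranges.
EVENTS = (
    [(f"198.51.100.{i}", "Shanghai", j == 0 and i % 2 == 0)
     for i in range(10) for j in range(6)]
    + [("203.0.113.7", c, True)
       for c in ("Shanghai", "Chengdu", "Harbin", "Shenzhen", "Wuhan", "Xian")]
    + [("192.0.2.50", "Beijing", True)] * 5
)

if __name__ == "__main__":
    for ip, reasons in suspicious_clusters(EVENTS).items():
        print(ip, reasons)
```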

3. Risk Mitigation

Soft measures: CAPTCHA (Geetest rotation), SMS verification, challenge questions, ID binding before participation.

Hard measures: login denial, reward cancellation, withdrawal blocking. Delayed mitigation marks users during login and only blocks high‑value withdrawals, raising the cost for attackers while preserving user experience.

4. Cold‑Start Handling

For newly launched services, specific business rules are required to constrain risk (e.g., strict onboarding checks).

Summary

The talk covered risk control concepts, black‑market tools and cases, full‑chain risk perception using statistical trends and third‑party intelligence, and strategies for joint defense across multiple scenarios. It emphasized the importance of full‑scenario joint defense for Internet platforms and introduced delayed mitigation and cross‑validation techniques.
