The Invisible Cost: How the Ten-Hour Dilemma Is Dismantling the Security Operations Center, and the Way Forward

Core Content Summary


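Designing an Anti-Order-Brushing Risk-Control Rule Engine in a Taobao Rebate Software Backend: Applying Drools

Hi everyone, I'm 省赚客, the developer of 微赚淘客系统 0. In high-concurrency rebate scenarios, malicious users place orders in bulk through scripts, virtual devices, multiple accounts and similar means to extract commissions, seriously eroding the platform's profit.

To counter complex and constantly changing order-brushing behavior, 微赚淘客系统 0 introduces a dynamic risk-control system based on the Drools rule engine, providing hot rule updates, multi-dimensional decisions and millisecond-level interception.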

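Modeling the risk-control object

First, define the risk-control context entity that the rules evaluate:

```java
package juwatech.cn.risk.model;

import java.time.LocalDateTime;
import java.util.List;

public class OrderRiskContext {
    private Long userId;
    private String deviceId;
    private String ip;
    private Long orderId;
    private Long orderAmount;             // order amount, in fen (1/100 yuan)
    private LocalDateTime createTime;
    private List<String> recentOrderIps;  // IPs of orders placed in the last hour
    private int sameDeviceOrderCount24h;  // orders from the same device in the last 24 hours
    private boolean isNewUser;            // whether the account was registered within the last 7 days
    private boolean isHighRiskIp;         // whether the IP is high-risk (from the intelligence database)
    private boolean blocked;              // whether the order is blocked (output field)

    // getters and setters omitted

    public void block() {
        this.blocked = true;
    }
}
```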

Example Drools rule file

The rule file fraud-rules.drl is stored in the resources/rules/ directory and supports dynamic loading:

```drl
package juwatech.cn.rules

import juwatech.cn.risk.model.OrderRiskContext

// Rule 1: large order from a new user
rule "NewUserLargeOrder"
when
    $ctx: OrderRiskContext(
        isNewUser == true,
        orderAmount > 50000,   // 500 yuan
        !blocked
    )
then
    System.out.println("Blocked: New user large order, userId=" + $ctx.getUserId());
    $ctx.block();
end

// Rule 2: high-frequency ordering from the same device
rule "HighFrequencySameDevice"
when
    $ctx: OrderRiskContext(
        sameDeviceOrderCount24h > 10,
        !blocked
    )
then
    System.out.println("Blocked: High frequency on device " + $ctx.getDeviceId());
    $ctx.block();
end

// Rule 3: abnormal IP jumps (multiple provinces within 1 hour)
rule "MultiProvinceIpJump"
when
    $ctx: OrderRiskContext(
        recentOrderIps != null,
        recentOrderIps.size() > 3,
        isHighRiskIp == false,
        !blocked
    )
    eval( hasDifferentProvinces($ctx.getRecentOrderIps()) )
then
    System.out.println("Blocked: Multi-province IP jump for userId=" + $ctx.getUserId());
    $ctx.block();
end
```

Here hasDifferentProvinces is a custom function; it must be declared in the DRL or called through Java:

```java
package juwatech.cn.risk.util;

import java.util.List;

import juwatech.cn.geo.IpGeoService;

public class RiskFunctions {
    // True when the IPs resolve to at least two distinct provinces
    public static boolean hasDifferentProvinces(List<String> ips) {
        IpGeoService geo = new IpGeoService();
        long provinceCount = ips.stream()
                .map(geo::getProvince)
                .filter(p -> p != null && !p.isEmpty())
                .distinct()
                .count();
        return provinceCount >= 2;
    }
}
```

and imported at the top of the DRL file:

```drl
import function juwatech.cn.risk.util.RiskFunctions.hasDifferentProvinces
```

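Initializing and calling the Drools engine

Drools is integrated through Spring Boot:

```java
package juwatech.cn.risk.config;

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;

import org.kie.api.KieServices;
import org.kie.api.builder.KieBuilder;
import org.kie.api.builder.KieFileSystem;
import org.kie.api.builder.Message;
import org.kie.api.runtime.KieContainer;
import org.kie.api.runtime.KieSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class DroolsConfig {
    private static final String RULES_PATH = "rules/fraud-rules.drl";

    @Bean
    public KieContainer kieContainer() {
        KieServices ks = KieServices.Factory.get();
        KieFileSystem kfs = ks.newKieFileSystem();
        // KieFileSystem only builds resources written under src/main/resources/
        kfs.write("src/main/resources/" + RULES_PATH, getResource(RULES_PATH));
        KieBuilder kb = ks.newKieBuilder(kfs);
        kb.buildAll();
        // Fail at startup instead of running with a rule set that did not compile
        if (kb.getResults().hasMessages(Message.Level.ERROR)) {
            throw new IllegalStateException("Rule compile error: " + kb.getResults().getMessages());
        }
        return ks.newKieContainer(ks.getRepository().getDefaultReleaseId());
    }

    private String getResource(String path) {
        // Load the rule content from the classpath or a remote configuration center
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(path)) {
            if (in == null) {
                throw new IllegalStateException("Rule file not found: " + path);
            }
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    @Bean
    public KieSession kieSession(KieContainer kieContainer) {
        return kieContainer.newKieSession();
    }
}
```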

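Risk-control service call flow

Insert the risk check before the order is created:

```java
package juwatech.cn.risk.service;

import juwatech.cn.risk.model.OrderRiskContext;
import org.kie.api.runtime.KieContainer;
import org.kie.api.runtime.KieSession;
import org.springframework.stereotype.Service;

@Service
public class FraudDetectionService {
    private final KieContainer kieContainer;
    private final RiskDataEnricher enricher;

    public FraudDetectionService(KieContainer kieContainer, RiskDataEnricher enricher) {
        this.kieContainer = kieContainer;
        this.enricher = enricher;
    }

    public boolean isFraudulent(Long userId, Long orderId) {
        OrderRiskContext ctx = new OrderRiskContext();
        ctx.setUserId(userId);
        ctx.setOrderId(orderId);  // fill in the basic fields
        enricher.enrich(ctx);     // add IP, device, historical behavior, etc.

        // A disposed session cannot be reused, so each call gets its own session.
        // Note: production should use a stateful session pool or a stateless KieBase.
        KieSession kieSession = kieContainer.newKieSession();
        try {
            kieSession.insert(ctx);
            kieSession.fireAllRules();
        } finally {
            kieSession.dispose();
        }
        return ctx.isBlocked();
    }
}
```

RiskDataEnricher aggregates data from Redis, MySQL and the risk-intelligence database:

```java
package juwatech.cn.risk.service;

import juwatech.cn.risk.model.OrderRiskContext;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Component;

@Component
public class RiskDataEnricher {
    private final RedisTemplate<String, Object> redisTemplate;
    private final IpRiskService ipRiskService;

    public RiskDataEnricher(RedisTemplate<String, Object> redisTemplate, IpRiskService ipRiskService) {
        this.redisTemplate = redisTemplate;
        this.ipRiskService = ipRiskService;
    }

    public void enrich(OrderRiskContext ctx) {
        String deviceKey = "device:orders:" + ctx.getDeviceId();
        Integer count = (Integer) redisTemplate.opsForHash().get(deviceKey, "count_24h");
        ctx.setSameDeviceOrderCount24h(count != null ? count : 0);
        ctx.setRecentOrderIps(getRecentIpsFromRedis(ctx.getUserId()));
        ctx.setIsHighRiskIp(ipRiskService.isHighRisk(ctx.getIp()));
        ctx.setIsNewUser(isNewUser(ctx.getUserId()));
    }

    // Implementations of getRecentIpsFromRedis and isNewUser omitted
}
```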

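Rule hot-update mechanism

To avoid restarting the service, we listen for Nacos or Apollo configuration changes and dynamically reload the KieContainer:

```java
@EventListener
public void onRuleUpdate(RuleConfigChangeEvent event) {
    String newDrl = event.getNewContent();

    // Write to a temporary file, or build the KieModule directly
    KieServices ks = KieServices.Factory.get();
    KieFileSystem kfs = ks.newKieFileSystem();
    // KieFileSystem only builds resources written under src/main/resources/
    kfs.write("src/main/resources/rules/fraud-rules.drl", newDrl);
    KieBuilder kb = ks.newKieBuilder(kfs).buildAll();

    if (kb.getResults().hasMessages(org.kie.api.builder.Message.Level.ERROR)) {
        log.error("Rule compile error: {}", kb.getResults().getMessages());
        return;
    }

    KieContainer newContainer = ks.newKieContainer(ks.getRepository().getDefaultReleaseId());
    // Atomically swap the global reference
    this.kieContainerRef.set(newContainer);
}
```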
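The `then` part of a DRL rule is Java that runs inside the service, so rule text pushed from the configuration center is executable code and deserves an authenticity check before it is compiled. The following is an added example, not code from the original article: it verifies a detached ECDSA signature over the DRL text. The class name RuleUpdateGate, the key pair, the sample rule text and the idea that the signature is delivered alongside the rule content are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

// Hypothetical helper (not part of Drools or the article's code): accepts a
// hot-pushed DRL only if it carries a valid signature from the rule publisher.
public class RuleUpdateGate {
    private final PublicKey publisherKey;

    public RuleUpdateGate(PublicKey publisherKey) {
        this.publisherKey = publisherKey;
    }

    /** Returns true only if sig is a valid ECDSA signature over the exact DRL bytes. */
    public boolean isAuthentic(String drl, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(publisherKey);
            verifier.update(drl.getBytes(StandardCharsets.UTF_8));
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: treat as not authentic
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; in practice the private key stays with the release pipeline
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair publisher = kpg.generateKeyPair();

        // Constructed sample rule text
        String drl = "rule \"NewUserLargeOrder\" when OrderRiskContext(orderAmount > 50000) then end\n";
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(publisher.getPrivate());
        signer.update(drl.getBytes(StandardCharsets.UTF_8));
        byte[] sig = signer.sign();

        RuleUpdateGate gate = new RuleUpdateGate(publisher.getPublic());
        System.out.println("signed rule accepted:   " + gate.isAuthentic(drl, sig));
        // Same signature, threshold silently raised: must be rejected before any build
        String tampered = drl.replace("50000", "5000000");
        System.out.println("tampered rule accepted: " + gate.isAuthentic(tampered, sig));
    }
}
```

In onRuleUpdate, a check like this would run before kfs.write(...) and return early on failure, the same way the compile-error branch does.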

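Performance and scalability

- A single rule execution takes 5 ms (P99).
- Parallel processing is supported; each thread uses its own KieSession.
- Rule versions can be released gradually (gray release), with traffic split by a hash of the user ID.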
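The hash-based traffic split in the last item, as an added example that is not the original author's code: a router that deterministically assigns each user ID to a bucket and sends a configurable percentage to the new rule version. The class name RuleVersionRouter, the salt value and the user IDs are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical router (not the article's code): sends a fixed percentage of
// users to the canary rule version, keyed on a hash of the user ID.
public class RuleVersionRouter {
    private final String salt;           // one salt per rollout, so buckets reshuffle between rollouts
    private volatile int canaryPercent;  // 0..100, raised as the rollout progresses

    public RuleVersionRouter(String salt, int canaryPercent) {
        this.salt = salt;
        setCanaryPercent(canaryPercent);
    }

    public void setCanaryPercent(int percent) {
        if (percent < 0 || percent > 100) {
            throw new IllegalArgumentException("percent must be 0..100");
        }
        this.canaryPercent = percent;
    }

    /** Stable bucket in [0, 100) derived from SHA-256(salt + ":" + userId). */
    public int bucketOf(long userId) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256")
                    .digest((salt + ":" + userId).getBytes(StandardCharsets.UTF_8));
            int v = ((h[0] & 0xff) << 24) | ((h[1] & 0xff) << 16) | ((h[2] & 0xff) << 8) | (h[3] & 0xff);
            return Math.floorMod(v, 100);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JVM
        }
    }

    /** The same user always gets the same answer for a given salt and percentage. */
    public boolean useCanary(long userId) {
        return bucketOf(userId) < canaryPercent;
    }

    public static void main(String[] args) {
        RuleVersionRouter router = new RuleVersionRouter("fraud-rules-rollout-1", 10); // constructed values
        int canary = 0;
        for (long userId = 1; userId <= 10_000; userId++) { // constructed user IDs
            if (router.useCanary(userId)) canary++;
        }
        System.out.println("users on canary rules: " + canary + " of 10000");
        router.setCanaryPercent(50); // widening keeps every user already in the canary set
        System.out.println("user 42 on canary: " + router.useCanary(42L));
    }
}
```

In the service, the result of useCanary(userId) would select which KieContainer the session is created from.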

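With the Drools rule engine, risk-control policy is decoupled from hard-coded logic, so operations staff can work with the engineering team to bring new rules online quickly and respond effectively to new order-brushing techniques.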

Copyright of this article belongs to the 微赚淘客系统 0 R&D team. Please credit the source when reposting.
