Ctrip Business Security: From Business‑Driven to Technology‑Driven Defense
This article outlines Ctrip's comprehensive business security strategy, detailing four major risk types, three core protection systems—including a unified captcha, a real‑time risk control engine, and a risk data platform—followed by a technology‑driven architecture, new captcha services, and future security directions.
Author Wang Runhui, senior manager of Ctrip Technology Center's Information Security Department, introduces the importance of business security for China’s largest OTA and his focus on vulnerability analysis, data modeling, and risk control architecture.
Ctrip faces four major business security risks: spam registration, account scanning (credential sweeping), "sheep‑stealing" fraud (abuse of promotions and coupons), and web crawlers, each with specific challenges such as phone‑number abuse, high‑volume IP traffic, credential cracking, and low‑visibility crawling.
To address these risks, Ctrip has built three core systems: (1) a unified captcha service that decouples difficulty, supports rapid configuration, and achieves a 90% success rate; (2) a risk control system with real‑time rule configuration, asynchronous response, and A/B testing, handling over 10 million requests per day with ~5 ms latency; (3) a risk data platform that processes offline rules, provides minute‑level analytics, and integrates external black‑market data, achieving near‑real‑time interception of fraudulent accounts.
Each system’s architecture is illustrated with diagrams (Figure 1–4) and configuration interfaces, highlighting issues such as single‑type captchas being easy to break, limited response parameters, and static rule engines.
A case study shows the risk data platform detecting a massive login‑request anomaly within minutes, automatically reducing malicious requests from thousands to single digits within 40 minutes without manual intervention.
Moving from business‑driven to technology‑driven defense, Ctrip proposes a layered architecture: a data layer for unified collection and cleaning of structured and unstructured data; a rule‑engine layer for real‑time and batch processing; an analysis‑model layer for scoring and model updates; and an application layer exposing risk scores via SOA APIs.
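The real‑time rule engine and minute‑level scoring described above, as an added illustration that is not Ctrip's code: rules are plain data (so they can be reconfigured without a deploy), login events are aggregated into one‑minute buckets per IP or per account, and the resulting score maps to allow / captcha challenge / block. The rule set, thresholds and login events are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    name: str        # rule identifier, reconfigurable without a code change
    key: str         # event attribute aggregated on: "ip" or "account"
    threshold: int   # events per one-minute bucket that trigger the rule
    score: int       # risk score added to the entity when triggered

# Hypothetical rule set, the kind a real-time engine would load from config.
RULES = (
    Rule("ip_login_burst", "ip", threshold=5, score=60),
    Rule("account_sweep", "account", threshold=3, score=40),
)

# Constructed sample login events: (ISO timestamp, client IP, account name).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:02", "203.0.113.7", "user%03d" % i) for i in range(6)
] + [
    ("2024-05-01T10:01:10", "198.51.100.1", "alice"),
    ("2024-05-01T10:01:22", "198.51.100.2", "alice"),
    ("2024-05-01T10:01:40", "198.51.100.3", "alice"),
    ("2024-05-01T10:02:05", "192.0.2.9", "bob"),
]

def minute_bucket(ts: str) -> str:
    """Truncate an ISO timestamp to its minute, the aggregation window."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")

def score_events(events, rules=RULES):
    """Return {(key, value, minute): (score, [rule names])} for every
    entity that triggered at least one rule inside that minute."""
    counts = Counter()
    for ts, ip, account in events:
        attrs = {"ip": ip, "account": account}
        bucket = minute_bucket(ts)
        for rule in rules:
            counts[(rule.name, attrs[rule.key], bucket)] += 1
    scores = {}
    for rule in rules:
        for (name, value, bucket), n in counts.items():
            if name == rule.name and n >= rule.threshold:
                key = (rule.key, value, bucket)
                total, hits = scores.get(key, (0, []))
                scores[key] = (total + rule.score, hits + [rule.name])
    return scores

def decide(score: int) -> str:
    """Map a risk score to an action: block, captcha challenge, or allow."""
    if score >= 50:
        return "block"
    if score >= 30:
        return "challenge"
    return "allow"
```

Running `score_events(SAMPLE_EVENTS)` flags the bursting IP in the 10:00 bucket and the swept account `alice` in 10:01, while `bob` never appears in the result.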
The new productized captcha service combines front‑end JavaScript, back‑end verification, and risk control, reducing integration effort for business units. It also introduces two user‑friendly yet secure captcha types—a slider captcha (1‑2 s input) and a character‑selection captcha with random positioning, enhancing both experience and resistance to automated attacks (Figure 8‑9).
Looking ahead, Ctrip plans to deepen its security capabilities by adopting Spark, Presto, and Impala for data processing, building security user profiles, a penalty center, and challenge services, continuously balancing security and user experience.
Finally, the article includes a recruitment notice for senior application security engineers, emphasizing requirements such as web vulnerability expertise, Python programming, and experience with security product development.
Ctrip Technology
Official Ctrip Technology account, sharing and discussing growth.