Design and Architecture of Ctrip's Aegis Risk Control System
This article presents a comprehensive overview of Ctrip's Aegis risk control system, detailing its modular architecture, rule engine, data service layer, Chloro analytics platform, and future directions, while highlighting the use of streaming, big‑data processing, and machine‑learning models for real‑time fraud detection.
Author: Yu Wei, Senior Development Manager, Ctrip Technology Center Risk Control Department.
Ctrip, as a leading OTA in China, faces severe fraud risks such as stolen credit cards, account hijacking, malicious order manipulation, and resource grabbing. Over five years, its self‑developed risk control system has evolved from simple rule‑based DB checks to an intelligent platform supporting 10× transaction growth, leveraging rule engines, real‑time model computation, stream processing, MapReduce, big data, data mining, and machine learning.
1. Aegis System Overview
The system consists of three major modules (Risk Engine, Data Service, and Data Computation) plus auxiliary subsystems.
Risk Engine: Handles risk requests, performing preprocessing, rule execution, and model services, with data supplied by the Data Service module.
Data Service: Provides real‑time traffic statistics, risk profiles, device data, external data proxies, and RiskGraph. It serves data generated by the Data Computation layer.
Data Computation: Performs risk profile calculations, RiskSession handling, device fingerprinting, and both real‑time and batch processing, using event data such as orders, payments, device logs, etc.
The platform also includes comprehensive monitoring, alerting, manual review, and reporting systems.
2. Aegis System Architecture
Figure 2 illustrates the overall architecture.
3. Rule Engine
The rule engine, built on the open‑source Drools framework, provides fast rule deployment, isolation between rules and execution engine, and supports parallel‑serial execution with dependency analysis and short‑circuit mechanisms, achieving sub‑100 ms latency for thousands of rules.
Figure 3 shows rule execution flow.
The system combines rules (high flexibility, rapid rollout) with machine‑learning models (higher coverage). Currently used models include Logistic Regression and Random Forest, chosen based on feature discriminative power and efficiency.
4. Data Service Layer
This layer provides fast data access, primarily using Redis for caching high‑frequency data and local memory for static reference data (e.g., IP‑to‑city mappings). It also includes a data access proxy that pre‑loads external service data into Redis, with fallback to DB and external services when needed.
5. Chloro System
Chloro is the core analytics service that computes and supplies data to the risk engine. It processes data from Hermes, Hadoop, and front‑end events, routing results via Data Dispatcher to RiskProfile for engine consumption, while raw data is stored in Hadoop for batch analysis.
Figure 5 illustrates the data flow.
RiskSession quantifies user behavior across devices, defining a session from the first event to a 30‑minute inactivity gap, enabling cross‑platform analysis.
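The 30-minute inactivity rule described above, sketched as an added example; this is not Ctrip's code. The event tuple layout, the names `Session`, `sessionize` and `t`, and the choice to treat a gap of exactly 30 minutes as closing a session are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import groupby

# Inactivity gap from the article; treating a gap of exactly 30 minutes as
# closing the session is an assumption of this example.
GAP = timedelta(minutes=30)

@dataclass
class Session:
    user_id: str
    start: datetime
    end: datetime
    devices: set = field(default_factory=set)
    events: list = field(default_factory=list)

def sessionize(events):
    """Group (user_id, device_id, timestamp, event_type) tuples into sessions.

    Events are keyed by user, not device, so activity that moves between
    platforms within the gap stays in one session. Input may be out of order.
    """
    sessions = []
    ordered = sorted(events, key=lambda e: (e[0], e[2]))
    for user_id, user_events in groupby(ordered, key=lambda e: e[0]):
        current = None
        for _, device_id, ts, event_type in user_events:
            # Open a new session on the first event or after an inactivity gap.
            if current is None or ts - current.end >= GAP:
                current = Session(user_id, ts, ts)
                sessions.append(current)
            current.end = ts
            current.devices.add(device_id)
            current.events.append(event_type)
    return sessions

def t(hhmm):
    """Helper for building constructed timestamps on a fixed sample date."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events (not Ctrip data), deliberately out of order.
SAMPLE = [
    ("u1", "app-ios", t("10:05"), "search"),
    ("u1", "web", t("10:00"), "login"),
    ("u1", "web", t("10:20"), "order"),
    ("u1", "app-ios", t("11:10"), "payment"),
    ("u2", "web", t("10:01"), "login"),
]

if __name__ == "__main__":
    for s in sessionize(SAMPLE):
        print(s.user_id, s.start.time(), s.end.time(), sorted(s.devices), s.events)
```

Per-session fields such as the device set and the ordered event list are the kind of input a rule or model can consume; which features Aegis derives from a RiskSession is not stated in the article.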
Figure 6 shows RiskGraph, an HBase‑based graph store for user feature indexing.
6. Other Sub‑systems
Aegis includes configuration management, monitoring, and alerting, allowing users to define rules, tags, variables, and data cleaning logic.
7. Outlook
In version 3.0, Ctrip integrated rule engines and big‑data architectures; version 4.0 will further leverage machine learning, AI, and behavior features, and adopt technologies like Spark to enhance data processing capabilities.
