Intelligent Risk Control at 58.com: Architecture, Challenges, and Unknown Risk Detection

Guest: Zhang Peng, Head of Security Intelligence, 58.com Editor: KS Platforms: DataFunTalk, AI Enlightener

Overview: 58.com provides a wide range of local life services such as housing, recruitment, used cars, and local services. Because many of its transactions are low‑frequency and often completed offline, the platform has limited closed‑loop data, which creates opportunities for black‑market fraud. The article introduces the challenges of 58’s risk control and how AI and big‑data technologies are applied to address them.

01 58 Risk‑Control Business Background

58.com offers information‑classification services across many verticals, resulting in a complex product ecosystem that extends from online to offline. Low‑frequency transactions (e.g., buying a house or a car) mean that user credit accumulation and platform constraints are weak, making it difficult to obtain complete data and easy for fraudsters to operate.

Two typical fraud examples are presented:

Illegal diversion: A rental listing appears normal, but the landlord redirects the user to an external contact (e.g., a QR code) for fraudulent purposes.

Content violation: Images that embed contact information in various styles (solid background, natural background, rotated text) evade platform rules, illustrating the evolving tactics of fraudsters.

Overall, the platform faces three main challenges: business complexity, highly concealed black‑market behavior, and strong attack‑defense dynamics.

02 Intelligent Risk‑Control Architecture Design

The architecture consists of three layers to support both data organization and algorithmic detection capabilities:

Big‑Data Platform: Provides fundamental resources such as data assets, model assets, and inference frameworks.

Business Support Layer: Divided into behavior security and content security.

Behavior security includes a Data Center, Diagnosis Analysis Center, and Knowledge Center.

Content security uses algorithms to handle image, audio, and video risks (e.g., pornography, gambling, illegal advertising).

Public Application Layer: Hosts specific risk‑control applications tailored to different business scenarios.

The behavior security side is further split into:

Data Center: Ensures data compatibility, timeliness, and provides millisecond‑level access to petabyte‑scale datasets.

Diagnosis Analysis Center: Offers comprehensive data analysis, clue extraction, and helps define new risk patterns.

Knowledge Center: Consolidates risk‑control knowledge from reviewers, operators, data analysts, and algorithm engineers, enabling reuse across emerging threats.

Four core behavior‑security applications are built on this foundation: automated risk‑policy, anti‑fraud, anti‑cheat, and account security.

03 Unknown Risk Perception

1. How to perceive unknown risks – The risk‑control loop consists of four stages: (1) black‑market attack detection, (2) platform analysis and strategy generation, (3) defense deployment, and (4) attacker adaptation. Shortening stages 1 + 2 while lengthening 3 + 4 improves overall response time; neglecting stage 1 (risk perception) can add six hours to the response.

2. Difference between perception and identification strategies – Perception strategies guide downstream decisions and focus on coverage and noise‑tolerance, while identification strategies aim for precise, explainable recall of specific risks.

The technical stack for risk perception includes three layers:

Data Layer: Structures raw data, enriches external features, and stores detailed records for downstream computation.

Risk Recall Layer: Detects both regular and emergent risks. Regular risks are split into group‑level, individual‑level, and variant risks; emergent risks are captured via anomaly‑fluctuation detection and fed into the discovery layer.

Risk Discovery Layer: Refines fragmented risk signals through relational expansion and secondary algorithms.

For regular risk detection, 58.com uses Patchwork grid density clustering and Isolation Forest to handle arbitrary distributions and uncover undefined anomalies.

For unrecalled (PU) problems, a PU‑learning algorithm separates confirmed positives (P), massive unlabeled data (U), and confirmed negatives (RN) to generate suspected risks (U‑RN).

For anomaly‑fluctuation detection, Prophet provides dynamic thresholding and forecasting, while HotSpot performs root‑cause analysis using Monte‑Carlo tree search and hierarchical pruning.

04 Summary and Outlook

The presentation covered three aspects: the business background of 58.com, the design philosophy of its intelligent risk‑control architecture, and practical methods for unknown risk perception.

Key takeaways:

Complex business scenarios and concealed black‑market behavior create significant security challenges.

Effective risk control requires both strong data organization (upper bound) and robust algorithmic detection (baseline).

Risk perception shortens the time to generate effective defenses, while risk identification ensures precise recall.

Future work will focus on user‑behavior pre‑training models and reinforcement‑learning‑based risk engines, aiming to build reusable training models for diverse business lines and accelerate deployment of new risk‑control capabilities.

Thank you for listening.