Intelligent Risk Control at 58.com: Architecture, Challenges, and Unknown‑Risk Detection

58.com provides a wide range of local‑life services (housing, recruitment, used cars, etc.) whose business scenarios are complex and often involve low‑frequency, offline transactions, making them vulnerable to black‑market fraud and other security threats.

The platform faces three main challenges: high business complexity, increasingly covert black‑market tactics, and a strong attack‑defense arms race.

To address these challenges, 58.com has designed a three‑layer intelligent risk‑control architecture consisting of a big‑data technical platform, a business‑support layer, and a public‑application layer. The big‑data platform supplies data resources, model resources, and inference frameworks, while the support layer is split into behavior‑security and content‑security components.

Within the behavior‑security side, three centers are defined: a Data Center that ensures data compatibility and millisecond‑level access for billions of daily queries; a Diagnosis & Analysis Center that provides comprehensive data‑driven risk assessment; and a Knowledge Center that aggregates and manages risk‑control knowledge from auditors, operators, analysts, and algorithm engineers.

The architecture supports four behavior‑security applications: automated risk‑policy generation, anti‑fraud, anti‑cheat, and account security. Content‑security relies on algorithms to handle image, audio, and video risks such as pornography, gambling, and malicious advertising.

Unknown‑risk perception is a critical yet often overlooked stage. The risk‑perception pipeline consists of a Data Layer (structuring and enriching raw data), a Risk‑Recall Layer (identifying both regular and emergent risks using methods like patchwork density clustering, Isolation Forest, and PU‑learning), and a Risk‑Discovery Layer (refining fragmented risk signals through relational expansion).

For regular risk detection, 58.com employs patchwork grid density clustering for its linear scalability and noise‑filtering capabilities, and Isolation Forest for uncovering undefined anomalies.

PU‑learning is used to recall unseen risks by separating confirmed positive samples (P), a massive unlabeled set (U), and confirmed negative samples (RN). The algorithm iteratively identifies “spy” samples to define a threshold that separates RN from U, yielding a set of suspected risks (U‑RN).

Abnormal traffic spikes are detected with Facebook’s Prophet for dynamic threshold prediction and HotSpot for root‑cause analysis. Prophet handles missing data and outliers without supervision, while HotSpot uses Monte‑Carlo tree search and hierarchical pruning to efficiently locate the most influential dimensions of a spike.

Overall, the presentation covered the business background, the design philosophy of the intelligent risk‑control architecture, and practical implementations for unknown‑risk perception, emphasizing the importance of shortening perception‑to‑identification time and extending the response cycle against adversaries.

Future directions include building pre‑trained user‑behavior models and reinforcement‑learning‑based risk engines to enable rapid deployment of security solutions across the hundreds of business lines within the 58 group.