Intelligent Risk Control in Live Streaming: Algorithm Architecture and Practice at Douyu

Live‑streaming platforms face a wide range of security risks, including operational, activity, traffic, account, transaction, and content safety, while intelligent risk control must overcome high‑frequency adversarial attacks, numerous scenarios, and weak model interpretability.

01. Background of Intelligent Risk Control

The industry confronts over 1.5 million black‑market operators and a market size of billions of yuan. Douyu’s main risk‑control scenarios are divided into seven categories: operational safety, activity safety, traffic safety, account safety, transaction safety, content safety, and cross‑risk control.

Technical challenges include strong adversarial environments, a large number of diverse scenarios, and a trade‑off between robustness and interpretability.

02. Algorithm Architecture

1. Overview

Four abstract risk types are defined:

Content risk – illegal images, text, or video (e.g., advertising, porn).

User‑behavior risk – abnormal actions detected at the UID level.

Gang risk – coordinated accounts that hide behind multiple IDs.

Device risk – anomalies identified from device fingerprints.

These types are covered by a five‑layer architecture.

2. Core Algorithm Layer

Risk scoring – evolved from tree models to DeepFM, focusing on ordered scores.

Gang identification – a custom gang‑generation algorithm replaces traditional graph methods.

Spam text detection – progressed from handcrafted features to TextCNN, then to a hybrid Wide&Deep model that combines text and user behavior.

Device risk – uses Isolation Forest and a proprietary device‑fingerprint algorithm.

Abnormal sequence – a supplementary model that captures risky behavior sequences.

3. Business Integration Layer

Risk scoring – combines daily scores with historical weighting and gang scores to mitigate score decay.

Gang management – stores and queries large‑scale relationship data, providing real‑time explainability.

Spam text – pairs offline models with real‑time anti‑adversarial strategies.

Device risk – enriches device similarity, abnormal information, and risk scores.

4. Risk‑Control System Layer

Provides unified interception services, real‑time gang services, device‑risk services, scoring management, gang management, analysis platforms, and sequence queries.

5. Application Layer

Implements the seven concrete risk‑control scenarios on top of the system.

03. Model Practice

1. Challenges in Building the Risk‑Control System

Combating rapidly evolving spam text variants.

Constructing a full‑scene scoring system that reacts promptly to new risk behaviors.

Detecting weak risks that are dispersed across many UIDs.

Identifying abnormal behavior sequences.

Detecting device‑level risks.

Providing interpretable results.

2. Spam Text Evolution

Initial stage: manual feature engineering + shallow classifiers.

Second stage: TextCNN reduced feature work but struggled with homophones and similar‑looking characters.

Third stage: pyCNN transformed Chinese characters into pinyin and used convolution on both character and pinyin embeddings; cw2vec encoded stroke information for similar‑looking characters.

Final stage: Integrated user‑level features using a Wide&Deep architecture.

3. Risk Scoring Evolution

Early models: simple binary classifiers (tree, logistic regression) – limited ordering and accuracy.

First upgrade: GBDT + LR – GBDT for automatic feature extraction, LR for ordered scores.

Second upgrade: DNN replaces GBDT for higher‑order feature learning.

Third upgrade: FM replaces the Wide part, improving generalization.

Later upgrades: added sequence and graph embeddings to break the ROI bottleneck.

4. Gang Detection

Custom full‑scene gang (FSG) mining algorithm replaces traditional graph clustering, addressing large scale, script‑driven coordination, and lack of side‑information support.

5. Behavior Sequence Modeling

Initial model: C‑LSTM captured some anomalies but missed fine‑grained timing.

Improved model: added timestamp embeddings to C‑LSTM.

Current model: transformer encoder replaces CNN feature extractor, filters short (<5) sequences, achieving significant performance gains.

6. Device Fingerprint

Challenges: defining similarity operators for each feature module and fusing them into a comprehensive similarity score.

Solution: a modular architecture that computes per‑module similarity and aggregates them, with a visualized pipeline shown in the original figures.

7. Model Interpretability

Risk scoring: GBDT + LR interpreted via "Unpack Local Model Interpretation for GBDT".

DeepFM: uses mask‑based control variables to assess feature impact.

Thank you for listening.