
Risk Control System for Live Streaming: Real‑time Interception (Pluto) and Big Data Analysis (Mars)

iQIYI’s live‑stream risk‑control platform combines the real‑time interception engine Pluto with the big‑data analytics system Mars to curb black‑market registration fraud and red‑packet abuse, processing over a billion daily requests through adaptive filters, Kafka‑Spark pipelines, and clustering algorithms that now limit fake popularity to 10‑30 % and red‑packet capture to under 3 %.

iQIYI Technical Product Team

Hiro, an assistant researcher at iQIYI, has been involved in the development of iQIYI's live streaming business since 2014, focusing on backend services, risk control, and the big‑data platform for live streaming.

2016 was dubbed the "Internet Live‑Streaming Year," and while the technology and content have matured, the industry now faces serious security challenges. Live platforms host various monetization points such as rewards, free incentives, and fabricated popularity, which have attracted black‑market activities that have evolved from crude bot attacks to low‑frequency, human‑like behaviors.

iQIYI Qixiu Live (launched in 2014) has witnessed the entire evolution of black‑market tactics, prompting the construction of a dedicated risk‑control system. The most prominent black‑market characteristics are "registration" (挂号) and "red‑packet grabbing" (抢红包).

Feature 1 – Registration: External tools connect to the chatroom to fake room popularity, accounting for over 85% of online users at peak times. After targeted mitigation using chatroom log analysis, the proportion has been reduced to a reasonable range of 10%–30%.

Feature 2 – Red‑packet grabbing: Red packets, which contain monetary gifts, were initially captured by black‑market actors in more than 50% of cases, leaving ordinary users unable to obtain them. Through big‑data correlation and clustering analysis, the capture rate has been lowered to under 3%.

The risk‑control solution consists of two major components: the real‑time interception system Pluto and the big‑data analysis system Mars. User‑behavior feature engineering combines live‑stream data and chatroom interactions. Pluto now processes over 1 billion requests per day, while Mars handles more than 10 billion data items daily, covering over 10 million black‑market accounts.

Pluto can be integrated in three ways: API integration, log‑based integration, and MQ integration. The methods differ in latency and in how much they intrude on business code, but all of them require the business side to provide accurate data such as user‑agent, platform, and fingerprint information.

The Pluto decision engine adopts a filter‑chain pattern, separating responsibilities across multiple filters, reducing system coupling. It supports asynchronous, multi‑threaded processing with connection‑pooling, allowing rule adjustments to be deployed within three seconds.

Typical filters include:

APS – token‑bucket rate limiting (e.g., 10 requests per minute).

Cooltime – cooldown interval enforcement (e.g., minimum 10‑second gap between requests).

Whitelist – business‑level whitelist for trusted entities such as anchors or high‑value users.

Blacklist – dynamically generated blacklist based on real‑time logs fed into Mars.
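A minimal sketch of such a filter chain, added here as an illustration and not taken from Pluto's code. The class names, verdict strings, filter order (whitelist first) and the explicit `ts` timestamp are assumptions; the limits reuse the figures quoted above (10 requests per minute, 10‑second gap).

```python
from dataclasses import dataclass

@dataclass
class Request:
    uid: str
    ts: float  # request time in seconds, passed in so runs are deterministic

class ListFilter:
    """Whitelist/Blacklist: return a fixed verdict when the uid is in the set."""
    def __init__(self, uids, verdict):
        self.uids, self.verdict = set(uids), verdict
    def check(self, req):
        return self.verdict if req.uid in self.uids else None

class TokenBucket:
    """APS-style limit: `capacity` tokens per uid, refilled evenly over `period` s."""
    def __init__(self, capacity, period):
        self.capacity, self.rate, self.state = capacity, capacity / period, {}
    def check(self, req):
        tokens, last = self.state.get(req.uid, (self.capacity, req.ts))
        tokens = min(self.capacity, tokens + (req.ts - last) * self.rate)
        allowed = tokens >= 1
        self.state[req.uid] = (tokens - 1 if allowed else tokens, req.ts)
        return None if allowed else "deny:rate"

class Cooltime:
    """Deny a request arriving less than `min_gap` s after the uid's previous attempt."""
    def __init__(self, min_gap):
        self.min_gap, self.last = min_gap, {}
    def check(self, req):
        # Every attempt resets the clock, so a client that keeps hammering stays blocked.
        prev, self.last[req.uid] = self.last.get(req.uid), req.ts
        if prev is not None and req.ts - prev < self.min_gap:
            return "deny:cooltime"
        return None

def decide(chain, req):
    """Run filters in order; the first non-None verdict ends the chain."""
    for f in chain:
        verdict = f.check(req)
        if verdict is not None:
            return verdict
    return "allow"

def build_chain(whitelist=(), blacklist=(), rate=(10, 60), min_gap=None):
    """Assumed order: whitelist, blacklist, rate limit, then optional cooldown."""
    chain = [ListFilter(whitelist, "allow"), ListFilter(blacklist, "deny:blacklist"),
             TokenBucket(*rate)]
    if min_gap is not None:
        chain.append(Cooltime(min_gap))
    return chain
```

Because each filter only returns a verdict or `None`, a rule change amounts to swapping or re‑parameterising one element of the list without touching the others.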

The Mars data pipeline performs lightweight cleaning before routing data via Kafka to three channels: Spark for near‑real‑time computation, Hadoop for offline processing and storage, and Elasticsearch for hot‑data queries. Daily data volume exceeds 20 billion records and continues to grow. Recommendations include prioritizing server‑side data collection, retaining raw logs for a reasonable period, and using Elasticsearch only as a query layer, with Hadoop/Spark handling long‑term storage.

Mars computation aims to identify abnormal user behavior. Offline analysis leverages Hive/Impala for batch jobs, while Spark provides sub‑second analytics for scenarios such as registration and red‑packet risk. Core algorithms include correlation analysis (e.g., linking red‑packet flows to downstream entities) and clustering analysis (e.g., detecting concentrated registration activity by city or account).
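The correlation and clustering step can be pictured with the following added example, which is not Mars code: it links each red‑packet grabber to the downstream account that received the value and merges accounts into connected components, so grabbers that share any downstream entity end up in one cluster. The flow tuples, account names and the `min_grabbers` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (grabber_uid, downstream_uid) = the account that grabbed a
# red packet and the account its value was later passed to.
FLOWS = [
    ("a1", "d1"), ("a2", "d1"), ("a2", "d2"), ("a3", "d2"), ("a4", "d2"),
    ("u7", "f1"),                  # ordinary user passing value to one friend
    ("u8", "f2"), ("u9", "f2"),
]

def find(parent, x):
    """Union-find lookup with path halving."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_flows(flows):
    """Union grabbers with their downstream entities; return grabbers per component."""
    parent = {}
    for grabber, downstream in flows:
        ra, rb = find(parent, grabber), find(parent, downstream)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for grabber, _ in flows:
        groups[find(parent, grabber)].add(grabber)
    # Largest clusters first, ties broken by member names for stable output.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def blacklist_candidates(flows, min_grabbers=3):
    """Grabbers in any component with at least `min_grabbers` distinct grabbing accounts."""
    return {uid for g in cluster_flows(flows) if len(g) >= min_grabbers for uid in g}
```

Accounts a1 to a4 never all share one downstream account, yet they collapse into a single cluster through d1 and d2; the resulting set is the kind of output that could feed Pluto's dynamically generated blacklist.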

Case study – Abnormal anchor analysis: By clustering black‑market behavior and correlating it with anchor revenue, the team built an engine that flags anchors whose abnormal income exceeds 100 k RMB within a half‑month, enabling rapid operational response.

In summary, the Qixiu risk‑control system has progressed from simple frequency limits to an intelligent, multi‑layered architecture that combines real‑time interception with large‑scale data analytics. The ongoing arms race between black‑market actors and security teams underscores the need for continuous innovation.
