CN113283902B - Multichannel blockchain phishing node detection method based on graphic neural network - Google Patents

Multichannel blockchain phishing node detection method based on graphic neural network Download PDF

Info

Publication number
CN113283902B
CN113283902B CN202110654086.XA CN202110654086A CN113283902B CN 113283902 B CN113283902 B CN 113283902B CN 202110654086 A CN202110654086 A CN 202110654086A CN 113283902 B CN113283902 B CN 113283902B
Authority
CN
China
Prior art keywords
transaction
node
network
blockchain
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110654086.XA
Other languages
Chinese (zh)
Other versions
CN113283902A (en
Inventor
陈晋音
张敦杰
黄国瀚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University of Technology ZJUT filed Critical Zhejiang University of Technology ZJUT
Priority to CN202110654086.XA priority Critical patent/CN113283902B/en
Publication of CN113283902A publication Critical patent/CN113283902A/en
Application granted granted Critical
Publication of CN113283902B publication Critical patent/CN113283902B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Finance (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Evolutionary Computation (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Strategic Management (AREA)
  • Artificial Intelligence (AREA)
  • General Business, Economics & Management (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Marketing (AREA)
  • Technology Law (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses a multichannel blockchain phishing node detection method based on a graph neural network, which comprises the following steps: constructing a network sequence type dynamic overall transaction network diagram and a dynamic transaction pattern subgraph according to the blockchain transaction information; obtaining a time weighted transaction link; learning user potential features and transaction pattern features of the target node; the obtained combined characteristics are input into a detection module to obtain a final detection result; and training the detection model by using the real class mark of the target node and the final detection result to obtain the multichannel blockchain phishing node detection model. According to the phishing node detection method, the node classification and node transaction mode identification dual channels based on the graphic neural network are adopted, so that the potential characteristics of the user node and the transaction mode characteristics of the user node can be effectively extracted, the effectiveness of a blockchain phishing node detection model is improved, and the detection of the blockchain phishing node is realized.

Description

Multichannel blockchain phishing node detection method based on graphic neural network
Technical Field
The invention relates to the field of blockchain network security, in particular to a multichannel blockchain phishing node detection method based on a graph neural network.
Background
The blockchain technology originates from bitcoin, and aims to solve the problem that a trusted third party is excessively depended on in electronic payment to realize the decentralization of the electronic payment. The blockchain technology is a distributed account book with anonymity and non-falsification, and is successfully applied to the fields of finance, politics, commerce and the like. With the rapid development of blockchain technology in the financial field, the prevalence of cryptocurrency has also spawned a large number of phishing crimes. Blockchain technology, while ensuring that the cryptocurrency is held by the user himself, provides reliable transaction behavior. But on the other hand, due to its decentralised nature, the lack of a third party authority-regulated transaction environment places the user in the threat of phishing persons. Once the transfer action to the fraudster is confirmed by the blockchain, the electronic money lost by the user is almost impossible to retrieve.
Of the numerous blockchain financial fraud, more than 50% can be categorized as phishing fraud targeting cryptocurrency. ( Reference 1: M.Conti, E.S.Kumar, C.Lal, and S.Ruj, "A survey on security and privacy issues of bitcoin," IEEE Commun. Surv. Tut., vol.20, no.4, pp.3416-3452,2018. )
In order to provide some protection for normal users in a decentralised blockchain financial system, wu et al (ref 2:Wu J,Dan Lin,Zibin Zheng and Qi Yuan.Temporal WEighted MultiDiGraph Embedding[J, 2019.) have investigated anti-phishing problems in blockchain ecosystems. Considering the transaction time and transaction amount information that are functional in the financial transaction network, they model the identification of the ethernet phishing address as a two-class problem, providing a new technical means for identifying phishing nodes, or predicting potential fraudulent objects.
The graph data has wide application in real life due to its strong expressive power. The graph neural network is one of the main methods for processing graph type data, and the graph neural network can skillfully extract features from the graph data, and the extracted features can complete a plurality of graph data analysis tasks, such as: node classification, graph classification, link prediction, community discovery, and the like. The graph data analysis task is widely applied to actual scenes such as social networks, recommendation systems, e-commerce networks and the like, and excellent performance is achieved.
The disclosure of the blockchain transaction system provides a large data base for building a blockchain transaction network, which also makes the neural network a possible tool for detecting blockchain phishing fraud. A difficulty with applying the graph neural network to blockchain phishing fraud detection is that blockchain transaction networks often have complex transaction time and transaction amount information, and conventional graph neural networks are difficult to adapt to multilink transaction networks with time information. In addition, the graph information focused by the graph neural network under different graph data analysis tasks is also different, and the features of potential phishing fraud can not be comprehensively learned by a single node classification model. Therefore, for the multi-link blockchain transaction graph data with time information, how to utilize the graph neural network to more comprehensively extract the potential characteristics of the user nodes so as to accurately identify phishing fraud has important practical significance.
Disclosure of Invention
The invention aims to design a multichannel blockchain fishing node detection method based on a graphic neural network, wherein trainable time importance coefficients are utilized to carry out weighted summation on multi-link transactions in different transaction time periods, node classification and node transaction pattern recognition dual-channel based on the graphic neural network are adopted to respectively carry out dynamic node classification and dynamic graph classification on a blockchain dynamic overall transaction network graph-fish node transaction pattern sub-graph, finally, the characteristics of user nodes in different layers are fused, and the detection effectiveness of a blockchain fishing node detection model is improved.
In order to achieve the above purpose, the invention adopts the following technical scheme:
a multichannel blockchain phishing node detection method based on a graph neural network is characterized by comprising the following steps:
constructing a network sequence type dynamic overall transaction network diagram of a blockchain according to blockchain transaction information, and constructing a network sequence type dynamic transaction pattern sub-diagram of a target node aiming at each node in the network sequence type dynamic overall transaction network diagram; inputting the network sequence type dynamic overall transaction network diagram, the network sequence type dynamic transaction mode subgraph and the node real class mark of the blockchain into a detection model of a multichannel blockchain phishing node;
weighting and summing a plurality of transaction information between the same node pairs in different network sequences by using a trainable time importance coefficient to serve as a unique time weighted transaction connecting edge in the unified network sequence;
aiming at the network sequence type dynamic overall transaction network diagram, learning the user potential characteristics of the target node by utilizing a dynamic node classification channel in the detection model; aiming at the network sequence type dynamic transaction pattern subgraph, the transaction pattern characteristics of the target node are learned by utilizing a dynamic pattern classification channel in the detection model;
different attention coefficients are distributed to the user potential characteristics and the transaction mode characteristics of the target node by using an attention mechanism, so that combined characteristics are obtained; inputting the combined characteristics into a detection module to obtain a final detection result of the target node;
and training the detection model by using the real class mark of the target node and the final detection result to obtain a final multi-channel blockchain fishing node detection model.
Preferably, the process of building a network sequential dynamic global transaction network map of a blockchain:
selecting a certain number of phishing nodes and normal nodes as initial nodes, extracting the address of the other party account as a first-order transaction node according to the transaction records, then respectively taking each first-order transaction node as a central node, extracting the address of the other party account as a second-order transaction node according to the transaction records, and obtaining a time sequence type dynamic overall transaction network diagram with the total node number of N, wherein the time sequence type dynamic overall transaction network diagram is expressed as
Figure BDA0003113100370000031
Wherein V (|v|=n) represents a node set, E represents a link set, and X represents transaction amount W (E) and transaction time T (E) information corresponding to each link;
taking the time interval between the first transaction and the last transaction in the time sequence type dynamic integral transaction network diagram as the total transaction time length, dividing the time length into M transaction time periods equally, dividing the time sequence type dynamic integral transaction network diagram into fragments according to the divided time periods, forming a network fragment diagram by transaction information of each transaction time period, wherein the node number in each network fragment diagram is the same as the node number of the integral transaction network diagram, and finally obtaining a network sequence type dynamic integral transaction network diagram formed by the M network fragment diagrams, wherein the network sequence type dynamic integral transaction network diagram is expressed as
Figure BDA0003113100370000041
In the same transaction period, there may be L transaction links +.>
Figure BDA0003113100370000042
Preferably, the process of constructing a network sequential dynamic transaction pattern sub-graph of the target node includes:
traversing each node in the time sequence type dynamic whole transaction network diagram, taking each node as a central node, extracting transaction information between a first-order transaction node and a second-order transaction node according to a transaction record, and obtaining a time sequence type transaction mode sub-graph of a target node
Figure BDA0003113100370000043
Expressed as:
Figure BDA0003113100370000044
wherein ,Vc Expressed in terms of node v c Node set in transaction pattern subgraph constructed as target node E c And X is c Respectively represent
Figure BDA0003113100370000045
Information of the transaction link set and each transaction;
then taking the time interval between the first transaction and the last transaction in the time sequence transaction pattern sub-graph as the total transaction time length, dividing the time length into M transaction time segments, dividing the time sequence transaction pattern sub-graph into pieces according to the divided time segments, forming a network segmentation graph according to the transaction information of each transaction time segment, wherein the node number in each network segmentation graph is the same as the node number of the transaction pattern sub-graph, and finally obtaining M network segmentation graphs to form a network sequence dynamic transaction pattern sub-graph set, which is expressed as G= { G 0 ,G 1 ,…,G N (c-th network sequential dynamic transaction pattern subgraph)
Figure BDA0003113100370000046
Preferably, the process of obtaining the unique time transaction connection edge in the unified network sequence is specifically as follows:
for each transaction period M e [0,1, …, M]Network sequential dynamic global transaction network map of blockchain
Figure BDA0003113100370000047
Network sequential dynamic transaction Pattern subgraph with target node->
Figure BDA0003113100370000048
With trainable time importance coefficients alpha e R M And allocating different time coefficients for the transaction links between different transaction time periods, and finally merging, weighting and summing to obtain a unique time weighted transaction continuous edge.
Preferably, the process of learning the user potential characteristics and transaction pattern characteristics of the target node comprises:
the detection model comprises a node classification channel and a dynamic graph classification channel, and for the whole transaction network fragment graphs of different transaction time periods, the node classification channel based on a graph rolling network (GCN) is adopted to learn the user potential characteristics of a target node at the current moment; aiming at target node transaction pattern subgraphs of different transaction time periods, extracting transaction pattern characteristics of a target node at the current moment by utilizing a transaction pattern recognition channel based on a differentiable hierarchical image pooling model (Diffpool);
preferably, after extracting the user potential characteristics and the transaction pattern characteristics of the target node, the time characteristics of the whole transaction network and the transaction pattern sub-graph are learned by adopting a gate control circulation unit (GRU) with the same structure in each channel, the gate control circulation unit is trained by utilizing the network sequence type dynamic whole transaction network graph and the transaction pattern sub-graph, and the hidden layer output at the last moment of the GRU is adopted as the final user potential characteristics and the final transaction pattern characteristics of the target node.
Preferably, the process of obtaining the final detection result specifically includes:
the fishing node detection method adopts the following formula to carry out weighted summation on the attention of the potential characteristics of the user and the characteristics of the transaction mode so as to obtain the combined characteristics
Figure BDA0003113100370000051
As input data of the phishing node detection module, a final detection result of the target node is obtained, and is expressed as:
Figure BDA0003113100370000052
wherein ,
Figure BDA0003113100370000053
representing the adoption of model parameters theta A Node classification lane f of (a) A (. About.) dynamic global transaction network diagram for blockchain>
Figure BDA0003113100370000054
Extracted user potential features, Z B =f B (G,Θ B ) Representing the adoption of model parameters theta B Transaction pattern recognition channel f of (2) B (. Cndot.) transaction pattern features extracted from dynamic transaction pattern subgraph G, γ= [ γ ] AB ]Is a matrix of attention coefficients.
Preferably, after the combined characteristics are obtained, the phishing node detection module adopts a fully-connected neural network as a classifier to realize classification prediction of the phishing nodes.
The process of obtaining the final multi-channel blockchain phishing node detection model includes: training the detection model by using the real class label of the target node and the final detection result, and obtaining the final dynamic whole transaction network diagram by taking the prediction confidence of the blockchain fishing detection model and the cross entropy of the node class label as loss functions
Figure BDA0003113100370000055
Multichannel blockchain fishing node detection model with dynamic transaction pattern sub-graph G as input>
Figure BDA0003113100370000056
Compared with the prior art, the invention has the following beneficial effects:
the multi-channel blockchain phishing node detection method based on the graphic neural network utilizes the trainable time importance coefficient to fuse time and transaction amount information of a plurality of transaction links in a blockchain transaction network. By adopting the node classification and node transaction mode identification dual channels based on the graph neural network, the potential characteristics of the user node and the transaction mode characteristics of the user node can be effectively extracted, the effectiveness of a blockchain phishing node detection model is improved, and the blockchain phishing node is detected.
Drawings
FIG. 1 is a system block diagram of a multi-channel blockchain phishing node detection method based on a graph neural network of the present invention.
Fig. 2 is a schematic diagram of an ethernet whole transaction network diagram construction process in an embodiment.
Fig. 3 is a schematic diagram of an ethernet node transaction pattern sub-graph construction process in an embodiment.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. Modifications and equivalents will occur to those skilled in the art upon understanding the present teachings without departing from the spirit and scope of the present teachings.
Fig. 1 is a system block diagram of a multi-channel blockchain phishing node detection method based on a graph neural network. The blockchain phishing node detection method provided by the embodiment comprises the following steps of:
step 1, constructing a network sequence type dynamic overall transaction network diagram of a blockchain according to blockchain transaction information, and constructing a network sequence type dynamic transaction pattern sub-diagram of a target node aiming at each node in the network sequence type dynamic overall transaction network diagram; inputting the network sequence type dynamic overall transaction network diagram, the network sequence type dynamic transaction mode subgraph and the node real class mark of the blockchain into a detection model of a multichannel blockchain phishing node;
the example obtains ethernet transaction data from the ethernet data query website etherscan disclosed. Each transaction data in the website contains tens of attributes, and only transaction nodes (from and to) in the transaction data, transaction time (time stamp) and transaction value (value) information are reserved as the basis for constructing the Ethernet transaction network.
Aiming at constructing a network sequence type blockchain integral transaction network diagram, the transaction data of an original Ethernet is too huge, and the phishing nodes only occupy the minimum part of all user nodes. And taking the given initial node as a central node, and extracting the address of the account of the other party as a first-order transaction node according to the transaction record. Then, each first-order transaction node is taken as a central node, the address of the other party account is extracted as a second-order transaction node according to the transaction record, and a time sequence type block chain dynamic overall transaction network diagram with the total node number of N is obtained and expressed as
Figure BDA0003113100370000071
Wherein V (|v|=n) represents a node set, E represents a link set, and X represents transaction amount W (E) and transaction time T (E) information corresponding to each link.
And then taking the time interval between the first transaction and the last transaction in the transaction network diagram as the total transaction time length, equally dividing the time length into M transaction time periods, and dividing the time-series blockchain transaction network diagram into fragments according to the divided time periods. The transaction information of each transaction time period forms a network fragmentation graph, and the node number in each network fragmentation graph is the same as the node number of the whole transaction network graph. Finally obtaining a network sequence type block chain dynamic whole transaction network diagram composed of M network fragment diagrams, which is expressed as
Figure BDA0003113100370000072
In the same transaction period, there may be L transaction links +.>
Figure BDA0003113100370000073
In the invention, a phishing node with the quantity ratio of 1:1 and normal nodes selected at equal quantity randomly are taken as central nodes, and a second-order network with time and transaction amount information is obtained. Fig. 2 illustrates an exemplary second order network construction process.
Aiming at constructing a network sequence type blockchain dynamic transaction pattern subgraph, the invention traverses each node in the time sequence type blockchain dynamic whole transaction network graph, takes each node as a central node, extracts first-order transaction nodes according to transaction records, and transaction information between each first-order transaction node and corresponding second-order transaction nodes to obtain the time sequence type dynamic transaction pattern subgraph
Figure BDA0003113100370000074
Figure BDA0003113100370000075
wherein ,Vc Expressed in terms of node v c Node set in transaction pattern subgraph constructed as target node E c And X is c Respectively indicate->
Figure BDA0003113100370000076
Information about each transaction and the set of transaction links in the system. Then converting the time-series dynamic transaction pattern sub-graph into a dynamic transaction pattern sub-graph with a network sequence area composed of M network fragment graphs according to the method for constructing the network sequence dynamic overall transaction network graph
Figure BDA0003113100370000081
Fig. 3 illustrates an exemplary process for constructing a second order transaction pattern sub-graph.
Step 2, weighting and summing a plurality of transaction information among the same node pairs in different network sequences by using a trainable time importance coefficient to serve as a unique time weighted transaction connecting edge in the unified network sequence;
for each transaction period M e [0,1, …, M]Block chain dynamic global transaction network map of (C)
Figure BDA0003113100370000082
Dynamic transaction Pattern subgraph with target node>
Figure BDA0003113100370000083
With trainable time importance coefficients alpha e R M Different time coefficients are distributed for transaction links between different transaction time periods, and finally unique time weighted transaction connecting edges are obtained through combination:
Figure BDA0003113100370000084
Figure BDA0003113100370000085
wherein αnode And alpha is graph Respectively representing the time importance coefficients for the dynamic whole transaction network graph and the target node dynamic transaction pattern subgraph.
Figure BDA0003113100370000086
Representing node i as being +.>
Figure BDA0003113100370000087
The only time-weighted transaction borderline, +.>
Figure BDA0003113100370000088
Representing node i as being +.>
Figure BDA0003113100370000089
Is a unique time weighted transaction borderline.
Figure BDA00031131003700000810
And->
Figure BDA00031131003700000811
Respectively represent node i and node j in
Figure BDA00031131003700000812
And->
Figure BDA00031131003700000813
W (e) and T (e) represent the transaction amount and transaction time of transaction link e.
After weighting and summing the multi-transaction links, finally obtaining a network sequence type block chain dynamic whole transaction network diagram composed of M network fragment diagrams
Figure BDA00031131003700000814
Dynamic transaction pattern subgraph g= { G with target node 0 ,G 1 ,…,G N },
Figure BDA00031131003700000815
c∈[0,1…,N]. Wherein A is m ∈R N×N Adjacency matrix representing an mth monolithic transaction network fragmentation pattern,/->
Figure BDA00031131003700000816
Representing a target node v c Adjacency matrix of m-th transaction pattern fragment sub-graph,/->
Figure BDA00031131003700000817
Representation A m The amount of time-weighted transactions between the i-th node and the j-th node.
Step 3, aiming at the network sequence type dynamic overall transaction network diagram, learning the user potential characteristics of the target node by utilizing the dynamic node classification channel in the detection model; aiming at the network sequence type dynamic transaction pattern subgraph, the transaction pattern characteristics of the target node are learned by utilizing a dynamic pattern classification channel in the detection model;
for potential characteristics of user nodes, as shown in fig. 1, taking an overall transaction network fragment graph in different transaction time periods as input, adopting a node classification channel based on a graph rolling network (GCN), and learning the node potential characteristics at the current moment through a formula (3):
Figure BDA0003113100370000091
wherein ,
Figure BDA0003113100370000092
the potential characteristics of the nodes in the mth network fragment are represented by N, the number of the network nodes is represented by d, and the characteristic dimension of the potential characteristics of the network nodes is represented by d; f and σ are the softmax function and the Relu function, respectively;
Figure BDA0003113100370000093
Figure BDA0003113100370000094
is an adjacency matrix added with the m-th monolithic transaction network fragment of the self-connection, I N Is a self-connected edge matrix of the network, A m Is an adjacency matrix of the network; x represents a node attribute, in the present invention, x=i N
Figure BDA0003113100370000095
Is->
Figure BDA0003113100370000096
Metric matrix->
Figure BDA0003113100370000097
Values on the diagonal;
Figure BDA0003113100370000098
The weight matrix of the channel is classified from the input layer to the hidden layer and from the hidden layer to the output layer for the nodes.
For the transaction pattern characteristics of the user node, as shown in fig. 1, transaction pattern sub-graph fragments in different transaction time periods are taken as input, a transaction pattern recognition channel based on a differentiable hierarchical graph pooling model (Diffpool) is adopted, and the transaction pattern characteristics of the target node at the current moment are extracted through formulas (4) - (6).
Figure BDA0003113100370000099
Figure BDA00031131003700000910
Figure BDA00031131003700000911
wherein ,
Figure BDA00031131003700000912
for the target node v c Transaction pattern features in the mth network fragment;
Figure BDA00031131003700000913
Figure BDA00031131003700000914
is the target node v c Is added with the adjacency matrix of the m transaction mode network fragments of the self-connection, +.>
Figure BDA00031131003700000915
An adjacency matrix that is the mth transaction pattern subgraph;
Figure BDA00031131003700000916
Is->
Figure BDA00031131003700000917
Metric matrix->
Figure BDA00031131003700000918
Values on the diagonal;
Figure BDA00031131003700000919
A weight matrix is formed by layering a first layer of graph in Diffpool;
Figure BDA0003113100370000101
For the weight matrix of the pooling layer in Diffpool, n in the present invention 0 =0.1*|V c I, indicating the size of the pooling graph;
Figure BDA0003113100370000102
And outputting a weight matrix of the picture scroll lamination for the Diffpool.
The target node v is obtained by calculation through the steps c Transaction pattern features in mth network fragment of (c)
Figure BDA0003113100370000103
Then, the transaction mode characteristics of all nodes are spliced into final node transaction mode characteristics +.>
Figure BDA0003113100370000104
Step 4, different attention coefficients are distributed for the user potential characteristics and the transaction mode characteristics of the target node by using an attention mechanism, so that combined characteristics are obtained; inputting the combined characteristics into a detection module to obtain a final detection result of the target node;
the detection model comprises a node classification channel and a dynamic graph classification channel, and for the whole transaction network fragment graphs of different transaction time periods, the node classification channel based on a graph rolling network (GCN) is adopted to learn the user potential characteristics of a target node at the current moment; aiming at target node transaction pattern subgraphs of different transaction time periods, extracting transaction pattern characteristics of a target node at the current moment by utilizing a transaction pattern recognition channel based on a differentiable hierarchical image pooling model (Diffpool);
after the user potential characteristics and transaction mode characteristics of the target node are extracted, time characteristics of the whole transaction network and transaction mode subgraphs are learned by adopting a gate control circulation unit (GRU) with the same structure in each channel, the gate control circulation unit is trained by utilizing a network sequence type dynamic whole transaction network diagram and the transaction mode subgraphs, and the hidden layer output at the last moment of the GRU is adopted as the final user potential characteristics and the final transaction mode characteristics of the target node.
The GRU structure is shown in formula (7);
Figure BDA0003113100370000105
wherein ,Wz 、U z 、W r 、U r W and U are trainable weights,
Figure BDA0003113100370000106
representing an intermediate quantity in the computation, σ is the sigmoid activation function. Cell state h of GRU at previous time t-1 And input x at the current time t As input, the current cell state h is output t And as an output of the current time. The procedure for calculating each cell state of the GRU is simplified as formula (8):
h t =GRU(h t-1 ,x t ) (8)
the process of utilizing the GRU learning node potential features or transaction pattern features is collectively expressed as:
Figure BDA0003113100370000111
wherein ,
Figure BDA0003113100370000112
is node v i A GRU cell status at time m; when (I)>
Figure BDA0003113100370000113
Or->
Figure BDA0003113100370000114
Adjacency moment representing 0 th overall transaction network fragment graphRow i of the array, or node v i Is a contiguous matrix of transaction pattern subgraphs. Node classification channel->
Figure BDA0003113100370000115
In (2), the parameters of GCN and GRU are marked as Θ A The method comprises the steps of carrying out a first treatment on the surface of the Transaction Pattern recognition channel->
Figure BDA0003113100370000116
In the formula, the parameters of Diffpool and GRU are marked as Θ B . In Z i ∈R 1×d Unified representation Z A Or Z is B I-th row of (a), a spliced vector indicating cell status at all times, represents node v i Node potential characteristics or node transaction pattern characteristics of (c).
Step 5, adopting a formula (10) to weight and sum the attention of the potential characteristics of the node user and the characteristics of the node transaction mode to obtain combined characteristics
Figure BDA0003113100370000117
The obtained combined characteristics are used as input data of a fishing node detection module;
Figure BDA0003113100370000118
wherein, gamma= [ gamma ] AB ]In order to pay attention to the coefficient matrix,
Figure BDA0003113100370000119
representing node fusion features.
Step 6, in the embodiment, after the combined characteristics are obtained, the phishing node detection module adopts a fully-connected neural network as a two-classifier to realize two-classification prediction of the phishing node; training the detection model by using the real class label of the target node and the final detection result, taking the prediction confidence of the blockchain fishing detection model and the cross entropy of the node class label as a loss function, and giving the fusion characteristic z of the input i
Figure BDA00031131003700001110
The hidden layer and the output layer in the neural network classifier are respectively:
Figure BDA00031131003700001111
Figure BDA00031131003700001112
Figure BDA00031131003700001113
wherein M is the number of hidden layers of the neural network, W (m) and b(m) The weight and bias of the mth layer respectively,
Figure BDA0003113100370000121
is node v i The hidden layer output of the m-th layer. The output layer of the neural network has only one neuron, < >>
Figure BDA0003113100370000122
For node v i Is a final classification result of (a).
Step 7, the parameters of the classifier are marked as Θ NN In each training round, optimizing Θ by random gradient descent method using equation (14) as an objective function NN Training the multichannel blockchain fishing detection model;
Figure BDA0003113100370000123
wherein ,Ts A set of network nodes for blockchain transactions with class labels; f= [ tau ] 1 ,…,τ N ]Representing a set of network node class labels, node v i Class of indices τ i ∈[0,1],τ i =1 represents node v i Is a fishing node; if the network node v l Belonging to class tau k Y is then lk =1, otherwise Y lk =0;
Figure BDA0003113100370000124
Is the classification confidence output calculated from equation (13). />

Claims (6)

1. A multichannel blockchain phishing node detection method based on a graph neural network is characterized by comprising the following steps:
constructing a network sequence type dynamic overall transaction network diagram of a blockchain according to blockchain transaction information, and constructing a network sequence type dynamic transaction pattern sub-diagram of a target node aiming at each node in the network sequence type dynamic overall transaction network diagram; inputting the network sequence type dynamic overall transaction network diagram, the network sequence type dynamic transaction mode subgraph and the node real class mark of the blockchain into a detection model of a multichannel blockchain phishing node;
weighting and summing a plurality of transaction information between the same node pairs in different network sequences by using a trainable time importance coefficient to serve as a unique time weighted transaction connecting edge in the unified network sequence;
aiming at the network sequence type dynamic overall transaction network diagram, learning the user potential characteristics of the target node by utilizing a dynamic node classification channel in the detection model; aiming at the network sequence type dynamic transaction pattern subgraph, the transaction pattern characteristics of the target node are learned by utilizing a dynamic pattern classification channel in the detection model;
different attention coefficients are distributed to the user potential characteristics and the transaction mode characteristics of the target node by using an attention mechanism, so that combined characteristics are obtained; inputting the combined characteristics into a detection module to obtain a final detection result of the target node;
training the detection model by using the real class mark of the target node and the final detection result to obtain a final multi-channel blockchain fishing node detection model;
the process of obtaining the unique time transaction connection edge in the unified network sequence comprises the following steps:
for each transaction timeSegment M e [0,1, …, M]Network sequential dynamic global transaction network map of blockchain
Figure FDA0004084448100000011
Network sequential dynamic transaction Pattern subgraph with target node->
Figure FDA0004084448100000012
With trainable time importance coefficients alpha e R M Different time coefficients are distributed for transaction links among different transaction time periods, and finally, the unique time weighted transaction continuous edge is obtained through combination, weighting and summation;
the process of learning the user potential characteristics and transaction pattern characteristics of the target node includes:
the detection model comprises a node classification channel and a dynamic graph classification channel, and for the whole transaction network fragment graphs of different transaction time periods, the node classification channel based on the graph rolling network is adopted to learn the potential characteristics of the user of the target node at the current moment; aiming at target node transaction pattern subgraphs of different transaction time periods, extracting transaction pattern characteristics of a target node at the current moment by utilizing a transaction pattern recognition channel based on a differentiable hierarchical image pooling model;
after the user potential characteristics and the transaction mode characteristics of the target node are extracted, the time characteristics of the whole transaction network and the transaction mode subgraph are learned by adopting a gating circulation unit with the same structure in each channel, the gating circulation unit is trained by utilizing a network sequence type dynamic whole transaction network diagram and the transaction mode subgraph, and the hidden layer output at the final moment of the GRU is adopted as the final user potential characteristics and the target node transaction mode characteristics of the target node.
2. The method for detecting multi-channel blockchain phishing nodes based on the graph neural network according to claim 1, wherein the process of constructing a network sequential type dynamic whole transaction network graph of the blockchain is as follows:
selecting a certain number of phishing nodes and normal nodes as initial nodes, and extracting the other party according to the transaction recordThe account address is used as a first-order transaction node, then each first-order transaction node is used as a central node, the account address of the other party is extracted according to the transaction record and used as a second-order transaction node, and a time sequence type dynamic integral transaction network diagram with the total node number of N is obtained and expressed as
Figure FDA0004084448100000021
Wherein V (|v|=n) represents a node set, E represents a link set, and X represents transaction amount W (E) and transaction time T (E) information corresponding to each link;
taking the time interval between the first transaction and the last transaction in the time sequence type dynamic integral transaction network diagram as the total transaction time length, dividing the time length into M transaction time periods equally, dividing the time sequence type dynamic integral transaction network diagram into fragments according to the divided time periods, forming a network fragment diagram by transaction information of each transaction time period, wherein the node number in each network fragment diagram is the same as the node number of the integral transaction network diagram, and finally obtaining a network sequence type dynamic integral transaction network diagram formed by the M network fragment diagrams, wherein the network sequence type dynamic integral transaction network diagram is expressed as
Figure FDA0004084448100000022
In the same transaction period, there may be L transaction links +.>
Figure FDA0004084448100000023
3. The method for detecting multi-channel blockchain phishing nodes based on the graphic neural network of claim 1, wherein,
the process of constructing a network sequential dynamic transaction pattern subgraph of a target node includes:
traversing each node in the time-series dynamic overall transaction network diagram, taking each node as a central node, extracting transaction information between a first-order transaction node and a second-order transaction node according to the transaction records, and obtaining time-series transaction of a target nodePattern subgraph
Figure FDA0004084448100000031
Expressed as:
Figure FDA0004084448100000032
wherein ,Vc Expressed in terms of node v c Node set in transaction pattern subgraph constructed as target node E c And X is c Respectively represent
Figure FDA0004084448100000033
Information of the transaction link set and each transaction;
then, according to the time interval between the first transaction and the last transaction in the time series transaction pattern sub-graph as the total transaction time length, dividing the time length into M transaction time segments, and dividing the time series transaction pattern sub-graph according to the divided time segments, wherein the transaction information of each transaction time segment forms a network division graph, the node number in each network division graph is the same as the node number of the transaction pattern sub-graph, and finally a network series dynamic transaction pattern sub-graph set formed by M network division graphs is obtained, and is expressed as G= { G 0 ,G 1 ,…,G N (c-th network sequential dynamic transaction pattern subgraph)
Figure FDA0004084448100000034
4. The method for detecting the fishing node of the multi-channel blockchain based on the graphic neural network according to claim 1, wherein the process of obtaining the final detection result specifically comprises the following steps:
the fishing node detection method adopts the following formula to carry out weighted summation on the attention of the potential characteristics of the user and the characteristics of the transaction mode so as to obtain the combined characteristics
Figure FDA0004084448100000035
As input data of the phishing node detection module, a final detection result of the target node is obtained, and is expressed as:
Figure FDA0004084448100000036
wherein ,
Figure FDA0004084448100000037
representing the adoption of model parameters theta A Node classification lane f of (a) A (. About.) dynamic global transaction network diagram for blockchain>
Figure FDA0004084448100000038
Extracted user potential features, Z B =f B (G,Θ B ) Representing the adoption of model parameters theta B Transaction pattern recognition channel f of (2) B (. Cndot.) transaction pattern features extracted from dynamic transaction pattern subgraph G, γ= [ γ ] AB ]Is a matrix of attention coefficients.
5. The method for detecting the fishing nodes of the multi-channel blockchain based on the graphic neural network according to claim 1 or 4, wherein after the combined characteristics are obtained, the fishing node detection module adopts the fully-connected neural network as a classifier to realize the classification prediction of the fishing nodes.
6. The method of claim 1, wherein obtaining a final multi-channel blockchain phishing node detection model comprises: training the detection model by using the real class label of the target node and the final detection result, and obtaining the final dynamic whole transaction network diagram by taking the prediction confidence of the blockchain fishing detection model and the cross entropy of the node class label as loss functions
Figure FDA0004084448100000041
Multichannel blockchain fishing node detection model with dynamic transaction pattern sub-graph G as input>
Figure FDA0004084448100000042
CN202110654086.XA 2021-06-11 2021-06-11 Multichannel blockchain phishing node detection method based on graphic neural network Active CN113283902B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110654086.XA CN113283902B (en) 2021-06-11 2021-06-11 Multichannel blockchain phishing node detection method based on graphic neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110654086.XA CN113283902B (en) 2021-06-11 2021-06-11 Multichannel blockchain phishing node detection method based on graphic neural network

Publications (2)

Publication Number Publication Date
CN113283902A CN113283902A (en) 2021-08-20
CN113283902B true CN113283902B (en) 2023-05-09

Family

ID=77284428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110654086.XA Active CN113283902B (en) 2021-06-11 2021-06-11 Multichannel blockchain phishing node detection method based on graphic neural network

Country Status (1)

Country Link
CN (1) CN113283902B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114520739A (en) * 2022-02-14 2022-05-20 东南大学 Phishing address identification method based on cryptocurrency transaction network node classification
CN115907770B (en) * 2022-11-18 2023-09-29 北京理工大学 Ethernet phishing fraud identification and early warning method based on time sequence feature fusion
CN116527313B (en) * 2023-03-23 2024-04-19 中国科学院信息工程研究所 Block chain fishing behavior detection method and device
CN117371540B (en) * 2023-12-07 2024-03-15 南京信息工程大学 Depth map neural network-based blockchain address identity inference method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111311416B (en) * 2020-02-28 2024-01-23 杭州云象网络技术有限公司 Block chain money laundering node detection method based on multichannel graph and graph neural network
CN111447179A (en) * 2020-03-03 2020-07-24 中山大学 Network representation learning method for phishing and fraud of Ethernet
CN112600810B (en) * 2020-12-07 2021-10-08 中山大学 Ether house phishing fraud detection method and device based on graph classification
CN112738034B (en) * 2020-12-17 2022-04-29 杭州趣链科技有限公司 Block chain phishing node detection method based on vertical federal learning

Also Published As

Publication number Publication date
CN113283902A (en) 2021-08-20

Similar Documents

Publication Publication Date Title
CN113283902B (en) Multichannel blockchain phishing node detection method based on graphic neural network
Save et al. A novel idea for credit card fraud detection using decision tree
Liu et al. Attentive crowd flow machines
CN109544190A (en) A kind of fraud identification model training method, fraud recognition methods and device
CN113111930B (en) End-to-end Ethernet fishing account detection method and system
CN112738034B (en) Block chain phishing node detection method based on vertical federal learning
CN113283909B (en) Ether house phishing account detection method based on deep learning
CN113269647B (en) Graph-based transaction abnormity associated user detection method
CN112381179A (en) Heterogeneous graph classification method based on double-layer attention mechanism
CN112700324A (en) User loan default prediction method based on combination of Catboost and restricted Boltzmann machine
CN113821827B (en) Combined modeling method and device for protecting multiparty data privacy
CN116416478B (en) Bioinformatics classification model based on graph structure data characteristics
CN115375480A (en) Abnormal virtual coin wallet address detection method based on graph neural network
Peng et al. When urban safety index inference meets location-based data
CN113538126A (en) Fraud risk prediction method and device based on GCN
Chen et al. Knowledge-inspired subdomain adaptation for cross-domain knowledge transfer
Liu et al. Deep spatio-temporal multiple domain fusion network for urban anomalies detection
CN115965466A (en) Sub-graph comparison-based Ethernet room account identity inference method and system
CN115510948A (en) Block chain fishing detection method based on robust graph classification
CN115438751A (en) Block chain phishing fraud identification method based on graph neural network
CN115170334A (en) Anti-money laundering model training method and device
CN112183824B (en) Online and offline correlated urban passenger flow prediction method
CN114722920A (en) Deep map convolution model phishing account identification method based on map classification
Iqbal et al. Association rule analysis-based identification of influential users in the social media
CN115907770B (en) Ethernet phishing fraud identification and early warning method based on time sequence feature fusion

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant