CN116032670A - Ethernet phishing fraud detection method based on self-supervision depth map learning - Google Patents

Abstract

The invention relates to a method for detecting fraudulent behaviors of Ethereum phishing based on self-supervised deep graph learning, and belongs to the technical field of self-supervised deep graph learning. Data mapping: Based on the obtained Ethereum data, automatic information extraction is performed, and merged into nodes that do not have available attributes to obtain a transaction graph with node characteristics. Model preparation: set up spatial self-supervised pre-tasks, build models and training tasks, which are used to mine and represent node attribute information and topology information in the graph. Model training: Set the training scale and convergence conditions to obtain an optimized training model for detection. The model can detect new transaction graphs on Ethereum, and deal with problems such as constant changes in the scale of Ethereum, continuous evolution of transaction graphs, and insufficient number of node labels.

Description

Ethereum phishing fraud detection method based on self-supervised deep graph learning

Technical Field

The present invention relates to an Ethereum phishing fraud behavior detection method based on self-supervised deep graph learning, and belongs to the technical field of self-supervised deep graph learning.

Background Art

As one of the most popular scalable blockchains in the world today, Ethereum has fully tapped the potential of smart contracts and created a large number of decentralized financial applications (DeFi) based on smart contracts, attracting widespread attention and funding. Figure 1 shows the creation process of smart contracts. Smart contracts can automatically manage and approve the transaction process without any centralized entity, ensuring transaction trust and transparency while eliminating delays and costs in the original transaction process. It is estimated that the current total market value of Ethereum has reached 200 billion US dollars, but its booming development has also put millions of users at risk of malicious attacks, such as phishing scams and extortion of user funds. These attacks are difficult to defend against with traditional methods such as software security or smart contract analysis alone. Therefore, it is particularly important to conduct intelligent analysis at the level of Ethereum transaction behavior.

There are two main types of existing phishing fraud detection methods based on intelligent analysis. The first type mainly uses shallow learning models, such as traditional machine learning methods that rely on feature engineering, or network embedding methods based on random walks like DeepWalk and Node2Vec. The second type is mainly based on graph-based deep learning methods, such as graph convolutional neural networks. Deep learning has achieved great success in computer vision, speech recognition, and natural language processing due to its powerful representation learning ability. In recent years, how to apply deep learning to non-Euclidean data such as graphs has attracted more and more attention, such as social networks, protein interface prediction, knowledge graph embedding, etc., which also helps many tasks in computer vision or natural language processing, such as object detection, action recognition, machine translation, semantic parsing, etc. In view of the experience in other fields, combined with the characteristics of Ethereum's own transaction activities-all Ethereum's transaction activities can be regarded as a large-scale transaction graph. If the advantages of deep graph learning methods on Ethereum can be fully utilized, the effectiveness of security analysis can be greatly improved.

The basic workflow of the deep graph learning method is shown in Figure 2. The steps include: 1) Data collection - obtaining a data set for deep graph learning; 2) Data mapping - building a graph for the deep learning method based on the data set; 3) Model preparation - designing a training model and creating a training method; 4) Model training - passing the data subgraph used for training as input to the training model until the training results converge; 5) Model application - after training is completed, the trained model is deployed, and the data subgraph used for evaluation is used as input to obtain the application results.

At present, there are two main problems in applying deep graph learning methods to Ethereum phishing fraud detection. On the one hand, the scale of Ethereum transaction data constructed is very large. As of now, there have been more than 1.8 billion transactions on the chain, and thousands of new transactions are continuously added to the chain per second, that is, the constructed Ethereum transaction graph is an evolving graph that keeps changing dynamically; on the other hand, the number of node labels in the constructed Ethereum transaction graph is very small, especially the lack of fishing node labels for phishing fraud detection training. In addition, there is even less label data in the transaction graph generated by new transaction data, which further leads to the problem of label imbalance. The existing deep graph learning methods cannot solve the above problems well. Most of them are direct training methods, which can only be detected in a single fixed graph. Every time a new node and subgraph appear, they need to be retrained, which is not suitable for the scenario where new subgraphs are constantly entering Ethereum. At the same time, in order to deal with the situation where the number of labels is too small, these methods use a biased sampling method when generating the transaction graph, that is, selecting nodes with labels, and then using these nodes as the center to perform extended sampling using algorithms such as random walks, and finally selecting the nodes with labels and their neighbors. This changes the node distribution of the original Ethereum graph to a certain extent and is not suitable for actual scenarios.

Further analysis and summary of the above problems show that the existing deep graph learning only limits the research scale of the Ethereum transaction graph and changes the original structure of the graph through methods such as direct training and biased sampling, but it cannot completely solve the problems of the ever-changing Ethereum data scale, the ever-evolving transaction graph, and the insufficient number of node labels.

Summary of the invention

Purpose of the invention: In view of the above-mentioned existing problems and shortcomings, the purpose of the present invention is to provide an Ethereum phishing fraud detection method based on self-supervised deep graph learning, propose an effective self-supervised learning pre-task, train a self-supervised model on existing Ethereum transaction data, and apply the trained converged model to new subgraphs that need to be detected to find nodes in the subgraphs where phishing fraud exists.

In terms of process, users of this method only need to train a convergent phishing fraud detection model based on existing Ethereum transaction data, construct the latest transaction data that needs to be detected into a transaction graph input, and then return the corresponding normal nodes and nodes that may have phishing fraud behavior, thereby realizing the detection of Ethereum phishing fraud behavior.

In terms of characteristics, this method can detect new data subgraphs based on the existing Ethereum data training model to cope with problems such as the ever-changing scale of Ethereum, the evolving transaction graph, and the insufficient number of node labels.

Technical solution: To achieve the above-mentioned invention object, the present invention adopts the following technical solution:

A method for detecting Ethereum phishing fraud based on self-supervised deep graph learning, comprising the following steps:

Step 1: Data graph construction: Based on the acquired Ethereum data, automatic information extraction is performed and merged into nodes that originally did not have available attributes to obtain a transaction graph with node characteristics;

Step 2: Model preparation: Set up spatial self-supervised pre-tasks, build models and training tasks to mine and represent node attribute information and topological structure information in the graph;

Step 3: Model training: Set the training scale and convergence conditions to obtain the optimized training model for detection.

Furthermore, the specific steps of step 1 are:

Step 1.1: Collect Ethereum transaction data for training and filter out failed transactions and transactions with a transaction value of 0;

Step 1.2: Divide the transaction data obtained in step 1.1 into S parts according to the block number or timestamp, and further divide each transaction data into S pieces with similar transaction numbers;

Step 1.3: Based on the transaction graph node attributes, calculate the node feature vector in each piece of transaction data and construct a one-to-one Ethereum transaction graph.

Furthermore, the specific steps of step 2 are:

Step 2.1: Set model parameters and choose direct or inductive learning;

Step 2.2: If direct learning is selected, the transaction graph formed by the first S-2 pieces of each transaction data is input in sequence for model training, and the model training results are evaluated on the transaction graph of the S-1th piece; if inductive learning is selected, the transaction graph of the first S-1 pieces is input in sequence for model training, and the model training results are evaluated on the transaction graph of the Sth piece.

Furthermore, the specific steps of step 3 are: repeating step 2.2 on S pieces of transaction data respectively to obtain the final trained converged model.

Furthermore, the S is 5.

，按照区块号或者时间戳的顺序划分为

共

个子图，其中每个子图

，

，即

是子图中

个节点的集合，

是子图中边的集合，

是根据子图节点的17条特征构建的特征矩阵。以

表示子图的邻接矩阵，即如果子图中任意两个节点m, n间存在边，则邻接矩阵中

，否则

，再对该无标签且有节点特征的交易子图运用自监督学习的训练方法，通过如下公式计算损失值

：Furthermore, the specific steps of step 2 are as follows: the transaction graph obtained in step 1 is set as

, divided into

common

subgraphs, where each subgraph

,

,Right now

In the subgraph

A collection of nodes,

is the set of edges in the subgraph,

is a feature matrix constructed based on the 17 features of the subgraph nodes.

Represents the adjacency matrix of the subgraph, that is, if there is an edge between any two nodes m and n in the subgraph, then the adjacency matrix

,otherwise

, and then apply the self-supervised learning training method to the unlabeled transaction subgraph with node features, and calculate the loss value by the following formula

:

：

:

是前置任务中交易图节点集合，

是前置任务训练的交易图节点

的真实特征值，

是用于衡量节点

的特征嵌入向量和真实特征值

误差的判定模型，在经过本轮前置任务的训练后，图神经网络的编码器g将会被保留到下一轮训练，同时生成子图节点的表示

，该节点表示将会被送入最终的分类器进行下游的钓鱼节点检测任务，通过图神经网络的特征提取器计算给定子图

中所有节点的特征嵌入向量表示

，其次对于子图

中的节点

，如果

位于从

开始不超过k跳可达（即经过k跳或更短的路径）的所有点集合中（不考虑边上的方向），即

是

的k跳邻居，经过模型训练后两个节点的特征嵌入向量表示相似度应该尽可能高，反之亦然，该任务的一般性表达如下公式所示：Among them, g is the encoder of the graph neural network, that is, the feature extractor,

is the set of transaction graph nodes in the previous task,

It is the transaction graph node of the previous task training

The true eigenvalue of

It is used to measure the node

The feature embedding vector and true eigenvalue of

Error judgment model. After training the previous task in this round, the encoder g of the graph neural network will be retained for the next round of training, and the representation of the subgraph nodes will be generated at the same time.

, which will be sent to the final classifier for downstream fishing node detection tasks. The feature extractor of the graph neural network is used to calculate the given subgraph

The feature embedding vector representation of all nodes in

, and secondly for the subgraph

Nodes in

,if

Located from

Start with the set of all points that are reachable within k hops (i.e., a path that is k hops or shorter) (regardless of the direction of the edge), that is

yes

k-hop neighbors, after model training, the feature embedding vector representation similarity of two nodes should be as high as possible, and vice versa. The general expression of this task is shown in the following formula:

，

,

和

分别表示子图

所有节点

中互为k跳邻居的节点组集合和非k跳邻居的节点组集合，

是相似度判断函数，本方法设置为

，

表示的是线性变换层，

是

中节点

的特征嵌入向量表示。in,

and

Represent subgraphs

All nodes

The set of node groups that are k-hop neighbors and the set of node groups that are not k-hop neighbors,

is the similarity judgment function, and this method is set to

,

represents the linear transformation layer,

yes

Midpoint

The feature embedding vector representation of .

Beneficial effects: Compared with the prior art, the present invention has the following advantages: The main problems solved come from three aspects:

The available properties of nodes cannot be found in the original transaction data of Ethereum. At the same time, there may be multiple transactions between two nodes, resulting in the generation of a multilateral transaction graph. This requires the design of a reasonable Ethereum transaction graph structure and the setting of representative node and edge properties.

The Ethereum transaction graph has very little labeled data, and the transaction graph generated by new transactions has even less labeled data, further exacerbating the problem of label imbalance;

The data scale of Ethereum is very large. If the entire generated transaction graph is trained, the time and resource costs will be very high.

In response to the above problems, this patent proposes an Ethereum phishing fraud detection method based on self-supervised deep graph learning, which can divide the three aspects of the problem to be solved into three modules of the method - Ethereum data mapping, preparation of phishing fraud detection model and training of phishing fraud detection model. For Ethereum data mapping. Unlike Bitcoin transactions, which can have multiple inputs and outputs, Ethereum transactions are one-to-one, but the original transaction graph has problems such as nodes having no available attributes and multiple edges between two nodes. This method does not directly merge the multiple edges of the transaction graph into one edge, but extracts relatively useful information from the original transaction data, and artificially merges this information into the attributes of the node to obtain a unilateral directed graph with node attributes, and then selects the largest weakly connected component (WCC) in the graph as the final training model input graph.

Preparation of a phishing fraud detection model. In order to make full use of large-scale Ethereum transaction data when the number of node labels is small, this patent adopts a self-supervised learning method. The self-supervised learning method does not need to worry about labels and annotations, and directly mines more information from the data itself through supervisory signals. At present, the effectiveness of self-supervised learning methods has been proven by many successful cases such as natural language processing and computer vision. However, the topological structure of the Ethereum transaction graph shows that the nodes on the graph are not independent, which makes it almost impossible to use the existing framework directly on the graph. For this reason, the technology described in this patent will focus on the design of pre-tasks and propose an effective spatial self-supervised pre-task.

For the training of phishing fraud detection models. The huge amount of Ethereum data brings huge resource pressure to model training. This method divides the transaction data into five parts according to the Ethereum block number (or timestamp), reduces variability through multiple experiments, and ensures more stable results. At the same time, each transaction data is further divided into five pieces, and under limited resource conditions, the detection model is trained on five pieces of transaction data in turn, thus solving the difficulties of Ethereum data scalability and large data scale.

Based on the above analysis, this patent designs a method for detecting Ethereum phishing fraud based on self-supervised deep graph learning in three modules. The data mapping module automatically extracts relatively useful information from the original Ethereum transaction data and merges it into the node attributes to obtain a unilateral directed graph with node attributes; the model preparation module designs an effective spatial pre-task based on the self-supervised learning method to mine and represent the rich node attribute information and topological structure information in the graph; the model training module divides the transaction data/transaction graph according to the Ethereum block number (or timestamp), sets the convergence conditions to continuously optimize the feature extractor, and conducts multiple experiments to ensure the stability of the results.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of creating a smart contract of the present invention;

FIG2 is a basic workflow diagram of deep graph learning of the present invention;

FIG3 is a spatial pre-task of the present invention;

FIG4 is a visualization result of the original features of detecting Ethereum phishing fraud using the method described in this patent compared with other methods in an embodiment of the present invention;

FIG5 is a visualization result of an untrained graph convolutional neural network for detecting Ethereum phishing fraud using the method described in this patent in accordance with an embodiment of the present invention compared to other methods;

FIG6 is a visualization result of the method of the present invention for detecting Ethereum phishing fraud using the method of the present invention compared with other methods;

FIG. 7 is a visualization result of detecting Ethereum phishing fraud behavior using the method described in this patent under different training iterations of 1 round in an embodiment of the present invention;

FIG8 is a visualization result of detecting Ethereum phishing fraud behavior using the method described in this patent under different training iterations of 10 rounds in an embodiment of the present invention;

FIG. 9 is a visualization result of detecting Ethereum phishing fraud using the method described in this patent under 50 different training iterations according to an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention is further explained below in conjunction with the accompanying drawings and specific embodiments. It should be understood that these embodiments are only used to illustrate the present invention and are not used to limit the scope of the present invention. After reading the present invention, various equivalent forms of modifications to the present invention by those skilled in the art all fall within the scope defined by the claims attached to this application.

A method for detecting Ethereum phishing fraud based on self-supervised deep graph learning is shown in Figures 4 to 9 compared with other methods.

In the data mapping part, this method automatically extracts information from the original Ethereum transaction data and merges it into nodes that originally did not have available attributes, obtaining a transaction graph with node characteristics.

In the model preparation part, this method proposes an effective spatial self-supervised pre-task to solve the problem of scarce labels and obtain a converged model that can be used for detection by minimizing the cumulative error.

In the model training part, this method trains the transaction graph by sharding according to block number (or timestamp), continuously optimizes the training of each transaction graph, controls the use of resources and adapts to the latest changes in the transaction graph.

Example

The genesis block of Ethereum originated in July 2015. Without loss of generality, this method collects all transaction data from January 2018 to May 2020 (including external transaction data initiated from user addresses and internal transaction data initiated from smart contract addresses) for model training. The original data structure is complex, and there are a lot of meaningless noise data for phishing fraud detection, such as failed transaction data and transaction data with a transaction value of 0. After filtering by this method, a total of 75,382,756 transaction data were finally obtained.

In the data mapping part, 17 general features of Ethereum original transaction data are automatically extracted as transaction graph node attributes, as shown in Table 1 below. The 17 basic features of transaction graph node attributes show that the current feature extraction effect is good.

Table 1

已经被按照区块号（或者时间戳）的顺序划分为{

}共N个子图，其中每个子图

，

，即

是子图中

个节点的集合，

是子图中边的集合，

是根据子图节点的17条特征构建的特征矩阵。以

表示子图的邻接矩阵，即如果子图中任意两个节点m, n间存在边，则邻接矩阵中

，否则

。之后对该无标签且有节点特征的交易子图运用自监督学习的训练方法，自监督学习的训练目标可以被概括为最小化前置任务的损失值

，如公式一所示：In the model preparation part, before self-supervised learning training, this method assumes that the original transaction graph of Ethereum

It has been divided into {

}There are N subgraphs in total, each of which

,

,Right now

In the subgraph

A collection of nodes,

is the set of edges in the subgraph,

is a feature matrix constructed based on the 17 features of the subgraph nodes.

Represents the adjacency matrix of the subgraph, that is, if there is an edge between any two nodes m and n in the subgraph, then the adjacency matrix

,otherwise

Then, the self-supervised learning training method is applied to the unlabeled transaction subgraph with node features. The training objective of self-supervised learning can be summarized as minimizing the loss value of the previous task.

, as shown in Formula 1:

Formula 1:

是前置任务训练的交易图节点

的真实特征值，

是原始交易图已经被按照区块号（或者时间戳）划分好的某一个子图，

是前置任务中交易图节点集合，

是用于衡量节点

的特征嵌入向量和真实特征值

误差的判定模型。在经过本轮前置任务的训练后，图神经网络的编码器g将会被保留到下一轮训练，同时生成子图节点的表示

，该节点表示将会被送入最终的分类器进行下游的钓鱼节点检测任务。Among them, g is the encoder of the graph neural network, that is, the feature extractor,

It is the transaction graph node of the previous task training

The true eigenvalue of

It is a subgraph of the original transaction graph that has been divided according to the block number (or timestamp).

is the set of transaction graph nodes in the previous task,

It is used to measure the node

The feature embedding vector and true eigenvalue of

Error judgment model. After training the previous task in this round, the encoder g of the graph neural network will be retained for the next round of training, and the representation of the subgraph nodes will be generated at the same time.

, this node indicates that it will be sent to the final classifier for downstream fishing node detection tasks.

Intuitively speaking, for the problem of detecting phishing fraud, the design of a qualified pre-task should meet the following prerequisites: 1) The extracted data labels should reflect the characteristics of the data itself; 2) Due to the large scale of Ethereum transaction data, the extracted data labels should be obtained with a lower time complexity, otherwise the time cost of training is unacceptable; 3) The pre-task can contain some domain knowledge, but it cannot be too detailed, otherwise the applicability of the pre-task will be limited and it will be vulnerable to adversarial attacks. For nodes on the Ethereum transaction graph, this method believes that neighbor nodes with frequent transactions should have similar node representations. In order to effectively capture the spatial relationship between neighbor nodes in the Ethereum transaction graph, the method described in this patent designs a spatial pre-task as shown in Figure 3.

中所有节点的特征嵌入向量表示

。其次对于子图

中的节点

，如果

位于从

开始不超过k跳可达（即经过k跳或更短的路径）的所有点集合中（不考虑边上的方向），即

是

的k跳邻居，经过模型训练后两个节点的特征嵌入向量表示相似度应该尽可能高，反之亦然。该任务的一般性表达如公式二所示：First, the feature extractor of the graph neural network is used to calculate the given subgraph

The feature embedding vector representation of all nodes in

. Secondly, for the subgraph

Nodes in

,if

Located from

Start with the set of all points that are reachable within k hops (i.e., a path that is k hops or shorter) (regardless of the direction of the edge), that is

yes

After model training, the feature embedding vectors of two nodes should have as high similarity as possible, and vice versa. The general expression of this task is shown in Formula 2:

Formula 2:

和

分别表示子图

所有节点

中互为k跳邻居的节点组集合和非k跳邻居的节点组集合，

是相似度判断函数，本方法设置为

，

表示的是线性变换层，

是

中节点

的特征嵌入向量表示。in,

and

Represent subgraphs

All nodes

The set of node groups that are k-hop neighbors and the set of node groups that are not k-hop neighbors,

is the similarity judgment function, and this method is set to

,

represents the linear transformation layer,

yes

Midpoint

The feature embedding vector representation of .

The changes in the Ethereum market are far more dramatic than those of traditional trading platforms. The scale of its transaction data is huge and is in the process of continuous expansion. The transaction graph is also constantly evolving. It is impractical to put all the acquired data into training at one time. So as mentioned above, this method divides the transaction data according to the block number (or timestamp), inputs only part of the transaction subgraph each time for training, and uses the trained model to train the new subgraph. This not only alleviates the problem of the continuous expansion of Ethereum data, but also helps the model adapt to the new distribution of Ethereum transaction data.

The final algorithm of the model is as follows:

已经被按照区块号（或者时间戳）的顺序划分为{

}共N个子图，其中

= (Ai, Xi)。(1) Ethereum original transaction graph

It has been divided into {

}There are N subgraphs in total, among which

= (Ai, Xi).

的节点特征嵌入向量表示为Zi =gi(Ai, Xi)。(2) Obtain the subgraph through the current graph neural network encoder gi

The node feature embedding vector is represented as Zi =gi(Ai, Xi).

的节点特征嵌入向量表示Zi输入空间性前置任务，基于公式一使得任务损失

最小化，将模型训练收敛得到更新后的图神经网络编码器gi’。(3) The current graph neural network encoder gi and the subgraph

The node feature embedding vector represents the spatial pre-task of Zi input, and the task loss is made based on formula 1.

Minimize and converge the model training to obtain the updated graph neural network encoder gi'.

+1的编码器，重复步骤（2）~（4），直到训练完所有的训练集子图。(4) Take the updated graph neural network encoder gi' as the next subgraph

+1 encoder, repeat steps (2) to (4) until all training set subgraphs are trained.

In terms of model training, compared to most existing deep graph learning methods which are direct-push, the method described in this patent can implement both direct-push and inductive training methods. The direct-push learning method refers to the use of both training and test data when training the model, while the inductive learning method only uses training data and does not use test data during training. When training the model using direct learning, this method uses the first three pieces (a total of five pieces) of each transaction data (a total of five pieces) divided according to the block number (or timestamp) of Ethereum for model training, and performs model evaluation in the fourth piece of transaction data. When training the model using inductive learning, this method uses the first four pieces of each transaction data for model training, and performs model evaluation in the fifth piece of transaction data. Taking the first three pieces of one of the transaction data as an example, the data statistical information of the first three pieces of a certain transaction data used for training of the present invention is shown in Table 2 below:

Table 2

The method described in this patent selects a 2-layer GraphSage with a mean pool aggregator as the main body of the node classification model, and uses a logistic regression model as a binary classifier. The Ethereum phishing node labels used for node classification are mainly derived from the blacklists released by Etherscan.io and some companies, totaling 6588; while the Ethereum normal node labels are randomly selected from each transaction graph. Non-phishing nodes, the number of which is about 3 times the number of phishing nodes in the graph. These labeled nodes are allocated to the training set, evaluation set, and test set in a ratio of 5:2:3. This method uses Adam as the optimizer, traverses the learning rate through {0.01, 0.001, 0.0001}, drops out is set to 0.5, the number of hidden layer nodes traverses {32, 64,128, 256}, and the batch size is set to 512. At the same time, k is set to 2 in the spatial pre-task of the model training part.

So far, the three main parts of this method have been introduced: data mapping, model preparation, and model training. Its main innovation is that while maintaining the original structure of the Ethereum transaction graph, the method based on self-supervised deep graph learning solves the problems of the ever-changing Ethereum data scale and the lack of data labels. Next, we will introduce the beneficial results achieved by this method.

In short:

The method described in this patent has been implemented and fully evaluated. A large number of implementations on large-scale Ethereum transaction graphs have shown that this method significantly outperforms the baseline model, with its F-1 score outperforming the baseline by about 4% to 16%.

Specifically:

The direct learning of the method described in this patent is compared with six baseline methods, including: 1) original features; 2) DeepWalk algorithm; 3) DeepWalk node feature embedding and original features; 4) GraphSage algorithm, a flexible inductive graph neural network algorithm; 5) DGI, an unsupervised inductive graph neural network algorithm that maximizes the interaction information between local batch representation and high-dimensional graph representation; 6) untrained graph convolutional neural network algorithm. For inductive learning, the node feature embedding vector generated by the DeepWalk algorithm will be rotated relative to the original embedding space, so it is not compared with this baseline. Based on five transaction data divided according to the block number (or timestamp) of Ethereum, the prediction results of direct and inductive methods are shown in Tables 3 and 4, respectively, including four indicators: accuracy, prediction rate, regression rate and F1-score.

Table 3: Comparison of prediction results of transductive learning with six baseline methods

Table 4: Comparison of prediction results of inductive learning with six baseline methods

From the results in Tables 3 and 4, it can be observed that the method described in this patent is much better than the baseline model.

The process for users to use the method described in this patent is as follows:

a. Collect Ethereum transaction data for training and filter out failed transaction data with transaction value of 0;

b. Divide the collected transaction data into five parts according to the block number (or timestamp), and further divide each transaction data into five parts with similar transaction numbers;

c. According to the 17 transaction graph node attributes set in Table 1, manually calculate the node feature vector in each piece of transaction data and construct a one-to-one Ethereum transaction graph;

d. Set the model parameters of the method and choose direct learning or inductive learning;

e. Taking the first transaction data as an example, if direct learning is selected, the first three transaction graphs are input in sequence for model training, and the model training results are evaluated on the fourth transaction graph; if inductive learning is selected, the first four transaction graphs are input in sequence for model training, and the model training results are evaluated on the fifth transaction graph;

f. Repeat step e on five sets of transaction data to obtain the final training convergence model.

The technician deploys the model returned by methods a to f above, collects the Ethereum transaction data to be tested according to step a, filters and cleans the noise data, builds the corresponding Ethereum transaction graph according to step c, inputs the deployed model, and generates the test results.

The results of Ethereum phishing fraud detection were visualized, and the visualization results are shown in Figures 4 to 9. In order to ensure that the visualization graph is clear enough, the number of nodes in the visualization graph is controlled within 500. The ratio of the number of randomly sampled normal nodes to the number of nodes with phishing fraud is about 4:1. The circular nodes in Figures 4 to 9 represent normal nodes, and the five-pointed star nodes represent nodes with phishing fraud.

Figures 4 to 6 show the node feature visualization results of the three methods at the same time. It can be found that the method described in this patent has better and more concentrated point separation than the original features and the untrained graph convolutional neural network, which further proves the effectiveness of the method described in this patent. It can be seen that this method can achieve the effect that the existing technology cannot achieve.

Figures 7 to 9 also show the visualization results of the method described in this patent under different data training iteration rounds. It can be found that within a certain range, as the data training iteration rounds increase, the method described in this patent can make the features of nodes of the same type more concentrated, and normal nodes and phishing fraud nodes are easier to separate.

Claims (6)

1. The method for detecting the phishing fraud of the Ethernet based on the self-supervision depth map learning is characterized by comprising the following steps of: the method comprises the following steps:

step 1: and (3) data mapping: based on the acquired Ethernet data, automatic information extraction is carried out, and the information is combined to nodes which do not have available attributes originally, so that a transaction diagram with node characteristics is obtained;

step 2: preparing a model: setting a spatial self-supervision pre-task, constructing a model and a training task, and mining and representing node attribute information and topology structure information in the diagram;

step 3: model training: setting training scale and convergence condition to obtain optimized training model for detection.

2. The method for detecting the phishing fraud of the ethernet based on self-supervision depth map learning as claimed in claim 1, wherein the method comprises the following steps: the specific steps of the step 1 are as follows:

step 1.1: collecting the Ethernet transaction data for training, and filtering out the transaction data with failure and transaction value of 0;

step 1.2: dividing the transaction data obtained in the step 1.1 into S parts according to block numbers or time stamps, and further dividing each part of transaction data into S pieces with similar transaction numbers;

step 1.3: and calculating node feature vectors in each piece of transaction data according to the node attributes of the transaction graph, and constructing a one-to-one Ethernet transaction graph.

3. The method for detecting the phishing fraud of the ethernet based on the self-supervision depth map learning as claimed in claim 2, wherein the method comprises the following steps: the specific steps of the step 2 are as follows:

step 2.1: setting model parameters, and selecting direct pushing type or inductive type learning;

step 2.2: if direct push learning is selected, sequentially inputting a transaction graph formed by S-2 pieces of transaction data before each piece of transaction data for model training, and evaluating model training results on the S-1 th transaction graph; if inductive learning is selected, the former S-1 transaction graphs are sequentially input for model training, and model training results are evaluated on the S-th transaction graph.

4. The method for detecting the phishing fraud of the ethernet based on self-supervision depth map learning as claimed in claim 3, wherein: the specific steps of the step 3 are as follows: and (2) repeating the step 2.2 on the S transaction data respectively to obtain a final training convergence model.

5. The method for detecting the phishing fraud of the ethernet based on the self-supervision depth map learning as claimed in claim 2, wherein the method comprises the following steps: and S is 5.

6. The method for detecting the phishing fraud of the ethernet house based on the self-supervision depth map learning as claimed in claim 5, wherein: the specific steps of the step 2 are as follows: the transaction diagram obtained in the step 1 is set as

Dividing into +/according to the sequence of block number or time stamp>

Co (all ]>

A plurality of sub-pictures, wherein each sub-picture +.>

，

I.e. +.>

Is +.>

A set of individual nodes->

Is the collection of edges in the sub-graph,

is a feature matrix constructed according to 17 features of the sub-graph nodes to +.>

Adjacency matrix representing sub-graphs, i.e. if any two of the sub-graphsThere is an edge between the nodes m, n, then +.>

Otherwise->

Then, the transaction subgraph is applied with a training method of self-supervision learning, and the loss value +.>

：/>

，

Where g is the encoder of the neural network, i.e. the feature extractor,

is a collection of transaction graph nodes in the pre-task,

transaction graph node for pre-task training>

Is>

Is used for measuring node->

Feature embedding vector and true feature value +.>

The error judging model, after the training of the front-end task of the round, the encoder g of the graphic neural network is reserved to the next round of training, and simultaneously the representation of the sub-graph node is generated>

The node represents the phishing node detection task that will be fed into the final classifier for downstream calculation of the given sub-graph +_ by the feature extractor of the graph neural network>

Feature embedding vector representation of all nodes in +.>

Second, for subgraph->

Node->

If->

Is located at the sub->

Of all sets of points that start not more than k hops reachable (i.e. going through paths of k hops or less), irrespective of the direction on the edge, i.e +.>

Is->

The feature embedded vectors of two nodes after model training represent high similarity, and the general expression of the task is as follows:

，

wherein ,

and

Respectively represent sub-graph->

All nodes->

Node group set of k-hop neighbors and node group set of non-k-hop neighbors, respectively,

Is a similarity judging function, the method is set as +.>

，

Represented is a linear transformation layer, ">

Is->

Middle node->

Is embedded in the vector representation. />

Images