LU501959B1 - Graph embedding based method for detecting abnormal behaviors of blockchain - Google Patents

Graph embedding based method for detecting abnormal behaviors of blockchain Download PDF

Info

Publication number
LU501959B1
LU501959B1 LU501959A LU501959A LU501959B1 LU 501959 B1 LU501959 B1 LU 501959B1 LU 501959 A LU501959 A LU 501959A LU 501959 A LU501959 A LU 501959A LU 501959 B1 LU501959 B1 LU 501959B1
Authority
LU
Luxembourg
Prior art keywords
transaction
nodes
blockchain
abnormal behavior
graph
Prior art date
Application number
LU501959A
Other languages
German (de)
Inventor
Zhaowei Liu
Original Assignee
Univ Yantai
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Univ Yantai filed Critical Univ Yantai
Priority to LU501959A priority Critical patent/LU501959B1/en
Application granted granted Critical
Publication of LU501959B1 publication Critical patent/LU501959B1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention discloses a graph embedding based method for detecting abnormal behaviors of blockchain. The method includes: collecting data, specifically, acquiring data of public blockchain abnormal behavior nodes on the Internet, and acquiring normal nodes consistent with the abnormal behavior nodes in amount; building an abnormal behavior identification model, specifically, extracting features of all nodes, constructing nodes subjected to feature extraction into a transaction graph, and forming the abnormal behavior identification model on the basis of the graph embedding technology and according to a constructed transaction graph; and detecting a transaction, specifically, determining, when the transaction occurs, a transaction risk according to the abnormal behavior identification model obtained, and prompting a user for a risk level. The present invention effectively detects possible abnormal behaviors in blockchain transactions and conducts early warning.

Description

BL-5473
GRAPH EMBEDDING BASED METHOD FOR DETECTING ABNORMAL LUS01959
BEHAVIORS OF BLOCKCHAIN
TECHNICAL FIELD
[01] The present invention relates to the field of blockchain networks, and in particular to a method for detecting abnormal behaviors of blockchain.
BACKGROUND ART
[02] Continuous development of the blockchain technology has brought many opportunities for government and social governance, judicial practice development and people's livelihood. At present, there are an increasing number of crimes using the blockchain technology, and illegal and abnormal behaviors such as phishing, Ponzi scheme, money laundering and terrorist financing emerge in endlessly. Existing methods for detecting abnormal behaviors of blockchain are mainly to detect single abnormal behaviors of Ethereum in blockchain (such as phishing, Ponzi scheme, money laundering and terrorist financing) through manual annotation or code analysis. If all possible abnormal behaviors are detected through the method for detecting single abnormal behaviors, collection of a large amount of data and integration of various detection methods are required, thus increasing complexity of the detection method, reducing stability of a detection system constructed by the method, spending a lot of time due to the barrel effect, and increasing the running burden of a detection server.
Therefore, there is an urgent need for a simple, stable and efficient method for detecting abnormal behaviors of blockchain.
SUMMARY
[03] A main objective of the present invention is to provide a graph embedding based method for detecting abnormal behaviors of blockchain, so as to overcome defects in the prior art.
[04] The technical solution of the present invention is as follows:
[05] The graph embedding based method for detecting abnormal behaviors of blockchain includes:
[06] S100: collecting data, specifically, acquiring public blockchain abnormal behavior nodes on the Internet, and acquiring normal nodes consistent with the abnormal behavior nodes in amount;
[07] S200: building an abnormal behavior identification model, specifically, extracting node features and transaction features of the abnormal behavior nodes and the normal nodes in S100, constructing all nodes subjected to feature extraction into a transaction graph, and building the abnormal behavior identification model on the basis of the graph embedding technology according to a constructed transaction graph; and
[08] S300: detecting a transaction, specifically, determining, when the transaction occurs, a transaction risk by means of the abnormal behavior identification model, and prompting a user for a risk level.
[09] S100 includes:
[10] S101: acquiring the abnormal behavior nodes mainly from open source databases such as EtherScamDB and Etherscan; and
[11] S102: acquiring normal nodes consistent with the abnormal behavior nodes in amount by means of a blockchain client or a blockchain transaction database deployed locally, where the normal nodes cannot be marked as abnormal behavior nodes by any database. 1
BL-5473
[12] S200 includes: LU501959
[13] S201: extracting node features and transaction features of the abnormal behavior nodes and the normal nodes by means of a blockchain client or a blockchain transaction database deployed locally, where the node features and transaction features include, but not limited to, a balance of a node, a minimum amount received by a node, an initiator and a receiver of a transaction, a block height, a transaction amount, a call contract type, a transaction type, etc ;
[14] S202: constructing the node features and transaction features extracted in
S201 into the transaction graph,
[15] where the transaction graph may be expressed as G=(V,E), where V is a node set and E is an edge set,
[16] preferably, the V is a node set, which is configured to store the node features extracted in S201, and each node may be expressed as a quadruple, that is
V = {v, d, b, m} where v represents a node, d represents a time stamp difference between a first transaction and a last transaction, b represents an account balance, and m represents a minimum amount received; and
[17] preferably, the E is an edge set, which is configured to store the transaction features extracted in S201, and each edge may be expressed as a quintuple, that is oe ar ae. au eden gr. 7 UF an = + SS Sa DD
E SAN ones Vue teZreR;} „where {0 3 vy) represents transactions from % to Ÿi, w represents a transaction amount, t represents a block height of a transaction, and r represents a transaction type;
[18] S203, using the graph embedding technology to build the abnormal behavior identification model according to a constructed transaction graph, where
[19] preferably, the abnormal behavior identification model is a blockchain behavior identification model formed by using an attribute network embedding method based on biased random walk in graph embedding for multiple times of embedding, and the identification model mainly considers three biased random walk methods: a random walk strategy based on a transaction amount, a random walk strategy based on a block height and a random walk strategy based on a transaction type; >
[20] preferably, a transition probability from node u to neighbor node & & Var of the random walk strategy based on a transaction amount is: p MaxA(u, x)
Aux TF1 Com Alar an 21] we Ex'ey,SumA(U, x")
[22] where MaxA(u,x) refers to a maximum amount of transactions between the
A fe SUIT 2, x . node u and the node x, and dx ev, SumÂlu, x} refers to a total amount of transactions between u and all nodes having transactions with u; i
[23] preferably, a transition probability from node u to neighbor node & &: Va of the random walk strategy based on a block height 1s: p MaxT (u, x) 24] ux Zyrey, SumT (u, x’)
[25] where MaxT(u,x) refers to a maximum block height when a transaction occurs
Esey SumT (u, x between the node u and the node x, and xe refers to the sum of block heights of u and all nodes having transactions with u; . Jo . “> FE
[26] preferably, a transition probability from node u to neighbor node & & Va of 2
BL-5473 the random walk strategy based on a transaction type is: LU501959 p MaxE{u,x)
[27] nx RO SumE {u, X )
[28] where MaxE(u,x) refers to a most frequent transaction type between the node u and the node x, and Zen, SUME (u, x ) refers to the sum of transaction types of u and all nodes having transactions with u; and
[29] preferably, to give consideration to multiple times of embedding by using an attribute network embedding method based on biased random walk, influence of multiple times of embedding may be balanced by using hyper-parameters, the hyper-parameters may be adjusted by using Auto ML or other automatic parameter adjustment algorithms, and finally the abnormal behavior identification model may be obtained.
[30] S300 includes:
[31] S301: acquiring the node features and transaction features and conducting feature extraction according to the methods in S201 and S202 before a transaction behavior occurs;
[32] S302: inputting obtained node features and transaction features of transaction nodes into the abnormal behavior identification model obtained in S203, and identifying whether the behavior is abnormal; and
[33] S303: prompting a user for a transaction risk according to an identification result.
[34] The graph embedding based method for detecting abnormal behaviors of blockchain in the present invention may effectively detect possible abnormal behaviors in blockchain transactions and conduct early warning. Abnormal behavior nodes in blockchain are collected by means of public data sets, and overall features are extracted, so as to obtain rich data containing node information and transaction information.
Compared with existing traditional methods of only collecting node information or transaction information for identification, the method may obtain the abnormal behavior identification model with higher identification accuracy in the later period, which is closer to a real situation.
BRIEF DESCRIPTION OF THE DRAWINGS
[35] FIG 1: a flow block diagram of a graph embedding based method for detecting abnormal behaviors of blockchain in the present invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[36] To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some, rather than all of the embodiments.
[37] The technical solution of the present invention will be further described below with reference to the accompanying drawings and the embodiments.
[38] Embodiment
[39] As shown in FIG 1, the present invention includes:
[40] S100: data is collected, specifically, public blockchain abnormal behavior 3
BL-5473 nodes on the Internet are acquired, and normal nodes consistent with the abnormal LU501959 behavior nodes in amount are acquired.
[41] S200: an abnormal behavior identification model is built, specifically, node features and transaction features of the abnormal behavior nodes and the normal nodes in S100 are extracted, all nodes subjected to feature extraction are constructed into a transaction graph, and the abnormal behavior identification model is built on the basis of the graph embedding technology according to a constructed transaction graph.
[42] S300: a transaction is detected, specifically, a transaction risk is determined when the transaction occurs by means of the abnormal behavior identification model, and a user is prompted for a risk level.
[43] S100 includes:
[44] S101: the abnormal behavior nodes are acquired mainly from open source databases such as EtherScamDB and Etherscan, where data is stored through a data acquisition method provided in the databases according to a conventional data storage mode.
[45] Preferably, when the abnormal behavior nodes are extracted, nodes existing in two or more databases at the same time are usually identified as the abnormal behavior nodes.
[46] S102: normal nodes consistent with the abnormal behavior nodes in amount are acquired by means of a blockchain client or a blockchain transaction database deployed locally. The normal nodes cannot be marked as abnormal behavior nodes by any database, selection of normal nodes should be random, and heights of blocks should be evenly distributed.
[47] Preferably, for blockchain platforms that distinguish external accounts from contract accounts, such as Ethereum, normal nodes should be selected to be similar to abnormal behavior nodes obtained in S101 in a proportion of external accounts and contract accounts. It is better to filter a large number of accounts that view airdrop information, so as to reduce identification pressure of the abnormal behavior identification model.
[48] S200 specifically includes:
[49] S201: node features and transaction features of the abnormal behavior nodes and the normal nodes are extracted by means of a blockchain client or a blockchain transaction database deployed locally.
[50] Preferably, the node features include, but not limited to, a balance of a node, a minimum amount received by a node, a time stamp difference between a first transaction and a last transaction, the number of transactions, the number of created contracts, etc. The transaction features include, but not limited to, an initiator and a receiver of a transaction, a block height, a transaction amount, a call contract type, a transaction type, etc.
[51] S202: the node features and transaction features extracted in S201 are constructed into the transaction graph.
[52] The transaction graph may be expressed as G=(V,E), where V is a node set and
E is an edge set.
[53] Preferably, the V is a node set, which is configured to store the node features extracted in S201, and each node may be expressed as a quadruple, that is
Vo fe, m where v represents a node, d represents a time stamp difference between a first transaction and a last transaction, b represents an account balance, and m represents a minimum amount received.
[54] Preferably, the E is an edge set, which is configured to store the transaction features extracted in S201, and each edge may be expressed as a quintuple, that is 4
BL-5473
Es {{wpu, eu, r)|u, 0, EV,we Rte Zire RY po 0
LP vy) represents transactions from %% to iw represents a transaction amount, t represents a block height of a transaction, and r represents a transaction type.
[55] The V and E are recommended construction methods that comprehensively consider performance and identification accuracy, and may be adjusted according to data obtained after feature extraction.
[56] S203, the graph embedding technology is used to build the abnormal behavior identification model according to a constructed transaction graph.
[57] Preferably, the abnormal behavior identification model is a blockchain behavior identification model formed by using an attribute network embedding method based on biased random walk in graph embedding for multiple times of embedding, and the identification model mainly considers three biased random walk methods: random walk strategies based on a transaction amount, a block height and a transaction type.
[58] Referring to algorithms such as Node2Vec, with the random walk strategy used, a relation between nodes and surrounding nodes is obtained on the basis of the transaction features, and an embedded vector of nodes is obtained by using a Skip-gram model for solving. The obtained embedded vector of nodes is added to the node features, so as to obtain a final node embedded vector.
[59] Considering the random walk strategy based on a transaction amount 1s mainly because a large transaction amount means a close relation between two nodes.
Under the condition of biased sampling based on the transaction amount, a transition probability from node u to neighbor node # & Va is p MaxA(u, x) 160] Aux 2 x'ey, Suma (u, x")
[61] where MaxA(u,x) refers to a maximum transaction amount between the node
Fey SumÂlu, x") . u and the node x, and 8 refers to the sum of transaction amounts between u and all nodes having transactions with u.
[62] Considering the random walk strategy based on a block height is mainly because each edge has a block height, and the larger the block height, the greater influence on a current relation of nodes. Under the condition of biased sampling based on time, a transition probability from node u to neighbor node & & Vi is p MaxT (u, x) 1631 Tux Ex'ey, SUMT (u, x")
[64] where MaxT(u,x) refers to a maximum block height when a transaction occurs b Zaren SUmT (ue, x’) etween the node u and the node x, and = refers to the sum of block heights of u and all nodes having transactions with u.
[65] Considering the random walk strategy based on a transaction type is mainly because there are various types of transactions in blockchain. Different weights are set for different transaction types. Under the condition of biased sampling based on the transaction type, a transition probability from node u to neighbor node & & Va is p MaxE(u, x)
Eux TE axe Ÿ va 7 6 Ze SUmE(u, x")
BL-5473
[67] where MaxE(u,x) refers to a most frequent transaction type between the node LU501959
Ete, SumE(u, x") . u and the node x, and * “Fa refers to the sum of transaction types of u and all nodes having transactions with u.
[68] Preferably, for blockchain platforms such as “Bitcoin” in blockchain, which do not support smart contracts and other functions and only support a transfer transaction type, a weight may be set as a uniform value. For platforms such as “Ethereum” in blockchain, which support smart contracts and other functions, weights of transaction types such as transfer, contract creation and contract calling may be set as 1, 2 and 3 respectively.
[69] Preferably, to give consideration to multiple times of embedding by using an attribute network embedding method based on biased random walk, influence of multiple times of embedding may be balanced by using hyper-parameters, the hyper-parameters may be adjusted by using Auto ML or other automatic parameter adjustment algorithms, and finally the abnormal behavior identification model may be obtained.
[70] Preferably, S300 specifically includes:
[71] S301: the node features and transaction features are acquired and feature extraction is conducted according to the methods in S201 and S202 before a transaction behavior occurs.
[72] S302: obtained node features and transaction features of transaction nodes are input into the abnormal behavior identification model obtained in S203, and whether the behavior is abnormal is identified.
[73] S303: a user is prompted for a transaction risk according to an identification result.
[74] The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the present invention, and various changes and modifications may be made by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. within the spirit and principles of the present invention are intended to fall within the scope of protection of the present invention. 6

Claims (4)

BL-5473 WHAT IS CLAIMED IS: 10001958
1. A graph embedding based method for detecting abnormal behaviors of blockchain, comprising: S100: collecting data, specifically, acquiring public blockchain abnormal behavior nodes on the Internet, and acquiring normal nodes consistent with the abnormal behavior nodes in amount; S200: building an abnormal behavior identification model, specifically, extracting features and transaction features of the nodes in S1, constructing nodes subjected to feature extraction into a transaction graph, and constructing the abnormal behavior identification model; and S300: detecting a transaction, specifically, determining a transaction risk by means of the abnormal behavior identification model, and prompting a user for a risk level.
2. The graph embedding based method for detecting abnormal behaviors of blockchain according to claim 1, wherein S100 comprises: S101: acquiring the abnormal behavior nodes from an open source database; and S102: acquiring normal nodes consistent with the abnormal behavior nodes in amount by means of a blockchain client or a blockchain transaction database deployed locally, wherein the normal nodes cannot be marked as abnormal behavior nodes by any database.
3. The graph embedding based method for detecting abnormal behaviors of blockchain according to claim 1, wherein S200 comprises: S201: extracting node features and transaction features of the abnormal behavior nodes and the normal nodes by means of a blockchain client or a blockchain transaction database deployed locally; S202: constructing the node features and transaction features extracted in S201 into the transaction graph; and S203, using the graph embedding technology to build the abnormal behavior identification model according to a constructed transaction graph.
4. The graph embedding based method for detecting abnormal behaviors of blockchain according to claim 3, wherein the identification model is formed by using an embedding method based on biased random walk in graph embedding for multiple times of embedding, and three biased random walk methods are considered: random walk strategies based on a transaction amount, a block height and a transaction type; and a strategy transition probability is: p MaxA(u, x) Aux Ex'ey, SumA(u, x") p MaxT(u, x) fur © Ye SumT (u, x”) p MaxE(u, x) Eux 2 x! ev, S ume (u X 3 7
LU501959A 2022-04-27 2022-04-27 Graph embedding based method for detecting abnormal behaviors of blockchain LU501959B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
LU501959A LU501959B1 (en) 2022-04-27 2022-04-27 Graph embedding based method for detecting abnormal behaviors of blockchain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
LU501959A LU501959B1 (en) 2022-04-27 2022-04-27 Graph embedding based method for detecting abnormal behaviors of blockchain

Publications (1)

Publication Number Publication Date
LU501959B1 true LU501959B1 (en) 2023-10-27

Family

ID=88469821

Family Applications (1)

Application Number Title Priority Date Filing Date
LU501959A LU501959B1 (en) 2022-04-27 2022-04-27 Graph embedding based method for detecting abnormal behaviors of blockchain

Country Status (1)

Country Link
LU (1) LU501959B1 (en)

Similar Documents

Publication Publication Date Title
US11803855B2 (en) Method for detecting block chain abnormal behavior based on graph embedding
CN106952159B (en) Real estate collateral risk control method, system and storage medium
CN104881783A (en) E-bank account fraudulent conduct and risk detecting method and system
CN102567788A (en) Real-time identification system and real-time identification method for fraudulent practice in communication services
CN108053318A (en) It is a kind of to the method and device that is identified of merchandising extremely
CN109670937A (en) Risk subscribers recognition methods, user equipment, storage medium and device
CN107862599B (en) Bank risk data processing method and device, computer equipment and storage medium
CN112750038B (en) Transaction risk determination method, device and server
CN111159387A (en) Recommendation method based on multi-dimensional alarm information text similarity analysis
CN110378575A (en) Overdue event returned money collection method and device, computer readable storage medium
CN110807699B (en) Overdue event payment collection method and device and computer readable storage medium
CN114841705A (en) Anti-fraud monitoring method based on scene recognition
CN105096195A (en) Account money amount processing method and system based on internet application platform
CN113962712A (en) Method for predicting fraud gangs and related equipment
CN120106854A (en) Cross-border payment path optimization system and method based on multi-dimensional data analysis
LU501959B1 (en) Graph embedding based method for detecting abnormal behaviors of blockchain
CN114372810A (en) A kind of fund account identification and fund transaction relationship network analysis method
CN105930430B (en) A real-time fraud detection method and device based on non-cumulative attributes
CN114328646B (en) Data detection method, device, computer equipment and storage medium
CN114445217A (en) Credit risk prevention and control method, device and system and computer readable storage medium
CN111161063A (en) Capital account identification method based on graph calculation and computer readable storage medium
CN119917793A (en) A data processing method and related device
CN111833171A (en) Abnormal operation detection and model training method, device and readable storage medium
CN118365330A (en) A method and system for detecting illegal Ethereum accounts based on time-series graph neural network
CN115955528A (en) Number identification method, device and readable storage medium

Legal Events

Date Code Title Description
FG Patent granted

Effective date: 20231027