A high-precision ethereum phishing account detection method based on high-order topology

By constructing a multi-level graph and using random walk techniques, the problem of insufficient utilization of topology structure in Ethereum phishing account detection is solved, and high-precision phishing node identification is achieved.

CN122179130APending Publication Date: 2026-06-09UNIV OF SCI & TECH OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
UNIV OF SCI & TECH OF CHINA
Filing Date
2026-01-07
Publication Date
2026-06-09

Smart Images

  • Figure CN122179130A_ABST
    Figure CN122179130A_ABST
Patent Text Reader

Abstract

This application belongs to the field of Ethereum transaction technology, and particularly relates to a high-precision Ethereum phishing account detection method based on high-order topology. The detection method includes: acquiring transaction information containing historical phishing nodes, and then cleaning it to obtain several qualified transaction records; constructing a training node graph based on the qualified transaction records; constructing a corresponding multi-order graph based on the training node graph; the multi-order graph includes a bipartite graph and a classic pairwise graph, the bipartite graph containing the edge relationships between the simplex nodes corresponding to each maximal clique in the training node graph and the original nodes; the classic pairwise graph containing the edge relationships between the original nodes; obtaining the optimal influence score of the current classification model based on the multi-order graph; calculating the spliced ​​feature matrix of the current actual Ethereum node graph based on the optimal influence score; and the current classification model predicting phishing nodes based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix. This application can accurately detect phishing nodes.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of Ethereum transaction technology, and in particular relates to a high-precision Ethereum phishing account detection method based on high-order topology. Background Technology

[0002] Ethereum, as the world's leading decentralized smart contract platform, has played a key role in driving innovation and application of blockchain technology. It has not only promoted the development of decentralized finance (DeFi) and non-fungible tokens (NFTs), but has also been widely used in many industries such as the Internet of Things (IoT) and supply chain management.

[0003] Based on Ethereum's decentralized and anonymous nature, malicious attackers can carry out phishing scams by forging transactions and tricking users into clicking malicious links. These malicious attackers' accounts are called phishing accounts. In a transaction record, a phishing account can be either the transaction initiator's account or the transaction receiver's account.

[0004] Existing technologies model Ethereum transaction records by abstracting accounts as nodes, where a node is an account address, and transactions as edges. They also use deep learning to identify phishing nodes by classifying and identifying the characteristics of nodes in the transaction network.

[0005] Currently, the implementation of node classification tasks relies on obtaining node features. The common method for obtaining node features is feature engineering, which involves using artificially designed features by domain experts, such as the transaction amount, number of transactions, and transaction time of nodes. However, this method is inefficient and cannot fully utilize the topological relationships between nodes, resulting in low accuracy in identifying phishing nodes.

[0006] Therefore, how to accurately detect phishing nodes has become a technical problem that urgently needs to be solved in this field. Summary of the Invention

[0007] The purpose of this application is to overcome the shortcomings of the prior art and provide a high-precision Ethereum phishing account detection method based on high-order topology, which can accurately detect phishing nodes.

[0008] To achieve the above objectives, this application adopts the following technical solution: A high-precision Ethereum phishing account detection method based on high-order topology includes the following steps: Step 1: After obtaining transaction information containing historical phishing nodes, clean the data to obtain several qualified transaction records. Step 2: Construct a training node graph based on the qualified transaction information; all nodes in the training node graph are denoted as original nodes, and the average original edge used to connect two original nodes in the training node graph is denoted as _____. Step 3: Construct the corresponding multi-order graph based on the training node graph; the multi-order graph includes a bipartite graph and a classical pairwise graph. The bipartite graph contains the edge relationships between the simplex nodes corresponding to each maximal clique in the training node graph and the original nodes; the classical pairwise graph contains the edge relationships between the original nodes. Step 4: Obtain the best influence score for the current classification model based on the multi-level graph; Step 5: Calculate the splicing feature matrix of the current actual Ethereum node graph based on the best influence score; Step 6: The current classification model predicts phishing nodes based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix.

[0009] Preferably, step 1 also includes the following: Step 11: Count the number of transactions for all nodes included in the acquired transaction information containing historical phishing nodes, and select nodes with fewer than [number of transactions]. Item or more Each node is marked as a suspected phishing node; among them, the nodes include the transaction initiating address node and the transaction receiving address node; Step 12: After removing the transaction information of the historical phishing nodes that are suspected to be phishing nodes, the remaining transaction information containing the historical phishing nodes is recorded as qualified transaction information.

[0010] Preferably, step 2 also includes the following: Step 21: Nodes with different addresses in the qualified transaction information are all used as original nodes in the training node graph; Step 22: Connect the original node corresponding to the transaction initiation address and the original node corresponding to the transaction receiving address that belong to the same qualified transaction information to obtain the corresponding original edge. Each original edge contains the transaction timestamp and transaction amount in the corresponding qualified transaction information. Step 23: Perform edge deduplication between two original nodes that have more than one original edge, so that there is only one average original edge between the two corresponding original nodes, thus completing the construction of the training node graph.

[0011] Preferably, the deduplication of original edges also includes the following: taking the arithmetic mean of the transaction timestamps and the arithmetic mean of the transaction amounts of all original edges between two original nodes, as the average transaction timestamp and average transaction amount of the corresponding average original edge.

[0012] Preferably, step 3 also includes the following: Constructing a higher-order bipartite graph Including steps 31 and 32: Step 31: By traversing each original node and the average original edge in the training node graph, identify all maximal cliques in the training node graph. Each maximal clique is a simplex, and each simplex is used as a different simplex node. Step 32: Connect the simplex nodes with the original nodes in the corresponding simplex by adding edges to obtain a higher-order bipartite graph. : ;in, Representing a higher-order bipartite graph The set of simplex nodes in the equation. , This represents the i-th simplex node in the set of simplex nodes; This represents the original set of nodes in the training node graph. , This represents the set of original nodes contained in the simplex corresponding to the i-th simplex node in the node graph used for training; This represents the set of edges connecting a simplex node to its corresponding original node. , Representing simplex nodes With the corresponding original node set The set of edges obtained by connecting each original node in the array; Constructing classic pairwise graphs : ,in, This represents the average set of original edges in the node graph used for training.

[0013] Preferably, step 4 also includes the following: Step 41, in the higher-order bipartite diagram The original nodes and simplex nodes are traversed through random walks to obtain the high-order random walk transition matrix Ω; simultaneously, based on classic pairwise graphs... Obtain the classical transition matrix C; Step 42, based on the high-order random walk transition matrix Ω, the classical transition matrix C, and the potential value of the Zth influence score. Construct the corresponding enhanced transition matrix : ;in, The value range of z is [0,1]; Z is a positive integer. Step 43, based on the enhanced transition matrix Calculate the probability distribution vector corresponding to the enhanced random walk. : ; get The value at which convergence begins is recorded as the corresponding potential influence score. High-order topological feature vectors (HTF) ); where t represents the current iteration number, and traversing the entire multi-order graph to complete one probability propagation is denoted as one iteration; t is a positive integer greater than 1; Represents the initial probability distribution vector; It is a row vector or column vector with the same number of dimensions as the original nodes, and the values ​​on different dimensions represent the importance scores of different original nodes; Step 44: Based on the classical transition matrix C, obtain the 5-dimensional pairwise topological feature vector PTF, which consists of five centrality index values: degree centrality, core degree centrality, betweenness centrality, eigenvector centrality, and PageRank centrality. Step 45, combine the paired topological feature vectors PTF and HTF (… The concatenated feature matrix is ​​fed into the classification model for training. Based on the classification model's predicted label probabilities for each original node and the true labels of each original node, the potential influence score of the classification model is calculated. Comprehensive performance index values ​​at that time: ;in, and These represent the first weighting coefficient and the second weighting coefficient, respectively. and These represent the first performance index value and the second performance index value, respectively; the first performance index value Compared with the second performance index value These refer to the AUC-ROC value and the AUC-PR value, respectively. Step 46: Record the potential influence score corresponding to the largest comprehensive performance index value as the best influence score of the current classification model.

[0014] Preferably, step 2 also includes the following: when the number of phishing nodes in all qualified transaction information exceeds At this point, the node graph constructed based on all qualified transaction information is called the training node graph. Then, using random walk and breadth-first search methods, the training node graph is decomposed into several training node graphs. The fishing nodes and average original edges in different training node graphs do not overlap.

[0015] Preferably, step 41 further includes the following sub-steps: Step 411, based on the higher-order bipartite diagram Obtain the m x n higher-order incidence matrix W, where the α-th row of the higher-order incidence matrix W represents the α-th original node. The i-th column of the higher-order incidence matrix W represents the i-th simplex node. , Let represent the element in the α-th row and i-th column of the higher-order incidence matrix W, where α ≤ m, i ≤ n, and n < m; if the α-th original node belongs to the simplex corresponding to the β-th simplex node, then ,otherwise ; Based on classic pairwise graphs Obtain the classical transition matrix C with n rows and n columns, and the nth element in the classical transition matrix C. The element in row γ-th column Indicates the first Original nodes With the γth original node Are there any edges connecting them? If so, then Otherwise, it is 0, where γ≤m; Step 412, in the higher-order bipartite diagram The original node and the simplex node are traversed through random walks. The starting node of each random walk is any original node or simplex node, and the direction of the walk is either upstream or downstream. Upstream means walking from the original node to the simplex node, and vice versa. In the context of higher-order bipartite diagrams During the traversal, starting from the original node Travel to simplex node probability for: ; in, Represents the original node In the higher-order bipartite diagram The sum of in-degree and out-degree; After calculating the probability of traversing from each original node to each simplex node, we obtain the first transition matrix with m rows and n columns. , Represents the first transition matrix The element in the α-th row and i-th column; From simplex nodes Travel to the original node probability for: ; in, Representing simplex nodes The order of the corresponding simplex is the total number of original nodes contained in the simplex minus 1; After calculating the probability of traversing from each original node to each simplex node, we obtain the second transition matrix with n rows and m columns. , Represents the second transition matrix The element in the i-th row and α-th column.

[0016] Step 413, calculate the n x n high-order random walk transition matrix Ω: .

[0017] Preferably, in step 43: when The 2-norm begins to be less than or equal to the minimum value. hour, It begins to converge.

[0018] Preferably, in step 5: Step 51: After obtaining real-time transaction information, construct the current actual Ethereum node graph (RE) based on the real-time transaction information; Step 52: Based on the current actual Ethereum node graph, obtain the corresponding actual higher-order bipartite graph and actual classical transition matrix C'. Then, based on the actual higher-order bipartite graph, obtain the corresponding actual higher-order random walk transition matrix Ω'. Based on the best influence score of the current classification model, the actual higher-order random walk transition matrix Ω', and the actual classical transition matrix C', calculate the corresponding actual enhanced transition matrix. ´; Step 53, based on the actual enhanced transition matrix ´, calculate the probability distribution vector of the corresponding actual enhanced random walk, obtain the value when the actual probability distribution vector begins to converge and record it as the actual high-order topological feature vector HTF´ with the best influence score; at the same time, obtain the corresponding actual paired topological feature vector PTF´ based on the actual classical transition matrix C´, and concatenate it with the actual high-order topological feature vector HTF´ to obtain the concatenated feature matrix of the current actual Ethereum node graph.

[0019] The beneficial effects of this application are as follows: (1) The phishing account detection method of this application can greatly improve the detection effect of the classification model on phishing nodes, and has higher accuracy, robustness and stability.

[0020] (2) The phishing account detection method of this application transforms the initial node graph (referring to the training node graph or the actual Ethereum node graph) into a corresponding multi-order graph, whether in the training process of the classification model or in the process of using the classification model to predict phishing nodes in the actual Ethereum node graph. The multi-order graph includes higher-order bipartite graphs and classic pairwise graphs. The construction of the multi-order graph can retain a more complete higher-order interaction structure. The random walk on the multi-order graph can obtain network information more comprehensively, retain the higher-order structural information between nodes, obtain a deeper representation of nodes and effective node features, and mine the potential features and potential relationships of each node in the Ethereum transaction data.

[0021] (3) This application introduces an enhanced transition matrix to represent the random walk process on a multi-order graph. During the random walk process, the best influence score that best suits the Ethereum node graph and the current classification model is found by verifying the comprehensive performance index value containing AUC-ROC and AUC-PR values. The best influence score is used to calculate the spliced ​​feature matrix of the current actual Ethereum node graph (the node features in the spliced ​​feature matrix contain the network topology information of the current actual Ethereum node graph). This enables the current classification model to accurately predict phishing nodes based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix, which greatly reduces the adverse effects of the training set on the classification model caused by the imbalance of data categories and the large difference from the distribution of real phishing nodes. Attached Figure Description

[0022] Figure 1 This is a flowchart of a high-precision Ethereum phishing account detection method based on high-order topology, as described in this application. Figure 2 This is a schematic diagram for deduplicating the original edges; Figure 3 A schematic diagram of the distribution of maximal cliques in the node graph used for training; Figure 4 This is a schematic diagram of a multi-level graph architecture. Detailed Implementation

[0023] To make the technical solution of this application clearer and more explicit, the application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Solutions derived by those skilled in the art through equivalent substitution and conventional reasoning of the technical features of the technical solution of this application without creative effort all fall within the protection scope of this application.

[0024] This application presents a high-precision Ethereum phishing account detection method based on high-order topology, such as... Figure 1 As shown, it includes the following steps: Step 1: After obtaining transaction information containing historical phishing nodes, clean the data to obtain several qualified transaction records.

[0025] Step 2: Construct a training node graph based on the qualified transaction information; all nodes in the training node graph are denoted as original nodes, and the average original edge used to connect two original nodes in the training node graph is then calculated.

[0026] Step 3: Construct the corresponding multi-order graph based on the training node graph; the multi-order graph includes a bipartite graph and a classical pairwise graph. The bipartite graph contains the edge relationships between the simplex nodes corresponding to each maximal clique in the training node graph and the original nodes; the classical pairwise graph contains the edge relationships between the original nodes.

[0027] Step 4: Obtain the best influence score for the current classification model based on the multi-level graph.

[0028] Step 5: Calculate the splicing feature matrix of the current actual Ethereum node graph based on the best influence score.

[0029] Step 6: The current classification model predicts phishing nodes based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix.

[0030] Optionally, when the classification model changes, return to step 1.

[0031] Optionally, return to step 1 and update the best influence score for the current classification model.

[0032] In step 1: Each transaction record includes the transaction initiating address, transaction receiving address, transaction timestamp, and transaction amount. Because the transaction initiating address, transaction receiving address, transaction timestamp, and transaction amount cannot all be the same, there are no duplicate transaction records in the historical transaction information. Historical phishing node transaction information refers to transactions where the transaction initiating address and transaction receiving address have been marked as phishing node addresses by relevant departments / monitoring systems.

[0033] The historical transaction information is crawled from real Ethereum transaction datasets and public transaction data from the XBlock platform; it is known whether there are phishing nodes in the historical transaction information.

[0034] In this embodiment, the historical phishing node transaction information crawled is from the most recent year, so that the obtained historical transaction information can include the latest phishing nodes.

[0035] After cleaning, several qualified transaction records were obtained, including the following: Step 11: Count the number of transactions for all nodes included in the acquired transaction information containing historical phishing nodes, and select nodes with fewer than [number of transactions]. Item or more Each node is marked as a suspected phishing node; among them, nodes include nodes with transaction initiation addresses and nodes with transaction receiving addresses.

[0036] In this embodiment, =5, =1000.

[0037] Step 12: After removing the transaction information of the historical phishing nodes that are suspected to be phishing nodes, the remaining transaction information containing the historical phishing nodes is recorded as qualified transaction information.

[0038] In step 1, the cleaning in steps 11 and 12 involves reviewing the transaction information of historical phishing nodes. Addresses that meet the cleaning and removal criteria are likely to have been mistakenly identified as phishing addresses by relevant departments / monitoring systems. In order to improve the accuracy of subsequent phishing node identification, we perform cleaning to remove the transaction information of these suspected phishing addresses.

[0039] Step 2 also includes the following: Step 21: Different address nodes in the qualified transaction information are all used as original nodes in the training node graph; Step 22: Connect the original node corresponding to the transaction initiation address and the original node corresponding to the transaction receiving address that belong to the same qualified transaction information to obtain the corresponding original edge. Each original edge contains the transaction timestamp and transaction amount in the corresponding qualified transaction information. Step 23, as Figure 2 As shown, for two original nodes with more than one original edge, the original edges are deduplicated so that there is only one average original edge between the corresponding two original nodes. This completes the construction of the training node graph. The training node graph is an undirected graph.

[0040] In step 23, the deduplication of the original edges also includes the following: taking the arithmetic mean of the transaction timestamps and the arithmetic mean of the transaction amounts of all the original edges between the two original nodes, and using them as the average transaction timestamps and average transaction amounts of the average edges of the corresponding two nodes.

[0041] Optionally, when the number of phishing nodes in all qualified transaction information exceeds At this point, the node graph constructed based on all qualified transaction information is called the training node graph. Then, using random walk and breadth-first search methods, the training node graph is decomposed into several training node graphs. The fishing nodes and average original edges in different training node graphs do not overlap.

[0042] When the node graph (i.e., the Ethereum main node graph) constructed from all qualified transaction information becomes too large, graph decomposition can be performed to improve the efficiency of subsequent data processing. In this embodiment, the Ethereum main node graph is decomposed into eight training node graphs, each containing 50, 50, 100, 100, 150, 150, 200, and 200 phishing nodes respectively.

[0043] In step 3, the bipartite graph is a higher-order bipartite graph. Constructing a higher-order bipartite graph The method also includes the following: Step 31: By traversing all the original nodes and average original edges in the training node graph, identify all maximal cliques in the training node graph. Each maximal clique is a simplex, and each simplex is treated as a different simplex node. For example... Figure 3 As shown, Figure 3 The numbers in the box represent the nodes of the corresponding simplex. The primitive nodes contained within the shaded area of ​​the box number are the corresponding maximal cliques, which are the simplexes. Some simplexes have only two primitive nodes. For example, the maximal clique corresponding to box 3 contains only primitive nodes D and E.

[0044] All original nodes within a maximal clique are fully connected.

[0045] Step 32: Connect the simplex nodes with the original nodes in the corresponding simplex by adding edges to obtain a higher-order bipartite graph. : ;in, Representing a higher-order bipartite graph The set of simplex nodes in the equation. , This represents the i-th simplex node in the set of simplex nodes; This represents the original set of nodes in the training node graph. , This represents the set of original nodes contained in the simplex corresponding to the i-th simplex node in the node graph used for training; This represents the set of edges connecting a simplex node to its corresponding original node. , Representing simplex nodes With the corresponding original node set The set of edges obtained by connecting each original node in the array.

[0046] Higher-order bipartite diagram Topology such as Figure 4 As shown in (a) of the diagram.

[0047] In step 3, a classic pairwise graph is constructed. : ,in, This represents the average set of original edges in the node graph used for training.

[0048] Classic paired images Topology such as Figure 4 As shown in (b) of the diagram.

[0049] exist Figure 4 A higher-order bipartite diagram can be seen in it. Paired with classic images They correspond to each other through the same original node (i.e. Figure 4 (The dashed lines connecting the same original nodes between Figures (a) and (b)).

[0050] Step 4 includes the following sub-steps: Step 41, in the higher-order bipartite diagram The original nodes and simplex nodes are traversed through random walks to obtain the high-order random walk transition matrix Ω; simultaneously, based on classic pairwise graphs... Obtain the classical transition matrix C; Step 42, based on the high-order random walk transition matrix Ω, the classical transition matrix C, and the potential value of the Zth influence score. Construct the corresponding enhanced transition matrix : ;in, The value range of Z is [0,1]; Z is a positive integer.

[0051] Enhanced transition matrix ( The purpose of this is to capture higher-order bipartite graphs for subsequent classification models. Paired with classic images The interaction relationship between them; and the potential value of the z-th influence score. This will affect subsequent classification models in capturing interaction relationships and in higher-order bipartite graphs. Classic paired images The probability of performing a traversal.

[0052] For example, when =0 indicates that the subsequent classification model only applies to higher-order bipartite graphs. Iterate over the top; when A value of 0.5 indicates that the probability of subsequent classification models being identical in a higher-order bipartite graph is... The above and classic paired images Iterate over the top; when =1 indicates that the subsequent classification model only applies to classic pairwise graphs. Iterate through the top.

[0053] Step 43, based on the enhanced transition matrix Calculate the probability distribution vector corresponding to the enhanced random walk. : ; get The value at which convergence begins is recorded as the corresponding potential influence score. High-order topological feature vectors (HTF) ); where t represents the current iteration number, and traversing the entire multi-order graph to complete one probability propagation is counted as one iteration; t is a positive integer greater than 1; This represents the initial probability distribution vector, which is a known quantity; It is a row vector or column vector with the same number of dimensions as the original nodes, and the values ​​on different dimensions represent the importance scores of different original nodes.

[0054] Step 44: Based on the classical transition matrix C, obtain the 5-dimensional pairwise topological feature vector PTF, which consists of five centrality index values: degree centrality, core degree centrality, betweenness centrality, eigenvector centrality, and PageRank centrality.

[0055] The calculation methods for the above five centrality metrics are existing technologies and will not be elaborated here. Degree centrality and core degree centrality are typical neighborhood centrality metrics used to characterize the organization and function of a local network (i.e., the node graph used for training); betweenness centrality captures the path features between nodes from a propagation perspective; eigenvector centrality and PageRank centrality are classic methods that comprehensively consider the number and strength of neighbors.

[0056] Step 45, combine the paired topological feature vectors PTF and HTF (… The concatenated feature matrix is ​​fed into the classification model for training. Based on the classification model's predicted label probabilities for each original node and the true labels of each original node, the potential influence score of the classification model is calculated. Comprehensive performance index values ​​at that time: ;in, and These represent the first weighting coefficient and the second weighting coefficient, respectively. and These represent the first performance index value and the second performance index value, respectively.

[0057] In this embodiment, the first performance index value Compared with the second performance index value These refer to the AUC-ROC value and the AUC-PR value, respectively. and The technical staff will configure the settings themselves based on the performance requirements of the classification model.

[0058] In this embodiment, the classification model is the LightGBM model.

[0059] Step 46: Record the potential influence score corresponding to the largest comprehensive performance index value as the best influence score of the current classification model.

[0060] When the overall training node graph is decomposed into several individual training node graphs, each training node graph corresponds to a multi-order graph. Each training node graph will then obtain its optimal influence score after step 4. The optimal influence score of the overall training node graph is determined by taking the optimal influence scores of the top e most frequent training node graphs. If the optimal influence scores of each training node graph have the same frequency, then the arithmetic mean of the optimal influence scores of all training node graphs is taken.

[0061] Step 41 also includes the following sub-steps: Step 411, based on the higher-order bipartite diagram Obtain the m x n higher-order incidence matrix W, where the α-th row of the higher-order incidence matrix W represents the α-th original node. The i-th column of the higher-order correlation matrix W represents the i-th simplex node. , Let represent the element in the α-th row and i-th column of the higher-order incidence matrix W, where α ≤ m, i ≤ n, and n < m; if the α-th original node belongs to the simplex corresponding to the β-th simplex node, then ,otherwise ; Based on classic pairwise graphs The obtained n x n classical transition matrix C, the nth element in classical transition matrix C The element in row γ-th column Indicates the first Original nodes With the γth original node Are there any edges connecting them? If so, then Otherwise, it is 0, where γ≤m.

[0062] Step 412, in the higher-order bipartite diagram The original node and the simplex node are traversed through random walks. The starting node of each random walk is any original node or simplex node, and the direction of the walk is either upstream or downstream. Upstream means walking from the original node to the simplex node, and vice versa. Then in the case of higher-order bipartite diagrams During the traversal, starting from the original node Travel to simplex node probability for: ; in, Represents the original node In the higher-order bipartite diagram The sum of in-degree and out-degree; After calculating the probability of traversing from each original node to each simplex node, we obtain the first transition matrix with m rows and n columns. , Represents the first transition matrix The element in the α-th row and i-th column; From simplex nodes Travel to the original node probability for: ; in, Representing simplex nodes The order of the corresponding simplex is the total number of original nodes contained in the simplex minus 1; After calculating the probability of traversing from each original node to each simplex node, we obtain the second transition matrix with n rows and m columns. , Represents the second transition matrix The element in the i-th row and α-th column.

[0063] Step 413, calculate the n x n high-order random walk transition matrix Ω: .

[0064] In step 42: Based on the value range of [0,1], the technicians pre-set several potential values ​​for influence scores, such as 0.1, 0.2, 0.3, ..., 0.8, and 0.9.

[0065] In step 43: when The 2-norm begins to be less than or equal to the minimum value. When, it means Convergence begins. In this embodiment, =0.01.

[0066] Step 5 also includes the following sub-steps: Step 51: After obtaining real-time transaction information, construct the content of the current actual Ethereum node graph RE based on the real-time transaction information. This is similar to the construction of the training node graph with no overlapping edges based on qualified transaction information in steps 21 to 23, and will not be repeated here.

[0067] Step 52: Based on the current actual Ethereum node graph, obtain the corresponding actual higher-order bipartite graph and actual classical transition matrix C'. Then, based on the actual higher-order bipartite graph, obtain the corresponding actual higher-order random walk transition matrix Ω'. Based on the best influence score of the current classification model, the actual higher-order random walk transition matrix Ω', and the actual classical transition matrix C', calculate the corresponding actual enhanced transition matrix using the calculation formula in Step 42. ´.

[0068] Step 53, based on the actual enhanced transition matrix Using the calculation formula in step 43, calculate the probability distribution vector of the corresponding actual enhanced random walk, obtain the value when the actual probability distribution vector begins to converge and record it as the actual high-order topological feature vector HTF´ with the best influence score; at the same time, obtain the corresponding actual paired topological feature vector PTF´ based on the actual classical transition matrix C´, and then concatenate it with the actual high-order topological feature vector HTF´ to obtain the concatenated feature matrix of the current actual Ethereum node graph.

[0069] In step 6, the current classification model calculates the probability value of each node in the current actual Ethereum node graph having different labels based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix. Then, it predicts the label of the current node based on the label probability, that is, predicts whether each node is a phishing node.

[0070] It is important to emphasize that the actual Ethereum node graph contains fewer phishing nodes compared to the training node graph, and the distribution of phishing nodes may be more scattered. This is because the training node graph is constructed by engineers using transaction information containing phishing nodes, so the number and distribution of phishing nodes in the training node graph are inevitably denser.

[0071] Table 1. Comparison of AUC-ROC performance of different methods on 8 actual Ethereum node graphs used for verification.

[0072] Table 2. Comparison of AUC-PR performance of different methods on 8 actual Ethereum node graphs used for verification.

[0073] Table 1 is a comparison table of AUC-ROC performance using different methods on 8 actual Ethereum node graphs used for verification, and Table 2 is a comparison table of AUC-PR performance using different methods on 8 actual Ethereum node graphs used for verification. The technical personnel know the true labels of each original node in these 8 actual Ethereum node graphs used for verification.

[0074] Prior art 1 to prior art 7 are as follows: Existing technology 1: Deep walk is based on random walk and Skip-Gram model, which generates node embeddings by simulating node sequences to capture the structural information of the graph.

[0075] Existing technology 2: Line utilizes first-order and second-order similarity to model simultaneously, efficiently generating node representations for large-scale networks.

[0076] Existing technology 3: Node2vec improves DeepWalk by generating more flexible node embeddings through a controllable random walk strategy (a combination of DFS and BFS).

[0077] Existing technology 4: Struc2Vec captures the structural equivalence between nodes by constructing a multi-level structural similarity graph and generates node embeddings.

[0078] Existing technology 5: TTAGN proposes a time-series transaction aggregation graph network, which generates edge representations by modeling the temporal relationships of historical transactions between nodes, aggregates the edge features around nodes to capture topological interaction relationships, and combines statistical and structural features to improve the performance of phishing address detection.

[0079] Existing technology 6: BiLSTM4DPS is based on attention-enhanced BiLSTM, which extracts the time and potential patterns of account transaction sequences. It combines multi-head attention mechanism and masking technology to achieve accurate classification of Ethereum phishing fraud accounts.

[0080] Existing technology 7: LBPS, based on LSTM-FCN and BP neural network, captures the temporal features of transaction records and the implicit relationships between features, providing a new method for Ethereum phishing fraud detection.

[0081] As shown in Tables 1 and 2, the phishing account detection method of this application outperforms existing detection methods in both AUC-ROC and AUC-PR performance on the actual Ethereum node graph. Using the phishing account detection method of this application can significantly improve the detection performance of the classification model for phishing nodes, exhibiting higher accuracy, robustness, and stability.

[0082] For existing technologies using classification models to identify phishing nodes, the model needs to be trained on a training set before implementation. Therefore, the class balance of the data in the training set directly impacts the model's classification performance. Furthermore, the data categories in the training set differ somewhat from the node distribution characteristics in actual Ethernet networks, leading to low accuracy in identifying phishing nodes. For example, during training, to help the model quickly learn to identify phishing nodes, the training set often contains a large proportion of data belonging to the phishing node category. However, this can easily cause the trained model to overfit (because the number of phishing nodes in actual Ethernet networks is relatively small, and we cannot predict whether a node will become a phishing node before it appears), causing the model to misclassify many normal nodes as phishing nodes.

[0083] Existing technologies use classification models that can effectively identify other nodes or normal nodes with a large number of samples, resulting in a high AUC-ROC score. However, in actual Ethernet networks with fewer nodes, the performance is poor when identifying phishing nodes, resulting in a relatively low AUC-ROC value.

[0084] Classical pairwise graph networks are limited to utilizing pairwise interactions between nodes; while random walks on higher-order bipartite graphs effectively capture higher-order features of the network, such as the 2-simplex conveying more information than the three individual nodes that make it up, they to some extent ignore pairwise topological features (i.e., the topological features in classical pairwise graphs).

[0085] The phishing account detection method of this application transforms the initial node graph (referring to the training node graph or the actual Ethereum node graph) into a corresponding multi-order graph, both during the training process of the classification model and during the actual use of the classification model to predict phishing nodes in the actual Ethereum node graph. The multi-order graph includes higher-order bipartite graphs and classic pairwise graphs. The construction of the multi-order graph can preserve a more complete higher-order interaction structure. The random walk performed on the multi-order graph can more comprehensively obtain network information, preserve the higher-order structural information between nodes, obtain deeper representations and effective node features of nodes, and mine the potential features and potential relationships of each node in Ethereum transaction data.

[0086] A multi-level graph is a data structure used to represent and analyze multi-level network structures and dynamics. In graph theory and network analysis, this graphical structure is particularly suitable for solving problems that require simultaneous consideration of multiple types of relationships and levels of influence.

[0087] This application introduces an enhanced transition matrix representation of the random walk process on a multi-order graph. During the random walk, the optimal influence score, which is most suitable for the Ethereum node graph and the current classification model, is found by verifying the comprehensive performance index value including AUC-ROC and AUC-PR values. The optimal influence score is then used to calculate the spliced ​​feature matrix of the current actual Ethereum node graph (the node features in the spliced ​​feature matrix contain the network topology information of the current actual Ethereum node graph). This enables the current classification model to accurately predict phishing nodes based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix, significantly mitigating the adverse effects of the training set's imbalanced data categories and large differences from the actual distribution of phishing nodes on the classification model.

[0088] The technologies, shapes, and structures not described in detail in this application are all well-known technologies. It should also be noted that the above are merely preferred embodiments of this application and are not intended to limit the scope of this application. The components or steps in the embodiments of this application can be decomposed and / or recombined, and these decompositions and / or recombinations should be considered as equivalent solutions of this application and should all fall within the protection scope of this application.

Claims

1. A high-precision Ethereum phishing account detection method based on high-order topology, characterized in that, Includes the following steps: Step 1: After obtaining transaction information containing historical phishing nodes, clean the data to obtain several qualified transaction records. Step 2: Construct a training node graph based on the qualified transaction information; all nodes in the training node graph are denoted as original nodes, and the average original edge used to connect two original nodes in the training node graph is denoted as _____. Step 3: Construct the corresponding multi-order graph based on the training node graph; the multi-order graph includes a bipartite graph and a classical pairwise graph. The bipartite graph contains the edge relationships between the simplex nodes corresponding to each maximal clique in the training node graph and the original nodes; the classical pairwise graph contains the edge relationships between the original nodes. Step 4: Obtain the best influence score for the current classification model based on the multi-level graph; Step 5: Calculate the splicing feature matrix of the current actual Ethereum node graph based on the best influence score; Step 6: The current classification model predicts phishing nodes based on the current actual Ethereum node graph and the corresponding spliced ​​feature matrix.

2. The high-precision Ethereum phishing account detection method based on high-order topology according to claim 1, characterized in that, Step 1 also includes the following: Step 11: Count the number of transactions for all nodes included in the acquired transaction information containing historical phishing nodes, and select nodes with fewer than [number of transactions]. Item or more Each node is marked as a suspected phishing node; among them, the nodes include the transaction initiating address node and the transaction receiving address node; Step 12: After removing the transaction information of the historical phishing nodes that are suspected to be phishing nodes, the remaining transaction information containing the historical phishing nodes is recorded as qualified transaction information.

3. The high-precision Ethereum phishing account detection method based on high-order topology according to claim 1, characterized in that, Step 2 also includes the following: Step 21: Nodes with different addresses in the qualified transaction information are all used as original nodes in the training node graph; Step 22: Connect the original node corresponding to the transaction initiation address and the original node corresponding to the transaction receiving address that belong to the same qualified transaction information to obtain the corresponding original edge. Each original edge contains the transaction timestamp and transaction amount in the corresponding qualified transaction information. Step 23: Remove duplicate edges between two original nodes that have more than one original edge, so that there is only one average original edge between the two corresponding original nodes, thus completing the construction of the training node graph.

4. The high-precision Ethereum phishing account detection method based on high-order topology according to claim 3, characterized in that, The deduplication of original edges also includes the following: taking the arithmetic mean of the transaction timestamps and the arithmetic mean of the transaction amounts of all original edges between two original nodes, and using them as the average transaction timestamps and average transaction amounts of the corresponding average original edges.

5. The high-precision Ethereum phishing account detection method based on high-order topology according to claim 1, characterized in that, Step 3 also includes the following: Constructing a higher-order bipartite graph Including steps 31 and 32: Step 31: By traversing each original node and the average original edge in the training node graph, identify all maximal cliques in the training node graph. Each maximal clique is a simplex, and each simplex is used as a different simplex node. Step 32: Connect the simplex nodes with the original nodes in the corresponding simplex by adding edges to obtain a higher-order bipartite graph. : ;in, Representing a higher-order bipartite graph The set of simplex nodes in the equation. , This represents the i-th simplex node in the set of simplex nodes; This represents the original set of nodes in the training node graph. , This represents the set of original nodes contained in the simplex corresponding to the i-th simplex node in the node graph used for training; This represents the set of edges connecting a simplex node to its corresponding original node. , Representing simplex nodes With the corresponding original node set The set of edges obtained by connecting each original node in the array; Constructing classic pairwise graphs : ,in, This represents the average set of original edges in the node graph used for training.

6. The high-precision Ethereum phishing account detection method based on high-order topology according to claim 5, characterized in that, Step 4 also includes the following: Step 41, in the higher-order bipartite diagram The original nodes and simplex nodes are traversed through random walks to obtain the high-order random walk transition matrix Ω; simultaneously, based on classic pairwise graphs... Obtain the classical transition matrix C; Step 42, based on the high-order random walk transition matrix Ω, the classical transition matrix C, and the potential value of the Zth influence score. Construct the corresponding enhanced transition matrix : ;in, The value range of z is [0,1]; Z is a positive integer. Step 43, based on the enhanced transition matrix Calculate the probability distribution vector corresponding to the enhanced random walk. : ; get The value at which convergence begins is recorded as the corresponding potential influence score. High-order topological feature vectors (HTF) ); where t represents the current iteration number, and traversing the entire multi-order graph to complete one probability propagation is denoted as one iteration; t is a positive integer greater than 1; Represents the initial probability distribution vector; It is a row vector or column vector with the same number of dimensions as the original nodes, and the values ​​on different dimensions represent the importance scores of different original nodes; Step 44: Based on the classical transition matrix C, obtain the 5-dimensional pairwise topological feature vector PTF, which consists of five centrality index values: degree centrality, core degree centrality, betweenness centrality, eigenvector centrality, and PageRank centrality. Step 45, combine the paired topological feature vectors PTF and HTF (… The concatenated feature matrix is ​​fed into the classification model for training. Based on the classification model's predicted label probabilities for each original node and the true labels of each original node, the potential influence score of the classification model is calculated. Comprehensive performance index values ​​at that time: ;in, and These represent the first weighting coefficient and the second weighting coefficient, respectively. and These represent the first performance index value and the second performance index value, respectively; the first performance index value Compared with the second performance index value These refer to the AUC-ROC value and the AUC-PR value, respectively. Step 46: Record the potential influence score corresponding to the largest comprehensive performance index value as the best influence score of the current classification model.

7. The high-precision Ethereum phishing account detection method based on high-order topology according to claim 3, characterized in that, Step 2 also includes the following: when the number of phishing nodes in all qualified transaction information exceeds At this point, the node graph constructed based on all qualified transaction information is called the training node graph. Then, using random walk and breadth-first search methods, the training node graph is decomposed into several training node graphs. The fishing nodes and average original edges in different training node graphs do not overlap.

8. A high-precision Ethereum phishing account detection method based on high-order topology according to claim 6, characterized in that, Step 41 also includes the following sub-steps: Step 411, based on the higher-order bipartite diagram Obtain the m x n higher-order incidence matrix W, where the α-th row of the higher-order incidence matrix W represents the α-th original node. The i-th column of the higher-order incidence matrix W represents the i-th simplex node. , Let represent the element in the α-th row and i-th column of the higher-order correlation matrix W, where α≤m, i≤n and n<m; If the α-th original node belongs to the simplex corresponding to the β-th simplex node, then ,otherwise ; Based on classic pairwise graphs Obtain the classical transition matrix C with n rows and n columns, and the nth element in the classical transition matrix C. The element in row γ-th column Indicates the first Original nodes With the γth original node Are there any edges connecting them? If so, then Otherwise, it is 0, where γ≤m; Step 412, in the higher-order bipartite diagram The original node and the simplex node are traversed through random walks. The starting node of each random walk is any original node or simplex node, and the direction of the walk is either upstream or downstream. Upstream means walking from the original node to the simplex node, and vice versa. In the context of higher-order bipartite diagrams During the traversal, starting from the original node Travel to simplex node probability for: ; in, Represents the original node In the higher-order bipartite diagram The sum of in-degree and out-degree; After calculating the probability of traversing from each original node to each simplex node, we obtain the first transition matrix with m rows and n columns. , Represents the first transition matrix The element in the α-th row and i-th column; From simplex nodes Travel to the original node probability for: ; in, Representing simplex nodes The order of the corresponding simplex is the total number of original nodes contained in the simplex minus 1; After calculating the probability of traversing from each original node to each simplex node, we obtain the second transition matrix with n rows and m columns. , Represents the second transition matrix The element in the i-th row and α-th column; Step 413, calculate the n x n high-order random walk transition matrix Ω: .

9. A high-precision Ethereum phishing account detection method based on high-order topology according to claim 6, characterized in that, In step 43: when The 2-norm begins to be less than or equal to the minimum value. hour, It begins to converge.

10. A high-precision Ethereum phishing account detection method based on high-order topology according to claim 6, characterized in that, In step 5: Step 51: After obtaining real-time transaction information, construct the current actual Ethereum node graph (RE) based on the real-time transaction information; Step 52: Based on the current actual Ethereum node graph, obtain the corresponding actual higher-order bipartite graph and the actual classical transition matrix C'. Then, based on the actual higher-order bipartite graph, obtain the corresponding actual higher-order random walk transition matrix Ω'. Based on the best influence score of the current classification model, the actual higher-order random walk transition matrix Ω', and the actual classical transition matrix C', calculate the corresponding actual enhanced transition matrix. ´; Step 53, based on the actual enhanced transition matrix ´, calculate the probability distribution vector of the corresponding actual enhanced random walk, obtain the value when the actual probability distribution vector begins to converge and record it as the actual high-order topological feature vector HTF´ with the best influence score; at the same time, obtain the corresponding actual paired topological feature vector PTF´ based on the actual classical transition matrix C´, and concatenate it with the actual high-order topological feature vector HTF´ to obtain the concatenated feature matrix of the current actual Ethereum node graph.