TSGN: Transaction Subgraph Networks for Identifying Ethereum Phishing Accounts

Abstract

Blockchain technology and, in particular, blockchain-based transaction offers us information that has never been seen before in the financial world. In contrast to fiat currencies, transactions through virtual currencies like Bitcoin are completely public. And these transactions of cryptocurrencies are permanently recorded on Blockchain and are available at any time. Therefore, this allows us to build transaction networks (TN) to analyze illegal phenomenons such as phishing scams in blockchain from a network perspective. In this paper, we propose a Transaction SubGraph Network (TSGN) based classification model to identify phishing accounts in Ethereum. Firstly we extract transaction subgraphs for each address and then expand these subgraphs into corresponding TSGNs based on the different mapping mechanisms. We find that TSGNs can provide more potential information to benefit the identification of phishing accounts. Moreover, Directed-TSGNs, by introducing direction attributes, can retain the transaction flow information that captures the significant topological pattern of phishing scams. By comparing with the TSGN, Directed-TSGN indeed has much lower time complexity, benefiting the graph representation learning. Experimental results demonstrate that, combined with network representation algorithms, the TSGN model can capture more features to enhance the classification algorithm and improve phishing nodes’ identification accuracy in the Ethereum networks.

7 Appendix

• Number of Graph Nodes (N): The number of nodes in the graph.

• Number of Graph Edges (E): The number of edges in the graph.

• Average Degree (\(D_A\)): The mean number of edges connected to a node in the graph.

• Percentage of leaf nodes (P): A node is defined as a leaf node if it’s degree is 1. If there are l leaf nodes in the graph, the percentage of leaf nodes can be calculated as \(P=l/N\).

• Average Clustering Coefficient (\(C_{coef}\)): The clustering coefficient is a classic measure to quantify the edge density of the ego-network. Given a graph, there are \(m_i\) neighbors of node \(v_i\) and they are connected by \(e_i\) edges. Then, the average clustering coefficient of the graph can be defined as

  $$\begin{aligned} C_{coef}=\frac{1}{N}\sum _{i=1}^N\frac{2e_i}{m_i(m_i-1)}\,. \end{aligned}$$

  (2)

• Largest Eigenvalue of the Adjacency Matrix (\(\lambda \)): Given a graph G, it can be represented as an adjacency matrix \(A^{N\times {N}}\). As the isomorphic invariant, we can adopt the largest one \(\lambda \) of eigenvalues of A as the graph feature.

• Network Density (\(D_N\)): Given a network, the numbers of nodes and edges are N and E, then the network density can be defined as \(D=2E/N(N-1)\)

• Average Betweenness Centrality (\(C_{betw}\)): For each pair of nodes in a connected network, there exists at least one shortest path between the nodes such that the number of edges that construct this path is minimized. The betweenness centrality of a node is a measure of centrality based on the shortest paths. So, the betweenness centrality of a node is defined as

  $$\begin{aligned} C_{betw}(i)=\sum _{m\ne i\ne n} {\frac{e_{mn}(i)}{e_{mn}}}\,. \end{aligned}$$

  (3)

  \(C_{betw}(i)\) can reflect the importance of node i as a bridge node. Where \(e_{mn}\) is the number of shortest paths between \(v_m\) and \(v_n\), and \(e_{mn}(i)\) is the number of shortest paths between \(v_m\) and \(v_n\) that pass through \(v_i\).

  Then, the average betweenness centrality of the network can be calculated as

  $$\begin{aligned} C_{betw}=\frac{1}{N}\sum _{i=1}^N{C_{betw}(i)}\,. \end{aligned}$$

  (4)

• Average Closeness Centrality (\(C_{close}\)): The closeness centrality is also a measure of centrality based on the shortest paths, which requires taking into account the shortest paths from each node to the other nodes. Given a connected network, the closeness centrality of a node is represented as the reciprocal of the sum of shortest path length between this node and the others. The average closeness centrality of the network is defined as

  $$\begin{aligned} C_{close}=\frac{1}{N}\sum _{i=1}^N\frac{{k-1}}{{\sum _{j=1}^k {{e_{ij}}} }}\,, \end{aligned}$$

  (5)

  where \(e_{ij}\) is the shortest path length between nodes \(v_i\) and \(v_j\).

• Average Neighbor Degree (\(D_{neighbor}\)): The neighbor degree of a node is the average degree of all the neighbors of this node, which can capture the 2-hop information. We can calculate the neighbor degree of the node \(v_i\) as

  $$\begin{aligned} D_{neighbor}(i)= \frac{1}{k_i}{\sum _{v_j\in \mathcal {N}_i} k_j}\,, \end{aligned}$$

  (6)

  where \(\mathcal {N}_i\) is the neighbor set of node \(v_i\), and \(k_i\) and \(k_j\) are the degrees of node \(v_i\) and \(v_j\in {\varOmega _i}\). For a network, we can get the average neighbor degree

  $$\begin{aligned} D_{neighbor}=\frac{1}{N}\sum _{i=1}^N {D_{neighbor}(i)} \end{aligned}$$

  (7)