CN-121980312-A - Method for detecting malicious behavior of cryptocurrency of end-to-end deep generation framework

Abstract

The invention discloses a method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework, comprising the following steps: S1, constructing a dynamic transaction graph sequence from cryptocurrency transaction records; S2, using a preprocessing module to jointly extract structural and temporal context, preventing fragmentation and information loss; S3, using a Transformer encoder combined with a graph attention network to capture node connection dynamics and temporal evolution; S4, using a reinforcement learning mechanism to iteratively optimize the generated graph structure, ensuring high fidelity and reducing erroneous links; S5, using the generated dynamic graph for data augmentation and inputting it into a downstream classifier to detect malicious nodes. The Transformer-GAT architecture preserves real local dependencies, and the reinforcement learning reward function prioritizes connectivity and behavioral similarity around minority seed nodes, so that the local dynamic patterns and bursty behavior of malicious nodes are effectively captured.

Inventors

  • ZHANG LEJUN
  • WANG LE
  • XIAO SIYI
  • TIAN ZHIHONG
  • SU SHEN
  • LIU YUAN
  • QIU JING
  • SUN YANBIN
  • LI MOHAN
  • LU HUI

Assignees

  • Yangzhou University (扬州大学)

Dates

Publication Date
20260505
Application Date
20260122

Claims (9)

  1. A method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework, characterized by comprising the following steps: S1, constructing a dynamic transaction graph sequence from cryptocurrency transaction records; S2, jointly extracting the structural and temporal context using a preprocessing module; S3, capturing node connection dynamics and temporal evolution using a Transformer encoder combined with a graph attention network; S4, iteratively optimizing the generated graph structure using a reinforcement learning mechanism; S5, using the generated dynamic graph for data augmentation and inputting it into a downstream classifier for malicious node detection.
  2. The method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework of claim 1, wherein in S1 the dynamic transaction graph sequence is constructed as follows: unique addresses are extracted from the cryptocurrency transaction records as nodes, and each transaction is used as a directed edge pointing from sender to receiver, to construct the dynamic graph sequence Wherein each snapshot , For the total time slice length, For a set of nodes within the time window t, In order to have a set of directed edges, For node feature matrix, including statistical properties such as transaction frequency, amount change, etc., a continuous time evolution graph is formed to capture local dynamic patterns of malicious behaviors.
  3. The method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework of claim 1, wherein in S2 the structural and temporal context are jointly extracted as follows: the preprocessing module jointly extracts structural and temporal context from the transaction data to prevent fragmentation and information loss; builds continuous node trajectories by aligning transaction events across consecutive time intervals instead of processing each interval in isolation; embeds node reception occurrence sequences; processes history sequences using positional encoding to capture long-term trends and short-term deviations; uses an autoregressive strategy to condition the generation of each new snapshot on previously generated outputs, forcing smooth neighborhood evolution and ensuring temporal consistency; and represents node trajectories as sequences Wherein For the feature vector of node i at time t, including the neighborhood structure and the time attribute, a joint context matrix is formed for subsequent encoding.
  4. The method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework of claim 1, wherein in step S3 the node connection dynamics and temporal evolution are captured as follows: S301, performing node trajectory serialization on the joint context matrix output by the preprocessing module, taking the sequence of feature vectors of each node over consecutive time steps as input to form a time-serialized node embedding sequence; S302, performing local neighborhood aggregation on the nodes in each time snapshot using a graph attention network (GAT) and learning context-sensitive node representations, wherein an attention weight calculation formula is as follows ; Wherein, the And The feature vectors of nodes i and j respectively, Representing the transformed feature vector of node i, Representing the transformed feature vector of the neighboring node j, Representing the neighborhood of node i The transformed feature vector of any neighboring node k, Is an attention vector, exp is the exponential function, which maps values to the positive numbers so that the attention weights are positive and convenient to normalize, LeakyReLU is the leaky rectified linear unit activation function, defined as ; Wherein, the Is a positive number; S303, processing the node trajectory sequence obtained in step S301 using a Transformer encoder, with positional encoding to capture temporal evolution; S304, fusing the GAT node representation of each snapshot obtained in step S302 with the Transformer sequence representation obtained in step S303 to form a combined dynamic node representation.
  5. The method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework of claim 4, wherein in step S303, the self-attention mechanism formula is ; Wherein, the In order to query the matrix, In the form of a matrix of keys, In the form of a matrix of values, In order to input the embedded sequence, In order to be able to learn the projection weight matrix, Is the dimension of the key vector, softmax is the softmax function, defined as ; Wherein, the For an attention score vector, i.e., the original score calculated from the query-key dot product, j is the index in the vector used to convert the dot product into a probability distribution, ensuring that the attention weights are non-negative and sum to 1; Is a scaling factor.
  6. The method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework of claim 1, wherein in step S4 the generated graph structure is iteratively optimized as follows: S401, initializing the state of the agent as the embedded representation of the initial dynamic graph output in step S3, and defining the action space as adding or deleting potential edges in the currently generated graph; S402, the agent outputs an action probability distribution through a policy network according to the current state, selects an add or delete action, and generates a new candidate graph structure; S403, calculating a reward function R to evaluate the quality of the candidate graph structure, wherein the reward function is defined as ; Wherein, the In order for the topology to be similar, In order for the degree of similarity of the behaviors, In order to penalize the wrong link, Is the weight; S404, the agent is optimized using the policy gradient method, and the update formula is as follows ; Wherein, the As an objective function Regarding parameters Is used for the gradient of (a), Averaging over the state-action trajectory distribution for the mathematical expectation to estimate the gradient expectation; For policy networks, parameterization is Given the probability distribution of state s output action a; For the log probability, the logarithm of the policy is taken to calculate the gradient, a is the action, i.e. the edge the agent chooses to add or delete in the current state; S405, judging whether the reward has converged or whether the number of iterations of steps S402-S404 has reached the preset number of iterations; if not, returning to step S402, otherwise outputting the final refined high-fidelity dynamic graph structure.
  7. The method for detecting malicious cryptocurrency behavior using an end-to-end deep dynamic graph generation framework of claim 1, wherein step S5 is specifically: integrating the generated dynamic graph with the original data set to form an augmented data set ; Wherein, For the synthesized snapshot, For the inferred label; and inputting it into a downstream classifier to detect malicious nodes, wherein the classifier is trained with cross-entropy loss, the loss function being ; Wherein y is the true label, For the predicted probability.
  8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the cryptocurrency malicious behavior detection method of the end-to-end deep dynamic graph generation framework of any one of claims 1 to 6.
  9. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the cryptocurrency malicious behavior detection method of the end-to-end deep dynamic graph generation framework of any one of claims 1 to 6.
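
As an added illustration of step S1 (claim 2) and the trajectory alignment of step S2 (claim 3), not code from the patent: the sketch below builds per-window directed snapshots from transaction records and aligns each address into one continuous feature sequence. The fixed window length, the four-element feature vector and the zero-filling of inactive windows are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (time in seconds, sender, receiver, amount);
# addresses are placeholders, not real accounts.
SAMPLE_TXS = [
    (5, "addrA", "addrB", 1.0), (20, "addrA", "addrC", 1.0),
    (70, "addrS", "addrB", 4.0), (75, "addrS", "addrC", 4.0),
    (80, "addrS", "addrD", 4.0), (95, "addrA", "addrB", 3.0),
    (130, "addrB", "addrA", 0.5),
]

def build_snapshots(txs, window):
    """Return [(nodes, edges, features)] with one entry per time window t."""
    if not txs:
        return []
    t0 = min(t for t, *_ in txs)
    n_windows = (max(t for t, *_ in txs) - t0) // window + 1
    snaps = [(set(), set(), defaultdict(lambda: [0, 0.0, 0.0]))
             for _ in range(n_windows)]
    for t, src, dst, amt in txs:
        nodes, edges, feats = snaps[(t - t0) // window]
        nodes.update((src, dst))
        edges.add((src, dst))              # directed edge: sender -> receiver
        for addr in (src, dst):
            feats[addr][0] += 1            # transaction frequency in window
        feats[src][1] += amt               # amount sent in window
        feats[dst][2] += amt               # amount received in window
    return snaps

def node_trajectories(snaps):
    """Align each address across consecutive windows into one feature sequence.

    Per-window vector: [tx_count, sent, received, change_in_sent]; windows in
    which the address is inactive are zero-filled so no trajectory is cut
    (an assumed way to avoid the fragmentation the claims warn about).
    """
    addrs = set().union(*(nodes for nodes, _, _ in snaps))
    traj = {}
    for a in sorted(addrs):
        seq, prev_sent = [], 0.0
        for _, _, feats in snaps:
            cnt, sent, recv = feats[a] if a in feats else (0, 0.0, 0.0)
            seq.append([cnt, sent, recv, sent - prev_sent])
            prev_sent = sent
        traj[a] = seq
    return traj

def out_degree(edges, addr):
    """Distinct receivers of addr in one snapshot (a star-outflow cue)."""
    return sum(1 for s, _ in edges if s == addr)
```

With a 60-second window, the constructed `addrS` appears only in the second snapshot with three outgoing edges, and its zero-filled trajectory keeps that burst visible as a single spike instead of a disconnected fragment.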

Description

Method for detecting malicious behavior of cryptocurrency of end-to-end deep generation framework

Technical Field

The invention relates to the field of cryptocurrency security, and in particular to a method for detecting malicious cryptocurrency behavior using an end-to-end deep generation framework.

Background

With the rapid development of cryptocurrency technology, Ethereum has been widely used as a mainstream cryptocurrency platform for smart contracts and decentralized applications, but malicious fraud increasingly threatens the security of its ecosystem. Existing malicious behavior detection methods fall mainly into two types. The first type relies on rules and data mining techniques to identify fraud patterns in the transaction network, for example using data mining to detect Ethereum fraud, or developing heuristic rules from an analysis of transaction flows to detect Ponzi schemes. However, these methods depend heavily on expert knowledge, which results in incomplete feature extraction, limited generalization capability, an inability to effectively capture the dynamic evolution of the transaction graph, and poor detection performance. The second type is based on graph learning and models Ethereum transactions as a dynamic network, for example identifying malicious accounts through graph embedding, where accounts are embedded and abnormal clusters are detected using DeepWalk, node2vec and similar techniques, or performing community analysis through network embedding that integrates GraphSAGE and other inductive learning methods.

While these approaches show promising results, their effectiveness is limited by severe class imbalance: malicious nodes account for only a small fraction of all addresses in real-world datasets, so models tend to overfit benign patterns and have limited sensitivity to rare malicious instances. Synthetic data augmentation through dynamic graph generation is a promising direction, but existing frameworks such as TagGen and TIGGER generate temporal graphs using random walks or point processes and primarily optimize global statistical properties (e.g., degree distribution), which makes them unsuitable for security-sensitive tasks. These methods tend to fragment node trajectories, or to stitch broken subgraphs together with heuristic edge formation rules, resulting in temporally inconsistent neighborhood structures and false connections that distort the key behavioral cues required for malicious behavior detection, such as star-shaped flows, bursts of transaction activity, or persistent interaction patterns among small groups of nodes.

Disclosure of Invention

The present invention has been made in view of the above problems in conventional malicious behavior detection methods. The problem to be solved by the invention is that the prior art mostly generates dynamic graphs based on global statistical properties and cannot effectively capture the local dynamic patterns required for malicious behavior detection: node trajectory fragmentation causes temporally inconsistent neighborhood structures and false connections, which distort behavioral cues such as star-shaped outflows and bursts of transaction activity and leave the augmentation of class-imbalanced data insufficiently effective.

In order to solve the above technical problems, the invention provides a method for detecting malicious cryptocurrency behavior using an end-to-end deep generation framework, comprising the following steps: S1, constructing a dynamic transaction graph sequence from cryptocurrency transaction records; S2, jointly extracting the structural and temporal context using a preprocessing module; S3, capturing node connection dynamics and temporal evolution using a Transformer encoder combined with a graph attention network; S4, iteratively optimizing the generated graph structure using a reinforcement learning mechanism; S5, using the generated dynamic graph for data augmentation and inputting it into a downstream classifier for malicious node detection.

As a preferred scheme of the method for detecting malicious cryptocurrency behavior using the end-to-end deep generation framework, in S1 the dynamic transaction graph sequence is constructed as follows: unique addresses are extracted from the cryptocurrency transaction records as nodes, and each transaction is used as a directed edge pointing from sender to receiver, to construct the dynamic graph sequence Wherein each snapshot , For the total time slice length, For a set of nodes within the time window t, In order to have a set of directed edges, For node feature matrix, including statistical properties such as transaction frequency, amount change, etc., a continuous time evolution graph is formed to capture local dynamic patterns of malicious behaviors. As a preferable scheme of th