CN-122001629-A - Black box graph fraud detection collusion model editing method based on conditional diffusion model
Abstract
The invention relates to the technical field of Internet security, and in particular provides a black box graph fraud detection collusion model editing method based on a conditional diffusion model, comprising the following steps: S1, constructing a local subgraph context encoding mechanism; S2, establishing a conditional diffusion generation model in latent space; S3, designing a joint generation strategy for features and edges; and S4, performing collaborative optimization based on adversarial loss. Together, these steps address the prior art's lack of an attack method that, based on a conditional diffusion model, cooperatively generates nodes and edges with collusion features under black-box constraints and with only a local view. The method realizes realistic collusion attack simulation, ensures local consistency and high concealment, resolves the disconnect between generated features and topology, satisfies strict black-box and local-access constraints, can reveal potential security holes in industrial financial risk control systems, and provides key technical support for developing next-generation robust defense mechanisms.
Inventors
- TIAN HUAMING
- XIE LI
- YANG MENGMENG
- CHENG DAWEI
- CAI JIAN
- WANG JUNHUA
- SUN XIAOYA
Assignees
- 上海帆立信息科技有限公司
Dates
- Publication Date: 20260508
- Application Date: 20260121
Claims (7)
- 1. A black box graph fraud detection collusion model editing method based on a conditional diffusion model, characterized by comprising the following steps: S1, constructing a local subgraph context encoding mechanism: in a black-box scenario, starting from a target node, extracting its k-hop local subgraph, extracting the structural and attribute features of the subgraph using a graph isomorphism network and adaptive pooling, and establishing a latent representation of the local subgraph context; S2, establishing a conditional diffusion generation model in latent space: building a latent diffusion model comprising a forward noising process and a reverse denoising process, conditioned on the local subgraph context and the features of the target node, guiding the denoising process through a gated conditional modulation mechanism, and generating latent attack vectors that imply a collusion pattern; S3, designing a joint generation strategy for features and edges: based on the generated latent attack vectors, decoding them into concrete attack node attributes and the connections between the attack nodes and the original graph using feature projection and a cosine-similarity-based edge sampling strategy, generating a perturbed graph that satisfies the budget constraint; S4, collaborative optimization based on adversarial loss: combining the reconstruction loss of the diffusion model with the Carlini-Wagner adversarial loss against the proxy model, and jointly optimizing the encoder and the diffusion denoising network, so that the generated attack nodes remain concealed while maximizing the misclassification probability of the target fraud node.
- 2. The black box graph fraud detection collusion model editing method based on the conditional diffusion model according to claim 1, wherein in step S1, the specific process of the local subgraph context coding is as follows: a, for each target node, extracting a k-hop sub-graph thereof And adopts the multi-layer graph isomorphic network as backbone network, the first The node embedding update formula of the layer is as follows Wherein, MLP represents a multi-layer perceptron, Is a learnable parameter; b to process sub-graphs of different sizes and obtain a fixed-dimension context representation, employing node-based budgets Is used for the adaptive maximum pooling layer of the (c), embedding the last layer Conversion to a sub-graph context matrix ; And c, finally obtaining the potential space code through the projection layer The encoding implies topology and attribute patterns of the local subgraph as initial state and condition inputs of the diffusion model.
- 3. The black box graph fraud detection collusion model editing method based on the conditional diffusion model according to claim 1, wherein in step S2, the conditional diffusion generation model includes a forward noise adding process Reverse denoising network The specific establishment of the conditional diffusion generation model comprises forward process construction, condition vector construction, gating condition modulation and denoising target construction.
- 4. The black box graph fraud detection collusion model editing method based on the conditional diffusion model according to claim 3, wherein in step S2, specific construction details are as follows, Forward process construction, in Gradual progress to potential coding in time steps Adding Gaussian noise, noise state at step t Satisfy the following requirements , wherein, Scheduling parameters for the variance; condition vector construction Condition vector Is formed by splicing two parts, namely Wherein Is the target node Is to be used in the meaning of the term (1), Embedding the sub-graph context obtained in the step S1; the Gating Condition Modulation (GCM) is that the denoising network adopts a multi-layer MLP structure, a GCM module is introduced into each layer to inject condition information, and the first layer is set The hidden state of the layer is Conditional embedding as Then the vector is gated Calculated as The adjusted conditions are embedded as The updated hidden state is , wherein, For the time-step embedding, The splice is indicated as being a function of the splice, Representing element-wise multiplication, the GCM mechanism allows the model to adaptively control the intensity of conditional information injection; denoising target construction, denoising network The noise added at each time step is intended to be predicted to recover potential attack vectors from pure Gaussian noise 。
- 5. The black box graph fraud detection collusion model editing method based on the conditional diffusion model according to claim 1, wherein in step S3, specific processes of feature and edge joint generation include attribute generation, edge generation, and budget constraint processing.
- 6. The black box graph fraud detection collusion model editing method based on conditional diffusion model as recited in claim 5, wherein in step S3, the specific process of generating is as follows, attribute generation is as follows By projection matrix Bias and method of making same Mapping back to attribute space, and obtaining feature matrix of injection node by using Sigmoid function and maximum and minimum normalized limiting feature range ; Edge generation, namely, in order to simulate a collusion structure, calculating connection probability between an injection node and an existing node in a subgraph, and characterizing the injection node Node characteristics of sub-graph Mapping to a shared space, and calculating cosine similarity to obtain an edge scoring matrix ; Budget constraint processing according to edge budget Using Gumbel-Top-k sampling strategy Middle sampling discrete edges forcing each injection node to connect with a target node to ensure connectivity, the remainder The edges are connected in the subgraph according to the similarity probability distribution, thereby forming a collusion structure.
- 7. The black box graph fraud detection collusion model editing method based on the conditional diffusion model according to claim 1, wherein the collaborative optimization specific flow in step S4 is as follows: establishing a total loss function Wherein, the The reconstruction loss of the diffusion model, defined as the mean square error of the predicted noise and the real noise, To combat losses, the C & W loss form is used, defined as The confidence level is output for the proxy model on the disturbance map; By minimizing total losses Updating model parameters by using a gradient descent algorithm, and guiding the diffusion generation process to evolve towards the most destructive direction; in the reasoning stage, an attack sample is generated by using the trained model, so that the attack on the black box graph fraud detection model is realized.
Description
Black box graph fraud detection collusion model editing method based on conditional diffusion model
Technical Field
The invention relates to the technical field of Internet security, and in particular to a black box graph fraud detection collusion model editing method based on a conditional diffusion model.
Background
Graph neural networks (GNNs), by virtue of their ability to aggregate neighborhood information, have become a core technology for identifying suspicious entities in fields such as financial risk control and social network spam detection. Although GNNs excel at modeling local dependencies, research has shown that they are very sensitive to adversarial attacks, particularly "graph model editing" (Graph Injection Attack), in which an attacker degrades model performance by injecting malicious nodes and edges without changing the original graph topology. This constitutes a serious threat to financial security and platform reputation. In realistic financial fraud scenarios, fraudsters often no longer act alone but operate as "collusion groups" (Conspiracy), exhibiting a highly organized collaborative attack mode. At the same time, real scenarios impose strict practical limits on an attacker: the attacker generally cannot obtain the parameters of the defense model (black box), can only access the local subgraph formed by the target node and its neighbors, and cannot obtain global graph information. In the prior art, research on adversarial graph attacks has focused on perturbation attacks or simple model editing. Early attack methods such as NIPA require access to model gradients or retraining of the model, so their utility in black-box scenarios is limited. Some more advanced black-box attack methods exist: TDGIA uses topological heuristic rules and smooth features to generate attacks, Cluster Attack models the attack as a clustering problem, and G2A2C uses reinforcement learning to generate nodes.
In addition, MonTi and similar methods have attempted to combine multiple injection nodes using a Transformer framework in an effort to simulate collusion behavior by fraudsters. Meanwhile, although diffusion models show strong capability in image and text generation, in the graph domain they are currently applied mainly to molecular generation or graph completion, and research on their use for adversarial attacks is very limited. However, the above prior art still has significant drawbacks when addressing attacks in real fraud scenarios. First, the existing mainstream graph model editing methods mostly generate injection nodes independently or follow only simple statistical constraints. They omit the key cooperative interaction among injection nodes and cannot effectively simulate complex real-world "group fraud" behavior, so the generated feature distribution is abrupt and is easily identified by existing robust GNN defense algorithms. Second, many methods generate graph structure and node features separately in stages, which causes inconsistency between topology and attributes and reduces the realism of what is generated. Third, some methods that attempt to simulate collaborative attacks (e.g., MonTi) ignore the limitation that a real attacker can only access a local subgraph, and rely heavily on global graph information to coordinate node behavior, which makes the scheme infeasible in practical applications. On the other hand, although diffusion models show strong joint distribution modeling capability, their application to adversarial graph generation is still at the exploration stage, and existing research has not solved the problem of how to use a diffusion model under strict local constraints to generate a cooperative attack structure that is both effective and highly concealed.
In summary, the prior art lacks an attack method that, based on a conditional diffusion model, can cooperatively generate nodes and edges with collusion features under black-box constraints and with only a local view.
Disclosure of Invention
To overcome the prior art's lack of an attack method that, based on a conditional diffusion model, cooperatively generates nodes and edges with collusion features under black-box constraints and with only a local view, the invention provides a black box graph fraud detection collusion model editing method based on a conditional diffusion model. It realizes realistic collusion attack simulation, ensures local consistency and high concealment, resolves the disconnect between generated features and topology, conforms to strict black-box and local-access constraints, can effectively reveal potential security holes in industrial financial risk control systems, and provides key technical support for developing a next-generation robust defense mechanism. The technical scheme adopted fo