There are various kinds of fraudulent activities on the Internet (Jiang et al., 2016), e.g., fraudsters disguise as regular users to post fake reviews (Kaghazgaran et al., 2019) and commit download fraud (Dou et al., 2019). By modeling the entities as nodes and the corresponding interactions between entities as edges (Peng et al., 2019), we can design a graph-based algorithm to detect the suspicious patterns and therefore can spot the fraudsters. Along with the development of Graph Neural Networks (GNNs) (Kipf and Welling, 2017; Veličković et al., 2017; Hamilton et al., 2017), which are powerful in learning the deep representation of nodes, recently, the previous endeavors also propose many GNN-based fraud detection frameworks (Wang et al., 2019b; Li et al., 2019; Zhong et al., 2020; Liu et al., 2018; Wang et al., 2019a; Zhang et al., 2019).
Among those frameworks, (Wang et al., 2019b; Li et al., 2019) detect opinion fraud in the online review system, (Zhong et al., 2020; Liu et al., 2018; Wang et al., 2019a) aim at financial fraud and (Zhang et al., 2019) targets cyber-criminal in online forums. They model their problems upon either homogeneous (Wang et al., 2019b; Li et al., 2019) or heterogeneous (Liu et al., 2018; Zhong et al., 2020; Li et al., 2019; Wang et al., 2019a; Zhang et al., 2019) graphs. Regarding the base model, FdGars (Wang et al., 2019b) and GAS(Li et al., 2019) adopt GCN (Kipf and Welling, 2017), while SemiGNN and Player2Vec (Zhang et al., 2019) adopt GAT (Veličković et al., 2017). Some works (Liu et al., 2018; Li et al., 2019; Zhong et al., 2020) devise new aggregators to aggregate the neighborhood information. Those GNN-based fraud detectors learn the node representation iteratively and predict the node suspiciousness in an end-to-end and semi-supervised fashion.
However, all existing methods ignore the inconsistency problem when designing a GNN model regarding the fraud detection task. The inconsistency problem is associated with the aggregation process of the GNN model. The mechanism of aggregation is based on the assumption that the neighbors share similar features and labels (Hou et al., 2020). When the assumption holds, we can aggregate the neighborhood information to learn the node embedding. However, as Figure 1 (Left) shows, the inconsistency in fraud detection problem comes from three perspectives:
(1) Context inconsistency. Smart fraudsters can connect themselves to regular entities as camouflage (Kaghazgaran et al., 2018; Sun et al., 2018). Meanwhile, the amount of fraudsters is much less than that of regular entities. Directly aggregating neighbors by the GNNs can only help the fraudulent entities aggregate the information from regular entities and thus prevent themselves from being spotted by fraud detectors. For example, in Figure 1 (Left), the fraudster connects to benign entities under relation II.
(2) Feature inconsistency. Taking the opinion fraud (e.g., spam reviews) detection problem as an example (Li et al., 2019), assuming there are two reviews posted from the same user but to products in distinct categories, those two reviews have an edge since they share the same user. However, their review content (features) are far from each other as they are associated with different products. Direct aggregation makes the GNN hard to distinguish the unique semantic characteristics of reviews and finally affects its ability to detect spam reviews. For example, in Figure 1 (Left), we can find that the feature of node is inconsistent with nodes , , and .
(3) Relation inconsistency. Since the entities are connected with multiple types of relations, simply treating all the relations equally results in a relation inconsistency problem. For example, two reviews may either be connected by the same user or the same product, which are respectively common-user relation and common-product relation. Assuming that one review is suspicious, then the other one should have a greater suspiciousness if they are connected by common-user relation since fraudulent users tend to post many fraudulent reviews. For example, in Figure 1 (Left), we find that under relation II, the fraudster is connected to two other fraudsters. However, under relation I, the fraudster is connected to only one fraudster but three benign entities.
To tackle all above inconsistencies, we design a novel GNN framework, GraphConsis, to solve the fraud detection problem, as shown in Figure 1 (Right). is built upon a heterogeneous graph. differs existing GNNs from the aggregation process. Instead of directly aggregating neighboring embeddings, we design three techniques to tackle three inconsistency problems simultaneously. Firstly, to handle the context inconsistency of neighbors, assigns each node a trainable context embedding, which is illustrated as the gray block aside nodes in Figure 1 (Right). Secondly, to aggregate consistent neighbor embeddings, we design a new metric to measure the embedding consistency between nodes. By incorporating the embedding consistency score into the aggregation process, we ignore the neighbors with a low consistency score (e.g. the node is dropped in Figure 1 (Right)) and generate the sampling probability. Last but not least, we learn relation attention weights associated with neighbors in order to alleviate the relation inconsistency problem.
The contributions of this paper are:
To the best of our knowledge, we are the first work addressing the inconsistency problem in GNN models.
We empirically analyze three inconsistency problems regarding applying GNN models to fraud detection tasks.
We propose to tackle three inconsistency problems, which combines context embedding, neighborhood information measure, and relational attention.
We detect the fraud entities in the graph by using the node representations. Hence, we need to introduce the node representation learning first. A heterogeneous graph , where denotes the nodes, is the feature matrix of nodes, and denotes the edges w.r.t. the relation . We have different types of relations. To represent the nodes as vectors, we need to learn a function that maps nodes to a dimensional space, where . The function
should preserve both the structural information of the graph and the original feature information of the nodes. With the learned node embeddings, we can train a classifierto detect whether a given node is a fraudster, where denotes fraudster, and denotes benign entity. In this paper, we adopt the GNN framework to learn the node representation through neighbor aggregation. GNN framework can train the mapping function and the classifier simultaneously. We only need to input the graph and the labels of nodes to a GNN model. The general framework of a GNN model is:
where is the hidden embedding of at -th layer, denotes the neighbors of node , and the represents the aggregation function that maps the neighborhood information into a vector. Here, we use to denote the combination of neighbor information and the center node information, it can be direct addition or concatenation then passed to a neural network. For the function, we first assign a sampling probability to the neighboring nodes. Then we sample nodes and average111Other pooling techniques can also be applied. them as a vector. The calculation of probability is introduced later in Eq. (4). Note that the framework of GNN is a -layer structure, where . At -th layer, it aggregates the information from -th layer.
3. Proposed Model
3.1. Context Embedding
The aggregator combines the information of neighboring nodes according to Eq. (2). When , the hidden embedding is equivalent to the node feature. To tackle the context inconsistency problem, we introduce a trainable context embedding for node ., instead of only using its feature vector . The first layer of the aggregator then becomes:
where denotes the concatenation operation. The context embedding is trained to represent the local structure of the node, which can help to distinguish the fraud. If we use addition operation for , then .
3.2. Neighbor Sampling
Since there exists a feature inconsistency problem, we should sample related neighbors rather than assign equal probabilities to them. Thus, we compute the consistency score between embeddings:
where denotes the consistency score for two nodes at -th layer, and is the -norm222Other metrics, such as -norm, are also applicable. of vector. We first apply a threshold to filter neighbors far away from consistent. Then, we assign each node to the filtered neighbors of node with a sampling probability by normalizing its consistency score:
Note that the probability is calculated at each layer for the .
3.3. Relation Attention
We have different relations in the graph. The relation information should also be included in the aggregation process to tackle the relation inconsistency problem. Hence, for each relation , we train a relation vector , where , to represent the relation information that should be incorporated. Since the relation information should be aggregated along with the neighbors to center node , we adopt the self-attention mechanism (Veličković et al., 2017) to assign weights for sampled neighbor nodes:
where denotes the relation of -th sample with node ,
is the activation function, andrepresents the attention weights that is shared for all attention layer. The final is:
where is the embedding of -th node sampled based on Eq. (4).
4.1. Experimental Setup
4.1.1. Dataset and Graph Construction
We utilize the YelpChi spam review dataset (Rayana and Akoglu, 2015), along with three other benchmark datasets (Kipf and Welling, 2017; Hamilton et al., 2017) to study the graph inconsistency problem in the fraud detection task. The YelpChi spam review dataset includes hotel and restaurant reviews filtered (spam) and recommended (legitimate) by Yelp. In this paper, we conduct a spam review classification task on the YelpChi dataset which is a binary classification problem. We remove products with more than 800 reviews to restrict the size of the computation graph. The pre-processed dataset has 29431 users, 182 products, and 45954 reviews (%14.5 spams).
Based on previous studies (Rayana and Akoglu, 2015) which show the spam reviews have connections in user, product, rating, and time, we take reviews as nodes in the graph and design three relations denoted by R-U-R, R-S-R, and R-T-R. R-U-R connects reviews posted by the same user; R-S-R connects reviews under the same product with the same rating; R-T-R connects two reviews under the same product posted in the same month. We take the 100-dimension Word2Vec embedding of each review as its feature like previous work (Li et al., 2019).
To show the ability of in alleviating inconsistency problems, we compare its performance with a non-GNN classifier, vanilla GNNs, and GNN-based fraud detectors.
Logistic Regression. A non-GNN classifier that makes predictions only based on the reviews features.
GraphSAGE (Hamilton et al., 2017). A popular GNN framework which samples neighboring nodes before aggregation.
Player2Vec (Zhang et al., 2019). A state-of-the-art fraud detection model which uses GCN to encode information in each relation, and uses GAT to aggregate neighbors from different relations.
4.1.3. Experimental Settings
We use Adam optimizer to train our model based on the cross-entropy loss. For the hyper-parameters, we choose -layer structure, and the number of samples is set as and for the first layer and second layer, respectively. The embedding dimension of the hidden layer is and for the first layer and second layer, respectively. We use F1-score to measure the overall classification performance and AUC to measure the performance of identifying spam reviews.
4.2. The Inconsistency Problem
We first take the Yelpchi dataset to demonstrate the inconsistency problem in applying GNN to fraud detection tasks. Table 1 shows the statistics of graphs built on YelpChi comparing to node classification benchmark datasets used by (Kipf and Welling, 2017; Hamilton et al., 2017). Yelp-ALL is composed of three single-relation graphs.
Comparing to three widely-used benchmark node classification datasets, we find that a multi-relation graph constructed on YelpChi has a much higher density (the average node degree is greater than 100). It demonstrates that the real-world fraud graphs usually incorporate complex relations and neighbors, and thus render inconsistency problems. Before we compare the graph characteristics and analyze three inconsistency problems, similar to (Hou et al., 2020), we design two characteristic scores. One is the context characteristic score:
where is an indicator function to indicate whether node and node have the same label. We sum all the indication w.r.t. all the edges and normalized by the total number of edges . The context characteristic measures the label similarity between neighboring nodes under a specific relation . The other one is the feature characteristic score:
where we employ the RBF kernel function333Other kernel functions can also be applied. as the similarity measurement between two connected nodes. The overall feature characteristic score is normalized by the product of the total number of edges and the feature dimension . Normalizing the similarity by feature dimension is to fairly compare the feature characteristics of different graphs, which may have different feature dimensions.
Context Inconsistency. We compute the context characteristic based on Eq. (7), which measures the context consistency. For the graph R-T-R, R-S-R and Yelp-ALL, there are less than of neighboring nodes have similar labels. It shows that fraudsters may hide themselves among regular entities under some relations.
Feature Inconsistency. We calculate the feature characteristic using Eq. (8). The graph constructed by R-U-R relation (reviews posted by the same user) has higher feature characteristic than the other two relations. Thus, we need to sample the neighboring nodes not only based on their relations but also the feature similarities.
Relation Inconsistency. For graphs constructed by three different relations, the neighboring nodes also have different feature/label inconsistency score. Thus, we need to treat different relations with different attention weights during the aggregation.
4.3. Performance Evaluation
Table 2 shows the experiment result of the spam review detection task. We could see that outperforms other models under and of training data on both metrics, which suggests that we can alleviate the inconsistency problem. Compared with other GNN-based models, LR performs stably and better on AUC. It indicates that the node feature is useful, but the aggregator in GNN undermines the classifier in identifying fraudsters. This observation also proves that the inconsistency problem is critical and should be considered when applying GNNs to fraud detection tasks. Compared to Player2Vec which also learns relation attention, performs better. It suggests that solely using relation attention cannot alleviate the feature inconsistency. The neighbors should be filtered and then sampled based on our designed methods. FdGars directly aggregates neighbors’ information and GraphSAGE samples neighbors with equal probability. Both of them perform worse than , which shows that our neighbor sampling techniques are useful.
5. Conclusion and Future Works
In this paper, we investigate three inconsistency problems in applying GNNs in fraud detection problem. To address those problems, we design three modules respectively and propose . Experiment results show the effectiveness of . Future work includes devising an adaptive sampling threshold for each relation to maximize the receptive field of GNNs. Investigating the inconsistency problems under other fraud datasets is another avenue of future research.
Acknowledgements.This work is supported by the National Key R&D Program of China under grant 2018YFC0830804, and in part by NSF under grants III-1526499, III-1763325, III-1909323, and CNS-1930941. For any correspondence, please refer to Hao Peng.
- Uncovering download fraud activities in mobile app markets. In ASONAM, Cited by: §1.
- Inductive representation learning on large graphs. In NeurIPS, Cited by: §1, 3rd item, §4.1.1, §4.2.
- Measuring and improving the use of graph information in graph neural networks. In ICLR, Cited by: §1, §4.2.
- Suspicious behavior detection: current trends and future directions. IEEE Intelligent Systems. Cited by: §1.
- Wide-ranging review manipulation attacks: model, empirical study, and countermeasures. In CIKM, Cited by: §1.
- Combating crowdsourced review manipulators: a neighborhood-based approach. In WSDM, Cited by: §1.
- Semi-supervised classification with graph convolutional networks. In ICLR, Cited by: §1, §1, 2nd item, §4.1.1, §4.2.
- Spam review detection with graph convolutional networks. In CIKM, Cited by: §1, §1, §1, §4.1.1.
- Heterogeneous graph neural networks for malicious account detection. In CIKM, Cited by: §1, §1.
- Fine-grained event categorization with heterogeneous graph convolutional networks. In IJCAI, Cited by: §1.
- Collective opinion spam detection: bridging review networks and metadata. In KDD, Cited by: §4.1.1, §4.1.1.
- Adversarial attack and defense on graph data: a survey. arXiv preprint arXiv:1812.10528. Cited by: §1.
- Graph attention networks. In ICLR, Cited by: §1, §1, §3.3.
- A semi-supervised graph attentive network for fraud detection. In ICDM, Cited by: §1, §1.
- FdGars: fraudster detection via graph convolutional networks in online app review system. In WWW Workshops, Cited by: §1, §1, 2nd item.
- Key player identification in underground forums over attributed heterogeneous information network embedding framework. In CIKM, Cited by: §1, §1, 4th item.
- Financial defaulter detection on online credit payment via multi-view attributed heterogeneous information network. In WWW, Cited by: §1, §1.