IEEE INFOCOM 2022 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) | 978-1-6654-0926-1/22/$31.00 ©2022 IEEE | DOI: 10.1109/INFOCOMWKSHPS54753.2022.
9797992 IEEE INFOCOM WKSHPS: ICCN 2022: IEEE International Workshop on Intelligent Cloud Computing and Networking
Malicious Transaction Identification in Digital
Currency via Federated Graph Deep Learning
Hanbiao Du∗ , Meng Shen† , Rungeng Sun∗ , Jizhe Jia† , Liehuang Zhu† and Yanlong Zhai†
∗ School
of Computer Science, Beijing Institute of Technology, Beijing, P. R. China
† School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, P. R. China
{duhanbiao, shenmeng, sunrungeng, jiajizhe, liehuangz, ylzhai}@bit.edu.cn
Abstract—With the rapid development of digital currencies
in recent years, their anonymity provides a natural shelter for
criminals. This problem resulting in various types of malicious
transactions emerge in an endless stream, which seriously endan-
gers the financial order of digital currencies. Many researchers
have started to focus on this area and have proposed heuristics
and feature-based centralized machine learning algorithms to
discover and identify malicious transactions. However, these
approaches ignore the existence of financial flows between digital
currency transactions and do not use the important neighborhood
relationships and rich transaction characteristics. In addition,
centralized learning exposes a large amount of transaction feature
data to the risk of leakage, where criminals may trace the actual
users using traceability techniques. To address these issues, we
proposes a graph neural network model based on federated
learning named GraphSniffer to identify malicious transactions
in the digital currency market. GraphSniffer leverages federated
learning and graph neural networks to model graph-structured
Bitcoin transaction data distributed at different worker nodes,
and transmits the gradients of the local model to the server node
for aggregation to update the parameters of the global model.
GraphSniffer can realize the joint identification and analysis of
malicious transactions while protecting the security of transaction
feature data and the privacy of the model. Extensive experiments
validate the superiority of the proposed method over the state-
of-the-art.
Index Terms—Malicious detection; Digital currency; Graph
neural network; Federated learning; Blockchain
I. I NTRODUCTION
Bitcoin, famous for its decentralization and anonymity of
transactions, has attracted a lot of attention from researchers
and investors worldwide since it was first proposed in 2008 [1].
According to the data from the well-known blockchain digital
currency statistics website CoinMarketCap [2], as of Decem-
ber 2021, the total market capitalization of the top-ranked
Bitcoin is more than $910 billion. However, while anonymity
protects the privacy of users’ identities and transactions, it also
provides a natural barrier for criminal behaviors, making the
digital currency market a hotbed of malicious transactions [3].
At present, there are various malicious transactions in the
digital currency ecosystem, such as Ponzi schemes, ransom
Meng Shen is the corresponding author.
This work is partially supported by National Key R&D Program of
China under Grant 2020YFB1006101, Beijing Nova Program under Grant
Z201100006820006, NSFC Projects under Grants 61972039 and 61872041,
and CCF-Huawei Populus Euphratica Blockchain Foundation under Grant
CCF-HuaweiBC2021007.
Authorized licensed use limited to: Chinese University of Hong Kong. Downloaded on March 22,2024 at 04:39:36 UTC from IEEE Xplore. Restrictions apply.
978-1-6654-0926-1/22/$31.00 ©2022 IEEE
viruses, money laundering, etc. These malicious activities have
caused great losses to people’s property and seriously damaged
the financial order in cyberspace. Ponzi scheme is a fraudulent
investment operation that creates profits for old investors
by acquiring funds from new investors, and eventually the
subsequent investors may lose most of their own funds [4].
Blockchain-based forms of Ponzi schemes defrauded over $7
million in Bitcoin from September 2, 2013 to September 9,
2014 [5]. Since March 2019, TokenBank trading platform
promised high investment returns to investors and suddenly
ran away after three months of operation, victimizing over 1
million people and involving over $3 billion.
Recent studies have proposed a number of methods for
identifying malicious transactions, with the aim of discovering
illegal behaviors hidden in digital currencies and regulating
the cryptocurrency market and its internal ecosystem. Some
researchers have put forward to use data mining technology
and machine learning algorithm to classify and identify Bit-
coin transaction data to find malicious behaviors related to
Ponzi schemes and money laundering [6–8]. In the Ethereum
network, researchers have used supervised learning algorithms
to detect Ponzi schemes deployed as smart contracts [9].
All these schemes, however, cannot perform well for the
reasons given below. First, for example, Bitcoin is a dig-
ital currency based on the UTXO model. A new UTXO
(payee) generated by one transaction will be used by an-
other transaction (payer), meaning that fund flow from one
transaction to another. This relationship can further aggregate
features between multiple neighbors of each transaction for
malicious transaction identification. The traditional machine
learning algorithms deployed in current researches empower
decision-making capabilities for identifying malicious trans-
actions, but most of them are difficult to extend beyond the
immediate neighborhood. Second, traditional machine learning
algorithms rely on a centralized data set to train the model,
and the native machine needs to collect and store all the data.
This adds to the computational load while greatly increasing
the risk of privacy leakage of transaction feature data [10].
The criminals may use traceability techniques to obtain the
real identity of the user through the stolen data [11–14].
In this paper, we propose GraphSniffer, a malicious transac-
tion identification model based on federated learning and graph
neural network, in order to better exploit the neighborhood
 IEEE INFOCOM WKSHPS: ICCN 2022: IEEE International Workshop on Intelligent Cloud Computing and Networking
features among Bitcoin transaction data while avoiding the
risk of data privacy leakage. Unlike traditional centralized
machine learning, GraphSniffer models Bitcoin transaction
data on the worker side using graph neural network to train the
respective local models. Afterwards, the server aggregates the
gradients of the local model in a privacy-preserving manner,
jointly updates the parameters of the global model, and sends
the results back to the worker side. The GraphSniffer not
only effectively utilizes the local and aggregated features
between Bitcoin transactions, but also has the advantage of
possessing data privacy and security protection, enabling the
joint identification and analysis of malicious digital currency
transactions in data protection scenario.
The main contributions of this paper are summarized as
follows:
• We propose GraphSniffer, a malicious transaction identi-
fication model based on graph neural network under the
federated learning framework. By replacing the central-
ized machine learning by the secure FL platform, we can
protect the privacy of transaction feature data.
• We consider using the flow of funds between digital
currency transactions to construct features, in order to
discover and leverage the neighbourhood relationship.
• We demonstrate that the proposed method outperforms
the state-of-the-art on the Bitcoin transaction graph
dataset with extensive experiments.
To the best of our knowledge, this is the first attempt to ap-
ply a combination of federated learning techniques and graph
neural network to the digital currency malicious transaction
identification scenario. The rest of this paper is organized as
follows. Section II summarizes the current state of research
for malicious transactions in digital currency. The principle
and system architecture of our method is presented in Section
III. After evaluating the performance of our method in Section
IV, the conclusion of this study is presented in Section V.
II. BACKGROUND AND R ELATED W ORK
A. Bitcoin
Bitcoin is a decentralized digital currency, which does not
rely on a trusted entity and is a payment system based on
cryptography and a peer-to-peer network. Transactions and
blocks are the main components of Bitcoin. Bitcoin miners
generate blocks by solving cryptographic puzzles (Proof of
Work). With each block generated, the miner can create and
receive a new Bitcoin reward. The entire network automati-
cally adjusts the difficulty of the cryptographic puzzle so that
the network generates one new block every 10 minutes on
average, and the newly generated block contains the hash of
the previous block, thus linking to form the block chain.
The basic structure and value unit of a Bitcoin transaction
is the Unspent Transaction Output (UTXO), which cannot be
divided again [15]. The set of UTXOs of Bitcoin contains
all UTXOs, and the balance of the user’s wallet is the total
amount of UTXOs available. Each UTXO participates in a
Bitcoin transaction as a whole, which prevents the problem of
double spending.
Authorized licensed use limited to: Chinese University of Hong Kong. Downloaded on March 22,2024 at 04:39:36 UTC from IEEE Xplore. Restrictions apply.
B. Related Work
In order to protect the security of users’ assets and reduce
the malicious activities of criminals, identifying malicious
digital currency transactions has become a problem worth
exploring. Currently, researchers have conducted a series of
studies on specific types of malicious transactions.
By investigating 192 Bitcoin scam cases, Vasek et al. [5]
classified these schemes into four types: Ponzi scheme, mining
scheme, fraudulent wallet and bogus exchange. Bartoletti et
al. [6] showed the research on Bitcoin Ponzi scheme through
data mining techniques. Henderson et al. [8] used K-means
and Role Extraction (RolX) methods to identify users who
conducted transactions in an abnormal manner over the Bitcoin
network and found that they were usually related to money
laundering. To understand the behavior of Bitcoin usage in
the Dark Web, Foley et al. [16] proposed several features to
identify illegal Bitcoin addresses, which were used to estimate
the amount of illegal activities. Mark et al. [17] developed a
dataset for identifying money laundering by using Bitcoin’s
publicly available transaction information and deployed graph
neural network to provide anti-money laundering solutions.
Seeking to reduce illegal activities on the Ethereum network,
Chen et al. [9] proposed to use supervised learning algo-
rithms to extract features from user accounts and operation
codes of the smart contracts and then build a classification
model to detect Ponzi schemes deployed as smart contracts.
It is estimated that there are more than 400 smart-Ponzi
schemes on the Ethereum network. In addition, McGinn et
al. [18] demonstrated a forced-directed graphical visualization
that can accelerate data exploration and discover unexpected
high-frequency trading patterns (including automated money
laundering operations) in the Bitcoin network.
The limitations of existing methods are that using traditional
machine learning relies on carefully-selected features, cannot
effectively utilize the neighbor features of transactions, and
centralized learning makes feature data facing the risk of leak-
age. The GraphSniffer proposed in this paper is based on the
data privacy protection scenario, which utilizes graph neural
networks to learn the neighbor features between transactions
to jointly analyze and detect digital currency transaction data
stored in different sites.
III. T HE P ROPOSED M ETHOD
In this section, we introduce the details of the proposed
malicious transaction identification model based on federated
learning and graph neural network, GraphSniffer.
A. Overview
As shown in Figure 1, there are four main processes in each
round of training. First, the server delivers the initial model
parameters to each worker. Then, each worker trains the local
machine learning model using GNN network based on their
local data. After that, the worker sends the gradients trained
by their respective models to the server. Finally, the server
aggregates these parameters to update the global model.
 IEEE INFOCOM WKSHPS: ICCN 2022: IEEE International Workshop on Intelligent Cloud Computing and Networking

1.Downloading initial model

Local Data GNN Local Model Worker 1

3.Uploading
local gradients

Global Model
Local Data GNN Local Model Worker 2 Server
4.Aggregating parameters to

...
obtain the global model

5.Sending updated parameters

Local Data GNN Local Model Worker n
2.Training local model by local data

Fig. 1: The Workflow of GraphSniffer

With an intuitive description above, we formally present the Algorithm 1 The learning process of GraphSniffer
construction process of GraphSniffer, as depicted in Algorithm Input: Graph Gi = (Vi , Ei ) and node features {xvi , ∀i∈K} on
1. To begin with, GraphSniffer randomly initializes global worker i; activation function δ; learning rate β
model parameters and sends them to worker nodes (line Output: the GraphSniffer model M
1: Initialize and unified the global model parameters W 0
1). At the local model training part, GraphSniffer generates
2: for each epoch t = 0 to T do
local node embeddings by aggregating multi-hop neighbors’ 3: Stage1:Local training in worker
information using GraphSAGE [19] method (line 5-11) and 4: for i ∈ K in parallel do
then computes the gradient of local model (line 12-13) at each 5: # Calculates local node embeddings
worker. After uploading the gradients to server, GraphSniffer 6: for vi ∈ Vi do
(k)
7: Worker i: calculates HN (v) ←
calculates the global model parameters (line 17) and returns (k−1)
them back to update local parameters (line 19-22). Finally, we 8: Aggregatek (Hu , ∀u∈N (v))
(k)
can obtain the convergent GraphSniffer model. 9: calculates Hv ←
(k−1) (k)
10: δ(W (k) ·Concat(Hv , HN (v) ))
Section III-B will focus on the process of training the local 11: end for
model using GNN network on the worker side. Section III-C 12:
(t)
ŷit ← δ(Hv,i , Wit )
will explain how the server side aggregates all the locally 13: Calculates L(ŷit , yit ) and gets gKi
updated gradients for the purpose of data privacy protection. 14: # Uploads gradient gKi to server
15: end for
16: Stage2:Model aggregation in server
B. Local Training With GNN 17: W t+1 ← W t − β· I1 Ii=1 gKi
P

Suppose that we are given a set of I workers K = 18: Stage3:Update local model
19: Send updated parameters to worker i, ∀i∈K
{K1 , K2 , ..., KI }, and each worker node Ki owns a local
20: for i ∈ K in parallel do
Bitcoin transaction graph dataset Gi = (Vi , Ei ). Vi is the node 21: Worker i: updates local parameters
set, where each node in the graph represents a transaction. 22: end for
Ei is the edge set, where the edges represent the flow of 23: end for
transactions that exist between the two parties. Each node 24: return M
vi ∈Vi is associated with a transaction feature vector xvi and a
label yvi . Table I summarizes the major symbols and notations
in this paper. output, we use a weight matrix W (l) . The worker Ki runs a
After receiving the parameters transmitted by the server, forward computation of a graph convolutional layer as follows:
each worker locally trains a graph neural network model with
(l+1) (l) (l)
its own data Gi = (Vi , Ei ) respectively. Generally, during the Hi = δ(Ai Hi Wi ), (1)
training process, the l-th layer of the GCN takes the node
embedding matrix H (l) and the adjacency matrix A as input. where δ is an activation function (such as ReLU) for all but
In order to update the node embedding matrix to H (l+1) as the output layer. Assume that there are L layers of graph

Authorized licensed use limited to: Chinese University of Hong Kong. Downloaded on March 22,2024 at 04:39:36 UTC from IEEE Xplore. Restrictions apply.
 IEEE INFOCOM WKSHPS: ICCN 2022: IEEE International Workshop on Intelligent Cloud Computing and Networking

convolutions in total, we write the output of an GCN as Based on the above output and loss function, we can obtain
follows: the gradient from each worker node.
(L) (L) (L) (L)
ŷi = f (Ai , Wi ; Hi ) = sof tmax(Ai Hi Wi ) (2) C. Model Aggregation
In the case of node classification, we use the softmax function After receiving all the gradients from the participating
at the output layer to get the normalized probability. workers, the server leverages these gradients by aggregating
new global parameters. The gradient of each worker Ki is
TABLE I: Symbols and Notations. represented by gKi , and the local model of Ki is represented
Notations Descriptions
by θKi . Then, we define:

K set of workers gKi = OL(θKi ). (6)

Gi graph dataset at worker i
Vi node set of graph Gi
They transmit local model gradients to the server for an
Ei edge set of graph Gi average mean gradient to update the global model as:
vi nodes of node set Vi I
xvi feature vector of node vi
1X
W t+1 = W t − β· gK , (7)
yvi label of node vi I i=1 i
Ai adjacency matrix of graph Gi
Wi model weight of worker i where t specifies the current number of epoch, β is the learning
J the total number of classes rate and W t is the global model parameters.
yit,j label probability of class j at the t-th epoch Each participating worker will download the updated global
ŷit,j predicted label probability of class j at the t-th epoch model parameters to train its local model. Repeating the above
H node embedding vector as the GNN input steps, the worker nodes and server node can collaboratively
N (v) neighborhood sampling function train a global graph neural network model while protecting
gKi gradient of worker i data privacy.
θKi local model of worker i
Wt global model parameters at the t-th epoch IV. P ERFORMANCE E VALUATION
However, GCN requires the input of the entire adjacency In this section, we introduce our dataset, experimental set-
matrix and feature matrix for training, and each node needs tings, methodology and the results to validate the effectiveness
the entire topological graph’s Laplacian matrix to participate of the proposed method.
in the computation when doing convolution. When a new node A. Experimental Settings
comes in, the entire graph nodes have to be involved in the
1) Environments: In our scheme, the training operations are
computation to get the embedding of this node. As the graph
implemented by Python 3.7 and Pytorch 1.10. The program
grows in size, it consumes a lot of device memory and CPU
runs on a PC (AMD Ryzen 7 2700X Eight-Core Processor
memory. Therefore, we use GraphSAGE to solve this problem.
at 3.70GHz and 32 GB RAM) to simulate the whole training
Different from the traditional full graph convolution, Graph-
process.
SAGE controls the number of neighbor nodes participating
2) Dataset: The experimental data chosen for this paper is
in the calculation through random sampling. The sampled
derived from the classical Elliptic Data Set [17], which was
neighbors’ embedding matrices are transmitted to the node,
published by Elliptic Company. To our knowledge, it is the
and an aggregation function is used to aggregate the neighbors’
largest publicly available dataset of labeled transactions of any
information to update the embedding matrix of the node.
digital currency in the world, presented as a graph network of
We use k denotes the current step in the outer loop. First,
Bitcoin transactions.
each node vi ∈Vi aggregates the embedding matrices of the
The Elliptic Data Set is constructed using public informa-
nodes in its immediate neighborhood into a single vector.
tion. The nodes in the graph represent transactions and the
Mathematically, we write:
edges represent the flow of Bitcoin currency (BTC) from
(k)
HN (v) = Aggregatek (Hu(k−1) , ∀u∈N (v)), (3) one transaction to the next (based on the UTXO model of
Bitcoin). There are 203,769 nodes and 234,355 transaction
where N (v) is the neighborhood sampling function. After this,
flows in total. By mapping Bitcoin transactions to real entities
GraphSAGE updates the node’s representation by concatenat-
in licit categories (miners, exchanges, wallet providers, licit
ing the aggregated neighborhood embedding information with
services, etc.) and illicit categories (Ponzi schemes, terrorist
the node’s current embedding information through a nonlinear
organizations, scams, malware, etc.), a transaction is consid-
activation function as:
ered to be licit if a licit entity initiates it. In the Elliptic
(k)
Hv(k) = δ(W (k) ·Concat(Hv(k−1) , HN (v) )), (4) Data Set, 2% (4,545) of transactions are labeled illicit, 21%
Then, the loss function can be defined as follows: (42019) of transactions are labeled licit, and the rest of the
J transactions fall into the category of unknown legitimacy. Each
1 X X t,j node is associated with 166 transaction features, including
L(ŷit , yit ) =− i yi log ŷit,j , (5)
n j=1
94 original features (time step, number of inputs/outputs,

Authorized licensed use limited to: Chinese University of Hong Kong. Downloaded on March 22,2024 at 04:39:36 UTC from IEEE Xplore. Restrictions apply.
 IEEE INFOCOM WKSHPS: ICCN 2022: IEEE International Workshop on Intelligent Cloud Computing and Networking

transaction fee, etc.) and 72 aggregated features (maximum, TABLE II: Illicit transaction classification results.
minimum, standard deviation, correlation coefficient, etc.).
Illicit Transaction
In order to explore the joint computational analysis in data
Method Accuracy Precision Recall F1-Score
protection scenarios, the dataset used in this paper desensitizes
and splits the Elliptic Data Set to 40 sub-datasets. Each sub- Logistic Regression 0.892 0.677 0.564 0.615
dataset represents a distributed node, which data constitutes Multilayer Perceptron 0.972 0.912 0.675 0.776
a separate graph, and 40 nodes work together to complete GraphSniffer 0.994 0.894 0.751 0.816
federated learning. The pre-processed dataset does not change
the structure of the transaction graph, and the transactions are
labeled into three types (0 is illicit, 1 is licit, 2 is unknown). Training accuracy result in different models
1.0
Each node is associated with 165 transaction features (93
original features and 72 aggregated features), and finally 9

Accuracy of target model

0.9
groups of graph data are used as test data.
3) Metrics: Four widely used evaluation metrics are 0.8
adopted to evaluate our approach and benchmark methods,
including Accuracy, Precision, Recall and F1-Score. The four 0.7
metrics are both the greater the better. We can compute
model precision and recall for illicit transactions by equations 0.6
GraphSniffer
as: Accuracy = (T N + T P )/(T N + T P + F N + F P ), MLP
LR
P recision = (T N )/(T N + F N ), Recall = (T N )/(T N + 0.5
F P ), where T N is the amount of negative instances (illicit 0 20 40 60 80 100 120 140 160 180 200
Epochs
transactions) that are classified correctly, T P is the amount
of positive instances (licit transactions) that are classified Fig. 2: Accuracy result using different models.
correctly, F N is the amount of positive instances (licit trans-
actions) that are classified incorrectly and F P is the amount the ReLU function for the activation process. To prevent
of negative instances that are classified incorrectly. Then we the model from overfitting and to improve the generalization
can obtain model illicit F1-Score by equation: ability, we add a dropout layer to reduce the coupling between
2·P recision·Recall neurons (dropout rate=0.5). Finally, the probability vector of
F1 = (8) the corresponding category is obtained through Log Softmax
P recision + Recall
function. In Graph Neural Network, we adopted GraphSAGE
B. Benchmark Methods as the graph convolutional layer. There are three hidden layers
The benchmark method used in this paper is to biclassify employing ReLU as activation function. The MLP model and
each transaction using supervised machine learning within a GraphSniffer model are trained for 200 epochs by using the
federated learning framework, including Logistic Regression Adam optimizer and a learning rate of 0.001.
and Multilayer Perceptron (MLP). Logistic Regression method We perform parameters tuning-up for all mentioned models
has the advantage of being highly interpretable and is preferred and report the best results based on the validated dataset and
in anti-money laundering scenarios. Each input neuron in MLP evaluate model performance on the test dataset.
receives one data feature, and the hidden layer is processed
using an activation function during forward propagation. The D. Experimental Results Analysis
output is a probability vector corresponding to each category. We evaluate these three models by using all the 165 features
Logistic Regression and MLP are feature-based machine learn- and the results are summarized in Table II. The bottom part
ing methods, which can implement classification problems but
are challenging to extend beyond the immediate neighborhood. F1-Score in different models
0.8
C. Implementation Details 0.7
F1-Score of target model

In our experiments, all models are implemented with py- 0.6

torch framework. The Logistic Regression, Multilayer Percep- 0.5
tron, and Graph Neural Network methods used in this paper
0.4
are all based on the Federated Learning architecture. In the FL
0.3
part, we adopt 40 worker nodes to train local models using
their respective dataset and aggregate the gradients to server 0.2 GraphSniffer
nodes to update the global model parameters. 0.1 MLP
In Logistic Regression, we use the default parameters from 0.0
LR
the scikit-learn Python package. In MLP, the number of input 0 20 40 60 80 100 120 140 160 180 200
Epochs
neurons is 165 (corresponding to 165 transaction features).
Besides, we set a hidden layer with 96 neurons and choose Fig. 3: F1-Score result using different models.

Authorized licensed use limited to: Chinese University of Hong Kong. Downloaded on March 22,2024 at 04:39:36 UTC from IEEE Xplore. Restrictions apply.
 IEEE INFOCOM WKSHPS: ICCN 2022: IEEE International Workshop on Intelligent Cloud Computing and Networking
of Table II shows the results achieved when we leverage the
graph structure of the Bitcoin transaction dataset with the
GraphSniffer (3 GraphSAGE layers).
In the scenario of malicious transaction identification, a
small number of illicit ones is more important to be solved.
Due to the task is a binary classification and the two classes are
imbalanced, we use a weighted cross entropy loss to train the
GraphSniffer model in order to provide higher importance to
the illicit samples. Table II shows the testing results in term of
Accuracy, Precision, Recall, and F1-Score for the illicit class.
Accuracy. From the perspective of accuracy, we explore the
relationship between accuracy and three different models. The
accuracy experiments results are as follows:
• In Fig. 2, we observe that GraphSniffer outperforms
Logistic Regression and Multilayer Perceptron, while
MLP can also achieve a high accuracy rate. Besides, the
results show that the GraphSniffer model is trained well
with only a few epochs.
• In Fig. 2, the logistic regression does not perform well
and show a decrease in accuracy after reaching the peak,
indicating that it may not suitable for this scenario.
F1-Score. Since the number of illicit samples is far less
than the number of licit samples, we conduct experiments to
obtain the F1-score and present the results as follows:
• In Fig. 3, we can clearly see that the MLP method
gets better F1-score in previous epochs. But in the later
training, the GraphSniffer shows higher F1-score than
other methods, indicating that the graph-based method
can take the advantage of graph-structured data.
• On the other hand, due to the input features are quite
informative already, Multilayer Perceptron has the ability
to train a good model using these features alone.
• In Fig. 3, Logistic Regression shows a significant de-
crease in F1-score during the late training period, which
also illustrates that the it cannot solve this problem .
Summary. Through extensive experimental results, we can
claim that our GraphSniffer model shows superiority over the
existing schemes in terms of model accuracy.
V. C ONCLUSION
In this paper, we presented a new federated graph neural
network model GraphSniffer to solve the problem of iden-
tifying malicious transactions for digital currency. Different
from existing malicious transaction identification schemes,
our approach proposed the use of graph neural network to
construct the identification model considering the existence
of noteworthy features in the flow of funds between each
transaction. To protect the security of the transaction feature
data and the privacy of the model, we introduced federated
learning to realize the joint identification and analysis of
malicious transactions. Extensive experiments conducted on
the Bitcoin transaction graph dataset demonstrated that our
GraphSniffer model had excellent capabilities in the task of
malicious transaction identification. In the future, we would
Authorized licensed use limited to: Chinese University of Hong Kong. Downloaded on March 22,2024 at 04:39:36 UTC from IEEE Xplore. Restrictions apply.
like to extend our approach to handle more kinds of digital cur-
rencies and make improvements in the operational efficiency of
the algorithm to contribute to the financial order in cyberspace.
R EFERENCES
[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Decen-
tralized Business Review, p. 21260, 2008.
[2] “Coinmarketcap,” Accessed: Dec. 19, 2021. [Online]. Available:
https://coinmarketcap.com/
[3] W. Chen and Z. Zheng, “Blockchain data analysis: A review of status,
trends and challenges,” Journal of Computer Research and Development,
vol. 55, no. 9, pp. 1853–1870, 2018.
[4] M. Bartoletti, S. Carta, T. Cimoli, and R. Saia, “Dissecting ponzi
schemes on ethereum: identification, analysis, and impact,” Future
Generation Computer Systems, vol. 102, pp. 259–277, 2020.
[5] M. Vasek and T. Moore, “There’s no free lunch, even using bitcoin:
Tracking the popularity and profits of virtual currency scams,” in
International conference on financial cryptography and data security.
Springer, 2015, pp. 44–61.
[6] M. Bartoletti, B. Pes, and S. Serusi, “Data mining for detecting bitcoin
ponzi schemes,” in 2018 Crypto Valley Conference on Blockchain
Technology (CVCBT). IEEE, 2018, pp. 75–84.
[7] M. Shen, M. Wei, L. Zhu, and M. Wang, “Classification of encrypted
traffic with second-order markov chains and application attribute bi-
grams,” IEEE Transactions on Information Forensics and Security,
vol. 12, no. 8, pp. 1830–1843, 2017.
[8] K. Henderson, B. Gallagher, T. Eliassi-Rad, H. Tong, S. Basu,
L. Akoglu, D. Koutra, C. Faloutsos, and L. Li, “Rolx: structural role
extraction & mining in large graphs,” in Proceedings of the 18th ACM
SIGKDD international conference on Knowledge discovery and data
mining, 2012, pp. 1231–1239.
[9] W. Chen, Z. Zheng, J. Cui, E. Ngai, P. Zheng, and Y. Zhou, “Detecting
ponzi schemes on ethereum: Towards healthier blockchain technology,”
in Proceedings of the 2018 world wide web conference, 2018, pp. 1409–
1418.
[10] T. Li, A. K. Sahu, A. Talwalkar, and V. Smith, “Federated learning:
Challenges, methods, and future directions,” IEEE Signal Processing
Magazine, vol. 37, no. 3, pp. 50–60, 2020.
[11] M. Shen, Y. Liu, L. Zhu, X. Du, and J. Hu, “Fine-grained webpage
fingerprinting using only packet length information of encrypted traffic,”
IEEE Transactions on Information Forensics and Security, vol. 16, pp.
2046–2059, 2020.
[12] A. Biryukov, D. Khovratovich, and I. Pustogarov, “Deanonymisation
of clients in bitcoin p2p network,” in Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security, 2014,
pp. 15–29.
[13] F. Tramèr, D. Boneh, and K. Paterson, “Remote side-channel attacks
on anonymous transactions,” in 29th {USENIX} Security Symposium
({USENIX} Security 20), 2020, pp. 2739–2756.
[14] M. Shen, J. Zhang, L. Zhu, K. Xu, and X. Du, “Accurate decentralized
application identification via encrypted traffic analysis using graph
neural networks,” IEEE Transactions on Information Forensics and
Security, vol. 16, pp. 2367–2380, 2021.
[15] S. Delgado-Segura, C. Pérez-Sola, G. Navarro-Arribas, and J. Herrera-
Joancomartı́, “Analysis of the bitcoin utxo set,” in International Confer-
ence on Financial Cryptography and Data Security. Springer, 2018,
pp. 78–91.
[16] S. Foley, J. R. Karlsen, and T. J. Putniņš, “Sex, drugs, and bitcoin: How
much illegal activity is financed through cryptocurrencies?” The Review
of Financial Studies, vol. 32, no. 5, pp. 1798–1853, 2019.
[17] M. Weber, G. Domeniconi, J. Chen, D. K. I. Weidele, C. Bellei,
T. Robinson, and C. E. Leiserson, “Anti-money laundering in bitcoin:
Experimenting with graph convolutional networks for financial foren-
sics,” arXiv preprint arXiv:1908.02591, 2019.
[18] D. McGinn, D. Birch, D. Akroyd, M. Molina-Solana, Y. Guo, and
W. J. Knottenbelt, “Visualizing dynamic bitcoin transaction patterns,”
Big data, vol. 4, no. 2, pp. 109–119, 2016.
[19] W. L. Hamilton, R. Ying, and J. Leskovec, “Inductive representation
learning on large graphs,” in Proceedings of the 31st International
Conference on Neural Information Processing Systems, 2017, pp. 1025–
1035.