Detecting Malicious Accounts in Permissionless Blockchains using Temporal Graph Properties

TL;DR

This paper introduces temporal graph features and machine learning techniques to detect malicious accounts in blockchain networks, demonstrating improved detection accuracy and identifying additional suspicious accounts through behavior analysis.

Contribution

It proposes novel temporal features for account behavior modeling and evaluates multiple ML algorithms, achieving enhanced malicious account detection in blockchain data.

Findings

ExtraTreesClassifier outperforms other ML algorithms on Ethereum data.

Cosine similarity combined with K-Means detects 554 additional suspicious accounts.

Behavior change analysis identifies 814 suspicious accounts across temporal granularities.

Abstract

The temporal nature of modeling accounts as nodes and transactions as directed edges in a directed graph -- for a blockchain, enables us to understand the behavior (malicious or benign) of the accounts. Predictive classification of accounts as malicious or benign could help users of the permissionless blockchain platforms to operate in a secure manner. Motivated by this, we introduce temporal features such as burst and attractiveness on top of several already used graph properties such as the node degree and clustering coefficient. Using identified features, we train various Machine Learning (ML) algorithms and identify the algorithm that performs the best in detecting which accounts are malicious. We then study the behavior of the accounts over different temporal granularities of the dataset before assigning them malicious tags. For Ethereum blockchain, we identify that for the entire dataset - the ExtraTreesClassifier performs the best among supervised ML algorithms. On the other hand, using cosine similarity on top of the results provided by unsupervised ML algorithms such as K-Means on the entire dataset, we were able to detect 554 more suspicious accounts. Further, using behavior change analysis for accounts, we identify 814 unique suspicious accounts across different temporal granularities.