
Heterogeneous Graph Neural Networks for Malicious Account Detection (GEM) – Overview of Ant Financial’s CIKM 2018 Paper

This article introduces the GEM method, the first heterogeneous graph neural network designed for malicious account detection, explains the nature and characteristics of malicious accounts, describes why graph neural networks are effective, and presents experimental results from the authors' CIKM 2018 study.

AntTech

The 27th ACM International Conference on Information and Knowledge Management (CIKM 2018) was held in Turin, Italy, and featured a paper by Ant Financial titled Heterogeneous Graph Neural Networks for Malicious Account Detection (authors: Ziqi Liu, Chaochao Chen, Xinxing Yang, Jun Zhou, Xiaolong Li, Le Song).

1. Overview

The paper proposes GEM (Graph Embeddings for Malicious accounts), the world’s first graph neural network specifically targeting malicious account detection, aiming to protect financial services by reducing losses caused by large‑scale fraudulent registrations.

2. What is a malicious account?

Malicious accounts are low‑cost, bulk‑registered accounts used for activities such as spam, fraud, money‑laundering, or “grabbing freebies” in online services (e.g., email, social media, payment platforms). They exhibit strong profit‑driven motives and often operate as coordinated groups.

2.1 Characteristics

Analysis of black‑market account data reveals two dominant patterns:

• Device clustering: Malicious accounts share many devices (phones, MACs, IMSIs, etc.), leading to dense, regular connections in a user‑device bipartite graph. (See image below.)

• Temporal clustering: Malicious accounts concentrate their activity in short time windows, unlike normal accounts that show evenly distributed login patterns. (See image below.)

3. Why Graph Neural Networks?

Device clustering can be captured by constructing a user‑device bipartite graph and measuring the size of connected sub‑graphs; this intuition is naturally expressed by graph neural networks, which can learn discriminative patterns from the graph structure.
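The connected-subgraph measurement described above, paired with the temporal-clustering pattern from section 2.1, can be sketched as a plain heuristic. This is an added example, not code from the paper or from Ant Financial, and it is not GEM's neural model; the event tuples, the 168-slot hour-of-week layout and both thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events: (account, device_type, device_id, hour_of_week)
EVENTS = [
    ("a1", "phone", "p-100", 3), ("a2", "phone", "p-100", 3),
    ("a2", "mac", "m-7", 3), ("a3", "mac", "m-7", 4),
    ("a3", "imsi", "i-55", 4), ("a4", "imsi", "i-55", 4),
    ("u1", "phone", "p-201", 9), ("u1", "phone", "p-201", 60),
    ("u1", "mac", "m-31", 110),
    ("u2", "phone", "p-202", 20), ("u2", "phone", "p-202", 95),
]

def find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def component_sizes(events):
    """Accounts per connected component of the account-device bipartite graph."""
    parent = {}
    for acct, dtype, dev, _ in events:
        a, d = ("account", acct), (dtype, dev)  # typed nodes keep ids from colliding
        parent.setdefault(a, a)
        parent.setdefault(d, d)
        parent[find(parent, a)] = find(parent, d)  # an edge merges two components
    accounts = {n for n in parent if n[0] == "account"}
    per_root = Counter(find(parent, a) for a in accounts)
    return {a[1]: per_root[find(parent, a)] for a in accounts}

def activity_rows(events, slots=168):
    """Per-account event counts for each hour-of-week slot."""
    rows = defaultdict(lambda: [0] * slots)
    for acct, _, _, hour in events:
        rows[acct][hour] += 1
    return dict(rows)

def peak_share(row):
    # Fraction of an account's events inside its busiest two adjacent slots.
    total = sum(row)
    return max(row[i] + row[(i + 1) % len(row)] for i in range(len(row))) / total

def flag(events, min_accounts=3, min_peak=0.8):
    # Assumed thresholds: large shared-device component AND bursty activity.
    sizes = component_sizes(events)
    rows = activity_rows(events)
    return sorted(a for a in sizes if sizes[a] >= min_accounts and peak_share(rows[a]) >= min_peak)
```

On the constructed sample, the four accounts chained together through a shared phone, MAC and IMSI form one component and are flagged, while the two accounts on their own devices with spread-out logins are not.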

4. How GEM Works

GEM extends the basic graph‑based approach by building a heterogeneous graph that includes account nodes and multiple device‑type nodes (phone, MAC, IMSI, etc.). Each node is also enriched with temporal behavior features X ∈ ℝ^{N×P}, where each row X_i represents the time‑based activity of a node. The network learns to combine device‑level aggregation with temporal patterns to distinguish malicious from benign accounts.

The overall algorithm is illustrated in the following diagram:

5. Experimental Results

Using four weeks of real‑world data, GEM was compared against several strong baselines. It achieved higher AUC and F1‑score across the board, as shown in the tables and precision‑recall curves below.

Further analysis of the heterogeneous graph revealed which device types contribute most to detection and how malicious strategies evolve over time.

Reference

[1] Ziqi Liu, Chaochao Chen, Xinxing Yang, Jun Zhou, Xiaolong Li, Le Song. “Heterogeneous Graph Neural Networks for Malicious Account Detection.” Proceedings of the 27th ACM International Conference on Information and Knowledge Management, Turin, 2018.
