GraphSAGE Fraud Detection · Graph Pattern Analysis

Three Financial Fraud Graph Patterns

Visual reference for graph topology features used by the GNN model to detect anomalous transaction behavior
Pattern 01 · Chain Topology
Account Takeover & Drain
Linear escape path · balance zeroed
[Diagram: C_src (HACKED) → Mule1 → Mule2 → MuleN; edge and node labels: 100%, split, → 0. Graph signal: linear chain; oldBalance − newBalance ≈ full amount; high tx velocity. Legend: CASH_OUT, TRANSFER, Balance Drain.]
  • Full-amount drain: oldBalance = amount, newBalance = 0
  • Chain topology: each mule immediately re-forwards funds
  • Velocity spike: transaction rate far exceeds account baseline
  • GNN signal: high-degree path with consecutively drained nodes
Detection Algorithm
Longest Path + Balance Feature
nx.dag_longest_path() · filter nodes where (oldBal − newBal) / oldBal ≥ 0.95
Pattern 02 · Cycle Topology
Circular Layering
Closed-loop cycle · amount attrition
[Diagram: Acc A (ORIGIN) → Acc B → Acc C → Acc D → back to Acc A; hop amounts 1000, 980, 960, 940; cycle detected as an SCC. Legend: TRANSFER, SCC Cycle Detection.]
  • Closed loop: A → B → C → D → A, funds return to origin
  • Amount attrition: each hop reduces amount slightly to evade matching
  • Hard for SQL: requires multi-level JOINs; trivial with graph models
  • GNN signal: nodes in same strongly connected component share embeddings
Detection Algorithms
Tarjan SCC · Johnson Cycles
nx.strongly_connected_components(G) · nx.simple_cycles(G) — finds all closed loops regardless of depth
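
An added example (not from the original page or the project) of the Pattern 02 check: it looks for closed loops in which every hop forwards slightly less than the one before. It uses plain dictionaries rather than NetworkX so it runs without dependencies. The function name, the 5% per-hop attrition bound, the hop limit and the sample transfers are assumptions; the 1000/980/960/940 amounts come from the diagram.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, amount).
# The A -> B -> C -> D -> A loop uses the amounts from the Pattern 02 diagram.
TRANSFERS = [
    ("A", "B", 1000), ("B", "C", 980), ("C", "D", 960), ("D", "A", 940),
    ("A", "E", 300), ("E", "F", 300),   # ordinary payments, no return path
    ("X", "Y", 500), ("Y", "X", 100),   # a loop, but the drop is too large
]

def find_attrition_cycles(transfers, max_attrition=0.05, max_hops=8):
    """Return (path, amounts) for each closed loop where every hop carries
    the previous amount or slightly less (assumed bound: max_attrition)."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))

    cycles, seen = [], set()

    def walk(origin, node, prev_amt, path, amounts):
        for nxt, amt in out.get(node, ()):
            # Layering keeps amounts close: equal or a little lower per hop.
            if prev_amt is not None and not (
                prev_amt * (1 - max_attrition) <= amt <= prev_amt
            ):
                continue
            if nxt == origin:
                if len(path) < 2:
                    continue  # ignore self-loops
                edges = frozenset(zip(path, path[1:] + [origin]))
                if edges not in seen:  # equal-amount loops match every rotation
                    seen.add(edges)
                    cycles.append((path, amounts + [amt]))
            elif nxt not in path and len(path) < max_hops:
                walk(origin, nxt, amt, path + [nxt], amounts + [amt])

    for origin in sorted(out):
        walk(origin, origin, None, [origin], [])
    return cycles

if __name__ == "__main__":
    for path, amounts in find_attrition_cycles(TRANSFERS):
        lost = amounts[0] - amounts[-1]
        print(" -> ".join(path + path[:1]), amounts, "attrition:", lost)
```

Because the amounts only decrease, the loop is reported once, starting at the account that sent the largest transfer, which is the origin in the diagram.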
Pattern 03 · Star Topology
Fan-out / Structuring
One-to-many · sub-threshold splitting
[Diagram: hub C_fraud (out-degree ↑↑) with spokes to m1 through m7; each transfer marked < threshold. Legend: TRANSFER, Fan-out, Out-degree Spike.]
  • One-to-many: single account fans out to many unrelated accounts rapidly
  • Sub-threshold: each amount just below regulatory reporting limit
  • No lateral edges: receiver accounts have zero connection to each other
  • GNN signal: abnormal out-degree burst; neighborhood heterogeneity spike
Detection Algorithm
Out-degree Anomaly · Ego Graph
nx.out_degree_centrality(G) · nx.ego_graph(G, node, radius=1) — flag nodes with sudden degree burst vs. 7-day baseline
Graph Pattern Comparison
| Pattern | Graph Topology | Key Feature | NetworkX API | GNN Embedding Signal |
|---|---|---|---|---|
| Account Drain | Linear chain | newBalance = 0, velocity spike | dag_longest_path() | Sequential drained-node neighborhood |
| Circular Layering | Directed cycle / SCC | Funds return to origin, amount attrition | strongly_connected_components(), simple_cycles() | Nodes in same SCC share similar embeddings |
| Fan-out | Star (hub + spokes) | Out-degree burst, no lateral edges | out_degree_centrality(), ego_graph() | Hub node isolated from receiver subgraph |
Fraud Detection System · PaySim Dataset · GraphSAGE GNN
Graph patterns detected via NetworkX · Embeddings learned via PyTorch Geometric