Abnormal User Detection via Multiview Graph Clustering in the Mobile e-Commerce Network

In recent years, the Internet of Things has not only promoted the continuous development of e-commerce transactions but also opened loopholes for fraud gangs, who utilize mobile devices to commit fraud crimes. For example, fraud gangs are usually organized to purchase commodities at low prices in e-commerce promotions. They benefit from the price spread by reselling commodities at high prices. In the past few years, transaction fraud has caused serious financial losses to merchants on e-commerce platforms. To detect fraudulent users and behavior effectively, a multiview graph clustering-based abnormal detection model is developed in this paper. In the proposed model, two fraudulent behavior patterns are proposed by abstracting the e-commerce network as a heterogeneous information graph. On this basis, two user-similarity graphs are reorganized from the heterogeneous graph with the help of different metapaths. Subsequently, in order to capture the corresponding fraudulent behavior patterns, the above two graphs are encoded into user embeddings and assigned to specific clusters in respective views. Finally, the consensus detection result is produced by fusing the complementary information of different views in a joint multiview learning framework. To our knowledge, our work is the first one that uses multiview graph clustering in e-commerce fraud detection, which will provide a new research perspective for fraud detection in e-commerce platforms. Extensive experiments are conducted on real and semisynthetic datasets, and the results demonstrate the effectiveness and superiority of the proposed model.


Introduction
The rapid development of Internet of Things (IoT) has brought much convenience for our life over the past years. The IoT is constructed on the basis of multiple sensor networks, and its essence is to realize the information interaction between users and various devices or terminals. The development of mobile communication, sensor technology, and computer networks greatly enriched the contents covered by IoT, especially the mobile e-commerce. By means of mobile terminals, such as phones and tablet computers, people can realize online shopping or transactions anytime and anywhere.
With the promotion of IoT, the transaction size of the mobile e-commerce is increasing continuously, as well as the number of online users. Many merchants in the e-commerce platform always initiate sales promotions to attract and get more customers. In order to gain illegal benefits, fraud gangs always manipulate a large number of mobile devices to register new users, and they frequently purchase promotional commodities at zero or low cost. Then, they earn profit by reselling promotional commodities at high prices in the second-hand market. This fraudulent behavior will cause a considerable marketing loss for the merchants in the e-commerce platform and may damage the market order of the e-commerce platform seriously. To address the problem in the above fraudulent scene, it is particularly urgent to design effective antifraud strategies and technologies. As an important data mining technique, anomaly detection has been successfully applied in various fields [1,2]; it also reveals enormous potential in the e-commerce fraud recognition.
The anomaly detection methods used in e-commerce fraud recognition can be divided into three categories: rule-based strategy, machine learning-based strategy, and graph-based strategy. The rule-based strategy performs anomaly detection by generating inference rules from experts' experiences, in which some indicators or indexes are designed to evaluate fraudulent behaviors [3]. However, abnormal users always evade the detection rules by implementing some technical measures such as GSM sniffer and IP obfuscation, which makes it harder for rule-based methods to detect fraudulent behaviors [4]. Compared with rule-based methods, machine learning-based methods show stronger performance and better adaptability in many complex tasks [3]. Meanwhile, they have to face several challenges in some applications. Firstly, most machine learning algorithms can only deal with input in the form of vectors. However, e-commerce data always includes much complex information, such as timestamps, geographic locations, and evaluations, which cannot be represented by vectors efficiently. Secondly, the sizes of e-commerce data are usually very large; as a result, performance degradation will appear in the machine learning-based models. Thirdly, abnormal users usually maliciously imitate normal transaction behaviors to hide their identities. This indistinct pattern of fraudulent behavior is difficult for the detection model to recognize automatically. Subsequently, researchers find that in spite of hiding their identities, abnormal users would inevitably leave some traces about fraudulent behavior in the network of interactions. Based on this idea, some studies model the e-commerce users and their interactive relationships by graph structure and propose a series of graph-based detection methods.
In these models, many graph data mining algorithms are employed to identify fraudulent users by recognizing abnormal nodes, edges, or subgraphs whose distributions or patterns are different from others [5]. To address the data representation problem in the graph model, deep learning methods are introduced into graph-based e-commerce fraud detection recently due to their powerful representation ability [4,6,7]. All above methods assume that the abnormal user or behavior always implies a certain pattern or regularity. However, with the constant evolution of technical means in e-commerce fraud, the intrinsic patterns implied in fraudulent behaviors are becoming diversified and increasingly difficult to recognize.
Multiview learning methods provide an effective means of describing and recognizing abnormal patterns from different perspectives. In this paper, we propose a multiview clustering-based abnormal user detection model for mobile e-commerce network, namely, Deep Multiview Clustering Detection Model (DM-VCDM), in order to comprehensively capture intrinsic patterns for abnormal user or behavior in the fraud scene. By organizing the records of user behavior in an interaction-constraint graph, the proposed model utilizes two metapaths to seek the behavioral patterns and interaction regularity of abnormal users from different perspectives. Within a joint learning framework, complementary and consensus information from these perspectives can be effectively combined to improve the detection ability of the model. To sum up, the main contributions of our work are as follows:
(1) Two important behavior patterns are developed for depicting abnormal users in e-commerce fraud, i.e., device aggregation and consumption aggregation. These two patterns can effectively assist the model to identify the interaction trace of abnormal users.
(2) A multiview clustering-based abnormal user detection model is proposed, in which the behavior patterns in different views are encoded and fused in a dual encoder-decoder framework. The complementary and consensus information between multiple views can be integrated with the help of a multiview auxiliary target distribution in the clustering process. In the proposed model, the anomaly detection result is generated by predicting the cluster assignment with the multiview fusion mechanism.
(3) Extensive experiments on several real and semisynthetic datasets demonstrate the validity and superiority of our DM-VCDM model, in comparison with several traditional anomaly detection methods, convolutional autoencoder-based detection models, and deep graph anomaly detection algorithms.
The rest of this paper is organized as follows. Section 2 introduces several related works. Section 3 illustrates details of the proposed model. In Section 4, the proposed model is compared with several reference algorithms in the experiments. Finally, the conclusion of this work and the future plan are given in Section 5.

Related Work
In this section, some important contents that provide foundation for the construction of our framework are introduced. Firstly, we review the recent studies about pattern recognition and graph anomaly detection. Subsequently, we introduce the concepts and applications of heterogeneous information networks and metapaths. Finally, we describe related theories and applications of multiview clustering in detail.

Pattern Recognition in IoT Data.
The development and application of IoT technology make various data and information in terms of image, video, and operation log more accessible than ever before. Implementing multiple pattern recognition studies on these extremely large amounts of IoT data will help people gain a better understanding of intrinsic characteristics, activity mechanics, and evolution rules for the complex system. With the rapid development of computer technology and IoT, a large majority of data such as image, video, and graph are growing and obtained easily, which widely exist in the field of computer vision and machine learning. These data contain rich information, and mining its useful information has important theoretical and practical value in the field of pattern recognition, such as human activity recognition, intention recognition, and video semantic recognition. Luo et al. [8] proposed a novel semisupervised feature analyzing framework for video semantic recognition by integrating the adaptive optimal similarity matrix learning into the procedure of feature selection. In the framework, the sensitivity of the model to the input affinity matrix is alleviated, and the intrinsic manifold structure of the original feature space is captured through adaptive neighbor assignment. Zhang et al. [9] employed spatiotemporal representations to enhance the EEG-based intention recognition in a cross-subject, multiclass scenario, and developed two unified, end-to-end trainable deep learning frameworks for human intention recognition. Chen et al. [10] developed a pattern-balanced semisupervised framework to extract and preserve diverse latent patterns of activities. By designing a recurrent convolutional attention network, they exploited the independence of multimodalities of sensory data and attentively identified salient regions that are indicative of human activities from inputs.
Inspired by the above studies, we focus on the e-commerce fraud detection problem and define two behavioral patterns for abnormal users: device aggregation and consumption aggregation. These behavior patterns can be expressed as special relationships in a graph structure, and they can effectively enhance the detection ability of the model. Based on this idea, we reorganize the users' behaviors as a mobile e-commerce network to explore the semantic and structural information of abnormal users, which can be helpful for fraud detection.

Graph Anomaly Detection.
A graph is an abstract form of the real world, which has a natural advantage in describing data with complex interaction relationships. In many scenes, these relationships can provide abundant valuable information for anomaly detection. For example, in e-commerce fraud, abnormal users often disguise their identities by imitating normal users. By describing the relationships between different entities in a graph, it can be seen that no matter how abnormal users disguise themselves, their fraudulent behaviors will inevitably expose some traces in the graph. Therefore, some anomaly detection techniques were proposed from the graph perspective and attracted extensive attention from both academic and industrial fields.
Graph anomaly detection models the original problem with a graph structure and utilizes graph learning algorithms to find out abnormal nodes, edges, or subgraphs, whose distributions and patterns are different from other parts of the graph [11], as shown in Figure 1. Graph anomaly detection not only needs to consider the similarities between data objects but also needs to pay attention to their associations. In earlier studies, most graph anomaly detection methods employed manual feature engineering or statistical models [12,13], but their generalization abilities are often insufficient. Afterwards, many machine learning technologies [14,15] were used to improve the performance of graph anomaly detection. In many complex detection tasks, it is difficult to recognize abnormal objects from the raw data space due to the non-Euclidean structure and complicated intrinsic pattern [16]. To this end, several recent studies attempt to utilize deep learning models to learn appropriate representations for the anomaly detection objective [17,18]. Specifically, deep graph representation learning and graph neural networks (GNNs) provide powerful tools to graph anomaly detection and produce a new research perspective for this field [19,20].
In fact, research on graph anomaly detection for abnormal user recognition in the mobile e-commerce network is a relatively new field. Due to the urgency of the e-commerce fraud problem, many research achievements have emerged in recent years. Jiang et al. [21] developed a detection method for abnormal users based on graph convolutional neural network. In order to quantify structure information between users, this method designs a weighting function to act on the user adjacency matrix, which can detect the behavior features of fraudulent groups. Wang et al. [22] proposed a novel deep structure learning model for suspicious user recognition, which can preserve the nonlinear graph structure and user behavior information simultaneously. To capture the highly nonlinear relationship between vertexes in a user-item bipartite graph, Zheng et al. [23] designed a joint deep structure embedding framework for fraud detection. The framework embeds different types of vertexes jointly in the same latent space; it can preserve the highly nonlinear structural information of networks. Liu et al. [24] presented a heterogeneous GNN-based malicious account detection approach at Alipay. Based on two behavior patterns of attackers, i.e., device aggregation and activity aggregation, it adaptively learns discriminative embeddings from heterogeneous account-device graphs. In order to detect and prevent fraudulent insurance claims, Liang et al. [25] developed a data-driven procedure to identify fraudulent accounts, in which an automated fraud detection solution is designed based on graph learning. Specifically, groups of fraudsters are uncovered and separated from normal customers by introducing a device-sharing network among claimants.

Heterogeneous Graph.
Recently, many studies model the data with complex interaction relationships as heterogeneous information networks or heterogeneous graphs, which can comprehensively retain the original semantic and interaction pattern of objects. Heterogeneous information network represents a graph consisting of different types of entities (nodes) or relations (edges), whose definition is given as [26]:
Definition 1. Heterogeneous information network (or heterogeneous graph). A heterogeneous information network is defined as a graph $G = \{V, E\}$, where $V = \{v\}$ and $E = \{e\}$ represent the node set and the edge set, respectively. The network schema can be seen as a metatemplate of the graph, which is defined as $S = (A, R)$ with the node type mapping function $\phi(v): V \to A$ and the edge type mapping function $\varphi(e): E \to R$. $A$ and $R$ represent the node types and edge types, where $|A| + |R| > 2$.

Wireless Communications and Mobile Computing
Heterogeneous information networks provide a powerful data structure for modeling the entities in complex system and association relationships between them, as well as the high-level semantics of the data. To this end, many recent works focus on learning and predicting tasks on heterogeneous information network. Zhang et al. [27] introduced a structured heterogeneous information network to construct interactions between threads, users, replies, and topics to detect cybercriminal suspect threads. Fan et al. [28] designed a heterogeneous information network to model the relationship between users and tweets in Twitter. They also used a metagraph representation-based method to embed semantic correlations between users, in order to detect narcotic drug users. Zhu et al. [29] utilized passengers' taxi records to predict their short-term personalized transport demand based on deep heterogeneous network embeddings. To design a news recommendation system, Hu et al. [30] constructed a heterogeneous graph about user-news-topic and applied graph convolution networks to learn embeddings for user and news with high-order information encoded by propagating embeddings over the graph. To improve the performance of visual question answering system, Li et al. [31] modeled the association relationships between different entities in the image as a heterogeneous information network. On this basis, they adopted a representation learning method based on graph attention mechanism to learn the relationship representation for visual question answering.
As an information network constituted by users and their behavior interactions, the mobile e-commerce network has prominent characteristics of heterogeneous structure. Figure 2 illustrates an example of a mobile e-commerce network. There are four types of object in the network, such as users, mobile devices, merchants, and products, as well as various association relationships between these objects. In this paper, we seek the solution for the mobile e-commerce fraud detection problem with the help of the heterogeneous network structure, in order to comprehensively capture the behavioral semantic and interaction pattern of abnormal users in the e-commerce platform.

Metapath.
The heterogeneous information network consists of different types of object and different types of relationships between these objects. To effectively describe the rich semantic information in the heterogeneous information network, metapath is always used to represent the combination of relationships between different types of objects [32][33][34]. The definition of metapath is given as follows [26]: Based on a network schema $S = (A, R)$, we can express a metapath as a sequence of binary relationships between two objects. In a network $S = (A, R)$, a metapath $m$ is defined as $\in A$ and $R_1, R_2, \cdots, R_l \in R$ denote node types and edge types, respectively. Significantly, semantic relationships in the heterogeneous information network can be described in different views by different metapaths. For example, Figure 3 illustrates a mobile e-commerce network organized by a heterogeneous graph and the metapaths in the network. commerce platform from a same mobile device, the user-device-user (UDU) metapath shown in Figure 3(b) can be used to represent the logging connection between users. In another view, if two users buy commodity from a same merchant, the user-merchant-user (UMU) metapath shown in Figure 3(c) can be used to denote the purchase connection between users.
As an appropriate description for semantic information, metapath has been widely applied in the analyzing and mining of heterogeneous information networks. Fan et al. [35] constructed an e-commerce network including users, items, and queries, and they proposed a user representation learning method based on the metapath. Hu et al. [36] employed an attribute heterogeneous information network to model different entities, attributes, and associations in the credit payment service. They adopted a representation learning method based on metapath and hierarchical attention mechanism to learn user representations. Hosseini et al. [37] utilized the heterogeneous information network to model clinical data and captured important semantics for disease diagnosis with the help of metapath.

Multiview Clustering.
Driven by the wide application of IoT and sensor networks, multiview data is becoming more and more common and easier to acquire. Compared with the traditional data which describe objects from a single view, the multiview data with rich semantic information is more useful and more complex [38]. Traditional clustering algorithms are not applicable to multiview data; thus, more and more attention has been paid to multiview clustering, in order to explore potential information among different views. In [39], Zhang et al. presented a multiview fuzzy clustering algorithm based on the consistency constraint of representative points. The algorithm utilizes the consistency constraints of representative points to realize multiview collaborative learning, which ensures the improvement of the clustering effect. Luo et al. [40] proposed a subspace learning-based clustering approach, in which a shared consistent representation is used to constrain the multiview self-representation attributes to mine the subspace structure of the data. Xia et al. [41] developed a multiview clustering algorithm based on the neighborhood multikernel learning to perform information fusion in the class partition space.
In [42], Tang et al. presented a joint graph learning method for multiview subspace clustering, in which the LRR model is employed to learn a common representation coefficient matrix from different views, and a diversity regularization term is used both to enforce the diversity and to reduce the redundancy of views. Based on that, the learned representation coefficient matrix is converted to an affinity graph for subspace clustering. To solve the multiview spectral clustering problem, Tang et al. [43] designed a novel model by jointly utilizing the information of view-specific graphs and embedding matrices, in which a unified graph is introduced by combining view-specific graphs and embedding matrices.
In this paper, we design a multiview clustering-based abnormal user detection model for the mobile e-commerce network, which can be used to solve the problem of e-commerce fraud by detecting abnormal user more reasonably from multiple perspectives.

The Proposed Model
3.1. Basic Consideration of the Work. Based on the analysis of a large number of e-commerce fraud cases, we find that many fraud gangs utilize disguised phone numbers or emails to register a large number of accounts on different mobile devices, and they log in to these accounts to buy promotional commodities at relatively low prices. Afterwards, they resell these commodities at higher prices in the second-hand market to gain huge illegal profits. In order to effectively recognize fraudulent users in the e-commerce platform, we first summarize two behavior patterns of abnormal users corresponding to the above fraud scenes: device aggregation and transaction aggregation.
3.1.2. Transaction Aggregation. The basic idea of transaction aggregation is that plenty of purchase transactions on the e-commerce platform intensively occur between certain accounts and merchants that implement promotions, when the fraud activity takes place. This is mainly because fraud gangs generally pay their attention to certain merchants with promotion, and they will intensively buy commodities with large discounts in a short time.

Algorithm 1: Implementation of the DM-VCDM.
    Encode $G^{(v)}(U, E^{(v)})$ to get latent embedding $Z^{(v)}$ by Equation (3);
    Initialize cluster assignments and $\{\mu_k^{(v)}\}_{k=1}^{K}$ using K-means++ in each view;
    Initialize $q_{ik}^{(v)}$ and $p_{ik}^{(v)}$ by Equation (5) and Equation (6) respectively;
  end for;
  for $l = 1$ to $L$:
    for $v = 1$ to 2:
      Update $\theta^{(v)}$ and $\{\mu_k^{(v)}\}_{k=1}^{K}$ using backward propagate SGD according to Equation (10) and Equation (11);
      Update latent embedding $Z^{(v)}$ by Equation (3);
      Update $q_{ik}^{(v)}$ and $p_{ik}^{(v)}$ by Equation (5) and Equation (6) respectively;
    end for;
    Calculate $p_{ik}$ according to Equation (7);
    Update $w_1$ and $w_2$ by Equation (12);
  end for;
  Calculate the detection results by Equation (7);
  Return cluster assignments for all users
Device aggregation and transaction aggregation describe typical behavior patterns of fraud gangs from two perspectives; thus, abnormal user detection can be realized by recognizing these behavior patterns. To this end, we capture semantic relationships from heterogeneous graph of mobile e-commerce network using different metapaths as shown in Figures 4(a) and 4(b), respectively. In the former one, the abnormal users are connected by corresponding devices, while in the latter one, the suffered merchants take on the role of correlating fraud accounts. Based on these semantic relationships, we construct a multiview framework to detect the abnormal behavior patterns of device aggregation and transaction aggregation in corresponding views, in order to discover fraudulent users in the e-commerce network.

Construction of the Model.
The overall framework of the proposed model, i.e., DM-VCDM, is illustrated in Figure 5. In general, the semantic relationships captured from heterogeneous graph of mobile e-commerce network are transferred and explored through two tunnels corresponding to two views, in which the two abnormal behavior patterns will be recognized, respectively. In each view, a user-similarity graph is reorganized from semantic relationships by using a certain metapath. Subsequently, the node (user) embeddings of each graph in the latent space are learned by the encoder formed by GCNs. Then, soft clustering is applied on latent embeddings in each view, in order to divide users' behavior patterns into different categories from the particular perspectives. At last, the abnormal detection result is produced by integrating assignments of behavior pattern in different views in a multiview fusion mechanism. In the DM-VCDM model, the behavior patterns of abnormal user are described and explored comprehensively from two different views. And, the detection decision is made by fusing the complementary information into a consensus prediction. The details of the model are presented as follows.
According to the UDU and UMU metapaths, the similarities between two users in different views can be calculated by the following equation: where $v = 1$ or $2$ is the ID of the view. In the $v$th view, $\mathrm{Sim}_{ij}^{(v)}$ is the similarity between the user $i$ and the user $j$, $r_{i \to j}^{(v)}$ denotes a route in the graph between these two users constrained by the metapath, and $R^{(v)}$ denotes the set of routes in the graph. By calculating the similarity between users in different metapaths, the user-similarity matrixes in different views can be constructed, respectively, as shown in Equation (2), where $m$ denotes the number of users in the e-commerce network. Based on that, two user-similarity graphs $G^{(v)}(U, E^{(v)})$ with $N$ user nodes can be reorganized from semantic relationships in the corresponding views, respectively, where $U$ is the matrix composed of attributes of users in the e-commerce network.
In each view, the user-similarity graph is embedded into latent representations by an encoder constructed by GCNs according to the following equation: $Z^{(v)}$ denotes the latent embedding of the user-similarity graph in the $v$th view, and the framework of the GCNs is formulated as the following equation: where $\mathrm{Gconv}(\cdot)$ denotes the graph convolutional layer and $W$ are learnable weight matrixes in the two graph convolutional layers, respectively.
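The metapath projection described above, as an added example that is not the paper's code: it turns login and purchase records into UDU and UMU user-similarity matrices and lists the users that aggregate in each view. The records are constructed, the PathSim-style normalisation is an assumption standing in for the paper's similarity equation, and the intersection step only illustrates why the two views are complementary; it is not the learned fusion.

```python
from collections import defaultdict

# Constructed sample records (not from the paper's datasets).
# u1-u3 mimic a fraud ring: one shared device, one promotional merchant.
USERS = ["u1", "u2", "u3", "u4", "u5", "u6"]
LOGINS = [  # (user, device) edges for the UDU metapath
    ("u1", "d1"), ("u2", "d1"), ("u3", "d1"), ("u3", "d2"),
    ("u4", "d3"), ("u5", "d4"), ("u6", "d5"),
]
PURCHASES = [  # (user, merchant) edges for the UMU metapath
    ("u1", "m_promo"), ("u2", "m_promo"), ("u3", "m_promo"),
    ("u4", "m_promo"), ("u4", "m2"), ("u5", "m2"), ("u6", "m3"),
]


def incidence(records):
    """Map each user to the set of middle nodes (devices or merchants) it touches."""
    inc = defaultdict(set)
    for user, mid in records:
        inc[user].add(mid)
    return inc


def metapath_similarity(records, users):
    """User-user similarity under a user-X-user metapath.

    Assumption: PathSim-style normalisation,
        sim(i, j) = 2 * |routes i->j| / (|routes i->i| + |routes j->j|),
    where one route is one shared middle node.
    """
    inc = incidence(records)
    n = len(users)
    sim = [[0.0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            if a == b:
                continue
            shared = len(inc[users[a]] & inc[users[b]])
            denom = len(inc[users[a]]) + len(inc[users[b]])
            sim[a][b] = 2.0 * shared / denom if denom else 0.0
    return sim


def aggregation_groups(sim, users, threshold=0.5):
    """Connected components (size >= 2) of the graph with edges sim >= threshold."""
    n = len(users)
    seen, groups = set(), []
    for start in range(n):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            a = stack.pop()
            if a in comp:
                continue
            comp.add(a)
            stack.extend(b for b in range(n)
                         if b not in comp and sim[a][b] >= threshold)
        seen |= comp
        if len(comp) >= 2:
            groups.append(sorted(users[a] for a in comp))
    return groups


def in_both_views(groups_a, groups_b):
    """Users that sit in an aggregation group in both views (illustration only)."""
    flat_a = {u for g in groups_a for u in g}
    flat_b = {u for g in groups_b for u in g}
    return sorted(flat_a & flat_b)


UDU = metapath_similarity(LOGINS, USERS)      # device-aggregation view
UMU = metapath_similarity(PURCHASES, USERS)   # transaction-aggregation view

if __name__ == "__main__":
    udu_groups = aggregation_groups(UDU, USERS)
    umu_groups = aggregation_groups(UMU, USERS)
    print("UDU groups:", udu_groups)
    print("UMU groups:", umu_groups)
    print("in both   :", in_both_views(udu_groups, umu_groups))
```

On this sample the UMU view alone also pulls in u4 and u5, ordinary shoppers who happen to share merchants with the ring, while the UDU view isolates the three accounts on the shared device.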
In the latent space, we employ K-means++ to initialize the cluster assignments for user embeddings and alternately enhance the clustering in respective views. In the abnormal user detection context, the users are categorized as normal users and abnormal users. Thus, the number of clusters $K$ is considered as 2. Given a set of user embeddings $Z^{(v)} = \{z_i^{(v)}\}_{i=1}^{N}$ and the initial cluster centroids $\{\mu_k^{(v)}\}_{k=1}^{K}$, the soft assignment between the embedded users and the cluster centroids in each view can be calculated using a Student's t-distribution according to the following equation: where $q_{ik}^{(v)}$ denotes the soft assignment distribution and $\alpha$ is the degree of freedom of the Student's t-distribution. $q_{ik}^{(v)}$ can be interpreted as the probability that assigns the $i$th user embedding to the $k$th cluster. Due to the lack of labels, we design an auxiliary target distribution to
where $f_k^{(v)} = \sum_i q_{ik}^{(v)}$ is the soft cluster frequency in the $v$th view.

Table 3: Details of the reference models.
IF: IF [44] is a tree-based anomaly detection model, which assumes that the abnormal objects can be isolated from others by fewer random feature segmentations compared with normal objects.
KNN: The K-nearest neighbor (KNN) model [45] recognizes the outliers as abnormal objects by comparing distances between objects.
LOF: The local outlier factor (LOF) algorithm [46] is based on an assumption that the local density of a normal object should be close to its neighbor's density, while the local density of an abnormal object will be remarkably different from its neighbor's density.
CAE+IF/CAE+KNN/CAE+LOF: These models are all composed of two components: a convolutional autoencoder is used to obtain low-dimensional embeddings, and an abnormal detector (IF/KNN/LOF) is used to discover abnormal objects based on the embeddings.
DeepFD: The model encodes the user-item bipartite graph into low-dimensional user representations with behavioral features using an autoencoder and employs DBSCAN to detect fraud block based on the representations [22].
FraudNE: The model captures the high-nonlinear characteristics from the user-item bipartite graph by an autoencoder and recognizes multiple fraudulent groups by predicting the cluster assignments based on the user representations [23].
To produce a consensus detection result, we design a multiview fusion mechanism to integrate the complementary information in respective views according to the following equation: where $p_{ik}$ is the integrated auxiliary target distribution and $w_1 > 0$ and $w_2 > 0$ are the information weights of the two views, respectively, with the constraint $w_1 + w_2 = 1$. The integrated target distribution predicts the probability of user assignment more comprehensively than that generated in any single view. Finally, the user detection result is produced by the following equation: where $y_i$ means the clustering assignment of the $i$th user.
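The per-view soft assignment, auxiliary target distribution and weighted fusion described above, as an added example that is not the paper's code. The Student's t kernel and the squared, frequency-normalised target are the standard deep-embedded-clustering forms and are an assumption here, as are the constructed 2-D embeddings, the fixed centroids, the equal weights, and the convention that cluster index 1 means "abnormal" in both views.

```python
def soft_assign(Z, mu, alpha=1.0):
    """q_ik: Student's t kernel between embedding z_i and centroid mu_k, row-normalised."""
    Q = []
    for z in Z:
        kern = []
        for m in mu:
            d2 = sum((a - b) ** 2 for a, b in zip(z, m))
            kern.append((1.0 + d2 / alpha) ** (-(alpha + 1.0) / 2.0))
        total = sum(kern)
        Q.append([k / total for k in kern])
    return Q


def target_distribution(Q):
    """p_ik from q_ik^2 / f_k, where f_k = sum_i q_ik is the soft cluster frequency."""
    K = len(Q[0])
    f = [sum(row[k] for row in Q) for k in range(K)]
    P = []
    for row in Q:
        w = [row[k] ** 2 / f[k] for k in range(K)]
        total = sum(w)
        P.append([x / total for x in w])
    return P


def fuse(P1, P2, w1, w2):
    """Integrated target p_ik = w1 * p_ik^(1) + w2 * p_ik^(2), with w1 + w2 = 1."""
    if not (w1 > 0 and w2 > 0 and abs(w1 + w2 - 1.0) < 1e-9):
        raise ValueError("weights must be positive and sum to 1")
    return [[w1 * a + w2 * b for a, b in zip(r1, r2)] for r1, r2 in zip(P1, P2)]


def detect(P):
    """y_i = argmax_k p_ik."""
    return [max(range(len(row)), key=row.__getitem__) for row in P]


# Constructed embeddings for six users; users 0-2 play the fraud ring.
# Centroids are fixed here instead of being learned (assumption).
MU = [(0.0, 0.0), (2.0, 2.0)]            # cluster 0 = normal, cluster 1 = abnormal
Z_DEVICE = [(2.1, 1.9), (1.9, 2.0), (2.0, 2.2),
            (0.1, -0.1), (0.0, 0.2), (-0.2, 0.1)]
# In the merchant view user 3 (a real promo shopper) drifts towards the ring.
Z_MERCHANT = [(1.8, 2.1), (2.2, 2.0), (2.0, 1.9),
              (1.2, 1.1), (0.1, 0.0), (0.0, -0.1)]


def run_demo(w1=0.5, w2=0.5):
    """Return the labels from each single view and from the fused distribution."""
    P1 = target_distribution(soft_assign(Z_DEVICE, MU))
    P2 = target_distribution(soft_assign(Z_MERCHANT, MU))
    return {
        "view1": detect(P1),
        "view2": detect(P2),
        "fused": detect(fuse(P1, P2, w1, w2)),
    }


if __name__ == "__main__":
    for name, labels in run_demo().items():
        print(name, labels)
```

The merchant view alone flags user 3; the fused distribution does not, because the device view assigns that user to the normal cluster with high confidence.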

The Optimization Model.
The DM-VCDM can be trained in a recursive optimization process. The joint optimization model of the DM-VCDM can be established as the following equation: where the cluster centroid $\mu_k^{(v)}$, the encoder's parameters $\theta^{(v)}$, and the information weight in each view are optimized alternately by the stochastic gradient descent (SGD). In each iteration, the encoder's parameters $\theta^{(v)}$ and the cluster centroids $\mu_k^{(v)}$ in each view are firstly updated using the user embeddings by the following equations:

Then, the information weights can be acquired according to the optimization objective shown in the following equation:
On this basis, the implementation process of the DM-VCDM model is listed in Algorithm 1.

Experiments and Analysis
In this section, a series of experiments are conducted on several e-commerce data sets to evaluate the validity of the proposed model.

Experimental Setup
4.1.1. Datasets. Four e-commerce datasets are used in the experiments including three real-world datasets and one semisynthetic dataset. The real-world datasets are subsets sampled from an e-commerce transaction dataset on Kaggle, which consists of 400 K transaction records collected from an e-commerce platform. Each record includes several pieces of transaction information such as IDs of user, mobile device, commodity, merchant, and transaction time. Some of the users in the dataset are labeled as fraudsters. Based on the sampled subsets, we capture the login relationships between user and device and transaction relationships between user and merchant and construct the three real datasets. The semisynthetic dataset is generated from a dataset of user consumption records collected from a large online store. The raw dataset consists of 15 K records including 2487 users, 1996 devices, 1564 merchants, and 27 K relationships. Due to the lack of available user labels, we uniformly select 5% of users from the whole dataset as the fraudulent users and mimic the behaviors of fraudsters. We also randomly select a certain number of merchants as targets in our experiments. The details of these datasets are shown in Table 1.

Evaluation Indexes.
In the experiments, we employ precision (P), recall (R), F1-score (F1), and AUC, which are widely utilized in clustering and classification tasks, to evaluate performances of different models. In this paper, the abnormal user detection is treated as a binary classification problem. Based on the confusion matrix in Table 2, the precision and recall indexes are defined as Equations (13) and (14), respectively.
On this basis, the F1-score is defined as follows:
As a common evaluation index for binary classification problems, the AUC, which means the area under the ROC curve, is also introduced in the experiments. The horizontal axis and vertical axis of the ROC curve are set as the false positive rate (FPR) and the true positive rate (TPR), respectively. The FPR and the TPR are defined as follows:
In the first category, three traditional anomaly detection models are selected. In the second category, the traditional models are combined with the convolutional autoencoder. And the third category includes two deep graph anomaly detection models, namely, DeepFD [22] and FraudNE [23]. Parameters of all these reference models are set according to their authors' suggestions. The details of these reference models are listed in Table 3.
results over reference models demonstrate the effectiveness of the proposed DM-VCDM for describing and recognizing abnormal behavior pattern. To further compare performances of different models in the experiments comprehensively, we perform the Friedman test on F1-score results of these models. Based on the results in Tables 4-7, the ordinal values of different models on each dataset in terms of F1-score are presented in Table 8.
The null hypothesis is set as $H_0$: the performances of all the models in the experiments are essentially the same in terms of F1-score. And the alternative hypothesis is set as $H_1$: there are significant differences between F1-score results of these tested models. Assuming $k$ models are tested on $M$ datasets, we use $\tau_i$ to denote the average ordinal value of the $i$th model, which is normally distributed with the mean $(k+1)/2$ and variance $(k^2-1)/12$. And the variate $\tau_F$ defined in Equation (17) obeys an $F$ distribution with the degrees of freedom $k-1$ and $(k-1)(M-1)$.
where the variate $\tau_{\chi^2}$ defined in Equation (18) obeys a $\chi^2$ distribution with the degree of freedom $k-1$.
In our experiments, 9 models are compared on 4 datasets. For the significance level $\alpha = 0.05$, the calculation result of the testing variate is $\tau_F = 14.45$, which is significantly bigger   Figure 6. From the figure, it can be seen that the proposed DM-VCDM can actually achieve a superior detection performance compared with the reference models.
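The Friedman test described above, as an added worked example that is not code from the paper. It uses the standard forms of the two statistics, which Equations (17) and (18) are assumed to match; the F1 table is constructed sample data rather than the paper's Tables 4-7, the names `F1_TABLE` and `F_CRITICAL` are hypothetical, and 2.355 is the tabulated F(8, 24) value at α = 0.05.

```python
def ordinal_values(scores):
    """Ordinal values for one dataset: best F1 gets 1, tied models share the mean."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    ranks, pos = [0.0] * len(scores), 0
    while pos < len(order):
        end = pos
        while end + 1 < len(order) and scores[order[end + 1]] == scores[order[pos]]:
            end += 1
        for j in range(pos, end + 1):
            ranks[order[j]] = (pos + end) / 2 + 1
        pos = end + 1
    return ranks


def friedman(f1_table):
    """f1_table[d][i] is the F1-score of model i on dataset d.
    Returns (average ordinal values tau_i, tau_chi2, tau_F)."""
    M, k = len(f1_table), len(f1_table[0])
    rows = [ordinal_values(row) for row in f1_table]
    tau = [sum(r[i] for r in rows) / M for i in range(k)]
    tau_chi2 = 12 * M / (k * (k + 1)) * (sum(t * t for t in tau) - k * (k + 1) ** 2 / 4)
    denom = M * (k - 1) - tau_chi2
    # If every dataset ranks the models identically, tau_chi2 reaches its maximum
    # M(k-1) and the F form has a zero denominator: report infinity.
    tau_F = float("inf") if denom < 1e-12 else (M - 1) * tau_chi2 / denom
    return tau, tau_chi2, tau_F


# Constructed F1-scores (not the paper's results): 4 datasets x 9 models,
# with the last column standing in for the strongest model.
F1_TABLE = [
    [0.41, 0.45, 0.43, 0.52, 0.55, 0.50, 0.63, 0.66, 0.81],
    [0.38, 0.44, 0.47, 0.49, 0.58, 0.53, 0.69, 0.64, 0.84],
    [0.46, 0.40, 0.48, 0.55, 0.55, 0.51, 0.60, 0.67, 0.79],
    [0.35, 0.42, 0.39, 0.57, 0.50, 0.54, 0.71, 0.62, 0.77],
]
F_CRITICAL = 2.355  # tabulated F(8, 24) value at alpha = 0.05

if __name__ == "__main__":
    tau, tau_chi2, tau_F = friedman(F1_TABLE)
    print("average ordinal values:", tau)
    print(f"tau_chi2 = {tau_chi2:.3f}, tau_F = {tau_F:.3f}")
    print("reject H0" if tau_F > F_CRITICAL else "cannot reject H0")
```

With only 4 datasets the statistic is sensitive to a single rank swap, so ties are given the mean ordinal value rather than broken arbitrarily.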

Optimization Process Analysis.
In the proposed DM-VCDM, the final detection decision is produced by fusing multiview information in a joint learning framework. To investigate how the model works, we test the learning process of the joint framework and the impact of each view on the model in this section. In Figure 7, we illustrate the change of the F1-score during the optimization process of the DM-VCDM on each dataset. From the figure, we can see that the F1-score on each dataset rises as the number of iterations increases. The results demonstrate that the proposed DM-VCDM model can effectively capture the behavioral patterns and semantic relationships of abnormal users, and the multiview fusion mechanism also helps to enhance its ability to recognize anomalous targets in the e-commerce network. Notably, the F1-score on each dataset reaches a relatively high value and remains stable after a certain number of optimization epochs. This shows that the DM-VCDM model has relatively good convergence speed and stability.
To investigate the impact of different views on the proposed model, we present the variation of the information weights of different views during the optimization process in Figure 8. As we can see, based on the same initializations, the information weights can be adjusted adaptively as the optimization progresses. The variation of the curves indicates that the better view whose information is more useful will gradually dominate the final detection result in the learning process. For example, in Figure 8(a), $w_1$ keeps getting bigger in the optimization process, and $w_2$ decreases as the iteration goes on, while in Figure 8(b), the variation of the weights reveals an opposite trend. This is mainly because the device aggregation is more useful for recognizing the abnormal behaviors in dataset 1, while in dataset 2, the transaction aggregation becomes the dominant pattern of the fraudulent behavior.

Running Time Test.
In this section, we compare the running time of different models on each dataset for a more thorough analysis of the proposed DM-VCDM. As shown in Table 9, our proposed model can achieve outstanding detection performance with acceptable computational cost compared to the traditional algorithms or deep models. As a result, the DM-VCDM can be applied to some abnormal detection tasks for large-scale e-commerce networks.

Conclusion
To cope with the problem of rampant network fraud on e-commerce platforms, two typical behavior patterns are introduced to capture the semantic relationships of fraud gangs from two perspectives by abstracting the e-commerce network as a heterogeneous information graph. On this basis, we develop a joint multiview abnormal detection model, in which the two behavior patterns are captured in different views of the model, respectively. Finally, the abnormal detection result is produced by fusing the complementary information from different views in a multiview fusion mechanism. We conduct experiments by comparing the proposed model with several traditional algorithms and deep models on several e-commerce datasets. The experimental results demonstrate the validity and superiority of the proposed model.
In further work, we plan to improve our work by exploring the intrinsic mechanism behind e-commerce fraud, drawing support from studies of intention recognition and semantic recognition.

Data Availability
The data used to support the findings of this study have been deposited in the OSF repository (doi:10.17605/OSF.IO/KYQN9).

Conflicts of Interest
The authors declare that they have no conflicts of interest.