Continual Graph Learning with Knowledge-Augmented Replay: A Case for Ethereum Phishing Detection

Abstract

Humans have the ability to incrementally learn, accumulate, update, and apply knowledge from dynamic environments. This capability, known as continual learning or lifelong learning, is also a long-term goal in the development of artificial intelligence. However, neural network-based continual learning suffers from catastrophic forgetting: the acquisition of new knowledge typically disrupts previously learned knowledge, leading to partial forgetting and a decline in the model’s overall performance. Most current continual learning methods can only mitigate catastrophic forgetting and fail to incrementally improve the overall performance. In this work, we aim to incrementally improve performance within sample incremental context by utilizing inter-stage edges as a pathway for explicit knowledge transfer in continual graph learning. Building on this pathway, we propose a knowledge-augmented replay method by leveraging evolving subgraphs of important nodes. This method enhances the distinction between patterns associated with different node classes and consolidates previously learned knowledge. Experiments on phishing detection in Ethereum transaction networks validate the effectiveness of the proposed method, demonstrating effective knowledge retention and augmentation while overcoming catastrophic forgetting and incrementally improving performance. The results also reveal the relationship between average accuracy and average forgetting. Lastly, we identify the key factor to incremental performance improvement, which lays a foundation for convergence of continual graph learning.

1. Introduction

Human beings can incrementally acquire, accumulate, update, and utilize knowledge from the ever-changing environments throughout their lifespan. This ability is referred to as continual learning [1]. While machine learning, especially deep learning, has made significant strides in various tasks within natural language processing (NLP) and computer vision (CV), endowing machine learning systems with this ability remains a long-standing challenge. This difficulty primarily stems from catastrophic forgetting [2], where an intelligent agent typically experiences a substantial decline in performance on previously learned tasks when learning new ones. This phenomenon is rooted in the plasticity–stability dilemma [3].

To address catastrophic forgetting, many strategies have been proposed, including replay-based, regularization-based, and parameter isolation-based approaches [1]. These methods strike a good balance between the plasticity and stability of agents and mitigate the phenomenon of catastrophic forgetting. Nevertheless, existing methods for mitigating catastrophic forgetting typically only control the extent of performance decline and struggle to achieve incremental performance improvement.

Recent work extends applications of continual learning to graph data, particularly within graph neural networks (GNNs), a field referred to as continual graph learning [4,5,6,7,8]. To address the catastrophic forgetting problem in continual graph learning, several recent studies undertake preliminary explorations and report promising results [9,10,11,12,13,14,15]. Despite recent advancements, addressing catastrophic forgetting in continual graph learning remains challenging as the structural information introduces additional complexity across various aspects of continual graph learning, including scenario settings, task types, and anti-forgetting strategies. Moreover, they all fail to improve model performance incrementally.

Although many continual graph learning works explicitly consider structural information to develop topological structure-aware methods, such as TWP [10] and PDGNNs [16], they rarely handle connections across different graphs. More precisely, these connections are called inter-task edges [17] in multi-task continual learning scenarios (e.g., class incremental and task incremental settings) or inter-stage edges in single-task scenarios (e.g., sample-incremental and domain-incremental settings). SEA-ER [18] argues that inter-task edges induce structural shifts and catastrophic forgetting and introduce a structure–evolution–aware replay method to mitigate these shifts. IncreGNN [19] separately samples replay nodes from those connected by inter-task edges and those without such connections, thereby incorporating inter-task edges into continual graph learning for link prediction. TACO [20] explicitly retrieves and retains inter-task edges by merging the previous reduced graph with the new task subgraph via a node-mapping table, reconnecting new-to-old edges during combination. These preserved inter-task edges are carried through the coarsening and proxy graph generation steps to maintain each node’s evolving receptive field. Nevertheless, they do not investigate how connections between nodes in different tasks or stages affect model performance. Ref. [17] conducts experiments on node-level tasks under task incremental settings with and without considering inter-task edges. The results show that the inter-task edges introduce contradictory factors for model performance, and the conditions under which they provide benefits versus drawbacks remain uncertain.

This paper explores incremental performance improvement by investigating the influence of inter-stage edges on knowledge transfer. Specifically, we utilize inter-stage edges as an explicit pathway for knowledge transfer in continual graph learning. Through this pathway, we propose to reframe node classification tasks as graph classification tasks to achieve efficient knowledge transfer in sample incremental scenarios of continual graph learning. Moreover, we present a knowledge-augmented replay method that can augment and supplement old knowledge with new knowledge while preserving it, thereby incrementally improving overall performance and overcoming catastrophic forgetting. We validate its effectiveness in a real-world application. Drawing on the experimental results, we further investigate the relationship between the two metrics and identify the key factor to incremental performance improvement. The contributions of this paper are summarized as follows:

• Knowledge-augmented replay: We investigate the influence of inter-stage edges on model performance in the sample-incremental scenario of continual graph learning and  propose a knowledge-augmented replay method for node classification in this scenario. It leverages inter-stage edges and evolving subgraphs of reappearing nodes as pathways for effective knowledge transfer. It preserves prior knowledge while integrating new knowledge, simultaneously reinforcing and augmenting existing knowledge to overcome catastrophic forgetting, thereby achieving incremental performance improvement and yielding results on par with full retraining but with fewer resources.
• A real-world application: We demonstrate the practical effectiveness of the proposed method through validation in Ethereum phishing scam detection. To the best of our knowledge, this is the first study aimed at addressing catastrophic forgetting and improving performance incrementally in Ethereum phishing scam detection using continual graph learning.
• Key factor to incremental performance improvement: We explore the relationship between the average accuracy and average forgetting based on the experimental results. Furthermore, we identify the key factor to incremental performance improvement, laying a foundation for convergence analysis in broader continual learning contexts.

The rest of this paper is organized as follows: Section 2 reviews related work. Section 3 provides the necessary preliminaries, including the notations used, definitions, and problem formalization. The methodology is detailed in Section 4, and the experiments are presented in Section 5. Section 6 discusses the key to incremental performance improvement in continual graph learning from a knowledge perspective. Finally, Section 7 concludes the paper.

2. Related Work

2.1. Ethereum Phishing Scam Detection

Ethereum phishing scam detection hinges on obtaining highly discriminative features, typically achieved through two primary approaches. One approach leverages traditional machine learning to obtain statistical features. For example, ref. [21] extracts over 200 statistical features within the first-order and second-order node neighbors. The other approach utilizes various network embedding techniques to generate node or graph embeddings, such as node2vec [22,23,24], trans2vec [25], and graph2vec [26,27].

Recent work focuses on extracting richer information from transaction networks to augment representations, such as those using self-supervised learning, including graph contrastive learning [28,29] and self-supervised regression [30], to obtain high-quality and robust representations. Additionally, some other work incorporates additional information to enhance embeddings, such as interaction intensity [31], node and edge types [32], and temporal information. An increasing number of studies consider temporal information as a critical factor, as phishing accounts often follow specific temporal patterns, such as conducting a large number of transactions within a short period. Integrating temporal information with transactions can typically enhance feature representations to improve model performance. Such work can be referred to [33,34,35,36,37,38,39]. Particularly, ref. [37] emphasizes capturing the dynamic evolution patterns of nodes to continuously identify new transaction features.

Nevertheless, these studies do not explore Ethereum phishing detection through the lens of continual learning. Ref. [40] employs incremental learning during pre-training to obtain an optimal GNN as the encoder to generate node embeddings. However, it does not leverage the encoders obtained from different pre-training stages to generate node embeddings, thereby failing to assess the impact of incremental learning on the performance change of the downstream task.

2.2. Graph Representation Learning

Graph representation learning, also called network representation learning, aims to learn low-dimensional representations of nodes, edges, subgraphs, or entire graphs from complex networks while preserving the essential structural and relational information inherent in the networks. A typical graph representation learning process can be framed within an encoder–decoder architecture [41]. In this framework, the encoder takes the graph as input, and possibly additional attributes like node features or edge weights, and maps its nodes, edges, subgraphs, or the entire graph into a low-dimensional vector space and generates embeddings. The decoder then utilizes these embeddings to either reconstruct or predict certain properties of the original graph. GNNs are commonly used graph encoders, including GCNs [42], GATs [43], GraphSAGE [44], GINs [45], GAEs and VGAEs [46], and graph transformer networks (GTNs) [47].

Learning representations in the Ethereum transaction network for phishing scam detection presents unique challenges due to its dynamic nature, large scale, label scarcity, and complex structure. According to the statistics on Etherscan, Ethereum currently has nearly 300 million unique addresses and over 2.4 billion transactions, with both numbers increasing continuously. The vast majority of these addresses are unlabeled. Moreover, Ethereum exhibits a pronounced long-tail distribution, with a small number of nodes having very high degrees, while the majority of nodes maintain very low degrees. This imbalance hinders the model’s ability to learn stable, effective representations for low-degree nodes.

2.3. Continual Learning

Numerous strategies have been proposed to overcome catastrophic forgetting in continual learning, including replay-based, regularization-based, and parameter isolation-based approaches [48]. Replay-based methods [49,50,51] store a few historical samples within a memory buffer and replay these sample in the buffer when learning new tasks to overcome catastrophic forgetting. Regularization-based methods [52,53,54] alleviate catastrophic forgetting by imposing extra regularization terms in loss function to consolidate previously learned knowledge when learning new tasks. Parameter isolation-based methods [55,56,57] allocate parameters to different tasks to avoid interference between tasks. More recently, an increasing number of approaches have been proposed, including optimization-based methods and representation-based methods, as summarized in [1]. More recently, ref. [58] proposes parabolic continual learning by formulating continual learning as a partial differential equation (PDE)-constrained optimization problem, constraining the evolution of the loss function over time to follow a parabolic PDE. Nevertheless, these methods typically fail to improve performance incrementally.

2.4. Continual Graph Learning

Continual graph learning is an emerging field where the structural information between data samples is incorporated into continual learning. Refs. [4,6,7,8] summarized recent continual graph learning efforts and strategies from various perspectives comprehensively. These approaches broadly fall into the three main continual learning categories.

TWP [10] is a typical regularization-based continual graph learning method. It measures parameter importance by integrating both task-related loss and topological information, and then preserves the most critical parameters. However, regularization methods usually interfere with the model’s ability to learn new knowledge. PI-GNN [59] proposes parameter isolation and expansion to circumvent the tradeoff between learning new patterns and maintaining old ones. In another work, GCL [60] also follows this line. It learns optimal model structure through reinforcement learning and adds or prunes neurons to ensure sufficient model capacities. These methods typically require maintaining a gradually expanding model capacity. A notable work is the HPN [5], where the knowledge is represented by various levels of prototypes and their combinations, and the number of model parameters is theoretically upper bounded by giving a threshold. Replay-based methods occupy a dominant position in continual graph learning. They evaluate node importance using various criteria, optionally considering structural information, and then use importance-based sampling to select and store representative nodes from earlier tasks for replay. Representative works include ContinualGNN [9], ER-GNN [61], DyGRAIN [62], and PBR [63]. Some works, such as SSM [64], CaT [11], and PDGNNs [16], use sparsified or condensed subgraphs instead of individual nodes for replay to reduce memory overhead. More recently, PromptCGL [65] proposes to combine prompt learning with continual graph learning, which is beyond the three main methods. Nevertheless, they do not explore and reveal the impact of the inter-stage edges on model performance.

To the best of our knowledge, we are the first to apply continual graph learning to address catastrophic forgetting in Ethereum phishing detection and improve performance incrementally.

3. Preliminaries

We present the definitions of key concepts and the problem formulation in this section.

Table 1. Summarizations of key notations.

Notations	Descriptions
${\mathcal{D}}_i$	The dataset (a set of 1-TSGs) extracted from $\Delta G_i$ or $G_i$.
${\mathcal{M}}_i$	The memory buffer for stage i. ${\mathcal{M}}_i={\mathcal{M}}_i^p\cup {\mathcal{M}}_i^n$, where ${\mathcal{M}}_i^p$ and ${\mathcal{M}}_i^n$ are the sets of phishing and non-phishing samples in ${\mathcal{M}}_i$, respectively.
$G_i, G_i^{\prime }$	The Ethereum transaction network (ETN, i.e., snapshot) at time $t_i$ with inter-stage edges and corresponding ETN without inter-stage edges, respectively. $G_i=\{V_i,E_i\}=G_{i-1}\cup \Delta G_i$, and $G_i^{\prime }={\bigcup }_{j=1}^i{G}_j^{\prime }=G_i\setminus ({\bigcup }_{j=1}^i\Delta E_j^r)$.
$\Delta G_i, \Delta G_i^{\prime }$	The incremental transaction network (ITN) between time $t_{i-1}$ and $t_i$ with inter-stage edges and corresponding ITN without inter-stage edges, respectively. $\Delta G_i=\{\Delta V_i,\Delta E_i\}$, and $\Delta G_i^{\prime }=\Delta G_i\setminus \Delta E_i^r$.
$E_i, \Delta E_i$	The set of all edges in $G_i$ and $\Delta G_i$, respectively. $\Delta E_i=\Delta E_i^a\cup \Delta E_i^r$.
$\Delta E_i^a, \Delta E_i^r$	The set of edges between newly added nodes (i.e., intra-task edges) and the set of edges between newly added nodes and reappearing nodes (i.e., inter-stage edges) in $\Delta G_i$, respectively.
$V_i, \Delta V_i$	The set of all nodes in $G_i$ and $\Delta G_i$, respectively. $\Delta V_i=\Delta V_i^a\cup \Delta V_i^r=\Delta V_i^p\cup \Delta V_i^n$.
$\Delta V_i^a, \Delta V_i^r$	The set of newly added nodes and reappearing nodes in $\Delta G_i$, respectively. $\Delta V_i^a=\Delta V_i^{ap}\cup \Delta V_i^{an}$, and $\Delta V_i^r=\Delta V_i^{rp}\cup \Delta V_i^{rn}$.
$\Delta V_i^p, \Delta V_i^n$	The set of all phishing nodes and non-phishing nodes in $\Delta G_i$, respectively. $\Delta V_i^p=\Delta V_i^{ap}\cup \Delta V_i^{rp}$, and $\Delta V_i^n=\Delta V_i^{an}\cup \Delta V_i^{rn}$.
$\Delta V_i^{ap}, \Delta V_i^{rp}$	The set of newly added phishing nodes and reappearing phishing nodes in $\Delta G_i$, respectively. $\Delta V_i^{rp}={\bigcup }_{j=1}^{i-1}\Delta V_{ij}^{rp}$.
$\Delta V_i^{an}, \Delta V_i^{rn}$	The set of newly added non-phishing nodes and reappearing non-phishing nodes in $\Delta G_i$, respectively. $\Delta V_i^{rn}={\bigcup }_{j=1}^{i-1}\Delta V_{ij}^{rn}$.
$\Delta V_{ij}^{rp}, \Delta V_{ij}^{rn}$	The set of newly added phishing nodes and non-phishing nodes in $\Delta G_j$ that are also reappearing in $\Delta G_i$, respectively. $\Delta V_{ij}^{rp}=\Delta V_j^{ap}\cap \Delta V_i^p$, and $\Delta V_{ij}^{rn}=\Delta V_j^{an}\cap \Delta V_i^n,i>j$.
$S_u^i, \Delta S_u^i$	The 1-order accumulative transaction subgraph (1-ATSG) and 1-order incremental transaction subgraph (1-ITSG) of a node u in $G_i$ and $\Delta G_i$, respectively.
$C_i^N, C_i^R, C_i^K$	The set of central nodes in the $i\mathrm{th}$ dataset under the naïve method, retraining method, and KAR method, respectively. $C_i^N=C_i^{Np}\cup C_i^{Nn}$, $C_i^R=C_i^{Rp}\cup C_i^{Rn}$, and $C_i^K=C_i^{Kp}\cup C_i^{Kn}$.
$C_i^{Np}, C_i^{Rp},C_i^{Kp}$	The set of phishing central nodes in the $i\mathrm{th}$ dataset under the naïve, retraining, and KAR methods, respectively.
$C_i^{Nn}, C_i^{Rn}, C_i^{Kn}$	The set of non-phishing central nodes in the $i\mathrm{th}$ dataset under the naïve, retraining, and KAR methods, respectively.

summarizes the key notations used in this paper.

3.1. Definitions

Dynamic Network: A dynamic network is represented by $G_t=(V_t,E_t)$, where $V_t$ and $E_t$ are the set of vertices and edges at time t, respectively. Specifically, $G_t=G_{t-1}\cup \Delta G_t$, where $\Delta G_t=(\Delta V_t,\Delta E_t)$ is the incremental network between time $t-1$ and t, with $\Delta V_t$ and $\Delta E_t$ representing the sets of vertex changes and edge changes, respectively. Consequently, $V_t=V_{t-1}\cup \Delta V_t$, $E_t=E_{t-1}\cup \Delta E_t$. Additionally, $G_t=(A_t,X_t)$ if the network is attributed, where $A_t$ and $X_t$ denote the adjacency matrix and node feature matrix of the network at time t, respectively. Correspondingly, $\Delta G_t=(\Delta A_t,\Delta X_t)$, where $\Delta A_t$ and $\Delta X_t$ represent the adjacency matrix and node feature matrix of the incremental network between time $(t-1)$ and t, respectively.

Graph Neural Networks: A graph neural network is a general neural network designed to capture the dependencies between nodes in graph-structured data. It propagates information across nodes in the graph and learns embeddings that encode graph structures and node features through message passing. The representation of a node v in the $l\mathrm{th}$ layer is defined as follows:

$${\mathit{h}}_v^l=\mathrm{UPDATE}\left({\mathit{h}}_v^{l-1},\mathrm{AGG}\left({\mathit{h}}_u^{l-1},\forall u\in {\mathcal{N}}_v\right)\right),$$

(1)

where ${\mathit{h}}_v^l$ denotes the representation of node v at the $l\mathrm{th}$ layer, ${\mathcal{N}}_v$ is the set consisting of all neighboring nodes of node v. $\mathrm{AGG}(·)$ and $\mathrm{UPDATE}(·)$ denote the aggregation function and update function, respectively. The specific form of the aggregation function varies across GNN architectures and may include operations such as sum, attention, mean, or max pooling. The aggregated representations are typically passed through an update function, which may involve linear transformations and non-linear activation functions, to produce the final representation of each node in the $l\mathrm{th}$ layer. Representative GNN models include GCNs [42], GraphSAGE [44], GATs [43], and GINs [45].

3.2. Problem Formalization

As shown in Figure 1, in the evolving Ethereum transaction network (ETN) is denoted by $G=\left\{G_1,G_2,\cdots ,G_n\right\}$, where $G_n$ is the snapshot of the network at time $t_n$, and $G_n=G_{n-1}\cup \Delta G_n$. The term $\Delta G_n$ is the incremental transaction network (ITN) between time $t_{n-1}$ and $t_n$ (stage n). We aim to train a sequence of GNN models $(f_1,f_2,\cdots ,f_n)$ for corresponding snapshots $\left\{G_1,G_2,\cdots ,G_n\right\}$ to continuously detect phishing nodes within the sample incremental setting of continual graph learning, incrementally improving the model performance as the network evolves, and to eliminate catastrophic forgetting throughout this process. In this process, each subsequent model $f_i$ is trained using the previous model $f_{i-1}$ as its initial state.

Notably, we employ the term “inter-stage edges” rather than “inter-task edges” in this work, as the task is single and constant—detecting newly added phishing nodes as the network evolves. In other continual graph learning scenarios with multiple tasks, “inter-task edges” is more appropriate.

4. Methodology

Figure 2 depicts the proposed approach, which consists of three steps, namely temporal partitioning, transaction subgraph extraction, and continual training.

4.1. Temporal Partitioning

Temporal partitioning involves splitting the entire ETN $G_n$ into multiple ITNs $\Delta G_i$ to accommodate the continual learning setting. Since each transaction is associated with a specific timestamp, the most straightforward and logical partitioning method is based on the chronological order of timestamps. Additionally, the ETN can be partitioned according to equal time intervals or by an equal number of phishing nodes. Specifically, the temporal partitioning is formalized as follows.

Temporal Partitioning: Let $G_t=(V_t,E_t)$ be the snapshot of the ETN at time t. Choosing a strictly increasing sequence of timestamps $\mathcal{T}=(t_1,t_2,\cdots ,t_n)$. For each $i=1,2,\cdots ,n$, define the incremental transaction network $\Delta G_i=(\Delta V_i,\Delta E_i)$ by $\Delta E_i=\left\{e=(u,v,a,\tau )\in E_t\mid t_{i-1}<\tau \le t_i\right\}$, and $\Delta V_i=\left\{u\mid \exists v,(u,v)\in \Delta E_i\vee (v,u)\in \Delta E_i\right\}$. Temporal partitioning splits the ETN into a sequence of incremental transaction networks ${(\Delta G_i)}_{i=1}^n$.

Since the ETN is a weighted directed multigraph, there may be multiple directed transactions between any two accounts at different times. Consequently, an account may be associated with multiple timestamps. We designate the timestamp that an account is first involved in a transaction as the basis for chronological order. After partitioning the ETN, multiple ITN $\Delta G_i$ are obtained.

4.2. Transaction Subgraph Extraction

Phishing scam detection in Ethereum is essentially a typical node classification task. However, in real-world ETN, there is a significant class imbalance between phishing nodes and non-phishing nodes: the number of phishing nodes is typically orders of magnitude smaller than the number of non-phishing nodes. This imbalance makes it highly challenging to conduct effective node classification for phishing detection in the ETN. To address this challenge, we propose transforming the node classification task into a graph classification task by introducing k-order transaction subgraphs (k-TSGs).

k-order subgraphs: The k-order subgraphs $G_v^k$ centered at a node v is defined as $G_v^k=(V,E)$, $V=\left\{u|\forall u,|d(u,v)|\le k\right\},E=\left\{e_{uv}|\forall u,|d(u,v)|\le k\right\}$, where $d(u,v)$ is the graph distance (hop) between nodes u and v, as shown in Figure 3.

Given the extremely small proportion of phishing accounts and our goal to detect them across the entire ETN, we aim for the datasets to include all known phishing accounts. Therefore, we extract the k-TSGs of all phishing accounts in each ITN as positive samples. Next, we randomly select an equal number of k-TSGs from non-phishing accounts in the corresponding ITN as negative samples. In this manner, we can obtain multiple datasets ${\mathcal{D}}_i$ for subsequent continual learning, with each dataset being class-balanced. This paper uses the first-order transaction subgraphs (1-TSGs) of nodes as the samples for graph classification.

4.3. Continual Learning

After obtaining a sequence of class-balanced datasets, we can continuously perform phishing scam detection in the ETN through continual learning with graph classification. During this process, various strategies for continual learning can be implemented. We introduce a knowledge-augmented replay (KAR) method for continual graph learning.

4.3.1. Knowledge-Augmented Replay

Evidence from [66] suggests that phishing nodes exhibit distinct features and behavior patterns compared to non-phishing nodes. For better clarification, we adopt the theoretical framework of distributional separability.

Let ${\mathcal{P}}_i^{ap}=\left\{z_u^i:u\in \Delta V_i^{ap}\right\}$ and ${\mathcal{P}}_i^{an}=\left\{z_v^i:v\in \Delta V_i^{an}\right\}$ be the distributions of newly added phishing and non-phishing nodes in $\Delta G_i$, respectively. $z_u^i$ and $z_v^i$ are the embedding of nodes u and v produced by $f_i$, respectively. Let ${\Delta }_i^a=\mathcal{S}({\mathcal{P}}_i^{ap},{\mathcal{P}}_i^{an})$ be any chosen separability measure (e.g., distance, divergence, margin) between the two distributions of newly added phishing and non-phishing nodes in $\Delta G_i$. If ${\Delta }_i^a$ increases with i, the classifier’s decision boundary can better separate the two classes.

As the network evolves, the differences between phishing and non-phishing nodes tend to become more pronounced. For example, from times $t_j$ to $t_i$, a phishing account A typically accumulates larger increases in its neighbor count, degrees, and transaction amount than a representative non-phishing node B. As a result, the separability measure between their class-conditional feature distributions grows over time, i.e., ${\Delta }_i^a>{\Delta }_{i-1}^a$.

Nevertheless, an increase in the separability between the newly added phishing and non-phishing nodes in $\Delta G_i$ alone does not guarantee that knowledge acquired on current stage will positively transfer back to earlier stages because the classifier is optimized solely to maximize ${\Delta }_i^a$. It may relocate its decision boundary to suit only the new data, thereby misclassifying earlier samples and suffering catastrophic forgetting.

By contrast, knowledge-augmented replay enriches the distribution by taking union with samples in memory buffer, i.e., $\Delta V_i^p=\Delta V_i^{ap}\cup {\mathcal{M}}_i^p$ and $\Delta V_i^n=\Delta V_i^{an}\cup {\mathcal{M}}_i^n$. Let ${\mathcal{P}}_i^p=\left\{z_u^i:u\in \Delta V_i^p\right\}$ and ${\mathcal{P}}_i^n=\left\{z_v^i:v\in \Delta V_i^n\right\}$ be the distributions of all phishing and non-phishing nodes in $\Delta G_i$, respectively. Define ${\Delta }_i=\mathcal{S}({\mathcal{P}}_i^p,{\mathcal{P}}_i^n)$ as the separability of ${\mathcal{P}}_i^p$ and ${\mathcal{P}}_i^n$. These two distributions incorporate both newly added and replay samples from earlier stages, encouraging the model to learn a decision boundary that simultaneously maximizes separability on both new and historical distributions. i.e., ${\Delta }_i\ge \max {\left({\Delta }_j\right)}_{j=1}^{i-1}$.

In this paper, we track the activity of all known phishing accounts across ITNs and store the reappearing phishing nodes in the memory buffer. Additionally, to preserve the class balance, we randomly sample an equal number of reappearing non-phishing nodes from earlier ITNs to store in the buffer. As the ETN evolves, the features and structures of these reappearing accounts change, motivating a shift from node classification to graph classification. We therefore introduce evolutionary transaction subgraphs (ETSGs) to capture these differences, which are crucial for continual learning.

4.3.2. Evolutionary Transaction Subgraph

Unlike representing all transactions formed by many nodes over a period of time as a network, we describe all transactions associated with a specific node over a given period as a graph. Consequently, ETSGs depict the evolution process of a node over time. Specifically, ETSGs include incremental transaction subgraphs (ITSGs) and accumulative transaction subgraphs (ATSGs), which are formalized as follows.

Incremental /Accumulative Transaction Subgraph: In a dynamic transaction network $G_t$, let $\Delta G_i=(\Delta V_i,\Delta E_i)$ be the incremental transaction network between time $t_{i-1}$ and $t_i$, and $G_i=(V_i,E_i)$ be the snapshot up to $t_i$. Given a node $u\in \Delta V_i$ and a pre-defined rule $\mathcal{R}$, the incremental transaction subgraph $\Delta H_u^i$ of u is defined as $\Delta H_u^i=(\Delta V_u^i,\Delta E_u^i)$, where $\Delta E_u^i=\mathcal{R}(u,\Delta G_i)\subset \Delta E_i$, and $\Delta V_u^i=V(\Delta E_u^i)$ includes all endpoints of edges in $\Delta E_u^i$. The accumulative transaction subgraph of $u\in V_i$ is defined as $H_u^i=(V_u^i,E_u^i)$, where $E_u^i=\mathcal{R}(u,G_i)\subset E_i$, and $V_u^i=V\left(E_u^i\right)$ contains all endpoints of edges in $E_u^i$. $\mathcal{R}(u,G)$ returns the set of transactions in G that involve node u according to rule $\mathcal{R}$. In this paper, we define $\mathcal{R}$ to extract all edges incident to u, and we refer to the resulting subgraph as the first-order transaction subgraph.

Figure 4a,b illustrate the first-order ITSG and first-order ATSG, respectively. ITSGs ($\Delta S_u^i$) capture a node’s incremental transactions within a specific time period, whereas ATSGs ($S_u^i$) represent all transactions associated with that node up to the current time. Formally, $\Delta S_u^i=S_u^i\setminus S_u^{i-1}$.

As the patterns of phishing and non-phishing nodes become increasingly distinct over time, retaining the 1-ATSGs of reappearing phishing and non-phishing nodes provides more discriminative examples. By replaying these examples during the current stage, the model can learn more discriminative representations, thereby improving its performance.

4.3.3. Overall Process

Algorithm 1 delineates an overall procedure for continual graph learning using the KAR method.

Algorithm 1 Continual Graph Learning with KAR Method

Input: Incremental Transaction Network $\Delta G_i$, previous model $f_{i-1}$

Output: Performance matrix $R_{ij}$

1:   Initialization: all initialized to the empty set 2:   for $i=1$ to n do 3:      Assemble & simplify:      $G_i\leftarrow \mathrm{simplify}\left(G_{i-1}\cup \Delta G_i\right)$ 4:      Extract nodes:      $\Delta V_i^p,\Delta V_i^{ap},\Delta V_i^{rp}\leftarrow \mathrm{extract}\_\mathrm{Phishing}\_\mathrm{Nodes}(\Delta G_i),$      $\Delta V_i^n,\Delta V_i^{an},\Delta V_i^{rn}\leftarrow \mathrm{extract}\_\mathrm{Non-Phishing}\_\mathrm{Nodes}(\Delta G_i),$      $C_i^{Kp}\leftarrow \Delta V_i^p$ 5:      Balanced sampling: 6:      $C_i^{Kan}\leftarrow \mathrm{sample}(\Delta V_i^{an},|\Delta V_i^{ap}|)$ 7:      for $j=1$ to  $i-1$ do 8:         $\Delta V_{ij}^{rp}\leftarrow \Delta V_i^p\cap \Delta V_j^{ap}$,   $\Delta V_{ij}^{rn}\leftarrow \Delta V_i^n\cap \Delta V_j^{an}$ 9:         $C_{ij}^{Krn}\leftarrow \mathrm{sample}(\Delta V_{ij}^{rn},|\Delta V_{ij}^{rp}|)$ 10:    end for 11:    $C_i^{Krn}\leftarrow {\bigcup }_{j=1}^{i-1}{C}_{ij}^{Krn}$, $C_i^{Kn}\leftarrow C_i^{Kan}\cup C_i^{Krn}$ 12:    ${\mathcal{M}}_i\leftarrow C_i^{Krp}\cup C_i^{Krn}$ 13:    $C_i^K\leftarrow C_i^{Kp}\cup C_i^{Kn}$ 14:    Subgraph & feature extraction: 15:    for all $u\in C_i^K$ do 16:       $S_u^i\leftarrow \mathrm{extract}\_1\text{-}\mathrm{Order}\_\mathrm{ATSG}(G_i,u)$ 17:       for all $v\in S_u^i$ do 18:          ${\mathbf{x}}_v^i\leftarrow \mathrm{compute}\_\mathrm{Node}\_\mathrm{Features}(G_i,v)$ 19:       end for 20:    end for 21:    Dataset & train:    ${\mathcal{D}}_i\leftarrow \left\{(S_u^i,{\mathbf{x}}_v^i)\right|u\in C_i^K,v\in S_u^i\},\{{\mathcal{D}}_i^{\mathrm{tr}},{\mathcal{D}}_i^{\mathrm{te}}\}\leftarrow \mathrm{split}\left({\mathcal{D}}_i\right)$ 22:    $f_i\leftarrow \mathrm{train}(f_{i-1},{\mathcal{D}}_i^{\mathrm{tr}})$ 23:    for $j=1$ to i do 24:       $R_{i,j}\leftarrow \mathrm{eval}(f_i,{\mathcal{D}}_j^{\mathrm{te}})$ 25:    end for 26: end for

Given a timestamp $t_i$, we extract the ITN $\Delta G_i$ and assemble the cumulative snapshot $G_i$, which comprises all transactions up to $t_i$. Initially, the snapshot is a multigraph. We simplify the multigraph into a simple graph (still denoted by $G_i$ for convenience) by merging parallel edges and summing their transaction amounts. This simplification preserves the main node features of the ETN while avoiding the additional complexity of handling multi-edge structures during GNN message passing.

At each stage i, we first extract phishing and non-phishing nodes from the ITN $\Delta G_i$, distinguishing nodes newly added in $\Delta G_i$ from those reappearing from earlier ITNs. We then construct the class-balanced central node set $C_i^K$ by balanced sampling, selecting equal numbers of phishing and non-phishing nodes. The memory buffer ${\mathcal{M}}_i$ is populated with the reappearing phishing nodes and an equal number of non-phishing nodes. Next, for every central node $u\in C_i^K$, we extract its 1-ATSG $S_u^i$ from the simplified snapshot $G_i$ and compute node features for each node $v\in S_u^i$. The collection $\left\{S_u^i|u\in C_i^K\right\}$ constitutes the dataset ${\mathcal{D}}_i$, which we use to train the GNN model and evaluate its performance under continual learning settings. Further implementation details are given in Section 5.

5. Experiments

We conduct extensive experiments to evaluate the performance of the proposed method on detecting Ethereum phishing scams.

5.1. Data

We construct the ETN dataset for continual graph learning based on ETN data on XBlock (https://xblock.pro/#/dataset/13, accessed on 15 March 2025), which contains 2,973,489 addresses, 13,551,303 transactions, and 1165 labeled phishing addresses. This transaction network is composed of 13 connected components, where a connected component is a network in which all nodes are reachable from each other through (un)directed edges. We select the largest component, which contains 2,973,382 addresses, 13,551,214 transactions, and 1157 labeled phishing addresses, to construct the continual graph learning datasets.

Table 2. Ethereum phishing transaction network statistics.

Items	Original Network	Max Component
Components	13	1
Nodes (addresses)	2,973,489	2,973,382
Edges (transactions)	13,551,303	13,551,214
Phishing nodes	1165	1157
Non-phishing nodes	2,972,324	2,972,225

summarizes the statistics of this dataset.

Although node features are not strictly required for graph classification tasks, they can provide valuable information that enables GNNs to more effectively capture patterns and features within the graph structure. In particular, we extract the following node features:

• Node labels: Each node is labeled to indicate whether it represents a phishing or non-phishing entity. Although phishing scam detection in Ethereum is fundamentally a node classification task, these node labels can also serve as features when reformulating the problem as a graph classification task.
• The number of neighbors: A neighbor of a given node is any node reachable from it. First-order neighbors are directly connected to the given node, while higher-order neighbors are reached through one or more intermediate nodes. For instance, second-order neighbors are connected via one intermediate node, and k-order neighbors are connected through $k-$1 intermediaries. In this paper, we consider the number of first-order neighbors as a node feature.
• In-degree: The number of edges directed towards a node, indicating how many edges terminate at that node. In the ETN, in-degree represents the number of incoming transactions an account receives from other accounts.
• Out-degree: The number of edges originating from a node, indicating how many edges start from that node. In the ETN, out-degree reflects the number of outgoing transactions from an account to other accounts.
• Total degree: The sum of in-degree and out-degree, representing the total number of edges connected to a node, regardless of direction. In the ETN, the total degree corresponds to the number of transactions associated with an account.
• In-strength: In a weighted graph, in-strength is the sum of the weights of all incoming edges to a node, serving as the weighted counterpart of in-degree. It captures the total influence or flow that a node receives from its neighbors. In the ETN, it refers to the total amount of Ether received by an account.
• Out-strength: In a weighted graph, out-strength is the sum of the weights of all outgoing edges from a node, representing the weighted counterpart of out-degree. It reflects the total influence or flow that a node exerts on its neighbors. In the ETN, it denotes the total amount of Ether sent by an account.
• Total strength: The sum of in-strength and out-strength, representing the total weighted connections of a node. It quantifies the overall influence the node exerts and receives within the network. In the ETN, it refers to the total amount of Ether involved in an account’s transactions.

5.2. ETN Partition

Following the chronological order, we propose partitioning the ETN based on the principle of an approximately equal number of phishing accounts. Specifically, we first sort all 1157 phishing accounts according to their first timestamps and then allocate them into 10 ITNs on average (i.e., 116 for the first 7 ITNs and 115 for the last 3 ITNs).

Defining the first timestamp of a phishing node $v_i$ is $t_i^1(i=1,2,\cdots ,1157$), and the first ITN contains all transactions between the beginning timestamp of the ETN (denoted by $t_0$) and the timestamp $t_{117}^1-1$. The second ITN contains all transactions between the timestamp $t_{117}^1$ and $t_{233}^1-1$, and so forth. The last ITN contains all transactions between the timestamp $t_{1043}^1-1$ and the last timestamp (denoted as $t_n$). In this way, we derive 10 ITNs ($\Delta G_1,\Delta G_2,\cdots ,\Delta G_{10}$) by partitioning the ETN $G_n$, along with the distribution of phishing node across these ITNs, as detailed in

Table 3. Distribution of phishing nodes across ITNs.

$\mathbf{\Delta }{\mathit{G}}_{\mathit{i}}$	$\mathbf{\Delta }{\mathit{G}}_1$	$\mathbf{\Delta }{\mathit{G}}_2$	$\mathbf{\Delta }{\mathit{G}}_3$	$\mathbf{\Delta }{\mathit{G}}_4$	$\mathbf{\Delta }{\mathit{G}}_5$	$\mathbf{\Delta }{\mathit{G}}_6$	$\mathbf{\Delta }{\mathit{G}}_7$	$\mathbf{\Delta }{\mathit{G}}_8$	$\mathbf{\Delta }{\mathit{G}}_9$	$\mathbf{\Delta }{\mathit{G}}_{10}$
$\Delta G_1$	116	49	8	15	3	4	7	3	3	6
$\Delta G_2$	0	116	34	22	11	9	10	6	4	9
$\Delta G_3$	0	0	116	51	24	15	16	11	7	9
$\Delta G_4$	0	0	0	116	50	17	11	9	8	9
$\Delta G_5$	0	0	0	0	116	37	17	11	7	12
$\Delta G_6$	0	0	0	0	0	116	59	20	12	20
$\Delta G_7$	0	0	0	0	0	0	116	55	17	33
$\Delta G_8$	0	0	0	0	0	0	0	115	50	28
$\Delta G_9$	0	0	0	0	0	0	0	0	115	47
$\Delta G_{10}$	0	0	0	0	0	0	0	0	0	115
Sum	116	165	158	204	204	198	236	230	223	288

.

Note that the above partitioned ITNs include the inter-stage edges. To further investigate the influence of inter-stage edges on continual learning performance, we also perform continual learning without inter-stage edges.

5.3. Datasets Construction

5.3.1. Central Node Set Construction

After obtaining ITNs, we construct a corresponding class-balanced dataset ${\mathcal{D}}_i$ for each ITN $\Delta G_i$. Since we transform the node classification into a graph classification task, we first determine the central node set of ${\mathcal{D}}_i$. Under the KAR method, the central node set $C_i^K$ is the union of the phishing central node set $C_i^{Kp}$ and the central non-phishing node set $C_i^{Kn}$.

To maximize the presence of phishing examples in the dataset, we incorporate all phishing nodes into the central node set. Therefore, $C_i^{Kp}=\Delta V_i^p$. Furthermore, the phishing central node set comprises both newly added and reappearing phishing central nodes, denoted by $C_i^{Kap}$ and $C_i^{Krp}$, respectively. Particularly, $C_i^{Kap}=\Delta V_i^{ap}$, and $C_i^{Krp}=\Delta V_i^{rp}$.

The reappearing phishing central nodes are those that were newly added in earlier ITNs and then reappear in $\Delta G_i$. Formally, for each $j<i$, let $\Delta V_{ij}^{rp}=\Delta V_i^p\cap \Delta V_j^{ap}$ be the set of phishing nodes newly added in $\Delta G_j$ that reappear in $\Delta G_i$. Then the total reappearing phishing node set is $\Delta V_i^{rp}={\bigcup }_{j=1}^{i-1}\Delta V_{ij}^{rp}$.

Analogously, the central non-phishing node set $C_i^{Kn}$ is partitioned into newly added and reappearing subsets, denoted by $C_i^{Kan}$ and $C_i^{Krn}$, respectively. Since non-phishing nodes far outnumber phishing nodes, we maintain a consistent distribution of phishing and non-phishing nodes within the central node set by uniformly sampling from the corresponding pools of non-phishing candidates.

Specifically, we obtain the newly added central non-phishing node set by uniformly sampling a subset $C_i^{Kan}\subset \Delta V_i^{an}$ such that $\left|C_i^{Kan}\right|=\left|C_i^{Kap}\right|=|\Delta V_i^{ap}|$. For the reappearing central non-phishing nodes, we first randomly sample $C_{ij}^{Krn}\subset \Delta V_{ij}^{rn}$ with $\left|C_{ij}^{Krn}\right|=|\Delta V_{ij}^{rp}|$ for each $j<i$ and then aggregate $C_i^{Krn}={\bigcup }_{j=1}^{i-1}{C}_{ij}^{Krn}$. In this way, we obtain the central node set $C_i^K=C_i^{Kp}\cup C_i^{Kn}=\Delta V_i^p\cup C_i^{Kan}\cup C_i^{Krn}$.

To illustrate, we present a concrete example of central node set construction. As shown in Table 3, $\Delta G_3$ contains 158 phishing nodes in total: 116 newly added ($|\Delta V_3^{ap}|=116$) and 42 reappearing ($|\Delta V_3^{rp}|=42$), of which 8 reappear from $\Delta G_1$ ($|\Delta V_{31}^{rp}|=8$) and 34 reappear from $\Delta G_2$ ($|\Delta V_{32}^{rp}|=34$). Accordingly, the phishing central node set also contains 158 phishing nodes ($\left|C_3^{Kp}\right|=|\Delta V_3^{ap}|$).

Next, we randomly sample 116 non-phishing nodes from the newly added non-phishing node set $\Delta V_i^{an}$ so that $\left|C_3^{Kan}\right|=116$. Similarly, we randomly sample 8 non-phishing nodes from the reappearing non-phishing node pool in $\Delta G_1$ ($\left|C_{31}^{Krn}\right|=8$) and 34 from the corresponding pool in $\Delta G_2$ ($\left|C_{32}^{Krn}\right|=34$), thereby matching the distribution of reappearing phishing nodes. Consequently, the central node set in the third stage contains 316 central nodes in total ($\left|C_3^K\right|=|\Delta V_3^{ap}|+\left|C_3^{Kn}\right|=316$).

5.3.2. Subgraph and Node Feature Extraction

We then extract subgraphs and compute node features for each node contained within each subgraph. Specifically, we extract 1-ATSG $S_u^i$ from each snapshot $G_i$ for each central node $u\in C_i^K$ and compute the node features $x_v^i$ of each node $v\in S_u^i$. The resulting dataset ${\mathcal{D}}_i$ comprises all such extracted 1-ATSGs.

Additionally, we include naïve and retraining strategies for evaluation. The naïve approach simply fine-tunes the model on each new ITN without any forgetting mitigation, serving as the lower bound for continual learning performance. In contrast, the retraining method retrains the model from scratch on the accumulated date at every stage, thereby establishing an upper bound. The main difference between these two methods and the KAR method lies in the construction of the central node set and the extraction of subgraphs.

Taking stage 3 as an example, $\Delta G_3$ introduces 116 newly added phishing nodes. Under the naïve strategy, the phishing central node set consists solely of these 116 nodes. By contrast, the retraining approach aggregates all newly added phishing nodes from stages 1 through 3—totaling 348—into the phishing central node set. The sampling procedure for non-phishing central nodes mirrors that of the KAR method. As for subgraph extraction, the naïve approach extracts 1-ITSGs $\Delta S_u^3$ from $\Delta G_3$, whereas the retraining method extracts 1-ATSGs $S_u^3$ from $G_3$.

For the scenario in which inter-stage edges are removed, we extract 1-ITSGs from $\Delta G_i^{\prime }$ for the central nodes under the naïve method, and 1-ITSGs from $G_i^{\prime }$ for the central nodes under both the KAR and retraining methods.

5.4. Experimental Settings

5.4.1. Models

We conduct experiments using the following GNNs.

• GCN [42]: The GCN uses convolutional operations on graph data to aggregate information from neighboring nodes through a first-order approximation of spectral convolution.
• GAT [43]: The GAT employs attention mechanisms to assign different weights to the edges connecting a node to its neighbors, enabling more flexible and context-aware feature aggregation in graph neural networks.
• GATv2 [67]: GATv2 improves upon the original GAT by using a dynamic attention mechanism that better captures the importance of neighboring nodes, resulting in more accurate and expressive attention weights.
• GIN [45]: The GIN improves the expressiveness of graph neural networks by using sum aggregation, which closely approximates the Weisfeiler–Lehman graph isomorphism test, making it capable of distinguishing a wider variety of graph structures.

All four models share a common blueprint: two stacked graph convolutional layers (each followed by a nonlinear activation and 50% dropout); a global pooling operation that collapses node embeddings into a single graph-level vector; and a final linear classifier that produces the output logits.

In the GCN variant, both convolutional layers are implemented as GCNConv modules that project node features into a d-dimensional latent space, each followed by a ReLU activation. The GAT and GATv2 versions replace these with attention-based convolutions: the first layer employs eight parallel heads, each producing a d-dimensional output that is concatenated into a $8d$-dimensional representation and subjected to ELU activation and dropout, before a single-head projection back to d dimensions; the only difference between them is the use of GATConv versus GATv2Conv. The GIN model instead uses two GINConv layers, each internally parameterized by an MLP that applies a linear map to d dimensions, batch normalization, a ReLU, and a second linear layer with ReLU. After each convolution, global sum pooling yields two d-dimensional graph summaries that are concatenated into a $2d$-dimensional embedding and passed through a two-layer MLP head with a $2d$-unit hidden layer, ReLU activation, and 50% dropout prior to the final classification.

5.4.2. Training

We train the aforementioned GNN models using the following parameters: the proportion of the training set within each dataset ($\alpha$), the number of neurons in the hidden layers (d), the maximum number of epochs (m), the learning rate ($\eta$), and the batch size (b). Specifically, we set $\alpha$ to 0.7, d to 32, m to (100, 300, 500), $\eta$ to (0.001, 0.003, 0.005), and b to 32. All datasets are randomly shuffled before being split into training and test sets.

Training is conducted on a server equipped with an NVIDIA V100 GPU with 16GB of GPU memory. The models are implemented in PyTorch v2.1.2, with the GNNs constructed using the PyTorch Geometric library.

5.4.3. Evaluation

We assess the overall performance and degree of forgetting of the models using the average accuracy (ACC) and backward transfer (BWT), respectively, as defined in [68].

$$\begin{array}{cc}\hfill {\mathrm{ACC}}_n& ={\displaystyle \frac{1}{n}}\sum _{i=1}^n{R}_{n,i}\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill {\mathrm{BWT}}_n& ={\displaystyle \frac{1}{n-1}}\sum _{i=1}^{n-1}(R_{n,i}-R_{i,i}),\hfill \end{array}$$

(3)

where n is the number of all stages, and $R_{i,j}$ refers to the test performance on the $j\mathrm{th}$ stage after training on the $i\mathrm{th}$ stage.

ACC describes the overall performance of a continual learning model across all datasets after sequentially training on all n stages. BWT measures the extent to which a model forgets previously learned knowledge. Therefore, we use overall performance and average accuracy interchangeably, as well as backward transfer and average forgetting.

5.5. Results

5.5.1. Overall Performance

Table 4. Comparison of different models on three methods across settings with and without inter-stage edges. ↑ indicates that larger values imply better performance.

Scenario	Model	GCN		GAT		GATv2		GIN
	Metric (%)	ACC(↑)	AF(↑)	ACC(↑)	AF(↑)	ACC(↑)	AF(↑)	ACC(↑)	AF(↑)
Remove inter-stage edges	Naïve-o	$51.4\pm 1.0$	$-2.6\pm 2.0$	$49.8\pm 1.6$	$-4.8\pm 2.8$	$51.0\pm 1.6$	$-4.4\pm 2.4$	$51.5\pm 0.8$	$-6.5\pm 1.9$
	Retraining-o	$59.3\pm 4.6$	$-0.1\pm 2.8$	$61.4\pm 6.3$	$-0.5\pm 6.9$	$61.2\pm 8.0$	$-1.7\pm 8.7$	$67.6\pm 1.8$	$0.6\pm 1.6$
	Replay-o	$50.2\pm 0.4$	$-4.6\pm 1.3$	$48.9\pm 1.8$	$-6.7\pm 2.7$	$49.0\pm 1.2$	$-7.2\pm 2.9$	$51.2\pm 1.2$	$-6.6\pm 1.7$
Retain inter-stage edges	Naïve	$82.6\pm 6.4$	$0.3\pm 5.8$	$87.5\pm 4.1$	$-1.1\pm 1.6$	$86.4\pm 8.6$	$-3.4\pm 7.6$	$84.5\pm 5.9$	$-5.9\pm 7.2$
	Retraining	$86.8\pm 4.9$	$5.8\pm 5.2$	$95.4\pm 2.5$	$5.0\pm 3.9$	$96.5\pm 1.9$	$4.3\pm 3.5$	$94.9\pm 1.4$	$1.0\pm 1.7$
	Replay (KAR)	$86.8\pm 4.0$	$3.8\pm 2.7$	$93.1\pm 5.7$	$5.0\pm 3.0$	$94.9\pm 2.8$	$3.8\pm 2.3$	$91.6\pm 0.4$	$0.3\pm 1.2$

compares the average accuracy and average forgetting of four GNNs after training on all 10 datasets across two scenarios. It shows that retaining inter-stage edges significantly improves model’s overall performance and backward transfer compared to removing them.

In the scenario without inter-stage edges, nearly all models exhibit catastrophic forgetting across all three methods, as indicated by the negative backward transfer values, with the exception of the retraining-o method using a GIN. However, in the scenario with inter-stage edges, both the KAR and retraining methods eliminate catastrophic forgetting for all models. Particularly, the KAR method achieves performance comparable to the retraining method.

An intriguing observation is that, in the scenario without inter-stage edges, the replay-o method unexpectedly underperforms compared to the naïve-o method. A reasonable explanation is the high proportion of recurring nodes in the ETN, resulting in a significant number of inter-stage edges between ITNs. When inter-stage edges are removed, phishing nodes lose substantial transactional information, making their 1-TSGs less distinguishable from those of non-phishing nodes. The replay-o method introduces more of these indistinguishable samples, which paradoxically leads to worse performance compared to the naïve-o method.

5.5.2. Stage-Wise Average Accuracy

We also compare the average accuracy of four GNNs using three methods under two scenarios of each stage, as shown in Figure 5. The plots demonstrate that retaining inter-stage edges allow the model to incrementally improve overall performance or maintain stability, while removing inter-stage edges causes the model’s overall performance to decline sharply over time and eventually stabilize.

When inter-stage edges are removed, all methods experience a sharp decline in average accuracy over time, particularly during the initial stages. The naïve-o and replay-o methods eventually stabilize around 50%, while the retraining-o method performs slightly better, stabilizing at 60%. Conversely, when inter-stage edges are retained, all methods exhibit an incremental increase in average accuracy over time, except for those using the GIN model, which remain stable or show a slight decrease. Specifically, the KAR and retraining methods reach or exceed 90%, consistently delivering the best performance. The KAR method achieves results comparable to the retraining method while using less memory.

These results highlight that removing inter-stage edges hinders knowledge transfer, leading to a gradual decline in overall performance. In contrast, retaining inter-stage edges facilitates knowledge transfer, promoting improvements in overall performance over time.

5.5.3. Stage-Wise Average Forgetting

Figure 6 plots the results of the stage-wise average forgetting mechanisms of four GNNs using three methods across two scenarios. Each method generally shows stronger positive backward transfer when inter-stage edges are retained compared to when they are removed. Furthermore, in conjunction with stage-wise average accuracy, the results reveal that incremental performance improvement does not necessarily coincide with positive backward transfer values.

When inter-stage edges are removed, the naïve-o and replay-o methods consistently exhibit negative backward transfer values across all stages, indicating persistent catastrophic forgetting. The retraining-o method shows predominantly positive backward transfer, remaining stable or with slight fluctuations around zero in most cases.

In contrast, when inter-stage edges are retained, both the KAR and retraining methods show predominantly positive backward transfer values that are significantly above zero, with the exception of their implementations using the GIN model. This outcome suggests positive knowledge transfer in most cases, effectively overcoming catastrophic forgetting. Notably, the KAR method achieves performance comparable to the retraining method while using less memory. The naïve method displays considerable fluctuations, with only a few stages showing positive backward transfer values, but catastrophic forgetting remains prevalent in most stages.

5.5.4. Comparison with Existing Methods

We further compare the proposed method with several existing baselines, EWC [53], LwF [52], and TWP [10], under a unified training protocol, using a maximum of 300 epochs, a batch size of 32, and a learning rate of $0.005$.

Table 5. Comparison of four GNNs with existing methods across settings with and without inter-stage edges. Results for our method Replay (KAR), and the best results in the two scenarios are bolded.

Scenario	Model	GCN		GAT		GATv2		GIN
	Metric (%)	ACC(↑)	AF(↑)	ACC(↑)	AF(↑)	ACC(↑)	AF(↑)	ACC(↑)	AF(↑)
Remove inter-stage edges	Naïve-o	$51.50$	$-6.06$	$49.88$	$-3.39$	$49.37$	$-3.94$	$51.36$	$-7.6$
	EWC	$52.9$	$-2.24$	$51.54$	$-3.25$	$53.67$	$-1.92$	$50.72$	$-6.26$
	LwF	$52.31$	$-\mathbf{0.96}$	$50.91$	$-7.1$	$51.35$	$-3.62$	$51.83$	$-5.6$
	TWP	$50.92$	$-2.47$	$\mathbf{52.82}$	$\mathbf{-}\mathbf{0.71}$	$51.24$	$-0.08$	$52.16$	$-2.75$
	Replay-o	$50.42$	$-2.99$	$49.62$	$-11.09$	$49.48$	$-9.07$	$50.41$	$-6.5$
	Retraining-o	$\mathbf{56.29}$	$-1.77$	$52.35$	$-10.15$	$\mathbf{68.92}$	$\mathbf{5.34}$	$\mathbf{64.39}$	$\mathbf{-}\mathbf{2.64}$
Retain inter-stage edges	Naïve	$\mathbf{89.38}$	$5.72$	$87.52$	$-4.47$	$92.11$	$-1.60$	$86.08$	$-3.99$
	EWC	$83.8$	$-0.95$	$91.53$	$1.91$	$89.1$	$0.94$	$85.22$	$-7.64$
	LwF	$77.76$	$4.43$	$91.97$	$-0.97$	$92.83$	$-1.76$	$87.80$	$-5.26$
	TWP	$79.76$	$0.63$	$79.20$	$-0.63$	$76.03$	0	$89.38$	$-0.16$
	Replay (KAR)	$\mathbf{88.38}$	$\mathbf{7.48}$	$\mathbf{95.73}$	$\mathbf{4.38}$	$\mathbf{95.86}$	$\mathbf{1.26}$	$\mathbf{91.1}$	$\mathbf{0.37}$
	Retraining	$86.13$	$4.39$	$95.68$	$\mathbf{5.66}$	$94.86$	$\mathbf{2.08}$	$\mathbf{95.22}$	$\mathbf{1.81}$

presents the results under two scenarios.

As shown in Table 5, in the scenario of removing inter-stage edges, the Replay-o method confers no clear advantage: the Retraining-o method achieves the best results in most cases, while the replay-o method lags behind or at best matches other methods. Moreover, all approaches exhibit negative backward transfer values in this setting, indicating persistent forgetting of prior knowledge. In contrast, when inter-stage edges are preserved, every method attains substantially improved backward transfer—most values turn positive—and the KAR method not only matches or slightly exceeds the retraining method in average accuracy across all four GNNs but also surpasses established baselines (EWC, LwF, TWP) on both accuracy and forgetting metrics. These results underscore the critical importance of maintaining inter-stage connectivity in the Ethereum transaction network for continuous and effective phishing detection.

5.6. Determinants of Performance Improvement

From the results of stage-wise average accuracy and stage-wise average forgetting, we observe that performance improvement does not necessarily require positive backward transfer values, thereby somewhat contradicting our intuition. Figure 7 depicts the changes in average accuracy and forgetting values of the KAR method across different stages.

Figure 7 demonstrates that the variations in backward transfer closely mirror those in average accuracy, with their trends remaining consistent in most cases. However, certain exceptions to this alignment are observed. To further investigate this effect, we explore the mathematical relationship between them starting from their definitions.

According to Equations (2) and (3), we have

$$\begin{array}{cc}\hfill & n·{\mathrm{ACC}}_n=\sum _{i=1}^n{R}_{n,i}=\sum _{i=1}^{n-1}{R}_{n,i}+R_{n,n},\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill & (n-1)·{\mathrm{BWT}}_n=\sum _{i=1}^{n-1}{R}_{n,i}-\sum _{i=1}^{n-1}{R}_{i,i}.\hfill \end{array}$$

(5)

Therefore, ${\mathrm{ACC}}_n$ can be expressed as a function of ${\mathrm{BWT}}_n$. In other words, we have

$$\begin{array}{c}\hfill {\mathrm{ACC}}_n={\displaystyle \frac{n-1}{n}}·{\mathrm{BWT}}_n+{\displaystyle \frac{1}{n}}\sum _{i=1}^n{R}_{i,i}={\displaystyle \frac{n-1}{n}}·{\mathrm{BWT}}_n+{\overline{S}}_n,\end{array}$$

(6)

where ${\overline{S}}_n={\displaystyle \frac{1}{n}}{\displaystyle \sum _{i=1}^n}{R}_{i,i}={\displaystyle \frac{S_n}{n}}$ is the average initial performance over all known n stages.

To uncover the relationship between the changes in overall performance and backward transfer, we define $\Delta {\mathrm{ACC}}_n={\mathrm{ACC}}_n-{\mathrm{ACC}}_{n-1}$ as the change in overall performance after training on $n\mathrm{th}$ stage, compared to the performance after training on the $(n-1)\mathrm{th}$ stage in the continual learning process. According to Equation (6), we obtain the following equation:

$$\begin{array}{c}\hfill \Delta {\mathrm{ACC}}_n=\left({\displaystyle \frac{n-1}{n}}{\mathrm{BWT}}_n+{\overline{S}}_n\right)-\left({\displaystyle \frac{n-2}{n-1}}{\mathrm{BWT}}_{n-1}+{\overline{S}}_{n-1}\right).\end{array}$$

(7)

This equation can be further simplified to the following one:

$$\begin{array}{c}\hfill \Delta {\mathrm{ACC}}_n={\displaystyle \frac{n-1}{n}}\Delta {\mathrm{BWT}}_n+{\displaystyle \frac{1}{n(n-1)}}{\mathrm{BWT}}_{n-1}+{\displaystyle \frac{1}{n}}(R_{n,n}-{\overline{S}}_{n-1}),\end{array}$$

(8)

where $\Delta {\mathrm{BWT}}_n={\mathrm{BWT}}_n-{\mathrm{BWT}}_{n-1}$ represents the change in backward transfer after training on the $n\mathrm{th}$ stage, compared to the backward transfer after training on the $(n-1)\mathrm{th}$ stage.

Equation (8) indicates that overall performance change is primarily influenced by the variation in backward transfer, alongside its value and the initial performance of each stage.

5.6.1. Backward Transfer

In the early stages of continual learning, both the value of backward transfer and the initial performance of each stage have a notable influence on overall performance changes. This is particularly evident in cases where positive changes in backward transfer do not necessarily lead to improvements in overall performance. A clear example of this can be observed in the naive-o method, as shown in Figure 5d and Figure 6d.

When $n=2$, the naïve-o method exhibits a large negative backward transfer value, indicating substantial forgetting. Although there is a positive change in backward transfer from stages two to three, this improvement is insufficient to offset the negative impact of the large negative backward transfer and the continuously declining initial performance, leading to a further decrease in overall performance. This highlights the critical role of both backward transfer and initial performance in the early stages of continual learning.

5.6.2. Initial Performance

Figure 5 and Figure 6 also reveal the significant influence of initial performance in early stages on overall performance changes. For highly discriminative models such as GINs, the initial performance at the beginning tends to be high, as shown in Figure 5d. According to Equation (8), this can negatively impact overall performance. If changes in backward transfer and its values fail to offset the gap between the initial performance of new stages and the average initial performance of previous stages, overall performance declines. For example, in the naïve method, both the backward transfer value and its change are negative, which exacerbates this decline. In contrast, less discriminative models such as GCNs, GATs, and GATv2 exhibit lower initial performance in the early stages. In the sample-incremental setting of this study, a lower starting performance proves beneficial for improving overall performance, particularly when the introduction of new samples reinforces the model’s inductive bias, as observed when inter-stage edges are retained.

5.6.3. Backward Transfer Change

As the number of stage increases, the influence of backward transfer variation on performance becomes progressively stronger. In the limit, as the number of stages approaches infinity, overall performance change is governed solely by the change in backward transfer.

The relationship between the average accuracy and backward transfer indicates that predominantly negative backward transfer values do not necessarily result in a continuous performance decline. For example, in the naïve method, the backward transfer values are negative most of the time due to the absence of forgetting-resistant strategies. However, by retaining inter-stage edges, both phishing samples and non-phishing samples preserve most transaction information, maintaining the primary pattern distinction between them. As a result, the initial performance across stages differs slightly, preventing sharp drops in overall performance and even allowing for gradual improvement.

Similarly, predominantly positive backward transfer values do not guarantee incremental performance improvement. In the retraining-o method, the backward transfer values are generally positive due to the accumulation of data from all prior stages, indicating no forgetting. However, the removal of inter-stage edges causes a significant loss of transaction information, disrupting the pattern distinction between phishing and non-phishing nodes. Consequently, subsequent stages fail to enhance the patterns from earlier ones, and the initial performance on new stages is substantially lower than the average initial performance of previous stages, thereby negatively impacting overall performance.

5.7. Convergence

5.7.1. Performance Perspective

In deep learning, convergence refers to the state where the training process stabilizes, typically characterized by the loss function, model parameters, gradient norms, or validation error reaching a steady state or approaching an optimal value. It can also be reflected in the stabilization of model performance metrics, such as accuracy, which exhibit no further improvement as training progresses. Currently, the convergence of deep learning is predominantly studied through the lens of loss function optimization via stochastic gradient descent, with limited focus on alternative approaches. In this work, we assess convergence from the perspective of average accuracy and backward transfer. Specifically, we define the convergence in continual learning from the changes in average accuracy and backward transfer.

5.7.2. $ϵ$-k Bounded Convergence

Considering the changes in overall performance and backward transfer as functions of n, and given their bounded ranges ($\Delta {\mathrm{ACC}}_n\in [-1,1],\Delta {\mathrm{BWT}}_n\in [-2,2]$), it is impossible that these changes exhibit a strictly monotonic increase or decrease over the long term as n grows. Instead, they can only fluctuate within their respective ranges.

To formalize this, we introduce two thresholds $ϵ$ and k to define $ϵ$-k bounded convergence, where continual learning is considered converge when backward transfer variation or overall performance variation falls below a specified threshold $ϵ$ over k consecutive stages, rather than requiring the variation to strictly reach zero. This allows for more flexibility in determining convergence based on task-specific requirements. Since different scenarios prioritize different metrics, we separately define convergence based on overall performance and backward transfer.

Specifically, continual learning is considered to converge on average accuracy at t stage if $|\Delta {\mathrm{ACC}}_n|\le ϵ,\forall n\in [t,t+k-1]$. Similarly, it converges on backward transfer at t stage if $|\Delta {\mathrm{BWT}}_n|\le ϵ,\forall n\in [t,t+k-1]$. As the change in overall performance with increasing stages is primarily influenced by variations in backward transfer, it is generally sufficient to use either of these two metrics to assess convergence.

5.7.3. Convergence in KAR Method

In the sample incremental scenario examined in this paper, as shown in Figure 5 and Figure 6, the introduction of new samples initially exerts a pronounced impact on previous stages, leading to substantial changes in both overall performance and backward transfer. As n increases, the influence of new samples on earlier stages gradually diminishes, resulting in smaller variations in overall performance and backward transfer, eventually stabilizing with minor fluctuations around zero. This indicates that, in this sample-incremental setting, the variations in average accuracy and backward transfer will ultimately converge to a relatively stable state over time. To explain this, we further explore the key factors influencing convergence, building on their respective definitions.

According to Equation (2), we obtain

$$\Delta {\mathrm{ACC}}_n={\displaystyle \frac{1}{n}}\sum _{i=1}^n{R}_{n,i}-{\displaystyle \frac{1}{n-1}}\sum _{i=1}^{n-1}{R}_{n-1,i}.$$

(9)

Since ${\sum }_{i=1}^n{R}_{n,i}={\sum }_{i=1}^{n-1}{R}_{n,i}+R_{n,n}$, Equation (9) can be simplified to the following one:

$$\begin{array}{c}\hfill \Delta {\mathrm{ACC}}_n={\displaystyle \frac{1}{n}}\sum _{i=1}^{n-1}(R_{n,i}-R_{n-1,i})+{\displaystyle \frac{1}{n}}(R_{n,n}-{\mathrm{ACC}}_{n-1}).\end{array}$$

(10)

Similarly, according to Equation (3), we have

$$\begin{array}{c}\hfill \Delta {\mathrm{BWT}}_n={\displaystyle \frac{1}{n-1}}\sum _{i=1}^{n-1}\left(R_{n,i}-R_{i,i}\right)-{\displaystyle \frac{1}{n-2}}\sum _{i=1}^{n-2}\left(R_{n-1,i}-R_{i,i}\right).\end{array}$$

(11)

Since ${\sum }_{i=1}^{n-1}\left(R_{n,i}-R_{i,i}\right)={\sum }_{i=1}^{n-2}(R_{n,i}-R_{i,i})+(R_{n,n-1}-R_{n-1,n-1})$, Equation (11) can be simplified to

$$\begin{array}{c}\hfill \Delta {\mathrm{BWT}}_n={\displaystyle \frac{1}{n-1}}\sum _{i=1}^{n-1}(R_{n,i}-R_{n-1,i})-{\displaystyle \frac{1}{n-1}}{\mathrm{BWT}}_{n-1}.\end{array}$$

(12)

Equations (10) and (12) suggest that the convergence of continual learning process is predominantly influenced by the term $R_{n,i}-R_{n-1,i}$, thereby representing the change in performance on the $i\mathrm{th}$ stage after training on the $n\mathrm{th}$ stage relative to the $(n-1)\mathrm{th}$ stage. This term quantifies the extent to which performance on the $i\mathrm{th}$ stage is affected by additional training on the $n\mathrm{th}$ stage, thereby reflecting the influence of newly acquired knowledge on previously learned knowledge.

Let $I_n={\sum }_{i=1}^{n-1}(R_{n,i}-R_{n-1,i})$, ${\overline{I}}_n^a={\displaystyle \frac{I_n}{n}}$, and ${\overline{I}}_n^b={\displaystyle \frac{I_n}{n-1}}$. The term $I_n$ represents the cumulative influence of learning the $n\mathrm{th}$ stage on all preceding stages. Furthermore, ${\overline{I}}_n^a$ quantifies the average influence on average accuracy, while ${\overline{I}}_n^b$ captures the average influence on backward transfer.

In this paper, we identify two primary factors that influence convergence: uncertainties arising from random sampling and significant shifts in phishing patterns. The KAR method effectively preserves prior knowledge by retaining inter-stage edges and evolutionary subgraphs of reoccurring phishing nodes. When phishing patterns remain stable, learning at a new stage typically has a positive effect on earlier stages, with the magnitude of this effect gradually diminishing and eventually stabilizing around zero. However, this influence can fluctuate irregularly due to random sampling uncertainties. For instance, if a stage’s sampling disproportionately includes exceptional non-phishing nodes, the impact of learning this new stage on prior stages may be more pronounced than usual.

When excluding random sampling uncertainties, significant changes in phishing patterns at a later stage—if not captured by the node features—may cause substantial fluctuations in the influence on prior stages, even if the model has already converged at an earlier stage. In cases where the phishing patterns of subsequent stages differ significantly from those of earlier stages, learning the new stage may negatively affect prior stages, leading to a decline in overall performance. However, if the phishing patterns of later stages align with those of earlier stages, the model’s performance may gradually recover and eventually converge to a new stable state. Consequently, convergence in continual learning may not be a one-time event but rather a multi-stage process.

5.7.4. Convergence in Broader Contexts

In broader continual learning scenarios, the convergence of continual learning may depend on the relationships between tasks, model capacity, and anti-forgetting strategies. Specifically, similar or complementary tasks encourage positive transfer, supporting convergence, while unrelated tasks can lead to interference and hinder stability. High-capacity models (e.g., with a large number of parameters) better accommodate new information without overwriting prior knowledge, whereas limited-capacity models may struggle to represent both old and new tasks, slowing or even preventing convergence. Effective anti-forgetting strategies, such as replay methods or regularization techniques, help maintain learned representations and stabilize performance. In scenarios where these factors are misaligned or inadequately addressed, the convergence of continual learning becomes uncertain and warrants further discussion.

6. Discussion

6.1. A Knowledge Perspective

The core of the KAR method lies in the ability of knowledge learned from later stages to supplement or augment the knowledge acquired from earlier stages, thereby facilitating incremental improvement in overall performance. In deep learning, knowledge takes various forms and is represented through different carriers, including data samples, data distributions, embeddings, and model parameters, all of which form a hierarchical structure.

In graph theory [69], nodes serve as the fundamental elements. Edges, subgraphs, and entire graphs are all defined based on nodes and their relationships. As such, nodes can be considered the smallest unit of knowledge within graph data. In knowledge graphs, for example, nodes often represent specific entities, each containing attribute information. A node representing a cat, for instance, might include attributes such as breed, fur color, and other relevant details. This attribute information constitutes the knowledge associated with the node and is commonly expressed in the form of a triplet: “node–attribute–attribute value.”

However, the knowledge encapsulated within a single node is often isolated. In most cases, knowledge is organized and represented in a systematic, hierarchical, or networked manner to facilitate understanding, usage, and reasoning. Consequently, nodes can also represent abstract categories or concepts, with their relationships to entity-specific nodes expressing more complex knowledge. For example, in a knowledge graph, a node might represent the concept of “animal”, and through its relationship to the node representing “cat”, it can convey the knowledge “a cat is an animal”. In this case, the node becomes a component of a more intricate knowledge structure, with triplets of the form “node–relationship–node” serving as fundamental building blocks of such organized knowledge.

In this paper, a node represents an account, which encompasses various details such as account type, permissions, registration time, address, and public/private key pairs. However, this information alone is insufficient for identifying phishing accounts. To extract the necessary knowledge for phishing detection, we require interaction data (transactions) between accounts. The more comprehensive the transactions, the clearer the distinction between phishing and non-phishing accounts, enabling the model to learn more discriminative representations and thereby improving performance. To this end, the KAR method utilizes transaction subgraphs as a fundamental knowledge structure to capture account transaction behaviors. By retaining inter-stage edges and the 1-ATSGs of reoccurring phishing accounts, the method preserves more transactions. This approach not only addresses catastrophic forgetting but also strengthens the differentiation between phishing and non-phishing accounts. As new stages are introduced, the model can continuously refine and update its knowledge, resulting in a gradual improvement in overall performance.

6.2. Applicability of KAR

The KAR method is not confined to Ethereum phishing detection; it can be extended to a wider range of cryptocurrency anomaly detection applications, including anti-money laundering and fraud detection. Additionally, the Ethereum transaction network is a multigraph, whereas simple graphs (i.e., graphs without multiple edges between two nodes and self-loops) do not exhibit reoccurring nodes, making it impossible to identify important nodes. However, alternative approaches can be used to assess node importance. In graph theory, metrics such as degree and centrality are commonly employed to gauge the significance of nodes. In deep learning, node importance can be evaluated based on its contribution to the learning task, which can be quantified through factors such as loss function values, gradients, and model parameters. The specific metrics and methods for evaluating node importance vary according to the task and application context.

On the other hand, knowledge is not solely confined to being expressed through subgraphs. In continual graph learning scenarios involving multiple tasks, such as task incremental and class incremental settings, samples from a particular class can be represented by one or multiple prototypes. When a new sample belonging to an existing class appears, its similarity to the prototype of the known class can be measured using Euclidean distance or cosine similarity, allowing the prototype to be updated or augmented. When a new class emerges, a new prototype is added to the existing set of prototypes. This approach enables the model to retain knowledge from previous tasks while simultaneously learning from new ones. The concept of prototypes can also be interpreted from a graph perspective. If the prototype of a class is viewed as a central node, each sample from that class can be seen as a child node connected to the prototype by their similarity, forming a subgraph. The greater the number of representative samples, the richer the information, and the more accurately the prototype can represent the class.

In general continual learning settings, data often lack clear relationships. However, relationships can be discovered or constructed, such as temporal relationships in scenarios with time-series (e.g., video analysis, action recognition, object tracking) and spatial relationships in tasks like multi-view learning or 3D reconstruction. Images can also be linked through similarity measures; for instance, ref. [70] uses the RBF kernel to compute pairwise similarities and generate random graphs that capture relational structures. However, how these relational structures are effectively leveraged to incrementally enhance model performance in general continual learning remains an open question.

7. Conclusions

In this work, we address the challenge of incremental performance improvement in sample-incremental continual graph learning for node classification tasks, with a focus on leveraging inter-stage edges as a pathway for explicit knowledge transfer. We propose a knowledge-augmented replay method, KAR, to use these edges to reinforce learned patterns across stages, effectively mitigating catastrophic forgetting and achieving incremental performance improvement by consolidating previously acquired knowledge while integrating new information. Experimental results on Ethereum phishing scam detection validate KAR’s effectiveness, achieving performance comparable to retraining with lower resource requirements. Additionally, we analyze the role of backward transfer variation in long-term performance changes and introduce $ϵ$-k bounded convergence as a practical criterion for assessing the convergence of continual learning.

Looking forward, our findings on knowledge augmentation provide a foundation for preserving and enhancing knowledge in evolving graph structures for incremental performance improvement. This approach has potential applicability beyond Ethereum phishing detection, extending to cryptocurrency anomaly detection and even other various continual graph learning scenarios. Further research could explore adapting knowledge augmentation to other continual learning settings. Further refinement of the $ϵ$-bounded convergence criterion may also facilitate standardization in convergence assessment, supporting sustained model performance across dynamic data landscapes.