TL;DR for operators
Fraud teams already know the problem: the suspicious review, shop, seller, or account is rarely suspicious in isolation. The useful evidence is scattered across neighbours — same user, same product, same rating pattern, same time window, same commercial ecosystem. The less useful evidence is also scattered there. At scale, that second pile is larger. How inconvenient.
The paper behind DGP, or Dual-Granularity Prompting, asks a practical question: if LLMs are good at reading text, and fraud graphs are full of text, why not let the LLM read the graph?1 The answer is that “read the graph” quickly becomes “read a novella written by everyone adjacent to the graph”. In one industrial example discussed by the authors, a neighbouring node can carry more than 1,500 tokens, and a two-hop neighbourhood can balloon to millions of tokens. More context is not strategy. Sometimes it is just an expensive way to hide the answer.
DGP’s solution is simple in spirit and quite specific in execution. It keeps the target node’s own text at fine granularity, because that is where the immediate fraud evidence may live. It compresses neighbours into coarse summaries, because neighbour context is useful mainly as pattern evidence, not as bedtime reading. It trims metapath neighbours using Markov diffusion, summarises selected neighbour text at the metapath level, and aggregates numerical or categorical features by mean. The resulting prompt lets the LLM see both the target and its graph context without letting the neighbours take over the room.
The paper reports strong results across four datasets: YelpReviews, AmazonVideo, and two proprietary ByteDance datasets, E-Commerce and LifeService. DGP achieves the best reported Macro-F1, AUROC, and AUPRC across all four datasets. The largest practical gain is on YelpReviews, where DGP reaches 48.87 AUPRC versus 42.11 for the strongest baseline, a 6.76 percentage-point improvement.
For business use, the main lesson is not “replace your fraud GNN with an LLM”. That would be the sort of conclusion one reaches after reading only the abstract and perhaps one inspirational LinkedIn post. The better lesson is that LLMs can help where fraud evidence is textual and relational, but only if graph context is aggressively shaped: preserve the suspect item, compress the neighbourhood, and keep the prompt budget under control.
The real problem is not graph data. It is graph verbosity
Fraud graphs are attractive because fraud is relational. A fake review is connected to users, products, time windows, ratings, devices, shops, accounts, and behavioural clusters. A fraudulent shop may not shout “fraud” in its own profile, but its neighbours may whisper it repeatedly.
Traditional graph neural networks handle this relational structure well. They pass signals through neighbourhoods and learn structural patterns that isolated tabular models miss. But fraud graphs increasingly contain rich natural language: review text, shop descriptions, complaint narratives, listing copy, appeal messages, seller profiles. GNNs can use engineered or encoded text features, but they do not naturally reason over the fine-grained semantics of that text.
LLMs appear to solve that second problem. They read. They classify. They can compare textual cues. They can process semi-structured prompts. So one path is to convert graph information into text and let the LLM classify the target node.
The paper separates that path into two broad strategies:
| Strategy | What it saves | What it loses |
|---|---|---|
| Encoding-based graph prompting | Prompt length, because graph information is compressed into vectors | Fine semantic interaction, because text is vectorised early |
| Text-only graph prompting | Rich textual detail, because neighbour texts are included directly | Prompt focus and cost, because multi-hop neighbourhoods explode |
DGP lives between these two unsatisfying extremes. It does not abandon text by vectorising everything too early. It also refuses to concatenate every neighbour’s full text into a single heroic prompt. The design claim is that target text and neighbour text should not be treated with the same granularity.
That sounds obvious once stated. It is not how many “LLM plus graph” designs behave. The default instinct is to give the model more context, then blame the model when the useful signal drowns in the swamp. A classic enterprise pattern, really.
DGP keeps the suspect detailed and turns the crowd into summaries
The mechanism-first reading of this paper starts with the central asymmetry: the target node deserves detail; the neighbourhood deserves compression.
DGP builds the final classification prompt in four steps.
First, it creates a short task-agnostic summary for each node’s raw text. For a review, that means compressing the review content. For a shop profile, it means compressing the profile text. The important word is task-agnostic. The summary prompt does not say “extract fraud signals”. It simply asks for a short summary within a fixed token budget.
Second, it uses metapaths to define meaningful graph neighbourhoods. A metapath is a typed relational route such as Review → User → Review. In review fraud, one metapath might connect reviews written by the same user. Another might connect reviews on the same product with the same rating. The point is not just that two nodes are near each other; it is how they are near each other.
Third, it trims those metapath-specific neighbours using a Markov diffusion kernel. This is the paper’s way of avoiding the “all neighbours are useful because they are neighbours” fantasy. For each metapath, DGP estimates structural-semantic closeness and keeps only the top-$M$ nearest neighbours. The retained neighbours are then summarised into a metapath-level text summary.
Fourth, it handles numerical and categorical features differently from text. Instead of asking an LLM to summarise numbers poetically, which sounds like a punishment for everyone involved, DGP uses mean aggregation along each selected metapath. Ratings, categories, and other structured fields remain structured signals.
The final prompt combines:
| Prompt ingredient | Granularity | Reason |
|---|---|---|
| Target node text | Fine-grained | The target’s own text may contain direct fraud cues |
| Selected neighbour text | Coarse-grained metapath summaries | Neighbours provide contextual pattern evidence, but full text is noisy |
| Numerical/categorical neighbour features | Aggregated statistics | Structured fields should preserve distributional information |
| Classification instruction | First-token Yes/No probability | Fraud probability is derived from the LLM’s logits for “Yes” and “No” |
The target is therefore not treated as just another item in the crowd. It stays visible. The neighbourhood becomes structured context.
The token argument is the business argument wearing a lab coat
The paper’s complexity analysis is more than theoretical housekeeping. It is the operational argument.
A full-neighbour text prompt grows with the average out-degree $D$, number of hops $K$, and average text length $L$:
DGP’s final classification prompt instead scales with the number of relation types $R$, the hop depth $K$, and the metapath summary budget $B$:
The difference matters because $D$ can be much larger than $R$. The paper gives AmazonVideo as an example where $D=133$, while $R$ is only the number of relation types. It also notes YelpReviews has average node text length $L=170$. In plain English: long text times dense neighbourhoods equals prompt obesity. DGP puts the prompt on a diet without pretending text does not matter.
The authors also frame this as attention dilution under class imbalance. If the target node is fraudulent but most neighbours are benign, adding many neighbour tokens reduces the fraction of fraud-related tokens in the prompt. They define the fraud-related token fraction as:
where $L$ represents target tokens, $m$ tokens per neighbour, $n_K$ the $K$-hop neighbourhood size, and $p$ the global fraud ratio. As neighbourhood size grows, $r$ drifts toward $p$. Since $p$ is small in fraud settings, the useful signal becomes a minority voice inside the prompt. Democracy, unfortunately, is not always good for fraud detection.
This is not just an LLM problem. It is a risk-operations problem. Every fraud stack has an analogue: more rules, more signals, more logs, more alerts, more explanation fields, more dashboards. At some point, information stops being evidence and becomes weather.
What the experiments directly show
The experiments compare DGP against several categories of baselines: GNNs, a graph-agnostic MLP, a standalone fine-tuned Qwen3-8B LLM using target nodes only, LLM-enhanced GNNs such as TAPE, and graph-enhanced LLM methods such as GraphGPT, HiGPT, and InstructGLM.
The datasets are a useful mix. YelpReviews and AmazonVideo are public review-based benchmarks. E-Commerce and LifeService are proprietary ByteDance datasets involving shop profiles. All four contain textual and numerical features, multiple edge types, and imbalanced fraud labels. The training sets are deliberately limited, reflecting the reality that high-quality fraud labels are expensive.
Here is the clearest comparison: DGP versus the strongest baseline by AUPRC on each dataset.
| Dataset | DGP AUPRC | Strongest baseline AUPRC | Difference | Likely interpretation |
|---|---|---|---|---|
| YelpReviews | 48.87 ± 0.82 | 42.11 ± 0.16, ConsisGAD | +6.76 | Large gain where rich review text and graph relations both matter |
| AmazonVideo | 34.63 ± 0.24 | 33.41 ± 0.66, HGT | +1.22 | Modest but consistent gain over strong graph modelling |
| E-Commerce | 82.35 ± 0.20 | 76.40 ± 0.40, ConsisGAD | +5.95 | Strong industrial result on text-rich shop profiles |
| LifeService | 95.45 ± 0.07 | 92.85 ± 0.24, ConsisGAD | +2.60 | Improvement remains visible even when baseline performance is already high |
The paper also reports DGP as the top method across Macro-F1 and AUROC on all four datasets. On E-Commerce, for example, DGP reaches 75.01 Macro-F1, 82.74 AUROC, and 82.35 AUPRC. On LifeService, it reaches 93.73 Macro-F1, 98.04 AUROC, and 95.45 AUPRC.
The most important comparison is not “DGP beats one weak baseline”. It beats several families of models. Standalone LLMs underperform because target-node text alone is not enough. GNNs do better because structure matters. Some graph-enhanced LLMs help, but either compress semantics too early or carry too much prompt noise. DGP wins by treating graph context as something to be designed, not dumped.
The ablations say the mechanism is doing actual work
The detailed analysis section is easy to skim. That would be a mistake, because it tells us whether DGP is one good idea or just a bundle of decorations around a strong LLM.
The ablation study removes DGP components on YelpReviews and AmazonVideo. Its likely purpose is component validation: does each part of the method contribute to performance, or is the improvement mostly coming from the LLM backbone and fine-tuning recipe?
The answer is that the components matter.
Removing textual summarisation causes a clear performance drop. Removing numerical summarisation also hurts. Within the textual side, removing Markov diffusion kernel trimming or metapath summarisation also reduces performance. The paper states that textual features appear more important than numerical features in these datasets, which fits the setting: review spam and shop-profile fraud are heavily semantic, even when structured features help.
A useful way to read the experiments is this:
| Test | Likely purpose | What it supports | What it does not prove |
|---|---|---|---|
| Main comparison across four datasets | Main evidence | DGP outperforms tested GNN, LLM, and hybrid baselines under the paper’s setup | Universal superiority across all fraud domains |
| Component ablation | Ablation | Text summaries, numerical aggregation, MDK trimming, and metapath summaries each add value | Exact contribution size in every domain |
| Summary length sweep | Robustness/sensitivity test | Very short summaries lose context; long summaries can reintroduce dilution; around 10 tokens works best in the tested public datasets | That 10 tokens is always optimal |
| Task-aware versus task-agnostic summarisation | Variant test | Fraud-specific summarisation prompts can degrade performance | That domain knowledge is never useful |
The last result is especially interesting. The paper compares generic node-level summarisation with task-aware summarisation that explicitly asks the model to focus on fraudulent behaviour. On YelpReviews, task-aware summarisation drops AUPRC from 48.87 to 29.02. On AmazonVideo, it drops from 34.63 to 31.82. Macro-F1 and AUROC fall as well.
This is not an argument against expertise. It is an argument against crude expertise injected at the wrong stage. If the summariser is told too narrowly what to look for, it may discard subtle cues that the downstream classifier would have used. Fraud is not a list of keywords. Fraudsters do read the checklist eventually.
The 10-token result is not a magic number
The summary-length experiment varies the neighbour summary budget over 5, 10, 20, 40, and 80 tokens on YelpReviews and AmazonVideo. The best performance is generally achieved around 10 tokens.
The result should not be converted into a universal rule: “all neighbour summaries shall henceforth be 10 tokens, blessed by arXiv”. That would be tidy and wrong.
The better interpretation is that DGP’s neighbour context is useful at a high level of abstraction. Five tokens can be too compressed to preserve useful context. Eighty tokens may reintroduce the same dilution problem DGP is trying to avoid. The sweet spot in these datasets is small because the neighbour’s job is not to retell its full story. The neighbour’s job is to say what kind of local pattern it contributes.
For operators, this matters. In fraud systems, context budgets should be tuned like risk thresholds, not guessed like font sizes. A neighbour-summary budget is a control lever: too low, and the model is blind to relational nuance; too high, and the target signal gets buried.
What Cognaptus infers for fraud operations
The paper directly shows that DGP works well on the authors’ selected public and industrial graph datasets. The business question is what this suggests for teams building fraud, abuse, trust-and-safety, marketplace integrity, or transaction-risk systems.
The immediate inference is that LLMs are more useful as semantic graph readers than as isolated text classifiers. The standalone LLM baseline in the paper is not enough. Rich text helps, but fraud is relational. A suspicious profile, review, or shop has to be read alongside its graph context.
The second inference is that graph context needs summarisation policy. DGP’s value does not come from handing an LLM every neighbouring node and hoping transformer attention will politely sort it out. It comes from deciding which text stays detailed, which text becomes summary, which neighbours survive trimming, and which numerical signals remain numerical.
The third inference is that this pattern is attractive for scarce-label environments. The datasets use limited labelled training nodes, matching the real-world problem that verified fraud labels are slow, costly, and sometimes legally sensitive. If a model can combine graph structure and text under scarce labels, it becomes relevant to operations where manual investigation capacity is the bottleneck.
A practical adoption frame looks like this:
| Technical contribution | Operational consequence | ROI relevance |
|---|---|---|
| Fine target-node text | Investigators and models retain the suspect item’s own evidence | Reduces false narratives caused by over-weighting neighbours |
| Metapath-specific neighbour summaries | Context becomes structured by relationship type | Supports more interpretable case context and risk segmentation |
| Diffusion-based neighbour trimming | The model ignores many weakly relevant neighbours | Controls inference cost and reduces noise |
| Numerical feature aggregation | Ratings, categories, and structured attributes remain usable | Avoids wasting LLM capacity on basic statistics |
| Task-agnostic summarisation | Summaries preserve broader cues instead of hard-coded fraud stereotypes | Helps when fraud patterns shift or are poorly specified |
The commercial value, if it holds in deployment, is not just better AUPRC. It is a more disciplined way to use LLMs in fraud pipelines: use language models where semantic interpretation matters, but put a gate in front of the context.
Where this should fit in a production stack
DGP is best read as a candidate modelling layer, not a complete fraud platform.
In a production marketplace or financial platform, a DGP-style system would likely sit downstream of data engineering that builds heterogeneous graphs and upstream of case management or automated actioning. It could produce fraud probabilities, provide metapath-conditioned context, or serve as a second-stage scorer for suspicious nodes identified by cheaper models.
A sensible deployment would not begin by replacing existing rules, graph models, or investigator workflows. It would test DGP-like prompting as a challenger model on historical labelled cases, especially where text is central: review spam, seller profile abuse, fake-shop detection, repeated listing manipulation, and coordinated content fraud.
The sharper question is not whether an LLM can classify fraud. It can classify many things, including its own confidence with great theatrical sincerity. The sharper question is whether graph-conditioned summarised context improves the operational decision enough to justify compute, latency, privacy handling, and monitoring.
DGP gives a strong research answer. The production answer still needs measurement.
Boundaries that matter before anyone buys GPUs
The paper is careful enough to make its practical boundaries visible.
First, the evidence is strongest for heterogeneous graphs with rich text and structured features. If the fraud problem is mostly transactional time series, device telemetry, or low-text behavioural scoring, DGP may be less directly applicable. It might still inspire context compression, but the exact method would need adaptation.
Second, the experiments use static graph snapshots. The authors explicitly list dynamic graphs, where fraud patterns evolve over time, as future work. This matters because fraud operations are adversarial. Patterns decay. Attackers adapt. A summarisation scheme that works on last quarter’s graph may become a museum exhibit with excellent AUROC.
Third, the method requires LLM summarisation and fine-tuning. The authors use Qwen3-8B with LoRA and run experiments on four NVIDIA A100 80GB GPUs. That does not mean every deployment needs the same hardware, but it does mean cost and latency are not decorative details. Caching summaries helps inference, but summary refresh, graph updates, and compliance reviews still need engineering.
Fourth, the industrial datasets are proprietary. Their inclusion is valuable because it moves beyond toy benchmarks, but it also limits independent verification. We can read the reported results as encouraging, not final.
Finally, privacy and governance are not solved by the method. Fraud graphs often contain user-generated text, behavioural links, commercial metadata, and sensitive risk labels. Compressing text into summaries may reduce prompt length; it does not automatically solve data minimisation, retention, access control, or auditability.
The useful lesson is context discipline
DGP is a good paper because it resists an easy mistake. The easy mistake is to believe that LLMs need more context and that graphs are simply context reservoirs. That idea has surface appeal and operational menace.
The paper’s better idea is that context has shape. The target node should be detailed. Neighbours should be selected. Relationship paths should be preserved. Text should be summarised at the right level. Numbers should remain numbers. The LLM should receive a prompt designed for the decision, not a landfill arranged chronologically.
For fraud detection, this is the practical lesson: LLMs do not remove the need for graph thinking. They make graph thinking more important, because someone has to decide what the model is allowed to read.
DGP’s results suggest that dual granularity can improve fraud detection when text-rich graph data is available and labels are limited. Its limits suggest the next work: dynamic graphs, cost-aware deployment, privacy-preserving summarisation, and external replication on more fraud domains.
The conclusion, then, is not that LLMs have solved graph fraud detection. They have not. The conclusion is more useful: when fraud evidence is both textual and relational, the winning move may be neither vectorise everything nor paste everything. It may be to keep the suspect in full view and make the crowd speak in summaries.
A suspiciously reasonable idea. Those do still happen.
Cognaptus: Automate the Present, Incubate the Future.
-
Yuan Li, Jun Hu, Bryan Hooi, Bingsheng He, and Cheng Chen, “DGP: A Dual-Granularity Prompting Framework for Fraud Detection with Graph-Enhanced LLMs,” arXiv:2507.21653, 2025, https://arxiv.org/abs/2507.21653. ↩︎