US9967265B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9967265-B1 |
| Application number | US-201514869146-A |
| Country | US |
| Kind code | B1 |
| Filing date | Sep 29, 2015 |
| Priority date | Sep 29, 2015 |
| Publication date | May 8, 2018 |
| Grant date | May 8, 2018 |
Abstract
Techniques of detecting malicious events involve generating a relational graph of event data describing events that occur within a specified, limited time window. Along these lines, a malicious event detection computer receives event data describing interactions between entities such as users, devices, and network domains from various servers that occur within a specified time window. In response, the malicious event detection computer generates a relational graph that has graph structures (e.g., nodes and edges) representing these interactions. Analysis of patterns within the resulting relational graph indicates whether there is a malicious event occurring.
Claims (preview)

What is claimed is:

1. A computer-implemented method of detecting a malicious event, the computer-implemented method comprising: receiving, by processing circuitry, event data describing interactions between entities; in response to receiving the event data, generating, by the processing circuitry, a relational graph that includes graph structures representing the interactions between the entities, the graph structures including nodes and edges connected to a pair of nodes, each node representing an entity, each edge representing an interaction between a pair of entities, each graph structure including a timestamp indicating a time at which an interaction between the entities took place; receiving, at a particular time, a new event datum describing an interaction between new entities; initiating, by the new event datum for each graph structure, (i) determining a time difference between the time indicated by the timestamp and the particular time, and (ii) determining whether the time difference exceeds a specified time difference; having determined whether the time difference exceeds the specified time difference, (i) adding a new graph structure representing the interaction between the new entities to the relational graph, and (ii) deleting each of a set of graph structures for which the time difference exceeds the specified time difference; and after adding and deleting, performing a malicious event detection operation on the relational graph, the malicious event detection operation providing, as an output, a malicious event detection result indicating whether the interaction between the new entities is part of a malicious event; receiving an indication that a particular edge represents an interaction that is part of a fraudulent transaction; wherein the performing of the malicious event detection operation includes, for each edge of the relational graph: generating a distance from the particular edge to that edge; and indicating a likelihood that that edge represents the interaction that is part of the fraudulent transaction based on the distance, wherein the generating of the distance includes: setting the distance to one (1) when that edge and the particular edge are connected to a common node; setting the distance to two (2) when that edge and an edge at a distance of one (1) from the particular edge have a common node; and setting the distance to three (3) for all other edges; and wherein the indicating of the likelihood includes: marking that edge as suspicious with high confidence when the distance from the particular edge to that edge is one (1); marking that edge as suspicious with low confidence when the distance from the particular edge to that edge is two (2); and not marking that edge as suspicious when the distance from the particular edge to that edge is three (3).

2. A computer-implemented method as in claim 1, wherein the graph structures include nodes and edges connected to a pair of nodes, each node representing an entity, each edge representing an interaction between a pair of entities; wherein deleting each of the set of graph structures includes removing an edge from the relational graph.

3. A computer-implemented method as in claim 2, further comprising receiving a set of rules, each of the set of rules specifying a logical condition that, when satisfied by the relational graph, indicates that edges of the relational graph represent interactions that are part of a malicious event; wherein performing the malicious event detection operation on the relational graph includes verifying whether the relational graph satisfies a logical condition specified by the set of rules.

4. A computer program product having a non-transitory computer readable medium which stores a set of instructions to detect malicious activity, the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of: receiving event data describing interactions between entities; in response to receiving the event data, generating a relational graph that includes graph structures representing the interactions between the entities, the graph structures including nodes and edges connected to a pair of nodes, each node representing an entity, each edge representing an interaction between a pair of entities, each graph structure including a timestamp indicating a time at which an interaction between the entities took place; receiving, at a particular time, a new event datum describing an interaction between new entities; initiating, by the new event datum for each graph structure, (i) determining a time difference between the time indicated by the timestamp and the particular time, and (ii) determining whether the time difference exceeds a specified time difference; having determined whether the time difference exceeds the specified time difference, (i) adding a new graph structure representing the interaction between the new entities to the relational graph, and (ii) deleting each of a set of graph structures for which the determined time difference exceeds the specified time difference; and after adding and deleting, performing a malicious event detection operation on the relational graph, the malicious event detection operation providing, as an output, a malicious event detection result indicating whether the interaction between the new entities is part of a malicious event; receiving an indication that a particular edge represents an interaction that is part of a fraudulent transaction; wherein the performing of the malicious event detection operation includes, for each edge of the relational graph: generating a distance from the particular edge to that edge; and indicating a likelihood that that edge represents the interaction that is part of the fraudulent transaction based on the distance; wherein the generating of the distance includes: setting the distance to one (1) when that edge and the particular edge are connected to a common node; setting the distance to two (2) when that edge and an edge at a distance of one (1) from the particular edge have a common node; and setting the distance to three (3) for all other edges; and wherein the indicating of the likelihood includes: marking that edge as suspicious with high confidence when the distance from the particular edge to that edge is one (1); marking that edge as suspicious with low confidence when the distance from the particular edge to that edge is two (2); and not marking that edge as suspicious when the distance from the particular edge to that edge is three (3).

5. A computer program product as in claim 4 wherein deleting each of the set of graph structures includes removing an edge from the relational graph.

6. A computer program product as in claim 5, further comprising receiving a set of rules, each of the set of rules specifying a logical condition that, when satisfied by the relational graph, indicates that edges of the relational graph represent interactions that are part of a malicious event; wherein performing the malicious event detection operation on the relational graph includes verifying whether the relational graph satisfies a logical condition specified by the set of rules.

7. An electronic apparatus, comprising: a user interface; memory; and control circuitry coupled to the user interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to: receive event data describing interactions between entities; in response to receiving the event data, generate a relational graph that includes graph structures representing the interactions between the entities, the graph structures including nodes and edges connected to a pair of node
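The window-then-propagate procedure described in the abstract and spelled out in claim 1, as an added worked example in Python (not code from the patent or its assignee): entities are nodes, timestamped interactions are edges, each arriving event first evicts every edge whose age exceeds the window and is then added, and an edge flagged as part of a fraudulent transaction propagates suspicion to the rest of the graph by the 1/2/3 edge-distance rule (high confidence, low confidence, not marked). The `Edge` and `RelationalGraph` names, the sample events, the entity names and the 4500-second window are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Edge:
    """One interaction between two entities; the timestamp is part of the
    graph structure, as claim 1 requires. Frozen so edges are hashable."""
    event_id: str
    src: str
    dst: str
    ts: int        # seconds; the constructed sample uses small integers
    kind: str

    def nodes(self) -> FrozenSet[str]:
        return frozenset((self.src, self.dst))


class RelationalGraph:
    """Edge set bounded by a sliding time window (hypothetical class)."""

    def __init__(self, window_seconds: int) -> None:
        self.window = window_seconds
        self.edges: List[Edge] = []

    def ingest(self, new: Edge) -> int:
        """On a new event datum: compute new.ts - edge.ts for every stored
        edge, delete those whose difference exceeds the window (strictly
        greater, so an edge exactly at the boundary survives), then add the
        new edge. Returns the number of edges evicted."""
        kept = [e for e in self.edges if new.ts - e.ts <= self.window]
        evicted = len(self.edges) - len(kept)
        kept.append(new)
        self.edges = kept
        return evicted

    def edge_distances(self, flagged: Edge) -> Dict[Edge, int]:
        """Distance from the flagged edge to every other edge, per claim 1:
        1 if it shares a node with the flagged edge, 2 if it shares a node
        with a distance-1 edge, 3 otherwise. Distance-1 edges are fixed
        first so an edge touching the flagged edge is never demoted to 2.
        Refuses to run if the flagged edge has already aged out."""
        if flagged not in self.edges:
            raise ValueError(f"{flagged.event_id} is no longer inside the window")
        others = [e for e in self.edges if e != flagged]
        dist: Dict[Edge, int] = {}
        for e in others:
            if e.nodes() & flagged.nodes():
                dist[e] = 1
        frontier = set().union(*(e.nodes() for e in dist))
        for e in others:
            if e not in dist:
                dist[e] = 2 if e.nodes() & frontier else 3
        return dist


CONFIDENCE = {1: "high", 2: "low", 3: None}   # distance 3: not marked


def mark_suspicious(graph: RelationalGraph, flagged: Edge) -> Dict[str, Optional[str]]:
    """Map event_id -> 'high' / 'low' / None, the likelihood rule of claim 1."""
    return {e.event_id: CONFIDENCE[d] for e, d in graph.edge_distances(flagged).items()}


# Constructed sample events (not from the patent), already in time order.
SAMPLE_EVENTS = [
    Edge("e1", "alice", "merchantA", 1000, "payment"),
    Edge("e2", "bob", "merchantA", 1500, "payment"),
    Edge("e3", "carol", "bob", 2000, "transfer"),
    Edge("e4", "dave", "eve", 2500, "transfer"),
    Edge("e6", "frank", "carol", 5500, "transfer"),
    Edge("e5", "alice", "merchantB", 6000, "payment"),
]
WINDOW_SECONDS = 4500


def run_demo() -> Tuple[Dict[str, Optional[str]], int, List[str]]:
    """Stream the sample through the window, then flag e2 as fraudulent.
    Returns (labels, edges evicted by the last event, ids still in window)."""
    g = RelationalGraph(WINDOW_SECONDS)
    evicted = 0
    for ev in SAMPLE_EVENTS:
        evicted = g.ingest(ev)
    flagged = next(e for e in g.edges if e.event_id == "e2")
    return mark_suspicious(g, flagged), evicted, [e.event_id for e in g.edges]


if __name__ == "__main__":
    labels, evicted, remaining = run_demo()
    print("evicted by last event:", evicted)
    print("in window:", remaining)
    for eid, conf in labels.items():
        print(f"{eid}: {conf or 'not marked'}")
```

Two details worth noticing when implementing this. The claim says the time difference must "exceed" the window, so an edge exactly at the boundary (e2, 4500 s old when e5 arrives) survives and is the flagged edge here; an off-by-one in that comparison changes which edges exist at all. And the window changes the verdict, not just the memory footprint: e1 (alice to merchantA) has aged out when e5 arrives, so alice's new payment is at distance 3 and is not marked, whereas with a 5000 s window e1 would sit at distance 1 via merchantA and e5 would be marked with low confidence. The example also rejects a flagged edge that has itself aged out of the window, a case the claim text does not address.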
CPC classifications:
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Event detection, e.g. attack signature detection