CN111988321B - Alliance chain abnormity detection system based on machine learning and detection method thereof - Google Patents


Publication number: CN111988321B
Authority: CN (China)
Prior art keywords: data, alliance chain, node, time, abnormal
Legal status: Active
Application number: CN202010853569.8A
Other languages: Chinese (zh)
Other versions: CN111988321A (en)
Inventors: 黄冬艳, 陈斌, 王波, 李浪
Current Assignee: Guilin University of Electronic Technology
Original Assignee: Guilin University of Electronic Technology
Application filed by: Guilin University of Electronic Technology
Priority to: CN202010853569.8A
Publications: CN111988321A (application), CN111988321B (granted)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/20 Ensemble learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses an alliance chain anomaly detection system based on machine learning and a detection method thereof. The detection method deploys the detection system in an alliance chain network based on the PBFT consensus algorithm. It first determines, from the time interval data of a single node's prepare stage and commit stage in the PBFT consensus process, whether abnormal nodes exist in the alliance chain network, and if they do, further determines which nodes are abnormal, so that the presence of abnormal nodes in the alliance chain network can be detected quickly and accurately. Two rounds of anomaly detection are used so that the resource occupation of the anomaly detection system is reduced while the abnormal nodes in the alliance chain can still be determined: the first round detects, from the data of a single node, whether abnormal nodes exist in the alliance chain network, and the second round determines the abnormal nodes in the alliance chain. The system takes resource occupation fully into account while ensuring the effectiveness and reliability of detection, and reduces the resource occupation of the detection system.

Description

Alliance chain abnormity detection system based on machine learning and detection method thereof
Technical Field
The invention relates to blockchain technology, in particular to an alliance chain anomaly detection system based on machine learning and a detection method thereof.
Background
Since it was proposed, blockchain technology has received the attention of many experts and scholars, and it has wide application prospects in fields such as contract processing, data exchange, finance, credit investigation, the Internet of Things, logistics and economic settlement. The technology dispenses with traditional trusted third parties and is known for being decentralized; according to the degree of decentralization, blockchains can be divided into public chains, alliance chains and private chains. A public chain is completely decentralized and allows anyone to join or quit at any time, but problems are difficult to correct once it is running, and it has high overhead, high latency and low throughput, so it cannot meet commercial requirements. An alliance chain is partially decentralized: alliance members participate in the chain, nodes can be added or withdrawn only through authorization, and it has the characteristics of low cost and high efficiency, making it more suitable for commercial use. A private chain is not decentralized: its membership is strictly restricted, and write rights are controlled by a single organization or institution.
The security and consistency of a blockchain are ensured by its consensus mechanism. The mainstream consensus mechanisms currently include Proof of Work (PoW), Proof of Stake (PoS), Delegated Proof of Stake (DPoS), Byzantine fault-tolerant algorithms (such as Practical Byzantine Fault Tolerance, PBFT), and other improved consensus mechanisms. PoW and PoS are used for public chains, while DPoS and Byzantine algorithms are used for alliance chains. The PBFT algorithm does not require nodes to compete to complete the accounting work, so its consensus efficiency is higher than that of "Proof of X" algorithms.
Although the PBFT algorithm has a certain fault tolerance, the presence of malicious nodes in the network still affects the blockchain. The explosive development of machine learning in recent years has created new approaches to this problem: machine learning addresses this class of problems by mining potential, valuable information from the data.
Currently, the following methods are mainly used for alliance chain anomaly detection:
First: manual feature extraction
This method requires people to take part directly in anomaly detection. The personnel involved need strong professional knowledge, and the detection effect depends to a great extent on the quality of the manually extracted features. It is hard to do this extremely well and it consumes a large amount of time, so timely detection and rapid protection cannot be achieved when a new attack method appears.
Second: statistics-based methods
Statistics-based methods are typically designed around the distribution of network traffic, assuming that the traffic follows a certain distribution. The simplest way to build a statistical model is to calculate the parameters of the probability density function of each known type of network traffic, and then test an unknown sample to determine which type it belongs to. When generating the probability density functions, such a method typically constructs two different profiles, one for ordinary traffic and one for attack traffic, and checks whether incoming traffic belongs to an existing class. In practice there are two main ways to estimate the probability density function: parametric and non-parametric. The parametric technique assumes knowledge of the underlying distribution and estimates its parameters from the given data; normal traffic data is usually assumed to be Gaussian, and certain parameters are estimated to fit that distribution. Although the method is simple to implement, anomalies are judged through a threshold, the actual distribution of traffic in a complex network is difficult to determine, tuning the parameters of a statistical model is relatively inefficient on high-dimensional network data, and effective statistics are difficult to select, so the detection effect of statistics-based methods is not ideal.
Third: anomaly detection based on machine learning
Machine learning based anomaly detection mainly works on parameters such as the traffic in the network and the data size. With the help of a computer, machine learning can learn the rules and patterns in massive data, and in the learning process it mines the potential and valuable information in the data, thereby finding the information needed to detect anomalies. This approach uses multi-source heterogeneous data for anomaly detection, and the number of dimensions of the data is relatively large; although dimensionality reduction can be applied during machine learning, the operation is complex. Especially when complex deep learning is used, the cost in both computing resources and time during learning can be high.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides an alliance chain anomaly detection system based on machine learning and a detection method thereof.
The technical scheme for realizing the purpose of the invention is as follows:
A machine learning based alliance chain anomaly detection system, deployed on a node in an alliance chain network that uses the PBFT consensus algorithm, the alliance chain anomaly detection system comprising:
the initialization module, used for deploying the alliance chain anomaly detection system on nodes in an alliance chain network that uses the PBFT consensus algorithm and completing the calls to the related interfaces;
the data acquisition module, used for acquiring the data of the nodes in the prepare and commit stages;
the data preprocessing module, used for judging whether the data acquired by the data acquisition module is reasonable data, storing the data if it is, and otherwise discarding it;
the data storage module, used for storing the data acquired by the data acquisition module locally so that the data calculation module can calculate the time intervals;
the data calculation module, used for calculating, from the data of the single node or the plurality of nodes stored by the data storage module, the time interval data required by the anomaly detection model;
the data transmission module, used for transmitting the data obtained by the data calculation module to the module for judging whether an abnormal node exists, and for returning the detection result of the anomaly detection system to the alliance chain;
the module for judging whether an abnormal node exists, which performs anomaly detection on the data calculated by the data calculation module using the CNN, KNN and SVM algorithms in machine learning, to judge whether an abnormal node exists in the alliance chain network;
the abnormal node determining module, used for determining the abnormal nodes from the multi-node time interval data in the data calculation module using the CNN, KNN and SVM algorithms in machine learning;
and the updating module, used for updating the CNN, KNN and SVM algorithm model parameters used for anomaly detection and for determining abnormal nodes in the alliance chain anomaly detection system.
An alliance chain anomaly detection method based on machine learning comprises the following steps:
1) deploying the machine learning based alliance chain anomaly detection system in an alliance chain network based on the PBFT consensus algorithm; the executing node initializes the anomaly detection system in that network and completes the related configuration and initialization of the machine learning based alliance chain anomaly detection system;
2) acquiring, from the node configured with the anomaly detection system, the time data of the single node's prepare stage and commit stage in the PBFT consensus process that anomaly detection requires; judging whether the time data meets the non-negative requirement; recording it in file one if it does, and deleting it if it does not;
3) acquiring, from the node configured with the anomaly detection system, the time data of the prepare and commit stages of all nodes in the alliance chain network in the PBFT consensus process that anomaly detection requires; judging whether the time data meets the non-negative requirement; recording it in file two if it does, and deleting it if it does not;
4) calculating the time intervals of the anomaly detection node in the prepare and commit stages of the PBFT consensus process from the single-node time data acquired in step 2);
5) sending the time interval data calculated in step 4) to the module for judging whether an abnormal node exists, and carrying out the first anomaly detection;
6) judging, from the anomaly detection result of step 5), whether an abnormal node exists in the alliance chain network; if an abnormal node exists, executing step 7); if no abnormal node exists, returning to step 2);
7) calculating the time interval data of all nodes in the alliance chain in the prepare and commit stages from the time data of all nodes in the PBFT consensus stage acquired in step 3);
8) sending the time interval data of the PBFT consensus stage of all nodes in the alliance chain, calculated in step 7), to the abnormal node determining module for the second anomaly detection;
9) determining the abnormal network nodes in the alliance chain network from the anomaly detection result of step 8), and returning the abnormal network nodes to the alliance chain system.
In step 1), the machine learning based alliance chain anomaly detection system meets the following requirements:
1-1) an alliance chain that uses the PBFT consensus algorithm is selected, and the alliance chain network is ensured to have at least 3f+1 network nodes, where f is a positive integer greater than 1;
1-2) the alliance chain anomaly detection system can be deployed at the anomaly detection node in two ways: either the alliance chain anomaly detection system is deployed directly on the anomaly detection node, or it is deployed in the cloud and the anomaly detection node carries out anomaly detection by calling an interface reserved in advance by the alliance chain anomaly detection system.
In step 2), the time interval data of the prepare and commit phases of the single node refers to the times at which the single node in the alliance chain network starts and ends the prepare phase and the times at which it starts and ends the commit phase. When the data is recorded in file one, the end time of the prepare phase in PBFT consensus corresponds to the start of the commit phase, so three values are recorded in each line of file one: the start time of the prepare phase of the anomaly detection node, the end time of the prepare phase (that is, the start time of the commit phase), and the end time of the commit phase.
In step 3), the time data of the prepare and commit phases of all the nodes refers to the times at which every node in the alliance chain network starts and ends the prepare phase and the times at which every node starts and ends the commit phase. When the data is recorded in file two, because the end time of the prepare phase in PBFT consensus corresponds to the start of the commit phase, three values are recorded in each line of file two: the start time of the prepare phase of the anomaly detection node, the end time of the prepare phase (that is, the start time of the commit phase), and the end time of the commit phase. The data of each node is acquired from the alliance chain network, and the data of each node occupies one row in file two.
In step 4), the time intervals are obtained by opening file one, written in step 2), and reading a row of data; subtracting the first value from the second value in the row gives the time interval of the prepare phase of the single node, and subtracting the second value from the third value gives the time interval of the commit phase of the single node.
In step 7), the time intervals are obtained by opening file two, written in step 3), and reading a row of data; subtracting the first value from the second value in the row gives the time interval of the prepare phase of a single node, and subtracting the second value from the third value gives the time interval of the commit phase of that node, and so on: if there are N nodes in the alliance chain network, N rows of data are read and the time intervals of the prepare and commit phases of the N nodes are calculated.
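The preprocessing, interval calculation and two-pass flow of steps 2) to 9), as an added example that is not part of the patent text. A plain k-nearest-neighbour vote stands in for the CNN/KNN/SVM models, the second pass classifies each node's row on its own, and the training points and file contents are constructed sample data with assumed millisecond values.

```python
# Added example: two-pass anomaly check over PBFT prepare/commit timing rows.
# Row layout follows the page: prepare_start, prepare_end (= commit_start), commit_end.
from collections import Counter
from math import dist

NORMAL, ABNORMAL = 1, 0  # label convention used in the page's experiment


def parse_rows(text):
    """Return (row_index, [t1, t2, t3]) pairs; drop rows that fail preprocessing.

    The row index is kept so that a discarded row does not shift node numbers.
    Assumption: the non-negative requirement is applied to the raw time values.
    """
    rows = []
    for index, line in enumerate(text.strip().splitlines()):
        try:
            values = [float(part) for part in line.split()]
        except ValueError:
            continue  # non-numeric field: discard the row
        if len(values) != 3 or any(v < 0 for v in values):
            continue  # wrong field count or negative time: discard the row
        rows.append((index, values))
    return rows


def intervals(row):
    """Steps 4) and 7): (second - first, third - second)."""
    prepare_start, prepare_end, commit_end = row
    return (prepare_end - prepare_start, commit_end - prepare_end)


def knn_predict(train, point, k=3):
    """Majority vote of the k nearest training points; train is [(features, label)]."""
    nearest = sorted(train, key=lambda item: dist(item[0], point))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def first_pass(train, file_one_text):
    """Steps 5) and 6): does the detection node's own timing look abnormal?"""
    return any(knn_predict(train, intervals(row)) == ABNORMAL
               for _, row in parse_rows(file_one_text))


def second_pass(train, file_two_text):
    """Steps 8) and 9): row indices of nodes whose intervals look abnormal."""
    return [index for index, row in parse_rows(file_two_text)
            if knn_predict(train, intervals(row)) == ABNORMAL]


def detect(train, file_one_text, file_two_text):
    """Run the single-node pass first; read all nodes only if it fires."""
    if not first_pass(train, file_one_text):
        return []
    return second_pass(train, file_two_text)


# Constructed training set: (prepare interval, commit interval) -> label.
TRAIN = ([((9 + i, 9 + j), NORMAL) for i in range(3) for j in range(3)] +
         [((55 + 5 * i, 50 + 5 * j), ABNORMAL) for i in range(3) for j in range(3)])

# Constructed file one contents: one row per consensus round of the detection node.
FILE_ONE_NORMAL = "1000 1011 1021\n2000 2010 2019\n"
FILE_ONE_DELAYED = "5000 5061 5116\n"

# Constructed file two contents: one row per node; row 2 is delayed and
# row 3 carries a negative value that preprocessing must discard.
FILE_TWO = "1000 1010 1020\n1001 1012 1021\n1000 1064 1118\n-1 1009 1019\n"

if __name__ == "__main__":
    print("normal round :", detect(TRAIN, FILE_ONE_NORMAL, FILE_TWO))
    print("delayed round:", detect(TRAIN, FILE_ONE_DELAYED, FILE_TWO))
```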
The machine learning based alliance chain anomaly detection system and method provided by the invention have the following advantages:
1. The system can detect whether abnormal nodes exist in an alliance chain network based on the PBFT consensus algorithm and then determine the abnormal nodes. Once the system is deployed on the alliance chain network nodes it needs no manual participation, which saves manpower, and its detection effect is superior to that of statistical methods. It takes resource occupation fully into account while ensuring the effectiveness and reliability of detection, and reduces the resource occupation of the detection system as much as possible.
2. Compared with existing blockchain anomaly detection systems, the system needs no personnel to take part and runs well once deployed to the nodes. It can be deployed on the local node, or in the cloud to save the resources of the local node. Detection is divided into two rounds, which greatly reduces resource occupation, and several machine learning algorithms are used for anomaly detection, so the result is more reliable than that of a single machine learning method.
3. From the time interval data of the prepare stage and commit stage of a single node in the PBFT consensus process, the detection method first determines whether an abnormal node exists in the alliance chain network, and if one exists, further determines the abnormal node. The anomaly detection system can thus detect well whether abnormal nodes exist in the alliance chain network. Data preprocessing prevents unqualified data obtained from the alliance chain nodes from being input into the detection system, where it would affect the detection result and, in serious cases, might affect the normal operation of the anomaly detection system. The purpose of the two rounds of anomaly detection is to reduce the resource occupation of the anomaly detection system while ensuring that the abnormal nodes in the alliance chain can be determined: the first round detects, from the data of a single node, whether abnormal nodes exist in the alliance chain network, and the second round determines the abnormal nodes in the alliance chain.
Drawings
FIG. 1 is a block diagram of the machine learning based alliance chain anomaly detection system;
FIG. 2 is a flow chart of the machine learning based alliance chain anomaly detection method;
FIG. 3 is a diagram of the first anomaly detection result of the machine learning based alliance chain anomaly detection system provided by the embodiment;
FIG. 4 is a diagram of the abnormal node determination result of the machine learning based alliance chain anomaly detection system provided by the embodiment.
Detailed Description
The invention will be further elucidated with reference to the drawings and examples, without however being limited thereto.
Example:
A machine learning based alliance chain anomaly detection system, deployed on a node in an alliance chain network that uses the PBFT consensus algorithm, as shown in FIG. 1, the alliance chain anomaly detection system comprising:
the initialization module, used for deploying the alliance chain anomaly detection system on nodes in an alliance chain network that uses the PBFT consensus algorithm and completing the calls to the related interfaces;
the data acquisition module, used for acquiring the data of the nodes in the prepare and commit stages;
the data preprocessing module, used for judging whether the data acquired by the data acquisition module is reasonable data, storing the data if it is, and otherwise discarding it;
the data storage module, used for storing the data acquired by the data acquisition module locally so that the data calculation module can calculate the time intervals;
the data calculation module, used for calculating, from the data of the single node or the plurality of nodes stored by the data storage module, the time interval data required by the anomaly detection model;
the data transmission module, used for transmitting the data obtained by the data calculation module to the anomaly detection system and returning the detection result of the anomaly detection system to the alliance chain;
the module for judging whether an abnormal node exists, which performs anomaly detection on the data calculated by the data calculation module using the CNN, KNN and SVM algorithms in machine learning, to judge whether an abnormal node exists in the alliance chain network;
the abnormal node determining module, used for determining the abnormal nodes from the multi-node time interval data in the data calculation module using the CNN, KNN and SVM algorithms in machine learning;
and the updating module, used for updating the CNN, KNN and SVM algorithm model parameters used for anomaly detection and for determining abnormal nodes in the alliance chain anomaly detection system.
An alliance chain anomaly detection method based on machine learning, as shown in FIG. 2, comprises the following steps:
1) deploying the machine learning based alliance chain anomaly detection system in an alliance chain network based on the PBFT consensus algorithm; the executing node initializes the anomaly detection system in that network and completes the related configuration and initialization of the machine learning based alliance chain anomaly detection system;
2) acquiring, from the node configured with the anomaly detection system, the time data of the single node's prepare stage and commit stage in the PBFT consensus process that anomaly detection requires; judging whether the time data meets the sign requirement; recording it in file one if it does, and deleting it if it does not;
3) acquiring, from the node configured with the anomaly detection system, the time data of the prepare and commit stages of all nodes in the alliance chain network in the PBFT consensus process that anomaly detection requires; judging whether the time data meets the non-negative requirement; recording it in file two if it does, and deleting it if it does not;
4) calculating the time intervals of the anomaly detection node in the prepare and commit stages of the PBFT consensus process from the single-node time data acquired in step 2);
5) sending the time interval data calculated in step 4) to the anomaly detection system for the first anomaly detection;
6) judging, from the anomaly detection result of step 5), whether an abnormal node exists in the alliance chain network; if an abnormal node exists, executing step 7); if no abnormal node exists, returning to step 2);
7) calculating the time interval data of all nodes in the alliance chain in the prepare and commit stages from the time data of all nodes in the PBFT consensus stage acquired in step 3);
8) sending the time interval data of the PBFT consensus stage of all nodes in the alliance chain, calculated in step 7), to the anomaly detection system for the second anomaly detection;
9) determining the abnormal network nodes in the alliance chain network from the anomaly detection result of step 8), and returning the abnormal network nodes to the alliance chain system.
In step 1), the machine learning based alliance chain anomaly detection system meets the following requirements:
1-1) an alliance chain that uses the PBFT consensus algorithm is selected, and the alliance chain network is ensured to have at least 3f+1 network nodes, where f is a positive integer greater than 1;
1-2) the alliance chain anomaly detection system can be deployed at the anomaly detection node in two ways: either the alliance chain anomaly detection system is deployed directly on the anomaly detection node, or it is deployed in the cloud and the anomaly detection node carries out anomaly detection by calling an interface reserved in advance by the alliance chain anomaly detection system.
In step 2), the time interval data of the prepare and commit phases of the single node refers to the times at which the single node in the alliance chain network starts and ends the prepare phase and the times at which it starts and ends the commit phase. When the data is recorded in file one, the end time of the prepare phase in PBFT consensus corresponds to the start of the commit phase, so three values are recorded in each line of file one: the start time of the prepare phase of the anomaly detection node, the end time of the prepare phase (that is, the start time of the commit phase), and the end time of the commit phase.
In step 3), the time data of the prepare and commit phases of all the nodes refers to the times at which every node in the alliance chain network starts and ends the prepare phase and the times at which every node starts and ends the commit phase. When the data is recorded in file two, because the end time of the prepare phase in PBFT consensus corresponds to the start of the commit phase, three values are recorded in each line of file two: the start time of the prepare phase of the anomaly detection node, the end time of the prepare phase (that is, the start time of the commit phase), and the end time of the commit phase. The data of each node is acquired from the alliance chain network, and the data of each node occupies one row in file two.
In step 4), the time intervals are obtained by opening file one, written in step 2), and reading a row of data; subtracting the first value from the second value in the row gives the time interval of the prepare phase of the single node, and subtracting the second value from the third value gives the time interval of the commit phase of the single node.
In step 7), the time intervals are obtained by opening file two, written in step 3), and reading a row of data; subtracting the first value from the second value in the row gives the time interval of the prepare phase of a single node, and subtracting the second value from the third value gives the time interval of the commit phase of that node, and so on: if there are N nodes in the alliance chain network, N rows of data are read and the time intervals of the prepare and commit phases of the N nodes are calculated.
The experimental results of the machine-learning-based alliance chain anomaly detection method are shown in Fig. 3 and Fig. 4. The experiment is as follows:
In the experiment, using the above system and detection method, f nodes in an alliance chain network of 3f+1 nodes are taken down, where f = 1, 2, 3, 4, and the following data are then acquired:
First: with the remaining 2f+1 nodes working normally, the time data nt₁ from prepare to commit of each node, and the time data nt₂ from commit to completion of the commit stage of the node itself, in the process of one of the nodes applying to create a block.
Second: with one of the remaining 2f+1 nodes delayed in the prepare stage and the commit stage, the time data dt₁ from prepare to commit of each node, and the time data dt₂ from commit to completion of the commit stage of the node itself, in the process of one of the nodes applying to create a block.
Third: with one of the remaining 2f+1 nodes delayed in the prepare stage and the commit stage, the time interval data of each node in the prepare and commit stages, collected by the nodes in the process of one of the nodes applying to create a block.
In the experiment, 100,000 pieces of data are acquired from each node. Normal data is labeled 1 and represents the case where f nodes are down and the data of the other nodes is not delayed; abnormal data is labeled 0 and represents the case where f nodes are down and one of the other 2f+1 nodes is delayed. To prevent data imbalance from affecting the anomaly detection accuracy, the ratio of normal data to abnormal data in the experiment is 1:1.
1) Malicious delay detection:
In alliance chain networks of 4, 7, 10 and 13 nodes, the experiment runs detection on the time data that a node acquires during the PBFT consensus process, giving the experimental result of Fig. 3.
2) Determining a malicious delay node:
In alliance chain networks of 4, 7, 10 and 13 nodes, the experiment runs detection on the consensus-stage time data of each node, as acquired by the nodes, giving the experimental result of Fig. 4.
In both cases the ratio of the training set to the test set is set to 8:2. A CNN algorithm, a KNN algorithm, a naive Bayes algorithm and an SVM algorithm are then each used for training, the accuracy on the test set is calculated, and the experimental result is recorded.
Based on a study of the time consumed in the PBFT consensus phases, the time-consumption data of the prepare and commit phases obtained from the nodes during consensus is analyzed with three machine learning models, namely CNN (convolutional neural network), KNN (K nearest neighbor) and SVM (support vector machine), and a machine-learning-based alliance chain network anomaly detection system is provided.
The experimental results in Fig. 3 and Fig. 4 show that the CNN, KNN and SVM models have similar accuracy and are relatively stable. The system can therefore reliably detect whether, apart from the f tolerated faulty or malicious nodes, any node in the network is still maliciously delaying in order to disrupt consensus, and can further identify the malicious delay node, thereby helping to improve the efficiency and the security of the blockchain system.
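The two-stage procedure of steps 2) to 9), as an added Python example that is not part of the patent: it reads the three-value rows, applies the non-negative check, computes the prepare and commit intervals, and runs a first check on the detecting node's own data before naming a delayed node from the per-node rows. The function names, whitespace-separated rows, millisecond values, the timestamp ordering check, k = 3 and the row-by-row KNN classification in the second stage are assumptions of this example; the patent trains CNN, KNN and SVM models and does not specify these details.

```python
import math

NORMAL, ABNORMAL = 1, 0  # label convention of the experiment: 1 normal, 0 abnormal

def read_intervals(text):
    """Return {row_number: (prepare_interval, commit_interval)} for usable rows.

    Each row holds three timestamps: prepare start, prepare end (= commit
    start) and commit end. Rows are numbered from 1; in the second file one
    row corresponds to one node.
    """
    out = {}
    for row_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed row
        try:
            t0, t1, t2 = (float(p) for p in parts)
        except ValueError:
            continue  # non-numeric field
        if not all(math.isfinite(t) for t in (t0, t1, t2)):
            continue  # NaN or infinity would poison the distance computation
        # Non-negative requirement; the ordering check, which keeps both
        # intervals non-negative, is an assumption of this example.
        if not (0 <= t0 <= t1 <= t2):
            continue
        out[row_no] = (t1 - t0, t2 - t1)
    return out

def knn_label(sample, train, k=3):
    """Majority vote among the k nearest labelled interval pairs."""
    nearest = sorted(train, key=lambda item: math.dist(sample, item[0]))[:k]
    normal_votes = sum(1 for _, label in nearest if label == NORMAL)
    return NORMAL if 2 * normal_votes > len(nearest) else ABNORMAL

def detect(file_one, file_two, train, k=3):
    """First detection on the node's own rows; second detection only if needed."""
    own = read_intervals(file_one)
    if all(knn_label(iv, train, k) == NORMAL for iv in own.values()):
        return []  # no anomaly seen: the method returns to data collection
    per_node = read_intervals(file_two)
    return [n for n, iv in sorted(per_node.items())
            if knn_label(iv, train, k) == ABNORMAL]

# Constructed training data: (prepare, commit) intervals in ms with labels.
TRAIN = [((12.0, 10.0), 1), ((11.5, 9.8), 1), ((13.1, 10.4), 1), ((12.4, 11.0), 1),
         ((61.0, 54.0), 0), ((58.2, 57.5), 0), ((63.7, 52.9), 0), ((59.9, 55.1), 0)]
# Constructed file contents: "prepare_start prepare_end commit_end" per row.
FILE_ONE_OK = "1000.0 1012.2 1022.5\n"
FILE_ONE_SLOW = "2000.0 2060.3 2115.0\n"
FILE_TWO = ("2000.0 2012.0 2022.3\n"
            "2000.4 2012.9 2023.0\n"
            "2000.2 2060.5 2115.4\n"
            "-1 2012.1 2022.0\n")  # negative timestamp: fails the check, dropped

if __name__ == "__main__":
    print(detect(FILE_ONE_OK, FILE_TWO, TRAIN))    # first detection passes
    print(detect(FILE_ONE_SLOW, FILE_TWO, TRAIN))  # second detection names a row
```

Because rejected rows keep their row number out of the result rather than shifting later rows up, the reported number still maps to the node that produced the row.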

Claims (7)

1. A machine learning-based alliance chain anomaly detection system disposed on a node in an alliance chain network using a PBFT consensus algorithm, the alliance chain anomaly detection system comprising:
the initialization module is used for arranging the alliance chain anomaly detection system on nodes in an alliance chain network using a PBFT consensus algorithm and completing the calls to the related interfaces;
the data acquisition module is used for acquiring data of the nodes in the prepare and commit stages;
the data preprocessing module is used for judging whether the data acquired by the data acquisition module is reasonable data, and storing the data if it is reasonable; otherwise, the data is eliminated;
the data storage module is used for storing the data acquired by the data acquisition module locally, so that the data calculation module can conveniently calculate the time interval;
the data calculation module is used for calculating, from the data of the single node or the plurality of nodes stored by the data storage module, the time interval data required by the anomaly detection model;
the data transmission module is used for transmitting the data obtained by the data calculation module to the module for judging whether an abnormal node exists, and returning the detection result of the alliance chain anomaly detection system to the alliance chain;
the module for judging whether an abnormal node exists is used for performing anomaly detection on the data calculated by the data calculation module, using CNN, KNN and SVM algorithms in machine learning, to judge whether an abnormal node exists in the alliance chain network;
the abnormal node determining module is used for determining abnormal nodes from the multi-node time interval data in the data calculation module by using CNN, KNN and SVM algorithms in machine learning;
and the updating module is used for updating the CNN, KNN and SVM algorithm model parameters used for anomaly detection and for abnormal node determination in the alliance chain anomaly detection system.
2. An alliance chain anomaly detection method based on machine learning, characterized by comprising the following steps:
1) arranging an alliance chain anomaly detection system based on machine learning into an alliance chain network based on a PBFT consensus algorithm, initializing the anomaly detection system in the alliance chain network based on the PBFT consensus algorithm by an execution node, and completing related configuration and initialization operation of the alliance chain anomaly detection system based on machine learning;
2) acquiring time data of the prepare stage and the commit stage of a single node required by anomaly detection in a PBFT consensus process from a node configured with an anomaly detection system, judging whether the time data meets a non-negative requirement, recording the time data in a first file if the time data meets the non-negative requirement, and deleting the time data if the time data does not meet the non-negative requirement;
3) acquiring time data of the prepare and commit stages of all nodes in the alliance chain network, which are required by anomaly detection in the PBFT consensus process, from nodes configured with an anomaly detection system, judging whether the time data meets the non-negative requirement, recording the time data in a second file if the time data meets the non-negative requirement, and deleting the time data if the time data does not meet the non-negative requirement;
4) calculating the time interval of the abnormality detection node at the prepare and commit stages in the PBFT consensus process according to the time data of the single node at the PBFT stage acquired in the step 2);
5) sending the time interval data obtained by calculation in the step 4) to the module for judging whether an abnormal node exists, and carrying out the first anomaly detection;
6) judging whether an abnormal node exists in the alliance chain network according to the anomaly detection result in the step 5); if an abnormal node exists, executing step 7); if no abnormal node exists, returning to the step 2);
7) calculating time interval data of all nodes in the alliance chain at the prepare and commit stages according to the time data of all nodes in the PBFT consensus stage acquired in the step 3);
8) sending the time interval data of the PBFT consensus stage of all the nodes in the alliance chain obtained by calculation in the step 7) to the abnormal node determining module for carrying out the second anomaly detection;
9) determining the network nodes with the abnormality in the alliance chain network according to the anomaly detection result in the step 8), and returning the network nodes with the abnormality to the alliance chain system.
3. The alliance chain anomaly detection method based on machine learning as claimed in claim 2, wherein in step 1), the alliance chain anomaly detection system based on machine learning meets the following requirements:
1-1) selecting an alliance chain applying a PBFT consensus algorithm, and ensuring that the alliance chain network has at least 3f+1 network nodes, where f is a positive integer greater than 1;
1-2) when the alliance chain anomaly detection system is arranged at an abnormality detection node, there are two modes: the first is to arrange the alliance chain anomaly detection system directly on the abnormality detection node; the other is to arrange the alliance chain anomaly detection system at the cloud end, with the abnormality detection node performing anomaly detection by calling an interface reserved in advance by the alliance chain anomaly detection system.
4. The alliance chain anomaly detection method based on machine learning as claimed in claim 2, wherein in step 2), the time interval data of the prepare and commit phases of the single node refers to the time data of the single node in the alliance chain network starting and ending in the prepare phase and the time data of the single node in the commit phase starting and ending; when data is recorded in the first file, the end time of the prepare phase in the PBFT consensus corresponds to the start of the commit phase, so that three data values are recorded in each line of the first file, which correspond to the start time of the prepare phase of the abnormality detection node, the end time of the prepare phase, that is, the start time of the commit phase and the end time of the commit phase.
5. The alliance chain anomaly detection method based on machine learning as claimed in claim 2, wherein in the step 3), the time data of the prepare and commit phases of all nodes refers to the time data of all nodes in the alliance chain network starting and ending in the prepare phase and the time data of all nodes starting and ending in the commit phase; when the data is recorded in the second file, because the end time of the prepare stage in the PBFT consensus corresponds to the start of the commit stage, three data values are recorded in each line of the second file, which respectively correspond to the start time of the prepare stage of the abnormality detection node, the end time of the prepare stage, namely the start time of the commit stage, and the end time of the commit stage; and the data of each node is acquired from the alliance chain network, wherein the data of each node occupies one row when being recorded in the second file.
6. The method for detecting abnormal alliance chain based on machine learning as claimed in claim 2, wherein in the step 4), the time interval is obtained by opening the file written with the data in the step 2), reading a row of data, subtracting a first value from a second value in the row of data to obtain the time interval data of the prepare stage of the single node, and subtracting the second value from a third value to obtain the time interval data of the commit stage of the single node.
7. The alliance chain anomaly detection method based on machine learning according to claim 2, wherein in step 7), the time interval is obtained by opening the second file written with data in step 3), reading a row of data, subtracting the first value from the second value in the row of data to obtain the time interval data in the prepare stage of a single node, subtracting the second value from the third value to obtain the time interval data in the commit stage of the single node, and so on; if there are N nodes in the alliance chain network, N rows of data are read, and the time interval data in the prepare and commit stages of the N nodes is calculated.
CN202010853569.8A 2020-08-24 2020-08-24 Alliance chain abnormity detection system based on machine learning and detection method thereof Active CN111988321B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010853569.8A CN111988321B (en) 2020-08-24 2020-08-24 Alliance chain abnormity detection system based on machine learning and detection method thereof


Publications (2)

Publication Number Publication Date
CN111988321A CN111988321A (en) 2020-11-24
CN111988321B true CN111988321B (en) 2022-02-11

Family

ID=73442840


Country Status (1)

Country Link
CN (1) CN111988321B (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant