KR102198266B1 - Bitcoin exchange with blockchain analysis device for intrusion detection - Google Patents

Abstract

The present invention relates to a Bitcoin exchange equipped with a block chain analysis device for intrusion detection. A bitcoin exchange according to a specific example of the present invention includes a user management server, a signature server, and a central bitcoin node, and intrusion management that detects and mitigates illegal intrusion of the bitcoin exchange using a transaction of the blockchain analysis unit. It further includes a server.

Description

Bitcoin exchange with block chain analysis device for intrusion detection {BITCOIN EXCHANGE WITH BLOCKCHAIN ANALYSIS DEVICE FOR INTRUSION DETECTION}

The present invention relates to a bitcoin exchanger, and more particularly, to a bitcoin exchanger included in a block chain analysis device for intrusion detection.

Recently, bitcoin based on cryptocurrency, which enables online transactions, especially international transactions, is becoming an issue, and although such bitcoins have existed since 2008, people have recently existed. The reason I came across is because the value of Bitcoin has skyrocketed over the past few months.

Bitcoin is a digital currency created by Satoshi Nakamoto in 2009, and has a structure that does not have a central device for issuing and managing currencies. Instead, transactions in Bitcoin are made through a P2P-based distributed database, and transactions are performed based on public key cryptography. Bitcoin has anonymity and openness.

Bitcoin is stored in the form of a wallet file, and each wallet is given a unique address, and Bitcoin transactions are made based on that address. Bitcoin is one of the first to implement the concept of cryptocurrency, which Weitai put on the cyberpunk mailing list in 1998.

Bitcoin also uses public key cryptography to trade between public accounts. All transactions are public and stored in a distributed database. Distributed time servers prevent double-spending by performing a series of proof-of-work. All transaction records must be stored in the database of the user management server. A Merkle tree is used to reduce the storage size.

Everyone who participates in the Bitcoin network will have a wallet containing a random pair of cryptographic keys generated by the signing server. The public key is like a Bitcoin address, which acts as the sender and receiver endpoint of all payments.

The private key paired with the public key is used to allow only the owner to pay. Bitcoin addresses do not contain information about the owner, so they are anonymous.

Here, the address is about 33 characters when it is marked human-readable and looks like 1rYK1YzEGa59pI314159KUF2Za4jAYYTd. Bitcoin users can have multiple addresses and create new ones without restrictions. This is because a new address can be created immediately by simply generating a new public key and cryptographic key pair without having to contact any network node. If you easily create an infinite number of addresses and use them, anonymity can be guaranteed.

And Bitcoin contains the current owner's public key (address). Let's say that user A sends something to user A. A adds B's public key (address) to Bitcoin and signs with A's private key. Next, A broadcasts this bitcoin to the P2P network as the transaction details of the appropriate message. The rest of the network nodes verify the encrypted signature and transaction volume before authorizing.

The Bitcoin network is designed to generate and distribute a bunch of new bitcoins about 6 times per hour to someone running software that has selected the "Generate Coins" option, specifically to someone who has successfully created a block. Anyone who runs the software or a special program created by a user in the same role is likely to receive a bitcoin bundle. Generating Bitcoin is sometimes referred to as "mining" in relation to gold mining. The probability that a user can receive a bundle of coins is the same as the probability of generating a hash below the set target value, and the amount of bitcoin generated per bundle does not exceed 50 BTC. And the fluctuation is programmed to decrease to zero over the entire time, so that the total does not exceed 21 million. When this payout decreases, users are encouraged to earn transaction fees rather than running nodes that generate blocks.

All the generating nodes of the network compete to find cryptographic problems to create their candidate blocks. Repetitive trial and error is required to solve this problem. When a node finds the correct answer, it informs the rest of the network and asks for a new bitcoin bundle. Nodes that have received a newly resolved-block authenticate and add to the chain before granting it.

Nodes can use standard clients or other software that utilizes GPU acceleration. Users can also generate bitcoins in groups.

Each node readjusts the difficulty of the problem every 2016 blocks (about 2 weeks) according to the change in the collective computing power of the P2P network so that one block can be generated approximately every 10 minutes.

Despite the use of such a block chain to correct the encryption and anonymity of bitcoin, there have been various malicious intrusion attempts, and there is a problem that the transaction market becomes unstable.

Korean Patent Publication No. 2015-0077538 (Title of invention: Cryptocurrency transaction system and method) Korean Patent Registration No. 10-1857223 (Name of invention: Blockchain token-based user identification method and system)

An object of the present invention is to detect and mitigate intrusions of a user management server and a signature server of a bitcoin exchange, and each intrusion of a bitcoin network through block chain analysis.

In order to achieve the above object, an aspect of the present invention is a bitcoin exchange that includes a user management server, a signature server, and a central bitcoin node, and exchanges bitcoin and fiat money, wherein the bitcoin exchange It further includes an intrusion management server that detects and mitigates illegal intrusion using transactions of the blockchain analysis unit.

Preferably, the intrusion management server detects and mitigates the first intrusion that illegally intrudes into the user management server, accesses the account with the account ID and password of the customer, changes the customer balance, and generates fake purchase information. It includes a first intrusion analysis unit.

Preferably, the first intrusion analysis unit comprises a first intrusion modeling module for modeling a plurality of first intrusion types, and according to whether the transaction data of the black chain analysis unit matches the data recorded in the balance sheet of the user management server. 1 Among the types of intrusions, a second intrusion detection module that detects intrusions that increase the amount of bitcoins held by modifying the balance sheet and resells bitcoins at a discounted price, and the second intrusion detection module detected based on the second intrusion detection module. And a first intrusion mitigation module for mitigating the first intrusion by withdrawing payment of bitcoin after ending the operation of the signature server.

Preferably, the intrusion management server further includes a second intrusion analysis unit for detecting and mitigating a second intrusion that illegally intrudes into the signature server and extracts a private key, and the second intrusion analysis unit includes the block chain analysis unit The second intrusion detects as the second intrusion when the block hash value (Txid) of the mempool and the block hash value of the block chain analysis unit do not match as a result of monitoring all transactions of the mempool not used in the user management server at And a second intrusion mitigation module for mitigating an illegal second intrusion by adding a lock time parameter to the private key generated by the signature server and stopping the use of bitcoin during the lock time.

Preferably, the intrusion management server further comprises a third intrusion analysis unit for detecting and mitigating a third intrusion attacking the bitcoin network, and the third intrusion analysis unit includes the block time of the block chain analysis unit 110. A third intrusion detection module that detects a third intrusion by setting the average time of the block time according to the analysis result, checking deposits and unconfirmed deposits at the bitcoin exchange during the average block time, and depositing and checking at the bitcoin exchange It includes a third intrusion mitigation module for mitigating third intrusion by stopping signing to prevent the withdrawal of bitcoin from the signing server and reverting all transactions caused by the attack when the unsuccessful deposit is confirmed.

According to the present invention having the configuration as described above, intrusions of the user management server and signature server of a bitcoin exchange and each of the bitcoin network can be detected and mitigated by block chain analysis.

The following drawings attached in the present specification illustrate preferred embodiments of the present invention, and serve to further understand the technical idea of the present invention together with the detailed description of the present invention to be described later, so the present invention is described in such drawings. It is limited to matters and should not be interpreted.
1 is a diagram showing the configuration of a bitcoin system according to an embodiment of the present invention.
2 is a configuration diagram of the intrusion management server shown in FIG. 1.
3 is a configuration diagram of a first intrusion analysis unit shown in FIG. 2.
4 is a configuration diagram of a second intrusion analysis unit shown in FIG. 2.
5 is a configuration diagram of a third intrusion analysis unit shown in FIG. 2.
6 is a conceptual diagram for explaining a third intrusion process through a bitcoin network
to be.

Hereinafter, embodiments of the present invention will be described in more detail with reference to the drawings.

Advantages and features of the present invention, and a method of achieving them will become apparent with reference to the embodiments described later together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in a variety of different forms, and only these embodiments make the disclosure of the present invention complete, and are common knowledge in the technical field to which the present invention pertains. It is provided to completely inform the scope of the invention to those who have, and the invention is only defined by the scope of the claims.

The terms used in the present specification will be briefly described, and the present invention will be described in detail.

The terms used in the present invention have been selected from general terms that are currently widely used while considering functions in the present invention, but this may vary depending on the intention or precedent of a technician working in the field, the emergence of new technologies, and the like. In addition, in certain cases, there are terms arbitrarily selected by the applicant, and in this case, the meaning of the terms will be described in detail in the description of the corresponding invention. Therefore, the terms used in the present invention should be defined based on the meaning of the term and the overall contents of the present invention, not a simple name of the term.

When a part of the specification is said to "include" a certain component, it means that other components may be further included rather than excluding other components unless otherwise stated. In addition, the term "unit" used in the specification refers to a hardware component such as software, FPGA, or ASIC, and "unit" performs certain roles. However, "unit" is not meant to be limited to software or hardware. The “unit” may be configured to be in an addressable storage medium or may be configured to reproduce one or more processors.

Thus, as an example, "unit" refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, procedures, Includes subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, database, data structures, tables, arrays and variables. The functions provided within the components and "units" may be combined into a smaller number of components and "units" or may be further separated into additional components and "units".

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art may easily implement the present invention. In addition, in the drawings, parts not related to the description are omitted in order to clearly describe the present invention.

In this embodiment, the customer terminal is a terminal owned by a company or individual who wants to trade bitcoin in fiat currency or vice versa, and the user management server authenticates the customer and manages the balance sheet for each customer, The signature server is a device that signs withdrawal of bitcoins based on the information provided by the user management server, and the central bitcoin node verifies the transaction and block, and sends the generated transaction to other local bitcoin nodes and miner ) And transmits the receipt including the transaction identification number to the user management server.

Accordingly, the present embodiment is configured to detect each type of intrusion on a user management server, a signature server, and a bitcoin network connecting a central bitcoin node and a local bitcoin node based on blockchain analysis and mitigate the detected intrusion.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

1 is a diagram showing a bitcoin system to which this embodiment is applied, as shown in FIG. 1, a customer terminal 10, a user management server 21, a signature server 22, and a central bitcoin node 23. It may include a bitcoin exchange 20, and a number of local bitcoin nodes 30.

The customer terminal 10 requests a transaction between bitcoin and fiat currency, and the user management server 21 of the bitcoin exchange 20 receiving the transaction request from the customer terminal 10 is a login web page for customer authentication. Is transmitted to the customer terminal 10 and the authentication procedure of the customer terminal 10 is performed thereon. Here, transactions are purchases, sales, withdrawals, and deposits.

The user management server 21 checks the balance of the customer terminal 10 that has been successfully authenticated, requests the customer to pay bitcoin to the desired bitcoin address, and then sends the bitcoin payment request information to the signature server 22 through an authenticated communication line. Deliver.

The signature server 22 generates a transaction according to the bitcoin payment request information and transfers the generated transaction to the local bitcoin node 30 through the central bitcoin node 23.

The local bitcoin node 30 checks whether the received transaction has been delivered to the other local bitcoin node 30, then issues a transaction identification number in the form of a receipt, and transmits it to the user management server 21.

The user management server 21 stores the received transaction identification number and transmits it to the customer terminal 10 (S8), and the customer terminal 10 can check the transaction using the received transaction identification number (S9).

The bitcoin exchanger 20 analyzes each type of intrusion on the bitcoin network connecting the user management server 21, the signature server 22, and the central bitcoin node 23 and the local bitcoin node 30. It may further include an intrusion management server 100 for detecting based on and mitigating the detected intrusion.

Figure 2 is a diagram showing the configuration of the intrusion management server 100 shown in Figure 1, referring to Figure 2, the intrusion management server 100 is a block chain analysis unit 110, a first intrusion analysis unit 120 , It may include a second intrusion analysis unit 130 and a third intrusion analysis unit 140.

Blockchain is a structure that creates a block once every 10 minutes, binds several transaction details into one block, and connects it to the previously created block continuously like a chain. Accordingly, the block chain analysis unit 110 is distributed and stored and managed across multiple nodes, and performs a function of managing a distributed ledger or a common ledger including all transaction information. Here, a block is a bundle of a number of transaction information and consists of a block header, a number of transactions that record transaction information, and other information, and the transaction is an operation that records transaction information related to deposit and withdrawal, and other information is among the information in the block. Block information including information not corresponding to the block header and transaction information, and is not used for block hash calculation.

The block hash is the identification information of the block, and the tree root when the software/protocol version of the block header, the previous block hash, which is the hash value of the block located immediately before the block chain, and the transaction hash of individual transaction information are configured in the form of a binary tree. Markle root, which is the hash value located at, time, which is the generation time value of the block, bits that are numerical values for difficulty adjustment, and nonce information, which is the number of calculations that increases when searching for a hash value that satisfies the condition starting with the first 0. Include.

The first intrusion analysis unit 120 detects the intrusion of the user management server 21 by type and then performs a function of mitigating the first intrusion.

The first intrusion is an attack to change the customer's balance by accessing the account with the customer's account ID and password, and is an attack that takes financial advantage by setting up an exchange balance book and creating fake purchase and sales orders.

FIG. 3 is a diagram showing a detailed configuration of the first intrusion analysis unit 120 shown in FIG. 2. As shown in FIG. 3, the first intrusion analysis unit 120 is a first intrusion modeling module 121 , A first intrusion detection module 123, and a first intrusion mitigation module 125.

The first intrusion modeling module 121 includes (1) the outflow of a user account that withdraws bitcoin to an attacker account, (2) an increase in the fiat currency balance in which the fiat currency held by the attacker is modified by the attacker If bitcoin is fake ordered at a high price by the increase in the number of bitcoin high-priced purchase orders that sell bitcoin at a premium, (4) the balance sheet is modified by the attacker and the bitcoin balance increases, ( 5) In the case of a fake order of bitcoin at a low price by an attacker, the price of bitcoin falls, causing a flash crash, and many bitcoin low-cost sales orders that resell bitcoins after the market stabilizes by purchasing bitcoins at a discounted price. A model of the first type of intrusion has been built including an increase and the like.

3 is an embodiment for detection and removal of (4) and (5) intrusion types among the first intrusion types using black chain analysis, and components related to the present embodiment are shown. Accordingly, in addition to the components shown in FIG. 3, general-purpose components for detecting and mitigating other types of intrusion may be further included.

The first intrusion detection module 123 uses the data of the balance sheet stored in the user management server 21 and the block chain analysis unit 110 to check the integrity of the user balance by using the transaction information of the transaction of the block chain analysis unit 110. ), and detects (4) and (5) intrusions among the plurality of first intrusion types according to the comparison result. For example, as shown in the table below, the balance sheet stored in the user management server 21 represents the total amount of bitcoins sold in "∑sell order" and "∑ Not used" refers to bitcoins that are not used for sale. The amount of 10.05 BTC represents the total amount of Bitcoin on the exchange.

Based on the user management server 21, the total amount of bitcoin displayed on the balance sheet and the total amount of bitcoin recorded in the block chain analysis unit 110 are recorded by cross-matching, so that the first intrusion detection module 123 The data of the balance sheet stored in the management server 21 and the data of the block of the block chain analysis unit 110 are compared, and according to the comparison result, it can be seen that the attacks are (4) and (5) of the plurality of first intrusion types. .

That is, if the block data of the block chain analysis unit 110 generated once every 10 minutes and the data of the balance sheet stored in the user management server 21 do not match, the first intrusion detection module 123 Among the first intrusion types of (4) and (5) intrusion types are detected. Here, since the first intrusion detection module 123 is independently operated, the total amount of bitcoin in the balance sheet stored in the user management server 21 to protect the customer's personal information when there is no request from the customer terminal 10 It is provided to this first intrusion detection module 123.

In the first intrusion mitigation module 125, since the damage caused by the first intrusion is limited to the user management server 21, the operation of the signature server 22 is terminated to withdraw the bitcoin payment, and the attacker enters the trading market. And then evaluate the type of intrusion. In addition, the first intrusion mitigation module 125, when a fake sale or purchase order is attempted by an attacker, stops a transaction by the attacker, thereby securing time to withstand the intrusion.

The intrusion management server 100 detects and mitigates the attack type of intrusion generated by the signature server 22 that is the target of the attack and hosts the bitcoin private key despite the existing security parameters and intrusion detection function. It further includes an intrusion analysis unit 130.

FIG. 4 is a diagram showing a detailed configuration of the second intrusion analysis unit 130 shown in FIG. 2, and the second intrusion analysis unit 130 includes a second intrusion detection module 131 and a second intrusion mitigation module 133 ) Can be included.

The second intrusion attacking the signature server 22 is an attack in which an attacker directly accesses the signature server 22 and extracts a private key, and the second intrusion analysis unit 130 is an attack of the transaction of the block chain analysis unit 110. The second intrusion is detected through transaction verification using transaction information.

If the private key of the signing server 22 is leaked by an attacker, the second intrusion is very difficult to detect because it can attack the signing server 22 through a bitcoin network. Accordingly, the second intrusion detection module 123 monitors the mempool of the transaction of the black chain analysis unit 110 and matches the data of the transaction of the mempool with the transaction of the user management server 21, thereby making the second intrusion. Can be detected.

Mempool is stored in the local Bitcoin node 30, and stores and transmits transactions that are not included in the blockchain.

The second intrusion detection module 131 can perform verification for transactions occurring at a specific address by using a distributed average of all transactions of bitcoins, and thus, can transfer bitcoins from the wallet of the bitcoin exchanger 20 without permission. You can easily detect malicious transactions you are transacting.

Accordingly, in order to quickly identify a malicious transaction, a transaction identification number is used to match the transaction of the Mempool and the transaction of the user management server 21. In other words, the signature server 22 separates and stores signature information that serves as a witness during bitcoin transactions so that the transaction identification number or block hash value (Txid) is not changed due to signature reversibility. Segwit (Segregated Witness) must be implemented, and in wallet and transaction segment, the signature confirming the transaction is moved to the back of the block, and the block hash value is not generated.

Therefore, the second intrusion detection module 131 compares the input block hash value (Txid) for all the Mempool transaction lines that are not used in the user management server 21, and according to the comparison result, the signature server 22 The second intrusion can be detected.

Since the detection of the second intrusion is performed in Mempool, a function to overwrite Mempool's transaction is added to replace the existing Mempool's transaction, and for this purpose, a replacement or RBF ( Replace Buy Fee) transaction.

RBF transactions were developed to accelerate bitcoin transactions with low transaction fees or to save transaction costs by batch processing of transactions, but they can be used to replace malicious transactions with new transactions.

For example, when an attacker intrudes into a legitimate customer's signature server 22 and transmits a malicious transaction to the acquired bitcoin address, the RBF transaction is performed without an outgoing transaction.

Since the signature server 22 generates a private key, the generated private key includes the lock time parameter and thus the bitcoin cannot be used during the lock time. Accordingly, the second intrusion mitigation module 133 is controlled during the lock time. 2 After evaluating the intrusion, you can create a security wallet.

According to the second intrusion mitigation module 133, the transaction of the RBF is updated in real time, and the transaction is automatically propagated to the local bitcoin node 30, so that the malicious transaction caused by the second intrusion is removed.

The intrusion management server 100 may further include a third intrusion analysis unit 140 that detects and mitigates a third intrusion attacking the bitcoin network.

5 is a diagram showing a detailed configuration of the third intrusion analysis unit 140 shown in FIG. 2. As shown in FIG. 5, the third intrusion analysis unit 140 is a third intrusion detection module 141 And it may include a third intrusion mitigation module 143.

As described above, the third intrusion is an attack that occurs on the bitcoin network and is indirectly performed on the bitcoin exchanger 20, and for this, the attacker must use a block hash ratio of 50% or more. Accordingly, the third intrusion is said to be a 51% attack, so the attacker can double the bitcoin transaction.

6 is a conceptual diagram illustrating a third intrusion process. Referring to FIG. 6, a third intrusion process through a bitcoin network is as follows.

(1) If the attacker leases the hash rate using the hash rental service, it is possible to control more than 50% of the current Bitcoin hash rate.

(2) After that, after setting up a private bitcoin node, disconnect the main bitcoin network between the central bitcoin node 23 and the local bitcoin node 30, and mine using a hash rate of 50% or more.

(3) If you transfer the same bitcoin as the wallet you own using a public bitcoin node in advance, the bitcoin is transferred to the bitcoin exchange 20 through the main bitcoin network.

(4) The bitcoin exchanger 20 sells bitcoins and then withdraws fiat currency.

(5) The same bitcoin in step (3) above is delivered to the attacker's wallet instead of the private bitcoin node. At this stage, when the private mining block is propagated to the blockchain analysis unit 100, the transaction transmitted to the bitcoin exchanger 20 through the main bitcoin network is marked as malicious.

(6) In the private bitcoin node, it is checked whether the private mining block chain has more Proof of Work (PoW) than the main bitcoin network, and the private mining block is propagated to the main bitcoin network, and then bit in step (3). All transactions transferred after step (2), including the attacker's transaction transferred to the coin exchange 20, are returned. However, transactions transferred to wallets owned by them are excluded.

This third intrusion can be mitigated by increasing the confirmation time for bitcoin deposits after being attacked and penalizing the attacker when leasing a long hash rate. This third intrusion may be detected based on a statistical index that detects the third intrusion according to the analyzed result of the block chain analysis unit 110.

If a deposit confirmation is set in relation to the deposit amount of bitcoin, a safety measure against a third intrusion can be set.However, the safe measure against such a third intrusion is performed under the assumption that a large amount of bitcoin attacks must be estimated. It fails when delivering a small number of bitcoins to a plurality of bitcoin exchanges 20.

The third intrusion detection module 141 performs a function of detecting 3 intrusions during the average block time of the block chain analysis unit 110.

Block time is the time it takes to create a new block for a new proof of work (PoW), and in the case of Bitcoin, it is generated every 10 minutes on average. This block time is determined according to the difficulty of proof-of-work, and if the block time is faster than an average of 10 minutes, the difficulty of proof-of-work increases, and if the block time is later than an average of 10 minutes, the difficulty of proof-of-work decreases. Therefore, the third intrusion is detected only when the blocking time of the bitcoin network becomes more than 50% of the hash rate due to an attack against the third intrusion. Therefore, increasing the average block time from 10 minutes to 20 minutes becomes a statistical index for third intrusion detection.

For example, assuming that block 383627 is timestamped on 2015-11-15 05:11:19 and the next block, 383628, is timestamped on 2015-11-15 05:03:16, then receiving a new block Since the average time of the Bitcoin node is 12.6 seconds, the time stamp is judged to be 12.6 seconds behind the actual time stamp on average.If the block time is calculated by subtracting the time stamp of the current block and the previous block, the average absolute error should be about 12.6 seconds. . Accordingly, the third intrusion detection module 131 may detect a third intrusion by increasing the average block time from 10 minutes to 20 minutes.

The third intrusion mitigation module 143 checks the deposits and unconfirmed deposits of the bitcoin exchanger 20 during the set average block time to reverse all transactions caused by the attack and prevent the withdrawal of bitcoins from the signature server 22. Take safety measures to stop signing.

Accordingly, malicious intrusions supplied from outside of the user management server and signature server of the bitcoin exchange 20 and each of the bitcoin network can be detected and mitigated using the result of the block chain analysis.

In terms of accuracy and reliability of operation of the user management server of the Bitcoin exchange, the signature server, and the blockchain analysis device for intrusion detection of the Bitcoin exchange that can detect and mitigate the intrusion of Bitcoin Networks with blockchain analysis. It is an invention that has great industrial applicability because it can bring a very large progress in terms of performance efficiency, and the possibility of commercialization or sales of the bitcoin system is sufficient as well as the degree to be practically obvious.

Claims (5)

In a bitcoin exchanger that has a user management server, a signature server, and a central bitcoin node and exchanges bitcoin and fiat currency,
Including an intrusion management server that detects and mitigates illegal intrusion of the bitcoin exchange using a transaction of a block chain analysis unit,
The intrusion management server is a first intrusion analysis that detects and mitigates the first intrusion that illegally intrudes into the user management server, accesses the account with the customer's account ID and password, and then changes the customer balance and generates fake purchase information. Includes wealth,
The first intrusion analysis unit may include a first intrusion modeling module that models a plurality of first intrusion types; According to whether the transaction data of the block chain analysis unit matches the data recorded in the balance sheet of the user management server, the balance sheet among the first types of intrusion is modified to increase the amount of bitcoins held and purchase bitcoins at a discounted price. A second intrusion detection module that detects an intrusion that is then re-sold; And a first intrusion mitigation module for mitigating the first intrusion detected by the second intrusion detection module by withdrawing payment of bitcoin after ending the operation of the signature server,
The first intrusion modeling module includes: i) outflow of a user account for withdrawing bitcoin to an attacker account; ii) an increase in the fiat currency balance, which increases the fiat currency held by the attacker's balance sheet modification; iii) Increasing the number of high-priced Bitcoin purchase orders selling Bitcoin at a premium when Bitcoin is faked at a high price by an attacker; iv) Increasing the bitcoin balance due to the amendment of the balance sheet by the attacker, increasing the amount of bitcoins held; v) If bitcoins are fake ordered at a low price by an attacker, the price of bitcoin falls, causing a flash crash, and a large number of low-cost bitcoin sales orders that are reselled after the market stabilizes by purchasing bitcoin at a discounted price. To build an intrusion type model that includes
Bitcoin exchange, characterized in that.
delete delete The method of claim 1, wherein the intrusion management server,
Further comprising a second intrusion analysis unit for detecting and mitigating a second intrusion that illegally intrudes into the signature server and extracts a private key,
The second intrusion analysis unit,
If the block chain analysis unit monitors all mempool transactions that are not used in the user management server, and the monitoring result, the block hash value (Txid) of the mempool and the block hash value of the block chain analysis unit do not match, the second intrusion occurs. A second intrusion detection module to detect; And
A second intrusion mitigation module for mitigating illegal second intrusion by adding a lock time parameter to the private key generated by the signature server and stopping the use of bitcoin during the lock time.
Bitcoin exchange, characterized in that including.
The method of claim 4, wherein the intrusion management server,
Further comprising a third intrusion analysis unit for detecting and mitigating a third intrusion attacking the bitcoin network,
The third intrusion analysis unit,
The third intrusion detection detects a third intrusion by setting the average block time according to the analysis result of the block time by the block chain analysis unit, and checking deposits and unconfirmed deposits at the bitcoin exchange during the average block time. module; And
If the user management server confirms deposits and unconfirmed deposits, a third intrusion mitigation module is provided to mitigate third intrusion by reverting all transactions caused by the attack and stopping signing to prevent the withdrawal of bitcoins from the signature server.
Bitcoin exchange, characterized in that including.

Images