CN113469275A - Refined classification method for Ethereum behavior traffic - Google Patents

Info

Publication number: CN113469275A
Authority: CN (China)
Legal status: Pending
Application number: CN202110824930.9A
Other languages: Chinese (zh)
Inventors: 胡晓艳, 童钟奇, 程光
Current Assignee: Southeast University
Original Assignee: Southeast University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a refined classification method for Ethereum behavior traffic. In the behavior traffic segmentation stage, the segmentation positions are determined by identifying the positions of the Ethereum RLPx frame header packets and determining the range of each behavior traffic Burst, so that the behavior traffic within a single Ethereum TCP flow is segmented. In the behavior traffic classification stage, the several similar Get behaviors are first merged and coarsely classified with a machine learning method; for the coarse classification result, the exact category of each Get behavior is then determined from the association between the Get behaviors and their corresponding Send behaviors, achieving refined classification of Ethereum behavior traffic.

Description

Refined classification method for Ethereum behavior traffic
Technical Field
The invention belongs to the technical field of cyberspace security and relates to a refined classification method for Ethereum behavior traffic.
Background
With the frequent occurrence of blockchain security incidents in recent years, the blockchain network security situation has become more severe, and the demand for blockchain traffic measurement and analysis methods has become more urgent. Compared with Bitcoin, Ethereum's support for smart contracts gives it broader application prospects, and Ethereum traffic has higher research value. Classifying the behavior traffic contained in Ethereum traffic is the basis for further analysis and monitoring of Ethereum traffic. However, the industry still lacks an effective Ethereum behavior traffic classification method; in response to this need, the invention studies, on the basis of Ethereum traffic identification, the problem of classifying behaviors in the encrypted traffic of the Ethereum data transmission phase.
Ethereum behavior traffic classification requires the support of data sets, yet no public Ethereum behavior traffic data set is currently available, so an Ethereum behavior traffic data set has to be constructed as the basis for Ethereum behavior traffic classification. In Ethereum, all nodes are continuously updating and iterating; to keep the state consistent between nodes, each Ethereum node continuously synchronizes and exchanges information such as blocks and transactions with its connected neighbor nodes. If a new TCP connection were established for every behavior interaction, a large number of connections would be opened and closed, seriously wasting resources. Ethereum therefore packs each piece of application-layer behavior data into an RLPx frame through its private RLPx protocol and transmits it in the form of RLPx frames over a TCP connection at the network layer; the receiver obtains the frame boundaries from the frame header, which ensures reliable delivery of the various behavior data. Because Ethereum uses the RLPx protocol to carry multiple behaviors of multiple classes within a single TCP flow, the traffic of different behavior classes is mixed within a single Ethereum TCP flow at the network layer, and the behavior traffic contained in a single TCP flow is difficult to segment accurately. If Ethereum behavior traffic cannot be segmented accurately, a behavior traffic data set cannot be constructed, and the traffic to be measured cannot be segmented into behaviors.
In addition, Ethereum defines the data structures of the different behaviors at the application layer with its private ETH protocol, and the data structures of the different Get behaviors are extremely similar: as shown in Fig. 2, all four Get behaviors consist of a 64-bit request and several 256-bit hash values. Moreover, behaviors are serialized, framed and encrypted before transmission. The similarity of the data structures, together with serialization and encryption, makes the four Get behavior traffic types extremely similar in both packet payload and traffic statistical features, so traditional traffic classification methods have difficulty distinguishing them accurately, and a new identification method needs to be designed for such similar behavior traffic. Get behavior data obtains the corresponding Send behavior data from peer nodes. As shown in Fig. 3, the attributes in the data structures of the Send behaviors differ; although encryption hides the usable information in the packet payload, Send-class behavior traffic can still be distinguished by its statistical features, and the exact type of the corresponding Get-class behavior can then be determined from the Send behavior. However, there is currently no research that classifies Ethereum behavior traffic in this way.
Disclosure of Invention
To strengthen supervision of cyberspace security and achieve refined classification of Ethereum behavior traffic, the invention provides a refined classification method for Ethereum behavior traffic. The method locates the start position of each behavior flow through the RLPx frame header packet (RLPx is Ethereum's private protocol, named after RLP, the recursive length prefix serialization widely used in Ethereum), determines the range of the behavior flow from the range of the behavior Burst, and thereby segments Ethereum behavior traffic and constructs an Ethereum behavior traffic data set. To address the similarity among the Ethereum Get behaviors, the Get behaviors are merged and coarsely classified with a machine learning method, and the exact category of each Get behavior is then determined from the coarse classification result by behavior reordering, elimination of Get behaviors with no returned data, and serialized back-inference.
To achieve this purpose, the invention provides the following technical scheme:
A refined classification method for Ethereum behavior traffic comprises the following steps:
(1) An Ethereum behavior traffic segmentation method is designed: the segmentation positions are determined from the RLPx frame header packets and the Burst range of each single behavior flow, and the behavior traffic within a single Ethereum TCP flow is segmented;
(2) A refined classification method for Ethereum behavior traffic is designed: similar Get behaviors are merged and then coarsely classified with a machine learning method, and the refined classification result is obtained by applying serialized behavior back-inference to the coarse classification result.
Step (1) comprises the following steps:
(1.1) Identify a single Ethereum TCP flow by its five-tuple {source IP address, destination IP address, source port, destination port, protocol type}; first determine the start position of each behavior flow from the RLPx frame header packet, whose payload is 32 B; go to (1.2);
(1.2) Determine the range of packets contained in the next Burst of the flow; the end position of that Burst is the end position of the single behavior flow; go to (1.3);
(1.3) Take the traffic between the start position and the end position as a single behavior flow; if the end of the single Ethereum TCP flow has been reached, behavior traffic segmentation is finished; otherwise go to (1.1).
Step (2) specifically comprises the following substeps:
(2.1) Deploy an Ethereum private chain and modify the Geth tool to obtain pure single-class behavior traffic; split the single-class behavior traffic into individual single-class behavior flows with the Ethereum behavior traffic segmentation method, attach the corresponding labels, and construct the Ethereum behavior traffic data set; go to (2.2);
(2.2) Merge the four Get-class behaviors in the data set (getBlockHeaders, getBlockBodies, getReceipts and getNodeData) into a single Get class, and extract 8 different Burst- and length-related features of the behavior traffic to form a feature vector; the features are described in Table 1; go to (2.3);
Table 1: Get-class behavior features (an image in the original, not reproduced here)
(2.3) Select the random forest (RF) method from machine learning and train a classification model with the selected feature vectors; go to (2.4);
(2.4) For each Ethereum flow to be tested, first split it into behavior flows to be tested with the traffic segmentation method, coarsely classify them with the classification model from step (2.3), and reorder the Get and Send behaviors in the classification result according to the timestamp order in the source data; go to (2.5);
(2.5) Eliminate the Get behaviors with no returned data from the ordered Get behavior sequence, that is, the Get behaviors for which no corresponding Send behavior was returned; go to (2.6);
(2.6) According to the Send behavior sequence, infer backwards the specific type of every behavior in the Get behavior sequence from which the Get behaviors with no returned data have been eliminated, obtaining the refined behavior traffic classification result; the procedure ends.
Step (2.1) specifically comprises the following substeps:
(2.1.1) Deploy Node1 and Node2, connected through an intermediate router; adjust the initial difficulty so that a new block is generated about every 12 s; set up a script file to generate new transactions; go to (2.1.2);
(2.1.2) Modify the Geth tool and initialize the private chain so that no other behavior traffic is generated while unidirectional single-class traffic is produced; separate the unidirectional behavior traffic to obtain single-class behavior traffic; go to (2.1.3);
(2.1.3) Split each single-class behavior traffic into individual single-class behavior flows with the Ethereum behavior traffic segmentation method, attach the corresponding behavior type label and add them to the behavior traffic data set; if the data set covers all behaviors, the procedure ends; otherwise go to (2.1.2).
Step (2.4) specifically comprises the following substeps:
(2.4.1) Set a time interval threshold interval_threshold for judging whether a Get behavior received its corresponding return data, initialized to the time interval between the first Get behavior and its Send behavior; go to (2.4.2);
(2.4.2) Set the variables S_interval and interval_val; initialize S_interval to the time interval between the first Get behavior and its Send behavior, and initialize interval_val to one half of S_interval; go to (2.4.3);
(2.4.3) For each time interval interval_i between a Get behavior and a Send behavior, calculate the new S_interval and interval_val (primed symbols denote the values before the update) as follows:
interval_val = 0.75 * interval_val′ + 0.25 * |S_interval′ - interval_i|
S_interval = 0.875 * S_interval′ + 0.125 * interval_i
(2.4.4) If there is no other Get behavior between a Get behavior and the subsequent Send behavior, the two correspond one-to-one and there is no need to judge whether the Get behavior is invalid; go to (2.4.3); otherwise go to (2.4.5);
(2.4.5) If the time interval between the Get behavior and the subsequent Send behavior exceeds interval_threshold, the Get behavior has no returned data; if behaviors remain to be judged, go to (2.4.4); otherwise the procedure ends.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) The invention achieves accurate segmentation of Ethereum behavior traffic by exploiting the fact that Ethereum traffic is packed into RLPx frames for transmission.
(2) The invention constructs an Ethereum behavior traffic data set through an Ethereum private chain, providing strong support for Ethereum behavior traffic classification.
(3) The method fully considers the similarity between behavior traffic types and achieves refined classification of Ethereum behavior traffic through serialized back-inference.
Drawings
FIG. 1 is the framework of the refined classification method for Ethereum behavior traffic provided by the invention.
FIG. 2 is a data structure of Get class behavior.
FIG. 3 is a data structure for Send class behavior.
FIG. 4 is a comparison of the classification effect before and after merging.
FIG. 5a is the confusion matrix before merging and back-inference.
FIG. 5b is the confusion matrix after merging and back-inference.
Detailed Description
The technical solutions provided by the present invention will be described in detail below with reference to specific examples, and it should be understood that the following specific embodiments are only illustrative of the present invention and are not intended to limit the scope of the present invention.
Example: The invention provides a refined classification method for Ethereum behavior traffic whose architecture is shown in FIG. 1. First, an Ethereum behavior traffic segmentation method is designed; pure single-class behavior traffic is obtained through a private chain and split by the segmentation method into individual single-class behavior flows, from which a behavior traffic data set is constructed. The similar Get-class behaviors in the data set are merged into one Get class, features are extracted from the traffic of each behavior class to obtain a set of feature vectors, and a classification model is trained with the random forest (RF) algorithm. Each flow to be tested is first split into behavior flows by the Ethereum behavior traffic segmentation method and then coarsely classified with the classification model; the behaviors identified as Get and Send in the coarse result are reordered by timestamp, each behavior in the Get sequence is checked for missing return data, and Get behaviors with no returned data are eliminated. Finally, the exact category of each Get behavior is inferred backwards from the category of the Send behavior, achieving refined classification of the behavior traffic.
Specifically, the method of the invention comprises the following steps:
A refined classification method for Ethereum behavior traffic comprises the following steps:
(1) An Ethereum behavior traffic segmentation method is designed: the segmentation positions are determined from the RLPx frame header packets and the Burst range of each single behavior flow, and the behavior traffic within a single Ethereum TCP flow is segmented;
(2) A refined classification method for Ethereum behavior traffic is designed: similar Get behaviors are merged and then coarsely classified with a machine learning method, and the refined classification result is obtained by applying serialized behavior back-inference to the coarse classification result.
Step (1) comprises the following steps:
(1.1) Identify a single Ethereum TCP flow by its five-tuple {source IP address, destination IP address, source port, destination port, protocol type}; first determine the start position of each behavior flow from the RLPx frame header packet, whose payload is 32 B; go to (1.2);
(1.2) Determine the range of packets contained in the next Burst of the flow; the end position of that Burst is the end position of the single behavior flow; go to (1.3);
(1.3) Take the traffic between the start position and the end position as a single behavior flow; if the end of the single Ethereum TCP flow has been reached, behavior traffic segmentation is finished; otherwise go to (1.1).
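The segmentation loop of steps (1.1) to (1.3), as an added Python example that is not code from the patent. It assumes that a Burst is a maximal run of payload-carrying packets in the same direction as the header packet, which the text does not define; the `Packet` fields and the sample trace are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

RLPX_HEADER_PAYLOAD = 32  # bytes: payload of the frame header packet, step (1.1)


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds
    outbound: bool   # direction within the five-tuple (True = initiator to responder)
    payload: int     # TCP payload length in bytes


def segment_behaviors(packets: List[Packet]) -> List[List[Packet]]:
    """Split the packets of one TCP flow into single behavior flows."""
    # Assumption: pure ACKs carry no RLPx data and must not interrupt a Burst.
    data = [p for p in sorted(packets, key=lambda p: p.ts) if p.payload > 0]
    segments: List[List[Packet]] = []
    i = 0
    while i < len(data):
        # (1.1) the next 32-byte packet marks the start of a behavior flow
        if data[i].payload != RLPX_HEADER_PAYLOAD:
            i += 1   # data seen before any header cannot be attributed
            continue
        # (1.2) assumed Burst: the run of packets in the header's direction
        j = i + 1
        while j < len(data) and data[j].outbound == data[i].outbound:
            j += 1
        # (1.3) everything from the header to the end of the Burst is one behavior
        segments.append(data[i:j])
        i = j
    return segments


def payload_totals(segments: List[List[Packet]]) -> List[int]:
    """Total payload bytes per behavior flow, a simple length feature."""
    return [sum(p.payload for p in seg) for seg in segments]


def sample_flow() -> List[Packet]:
    """Constructed packet trace (timestamp, outbound, payload), not captured traffic."""
    rows = [
        (0.00, False, 97),    # leftover data before the first header: skipped
        (0.10, True, 32),     # header of a request
        (0.10, True, 48),
        (0.11, False, 0),     # pure ACK
        (0.15, False, 32),    # header of the response
        (0.15, False, 1448),
        (0.15, False, 1448),
        (0.15, False, 620),
        (0.16, True, 0),      # pure ACK
        (0.40, True, 32),     # header of the next request
        (0.40, True, 80),
    ]
    return [Packet(*row) for row in rows]


if __name__ == "__main__":
    for seg in segment_behaviors(sample_flow()):
        side = "out" if seg[0].outbound else "in"
        print(f"{seg[0].ts:.2f}s {side:>3} packets={len(seg)} "
              f"bytes={sum(p.payload for p in seg)}")
```

Because a Burst here ends only on a direction change, two behaviors sent back to back in the same direction are merged into one segment; a capture with that pattern needs a stricter Burst definition.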
Step (2) specifically comprises the following substeps:
(2.1) Deploy an Ethereum private chain and modify the Geth tool to obtain pure single-class behavior traffic; split the single-class behavior traffic into individual single-class behavior flows with the Ethereum behavior traffic segmentation method, attach the corresponding labels, and construct the Ethereum behavior traffic data set; go to (2.2);
(2.2) Merge the four Get-class behaviors in the data set (getBlockHeaders, getBlockBodies, getReceipts and getNodeData) into a single Get class, and extract 8 different Burst- and length-related features of the behavior traffic to form a feature vector; the features are described in Table 1; go to (2.3);
Table 1: Get-class behavior features (an image in the original, not reproduced here)
(2.3) Select the random forest (RF) method from machine learning and train a classification model with the selected feature vectors; go to (2.4);
(2.4) For each Ethereum flow to be tested, first split it into behavior flows to be tested with the traffic segmentation method, coarsely classify them with the classification model from step (2.3), and reorder the Get and Send behaviors in the classification result according to the timestamp order in the source data; go to (2.5);
(2.5) Eliminate the Get behaviors with no returned data from the ordered Get behavior sequence, that is, the Get behaviors for which no corresponding Send behavior was returned; go to (2.6);
(2.6) According to the Send behavior sequence, infer backwards the specific type of every behavior in the Get behavior sequence from which the Get behaviors with no returned data have been eliminated, obtaining the refined behavior traffic classification result; the procedure ends.
Step (2.1) specifically comprises the following substeps:
(2.1.1) Deploy Node1 and Node2, connected through an intermediate router; adjust the initial difficulty so that a new block is generated about every 12 s; set up a script file to generate new transactions; go to (2.1.2);
(2.1.2) Modify the Geth tool and initialize the private chain so that no other behavior traffic is generated while unidirectional single-class traffic is produced; separate the unidirectional behavior traffic to obtain single-class behavior traffic; go to (2.1.3);
(2.1.3) Split each single-class behavior traffic into individual single-class behavior flows with the Ethereum behavior traffic segmentation method, attach the corresponding behavior type label and add them to the behavior traffic data set; if the data set covers all behaviors, the procedure ends; otherwise go to (2.1.2). The behavior traffic data set finally obtained is shown in Table 2.
Table 2: Behavior traffic data set (an image in the original, not reproduced here)
Step (2.4) specifically comprises the following substeps:
(2.4.1) Set a time interval threshold interval_threshold for judging whether a Get behavior received its corresponding return data, initialized to the time interval between the first Get behavior and its Send behavior; go to (2.4.2);
(2.4.2) Set the variables S_interval and interval_val, initializing to one half of the time interval between the first Get behavior and the Send behavior; go to (2.4.3);
(2.4.3) For each time interval interval_i between a Get behavior and a Send behavior, calculate the new S_interval and interval_val (primed symbols denote the values before the update) as follows:
interval_val = 0.75 * interval_val′ + 0.25 * |S_interval′ - interval_i|
S_interval = 0.875 * S_interval′ + 0.125 * interval_i
(2.4.4) If there is no other Get behavior between a Get behavior and the subsequent Send behavior, the two correspond one-to-one and there is no need to judge whether the Get behavior is invalid; go to (2.4.3); otherwise go to (2.4.5);
(2.4.5) If the time interval between the Get behavior and the subsequent Send behavior exceeds interval_threshold, the Get behavior has no returned data; if behaviors remain to be judged, go to (2.4.4); otherwise the procedure ends.
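Steps (2.4) to (2.6) carried through on a coarse-classified trace, as an added Python example that is not part of the patent. Assumptions: the Send labels use the ETH message names BlockHeaders, BlockBodies, Receipts and NodeData; after the first Get/Send pair, interval_threshold is recomputed as S_interval + 4 × interval_val (borrowed from the TCP retransmission timer, because the text gives no update rule for the threshold); and the sample trace is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed Send labels (ETH message names) and the Get type each one answers.
SEND_TO_GET = {
    "BlockHeaders": "getBlockHeaders",
    "BlockBodies": "getBlockBodies",
    "Receipts": "getReceipts",
    "NodeData": "getNodeData",
}
NO_RETURN = "Get (no returned data)"


@dataclass
class Behavior:
    ts: float                      # start time of the behavior flow, seconds
    label: str                     # coarse label: "Get" or a key of SEND_TO_GET
    refined: Optional[str] = None  # filled in by refine()


class IntervalEstimator:
    """Smoothed Get-to-Send interval, steps (2.4.1) to (2.4.3)."""

    def __init__(self) -> None:
        self.s_interval: Optional[float] = None
        self.interval_val: Optional[float] = None
        self.threshold: Optional[float] = None

    def update(self, interval: float) -> None:
        if self.s_interval is None:
            # (2.4.1)/(2.4.2): initialise from the first Get/Send pair
            self.s_interval = interval
            self.interval_val = interval / 2
            self.threshold = interval
            return
        # (2.4.3): interval_val must be computed from the previous S_interval
        self.interval_val = (0.75 * self.interval_val
                             + 0.25 * abs(self.s_interval - interval))
        self.s_interval = 0.875 * self.s_interval + 0.125 * interval
        # Assumption, not from the patent: TCP-RTO-style threshold.
        self.threshold = self.s_interval + 4 * self.interval_val


def refine(behaviors: List[Behavior]) -> Tuple[List[Behavior], IntervalEstimator]:
    """Reorder, drop Gets with no returned data, infer Get types from Sends."""
    est = IntervalEstimator()
    ordered = sorted(behaviors, key=lambda b: b.ts)   # (2.4) reorder by timestamp
    pending: List[Behavior] = []                      # Gets not yet answered
    for b in ordered:
        if b.label == "Get":
            pending.append(b)
            continue
        b.refined = b.label
        if not pending:
            continue                                  # Send whose Get was not seen
        if len(pending) == 1:
            # (2.4.4) one-to-one pair: trusted, so it feeds the estimator
            get = pending.pop(0)
            est.update(b.ts - get.ts)
        else:
            # (2.4.5) several candidate Gets: too-old ones had no returned data
            limit = est.threshold if est.threshold is not None else float("inf")
            while pending and b.ts - pending[0].ts > limit:
                pending.pop(0).refined = NO_RETURN
            if not pending:
                continue
            get = pending.pop(0)
        get.refined = SEND_TO_GET[b.label]            # (2.6) back-inference
    for get in pending:                               # never answered
        get.refined = NO_RETURN
    return ordered, est


def sample_trace() -> List[Behavior]:
    """Constructed coarse-classified behaviors, deliberately out of order."""
    rows = [(1.00, "Get"), (0.00, "Get"), (0.05, "BlockHeaders"),
            (1.06, "BlockBodies"), (2.00, "Get"), (5.00, "Get"),
            (5.04, "Receipts"), (6.01, "Get"), (6.00, "Get"),
            (6.05, "NodeData"), (6.07, "BlockHeaders"), (9.00, "Get")]
    return [Behavior(ts, label) for ts, label in rows]


def get_labels(behaviors: List[Behavior]) -> List[Optional[str]]:
    """Refined labels of the Get behaviors, in time order."""
    return [b.refined for b in behaviors if b.label == "Get"]


if __name__ == "__main__":
    result, estimator = refine(sample_trace())
    for b in result:
        print(f"{b.ts:5.2f}  {b.label:<12} -> {b.refined}")
    print("threshold:", round(estimator.threshold, 6))
```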
To verify the effectiveness of the proposed Ethereum behavior traffic classification method, experiments compared the classification results before and after merging the similar behaviors. The evaluation metrics are Accuracy, Precision, Recall and the combined F1-score, and the results are shown in FIG. 4. The classification accuracy for the Get class improves greatly, so recognition after merging is much better: the four metrics improve by about 10% overall, which shows that most misclassifications occur in recognizing the Get classes.
To show the improvement that merging brings to the classification of the 4 Get behaviors, confusion matrices before and after merging and back-inference were constructed; the results are shown in FIG. 5a and FIG. 5b. The confusion matrix before merging and back-inference shows that the four Get behaviors are classified poorly against one another, with many misclassifications among them. The confusion matrix after merging and back-inference shows that the method effectively improves the accuracy of distinguishing the four Get behaviors, reduces misclassification, and achieves refined classification of Ethereum behavior traffic.
The technical means disclosed in the invention scheme are not limited to the technical means disclosed in the above embodiments, but also include the technical scheme formed by any combination of the above technical features. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications are also considered to be within the scope of the present invention.

Claims (5)

1. A refined classification method for Ethereum behavior traffic, characterized by comprising the following steps:
(1) designing an Ethereum behavior traffic segmentation method, in which the segmentation positions are determined from the RLPx frame header packets and the Burst range of each single behavior flow, and the behavior traffic within a single Ethereum TCP flow is segmented;
(2) designing a refined classification method for Ethereum behavior traffic, in which similar Get behaviors are merged and classified with a machine learning method, and the refined classification result for the behavior traffic is obtained by applying serialized behavior back-inference to the coarse classification result.
2. The refined classification method for Ethereum behavior traffic according to claim 1, characterized in that step (1) comprises the following steps:
(1.1) identifying a single Ethereum TCP flow by its five-tuple {source IP address, destination IP address, source port, destination port, protocol type}, first determining the start position of each behavior flow from the RLPx frame header packet, that is, a TCP packet with a payload size of 32 B, and going to (1.2);
(1.2) determining the end position of the behavior flow by determining the range of packets contained in each Burst, and going to (1.3);
(1.3) taking the traffic between the start position and the end position as a single behavior flow; if the end of the single Ethereum TCP flow has been reached, ending the behavior traffic segmentation; otherwise going to (1.1).
3. The refined classification method for Ethereum behavior traffic according to claim 1, characterized in that step (2) specifically comprises the following substeps:
(2.1) obtaining pure single-class behavior traffic through an Ethereum private chain, constructing an Ethereum behavior traffic data set with the Ethereum behavior traffic segmentation method, and going to (2.2);
(2.2) merging the four Get-class behaviors in the data set (getBlockHeaders, getBlockBodies, getReceipts and getNodeData) into a single Get class, extracting features, constructing a set of feature vectors, and going to (2.3);
(2.3) selecting the random forest (RF) method from machine learning, training a classification model with the selected feature vectors, and going to (2.4);
(2.4) classifying the Ethereum behavior traffic to be tested with the classification model from (2.3), reordering the Get and Send behaviors in the classification result according to the timestamp order in the source data, and going to (2.5);
(2.5) eliminating the Get behaviors with no returned data from the ordered Get behavior sequence, that is, the Get behaviors for which no corresponding Send data was returned, and going to (2.6);
(2.6) according to the Send behavior sequence, inferring backwards the specific type of every behavior in the Get behavior sequence from which the Get behaviors with no returned data have been eliminated, obtaining the refined behavior traffic classification result, and ending the procedure.
4. The refined classification method for Ethereum behavior traffic according to claim 3, characterized in that step (2.1) specifically comprises the following substeps:
(2.1.1) deploying Node1 and Node2, connected through an intermediate router, adjusting the initial difficulty so that a new block is generated about every 12 s, setting up a script file to generate new transactions, and going to (2.1.2);
(2.1.2) modifying the Geth tool and initializing the private chain so that no other behavior traffic is generated while unidirectional single-class traffic is produced, separating the unidirectional behavior traffic to obtain single-class behavior traffic, and going to (2.1.3);
(2.1.3) splitting each single-class behavior traffic into individual single-class behavior flows with the Ethereum behavior traffic segmentation method, attaching the corresponding behavior type label and adding them to the behavior traffic data set; if the data set covers all behaviors, ending the procedure; otherwise going to (2.1.2).
5. The refined classification method for Ethereum behavior traffic according to claim 3, characterized in that step (2.4) specifically comprises the following substeps:
(2.4.1) setting a time interval threshold interval_threshold for judging whether a Get behavior received its corresponding return data, initialized to the time interval between the first Get behavior and the Send behavior, and going to (2.4.2);
(2.4.2) setting the variables S_interval and interval_val, initializing to one half of the time interval between the first Get behavior and the Send behavior, and going to (2.4.3);
(2.4.3) for each time interval interval_i between a Get behavior and a Send behavior, calculating the new S_interval and interval_val as follows:
interval_val = 0.75 * interval_val′ + 0.25 * |S_interval′ - interval_i|
S_interval = 0.875 * S_interval′ + 0.125 * interval_i
(2.4.4) if there is no other Get behavior between a Get behavior and the subsequent Send behavior, the two correspond one-to-one and there is no need to judge whether the Get behavior is invalid, going to (2.4.3); otherwise going to (2.4.5);
(2.4.5) if the time interval between the Get behavior and the subsequent Send behavior exceeds interval_threshold, the Get behavior has no returned data; if behaviors remain to be judged, going to (2.4.4); otherwise ending the procedure.
CN202110824930.9A 2021-07-21 2021-07-21 Refined classification method for ether house behavior traffic Pending CN113469275A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110824930.9A CN113469275A (en) 2021-07-21 2021-07-21 Refined classification method for ether house behavior traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110824930.9A CN113469275A (en) 2021-07-21 2021-07-21 Refined classification method for ether house behavior traffic

Publications (1)

Publication Number Publication Date
CN113469275A true CN113469275A (en) 2021-10-01

Family

ID=77881501

Country Status (1)

Country Link
CN (1) CN113469275A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111082995A (en) * 2019-12-25 2020-04-28 中国科学院信息工程研究所 Ethernet workshop network behavior analysis method, corresponding storage medium and electronic device
CN111865823A (en) * 2020-06-24 2020-10-30 东南大学 Light-weight Ether house encrypted flow identification method
CN112381119A (en) * 2020-10-27 2021-02-19 中国科学院信息工程研究所 Multi-scene classification method and system based on decentralized application encryption flow characteristics
CN113064953A (en) * 2021-04-21 2021-07-02 湖南天河国云科技有限公司 Ether house address clustering method and device based on neighbor information aggregation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
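Hu Xiaoyan (胡晓艳) et al.: "Ethereum encrypted traffic identification method based on an active node library", 网络空间安全 (Cyberspace Security), vol. 11, no. 8, 31 August 2020 (2020-08-31), pages 34-39 *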

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024748A (en) * 2021-11-04 2022-02-08 东南大学 Efficient Ethernet workshop flow identification method combining active node library and machine learning
CN114024748B (en) * 2021-11-04 2024-04-30 东南大学 Efficient Ethernet traffic identification method combining active node library and machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination