CN115174279B - Real-time detection method, terminal and storage medium for Ethereum smart contract vulnerabilities - Google Patents

Info

Publication number: CN115174279B
Authority: CN (China)
Application number: CN202211101277.4A
Other languages: Chinese (zh)
Other versions: CN115174279A (en)
Inventors: 张殷乾, 吕幸谕, 牛健宇
Current assignee: Southwest University of Science and Technology
Original assignee: Southwest University of Science and Technology
Legal status: Active
Prosecution history: application filed by Southwest University of Science and Technology; priority to CN202211101277.4A; published as CN115174279A; application granted and published as CN115174279B; currently active.

Classifications

    • H04L 63/1433: Vulnerability analysis (under H04L 63/14, network architectures or protocols for detecting or protecting against malicious traffic; H04L 63/00, network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • H04L 63/1441: Countermeasures against malicious traffic (under H04L 63/14)
    • H04L 67/104: Peer-to-peer [P2P] networks (under H04L 67/10, protocols in which an application is distributed across nodes in the network; H04L 67/01, protocols; H04L 67/00, network arrangements or protocols for supporting network services or applications)

Abstract

The invention discloses a real-time detection method, a terminal and a storage medium for Ethereum smart contract vulnerabilities. The method comprises the following steps: monitoring the transaction messages of the P2P network in the current blockchain state through a multi-view observation point consisting of a plurality of nodes, each node running an optimized Ethereum client; processing the transaction messages sent by the multiple nodes and outputting the metadata required for attack detection, which serves as the input of the attack detection; performing attack detection on the corresponding smart contract transaction data according to the input metadata and outputting the corresponding attack detection result; and querying and analyzing the Ethereum transaction data, collecting evidence and raising an alarm for incident response according to the attack detection result for the smart contract. The invention can detect possible attack behaviour before a transaction message is put on chain, or shortly afterwards, and can thereby detect vulnerabilities in a contract efficiently.

Description

Real-time detection method, terminal and storage medium for Ethereum smart contract vulnerabilities
Technical Field
The invention relates to the technical field of blockchains, and in particular to a real-time detection method, a terminal and a storage medium for Ethereum smart contract vulnerabilities.
Background
Since a new type of peer-to-peer (P2P) cryptocurrency system was proposed in 2008, its underlying blockchain technology has attracted growing attention. With the emergence of blockchain-driven application platforms, smart contract technology has laid the foundation for the wide application of blockchains in decentralized financial markets. However, as an emerging technology, the smart contract framework has some drawbacks in its programming languages and execution system. First, developers write smart contracts in high-level languages to implement various complex business logic. These high-level languages (e.g. Solidity) are highly error-prone, and a smart contract cannot be modified once it has been deployed to the blockchain platform, so programming errors that are not detected before deployment are very likely to be exploited by attackers. Second, blockchain smart contracts typically store and manage large amounts of financial assets and run on public P2P networks that any user can join and inspect without a trusted third party, which increases the risk of a contract being attacked and causing significant asset loss.
To address the security problems brought by smart contracts, researchers have successively proposed a series of countermeasures, including methods based on symbolic analysis, formal verification, fuzzing and machine learning. These provide some ideas for detecting smart contract vulnerabilities, but such tools find it difficult to achieve completeness and accuracy of vulnerability detection at the same time: symbolic analysis usually faces problems such as path explosion, formal verification has a relatively low degree of automation, fuzzing has low detection accuracy, and machine learning can only detect a few specific vulnerability types and cannot be extended to other types.
Thus, the prior art has yet to be improved.
Disclosure of Invention
The invention aims to address the deficiencies of the prior art by providing a real-time detection method, a terminal and a storage medium for Ethereum smart contract vulnerabilities, so as to solve the technical problem that traditional smart contract detection cannot perform security detection from a complete view of the network.
The technical scheme adopted by the invention for solving the technical problem is as follows:
In a first aspect, the present invention provides a real-time detection method for Ethereum smart contract vulnerabilities, including:
monitoring the transaction messages of the P2P network in the current blockchain state through a multi-view observation point consisting of a plurality of nodes, each node running an optimized Ethereum client;
processing the transaction messages sent by the multiple nodes, outputting the metadata required for attack detection, and taking the metadata as the input of the attack detection;
performing attack detection on the corresponding smart contract transaction data according to the input metadata, and outputting the corresponding attack detection result;
and querying and analyzing the Ethereum transaction data, collecting evidence and raising an alarm for incident response according to the attack detection result for the smart contract.
In one implementation, monitoring the transaction messages of the P2P network in the current blockchain state through the multi-view observation point consisting of a plurality of nodes includes:
monitoring the transaction messages of the P2P network after each node has run for a certain time.
In one implementation, monitoring the transaction messages of the P2P network after each node has run for a certain time includes:
monitoring the latest transaction messages in the P2P network, and recording the earliest time at which the local node received a transaction message from a peer node;
and processing the related functions of the transaction pool in the geth node, and sending the transaction messages from the geth node's channel to a message handler.
In one implementation, monitoring the transaction messages of the P2P network after each node has run for a certain time further includes:
listening in real time, through the message handler, on the channel for new transaction messages, receiving the transmitted transaction messages through the goroutine channel, and performing deduplication and synchronization on the received transaction messages.
In one implementation, processing the transaction messages sent by the multiple nodes and outputting the metadata required for attack detection, where the metadata serves as the input of the attack detection, includes:
selecting geth nodes in a plurality of different regions;
detecting whether the latest transaction message received by each geth node has already been synchronized into the combined view, by maintaining a common communication channel among the geth nodes;
if so, ignoring the received transaction message;
if not, generating detection metadata for the transaction from the data of the latest transaction message at the local node, and forwarding the generated detection metadata to the message handler.
In one implementation, performing attack detection on the corresponding smart contract transaction data according to the input metadata and outputting the corresponding attack detection result includes:
for a new smart contract transaction, generating transaction execution logic data based on the transaction trace data recorded by the nodes;
and, according to the specific transaction operations covered by the execution logic data, inputting the generated detection metadata into an attack detection model and outputting the corresponding attack detection result.
In one implementation, querying and analyzing the Ethereum transaction data, and performing forensics and incident response alarms according to the attack detection result for the smart contract, includes:
for smart contract transactions with attack events, if the economic loss reaches a set threshold, reproducing the corresponding attack behaviour after the attack event has occurred and generating a corresponding forensic analysis result;
and feeding the forensic analysis result back to the corresponding trading platform.
In one implementation, the method further comprises:
performing correlation analysis of smart contract transactions through graph computation and machine learning, and displaying the analysis result to improve the accuracy of risk identification.
In a second aspect, the present invention further provides a terminal, including a processor and a real-time detection program for Ethereum smart contract vulnerabilities which, when executed by the processor, implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities of the first aspect.
In a third aspect, the present invention further provides a storage medium, which is a computer-readable storage medium storing a real-time detection program for Ethereum smart contract vulnerabilities; when executed by a processor, the program implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities of the first aspect.
The technical scheme adopted by the invention has the following effects:
Addressing the fact that on-chain blockchain transactions cannot be tampered with and attacks therefore cannot be traced back, the transaction messages of the P2P network are monitored in the current blockchain state through a multi-view observation point formed by a plurality of nodes, and the message blind spots that may exist in a single node's view are compensated for by a combined view built from the synchronized transaction messages of the multiple nodes. Moreover, by outputting the metadata required for attack detection and using it to perform attack detection on the corresponding smart contract transaction data, possible attack behaviour can be detected before the transaction message is put on chain, or shortly afterwards. Finally, the Ethereum transaction data are queried and analyzed, and forensics and incident response alarms are carried out, so that attacks can be fundamentally blocked and real-time perception of and timely response to blockchain security threats are achieved.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can derive other drawings from the structures shown without creative effort.
Fig. 1 is a flowchart of a real-time detection method for Ethereum smart contract vulnerabilities in an implementation of the present invention.
Fig. 2 is a schematic diagram of a real-time monitoring system for Ethereum smart contract vulnerabilities based on distributed nodes in an implementation of the present invention.
Fig. 3 is a schematic diagram of the message listening process of a distributed node in an implementation of the present invention.
Fig. 4 is a schematic diagram of message synchronization between distributed nodes in an implementation of the present invention.
Fig. 5 is a schematic diagram of the attack detection flow in an implementation of the present invention.
Fig. 6 is a functional schematic of a terminal in one implementation of the invention.
The implementation, functional features and advantages of the objects of the present invention are further explained below with reference to the accompanying drawings.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it.
Exemplary method
A smart contract is a computerized transaction protocol that encodes the terms of a paper contract and executes them. Smart contracts allow trusted transactions to be conducted without third parties, and these transactions are traceable and irreversible. The combination of smart contracts and blockchain technology in Ethereum is considered a milestone upgrade of the blockchain, and with the increase in the number of smart contracts and the popularization of decentralized applications, the digital assets associated with smart contracts have grown exponentially. Meanwhile, technical defects and security holes in smart contracts have caused huge financial losses and damaged the ecological stability of the blockchain contract layer. Thus, detecting vulnerabilities in contracts effectively and efficiently is an emerging but crucial issue.
According to current research on smart contract security detection, it has been shown that the security vulnerabilities in blockchain smart contracts can be discovered, and corresponding defense suggestions provided, by code analysis techniques for smart contracts such as formal verification and static analysis; however, previous studies suffer from the following disadvantages:
(1) Methods based on symbolic execution, formal verification, fuzzing and the like each have certain disadvantages: symbolic execution faces the problem of path explosion, formal verification may report vulnerabilities that do not exist, and fuzzing has low detection accuracy; in addition, the vulnerability types detected by these methods are incomplete and cannot provide a more complete analysis;
(2) Existing methods detect on historical on-chain data, and cannot support real-time perception of and quick response to attack threats, or real-time detection and forensic analysis of smart contract security.
In addition, these detection methods are based on historical blockchain data and cannot detect potential security hazards in blockchain smart contracts from the large-scale transaction data generated in real time. Moreover, transaction data obtained from a single node may have transaction view blind spots due to network delay and similar factors, so that the detected data is incomplete; a method for real-time monitoring and security detection of Ethereum transactions from a complete view is therefore needed.
In view of the above technical problems, embodiments of the present invention provide a real-time detection method for Ethereum smart contract vulnerabilities, which can detect a possible attack before a transaction message is put on chain, or shortly afterwards, and can thereby detect vulnerabilities in a contract efficiently.
As shown in Fig. 1, an embodiment of the present invention provides a real-time detection method for Ethereum smart contract vulnerabilities, including the following steps:
Step S100: monitoring the transaction messages of the P2P network in the current blockchain state through a multi-view observation point composed of a plurality of nodes.
In this embodiment, the real-time detection method for Ethereum smart contract vulnerabilities is applied to a terminal, where the terminal includes but is not limited to computers, mobile terminals and the like.
In this embodiment, the Ethereum underlying network uses a P2P (peer-to-peer) protocol; each Ethereum client acts as a node in the P2P network, and together they form the blockchain network. A transaction initiated by a user is propagated and verified through the P2P network; on average a transaction propagates to every node in the entire Ethereum public chain network within 6 seconds, and the current average block time of Ethereum is 15 seconds. According to the latest statistics of the Etherscan website, the average number of Ethereum transactions generated per day over the last year (2021.6 to 2022.5) exceeded 1.2 million, so analyzing Ethereum transaction data places high demands on the efficiency and real-time performance of the detection method.
A common method is to obtain Ethereum transactions in real time from the memory pool (mempool) of a locally deployed Ethereum node and then feed them directly into a corresponding vulnerability detection model for analysis. However, this design has a drawback: due to factors such as network delay, the transaction information received by a single node may not be a complete view, so some of the Ethereum transaction information propagated in the P2P network may be missed. To solve this problem, this embodiment provides a real-time detection method for Ethereum smart contract vulnerabilities based on distributed nodes, which aims to provide a platform with high compatibility and extensibility that supports real-time perception of and quick response to attack threats, as well as real-time smart contract security detection and forensic analysis. The main design concept includes:
(1) Addressing the fact that on-chain transactions cannot be tampered with and attacks therefore cannot be traced back, a plurality of distributed transaction monitoring nodes are inserted into the blockchain underlying network; on the premise that no extra overhead is imposed on the performance of the blockchain network, the transaction messages in the underlying network are analyzed in real time, and the 'message blind spots' that may exist in a single node's view are compensated for by a combined view built from the synchronized transaction messages of multiple nodes.
(2) Through real-time monitoring and analysis of the transaction messages in the blockchain underlying network by the distributed nodes, possible attack behaviour in transaction messages is detected before the transactions are put on chain, or within a short time.
(3) The system can promptly feed back the detected transactions containing attack behaviour to stakeholder nodes, such as blockchain nodes and white-hat transaction nodes, for response, thereby preventing malicious transactions from being put on chain, fundamentally blocking attacks, and achieving real-time perception of and timely response to blockchain security threats.
Specifically, in one implementation of the present embodiment, step S100 includes the following step:
Step S101: monitoring the transaction messages of the P2P network after each node has run for a certain time.
Fig. 2 shows the framework of the real-time monitoring system for Ethereum smart contract vulnerabilities based on distributed nodes, through which the real-time detection method of this embodiment is implemented. The architecture diagram shows the architecture of the detection system, which comprises a multi-node observation module (Multi-nodes view), a transaction message handling module (Message Handler), an attack detection module (Detection), a data storage module (Storage) and an application module (Application).
Multi-node observation module (Multi-nodes view): the multi-view observation alliance comprises a plurality of nodes, each running an optimized Ethereum geth client; the nodes monitor the transaction information of the public mempool in the latest blockchain state. Upon receiving a transaction message from the P2P network, each node sends the newly received message to the message handling module.
Transaction message handling module (Message Handler): the message handling module is mainly responsible for maintaining a final state that filters out redundant transaction information. The transaction information sent from the multiple nodes is processed in a short time using a bitmap, and after processing, the metadata required for attack detection is output as the input of the attack detection module.
Attack detection module (Detection): the attack detection module analyzes the data of smart-contract-related transactions and outputs the detection result.
Data storage module (Storage): the data storage module stores the attack detection results of smart contract transactions, uses a cache technology (such as Redis) to hold large-scale transaction data, and finally persists the data into a non-relational database (PostgreSQL).
Application module (Application): the application module supports query analysis of Ethereum transaction data, forensics on the attack detection results of smart contract transactions, incident response alarms and the like.
In this embodiment, the goal is for the Ethereum nodes to acquire the latest transaction messages in the P2P network as early as possible and feed the received messages into the detection module promptly. However, due to factors such as network delay, the view from which a single node receives Ethereum transaction information is usually limited, that is, the node may receive some of the latest Ethereum transactions later than other nodes, which greatly reduces the real-time performance of smart contract transaction attack detection. For a single Ethereum node, factors such as the timeliness with which it observes transactions, its geographic location and the peers it is connected to are correlated, so in order to address the deficiency of the single-node view, the system designed in this embodiment provides a multi-node transaction observation method.
As shown in Fig. 3, the system architecture mainly describes the process from receiving information to detecting and generating a result with three nodes, specifically:
First, Ethereum full nodes (the Go implementation, go-ethereum) run in the system with the synchronization mode set to full; this mode maintains an up-to-date view of Ethereum transactions in the memory pool. In this embodiment, each node is required to keep running for a period of time before message synchronization is started, which helps the nodes reach a stable state: a new node that first enters the network is introduced to a set of peer nodes by the bootstrap node (bootnode), whose only purpose is to connect the new node to peers, and geth keeps trying to connect to other nodes on the network until it has enough peers. In practice, however, because of problems such as unsynchronized time and incompatible versions, the state of the connected peers is often erroneous, so the node needs to keep running for a period of time, for example more than two weeks, to reach a stable state.
Specifically, in one implementation of this embodiment, step S101 includes the following steps:
Step S101a: monitoring the latest transaction messages in the P2P network, and recording the earliest time at which the local node received a transaction message from a peer node;
Step S101b: processing the related functions of the transaction pool in the geth node, and sending the transaction messages from the geth node's channel to the message handler;
Step S101c: listening in real time, through the message handler, on the channel for new transaction messages, receiving the transmitted transaction messages through the goroutine channel, and performing deduplication and synchronization on the received transaction messages.
In this embodiment, for each node, the flow from accepting a new transaction message to sending the message to the handling module mainly consists of the following:
First, the local node joins the Ethereum P2P network, which relies on a Kademlia-based node (peer) discovery protocol; each node typically has 50 peers, and once a node reaches this limit it no longer accepts new connection requests. Therefore, in this embodiment, the maximum number of peer connections of the node is increased to 1000, which greatly increases the node's capacity for adding peers. A source node connected to a high-performance, low-latency node can send data to the rest of the network faster; moreover, by connecting directly to a premium peer node, such as a large exchange's peer node that sends a large number of transactions, all of those transactions are sent from that peer to the local node first. Therefore, when the local node is started, in addition to raising the node's peer connection limit, some relatively well-known static nodes, such as mining pool nodes, are added to the node from the beginning.
Second, after establishing stable connections with peer nodes, the local node can monitor the latest transaction messages from the P2P network. When a node receives a transaction from a neighbouring node, the transaction must be checked and processed before it enters the node's transaction pool (mempool), so this is a very critical point in time. In this embodiment, when the local node receives a message from a peer node, the earliest receipt time of the transaction is recorded, together with the txHash, the timestamp of receipt and the peer IP (the IP information of the node that sent the transaction).
Third, while the local node acquires the latest messages, the functions related to TransactionMsg and Pooled TransactionMsg in the geth node are mainly handled, the transaction is sent to the next message handling module, and the message is passed through a channel in geth.
Finally, the message handler listens in real time on the channel for new transaction messages, receives the transmitted messages through the goroutine channel, and performs deduplication, synchronization and other operations. To obtain the detection data needed, the node in this embodiment records the trace (bytecode-level) data of the underlying EVM execution associated with the smart contract transaction.
As shown in fig. 1, in an implementation manner of the embodiment of the present invention, the method for detecting the vulnerability of the intelligent contracts of the ethernet workshop in real time further includes the following steps:
and step S200, processing the transaction message sent by the multiple nodes, outputting metadata required by attack detection, and taking the metadata as the input of the attack detection.
In this embodiment, after each node monitors the transaction message of the P2P network, it needs to process the transaction message sent by multiple nodes, i.e. synchronize the transaction message of multiple nodes; and then outputting metadata required by attack detection, wherein the metadata is used as input of the attack detection.
Specifically, in one implementation manner of the present embodiment, the step S200 includes the following steps:
step S201, selecting geth nodes of a plurality of different areas;
step S202, detecting whether the latest transaction message received by each geth node is synchronized to a comprehensive view angle or not by maintaining a common communication channel among a plurality of geth nodes;
step S203, if yes, ignoring the received latest transaction message;
and step S204, if not, generating detection metadata of the transaction from the data of the latest transaction message through the local node, and forwarding the generated detection metadata to the message processing program.
As shown in fig. 4, in this embodiment the system selects geth nodes in three different regions (each node with 8 TB of storage and a 64-core CPU). The number of nodes can be adjusted dynamically to actual conditions; usually two or more Ethereum nodes located on different continents or in different countries are needed, and the clocks of the nodes must be synchronized so that the recorded receive times are comparable.
Further, the three nodes check whether the latest transaction they received has already been synchronized into the comprehensive view by maintaining a shared communication channel. As shown in fig. 4, when a node receives a new transaction it consults the record of the total message view through the channel; the record is a bitmap-based message filter implemented as a Bloom filter, which covers hundreds of millions of entries while occupying only tens of MB of memory, so the time a node spends reading the record through a goroutine is negligible. The message filter checks the message sent by the node: if it has already been sent by another node, i.e. it is already present in the multi-node total view, the message is ignored; otherwise the local node generates the detection metadata of the transaction from the new message and forwards it to the processing module of the next step. A Bloom filter produces no false negatives, but a false positive silently drops a genuinely new transaction as already seen, so the bit array must be sized for the expected message volume.
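The multi-node de-duplication of steps S201 to S204 and fig. 4, written out as an added Go example (illustrative code, not the patent's implementation): each node is modelled as a goroutine pushing the transaction hashes it observes into one shared channel, a single consumer checks every hash against a bitmap Bloom filter standing in for the comprehensive view, and only the first sighting of each transaction is forwarded to the detector. Node names, transaction hashes and filter parameters are constructed for the example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sync"
)

// BloomFilter is the bitmap-backed message filter: m bits and k positions per
// key, derived from two FNV-1a hashes by double hashing. It never reports a
// key it has seen as new; it may, rarely, report a new key as already seen.
type BloomFilter struct {
	bits []uint64
	m    uint64
	k    uint64
}

// NewBloomFilter allocates m bits (rounded up to whole 64-bit words).
func NewBloomFilter(m, k uint64) *BloomFilter {
	return &BloomFilter{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

func (b *BloomFilter) hashes(key []byte) (uint64, uint64) {
	h := fnv.New64a()
	h.Write(key)
	h1 := h.Sum64()
	h.Reset()
	h.Write([]byte{0xff}) // different prefix gives an independent second hash
	h.Write(key)
	return h1, h.Sum64() | 1
}

// TestAndAdd returns true if key was (probably) already present and inserts
// it either way, so one call is both the membership check and the sync.
func (b *BloomFilter) TestAndAdd(key []byte) bool {
	h1, h2 := b.hashes(key)
	seen := true
	for i := uint64(0); i < b.k; i++ {
		pos := (h1 + i*h2) % b.m
		word, mask := pos/64, uint64(1)<<(pos%64)
		if b.bits[word]&mask == 0 {
			seen = false
			b.bits[word] |= mask
		}
	}
	return seen
}

// TxMessage is a transaction announcement pushed from one node's txpool.
type TxMessage struct {
	Node   string // monitoring node that observed the transaction
	TxHash string // transaction hash (constructed values in the example)
}

// Synchronize runs one producer goroutine per node, each feeding the
// transactions it observed into a shared channel, and a single consumer that
// applies the filter. It returns the messages that reach the detector and
// the number dropped because another node had already delivered them.
func Synchronize(feeds map[string][]string) (forwarded []TxMessage, ignored int) {
	ch := make(chan TxMessage, 64)
	var producers sync.WaitGroup
	for node, hashes := range feeds {
		producers.Add(1)
		go func(node string, hashes []string) {
			defer producers.Done()
			for _, h := range hashes {
				ch <- TxMessage{Node: node, TxHash: h}
			}
		}(node, hashes)
	}
	go func() {
		producers.Wait()
		close(ch)
	}()

	filter := NewBloomFilter(1<<27, 4) // 2^27 bits = 16 MiB of bitmap
	for msg := range ch {
		if filter.TestAndAdd([]byte(msg.TxHash)) {
			ignored++
			continue
		}
		forwarded = append(forwarded, msg)
	}
	return forwarded, ignored
}

func main() {
	// Constructed feeds: three regional nodes whose views partly overlap.
	feeds := map[string][]string{
		"node-asia":    {"0x01", "0x02", "0x03"},
		"node-europe":  {"0x02", "0x03", "0x04"},
		"node-america": {"0x03", "0x04", "0x05"},
	}
	fwd, ign := Synchronize(feeds)
	for _, m := range fwd {
		fmt.Printf("forward %s (first seen by %s)\n", m.TxHash, m.Node)
	}
	fmt.Printf("%d forwarded, %d ignored as duplicates\n", len(fwd), ign)
}
```

Which node wins the race for a given hash is nondeterministic, which is the point: the comprehensive view only cares that each transaction is forwarded exactly once. The filter is sized at 2^27 bits to give the tens-of-MB footprint the embodiment describes; in production k and m should be chosen from the expected message volume so that the false-positive rate (a new transaction silently dropped) stays well below the detection miss rate one is willing to accept, and the bitmap should be rotated periodically because a Bloom filter cannot forget.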
As shown in fig. 1, in an implementation of this embodiment, the real-time detection method for Ethereum smart contract vulnerabilities further includes the following step:
Step S300: perform attack detection on the transaction data of the corresponding smart contract according to the input metadata, and output the corresponding attack detection result.
Smart contracts are essentially programs stored on a blockchain that run when predetermined conditions are met. They are typically used to automate the execution of an agreement so that all participants can be certain of the outcome immediately, without any intermediary or delay. Like ordinary programs, however, they have defects; the vulnerability types common in Ethereum smart contracts include:
(1) Logic errors
Reentrancy attacks: calling an external contract or sending ether to an address requires an external call; once that call is hijacked by an attacker, the contract executes the attacker's logic, and the attacker can, for example, drain the caller contract's ether by re-entering it before its balance has been updated.
Delegatecall injection: because delegatecall runs the callee's code in the caller's storage context, the callee contract can update the caller's state variables; a delegatecall to an attacker-controlled address triggers this vulnerability.
(2) Integer overflow and underflow: the smart contract code fails to verify the result of arithmetic on numeric input, and the EVM itself does not detect integer overflow (Solidity inserts checked arithmetic only from version 0.8.0, and an `unchecked` block disables it again).
(3) DoS attacks: mishandled loop statements, recursive functions, external contract calls and the like may cause infinite loops, stack exhaustion and other denial-of-service risks. An example is DoS with unexpected revert: the caller contract's transaction is reverted because an external call failed, or because the callee contract deliberately reverts in order to interrupt the caller's execution; as long as the caller's progress depends on that call succeeding, the callee can block the caller indefinitely. This is prevented with the pull-payment pattern, in which the receiver itself invokes a "withdraw" transaction to collect funds the sender has set aside for it, so that the sender's transaction can no longer be reverted by the receiver.
(4) Access control design defects: the smart contract places no restriction on access control or handles it incorrectly, for example through wrong function visibility, and thus allows unauthorized access. This leads to a series of hazards, such as an unprotected selfdestruct that deletes the contract's storage and bytecode.
(5) Function misuse: mainly problems in pseudo-random function calls and in interface function implementation, such as a misnamed constructor, which can lead to predictable random numbers and abnormal interface return values.
(6) Ethereum design mechanisms: mainly defects in the design of Ethereum contracts themselves, such as the short address attack on ERC20 contracts, whose principle is that the EVM zero-pads calldata reads beyond the end of the supplied input, so a truncated address argument shifts the following amount argument and pads it with zeros (Solidity compilers since 0.5.0 revert when calldata is shorter than the declared parameters).
In this embodiment, attack detection is performed on the transaction data of the corresponding smart contract according to the input metadata, and the corresponding detection result is output; that is, whether the smart contract transaction carries an attack, and of which vulnerability type, is determined.
Specifically, in one implementation of this embodiment, step S300 includes the following steps:
Step S301: for a new smart contract transaction, generate the transaction's execution logic data from the transaction trace data recorded by the node;
Step S302: according to the concrete transaction operations covered by the execution logic data, feed the generated detection metadata into the attack detection model and output the corresponding attack detection result.
In this embodiment attack detection is run on transaction data related to the smart contract on the basis of the latest transactions synchronized across the nodes. As shown in fig. 5, for a new smart contract transaction the system generates the transaction's execution logic data from the trace data recorded by the node; this data usually covers the concrete operations of the transaction, such as the function-call logic of the contract program, and the detection result is obtained by feeding the generated detection metadata into the attack detection model of the attack detection module, which is adapted to various attack patterns and rules.
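The reentrancy pattern listed under (1) above and the trace-driven detection of steps S301 and S302, combined in one added Go example (not code from the patent): a constructed call tree in the shape that geth's `debug_traceTransaction` returns with the built-in `callTracer` is walked while keeping the stack of storage contexts whose frames have not yet returned; any call that enters a context still on that stack is a re-entry, and the ether that leaves the re-entered contract inside that frame is summed as the loss indicator. The addresses, the sample trace and the `Finding` structure are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)
// Constructed addresses for the sample (not real contracts).
const (
	Attacker = "0x0000000000000000000000000000000000000a77"
	Vault    = "0x00000000000000000000000000000000000000b1"
)

// SampleTrace is a constructed call tree shaped like geth's callTracer output:
// the attacker calls the vault's withdraw, the vault pays 1 ETH with a CALL that
// lands in the attacker's fallback, which calls withdraw again before the vault
// has updated its balance.
const SampleTrace = `{"type":"CALL","from":"0x0000000000000000000000000000000000000e0a","to":"` + Attacker + `","calls":[
 {"type":"CALL","from":"` + Attacker + `","to":"` + Vault + `","calls":[
  {"type":"CALL","from":"` + Vault + `","to":"` + Attacker + `","value":"0xde0b6b3a7640000","calls":[
   {"type":"CALL","from":"` + Attacker + `","to":"` + Vault + `","calls":[
    {"type":"CALL","from":"` + Vault + `","to":"` + Attacker + `","value":"0xde0b6b3a7640000"}]}]}]}]}`

// CallFrame mirrors callTracer's nested frames, trimmed to the fields used.
type CallFrame struct {
	Type  string      `json:"type"`
	From  string      `json:"from"`
	To    string      `json:"to"`
	Value string      `json:"value,omitempty"` // hex wei, absent when zero
	Calls []CallFrame `json:"calls,omitempty"`
}

// Finding is one re-entry: a storage context whose earlier frame has not
// returned is entered again; ValueOut is the wei leaving it while re-entered.
type Finding struct {
	Reentered string   // context entered a second time
	Via       string   // contract whose call performs the re-entry
	Path      []string // contexts from the entry frame down to the re-entry
	ValueOut  *big.Int
}

// valueOut sums the value of CALLs sent by ctx anywhere inside f; a missing
// "value" field fails to parse and therefore counts as zero.
func valueOut(f CallFrame, ctx string) *big.Int {
	total := new(big.Int)
	for _, c := range f.Calls {
		if c.Type == "CALL" && strings.EqualFold(c.From, ctx) {
			if v, ok := new(big.Int).SetString(strings.TrimPrefix(c.Value, "0x"), 16); ok {
				total.Add(total, v)
			}
		}
		total.Add(total, valueOut(c, ctx))
	}
	return total
}

// walk descends the call tree keeping the stack of live storage contexts.
func walk(f CallFrame, active []string, out *[]Finding) {
	ctx := strings.ToLower(f.To)
	// DELEGATECALL/CALLCODE run foreign code in the caller's storage, so the
	// frame stays in the caller's context for reentrancy purposes.
	if (f.Type == "DELEGATECALL" || f.Type == "CALLCODE") && len(active) > 0 {
		ctx = active[len(active)-1]
	}
	// Re-entry: ctx is still live below the top of the stack (A -> B -> A).
	// A direct self-call (ctx equal to the top) is an ordinary internal call.
	for i := 0; i+1 < len(active); i++ {
		if active[i] == ctx {
			*out = append(*out, Finding{
				Reentered: ctx, Via: strings.ToLower(f.From),
				Path:     append(append([]string{}, active...), ctx),
				ValueOut: valueOut(f, ctx),
			})
			break
		}
	}
	next := append(append([]string{}, active...), ctx)
	for _, c := range f.Calls {
		walk(c, next, out)
	}
}

// DetectReentrancy parses a callTracer result and reports every re-entry.
func DetectReentrancy(traceJSON string) ([]Finding, error) {
	var root CallFrame
	if err := json.Unmarshal([]byte(traceJSON), &root); err != nil {
		return nil, err
	}
	var findings []Finding
	walk(root, nil, &findings)
	return findings, nil
}

func main() {
	findings, err := DetectReentrancy(SampleTrace)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s re-entered via %s, %s wei left it: %s\n", f.Reentered, f.Via, f.ValueOut, strings.Join(f.Path, " -> "))
	}
}
```

Both the callback into the attacker's fallback and the second entry into the vault are reported, since both are frames entered again before they returned; `ValueOut` is what separates the victim (1 ETH leaves the vault while its withdraw frame is still open) from the benign callback, and a rule in the detection model would key on that field or on a state write that follows the external call. A trace of this shape can be produced by executing a pending transaction locally, so the same walk can run before the transaction is chained.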
In this embodiment, because detection must be real-time, the system has to process large volumes of transaction data in a short time, so the storage and retrieval of large-scale transaction data are designed accordingly. Smart contract transactions that carry risk can be held in a cache such as Redis before being written to a database; this takes milliseconds, and transactions containing an attack can be delivered to the alerting stage without delay. The attack detection results are then stored as structured data in a database such as PostgreSQL (relational) or Elasticsearch (document-oriented search engine), which supports further analysis.
As shown in fig. 1, in an implementation of this embodiment, the real-time detection method for Ethereum smart contract vulnerabilities further includes the following step:
Step S400: query and analyze the Ethereum transaction data, and on the basis of the smart contract attack detection result collect forensic evidence and raise an alarm for incident response.
In this embodiment, once the attack detection result has been stored, the system can perform analysis and response: the monitored transaction data is queried and analyzed, and at the same time evidence is collected from the analysis result and the attack event in the transaction is reported, with an alarm, to the relevant trading platform.
Specifically, in one implementation of this embodiment, step S400 includes the following steps:
Step S401: for a smart contract transaction in which an attack event occurred and caused economic loss, replay the corresponding attack behaviour after the event and generate the corresponding forensic analysis result;
Step S402: feed the forensic analysis result back to the corresponding trading platform;
Step S403: perform correlation analysis of smart contract transactions through graph computation and machine learning, and display the analysis result to improve the accuracy of risk identification.
In this embodiment, during incident response, as soon as an attack is detected in the latest received transaction it is fed back promptly to interested parties such as trading platforms; this requires cooperation with the relevant trading platforms or service marketplaces, and in addition the support of mining pools, for example to carry out a "white-hat rescue" by getting a private transaction included on-chain ahead of the attacker's.
In this embodiment, during attack forensics, if a smart contract transaction with an attack event caused economic loss, the attack behaviour can be replayed after the event and a forensic analysis result generated. This helps to trace the source of the attack and recover the loss afterwards.
In addition, in this embodiment the transaction query and correlation analysis can use graph analysis methods to generate a transaction network graph, an attack network graph, a call graph of the smart contract and the like, and display the correlation graphs visually. This part of the system uses Spark graph computation and machine learning; it supports further correlation analysis, path search, semantic analysis and so on, and shows the results in the system to improve the accuracy of risk identification. The database also holds a large volume of label information for Ethereum addresses, which can be updated in real time to support in-depth analysis of transaction data.
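The graph-based correlation of step S403, path search in particular, as an added Go example (illustrative code, not the patent's Spark implementation): a directed transaction graph is built from a constructed list of transfers, labels are attached to addresses, and a breadth-first search follows the flow of funds from the flagged attacker address until it reaches an address labelled as an exchange deposit, returning the chain of transfers as forensic evidence. All addresses, transaction ids, amounts and labels are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed addresses for the sample graph (not real accounts).
const (
	AttackerAddr = "0x0000000000000000000000000000000000000a77"
	Hop1Addr     = "0x0000000000000000000000000000000000000c01"
	Hop2Addr     = "0x0000000000000000000000000000000000000c02"
	DeadEndAddr  = "0x0000000000000000000000000000000000000d01"
	ExchangeAddr = "0x0000000000000000000000000000000000000e01"
)

// Transfer is one value movement extracted from a detected transaction.
type Transfer struct {
	Tx, From, To string
	ValueWei     uint64 // constructed amounts, kept small on purpose
}

// SampleTransfers is a constructed peel chain: the attacker splits the loot,
// one branch dead-ends, the other reaches an exchange deposit address.
func SampleTransfers() []Transfer {
	return []Transfer{
		{"0xt1", AttackerAddr, Hop1Addr, 50},
		{"0xt2", AttackerAddr, DeadEndAddr, 5},
		{"0xt3", Hop1Addr, Hop2Addr, 49},
		{"0xt4", Hop2Addr, ExchangeAddr, 48},
	}
}

// SampleLabels stands in for the address label database of the embodiment.
var SampleLabels = map[string]string{
	AttackerAddr: "attacker:reentrancy",
	ExchangeAddr: "exchange:deposit",
}

// TxGraph is a directed transaction graph with labels attached to addresses.
type TxGraph struct {
	out    map[string][]Transfer // outgoing transfers per address
	labels map[string]string
}

func NewTxGraph(transfers []Transfer, labels map[string]string) *TxGraph {
	g := &TxGraph{out: map[string][]Transfer{}, labels: labels}
	for _, t := range transfers {
		g.out[t.From] = append(g.out[t.From], t)
	}
	return g
}

// Label returns the tag recorded for addr, or "" if it has none.
func (g *TxGraph) Label(addr string) string { return g.labels[addr] }

// TracePath breadth-first searches outgoing transfers from src and returns
// the shortest chain that reaches an address whose label starts with
// labelPrefix, or nil if none is reachable within maxHops transfers.
func (g *TxGraph) TracePath(src, labelPrefix string, maxHops int) []Transfer {
	type hop struct {
		addr  string
		depth int
	}
	parent := map[string]Transfer{} // address -> transfer that first reached it
	visited := map[string]bool{src: true}
	queue := []hop{{src, 0}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur.depth >= maxHops {
			continue
		}
		for _, t := range g.out[cur.addr] {
			if visited[t.To] {
				continue
			}
			visited[t.To] = true
			parent[t.To] = t
			if strings.HasPrefix(g.labels[t.To], labelPrefix) {
				// Follow parent links back to src, then reverse into flow order.
				var path []Transfer
				for a := t.To; a != src; a = parent[a].From {
					path = append(path, parent[a])
				}
				for i, j := 0, len(path)-1; i < j; i, j = i+1, j-1 {
					path[i], path[j] = path[j], path[i]
				}
				return path
			}
			queue = append(queue, hop{t.To, cur.depth + 1})
		}
	}
	return nil
}

func main() {
	g := NewTxGraph(SampleTransfers(), SampleLabels)
	for _, t := range g.TracePath(AttackerAddr, "exchange", 5) {
		fmt.Printf("%s: %s -> %s (%d wei) %s\n", t.Tx, t.From, t.To, t.ValueWei, g.Label(t.To))
	}
}
```

The hop limit matters in practice: without it a search from a busy address fans out across most of the chain, and the label prefix lets the same routine answer different forensic questions (funds reaching an exchange, a mixer, a previously flagged attacker) over the same graph.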
The system relies mainly on messages from Ethereum's underlying P2P network and adds no extra overhead to the blockchain network as a whole; in addition, this embodiment provides a method for efficiently storing, querying, correlating and security-analyzing massive volumes of blockchain transaction messages, and supports rapid security-threat forensics on blockchains with hundreds of millions of transactions.
This embodiment achieves the following technical effects through the technical scheme:
Because transactions already on the chain cannot be tampered with, an attack cannot be rolled back once it has been included. To address this, several distributed transaction-monitoring nodes are inserted into the blockchain's underlying network, the transaction messages in that network are analyzed in real time without adding overhead to the network's performance, and the "message blind spot" that a single node's view may have is compensated for by a comprehensive view synchronized across the multiple nodes. The distributed nodes monitor and analyze the transaction messages in real time and detect possible attack behaviour before the transaction is chained or shortly afterwards, so that the system can promptly feed transactions containing attacks back to stakeholders such as blockchain nodes and white-hat transaction nodes for a timely response, prevent the malicious transaction from being chained, block the attack at its root, and realize real-time awareness of and timely response to blockchain security threats.
Exemplary device
Based on the above embodiment, the present invention further provides a terminal comprising a processor, a memory, an interface, a display screen and a communication module connected through a system bus. The processor provides computing and control capabilities; the memory comprises a storage medium and an internal memory; the storage medium stores an operating system and a computer program; the internal memory provides the environment in which the operating system and the computer program in the storage medium run; the interface connects external equipment such as mobile terminals and computers; the display screen displays the corresponding information; and the communication module communicates with a cloud server or a mobile terminal.
When executed by the processor, the computer program implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities.
It will be understood by those skilled in the art that the block diagram of fig. 6 shows only the part of the structure related to the inventive arrangement and does not limit the terminals to which the inventive arrangement may be applied; a particular terminal may include more or fewer components than those shown, combine certain components, or arrange the components differently.
In one embodiment, a terminal is provided which includes a real-time detection program for Ethereum smart contract vulnerabilities; when executed by the processor, the program implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities described above.
In one embodiment, a storage medium is provided which stores a real-time detection program for Ethereum smart contract vulnerabilities; when executed by the processor, the program implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by hardware under the instructions of a computer program, which may be stored in a non-volatile storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, databases or other media used in the embodiments provided herein may include non-volatile and/or volatile memory.
In summary, the invention provides a real-time detection method, a terminal and a storage medium for Ethereum smart contract vulnerabilities, the method comprising the following steps: monitoring the transaction messages of the P2P network in the current blockchain state through a multi-view observation point consisting of a plurality of nodes, each node running an optimized Ethereum client; processing the transaction messages sent by the multiple nodes and outputting the metadata required for attack detection, which serves as the input of the attack detection; performing attack detection on the transaction data of the corresponding smart contract according to the input metadata and outputting the corresponding attack detection result; and querying and analyzing the Ethereum transaction data, collecting forensic evidence and raising an alarm for incident response according to the smart contract attack detection result. The invention can detect possible attack behaviour before the transaction message is chained or shortly afterwards, and thereby detects vulnerabilities in contracts efficiently.
It will be understood that the invention is not limited to the examples described above, but that modifications and variations will occur to those skilled in the art in light of the above teachings, and that all such modifications and variations are considered to be within the scope of the invention as defined by the appended claims.

Claims (6)

1. A real-time detection method for Ethereum smart contract vulnerabilities, characterized by comprising the following steps:
monitoring the transaction messages of the P2P network in the current blockchain state through a multi-view observation point consisting of a plurality of nodes, each node being a node running an optimized Ethereum client;
processing the transaction messages sent by the plurality of nodes and outputting the metadata required for attack detection, the metadata serving as the input of the attack detection;
performing attack detection on the transaction data of the corresponding smart contract according to the input metadata and outputting the corresponding attack detection result;
querying and analyzing the Ethereum transaction data, and collecting forensic evidence and raising an alarm for incident response according to the attack detection result of the smart contract;
wherein monitoring the transaction messages of the P2P network in the current blockchain state through the multi-view observation point consisting of a plurality of nodes comprises:
monitoring the transaction messages of the P2P network after each node has run for a certain time;
wherein monitoring the transaction messages of the P2P network after each node has run for a certain time comprises:
monitoring the latest transaction message in the P2P network and recording the earliest time at which the local node received the message from a peer node;
processing the relevant function in the transaction pool of the geth node, and sending the transaction message in the geth node's channel to the message handler;
monitoring the new-transaction channel in real time through the message handler, acquiring the transmitted transaction message through the goroutine channel, and performing de-duplication and synchronization on the acquired transaction message;
wherein processing the transaction messages sent by the plurality of nodes and outputting the metadata required for attack detection, the metadata serving as the input of the attack detection, comprises:
selecting geth nodes in a plurality of different regions;
checking, by maintaining a shared communication channel among the plurality of geth nodes, whether the latest transaction message received by each geth node has already been synchronized into the comprehensive view;
if so, ignoring the received latest transaction message;
if not, generating the detection metadata of the transaction from the data of the latest transaction message through the local node, and forwarding the generated detection metadata to the message handler.
2. The real-time detection method for Ethereum smart contract vulnerabilities according to claim 1, wherein performing attack detection on the transaction data of the corresponding smart contract according to the input metadata and outputting the corresponding attack detection result comprises:
for a new smart contract transaction, generating the transaction's execution logic data based on the transaction trace data recorded by the nodes;
inputting the generated detection metadata into an attack detection model according to the concrete transaction operations covered by the execution logic data, and outputting the corresponding attack detection result.
3. The real-time detection method for Ethereum smart contract vulnerabilities according to claim 1, wherein querying and analyzing the Ethereum transaction data, and collecting forensic evidence and raising an alarm for incident response according to the attack detection result of the smart contract, comprises:
for a smart contract transaction with an attack event, if the economic loss reaches a set threshold, replaying the corresponding attack behaviour after the attack event and generating the corresponding forensic analysis result;
feeding the forensic analysis result back to the corresponding trading platform.
4. The real-time detection method for Ethereum smart contract vulnerabilities according to claim 1, further comprising:
performing correlation analysis of smart contract transactions through graph computation and machine learning, and displaying the analysis result so as to improve the accuracy of risk identification.
5. A terminal, comprising a processor and a memory, wherein the memory stores a real-time detection program for Ethereum smart contract vulnerabilities which, when executed by the processor, implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities according to any one of claims 1 to 4.
6. A storage medium, being a computer-readable storage medium, which stores a real-time detection program for Ethereum smart contract vulnerabilities which, when executed by a processor, implements the operations of the real-time detection method for Ethereum smart contract vulnerabilities according to any one of claims 1 to 4.
Application CN202211101277.4A, priority date 2022-09-09, filing date 2022-09-09: Real-time detection method, terminal and storage medium for Ethereum smart contract vulnerability (status: Active)

Publications
CN115174279A (en), published 2022-10-11
CN115174279B (en), published 2022-11-29


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant