CN115208767B - Ethernet network detection method, device, equipment and medium based on simulation technology - Google Patents


Publication number
CN115208767B
Authority
CN
China
Prior art keywords
node
nodes
acquaintance
protocol
metadata
Legal status
Active
Application number
CN202210512262.0A
Other languages
Chinese (zh)
Other versions
CN115208767A (en)
Inventor
刘洋
张玉玺
林致远
王轩
张伟哲
蒋琳
刘川意
吴宇琳
Current Assignee
Shenzhen Graduate School Harbin Institute of Technology
Original Assignee
Shenzhen Graduate School Harbin Institute of Technology
Application filed by Shenzhen Graduate School Harbin Institute of Technology
Priority to CN202210512262.0A
Publication of CN115208767A
Application granted
Publication of CN115208767B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application discloses an Ethereum network detection method, device, computer equipment and storage medium based on simulation technology, wherein the method comprises the following steps: collecting data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried and the results aggregated and de-duplicated by utilizing the characteristics of the node discovery protocol, so that node acquaintance relationships in the node database that were not previously analyzed are obtained; and analyzing the behavior of nodes in the Ethereum network according to the node acquaintance relationships and the node metadata. Because the application obtains the acquaintance relationships in this way and then analyzes node behavior from them together with the node metadata, the number of active nodes it discovers is greater than that of other existing methods, which indicates that the method can show the properties of the Ethereum network more completely.

Description

Ethernet network detection method, device, equipment and medium based on simulation technology
Technical Field
The application belongs to the technical field of computer network security, and particularly relates to an Ethereum network detection method, device, computer equipment and storage medium based on simulation technology.
Background
At present, Ethereum is the most widely used blockchain smart contract platform. Although research on Ethereum consensus algorithms and contract code security analysis is increasing, the characteristics of Ethereum's peer-to-peer network have not received full attention. Studies have shown that the security of blockchain systems using proof-of-work mechanisms depends on the reliability of the peer-to-peer network.
Ethereum uses a peer-to-peer network to communicate the state of its blockchain, and the Ethereum network is intended to emulate a structured graph based on the Kademlia DHT. Because of the above differences, it is necessary to perform complete and comprehensive detection and analysis of the Ethereum peer-to-peer network to find possible risks and hidden dangers in it.
Two protocols mainly run on the Ethereum peer-to-peer network: a UDP-based node discovery protocol and the TCP-based RLPx protocol.
In the node discovery protocol, nodes discover other nodes in the network by probing each other. To join the Ethereum network and begin block synchronization, an Ethereum client designates a set of seed nodes to discover other active nodes and saves their information to the corresponding buckets. To let nodes exchange node records with each other as quickly as possible, the Ethereum Node Discovery Protocol uses UDP as its transport layer protocol. The v4 version of the protocol includes six message types: Ping, Pong, FindNode, Neighbors, ENRRequest and ENRResponse, which form request/response pairs. Ping and Pong packets are used to determine whether the remote node is alive, and each Neighbors packet returns the 16 records closest to the node named in the FindNode packet. Running the node discovery protocol proceeds as follows: a node record is added to the node database; within the first RTT, the local node sends a FindNode packet, receives the Neighbors packet returned by the remote node, and stores the 16 returned node records in the node database; within the second RTT, the local node sends a Ping packet to the remote node to attempt to activate it, and a Pong packet received in reply indicates that the other party is alive; the above operation is then repeated in a loop for the remaining nodes.
All nodes in the Ethereum network have independent node records, and each node record is identified by a node ID. The node ID is a 512-bit ECDSA public key in hexadecimal representation. At present there are two forms of node record, the enode record and the ENR record: the enode record is expressed in plaintext, while the ENR record is the result of signing with the node private key and then applying RLP encoding and base64 encoding. The distance between two nodes is called the logarithmic distance. The calculation function used by Ethereum is a modification of the Kademlia algorithm, and all node records known to the local node are sorted by logarithmic distance. The logarithmic distance is calculated as follows: (1) compute the hash of each of the two node IDs using the keccak256 algorithm; (2) XOR the two hash values, then take the logarithm of the XOR result.
The next step after node discovery is completed is to exchange data with the newly discovered node; the RLPx protocol is used to establish a TCP connection between two nodes over which they can communicate securely. Establishing a connection is divided into two steps: the encryption handshake and the sub-protocol handshake. The encryption handshake constructs, based on ECIES, the symmetric encryption key used for subsequent communication; the sub-protocol handshake lets the two parties exchange sub-protocol names and versions and select a suitable protocol for data transmission. The two parties first send each other a HELLO message, which includes their own node ID, the devp2p protocol version, the client name, the supported application layer protocols, and the local listening port number (default 30303).
The node discovery protocol specification states that each returned Neighbors packet includes the 16 node records in the database that are closest to the record sent by the discovering node. Previous probing methods do not consider the historical node records stored in the node database, and perform only one FindNode/Neighbors round trip when probing each node, so only a quite limited number of node record entries can be obtained.
Disclosure of Invention
In order to overcome the defects in the prior art, the application provides an Ethereum network detection method, device, computer equipment and storage medium based on simulation technology.
The first object of the application is to provide an Ethereum network detection method based on simulation technology.
The second object of the application is to provide an Ethereum network detection device based on simulation technology.
A third object of the present application is to provide a computer device.
A fourth object of the present application is to provide a storage medium.
The first object of the present application can be achieved by adopting the following technical scheme:
an Ethereum network detection method based on simulation technology, the method comprising:
collecting data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried and the results aggregated and de-duplicated by utilizing the characteristics of the node discovery protocol, so that node acquaintance relationships in the node database that were not previously analyzed are obtained;
and analyzing the behavior of nodes in the Ethereum network according to the node acquaintance relationships and the node metadata.
Further, the analyzing the behavior of nodes in the Ethereum network according to the node acquaintance relationships and the node metadata includes:
storing all node acquaintance relationships and node metadata in a local database, and dividing the data in the local database into tables;
dividing the nodes in the tables into active nodes, key nodes, routing nodes and malicious nodes;
counting the categories of nodes in each table;
and analyzing the behavior of nodes in the Ethereum network according to the statistical result.
Further, dividing the data in the local database into tables means classifying the data in the local database by node type, the tables including an active node table, an acquaintance relation table and a key node table.
Further, the analyzing the behavior of nodes in the Ethereum network according to the statistical result includes:
calculating the proportion of each type of active node in the network according to the statistical result;
traversing the acquaintance relation table, finding all active nodes, and analyzing the key nodes in the table and their influence factors with the PageRank algorithm; analyzing malicious nodes, including the principle of their forgery and its influence on the network.
Further, the active node is a node that currently exists in the network and normally runs the blockchain protocol, and is an indispensable factor for blockchain operation;
the key node is an active node that has excellent network conditions and hardware resources and has great influence on block production and the broadcasting of new blocks;
the routing nodes are special nodes that do not run any application layer protocol and only forward node records, and are important for new nodes joining the blockchain network quickly;
the malicious node is a special node that does not run any blockchain protocol and has no acquaintance relationship with other nodes, but broadcasts a large number of forged node records or forged node identities so that active nodes connect to it.
Further, the node metadata includes a node record sequence number, a client version and development language, an operating system type, and a supported application layer protocol, wherein:
the step of obtaining the node record sequence number data comprises the following steps:
the starting node simulates sending an ENR Request packet to a remote node, and parses the node record sequence number data from the received ENR Response packet;
the obtaining of the remaining metadata includes:
after the starting node and the remote node complete the ECIES handshake of the RLPx protocol, the two parties then carry out the protocol handshake, and the client version, development language, operating system type and supported application layer protocols are obtained from the other party's handshake packet in the protocol handshake stage; according to analysis of the Ethereum client source code, when the remote node returns the error message "too many peers", the node is regarded as being connected to more than 50 nodes and is treated as an active node.
Further, collecting data through the detector includes simulation node initialization and recursive search, wherein:
the simulation node initialization includes:
in the initial state, creating a starting node based on simulation technology, designating a series of seed nodes for the starting node, and having the starting node perform a recursive search from the seed nodes until no new node appears, at which point the search of the whole Ethereum network is complete;
the recursive search includes:
the query procedure for each node includes: sending UDP packets to obtain all nodes the node is acquainted with through the node discovery protocol, then establishing a TCP connection with the node and obtaining its metadata by simulating the handshake process of the RLPx protocol, thereby obtaining the data to be collected.
The second object of the application can be achieved by adopting the following technical scheme:
an Ethereum network detection device based on simulation technology, the device comprising:
the data acquisition module, used for collecting data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried and the results aggregated and de-duplicated by utilizing the characteristics of the node discovery protocol, so that node acquaintance relationships in the node database that were not previously analyzed are obtained;
and the behavior analysis module, used for analyzing the behavior of nodes in the Ethereum network according to the node acquaintance relationships and the node metadata.
The third object of the present application can be achieved by adopting the following technical scheme:
the computer equipment comprises a processor and a memory for storing a program executable by the processor, wherein the Ethereum network detection method is implemented when the processor executes the program stored in the memory.
The fourth object of the present application can be achieved by adopting the following technical scheme:
a storage medium storing a program which, when executed by a processor, implements the Ethereum network detection method described above.
Compared with the prior art, the application has the following beneficial effects:
1. The application uses the characteristics of the node discovery protocol to repeatedly query peer nodes and aggregate and de-duplicate the results, so that node acquaintance relationships in the node database that were not previously analyzed are obtained; node behavior is then analyzed according to the node acquaintance relationships and the node metadata. The number of active nodes discovered is greater than that of other existing methods, so the method can show the properties of the Ethereum network more completely, that is, it has stronger applicability in the Ethereum network.
2. By defining routing nodes, the application shows that they play an important role in improving the efficiency with which the network topology is established, and by analyzing the behavior of key nodes it further finds that the underlying peer-to-peer network is trending towards centralization.
3. With the method provided by the application, a large number of node record forgeries were found, which supports future quantitative analysis of Ethereum's communication efficiency and network security problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the structures shown in these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an Ethereum network detection method based on simulation technology in embodiment 1 of the present application.
Fig. 2 is a flowchart of an Ethereum network detection method based on simulation technology in embodiment 1 of the present application.
Fig. 3 is a schematic diagram of a simulation node in the network according to embodiment 1 of the present application.
Fig. 4 is a block diagram of an Ethereum network detection device based on simulation technology in embodiment 2 of the present application.
Fig. 5 is a block diagram showing the structure of a computer device according to embodiment 3 of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present application are within the scope of protection of the present application. It should be understood that the detailed description is intended to illustrate the application, and is not intended to limit the application.
Example 1:
As shown in fig. 1 and 2, this embodiment provides an Ethereum network detection method based on simulation technology, in which peer nodes are repeatedly queried and the results aggregated and de-duplicated by using the characteristics of the node discovery protocol, so that node acquaintance relationships in the node database that were not previously analyzed can be obtained; the collected node acquaintance relationships and node metadata are then used to analyze and summarize the behavior of nodes in the Ethereum network.
S101, collecting data through the detector, the data comprising node acquaintance relationships and node metadata.
The data collected by the detector in this embodiment consists of two main kinds: node acquaintance relationships and node metadata, wherein:
(1) Node acquaintance relationship.
The node records stored in the local database of each node are regarded as that node's acquaintance nodes. The node discovery protocol specification states that each returned Neighbors packet includes the 16 node records in the database closest to the record sent by the discovering node. Previous detection methods do not consider the historical node records stored in the node database, and perform only one FindNode/Neighbors round trip when probing each node, so only a quite limited number of node record entries can be obtained. The application uses repeated queries and de-duplication to obtain all node records stored in the peer node. The asymmetric relationship in which one node's record is stored in another node is called the node acquaintance relationship; in this way, node acquaintance relationships that were not previously analyzed are obtained.
(2) Node metadata.
The node metadata includes the node record sequence number, client version and development language, operating system type, and supported application layer protocols. The node record sequence number is called seq, and its value can be obtained through the node discovery protocol. Because the Geth and Parity clients implement the Ethereum Node Records specification differently, the seq of a Geth client increments from 0, while a Parity client selects a random number as the initial value, so the seq value of a Geth client can be used as one metric of node liveness. After the RLPx protocol completes the encryption handshake, the protocol handshake must then be performed, during which the two parties exchange the client name and supported sub-protocols; the remaining data can be acquired in the protocol handshake.
The process of obtaining node metadata comprises the following steps:
(2-1) obtaining the node record sequence number.
The starting node simulates sending an ENR Request packet to the remote node and parses the node record sequence number (seq) from the received ENR Response packet.
(2-2) obtaining the remaining metadata.
The starting node and the remote node first complete the ECIES handshake of the RLPx protocol, and the two parties then carry out the protocol handshake; at this stage, other information such as the client version and application layer protocols can be obtained from the other party's handshake packet. According to analysis of the Ethereum client source code, when the remote node returns the error message "too many peers", the node is regarded as being connected to more than 50 nodes and counts as a quite active node.
(3) Data is acquired by the detector.
The data collected by the detector in this embodiment includes node acquaintance relationships and node metadata, and the specific process is as follows:
As shown in fig. 3, the operation of the simulated node in the network includes two steps: initialization and recursive search. The probe is written in the Go language and compiled and run under version 1.17. To improve data access efficiency, all node records and acquaintance relationships are stored in LevelDB and managed by simulating a table structure through prefix encoding. The detector also provides an RPC interface for monitoring, in real time, the data acquisition progress and the currently discovered network status, wherein:
(3-1) simulation node initialization.
A starting node is created in the initial state; the starting node is virtualized based on simulation technology. A series of seed nodes is then designated for the starting node, and the starting node performs a recursive search from the seed nodes until no new node appears, at which point the search of the whole Ethereum network is complete.
(3-2) recursive search.
The query process for each node is also divided into two steps: first, UDP packets are sent to obtain all nodes that the node knows through the node discovery protocol; then a TCP connection is established with the node and its metadata is obtained by simulating the handshake process of the RLPx protocol. The final experimental data set, namely the node acquaintance relationships and the node metadata, is obtained through these two steps.
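The repeated query and de-duplication of item (1) and the recursive search of (3-2), as an added Python example that is not the patent's Go probe. It runs entirely against constructed in-memory peers with no network I/O; stdlib SHA3-256 stands in for keccak256, and `SimPeer`, `enumerate_acquaintances`, `crawl`, `build_demo_network` and the idle-round stopping rule are illustrative assumptions.

```python
import hashlib
import random

NEIGHBORS_PER_REPLY = 16   # records per Neighbors packet, as stated in the text


def node_hash(node_id: bytes) -> int:
    # Assumption: stdlib SHA3-256 stands in for keccak256 (different padding,
    # same 256-bit output); the distance logic is unaffected by the swap.
    return int.from_bytes(hashlib.sha3_256(node_id).digest(), "big")


def log_distance(a: bytes, b: bytes) -> int:
    """Hash both IDs, XOR the hashes, take the bit length of the result."""
    return (node_hash(a) ^ node_hash(b)).bit_length()


class SimPeer:
    """Constructed in-memory stand-in for a remote node; no network I/O."""

    def __init__(self, node_id: bytes, known: list):
        self.node_id = node_id
        self._table = [(node_hash(n), n) for n in known]

    def find_node(self, target: bytes) -> list:
        """Answer like a Neighbors reply: the closest records, capped at 16."""
        t = node_hash(target)
        ranked = sorted(self._table, key=lambda entry: entry[0] ^ t)
        return [n for _, n in ranked[:NEIGHBORS_PER_REPLY]]


def enumerate_acquaintances(peer, rng, idle_limit=300):
    """Query one peer with fresh random targets, de-duplicating the replies,
    until idle_limit consecutive replies add no unseen record."""
    seen, idle, rounds = set(), 0, 0
    while idle < idle_limit:
        target = rng.getrandbits(512).to_bytes(64, "big")
        fresh = set(peer.find_node(target)) - seen
        rounds += 1
        if fresh:
            seen |= fresh
            idle = 0
        else:
            idle += 1
    return seen, rounds


def crawl(network: dict, seeds: list, rng) -> dict:
    """Recursive search from the seeds until no new node appears.
    Returns the asymmetric acquaintance relation {node_id: set(known ids)}."""
    acquaintances, queue, queued = {}, list(seeds), set(seeds)
    while queue:
        node_id = queue.pop()
        peer = network.get(node_id)
        if peer is None:            # a record that nothing answers for
            continue
        known, _ = enumerate_acquaintances(peer, rng)
        acquaintances[node_id] = known
        for n in known - queued:
            queued.add(n)
            queue.append(n)
    return acquaintances


def build_demo_network(size=40, fanout=30, seed=7):
    """Constructed sample: peer i stores the records of peers i+1 .. i+fanout."""
    rng = random.Random(seed)
    ids = [rng.getrandbits(512).to_bytes(64, "big") for _ in range(size)]
    network = {
        nid: SimPeer(nid, [ids[(i + k) % size] for k in range(1, fanout + 1)])
        for i, nid in enumerate(ids)
    }
    return ids, network, rng


if __name__ == "__main__":
    ids, network, rng = build_demo_network()
    one_reply = network[ids[0]].find_node(ids[5])
    full, rounds = enumerate_acquaintances(network[ids[0]], rng)
    print(f"single reply: {len(one_reply)} records; "
          f"repeated queries: {len(full)} records in {rounds} rounds")
    graph = crawl(network, [ids[0]], rng)
    print(f"crawl from one seed reached {len(graph)} nodes, "
          f"{sum(len(v) for v in graph.values())} acquaintance edges")
```
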
S102, analyzing the behavior of Ethereum nodes according to the node acquaintance relationships and the node metadata.
Further, step S102 specifically includes:
(1) Dividing the data into tables.
To improve data access efficiency during queries, all node records and acquaintance relationships are stored in a LevelDB local database and managed by simulating a table structure through prefix encoding.
After the data of the whole Ethereum network has been captured, the data in the database is classified by behavior type using Python, into an active node table, an acquaintance relation table, a key node table and so on.
One example provided by this embodiment: from December 2, 2021 to March 2, 2022, the Ethereum network was monitored for one quarter, and more than 200 million pieces of raw data totaling 33G were collected. The probe was deployed on a server (Intel(R) Xeon(R) Gold 5220 CPU @ 2.20GHz x 72 CPU, 128G RAM, 2TB SSD) with the operating system Linux 18.04. The data analysis program is based on Python 3.9 and uses LevelDB as a local database to store the data by category.
(2) Node definitions.
For ease of analysis and description, nodes are divided into four classes according to typical behavior in a network: active nodes, critical nodes, routing nodes, and malicious nodes, wherein:
(2-1) active nodes.
Active nodes refer to nodes currently existing in the network and capable of normally running the blockchain protocol, and are factors indispensable to the blockchain operation. A node is said to be an active node if it meets any of the following conditions:
(a) The node returns non-error metadata in the handshake phase of the RLPx protocol;
(b) A non-empty ENR record may be obtained by Node Discovery Protocol v;
(c) The node has had an acquaintance relationship with other nodes at least once (more than one node is known).
Active nodes are the nodes that run normally in the Ethereum network and are the foundation on which the whole peer-to-peer network operates. By studying the active nodes, the topology of the Ethereum network can be obtained, and from it whether Ethereum itself can run safely and stably.
(2-2) critical nodes.
A key node must first be an active node, and must have excellent network conditions and hardware resources; key nodes have a great impact on block production and the broadcasting of new blocks. Analysis of the collected network topology data shows that the underlying network is trending towards centralization around key nodes. A node is said to be a key node if it meets all of the following conditions:
(a) Running the latest version client, indicating that the node is actively maintained;
(b) The number of the peer nodes exceeds 50, which indicates that the node has high external activity;
(c) The number of the acquainted nodes exceeds 50000, which indicates that the node stably operates for a long time. The acquaintance node refers to all nodes found by the local node in the node discovery protocol and is stored in the node database.
Key nodes are carefully maintained and occupy a central place in the blockchain network. Judging from block production, they hold most of the computing power, are high-value nodes, and are the most likely targets of attack.
(2-3) routing nodes.
The routing nodes are special nodes, do not run any application layer protocol, only forward node records, and have important significance for fast joining of new nodes into the blockchain network.
(2-4) malicious nodes.
Malicious nodes refer to special nodes which do not run any blockchain protocol and have no acquaintance relation with other nodes, but broadcast forged node records or forged node identities in a large number to enable active nodes to be connected with the nodes. Malicious nodes can cause reduced ethernet network efficiency and have a significant impact on the security of a particular node. The typical behavior of malicious nodes is falsified node records, which proactively acts to further exacerbate the confusion of the underlying network. Malicious falsification of node records means that an attacker generates a large number of random public keys to package the random public keys into node records and then broadcast the node records outwards.
In one case provided in this embodiment, after a quarter of detection, 2578458 node records and 124972682 acquaintance relationships are finally obtained. The nodes are divided into four classes of active nodes, key nodes, routing nodes and malicious nodes according to typical behaviors of the nodes. From a quantitative perspective, 64559 active nodes are finally obtained, including key nodes and 2039 routing nodes. The number of active nodes doubles two years ago, indicating that the ethernet network scale expands rapidly in the near two years. Meanwhile, by adopting the method provided by the application, the number of the discovered active nodes is more than that of the other methods at present, which indicates that the method can more completely display the Ethernet network property. From the node property, the routing node plays a role in improving the establishment efficiency of the network topology, the key node plays a leading role in blocking out and uplink of a new area, and the underlying point-to-point network has a tendency towards centralization development.
The typical behavior of malicious nodes is falsified node records, which proactively acts to further exacerbate the confusion of the underlying network. Malicious falsification of node records means that an attacker generates a large number of random public keys to package the random public keys into node records and then broadcast the node records outwards. The Kademlia algorithm is a root cause of malicious node record counterfeiting, and an attacker only needs to forge a large number of node records with different public keys and broadcast the node records outwards, so that nodes with similar distances always actively transmit false records to the whole network. This behavior will quickly contaminate the node databases of most nodes in the network. An attacker can also use this method to launch a solar attack on any node, so all critical nodes should be configured with precautions to avoid solar attacks. In addition, not only are malicious forged node records, but also a plurality of key nodes are used for intentionally generating different node records to induce other nodes to actively establish connection in order to improve the network weight. This behavior is obviously detrimental to fair competition among nodes, enhancing the centralization of the network.
Aiming at the common node record counterfeiting behavior in the current Ethernet network, nearly half of all records are randomly counterfeited. The root cause of this forgery is the routing algorithm used by the ethernet node discovery protocol, and for its own interests, each party in the blockchain network has the motivation to repeatedly forgery the records for various reasons, and the phenomena that will occur by these motivations also coincide with the actually discovered data.
(3) Data statistics.
Count the metadata carried by the nodes in each table and draw statistical charts, IP maps, heat maps and the like to facilitate visual observation and analysis.
(4) Data analysis.
Summarize the proportion of each active node in the network; traverse the relation table, find all active nodes, and use the PageRank algorithm to analyze the key nodes in the node table and their influence factors; analyze the malicious nodes, revealing the node record forgery that is common in the Ethereum network, analyzing the principle and purpose of the forgery and its influence on the network, and finally providing a countermeasure for ordinary nodes.
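The classification, counting and PageRank steps described above can be sketched as follows. This is an added example, not code from the patent: the client version string, both thresholds, the `eth/` capability check and the sample crawl data are assumptions constructed for illustration, and a record with no blockchain protocol and no acquaintances of its own is only flagged as suspected forged.

```python
from collections import Counter, defaultdict

# Assumed values: the document names a "latest version" and two "set
# thresholds" without giving concrete numbers.
LATEST_CLIENT = "Geth/v1.10.17"
PEER_THRESHOLD = 50
ACQUAINTANCE_THRESHOLD = 3

# Constructed sample crawl output (not real measurements).
# caps: application-layer protocols seen in the RLPx protocol handshake.
NODES = {
    "A": {"client": "Geth/v1.10.17", "caps": ["eth/66"], "peers": 60},
    "B": {"client": "Geth/v1.10.12", "caps": ["eth/66"], "peers": 12},
    "C": {"client": "Geth/v1.10.17", "caps": ["eth/66"], "peers": 8},
    "D": {"client": "Geth/v1.10.17", "caps": ["eth/66"], "peers": 5},
    "E": {"client": "Geth/v1.10.16", "caps": ["eth/66"], "peers": 3},
    "R": {"client": None, "caps": [], "peers": 0},    # answers discovery only
    "X1": {"client": None, "caps": [], "peers": 0},   # advertised, never answers
    "X2": {"client": None, "caps": [], "peers": 0},
}
# (a, b): node a returned b's record when queried over the discovery protocol.
EDGES = [("A", "B"), ("A", "C"), ("A", "D"), ("A", "E"), ("B", "A"),
         ("C", "A"), ("C", "B"), ("D", "A"), ("E", "A"), ("R", "A"),
         ("R", "B"), ("R", "C"), ("B", "X1"), ("R", "X2")]

def classify(nodes, edges):
    """Label every node record with one of the four classes."""
    acquaintances = defaultdict(set)
    for a, b in edges:
        acquaintances[a].add(b)
    labels = {}
    for nid, meta in nodes.items():
        runs_chain = any(c.startswith("eth/") for c in meta["caps"])
        if runs_chain:
            is_key = (meta["client"] == LATEST_CLIENT
                      and meta["peers"] > PEER_THRESHOLD
                      and len(acquaintances[nid]) > ACQUAINTANCE_THRESHOLD)
            labels[nid] = "key" if is_key else "active"
        elif acquaintances[nid]:
            labels[nid] = "routing"            # forwards records, no app protocol
        else:
            labels[nid] = "suspected-forged"   # no protocol, no acquaintances
    return labels

def pagerank(members, edges, damping=0.85, iterations=50):
    """Power-iteration PageRank over acquaintance edges between `members`."""
    out = {m: set() for m in members}
    for a, b in edges:
        if a in out and b in out:
            out[a].add(b)
    n = len(out)
    rank = {m: 1.0 / n for m in out}
    for _ in range(iterations):
        dangling = sum(rank[m] for m in out if not out[m])
        nxt = {m: (1 - damping + damping * dangling) / n for m in out}
        for m, targets in out.items():
            for t in targets:
                nxt[t] += damping * rank[m] / len(targets)
        rank = nxt
    return rank

def analyse(nodes=NODES, edges=EDGES):
    """Return per-node labels, per-class counts and PageRank of active nodes."""
    labels = classify(nodes, edges)
    active = [n for n, lab in labels.items() if lab in ("active", "key")]
    return labels, Counter(labels.values()), pagerank(active, edges)

if __name__ == "__main__":
    print(analyse())
```

Records that fall into the last class are the ones an ordinary node would decline to store or dial until the advertised peer completes a handshake.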
Those skilled in the art will appreciate that all or part of the steps in a method implementing the above embodiments may be implemented by a program to instruct related hardware, and the corresponding program may be stored in a computer readable storage medium.
It should be noted that although the method operations of the above embodiments are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order or that all illustrated operations be performed in order to achieve desirable results. Rather, the depicted steps may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
Example 2:
As shown in fig. 4, the present embodiment provides an Ethereum network detection device based on simulation technology, which includes a data acquisition module 401 and a behavior analysis module 402, wherein:
a data acquisition module 401, configured to acquire data, where the data includes node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried by utilizing the characteristics of the node discovery protocol and the results are aggregated and deduplicated, obtaining node acquaintance relationships from the node databases that have not been analyzed before;
a behavior analysis module 402, configured to analyze the behavior of the nodes in the Ethereum network according to the node acquaintance relationships and the node metadata.
Specific implementation of each module in this embodiment may be referred to embodiment 1 above, and will not be described in detail herein; it should be noted that, the apparatus provided in this embodiment is only exemplified by the division of the above functional modules, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure is divided into different functional modules, so as to perform all or part of the functions described above.
Example 3:
The present embodiment provides a computer device, which may be a computer. As shown in fig. 5, its components are connected through a system bus 501. The processor is configured to provide computing and control capabilities; the memory includes a nonvolatile storage medium 506 and an internal memory 507, where the nonvolatile storage medium 506 stores an operating system, a computer program and a database, and the internal memory 507 provides an environment for running the operating system and the computer program in the nonvolatile storage medium. When the processor 502 executes the computer program stored in the memory, the Ethereum network detection method of the foregoing embodiment 1 is implemented as follows:
collecting data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried by utilizing the characteristics of the node discovery protocol and the results are aggregated and deduplicated, obtaining node acquaintance relationships from the node databases that have not been analyzed before;
analyzing the behavior of the nodes in the Ethereum network according to the node acquaintance relationships and the node metadata.
Example 4:
The present embodiment provides a storage medium, which is a computer readable storage medium storing a computer program, where the computer program, when executed by a processor, implements the Ethereum network detection method of the foregoing embodiment 1, as follows:
collecting data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried by utilizing the characteristics of the node discovery protocol and the results are aggregated and deduplicated, obtaining node acquaintance relationships from the node databases that have not been analyzed before;
analyzing the behavior of the nodes in the Ethereum network according to the node acquaintance relationships and the node metadata.
The computer readable storage medium of the present embodiment may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In summary, the application acquires more complete and comprehensive data to analyze the network state by acquiring all node records stored in the local database of the nodes of the whole network, classifies and summarizes the discovered nodes, divides the nodes into active nodes, key nodes, routing nodes and malicious nodes, analyzes the influence of the active nodes, the key nodes, the routing nodes and the malicious nodes on the network, and analyzes the malicious behavior patterns of the forged nodes.
The above-mentioned embodiments are only preferred embodiments of the present application, but the protection scope of the present application is not limited thereto. Any equivalent substitution or modification that a person skilled in the art makes according to the technical solution and the inventive concept of the present application, within the scope disclosed in the present application patent, falls within the protection scope of the present application.

Claims (7)

1. An Ethereum network detection method based on simulation technology, characterized by comprising the following steps:
collecting data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried by utilizing the characteristics of the node discovery protocol and the results are aggregated and deduplicated, obtaining node acquaintance relationships from the node databases that have not been analyzed before;
analyzing the behavior of the nodes in the Ethereum network according to the node acquaintance relationships and the node metadata, including:
storing all node acquaintance relationships and node metadata in a local database, and dividing the data in the local database into tables;
dividing the nodes in the tables into four categories, namely active nodes, key nodes, routing nodes and malicious nodes;
counting the number of nodes of each class in the tables;
analyzing the behavior of the nodes in the Ethereum network according to the statistical result;
the active node is a node which is currently in the network and normally runs a blockchain protocol, and is an indispensable factor for blockchain operation;
the key node is an active node that meets all of the following conditions: a) it can run the latest version of the client; b) its number of peer nodes exceeds a first set threshold; c) its number of acquaintance nodes exceeds a second set threshold;
the routing node is a special node that does not run any application layer protocol and only forwards node records;
the malicious node does not run any blockchain protocol and has no acquaintance relationship with other nodes, but broadcasts forged node records or forged node identities so that active nodes connect to the special node.
2. The Ethereum network detection method as claimed in claim 1, wherein the divided tables include an active node table and an acquaintance relation table;
analyzing the behavior of the nodes in the Ethereum network according to the statistical result includes:
calculating the proportion of active nodes in the network according to the statistical result;
traversing the acquaintance relation table, finding all active nodes, and analyzing the key nodes in the active node table and their influence factors by adopting the PageRank algorithm; and analyzing the malicious nodes, including the principle of the forgery and its influence on the network.
3. The Ethereum network detection method of claim 1, wherein said node metadata comprises a node record sequence number, a client version and development language, an operating system type, and supported application layer protocols, wherein:
obtaining the node record sequence number data comprises:
the starting node simulates sending an ENR Request Packet to a remote node, and parses the node record sequence number data from the received ENR Response Packet;
obtaining the remaining metadata comprises:
after the starting node and the remote node complete the ECIES handshake of the RLPx protocol, the two parties carry out a protocol handshake, and the client version, development language, operating system type and supported application layer protocols are obtained from the other party's handshake packet in the protocol handshake stage; according to analysis of the Ethereum client source code, when the remote node returns the error message "too many peers", the node is regarded as being connected with more than 50 nodes and is treated as an active node.
4. The Ethereum network detection method of any one of claims 1 to 3, wherein the data is collected by a detector, and collecting data includes simulated node initialization and recursive query, wherein:
the simulated node initialization includes:
in an initial state, creating a starting node based on simulation technology and designating a series of seed nodes for it, the starting node then searching recursively from the seed nodes until no new node appears, at which point the search of the whole Ethereum network is complete;
the recursive query is a query procedure applied to each node, comprising:
sending UDP packets to obtain all nodes that the node is acquainted with over the node discovery protocol, establishing TCP connections with the nodes, and obtaining their corresponding metadata by simulating the handshake process of the RLPx protocol, thereby obtaining the data to be collected.
5. An Ethereum network detection device based on simulation technology, characterized in that the device includes:
a data acquisition module, used for acquiring data, wherein the data comprises node acquaintance relationships and node metadata; after the starting node is established, peer nodes are repeatedly queried by utilizing the characteristics of the node discovery protocol and the results are aggregated and deduplicated, obtaining node acquaintance relationships from the node databases that have not been analyzed before;
a behavior analysis module, used for analyzing the behavior of the nodes in the Ethereum network according to the node acquaintance relationships and the node metadata, which comprises the following steps:
storing all node acquaintance relationships and node metadata in a local database, and dividing the data in the local database into tables;
dividing the nodes in the tables into four categories, namely active nodes, key nodes, routing nodes and malicious nodes;
counting the number of nodes of each class in the tables;
analyzing the behavior of the nodes in the Ethereum network according to the statistical result;
the active node is a node which is currently in the network and normally runs a blockchain protocol, and is an indispensable factor for blockchain operation;
the key node is an active node that meets all of the following conditions: a) it can run the latest version of the client; b) its number of peer nodes exceeds a first set threshold; c) its number of acquaintance nodes exceeds a second set threshold;
the routing node is a special node that does not run any application layer protocol and only forwards node records;
the malicious node does not run any blockchain protocol and has no acquaintance relationship with other nodes, but broadcasts forged node records or forged node identities so that active nodes connect to the special node.
6. A computer device comprising a processor and a memory for storing a program executable by the processor, wherein the processor, when executing the program stored in the memory, implements the Ethereum network detection method of any one of claims 1-4.
7. A storage medium storing a program which, when executed by a processor, implements the Ethereum network detection method of any one of claims 1-4.
CN202210512262.0A 2022-05-12 2022-05-12 Ethernet network detection method, device, equipment and medium based on simulation technology Active CN115208767B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210512262.0A CN115208767B (en) 2022-05-12 2022-05-12 Ethernet network detection method, device, equipment and medium based on simulation technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210512262.0A CN115208767B (en) 2022-05-12 2022-05-12 Ethernet network detection method, device, equipment and medium based on simulation technology

Publications (2)

Publication Number Publication Date
CN115208767A CN115208767A (en) 2022-10-18
CN115208767B true CN115208767B (en) 2023-10-27

Family

ID=83574343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210512262.0A Active CN115208767B (en) 2022-05-12 2022-05-12 Ethernet network detection method, device, equipment and medium based on simulation technology

Country Status (1)

Country Link
CN (1) CN115208767B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant