WO2022127342A1 - Method and device for detecting eclipse attack for blockchain - Google Patents


Publication number
WO2022127342A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2021/124772
Inventor
刘杨
常庆安
彭木根
关建峰
陈宇杰
李辉忠
张开翔
范瑞彬
李成博
Original Assignee
深圳前海微众银行股份有限公司
北京邮电大学
Application filed by 深圳前海微众银行股份有限公司, 北京邮电大学

Classifications

    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G06F18/214: Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/24323: Tree-organised classifiers
    • G06N3/08: Learning methods
    • H04L63/1416: Event detection, e.g. attack signature detection
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the present invention relates to the field of financial technology (Fintech), and in particular, to a method and device for detecting an eclipse attack on a blockchain.
  • the eclipse attack is an attack method against the blockchain system.
  • the attacker restarts the victim node through the eclipse attack, clears the routing table in the victim node, and then controls a specific node (such as a malicious node) to
  • the victim node accesses information, so that all specific nodes exist in the routing table of the victim node, so that it can only receive the attacker's information and send feedback information to the attacker, so that the victim node cannot view the real
  • the information of the blockchain system will cause the victim node to split with the blockchain system, so that the attacker can use less than 51% of the computing power to launch a 51% attack on the blockchain system, creating a hidden danger to the security of the blockchain system.
  • a random forest algorithm is used to detect eclipse attacks.
  • the random forest algorithm is used to collect offline neighbor nodes determined by other normal nodes in their respective routing tables to construct a random decision forest, then collect multiple neighbor nodes (specific nodes) of the victim node determined in the routing table according to the random decision forest, and then detect the victim node.
  • eclipse attacks also include the eclipse attack that does not restart the victim node, that is, a restart-free eclipse attack.
  • the specific node is gradually inserted into the output node list of the victim node, so as to invade the victim node running smoothly, without storing the specific node in the routing table of the victim node.
  • the random forest algorithm can only detect the eclipse attack for victim nodes whose routing tables consist entirely of specific nodes, so the random forest algorithm cannot detect the restart-free eclipse attack; in addition, the random forest algorithm has to perform detection offline, so its real-time performance and proactiveness are low.
  • Embodiments of the present invention provide a method and device for detecting an eclipse attack on a blockchain, which are used to detect a restart-free eclipse attack and increase the real-time performance and proactiveness of eclipse attack detection.
  • an embodiment of the present invention provides a method for detecting an eclipse attack on a blockchain, including:
  • each output node of the first node at the detection time is determined; each second node is a node in the distributed routing table of the first node; each neighbor node is a node in the distributed routing table of the second node;
  • according to each of the first logical distances and each of the second logical distances of at least one historical moment, it is determined whether the first node is under an eclipse attack.
  • a preset number of neighbor nodes with the smallest logical distance between each neighbor node and the first node are determined as the output nodes of the first node at the detection time. Because the restart-free eclipse attack constructs neighbor nodes with a small logical distance from the first node, after the output nodes at the detection time are determined, the first logical distance between each output node and the first node is determined, and whether the first node is under an eclipse attack at the detection time is then determined according to the second logical distances at the historical moments and the first logical distances at the detection time. In this way, the real-time performance and proactiveness of restart-free eclipse attack detection at the detection time are increased, and the restart-free eclipse attack mode is detected.
  • determining whether the first node is under an eclipse attack according to the first logical distances and the second logical distances of at least one historical moment including:
  • the predicted logical distance at the detection moment is determined through a neural network model
  • according to each first logical distance and the predicted logical distance at the detection time, it is determined whether the first node is under an eclipse attack.
  • the neural network model is used to determine the predicted logical distance at the detection moment, which increases the real-time and proactive detection of the output nodes at the detection moment, thereby increasing the real-time and proactive detection of restart-free eclipse attacks.
  • determining whether the first node is under an eclipse attack according to the first logical distances and the predicted logical distances at the detection moment including:
  • if the first node has multiple consecutive abnormal moments, it is determined that the first node is under an eclipse attack.
  • determining whether the detection time is an abnormal time including:
  • each second error is determined based on each second logical distance of the historical moment and the predicted logical distance of the historical moment;
  • the detection time is an abnormal time.
  • the output node corresponding to any first logical distance is detected. If, at the detection moment, the first error corresponding to any output node is greater than the error threshold, the detection moment is determined to be an abnormal moment, which prevents attackers from gradually occupying the output node table of the first node and increases the accuracy of restart-free eclipse attack detection.
  • determining an error threshold according to each of the second errors and the first errors of the N historical moments including:
  • the error threshold is obtained from the second vector.
  • the error threshold is obtained according to formula (1), including:
  • is the error threshold; ⁇ (es ) is the average value of the second vector; ⁇ ( es ) is the standard deviation of the second vector; ⁇ ( es ) is the abnormality in the second vector ⁇ (es ) is the standard deviation of the outliers in the second vector;
  • is the modulus of the set of outliers in the second vector;
  • 2 is the In the two vectors, the square of the modulus of the set of consecutive outliers; the outliers are the values in the second vector whose historical moments are abnormal moments.
  • the neural network model is obtained by training according to the logical distance between each neighbor node and the first node reported at M historical moments.
  • an embodiment of the present invention provides an apparatus for detecting an eclipse attack on a blockchain, including:
  • a calculation module configured to determine each output node of the first node at the detection time based on each neighbor node reported by each second node at the detection time; each second node is a node in the distributed routing table of the first node; each neighbor node is a node in the distributed routing table of the second node;
  • a processing module configured to, for at least one historical moment before the detection moment, determine each second logical distance between each output node of the historical moment and the first node respectively;
  • according to each of the first logical distances and each of the second logical distances of at least one historical moment, it is determined whether the first node is under an eclipse attack.
  • processing module is specifically used for:
  • the predicted logical distance at the detection moment is determined through a neural network model
  • according to each first logical distance and the predicted logical distance at the detection time, it is determined whether the first node is under an eclipse attack.
  • processing module is specifically used for:
  • if the first node has multiple consecutive abnormal moments, it is determined that the first node is under an eclipse attack.
  • processing module is specifically used for:
  • each second error is determined based on each second logical distance of the historical moment and the predicted logical distance of the historical moment;
  • the detection time is an abnormal time.
  • processing module is specifically used for:
  • the error threshold is obtained from the second vector.
  • the error threshold is obtained according to formula (1), including:
  • is the error threshold; ⁇ (es ) is the average value of the second vector; ⁇ ( es ) is the standard deviation of the second vector; ⁇ ( es ) is the abnormality in the second vector ⁇ (es ) is the standard deviation of the outliers in the second vector;
  • is the modulus of the set of outliers in the second vector;
  • 2 is the In the two vectors, the square of the modulus of the set of consecutive outliers; the outliers are the values in the second vector whose historical moments are abnormal moments.
  • the neural network model is obtained by training according to the logical distance between each neighbor node and the first node reported at M historical moments.
  • an embodiment of the present invention further provides a computing device, including:
  • the processor is configured to call the program instructions stored in the memory, and execute the above method for detecting an eclipse attack on a blockchain according to the obtained program.
  • an embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores computer-executable instructions, and the computer-executable instructions are used to cause a computer to execute the above-mentioned method for detecting an eclipse attack on a blockchain.
  • FIG. 1 is a schematic diagram of an attack detection method of a random forest algorithm provided by an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a system architecture provided by an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for detecting an eclipse attack on a blockchain provided by an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of an apparatus for detecting an eclipse attack on a blockchain according to an embodiment of the present invention.
  • the blockchain system is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm, etc., and the established physical network is based on a peer-to-peer (P2P) distributed network.
  • the underlying distributed network of Ethereum that is, the P2P network
  • KAD: Kademlia, a distributed hash table (DHT)
  • the XOR operation is the basis for measuring the logical distance between nodes.
  • the routing table of KAD is constructed from data called K buckets.
  • the K buckets record information such as node ID (Identity document, identity number), logical distance, etc.
  • the number of K buckets is not consistent.
  • the number of K buckets is 17, and each bucket stores 16 node IDs.
  • the routing table in the K bucket is obtained according to the node discovery mechanism.
  • There are various attack methods in the existing technology, such as the Sybil attack and the eclipse attack.
  • In Sybil and eclipse attacks, normal nodes are isolated from the blockchain system, so that a 51% attack can be achieved when the computing power is lower than 51%. For example, the TCP (Transmission Control Protocol) interface of the Ethereum node is defined by two tables, the output node table and the input node table, where the input node table is determined according to the nodes in the K bucket, a preset number (e.g., half) of the nodes in the output node table are selected from the input node table, and the rest of the nodes are determined through a node discovery mechanism.
  • the attacker builds a large number of malicious nodes through the Sybil attack, and continuously connects to the Ethereum node by controlling a botnet, that is, refreshes the two node tables, so that the addresses of the malicious nodes are stored in the two node tables.
  • DDoS Distributed Denial of Service
  • the Ethereum node is restarted, so that the output node table and the input node table of the Ethereum node contain only malicious nodes controlled by the attacker.
  • FIG. 1 exemplarily shows a schematic diagram of an attack detection method of the random forest algorithm.
  • the random forest algorithm collects normal data packets in the normal nodes of Ethereum as a data packet training set, wherein the normal data packets include multiple neighbor nodes, and the data packets are obtained according to the node discovery mechanism. For example, node A randomly generates target node B and calculates the logical distance l_AB between node A and target node B. Node A finds node C in its own K bucket.
  • node A sends a find-node request to node C (a request for querying a node with a logical distance from target node B), where the find-node request includes the target node
  • node C determines a preset number (such as 16) of nodes such as node D according to the ID of target node B. It should be noted that multiple nodes such as node D are in the K bucket of node C, and the logical distance between them and the ID of the target node B is the smallest.
  • the feature vector is extracted from the training set of the data packet of the normal node, and then the random forest model is trained according to the training set including the feature vector and the label, and the label is added to the random forest model.
  • the random forest model runs the attack script, and continuously sends find-node requests to the victim node to collect the attack data packets returned by the victim node that contain malicious nodes, and then extracts the feature vector of the attack data packets, through
  • the random forest model makes predictions, and the results predicted by the random forest model are regarded as the predicted labels of the detection.
  • the random forest algorithm is composed of a large number of decision trees, and the random forest algorithm can give relatively accurate detection results under the condition of low consumption of computing resources.
  • the implementation process of the random forest algorithm is as follows: 1. Use the bootstrap (resampling with replacement) method to randomly extract k training samples from the training set, thereby generating k classification trees. 2. Randomly select S variables from the nodes of the k classification trees, select representative variables, and then select the threshold for classification from multiple classification points. 3. Do not build the classification tree and keep it growing infinitely. Whenever a new training sample is input, the constructed decision tree forest will be split, and the final label will be obtained by voting on the classification tree.
  • the method of detecting eclipse attacks based on the random forest algorithm needs to collect a large number of data packets of normal nodes, build a random decision forest in advance, and then label and classify the data to be detected.
  • the victim node is considered to be attacked. Therefore, the method of detecting eclipse attacks based on the random forest algorithm cannot detect Ethereum nodes in real time.
  • if any packet is marked as an attack packet, an attack is considered to have occurred, so the false positive rate is high.
  • the method of detecting eclipse attacks based on the random forest algorithm is limited in the types of eclipse attack it covers: it can only detect restart-based eclipse attacks, that is, the low-resource-consumption eclipse attack mode that occupies the TCP links of the Ethereum node after the victim node restarts.
  • the victim node includes 25 TCP connection IDs, which are divided into an output node table including 8 output nodes and an input node table including 17 input nodes. Since the Ethereum network does not impose restrictions on input node links, the attacker can easily use the multiple Sybil nodes it has constructed to actively establish connections with the victim node and continuously send TCP inbound connection requests to the victim node until the input node table is completely occupied.
  • the output node table of the victim node is selected through two mechanisms. The first mechanism randomly selects the first node in each K bucket of the victim node through the Read Random Nodes function, that is, it selects randomly from the input node table. The other mechanism selects through the node discovery mechanism: after the victim node obtains the neighbor nodes through the discovery mechanism, it determines the 4 nodes closest to the victim node among the neighbor nodes as output nodes, and obtains the output node table.
  • the False Friend Attack eclipse attack can compromise a smoothly running victim node without requiring the victim node to reboot.
  • the first mechanism only needs to inject a Sybil node into the head of each K bucket of the victim node to ensure that the output node table of the Ethereum node has been invaded.
  • the victim node selects the nodes of the output node table, part of it depends on the first mechanism, such as randomly selecting 4 nodes in the input node table as output nodes through the Read Random Nodes function.
  • the attacker needs to place at least one Sybil node in each K bucket of the victim node, so that the Ethereum node sends a find-node request to the attacker. After receiving the find-node request from the victim node, the attacker returns a pre-made fake neighbors list, in which the nodes are Sybil nodes that are closer to the victim node. In this way, nodes at a short distance invade the output node table of the victim node.
  • the logical distance between nodes is calculated by an XOR operation on the node IDs. For example, the logical distances between the node whose node ID is 000111 and the nodes whose node IDs are 000110 and 000011 are calculated as: 000111 XOR 000110 = 000001 (decimal 1), and 000111 XOR 000011 = 000100 (decimal 4).
  • FIG. 2 exemplarily shows a system architecture to which the embodiments of the present invention are applicable, where the system architecture includes a first node 210 and a second node 220 .
  • the second node 220 is determined by the first node 210 in its own K bucket. Specifically, the first node 210 randomly generates a target node, calculates the logical distance between the first node 210 and the target node, and then determines the second node 220 in its own K bucket, where the logical distance between the first node 210 and the second node 220 is smaller than the logical distance between the first node 210 and the target node.
  • It should be noted that the number of second nodes 220 may be multiple or a preset number. For example, the first node 210 determines that 10 nodes in its own K bucket are closer than the logical distance between the first node 210 and the target node, and three of these nodes are randomly selected as the second nodes 220.
  • the first node 210 is configured to send a find-node request to the second node 220 , so that the second node 220 queries neighbor nodes and feeds back the neighbor nodes to the first node 210 .
  • the first node 210 determines an output node among the neighbor nodes, detects the output node, and then determines whether the detection time is an abnormal time.
  • FIG. 3 exemplarily shows a schematic flowchart of a method for detecting an eclipse attack on a blockchain provided by an embodiment of the present invention, and the process can be executed by an apparatus for detecting an eclipse attack on a blockchain.
  • the process specifically includes:
  • Step 310 Determine each output node of the first node at the detection time based on each neighbor node reported by each second node at the detection time.
  • each second node is a node in the distributed routing table of the first node
  • each neighbor node is a node in the distributed routing table of the second node.
  • the second node is determined by the first node in the distributed routing table of the first node according to the target node, and each neighbor node is determined by the second node in the distributed routing table of the second node according to the target node.
  • how the first node determines the output nodes is described in a specific example below.
  • the first node a randomly generates the target node b, where the randomly generated target node b includes the node ID of the target node b, and the node IDs of the first node a and the target node b are used to calculate the logical distance l_ab between the first node a and the target node b.
  • the first node a sends a find-node request to the second node c, where the find-node request includes the node ID of the target node b, so that the second node c determines 16 neighbor nodes d according to the node ID of the target node b. The neighbor nodes d are the 16 nodes in the distributed routing table of the second node c with the smallest logical distance to the target node b, and the second node c then feeds the neighbor nodes d back to the first node a.
  • After the first node a obtains the 16 neighbor nodes d, it calculates each logical distance l_ad between each neighbor node d and the first node a, and determines the 4 minimum values among the 16 logical distances l_ad; the neighbor nodes d corresponding to these minimum values are the output nodes of the first node at the detection time.
  • Step 320 Determine each first logical distance between each output node at the detection moment and the first node respectively.
  • the first logical distance between the output node and the first node is obtained according to the node ID of the output node.
  • Step 330 For at least one historical moment before the detection moment, determine each second logical distance between each output node of the historical moment and the first node respectively.
  • the first node determines the output node according to the second node, and further determines each second logical distance between the output node and the first node at the historical moment.
  • the historical moment is the moment before the detection moment
  • the second logical distance between the second node e and the first node in the historical moment is the second logical distance.
  • Step 340 Determine whether the first node is under an eclipse attack according to the first logical distances and the second logical distances of at least one historical moment.
  • the predicted logical distance at the detection time is determined according to the second logical distance at the historical time, and then it is determined whether the first node is under an eclipse attack.
  • the neural network model is used to determine the predicted logical distance at the detection moment, and then, according to each first logical distance and the predicted logical distance at the detection moment, it is determined whether the first node is under an eclipse attack.
  • the predicted logical distance at the detection moment may be determined according to each second logical distance at at least one historical moment, or the predicted logical distance at the detection moment may be determined according to the logical distance between each neighbor node and the first node at at least one historical moment.
  • the predicted logical distance is not limited herein, and the use of the second logical distance can increase the accuracy of determining the predicted logical distance at the detection moment.
  • the detection time is t
  • the output nodes at each detection time are 4, and the output nodes of the two historical moments (t-1 and t-2) before the detection time are used as the input samples of the neural network model, that is, the input samples X is where each feature in sample X (such as ) includes the second logical distance after preprocessing, and the preprocessing includes normalization processing, encoding processing, and the like.
  • the predicted logical distance at the detection moment is obtained according to the input sample X
  • the predicted logical distance at the detection time is used to determine whether the detection time is an abnormal time, and whether the first node is under an eclipse attack is determined according to the abnormal times.
  • the detection time is an abnormal time. If the first node has multiple consecutive abnormal times, it is determined that the first node is under an eclipse attack.
  • the first error is determined according to the first logical distance and the predicted logical distance at the detection moment; for any historical moment among the N historical moments, each second error is determined based on each second logical distance of the historical moment and the predicted logical distance of that historical moment; and the error threshold is determined according to each second error of the N historical moments and the first error. If the first error is greater than the error threshold, the detection moment is determined to be an abnormal moment.
  • at the detection time there are multiple first logical distances; each first logical distance is checked, and when the first error corresponding to any first logical distance is greater than the error threshold, the detection time is determined to be an abnormal time
  • the detection time can be determined as an abnormal time, and the specific number is not limited to determine the detection time as an abnormal time.
  • the error threshold is obtained by taking the second errors and the first errors of N historical moments as a vector. Specifically, the first vector is obtained according to each second error and the first error at N historical moments, the second vector is determined according to the first vector and the exponential moving weighted average algorithm, and finally the error threshold is obtained according to the second vector.
  • error threshold is obtained according to the following formula (1), including:
  • is the error threshold; ⁇ (es ) is the average value of the second vector; ⁇ ( es ) is the standard deviation of the second vector, ⁇ ( es ) is the average value of outliers in the second vector, ⁇ (e s ) is the standard deviation of the outliers in the second vector,
  • is the modulus of the set of outliers in the second vector,
  • 2 is the modulus of the set of consecutive outliers in the second vector
  • the square of , the outlier is the value of the historical moment in the second vector that is an abnormal moment.
  • formula (1) is an unsupervised threshold calculation method. In order to better explain how to determine the error threshold at the detection moment, the following will be described in a specific example in conjunction with Example 2.
  • the output nodes d1, d2, d3 and d4 are determined; for the output node d1, the first logical distance between the output node d1 and the first node is obtained, together with the predicted logical distance obtained above.
  • get the first error; obtain the first vector e according to the second errors (such as e(t-1) and e(t-2)) of the previous two (that is, N is 2) historical moments; then use the first vector e to obtain the second vector e_s through the exponential moving weighted average algorithm; then obtain the set of outliers according to the second vector e_s.
  • the second errors such as e(t-1) and e(t-2)
  • the error threshold s1 at the detection time t is determined by the above formula (1), and finally according to the first error
  • the magnitude of the error threshold s1 determines whether the detection time is an abnormal time. For example, if the first error is greater than the error threshold s1, the detection time is an abnormal time.
  • the detection of the output node is not limited, and the detection of each neighbor node fed back by the second node may also be performed, but the calculation amount in the detection process will be correspondingly increased.
  • the exponential moving weighted average algorithm is used to give different weights to the first vector e respectively, obtain a moving average according to different weights, and determine the second vector es based on the final moving average.
  • the neural network model is obtained by training according to the logical distance between each neighbor node and the first node reported at M historical moments.
  • Each neighbor node obtained by the first node at each historical moment is used as a training sample, and the neural network model is obtained by training according to the M training samples.
  • the neural network model can be trained by the Dropout method, so as to prevent the defects of overfitting and long training time of the neural network model during training.
  • Any logical distance mentioned in the present invention includes, but is not limited to, the distance feature after the logical distance obtained by the node ID is processed by normalization and one-hot encoding.
  • FIG. 4 exemplarily shows a schematic structural diagram of a blockchain eclipse attack detection device provided by an embodiment of the present invention; the device can execute the flow of the blockchain eclipse attack detection method.
  • the device specifically includes:
  • the calculation module 410 is configured to determine, based on each neighbor node reported by each second node at the detection time, each output node of the first node at the detection time; each second node is a node in the distributed routing table of the first node; each neighbor node is a node in the distributed routing table of the second node;
  • the processing module 420 is configured to, for at least one historical moment before the detection moment, determine each second logical distance between each output node of the historical moment and the first node respectively;
  • according to each of the first logical distances and each of the second logical distances of at least one historical moment, it is determined whether the first node is under an eclipse attack.
  • processing module 420 is specifically used for:
  • the predicted logical distance at the detection moment is determined through a neural network model
  • according to each first logical distance and the predicted logical distance at the detection time, it is determined whether the first node is under an eclipse attack.
  • processing module 420 is specifically used for:
  • the detection time is an abnormal time
  • if the first node has multiple consecutive abnormal moments, it is determined that the first node is under an eclipse attack.
  • processing module 420 is specifically used for:
  • each second error is determined based on each second logical distance of the historical moment and the predicted logical distance of the historical moment;
  • the detection time is an abnormal time.
  • processing module 420 is specifically used for:
  • the error threshold is obtained from the second vector.
  • the error threshold is obtained according to formula (1), including:
  • ∈ is the error threshold; μ(e_s) is the average value of the second vector; σ(e_s) is the standard deviation of the second vector; Δμ(e_s) is the average value of the outliers in the second vector; Δσ(e_s) is the standard deviation of the outliers in the second vector;
  • |e_a| is the modulus of the set of outliers in the second vector;
  • |E_seq|² is the square of the modulus of the set of consecutive outliers in the second vector; an outlier is a value in the second vector whose historical moment is an abnormal moment.
  • the neural network model is obtained by training according to the logical distance between each neighbor node and the first node reported at M historical moments.
  • an embodiment of the present invention also provides a computing device, including:
  • the processor is configured to call the program instructions stored in the memory, and execute the above method for detecting an eclipse attack on the blockchain according to the obtained program.
  • an embodiment of the present invention also provides a computer-readable storage medium, where the computer-readable storage medium stores computer-executable instructions, and the computer-executable instructions are used to cause a computer to execute the above-mentioned blockchain eclipse attack detection method.
  • the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions
  • the apparatus implements the functions specified in the flow or flows of the flowcharts and/or the block or blocks of the block diagrams.

Abstract

Disclosed are a method and device for detecting an eclipse attack for a blockchain. The method comprises: determining each output node of a first node at the detection moment on the basis of each neighbor node reported by each second node at the detection moment, each second node being a node in a distributed routing table of the first node, and each neighbor node being a node in a distributed routing table of the second node; and then determining each first logical distance between each output node at the detection moment and the first node; determining, for at least one historical moment earlier than the detection moment, each second logical distance between each output node at the historical moment and the first node; and determining, according to each first logical distance and each second logical distance at the at least one historical moment, whether the first node is subjected to an eclipse attack. In this way, the real-time performance and initiative of the non-restart type eclipse attack detection at the detection moment are improved, and the attack mode of the non-restart type eclipse attack is detected.

Description

Method and device for detecting an eclipse attack in a blockchain
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to the Chinese patent application filed with the China Patent Office on December 16, 2020, with application number 202011486985.5 and titled "A method and device for detecting an eclipse attack in a blockchain", the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
The present invention relates to the field of financial technology (Fintech), and in particular to a method and device for detecting an eclipse attack on a blockchain.
BACKGROUND
With the development of computer technology, more and more technologies (such as blockchain, cloud computing or big data) are applied in the financial field, and the traditional financial industry is gradually transforming into financial technology. Big data technology is no exception, but the security and real-time requirements of the financial and payment industries also place higher requirements on big data technology.
An eclipse attack is an attack on a blockchain system. Through the eclipse attack the attacker makes the victim node restart and clears the routing table of the victim node, and then controls specific nodes (such as malicious nodes) to access the victim node, so that the victim node's routing table contains only those specific nodes. The victim node can then only receive the attacker's information and sends its feedback to the attacker, so it cannot see the real information of the blockchain system. The victim node is thereby split from the blockchain system, which allows the attacker to launch a 51% attack on the blockchain system with less than 51% of the computing power, creating a security risk for the blockchain system.
In the prior art, in order to defend against restart-based eclipse attacks, eclipse attacks are detected with a random forest algorithm. Specifically, the random forest algorithm collects, offline, the neighbor nodes that other normal nodes determine in their respective routing tables to build a random decision forest, then, according to the random decision forest, collects the multiple neighbor nodes (specific nodes) determined in the victim node's routing table, and thereby detects the victim node.
However, there are several kinds of eclipse attack, including one that does not require the victim node to restart, that is, the restart-free eclipse attack. Specifically, by maintaining frequent data communication with the victim node, specific nodes are gradually inserted into the victim node's output node list, thereby intruding on a victim node that is running stably, without the victim node's routing table having to store only specific nodes. The random forest algorithm, however, can only detect an eclipse attack on a victim node whose routing table consists entirely of specific nodes, so it cannot detect a restart-free eclipse attack; it also has to run offline, so its real-time performance and proactiveness are low.
Therefore, a method for detecting eclipse attacks is needed that detects restart-free eclipse attacks and makes eclipse attack detection more real-time and proactive.
SUMMARY OF THE INVENTION
Embodiments of the present invention provide a method and device for detecting an eclipse attack on a blockchain, which are used to detect restart-free eclipse attacks and to make eclipse attack detection more real-time and proactive.
In a first aspect, an embodiment of the present invention provides a method for detecting an eclipse attack on a blockchain, including:
determining, based on each neighbor node reported by each second node at the detection moment, each output node of the first node at the detection moment; each second node is a node in the distributed routing table of the first node; each neighbor node is a node in the distributed routing table of a second node;
determining each first logical distance between each output node at the detection moment and the first node;
for at least one historical moment before the detection moment, determining each second logical distance between each output node of the historical moment and the first node;
determining, according to each first logical distance and each second logical distance of the at least one historical moment, whether the first node is under an eclipse attack.
In the above technical solution, based on the logical distance between each neighbor node reported by each second node at the detection moment and the first node, a preset number of neighbor nodes with the smallest logical distance to the first node are determined as the output nodes of the first node at the detection moment. A restart-free eclipse attack constructs neighbor nodes with a small logical distance to the first node. Therefore, after the output nodes at the detection moment are determined, the first logical distance between each output node and the first node is determined, and whether the first node is under an eclipse attack at the detection moment is then determined from the second logical distances at the historical moments and the first logical distances at the detection moment. This makes detection of restart-free eclipse attacks at the detection moment more real-time and proactive, and targets the attack pattern of the restart-free eclipse attack.
Optionally, determining whether the first node is under an eclipse attack according to each first logical distance and each second logical distance of the at least one historical moment includes:
determining, according to each second logical distance of the at least one historical moment, the predicted logical distance at the detection moment through a neural network model;
determining, according to each first logical distance and the predicted logical distance at the detection moment, whether the first node is under an eclipse attack.
In the above technical solution, the predicted logical distance at the detection moment is determined through a neural network model according to each second logical distance of at least one historical moment. This makes detection of the output nodes at the detection moment more real-time and proactive, and thereby makes detection of restart-free eclipse attacks more real-time and proactive.
Optionally, determining whether the first node is under an eclipse attack according to each first logical distance and the predicted logical distance at the detection moment includes:
determining, according to each first logical distance and the predicted logical distance at the detection moment, whether the detection moment is an abnormal moment;
if the first node has multiple consecutive abnormal moments, determining that the first node is under an eclipse attack.
Optionally, determining whether the detection moment is an abnormal moment according to each first logical distance and the predicted logical distance at the detection moment includes:
for any one of the first logical distances, determining a first error according to the first logical distance and the predicted logical distance at the detection moment;
for any one of N historical moments, determining each second error based on each second logical distance of the historical moment and the predicted logical distance of the historical moment;
determining an error threshold according to each second error of the N historical moments and the first error;
if the first error is greater than the error threshold, determining that the detection moment is an abnormal moment.
In the above technical solution, the output node corresponding to any first logical distance is checked. If, at the detection moment, the first error corresponding to any output node is greater than the error threshold, the detection moment is determined to be an abnormal moment. This prevents an attacker from gradually occupying the output node table of the first node and increases the accuracy of restart-free eclipse attack detection.
Optionally, determining the error threshold according to each second error of the N historical moments and the first error includes:
obtaining a first vector according to each second error of the N historical moments and the first error;
determining a second vector according to the first vector and an exponential moving weighted average algorithm;
obtaining the error threshold according to the second vector.
Optionally, the error threshold is obtained according to formula (1), including:
Figure PCTCN2021124772-appb-000001
where ∈ is the error threshold; μ(e_s) is the average value of the second vector; σ(e_s) is the standard deviation of the second vector; Δμ(e_s) is the average value of the outliers in the second vector; Δσ(e_s) is the standard deviation of the outliers in the second vector; |e_a| is the modulus of the set of outliers in the second vector; |E_seq|² is the square of the modulus of the set of consecutive outliers in the second vector; an outlier is a value in the second vector whose historical moment is an abnormal moment.
Optionally, the neural network model is obtained by training according to the logical distance between each neighbor node and the first node reported at M historical moments.
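The detection flow summarized above (closest reported neighbors become output nodes, per-moment errors are smoothed, and several consecutive abnormal moments indicate an eclipse attack), as an added Python example that is not code from the patent. Assumptions: node IDs are constructed 16-bit values, a moving average of past distances stands in for the neural network predictor, and mean plus z standard deviations of the smoothed errors stands in for formula (1), which is not reproduced on this page; all function names and parameters are hypothetical.

```python
from statistics import fmean, pstdev

FIRST = 0x8000  # constructed 16-bit ID of the first (monitored) node


def logical_distance(a, b):
    """Kademlia-style log distance: bit length of the XOR of two node IDs."""
    return (a ^ b).bit_length()


def at_distance(d, k=0):
    """Constructed sample ID at log distance d from FIRST (requires k < 2**(d-1))."""
    return FIRST ^ ((1 << (d - 1)) | k)


def output_nodes(first, reports, count):
    """Pick the `count` reported neighbors closest to `first` by XOR distance.

    `reports` maps each second node to the neighbor IDs it reported.
    """
    candidates = {n for neighbors in reports.values() for n in neighbors if n != first}
    return sorted(candidates, key=lambda n: first ^ n)[:count]


def ewma(values, alpha):
    """Exponentially weighted moving average of an error vector."""
    smoothed = [values[0]]
    for v in values[1:]:
        smoothed.append(alpha * v + (1 - alpha) * smoothed[-1])
    return smoothed


def detect(first, timeline, count=3, window=3, n_hist=4, alpha=0.5, z=2.0, run=2):
    """Return (abnormal moments, eclipse suspected) for a list of per-moment reports."""
    dists = [[logical_distance(first, n) for n in output_nodes(first, r, count)]
             for r in timeline]
    errors, abnormal = {}, []
    for t in range(window, len(dists)):
        # Stand-in predictor (assumption): mean distance over the previous `window` moments.
        predicted = fmean([fmean(d) for d in dists[t - window:t]])
        # One error per moment: the worst deviation of any output node.
        errors[t] = max(abs(d - predicted) for d in dists[t])
        history = [errors[i] for i in range(t - n_hist, t) if i in errors]
        if len(history) < n_hist:
            continue  # not enough historical errors to judge this moment yet
        second = ewma(history + [errors[t]], alpha)  # first vector -> second vector
        # Stand-in threshold (assumption): mean + z * std of the smoothed errors.
        threshold = fmean(second) + z * pstdev(second)
        if errors[t] > threshold:
            abnormal.append(t)
    # An eclipse attack is suspected only after `run` consecutive abnormal moments.
    streak = longest = 0
    for i, t in enumerate(abnormal):
        streak = streak + 1 if i and abnormal[i - 1] == t - 1 else 1
        longest = max(longest, streak)
    return abnormal, longest >= run


# Constructed sample: two second nodes report their neighbors at every moment.
S1, S2 = at_distance(16, 1), at_distance(16, 2)
HONEST = {S1: [at_distance(13), at_distance(15)], S2: [at_distance(14), at_distance(16)]}
# Reports in which IDs unusually close to FIRST start to appear.
CRAFTED_1 = {S1: HONEST[S1] + [at_distance(4)], S2: HONEST[S2]}
CRAFTED_2 = {S1: HONEST[S1] + [at_distance(4), at_distance(3)], S2: HONEST[S2]}
TIMELINE = [HONEST] * 8 + [CRAFTED_1, CRAFTED_2]

if __name__ == "__main__":
    print(detect(FIRST, TIMELINE))
```

A single moment with one unusually close neighbor is flagged abnormal but does not by itself raise the eclipse verdict; only the run of consecutive abnormal moments does.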
In a second aspect, an embodiment of the present invention provides a device for detecting an eclipse attack on a blockchain, including:
a calculation module, configured to determine, based on each neighbor node reported by each second node at the detection moment, each output node of the first node at the detection moment; each second node is a node in the distributed routing table of the first node; each neighbor node is a node in the distributed routing table of a second node;
and to determine each first logical distance between each output node at the detection moment and the first node;
a processing module, configured to determine, for at least one historical moment before the detection moment, each second logical distance between each output node of the historical moment and the first node;
and to determine, according to each first logical distance and each second logical distance of the at least one historical moment, whether the first node is under an eclipse attack.
Optionally, the processing module is specifically configured to:
determine, according to each second logical distance of the at least one historical moment, the predicted logical distance at the detection moment through a neural network model;
determine, according to each first logical distance and the predicted logical distance at the detection moment, whether the first node is under an eclipse attack.
Optionally, the processing module is specifically configured to:
determine, according to each first logical distance and the predicted logical distance at the detection moment, whether the detection moment is an abnormal moment;
if the first node has multiple consecutive abnormal moments, determine that the first node is under an eclipse attack.
Optionally, the processing module is specifically configured to:
for any one of the first logical distances, determine a first error according to the first logical distance and the predicted logical distance at the detection moment;
for any one of N historical moments, determine each second error based on each second logical distance of the historical moment and the predicted logical distance of the historical moment;
determine an error threshold according to each second error of the N historical moments and the first error;
if the first error is greater than the error threshold, determine that the detection moment is an abnormal moment.
Optionally, the processing module is specifically configured to:
obtain a first vector according to each second error of the N historical moments and the first error;
determine a second vector according to the first vector and an exponential moving weighted average algorithm;
obtain the error threshold according to the second vector.
Optionally, the error threshold is obtained according to formula (1), including:
Figure PCTCN2021124772-appb-000002
where ∈ is the error threshold; μ(e_s) is the average value of the second vector; σ(e_s) is the standard deviation of the second vector; Δμ(e_s) is the average value of the outliers in the second vector; Δσ(e_s) is the standard deviation of the outliers in the second vector; |e_a| is the modulus of the set of outliers in the second vector; |E_seq|² is the square of the modulus of the set of consecutive outliers in the second vector; an outlier is a value in the second vector whose historical moment is an abnormal moment.
Optionally, the neural network model is obtained by training according to the logical distance between each neighbor node and the first node reported at M historical moments.
In a third aspect, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
a processor, configured to call the program instructions stored in the memory and execute the above method for detecting an eclipse attack on a blockchain according to the obtained program.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores computer-executable instructions, and the computer-executable instructions are used to cause a computer to execute the above method for detecting an eclipse attack on a blockchain.
DESCRIPTION OF DRAWINGS
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without any creative effort.
FIG. 1 is a schematic diagram of an attack detection method using a random forest algorithm provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a system architecture provided by an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for detecting an eclipse attack on a blockchain provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a device for detecting an eclipse attack on a blockchain provided by an embodiment of the present invention.
DETAILED DESCRIPTION
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the protection scope of the present invention.
A blockchain system is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms, and the physical network it is built on is a peer-to-peer (P2P) distributed network. Taking Ethereum as an example, the underlying distributed network of Ethereum, that is, the P2P network, uses the classic Kademlia (Kademlia Distributed Hash Table, distributed hash table) network, referred to as KAD, which is a distributed hash table technology that uses the XOR operation as the basis for measuring the logical distance between nodes. The routing table of KAD is constructed from data called K buckets. A K bucket records information such as node ID (Identity document, identity number) and logical distance. The number of K buckets is not the same across versions of the Ethereum client; for example, in Ethereum client version 1.8, the number of K buckets is 17, and each bucket stores 16 node IDs. The routing table in the K buckets is obtained according to the node discovery mechanism.
There are various attack methods in the prior art, such as the Sybil attack and the eclipse attack. Sybil attacks and eclipse attacks isolate normal nodes from the blockchain system so that a 51% attack can be carried out with less than 51% of the computing power. For example, the TCP (Transmission Control Protocol) interface of an Ethereum node is determined from two tables, the output node table and the input node table. The input node table is determined according to the nodes in the K buckets; a preset number (such as half) of the nodes in the output node table are selected from the input node table, and the remaining nodes are determined through the node discovery mechanism. The attacker builds a large number of malicious nodes through a Sybil attack and controls a botnet to connect to the Ethereum node continuously, which refreshes the two node tables so that both store the addresses of malicious nodes. The attacker then makes the Ethereum node restart through methods such as a DDoS (Distributed Denial of Service) attack, so that the output node table and the input node table of the Ethereum node store only malicious nodes controlled by the attacker.
In the prior art, a detection method based on the random forest algorithm has been proposed to detect that an Ethereum node has suffered an eclipse attack. FIG. 1 exemplarily shows a schematic diagram of an attack detection method based on the random forest algorithm. As shown in FIG. 1, the random forest algorithm collects normal data packets from normal Ethereum nodes as a packet training set. The normal data packets include multiple neighbor nodes, and the packets are obtained through the node discovery mechanism. For example, node A randomly generates a target node B and calculates the logical distance l_AB between node A and target node B. Node A then finds node C in its own K-buckets, where the logical distance l_AC between node A and node C is smaller than the logical distance l_AB. Node A then sends a find-node request to node C (a request to look up nodes by their logical distance to target node B); the find-node request includes the ID of target node B. Based on the ID of target node B, node C determines a preset number (for example, 16) of nodes, such as node D; these are the nodes in node C's K-buckets with the smallest logical distance to the ID of target node B.
Feature vectors are then extracted from the training set of normal-node data packets, a random forest model is trained on the training set comprising the feature vectors and labels, and the labels are added to the random forest model.
During testing, the random forest model runs an attack script that keeps sending find-node requests to the victim node in order to collect the attack data packets, containing malicious nodes, that the victim node returns. The feature vectors of the attack data packets are then extracted and passed to the random forest model for prediction, and the result predicted by the random forest model is taken as the predicted label of the detection.
It should be noted that the random forest algorithm is composed of a large number of decision trees and can give fairly accurate detection results while consuming few computing resources. In the testing process above, the random forest algorithm is implemented as follows: 1. The Bootstrap (front-end toolkit) method is used to randomly extract k training samples from the training set, generating k classification trees. 2. S variables are randomly selected from the nodes of the k classification trees, the representative variables are chosen, and the classification threshold is then selected from multiple classification points. 3. The classification trees are not pruned and are left to grow without limit; whenever a new training sample is input, it is split through the constructed forest of decision trees, and the final label is obtained by a vote of the classification trees.
As described above, the random-forest-based method for detecting eclipse attacks needs to collect a very large number of data packets from normal nodes, build the random decision forest in advance, and then classify the data to be examined by label; when an attack data packet from a malicious node is found, the victim node is considered to have been attacked. The random-forest-based method therefore cannot detect attacks on Ethereum nodes in real time. Moreover, an attack is considered to have occurred as soon as a single data packet is labeled as an attack packet, so the false positive rate is high.
In addition, the random-forest-based method covers only a limited range of eclipse attack types. It can only detect restart-based eclipse attacks, that is, the low-resource eclipse attack mode in which the TCP connections of the Ethereum node are taken over after the victim node restarts.
At present, however, there is a restart-free eclipse attack mode called False Friend Attack. This attack mode exploits the fact that the neighbor nodes of normal nodes in the Ethereum network disconnect over time: by constructing Sybil nodes that stay online for long periods, it takes over the output node table in the victim node's TCP interface during the node discovery process, without waiting for the Ethereum node to restart. The random-forest-based detection method cannot detect this restart-free eclipse attack.
To further describe the False Friend Attack eclipse attack mode, its implementation is set out in the specific example below.
Example 1
In version 1.8 of the Ethereum client, the victim node has 25 TCP connection IDs, divided into an output node table of 8 output nodes and an input node table of 17 input nodes. Because the Ethereum network places no restriction on inbound node links, the attacker can use the Sybil nodes it has built to keep sending TCP inbound connection requests to the victim node and actively establish connections with the victim node through the input node table until the table is fully occupied, thereby taking over the input node table. The output node table of the victim node is selected through two mechanisms. In the first mechanism, nodes are selected at random by the Read Random Nodes function from the first node of each K-bucket of the victim node, that is, selected at random from the input node table. The other mechanism is selection through node discovery: after the victim node obtains neighbor nodes through the discovery mechanism, it determines the 4 neighbor nodes closest to the victim node as output nodes, giving the output node table.
The False Friend Attack eclipse attack can compromise a victim node that is running stably, without making the victim node restart. The False Friend Attack model covers both mechanisms. For the first mechanism, it is only necessary to inject one Sybil node at the head of each K-bucket of the victim node to ensure that the output node table of the Ethereum node is taken over. When the victim node selects the nodes of its output node table, part of the selection depends on the first mechanism, for example, 4 nodes are randomly selected from the input node table as output nodes by the Read Random Nodes function.
For the other mechanism, the attacker needs to place at least one Sybil node in each K-bucket of the victim node, so that the Ethereum node sends find-node requests to the attacker. After receiving a find-node request from the victim node, the attacker returns a prefabricated list of fake Sybil nodes (the neighbors list), in which the nodes are Sybil nodes at a short distance from the victim node. In this way the attacker takes over the victim node's output node table by forging nodes at a short distance from the victim node.
It should be noted that the logical distance between nodes is computed from the node IDs with an XOR operation. For example, the logical distances between the node with ID 000111 and the nodes with IDs 000110 and 000011 are calculated as:
Figure PCTCN2021124772-appb-000003
(decimal 1) and
Figure PCTCN2021124772-appb-000004
(decimal 4).
Therefore, a method for detecting eclipse attacks is needed that can detect the restart-free eclipse attack mode and that makes the detection of restart-free eclipse attacks at the detection moment more real-time and more proactive.
FIG. 2 exemplarily shows a system architecture to which the embodiments of the present invention are applicable. The system architecture includes a first node 210 and a second node 220.
The second node 220 is determined by the first node 210 from its own K-buckets. Specifically, the first node 210 randomly generates a target node and calculates the logical distance between the first node 210 and the target node. It then determines, in its own K-buckets, a second node 220 such that the logical distance between the first node 210 and the second node 220 is smaller than the logical distance between the first node 210 and the target node. There may be multiple second nodes 220, or a preset number of them. For example, if the first node 210 finds 10 nodes in its own K-buckets whose logical distance to it is smaller than the logical distance between the first node 210 and the target node, 3 of them are randomly selected as second nodes 220.
The first node 210 is configured to send a find-node request to the second node 220, so that the second node 220 looks up neighbor nodes and returns them to the first node 210.
After obtaining the neighbor nodes, the first node 210 determines the output nodes among them and checks the output nodes, thereby determining whether the detection moment is an abnormal moment.
It should be noted that the structure shown in FIG. 2 is only an example, and the embodiments of the present invention are not limited to it.
Based on the above description, FIG. 3 exemplarily shows a schematic flowchart of a method for detecting blockchain eclipse attacks provided by an embodiment of the present invention. The flow can be executed by an apparatus for detecting blockchain eclipse attacks.
As shown in FIG. 3, the flow specifically includes:
Step 310: based on the neighbor nodes reported by each second node at the detection moment, determine the output nodes of the first node at the detection moment.
In the embodiment of the present invention, each second node is a node in the distributed routing table of the first node, and each neighbor node is a node in the distributed routing table of a second node.
Specifically, the second node is determined by the first node in the first node's distributed routing table according to the target node, and each neighbor node is determined by the second node in the second node's distributed routing table according to the target node. To better describe how the first node determines the output nodes, a specific example is given below.
Example 2
At the detection moment, the first node a randomly generates a target node b, which includes the node ID of target node b, and calculates the logical distance l_ab between the first node a and the target node b from their node IDs. The first node a then finds a second node c in its own distributed routing table, where the logical distance l_ac between the first node a and the second node c is smaller than the logical distance l_ab. After determining the second node c, the first node a sends it a find-node request that includes the node ID of target node b. The second node c uses the node ID of target node b to determine 16 neighbor nodes d, which are the 16 nodes in the second node c's distributed routing table with the smallest logical distance to target node b. The second node c then returns the neighbor nodes d to the first node a.
After obtaining the 16 neighbor nodes d, the first node a calculates the logical distance l_ad between each neighbor node d and the first node a and determines the 4 smallest values among the 16 logical distances l_ad. The neighbor nodes d corresponding to these smallest values are the output nodes of the first node at the detection moment.
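The XOR logical distance described earlier and the selection in Example 2, as an added example that is not code from the patent. The 6-bit IDs, both routing tables and the clustered reply are constructed values; the function names are hypothetical.

```python
def logical_distance(id_a: int, id_b: int) -> int:
    """Logical distance between two node IDs: their bitwise XOR read as an integer."""
    return id_a ^ id_b

def pick_second_nodes(first_id, routing_table, target_id):
    """Entries of the first node's table with l_ac < l_ab (closer to a than target b is)."""
    l_ab = logical_distance(first_id, target_id)
    return [c for c in routing_table if logical_distance(first_id, c) < l_ab]

def find_node(routing_table, target_id, k=16):
    """A second node's reply: the k entries of its table closest to the target ID."""
    return sorted(routing_table, key=lambda n: logical_distance(n, target_id))[:k]

def output_nodes(first_id, neighbours, count=4):
    """The `count` reported neighbours closest to the first node, as (id, distance)."""
    ranked = sorted(set(neighbours) - {first_id},
                    key=lambda n: logical_distance(first_id, n))
    return [(n, logical_distance(first_id, n)) for n in ranked[:count]]

# Constructed 6-bit IDs; real node IDs are far longer.
NODE_A = 0b000111            # first node a
TARGET_B = 0b101000          # randomly generated target b
TABLE_A = [0b000110, 0b000011, 0b010101, 0b111000, 0b100001]
TABLE_C = [33, 35, 36, 38, 39, 41, 42, 44, 45, 46, 47, 34, 52, 57, 12, 9, 20, 61]

# Constructed reply in which every reported ID sits next to NODE_A's own ID,
# the pattern the page attributes to a False Friend Attack neighbors list.
CLUSTERED_REPLY = [n for n in range(16) if n != NODE_A]

def first_logical_distances(reply):
    """First logical distances (step 320) for the output nodes chosen from a reply."""
    return [d for _, d in output_nodes(NODE_A, reply)]

if __name__ == "__main__":
    print("second-node candidates:", pick_second_nodes(NODE_A, TABLE_A, TARGET_B))
    reply = find_node(TABLE_C, TARGET_B)
    print("reply from table of c :", first_logical_distances(reply))
    print("clustered reply       :", first_logical_distances(CLUSTERED_REPLY))
```

The two replies give very different first logical distances, which is the signal the later steps compare against history.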
Step 320: determine the first logical distances between each output node at the detection moment and the first node.
In the embodiment of the present invention, when the first node determines an output node, the first logical distance between the output node and the first node is obtained from the node ID of the output node.
Step 330: for at least one historical moment before the detection moment, determine the second logical distances between each output node of the historical moment and the first node.
In the embodiment of the present invention, at a historical moment the first node determines the output nodes according to the second node, and then determines the second logical distances between the output nodes of the historical moment and the first node. For example, with reference to Example 2, the historical moment is the moment immediately before the detection moment, and the distance between the second node e of the historical moment and the first node is a second logical distance.
Step 340: determine whether the first node is under an eclipse attack according to the first logical distances and the second logical distances of at least one historical moment.
In the embodiment of the present invention, the predicted logical distance at the detection moment is determined from the second logical distances of the historical moments, and it is then determined whether the first node is under an eclipse attack.
Further, the predicted logical distance at the detection moment is determined by a neural network model from the second logical distances of at least one historical moment, and whether the first node is under an eclipse attack is then determined from the first logical distances and the predicted logical distance at the detection moment.
In the embodiment of the present invention, the predicted logical distance at the detection moment may be determined from the second logical distances of at least one historical moment, or from the logical distances between the neighbor nodes of at least one historical moment and the first node; no limitation is imposed here. Using the second logical distances can increase the accuracy with which the predicted logical distance at the detection moment is determined.
For example, the detection moment is t and there are 4 output nodes at each detection moment. The output nodes of the two historical moments before the detection moment (t-1 and t-2) are used as the input sample of the neural network model, that is, the input sample X is
Figure PCTCN2021124772-appb-000005
where each feature in sample X (such as
Figure PCTCN2021124772-appb-000006
) comprises a preprocessed second logical distance; preprocessing includes normalization, encoding and so on. The predicted logical distance at the detection moment,
Figure PCTCN2021124772-appb-000007
is then obtained from the input sample X. The predicted logical distance at the detection moment is used to determine whether the detection moment is an abnormal moment, and whether the first node is under an eclipse attack is determined from the abnormal moments.
Further, whether the detection moment is an abnormal moment is determined from the first logical distances and the predicted logical distance at the detection moment; if the first node has multiple consecutive abnormal moments, the first node is determined to be under an eclipse attack.
Specifically, for any first logical distance, a first error is determined from the first logical distance and the predicted logical distance at the detection moment. For any one of N historical moments, the second errors are determined from the second logical distances of that historical moment and the predicted logical distance of that historical moment. An error threshold is determined from the second errors of the N historical moments and the first error. If the first error is greater than the error threshold, the detection moment is determined to be an abnormal moment.
In the embodiment of the present invention, there are multiple first logical distances at the detection moment, and the determination is made for each of them; when the first error corresponding to any first logical distance is greater than the error threshold, the detection moment is determined to be an abnormal moment. It should be noted that, to reduce the false positive rate, the detection moment may instead be determined to be an abnormal moment only when the number of first errors greater than the error threshold exceeds a preset number; the specific number is not limited here.
The error threshold is obtained by treating the second errors of the N historical moments and the first error as one vector. Specifically, a first vector is obtained from the second errors of the N historical moments and the first error, a second vector is determined from the first vector by an exponential moving weighted average algorithm, and the error threshold is finally obtained from the second vector.
Further, the error threshold is obtained according to the following formula (1):
Figure PCTCN2021124772-appb-000008
where ε is the error threshold; μ(e_s) is the mean of the second vector; σ(e_s) is the standard deviation of the second vector; Δμ(e_s) is the mean of the outliers in the second vector; Δσ(e_s) is the standard deviation of the outliers in the second vector; |e_a| is the modulus of the set of outliers in the second vector; |E_seq|^2 is the square of the modulus of the set of consecutive outliers in the second vector; an outlier is a value in the second vector whose historical moment is an abnormal moment.
In the embodiment of the present invention, formula (1) is an unsupervised threshold calculation method. To better explain how the error threshold at the detection moment is determined, a specific example building on Example 2 is given below.
Example 3
At the detection moment, output nodes d1, d2, d3 and d4 are determined. For output node d1, the first logical distance between d1 and the first node is obtained, and from the predicted logical distance obtained above,
Figure PCTCN2021124772-appb-000009
the first error
Figure PCTCN2021124772-appb-000010
Figure PCTCN2021124772-appb-000011
is obtained. The first vector e is then obtained from the second errors of the two preceding historical moments (that is, N is 2), such as e(t-1) and e(t-2),
Figure PCTCN2021124772-appb-000012
The first vector e is then passed through the exponential moving weighted average algorithm to obtain the second vector e_s,
Figure PCTCN2021124772-appb-000013
The set of outliers is then obtained from the second vector e_s; for example, if the historical moment t-1 is an abnormal moment, the set of outliers is
Figure PCTCN2021124772-appb-000014
Figure PCTCN2021124772-appb-000015
Then, from the second vector e_s and the set of outliers
Figure PCTCN2021124772-appb-000016
the error threshold s1 at detection moment t is determined by formula (1) above. Finally, whether the detection moment is an abnormal moment is determined by comparing the first error
Figure PCTCN2021124772-appb-000017
with the error threshold s1. For example, if the first error
Figure PCTCN2021124772-appb-000018
is greater than the error threshold s1, the detection moment is an abnormal moment.
Exemplarily, for the other output nodes at the detection moment, the same method is used to determine whether the first error
Figure PCTCN2021124772-appb-000019
is greater than the error threshold sn, where n is the number of output nodes.
It should be noted that the present invention is not limited to checking the output nodes; each neighbor node returned by the second node may also be checked, although this increases the amount of computation in the detection process accordingly.
The exponential moving weighted average algorithm assigns different weights to the elements of the first vector e, computes moving averages with these weights, and determines the second vector e_s on the basis of the final moving averages.
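The per-moment check of step 340 for one output node, as an added example that is not code from the patent. Formula (1) appears on this page only as an image reference, so the threshold below is a stand-in, μ(e_s) + z·σ(e_s) with a floor; `alpha`, `z`, `floor`, `min_run` and the sample series, including the predicted distances that stand in for the neural network's output, are assumptions.

```python
from statistics import fmean, pstdev

def ewma(errors, alpha=0.3):
    """First vector e -> second vector e_s (exponentially weighted moving average)."""
    smoothed = [errors[0]]
    for e in errors[1:]:
        smoothed.append(alpha * e + (1 - alpha) * smoothed[-1])
    return smoothed

def error_threshold(e_s, z=2.0, floor=0.05):
    """Stand-in for formula (1): mu(e_s) + z * sigma(e_s), never below `floor`."""
    return max(fmean(e_s) + z * pstdev(e_s), floor)

def abnormal_moments(observed, predicted, n_hist=8, alpha=0.3, z=2.0, floor=0.05):
    """Map each moment t >= n_hist to (first error, threshold, abnormal?)."""
    errors = [abs(o - p) for o, p in zip(observed, predicted)]
    flags = {}
    for t in range(n_hist, len(errors)):
        e = errors[t - n_hist:t + 1]      # N second errors followed by the first error
        eps = error_threshold(ewma(e, alpha), z, floor)
        flags[t] = (errors[t], eps, errors[t] > eps)
    return flags

def eclipse_alert(flags, min_run=3):
    """Moment at which `min_run` consecutive abnormal moments are reached, else None."""
    run = 0
    for t in sorted(flags):
        run = run + 1 if flags[t][2] else 0
        if run >= min_run:
            return t
    return None

# Constructed series: normalized first logical distance of output node d1 per moment.
# Moment 10 is an isolated jump; from moment 16 on the distance collapses and stays low.
OBSERVED = [0.51, 0.49, 0.50, 0.52, 0.48, 0.50, 0.51, 0.49, 0.50, 0.52,
            0.20, 0.49, 0.51, 0.50, 0.48, 0.51, 0.03, 0.02, 0.03, 0.02]
# Constructed stand-in for the neural network's predicted logical distance.
PREDICTED = [0.50] * len(OBSERVED)

if __name__ == "__main__":
    flags = abnormal_moments(OBSERVED, PREDICTED)
    for t, (err, eps, bad) in flags.items():
        print(f"t={t:2d} error={err:.2f} threshold={eps:.3f} abnormal={bad}")
    print("eclipse attack flagged at moment:", eclipse_alert(flags))
```

The isolated jump at moment 10 is marked abnormal but raises no alert; only the run starting at moment 16 does, which is the consecutive-abnormal-moments rule at work.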
In the embodiment of the present invention, the neural network model is trained on the logical distances between the first node and the neighbor nodes reported at M historical moments. For example, the neighbor nodes obtained by the first node at the M historical moments, from the moment immediately before the detection moment back to the M-th moment before it, are used as training samples, and the neural network model is obtained by training on the M training samples.
Further, the neural network model can be trained with the Dropout method to prevent overfitting and excessively long training times.
Any logical distance mentioned in the present invention includes, but is not limited to, a distance feature obtained by normalizing and one-hot encoding the logical distance computed from node IDs.
Based on the same technical concept, FIG. 4 exemplarily shows a schematic structural diagram of an apparatus for detecting blockchain eclipse attacks provided by an embodiment of the present invention. The apparatus can execute the flow of the method for detecting blockchain eclipse attacks.
As shown in FIG. 4, the apparatus specifically includes:
a calculation module 410, configured to determine, based on the neighbor nodes reported by each second node at the detection moment, the output nodes of the first node at the detection moment, where each second node is a node in the distributed routing table of the first node and each neighbor node is a node in the distributed routing table of a second node;
and to determine the first logical distances between each output node at the detection moment and the first node;
a processing module 420, configured to determine, for at least one historical moment before the detection moment, the second logical distances between each output node of the historical moment and the first node;
and to determine whether the first node is under an eclipse attack according to the first logical distances and the second logical distances of at least one historical moment.
Optionally, the processing module 420 is specifically configured to:
determine the predicted logical distance at the detection moment through a neural network model according to the second logical distances of the at least one historical moment;
determine whether the first node is under an eclipse attack according to the first logical distances and the predicted logical distance at the detection moment.
Optionally, the processing module 420 is specifically configured to:
determine whether the detection moment is an abnormal moment according to the first logical distances and the predicted logical distance at the detection moment;
if the first node has multiple consecutive abnormal moments, determine that the first node is under an eclipse attack.
Optionally, the processing module 420 is specifically configured to:
for any one of the first logical distances, determine a first error according to the first logical distance and the predicted logical distance at the detection moment;
for any one of N historical moments, determine the second errors based on the second logical distances of the historical moment and the predicted logical distance of the historical moment;
determine an error threshold according to the second errors of the N historical moments and the first error;
if the first error is greater than the error threshold, determine that the detection moment is an abnormal moment.
Optionally, the processing module 420 is specifically configured to:
obtain a first vector according to the second errors of the N historical moments and the first error;
determine a second vector according to the first vector and an exponential moving weighted average algorithm;
obtain the error threshold according to the second vector.
Optionally, the error threshold is obtained according to formula (1):
Figure PCTCN2021124772-appb-000020
where ε is the error threshold; μ(e_s) is the mean of the second vector; σ(e_s) is the standard deviation of the second vector; Δμ(e_s) is the mean of the outliers in the second vector; Δσ(e_s) is the standard deviation of the outliers in the second vector; |e_a| is the modulus of the set of outliers in the second vector; |E_seq|^2 is the square of the modulus of the set of consecutive outliers in the second vector; an outlier is a value in the second vector whose historical moment is an abnormal moment.
Optionally, the neural network model is trained on the logical distances between the first node and the neighbor nodes reported at M historical moments.
Based on the same technical concept, an embodiment of the present invention further provides a computing device, including:
a memory, configured to store program instructions;
a processor, configured to call the program instructions stored in the memory and execute the above method for detecting blockchain eclipse attacks according to the obtained program.
Based on the same technical concept, an embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions, where the computer-executable instructions are used to cause a computer to execute the above method for detecting blockchain eclipse attacks.
As will be appreciated by those skilled in the art, the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include these modifications and variations.

Claims (10)

  1. A method for detecting an eclipse attack on a blockchain, comprising:
    determining, based on the neighbor nodes reported by each second node at a detection moment, the output nodes of a first node at the detection moment; the second nodes are nodes in the distributed routing table of the first node; the neighbor nodes are nodes in the distributed routing table of a second node;
    determining the first logical distances between each output node at the detection moment and the first node;
    for at least one historical moment before the detection moment, determining the second logical distances between each output node at the historical moment and the first node;
    determining, according to the first logical distances and the second logical distances of the at least one historical moment, whether the first node is under an eclipse attack.
  2. The method of claim 1, wherein determining, according to the first logical distances and the second logical distances of the at least one historical moment, whether the first node is under an eclipse attack comprises:
    determining, through a neural network model and according to the second logical distances of the at least one historical moment, a predicted logical distance for the detection moment;
    determining, according to the first logical distances and the predicted logical distance for the detection moment, whether the first node is under an eclipse attack.
  3. The method of claim 2, wherein determining, according to the first logical distances and the predicted logical distance for the detection moment, whether the first node is under an eclipse attack comprises:
    determining, according to the first logical distances and the predicted logical distance for the detection moment, whether the detection moment is an abnormal moment;
    if the first node has multiple consecutive abnormal moments, determining that the first node is under an eclipse attack.
  4. The method of claim 3, wherein determining, according to the first logical distances and the predicted logical distance for the detection moment, whether the detection moment is an abnormal moment comprises:
    for any one of the first logical distances, determining a first error according to the first logical distance and the predicted logical distance for the detection moment;
    for any one of N historical moments, determining second errors based on the second logical distances of the historical moment and the predicted logical distance of the historical moment;
    determining an error threshold according to the second errors of the N historical moments and the first error;
    if the first error is greater than the error threshold, determining that the detection moment is an abnormal moment.
  5. The method of claim 4, wherein determining an error threshold according to the second errors of the N historical moments and the first error comprises:
    obtaining a first vector according to the second errors of the N historical moments and the first error;
    determining a second vector according to the first vector and an exponentially weighted moving average algorithm;
    obtaining the error threshold according to the second vector.
  6. The method of claim 5, wherein the error threshold is obtained according to formula (1):
    Figure PCTCN2021124772-appb-100001
    where ε is the error threshold; μ(e_s) is the mean of the second vector; σ(e_s) is the standard deviation of the second vector; Δμ(e_s) is the mean of the outliers in the second vector; Δσ(e_s) is the standard deviation of the outliers in the second vector; |e_a| is the modulus of the set of outliers in the second vector; |E_seq|² is the square of the modulus of the set of consecutive outliers in the second vector; an outlier is a value in the second vector whose historical moment is an abnormal moment.
  7. The method of claim 2, wherein the neural network model is trained on the logical distances between each neighbor node and the first node reported at M historical moments.
  8. An apparatus for detecting an eclipse attack on a blockchain, comprising:
    a calculation module, configured to determine, based on the neighbor nodes reported by each second node at a detection moment, the output nodes of a first node at the detection moment; the second nodes are nodes in the distributed routing table of the first node; the neighbor nodes are nodes in the distributed routing table of a second node;
    and to determine the first logical distances between each output node at the detection moment and the first node;
    a processing module, configured to, for at least one historical moment before the detection moment, determine the second logical distances between each output node at the historical moment and the first node;
    and to determine, according to the first logical distances and the second logical distances of the at least one historical moment, whether the first node is under an eclipse attack.
  9. A computing device, comprising:
    a memory, configured to store program instructions;
    a processor, configured to call the program instructions stored in the memory and, according to the obtained program, execute the method of any one of claims 1 to 7.
  10. A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions, the computer-executable instructions being used to cause a computer to execute the method of any one of claims 1 to 7.
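
Added example, not code from the patent or its applicants: the detection flow of claims 1 and 3 to 5 in Python. Assumptions: logical distance is a Kademlia-style XOR bit length, output nodes are the union of reported neighbors, a moving mean stands in for the neural network, and mean plus z standard deviations of the smoothed errors stands in for formula (1), which is not reproduced on this page; all node IDs and reports are constructed.

```python
from statistics import mean, pstdev

def logical_distance(a: int, b: int) -> int:
    # Assumption: Kademlia-style metric, the bit length of the XOR of two node IDs.
    return (a ^ b).bit_length()

def moment_distance(first_id: int, reports: dict) -> float:
    # reports maps each second node to the neighbor IDs it reported at one moment.
    # Assumption: the output nodes are the union of those neighbors.
    outputs = {n for nbrs in reports.values() for n in nbrs} - {first_id}
    return mean(logical_distance(first_id, n) for n in outputs)

def ewma(values, alpha=0.5):
    # Exponentially weighted moving average: turns the first vector into the second.
    smoothed, s = [], values[0]
    for v in values:
        s = alpha * v + (1 - alpha) * s
        smoothed.append(s)
    return smoothed

def detect(series, warm=8, k=4, n_hist=6, z=3.0, run=3):
    """Return (abnormal_moments, under_attack) for per-moment mean distances."""
    normal_d, normal_e, abnormal, streak, attack = [series[0]], [], [], 0, False
    for t in range(1, len(series)):
        # Stand-in predictor (the claims use a trained neural network):
        # mean distance over the last k moments judged normal.
        error = abs(series[t] - mean(normal_d[-k:]))
        if t >= warm:  # moments before `warm` only build the baseline
            second = ewma(normal_e[-n_hist:] + [error])
            # Stand-in threshold, not formula (1) of the patent.
            threshold = mean(second) + z * pstdev(second)
            if error > threshold:
                abnormal.append(t)
                streak += 1
                attack = attack or streak >= run  # consecutive abnormal moments
                continue  # abnormal moments stay out of the baseline (example's choice)
        streak = 0
        normal_d.append(series[t])
        normal_e.append(error)
    return abnormal, attack

# Constructed sample: 8-bit node IDs, first node 128, two second nodes (10 and 20).
FIRST = 128
EVEN = {10: [3, 64, 200], 20: [90, 3, 40]}
ODD = {10: [3, 64, 200], 20: [90, 3, 220]}
SHIFTED = {10: [129, 130, 200], 20: [131, 133, 3]}  # neighbors crowd around FIRST

def sample_series():
    benign = [moment_distance(FIRST, EVEN if t % 2 == 0 else ODD) for t in range(10)]
    return benign + [moment_distance(FIRST, SHIFTED)] * 3

if __name__ == "__main__":
    print(detect(sample_series()))
```

Because the threshold is built from a vector that already contains the current error, a perfectly flat error history makes any increase look abnormal; real deployments need baseline jitter or a tuned z.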
PCT/CN2021/124772 2020-12-16 2021-10-19 Method and device for detecting eclipse attack for blockchain WO2022127342A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011486985.5 2020-12-16
CN202011486985.5A CN112653682B (en) 2020-12-16 2020-12-16 Method and device for detecting block chain eclipse attack

Publications (1)

Publication Number Publication Date
WO2022127342A1 (en) 2022-06-23

Family

ID=75354318

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/124772 WO2022127342A1 (en) 2020-12-16 2021-10-19 Method and device for detecting eclipse attack for blockchain

Country Status (2)

Country Link
CN (1) CN112653682B (en)
WO (1) WO2022127342A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112653682B (en) * 2020-12-16 2022-12-27 深圳前海微众银行股份有限公司 Method and device for detecting block chain eclipse attack
CN114462589B (en) * 2021-09-28 2022-11-04 北京卫达信息技术有限公司 Normal behavior neural network model training method, system, device and storage medium
CN113783901B (en) * 2021-11-15 2022-02-08 湖南宸瀚信息科技有限责任公司 Multi-communication-node cooperative anti-attack network system based on block chain
CN114389859B (en) * 2021-12-24 2023-07-18 重庆邮电大学 Detection system and detection method for Ethernet node Sybil attack in block chain
CN114285640B (en) * 2021-12-24 2023-07-18 重庆邮电大学 System and method for detecting solar corrosion attack of Ethernet nodes in block chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965259A (en) * 2018-06-21 2018-12-07 佛山科学技术学院 A kind of discovery of block chain malicious node and partition method and device
CN110191116A (en) * 2019-05-24 2019-08-30 北京清红微谷技术开发有限责任公司 Malicious node partition method and system calculate power verifying terminal and P2P network
CN110730195A (en) * 2019-12-18 2020-01-24 腾讯科技(深圳)有限公司 Data processing method and device and computer readable storage medium
WO2020099924A1 (en) * 2018-11-08 2020-05-22 Iagon As Intelligent, decentralized and autonomous marketplace for distributed computing and storage
CN112653682A (en) * 2020-12-16 2021-04-13 深圳前海微众银行股份有限公司 Method and device for detecting block chain eclipse attack

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701771A (en) * 2013-11-26 2014-04-02 中国十七冶集团有限公司 Novel method for detecting Sybil attack in Internet of Things
CN104125572B (en) * 2014-07-17 2017-08-11 南京邮电大学 The Sybil attack detection methods cooperated based on node
CN106888205B (en) * 2017-01-04 2020-02-18 浙江大学 Non-invasive PLC anomaly detection method based on power consumption analysis
CN109033832B (en) * 2018-06-22 2021-02-09 深圳前海益链网络科技有限公司 Method for preventing transient bifurcation double-flower attack on block chain network
CN112671739B (en) * 2018-07-24 2023-04-18 中国计量大学 Node property identification method of distributed system
CN110493198A (en) * 2019-07-26 2019-11-22 北京工业大学 A method of it is attacked based on Sybil in PBFT algorithm defence block chain is improved

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CUI ZHONGJIE: "A Survey on the Attacks and Defense Technology of Blockchain Network Layer", JOURNAL OF INFORMATION SECURITY RESEARCH, vol. 6, no. 11, 1 November 2020 (2020-11-01), XP055942376 *

Also Published As

Publication number Publication date
CN112653682B (en) 2022-12-27
CN112653682A (en) 2021-04-13

Similar Documents

Publication Publication Date Title
WO2022127342A1 (en) Method and device for detecting eclipse attack for blockchain
Ramalingam et al. Fake profile detection techniques in large-scale online social networks: A comprehensive review
Derhab et al. Intrusion detection system for internet of things based on temporal convolution neural network and efficient feature engineering
Xing et al. Survey on botnet detection techniques: Classification, methods, and evaluation
Hosseinpour et al. An intrusion detection system for fog computing and IoT based logistic systems using a smart data approach
Procopiou et al. ForChaos: Real time application DDoS detection using forecasting and chaos theory in smart home IoT network
Ortet Lopes et al. Towards effective detection of recent DDoS attacks: A deep learning approach
Muhammad et al. Robust early stage botnet detection using machine learning
CN113364752A (en) Flow abnormity detection method, detection equipment and computer readable storage medium
Kumar et al. Sad-iot: Security analysis of ddos attacks in iot networks
US10726123B1 (en) Real-time detection and prevention of malicious activity
Laftah Al-Yaseen et al. Hybrid Modified K‐Means with C4. 5 for Intrusion Detection Systems in Multiagent Systems
Aversano et al. Effective anomaly detection using deep learning in IoT systems
Dat-Thinh et al. MidSiot: A multistage intrusion detection system for internet of things
US11463475B1 (en) Click-to-call fraud detection
US11930020B2 (en) Detection and mitigation of security threats to a domain name system for a communication network
Priyadarshini et al. SDN and application layer DDoS attacks detection in IoT devices by attention‐based Bi‐LSTM‐CNN
CN112364304B (en) Method and device for detecting solar erosion attack of block chain
Najafimehr et al. DDoS attacks and machine‐learning‐based detection methods: A survey and taxonomy
Li Detection of ddos attacks based on dense neural networks, autoencoders and pearson correlation coefficient
Gelenbe et al. G-networks can detect different types of cyberattacks
Dalal et al. Optimized LightGBM model for security and privacy issues in cyber‐physical systems
Almasri et al. A novel‐cascaded ANFIS‐based deep reinforcement learning for the detection of attack in cloud IoT‐based smart city applications
US20240161116A1 (en) Systems and methods for real-time identification of an anomaly of a block of a blockchain
Radjaa et al. Federated Deep Learning-based Intrusion Detection Approach for Enhancing Privacy in Fog-IoT Networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21905271

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 02/10/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21905271

Country of ref document: EP

Kind code of ref document: A1