
CN111683084A - Intelligent contract intrusion detection method and device, terminal equipment and storage medium - Google Patents


Info

Publication number
CN111683084A
Authority
CN
China
Prior art keywords
intelligent contract
attack
information
data
behavior
Prior art date
Legal status
Granted
Application number
CN202010506593.4A
Other languages
Chinese (zh)
Other versions
CN111683084B (en)
Inventor
田志宏
杜莎莎
苏申
曾标
林炼升
孙彦斌
崔翔
谭庆丰
Current Assignee
Guangzhou University
Original Assignee
Guangzhou University
Priority date
Filing date
Publication date
Events
    • Application filed by Guangzhou University
    • Priority to CN202010506593.4A
    • Publication of CN111683084A
    • Application granted
    • Publication of CN111683084B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 › H04L 63/14)
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms › G06F 21/55 Detecting local intrusion or implementing counter-measures › G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security (G PHYSICS › G06 › G06F › G06F 21/00 › G06F 21/50 › G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • H04L 63/1416 Event detection, e.g. attack signature detection (H › H04 › H04L › H04L 63/00 › H04L 63/14 › H04L 63/1408)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (H › H04 › H04L › H04L 63/00 › H04L 63/14 › H04L 63/1408)
    • H04L 63/1433 Vulnerability analysis (H › H04 › H04L › H04L 63/00 › H04L 63/14)
    • H04L 63/1441 Countermeasures against malicious traffic (H › H04 › H04L › H04L 63/00 › H04L 63/14)
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (H › H04 › H04L › H04L 63/00 › H04L 63/14 › H04L 63/1441)
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network (H › H04 › H04L › H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an intelligent contract intrusion detection method, an intelligent contract intrusion detection device, terminal equipment and a storage medium. The method comprises the following steps: collecting transaction data of the current blockchain transaction, where the transaction data comprises transaction source address information and characteristic instruction sequence calling information, and the characteristic instruction sequence calling information is behavior information about called instruction sequences, acquired by a probe program arranged in the intelligent contract to be protected while that contract runs; matching the transaction data against preset attack characteristic data, where the attack characteristic data is stored in a preset intelligent contract attack library and comprises malicious addresses and attack behavior information; and judging, according to the result of matching the transaction data against the preset attack characteristic data, whether an intrusion behavior exists, and if so, generating an intrusion detection warning. By implementing the embodiments of the invention, the security of the intelligent contract can be improved.

Description

Intelligent contract intrusion detection method and device, terminal equipment and storage medium
Technical Field
The invention relates to the technical field of blockchains, in particular to an intelligent contract intrusion detection method, an intelligent contract intrusion detection device, terminal equipment and a storage medium.
Background
Blockchain is a distributed ledger technology that uses cryptographic methods to ensure that the data recorded in the chain is public, transparent, secure and trustworthy. Its core characteristics are decentralization and a consensus mechanism, which establish a trust network in a complex network environment through a defined algorithm so that information can be exchanged securely between peers. From another perspective, blockchain technology is a decentralized, trustless, collectively maintained database technique, which is essentially an internet protocol. As a powerful technique, blockchains provide strong data integrity guarantees in untrusted networks.
An intelligent contract is code deployed on a blockchain that executes automatically when the conditions defined in the contract are met. Because blockchain data is immutable, intelligent contracts are likewise immutable, and no one can control the execution of contract code once it is deployed. Thus no one, including the contract creator, can write a contract or rule into an intelligent contract that violates the contract. The intelligent contract is an intermediary between an application program and the data stored in the blockchain: through the intelligent contract, data can be stored in the blockchain or the corresponding data can be queried from it. The intelligent contract also has an identity verification function: it can check the caller's credential, verify the caller's identity, and decide according to that identity whether to provide services to the caller.
Smart contracts, however, have a number of security issues, and Ethereum has been exposed to many devastating attacks on smart contracts. For example, attacks on Ethereum smart contracts are extensively documented: a reentrancy attack successfully stole Ether from a contract and eventually led to the hard fork that created Ethereum Classic (ETC). In the prior art, the source code of an intelligent contract is examined by existing intelligent contract vulnerability detection tools, which can find potential vulnerabilities present in the contract. However, most existing detection tools are designed to handle specific known vulnerabilities, and because attack behavior against intelligent contracts is unpredictable, vulnerabilities that arise during the actual operation of the contract cannot be found by analyzing the source code alone, so the security of the intelligent contract remains low.
Disclosure of Invention
The embodiment of the invention provides an intelligent contract intrusion detection method, an intelligent contract intrusion detection device, terminal equipment and a storage medium, and can improve the security of an intelligent contract.
An embodiment of the present invention provides an intelligent contract intrusion detection method, including: collecting transaction data of the current blockchain transaction; the transaction data comprises transaction source address information and characteristic instruction sequence calling information; the characteristic instruction sequence calling information is behavior information of calling instruction sequences, which is acquired by a probe program arranged in the intelligent contract to be protected when the intelligent contract to be protected runs;
matching the transaction data with preset attack characteristic data; the attack characteristic data is stored in a preset intelligent contract attack library and comprises malicious addresses and attack behavior information;
and judging whether intrusion behaviors exist or not according to the matching result of the transaction data and preset attack characteristic data, and if so, generating an intrusion detection warning.
Further, the method for constructing the intelligent contract attack library comprises the following steps:
constructing a honeypot intelligent contract for collecting attack characteristic data; wherein, a second probe program is arranged in the honeypot intelligent contract;
when the intelligent honeypot contract is attacked, recording address information of an attack source, and then taking the address information of the attack source as the malicious address information; acquiring behavior characteristic information of an instruction sequence when the intelligent honeypot contract is attacked through the second probe program, and then taking the behavior characteristic information as the attack behavior information;
and storing the malicious address information and the attack behavior information in a preset database to generate the intelligent contract attack library.
Further, if a malicious address consistent with the transaction source address, or attack behavior information consistent with the feature instruction sequence calling information, is matched in the intelligent contract attack library, it is judged that an intrusion behavior exists; otherwise, it is judged that no intrusion behavior exists.
Further, when an intrusion behavior is judged to exist, the execution state of the intelligent contract to be protected is rolled back.
On the basis of the above method item embodiments, the present invention correspondingly provides apparatus item embodiments;
an embodiment of the present invention provides an intelligent contract intrusion detection apparatus, including: the system comprises a data acquisition module, a data matching module and an intrusion analysis module;
the data acquisition module is used for acquiring transaction data during current blockchain transaction; the transaction data comprises transaction source address information and characteristic instruction sequence calling information; the characteristic instruction sequence calling information is behavior information of calling instruction sequences, which is acquired by a probe program arranged in the intelligent contract to be protected when the intelligent contract to be protected runs;
the data matching module is used for matching the transaction data with preset attack characteristic data; the attack characteristic data is stored in a preset intelligent contract attack library and comprises malicious addresses and attack behavior information;
and the intrusion analysis module is used for judging whether intrusion behaviors exist according to the matching result of the transaction data and the preset attack characteristic data, and if so, generating an intrusion detection warning.
Furthermore, the apparatus also comprises an intelligent contract attack library construction module;
the intelligent contract attack library construction module is used for constructing a honeypot intelligent contract for acquiring attack characteristic data; wherein a second probe program is arranged in the honeypot intelligent contract;
when the intelligent honeypot contract is attacked, recording address information of an attack source, and then taking the address information of the attack source as the malicious address information;
acquiring behavior characteristic information of an instruction sequence when the intelligent honeypot contract is attacked through the second probe program, and then taking the behavior characteristic information as the attack behavior information; and storing the malicious address information and the attack behavior information in a preset database to generate the intelligent contract attack library.
Further, the apparatus also comprises an execution state rollback module; the execution state rollback module is used for rolling back the execution state of the intelligent contract to be protected when an intrusion behavior is judged to exist.
On the basis of the embodiment of the method item of the invention, the embodiment of the terminal equipment item is correspondingly provided;
another embodiment of the present invention provides an intelligent contract intrusion detection terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor executes the computer program to implement the intelligent contract intrusion detection method according to any one of the method embodiments of the present invention.
The embodiment of the storage medium item is correspondingly provided on the basis of the embodiment of the method item;
another embodiment of the present invention provides a storage medium, where the storage medium includes a stored computer program, where, when the computer program runs, a device in which the storage medium is located is controlled to execute the intelligent contract intrusion detection method according to any one of the method embodiments of the present invention.
The embodiment of the invention has the following beneficial effects:
the embodiment of the invention provides an intelligent contract intrusion detection method, an intelligent contract intrusion detection device, terminal equipment and a storage medium, wherein a probe program is embedded into the intelligent contract to be protected, and characteristic instruction sequence calling information during the operation of the intelligent contract to be protected is acquired through the probe program; in addition, transaction source address information is collected, and then the transaction source address information and the characteristic instruction sequence calling information are matched against the malicious addresses and attack behavior information stored in the intelligent contract attack library; finally, intrusion behavior is judged according to the matching result. The method therefore differs from traditional intelligent contract vulnerability detection techniques, and the security of the intelligent contract is improved.
Drawings
Fig. 1 is a schematic flowchart of an intelligent contract intrusion detection method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of an intelligent contract intrusion detection apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a method according to an embodiment of the present invention, including:
step S101, collecting transaction data during current blockchain transaction; the transaction data comprises transaction source address information and characteristic instruction sequence calling information; the characteristic instruction sequence calling information is behavior information of calling instruction sequences, which is acquired by a probe program arranged in the intelligent contract to be protected when the intelligent contract to be protected runs;
step S102, matching the transaction data with preset attack characteristic data; the attack characteristic data is stored in a preset intelligent contract attack library and comprises malicious addresses and attack behavior information;
and S103, judging whether intrusion behaviors exist or not according to the matching result of the transaction data and preset attack characteristic data, and if so, generating an intrusion detection warning.
For step S101, a probe program is first placed into the intelligent contract to be protected in advance. When the blockchain generates a transaction, the intelligent contract to be protected runs; the transaction source address of the transaction that calls the intelligent contract is monitored in real time by watching the transaction pool and is collected. When a user initiates a transaction, the user's transaction address information is uploaded, so collection of the transaction source address can be realized through real-time inspection of the transaction pool. Meanwhile, the feature instruction sequence calling information during the operation of the intelligent contract to be protected is acquired through the probe program embedded in that contract. The characteristic instruction sequence refers to the behavior characteristic information of the instruction sequences called in the intelligent contract to be protected during the transaction; it comprises the type of instruction sequence called, the number of calls, and the like. For example, if the fallback function in the intelligent contract to be protected is called continuously in a loop during a certain transaction, the probe program records the fallback function and the characteristic that it was called continuously in a loop, and generates the characteristic instruction sequence calling information.
for step S102, firstly, the construction of the intelligent contract attack library is explained:
in a preferred embodiment, the method for constructing the intelligent contract attack library comprises the following steps:
constructing a honeypot intelligent contract for collecting attack characteristic data; wherein, a second probe program is arranged in the honeypot intelligent contract; when the intelligent honeypot contract is attacked, recording address information of an attack source, and then taking the address information of the attack source as the malicious address information; acquiring behavior characteristic information of an instruction sequence when the intelligent honeypot contract is attacked through the second probe program, and then taking the behavior characteristic information as the attack behavior information; and storing the malicious address information and the attack behavior information in a preset database to generate the intelligent contract attack library.
The specific meaning of the behavior characteristic information mentioned here is consistent with the characteristic instruction sequence calling information above: both refer to the behavior characteristic information of the instruction sequences called when the intelligent contract runs.
The honeypot intelligent contract is an intelligent contract mainly used for collecting attack source addresses and attack behavior characteristic information of various attack behaviors. The honeypot intelligent contract can be generated in two ways. The first is to set up an intelligent contract containing a vulnerability according to known vulnerabilities, and to place in it a probe that collects operation data, forming a honeypot contract. Such a contract is easily discovered by an attacker, and when the attacker invokes the honeypot contract to attack it, the attacker's attack behavior characteristics, malicious account address and similar information are recorded by reading the parameter states in the honeypot contract. By simulating known vulnerabilities, not only can known attack patterns be collected, but unknown means of attack may also be derived.
The second way is to simulate a contract with normal business logic to generate a honeypot intelligent contract: for intelligent contracts with business logic in normal use on the current chain, some open-source contracts are imitated and probes for collecting operation data are added without affecting the business logic, while the assets of the honeypot intelligent contract are set to 0 in order to avoid real loss. When an attacker invokes such a honeypot contract to attack it, the honeypot contract effectively defends the simulated open-source contract against the attack, and the possible attack behavior characteristics and the attacker's contract address (attack source address information) are recorded.
Behavior characteristic information and attack source address information are continuously acquired through the constructed honeypot intelligent contracts whenever an attacker carries out an attack; the attack source address information is stored as malicious address information and the behavior characteristic information as attack behavior information, yielding the intelligent contract attack library. As behavior characteristic information and address information for different attack modes are continuously accumulated and stored, the range of attack modes that can be detected widens, so the level of intrusion detection improves and the security of the intelligent contract increases. In the invention, once the honeypot intelligent contract is detected to have been called, it is considered to have been attacked.
In another embodiment, during construction of the intelligent contract attack library, malicious address information and behavior characteristic information related to intelligent contracts that has been published in the open-source community can also be collected.
As for step S103, in a preferred embodiment, whether an intrusion behavior exists is determined according to the result of matching the transaction data against the preset attack feature data, specifically: if a malicious address consistent with the transaction source address, or attack behavior information consistent with the characteristic instruction sequence calling information, is matched in the intelligent contract attack library, it is judged that an intrusion behavior exists; otherwise, it is judged that no intrusion behavior exists.
The collected information is compared with the known intelligent contract attack library so as to discover behavior that violates the security policy. The process may be simple (e.g., string matching to find a single entry or instruction) or complex (e.g., using regular expressions to represent a change in security state). Generally, an attack pattern may be represented by a sequence of instructions satisfying a certain characteristic (e.g., the characteristics of a reentrancy vulnerability are a transfer operation and a loop of fallback function calls) or by the overwriting or reading of some sensitive data. The method has the advantage that only the relevant data sets need to be collected, which reduces the system burden noticeably.
In a preferred embodiment, the method further comprises rolling back the execution state of the intelligent contract to be protected when the intrusion behavior is judged to exist.
When the intrusion behavior is found, the execution state of the intelligent contract to be protected is restored to the initial state, and loss is avoided.
The following describes a specific application of the above method in practice, taking an intelligent contract reentrancy vulnerability as an example:
In the context of this vulnerability, the withdraw function in a smart contract with a reentrancy vulnerability transfers Ether held by the contract to the calling address (similar to a bank withdrawal). An attacker writes an Attack intelligent contract (an intelligent contract capable of carrying out the attack behavior) and uses it to call the withdraw function of the SendBalance intelligent contract (an intelligent contract running in the blockchain system); the withdraw function calls the fallback function of the Attack contract, the attacker calls the withdraw function again inside the fallback function, and this loop continues until the gas is used up or the balance of the SendBalance intelligent contract is exhausted, so that the attacker can obtain a large amount of Ether through the vulnerability.
If the SendBalance smart contract is to avoid this risk, the smart contract intrusion detection technique disclosed herein may be used. The technique uses the intelligent contract attack library to match security problems present in transactions. It is assumed here that the current intelligent contract attack library already holds the attack behavior information of the reentrancy vulnerability, namely the withdraw function being called continuously in a loop, together with the malicious address 0x755cdba6AE4F479F71647928318b2a06c759833B.
In the first case, when an attacker attempts to invoke other intelligent contracts using this address, the intrusion detection system collects the transaction data of the current blockchain in real time; once a transaction calling a contract is found to be issued from the address 0x755cdba6AE4F479F71647928318b2a06c759833B, the contract is judged by pattern matching to be suspected of intrusion, an intrusion detection alarm is generated, and a detailed log is recorded.
In the second case, when an attacker tries to perform a reentrancy attack using another address, the probe in the intelligent contract to be protected records the feature instruction sequence; by reading the features recorded by the probe and applying the pattern matching policy, when the attack behavior information (feature instruction sequence calling information) of the reentrancy vulnerability is found to be present, the reentrancy vulnerability is judged to exist, the rollback condition is triggered immediately, and an intrusion detection warning is generated.
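The matching and rollback logic of steps S102 and S103, and the two reentrancy cases just described, as an added example (not the patent's own code): an attack library populated from a honeypot record, a detector that checks the transaction source address and the probe's call sequence against it, and a state rollback when either matches. The transactions, balances, the `CallEvent`-free trace format (a plain list of called function names) and the unknown addresses are constructed; the malicious address is the one given in the text above.

```python
"""Added example of the patent's pattern-matching intrusion detection.
All data is constructed; the trace format (a list of called function
names recorded by the probe) is an assumption, not the patent's format."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Transaction:
    source: str         # transaction source address from the transaction pool
    calls: List[str]    # feature instruction sequence calling info from the probe


@dataclass(frozen=True)
class AttackPattern:
    name: str
    sequence: Tuple[str, ...]   # contiguous call sequence characterising the attack
    min_repeats: int            # loop count above which it counts as an attack


class AttackLibrary:
    """Malicious addresses and attack behaviour patterns collected by honeypots."""

    def __init__(self) -> None:
        self.malicious_addresses: Set[str] = set()
        self.patterns: Dict[str, AttackPattern] = {}

    def record_honeypot_hit(self, attacker: str, pattern: AttackPattern) -> None:
        # Any call to a honeypot contract is treated as an attack: store the
        # source address and the behaviour its second probe observed.
        self.malicious_addresses.add(attacker.lower())   # hex addresses: case-insensitive
        self.patterns[pattern.name] = pattern


def count_repeats(calls: List[str], sequence: Tuple[str, ...]) -> int:
    """Count non-overlapping contiguous occurrences of `sequence` in the call list."""
    n, i, hits = len(sequence), 0, 0
    while i + n <= len(calls):
        if tuple(calls[i:i + n]) == sequence:
            hits += 1
            i += n
        else:
            i += 1
    return hits


def detect(library: AttackLibrary, tx: Transaction) -> List[str]:
    """Return matched attack indicators; an empty list means no intrusion."""
    reasons: List[str] = []
    if tx.source.lower() in library.malicious_addresses:
        reasons.append(f"source address {tx.source} is in the attack library")
    for p in library.patterns.values():
        repeats = count_repeats(tx.calls, p.sequence)
        if repeats >= p.min_repeats:
            reasons.append(f"behaviour matches {p.name} ({repeats} loop iterations)")
    return reasons


def process_transaction(library: AttackLibrary, tx: Transaction,
                        state: Dict[str, int]) -> Tuple[Dict[str, int], List[str]]:
    """Simulate execution, then roll back to the pre-transaction state on intrusion."""
    working = dict(state)
    # Constructed execution effect: each withdraw call moves one unit out.
    for fn in tx.calls:
        if fn == "withdraw" and working["contract_balance"] > 0:
            working["contract_balance"] -= 1
    reasons = detect(library, tx)
    return (dict(state) if reasons else working), reasons   # snapshot restored on alert


# Constructed attack library: one honeypot hit by a reentrancy attacker.
REENTRANCY = AttackPattern("reentrancy", ("withdraw", "fallback"), min_repeats=2)
LIBRARY = AttackLibrary()
LIBRARY.record_honeypot_hit("0x755cdba6AE4F479F71647928318b2a06c759833B", REENTRANCY)

# Constructed transactions: a normal withdrawal, a reentrancy loop from an
# unknown address (case 2), and a harmless call from the known address (case 1).
NORMAL_TX = Transaction("0x1111111111111111111111111111111111111111", ["withdraw"])
REENTRANT_TX = Transaction("0x2222222222222222222222222222222222222222",
                           ["withdraw", "fallback", "withdraw", "fallback",
                            "withdraw", "fallback", "withdraw"])
KNOWN_BAD_TX = Transaction("0x755CDBA6AE4F479F71647928318B2A06C759833B", ["deposit"])

if __name__ == "__main__":
    for tx in (NORMAL_TX, REENTRANT_TX, KNOWN_BAD_TX):
        final_state, alerts = process_transaction(LIBRARY, tx, {"contract_balance": 10})
        print(tx.source[:10], final_state, alerts or "no intrusion")
```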
On the basis of the method embodiment, the invention correspondingly provides an apparatus item embodiment;
as shown in fig. 2: another embodiment of the invention provides an intelligent contract intrusion detection device, which comprises a data acquisition module, a data matching module and an intrusion analysis module;
the data acquisition module is used for acquiring transaction data during current blockchain transaction; the transaction data comprises transaction source address information and characteristic instruction sequence calling information; the characteristic instruction sequence calling information is behavior information of calling instruction sequences, which is acquired by a probe program arranged in the intelligent contract to be protected when the intelligent contract to be protected runs;
the data matching module is used for matching the transaction data with preset attack characteristic data; the attack characteristic data is stored in a preset intelligent contract attack library and comprises malicious addresses and attack behavior information;
and the intrusion analysis module is used for judging whether intrusion behaviors exist according to the matching result of the transaction data and the preset attack characteristic data, and if so, generating an intrusion detection warning.
In a preferred embodiment, the system further comprises an intelligent contract attack library construction module;
the intelligent contract attack library construction module is used for constructing a honeypot intelligent contract for acquiring attack characteristic data; wherein a second probe program is arranged in the honeypot intelligent contract;
when the intelligent honeypot contract is attacked, recording address information of an attack source, and then taking the address information of the attack source as the malicious address information;
acquiring behavior characteristic information of an instruction sequence when the intelligent honeypot contract is attacked through the second probe program, and then taking the behavior characteristic information as the attack behavior information; and storing the malicious address information and the attack behavior information in a preset database to generate the intelligent contract attack library.
In a preferred embodiment, the system further comprises an execution state rollback module; and the execution state rollback module is used for rolling back the execution state of the intelligent contract to be protected when the intrusion behavior is judged to exist.
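The two detection cases described above (malicious source address, and a reentry feature instruction sequence recorded by the probe) and the honeypot path that feeds the attack library, as an added Python model that is not part of the patent; the malicious address is the one the description uses, while the protected-contract address, the other addresses, the probe traces and the behaviour signatures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# The address below is the example malicious address the description uses;
# every other address, trace and signature here is constructed sample data.
KNOWN_MALICIOUS = "0x755cdba6AE4F479F71647928318b2a06c759833B"


@dataclass
class AttackLibrary:
    """Preset intelligent contract attack library: malicious addresses plus
    attack behaviour signatures (feature instruction sequences)."""
    malicious_addresses: set
    behaviours: dict  # label -> tuple of feature instructions

    def add_honeypot_record(self, attacker: str, trace: tuple, label: str) -> None:
        """Second-probe path: when the honeypot contract is attacked, the attack
        source address and the recorded instruction sequence enter the library."""
        self.malicious_addresses.add(attacker.lower())
        self.behaviours[label] = tuple(trace)


@dataclass
class Transaction:
    source: str         # transaction source address
    contract: str       # intelligent contract to be protected
    probe_trace: tuple  # feature instructions recorded by the in-contract probe


@dataclass
class Alert:
    contract: str
    source: str
    reason: str
    rollback: bool  # claim 4: roll back the protected contract's execution state


def contains_sequence(trace: tuple, pattern: tuple) -> bool:
    """Contiguous-window match of a feature instruction sequence in a probe trace."""
    n = len(pattern)
    return n > 0 and any(tuple(trace[i:i + n]) == pattern
                         for i in range(len(trace) - n + 1))


def detect(tx: Transaction, lib: AttackLibrary) -> Optional[Alert]:
    """Cases 1 and 2 of the description: address match first, then behaviour match."""
    # Case 1: the source address is in the library. Compare case-insensitively,
    # since the checksummed and lowercase spellings of one address differ in case.
    if tx.source.lower() in lib.malicious_addresses:
        return Alert(tx.contract, tx.source, "malicious source address", True)
    # Case 2: the probe trace contains a recorded attack behaviour signature.
    for label, pattern in lib.behaviours.items():
        if contains_sequence(tx.probe_trace, pattern):
            return Alert(tx.contract, tx.source, "behaviour: " + label, True)
    return None


# Reentrancy signature: withdraw() is entered again directly after its external
# CALL, i.e. before the first invocation has stored the new balance and exited.
REENTRANCY = ("ENTER:withdraw", "CALL", "ENTER:withdraw")
LIBRARY = AttackLibrary({KNOWN_MALICIOUS.lower()}, {"reentrancy": REENTRANCY})


def run_samples() -> list:
    """Constructed transactions against the constructed contract 0xProtected: a
    known-bad sender, a reentrant trace from an unknown sender, and a benign pair
    of sequential withdrawals that each update state before calling out."""
    known_bad = Transaction(KNOWN_MALICIOUS, "0xProtected",
                            ("ENTER:deposit", "SSTORE", "EXIT:deposit"))
    reentrant = Transaction("0xUnknownAttacker", "0xProtected",
                            ("ENTER:withdraw", "CALL", "ENTER:withdraw", "CALL", "ENTER:withdraw"))
    benign = Transaction("0xUser", "0xProtected",
                         ("ENTER:withdraw", "SSTORE", "CALL", "EXIT:withdraw",
                          "ENTER:withdraw", "SSTORE", "CALL", "EXIT:withdraw"))
    return [detect(t, LIBRARY) for t in (known_bad, reentrant, benign)]
```

The benign trace shows why a contiguous match is used: two sequential withdrawals in one transaction contain every instruction of the reentrancy signature, but never in the re-entered order.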
It should be noted that the above-mentioned apparatus item embodiments correspond to the method item embodiments of the present invention, and can implement the intelligent contract intrusion detection method described in any of the above-mentioned method item embodiments of the present invention.
On the basis of the above method item embodiment of the invention, a terminal equipment item embodiment is correspondingly provided;
another embodiment of the present invention provides an intelligent contract intrusion detection terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor executes the computer program to implement the intelligent contract intrusion detection method according to any one of the method embodiments of the present invention.
On the basis of the above method item embodiments of the present invention, storage medium item embodiments are correspondingly provided;
another embodiment of the present invention provides a storage medium, where the storage medium includes a stored computer program, where, when the computer program runs, a device in which the storage medium is located is controlled to execute the intelligent contract intrusion detection method according to any one of the method embodiments of the present invention.
The terminal device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The intelligent contract intrusion detection terminal equipment can comprise, but is not limited to, a processor and a memory.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The processor is the control center of the intelligent contract intrusion detection device/terminal equipment, and connects the various parts of the whole intelligent contract intrusion detection terminal equipment through various interfaces and lines.
The memory can be used for storing the computer programs and/or modules, and the processor can realize various functions of the intelligent contract intrusion detection terminal equipment by running or executing the computer programs and/or modules stored in the memory and calling data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
If the module/unit integrated by the intelligent contract intrusion detection device/the terminal equipment is realized in the form of a software functional unit and is sold or used as an independent product, the module/unit can be stored in a storage medium, and the storage medium is a computer readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, etc.
It should be noted that the above-described device embodiments are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiment of the apparatus provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement it without inventive effort.
By implementing the embodiment of the invention, suspicious attack activity can be monitored in more detail, vulnerability detection during the running of the intelligent contract is realized, and the data and contract addresses of suspicious attack behaviors can be recorded in the intelligent contract attack library, overcoming the shortcoming of existing intrusion detection techniques that a novel attack cannot be responded to quickly. Only the data judged by the intrusion detection technique to be an attack is transmitted to the intelligent contract attack library for further matching verification. This reduces the false alarm rate; at the same time, the novel attack characteristics recorded in the intelligent contract attack library can be used by the intrusion detection system to improve its performance, thereby ensuring the safety of the intelligent contract.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (9)

1. An intelligent contract intrusion detection method, comprising:
collecting transaction data of the current blockchain transaction; the transaction data comprises transaction source address information and characteristic instruction sequence calling information; the characteristic instruction sequence calling information is behavior information of calling instruction sequences, which is acquired by a probe program arranged in the intelligent contract to be protected when the intelligent contract to be protected runs;
matching the transaction data with preset attack characteristic data; the attack characteristic data is stored in a preset intelligent contract attack base and comprises malicious addresses and attack behavior information;
and judging whether intrusion behaviors exist or not according to the matching result of the transaction data and preset attack characteristic data, and if so, generating an intrusion detection warning.
2. The intelligent contract intrusion detection method according to claim 1, wherein the construction method of the intelligent contract attack library comprises:
constructing a honeypot intelligent contract for collecting attack characteristic data; wherein, a second probe program is arranged in the honeypot intelligent contract;
when the intelligent honeypot contract is attacked, recording address information of an attack source, and then taking the address information of the attack source as the malicious address information; acquiring behavior characteristic information of an instruction sequence when the intelligent honeypot contract is attacked through the second probe program, and then taking the behavior characteristic information as the attack behavior information;
and storing the malicious address information and the attack behavior information in a preset database to generate the intelligent contract attack library.
3. The intelligent contract intrusion detection method according to claim 1, wherein whether an intrusion behavior exists is judged according to a matching result of the transaction data and preset attack characteristic data, and specifically:
matching a malicious address consistent with the transaction source address or matching attack behavior information consistent with the characteristic instruction sequence calling information in the intelligent contract attack library, and judging that an intrusion behavior exists;
otherwise, judging that no intrusion behavior exists.
4. The intelligent contract intrusion detection method according to claim 1, further comprising: and when judging that the intrusion behavior exists, rolling back the execution state of the intelligent contract to be protected.
5. An intelligent contract intrusion detection device is characterized by comprising a data acquisition module, a data matching module and an intrusion analysis module;
the data acquisition module is used for acquiring transaction data during current blockchain transaction; the transaction data comprises transaction source address information and characteristic instruction sequence calling information; the characteristic instruction sequence calling information is behavior information of calling instruction sequences, which is acquired by a probe program arranged in the intelligent contract to be protected when the intelligent contract to be protected runs;
the data matching module is used for matching the transaction data with preset attack characteristic data; the attack characteristic data is stored in a preset intelligent contract attack base and comprises malicious addresses and attack behavior information;
and the intrusion analysis module is used for judging whether intrusion behaviors exist according to the matching result of the transaction data and the preset attack characteristic data, and if so, generating an intrusion detection warning.
6. The intelligent contract intrusion detection device according to claim 5, further comprising an intelligent contract attack library construction module;
the intelligent contract attack library construction module is used for constructing a honeypot intelligent contract for acquiring attack characteristic data; wherein a second probe program is arranged in the honeypot intelligent contract;
when the intelligent honeypot contract is attacked, recording address information of an attack source, and then taking the address information of the attack source as the malicious address information;
acquiring behavior characteristic information of an instruction sequence when the intelligent honeypot contract is attacked through the second probe program, and then taking the behavior characteristic information as the attack behavior information; and storing the malicious address information and the attack behavior information in a preset database to generate the intelligent contract attack library.
7. The intelligent contract intrusion detection device of claim 5, further comprising an execution state rollback module; and the execution state rollback module is used for rolling back the execution state of the intelligent contract to be protected when the intrusion behavior is judged to exist.
8. An intelligent contract intrusion detection terminal device, comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the intelligent contract intrusion detection method according to any one of claims 1 to 4 when executing the computer program.
9. A storage medium comprising a stored computer program, wherein the computer program, when executed, controls a device on which the storage medium is located to perform the intelligent contract intrusion detection method according to any one of claims 1 to 4.
CN202010506593.4A 2020-06-05 2020-06-05 Intelligent contract intrusion detection method and device, terminal equipment and storage medium Active CN111683084B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010506593.4A CN111683084B (en) 2020-06-05 2020-06-05 Intelligent contract intrusion detection method and device, terminal equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111683084A true CN111683084A (en) 2020-09-18
CN111683084B CN111683084B (en) 2022-05-10

Family

ID=72453932

Country Status (1)

Country Link
CN (1) CN111683084B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788145A (en) * 2021-01-21 2021-05-11 Institute of Information Engineering, Chinese Academy of Sciences Cross-domain functional security anomaly detection and tracing method based on non-embedded probe
CN112861123A (en) * 2021-01-26 2021-05-28 Sun Yat-sen University Bitcoin malicious address identification method and device
CN115065562A (en) * 2022-08-17 2022-09-16 Hunan Hongpu Innovation Technology Development Co., Ltd. Blockchain-based injection determination method, device, equipment and storage medium
CN116132142A (en) * 2022-12-30 2023-05-16 China UnionPay Co., Ltd. Blockchain attack interception method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
CN107770198A (en) * 2017-12-07 2018-03-06 Beijing Fanrong Technology Co., Ltd. DNS anti-hijacking system and method based on blockchain
CN108521426A (en) * 2018-04-13 2018-09-11 China University of Petroleum (East China) Array honeypot cooperative control method based on blockchain
US20190050855A1 (en) * 2017-07-24 2019-02-14 William Martino Blockchain-based systems, methods, and apparatus for securing access to information stores
CN109800175A (en) * 2019-02-20 2019-05-24 Hohai University Ethereum smart contract reentrancy vulnerability detection method based on code instrumentation
CN110113328A (en) * 2019-04-28 2019-08-09 Wuhan University of Technology Software-defined opportunistic network DDoS defense method based on blockchain
CN110650128A (en) * 2019-09-17 2020-01-03 Xidian University System and method for detecting digital currency theft attacks on Ethereum
US20200014528A1 (en) * 2018-07-03 2020-01-09 International Business Machines Corporation Strengthening non-repudiation of blockchain transactions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhao Gansen et al.: "ContractGuard: An intrusion detection system for Ethereum blockchain smart contracts", Journal of Network and Information Security *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant