
CN111478912A - Block chain intrusion detection system and method - Google Patents

Block chain intrusion detection system and method

Info

Publication number: CN111478912A
Authority: CN (China)
Prior art keywords: data, module, node, storage module, analysis
Legal status: Pending
Application number: CN202010281630.6A
Other languages: Chinese (zh)
Inventor: 张连锋
Current Assignee: Xiamen Manwu Technology Co ltd
Original Assignee: Xiamen Manwu Technology Co ltd
Priority date: 2020-04-10
Filing date: 2020-04-10
Publication date: 2020-07-31
Application filed by Xiamen Manwu Technology Co ltd; priority to CN202010281630.6A; published as CN111478912A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a system and a method for detecting blockchain intrusion. The system comprises a node data acquisition module, a data storage module, a data analysis module and a data feedback module. The method comprises the following steps: each node is independently deployed with a honeypot system that is completely network-isolated from the node itself; the honeypot system starts its camouflage and simulates the RPC functions of each node's client; the honeypot system of each node collects the data generated by an attacker through the data acquisition module; all nodes upload the collected data to a log server in a unified manner; the data storage module matches the collected data against its stored rules and outputs unknown attack behaviors; the data analysis module performs behavior analysis on the data output by the data storage module and outputs an analysis result; the data feedback module uses that analysis result to refine the rule base of the data storage module and to output threat intelligence. The system and method enable intrusion monitoring across the global blockchain system.

Description

Block chain intrusion detection system and method
[ technical field ]
The present invention relates to the field of blockchain technologies, and in particular, to a system and a method for detecting blockchain intrusion.
[ background of the invention ]
Honeypot technology is essentially a technique for deceiving attackers: hosts, network services or information are set up as decoys to induce attackers to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attackers learned, and their intentions and motivations inferred. Defenders thereby gain a clear view of the security threats they face and can strengthen the protection of the actual system through technical and management means.
One advantage of a honeypot system is that the volume of data to be analyzed is greatly reduced. For a typical web site or server, attack traffic is usually swamped by legitimate traffic, whereas the data entering and leaving a honeypot is mostly attack traffic, so it is easy to browse the data and find the attacker's actual behavior. Honeypot programs have gathered a great deal of information since their inception in 1999. Some of the findings include: the attack rate has doubled over the past year; attackers are increasingly using automated point-and-click tools that target vulnerabilities (and such tools are easily updated when new vulnerabilities are discovered); and despite the publicity, few hackers employ new attack methods.
However, conventional honeypots also have corresponding disadvantages:
1. The data collection area is narrow: if nobody attacks the honeypots, they become useless. If an attacker identifies the user's system as a honeypot, it will avoid interacting with it and sneak into the user's organization without the honeypot being aware of it.
2. Risk to the user: honeypots may pose a risk to the user's network environment, and once compromised, they can be used to attack, overwhelm, or compromise other systems or organizations.
[ summary of the invention ]
The invention aims to overcome the defects of the prior art and adopts the following technical scheme:
A block chain intrusion detection system comprises a node data acquisition module, a data storage module, a data analysis module and a data feedback module, wherein
the node data acquisition module is responsible for collecting all data exchanged with the honeypots and uploading it to the data storage module on the log server;
the data storage module is responsible for classified storage of each node's data and, by matching against the rule base held in the storage module, outputs matched (hit) and unknown attack-behavior characteristic data;
the data analysis module analyzes and archives the data output by the data storage module, performs behavior analysis on unknown attacks, and outputs an analysis result;
the data feedback module is responsible for further refining the rule base of the data storage module using the analyzed data and for outputting threat intelligence.
A block chain intrusion detection method comprises the following steps:
s1: each node is independently deployed with a honeypot system that is completely network-isolated from the node itself;
s2: the honeypot system starts its camouflage and simulates the RPC functions of each node's client;
s3: the honeypot system of each node collects the data generated by an attacker through the data acquisition module;
s4: all nodes upload the collected data to a log server in a unified manner;
s5: the data storage module matches the collected data against its stored rules and outputs unknown attack behaviors;
s6: the data analysis module performs behavior analysis on the data output by the data storage module and outputs an analysis result;
s7: the data feedback module uses the analysis result of the data analysis module to refine the rule base of the data storage module and to output threat intelligence.
The invention has the following beneficial effects compared with the traditional honeypot scheme:
1. The honeypot system is independently deployed at each node, so a large amount of data left behind by attackers can be collected and the data collection surface is enlarged;
2. The honeypot system is completely network-isolated from the nodes and only simulates the nodes' RPC functions, so the security of the node system is not damaged if the honeypot is compromised by an attack.
The features and advantages of the present invention will be described in detail by embodiments in conjunction with the accompanying drawings.
[ description of the drawings ]
Fig. 1 is a flowchart of a method for detecting a blockchain intrusion according to the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood, however, that the description herein of specific embodiments is only intended to illustrate the invention and not to limit the scope of the invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
A block chain intrusion detection system comprises a node data acquisition module, a data storage module, a data analysis module and a data feedback module, wherein
the node data acquisition module is responsible for collecting all data exchanged with the honeypots and uploading it to the data storage module on the log server;
the data storage module is responsible for classified storage of each node's data and, by matching against the rule base held in the storage module, outputs matched (hit) and unknown attack-behavior characteristic data;
the data analysis module analyzes and archives the data output by the data storage module, performs behavior analysis on unknown attacks, and outputs an analysis result;
the data feedback module is responsible for further refining the rule base of the data storage module using the analyzed data and for outputting threat intelligence.
A block chain intrusion detection method comprises the following steps:
s1: each node is independently deployed with a honeypot system that is completely network-isolated from the node itself;
s2: the honeypot system starts its camouflage and simulates the RPC functions of each node's client;
s3: the honeypot system of each node collects the data generated by an attacker through the data acquisition module;
s4: all nodes upload the collected data to a log server in a unified manner;
s5: the data storage module matches the collected data against its stored rules and outputs unknown attack behaviors;
s6: the data analysis module performs behavior analysis on the data output by the data storage module and outputs an analysis result;
s7: the data feedback module uses the analysis result of the data analysis module to refine the rule base of the data storage module and to output threat intelligence.
Specifically, the honeypot is deployed at each node of a global block chain and simulates the RPC functions of that node. When an attacker attacks, the honeypot records the actual attack process through a series of flow rules in the data collection module, and the collected data is uploaded to the storage module of the log server for storage. By analyzing the collected data, the analysis module can capture the weapons, attack techniques, complete data structures and the like used by the attacker; the data organized by this analysis refines the rule base of the detection system and yields blockchain intrusion intelligence, so that intrusion monitoring of the global blockchain system is realized.
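As an added illustration (not code from the patent), the following Python sketches steps s4 to s7 over a constructed batch of honeypot RPC logs: the storage module matches each record's RPC method against a rule base, the analysis module relates each unknown method to the known rules the same source also triggered, and the feedback module promotes correlated methods into the rule base and emits the sources behind hits and promotions as threat intelligence. The log lines, method names, rule labels and the correlation heuristic are all assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed sample of the JSON lines each node's honeypot uploads to the
# log server (step s4). Method names imitate wallet/admin JSON-RPC calls;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"node": "node-01", "src": "198.51.100.7", "method": "personal_unlockAccount", "params": ["0x00", "123456"]}
{"node": "node-02", "src": "203.0.113.9", "method": "personal_unlockAccount", "params": ["0x00", "admin"]}
{"node": "node-02", "src": "203.0.113.9", "method": "eth_sendTransaction", "params": [{"to": "0x01"}]}
{"node": "node-03", "src": "198.51.100.7", "method": "admin_addPeer", "params": ["enode://x"]}
{"node": "node-03", "src": "192.0.2.44", "method": "debug_setHead", "params": ["0x1"]}
"""

# Initial rule base (constructed): RPC methods whose use against a decoy
# node already counts as an attack signature, mapped to a label.
RULE_BASE = {
    "personal_unlockAccount": "wallet-unlock-attempt",
    "eth_sendTransaction": "unauthorised-transfer",
}

def parse_log(text):
    """Log server ingest (s4): each JSON line becomes one record dict."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def storage_match(records, rule_base):
    """Storage module (s5): rule hits versus unknown behaviour, by RPC method."""
    hits = [r for r in records if r["method"] in rule_base]
    unknown = [r for r in records if r["method"] not in rule_base]
    return hits, unknown

def analyse(hits, unknown):
    """Analysis module (s6): per unknown method, which sources and nodes saw
    it and which known rules those same sources also triggered."""
    rules_hit_by_src = defaultdict(set)
    for r in hits:
        rules_hit_by_src[r["src"]].add(r["method"])
    result = {}
    for r in unknown:
        e = result.setdefault(r["method"], {"sources": set(), "nodes": set(), "correlated": set()})
        e["sources"].add(r["src"])
        e["nodes"].add(r["node"])
        e["correlated"] |= rules_hit_by_src.get(r["src"], set())
    return result

def feedback(analysis, hits, rule_base):
    """Feedback module (s7): promote an unknown method into the rule base when a
    source using it also hit a known rule; return (promotions, suspect sources)."""
    promoted = {}
    for method, e in analysis.items():
        if e["correlated"]:
            rule_base[method] = "correlated-with-" + "+".join(sorted(e["correlated"]))
            promoted[method] = rule_base[method]
    suspects = {r["src"] for r in hits}
    suspects |= {s for m, e in analysis.items() if m in promoted for s in e["sources"]}
    return promoted, sorted(suspects)

def run_pipeline(log_text, rule_base):
    """Steps s4 to s7 over one uploaded batch; uncorrelated methods stay pending."""
    records = parse_log(log_text)
    hits, unknown = storage_match(records, rule_base)
    analysis = analyse(hits, unknown)
    promoted, intel = feedback(analysis, hits, rule_base)
    pending = sorted(m for m in analysis if m not in promoted)
    return {"hits": len(hits), "promoted": promoted, "pending": pending, "intel": intel}
```

Running the same batch a second time against the updated rule base turns the promoted method into a hit, which is the feedback loop the patent describes; methods left pending are what an analyst would review by hand.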
The above detailed description of the embodiments of the present invention is provided as an example, and the present invention is not limited to the above described embodiments. It will be apparent to those skilled in the art that any equivalent modifications or substitutions can be made within the scope of the present invention, and thus, equivalent changes and modifications, improvements, etc. made without departing from the spirit and scope of the present invention should be included in the scope of the present invention.

Claims (2)

1. A blockchain intrusion detection system, comprising a node data acquisition module, a data storage module, a data analysis module and a data feedback module, wherein
the node data acquisition module is responsible for collecting all data exchanged with the honeypots and uploading it to the data storage module on the log server;
the data storage module is responsible for classified storage of each node's data and, by matching against the rule base held in the storage module, outputs matched (hit) and unknown attack-behavior characteristic data;
the data analysis module analyzes and archives the data output by the data storage module, performs behavior analysis on unknown attacks, and outputs an analysis result;
the data feedback module is responsible for further refining the rule base of the data storage module using the analyzed data and for outputting threat intelligence.
2. A method for detecting block chain intrusion, comprising the following steps:
s1: each node is independently deployed with a honeypot system that is completely network-isolated from the node itself;
s2: the honeypot system starts its camouflage and simulates the RPC functions of each node's client;
s3: the honeypot system of each node collects the data generated by an attacker through the data acquisition module;
s4: all nodes upload the collected data to a log server in a unified manner;
s5: the data storage module matches the collected data against its stored rules and outputs unknown attack behaviors;
s6: the data analysis module performs behavior analysis on the data output by the data storage module and outputs an analysis result;
s7: the data feedback module uses the analysis result of the data analysis module to refine the rule base of the data storage module and to output threat intelligence.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010281630.6A CN111478912A (en) 2020-04-10 2020-04-10 Block chain intrusion detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010281630.6A CN111478912A (en) 2020-04-10 2020-04-10 Block chain intrusion detection system and method

Publications (1)

Publication Number Publication Date
CN111478912A true CN111478912A (en) 2020-07-31

Family

ID=71752129

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010281630.6A Pending CN111478912A (en) 2020-04-10 2020-04-10 Block chain intrusion detection system and method

Country Status (1)

Country Link
CN (1) CN111478912A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense system based on honey nets
CN105488393A (en) * 2014-12-27 2016-04-13 哈尔滨安天科技股份有限公司 Database honey pot based attack behavior intention classification method and system
CN107770199A (en) * 2017-12-08 2018-03-06 东北大学 Industrial control protocol honeypot with self-learning function for the industrial internet, and application thereof
CN110324313A (en) * 2019-05-23 2019-10-11 平安科技(深圳)有限公司 Malicious user identification method based on a honeypot system, and related device
CN110650128A (en) * 2019-09-17 2020-01-03 西安电子科技大学 System and method for detecting digital currency stealing attacks on Ethereum

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵淦森 et al.: "A Survey of Smart Contract Security: Vulnerability Analysis", Journal of Guangzhou University (Natural Science Edition) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112039858A (en) * 2020-08-14 2020-12-04 深圳市迈科龙电子有限公司 Block chain service security reinforcement system and method
CN116931844A (en) * 2023-09-18 2023-10-24 北京云尚汇信息技术有限责任公司 Data storage method and device based on multi-block subchain in block chain
CN116931844B (en) * 2023-09-18 2024-02-23 北京云尚汇信息技术有限责任公司 Data storage method and device based on multi-block subchain in block chain

Similar Documents

Publication Publication Date Title
CN108259449B (en) Method and system for defending against APT (advanced persistent threat) attacks
CN113422771A (en) Threat early warning method and system
Chen et al. Intrusion detection
Sekar et al. Toward a framework for internet forensic analysis
KR102501372B1 (en) AI-based mysterious symptom intrusion detection and system
CN115134166B (en) Attack tracing method based on honey hole
Ren et al. Distributed agent-based real time network intrusion forensics system architecture design
CN111478912A (en) Block chain intrusion detection system and method
Jaiganesh et al. An efficient algorithm for network intrusion detection system
CN115987531A (en) Intranet safety protection system and method based on dynamic deception parallel network
Mathew et al. Real-time multistage attack awareness through enhanced intrusion alert clustering
Almutairi et al. Survey of high interaction honeypot tools: Merits and shortcomings
CN116827690A (en) DDoS attack and cloud WAF defense method based on distribution type
Paul et al. Honeypot based signature generation for defense against polymorphic worm attacks in networks
Xuanzhen et al. Application of passive DNS in cyber security
CN113132335A (en) Virtual transformation system and method, network security system and method
Mudgal et al. Spark-Based Network Security Honeypot System: Detailed Performance Analysis
Hunt et al. Achieving critical infrastructure protection through the interaction of computer security and network forensics
Bijalwan et al. Examining the Criminology using Network Forensic
Zhan et al. Adaptive detection method for Packet-In message injection attack in SDN
Fanfara et al. Autonomous hybrid honeypot as the future of distributed computer systems security
Ahmed et al. Characterizing strengths of snort-based IDPS
Pilli et al. A framework for network forensic analysis
Agrawal et al. Proposed multi-layers intrusion detection system (MLIDS) model
Bijalwan et al. An Anatomy for Recognizing Network Attack Intention

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200731)