
CADetector: Cross-family Anisotropic Contract Honeypot Detection Method

Cited by: 1
Abstract: Smart contracts are the foundation of the blockchain ecosystem. The most significant feature that distinguishes Ethereum from Bitcoin is its support for "smart contracts", and it is this feature that lets Ethereum carry upper-layer applications such as DeFi and NFT, so ensuring the security of smart contracts is essential. However, the smart contract honeypot (hereinafter "contract honeypot"), which has emerged in recent years, has significantly polluted the Ethereum ecosystem. Its large detection delay, long attack duration and many variant forms make it a new form of threat that differs from other attacks on Ethereum. To detect unknown contract honeypots accurately and in time, this paper first studies the contract honeypot mechanism and analyzes the deficiencies of existing detection methods. On this basis, the paper distills the attack model of contract honeypots and summarizes the complete attack process in eight steps: "build, compile, deliver, deploy, spread, induce, lock, and harvest". Focusing on the key technical differences between "induce" and "lock", the paper performs fine-grained gene feature mining on 10 known honeypot families and constructs a honeypot genealogy for the first time. Guided by the honeypot genealogy, the paper proposes a cross-family anisotropic contract honeypot detection method and implements CADetector, an automated detection tool that does not rely on machine learning. CADetector achieves precise detection of contract honeypots through detection range definition, dynamic path planning, and heuristics-based anisotropic feature matching. Comparative experiments were conducted on the benchmark dataset and the XGBoost dataset. The results show that CADetector achieves higher detection recall and precision (93.5%~100%), surpassing the two current state-of-the-art contract honeypot detection tools, HONEYBADGER and XGBoost, whose precision and recall are 87.3% and 91.2%, respectively. This highlights the important influence of the gene feature extraction method integrated in CADetector on contract honeypot detection. In addition, the paper conducted a 0day contract honeypot detection experiment on a self-crawled dataset (125988 unknown smart contracts on 2 million blocks) and newly discovered as many as 450 0day contract honeypots, which further quantifies the effectiveness and robustness of CADetector. Notably, the 0day contract honeypot detection experiment covers the 21 contract honeypot attack methods classified by the honeypot genealogy in this paper, 3 of which are new attack methods proposed here for the first time. Finally, the paper conducts an in-depth data analysis along four dimensions: the state of pollution on Ethereum, attack technology, the detection level, and enhanced implementation. It finds that contract honeypots are still showing a slow upward trend, and that the Hidden State Update technique has always been the technique attackers prefer, with the degree of preference continuing to increase. In this regard, the paper suggests that defenders keep track of the development trend of contract honeypots and of threat intelligence such as attacker-related Ethereum addresses and IP address sources, thereby supporting intelligence sharing and situational awareness in the blockchain security community.
Authors: JI Tian-Tian (冀甜甜); FANG Bin-Xing (方滨兴); CUI Xiang (崔翔); WANG Zhong-Ru (王忠儒); LIAO Peng (廖鹏); DU Chun-Lai (杜春来); SONG Shou-You (宋首友) (Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006; Chinese Academy of Cyberspace Studies, Beijing 100010; School of Information Science and Technology, North China University of Technology, Beijing 100144; Beijing DigApis Technology Co., Ltd, Beijing 100081; DigApis Information Security Technology (Jiangsu) Co., Ltd, Nantong 226014)
Source: Chinese Journal of Computers (《计算机学报》), 2022, Issue 4, pp. 877-895 (19 pages). Indexed in: EI, CAS, CSCD, PKU Core (北大核心).
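Funding: Supported by the Key-Area Research and Development Program of Guangdong Province (Grant No. 2019B010136003, 2019B010137004) and the National Key Research and Development Program of China (Grant No. 2019YFA0706404).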
Keywords: smart contract honeypot; anisotropy; attack mechanism; honeypot genealogy; honeypot portrait
