EtherClue:Digital investigation of attacks on Ethereum smart contracts

Programming errors in Ethereum smart contracts can result in catastrophic financial losses from stolen cryptocurrency.While vulnerability detectors can prevent vulnerable contracts from being deployed,this does not mean that such contracts will not be deployed.Once a vulnerable contract is instantiated on the blockchain and becomes the target of attacks,the identification of exploit transactions becomes indispensable in assessing whether it has been actually exploited and identifying which malicious or subverted accounts were involved.In this work,we study the problem of post-factum investigation of Ethereum attacks using Indicators of Compromise(IoC)specially crafted for use in the blockchain.IoC definitions need to capture the side-effects of successful exploitation in the context of the Ethereum blockchain.Therefore,we define a model for smart contract execution,comprising multiple abstraction levels that mirror the multiple views of code execution on a blockchain.Subsequently,we compare IoCs defined across the different levels in terms of their effectiveness and practicality through EtherClue,a prototype tool for investigating Ethereum security incidents.Our results illustrate that coarse-grained IoCs defined over blocks of transactions can detect exploit transactions with less computation.However,they are contract-specific and suffer from false negatives.On the other hand,fine-grained IoCs defined over virtual machine instructions can avoid these pitfalls at the expense of increased computation,which is nevertheless applicable for practical use.

TriCTI:an actionable cyber threat intelligence discovery system via trigger-enhanced neural network

The cybersecurity report provides unstructured actionable cyber threat intelligence(CTI)with detailed threat attack procedures and indicators of compromise(IOCs),e.g.,malware hash or URL(uniform resource locator)of command and control server.The actionable CTI,integrated into intrusion detection systems,can not only prioritize the most urgent threats based on the campaign stages of attack vectors(i.e.,IOCs)but also take appropriate mitigation measures based on contextual information of the alerts.However,the dramatic growth in the number of cybersecurity reports makes it nearly impossible for security professionals to find an efficient way to use these massive amounts of threat intelligence.In this paper,we propose a trigger-enhanced actionable CTI discovery system(TriCTI)to portray a relationship between IOCs and campaign stages and generate actionable CTI from cybersecurity reports through natural language processing(NLP)technology.Specifically,we introduce the“campaign trigger”for an effective explanation of the campaign stages to improve the performance of the classification model.The campaign trigger phrases are the keywords in the sentence that imply the campaign stage.The trained final trigger vectors have similar space representations with the keywords in the unseen sentence and will help correct classification by increasing the weight of the keywords.We also meticulously devise a data augmentation specifically for cybersecurity training sets to cope with the challenge of the scarcity of annotation data sets.Compared with state-of-the-art text classification models,such as BERT,the trigger-enhanced classification model has better performance with accuracy(86.99%)and F1 score(87.02%).We run TriCTI on more than 29k cybersecurity reports,from which we automatically and efficiently collect 113,543 actionable CTI.In particular,we verify the actionability of discovered CTI by using large-scale field data from VirusTotal(VT).The results demonstrate that the threat intelligence provided by VT lacks a part of the threat context for IOCs,such as the Actions on Objectives campaign stage.As a comparison,our proposed method can completely identify the actionable CTI in all campaign stages.Accordingly,cyber threats can be identified and resisted at any campaign stage with the discovered actionable CTI.