TY - JOUR
T1 - Time-Travel Investigation
T2 - Toward Building a Scalable Attack Detection Framework on Ethereum
AU - Wu, Siwei
AU - Wu, Lei
AU - Zhou, Yajin
AU - Li, Runhuai
AU - Wang, Zhi
AU - Luo, Xiapu
AU - Wang, Cong
AU - Ren, Kui
N1 - Funding Information:
This work is partially supported by the National Natural Science Foundation of China under Grant No. 62172360, Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (Grant No. 2018R01005), the Fundamental Research Funds for the Central Universities (Grant No. 2021FZZX001-26), Research Grants Council of Hong Kong under Grants No. CityU 11217819, No. CityU 11217620, No. R6021-20F, Research Grants Council of the Hong Kong Special Administrative Region under Grants No. PolyU15222320 and No. PolyU15219319. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of funding agencies. Authors’ addresses: S. Wu, Zhejiang University & Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province, Hangzhou, China; email: [email protected]; L. Wu, Y. Zhou (corresponding author), R. Li, and K. Ren, Zhejiang University, Hangzhou, China; emails: {lei_wu, yajin_zhou, 21821327, kuiren}@zju.edu.cn; Z. Wang, Florida State University, Tallahassee, US; email: [email protected]; X. Luo, The Hong Kong Polytechnic University, Hong Kong, China; email: [email protected]; C. Wang, City University of Hong Kong, Hong Kong, China; email: congwang@cityu.edu.hk. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. © 2022 Association for Computing Machinery. 1049-331X/2022/04-ART54 $15.00 https://doi.org/10.1145/3505263
Publisher Copyright:
© 2022 Association for Computing Machinery.
PY - 2022/4/9
Y1 - 2022/4/9
N2 - Ethereum has been attracting lots of attacks, hence there is a pressing need to perform timely investigation and detect more attack instances. However, existing systems suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage. In this article, we propose a scalable attack detection framework named EthScope, which overcomes the scalability issue by neatly re-organizing the Ethereum state and efficiently locating suspicious transactions. It leverages the fine-grained state to support the replay of arbitrary transactions and proposes a well-designed schema to optimize the storage consumption. The performance evaluation shows that EthScope can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around when replaying transactions. It also has lower storage consumption compared with existing systems. Further analysis shows that EthScope can help analysts understand attack behaviors and detect more attack instances.
AB - Ethereum has been attracting lots of attacks, hence there is a pressing need to perform timely investigation and detect more attack instances. However, existing systems suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage. In this article, we propose a scalable attack detection framework named EthScope, which overcomes the scalability issue by neatly re-organizing the Ethereum state and efficiently locating suspicious transactions. It leverages the fine-grained state to support the replay of arbitrary transactions and proposes a well-designed schema to optimize the storage consumption. The performance evaluation shows that EthScope can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around when replaying transactions. It also has lower storage consumption compared with existing systems. Further analysis shows that EthScope can help analysts understand attack behaviors and detect more attack instances.
KW - Ethereum
KW - attack detection
KW - vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85130705437&partnerID=8YFLogxK
U2 - 10.1145/3505263
DO - 10.1145/3505263
M3 - Journal article
SN - 1049-331X
VL - 31
SP - 1
EP - 33
JO - ACM Transactions on Software Engineering and Methodology
JF - ACM Transactions on Software Engineering and Methodology
IS - 3
M1 - 54
ER -