CN113595986B - A smart contract interception method and device based on a smart contract firewall framework - Google Patents
- Publication number: CN113595986B (application number CN202110740050.3A)
- Authority: CN (China)
- Prior art keywords
- contract
- transaction
- firewall
- rule
- protected
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION (Section H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE)
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0227—Filtering policies
      - H04L63/0263—Rule management
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1416—Event detection, e.g. attack signature detection
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Description
Technical Field
The invention relates to the field of computer technology, and in particular to a smart contract interception method and device based on a smart contract firewall framework.
Background
The emergence of smart contracts marked the formal entry of blockchain technology into its 2.0 era: a blockchain could now carry out a series of operations on its own, without direct human intervention, and smart contracts are the carrier of that capability. However, smart-contract blockchains have had one problem since their inception: on most of them, a smart contract is difficult to upgrade or maintain once it has been deployed on chain, and Ethereum does not even provide an official upgrade path for smart contracts. Consequently, once a smart contract containing a vulnerability is on chain, its maintenance cost is high and it can be attacked by hackers repeatedly, causing heavy losses to the party that deployed it. The main current technologies for smart contract security are smart contract firewalls and smart contract security auditing. A smart contract firewall provides real-time protection by adding a further protective layer to the smart contract that blocks unauthorized transactions; black and white lists can be configured to the project's actual needs so that attackers and malicious users are strictly filtered out, safeguarding platform fairness and asset security. Smart contract security auditing is one of the core businesses of specialist blockchain security companies such as SlowMist (慢雾科技), PeckShield (派盾科技) and 零时科技. It is a third-party audit of the smart contract performed before the chaincode is deployed on chain, and it comprises matching against signature code, automated auditing based on formal verification and on symbolic execution and symbolic abstraction, and manual auditing.
The security upgrades that existing smart contract interception approaches perform before deployment serve mainly to discover and repair chaincode vulnerabilities, and a smart contract firewall, through the deployment of firewall code, controls chaincode calls and prevents unauthorized chaincode access. However, existing smart contract interception methods cannot promptly detect and intercept malicious transactions launched against smart contract vulnerabilities.
Summary of the Invention
The present invention provides a smart contract interception method and device based on a smart contract firewall framework, to solve the technical problem that existing smart contract interception methods cannot promptly detect and intercept malicious transactions launched against smart contract vulnerabilities.
One embodiment of the present invention provides a smart contract interception method based on a smart contract firewall framework, comprising:
deploying a first firewall contract, a first interception rule base and a protected contract on the blockchain, the first interception rule base comprising a first rule contract;
receiving and responding to a call request sent by a client, and sending the transaction information in the transaction request sent by the client to the first rule contract, so that the first rule contract judges the reasonableness of the transaction information and, when the judgment result is that the reasonableness check passes, returns the judgment result to the first firewall contract;
receiving and responding to the judgment result, and sending the transaction request to the protected contract, so that the protected contract transacts with the client according to the transaction request and, once the transaction is complete, returns the transaction result to the first firewall contract;
receiving the transaction result sent by the protected contract and sending it to the first rule contract, so that the first rule contract checks the transaction result against the rules in its own contract and, if the detection result is that the transaction result does not satisfy the transaction conditions, returns the detection result to the first firewall contract;
intercepting the transaction according to the detection result, and returning the interception result to the client.
Further, the interception method also comprises:
deploying a second rule contract in the first interception rule base;
replacing the first rule contract with the second rule contract by modifying the call-state parameter of the first firewall contract.
Further, the interception method also comprises:
deploying a second interception rule base and a second firewall contract on the blockchain;
destroying the first firewall contract, calling the rule contract in the second interception rule base through the second firewall contract, and protecting the protected contract with the rule contract in the second interception rule base.
Further, the firewall contract, the rule contract and the protected contract stand in a many-to-many relationship.
Further, the interception method also comprises:
after the protected contract has suffered an unknown new type of attack, fuzz testing with the abnormal parameters in the protected contract as samples, to obtain hardening rules for countering the new attack.
Further, fuzz testing with the abnormal parameters in the protected contract as samples to obtain hardening rules for countering the new attack specifically comprises:
after the new attack has occurred, determining the abnormal parameters that caused the abnormal state when the protected contract was attacked, applying random mutation to the abnormal parameters to obtain mutated abnormal parameters, and fuzz testing the mutated abnormal parameters multiple times to obtain the hardening rules.
Further, applying random mutation to the abnormal parameters to obtain mutated abnormal parameters and fuzz testing the mutated abnormal parameters multiple times to obtain hardening rules specifically comprises:
using the mutated abnormal parameters as the input of each fuzz test and the attacked protected contract as the carrier of each fuzz test, the output of the fuzz test being the control flow of the attacked protected contract;
after multiple fuzz tests, obtaining multiple input-output pairs of mutated abnormal parameters and control flow, performing frequent item mining on the input-output pairs to filter out their high-frequency code blocks, and analyzing the high-frequency code blocks to obtain the hardening rules for countering the new attack.
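The mutation, fuzzing and frequent-item-mining steps above, worked through as an added example that is not part of the patent (a Python model written for this page, not the patent's implementation). The vulnerable vault contract, the control-flow block labels, the constructed attack input and the BLOCK_GUARDS table that stands in for the analysis step are all assumptions; the contract's arithmetic wraps like pre-0.8 Solidity so that an unchecked subtraction is the abnormal state the attack produced.

```python
"""Fuzz-driven derivation of a hardening rule: take the abnormal parameters observed in an
attack, mutate them at random, run each mutant on the attacked contract and record its control
flow, then mine the high-frequency code blocks from the input/output pairs and turn them into a rule.

Constructed toy model written for this page, not the patent's implementation. The vault
contract, block labels and BLOCK_GUARDS (the analysis step, done here by table lookup) are assumptions.
"""
import random
from collections import Counter
from typing import Callable, Dict, List, Set, Tuple

MAX_UINT = 2**256 - 1  # EVM word: arithmetic in pre-0.8 Solidity wraps modulo 2**256

Tx = Dict[str, object]


class VulnerableVault:
    """Constructed protected contract whose withdraw() subtracts without a balance check.
    Instrumentation appends a label for every basic block reached, so one run's output
    is its control flow as a tuple of labels."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)
        self.trace: List[str] = []

    def withdraw(self, sender: str, amount: int) -> int:
        self.trace = ["entry"]
        bal = self.balances.get(sender, 0)
        if amount == 0:
            self.trace.append("reject_zero")
            return bal
        new_bal = (bal - amount) % (MAX_UINT + 1)  # unchecked subtraction, wraps on underflow
        # instrumentation: a wrapped result marks the block the attack drove execution into
        self.trace.append("underflow_wrap" if new_bal > bal else "normal_debit")
        self.balances[sender] = new_bal
        self.trace.append("transfer_out")
        return new_bal


# Analysis of a code block, modelled as looking up the branch condition that leads into it.
# A derived hardening rule reads: intercept when this condition holds for the request.
BLOCK_GUARDS: Dict[str, Callable[[Tx, VulnerableVault], bool]] = {
    "underflow_wrap": lambda tx, c: tx["amount"] > c.balances.get(tx["sender"], 0),
    "reject_zero": lambda tx, c: tx["amount"] == 0,
}


def mutate(value: int, rng: random.Random) -> int:
    """Random mutation of one abnormal parameter (bit flip, arithmetic, boundary values)."""
    op = rng.choice(("bitflip", "add", "sub", "mul", "boundary"))
    if op == "bitflip":
        return value ^ (1 << rng.randrange(256))
    if op == "add":
        return value + rng.randrange(1, 1000)
    if op == "sub":
        return max(0, value - rng.randrange(1, 1000))
    if op == "mul":
        return value * rng.randrange(2, 16)
    return rng.choice((0, 1, MAX_UINT, MAX_UINT - value))


def fuzz(sample: Tx, fresh_contract: Callable[[], VulnerableVault], rounds: int,
         seed: int = 1) -> List[Tuple[Tx, Tuple[str, ...]]]:
    """Each round: mutate the sample, run it on a fresh copy of the attacked contract,
    keep the (input, control flow) pair."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(rounds):
        tx = dict(sample, amount=mutate(sample["amount"], rng) & MAX_UINT)
        contract = fresh_contract()
        contract.withdraw(tx["sender"], tx["amount"])
        pairs.append((tx, tuple(contract.trace)))
    return pairs


def frequent_blocks(pairs, benign_trace: Set[str], min_support: float) -> Set[str]:
    """Frequent-item mining over the traces: blocks reached in at least `min_support` of the
    runs, excluding blocks that a known-good transaction also reaches."""
    counts = Counter()
    for _, trace in pairs:
        counts.update(set(trace))
    return {b for b, c in counts.items() if c / len(pairs) >= min_support and b not in benign_trace}


def derive_rules(hot_blocks: Set[str]) -> List[Tuple[str, Callable]]:
    return [(b, BLOCK_GUARDS[b]) for b in sorted(hot_blocks) if b in BLOCK_GUARDS]


def should_intercept(rules, tx: Tx, contract: VulnerableVault) -> bool:
    """What the hardened rule contract would evaluate before forwarding the request."""
    return any(guard(tx, contract) for _, guard in rules)


def demo() -> dict:
    def fresh() -> VulnerableVault:
        return VulnerableVault({"0xVictim": 100})          # constructed pre-attack state
    attack_tx: Tx = {"sender": "0xVictim", "amount": 150}  # constructed abnormal parameters
    good = fresh()
    good.withdraw("0xVictim", 40)                          # known-good control flow
    pairs = fuzz(attack_tx, fresh, rounds=200)
    hot = frequent_blocks(pairs, set(good.trace), min_support=0.5)
    rules = derive_rules(hot)
    return {
        "hot_blocks": hot,
        "intercept_attack": should_intercept(rules, attack_tx, fresh()),
        "intercept_benign": should_intercept(rules, {"sender": "0xVictim", "amount": 40}, fresh()),
    }
```

The trace of a known-good transaction is used as a baseline so that blocks every transaction visits (entry, transfer_out) are not reported as attack blocks. With the constructed inputs the mining isolates the wrapped-subtraction block, and the derived rule rejects the original attack input while letting the benign withdrawal through. In a real deployment the analysis step is where an engineer turns the hot block into a predicate the rule contract can evaluate before the protected contract runs.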
Another embodiment of the present invention provides a smart contract interception device based on a smart contract firewall framework, comprising:
a deployment module, for deploying a first firewall contract, a first interception rule base and a protected contract on the blockchain, the first interception rule base comprising a first rule contract;
a transaction information sending module, for receiving and responding to a call request sent by a client, and sending the transaction information in the transaction request sent by the client to the first rule contract, so that the first rule contract judges the reasonableness of the transaction information and, when the judgment result is that the reasonableness check passes, returns the judgment result to the first firewall contract;
a transaction request sending module, for receiving and responding to the judgment result, and sending the transaction request to the protected contract, so that the protected contract transacts with the client according to the transaction request and, once the transaction is complete, returns the transaction result to the first firewall contract;
a transaction result sending module, for receiving the transaction result sent by the protected contract and sending it to the first rule contract, so that the first rule contract checks the transaction result against the rules in its own contract and, if the detection result is that the transaction result does not satisfy the transaction conditions, returns the detection result to the first firewall contract;
a transaction interception module, for intercepting the transaction according to the detection result and returning the interception result to the client.
Yet another embodiment of the present invention provides a computer-readable storage medium comprising a stored computer program, wherein, when the computer program runs, it controls the device on which the computer-readable storage medium resides to perform the smart contract interception method based on a smart contract firewall framework described above.
By establishing a firewall contract and an interception rule base on the blockchain, the embodiments of the present invention monitor every transaction of the protected contract in real time; as soon as malicious transaction behaviour against the protected contract is found, the firewall contract can intercept that transaction in time, so that losses caused by malicious transactions are effectively avoided.
Further, the embodiments of the present invention protect the protected contract by separating the firewall contract from the interception rules. When a user wants to change the protection rules or the service provider, it suffices to change the firewall contract's call parameters or to replace the firewall contract with a new one. This not only makes the protection service for the protected contract more comprehensive and more flexible, but also effectively reduces the cost and difficulty of maintaining smart contracts.
Description of the Drawings
Fig. 1 is a schematic flow diagram of a smart contract interception method based on a smart contract firewall framework provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the smart contract firewall architecture provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram, provided by an embodiment of the present invention, of how the call relationships between contracts change when the rule contract is replaced;
Fig. 4 is a schematic diagram, provided by an embodiment of the present invention, of how the call relationships between contracts change when the interception rule base is replaced;
Fig. 5 is another schematic flow diagram of a smart contract interception method based on a smart contract firewall framework provided by an embodiment of the present invention;
Fig. 6 is a flow chart of the program code execution provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a smart contract interception device based on a smart contract firewall framework provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in the present application, all other embodiments obtained by persons of ordinary skill in the art without creative effort fall within the scope of protection of the present application.
In the description of the present application, it should be understood that the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus, a feature qualified as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, unless otherwise stated, "a plurality" means two or more.
In the description of the present application, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or an internal communication between two elements. Persons of ordinary skill in the art can understand the specific meanings of the above terms in the present application according to the specific circumstances.
Referring to Figs. 1 to 6, the first embodiment of the present invention provides the smart contract interception method based on a smart contract firewall framework shown in Fig. 1, comprising:
S1. Deploying a first firewall contract, a first interception rule base and a protected contract on the blockchain; the first interception rule base comprises a first rule contract.
S2. Receiving and responding to a call request sent by a client, and sending the transaction information in the transaction request sent by the client to the first rule contract, so that the first rule contract judges the reasonableness of the transaction information and, when the judgment result is that the reasonableness check passes, returns the judgment result to the first firewall contract.
Optionally, the transaction information includes the transaction initiator's information and the transaction parameters, and the reasonableness judgment includes a permission judgment and a pre-execution result judgment. When the judgment result is that the transaction information fails the reasonableness check, the firewall contract intercepts the transaction.
S3. Receiving and responding to the judgment result, and sending the transaction request to the protected contract, so that the protected contract transacts with the client according to the transaction request and, once the transaction is complete, returns the transaction result to the first firewall contract.
S4. Receiving the transaction result sent by the protected contract and sending it to the first rule contract, so that the first rule contract checks the transaction result against the rules in its own contract and, if the detection result is that the transaction result does not satisfy the transaction conditions, returns the detection result to the first firewall contract.
S5. Intercepting the transaction according to the detection result, and returning the interception result to the client.
In the embodiments of the present invention, a rule contract is itself a smart contract that must be deployed on the blockchain; it contains a variety of protection rules and interception rules for smart contract transactions. A firewall interception rule can be formally described as
f(p1, p2, ...)
where pi is a transaction parameter and f is a function operating on the transaction parameters, which in practice may be a piece of code.
An interception rule base is a collection of rule contracts; in practical application scenarios it takes the form of many smart contracts, already deployed on chain, that contain transaction filtering and protection rules.
In the embodiments of the present invention, the firewall contract is essentially a contract protection agent: it is the entry point of the interception rule base and connects the interception rule base with the protected contract. Refer to Fig. 2, a schematic diagram of a smart contract firewall architecture provided by an embodiment of the present invention.
In the embodiments of the present invention, a first firewall contract, a first interception rule base and a protected contract are deployed on the blockchain, the first interception rule base comprising a first rule contract; the first firewall contract connects the interception rule base with the protected contract and monitors every transaction of the protected contract in real time. As soon as malicious transaction behaviour against the protected contract is found, the firewall contract can intercept that transaction in time, so that losses caused by malicious transactions are effectively avoided.
As a specific implementation of the embodiments of the present invention, the interception method also comprises:
deploying a second rule contract in the first interception rule base;
replacing the first rule contract with the second rule contract by modifying the call-state parameter of the first firewall contract.
Referring to Fig. 3, when the rule contract protecting the protected contract needs to be replaced, the embodiments of the present invention complete the replacement simply by modifying the call-state parameter of the firewall contract. In Fig. 3, a first rule contract, a second rule contract, a firewall contract and a protected contract are deployed on the blockchain; before the interception rules are replaced, the interception and protection rules of the protected contract are determined by the first rule contract. When the interception rules are to be replaced with the contents of the second rule contract, the replacement is completed by changing the firewall contract's call-state parameter from the first rule contract to the second rule contract; after the replacement, the interception rules of the protected contract are determined by the second rule contract.
The embodiments of the present invention connect the rule contract and the protected contract through the first firewall contract. When a user needs to change the protection service, the rule contract can be replaced conveniently by modifying the call-state parameter of the first firewall contract. This not only improves the efficiency of protection; because the rule contract is replaced merely by modifying a call-state parameter, it also effectively reduces the cost and difficulty of maintaining smart contracts.
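The S1 to S5 call flow and the Fig. 3 rule swap, modelled as an added example that is not part of the patent (Python written for this page; the on-chain contracts themselves would be written in Solidity or similar). The class and account names, the toy ledger and the rule sets rules-v1 and rules-v2 are assumptions; a revert is modelled as an exception and msg.sender as an explicit field of the transaction.

```python
"""Model of the call flow in steps S1 to S5 (firewall contract in front of a protected contract,
a rule contract deciding pre- and post-checks) and of the rule swap in Fig. 3.

Constructed Python stand-in for on-chain code, written for this page; not the patent's
implementation. A revert is modelled by raising `Intercepted`, msg.sender is the explicit
`Tx.sender`, and all names (FirewallContract, 0xAlice, rules-v1, ...) are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class Intercepted(Exception):
    """Raised where the firewall would revert; str(e) is the interception result (step S5)."""


@dataclass(frozen=True)
class Tx:
    sender: str   # transaction initiator information
    to: str       # transaction parameters p1, p2, ...
    amount: int


class ProtectedContract:
    """Constructed toy ledger. It has no balance check of its own: enforcing that is
    exactly what the firewall in front of it is for."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)

    def execute(self, tx: Tx) -> Dict[str, int]:
        """Debit sender, credit recipient, return the transaction result for the post-check."""
        self.balances[tx.sender] = self.balances.get(tx.sender, 0) - tx.amount
        self.balances[tx.to] = self.balances.get(tx.to, 0) + tx.amount
        return {"sender_balance": self.balances[tx.sender], "amount": tx.amount}


class RuleContract:
    """Named predicates f(p1, p2, ...): pre-rules see the request and the protected contract's
    state (permission and pre-execution checks, S2); post-rules see the result (S4)."""

    def __init__(self, name: str, pre_rules: List[Tuple[str, Callable]],
                 post_rules: List[Tuple[str, Callable]]):
        self.name, self.pre_rules, self.post_rules = name, list(pre_rules), list(post_rules)

    def check_request(self, tx: Tx, target: ProtectedContract) -> List[str]:
        return [n for n, f in self.pre_rules if not f(tx, target)]   # names of failed rules

    def check_result(self, tx: Tx, result: Dict[str, int]) -> List[str]:
        return [n for n, f in self.post_rules if not f(tx, result)]


class FirewallContract:
    """Proxy (protection agent) between client and protected contract. `rule_contract` is the
    call-state parameter the patent changes to swap rules; only the owner may change it."""

    def __init__(self, owner: str, rule_contract: RuleContract, protected: ProtectedContract):
        self.owner, self.rule_contract, self.protected = owner, rule_contract, protected

    def set_rule_contract(self, caller: str, new_rule: RuleContract) -> None:
        if caller != self.owner:                # Fig. 3: one state change, no redeployment
            raise Intercepted("only the owner may change the rule contract")
        self.rule_contract = new_rule

    def call(self, tx: Tx) -> Dict[str, int]:
        failed = self.rule_contract.check_request(tx, self.protected)            # S2
        if failed:
            raise Intercepted(f"request rejected by {self.rule_contract.name}: {failed}")
        snapshot = dict(self.protected.balances)
        result = self.protected.execute(tx)                                      # S3
        failed = self.rule_contract.check_result(tx, result)                     # S4
        if failed:
            self.protected.balances = snapshot  # S5: on chain the revert undoes the whole call
            raise Intercepted(f"result rejected by {self.rule_contract.name}: {failed}")
        return result


def try_call(fw: FirewallContract, tx: Tx) -> Tuple[str, object]:
    """Client-side view: the transaction result or the interception result."""
    try:
        return ("executed", fw.call(tx))
    except Intercepted as e:
        return ("intercepted", str(e))


def demo() -> dict:
    protected = ProtectedContract({"0xAlice": 100, "0xBob": 0})            # constructed state
    rules_v1 = RuleContract(
        "rules-v1",
        pre_rules=[("positive_amount", lambda tx, c: tx.amount > 0),
                   ("sender_not_denied", lambda tx, c: tx.sender != "0xMallory")],  # black list
        post_rules=[("no_negative_balance", lambda tx, r: r["sender_balance"] >= 0)])
    fw = FirewallContract("0xOwner", rules_v1, protected)
    out = {"ok": try_call(fw, Tx("0xAlice", "0xBob", 30)),
           "denied_sender": try_call(fw, Tx("0xMallory", "0xBob", 1)),
           "overdraw_v1": try_call(fw, Tx("0xAlice", "0xBob", 500))}  # caught at S4, rolled back
    # Swap in a second rule contract that adds a pre-execution balance check (S2), so the same
    # overdraw is now rejected before the protected contract runs at all.
    rules_v2 = RuleContract(
        "rules-v2",
        pre_rules=rules_v1.pre_rules + [
            ("sufficient_balance", lambda tx, c: c.balances.get(tx.sender, 0) >= tx.amount)],
        post_rules=rules_v1.post_rules)
    fw.set_rule_contract("0xOwner", rules_v2)
    out["overdraw_v2"] = try_call(fw, Tx("0xAlice", "0xBob", 500))
    out["balances"] = dict(protected.balances)
    return out
```

Two points the model makes visible: a post-check at S4 only works if the protected contract's state is undone when the result is rejected, which on chain falls out of reverting the whole call but here is an explicit snapshot and rollback; and rules-v2 moves the same balance condition to S2, where it rejects the request before the protected contract executes, which is the cheaper place to catch it and the reason the pre-execution judgment exists alongside the post-check.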
As a specific implementation of the embodiments of the present invention, the interception method also comprises:
deploying a second interception rule base and a second firewall contract on the blockchain;
destroying the first firewall contract, calling the rule contract in the second interception rule base through the second firewall contract, and protecting the protected contract with the rule contract in the second interception rule base.
Optionally, in practical application scenarios, different interception rule bases are generally maintained by different service providers. Referring to Fig. 4, when a user wants to switch the interception rule base that supplies the protection rule standard for the protected contract, the embodiments of the present invention achieve this by replacing the firewall proxy contract. In Fig. 4, a first interception rule base, a second interception rule base, a first firewall contract and a protected contract have been deployed on the blockchain; at this point the protected contract receives its protection service from the first firewall contract, and the interception rules are determined by one of the rule contracts in the first interception rule base. In a specific implementation, the interception rules may be determined by multiple rule contracts.
Optionally, when a user wants to replace the interception rules with a certain rule contract in the second interception rule base, the service cannot be switched simply by changing the firewall contract's call-state parameter, because the types or attributes of the external interfaces offered by different interception rule bases may not be consistent. The embodiments of the present invention therefore deploy a new second firewall contract that calls the rule contract in the second interception rule base, thereby replacing the interception rules. At this point the protected contract no longer needs the first interception rule base to provide its interception rule service, so the embodiments of the present invention destroy the first firewall contract directly, which reduces the memory the system occupies and improves its interception efficiency. The first rule contract can remain deployed on the blockchain, waiting to be called again by other firewall contracts. Once these operations are complete, the second firewall contract provides the protection service to the protected contract, and the interception rules are determined by one of the rule contracts in the second interception rule base. In a specific implementation, the interception rules may be determined by multiple rule contracts.
In the embodiments of the present invention, the rule contract and the protected contract are connected through the first firewall contract, which acts as the protection provider for the protected contract. When a user needs to change the protection provider, the first firewall contract is destroyed, a second firewall contract is deployed on the blockchain, and that second firewall contract calls the rule contract in the second interception rule base, which then protects the protected contract. This not only allows the protection provider to be swapped quickly, making the protection service for the protected contract more comprehensive and more flexible, but also effectively reduces the cost and difficulty of maintaining smart contracts.
作为本发明实施例的一种具体实施方式,防火墙合约、规则合约和被保护合约之间为多对多的关系。As a specific implementation manner of the embodiment of the present invention, there is a many-to-many relationship among the firewall contract, the rule contract and the protected contract.
示例性的,防火墙合约既可以只针对一个被保护合约进行保护,也可以同时保护多个被保护合约,同时防火墙合约也可以调用一个规则合约或同时调用多个规则合约,规则合约、防火墙合约和被保护合约之间可以是多对多的关系。本发明实施例中防火墙合约、规则合约和被保护合约之间的多对多关系,能够有效提高拦截的效率,以及提高智能合约部署维护升级困难的问题。Exemplarily, the firewall contract can protect only one protected contract, or protect multiple protected contracts at the same time. At the same time, the firewall contract can also call a rule contract or call multiple rule contracts at the same time. The rule contract, firewall contract and There can be a many-to-many relationship between protected contracts. The many-to-many relationship between the firewall contract, the rule contract and the protected contract in the embodiment of the present invention can effectively improve the efficiency of interception and improve the difficulty of smart contract deployment, maintenance and upgrade.
As a specific implementation of the embodiment of the present invention, the interception method further includes:
when the protected contract suffers an unknown new type of attack, using the abnormal parameters inside the protected contract as samples for fuzz testing to obtain hardening rules for countering the new type of attack.
In the embodiment of the present invention, fuzz testing is carried out using the abnormal parameters inside the attacked protected contract as samples, and hardening rules for countering the new type of attack are generated in a targeted manner, which effectively improves the effectiveness of those hardening rules.
As a specific implementation of the embodiment of the present invention, using the abnormal parameters inside the protected contract as samples for fuzz testing to obtain hardening rules for countering the new type of attack specifically comprises:
after the new type of attack occurs, determining the abnormal parameters that caused the state of the protected contract to become abnormal when it was attacked, applying random mutation to the abnormal parameters to obtain mutated abnormal parameters, and performing multiple rounds of fuzz testing on the mutated abnormal parameters to obtain the hardening rules.
As a specific implementation of the embodiment of the present invention, applying random mutation to the abnormal parameters to obtain mutated abnormal parameters and performing multiple rounds of fuzz testing on the mutated abnormal parameters to obtain the hardening rules specifically comprises:
using the mutated abnormal parameters as the input of each fuzz test and the attacked protected contract as the carrier of each fuzz test, the output of each fuzz test being the control flow of the attacked protected contract;
after multiple fuzz tests, obtaining several input-output pairs of mutated abnormal parameters and control flows, performing frequent-item mining on the input-output pairs to screen out the high-frequency code blocks of the input-output pairs, and analysing the high-frequency code blocks to obtain the hardening rules for countering the new type of attack.
For example, in the embodiment of the present invention, mutation is the process of generating new parameters from the original parameters by a specific method. Parameter mutation methods include adding, subtracting or substituting random numbers, bitwise or random bit flipping, XOR and negation, substitution of sensitive boundary values, and so on. The data flow is the code executed by the smart contract from start to finish during its run, that is, the execution path of the program. Referring to FIG. 6, if the parameter i is 0, the execution path of the program is A->B->D, and its data flow is the code executed along that path. Fuzz testing is a method of discovering software vulnerabilities by feeding unexpected input to the target system and monitoring for abnormal results. The main steps of one fuzz test are as follows: first, the transaction or call parameters that triggered the abnormal state of the smart contract are randomly mutated; then the mutated parameters are used as input parameters to call the smart contract that was originally attacked; and the code executed while the contract runs is recorded and output as the data flow.
Frequent-item mining in the embodiment of the present invention is essentially a process of establishing a mapping from call parameters to code blocks. Through fuzz testing, the embodiment of the present invention obtains several input-output pairs of mutated transaction parameters and code control flows; then, by observing the code statements shared by the control flows corresponding to different mutations of the same transaction parameter, it builds frequent itemsets and thereby determines the mapping between transaction parameters and code blocks. For example, the algorithm used for frequent-item mining in the embodiment of the present invention is the Apriori algorithm, an association-rule mining algorithm whose purpose is to uncover hidden relationships between things; in the Apriori algorithm, support is the criterion by which the embodiment of the present invention judges frequent itemsets. The goal of the Apriori algorithm is to find the largest frequent k-itemset. In the embodiment of the present invention an association rule is an implication of the form X→Y, where X and Y are respectively called the antecedent (or left-hand side, LHS) and the consequent (or right-hand side, RHS) of the association rule. An association rule X→Y has a support and a confidence. The support is the probability that the items covered by the antecedent LHS and the consequent RHS of the rule all occur together, which can be understood as the number of transactions containing both the LHS and the RHS items divided by the total number of transactions. Frequent itemset generation in the embodiment of the present invention aims to discover all itemsets that satisfy the minimum support threshold; these itemsets are called frequent itemsets.
In a specific implementation, the steps of the frequent-item mining algorithm used by the embodiment of the present invention are:
Input: data set D, support threshold α;
Output: the largest frequent k-itemset;
S10. Scan the entire data set and take every item that appears as the candidate frequent 1-itemsets, where k=1 and the frequent 0-itemset is the empty set;
S20. Mine the frequent k-itemsets:
a. scan the data and compute the support of each candidate frequent k-itemset;
b. remove from the candidate frequent k-itemsets those whose support is below the threshold, giving the frequent k-itemsets; if the resulting set of frequent k-itemsets is empty, return the set of frequent (k-1)-itemsets as the algorithm result and stop; if the resulting set of frequent k-itemsets contains only one itemset, return that set of frequent k-itemsets as the algorithm result and stop;
c. from the frequent k-itemsets, generate the candidate frequent (k+1)-itemsets.
S30. Set k=k+1 and go to step S20.
In a specific implementation, the input-output pairs obtained by the embodiment of the present invention through fuzz testing include the following three pairs: {A,{a,b}}, {B,{b,c}}, {C,{b}}, where A, B and C are three different new input values obtained by randomly mutating the same transaction parameter W, and a, b and c are three code statements in the attacked smart contract. Observation shows that code statement b runs whether W is changed to A, B or C, so the itemset {W,b} is obtained: when parameter W changes, statement b runs at the same time with a certain probability, that is, W and b are related with a certain probability. When the embodiment of the present invention changes parameter W many times and statement b runs with a high probability, the embodiment of the present invention builds the frequent itemset {W,b} with the Apriori algorithm and computes its support; as long as the support of this set is greater than a moderate input threshold α and not greater than a larger threshold β, the embodiment of the present invention considers that the various mutations of parameter W have a direct influence on whether b runs.
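As an added example, not code from the patent, the following Python script carries the fuzz-testing and frequent-item-mining procedure of the preceding paragraphs through end to end: the mutation operators listed above, a constructed stand-in for the attacked contract that returns its control flow, Apriori steps S10 to S30 with the early-termination rules of step b, and the (α, β] support test applied to {W, b}. The contract, its parameter names, the thresholds and the seed are assumptions; the description's {A,{a,b}}, {B,{b,c}}, {C,{b}} pairs are reproduced as constructed data.

```python
import random
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Flow = List[str]                        # labels of the code blocks one run executed
Itemset = FrozenSet[str]
FuzzRun = Tuple[str, object, Flow]      # (mutated parameter name, mutated value, control flow)

# The description's own example: W mutated into A, B, C; statements a, b, c executed.
PAGE_PAIRS: List[FuzzRun] = [("W", "A", ["a", "b"]), ("W", "B", ["b", "c"]), ("W", "C", ["b"])]

def mutate(value: int, rng: random.Random) -> int:
    """Parameter mutation operators listed in the description (constructed implementations)."""
    op = rng.choice(["add", "sub", "replace", "flip", "xor", "invert", "boundary"])
    if op == "add":
        return value + rng.randint(1, 1000)
    if op == "sub":
        return value - rng.randint(1, 1000)
    if op == "replace":
        return rng.randint(-(2 ** 31), 2 ** 31 - 1)
    if op == "flip":
        return value ^ (1 << rng.randint(0, 31))          # flip one random bit
    if op == "xor":
        return value ^ rng.randint(1, 0xFFFF)
    if op == "invert":
        return ~value
    # sensitive boundary values: zero, sign change, 32-bit and 256-bit word edges
    return rng.choice([0, 1, -1, 2 ** 31 - 1, -(2 ** 31), 2 ** 32, 2 ** 256 - 1])

def attacked_contract(amount: int, index: int) -> Flow:
    """Constructed stand-in for the attacked protected contract: it returns its control flow
    instead of touching chain state. Following FIG. 6, index == 0 takes A->B->D, else A->C->D;
    block E is the (constructed) branch in which the contract state becomes abnormal."""
    flow = ["A", "B" if index == 0 else "C"]
    if amount < 0 or amount >= 2 ** 255:
        flow.append("E")
    flow.append("D")
    return flow

def fuzz(contract: Callable[..., Flow], abnormal: Dict[str, int], rounds: int, seed: int = 0) -> List[FuzzRun]:
    """One fuzz test per round: mutate one abnormal parameter (round-robin), keep the others at
    their captured abnormal value, call the contract and record the control flow it ran."""
    rng = random.Random(seed)
    names = sorted(abnormal)
    runs: List[FuzzRun] = []
    for i in range(rounds):
        name = names[i % len(names)]
        params = dict(abnormal)
        params[name] = mutate(abnormal[name], rng)
        runs.append((name, params[name], contract(**params)))
    return runs

def as_dataset(runs: List[FuzzRun]) -> List[Itemset]:
    """Data set D for Apriori: each transaction is the mutated parameter's name plus the code
    blocks that ran, so {A,{a,b}} with A a mutation of W becomes the itemset {W, a, b}."""
    return [frozenset([name]) | frozenset(flow) for name, _value, flow in runs]

def support(itemset: Itemset, dataset: List[Itemset]) -> float:
    return sum(1 for t in dataset if itemset <= t) / len(dataset)

def apriori_largest(dataset: List[Itemset], alpha: float) -> Set[Itemset]:
    """Steps S10-S30 of the description; returns the largest frequent k-itemsets."""
    # S10: every item that appears is a candidate 1-itemset; the frequent 0-itemset is empty.
    candidates: Set[Itemset] = {frozenset([item]) for t in dataset for item in t}
    previous, k = set(), 1
    while True:
        # S20 a/b: compute support and drop candidates below the threshold.
        frequent = {c for c in candidates if support(c, dataset) >= alpha}
        if not frequent:
            return previous            # nothing frequent at k: the (k-1)-itemsets are the result
        if len(frequent) == 1:
            return frequent            # a single frequent k-itemset is the result
        # S20 c: join frequent k-itemsets into candidate (k+1)-itemsets, pruning any candidate
        # with a non-frequent k-subset (the Apriori property).
        candidates = set()
        for a, b in combinations(frequent, 2):
            union = a | b
            if len(union) == k + 1 and all(frozenset(s) in frequent for s in combinations(union, k)):
                candidates.add(union)
        previous, k = frequent, k + 1  # S30

def parameter_block_mapping(runs: List[FuzzRun], alpha: float, beta: float) -> Dict[Tuple[str, str], float]:
    """The mapping the description derives from {W, b}: a parameter is taken to influence a
    code block when support({parameter, block}) lies in (alpha, beta]."""
    dataset = as_dataset(runs)
    names = {name for name, _, _ in runs}
    blocks = {block for _, _, flow in runs for block in flow}
    mapping: Dict[Tuple[str, str], float] = {}
    for name in names:
        for block in blocks:
            s = support(frozenset([name, block]), dataset)
            if alpha < s <= beta:
                mapping[(name, block)] = s
    return mapping

if __name__ == "__main__":
    # Constructed abnormal parameters captured from the attacked call (amount went negative).
    runs = fuzz(attacked_contract, {"amount": -1, "index": 0}, rounds=40, seed=7)
    print(apriori_largest(as_dataset(runs), alpha=0.4))
    print(parameter_block_mapping(runs, alpha=0.2, beta=0.6))
```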
After the protected contract suffers a new type of attack, the embodiment of the present invention uses the abnormal parameters inside the attacked protected contract as samples for fuzz testing to obtain input-output pairs, and screens out the high-frequency code blocks of the input-output pairs through frequent-item mining, that is, the suspicious code that produces the abnormal state. Analysing this suspicious code yields effective hardening rules targeted at the new type of attack, which effectively strengthens the protection of the protected contract.
Referring to FIG. 5, which is another schematic flowchart of smart contract interception based on the smart contract firewall framework provided by an embodiment of the present invention.
Implementing the embodiment of the present invention has the following beneficial effects:
The embodiment of the present invention establishes a firewall contract and an interception rule library on the blockchain to monitor every transaction of the protected contract in real time; once malicious transaction behaviour is found in the protected contract, the firewall contract can intercept that transaction in time, effectively avoiding losses caused by malicious transactions. The embodiment of the invention protects the protected contract by separating the firewall contract from the interception rules, so when the user wants to change the protection rules or the service provider, it is enough to change the call parameters of the firewall contract or to replace it with a new firewall contract, which not only makes the protection service for the protected contract more comprehensive and flexible but also effectively reduces the maintenance cost and difficulty of the smart contract. The embodiment of the present invention uses the abnormal parameters inside the attacked protected contract as samples for fuzz testing and generates hardening rules for countering new types of attack in a targeted manner, which effectively improves the effectiveness of those hardening rules.
Referring to FIG. 7, another embodiment of the present invention provides a smart contract interception device based on a smart contract firewall framework, comprising:
a deployment module 10, for deploying a first firewall contract, a first interception rule library and a protected contract on the blockchain, the first interception rule library including a first rule contract;
a transaction information request sending module 20, for receiving and responding to a call request sent by the client, sending the transaction information in the transaction request sent by the client to the first rule contract so that the first rule contract judges the rationality of the transaction information, and returning the judgment result to the first firewall contract when the judgment result is that the rationality check passes;
Optionally, the transaction information includes the information of the transaction initiator and the transaction parameters, the rationality judgment includes a permission judgment and a pre-execution result judgment, and when the judgment result is that the rationality of the transaction information does not pass, the firewall contract intercepts the transaction.
a transaction request sending module 30, for receiving and responding to the judgment result and sending the transaction request to the protected contract so that the protected contract transacts with the client according to the transaction request and returns the transaction result to the first firewall contract when the transaction is complete;
a transaction result sending module 40, for receiving the transaction result sent by the protected contract and sending the transaction result to the first rule contract so that the first rule contract checks the transaction result against the rules in its own contract and, if the check finds that the transaction result does not satisfy the transaction conditions, returns the check result to the first firewall contract;
a transaction interception module 50, for intercepting the transaction according to the check result and returning the interception result to the client.
In the embodiment of the present invention, a rule contract is itself a smart contract that must be deployed on the blockchain; it contains various protection rules and interception rules for smart contract transactions. A firewall interception rule can be formally described as follows:
f(p1, p2, ...)
where pi is a transaction parameter and f is a function operating on the transaction parameters, which in practice may be a piece of code.
The interception rule library is a collection of rule contracts; in a practical application scenario it takes the form of many smart contracts already deployed on the chain that contain transaction filtering and protection rules.
In the embodiment of the present invention, the firewall contract is essentially a contract protection agent: it is the entry point of the interception rule library and connects the interception rule library to the protected contract. Referring to FIG. 2, which is a schematic diagram of a smart contract firewall architecture provided by an embodiment of the present invention.
The embodiment of the present invention deploys a first firewall contract, a first interception rule library and a protected contract on the blockchain, the first interception rule library including a first rule contract; the first firewall contract connects the interception rule library to the protected contract and monitors every transaction of the protected contract in real time. Once malicious transaction behaviour is found in the protected contract, the firewall contract can intercept that transaction in time, effectively avoiding losses caused by malicious transactions.
As a specific implementation of the embodiment of the present invention, the interception method further includes:
deploying a second rule contract in the first interception rule library;
replacing the first rule contract with the second rule contract by modifying the call state parameter of the first firewall contract.
In the embodiment of the present invention, the firewall contract is essentially a contract protection agent: it is the entry point of the interception rule library and connects the interception rule library to the protected contract.
Referring to FIG. 3, when the rule contract protecting the protected contract needs to be replaced, the embodiment of the present invention completes the replacement simply by modifying the call state parameter of the firewall contract. Continuing with FIG. 3, a first rule contract, a second rule contract, a firewall contract and a protected contract are deployed on the blockchain; before the interception rule is replaced, the interception and protection rules of the protected contract are determined by the first rule contract. When the interception rule needs to be replaced with the content of the second rule contract, the embodiment of the present invention completes the replacement by modifying the call state parameter of the firewall contract from the first rule contract to the second rule contract; after this replacement, the interception rules of the protected contract are determined by the second rule contract.
In the embodiment of the present invention, the rule contract and the protected contract are connected through the first firewall contract, so when the user needs to change the protection service, the rule contract can be replaced conveniently by modifying the call state parameter of the first firewall contract. This not only effectively improves protection efficiency; because the rule contract is replaced merely by modifying a call state parameter, it also effectively reduces the maintenance cost and difficulty of the smart contract.
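As an added example, not the patent's own code, the following Python model simulates the interception flow of modules 10 to 50 and the rule-contract switch described above: the firewall holds the selected rule contract in a call state parameter, each rule is a function f(p1, p2, ...) over the transaction parameters, the rule contract is consulted before the protected contract runs (permission and pre-execution judgment) and again on the transaction result, and an intercepted transaction leaves the protected contract's state untouched, as an on-chain revert would. The token ledger, the rule functions, the account names and the owner-only switch check are assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, int]   # protected contract storage: account -> balance

@dataclass
class Transaction:
    sender: str                # transaction initiator information
    params: Dict[str, object]  # transaction parameters p1, p2, ...

# An interception rule is a function f(p1, p2, ...) over the transaction parameters (and the
# state it may pre-execute against); it returns None to accept or a reason string to reject.
PreRule = Callable[[Transaction, State], Optional[str]]
PostRule = Callable[[Transaction, State, State], Optional[str]]   # (tx, state before, after)

class RuleContract:
    """Stand-in for one rule contract deployed in the interception rule library."""
    def __init__(self, pre_rules: List[PreRule], post_rules: List[PostRule]):
        self.pre_rules, self.post_rules = pre_rules, post_rules

    def judge_request(self, tx: Transaction, state: State) -> Optional[str]:
        """Rationality judgment: permission rules, then pre-execution result rules."""
        return next((r for r in (rule(tx, state) for rule in self.pre_rules) if r), None)

    def detect_result(self, tx: Transaction, before: State, after: State) -> Optional[str]:
        """Detection of the transaction result against the rules written in this contract."""
        return next((r for r in (rule(tx, before, after) for rule in self.post_rules) if r), None)

class ProtectedContract:
    """Constructed token ledger standing in for the protected contract. It checks nothing
    itself, so every safeguard it gets comes from the firewall's rule contract."""
    def __init__(self, balances: State):
        self.state: State = dict(balances)

    def execute(self, tx: Transaction) -> Dict[str, int]:
        to, amount = str(tx.params["to"]), int(tx.params["amount"])
        self.state[tx.sender] = self.state.get(tx.sender, 0) - amount
        self.state[to] = self.state.get(to, 0) + amount
        return {"sender_balance": self.state[tx.sender], "to_balance": self.state[to]}

class FirewallContract:
    """Contract protection agent: entry point of the rule library, connecting the selected
    rule contract with the protected contract. `rule` is the call state parameter."""
    def __init__(self, owner: str, protected: ProtectedContract, rule: RuleContract):
        self.owner, self.protected, self.rule = owner, protected, rule
        self.intercepted: List[Tuple[str, str, str]] = []   # (sender, stage, reason)

    def set_rule(self, caller: str, rule: RuleContract) -> None:
        """Switch rule contracts by modifying the call state parameter. The owner-only check
        is an assumption; the page does not say who may modify the parameter."""
        if caller != self.owner:
            raise PermissionError("only the firewall owner may change the rule contract")
        self.rule = rule

    def handle(self, tx: Transaction) -> Dict[str, object]:
        # Module 20: send the transaction information to the rule contract for judgment.
        reason = self.rule.judge_request(tx, self.protected.state)
        if reason:
            return self.intercept(tx, "request", reason)
        # Module 30: forward the transaction to the protected contract. Snapshot the state so
        # that a later interception leaves no trace, as an on-chain revert would.
        before = deepcopy(self.protected.state)
        result = self.protected.execute(tx)
        # Module 40: send the transaction result to the rule contract for detection.
        reason = self.rule.detect_result(tx, before, self.protected.state)
        if reason:
            self.protected.state = before
            return self.intercept(tx, "result", reason)
        return {"intercepted": False, "result": result}

    def intercept(self, tx: Transaction, stage: str, reason: str) -> Dict[str, object]:
        # Module 50: record the interception and return the interception result to the client.
        self.intercepted.append((tx.sender, stage, reason))
        return {"intercepted": True, "stage": stage, "reason": reason}

# Constructed rules; PERMITTED plays the role of the permission judgment's allow list.
PERMITTED = {"alice", "bob"}

def permission_rule(tx: Transaction, _state: State) -> Optional[str]:
    return None if tx.sender in PERMITTED else "initiator not permitted"

def pre_execution_rule(tx: Transaction, state: State) -> Optional[str]:
    # Pre-execute the transfer against the current state without applying it.
    return "insufficient balance" if state.get(tx.sender, 0) < int(tx.params["amount"]) else None

def supply_conserved_rule(_tx: Transaction, before: State, after: State) -> Optional[str]:
    return None if sum(before.values()) == sum(after.values()) else "total supply changed"

def recipient_cap_rule(cap: int) -> PostRule:
    def rule(tx: Transaction, _before: State, after: State) -> Optional[str]:
        return f"recipient balance exceeds cap {cap}" if after.get(str(tx.params["to"]), 0) > cap else None
    return rule

def build_demo() -> Tuple[FirewallContract, RuleContract, RuleContract]:
    """Module 10: deploy the protected contract, the first rule contract and the firewall; a
    second rule contract is deployed in the same library so the switch can be exercised."""
    protected = ProtectedContract({"alice": 1000, "bob": 0})
    rule1 = RuleContract([permission_rule, pre_execution_rule], [supply_conserved_rule])
    rule2 = RuleContract([permission_rule, pre_execution_rule], [supply_conserved_rule, recipient_cap_rule(500)])
    return FirewallContract("owner", protected, rule1), rule1, rule2
```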
作为本发明实施例的一种具体实施方式,该拦截装置还包括规则合约调用模块,用于:As a specific implementation of the embodiment of the present invention, the interception device also includes a rule contract calling module, which is used for:
在区块链上部署第二拦截规则库和第二防火墙合约;Deploy the second interception rule base and the second firewall contract on the blockchain;
销毁第一防火墙合约,通过第二防火墙合约调用第二拦截规则库中的规则合约,以第二拦截规则库中的规则合约对被保护合约进行保护。Destroy the first firewall contract, call the rule contract in the second interception rule base through the second firewall contract, and use the rule contract in the second interception rule base to protect the protected contract.
可选地,在实际应用场景中,不同的拦截规则库一般由不同的服务提供者维护。请参阅图4,当用户想要更换为被保护合约提供防护规则标准的拦截规则库时,本发明实施例通过更换防火墙代理合约实现。图4中已在区块链上部署了第一拦截规则库、第二拦截规则库、第一防火墙合约和被保护合约,此时被保护合约由第一防火墙合约提供防护服务,并且拦截规则由第一拦截规则库内的其中一个规则合约决定。在一种具体的实施方式中,拦截规则可以有多个规则合约决定。Optionally, in actual application scenarios, different interception rule bases are generally maintained by different service providers. Please refer to FIG. 4 , when the user wants to replace the interception rule library that provides protection rule standards for the protected contract, the embodiment of the present invention is implemented by replacing the firewall proxy contract. In Figure 4, the first interception rule base, the second interception rule base, the first firewall contract and the protected contract have been deployed on the blockchain. Determined by one of the rule contracts in the first interception rule base. In a specific implementation manner, the interception rule may be determined by multiple rule contracts.
可选地,当用户想要将拦截规则更换为第二拦截规则库内的某一个规则合约时,因为不同的拦截规则库提供的对外接口的类型或属性可能不一致,不能直接通过改变防火墙合约的调用状态参数来完成服务的更换。本发明实施例通过重新部署一个第二防火墙合约来调用第二拦截规则库里的规则合约,以实现拦截规则的更换。此时被保护合约不再需要第一拦截规则库来提供拦截规则服务,本发明实施例直接将第一防火墙合约销毁,以降低系统的内存空间以及提高系统的拦截效率。而第一规则合约则可以继续部署在区块链上等待被其它防火墙合约再次调用。在完成上述操作后,通过第二防火墙合约提供防护服务给被保护合约,并且拦截规则由第二拦截规则库内的其中一个规则合约决定。在一种具体的实施方式中,拦截规则可以有多个规则合约决定。Optionally, when the user wants to replace the interception rule with a certain rule contract in the second interception rule base, because the types or attributes of the external interfaces provided by different interception rule bases may be inconsistent, it cannot be directly changed by changing the firewall contract. Call the state parameter to complete the replacement of the service. In the embodiment of the present invention, a second firewall contract is redeployed to call the rule contract in the second interception rule base, so as to realize the replacement of the interception rule. At this time, the protected contract no longer needs the first interception rule base to provide the interception rule service, and the embodiment of the present invention directly destroys the first firewall contract, so as to reduce the memory space of the system and improve the interception efficiency of the system. The first rule contract can continue to be deployed on the blockchain and wait to be called again by other firewall contracts. After the above operations are completed, the protection service is provided to the protected contract through the second firewall contract, and the interception rule is determined by one of the rule contracts in the second interception rule base. In a specific implementation manner, the interception rule may be determined by multiple rule contracts.
本发明实施例中通过第一防火墙合约连接规则合约以及被保护合约,以第一防火墙合约作为防护提供者为被保护合约提供防护服务,当用户需要更换防护提供者时,销毁第一防火墙合约,并通过在区块链上部署第二防火墙合约,并以该第二防火墙合约调用第二拦截规则库中的规则合约,以第二拦截规则库中的规则合约对被保护合约进行保护,不仅能够快捷更换防护提供者,使得对被保护合约的保护服务更加全面以及更灵活,还能够有效降低智能合约的维护成本以及维护难度。In the embodiment of the present invention, the rule contract and the protected contract are connected through the first firewall contract, and the first firewall contract is used as the protection provider to provide protection services for the protected contract. When the user needs to change the protection provider, the first firewall contract is destroyed. And by deploying the second firewall contract on the block chain, and using the second firewall contract to call the rule contract in the second interception rule base, and protecting the protected contract with the rule contract in the second interception rule base, not only can Quickly replace the protection provider, making the protection service for the protected contract more comprehensive and flexible, and can effectively reduce the maintenance cost and difficulty of smart contracts.
作为本发明实施例的一种具体实施方式,防火墙合约、规则合约和被保护合约之间为多对多的关系。As a specific implementation manner of the embodiment of the present invention, there is a many-to-many relationship among the firewall contract, the rule contract and the protected contract.
示例性的,防火墙合约既可以只针对一个被保护合约进行保护,也可以同时保护多个被保护合约,同时防火墙合约也可以调用一个规则合约或同时调用多个规则合约,规则合约、防火墙合约和被保护合约之间可以是多对多的关系。本发明实施例中防火墙合约、规则合约和被保护合约之间的多对多关系,能够有效提高拦截的效率,以及提高智能合约部署维护升级困难的问题。Exemplarily, the firewall contract can protect only one protected contract, or protect multiple protected contracts at the same time. At the same time, the firewall contract can also call a rule contract or call multiple rule contracts at the same time. The rule contract, firewall contract and There can be a many-to-many relationship between protected contracts. The many-to-many relationship between the firewall contract, the rule contract and the protected contract in the embodiment of the present invention can effectively improve the efficiency of interception and improve the difficulty of smart contract deployment, maintenance and upgrade.
作为本发明实施例的一种具体实施方式,该拦截装置还包括模糊测试模块,用于:As a specific implementation of the embodiment of the present invention, the intercepting device also includes a fuzzing module for:
当被保护合约受到未知的新型攻击后,将被保护合约内的异常参数作为样本进行模糊测试,得到用于应对新型攻击的加固规则。When the protected contract is attacked by an unknown new type, the abnormal parameters in the protected contract are used as a sample for fuzzing to obtain reinforcement rules for dealing with the new type of attack.
在本发明实施例中,以受到攻击的被保护合约内的异常参数作为样本进行模糊测试,针对性的生成用于应对新型攻击的加固规则,能够有效提高该加固规则的有效性。In the embodiment of the present invention, the fuzzy test is carried out using the abnormal parameters in the protected contract under attack as a sample, and the hardening rules for dealing with new types of attacks are generated in a targeted manner, which can effectively improve the effectiveness of the hardening rules.
作为本发明实施例的一种具体实施方式,模糊测试模块具体用于:As a specific implementation of the embodiment of the present invention, the fuzzing test module is specifically used for:
在新型攻击发生后,确定导致被保护合约受到攻击时导致状态异常的异常参数,对异常参数进行随机变异处理后得到变异异常参数,对变异异常参数进行多次模糊测试得到加固规则。After the new type of attack occurs, determine the abnormal parameters that lead to the abnormal state when the protected contract is attacked, perform random mutation processing on the abnormal parameters to obtain the abnormal abnormal parameters, and perform multiple fuzzy tests on the abnormal abnormal parameters to obtain the reinforcement rules.
作为本发明实施例的一种具体实施方式,对异常参数进行随机变异处理后得到变异异常参数,对变异异常参数进行多次模糊测试得到加固规则,具体为:As a specific implementation of the embodiment of the present invention, the abnormal parameters are randomly mutated to obtain the abnormal parameters, and the abnormal parameters are subjected to multiple fuzzy tests to obtain the reinforcement rules, specifically:
将变异异常参数作为每一次模糊测试的输入项,将受到攻击的被保护合约作为每一次模糊测试的载体进行模糊测试,得到模糊测试的输出项为受到攻击的被保护合约的控制流;The abnormal parameters of mutation are used as the input items of each fuzz test, and the protected contract under attack is used as the carrier of each fuzz test for fuzz testing, and the output item of the fuzz test is the control flow of the protected contract under attack;
在多次模糊测试后得多组变异异常参数和控制流的输入输出对,通过对输入输出对进行频繁项挖掘,筛选出输入输出对的高频代码块,通过对高频代码块进行分析得到用于应对新型攻击的加固规则。After multiple fuzz tests, there are many sets of abnormal parameters of mutation and input-output pairs of control flow. By mining the frequent items of the input-output pairs, the high-frequency code blocks of the input-output pairs are screened out, and the high-frequency code blocks are obtained by analyzing the high-frequency code blocks. Hardening rules for new types of attacks.
示例性的,在本发明实施例中,变异为:以原参数为基础,用特定的方法生成新的参数的过程。参数变异方法包括随机数的加减与替换、按位或随机翻转、异或和取反,敏感边界值替换等方法。数据流为:智能合约运行过程中从开始到结束所运行过的代码,即代码程序的运行路径。请参阅图6,若参数i为0,则该代码程序的运行路径为A->B->D,其数据流即为该路径途中所运行的代码。模糊测试为:一种通过向目标系统提供非预期输出并监控异常结果来发现软件漏洞的方法。一次模糊测试主要过程如下:首先是对触发智能合约异常状态的交易或调用参数进行随机变异,然后将这些变异后的参数重新作为输入参数来调用原来受到攻击的智能合约,在合约运行的过程中将所运行的代码记录下来作为数据流输出。Exemplarily, in the embodiment of the present invention, variation refers to a process of generating new parameters based on the original parameters using a specific method. Parameter mutation methods include addition, subtraction and replacement of random numbers, bitwise or random flip, XOR and inversion, sensitive boundary value replacement and other methods. The data flow is: the code that has been run from the beginning to the end during the operation of the smart contract, that is, the running path of the code program. Please refer to Figure 6, if the parameter i is 0, the running path of the code program is A->B->D, and its data flow is the code running on the way. Fuzz testing is: A method of discovering software vulnerabilities by providing unexpected output to the target system and monitoring abnormal results. The main process of a fuzz test is as follows: First, randomly mutate the transaction or call parameters that trigger the abnormal state of the smart contract, and then use these mutated parameters as input parameters to call the smart contract that was originally attacked. Record the code that is run as a stream output.
本发明实施例中的频繁项挖掘为实质上是一个建立从调用参数到代码块的映射的过程。本发明实施例通过模糊测试能够得到多组变异交易参数和代码控制流的输入输出对,然后通过观察同一个交易参数在不同变异结果情况下所对应的各组代码控制流内相同代码语句,建立频繁项集,从而确定交易参数与代码块的映射。示例性的,本发明实施例进行频繁项挖掘使用的算法是Apriori算法,Apriori算法是一种基于关联规则挖掘的算法,目的是找出事物之间存在的隐藏关系,在Apriori算法中用支持度作为本发明实施例判断频繁项集的标准。Apriori算法的目标是找到最大的K项频繁集。本发明实施例中关联规则形如X→Y的蕴涵式,其中,X和Y分别称为关联规则的先导(antecedent或left-hand-side,LHS)和后继(consequent或right-hand-side,RHS)。关联规则XY存在支持度和信任度。支持度为规则前项LHS和规则后项RHS所包括的商品都同时出现的概率,可以理解为LHS和RHS商品的交易次数/总交易次数。本发明实施例中频繁项集产生,其目标是发现满足最小支持度阈值的所有项集,这些项集称作频繁项集(frequent itemset)。Mining frequent items in the embodiment of the present invention is essentially a process of establishing a mapping from call parameters to code blocks. The embodiment of the present invention can obtain input and output pairs of multiple sets of mutated transaction parameters and code control flow through fuzzy testing, and then establishes Frequent itemsets to determine the mapping between transaction parameters and code blocks. Exemplarily, the algorithm used for mining frequent items in the embodiment of the present invention is the Apriori algorithm. The Apriori algorithm is an algorithm based on association rule mining. As a criterion for judging frequent itemsets in the embodiment of the present invention. The goal of the Apriori algorithm is to find the largest frequent set of K items. In the embodiment of the present invention, the association rule is in the form of an implication of X→Y, wherein X and Y are respectively called the antecedent (or left-hand-side, LHS) and the successor (consequent or right-hand-side, LHS) of the association rule. RHS). Association rule XY has support and trust. The support degree is the probability that the commodities included in the LHS in the former item of the rule and the RHS in the latter item of the rule appear at the same time, which can be understood as the number of transactions of LHS and RHS commodities/the total number of transactions. 
In the embodiment of the present invention, the frequent itemsets are generated, and its goal is to find all itemsets that meet the minimum support threshold, and these itemsets are called frequent itemsets (frequent itemsets).
In a specific implementation, the algorithm steps used for frequent item mining in the embodiment are:
Input: data set D, support threshold α;
Output: the largest frequent k-itemset;
S10. Scan the entire data set and take every item that has appeared as the candidate frequent 1-itemsets, with k=1 and the frequent 0-itemset being the empty set;
S20. Mine the frequent k-itemsets:
a. Scan the data and compute the support of each candidate frequent k-itemset;
b. Remove from the candidate frequent k-itemsets those whose support is below the threshold, giving the frequent k-itemsets; if the resulting set of frequent k-itemsets is empty, return the set of frequent (k-1)-itemsets as the result and the algorithm ends; if only one frequent k-itemset results, return the set of frequent k-itemsets as the result and the algorithm ends;
c. Based on the frequent k-itemsets, generate the candidate frequent (k+1)-itemsets.
S30. Set k=k+1 and jump to S20.
In a specific implementation, the input-output pairs obtained through fuzz testing in the embodiment include the following three: {A,{a,b}}, {B,{b,c}}, {C,{b}}, where A, B and C are three different new input parameter values produced by random mutation of the same transaction parameter W, and a, b and c are three code statements in the attacked smart contract. Observation shows that code statement b runs regardless of whether W becomes A, B or C, so an itemset {W,b} is obtained: when parameter W changes, statement b runs at the same time with a certain probability, so there is some probability of a relationship between W and b. When the embodiment changes parameter W many times and statement b runs with a high probability, the embodiment builds the frequent itemset {W,b} through the Apriori algorithm and computes its support; as long as the support of this set is greater than a moderate input threshold α and not greater than a larger threshold β, the embodiment considers that the mutations of parameter W have a direct influence on whether b runs.
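As an added example (not code from the patent), the following Python sketch runs steps S10-S30 over the three constructed input-output pairs above, treating each fuzz observation as one transaction that contains the mutated parameter name W plus the statements that executed; the α/β filter on {W, statement} pairs is the screening described in the preceding paragraph. The record layout and the helper names are assumptions.

```python
from itertools import combinations

# Constructed fuzz-test observations mirroring the patent's example:
# (mutated value of transaction parameter W, code statements that ran).
FUZZ_RESULTS = [
    ("A", {"a", "b"}),
    ("B", {"b", "c"}),
    ("C", {"b"}),
]

def transactions(results, param="W"):
    """One itemset per observation: the parameter name plus executed statements."""
    return [frozenset({param, *stmts}) for _, stmts in results]

def support(itemset, txns):
    """Fraction of transactions that contain every item of the itemset."""
    return sum(1 for t in txns if itemset <= t) / len(txns)

def apriori(txns, alpha):
    """Steps S10-S30: returns the largest non-empty level of frequent itemsets."""
    candidates = {frozenset({i}) for t in txns for i in t}   # S10: k = 1
    frequent_prev = set()                                     # frequent 0-itemset
    while candidates:                                         # S20
        frequent = {c for c in candidates if support(c, txns) >= alpha}  # a, b
        if not frequent:
            return frequent_prev                              # fall back to k-1
        if len(frequent) == 1:
            return frequent                                   # single k-itemset
        k = len(next(iter(frequent)))
        items = sorted(set().union(*frequent))
        # c: candidate (k+1)-itemsets whose every k-subset is frequent
        candidates = {frozenset(c) for c in combinations(items, k + 1)
                      if all(frozenset(s) in frequent for s in combinations(c, k))}
        frequent_prev = frequent                              # S30: k = k + 1

    return frequent_prev

def suspicious_statements(results, alpha, beta, param="W"):
    """Statements s whose pair {W, s} has alpha < support <= beta."""
    txns = transactions(results, param)
    flagged = {}
    for s in set().union(*(stmts for _, stmts in results)):
        sup = support(frozenset({param, s}), txns)
        if alpha < sup <= beta:
            flagged[s] = sup
    return flagged

if __name__ == "__main__":
    print(apriori(transactions(FUZZ_RESULTS), 0.5))           # {W, b}
    print(suspicious_statements(FUZZ_RESULTS, 0.5, 1.0))      # {'b': 1.0}
```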
In the embodiment, after the protected contract suffers a new type of attack, the abnormal parameters inside the attacked protected contract are used as samples for fuzz testing to obtain input-output pairs, and frequent item mining screens out the high-frequency code blocks among those pairs, that is, the suspicious code that produces the abnormal state. Analysing this suspicious code makes it possible to obtain reinforcement rules targeted at the new attack, thereby effectively strengthening the protection of the protected contract.
Implementing the embodiment of the present invention has the following beneficial effects:
The embodiment monitors every transaction of the protected contract in real time by establishing a firewall contract and an interception rule library on the blockchain; once a malicious transaction against the protected contract is found, the firewall contract can intercept it in time, so losses caused by malicious transactions are effectively avoided. The embodiment protects the protected contract by separating the firewall contract from the interception rules: when a user wants to change the protection rules or the service provider, it is enough to change the call parameters of the firewall contract or to replace it with a new firewall contract, which not only makes the protection service for the protected contract more comprehensive and flexible but also effectively reduces the maintenance cost and difficulty of the smart contract. The embodiment uses the abnormal parameters inside the attacked protected contract as samples for fuzz testing and generates targeted reinforcement rules against the new attack, which effectively improves the effectiveness of those rules.
A further embodiment of the present invention provides a computer-readable storage medium that stores a computer program; when the computer program runs, it controls the device on which the storage medium resides to execute the smart contract interception method based on the smart contract firewall framework described above.
The foregoing is a preferred embodiment of the present invention. It should be noted that persons of ordinary skill in the art can make several improvements and refinements without departing from the principle of the present invention, and these improvements and refinements are also regarded as falling within the protection scope of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110740050.3A CN113595986B (en) | 2021-06-30 | 2021-06-30 | A smart contract interception method and device based on a smart contract firewall framework |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110740050.3A CN113595986B (en) | 2021-06-30 | 2021-06-30 | A smart contract interception method and device based on a smart contract firewall framework |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113595986A CN113595986A (en) | 2021-11-02 |
CN113595986B true CN113595986B (en) | 2023-02-21 |
Family
ID=78245392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110740050.3A Active CN113595986B (en) | 2021-06-30 | 2021-06-30 | A smart contract interception method and device based on a smart contract firewall framework |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113595986B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115865514B (en) * | 2022-12-23 | 2023-06-27 | 深圳市拓普泰克技术股份有限公司 | Intelligent contract firewall protection method and device based on blockchain |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020113139A1 (en) * | 2018-11-28 | 2020-06-04 | Dan Kikinis | System and method for security gateway for high security blockchain systems |
CN110619523B (en) * | 2019-09-26 | 2023-02-14 | 成都链安科技有限公司 | Block chain intelligent contract firewall protection method and system |
CN112202704A (en) * | 2020-04-10 | 2021-01-08 | 厦门慢雾科技有限公司 | Block chain intelligent contract safety protection system |
CN111654494B (en) * | 2020-06-02 | 2022-06-07 | 广州大学 | Proxy firewall protection method and system for intelligent contract |
- 2021-06-30 CN CN202110740050.3A patent/CN113595986B/en Active
Also Published As
Publication number | Publication date |
---|---|
CN113595986A (en) | 2021-11-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |