Time-Travel Investigation: Toward Building a Scalable Attack Detection Framework on Ethereum

Siwei WU; Lei WU; Yajin ZHOU; Runhuai LI; Zhi WANG; Xiapu LUO; Cong WANG; Kui REN

doi:10.1145/3505263

Time-Travel Investigation: Toward Building a Scalable Attack Detection Framework on Ethereum

Siwei WU, Lei WU, Yajin ZHOU^*, Runhuai LI, Zhi WANG, Xiapu LUO, Cong WANG, Kui REN

^*Corresponding author for this work

Department of Computer Science

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

23 Citations (Scopus)

Abstract

Ethereum has been attracting lots of attacks, hence there is a pressing need to perform timely investigation and detect more attack instances. However, existing systems suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage.
In this article, we propose a scalable attack detection framework named EthScope, which overcomes the scalability issue by neatly re-organizing the Ethereum state and efficiently locating suspicious transactions. It leverages the fine-grained state to support the replay of arbitrary transactions and proposes a well-designed schema to optimize the storage consumption. The performance evaluation shows that EthScope can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around 2,300× when replaying transactions. It also has lower storage consumption compared with existing systems. Further analysis shows that EthScope can help analysts understand attack behaviors and detect more attack instances.

Original language	English
Article number	54
Number of pages	33
Journal	ACM Transactions on Software Engineering and Methodology
Volume	31
Issue number	3
Online published	Apr 2022
DOIs	https://doi.org/10.1145/3505263
Publication status	Published - Jul 2022

Bibliographical note

Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

Funding

This work is partially supported by the National Natural Science Foundation of China under Grant No. 62172360, Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (Grant No. 2018R01005), the Fundamental Research Funds for the Central Universities (Grant No. 2021FZZX001-26), Research Grants Council of Hong Kong under Grants No. CityU 11217819, No. CityU 11217620, No. R6021-20F, Research Grants Council of the Hong Kong Special Administrative Region under Gants No. PolyU15222320 and No. PolyU15219319.

Research Keywords

attack detection
Ethereum
vulnerability

RGC Funding Information

RGC-funded

Access Output

10.1145/3505263

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{c334d7fa00f6482cb363556319042ba2,

title = "Time-Travel Investigation: Toward Building a Scalable Attack Detection Framework on Ethereum",

abstract = "Ethereum has been attracting lots of attacks, hence there is a pressing need to perform timely investigation and detect more attack instances. However, existing systems suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage. In this article, we propose a scalable attack detection framework named EthScope, which overcomes the scalability issue by neatly re-organizing the Ethereum state and efficiently locating suspicious transactions. It leverages the fine-grained state to support the replay of arbitrary transactions and proposes a well-designed schema to optimize the storage consumption. The performance evaluation shows that EthScope can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around 2,300× when replaying transactions. It also has lower storage consumption compared with existing systems. Further analysis shows that EthScope can help analysts understand attack behaviors and detect more attack instances.",

keywords = "attack detection, Ethereum, vulnerability",

author = "Siwei WU and Lei WU and Yajin ZHOU and Runhuai LI and Zhi WANG and Xiapu LUO and Cong WANG and Kui REN",

note = "Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).",

year = "2022",

month = jul,

doi = "10.1145/3505263",

language = "English",

volume = "31",

journal = "ACM Transactions on Software Engineering and Methodology",

issn = "1049-331X",

publisher = "Association for Computing Machinery",

number = "3",

}

TY - JOUR

T1 - Time-Travel Investigation

T2 - Toward Building a Scalable Attack Detection Framework on Ethereum

AU - WU, Siwei

AU - WU, Lei

AU - ZHOU, Yajin

AU - LI, Runhuai

AU - WANG, Zhi

AU - LUO, Xiapu

AU - WANG, Cong

AU - REN, Kui

N1 - Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

PY - 2022/7

Y1 - 2022/7

N2 - Ethereum has been attracting lots of attacks, hence there is a pressing need to perform timely investigation and detect more attack instances. However, existing systems suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage. In this article, we propose a scalable attack detection framework named EthScope, which overcomes the scalability issue by neatly re-organizing the Ethereum state and efficiently locating suspicious transactions. It leverages the fine-grained state to support the replay of arbitrary transactions and proposes a well-designed schema to optimize the storage consumption. The performance evaluation shows that EthScope can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around 2,300× when replaying transactions. It also has lower storage consumption compared with existing systems. Further analysis shows that EthScope can help analysts understand attack behaviors and detect more attack instances.

AB - Ethereum has been attracting lots of attacks, hence there is a pressing need to perform timely investigation and detect more attack instances. However, existing systems suffer from the scalability issue due to the following reasons. First, the tight coupling between malicious contract detection and blockchain data importing makes them infeasible to repeatedly detect different attacks. Second, the coarse-grained archive data makes them inefficient to replay transactions. Third, the separation between malicious contract detection and runtime state recovery consumes lots of storage. In this article, we propose a scalable attack detection framework named EthScope, which overcomes the scalability issue by neatly re-organizing the Ethereum state and efficiently locating suspicious transactions. It leverages the fine-grained state to support the replay of arbitrary transactions and proposes a well-designed schema to optimize the storage consumption. The performance evaluation shows that EthScope can solve the scalability issue, i.e., efficiently performing a large-scale analysis on billions of transactions, and a speedup of around 2,300× when replaying transactions. It also has lower storage consumption compared with existing systems. Further analysis shows that EthScope can help analysts understand attack behaviors and detect more attack instances.

KW - attack detection

KW - Ethereum

KW - vulnerability

UR - http://www.scopus.com/inward/record.url?scp=85130705437&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85130705437&origin=recordpage

U2 - 10.1145/3505263

DO - 10.1145/3505263

M3 - RGC 21 - Publication in refereed journal

SN - 1049-331X

VL - 31

JO - ACM Transactions on Software Engineering and Methodology

JF - ACM Transactions on Software Engineering and Methodology

IS - 3

M1 - 54

ER -

Time-Travel Investigation: Toward Building a Scalable Attack Detection Framework on Ethereum

Abstract

Bibliographical note

Funding

Research Keywords

RGC Funding Information

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

RIF-ExtU-Lead: Enabling Secure and Efficient Cross-Silo Federated Learning at Scale

GRF: Towards Full Accounting for Leakage Exploitation and Mitigation in Encrypted Databases

GRF: Towards Secure and Privacy-assured Truth Discovery from the Crowd

Cite this

Time-Travel Investigation: Toward Building a Scalable Attack Detection Framework on Ethereum

Abstract

Bibliographical note

Funding

Research Keywords

RGC Funding Information

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Projects

RIF-ExtU-Lead: Enabling Secure and Efficient Cross-Silo Federated Learning at Scale

GRF: Towards Full Accounting for Leakage Exploitation and Mitigation in Encrypted Databases

GRF: Towards Secure and Privacy-assured Truth Discovery from the Crowd

Cite this