| With the frequent occurrence of blockchain security incidents in recent years,the security situation of the blockchain network is becoming more and more severe,and the demand for effective blockchain traffic measurement and analysis methods is becoming more and more urgent.Compared with Bitcoin,Ethereum's support for smart contracts enables Ethereum to support the deployment of DApps more effectively,resulting in a higher research value for Ethereum network traffic.The identification of Ethereum network traffic and the classification of Ethereum behavior traffic can effectively provide support for Ethereum network security supervision and have guiding significance for the measurement and analysis of blockchain network traffic.Unlike the unencrypted transmission protocol of Bitcoin,Ethereum encrypts the transmission content using the private RLPx protocol during data transmission.Existing researchers have ignored the mining of Ethereum traffic features,and the industry lacks a fast and accurate method for identifying Ethereum traffic.Additionally,multiple Ethereum behavior data are transmitted through a single TCP connection,Ethereum behavior data are packaged uniformly into RLPX frames and encrypted before transmission,resulting in a single Ethereum TCP flow may containing multiple encrypted behavior traffic.Existing research lacks an effective behavior traffic segmentation method for Ethereum.Moreover,the Get-type traffic is highly similar due to the consistency of behavior data structures,which makes it difficult to realize the refined classification of Ethereum behavioral traffic.Above all,based on the "small world" characteristic of Ethereum and the “Burst”characteristic of behavior traffic,designed and realized an Ethereum traffic identification and Ethereum behavior traffic classification method,mainly includes the following three research contents:1.Proposed an Ethereum traffic identification method based on the active node library.Based on the unique "small world" feature of Ethereum,designed an active node library to record the information of active Ethereum nodes in the supervision area,and screen out potential Ethereum traffic through the active node library.For potential Ethereum traffic,the corresponding traffic features are respectively extracted from UDP traffic and TCP Traffic,using the machine learning method to realize the identification of the Ethereum traffic.The active node library is dynamically updated with the identification results.The experimental results show that the method proposed can achieve high identification accuracy while ensuring the efficiency of identification.2.Proposed an Ethereum behavior traffic classification method based on Burst.Firstly,locate the starting position of each behavior traffic from each RLPx frame header packet,then determine the behavior traffic range through the behavior burst length,finally,realize the segmentation of the Ethereum behavior traffic.For the similarity between the Get-type traffic,choose to merge Get-type traffic and use machine learning methods for rough classification.The exact type of Get-type traffic was classified by the methods of behavior reordering,elimination of Get-type traffic without returned data,and serialization inverse derivation.Experimental results show that the method proposed can accurately segment Ethereum behavior traffic and greatly improve the effect of Ethereum behavioral traffic classification.3.Designed and implemented a prototype system for blockchain network security traffic measurement and analysis.The system design includes Ethereum traffic identification model construction,Ethereum behavior traffic segmentation,Ethereum behavioral traffic classification,and user interface display.The prototype system can display the results of designed methods in the graphical interface. |
PDF Full Text Request