CN-122027114-A - Intelligent contract attack link tracking system and method based on transaction map

Abstract

The application discloses an intelligent contract attack link tracking system and method based on transaction atlas, belonging to the block chain field, the technical proposal is characterized by comprising a transaction data collection module, an atlas construction module, a pattern recognition module and a path analysis module, the method and the system realize effective identification and tracking of complex attack paths, construct a call relation graph between transactions in real time, identify suspicious attack path modes, track attack sources and predict possible attack paths, and provide decision support effect for intelligent contract security protection.

Inventors

• FENG CHANGSHENG
• WANG CHENYU
• CHEN ZHIWEI

Assignees

• 厦门慢雾科技有限公司

Dates

Publication Date

20260512

Application Date

20260209

Claims (9)

1. 1. An intelligent contract attack link tracking system based on a transaction map, comprising: The transaction data collection module is used for deploying a multi-chain data collection interface and a data analyzer, wherein the multi-chain data collection interface supports breakpoint continuous transmission and data verification through WebSocket long connection, RPC polling or P2P network monitoring; the map construction module comprises a map data model design unit, a map construction engine and a map query interface; the map data model design unit defines three types of nodes and three types of edges, the map construction engine adopts an incremental updating mechanism to convert standardized transaction data into a map structure in real time, processes block chain bifurcation and reorganization and maintains map time sequence; The system comprises a pattern recognition module, a built-in attack pattern feature library, a pattern matching engine and a risk assessment system, wherein the attack pattern feature library defines topological features, time sequence features and numerical features of attacks through a custom description language, the pattern matching engine adopts an improved subgraph isomorphic algorithm and an approximate matching algorithm to detect suspicious paths matched with the attack patterns in a map, and the risk assessment system calculates path risks according to a formula, and divides high (more than or equal to 80%), medium (50% -79%) and low (less than 50%) risk grades into the following formulas: Risk score = w 1 x amount of funds + w 2 x path complexity + w 3 x time compactness + w 4 x address similarity, Wherein w 1 -w 4 is a weight coefficient; The path analysis module comprises a path analysis engine, an analysis algorithm library and a report generation system, wherein the path analysis engine tracks an attack source through fund flow backtracking and address association analysis, predicts potential attack paths based on a history mode and graph structure reasoning, the analysis algorithm library comprises algorithms such as shortest paths, community discovery, a graph neural network and the like, supports multidimensional path analysis, and the report generation system generates a traceable report comprising attack link visualization, risk level and protection suggestion.
2. 2. The intelligent contract attack link tracking system based on the transaction map is characterized in that a multi-chain data acquisition interface of the transaction data collection module supports parallel acquisition of main stream block chain networks such as Ethernet, coin-in intelligent chains and Polygon, data verification adopts SHA256 hash comparison and transaction state filtering to ensure the integrity of acquired data, and the data analyzer transfers data to ERC20/NFT, decodes token symbols and transfer amounts through contract ABI, extracts key event parameters from event logs and standardizes the key event parameters into unified fields.
3. 3. The intelligent contract attack link tracking system based on the transaction pattern is characterized in that a pattern construction engine of the pattern construction module adopts a real-time increment updating and timing full-quantity checking mechanism, corresponding nodes and edges are immediately created or updated after standardized transaction data are received in real time, full-quantity checking is carried out on pattern data and block chain link point data in the past 24 hours per hour, pattern deviation caused by bifurcation is corrected, an LRU cache is further built in the pattern construction engine, high-frequency access nodes are cached, and the response time of pattern query is shortened to be within 1 second.
4. 4. The intelligent contract attack link tracking system based on the transaction atlas is characterized in that an attack pattern feature library of the pattern recognition module comprises typical attack patterns including re-entry attack, lightning credit attack and permission override, the improved subgraph isomorphism algorithm is optimized through three steps of topology screening, attribute matching and time sequence checking, subgraphs conforming to an attack pattern topological structure are screened firstly, then node or edge attributes are matched, finally whether transaction time sequences conform to attack sequences is checked, and the matching efficiency is improved by 200% compared with that of a traditional algorithm.
5. 5. The intelligent contract attack link tracking system based on the transaction map is characterized in that when a path analysis engine of the path analysis module backtracks an attack source, reverse depth-first search is adopted, fund flow tracking is combined, an attack initiating address is positioned, when a potential attack path is predicted, risk prediction is carried out on a contract call chain of an untriggered attack based on historical attack path characteristics learned by a graph neural network, and the prediction accuracy is more than or equal to 85%.
6. 6. An intelligent contract attack link tracking method based on a transaction map is characterized by comprising the following steps: s1, transaction data collection, wherein a multi-chain data acquisition interface subscribes blockchain transactions in real time, and a data analyzer extracts and standardizes transaction information and stores the transaction information into a distributed database; s2, constructing a transaction map, converting standardized data into a directed map containing nodes and edges by a map construction engine, updating the map in an increment mode and maintaining time sequence; S3, identifying an attack mode, loading an attack mode feature library, adopting an improved subgraph isomorphic algorithm to match suspicious paths, and calculating a risk level according to a risk formula; S4, analyzing an attack path, backtracking an attack source for the high-risk path, predicting a potential path by adopting a graph algorithm, and generating a visual traceability report; And S5, updating the atlas and the feature library, checking the consistency of the atlas at regular time, and updating the attack pattern feature library according to new attack cases.
7. 7. The intelligent contract attack link tracking method based on transaction atlas according to claim 6, characterized in that the specific procedure of atlas construction in step S2 includes: s21, creating nodes, namely creating transaction nodes for each transaction, creating address nodes for addresses related to the transaction, and creating contract nodes for called contracts; s22, creating an edge, namely creating a call relation edge between a transaction node and a contract node if the transaction calls the contract, creating a fund circulation edge between an address node and the address node if the transaction involves fund transfer, and creating a creation relation edge between the transaction node and the contract node if the transaction creates the contract; And S23, map updating, namely triggering increment updating once every 100 transactions are received, synchronizing node or edge attributes, performing full verification every hour, and correcting error association caused by bifurcation.
8. 8. The intelligent contract attack link tracking method based on transaction atlas according to claim 6, the risk score calculation process in step S3 includes: S31, weight setting, wherein the weight is adjusted according to the service scene, and w 1 =0.3、w 2 =0.3、w 3 =0.2、w 4 =0.2 is defaulted; S32, calculating indexes, namely taking a logarithmic value of total transfer amount in a path by funds, taking the branch number of a calling chain by path complexity, taking the reciprocal of adjacent transaction intervals in the path by time compactness, and taking the common transaction frequency duty ratio of addresses in the path by address similarity; And S33, calculating the score, weighting and summing according to a formula to obtain a risk score, and if the score is more than or equal to 80%, judging that the risk is high, and triggering path analysis.
9. 9. The method for intelligent contract attack link tracking based on transaction patterns according to claim 6, wherein the specific process of path analysis in step S4 includes: s41, backtracking the source, namely, tracking to an initial initiated transaction and an address by adopting a reverse depth-first search to traverse a call chain of a high-risk path, and confirming an attack source by combining a fund flow direction; S42, predicting potential paths, namely predicting contract call chains which do not trigger attacks in the map through a graph neural network, and outputting potential paths of risk Top 5; and S43, generating a report, visually displaying an attack link, marking an attack source, a key contract and a fund flow direction, and providing protection suggestions such as contract authority reinforcement, abnormal transaction monitoring and the like.

Description

Intelligent contract attack link tracking system and method based on transaction map Technical Field The application relates to the field of blockchains, in particular to an intelligent contract attack link tracking system and method based on a transaction map. Background With the development of blockchain technology, smart contracts have become an important carrier for processing digital assets. An intelligent contract is a program running on a blockchain that can accept user initiated transactions and execute corresponding business logic. However, since smart contracts typically involve large amounts of funds, security issues are increasingly prominent. Hackers typically implement attacks by constructing complex transaction call chains, which often involve interactions between multiple smart contracts, forming complex attack paths. Traditional intelligent contract security analysis methods mainly comprise static analysis and dynamic analysis. Static analysis discovers potential vulnerabilities by scanning intelligent contract code, while dynamic analysis discovers anomalies by monitoring behavior of contracts while they are running. For example, a method for detecting a vulnerability of a HyperledgerFabric chain code by combining dynamic and static states is proposed in chinese patent CN115618351a, which combines static detection and dynamic detection to detect a known vulnerability type of an intelligent contract. According to the method, the chain codes are formatted, static detection and dynamic detection are carried out, and finally, a detection report is generated, wherein the detection of the detection report depends on a preset corpus, and the detection report is mainly analyzed aiming at a single intelligent contract, so that attack paths related to interaction of a plurality of contracts cannot be effectively identified and tracked. In view of this, the present inventors devised an intelligent contract attack link tracking system and method based on transaction patterns. Disclosure of Invention Aiming at the defects existing in the prior art, the invention aims to provide an intelligent contract attack link tracking system and method based on a transaction map, which have the advantages that by constructing and analyzing the transaction call relationship map, the method has the advantages of effectively identifying and tracking complex attack paths, constructing a calling relation map between transactions in real time, identifying suspicious attack path modes, tracking attack sources and predicting possible attack paths, and providing decision support for intelligent contract security protection. In order to achieve the above purpose, the invention provides a transaction map-based intelligent contract attack link tracking system, which comprises: The transaction data collection module is used for deploying a multi-chain data collection interface and a data analyzer, wherein the multi-chain data collection interface supports breakpoint continuous transmission and data verification through WebSocket long connection, RPC polling or P2P network monitoring; the map construction module comprises a map data model design unit, a map construction engine and a map query interface; the map data model design unit defines three types of nodes and three types of edges, the map construction engine adopts an incremental updating mechanism to convert standardized transaction data into a map structure in real time, processes block chain bifurcation and reorganization and maintains map time sequence; The system comprises a pattern recognition module, a built-in attack pattern feature library, a pattern matching engine and a risk assessment system, wherein the attack pattern feature library defines topological features, time sequence features and numerical features of attacks through a custom description language, the pattern matching engine adopts an improved subgraph isomorphic algorithm and an approximate matching algorithm to detect suspicious paths matched with the attack patterns in a map, and the risk assessment system calculates path risks according to a formula, and divides high (more than or equal to 80%), medium (50% -79%) and low (less than 50%) risk grades into the following formulas: Risk score = w 1 x amount of funds + w 2 x path complexity + w 3 x time compactness + w 4 x address similarity, Wherein w 1、w2、w3、w4 is a weight coefficient; The path analysis module comprises a path analysis engine, an analysis algorithm library and a report generation system, wherein the path analysis engine tracks an attack source through fund flow backtracking and address association analysis, predicts potential attack paths based on a history mode and graph structure reasoning, the analysis algorithm library comprises algorithms such as shortest paths, community discovery, a graph neural network and the like, supports multidimensional path analysis, and the report generation system generates a traceable report compris