CN116781332A - Block chain-based network flow evidence obtaining and tracing method and system - Google Patents


Info

Publication number
CN116781332A
Authority
CN
China
Prior art keywords
network
chain
blockchain
data
tracing
Prior art date
Legal status
Pending
Application number
CN202310662506.8A
Other languages
Chinese (zh)
Inventor
刘敖迪
杜学绘
王娜
吕震昊
杨昕越
于建骁
李连成
吴翔宇
杨钱涛
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202310662506.8A
Publication of CN116781332A
Legal status: Pending


Classifications

    • H: Electricity / H04: Electric communication technique / H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees
    • H04L 63/1425: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L 9/3239: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), using non-keyed cryptographic hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L 9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L 9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of network information security, in particular to a blockchain-based network traffic forensics and tracing method and system. The detection result describing a flow (its statistical features, behavioural features, identification features and whether the traffic is malicious) is taken as the flow's source data, stored in an off-chain database, and assigned an on-chain index code. An evidence record is generated from the on-chain index code and the flow's descriptive features and deployed to the blockchain in hashed form (the patent calls this "encryption"; SM3 is a hash function, so what goes on chain is a digest, not a ciphertext). On a forensics and tracing request for malicious traffic, the identification features of the target node are obtained, the corresponding on-chain index code is looked up in the blockchain, and that index code is used to query the flow's source data in the off-chain database, which yields the forensic information for the malicious traffic. Building on the blockchain, the invention provides decentralised, secure and tamper-resistant tracing of traffic attacks and sharing of detection results.

Description

Block chain-based network flow evidence obtaining and tracing method and system
Technical Field
The invention relates to the field of network information security, in particular to a blockchain-based network traffic forensics and tracing method and system.
Background
With the rapid development of the Internet, network security problems keep changing. Network traffic attacks have become more complex and diverse, from traditional viruses and Trojans to newer methods such as ransomware, phishing sites and online fraud, which greatly increases the difficulty of network defence and degrades the security environment. The growing frequency and scale of attacks seriously threaten personal information and the normal operation of network services and cause direct and indirect economic loss. Countering these attacks effectively requires attack tracing to identify the attacker so that appropriate measures can be taken. However, the anonymity and concealment available to attackers make modern attacks increasingly hard to trace; covert and advanced techniques such as vulnerability exploitation and botnets often let an attacker evade attribution. Attack tracing has therefore become one of the hard problems in network security.
Network traffic forensics is an important post-incident accountability measure: by analysing captured traffic and producing electronic evidence, it helps law enforcement crack down on cybercrime and maintain network order. Network traffic tracing finds the source of an attack by reconstructing the attack path, which exposes the attacker and thereby better protects the network; it can determine the attacker's location and identity, block the attack and contain criminal activity at its root. Combining traffic forensics with traffic tracing helps security staff locate the real attack source, understand the attacker's methods and path, and provides strong support for network security.
Existing tracing techniques generally do not consider forensic requirements, so much valuable data gathered during tracing cannot serve as admissible electronic evidence in litigation, which limits their use for forensics. Security risks during forensics and tracing also restrict the sharing of detection results: the evidence data contains sensitive information such as source and destination IP addresses and port numbers, and its leakage would significantly harm the network security environment. Ensuring the confidentiality and integrity of shared data while still sharing it is therefore an important problem. Moreover, existing methods usually keep evidence data at a single trusted third-party node. Evidence data comes from many sources and has varied structure; cross-organisation, cross-system forensics is constrained by laws and regulations, business confidentiality and security concerns and requires approval and data verification across multiple organisations, departments, systems and people, which makes it very difficult and leads to slow response, easily tampered evidence data and insecure data transmission.
Disclosure of Invention
Therefore, the invention provides a blockchain-based network traffic forensics and tracing method and system that address the difficulty of performing forensics and tracing on traffic detection results, of storing them securely, and of depending on a central organisation for data reliability, and that provide decentralised, secure and tamper-resistant tracing of traffic attacks and sharing of detection results.
According to the design of the invention, the blockchain-based network traffic forensics and tracing method comprises the following steps:
taking the traffic's statistical features, behavioural features, identification features and the detection result of whether the traffic is malicious as the flow's source data, storing that source data in an off-chain database and generating an on-chain index code, where the identification features comprise a timestamp, a port number and the source and destination IP addresses;
generating an evidence record from the on-chain index code and the flow's descriptive features, and deploying the record to the blockchain in hashed form via the on-chain storage logic predefined in a smart contract, so that the record is stored on chain;
obtaining the identification features of the target node of the malicious traffic from a forensics and tracing request, and obtaining the on-chain index code corresponding to those features by calling the tracing query logic predefined in the smart contract, where the request comprises an attack tracing chain derived from the malicious-traffic detection result;
and querying the flow's source data in the off-chain database by the index code to obtain the forensic information for the malicious traffic.
In the method, generating the evidence record from the on-chain index code and the flow's descriptive features and deploying it to the blockchain via the smart contract's predefined on-chain storage logic comprises:
first, appending a random number to the source IP from the flow's identification features, concatenating it with the timestamp, the port number and the on-chain index code to form the evidence data to be uploaded, and hashing that data with the SM3 hash function to obtain the protected private information (the source calls this "hash encryption"; SM3 is a one-way hash, so the result is a digest rather than a ciphertext);
then deploying the digest to the blockchain nodes through the smart contract's predefined on-chain storage logic.
The on-chain storage further comprises: linking the blockchain's on-chain storage with the off-chain database through a Bloom filter and a blockchain index library, so that the Bloom filter can be used to retrieve and trace the target flow. Each block stores the transaction set holding the evidence records in a BMerkle (Bloom-filter Merkle) tree, and the transactions for new evidence records are stored in the BMerkle tree of the next block.
Storing the transactions for new evidence records in the next block's BMerkle tree comprises:
first, creating an information list for each node of the BMerkle tree; hashing each transaction in the transaction list to produce the leaf nodes, from which the non-leaf nodes are derived;
then, for each non-leaf node, choosing the Bloom filter length and the number of hash functions dynamically from the index codes held by its left and right children, building that Bloom filter, and adding it together with the hash values of the two children to the node's information list, so that the completed BMerkle tree can be returned.
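The construction just described, as an added example that is not the patent's own code: a Bloom-filter Merkle tree in which each leaf hashes one evidence-record transaction, each parent carries a Bloom filter sized from the index codes of its two children (length m and hash count k derived from the item count and a target false-positive rate) and hashes that filter together with its children's digests, and a lookup by index code enters only subtrees whose filter does not rule the code out. Assumptions: a transaction is a dict with an `index_code` and a `digest`; SHA-256 stands in for SM3; an odd node at any level is carried up unchanged; the sample transactions are constructed.

```python
"""Bloom-filter Merkle (BMerkle) tree over evidence-record transactions.
Added example; SHA-256 is a stand-in for SM3, layouts are assumptions."""
import hashlib
import math
from dataclasses import dataclass
from typing import Optional


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class BloomFilter:
    """m and k are chosen from the item count n and a target false-positive
    rate p: m = -n ln p / (ln 2)^2, k = (m / n) ln 2 (no false negatives)."""

    def __init__(self, n_items: int, fp_rate: float = 0.01):
        n = max(n_items, 1)
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):  # k distinct hashes via a one-byte prefix
            d = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(d[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


@dataclass
class BMerkleNode:
    digest: str
    bloom: BloomFilter
    index_codes: tuple
    left: Optional["BMerkleNode"] = None
    right: Optional["BMerkleNode"] = None
    tx: Optional[dict] = None


def _leaf(tx: dict) -> BMerkleNode:
    bloom = BloomFilter(1)
    bloom.add(tx["index_code"])
    return BMerkleNode(h(repr(sorted(tx.items())).encode()), bloom, (tx["index_code"],), tx=tx)


def _parent(left: BMerkleNode, right: BMerkleNode) -> BMerkleNode:
    codes = left.index_codes + right.index_codes
    bloom = BloomFilter(len(codes))          # sized from the children's index codes
    for code in codes:
        bloom.add(code)
    # The filter is part of the hashed node information, so it is tamper-evident too.
    digest = h((left.digest + right.digest).encode() + bytes(bloom.bits))
    return BMerkleNode(digest, bloom, codes, left, right)


def build_bmerkle(transactions: list) -> BMerkleNode:
    level = [_leaf(tx) for tx in transactions]
    while len(level) > 1:
        nxt = [_parent(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:                   # odd node is carried up unchanged
            nxt.append(level[-1])
        level = nxt
    return level[0]


def search(node: BMerkleNode, index_code: str, visited: Optional[list] = None):
    """Return (matching transactions, number of Bloom filters consulted).
    A subtree whose filter says 'definitely absent' is never entered."""
    if visited is None:
        visited = []
    visited.append(node.digest)
    if not node.bloom.might_contain(index_code):
        return [], len(visited)
    if node.tx is not None:                  # leaf: confirm against the real code
        hits = [node.tx] if node.tx["index_code"] == index_code else []
        return hits, len(visited)
    hits, _ = search(node.left, index_code, visited)
    more, _ = search(node.right, index_code, visited)
    return hits + more, len(visited)


# Constructed sample: 16 evidence-record transactions (not real data).
SAMPLE_TXS = [{"index_code": f"idx-{i:02d}", "digest": h(f"record-{i}".encode())}
              for i in range(16)]
```

With 16 leaves the tree has 31 nodes; a lookup consults the root and then two filters per level, about nine in total, instead of scanning every transaction. A Bloom filter can answer "maybe present" wrongly, which is why the leaf compares the real index code; it never answers "absent" wrongly, so a stored record is never missed. Because the filter bits are hashed into the parent digest, swapping a filter to hide a record changes the root, just as altering a transaction does.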
Linking on-chain storage with the off-chain database through the Bloom filter and the blockchain index library further comprises: when a block is inserted for the transactions of new evidence records, deciding from the current chain height whether an index needs to be built for the inserted block; and judging each block's access heat from its access count and weight, and adjusting the block's index level accordingly.
Obtaining the identification features of the malicious traffic's target node from the forensics and tracing request comprises:
first, obtaining the malicious-traffic detection result for the current network from a malicious-traffic detection model and constructing the attack tracing chain from that result;
then obtaining the identification features of the target node in that chain.
Obtaining the on-chain index code corresponding to the identification features by calling the smart contract's predefined tracing query logic comprises: based on the smart contract, and using the consensus algorithm and the signature verification algorithm, retrieving from the blockchain the target on-chain index code associated with the target node's identification features.
It further comprises: traversing all transaction sets related to the target index code, extracting the evidence records from those transactions and adding them to a transaction list for the predefined target index code, so that the list can be used to fetch the flow's source data from the off-chain database.
The invention also provides a blockchain-based network traffic forensics and tracing system comprising a traffic evidence storage module and a tracing and forensics module, where:
the traffic evidence storage module takes the traffic's statistical features, behavioural features, identification features and the detection result of whether the traffic is malicious as the flow's source data, stores it in an off-chain database and generates an on-chain index code, the identification features comprising a timestamp, a port number and the source and destination IP addresses; and generates an evidence record from the on-chain index code and the flow's descriptive features and deploys it to the blockchain in hashed form via the smart contract's predefined on-chain storage logic;
the tracing and forensics module obtains the identification features of the malicious traffic's target node from a forensics and tracing request, obtains the corresponding on-chain index code by calling the smart contract's predefined tracing query logic (the request comprising an attack tracing chain derived from the malicious-traffic detection result), and queries the flow's source data in the off-chain database by that index code to obtain the forensic information for the malicious traffic.
The beneficial effects of the invention are as follows:
The invention combines the decentralised, tamper-resistant properties of the blockchain with an off-chain database to realise distributed evidence storage. The hash and signature algorithms improve the security and integrity of the evidence records, and the Bloom filter enables efficient retrieval and tracing of the target flow data, reducing the cost of forensics and tracing and improving data utilisation while protecting the evidence information. Simulation experiments indicate that, compared with existing evidence-based tracing techniques, the scheme has advantages in security, integrity, tamper resistance, scalability, storage efficiency and application cost, and can be applied to network defence to improve network security.
Description of the drawings:
FIG. 1 is a schematic diagram of a network traffic evidence-obtaining and tracing flow based on a blockchain in an embodiment;
FIG. 2 is a block chain logic architecture schematic in an embodiment;
FIG. 3 is a schematic diagram of a data structure of a bloom filter in an embodiment;
FIG. 4 is a schematic diagram of the network traffic forensics and tracing principle in an embodiment;
FIG. 5 is a schematic diagram of the network traffic tracing flow in an embodiment.
The embodiments are as follows:
The present invention is described in further detail below with reference to the drawings and the technical scheme, to make its objects, technical schemes and advantages clearer.
In recent years, reliable and efficient forensics and tracing of network traffic attacks has been a research hotspot. Its basis is ensuring that the evidence data is genuine and valid, which requires reliable, secure, distributed data sharing among multiple parties. Blockchain technology opens a new opportunity here: a blockchain is a decentralised, transparent distributed storage technology that establishes trust in an untrusted environment and lets multiple parties share data in one network while ensuring it is neither tampered with nor lost. A trusted, transparent and traceable evidence storage system built on it addresses the problems of centralised and fragmented storage of evidence data. Its security, decentralisation and tamper resistance protect the integrity of stored evidence, let that evidence be used to full value, and allow a reliable attack chain to be formed from the correlations and statistics of the stored evidence, which is what tracing needs. Referring to FIG. 1, this embodiment provides a blockchain-based network traffic forensics and tracing method that combines the appropriate cryptographic techniques to protect the evidence information, comprising:
S101, taking the traffic's statistical features, behavioural features, identification features and the detection result of whether the traffic is malicious as the flow's source data, storing it in an off-chain database and generating an on-chain index code, the identification features comprising a timestamp, a port number and the source and destination IP addresses;
S102, generating an evidence record from the on-chain index code and the flow's descriptive features and deploying it to the blockchain in hashed form via the on-chain storage logic predefined in a smart contract;
S103, obtaining the identification features of the malicious traffic's target node from a forensics and tracing request and obtaining the corresponding on-chain index code by calling the tracing query logic predefined in the smart contract, the request comprising an attack tracing chain derived from the malicious-traffic detection result;
S104, querying the flow's source data in the off-chain database by that index code to obtain the forensic information for the malicious traffic.
A blockchain is a distributed, decentralised database combining distributed data storage, a consensus mechanism, peer-to-peer transmission and cryptographic algorithms. Built on the idea of a peer-to-peer network, it decentralises both data storage and transaction processing and constitutes a new trust model. As shown in FIG. 2, the blockchain spreads data across many independent devices, uses a scalable structure in which many servers share the storage load, and manages the shared data with a consensus mechanism, a distributed ledger, a P2P protocol and ledger storage, establishing a decentralised, distributed, tamper-resistant trust mechanism that can transfer value along with information.
The blockchain combines several technologies: cryptography guarantees the integrity and tamper resistance of the shared data, and a consensus mechanism realises decentralised distributed storage, not only of the data but of its records and logs. Every node is at once a user, a manager and a supervisor of the network, so all nodes maintain the data jointly; tampering with or destroying the data of a single node does not affect the data held by the chain. This gives highly reliable secure storage, avoids single points of failure and enables transparent, automated, tamper-resistant exchange and management of digital assets. The technical advantages are:
Decentralisation: blockchain data is not held on any central server but distributed across the nodes in the network, which avoids single points of failure and the risk of data tampering and so improves security and reliability.
Transparency and tamper resistance: all transactions are recorded publicly, and because the data cannot be altered without the consensus of the network, nobody can modify it unilaterally, which guarantees transparent and tamper-resistant transactions.
Efficiency and low cost: smart contracts allow automatic execution, saving labour and time, and disintermediation reduces transaction cost.
Trustlessness: decentralisation and tamper resistance let transactions and other actions proceed without trusting a counterparty, lowering the cost of trust.
Traceability: the blockchain uses a timestamped chain of blocks, adding a time dimension, and each block is bound to its two neighbours cryptographically, so every transaction can be traced.
In this embodiment, the blockchain may be a Hyperledger Fabric consortium chain (the source writes "Fabirc") that stores the authenticated traffic records to be put on chain; an on-chain record generally comprises the digest of the private data and related feature information such as protocol, flow duration and traffic size. The off-chain database is IPFS, which stores the source data of the detected flow: source and destination IP addresses, port numbers, timestamps, statistical features, behavioural features, the detection result and the corresponding index code. The blockchain supports efficient retrieval and forensic tracing through the index codes and Bloom filters. Validity authentication of the stored traffic records is mainly authentication of the uploaded information: when the approval server checks whether uploaded information is valid, it delegates the verification, according to the information stored on the blockchain, to a supervising node that holds the signature key material; the supervising node recovers the digest from the digital signature, recomputes the hash of the original evidence data and compares the two, and if they match the data has not been tampered with, which assures the reliability and security of the on-chain evidence. (With an SM2 signature, the check is the verification equation evaluated with the signer's public key rather than a literal decryption of the signature into a digest; the "decrypt the signature" wording fits RSA-style signatures.) Referring to FIG. 4, the on-chain/off-chain storage structure lets the blockchain and the InterPlanetary File System (IPFS) database complement each other, protecting data privacy and security while providing efficient, reliable, decentralised storage and sharing. The authentication module can be configured flexibly according to need to satisfy different data-access requirements.
As a preferred embodiment, generating the evidence record from the on-chain index code and the flow's descriptive features and deploying it to the blockchain via the smart contract's predefined on-chain storage logic can be designed as follows:
first, appending a random number to the source IP from the flow's identification features, concatenating it with the timestamp, the port number and the on-chain index code to form the evidence data to be uploaded, and hashing that data with the SM3 hash function to obtain the protected private information (the source calls this "hash encryption"; SM3 is a one-way hash, so the result is a digest that cannot be decrypted, and the random number is what stops anyone who can read the chain from recovering a source IP by enumerating the 2^32 IPv4 addresses against the digest, so it must be held by the submitter and released only to authorised tracers);
then deploying the digest to the blockchain nodes through the smart contract's predefined on-chain storage logic.
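The storage and tracing steps described above (the summary steps, S101 to S104, the tracing query logic and the on-chain/off-chain split with the Fabric chain and IPFS), as one added end-to-end example that is not the patent's own code. Assumptions: SM3 is used when the local OpenSSL build exposes it and SHA-256 stands in otherwise; the hashed record uses fixed-width fields; the on-chain record keeps the index code and the non-sensitive flow features in the clear and binds the private identification fields (source IP, timestamp, port) to it through the digest; the random number (nonce) stays with the submitter off chain and is handed to an authorised tracer; `Ledger`, `store_flow`, the index-code scheme and the sample flow are constructed for the example. The last function shows what the random number buys: without it, an observer of the chain recovers the source IP by enumeration.

```python
"""Evidence record construction and tracing query. Added example; names,
record layout and the index-code scheme are assumptions, not the patent's."""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional


def digest_hex(data: bytes) -> str:
    try:
        return hashlib.new("sm3", data).hexdigest()
    except ValueError:                      # OpenSSL without SM3: labelled stand-in
        return hashlib.sha256(data).hexdigest()


def _record_digest(ip_packed: bytes, nonce: bytes, ts: int, port: int, index_code: str) -> str:
    # Fixed-width fields so that concatenation cannot be re-split ambiguously.
    return digest_hex(ip_packed + nonce + ts.to_bytes(8, "big")
                      + port.to_bytes(2, "big") + index_code.encode())


def record_digest(src_ip: str, nonce: bytes, ts: int, port: int, index_code: str) -> str:
    return _record_digest(ipaddress.ip_address(src_ip).packed, nonce, ts, port, index_code)


@dataclass(frozen=True)
class OnChainRecord:
    digest: str          # H(src_ip || nonce || ts || port || index_code)
    index_code: str      # in the clear: the link to the off-chain source data
    protocol: str        # non-sensitive descriptive features kept on chain
    duration_ms: int
    bytes_total: int


class Ledger:
    """Stand-in for the consortium chain plus the contract's storage and query logic."""

    def __init__(self):
        self.records: list = []

    def store(self, rec: OnChainRecord) -> None:
        self.records.append(rec)

    def trace(self, src_ip: str, nonce: bytes, ts: int, port: int) -> Optional[str]:
        """Tracing query: identification features plus nonce -> on-chain index code."""
        for rec in self.records:
            if record_digest(src_ip, nonce, ts, port, rec.index_code) == rec.digest:
                return rec.index_code
        return None


def store_flow(ledger: Ledger, offchain: dict, flow: dict):
    """S101/S102: full detection result off chain, digest plus index code on chain."""
    nonce = secrets.token_bytes(16)
    index_code = digest_hex(repr(sorted(flow.items())).encode())[:16]   # assumed scheme
    offchain[index_code] = {**flow, "nonce": nonce}
    ledger.store(OnChainRecord(
        record_digest(flow["src_ip"], nonce, flow["ts"], flow["port"], index_code),
        index_code, flow["protocol"], flow["duration_ms"], flow["bytes_total"]))
    return index_code, nonce


def brute_force_source_ip(digest: str, ts: int, port: int, index_code: str,
                          network: str, nonce: bytes = b"") -> Optional[str]:
    """What a chain reader can do without the nonce: enumerate candidate source
    addresses in a range and compare digests (the public fields are on chain)."""
    for host in ipaddress.ip_network(network).hosts():
        if _record_digest(host.packed, nonce, ts, port, index_code) == digest:
            return str(host)
    return None


# Constructed sample detection result (documentation addresses, not real traffic).
SAMPLE_FLOW = {"src_ip": "203.0.113.45", "dst_ip": "198.51.100.7", "ts": 1700000000,
               "port": 443, "protocol": "tcp", "duration_ms": 1200,
               "bytes_total": 53210, "malicious": True}
```

`Ledger.trace` recomputes the digest for each stored index code, which is the linear scan the BMerkle tree and Bloom filters are meant to avoid at scale; the security point is independent of that. Hashing a source IP together with a timestamp, port and index code that are themselves visible on chain leaves only 32 bits of secret, so without a high-entropy nonce the digest is a lookup key, not a protection.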
The SM2 digital signature is a public-key cryptographic algorithm based on elliptic curves; it is used for encryption/decryption and digital signature computation, mainly for digital signature generation and verification, key exchange, encryption and decryption and other applications. Its cryptographic strength is 256 bits, the supported data amount is 128G, and the signature produced by the signature generation algorithm is 256 bits long. The SM2 digital signature algorithm can be divided into four parts, namely system parameter generation, key generation, signature and verification, which are described as follows:
(1) System parameter generation: the security parameter $\lambda$ is the input of the algorithm, and the public parameters of the system $params = \{p, F_p, a, b, G, q, H\}$ are the output. Here $p$ is a large prime and $F_p$ is the finite field; the elliptic curve equation $y^2 = x^3 + ax + b \pmod p$ is defined over $F_p$, and the points satisfying the equation form a commutative group, denoted $\mathbb{G}$, whose order is $q$, with $G$ being the base point of $\mathbb{G}$; $H: \{0,1\}^* \to \mathbb{Z}_q$ is the hash function that performs the digest calculation.
(2) Key generation: the user generates a private key $d_A \in \mathbb{Z}_q$, computes $P_A = d_A \cdot G$ as the public key, and publishes the public key.
(3) Signature: first the hash function is applied to the message to obtain the digest $e = H(m)$; then $k \in \mathbb{Z}_q$ is chosen at random and the point $(x_1, y_1) = k \cdot G$ is computed; then $r = (e + x_1) \bmod q$ and $s = ((1 + d_A)^{-1} \cdot (k - r \cdot d_A)) \bmod q$ are computed from the digest and the point; finally the signature $(r, s)$ is output.
(4) Verification: after receiving the message $m'$ and the signature $(r', s')$, the verifier first checks whether $r', s' \in \mathbb{Z}_q$; if not, verification fails; otherwise it computes $e' = H(m')$ and $t = (r' + s') \bmod q$, restores the point $(x_1', y_1') = s' \cdot G + t \cdot P_A$ on the elliptic curve from $s'$ and $t$, and computes $R = (e' + x_1') \bmod q$; finally it checks whether $R = r'$ holds: if so, $(r', s')$ is a valid signature on $m'$, otherwise the signature is invalid.
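The four SM2 stages just described, as an added Python example; it is not the patent's code. It uses the sm2p256v1 domain parameters from GM/T 0003-2012 with affine point arithmetic written out in full, and, as a stand-in assumption, SHA-256 of the bare message as the digest $H$ in place of SM3 over the $Z_A$-prefixed message. The function names are hypothetical. When signing it keeps the standard's rejection of $r = 0$ and $r + k = q$, which the summary above omits, and when verifying it checks $r, s \in [1, q-1]$; the arithmetic is not constant-time, so it is meant for checking the equations, not for replacing a vetted library.

```python
import hashlib
import secrets

# sm2p256v1 domain parameters (GM/T 0003-2012): the patent's p, a, b, q and base point G
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
Q = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine group law; handles the identity, the inverse pair and point doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant-time)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def H(msg: bytes) -> int:
    # Stand-in digest (assumption): SHA-256 of the bare message instead of SM3(Z_A || M).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    """(2) Key generation: d_A in [1, q-2], P_A = d_A * G."""
    d = secrets.randbelow(Q - 2) + 1
    return d, ec_mul(d, G)


def sign(d, msg):
    """(3) Signature: e = H(m), (x1, y1) = k*G, r = e + x1, s = (1+d)^-1 * (k - r*d) mod q."""
    e = H(msg)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        x1, _ = ec_mul(k, G)
        r = (e + x1) % Q
        if r == 0 or r + k == Q:  # rejected by the standard; the summary above omits this
            continue
        s = pow(1 + d, -1, Q) * (k - r * d) % Q
        if s != 0:
            return r, s


def verify(pub, msg, sig):
    """(4) Verification: t = r + s, (x1', y1') = s*G + t*P_A, accept iff (e' + x1') mod q == r."""
    r, s = sig
    if not (1 <= r < Q and 1 <= s < Q):
        return False
    t = (r + s) % Q
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    if pt is INF:
        return False
    return (H(msg) + pt[0]) % Q == r
```

The validity check in the description above (decrypt the signature, hash the stored data, compare) corresponds to `verify`: a changed message or a changed `s` makes the recovered $x_1'$ differ, so $R \neq r'$ and the record is rejected.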
The SM3 algorithm is a cryptographic hash algorithm based on an elliptic curve algorithm; it outputs a 256-bit digital fingerprint, so that tampering with or forgery of data can be effectively prevented. Owing to its advantages of high security, high computational efficiency and strong scalability, the SM3 algorithm has been widely applied in fields such as electronic commerce and electronic government. It mainly consists of three parts, message expansion, message compression and hash value output, which are described as follows:
Message expansion: the message M is padded and divided into 512-bit message blocks, and a message expansion operation is performed on each block to generate the expanded message blocks.
Message compression: a 512-bit block is taken from the expanded message blocks and processed with a series of operations (exclusive or, permutation, diffusion, etc.); the result of this processing is the input of the next round.
Hash value output: after all expanded message blocks have been processed, some final operations are applied to the compressed result to obtain the final 256-bit hash value.
In this embodiment of the scheme, distributed storage of the certificate data is realized by means of blockchain technology, which improves the credibility of the data, reduces excessive dependence on a centralized organization and improves data sharing efficiency. The security of the shared data is strengthened by introducing the corresponding cryptographic techniques, namely the SM2 digital signature and the SM3 hash; this solves the problems that evidence of network traffic perception results is difficult to trace, that evidence is difficult to store securely, and that data reliability depends excessively on a centralized organization, and realizes decentralized, secure and tamper-resistant traffic attack tracing and sharing of perception result data.
As shown in fig. 4, network traffic certificate storage is divided into on-chain storage and off-chain storage: the on-chain part holds the identification information of the network traffic perception, and the off-chain part holds the source data of the network traffic perception result. In this way the security of the certificate data is protected, the storage pressure on the blockchain is reduced and the efficiency of certificate storage is improved.
The on-chain certificate data consists of the encrypted private data hash value and the URL of the off-chain database, which together constitute the network traffic data SD to be stored. m is the privacy information, including source and destination IP, port number, timestamp, index code of the off-chain database, etc. Since the network traffic characteristics record some information related to user privacy, the unencrypted privacy information and the related characteristics are stored in the off-chain database. Because the network prefix of an IP address is fixed and regional, the number of variable digits in part of the IP address is too small and an attacker could easily recover the corresponding IP by exhaustive search; therefore the random number Random32 is added to the IP address and combined into the data M to be encrypted. The hash transformation Hash() is then applied with the SM3 hash function algorithm to obtain the encrypted privacy information C, and finally C is stored on the chain; the specific implementation can be shown as the following algorithm pseudo code:
Furthermore, the on-chain storage of the blockchain and the off-chain database storage can be associated through a bloom filter and a blockchain index library, so as to realize retrieval and tracing of the target network traffic with the bloom filter; each block of the blockchain stores the transaction set corresponding to the certificate storage data in a BMerkle tree structure, and the transactions of new certificate storage data are stored in the BMerkle tree structure of the next block. This further comprises: when a block is inserted for the transactions of new certificate storage data, judging according to the blockchain height at insertion time whether the inserted block needs an index to be built; and judging the access heat of each block in the blockchain according to its access count and the weight value, and adjusting the block index level according to the block access heat.
A bloom filter is an efficient random data structure that supports initialization and query operations. It consists of a binary array and a set of mutually independent, uniformly distributed hash functions. Referring to fig. 3, when an element is added to the data structure, k hash functions compute k values that are mapped to positions in the array, and the elements at those positions are set to 1. In a query, the k hash values are computed and the corresponding positions in the bit array are examined: if the values at all positions are 1, the element may be in the data set; if any position has a value other than 1, the element is definitely not in the data set. The structure has a very high space utilization and can be used effectively for deduplication. A counting bloom filter replaces each bit with a counter: the k corresponding counters are each incremented by 1 when an element is inserted and decremented by 1 when an element is deleted. In this way the counting bloom filter adds a delete operation to the bloom filter, at the cost of several times more storage space.
In network tracing, referring to fig. 5, a blockchain index library class is established to realize the tracing area. The establishment of the index library can be divided into three parts: building the BMerkle tree, dynamic index insertion and dynamic block index adjustment.
The blockchain adopts a BMerkle structure; the tree is constructed bottom-up, node by node, and updating stops once the whole tree has been built. Therefore, in our system a new transaction has to wait for the BMerkle tree construction of the next block. First, an information list is created to store every node of the BMerkle tree; then the information of each transaction list is hashed and the non-leaf nodes are generated from the leaf nodes: the cal_bloom() function dynamically determines the length of the bloom filter and the number of hash functions from the tracing codes of the left and right child nodes, computes the corresponding bloom filter, and appends the bloom filter together with the hash values of the left and right child nodes to the txhash list; finally the BMerkle tree is built and returned. The specific implementation can be shown as the following pseudo code algorithm:
In dynamic index insertion, the parameter skipList_probability is set to 1/2 and a value between 0 and Imax is generated at random. When a block is created there is a certain probability that an index needs to be created: a return value of 0 means that no index needs to be established, with probability 1/4; a return value of 1 means that a first-level index needs to be established, with probability 1/8; a return value of 2 means that a second-level index needs to be established, with probability 1/16; and so on. The specific implementation is as shown in the following algorithm pseudo code:
In dynamic block index adjustment, the latest number of accesses of each block in the blockchain is recorded during tracing; hot and cold blocks are distinguished by setting a weight value g, and the block index is adjusted dynamically. A list is created to store the indexes of the blocks whose index level needs to be modified. Then each block is judged one by one to be a hot block or a cold block, and the index level to be modified is added at the corresponding position of the list. The specific implementation can be as follows:
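The two index procedures above (the random level drawn at block insertion, and the hot/cold re-levelling driven by access counts and the weight g), as an added Python example that is not the patent's pseudo code. The geometric level draw with probability 1/2 per level, the one-level promotion/demotion step, the cap Imax = 4 and the helper names are all assumptions; `SeqRng` is a deterministic stand-in for the random source so the draws can be reproduced.

```python
import random

IMAX = 4          # assumed maximum index level
SKIPLIST_P = 0.5  # skipList_probability from the description


class SeqRng:
    """Deterministic stand-in for random.random(); feeds a fixed sequence of draws."""

    def __init__(self, values):
        self._it = iter(values)

    def random(self):
        return next(self._it)


def random_index_level(rng=random, p=SKIPLIST_P, imax=IMAX):
    """Level drawn when a block is inserted (assumed geometric rule): 0 means the block
    gets no index entry, 1 a first-level index, 2 a second-level index, up to imax."""
    level = 0
    while level < imax and rng.random() < p:
        level += 1
    return level


def insert_block(index_levels, height, rng=random):
    """Record the index level decided for the block inserted at `height`."""
    index_levels[height] = random_index_level(rng)
    return index_levels[height]


def classify_blocks(access_counts, g):
    """Hot blocks have been accessed at least g times since the last adjustment."""
    hot = sorted(h for h, n in access_counts.items() if n >= g)
    cold = sorted(h for h, n in access_counts.items() if n < g)
    return hot, cold


def adjust_index_levels(levels, access_counts, g, imax=IMAX):
    """Build the list of (height, new_level) for blocks whose index level changes:
    hot blocks are promoted one level (capped at imax), cold blocks demoted (floored at 0).
    The one-level step is an assumption; the description only says the level is adjusted."""
    hot = set(classify_blocks(access_counts, g)[0])
    changes = []
    for height, level in sorted(levels.items()):
        new = min(imax, level + 1) if height in hot else max(0, level - 1)
        if new != level:
            changes.append((height, new))
    return changes
```

A block that is never accessed drifts down to level 0 and drops out of the skip index entirely, which is the intended outcome for cold blocks: the index stays small and the hot_skip path stays short.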
As a preferred embodiment, obtaining the identification characteristics of the malicious traffic target node according to the network malicious traffic evidence obtaining and tracing request further comprises: acquiring the malicious traffic perception result in the current network according to the network malicious traffic perception model and constructing the malicious traffic attack tracing link according to the perception result; and acquiring the identification characteristics of the target node in the link according to the malicious traffic attack tracing link.
The tracing query logic predefined by the smart contract is called to obtain the target on-chain index code corresponding to the identification characteristics in the blockchain; based on the smart contract, the target on-chain index code associated with the identification characteristics stored in the blockchain can be obtained from the identification characteristics of the target node using a consensus algorithm and a signature verification algorithm.
Specifically, all transaction sets related to the target index code are traversed, the certificate data are extracted from the transaction sets and added to the transaction list related to the predefined target index code, so that the transaction list can be used to obtain the network traffic description source data stored in the off-chain database.
In the tracing process, the whole blockchain is first traversed to find the transaction set associated with a specific tracing code. This is done by querying each block for the stored encrypted certificate information and the URL of the location in the off-chain database, so all related transactions can be obtained by inputting only the tracing code. The traversal starts from the most recently generated block and proceeds back to the genesis block, so that the information of every stage is acquired. Because one tracing code may have several records, during the search it is necessary to judge whether the proCode is present in the bloom filter of the BMerkle tree root: if not, the next block is searched directly; if so, the BMerkle tree is entered and searched.
The output of the blockchain query stage is used to quickly locate, through the hot_skip pointer, each corresponding traffic perception source data record off the chain; the following steps are needed to acquire the off-chain storage data corresponding to a specific tracing code. First, all transaction sets associated with the specific tracing code are traversed. Then the certificate data ID associated with the proCode is extracted from these transactions and added to the transaction list. Finally, the transaction list contains the off-chain storage data corresponding to the specific tracing code.
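The bloom filter described earlier, the bottom-up BMerkle construction with a per-node filter, and the newest-to-oldest tracing traversal of the last two paragraphs, as one added Python example; it is not the patent's pseudo code. SHA-256 stands in for SM3 (assumption), the filter sizing rule standing in for cal_bloom is the usual m = -n ln p / (ln 2)^2, k = (m/n) ln 2, each internal node commits to left hash || right hash || filter bits, an odd level is padded with an empty node, and the sample blocks, field names (proCode, C, url) and function names are constructed for the example.

```python
import hashlib
import math


def _digest(data: bytes) -> bytes:
    # SHA-256 stands in for the SM3 hash the patent uses (assumption).
    return hashlib.sha256(data).digest()


class Bloom:
    """Bit-array bloom filter with k salted-hash positions per element."""

    def __init__(self, m: int, k: int):
        self.m, self.k, self.bits = m, k, bytearray(m)

    def _positions(self, item: str):
        for i in range(self.k):
            d = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(d[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos] = 1

    def might_contain(self, item: str) -> bool:
        # All k bits set: maybe present (false positives possible); any bit clear: absent.
        return all(self.bits[pos] for pos in self._positions(item))


def cal_bloom(codes, fp_rate=0.01) -> Bloom:
    """Size the filter from the tracing codes below a node (assumed sizing rule)."""
    n = max(1, len(codes))
    m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    bf = Bloom(m, k)
    for c in codes:
        bf.add(c)
    return bf


class Node:
    def __init__(self, h, codes, bloom, left=None, right=None, tx=None):
        self.hash, self.codes, self.bloom = h, codes, bloom
        self.left, self.right, self.tx = left, right, tx


def build_bmerkle(txs):
    """Bottom-up BMerkle tree: leaves hash one certificate record, internal nodes hash
    left.hash || right.hash || filter bits, the filter covering all codes beneath."""
    if not txs:
        raise ValueError("a block needs at least one transaction")
    level = []
    for tx in txs:
        raw = f"{tx['proCode']}|{tx['C']}|{tx['url']}".encode()
        level.append(Node(_digest(raw), {tx["proCode"]}, cal_bloom([tx["proCode"]]), tx=tx))
    while len(level) > 1:
        if len(level) % 2:
            level.append(Node(level[-1].hash, set(), Bloom(8, 1)))  # padding: admits nothing
        nxt = []
        for lt, rt in zip(level[0::2], level[1::2]):
            codes = lt.codes | rt.codes
            bf = cal_bloom(sorted(codes))
            nxt.append(Node(_digest(lt.hash + rt.hash + bytes(bf.bits)), codes, bf, lt, rt))
        level = nxt
    return level[0]


def search_tree(node, pro_code):
    """Descend only into subtrees whose filter admits pro_code; leaves are matched exactly,
    so a filter false positive costs a visit but never a wrong result."""
    if node is None or not node.bloom.might_contain(pro_code):
        return []
    if node.tx is not None:
        return [node.tx] if node.tx["proCode"] == pro_code else []
    return search_tree(node.left, pro_code) + search_tree(node.right, pro_code)


def trace(blocks, pro_code):
    """Walk from the newest block back to the genesis block; check the root filter first
    and enter the BMerkle tree only on a hit. Returns (height, tx) pairs."""
    found = []
    for height in range(len(blocks) - 1, -1, -1):
        root = blocks[height]
        if root.bloom.might_contain(pro_code):
            found.extend((height, tx) for tx in search_tree(root, pro_code))
    return found


# Constructed sample chain: three blocks of certificate records (not real data).
SAMPLE_BLOCKS = [
    build_bmerkle([{"proCode": "PC-0001", "C": "c1", "url": "ipfs://cid-a"},
                   {"proCode": "PC-0002", "C": "c2", "url": "ipfs://cid-b"}]),
    build_bmerkle([{"proCode": "PC-0003", "C": "c3", "url": "ipfs://cid-c"}]),
    build_bmerkle([{"proCode": "PC-0001", "C": "c4", "url": "ipfs://cid-d"},
                   {"proCode": "PC-0004", "C": "c5", "url": "ipfs://cid-e"},
                   {"proCode": "PC-0005", "C": "c6", "url": "ipfs://cid-f"}]),
]
```

Because the root hash commits to the filter bits as well as the child hashes, a node that silently widened or narrowed a filter would change the block's root and be caught by the chain's ordinary block validation, which is what makes the bloom pre-check safe to rely on during tracing.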
Further, based on the above method, an embodiment of the present invention also provides a blockchain-based network traffic evidence obtaining and tracing system, which is used for unintentional phase modulation estimation of a radiation source individual, and comprises a traffic certificate storage module and a tracing evidence obtaining module, wherein
the traffic certificate storage module is used for taking the network traffic statistical characteristics, behavior characteristics, identification characteristics and the perception result of whether the network traffic is malicious as network traffic description source data, storing the network traffic description source data in the off-chain database and generating an on-chain index code, wherein the network traffic identification characteristics comprise a timestamp, a port number and source and destination IPs; and for generating certificate storage data according to the on-chain index code and the network traffic representation characteristics, and deploying the certificate storage data to the blockchain through encryption using the uplink storage logic predefined by the smart contract, so as to realize on-chain storage;
the tracing evidence obtaining module is used for obtaining the identification characteristics of the malicious traffic target node according to the network malicious traffic evidence obtaining request, and obtaining the target on-chain index code corresponding to the identification characteristics in the blockchain by calling the tracing query logic predefined by the smart contract, wherein the evidence obtaining and tracing request comprises the attack tracing link obtained according to the malicious traffic perception result; and for querying the corresponding network traffic description source data stored in the off-chain database according to the index code, so as to obtain the network malicious traffic evidence information.
To verify the validity of this scheme, it is further explained in connection with experimental data:
The advantages and disadvantages of the scheme are analyzed by comparing it with other schemes in existing research results using a comparative analysis method; the comparison is shown in Table 1:
Table 1 Comparison of different protection schemes
Here, (a) to (d) are related literature on existing evidence storage and tracing: (a) is research on cloud-computing-based network attack evidence collection, (b) on machine-learning-based network attack evidence collection, (c) on secondary-area network attack evidence collection, (d) on Linux attack evidence collection based on AIDE and ELK, (e) on the application of blockchain technology to electronic evidence collection, (f) on a blockchain-based cloud computing electronic evidence collection model, and (g) on the application of blockchain technology to electronic evidence collection.
Table 1 compares seven dimensions: security, integrity, tamper resistance, scalability, storage effectiveness, application cost and whether a blockchain is used. Schemes (a) to (d) do not use a blockchain for evidence collection and tracing; compared with the schemes that do, their security is lower and they lack consideration of data integrity and tamper resistance, so they are suited to small-scale evidence collection and tracing within a single security domain and their capability is limited in distributed, multi-party environments. (e) emphasizes using blockchain technology to track, monitor and audit data behavior efficiently, but introduces no reliable cryptographic technique to protect data privacy. (f) stores the certificate data information in the block without using smart contracts or combining with an off-chain database, and (h) establishes a set of data-sharing smart contracts for every participant and user, so that a large number of contracts are created in the system, occupying considerable computing resources and running time with low efficiency. After comprehensive comparison, the present scheme better takes into account data security and integrity, improves the efficiency of evidence collection and tracing through the combination of on-chain and off-chain storage with the bloom filter, and has higher scalability and advantages.
The relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
In the present specification, the embodiments are described progressively, each embodiment focusing on its differences from the others; identical and similar parts of the embodiments can be referred to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method.
The elements and method steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or a combination thereof, and the elements and steps of the examples have been generally described in terms of functionality in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those of ordinary skill in the art may implement the described functionality using different methods for each particular application, but such implementation is not considered to be beyond the scope of the present invention.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the above methods may be performed by a program that instructs associated hardware, and that the program may be stored on a computer readable storage medium, such as: read-only memory, magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits, and accordingly, each module/unit in the above embodiments may be implemented in hardware or may be implemented in a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A blockchain-based network traffic evidence obtaining and tracing method, characterized by comprising the following steps:
taking the network traffic statistical characteristics, behavior characteristics, identification characteristics and the perception result of whether the network traffic is malicious as network traffic description source data, storing the network traffic description source data in an off-chain database and generating an on-chain index code, wherein the network traffic identification characteristics comprise a timestamp, a port number and source and destination IPs;
generating certificate storage data according to the on-chain index code and the network traffic representation characteristics, and deploying the certificate storage data to the blockchain through encryption using the uplink storage logic predefined by the smart contract, so as to realize on-chain storage;
acquiring identification characteristics of a malicious traffic target node according to a network malicious traffic evidence obtaining request, and obtaining the target on-chain index code corresponding to the identification characteristics in the blockchain by calling the tracing query logic predefined by the smart contract, wherein the evidence obtaining request comprises an attack tracing link obtained according to a malicious traffic perception result;
and querying the corresponding network traffic description source data stored in the off-chain database according to the index code, so as to obtain the network malicious traffic evidence information.
2. The blockchain-based network traffic evidence obtaining and tracing method of claim 1, wherein generating the certificate storage data according to the on-chain index code and the network traffic representation characteristics, and deploying the certificate storage data to the blockchain through encryption using the uplink storage logic predefined by the smart contract so as to realize on-chain storage, comprises:
first, adding a random number to the source IP of the network traffic identification characteristics and combining it with the timestamp, port number and on-chain index code in the network identification to form the certificate storage data to be encrypted and uploaded, and hashing the certificate storage data to be encrypted and uploaded with the SM3 hash algorithm to obtain the encrypted privacy information;
then deploying the encrypted privacy information to the blockchain node using the uplink storage logic predefined by the smart contract.
3. The blockchain-based network traffic evidence obtaining and tracing method of claim 1 or 2, wherein deploying the certificate storage data to the blockchain through encryption using the uplink storage logic predefined by the smart contract so as to realize on-chain storage further comprises: associating the on-chain storage of the blockchain with the off-chain database storage through a bloom filter and a blockchain index library, so as to realize retrieval and tracing of the target network traffic with the bloom filter, wherein each block of the blockchain stores the transaction set corresponding to the certificate storage data in a BMerkle tree structure, and the transactions of new certificate storage data are stored in the BMerkle tree structure of the next block.
4. The blockchain-based network traffic evidence obtaining and tracing method of claim 3, wherein storing the transactions of new certificate storage data in the BMerkle tree structure of the next block comprises:
first, creating an information list to store every node of the BMerkle tree; hashing the information of each transaction list, and generating the non-leaf nodes from the leaf nodes;
then dynamically determining the length of the bloom filter and the number of hash functions according to the index codes of the left and right child nodes, obtaining the corresponding bloom filter, adding the bloom filter together with the hash values of the left and right child nodes to the information list, forming the BMerkle tree and returning it.
5. The blockchain-based network traffic evidence obtaining and tracing method of claim 3, wherein associating the on-chain storage of the blockchain with the off-chain database storage through a bloom filter and a blockchain index library further comprises: when a block is inserted for the transactions of new certificate storage data, judging according to the blockchain height at insertion time whether the inserted block needs an index to be built; and judging the access heat of each block in the blockchain according to its access count and the weight value, and adjusting the block index level according to the block access heat.
6. The blockchain-based network traffic evidence obtaining and tracing method of claim 1, wherein obtaining the identification characteristics of the malicious traffic target node according to the network malicious traffic evidence obtaining and tracing request comprises:
first, acquiring the malicious traffic perception result in the current network according to the network malicious traffic perception model, and constructing the malicious traffic attack tracing link according to the perception result;
then acquiring the identification characteristics of the target node in the link according to the malicious traffic attack tracing link.
7. The blockchain-based network traffic evidence obtaining and tracing method of claim 1 or 6, wherein obtaining the target on-chain index code corresponding to the identification characteristics in the blockchain by calling the tracing query logic predefined by the smart contract comprises: acquiring, based on the smart contract and using a consensus algorithm and a signature verification algorithm, the target on-chain index code associated with the identification characteristics stored in the blockchain according to the identification characteristics of the target node.
8. The blockchain-based network traffic evidence obtaining and tracing method of claim 7, wherein obtaining the target on-chain index code corresponding to the identification characteristics in the blockchain by calling the tracing query logic predefined by the smart contract further comprises: traversing all transaction sets related to the target index code, extracting the certificate data from the transaction sets and adding the certificate data to the transaction list related to the predefined target index code, so as to acquire the network traffic description source data stored in the off-chain database using the transaction list.
9. A blockchain-based network traffic evidence obtaining and tracing system, characterized by comprising a traffic certificate storage module and a tracing evidence obtaining module, wherein
the traffic certificate storage module is used for taking the network traffic statistical characteristics, behavior characteristics, identification characteristics and the perception result of whether the network traffic is malicious as network traffic description source data, storing the network traffic description source data in the off-chain database and generating an on-chain index code, wherein the network traffic identification characteristics comprise a timestamp, a port number and source and destination IPs; and for generating certificate storage data according to the on-chain index code and the network traffic representation characteristics, and deploying the certificate storage data to the blockchain through encryption using the uplink storage logic predefined by the smart contract, so as to realize on-chain storage;
the tracing evidence obtaining module is used for obtaining the identification characteristics of the malicious traffic target node according to the network malicious traffic evidence obtaining request, and obtaining the target on-chain index code corresponding to the identification characteristics in the blockchain by calling the tracing query logic predefined by the smart contract, wherein the evidence obtaining and tracing request comprises the attack tracing link obtained according to the malicious traffic perception result; and for querying the corresponding network traffic description source data stored in the off-chain database according to the index code, so as to obtain the network malicious traffic evidence information.
10. An electronic device comprising a memory and a processor, the processor and the memory communicating with each other via a bus; the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the method of any one of claims 1 to 8.
CN202310662506.8A 2023-06-06 2023-06-06 Block chain-based network flow evidence obtaining and tracing method and system Pending CN116781332A (en)

Publications (1)

Publication Number Publication Date
CN116781332A true CN116781332A (en) 2023-09-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination