METHOD OF DETECTING ANOMALIES IN A BLOCKCHAIN NETWORK AND BLOCKCHAIN NETWORK IMPLEMENTING SUCH A METHOD

Abstract

Embodiments include a method of detecting anomalies within a blockchain network including a plurality of nodes, the method including for at a measured node, of the blockchain network, measuring at least one operational parameter of the measured node. The method also includes injecting at least one measured value of at least one operational parameter into at least one predetermined heuristic model signaling a possible anomaly within the blockchain network based on the at least one measured value. Embodiments also include a computer program including computer instructions, which, when they are executed by a computer device, implement the method. Embodiments also include a block chain network configured to implement the method of detecting anomalies.

Claims

1. A method of detecting anomalies within a blockchain network comprising a plurality of nodes, said method comprising: for at least one node of said plurality of nodes, said at least one node comprising at least one measured node of said blockchain network, measuring at least one operational parameter of said at least one measured node; and injecting at least one measured value of said at least one operational parameter that is measured into a predetermined heuristic model signaling a possible anomaly within said blockchain network based on said at least one measured value.

2. The method according to claim 1, wherein said at least one measured node is a real node of the blockchain network.

3. The method according to claim 1, wherein said at least one measured node is a decoy node deployed within the blockchain network.

4. The method according to claim 1, wherein said injecting said at least one measured value is implemented at a decoy node deployed within the blockchain network.

5. The method according to claim 1, wherein said injecting said at least one measured value is implemented at a central module, and wherein the method further comprises transmitting said at least one measured value to said central module.

6. The method according to claim 1, wherein the at least one measured value of said at least one operational parameter of said at least one measured node is read in an operational log of said at least one measured node.

7. The method according to claim 1, wherein at least one communication relative to implementation of the method is encrypted.

8. The method according to claim 1, wherein said predetermined heuristic model comprises at least one heuristic model that is provided for comparing said at least one measured value that is injected to at least one predefined threshold value.

9. The method according to claim 1, wherein said predetermined heuristic model comprises at least one heuristic model that comprises a neuronal network previously trained to detect at least one anomaly from at least one value of an operational parameter that is provided to it.

10. The method according to claim 1, further comprising sending an alert message when said injecting said at least one measured value signals an anomaly.

11. The method according to claim 10, wherein, when said injecting said at least one measured value signals said anomaly, said method further comprises an incident response step comprising executing any combination of at least one of excluding certain nodes that have a Byzantine behavior, suspending a protocol for a time to make a report and prevent forging corrupt blocks, updating the protocol via a consensus.

12. A computer program comprising computer instructions, which, when executed by a computer device, implement a method of detecting anomalies within a blockchain network comprising a plurality of nodes, said method comprising: for at least one node of said plurality of nodes, said at least one node comprising at least one measured node of said blockchain network, measuring at least one operational parameter of said at least one measured node; and injecting at least one measured value of said at least one operational parameter that is measured into a predetermined heuristic model signaling a possible anomaly within said blockchain network based on said at least one measured value.

13. A blockchain network comprising: a plurality of nodes, configured to implement a method of detecting anomalies within said blockchain network, said method comprising for at least one node of said plurality of nodes, said at least one node comprising at least one measured node of said blockchain network, measuring at least one operational parameter of said at least one measured node; and injecting at least one measured value of said at least one operational parameter that is measured into a predetermined heuristic model signaling a possible anomaly within said blockchain network based on said at least one measured value.

14. The blockchain network according to claim 13, wherein said at least one node comprises at least one decoy node.

15. The blockchain network according to claim 13, further comprising a central module.

Description

DESCRIPTION OF FIGURES AND EMBODIMENTS

[0079] Other benefits and features will become evident upon examining the detailed description of an entirely non-limiting embodiment, and from the enclosed drawings in which:

[0080] FIG. 1 is a schematic representation of an entirely non-limiting exemplary embodiment of a method according to the invention;

[0081] FIG. 2 is a schematic representation of another entirely non-limiting exemplary embodiment of a method according to the invention;

[0082] FIG. 3 is a schematic representation of an entirely non-limiting exemplary embodiment of a blockchain network according to the invention;

[0083] FIG. 4 is a schematic representation of another entirely non-limiting exemplary embodiment of a blockchain network according to the invention;

[0084] FIG. 5 is a schematic representation of another entirely non-limiting exemplary embodiment of a blockchain network according to the invention; and

[0085] FIG. 6 is a schematic representation of another non-limiting exemplary embodiment of a blockchain network according to the invention.

[0086] It is understood that the embodiments disclosed hereunder are by no means limiting. In particular, it is possible to imagine variants of the invention that comprise only a selection of the features disclosed hereinafter in isolation from the other features disclosed, if this selection of features is sufficient to confer a technical benefit or to differentiate the invention with respect to the prior state of the art. This selection comprises at least one preferably functional feature which lacks structural details, or only has a portion of the structural details if that portion is only sufficient to confer a technical benefit or to differentiate the invention with respect to the prior state of the art.

[0087] In the figures the same reference has been used for the elements that are common to several figures.

[0088] FIG. 1 is a schematic representation of an entirely non-limiting exemplary embodiment of a method according to the invention.

[0089] The method 100 of FIG. 1 is a method of detecting an anomaly within a blockchain network comprising a plurality of nodes.

[0090] The method 100 comprises a step 102 of measuring at least one operational parameter of at least one node, called measured node, of the blockchain network.

[0091] At least one node measured in step 102 may be a real node of the blockchain network, that is, a node participating in creating new blocks of the blockchain.

[0092] Alternatively or in addition, at least one node measured during step 102 may be a decoy node, deployed within the blockchain network, but not participating in creating new blocks of the blockchain.

[0093] In an entirely non-limiting way, for at least one node, the at least one operational parameter measured in step 102 may for example be or comprise:

[0094] a communication latency of one node with at least another node of the network,

[0095] a communication topology of a node, that is, with which other nodes of the network the measured node communicates,

[0096] a data from the internal clock of the node,

[0097] a local representation status of the node,

[0098] a sending quality,

[0099] ownership of the “fragments” of the blockchain,

[0100] etc. . . .

[0101] The method 100 further comprises, after the measuring step 102, a step 104 of injecting said at least one measured value of at least one operational parameter into a predetermined heuristic model signaling a possible anomaly within said blockchain network based on said at least one measured value.

[0102] Because the operation of at least one node of the blockchain network is disturbed during a cyberattack, it is therefore possible with the method 100 to detect an anomaly symptomatic of a cyberattack by injecting into a predetermined heuristic model, during step 104, at least one value of an operational parameter measured during step 102.

[0103] The heuristic model may for example be provided to compare at least one measured value to at least one predefined threshold.

[0104] Alternatively, the heuristic model may for example be or comprise a neuronal network previously trained to detect anomalies.

[0105] The injection step 104 may for example be implemented at a decoy node deployed within the blockchain network but not participating in creating new blocks of the blockchain.

[0106] The measuring step 102 and injection step 104 may for example be implemented at the same decoy node.

[0107] According to another example, the injection step 104 may be implemented at the central module of the blockchain network but which does not form a node of the blockchain network.

[0108] FIG. 2 is a schematic representation of another entirely non-limiting exemplary embodiment of a method according to the invention.

[0109] The method 200 comprises all the steps of the method 100 described in relation to FIG. 1.

[0110] In the method 200 of FIG. 2, the measuring step 102 of measuring at least one operational parameter of at least one measured node comprises the following steps:

[0111] a step 202 of sending, by a decoy node of the network to a measured node, a request to send at least a portion of its operational log,

[0112] a step 204 of emitting said at least a portion of the operational log by the measured node to the decoy node, in response to the request, and

[0113] a step 206 of reading at least a portion of the operational log.

[0114] The measured node may for example be a real node or a decoy node different from the one sending the request.

[0115] The method 200 further comprises, after the measuring step 102 and before the injection step 104 a step 208 of transmitting, to a central module of the blockchain network, at least one value measured during step 102.

[0116] In this exemplary embodiment, the step 104 of injecting at least one measured value into a heuristic model is carried out at said central module.

[0117] The method 200 further comprises, when an anomaly is signaled by the heuristic model, a step 208 of sending an alert message to each of the nodes of the network or only to the node concerned by the anomaly.

[0118] According to an alternative embodiment, the measured node, preferably a decoy node, may be configured to emit automatically and at a given frequency at least a portion of its operational log to the decoy node responsible for the reading. In this case, the step 202 of sending a request is not necessary and therefore not carried out.

[0119] According to another alternative embodiment, the measuring of at least one operational parameter of a measured node may be implemented by the node itself. Thus, neither the sending of a request nor the emission of at least a portion of the log is required to read said log during the step. In this case, neither step 202 of sending a request nor step 204 of emitting at least a portion of the log are carried out.

[0120] According to still another alternative embodiment, the injection of at least one measured value of at least one operational parameter into a heuristic model may be carried out at the measured decoy node. In this case, neither step 202 of sending a request, nor step 204 of emitting at least a portion of the log, nor the transmission step 208 are carried out.

[0121] FIG. 3 is a schematic representation of an entirely non-limiting exemplary embodiment of a blockchain network according to the invention.

[0122] FIG. 3 shows a blockchain network 300 configured to implement the method 100 described in relation to FIG. 1, and more generally a method according to the invention.

[0123] In the example represented, the network 300 comprises four real nodes 302 and one decoy node 304.

[0124] For reasons of readability, the number of real nodes 302 shown in FIG. 3 is four. However, it will seem obvious that a blockchain network may comprise a number of real nodes other than four.

[0125] Again in the example of FIG. 3, all the nodes 302, 304 are in communication with one another. However, depending on the blockchain protocol used and depending on the number of nodes of the blockchain network, it is possible that all the nodes of the blockchain network are not in communication with one another.

[0126] According to one exemplary embodiment, each node of the network 300 may be a measured node. Thus, a value of at least one operational parameter may be measured during the measuring step, for each real node 302 and the decoy node 304.

[0127] Again according to one exemplary embodiment, the injection step, and in particular step 104, may be carried out in the decoy node 304. In this case, each real node 302 communicates the value of the measured parameter(s) to the decoy node, either in an automated manner at a given frequency, or upon request from the decoy node 304. Thus, the decoy node 304 receives the values of the operational parameters of all the real nodes 302 of the network 300. It also has values of its own operational parameters. Thus, it may carry out an anomaly detection by injecting these measured values into a heuristic model, together or separately.

[0128] The injection of the values into a heuristic model may be carried out for each measured node individually.

[0129] Alternatively, the injection of the values into a heuristic model may be carried out individually for each operational parameter. In this case, it is possible to inject together several measured values of this operational parameter at several measured nodes. For example, it is possible to inject the communication topology of several measured nodes into a heuristic model in order to detect if one of these measured nodes has an anomaly.

[0130] FIG. 4 is a schematic representation of another entirely non-limiting exemplary embodiment of a blockchain network according to the invention.

[0131] The blockchain network 400 shown in FIG. 4 differs from the network 300 shown in FIG. 3 in that the decoy node 304 is replaced by a central module 402. The central module 402 is in communication with each of the nodes 302 of the network 400. However, contrary to a decoy node 304, the central module 402 does not act as a node within the network 400 in the sense of a real node or a decoy node.

[0132] According to one exemplary embodiment, each real node of the network 400 can be measured. Thus, a value of at least one operational parameter may be measured during the measuring step, for each real node 302.

[0133] Still in accordance with one exemplary embodiment, the injection step, and in particular step 104, may be carried out in the central module 402. In this case, each real node 302 communicates the value of the measured parameter(s) to the central module 402, either in an automated manner at a given frequency, or upon request from the central module 402. Thus, central module 402 receives the values of the operational parameters of all the real nodes 302 of the network 400. Thus, it may carry out an anomaly detection by injecting these measured values into a heuristic model, together or separately.

[0134] FIG. 5 is a schematic representation of another non-limiting exemplary embodiment of a blockchain network according to the invention.

[0135] The blockchain network 500 shown in FIG. 5 comprises all the elements of the network 300 of FIG. 3.

[0136] The network 500 further comprises two other decoy nodes 304. All the nodes 302, 304 are in communication with one another.

[0137] According to one exemplary embodiment, each node 302 and 304 of the network 500 may be a measured node. Thus, a value of at least one operational parameter may be measured during the measuring step, for each real node 302 and each decoy node 304.

[0138] Still in accordance with one exemplary embodiment, the injection step, and in particular step 104, may be carried out in any of the decoy nodes 304.

[0139] In this case, the decoy node 304 at which the injection step is implemented may receive the values of the operational parameters from all the other nodes of the network, real 302 and decoy 304.

[0140] It also has values of its own operational parameters. Thus, it may carry out an anomaly detection by injecting these measured values into a heuristic model, together or separately.

[0141] FIG. 6 is a schematic representation of another non-limiting exemplary embodiment of a blockchain network according to the invention.

[0142] The blockchain network 600 shown in FIG. 6 comprises all the elements of the network 500 of FIG. 5.

[0143] The network 600 further comprises a central module 402 in communication with each of the real nodes 302 and decoy nodes 304.

[0144] According to one exemplary embodiment, each node 302 and 304 of the network 600 may be a measured node. Thus, a value of at least one operational parameter may be measured during the measuring step, for each real node 302 and each decoy node 304.

[0145] Still in accordance with one exemplary embodiment, the injection step, and in particular step 104, may be carried out in the central module 402.

[0146] In this case, each real node 302 and each decoy node communicates the value of the measured parameter(s) to the central module 402, either in an automated manner at a given frequency, or upon request from the central module 402. Thus, the central module 402 receives the values of the functional parameters of all the real nodes 302 and decoy nodes 304 of the network 600. Thus, it may carry out an anomaly detection by injecting these measured values into a heuristic model, together or separately.

[0147] Of course, the invention is not limited to the examples detailed above.