[Paper Summary] Bet and Attack: Incentive Compatible Collaborative Attacks Using Smart Contracts
This paper proposes a smart-contract-based framework for trustless, incentive-compatible collaborative network attacks: a betting mechanism coordinates (pseudo)anonymous attackers against real-world targets (e.g., DDoS attacks). By structuring rewards around bet amounts, and by proving that the mechanism is strategy-proof and budget-balanced, the framework ensures that attackers collaborate in proportion to their bets, which yields predictable and fair outcomes in equilibrium.
Smart contract-enabled blockchains allow building decentralized applications in which mutually-distrusted parties can work together. Recently, oracle services emerged to provide these applications with real-world data feeds. Unfortunately, these capabilities have been used for malicious purposes under what is called criminal smart contracts. A few works explored this dark side and showed a variety of such attacks. However, none of them considered collaborative attacks against targets that reside outside the blockchain ecosystem. In this paper, we bridge this gap and introduce a smart contract-based framework that allows a sponsor to orchestrate a collaborative attack among (pseudo)anonymous attackers and reward them for that. While all previous works required a technique to quantify an attacker's individual contribution, which could be infeasible with respect to real-world targets, our framework avoids that. This is done by developing a novel scheme for trustless collaboration through betting. That is, attackers bet on an event (i.e., the attack takes place) and then work on making that event happen (i.e., perform the attack). By taking DDoS as a use case, we formulate attackers' interaction as a game, and formally prove that these attackers will collaborate in proportion to the amount of their bets in the game's unique equilibrium. We also model our framework and its reward function as an incentive mechanism and prove that it is a strategy-proof and budget-balanced one. Finally, we conduct numerical simulations to demonstrate the equilibrium behavior of our framework.
Motivation and Goals
- To fill a gap in existing criminal smart contract (CSC) research by enabling collaborative attacks against real-world targets outside the blockchain ecosystem.
- To address the problem that individual attackers' contributions cannot be verified in real-world attacks, because cryptographic proofs of contribution are infeasible there.
- To design a trustless, incentive-compatible mechanism that ensures rational attackers collaborate without any need to quantify their contributions.
- To model the attack as a game-theoretic problem and prove that attackers collaborate in proportion to their bets in the game's unique Nash equilibrium.
- To demonstrate feasibility through numerical simulations and show that the mechanism is both strategy-proof and budget-balanced.
Proposed Method
- A betting mechanism: attackers bet on the success of a real-world attack (e.g., DDoS), and rewards are tied to the bet amounts.
- Attacker interaction is modeled as a non-cooperative game, and a unique Nash equilibrium is shown to exist in which the degree of collaboration is proportional to the bet amount.
- A strategy-proof reward function: attackers cannot gain by misreporting their bet amounts.
- Budget balance: the total rewards paid out do not exceed the total amount the attackers put in.
- A mechanism-design approach is used to align incentives and to ensure individual rationality and fairness.
- Numerical simulations evaluate system behavior using the parameters θ (total bets relative to the sponsor's reward) and γ (attack cost relative to the reward).
Experimental Results
Research Questions
- RQ1: Can smart contracts enable coordinated, anonymous attacks against real-world targets without verifying individual contributions?
- RQ2: How can a trustless, incentive-compatible mechanism be designed so that attackers collaborate in proportion to their bet amounts?
- RQ3: Is the proposed reward mechanism strategy-proof, i.e., is it impossible for attackers to profit by misreporting their bet amounts?
- RQ4: Can the outcome of an attack be predicted and controlled by adjusting parameters such as the total bet amount and the attack cost?
- RQ5: Does the mechanism guarantee budget balance and fairness in reward distribution?
Main Findings
- In the unique Nash equilibrium, attackers collaborate in proportion to their bet amounts, keeping incentives aligned with contributions.
- At the same total betting level, a quadratic reward function attracts significantly more attack contribution than a linear one, achieving roughly 90% of the expected attack effect at θ = 1.
- At θ = 1, the quadratic scheme distributes 75% of the sponsor's reward while attackers bear about 80% of the total attack cost, indicating that the mechanism is both efficient and fair.
- As θ increases, both the attack effect and the fairness score improve, with fairness exceeding the expected attack threshold.
- As the attack cost γ rises, the required total bet θ also rises, which implies that defenders can deter attacks by raising the attacker's operational costs.
- Under moderate conditions the mechanism satisfies individual rationality: when θ and γ lie within feasible ranges, attackers expect non-negative utility.
This summary was generated by AI and reviewed by human editors.