Detection of malicious nodes based on consortium blockchain

SIoT and blockchain technologies and principles

This section focuses on two background technologies utilized in this article, which will be described in detail here.

Overview of blockchain technology

Blockchain technology initially originated from Bitcoin and is the core support technology for virtual digital currencies such as Bitcoin, aiming to solve the problem of how to build a “trust” ecosystem to meet the needs of activity occurrence and development in the absence of a credible centralized institution, as well as information asymmetry and uncertainty (Dong et al., 2023). Later, Vitalik Buterin pioneered Ether, and blockchain technology came to the smart contracts age, making the blockchain programmable and leading to the birth of decentralized applications (Buterin, 2014). Later, the open-source distributed ledger platform Superledger, directed and created by the Linux Foundation, opened the era of the blockchain’s consortium blockchain, allowing the blockchain to expand and extend to more areas (Pilkington, 2016; Dong et al., 2023). The underlying principle is a distributed ledger technology that forms a chain of continuously lengthening blocks of data by linking transaction records together in a kind of sequence, containing in each block the hash value of the previous block, forming a tamper-proof blockchain structure at a time. The blockchain is equivalent to a distributed database in every participant or trader’s computer node, and every transaction will be recorded on the blockchain (Abdelghani et al., 2016). This blockchain structure ensures data security, transparency, and comparability.

In this article, the consensus algorithm used by the consortium blockchain is the Proof of Authority (POA) algorithm, which uses a specific authenticator to validate and create new blocks rather than relying on computational power or token equity. POA algorithm can provide high performance and low energy consumption for SIoT systems. POA does not require many computational resources, and it can achieve efficient transaction processing speed and low energy consumption, which also realizes the lightweight nature of SIoT. Consortium blockchain can also bring more effective security protection mechanisms for SIoT’s data, giving SIoT safe and reliable information storage and management means. When the consortium blockchain is applied to SIoT, it should consider the node’s private data protection, lightweight security mechanism, malicious node detection and defense, automated access control policy, and system scalability. In this article, we focus on detecting malicious nodes and data privacy protection, and the specific detection method is to distinguish malicious nodes from normal nodes to provide a secure foundation for future work.

The security and efficiency of SIoT systems and the reduction of their costs can be significantly enhanced by applying a consortium blockchain to them. The advantages of consortium blockchain in SIoT are explored in this article.

1. Privacy protection: Consortium blockchain can ensure that sensitive data is only visible to authorized participants. This is important for situations involving personal privacy in SIoT;

2. Transaction transparency: consortium blockchain provides a transparent record of transactions, with all participants able to view the history of transactions, and this transparency can help build trust and be more traceable;

3. Consensus mechanisms: The POA consensus mechanism can ensure data consistency and credibility and prevent malicious nodes from damaging the system. This mechanism can provide high performance and improve system efficiency;

4. Smart contract enforcementfast trading and settlement: Consensus mechanisms and optimized design enable fast transaction confirmation and settlement, accelerating interaction and business processing between SIoT devices;

5. Data sharing and collaboration: The consortium blockchain can provide a secure data sharing and collaboration mechanism to promote cooperation between SIoT devices, such as joint monitoring and automated collaborative operation;

6. Reduced transaction costs: Automating processes and reducing intermediaries through smart contracts can reduce the cost of transactions and data processing and increase efficiency.

Definition of malicious node

In this section, we are going to define the malicious nodes.

(Definition) Malicious nodes: In the consortium blockchain based SIoT system, we will determine whether a node is a malicious node or not by a combination of delayed or negative services and categorize such nodes as malicious nodes.

(Definition) Delay service: Delayed service implies that there is an intentional delay in service or delay in transaction by the node. In specific data, the presence of delayed service in that node can be detected by our proposed algorithm.

(Definition) Interval: The distance between any behavioral record of a node and the most recent behavioral record of a node within the selected block interval is taken as the interval of the node.

(Definition) Negative service: Negative service exists for a node if there is an anomaly in the transaction interval of the node over a period of time.

In the consortium blockchain network, the operation record and operation time of each user can be obtained, in which each block can record the operation record of some users, and the record time has a sequential order. If a node has negative service in the specified block interval, the node may have malicious behavior in this operation. Anomalous intervals are reflected in excessive fluctuations in node operation intervals, as shown in Fig. 2. When the inter-block interval is significantly large between the eighth interaction, it can be deduced that the node produced a negative service during that period.

Handling delay algorithm

This chapter will specify the proposed node processing delay algorithm. It mainly reflects whether the interaction interval of distributed SIoT nodes over a period of time is abnormal or whether delayed services occur. In the consortium chain, the block number of each block is sorted in chronological order. In addition, each block has a corresponding hash address. The associated processing delay of that node can be calculated by obtaining the block number and hash address of each block and the operation records of each node.

Suppose A is an SIoT user on the consortium blockchain. In the selected time domain T(t), the collection of all operation records for A is X:

$$X=\{x_1,x_2,\dots ,x_n\}.$$

The operation interval can be expressed as:

$$Y=\{(x_2-x_1),(x_3-x_2),\dots ,(x_n-x_{n-1})\}=\{y_1,y_2,\dots ,y_{n-1}\}$$

$$Y_{\mathrm{a}\mathrm{v}\mathrm{g}}=\frac{1}{n-2}{\sum }_{n=1}^{n-2}Y.$$

So, the processing delay formula is as follows:

$$delay=\ln (|Y_{\mathrm{a}\mathrm{v}\mathrm{g}}-y_{n-1}|+1)\cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(Y_{\mathrm{a}\mathrm{v}\mathrm{g}}-y_{n-1})$$where sign(x) is the sign function, which returns the sign of the argument x, i.e.:

$$\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}(x)=\{\begin{array}{cc}-1\hfill & \mathrm{i}\mathrm{f}x<0\hfill \\ 0\hfill & \mathrm{i}\mathrm{f}x=0\hfill \\ 1\hfill & \mathrm{i}\mathrm{f}x>0\hfill \end{array}.$$

Delay is a mathematical calculation of the difference between a node’s transaction intervals and its historical average transaction intervals for all transactions. Our latency algorithm determines whether a node is anomalous by comparing the node itself with its history. A node is not directly determined to be malicious when its computational resources are low but rather when the node makes its historical average transaction interval change abnormally in a single transaction.

The evaluation criteria for the result are as follows: When the delay is greater than 0, the average interval in the time domain, except the last interval, is greater than the previous interval, indicating that the current service duration is longer than the average. Currently, the corresponding node A can be judged as the present positive; otherwise, node A is the recent negative. When the delay is much greater than 0, it can be seen that the last operation interval is positive. Still, if an operation before this period is negative, it is determined that the node is negative in this period. When the delay is much less than 0, the last operation interval is negative, but the previous operation interval is positive. Considering that distributed network nodes have some network delays, the delay of normal nodes should fluctuate around zero. Figure 3 shows the distribution of malicious and normal nodes with different delay values.

Data set introduction and preprocessing

In SIoT, user transactions and services play a crucial role. Transactions and services are regarded as essential carriers of economic activities and user value creation in SIoT, driving the development and prosperity of the entire SIoT ecosystem. By detecting transaction and service delays, user experience and system efficiency can be improved, and the stability and reliability of the SIoT system can be enhanced. Excessive service or transaction latency may lead to resource wastage and cost increase. For example, system resources are still occupied while the user is waiting, but no effective service can be provided, leading to wasted resources and increased costs. At the same time, protecting the privacy of SIoT users is fundamental to building trust and ensuring security. Our dataset focuses on transactions and services executed by SIoT nodes and captures only transparent and tamper-proof transaction data on the consortium blockchain. This not only ensures user privacy but also the trustworthiness and accuracy of transactions.

To stay close to the transaction or service process in SIoT, we build a consortium blockchain based on Ethereum technology, adopting PoA as the consensus algorithm. PoA is a highly efficient consensus mechanism that verifies the transaction and packages the blocks through authorized nodes, ensuring the security and high performance of the network. On our consortium blockchain, the nodes participating in the consensus are licensed, and this consensus mechanism can be better adapted to the needs of our specific scenarios while guaranteeing the decentralization and security of the consortium blockchain. We generate and record data by executing transactions and smart contracts on the consortium blockchain and then intercepting data from the consortium blockchain over time. We will compare the transaction data on the consortium blockchain to the transaction data between SIoT users, where each address account corresponds to the resource user in the SIoT system, and each transaction information recorded in the consortium blockchain is the information of the SIoT user’s transaction resources.

Nodes are required to obtain authoritative permission to join the consortium blockchain, which reduces the likelihood of malicious nodes joining the system. Our dataset is derived from real transaction data in Ethereum, an approach that ensures the authenticity and diversity of the data. As an open and transparent blockchain network, Ether’s transaction data has a high degree of authenticity and accurately reflects the actual transaction behaviour and patterns on the blockchain. Moreover, the dataset on Ether is very rich, representing all possible malicious nodes in the real world. It also ensures the immutability and authenticity of malicious node behaviour. Modelling this data onto the consortium blockchain allows you to make the dataset more representative, covering different types of transactions and usage, thus increasing the diversity and value of the data. The period data has a total of 634 blocks recording 100,000 transactions. Firstly, empty entries in the data are cleaned, valid from_address and block_number fields are extracted, and each address in from_address is used as an indexing condition. The corresponding block/number is added to the corresponding address. As shown in Fig. 4, we can get the transaction information of all operations related to each account address during this period.

At this time, the amount of data is compressed to 12,418 rows. After removing the rows with a number of transactions less than 2 in the period, there are 5,899 rows left, which reduces the occasionality of the experimental results. According to the processing delay algorithm mentioned in the previous chapter, the acquired block data is calculated using the algorithm, and finally, the delay value and interval value are obtained. As shown in Fig. 5.

The scatter plot is shown in Fig. 6; the horizontal axis represents the block processing interval of the node, and the vertical axis represents the delay value obtained by the node through the algorithm.

Specific experiment and analysis

In SIoT, an encounter history-based discovery approach is mainly used: objects are discovered by exploiting the long-term social relationships between them (i.e., things that have been frequently encountered or encountered in the past). Therefore, the objects in SIoT are to be analyzed through historical data, and the malicious nature of the nodes obtained in the previous section is used to distinguish between malicious and normal nodes. Firstly, the K-means algorithm and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) algorithm in the unsupervised learning clustering algorithm are used to cluster the data. Then, the most reasonable algorithmic scheme is selected by comparing the resultant effects of the two algorithms.

K-means clustering: The algorithm divides the data set into K distinct clusters, each representing a data set. The algorithm’s goal is to minimize the sum of the square distance between the data and the center point of the cluster to which it belongs. Therefore, the clustering method must set the k value to distinguish the malicious node cluster from the normal node cluster. Considering that different k values can produce other clustering effects, we use the Elbow Method, Silhouette Coefficient Score, and Calinski-Harbasz Score to compare and analyze the best k value.

Elbow method: The elbow method selects the optimal K value by drawing the relationship between the number of clusters K and the corresponding sum of squares within the cluster, usually choosing the K value at the inflection point as the optimal number of clusters. As shown in Fig. 7, its inflection point should be at k = 2, and then the value of k is selected as 2.

Silhouette coefficient score: The Silhouette coefficient score measures cluster density and separation in the range of [−1, 1]. The larger the value is, the better the cluster distribution is. As shown in the Fig. 8, when k = 2, its score is the highest, then the k value is chosen as 2.

Calinski-Harbasz score: Calinski-Harabasz score is an index used to evaluate cluster quality. The higher the score, the more compact and dispersed the clusters are. As shown in the Fig. 9, when k = 2, its score is the highest, and the k value is chosen as 2.

To summarize, k-means clustering works best when the value of k is assigned to 2, so the value of k is assigned to 2. Its clustering result graph is shown in the following Fig. 10: Blue polka dots with gold border markers are normal nodes, and grey squares with black trim markers are malicious nodes.

DBSCAN clustering: DBSCAN is a density-based clustering algorithm that identifies regions with sufficiently high density and treats these regions as clusters. DBSCAN does not require a predetermined number of clusters. It can find clusters of arbitrary shape and recognize noisy points (points that do not belong to any cluster). The clustering algorithm has two parameters centered on the initial matter, the radius of the field of that point R and the minimum number of points in the area MinPoints. Since the method is a density-based unsupervised clustering method, no specific evaluation metric exists. However, in the previous chapter, the evaluation criteria for processing delay algorithms were analyzed, i.e., nodes with delay fluctuating around 0 are normal nodes. In contrast, the evaluation criteria for interval is judged by the block intervals, where the smaller the interval, the more positive the node is, and vice versa, the more negative the node is. To better realize the clustering, The data scatter plot is divided into four parts, with blue dot nodes representing services that are faster than average and have shorter-than-average service intervals, grey star areas representing services that are faster than average but have longer-than-average service intervals, orange triangle nodes representing services that are slower than average but have shorter-than-average service intervals, and Black square nodes representing services that are slower than average but have shorter-than-average service intervals. As shown in Fig. 11.

Next, each of the four areas is clustered according to the DBSCAN algorithm steps through the optimization of the parameters, in which Area A should be all normal nodes; R in Area B is set to 15, and MinPoints is set to 15; R in Area C is set to 10, and MinPoints is set to 20; R in Area D is set to 10, and MinPoints set to 15. The final result is obtained by clustering, where the blue polka with black trim means that the node is judged as a malicious node in the current time period, and the grey squares with black trim is the opposite. As shown in Fig. 12.

Based on the analysis of the results obtained by the two clustering algorithms, the density-based clustering algorithm DBSCAN algorithm can classify the processing delay as the evaluation criterion. In contrast, the distance-based clustering k-means algorithm can obtain the best classification effect under binary classification. Still, the generated results do not consider the evaluation criterion of processing delay. Therefore, considering the processing delay algorithm and interval, the clustering effect of the DBSCAN algorithm is the most satisfactory.

The final clustering result will get a data set, one of which is a malicious node and one of a normal node. The two data sets are set to Boolean type format, where True indicates normal node and False indicates malicious node. It also includes the original transaction address and the corresponding consortium blockchain address. Data upload: The data is uploaded to the consortium blockchain through the smart contract function, receives the original transaction address, and stores it in the smart contract. And write a query function or interface, allowing users to query the corresponding consortium blockchain address through the original transaction address. As shown in Algorithm 1.

We take the data obtained from clustering and uplink it through smart contracts. In this algorithm, OAddress represents the original address, AAddress represents the on-blockchain address, and Bvalue represents the Boolean value of the two kinds of data. The specific process of the smart contract algorithm is:

1. Create mapping variable address mapping to store the mapping from the original address to the consortium blockchain address;

2. Create the mapping variable booleanMapping to store the mapping from the original address to the Boolean value.;

3. Firstly, it detects whether the data in the dataset is empty; if it is empty, it means that the data up-chaining is finished. When it is not empty, store the mapping from the original address to the address on the blockchain in addressMapping and store the boolean value of the original address in booleanMapping. Read the corresponding consortium blockchain address from address mapping based on the original address. Read the boolean value from booleanMapping according to the original address, then check whether the original address and the address on the blockchain are the same; if they are the same, then the boolean value will be uplinked to the corresponding address of the consortium blockchain, and repeat this operation until the dataset is empty;

After we create the mapping, the time complexity of its lookup is O(1), significantly improving the lookup efficiency. Also, storing the data in the blockchain provides the following advantages.

1. Sharing data and cooperation: Allowing multiple organizations to co-manage and share data facilitates cross-organizational collaboration, where parties can view, verify, and participate in transactions on the blockchain. On the blockchain, not only can trust be built, but also the cost of cooperation and efficiency can be reduced;

2. Data traceability and non-tampering: Blockchain technology ensures the immutability of data, which cannot be altered once uploaded. This helps ensure trust in the data and reduces the risk of fraud and data tampering;

3. Privacy and security: Consortium blockchain offers a higher level of privacy and security compared to public blockchain, where only authorized nodes can process transactions on the blockchain;

4. Smart contract enforcement: Smart contracts on the consortium blockchain can automate business logic and perform operations based on predefined conditions. This helps to reduce human error, increase efficiency, and reduce operational costs.

In this article, the data of the malicious node will be recorded on the consortium blockchain after it is uploaded. Thus, it will be tamper-proof and provide a transparent history. This is crucial for detecting malicious nodes and behaviors and avoiding tampering or falsifying data. At the same time, the consortium chain offers a platform for multiple participants to share trusted data. SIoT users can share data and work together to detect malicious nodes, creating a win-win situation for cooperation and facilitating users to judge whether to conduct a transaction at a node by checking whether the node has any negative behaviors and, thus, whether to complete the transaction at that node. Finally, uplinking ensures auditable and traceable data and provides a reliable way for other users to discover better service providers.

Comparative analysis of experiments

We use real malicious node data for detection and comparison and form 100 consortium blockchain nodes through laboratory equipment, through which transactions or services are executed. We designed 20 true malicious nodes out of 100, mainly through delayed attacks, transaction interval attacks, denial of service attacks, negative transport attacks, and hybrid attacks. These nodes form a history through transactions on the consortium blockchain, which contains thousands of transaction histories of the nodes, and we detect the nodes through their history. We have collected a large amount of data, amounting to thousands, on each node. This data contains information about the communication, interaction and behaviour between nodes and is key to our research. Our goal is to use this data to validate the effectiveness of our proposed approach in defending against specific types of attacks, and to ensure that our experimental results are reliable and reproducible. By adequately collecting and analysing a large amount of data, we can gain a comprehensive understanding of the effectiveness of our approach (Frustaci et al., 2017). The main attack modes are as follows:

1. Delay attack (Wei, Yuan & Zheng, 2018): Nodes deliberately send transactions or messages with different delays to the network;

2. Transaction interval attack (Narang & Kar, 2021): Nodes interfere with the network by inserting abnormal time intervals in transactions;

3. Denial of service attacks (Lau et al., 2000): In a denial of service attack, a malicious node attempts to disrupt normal network communication by sending a large number of invalid transaction requests;

4. Negative transmission attack (Yin et al., 2022): In a negative transmission attack, a malicious node intentionally discards valid data transmitted by other nodes, thereby interfering with network communication or causing data loss;

5. Hybrid attacks (Liu et al., 2021): Multiple attacks occur simultaneously, such as sending a large number of invalid requests while dropping valid transaction data transmitted by other nodes.

Using a combination of these methods, a wide range of malicious behaviours can be simulated, which helps in evaluating the robustness and efficacy of malicious node detection methods. We have successfully detected the simulated malicious nodes using the proposed model. As shown in Fig. 13.

During our detection process, we set the tag value of the malicious node to 1 in advance and at the same time, we set the tag value of the node that is detected as malicious to −1. As shown in the Table 1, we will compare the real malicious node with the detected malicious nodes shown in the table. Where Est equal to −1 means detected malicious node and Label equal to 1 means real malicious node. We can clearly see that 18 nodes are detected as malicious nodes, and the remaining 82 nodes are normal nodes, as shown in Table 2. We can see that there are 18 pre-set malicious nodes that are detected as malicious nodes through our model. The accuracy of this test was ninety per cent. The results show that our proposed method is effective in malicious node detection.