Eclipse Attack Detection on a Blockchain Network as a Non-Parametric Change Detection Problem

Anurag Gupta and Vikram Krishnamurthy and Brian Sadler Anurag Gupta is with the School of Electrical & Computer Engineering, Cornell University, Ithaca NY, 14853, USA. (e-mail: [email protected]).Vikram Krishnamurthy is with the School of Electrical & Computer Engineering, Cornell University, Ithaca NY, 14853, USA. (e-mail: [email protected]).Brian Sadler is with DEVCOM Army Research Laboratory, Adelphi, Maryland, U.S. (e-mail: [email protected])

Abstract

This paper introduces a novel non-parametric change detection algorithm to identify eclipse attacks on a blockchain network; the non-parametric algorithm relies only on the empirical mean and variance of the dataset, making it highly adaptable. An eclipse attack occurs when malicious actors isolate blockchain users, disrupting their ability to reach consensus with the broader network, thereby distorting their local copy of the ledger. To detect an eclipse attack, we monitor changes in the Fréchet mean and variance of the evolving blockchain communication network connecting blockchain users. First, we leverage the Johnson-Lindenstrauss lemma to project large-dimensional networks into a lower-dimensional space, preserving essential statistical properties. Subsequently, we employ a non-parametric change detection procedure, leading to a test statistic that converges weakly to a Brownian bridge process in the absence of an eclipse attack. This enables us to quantify the false alarm rate of the detector. Our detector can be implemented as a smart contract on the blockchain, offering a tamper-proof and reliable solution. Finally, we use numerical examples to compare the proposed eclipse attack detector with a detector based on the random forest model.

I Introduction

Blockchain, an immutable ledger distributed across multiple users [1], relies on consensus among its users to share data. This paper studies adversarial attacks on blockchains, with a specific focus on eclipse attacks [2]. In an eclipse attack, malicious users isolate a victim user, disrupting their ability to reach a consensus with the rest of the network. For example, if a user has eight incoming connections from other users, and an attacker controls all eight of those nodes, the attacker can refuse to relay any new blocks that rest of the network produce. Hence, detecting eclipse attacks are crucial for safeguarding blockchain networks.

Main Results and Organization

To detect an eclipse attack, we propose a non-parametric change detection algorithm that identifies changes in the Fréchet mean and variance [3] (these are topological generalizations of mathematical expectation and variance) within a sequence of randomly evolving blockchain communication networks (BCNs). We exploit the Johnson-Lindenstrauss (JL) lemma [4] to extract essential features from the large-dimensional BCN, ensuring that the test statistic is approximately preserved. In blockchain, a smart contract is a computer program that automatically executes a task based on a pre-specified conditions. Our proposed detector can be implemented as a smart contract on blockchain to detect an eclipse attack using a network monitor; this information can then be relayed to the blockchain users.

Sec.II formulates eclipse attack detection as a change detection problem on a space of directed graph and describes our proposed detector. In Sec.III, we analyze the performance of the detector using weak convergence methods. Specifically, Theorem 1 shows that the scaled detector statistic converges weakly to a Brownian bridge process. As a result we can explicitly determine the false alarm by calculating the quantiles of a Brownian bridge. In the presence of an eclipse attack, Theorem 2 estimates the onset of the eclipse attack. Finally, Theorem 3 shows the effect of the JL lemma on the false positive alarm rate of the detector.

Sec.IV assesses the performance of our eclipse attack detector using numerical examples on simulated datasets. We also provide numerical examples comparing the proposed eclipse attack detector and a detector based on the random forest model (RFM).

Related Works

In the literature, several detectors have been proposed for detecting eclipse attacks. [5] and [6] utilize random forest classification to analyze communication traffic and train their models on eclipse attack datasets. [7] employs deep learning technique for detecting eclipse attacks. [8] uses the blockchain’s block creation rate as a detection metric. [9] monitors change in the proof-of-work difficulty levels to identify eclipse attacks.

Related to attack mitigation, a peer selection strategy introduced by [10] offers a way to reduce the likelihood of eclipse attacks. Eclipse attacks share similarities with Sybil attacks [11] and routing attacks [12], both of which can impact the integrity of the blockchain consensus protocol.

Our eclipse attack detection approach distinguishes itself by not requiring training data. Instead, we employ statistical tools from [3], which offer a generalized solution for change detection in arbitrary object spaces. We identify eclipse attacks by tracking changes in the Fréchet mean and variance within the sequence of randomly evolving BCN.

II Detecting Eclipse Attack on a Blockchain Network

In this section, we formulate detecting eclipse attacks on a blockchain network as a change detection problem and present our detection algorithm.

II-A Model for Eclipse Attack

We begin by modeling the BCN as a directed graph and defining its adjacency matrix.

Definition 1.

A BCN is represented as a directed graph $G=(V,E)\in\mathcal{G}$ , where $\mathcal{G}$ is the graph space comprising $p$ vertices. Each vertex has $q$ outgoing edges.

The adjacency matrix $A_{G}\in\mathbb{R}^{|V|\times|V|}$ of the BCN $G$ is defined as follows:

\displaystyle A_{G}(i,j)=\begin{cases}1,&\text{$\exists$ an edge from the % vertex $j$}\\ &\text{to the vertex $i$}\\ 0,&\text{otherwise}\end{cases}

(1)

Consensus in blockchain relies on peer-to-peer (P2P) communication. The BCN serves to illustrate the flow of information among blockchain users. In the absence of an eclipse attack, the BCN at each time $t$ resembles a random graph with uniform distribution. Here, each user simply selects $q$ neighbors in a random and uniform manner to share information. However, during an eclipse attack, malicious users target victim users with substantial computational power. These malicious actors choose their neighbors in a non-uniform manner to disrupt the consensus of the victim users.

In this work, we assume: (1) When all users select their neighbour honestly using the blockchain communication protocol, the random BCN $G$ follows an unknown but fixed distribution $P_{1}$ . (2) The eclipse attack strategy is time-invariant¹¹1For an eclipse attack, multiple malicious users must communicate continuously with the victim user(s). A complex eclipse attack strategy can slow the communication rate and make the attack ineffective. Therefore, the assumption of a time-invariant eclipse attack strategy is justified.. Consequently, in the presence of an eclipse attack, the BCN $G$ follows an unknown but fixed distribution $P_{2}$ . For instance, a common eclipse attack strategy employed by malicious users is to choose the victim users as their neighbors with a significantly higher probability compared to other users. Now, let’s provide a formal definition of our model for the eclipse attack.

Definition 2 (Eclipse attack).

A blockchain is free from an eclipse attack if the random BCN, as represented by the graph $G$ (Definition 1), is sampled from $\mathcal{G}$ following the distribution $P_{1}$ . Conversely, a blockchain is under an eclipse attack if the random graph $G$ is sampled from $\mathcal{G}$ following the distribution $P_{2}$ .

Example. Consider a blockchain network with $p$ blockchain users, each of whom selects $q$ neighbors for consensus. An example of the distribution $P_{1}$ is when each of the neighbors in the BCN is selected uniformly at random, i.e.,

\displaystyle\operatorname{Pr}{\left(A_{G}(i,j)=1\right)}=\frac{q}{p}\quad% \text{s.t. }\sum_{i}A_{G}(i,j)=q,\forall j

where, $q$ is defined in Definition 1.

Now, let’s consider an example of the distribution $P_{2}$ . Here, $r$ malicious blockchain users, denoted as $v_{p-r-1},v_{p-r},\ldots,v_{p}\in V$ , choose $v_{1}\in V$ as their victim.

For $j=v_{p-r-1},v_{p-r},\ldots,v_{p}\in V$

	$\displaystyle\operatorname{Pr}{\left(A_{G}(i,j)=1\right)}$	$\displaystyle>\frac{q}{p},\quad i=v_{1}$
	$\displaystyle\operatorname{Pr}{\left(A_{G}(i,j)=1\right)}$	$\displaystyle<\frac{q}{p},\quad\text{otherwise}$

For $j\neq v_{p-r-1},v_{p-r},\ldots,v_{p}\in V$

\displaystyle\operatorname{Pr}{\left(A_{G}(i,j)=1\right)}

\displaystyle=\frac{q}{p}\quad\text{s.t. }\sum_{i}A_{G}(i,j)=q,\forall j

In this example, the victim user heavily depends on information provided by attackers to keep up with the current state of the blockchain. As a result, the victim’s local copy of the distributed ledger no longer aligns with the majority consensus of the blockchain network.

II-B Eclipse Attack Detection Problem

We now formulate the eclipse attack detection problem as a change detection problem. The proposed detector operates on an offline dataset of BCNs²²2Note that changes in the BCN occurs at a faster rate than the addition of new blocks to the blockchain. This allows us to observe a substantial sample of BCNs before a double spend attack resulting from an eclipse attack is achieved. Therefore, using offline datasets for eclipse attack detection is practical.; the BCN can be monitored using a network monitor. We formulate the eclipse attack detection problem as a hypothesis testing problem.

Definition 3 (Eclipse attack detection problem).

Let the sequence of random graphs $\{G_{i}\in\mathcal{G},\;i=1,2,\ldots,N\}$ denote the sequence of BCNs observed. The eclipse attack detection problem on a blockchain network is the following hypothesis testing problem

\displaystyle\begin{aligned} H_{0}&:G_{1},G_{2},\ldots,G_{N}\sim P_{1}\\ H_{1}&:\exists\;\tau\in\{1,\ldots,N\}\\ &s.t.\>\left\{\begin{array}[]{l}G_{1},G_{2},\ldots,G_{\tau-1}\sim P_{1}\\ G_{\tau},G_{\tau+1},\ldots,G_{N}\sim P_{2}\end{array}\right.\end{aligned}

(2)

Here, $\tau$ denotes the the onset of the eclipse attack on the blockchain network. The eclipse attack detection problem (2) is a change detection problem on a space of directed graphs.

II-C Test Statistic for Detecting Eclipse Attack

In this section, we present a test statistic to solve the eclipse attack detection problem (2). The proposed test statistic estimates changes in the mean and variance of the sequence of BCNs. However, the communication network do not lie in the Euclidean space. So, we use the concept of Fréchet mean and variance [3], a topological generalization of mean and variance³³3Fréchet mean $\mu$ and Fréchet variance $V$ of a probability measure $P$ is defined as follow: $\displaystyle\mu=\arg\min_{\omega\in\mathcal{G}}\mathbb{E}\left[d^{2}(G,\omega% )\right],\quad V=\min_{\omega\in\mathcal{G}}\mathbb{E}\left[d^{2}(G,\omega)\right]$ Here, $G\sim P$ denotes a random object with probability measure $P$ ; $\mathcal{G}$ denotes the sample space of the random object $G$ ; and $d$ denotes a suitable choice of distance metric on the space $\mathcal{G}$ .. To calculate the Fréchet mean and variance, we define a distance metric $d$ on the space of the BCN $\mathcal{G}$ (Definition 1). This metric measures the dissimilarity between two BCNs $G_{1}$ and $G_{2}$ using the Frobenius norm.

Definition 4.

The distance $d$ between two BCNs $G_{1},G_{2}\in\mathcal{G}$ , (Definition 1), is defined as the Frobenius norm⁴⁴4Our model assumes that the number of users in the blockchain is fixed. Hence, distance between two BCNs is well-defined. of the difference between their adjacency matrices (1).

\displaystyle d(G_{1},G_{2})

\displaystyle=\left(\sum_{i,j}|A_{G_{1}}(i,j)-A_{G_{2}}(i,j)|^{2}\right)^{% \frac{1}{2}}

(3)

The test statistic partitions the sequence of BCNs into two parts. The goal is to determine if the BCNs in these two components are sampled from the same or distinct distributions. To achieve this, the test statistic examines the Fréchet mean and variance of the BCNs in each component.

Under the null hypothesis $H_{0}$ (2), i.e., absence of an eclipse attack on the blockchain network, the Fréchet mean and variance of the BCNs in both parts are the same. Conversely, under the alternate hypothesis $H_{1}$ (2), the Fréchet mean and variance of the BCNs in these parts differ, signaling the presence of an eclipse attack.

Before introducing our test statistic for eclipse attack detection, we define several mathematical quantities that rely on the adjacency matrices $A_{G_{i}},\;i=1,2,\ldots,N$ of the sequence of BCNs. We also introduce the term $n$ , which represents an estimate for the change point $\tau$ in the eclipse attack detection problem (2). For each $n\in\{1,\ldots,N-1\}$ , we proceed to define these quantities and present our test statistic.

$\displaystyle\hat{\mu}_{n}$	$\displaystyle:=\arg\min_{\omega\in\mathcal{G}}\frac{1}{n}\sum_{i=1}^{n}d^{2}% \left(G_{i},G_{\omega}\right)$
$\displaystyle\hat{V}_{n}$	$\displaystyle:=\frac{1}{n}\sum_{i=1}^{n}d^{2}\left(G_{i},\hat{\mu}_{n}\right)$
$\displaystyle\hat{\mu}_{N-n}$	$\displaystyle:=\arg\min_{\omega\in\mathcal{G}}\frac{1}{(N-n)}\sum_{i=n+1}^{N}d% ^{2}\left(G_{i},G_{\omega}\right)$
$\displaystyle\hat{V}_{N-n}$	$\displaystyle:=\frac{1}{(N-n)}\sum_{i=n+1}^{N}d^{2}\left(G_{i},\hat{\mu}_{N-n}\right)$
$\displaystyle\hat{V}_{n}^{C}$	$\displaystyle:=\frac{1}{n}\sum_{i=1}^{n}d^{2}\left(G_{i},\hat{\mu}_{N-n}\right)$
$\displaystyle\hat{V}_{N-n}^{C}$	$\displaystyle:=\frac{1}{N-n}\sum_{i=n+1}^{N}d^{2}\left(G_{i},\hat{\mu}_{n}\right)$
$\displaystyle\hat{\mu}$	$\displaystyle:=\arg\min_{\omega\in\mathcal{G}}\frac{1}{N}\sum_{i=1}^{N}d^{2}% \left(G_{i},G_{\omega}\right)$
$\displaystyle\hat{V}$	$\displaystyle:=\frac{1}{N}\sum_{i=1}^{N}d^{2}\left(G_{i},\hat{\mu}\right)$
$\displaystyle\hat{\sigma}^{2}$	$\displaystyle:=\frac{1}{N}\left[\sum_{i=1}^{N}d^{4}\left(G_{i},\hat{\mu}\right% )-\hat{V}^{2}\right]$	(4)

The test statistic compares the Fréchet mean and variance of the BCNs $G_{1},G_{2},\ldots,G_{n}$ and $G_{n+1},G_{n+2},\ldots G_{N}$ .

Definition 5 (Test statistic for detecting an eclipse attack).

Let $n$ denote the estimate for the change point $\tau$ in the eclipse attack detection problem (2). The test statistic $S_{n,N}$ is defined as follows:

\displaystyle\begin{aligned} S_{n,N}&=\frac{n(N-n)}{N^{2}\hat{\sigma}^{2}}% \left\{\left(\hat{V}_{n}-\hat{V}_{N-n}\right)^{2}+\right.\\ &\left.\left(\hat{V}_{n}^{C}-\hat{V}_{n}+\hat{V}_{N-n}^{C}-\hat{V}_{N-n}\right% )^{2}\right\}\end{aligned}

(5)

Here, $\hat{V}_{n},\hat{V}_{N-n}^{C}\hat{V}_{n}^{C},\hat{V}_{N-n}^{C},\hat{\sigma}^{2}$ are defined in (II-C).

The test statistic $S_{n,N}$ in (5) comprises two terms: the first term estimates the change in Fréchet variance, while the second term estimates the change in the Fréchet mean of the BCNs in the two components.

II-D Dimensionality Reduction of the Adjacency Matrices

In this section, we use the JL lemma to to reduce the dimension of the adjacency matrix. Remember that the proposed test statistic (5) is computed using the sequence of adjacency matrices for the BCNs. The number of elements in the adjacency matrix grows as the square of the number of blockchain users. Hence, it is necessary to reduce the dimension of the adjacency matrices $A_{G}$ to decrease the computational cost of the test statistic $S_{n,N}$ (5). In this work, we leverage the JL lemma to project the adjacency matrices of BCNs into a lower-dimensional subspace while approximately preserving the test statistic.

Lemma 1 (Johnson-Lindenstrauss (JL) lemma).

Given any $\epsilon\in(0,1)$ and an integer $N$ , let $k$ be a positive integer satisfying $k\geq\frac{24}{3\epsilon^{2}-2\epsilon^{3}}\log N$ . For any set $A$ containing $N$ points in $\mathbb{R}^{m}$ , there exists a map** $f:\mathbb{R}^{m}\rightarrow\mathbb{R}^{k}$ such that for all $x,y\in A$ , the following inequality holds: $(1-\epsilon)\|x-y\|^{2}\leq\|f(x)-f(y)\|^{2}\leq(1+\epsilon)\|x-y\|^{2}$

The linear map $f$ in Lemma 1 can be found using random projections in randomized polynomial time [13]. Now, we apply the JL lemma on the adjacency matrices to obtain the projected adjacency matrices.

Definition 6 (Projected adjacency matrices).

The projected adjacency matrices, denoted as $\tilde{A}_{G_{i}},\;i=1,2,\ldots,N$ for the BCNs $G_{i}\in\mathcal{G},\;i=1,2,\ldots,N$ , are obtained by applying the JL lemma (Lemma 1) to the adjacency matrices $A_{G_{i}},\;i=1,2,\ldots,N$ (1), with an appropriately chosen value of $\epsilon$ . Equivalently,

\displaystyle\tilde{A}_{G_{i}}=f(A_{G_{i}}),i=1,2,\ldots,N

(6)

where the linear map $f$ satisfies Lemma 1.

Comparison between the Adjacency Matrix $A_{G}$ of the BCN And The Projected Adjacency Matrix $\tilde{A}_{G}$

To apply the JL lemma (Lemma 1), we first vectorize the adjacency matrix $A_{G}$ . Denote the vectorized $A_{G}$ as $X$ . Then, we compute a suitable linear transformation $Q$ that satisfies the JL lemma for the chosen value of $\epsilon$ . Now, $Y=QX\Rightarrow\mathbb{E}\left[Y\right]=Q\mathbb{E}\left[X\right]\Rightarrow% \Sigma_{Y}=Q\Sigma_{X}Q^{\intercal}$ . As the proposed non-parametric statistical detector detects a change in the mean and the variance of the adjacency matrices of the random BCNs, we can use the projected adjacency matrix $\tilde{A}_{G}$ to compute the test statistic. This is because the mean of the projected adjacency $\tilde{A}_{G}$ is a linear transformation of the mean of the adjacency matrix $A_{G}$ , and the variance of the projected adjacency matrix $\tilde{A}_{G}$ is similar to the variance of the adjacency matrix $A_{G}$ .

II-E Algorithm for Detecting Eclipse Attack

Having developed the necessary mathematical tools, we present the eclipse attack detection algorithm. Algorithm 1 outlines the steps in this algorithm. Given the large dimension of the BCN, we initially employ the JL lemma to reduce dimensionality while approximately preserving the test statistic defined in (5). We also assume that the eclipse attack do not occur near the endpoints⁵⁵5We assume that the eclipse attack do not occur near the endpoints of the sequence of communication networks. To detect an eclipse attack near the endpoints, the detector can use an overlap** sequence of BCNs, ensuring that the attack takes place away from the endpoints for at least one batch. Alternatively, one can refine the test statistic to detect an eclipse attack near endpoints (as explored in [14]), a topic we plan to investigate in future research. , i.e., $\tau\in\mathbb{I}^{+},\frac{\tau}{N}\in(\delta,1-\delta)$ for some $\delta>0$ .

Algorithm 1 Algorithm for detecting an eclipse attack on a blockchain network

1:Sequence of adjacency matrices

A_{G_{i}},\;i=1,2,\ldots,N

of the random BCNs

G_{i}\in\mathcal{G},\;i=1,2,\ldots,N

at time

t=1,2,\ldots,N

, respectively (Definition 3).

2:Dimensionality reduction: Compute the projected adjacency matrices

\tilde{A}_{G_{i}},\;i=1,2,\ldots,N

(6) using the JL lemma.

3:Test statistic: Compute the test statistic

S_{n,N}

(5) using the projected adjacency matrices

\tilde{A}_{G_{i}},\;i=1,2,\ldots,N

for

n=1,2,\ldots,N-1,\frac{n}{N}\in(\delta,1-\delta)

for some

\delta>0

4:Asymptotic quantile: Choose a level of significance

\alpha\in[0,1]

. Compute

q_{1-\alpha}=(1-\alpha)

quantile of the distribution

\max_{n\in\{1,2,\ldots,N-1\},\frac{n}{N}\in(\delta,1-\delta)}\mathcal{B}^{2}% \left(\frac{n}{N}\right)

. Here,

\mathcal{B}(t)

is a Brownian bridge process on

[0,1]

with the covariance function

C(t_{1},t_{2})=1

for

0\leq t_{1}\leq t_{2}\leq 1

5:if

\max_{n\in\{1,2,\ldots N-1\},\frac{n}{N}\in(\delta,1-\delta)}NS_{n,N}<q_{1-\alpha}

then return No eclipse attack detected.

6:else return Eclipse attack detected at time

n^{*}:=\operatorname*{arg\,max}_{n\in\{1,2,\ldots,N-1\},\frac{n}{N}\in(\delta,% 1-\delta)}S_{n,N}

7:end if

Let $k$ denote the dimension of the adjacency matrices. Then, the complexity of the Algorithm 1 is $O\left(N^{2}k+N|\mathcal{G}|\right)$ , where $\mathcal{G}$ is defined in (1).

To summarize, we designed an algorithm to detect an eclipse attack on a blockchain network. The proposed test statistic was based on Fréchet change detection [3]. We also used the JL lemma to reduce the dimension of the BCNs.

III Weak Convergence Analysis of Eclipse Attack Detector

In this section, we analyze the test statistic for the proposed eclipse attack detector (Algorithm 1). Under $H_{0}$ (absence of an eclipse attack), we prove that a scaled test statistic converges weakly to the square of a Brownian bridge process. Under $H_{1}$ (presence of an eclipse attack), we show that the peak of the test statistic estimates the onset of the eclipse attack.

III-A Weak Convergence of Test Statistic

Our first result (Theorem 1) analyzes the asymptotics of the test statistic $S_{n,N}$ (5) under the null hypothesis $H_{0}$ (2), i.e., absence of an eclipse attack on the blockchain network. Note that $\{S_{n,N},n=1,2,\ldots,N-1\}$ (5), represents a discrete-time stochastic process. As is customary in weak convergence analysis [15, 16], we first construct a continuous time stochastic process $S_{N}(Nt)$ by interpolating the discrete time test statistic process $\{S_{n,N}\}$ .

	$\displaystyle S_{N}(Nt)$	$\displaystyle=S_{n,N}$		(7)
		$\displaystyle\text{ for }Nt\in[n,n+1),\;n=0,1,\ldots,N-1$

The continuous time process $S_{N}(Nt)$ has sample paths in the function space $D[0,1]$ , namely the space of functions that are continuous on the right with limit on the left (cadlag functions). We define a scaled test statistic continuous time stochastic process $T_{N}(t)$ as follows:

\displaystyle T_{N}(t):=NS_{N}(Nt)

(8)

Theorem 1 shows that as $N\rightarrow\infty$ , the scaled test statistic continuous time stochastic process $T_{N}(t)$ converges weakly (in Skorohod metric [17]) to the square of a Brownian bridge stochastic process. Note that the weak convergence approach deals with the convergence of scaled sequences of the test statistic that are treated as stochastic processes rather than random variables. Thus, the weak convergence approach specifies convergence for the entire trajectory of the test statistic of the detection algorithm.

Theorem 1.

Assume that the eclipse attack do not occur near the endpoints, i.e., $\frac{\tau}{N}\in[\delta,(1-\delta)]$ for some $\delta>0$ , where $\tau$ is defined in (2). Then, under $H_{0}$ (absence of an eclipse attack), the scaled test statistic (8) process converges weakly:

	$\displaystyle T_{N}(t)$	$\displaystyle\Rightarrow\mathcal{B}^{2}(t)$
Also, the continuous map** theorem implies
	$\displaystyle\max_{t\in[\delta,(1-\delta)]}T_{N}(t)$	$\displaystyle\Rightarrow\max_{t\in[\delta,(1-\delta)]}\mathcal{B}^{2}(t)$

Here $\Rightarrow$ denotes weak convergence⁶⁶6 Weak convergence in functional space is a generalization of the weak convergence in distribution for random variables. A sequence of probability measures $\mu_{n}$ converges weakly to the probability measure $\mu$ if, for all bounded and continuous test functionals $f$ , the expected value of $f$ with respect to $\mu_{n}$ converges to the expected value of $f$ with respect to $\mu$ , i.e., $\mathbb{E}_{\mu_{n}}[f]\rightarrow\mathbb{E}_{\mu}[f]$ . ; $\mathcal{B}$ is a standardized Brownian bridge process⁷⁷7A standardized Brownian bridge on $[0,T]$ is a continuous-time stochastic process whose probability distribution is the conditional probability of the Weiner process $W(t)$ subject to the condition that $W(0)=W(T)=0$ with the covariance function $C(t_{1},t_{2})=1,\,0\leq t_{1}\leq t_{2}\leq 1$ . with the covariance function $C(t_{1},t_{2})=1,\,0\leq t_{1}\leq t_{2}\leq 1$ .

Proof.

Appendix A of the supplementary material. ∎

Convergence to a Brownian bridge instead of Brownian process in Theorem 1 is intuitive because $T_{N}(t)\propto t(1-t)$ . Theorem 1 is used in steps 3-4 of Algorithm 1 to detect an eclipse attack. In practice, we declare the presence of an eclipse attack on a blockchain network if the maximum of the scaled test statistic exceeds the $0.95$ quantile, denoted as $q_{0.95}$ , of the distribution $\max_{t\in[\delta,1-\delta]}\mathcal{B}^{2}(t)$ .

Our second result (Theorem 2 below) investigates the test statistic $S_{N}(Nt)$ (5) under $H_{1}$ (2), i.e., presence of an eclipse attack on the blockchain network. This result estimates the onset of the eclipse attack. Before presenting the theorem, we need to define the limiting test statistic $S(Nt)$ :

\displaystyle S(t):=\lim_{N\rightarrow\infty}S_{N}(Nt)

(9)

Here, the test statistic $S_{N}(Nt)$ converges to $S(t)$ in probability [3].

Theorem 2.

Assume that the eclipse attack do not occur near the endpoints, i.e., $\frac{\tau}{N}\in[\delta,(1-\delta)]$ for some $\delta>0$ , where $\tau$ is defined in (2). Then, under $H_{1}$ (presence of an eclipse attack), the maximum of the limiting test statistic $S(Nt)$ defined in (9) occurs at the onset, $\tau$ of the eclipse attack:

\displaystyle\lim_{N\rightarrow\infty}\frac{\tau}{N}=\operatorname*{arg\,max}_% {t\in[\delta,(1-\delta)]}S(t)

Let $\tau_{N}=N\arg\max_{t\in[\delta,(1-\delta)]}S_{N}(Nt)$ where $S_{N}(Nt)$ is defined in (7). Then for $\gamma>0$ the following holds

\displaystyle\begin{aligned} \operatorname{Pr}{\left(\left|\frac{{\tau}_{N}-% \tau}{N}\right|>\gamma\right)}\rightarrow 0\end{aligned}

Proof.

Appendix B of supplementary material. ∎

The second statement of Theorem 2 gives an error bound for estimating the onset of the eclipse attack using finite samples of BCNs. Theorem 2 is used in step 5 of Algorithm 1 to estimate the onset of the eclipse attack using the discrete-time test statistic $S_{n,N}$ (7) .

III-B Effect of the Processed Adjacency Matrices on the Test Statistic

Our final result compares the test statistic computed using the projected adjacency matrices and the original adjacency matrices of the BCN⁸⁸8 See Sec.IV-D of the supplementary material for a numerical example illustrating Theorem 3.. It shows that the false positive alarm rate of the detector is higher when the test statistic is computed using the projected adjacency matrix $\tilde{A}_{G}$ .

Theorem 3.

Let $S_{N}(Nt)$ defined in (7) denote the test statistic computed using the original adjacency matrices (1). Let $\tilde{S}_{N}(Nt)$ denote the test statistic computed using the projected adjacency matrices (6). Under $H_{0}$ (2), as $N\rightarrow\infty$ , using projected adjacency matrices to compute the test statistic leads to a higher false positive alarm rate:

\displaystyle\lim_{N\rightarrow\infty}\tilde{S}_{N}(Nt)\geq\lim_{N\rightarrow% \infty}S_{N}(Nt)

Here, the convergence to the limit is in probability. Furthermore,

\displaystyle\lim_{N\rightarrow\infty}\tilde{S}_{N}(Nt)\geq\frac{5\epsilon\,t(% 1-t)V}{\hat{\sigma}^{2}}

where $V=\lim_{N\rightarrow\infty}\hat{V}$ ( $\hat{V}$ is defined in (II-C)); $\epsilon\in(0,1)$ ; and $\hat{\sigma}^{2}$ is the empirical variance computed in (II-C).

Proof.

Appendix C of supplementary material. ∎

In summary, we have presented three key results on the test statistic (5) for detecting an eclipse attack: 1) Under the null hypothesis $H_{0}$ (2), the first result ensures weak convergence of the maximum of the scaled test statistic to the maximum of the square of the Brownian bridge process. 2) Under the alternate hypothesis $H_{1}$ (2), the second result estimates the onset of the eclipse attack on the blockchain network. 3) The third result investigates the impact on the false alarm rate of the detector when using the projected adjacency matrices (6) to compute the test statistic.

IV Numerical Examples

Refer to caption — (a) Absence of an eclipse attack.

In this section, we illustrate our eclipse attack detection algorithm (Algorithm 1) on a simulated dataset. Sec.IV-A describes the process of generating a simulated dataset using the eclipse attack model in Definition 2. Sec.IV-B studies the performance of the proposed eclipse detector when applied to the simulated dataset. Sec.IV-C plots the ROC curve for the proposed eclipse detector on a noisy dataset. Sec.IV-D studies the effect of projected adjacency matrices on the false alarm rate of the detector. Sec.IV-E compares the proposed eclipse attack detector against an eclipse attack detector based on the RFM. Sec.IV-F implements a RFM based regressor to estimate the onset of the eclipse attack. Sec.IV-G studies the sensitivity of the RFM based detector to variations in the training dataset.⁹⁹9All numerical examples use Matlab. Our source codes are available in the Sec.LABEL:sec:source-code of the supplementary material.

IV-A Simulation Setup

We use Definition 2 to generate a simulated dataset to illustrate the performance of the eclipse attack detector (Algorithm 1). Our dataset represents a large-dimensional¹⁰¹⁰10The number of elements in the adjacency matrix for the BCN is $10^{4}$ . blockchain network with 100 users; it consists of a sequence of $1000$ adjacency matrices (1) for the BCNs. In the absence of an eclipse attack, each blockchain user randomly and uniformly selects five neighbors. However, to simulate an eclipse attack, we introduced one victim user and two malicious users into the blockchain. The malicious users always include the victim user as one of their neighbors and other four neighbors are chosen uniformly at random. Equivalently, $P_{1},P_{2}$ in Definition 2 are given by

	$\displaystyle P_{1}(A_{G}(i,j)=1)$	$\displaystyle=\frac{5}{100}$
	$\displaystyle P_{2}(A_{G}(i,j)=1)$	$\displaystyle=\begin{cases}1,\quad i=1,j=99,100\\ \frac{4}{99},\quad i\neq 1,j=99,100\\ \frac{5}{100},\quad\text{otherwise}\end{cases}$

Here, the blockchain user with index 1 is the victim, and those with indexes 99 and 100 are the attackers. We assume that the nodes in the graph are labeled in descending order of their computation power. Since eclipse attacks target users with high computational power, our numerical examples focus on the first four rows of the adjacency matrix to reduce computational cost. Henceforth, with an abuse of the notation, $A_{G}$ refers to the first four rows of the adjacency matrix.

IV-B Numerical Examples for the Proposed Eclipse Attack Detector

We employ Algorithm 1 to detect an eclipse attack on the blockchain network. In step 1, we used the projected adjacency matrices (6) with the number of elements equal to 100. In step 2, we used the projected adjacency matrices to compute the scaled test statistic $T_{N}(t)$ (8). In step 3, we set a significance level of 0.05 for rejecting the null hypothesis $H_{0}$ . We computed the $q_{0.95}$ quantile of the distribution $\max_{t\in[\delta,1-\delta]}\mathcal{B}^{2}(t)$ to be 9.05. Fig. 1 plots the scaled test statistic $T_{N}(t)$ defined in (8) for both the absence and presence of an eclipse attack. In the presence of an eclipse attack, the peak of the test statistic surpasses the threshold $q_{0.95}$ . Moreover, the peak of the scaled test statistic gives the onset of the eclipse attack (Theorem 2).

IV-C ROC Curves for the Proposed Eclipse Attack Detector

In this section, we investigate how the signal-to-noise ratio (SNR) of the dataset impacts the performance of the proposed eclipse attack detector (Algorithm 1). We added noise in the adjacency matrix as follows:

\displaystyle Y=X\wedge N,\quad N=\mathbb{1}\left\{U>\operatorname{SNR}^{-1}\right\}

(10)

Here, $X,Y$ denote the noise-free and noisy adjacency matrix, respectively; $U$ denotes a uniform random variable on $[0,1]$ ; and $\wedge$ denotes the logical and operator. This noise simulates scenarios where the network monitor misses communication between two nodes.

Fig. 2 displays the ROC curve [18] for the proposed eclipse attack detector with various SNR values. As observed, the eclipse attack detector is robust to noise.

IV-D Comparison of the Test Statistic Computed using Original and Projected Adjacency Matrices

Recall that in Theorem 3, we showed that using the projected adjacency matrices to compute the scaled test statistic leads to a higher false positive alarm rate. Fig. 3(a) illustrates the impact of projected adjacency matrices on the false alarm rate. As in Sec.IV-B, we use the first four rows of the adjacency matrices. Therefore, number of elements in the original adjacency matrix is 400. We used the JL lemma to obtain the projected adjacency matrices of dimension 100.

Moreover, in Fig. 3(b), we show using a numerical example that computing the scaled test statistics using the projected adjacency matrices leads to higher false negative rate.

The two numerical examples justifies the heuristic that the JL lemma approximately preserves the test statistic.

IV-E Comparison of the Proposed Eclipse Attack Detector with a RFM based Detector

This section compares the performance of our proposed eclipse attack detector with a RFM [19] based detector.

To begin, we trained a random forest classifier to detect an eclipse attack on a blockchain network. The training dataset consisted of 390 data points, each corresponding to a sequence of 1000 adjacency matrices for the BCNs (Sec. IV-A). The simulated dataset was free from noise. If a sequence of BCNs was free from an eclipse attack, it was labeled as ‘0’; otherwise, it was labeled as ‘1’. Following the training of the random forest classifier, we validated its performance on a test dataset of size 287. The accuracy of the RFM based detector¹¹¹¹11The RFM based detector requires a separate regressor to detect the onset of the eclipse attack. We study its performance in Appendix IV-F of the supplementary material. and the proposed eclipse attack detector (Algorithm 1) is summarized in Table I. Fig.4 plots the ROC curve of the two detectors.

Detector	Accuracy
Proposed Detector (Algorithm 1)	97.49%
Random Forest Model	85.31%

TABLE I: Accuracy of eclipse attack detectors on a dataset with SNR=

\infty

(10) (100 simulations).

IV-F RFM based Detector to Estimate the Onset of the Eclipse Attack

Recall that in Sec.IV-E, we employed a detector based on a RFM to detect an eclipse attack on the blockchain network. In this section, we implement a random forest based regressor to estimate the onset of the eclipse attack $\tau$ under $H_{1}$ (2), i.e., presence of an eclipse attack on a blockchain network. Our training dataset comprised 81 data points, each associated with a sequence of $1000$ adjacency matrices denoted as $A_{G_{i}},\;i=1,2,\ldots,N$ for the BCNs (Sec. IV-A). The labels assigned to these data points corresponded to the onset of the eclipse attack. To compare the accuracy in predicting the onset of the eclipse attack, we computed the root mean squared error for both the proposed eclipse attack detector (Algorithm 1) and the eclipse attack detector based on the RFM. The results are summarized in Table II.

Detector	RMSE
Proposed Detector (Algorithm 1)	1.55
Random Forest Model	38.63

TABLE II: Comparison of root mean squared error (RMSE) in estimating the onset of the eclipse attack on a blockchain network. Our test dataset consisted of 83 data points, each corresponding to a sequence of 1000 adjacency matrices for the BCNs (Sec. IV-A). The RMSE values were averaged over 5 runs.

The proposed eclipse attack detector outperforms the eclipse attack detector based on the RFM without requiring a training dataset.

IV-G Sensitivity of the RFM based Detector to Training Dataset

Recall that in Sec.IV-E, we implemented a RFM based detector to detect an eclipse attack on the blockchain network. In this section, we study the sensitivity of the eclipse attack detector, based on the RFM, to variations in the training dataset. To investigate this, we generated a training dataset and a test dataset consisting of 390 and 287 data points, respectively. The procedure for generating the dataset is outlined in Sec.IV-A. The primary distinction between the training and test datasets lies in the number of malicious users. Specifically, the training dataset was designed with 4 malicious users, while the test dataset was configured to include only 2 malicious users.

Once we trained the random forest classifier, we validated its performance on the test dataset We observed a decrease in overall accuracy to 72.25%. Consequently, achieving a precise random forest regressor requires careful feature extraction from the dataset, with an emphasis on selecting features that remain consistent with the parameters in the eclipse attack model (Definition 2).

To summarize, we used a simulated dataset to test the proposed eclipse attack detector (Algorithm 1). We also compared the proposed detector with an eclipse detector based on the RFM. Our model stood out by concurrently addressing the two aspects of eclipse attack detection: 1) detecting the presence of an eclipse attack, and 2) estimating the onset of the eclipse attack. Moreover, the proposed eclipse attack detector did not require a training dataset.

V Conclusion

This paper addressed the problem of detecting an eclipse attack on a blockchain network by designing a non-parametric change detection algorithm. In an eclipse attack, malicious users isolate a victim user, disrupting their ability to reach a consensus with the rest of the network. Our eclipse attack detection approach involved estimating changes in the Fréchet mean and variance of the BCN. We showed that the test statistic for the proposed eclipse attack detector weakly converges to a Brownian bridge process. This allowed us to quantify the false alarm rate of the detector. The proposed statistical detector can be implemented as a smart contract on top of the blockchain to mitigate the impact of an eclipse attack. Finally, we used ROC curves to characterize the performance of the proposed eclipse attack detector and the RFM based detector. It is also worthwhile exploring detection of jump Markov dynamics and the resulting weak convergent statistic; see [20]

In future work, we will explore: (1) detecting an eclipse attack on a blockchain network with time-varying blockchain users, (2) theoretical bounds on the accuracy of the test statistic when the BCNs are observed in noise, (3) refining the proposed test statistic to effectively detect an eclipse attack near endpoints, and (4) generalizing the change detection algorithm to address time-varying eclipse attack strategies. These extensions will improve the applicability and effectiveness of the proposed eclipse attack detection algorithm.

Acknowledgments

This research was supported in part by the U.S. Army Research Office grant W911NF-21-1-0093, National Science Foundation grant CCF-2112457, and the Army Research Laboratory under Cooperative Agreement Number W911NF-23-2-0124.

References

[1] M. Nofer, P. Gomber, O. Hinz, and D. Schiereck, “Blockchain,” Business & Information Systems Engineering, vol. 59, pp. 183–187, 2017.
[2] E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, “Eclipse attacks on bitcoin’s peer-to-peer network,” in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 129–144.
[3] P. Dubey and H. Müller, “Fréchet change-point detection,” The Annals of Statistics, vol. 48, no. 6, pp. 3312 – 3335, 2020. [Online]. Available: https://doi.org/10.1214/19-AOS1930
[4] J. Matoušek, “On variants of the Johnson-Lindenstrauss lemma,” Random Structures & Algorithms, vol. 33, no. 2, pp. 142–156, 2008.
[5] D. Bhumichai and R. Benton, “Detection of Ethereum eclipse attack based on hybrid method and dynamic weighted entropy,” in SoutheastCon 2023, 2023, pp. 779–786.
[6] G. Xu, B. Guo, C. Su, X. Zheng, K. Liang, D. Wong, and H. Wang, “Am I eclipsed? a smart detector of eclipse attacks for ethereum,” Computers & Security, vol. 88, p. 101604, 2020.
[7] Q. Dai, B. Zhang, and S. Dong, “Eclipse attack detection for blockchain network layer based on deep feature extraction,” Wireless Communications and Mobile Computing, vol. 2022, 2022.
[8] B. Alangot, D. Reijsbergen, S. Venugopalan, and P. Szalachowski, “Decentralized lightweight detection of eclipse attacks on bitcoin clients,” in 2020 IEEE International Conference on Blockchain (Blockchain), 2020, pp. 337–342.
[9] H. Zheng, T. Tran, and O. Arden, “Total eclipse of the enclave: Detecting eclipse attacks from inside tees,” in 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), 2021, pp. 1–5.
[10] A. Yıldız, A. Atmaca, A. Solak, Y. Tursun, and S. Bahtiyar, “A trust based dns system to prevent eclipse attack on blockchain networks,” in 2022 15th International Conference on Security of Information and Networks (SIN), 2022, pp. 01–08.
[11] M. Iqbal and R. Matulevičius, “Exploring sybil and double-spending risks in blockchain systems,” IEEE Access, vol. 9, pp. 76 153–76 177, 2021.
[12] R. Chaganti, R. Boppana, V. Ravi, K. Munir, M. Almutairi, F. Rustam, E. Lee, and I. Ashraf, “A comprehensive review of denial of service attacks in blockchain ecosystem and open challenges,” IEEE Access, 2022.
[13] J. Gill, “Computational complexity of probabilistic turing machines,” in Proceedings of the sixth annual ACM symposium on Theory of computing, 1974, pp. 91–95.
[14] L. Horváth, C. Miller, and G. Rice, “A new class of change point test statistics of Rényi type,” Journal of Business & Economic Statistics, vol. 38, no. 3, pp. 570–579, 2020.
[15] H. Kushner, Approximation and weak convergence methods for random processes, with applications to stochastic systems theory. MIT press, 1984, vol. 6.
[16] S. Ethier and T. Kurtz, Markov processes: characterization and convergence. John Wiley & Sons, 2009.
[17] P. Billingsley, Convergence of probability measures. John Wiley & Sons, 2013.
[18] V. Bewick, L. Cheek, and J. Ball, “Statistics review 13: receiver operating characteristic curves,” Critical care, vol. 8, no. 6, pp. 1–5, 2004.
[19] J. Speiser, M. Miller, J. Tooze, and E. Ip, “A comparison of random forest variable selection methods for classification prediction modeling,” Expert systems with applications, vol. 134, pp. 93–101, 2019.
[20] G. Yin, C. Ion, and V. Krishnamurthy, “How does a stochastic optimization/approximation algorithm adapt to a randomly evolving optimum/root with jump Markov sample paths,” Mathematical programming B. (Special Issue dedicated to B.T. Polyak’s 70th Birthday), vol. 120, no. 1, pp. 67–99, 2009.

Appendix A Proof of Theorem 1 in Sec.III

The outline of the proof is as follows. Observe that

	$\displaystyle NS_{N}(Nt)$	$\displaystyle=NS_{N}^{A}(Nt)+NS_{N}^{B}(Nt)$
	$\displaystyle NS_{N}^{A}(Nt)$	$\displaystyle:=\frac{Nt(1-t)}{\hat{\sigma}^{2}}\left(\hat{V}_{Nt}-\hat{V}_{N(1% -t)}\right)^{2}$
	$\displaystyle NS_{N}^{B}(Nt)$	$\displaystyle:=\frac{Nt(1-t)}{\hat{\sigma}^{2}}\left(\hat{V}_{Nt}^{C}-\hat{V}_% {Nt}+\right.$
		$\displaystyle\left.\hat{V}_{N(1-t)}^{C}-\hat{V}_{N(1-t)}\right)^{2}$

Step 1: Show that $NS_{N}^{A}(Nt)\xrightarrow{w}\mathcal{B}^{2}(t),t\in[\delta,1-\delta]$ .
To show this, first define $Z_{N}(t)=\sqrt{NS_{N}^{A}(Nt)}$ . Then, for $t_{0}=\delta\leq t_{1}\leq\ldots\leq t_{k}\leq 1=t_{k+1}$ show that

(Z_{N}(t_{1}),Z_{N}(t_{2}),\ldots,Z_{N}(t_{k})\xrightarrow{w}\mathcal{N}(0,\Sigma)

where,

	$\displaystyle\Sigma_{t_{1},t_{2}}$	$\displaystyle=\mathbb{1}(t_{1}=t_{2})$
		$\displaystyle+[t_{1}(1-t_{2})/t_{2}(1-t_{1})]^{\frac{1}{2}}\mathbb{1}(t_{1}% \neq t_{2}),\;t_{1}\leq t_{2}$

Finally, show that $Z_{N}(t)$ is asymptotically equicontinuous in probability. Step 1 follows from Donsker’s theorem.
Step 2: Show that $NS_{N}^{B}(Nt)\xrightarrow{w}0$ by proving the consistency of estimators under $H_{0}$ .
Theorem 1 follows from combining Step 1 and Step 2 using Slutsky’s theorem. Refer [3] for the detailed proof of Theorem 1.

Appendix B Proof of Theorem 2 in Sec.III.

Proof.

The outline of the proof is as follows. Consider two cases: (1) $n\geq\tau$ and (2) $n\leq\tau$ . The proof of case (2) is similar to case (1). For case (1), one can show that

	$\displaystyle S(Nt)$	$\displaystyle\leq\frac{t(1-t)}{\sigma^{2}}\left(\max(\alpha^{2}(V_{1}-V_{2})^{% 2},\right.$
		$\displaystyle\left.(\alpha(V_{1}-V_{2})+\min(\alpha\Delta_{1},(1-\alpha)\Delta% _{2}))^{2})\right)$
		$\displaystyle\leq\alpha(V_{1}-V_{2})^{2}+\alpha(\Delta_{1}+\Delta_{2})^{2}=S(N\tau)$

where,

	$\displaystyle\alpha$	$\displaystyle=\frac{\tau}{n}$
	$\displaystyle\Delta_{1}$	$\displaystyle=\mathbb{E}_{P_{1}}\left[d^{2}\left(A_{G},\mu_{2}\right)\right]-% \mathbb{E}_{P_{1}}\left[d^{2}\left(A_{G},\mu_{1}\right)\right]$
	$\displaystyle\Delta_{2}$	$\displaystyle=\mathbb{E}_{P_{2}}\left[d^{2}\left(A_{G},\mu_{1}\right)\right]-% \mathbb{E}_{P_{2}}\left[d^{2}\left(A_{G},\mu_{2}\right)\right]$
	$\displaystyle\sigma^{2}$	$\displaystyle=\tau\mathbb{E}_{P_{1}}\left[d^{4}(A_{G},\tilde{\mu})\right]+(1-% \tau)\mathbb{E}_{P_{2}}\left[d^{4}(A_{G},\tilde{\mu})\right]-\tilde{V}^{2}$
	$\displaystyle\tilde{\mu}$	$\displaystyle=\arg\min_{\omega\in\mathcal{G}}\left\{\tau\mathbb{E}_{P_{1}}% \left[d^{2}(A_{G},A_{\omega})\right]\right.$
		$\displaystyle\left.+(1-\tau)\mathbb{E}_{P_{2}}\left[d^{2}(A_{G},A_{\omega})% \right]\right\}$
	$\displaystyle\tilde{V}$	$\displaystyle=\tau\mathbb{E}_{P_{1}}\left[d^{2}(A_{G},\tilde{\mu})\right]+(1-% \tau)\mathbb{E}_{P_{2}}\left[d^{2}(A_{G},\tilde{\mu})\right]$
	$\displaystyle\mu_{i}$	$\displaystyle=\operatorname*{arg\,min}_{\omega\in\mathcal{G}}\mathbb{E}_{P_{i}% }\left[d^{2}(A_{G},A_{\omega})\right],\;i=1,2$
	$\displaystyle V_{i}$	$\displaystyle=\min_{\omega\in\mathcal{G}}\mathbb{E}_{P_{i}}\left[d^{2}(A_{G},A% _{\omega})\right],\;i=1,2$

The second inequality is obtained from the first inequality by considering multiple sub-cases. Refer [3] for the detailed proof of Theorem 2. ∎

Appendix C Proof of Theorem 3 in Sec.III

Proof.

To prove Theorem 3, we first derive an upper and a lower bound on the variance of the projected adjacency matrices $(\tilde{A}_{G_{i}})_{i}$ (6) in terms of the variance of the adjacency matrices of the BCNs $(A_{G_{i}})_{i}$ (1). Then, we compute the value of the test statistic $\tilde{S}_{N}(Nt)$ and $S_{N}(Nt)$ for $N\rightarrow\infty$ under $H_{0}$ .

Step1: Comparing the variances: Using triangle inequality, Lemma 1 and the fact that $\operatorname*{arg\,max}_{\lambda}\mathbb{E}\left[\|A-\lambda\|^{2}\right]=% \mathbb{E}\left[A\right]$ , we can compare the variance of the projected adjacency matrices $(\tilde{A}_{G_{i}})_{i}$ (6) and the variance of the adjacency matrices of the BCNs $(A_{G_{i}})_{i}$ (1). Let $\alpha$ be an adjacency matrix s.t. $f(\alpha)=\mathbb{E}\left[\tilde{A}_{G}\right]$ . We obtain

	$\displaystyle(1-\epsilon)\left\\|A_{G_{i}}-\alpha\right\\|^{2}$	$\displaystyle\leq\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[\tilde{A}_{G}\right]% \right\\|^{2}$
	$\displaystyle\Rightarrow(1-\epsilon)\sum_{i}\left\\|A_{G_{i}}-\alpha\right\\|^{2}$	$\displaystyle\leq\sum_{i}\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[\tilde{A}_{G% }\right]\right\\|^{2}$
	$\displaystyle\Rightarrow(1-\epsilon)\sum_{i}\left\\|A_{G_{i}}-\mathbb{E}\left[A% _{G}\right]\right\\|^{2}$	$\displaystyle\leq\sum_{i}\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[\tilde{A}_{G% }\right]\right\\|^{2}$

Let $\beta$ be such that the linear map obtained from the JL lemma yields $f(\mathbb{E}\left[A_{G}\right])=\beta$ .

	$\displaystyle\left\\|\tilde{A}_{G_{i}}-\beta\right\\|^{2}$	$\displaystyle\leq(1+\epsilon)\left\\|A_{G_{i}}-\mathbb{E}\left[A_{G}\right]% \right\\|^{2}$
	$\displaystyle\Rightarrow\sum_{i}\left\\|\tilde{A}_{G_{i}}-\beta\right\\|^{2}$	$\displaystyle\leq(1+\epsilon)\sum_{i}\left\\|A_{G_{i}}-\mathbb{E}\left[A_{G}% \right]\right\\|^{2}$
	$\displaystyle\Rightarrow\sum_{i}\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[% \tilde{A}_{G}\right]\right\\|^{2}$	$\displaystyle\leq(1+\epsilon)\sum_{i}\left\\|A_{G_{i}}-\mathbb{E}\left[A_{G}% \right]\right\\|^{2}$

Step 2: Comparing the value of the test statistic: Under $H_{0}$ (2) as $n\rightarrow\infty$ , $\hat{V}_{n}\rightarrow V,\,\hat{V}_{n}^{C}\rightarrow V,\,\hat{V}_{N-n}% \rightarrow V,\,\hat{V}_{N-n}^{C}\rightarrow V$ . Here, the convergence is in probability. This implies $S_{N}(Nt)=0$ . Using the previous inequalities, one obtains

\displaystyle\tilde{S}_{N}(Nt)\geq\frac{5\epsilon\,t(1-t)V}{\hat{\sigma}^{2}}

∎

	$\displaystyle(1-\epsilon)\left\\|A_{G_{i}}-\alpha\right\\|^{2}$	$\displaystyle\leq\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[\tilde{A}_{G}\right]% \right\\|^{2}$
	$\displaystyle\Rightarrow(1-\epsilon)\sum_{i}\left\\|A_{G_{i}}-\alpha\right\\|^{2}$	$\displaystyle\leq\sum_{i}\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[\tilde{A}_{G% }\right]\right\\|^{2}$
	$\displaystyle\Rightarrow(1-\epsilon)\sum_{i}\left\\|A_{G_{i}}-\mathbb{E}\left[A% _{G}\right]\right\\|^{2}$	$\displaystyle\leq\sum_{i}\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[\tilde{A}_{G% }\right]\right\\|^{2}$

	$\displaystyle\left\\|\tilde{A}_{G_{i}}-\beta\right\\|^{2}$	$\displaystyle\leq(1+\epsilon)\left\\|A_{G_{i}}-\mathbb{E}\left[A_{G}\right]% \right\\|^{2}$
	$\displaystyle\Rightarrow\sum_{i}\left\\|\tilde{A}_{G_{i}}-\beta\right\\|^{2}$	$\displaystyle\leq(1+\epsilon)\sum_{i}\left\\|A_{G_{i}}-\mathbb{E}\left[A_{G}% \right]\right\\|^{2}$
	$\displaystyle\Rightarrow\sum_{i}\left\\|\tilde{A}_{G_{i}}-\mathbb{E}\left[% \tilde{A}_{G}\right]\right\\|^{2}$	$\displaystyle\leq(1+\epsilon)\sum_{i}\left\\|A_{G_{i}}-\mathbb{E}\left[A_{G}% \right]\right\\|^{2}$

Eclipse Attack Detection on a Blockchain Network as a Non-Parametric Change Detection Problem

Abstract

I Introduction

Main Results and Organization

Related Works

II Detecting Eclipse Attack on a Blockchain Network

II-A Model for Eclipse Attack

Definition 1.

Definition 2 (Eclipse attack).

II-B Eclipse Attack Detection Problem

Definition 3 (Eclipse attack detection problem).

II-C Test Statistic for Detecting Eclipse Attack

Definition 4.

Definition 5 (Test statistic for detecting an eclipse attack).

II-D Dimensionality Reduction of the Adjacency Matrices

Lemma 1 (Johnson-Lindenstrauss (JL) lemma).

Definition 6 (Projected adjacency matrices).

Comparison between the Adjacency Matrix AGsubscript𝐴𝐺A_{G}italic_A start_POSTSUBSCRIPT italic_G end_POSTSUBSCRIPT of the BCN And The Projected Adjacency Matrix A~Gsubscript~𝐴𝐺\tilde{A}_{G}over~ start_ARG italic_A end_ARG start_POSTSUBSCRIPT italic_G end_POSTSUBSCRIPT

II-E Algorithm for Detecting Eclipse Attack

III Weak Convergence Analysis of Eclipse Attack Detector

III-A Weak Convergence of Test Statistic

Theorem 1.

Proof.

Theorem 2.

Proof.

III-B Effect of the Processed Adjacency Matrices on the Test Statistic

Theorem 3.

Proof.

IV Numerical Examples

IV-A Simulation Setup

IV-B Numerical Examples for the Proposed Eclipse Attack Detector

IV-C ROC Curves for the Proposed Eclipse Attack Detector

IV-D Comparison of the Test Statistic Computed using Original and Projected Adjacency Matrices

IV-E Comparison of the Proposed Eclipse Attack Detector with a RFM based Detector

IV-F RFM based Detector to Estimate the Onset of the Eclipse Attack

IV-G Sensitivity of the RFM based Detector to Training Dataset

V Conclusion

Acknowledgments

References

Appendix A Proof of Theorem 1 in Sec.III

Appendix B Proof of Theorem 2 in Sec.III.

Proof.

Appendix C Proof of Theorem 3 in Sec.III

Proof.

Comparison between the Adjacency Matrix $A_{G}$ of the BCN And The Projected Adjacency Matrix $\tilde{A}_{G}$