TY - GEN
T1 - ConWatcher
T2 - 2025 IEEE Conference on Computer Communications, INFOCOM 2025
AU - Hu, Qinnan
AU - Wang, Yuntao
AU - Su, Zhou
AU - Luan, Tom H.
AU - Li, Ruidong
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Due to the immutable nature of smart contracts, online contract analysis is the only viable approach for revealing vulnerabilities in deployed contracts. Existing online approaches face significant challenges in terms of efficiency, adaptability, and reliance on vulnerability labels. This paper proposes ConWatcher, an adaptive and label-efficient online contract analysis framework capable of detecting yet-unknown attacks under evolving tactics without reliance on vulnerability labels. ConWatcher simulates the Advanced Persistent Threat (APT) tactics commonly used in yet-unknown attacks by continuously applying minor perturbations to legitimate interaction behaviors. It then learns the reverse denoising process, guided by potential logic vulnerabilities (i.e., functionality dependencies), to adaptively identify stealthy anomalies and detect yet-unknown attacks without needing vulnerability labels. ConWatcher proceeds in four steps. First, interaction behavior modeling. Via bytecode-level, account-level, and revenue-level modeling, we propose a behavior-aware multivariate time series model to accurately represent long-term contract interactions with multi-faceted behaviors. Second, APT-like noise adding. We leverage the forward diffusion model to efficiently produce minor and stochastic APT-like noise. Third, reverse denoising learning. To effectively guide reverse denoising using functionality dependencies, we devise an adaptive contract analysis engine equipped with heterogeneous control flow graph modeling and heterogeneous message passing mechanisms to extract function-level and bytecode-level functionality dependencies. Last, contract anomaly detection. We design a label-efficient attack detector based on reconstruction error for contract anomaly detection.
Extensive empirical validations on a manually constructed dataset, covering both mainstream and novel vulnerabilities, demonstrate ConWatcher's effectiveness, adaptability, and label efficiency, with an average F1-score of 0.88 across all types of attacks without prior knowledge of corresponding vulnerabilities.
KW - Blockchain
KW - Label-efficient detection
KW - Online contract analysis
KW - Smart contract
KW - Stealthy contract anomalies
UR - https://www.scopus.com/pages/publications/105011091423
U2 - 10.1109/INFOCOM55648.2025.11044590
DO - 10.1109/INFOCOM55648.2025.11044590
M3 - Conference contribution
AN - SCOPUS:105011091423
T3 - Proceedings - IEEE INFOCOM
BT - INFOCOM 2025 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 May 2025 through 22 May 2025
ER -