TU Darmstadt / ULB / TUbiblio

Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning

Sendner, Christoph ; Chen, Huili ; Fereidooni, Hossein ; Petzi, Lukas ; König, Jan ; Stang, Jasper ; Dmitrienko, Alexandra ; Sadeghi, Ahmad-Reza ; Koushanfar, Farinaz (2023)
Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning.
Network and Distributed Systems Security (NDSS) Symposium 2023. San Diego, USA (27.02.2023-03.03.2023)
doi: 10.14722/ndss.2023.23263
Konferenzveröffentlichung, Bibliographie

Kurzbeschreibung (Abstract)

Ethereum smart contracts are automated decentralized applications on the blockchain that describe the terms of the agreement between buyers and sellers, reducing the need for trusted intermediaries and arbitration. However, the deployment of smart contracts introduces new attack vectors into the cryptocurrency systems. In particular, programming flaws in smart contracts have been already exploited to lead to enormous financial loss. Hence, it is crucial to detect various vulnerability types in contracts effectively and efficiently. Existing vulnerability detection methods are limited in scope as they typically focus on one or a very limited set of vulnerabilities. Also, extending them to new vulnerability types requires costly re-design.

In this work, we develop ESCORT, a deep learning-based vulnerability detection method that uses a common feature extractor to learn generic bytecode semantics of smart contracts and separate branches to learn the features of each vulnerability type. As a multi-label classifier, ESCORT can detect multiple vulnerabilities of the contract at once. Compared to prior detection methods, ESCORT can be easily extended to new vulnerability types with limited data via transfer learning. When a new vulnerability type emerges, ESCORT adds a new branch to the trained feature extractor and trains it with limited data. We evaluated ESCORT on a dataset of 3.61 million smart contracts and demonstrate that it achieves an average F1 score of 98% on six vulnerability types in initial training and yields an average F1 score of 96% in transfer learning phase on five additional vulnerability types. To the best of our knowledge, ESCORT is the first deep learning-based framework that utilizes transfer learning on new vulnerability types with minimal model modification and re-training overhead. Compared with existing non-ML tools, ESCORT can be applied to contracts of arbitrary complexity and ensures 100% contract coverage. In addition, we enable concurrent detection of multiple vulnerability types using a single unified framework, thus avoiding the efforts of setting up multiple tools and greatly reducing the detection time. We will open source our dataset and the data labeling toolchain to facilitate future research.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2023
Autor(en): Sendner, Christoph ; Chen, Huili ; Fereidooni, Hossein ; Petzi, Lukas ; König, Jan ; Stang, Jasper ; Dmitrienko, Alexandra ; Sadeghi, Ahmad-Reza ; Koushanfar, Farinaz
Art des Eintrags: Bibliographie
Titel: Smarter Contracts: Detecting Vulnerabilities in Smart Contracts with Deep Transfer Learning
Sprache: Englisch
Publikationsjahr: Februar 2023
Veranstaltungstitel: Network and Distributed Systems Security (NDSS) Symposium 2023
Veranstaltungsort: San Diego, USA
Veranstaltungsdatum: 27.02.2023-03.03.2023
DOI: 10.14722/ndss.2023.23263
Kurzbeschreibung (Abstract):

Ethereum smart contracts are automated decentralized applications on the blockchain that describe the terms of the agreement between buyers and sellers, reducing the need for trusted intermediaries and arbitration. However, the deployment of smart contracts introduces new attack vectors into the cryptocurrency systems. In particular, programming flaws in smart contracts have been already exploited to lead to enormous financial loss. Hence, it is crucial to detect various vulnerability types in contracts effectively and efficiently. Existing vulnerability detection methods are limited in scope as they typically focus on one or a very limited set of vulnerabilities. Also, extending them to new vulnerability types requires costly re-design.

In this work, we develop ESCORT, a deep learning-based vulnerability detection method that uses a common feature extractor to learn generic bytecode semantics of smart contracts and separate branches to learn the features of each vulnerability type. As a multi-label classifier, ESCORT can detect multiple vulnerabilities of the contract at once. Compared to prior detection methods, ESCORT can be easily extended to new vulnerability types with limited data via transfer learning. When a new vulnerability type emerges, ESCORT adds a new branch to the trained feature extractor and trains it with limited data. We evaluated ESCORT on a dataset of 3.61 million smart contracts and demonstrate that it achieves an average F1 score of 98% on six vulnerability types in initial training and yields an average F1 score of 96% in transfer learning phase on five additional vulnerability types. To the best of our knowledge, ESCORT is the first deep learning-based framework that utilizes transfer learning on new vulnerability types with minimal model modification and re-training overhead. Compared with existing non-ML tools, ESCORT can be applied to contracts of arbitrary complexity and ensures 100% contract coverage. In addition, we enable concurrent detection of multiple vulnerability types using a single unified framework, thus avoiding the efforts of setting up multiple tools and greatly reducing the detection time. We will open source our dataset and the data labeling toolchain to facilitate future research.

Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Systemsicherheit
Profilbereiche
Profilbereiche > Cybersicherheit (CYSEC)
Hinterlegungsdatum: 06 Jul 2023 08:48
Letzte Änderung: 10 Jul 2023 13:30
PPN: 509470343
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen