Semi-Markov Based Dependability Modeling of Bitcoin Nodes Under Eclipse Attacks and State-Dependent Mitigation

The block chain technology has immense potential in many different applications, including but not limited to cryptocurrencies, financial services, smart contracts, supply chains, healthcare services, and energy trading. Due to the critical nature of these applications, it is pivotal to model and evaluate dependability of the block chain-based systems, contributing to their reliable and robust operation. This paper models and analyzes the dependability of Bitcoin nodes subject to Eclipse attacks and state-dependent mitigation activities. Built upon the block chain technology, the Bitcoin is a peer-to-peer cryptocurrency system enabling an individual user to trade freely without the involvement of banks or any other types of intermediate agents. However, a node in the Bitcoin is vulnerable to the Eclipse attack, which aims to monopolize the information flow of the victim node. A semi-Markov process (SMP) based approach is proposed to model the Eclipse attack behavior and possible mitigation activities that may prevent the attack from being successful during the attack process. The SMP model is then evaluated to determine the steady-state dependability of the Bitcoin node. Numerical examples are provided to demonstrate the influence of the time to restart the Bitcoin software and time to detect and delete the malicious message on the Bitcoin node dependability. KeywordsBitcoin, Block chain, Dependability, Eclipse attack, Semi-Markov process (SMP).


Introduction
The block chain technology has received lots of attentions from academia, governments, and industries in the last decade (Akbari et al., 2017;Atzei et al., 2017;Dai et al., 2019;Ferrag et al., 2018;Kang et al., 2018;Li et al., 2020). As a revolutionary invention in computer science, it has immense potential in many critical applications, including for example, cryptocurrencies, financial services, smart contracts, supply chains, energy trading, and the Internet of Things (Frizzo-Barker et al., 2020;Garay et al., 2017;Xing, 2020Xing, , 2021. This paper focuses on Bitcoin (Satoshi, 2008;Wingreen et al., 2020), a peer-to-peer cryptocurrency network system based on the block chain with a market cap of 199 billion (Rudden, 2020). Different from the fiat currency, the Bitcoin is a decentralized network system that enables an individual to trade freely without the involvement of banks.
Despite being built on the secure block chain technology; the Bitcoin network has vulnerability to various cyberattacks or threats. For example, exploiting the open network of the Bitcoin, an attacker may track correspondence of IP addresses and the Bitcoin addresses to gain control of the block chain data (creating incorrect data or gain illegal access to the data) (Koshy et al., 2014). Further, the privacy of users (e.g., personal information) can be in danger as an attacker may track relationships between addresses based on the Bitcoin transactions (Reid and Harrigan, 2013). In addition, the block chain data may be tempered by an attacker through attacking the consensus mechanism of the block chain (Bag et al., 2016). The Bitcoin is also subject to the Crypto Lockerbased attack, where a ransomware encrypts files of a victim until a ransom can be paid (Liao et al., 2016). The Bitcoin network is vulnerable to many other types of cyberattacks, including but not limited to the Eclipse attacks (Heilman et al., 2015), Sybil attacks (Zhang and Lee, 2019), mining pool attacks (Bahack, 2013), miner attacks (Rosenfeld, 2011), selfish mining (Eyal and Sirer, 2014), and re-identification attacks (Meiklejohn et al., 2013).
Extensive research efforts have been dedicated to defending the Bitcoin system against diverse security attacks. For example, Gervais et al. (2015) showed that an attacker may delay the propagation of a Bitcoin transaction to a specific node and proposed several countermeasures (dynamic timeouts, penalizing non-responding nodes, and updating block advertisements) to enhance the Bitcoin security. Eyal and Sirer (2014) suggested a mitigation scheme based on practical revision of the Bitcoin protocol to defend Bitcoin against colluding selfish mining attacks. Pustogarov (2015a, 2015b) investigated the Bitcoin over Tor system and showed that such a system is not effective in solving the security problem. Bamert et al. (2014) proposed a hardware token for securing Bitcoin transactions. Sasson et al. (2014) and Monaco (2015) investigated the weakness of Bitcoin in the privacy protection and suggested a decentralized anonymous payment mechanism to improve the privacy protection. Kroll et al. (2013) showed that many Nash equilibria exist for mining strategies and discussed the governance structure requirements. Joux (2004) showed that in multiple hash functions the difficulty of identifying simultaneous collisions is not higher than identifying individual ones. Bastiaan (2015) studied the pool mining threat and performed the stochastic analysis of the Bitcoin using Markov chains. Göbel et al. (2016) applied Markov Chains for detecting block-hiding attacks based on the monitoring of production rate of orphan blocks.
As exemplified above, existing works have mostly focused on detecting potential threats and investigating impacts from the malicious behavior. Only little work has been expended in the dependability modeling and analysis of Bitcoin. Particularly in Zhou et al. (2020), a continuoustime Markov chain-based method was proposed to assess the dependability of a Bitcoin node and effects of several parameters relevant to a miner's habits were examined. However, the model of Zhou et al. (2020) is limited to the exponential state transition time distribution; it is not applicable to the practical cases with other distribution types, where the memoryless property (the past history has no influence on the system's future behavior) does not hold.
In this paper we make advancement in the state of the art by proposing a semi-Markov process (SMP)-based method to model and analyze the dependability of Bitcoin nodes subject to the Eclipse attack. The attack aims to control the information flow (including reception and transmission) of a victim node so that the node loses its connection with other legitimate nodes in the Bitcoin network. Possible mitigation activities that may prevent the attack from being successful during the attack process are considered. The transition time between different states appearing during the attack process can follow any arbitrary type of distributions. Influences of several parameters (related to the time to restart the Bitcoin software and time to detect and delete malicious messages containing forged IP addresses) on the Bitcoin node dependability are examined using examples.
The remainder of the paper is structured as follows: Section 2 presents how an Eclipse attack works and the state transition diagram in the SMP-based method modeling the attack behavior and the possible mitigation activities that may be conducted under each state. Section 3 presents the SMPbased method to evaluate the dependability of Bitcoin nodes. Section 4 investigates impacts of several parameters on the Bitcoin node dependability. Section 5 concludes our study and points out future research directions.

Modeling the Eclipse Attack
To launch an Eclipse attack, an attacker node floods the victim node with its own IP address to which the victim node will likely connect when restarting the Bitcoin software. In other words, the attacker node tries to fill the routing table of the victim node before the victim node restarts its software. The restart can be forced to happen, or the attacker node can just wait for the restart to happen. Once the restart happens, the victim node builds an outgoing connection with the attacker's IP address in the routing table. At the same time, the attacker node continuously builds an incoming connection to the victim node. Consequently, the victim node's information flow channel is controlled or monopolized by the malicious node; the victim node can be fed incorrect or fake data by the attacker node (Heilman et al., 2015).
In the case of the attacker node being able to implement the Eclipse attack to more nodes, information flows of more nearby nodes may be controlled, and gradually the block chain network may be compromised. Therefore, a successful Eclipse attack may lead to other more sever cyberattacks like selfish mining, double-spending, and block withholding (Heilman et al., 2015).
To model the dependability of a Bitcoin node, we build a state transition diagram as shown in Figure 1. During the Eclipse attack process five major states can be differentiated, which are the initial good state 0, state 1 where the routing table has been hacked, state 2 where the node has restarted its software, state 3 where the node is connected to the attacker node, and state 4 where the node is monopolized by the attacker node. Mitigation actions under some states may be performed to prevent or alleviate the consequence of the Eclipse attack.  Specifically, under the initial state 0, the Bitcoin node operates correctly without being compromised by any attack. During this state 0, a malicious attacker node sends mmessages containing many forged IP addresses, which may gradually overwrite all the legal IP addresses in the routing table of the node causing the transition from state 0 to state 1. Under state 1, if the victim node executes the restart, then the node transits its state to state 2; if the suspicious message containing the forged IP addresses is detected and deleted by the user, then the node transits its state back to the initial good state 0. Under state 2, if the victim node is connected to the attacker's IP address, then the node transits to state 3; if the user cleans the routing table of the victim node with a certain tool, then the node transits back to state 1. Under state 3, if the victim node selects an IP address from the hacked routing table and establishes an outgoing connection, then the node transits to state 4; if the user restores the healthy connection through a certain maintenance action successfully, then the node transits back to state 0. Under state 4, the attacker node establishes and controls all the incoming connections to the victim node, fully monopolizing the information flow (incoming and outgoing) of the victim node, i.e., the Eclipse attack is successful. Under state 4, if the user detects the malicious connection from the attacker node and re-establishes connections with legitimate nodes, then the node transits its state back to state 3.

Evaluating Bitcoin Node Dependability
In this section, based on the state transition diagram in Figure 1, the SMP-based method is applied to assess the dependability of a Bitcoin node undergoing the Eclipse attack and mitigation actions. Let Fij(t) represent the cumulative distribution function (CDF) of the transition time from state i to state j (i, j = 0, 1, 2, 3, 4). There is no limitation to the distribution type of the state transition time. For illustration purpose, the Weibull distribution is selected due to its flexibility in representing different types of transition rates (decreasing, constant, and increasing) (Trivedi, 1982;Dohi et al., 2001;Xing and Amari, 2015;Xing et al., 2019). The CDF of the Weibull distribution is ( ; , ) = 1 − −( ) with ( , ) denoting the scale and shape parameters, respectively. The exponential distribution and the Rayleigh distribution are special cases of the Weibull distribution when the shape parameter is 1 and 2 respectively.
There are two major steps in the steady state probability analysis of the SMP (Kharoufeh et al., 2010;Kumar et al., 2013;Liu et al., 2019).
(1) Evaluate the one-step transition probability matrix of the embedded Markov chain (EMC) of the SMP (refer to appendices (A1-A3) of Kumar et al. (2013)).
(2) Calculate the sojourn time Ti in each state i.
The steady-state probability Pi of each state i ∈ {0,1,2,3,4} can thus be evaluated using (1), where vi is the steady-state probability of state i in the EMC. = ∑ ∈{0,1,2,3,4} . (1) Specifically, expression (2) presents the kernel matrix K(t) of the SMP model in Figure 1, where ( ) is the probability that the SMP has entered state i, the next state transition takes place within time t and the next state is state j (Kumar et al., 2013). The sum of elements on the same row of ( ) is always 1.
In the case of the Weibull state transition time, the non-zero elements in K(t) are defined by (3) The one-step transition probability matrix of the EMC in step (1) is thus determined as (∞), as shown in (11) (Kulkarni, 2016). Since the sum of elements on the same row of (∞) is always 1, 01 (∞) = 1 and 43 (∞) = 1 (they are the only element in row 1 and row 5, respectively).
In this study, in order to estimate the steady-state probabilities of the EMC for the SMP, we apply Wolfram Mathematics to solve the EMC steady-state equations = • (∞) and • = , where row vectors = [ 0 1 2 3 4 ] and = [1 1 1 1 1].
In step (2), based on Kumar et al. (2013) we use (12) With vi and Ti evaluated, based on (1) the steady state probabilities (i =0, 1, 2, 3, 4) can be obtained. Further, D = P0 + P1 + P2 gives the probability that the Bitcoin node can operate correctly, i.e., the dependability of the Bitcoin node; ̅ = P3 + P4 gives the probability that the node is compromised or fully controlled by an attacker node, that is, the Bitcoin system is not dependable any more.

Example Analysis and Discussions
This section illustrates the SMP-based method for the Bitcoin node dependability analysis. We also examine influences of parameters modeling the time to restart and time to detect and delete the malicious messages on the Bitcoin node dependability by varying the Weibull distribution parameters of 12 and 10 in the dependability analysis. Table 1 shows the baseline parameters used in the numerical analysis (based on data of Thoman et al., 1969;Bailey and Dell, 1973;Kumar et al., 2013).

Effects of Scale Parameters (α12, α10)
We vary the value of scale parameter (α12 and α10) from 1 hour to 96 hours and collect the system state probabilities and the final dependability D (evaluated as P0+P1+P2) in Tables 2-3. All other unchanging parameters use the values from Table 1. Figures 2 and 3 show the results of the node dependability graphically.  It can be observed from Figure 2 that when 12 (reflecting the time to restart the system) varies from 1 hour to 96 hours, the system dependability increases. This is intuitive since as the system restart rate decreases, the steady-state probabilities of being in state 2 (restart), and thus the subsequent states 3 (connected) and 4 (monopolized) decrease (as shown in Figure 2) while the steady-state probability of being in state 1 (the origin of the transition) and the initial state 0 have an increasing trend. Overall, the system dependability that is calculated as (P0+P1+P2) shows an increasing trend.    Figure 3 shows that when 10 (time to detect and delete the malicious message) varies from 1 hour to 96 hours, the node dependability decreases. The numerical results support the intuition that the node is more likely to get compromised when the time of detecting the malicious message increases. As the detection time increases, the probabilities of being in state 1 (the origin of the transition), and subsequent state 2 (restart), state 3 (connected), and state 4 (monopolized) all increase while the steady-state probability of the initial state 0 has a decreasing trend (as shown in Figure 3). Overall, the node dependability shows a decreasing trend as the value of 10 increases.

Effects of Shape Parameter (β12, β10)
The value of β has a distinct effect on the state transition rate. Specifically, β<1corresponds to a decreasing transition rate, β=1 corresponds to a constant transition rate, and β>1 corresponds to an increasing transition rate. In order to reflect all these characteristics in this case study, we vary β from 0.3 to 8. Tables 4 and 5 Figure 4 shows that as the value of 12 varies from 0.3 to 8, the overall trend of the node dependability decreases. This is because as the value of 12 increases, the probability of occupying state 2 increases and the probability of staying in state 1 decreases significantly, which further causes the decrease in the probability of state 0 (as demonstrated in Figure 4). Overall, the node dependability shows a decreasing trend. It is also intuitive that the node dependability has an overall increasing trend in Figure 5 as the value of 10 varies from 0.3 to 8.

Conclusion and Future Work
An Eclipse attack to a Bitcoin system aims to block a node's view of the block chain so that the victim node is at the mercy of the attacker node. The existing model on the Bitcoin node dependability analysis has the limitation of the memoryless property on the state transition time (i.e., the exponentially-distributed transition time). This paper contributes by proposing an SMPbased modeling method for dependability analysis of Bitcoin nodes subject to the eclipse attack and related mitigation actions during the attack process. The method is applicable to arbitrary types of state transition time distributions.
Using numerical examples, we examine the influences of parameters modeling the miner's habits in restart and malicious message detection on the Bitcoin node dependability.
This work has focused on the steady-state Bitcoin node dependability analysis. In the future we plan to extend the SMP-based method for time-dependent dependability analysis of the Bitcoin node and network under the Eclipse attack. We are also interested in modeling other types of cyberattacks such as block withholding mining (Qin et al., 2020) and selfish mining (Yang et al., 2020). In addition, we may investigate resilience strategies to enhance the robustness of Bitcoin operation and improve its immunity to different types of threats.