CN114095186A - Threat information emergency response method and device - Google Patents

Threat information emergency response method and device

Info

Publication number: CN114095186A
Authority: CN (China)
Prior art keywords: node, state, type, information, intelligent contract
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202010751273.5A
Other languages: Chinese (zh)
Inventors: 程叶霞, 何申, 顾宁伦, 李伟, 付俊, 陈东, 陈敏时, 胡古宇
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute

Events:
    • Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
    • Priority to CN202010751273.5A
    • Priority to PCT/CN2021/104931 (WO2022022248A1)
    • Publication of CN114095186A
    • Legal status: Pending

Classifications

    • H04L 63/1408: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
    • G06Q 40/04: Finance; trading or exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network security; separating internal from external traffic, e.g. firewalls
    • H04L 63/1441: Network security; countermeasures against malicious traffic
    • H04L 67/10: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network

Abstract

An embodiment of this application provides a threat intelligence emergency response method and device. The method comprises: acquiring threat intelligence information; running a smart contract to obtain a first state, where the first state describes the result of a first node executing an emergency response operation, and the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information; and writing the first state onto a blockchain. In this embodiment, the emergency response smart contract for threat intelligence is built on blockchain technology, so that automatic emergency response to threat intelligence within a node and linked emergency response across nodes can be achieved, and protection against the reported threat can be carried out in a timely and efficient manner.

Description

Threat information emergency response method and device
Technical Field
The embodiments of this application relate to the technical field of blockchains, and in particular to a blockchain-based threat intelligence emergency response method and device.
Background
With the rapid development of computer and network technology, network security incidents occur frequently, new vulnerabilities emerge endlessly, and a large number of new security risks arise, posing serious threats to network security and business security. In the traditional network security model, each security system protects only its own domain, information is relatively isolated, and network security protection lags behind the development of attack techniques. The security subsystems are independent of one another, which easily produces an "island" effect: the systems lack coordination and find it difficult to work together efficiently. In terms of emergency response, the systems are independent and cannot respond in a linked manner. The problem is especially prominent where cross-industry, cross-organization and cross-region response is involved.
As the offence and defence of network security become ever fiercer, a strategy in which network security relies solely on prevention and blocking no longer works; more attention must be paid to threat intelligence and the linked response to it, and a new security protection system integrating threat intelligence sharing, application, response and prevention must be built.
Therefore, the linked response to threat intelligence information urgently needs to be solved.
Disclosure of Invention
The embodiments of this application aim to provide a threat intelligence emergency response method and device that solve the problem of linked response to threat intelligence information.
In a first aspect, an embodiment of this application provides a threat intelligence emergency response method, applied to a first node, comprising:
acquiring threat intelligence information;
running a smart contract to obtain a first state, where the first state describes the result of the first node executing an emergency response operation, and the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information;
writing the first state onto a blockchain.
Optionally, running the smart contract to obtain a first state comprises:
matching the corresponding response operation in the smart contract according to the type of the threat intelligence information;
or matching the corresponding response operation in the smart contract according to the type of the threat intelligence information and the information of the first node, where the information of the first node comprises the type of the first node and/or the level of the first node;
and executing the response operation to obtain the first state.
Optionally, writing the first state onto a blockchain comprises:
sending the first state to the nodes of the blockchain other than the first node, so that those nodes reach consensus on the first state;
and, if the first state passes consensus, writing the first state into the blockchain.
Optionally, the method further comprises:
creating a smart contract according to the threat intelligence emergency response requirements;
and issuing the smart contract to the blockchain.
Optionally, one or more of the following are encapsulated in the smart contract:
a state, which is any one of an enabled state, a disabled state, a frozen state and an unfrozen state;
a conversion rule, where the state of the smart contract is converted when the conversion rule is satisfied;
a trigger condition, where the smart contract runs when the trigger condition is met;
a response operation, which is an action performed by a node in the blockchain network on the threat intelligence information it obtains.
Optionally, the response operation corresponds to one or more of the following:
the type of a node in the blockchain network;
the level of a node in the blockchain network;
the type of the threat intelligence information.
Optionally, the type of a node and/or the level of a node in the blockchain network is divided based on one or more of the following: the type of application carried by the node, the protocol type, the operating system type, the type of data operated on, the type of software run or the type of hardware, the service provided by the node, and the functions of the node.
In a second aspect, a threat intelligence emergency response apparatus is provided, applied to a first node, comprising:
an acquisition module, for acquiring threat intelligence information;
an execution module, for running a smart contract to obtain a first state, where the first state describes the result of the first node executing an emergency response operation, and the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information;
and an issuing module, for writing the first state into a blockchain.
In a third aspect, a first node is provided, comprising a processor, a memory and a program stored on the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the threat intelligence emergency response method of the first aspect.
In a fourth aspect, a readable storage medium is provided, on which a program is stored, the program, when executed by a processor, performing the steps of the method of the first aspect.
In the embodiments of this application, an emergency response smart contract for threat intelligence is built on blockchain technology, so that automatic emergency response to threat intelligence within a node and linked emergency response across nodes can be achieved, and protection against the reported threat can be carried out in a timely and efficient manner.
Drawings
Other advantages and benefits will become apparent to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be construed as limiting the application. Like reference numerals refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram comprising a plurality of operation nodes;
FIG. 2 is a schematic diagram of operation nodes including an operation and maintenance administrator role;
FIG. 3 is a schematic diagram of a blockchain-based threat intelligence system;
FIG. 4 is a schematic diagram of the block structure of a threat intelligence emergency response blockchain built on blockchain technology according to an embodiment of this application;
FIG. 5 is a schematic diagram of a threat intelligence emergency response blockchain built on blockchain technology according to an embodiment of this application;
FIG. 6 is a schematic diagram of a smart contract for blockchain-based threat intelligence emergency response in an embodiment of this application;
FIG. 7 is a schematic diagram of a method for issuing a threat intelligence emergency response smart contract according to an embodiment of this application;
FIG. 8 is a first schematic diagram of a threat intelligence emergency response method in an embodiment of this application;
FIG. 9 is a second schematic diagram of a threat intelligence emergency response method in an embodiment of this application;
FIG. 10 is a schematic diagram of a threat intelligence emergency response apparatus in an embodiment of this application;
FIG. 11 is a schematic diagram of a first node in an embodiment of this application;
FIG. 12 is a schematic diagram of a threat intelligence emergency response smart contract issuing apparatus in an embodiment of this application;
FIG. 13 is a schematic diagram of a second node in an embodiment of this application.
Detailed Description
The technical solutions in the embodiments of this application are described below clearly and completely with reference to the drawings of the embodiments. Obviously, the described embodiments are some, but not all, of the embodiments of this application. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the scope of protection of this application.
The terms "comprises," "comprising," or any other variation thereof, in the description and claims of this application, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, "and/or" in the specification and claims means at least one of the connected objects; for example, "A and/or B" covers three cases: A alone, B alone, and both A and B.
In the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
The techniques described herein are not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-A) systems, and may also be used for various other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency-Division Multiple Access (SC-FDMA), and other systems.
The terms "system" and "network" are often used interchangeably. CDMA systems may implement Radio technologies such as CDMA1200, Universal Terrestrial Radio Access (UTRA), and so on. UTRA includes Wideband CDMA (Wideband Code Division Multiple Access, WCDMA) and other CDMA variants. TDMA systems may implement radio technologies such as Global System for Mobile communications (GSM). The OFDMA system may implement radio technologies such as Ultra Mobile Broadband (UMB), evolved-UTRA (E-UTRA), IEEE 802.11(Wi-Fi), IEEE 802.16(WiMAX), IEEE 802.12, Flash-OFDM, etc. UTRA and E-UTRA are parts of the Universal Mobile Telecommunications System (UMTS). LTE and higher LTE (e.g., LTE-A) are new UMTS releases that use E-UTRA. UTRA, E-UTRA, UMTS, LTE-A, and GSM are described in documents from an organization named "third Generation Partnership Project" (3 GPP). CDMA1200 and UMB are described in documents from an organization named "third generation partnership project 2" (3GPP 2). The techniques described herein may be used for both the above-mentioned systems and radio technologies, as well as for other systems and radio technologies.
This application addresses the problems that threat intelligence in existing systems is isolated, that the systems lack coordination and find it difficult to work together efficiently, and that they lack linked and automatic response to threat intelligence, so that the latest and most valuable threat intelligence cannot be obtained or analysed in time for protection and emergency response, resulting in security risks and attacks.
This application provides a threat intelligence emergency response method, a smart contract issuing method and corresponding devices. An emergency response smart contract for threat intelligence is built on blockchain technology, so that automatic emergency response to threat intelligence in each system is achieved and the threat is protected against and responded to in a timely and efficient manner.
Before the embodiments of the blockchain-based smart contract issuing method, emergency response method and device for threat intelligence are introduced, the logical relationship among the operation nodes (or simply nodes) involved in threat intelligence emergency response is introduced, as shown in fig. 1. At the logical level, the operation nodes communicate peer-to-peer.
It is understood that each operation node may be the device of an operation administrator, an operated device, or the like.
Referring to fig. 2, as an example, operation node 1 takes the role of operation and maintenance administrator, operation node 2 the role of operated device 1 (or simply device 1), operation node 3 the role of operated device 2 (or simply device 2), operation node n-1 the role of operated device n-1 (or simply device n-1), and operation node n the role of operated device n (or simply device n).
Referring to fig. 3, the threat intelligence user is generally the operation and maintenance administrator. The administrator obtains the latest threat intelligence either directly from a threat intelligence sharing system or through correlation analysis, and issues it to all operated, managed and maintained devices through the blockchain-based threat intelligence emergency response system; automatic linked response is then performed by the emergency response smart contract in that system.
Referring to fig. 4, a threat intelligence emergency response blockchain is built on blockchain technology; its block structure is as shown in the figure.
A block comprises a block header and a block body. The block header comprises: the hash value of the previous block, the Merkle root, a random number and a timestamp. The block body comprises: the threat intelligence information and the threat intelligence emergency response state. Specifically:
(1) The hash value of the previous block is generated by hashing all the information of the previous block together with its timestamp.
(2) The Merkle root is the hash value of the root of a Merkle tree formed from all the information in the block body; the Merkle root binds the block header to the block body.
(3) The random number is generated by the current node from all public key information and the current timestamp using the SHA256 hash algorithm, and it is required that the hash value of the next block begins with a specified string of digits. This prevents an attacker from forging a block of the blockchain.
(4) The timestamp is stamped by the node that issues the block at the time of issue; for example, it is the number of seconds from 00:00 UTC on 1 January 1970 to the time the block was generated.
(5) The threat intelligence information is the latest complete threat intelligence issued by the operation and maintenance administrator, and may be of various types, such as Internet Protocol (IP) address intelligence, domain name intelligence, Uniform Resource Locator (URL) intelligence, security event intelligence, vulnerability intelligence and the like.
(6) The threat intelligence emergency response state is the information describing the state of the emergency response to the threat intelligence. It is obtained after the emergency response smart contract in the blockchain-based threat intelligence emergency response system has been executed.
Referring to fig. 5, a threat intelligence emergency response blockchain is built on blockchain technology. The blockchain consists of the founder (genesis) block, block 1, block 2, ..., block n-1 and block n.
Referring to fig. 6, in the blockchain-based smart contract for threat intelligence emergency response, the smart contract is a set of scenario-oriented programming rules and logic: decentralized, trusted shared program code deployed on the blockchain.
Smart contracts also have the general characteristics of blockchain data, such as distributed recording, storage and verification, and resistance to tampering and forgery. Each party signing the contract agrees on the contract content, the default conditions, the liability for default and the external audit data sources, checks and tests the contract code if necessary to ensure that it contains no errors, and deploys the contract on the blockchain in the form of a smart contract, so that the contract executes automatically on behalf of each signing party without any central authority. The programmable nature of smart contracts allows the signing parties to add arbitrarily complex terms.
Referring to fig. 6, after being signed by each party, the smart contract may be attached to the blockchain data in the form of program code; after being propagated through the peer-to-peer network and verified by the nodes, it is recorded in a specific block of the blockchain. A smart contract encapsulates predefined states (such as enabled, disabled, frozen and unfrozen) and transition rules, trigger conditions that start contract execution (such as reaching a particular time, the occurrence of a particular event, or a particular type of threat intelligence), response operations (such as execution of a particular action or a particular response), and so on. The blockchain monitors the state of the smart contract in real time, and activates and executes the contract once the data source has been checked and the specific trigger condition is met.
It will be appreciated that the input to the smart contract is data on the blockchain, namely the most recent threat intelligence information on the blockchain. The output of the smart contract is the state of the emergency response, which is written back to the blockchain.
The internal logic of the smart contract runs as follows:
(1) In the smart contract, the systems or devices of the running nodes are classified into types and levels. The specific classification standard may be based on the application type, protocol type, operating system type, category of data handled, type of software run and/or type of hardware carried by the system or device. The software or hardware type of a node is not particularly limited.
For example, a simple classification rule may be set, such as dividing nodes by the type of software and hardware they carry; or, once software and hardware types have been divided, nodes may be further divided into a first level, a second level, a third level and so on according to the different services they provide or the different functions they perform.
(2) In the smart contract, the type of newly entered threat intelligence information is classified.
Optionally, the classification of the type of threat intelligence information comprises:
Method 1: classify directly according to the type of the threat intelligence information itself, for example into IP type, domain name type, URL (Uniform Resource Locator) type, event type, vulnerability type, file MD5 type and the like.
Method 2: classify according to the type of device or system affected by the threat intelligence, for example into operating system class, protocol class, router class, switch class, Domain Name Server (DNS) class, Intrusion Detection System (IDS) class, Intrusion Prevention System (IPS) class, firewall class and the like.
(3) In the smart contract, different response operations may be set for different types of threat intelligence information, types of node and/or levels of node.
Specifically, a node (such as a network element, a security device or an early-warning centre) responds according to the threat intelligence information it obtains. The smart contract may generate new security policies from the threat intelligence information and deploy them to the network elements and security devices. If necessary, it may update the software version and modify the configuration of the network elements and security devices.
According to the classification of threat intelligence information in step (2), if the intelligence type is used as a condition that corresponds to a response operation, the response operation is triggered and finally executed on the affected nodes to carry out the actual response; nodes that are not affected perform no actual response operation while the smart contract executes.
For example, malicious URL intelligence may be applied to a gateway, which updates its security policy by adding the malicious URL to a blacklist and filtering it; it may also be applied to an IDS or IPS by updating the protection rules for the corresponding URL. Malicious domain name intelligence may be applied to DNS servers, which update their configuration by blacklisting the malicious domain. Malicious IP intelligence may be applied to firewalls, which update their security policy by filtering the malicious IP; it may also be applied to an IDS or IPS by updating the protection rules for the corresponding IP. Vulnerability intelligence may be applied to all kinds of network devices, where each network element repairs the vulnerability by updating its software or hardware; at the same time, it may be used to build a detection plug-in that is then pushed to the scanner to detect affected assets and network elements.
In this way, threat intelligence information is responded to automatically by the smart contract. Centralized instruction execution becomes distributed instruction execution, and cross-industry, cross-organization and cross-region threat intelligence emergency response can be achieved.
Referring to fig. 7, an embodiment of this application provides a method for issuing a smart contract for threat intelligence emergency response, which comprises the following steps:
Step 701: create a smart contract according to the threat intelligence emergency response requirements;
Step 702: issue the smart contract to the blockchain.
In an embodiment of this application, referring to fig. 6, one or more of the following may be encapsulated in the smart contract:
(1) A state, which is any one of an enabled state, a disabled state, a frozen state and an unfrozen state.
The enabled state means that the smart contract can be used normally, the disabled state means that it cannot be used normally, and the frozen state means that it is frozen and can be used again only after being unfrozen.
(2) A conversion rule; the state of the smart contract is converted when the conversion rule is satisfied.
Examples are a rule for the transition from the enabled state to the disabled state, from the disabled state to the enabled state, from the frozen state to the unfrozen state, and so on.
(3) A trigger condition; the smart contract runs when the trigger condition is met.
For example, when a specific time is reached, a specific event occurs, or the type of the threat intelligence information is a specified type, the smart contract is triggered to run.
(4) A response operation, which is an action performed by a node in the blockchain network on the threat intelligence information it obtains.
The response operation is a specific action directed at the threat intelligence information in order to reduce or avoid the risk it describes.
In an embodiment of this application, the response operation corresponds to one or more of the following:
(1) The type of a node in the blockchain network.
For example, the type of a node in the blockchain network is obtained by dividing nodes according to the type of application, protocol, operating system, data operated on, software run and/or hardware carried by the node.
(2) The level of a node in the blockchain network, which indicates the importance or priority of the service or function the node provides.
Optionally, the type and/or level of a node in the blockchain network is divided based on one or more of the following: the type of application carried by the node, the protocol type, the operating system type, the type of data operated on, the type of software run or the type of hardware, the service provided by the node, and the functions of the node.
(3) The type of the threat intelligence information.
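The contract logic of steps (1) to (3) and the encapsulated elements (state, conversion rule, trigger condition, response operation), written out as an added Python example that is not the patent's code. The response table, trigger set, level rule, policy syntax and all names are assumptions; the patent names no platform or API.

```python
# Added example, not code from the patent: the contract logic of steps (1) to (3)
# and the encapsulated elements (state, conversion rule, trigger condition, response
# operation) as plain Python. The response table, trigger set, level rule and all
# names are assumptions; the patent names no platform or API.
from dataclasses import dataclass
from enum import Enum


class ContractState(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    FROZEN = "frozen"


# Conversion rules: the only state changes the contract permits
# (FROZEN -> ENABLED is the "unfrozen" transition).
CONVERSION_RULES = {
    (ContractState.ENABLED, ContractState.DISABLED),
    (ContractState.DISABLED, ContractState.ENABLED),
    (ContractState.ENABLED, ContractState.FROZEN),
    (ContractState.FROZEN, ContractState.ENABLED),
}

# Trigger condition: intelligence of these types starts the contract (assumed set).
TRIGGER_TYPES = {"ip", "domain", "url", "vulnerability"}

# Response operations keyed by (intelligence type, node type), following the
# mapping described above: URL -> gateway/IDS/IPS, domain -> DNS, IP -> firewall/
# IDS/IPS, vulnerability -> network devices and scanner. Nodes without an entry
# are unaffected and perform no actual response.
RESPONSE_OPS = {
    ("url", "gateway"): "blacklist_url",
    ("url", "ids"): "update_url_rule",
    ("url", "ips"): "update_url_rule",
    ("domain", "dns"): "blacklist_domain",
    ("ip", "firewall"): "filter_ip",
    ("ip", "ids"): "update_ip_rule",
    ("ip", "ips"): "update_ip_rule",
    ("vulnerability", "router"): "update_software",
    ("vulnerability", "scanner"): "add_detection_plugin",
}

# New security policy generated for each operation (assumed command syntax).
POLICY_TEMPLATES = {
    "blacklist_url": "url-blacklist add {v}",
    "update_url_rule": "rule add alert url {v}",
    "blacklist_domain": "dns-sinkhole add {v}",
    "filter_ip": "deny ip {v}",
    "update_ip_rule": "rule add alert ip {v}",
    "update_software": "apply-patch {v}",
    "add_detection_plugin": "scanner plugin add {v}",
}


@dataclass
class ThreatIntel:
    intel_type: str   # "ip", "domain", "url", "event", "vulnerability", "file_md5"
    value: str


@dataclass
class NodeInfo:
    node_id: str
    node_type: str    # "firewall", "gateway", "dns", "ids", "ips", "router", "scanner"
    level: int        # 1 = highest importance/priority (assumed encoding)


class EmergencyResponseContract:
    def __init__(self) -> None:
        self.state = ContractState.ENABLED

    def convert(self, new_state: ContractState) -> None:
        """Apply a conversion rule; reject a transition the contract does not define."""
        if (self.state, new_state) not in CONVERSION_RULES:
            raise ValueError(f"no conversion rule {self.state.value} -> {new_state.value}")
        self.state = new_state

    def run(self, intel: ThreatIntel, node: NodeInfo) -> dict:
        """Return the 'first state': the result of this node's emergency response."""
        base = {"node": node.node_id, "intel_type": intel.intel_type, "level": node.level}
        if self.state is not ContractState.ENABLED:
            return dict(base, result="contract_" + self.state.value)
        if intel.intel_type not in TRIGGER_TYPES:
            return dict(base, result="not_triggered")
        op = RESPONSE_OPS.get((intel.intel_type, node.node_type))
        if op is None:
            return dict(base, result="unaffected")
        # Assumed level rule: level-1 nodes deploy the new policy at once, lower
        # levels queue it, so the most important nodes are protected first.
        mode = "deployed" if node.level == 1 else "queued"
        return dict(base, result="executed", operation=op, mode=mode,
                    policy=POLICY_TEMPLATES[op].format(v=intel.value))
```

A node whose type has no entry for the intelligence type gets the state "unaffected", matching the patent's statement that unaffected nodes perform no actual response while the contract executes.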
In the embodiments of this application, an emergency response smart contract for threat intelligence is built on blockchain technology, so that automatic emergency response to threat intelligence within nodes and linked emergency response across nodes are achieved, and protection against the reported threat is carried out in a timely and efficient manner.
Referring to fig. 8, the method may be executed by a first node (also called a first network element or first network element device); the first node is any operation node in the blockchain network. The specific steps comprise:
Step 801: acquire threat intelligence information.
For example, the threat intelligence information is obtained from a block in the blockchain network.
It is understood that the threat intelligence information may be obtained from the body of a block; the embodiments of this application do not limit the specific content of the threat intelligence information.
Step 802: run the smart contract to obtain a first state, where the first state describes the result of the first node executing the emergency response operation, and the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information.
For example, the corresponding response operation is matched in the smart contract according to the type of the threat intelligence information; or the corresponding response operation is matched according to the type of the threat intelligence information together with the information of the first node, where the information of the first node comprises the type of the first node and/or the level of the first node; the response operation is then executed to obtain the first state.
Step 803: write the first state onto the blockchain.
That is, the emergency response state is issued onto the blockchain in a block. For example, the emergency response state is sent to the nodes of the blockchain network other than the first node, so that those nodes reach consensus on it; if the emergency response state passes consensus, it is issued to the blockchain in a block.
In an embodiment of the present application, the method may further include: creating the smart contract according to the threat intelligence emergency response requirement; and publishing the smart contract onto the blockchain.
In an embodiment of the present application, referring to fig. 6, one or more of the following may be encapsulated in the smart contract:
(1) A state, which is any one of: an enabled state, a disabled state, a frozen state, and an unfrozen state;
The enabled state indicates that the smart contract can be used normally, the disabled state indicates that it cannot be used normally, and the frozen state indicates that it is frozen and can be used again only after being unfrozen.
(2) A transition rule, where the state of the smart contract is transitioned when the transition rule is satisfied;
For example, a transition rule from the enabled state to the disabled state, a transition rule from the disabled state to the enabled state, a transition rule from the frozen state to the unfrozen state, and so on.
(3) A trigger condition, where the smart contract runs when the trigger condition is met;
For example, the smart contract is triggered to run when a specific time is reached or a specific event occurs, or when the type of the threat intelligence information is a specified type.
(4) A response operation, which is the action performed by a node in the blockchain network with respect to the threat intelligence information it obtains.
The response operation is a specific action directed at the threat intelligence information, intended to reduce or avoid the risk that the threat intelligence describes.
In the embodiment of the present application, the response operation corresponds to one or more of the following:
(1) The type of the node in the blockchain network;
For example, the type of a node in the blockchain network is determined based on the type of application, protocol, operating system, data operated on, software run, and/or hardware carried by the node.
(2) The level of a node in the blockchain network, which indicates the importance, priority, or the like of the service or function provided by the node;
Optionally, the type and/or level of a node in the blockchain network is determined based on one or more of the following: the type of application, protocol, operating system, data operated on, software run, or hardware carried by the node; the service provided by the node; and the functions of the node.
(3) The type of the threat intelligence information.
In the embodiment of the present application, after each node in the blockchain network acquires threat intelligence information from a specific block in the blockchain, the node can determine the response operation it must execute according to the node type, node level and/or threat intelligence type defined in the corresponding smart contract, and then execute that response operation automatically. In this way, linked response and automatic emergency response to the threat intelligence are realized at each node, protective response to the threat intelligence is carried out in a timely and efficient manner, and security risks and security attacks are prevented. Furthermore, the nodes may be deployed across industries, organizations and regions, so that cross-industry, cross-organization and cross-region threat intelligence emergency response is realized.
Referring to fig. 9, the blockchain-based threat intelligence emergency response method includes the following steps:
Step 901: the operation and maintenance manager obtains the latest threat intelligence information and passes it on to step 902.
Step 902: the operation and maintenance manager distributes the acquired threat intelligence information to all devices and the like.
That is, the output of step 901 is received and distributed in full.
Step 903: the blockchain-based threat intelligence emergency response smart contract is run.
That is, the output of step 902 is received and the smart contract is executed on the threat intelligence.
Step 904: all devices, assets and the like carry out emergency response by performing the repair operation given by the smart contract.
That is, the output of step 903 is received and the repair given by the smart contract for the corresponding threat intelligence emergency response is carried out.
Step 905: the latest emergency response state is fed back.
That is, the output of step 904 is received and the latest emergency response state is reported back.
Step 906: consensus on the emergency response state is reached in the blockchain.
That is, the output of step 905 is received and the emergency response state is written into the blockchain according to the consensus mechanism of the blockchain.
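As an added illustration (not code from the patent), the following Python simulates the contract of fig. 8 and the flow of fig. 9: the four encapsulated items (state, transition rules, trigger condition, response operations), the matching of a response operation by intelligence type, node type and node level (step 802 / claim 2), and consensus by the other nodes before the first state is written to a hash-linked ledger (step 803 / claim 3). The node types, levels, intelligence types and operation names are constructed for the example; the patent does not fix concrete values for them.

```python
from dataclasses import dataclass, field
from enum import Enum
import hashlib, json

class ContractState(Enum):
    """Item (1) encapsulated in the contract: its lifecycle state."""
    ENABLED = "enabled"
    DISABLED = "disabled"
    FROZEN = "frozen"
    UNFROZEN = "unfrozen"

# Item (2): transition rules, (current state, rule name) -> next state.
TRANSITIONS = {
    (ContractState.ENABLED, "disable"): ContractState.DISABLED,
    (ContractState.DISABLED, "enable"): ContractState.ENABLED,
    (ContractState.ENABLED, "freeze"): ContractState.FROZEN,
    (ContractState.FROZEN, "unfreeze"): ContractState.UNFROZEN,
    (ContractState.UNFROZEN, "enable"): ContractState.ENABLED,
}

@dataclass(frozen=True)
class Node:
    name: str
    node_type: str  # constructed; derived from the application/protocol/OS carried
    level: int      # importance or priority of the service the node provides

@dataclass(frozen=True)
class ThreatIntel:
    intel_type: str
    detail: str

@dataclass
class Contract:
    state: ContractState = ContractState.ENABLED
    # Item (3): trigger condition, here "the intel type is a specified type".
    trigger_types: frozenset = frozenset({"malicious_ip", "vulnerability"})
    # Item (4): response operations keyed by (intel type, node type, minimum node
    # level); None is a wildcard and the most specific key wins. Values are constructed.
    responses: dict = field(default_factory=lambda: {
        ("malicious_ip", None, None): "block_ip_at_firewall",
        ("vulnerability", None, None): "schedule_patch",
        ("vulnerability", "web_server", None): "apply_virtual_patch",
        ("vulnerability", "web_server", 3): "isolate_and_patch",
    })

    def transition(self, rule: str) -> ContractState:
        nxt = TRANSITIONS.get((self.state, rule))
        if nxt is None:
            raise ValueError(f"no rule {rule!r} from state {self.state.value}")
        self.state = nxt
        return nxt

    def match_response(self, intel: ThreatIntel, node: Node):
        """Step 802 / claim 2: the operation for this intel type and this node."""
        if self.state is not ContractState.ENABLED or intel.intel_type not in self.trigger_types:
            return None  # contract not usable, or trigger condition not met
        best, best_rank = None, (-1, -1)
        for (itype, ntype, min_level), op in self.responses.items():
            if itype != intel.intel_type or (ntype is not None and ntype != node.node_type) \
                    or (min_level is not None and node.level < min_level):
                continue
            rank = (ntype is not None, -1 if min_level is None else min_level)
            if rank > best_rank:
                best, best_rank = op, rank
        return best

def run_contract(node: Node, intel: ThreatIntel, contract: Contract) -> dict:
    """Steps 801-802: run the contract and return the 'first state', i.e. the
    record of the node's emergency response operation and its result."""
    op = contract.match_response(intel, node)
    return {"node": node.name, "node_type": node.node_type, "level": node.level,
            "intel_type": intel.intel_type, "operation": op,
            "result": "executed" if op else "not_triggered"}

def reach_consensus(first_state: dict, intel: ThreatIntel, validators) -> bool:
    """Step 803 / claim 3: the other nodes re-derive the operation with their own
    copy of the contract and approve only if the reported one matches."""
    reported = Node(first_state["node"], first_state["node_type"], first_state["level"])
    votes = sum(c.match_response(intel, reported) == first_state["operation"] for c in validators)
    return votes * 2 > len(validators)

class Chain:
    """Minimal hash-linked ledger standing in for the blockchain."""
    def __init__(self):
        self.blocks = []

    def write(self, payload: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"index": len(self.blocks), "prev": prev, "payload": payload}
        block["hash"] = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
        self.blocks.append(block)
        return block

def respond_and_publish(node, intel, contract, validators, chain):
    """Whole flow of fig. 8: the block written, or None if consensus fails."""
    state = run_contract(node, intel, contract)
    return chain.write(state) if reach_consensus(state, intel, validators) else None
```

A node that reports an operation other than the one the shared contract prescribes (for example a tampered or stale result) fails consensus and nothing is written, which is the property the consensus step in claim 3 buys.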
Referring to fig. 10, an embodiment of the present application provides a threat intelligence emergency response apparatus, applied to a first node, where the apparatus 1000 includes:
an acquisition module 1001, configured to acquire threat intelligence information;
an execution module 1002, configured to run a smart contract to obtain a first state, where the first state describes the result of the first node executing an emergency response operation; the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information;
a publishing module 1003, configured to write the first state onto the blockchain.
In this embodiment of the present application, the execution module 1002 is further configured to: match the corresponding response operation in the smart contract according to the type of the threat intelligence information; or match the corresponding response operation in the smart contract according to the type of the threat intelligence information and the information of the first node, where the information of the first node includes the type of the first node and/or the level of the first node; and execute the response operation to obtain the first state.
In this embodiment of the present application, the publishing module 1003 is further configured to: send the first state to the other nodes in the blockchain besides the first node, so that the other nodes reach consensus on the first state;
and, if the first state passes consensus, write the first state into the blockchain.
In this embodiment, the apparatus 1000 further includes: a creation module, configured to create the smart contract according to the threat intelligence emergency response requirement; and the publishing module 1003 is further configured to publish the smart contract onto the blockchain.
In the embodiment of the present application, one or more of the following are encapsulated in the smart contract:
a state, which is any one of: an enabled state, a disabled state, a frozen state, and an unfrozen state;
a transition rule, where the state of the smart contract is transitioned when the transition rule is satisfied;
a trigger condition, where the smart contract runs when the trigger condition is met;
a response operation, which is the action performed by a node in the blockchain network with respect to the threat intelligence information acquired by the node.
In the embodiment of the present application, the response operation corresponds to one or more of the following:
the type of the node in the blockchain network;
the level of the node in the blockchain network, which represents the level of the service or function provided by the node;
the type of the threat intelligence information.
In the embodiment of the present application, the type and/or level of a node in the blockchain network is determined based on one or more of the following: the type of application, protocol, operating system, data operated on, software run, or hardware carried by the node; the service provided by the node; and the functions of the node.
The threat intelligence emergency response apparatus provided in the embodiment of the present application may implement the method embodiment shown in fig. 8; the implementation principle and technical effect are similar and are not described again here.
Referring to fig. 11, fig. 11 is a structural diagram of a first node applied in the embodiment of the present application, and as shown in fig. 11, the first node 1100 includes: a processor 1101, a transceiver 1102, a memory 1103, and a bus interface, wherein:
in one embodiment of the present application, the first node 1100 further comprises: a program stored on the memory 1103 and executable on the processor 1101, the program, when executed by the processor 1101, implements the functions of the various modules in the embodiment shown in fig. 10.
In fig. 11, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 1101, and various circuits, represented by memory 1103, linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1102 may be a plurality of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium.
The processor 1101 is responsible for managing the bus architecture and general processing, and the memory 1103 may store data used by the processor 1101 in performing operations.
The first node provided in the embodiment of the present application may execute the method embodiment shown in fig. 8, which has similar implementation principles and technical effects, and this embodiment is not described herein again.
Referring to fig. 12, an embodiment of the present application provides an apparatus for publishing a smart contract for threat intelligence emergency response, applied to a second node, where the apparatus 1200 includes:
a creation module 1201, configured to create a smart contract according to the threat intelligence emergency response requirement;
and a publishing module 1202, configured to publish the smart contract onto the blockchain.
In an embodiment of the present application, one or more of the following are encapsulated in the smart contract:
a state, which is any one of: an enabled state, a disabled state, a frozen state, and an unfrozen state;
a transition rule, where the state of the smart contract is transitioned when the transition rule is satisfied;
a trigger condition, where the smart contract runs when the trigger condition is met;
a response operation, which is the action performed by a node in the blockchain network with respect to the threat intelligence information it obtains.
In the embodiment of the present application, the response operation corresponds to one or more of the following:
the type of the node in the blockchain network;
the level of the node in the blockchain network, which represents the level of the service or function provided by the node;
the type of the threat intelligence information.
In an embodiment of the present application, the type and/or level of a node in the blockchain network is determined based on one or more of the following: the type of application, protocol, operating system, data operated on, software run, or hardware carried by the node; the service provided by the node; and the functions of the node.
The apparatus provided in the embodiment of the present application may perform the method embodiment shown in fig. 7; the principles and technical effects are similar and are not described again here.
Referring to fig. 13, fig. 13 is a structural diagram of a second node applied in the embodiment of the present application, and as shown in fig. 13, a second node 1300 includes: a processor 1301, a transceiver 1302, a memory 1303 and a bus interface, wherein:
in one embodiment of the present application, the second node 1300 further comprises: a program stored on the memory 1303 and executable on the processor 1301, the program implementing the functions of the respective modules in the embodiment shown in fig. 12 when executed by the processor 1301.
In fig. 13, the bus architecture may include any number of interconnected buses and bridges, with one or more processors represented by processor 1301 and various circuits of memory represented by memory 1303 linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver 1302 may be a plurality of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium.
The processor 1301 is responsible for managing a bus architecture and general processing, and the memory 1303 may store data used by the processor 1301 in performing operations.
The second node provided in the embodiment of the present application may execute the method embodiment shown in fig. 7, which has similar implementation principles and technical effects, and this embodiment is not described herein again.
An embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the method embodiment shown in fig. 7 or fig. 8, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable hard disk, a compact disk, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a core network interface device. Of course, the processor and the storage medium may also reside as discrete components in a core network interface device.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The foregoing embodiments describe the objects, technical solutions and advantages of the present application in further detail. It should be understood that the above embodiments are only examples of the present application and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application should be included in the scope of the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (10)

1. A threat intelligence emergency response method, applied to a first node, characterized by comprising:
acquiring threat intelligence information;
running a smart contract to obtain a first state, where the first state is used to describe the result of the first node executing an emergency response operation; the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information;
writing the first state onto a blockchain.
2. The method according to claim 1, characterized in that running the smart contract to obtain the first state comprises:
matching a corresponding response operation in the smart contract according to the type of the threat intelligence information;
or, matching a corresponding response operation in the smart contract according to the type of the threat intelligence information and the information of the first node, where the information of the first node comprises: the type of the first node and/or the level of the first node;
and executing the response operation to obtain the first state.
3. The method according to claim 1, characterized in that writing the first state onto the blockchain comprises:
sending the first state to the other nodes in the blockchain besides the first node, so that the other nodes reach consensus on the first state;
and, if the first state passes consensus, writing the first state into the blockchain.
4. The method according to claim 1, 2 or 3, characterized in that the method further comprises:
creating the smart contract according to the threat intelligence emergency response requirement;
and publishing the smart contract onto the blockchain.
5. The method according to any one of claims 1 to 4, characterized in that one or more of the following are encapsulated in the smart contract:
a state, which is any one of: an enabled state, a disabled state, a frozen state, and an unfrozen state;
a transition rule, where the state of the smart contract is transitioned when the transition rule is satisfied;
a trigger condition, where the smart contract runs when the trigger condition is met;
a response operation, which is the action performed by a node in the blockchain network with respect to the threat intelligence information it obtains.
6. The method according to claim 5, characterized in that the response operation corresponds to one or more of the following:
the type of the node in the blockchain network;
the level of the node in the blockchain network;
the type of the threat intelligence information.
7. The method according to claim 6, characterized in that the type and/or level of a node in the blockchain network is determined based on one or more of the following: the type of application, protocol, operating system, data operated on, software run, or hardware carried by the node; the service provided by the node; and the functions of the node.
8. A threat intelligence emergency response apparatus, applied to a first node, characterized by comprising:
an acquisition module, configured to acquire threat intelligence information;
an execution module, configured to run a smart contract to obtain a first state, where the first state is used to describe the result of the first node executing an emergency response operation; the emergency response operation is preset in the smart contract and corresponds to the threat intelligence information;
and a publishing module, configured to write the first state onto a blockchain.
9. A first node, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, where the program, when executed by the processor, implements the steps of the threat intelligence emergency response method according to any one of claims 1 to 8.
10. A readable storage medium, characterized in that a program is stored thereon which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010751273.5A CN114095186A (en) 2020-07-30 2020-07-30 Threat information emergency response method and device
PCT/CN2021/104931 WO2022022248A1 (en) 2020-07-30 2021-07-07 Threat intelligence emergency response method and apparatus

Publications (1)

Publication Number Publication Date
CN114095186A true CN114095186A (en) 2022-02-25

Family

ID=80037479

Country Status (2)

Country Link
CN (1) CN114095186A (en)
WO (1) WO2022022248A1 (en)

Also Published As

Publication number Publication date
WO2022022248A1 (en) 2022-02-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220225