WO2022022361A1 - Threat intelligence application method and device - Google Patents


Publication number
WO2022022361A1
Authority
WO
WIPO (PCT)
Prior art keywords
threat intelligence
information
node
smart contract
application
Application number
PCT/CN2021/107639
Other languages
French (fr)
Chinese (zh)
Inventor
程叶霞
何申
顾宁伦
李伟
付俊
郭智慧
陈璨璨
胡古宇
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; gathering intelligence information for situation awareness or reconnaissance

Definitions

  • the present disclosure relates to the field of blockchain technology, and in particular, to an application method and device for threat intelligence.
  • each system is also independent of the others. On the one hand, a large amount of manual intervention is required to apply threat intelligence, and on the other hand, automatic issuance and linked application cannot be realized.
  • At least one embodiment of the present disclosure provides a threat intelligence application method and device, which utilizes the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, which can improve the efficiency of network security protection.
  • At least one embodiment provides a threat intelligence application method, applied to a first node, including:
  • the automatic screening status information output by the first smart contract and the information of the second node are written into the blockchain
  • running the second smart contract to automatically deliver the threat intelligence information to the second node, and writing the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism;
  • running the third smart contract and writing the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform a repair operation.
  • the running of the first smart contract to automatically filter out the second node includes:
  • the first device classification corresponding to the threat intelligence information and the nodes under the first device classification are determined so as to obtain the second node, and automatic screening status information indicating whether the device screening succeeded is output.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type, and file MD5 type;
  • the device classification includes a device type and/or a device level, wherein the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operating data category, operating software type and hardware type carried by the device, and the device level is obtained by classifying according to the level of the function or service performed by the device.
  • the running of the second smart contract to automatically deliver the threat intelligence information to the second node includes:
  • the threat intelligence information in the blockchain is sent to the second node, and delivery status information indicating whether the intelligence delivery succeeded is obtained.
  • the threat intelligence application status information is used to indicate whether the remediation is successfully performed based on the threat intelligence information.
  • the block body in the block on the blockchain includes the following information :
  • the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract, the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • At least one embodiment provides a threat intelligence application method, applied to a second node, including:
  • running a third smart contract to perform a repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
  • the threat intelligence application state information is written into the blockchain.
  • the executing a third smart contract to perform a repair operation corresponding to the threat intelligence information includes:
  • the repair operation corresponding to the threat intelligence information is determined and executed, and threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information is obtained.
  • the block body in the block of the blockchain includes the following information:
  • the threat intelligence information issued by the first node, and the threat intelligence application state information obtained by the second node after running the third smart contract to perform the repair operation are provided.
  • At least one embodiment provides a first node, including: an application layer module and a smart contract layer module, wherein the application layer module includes a threat intelligence application sub-module, and the smart contract layer module includes an automatic screening sub-module, an automatic distribution sub-module, and a linkage application and repair sub-module;
  • the threat intelligence application sub-module is used to obtain threat intelligence information
  • the automatic screening sub-module is used to run the first smart contract and automatically screen out the second node, the second node being the operated device to which the threat intelligence information needs to be delivered; and to write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain
  • the automatic distribution sub-module is used to run the second smart contract, automatically deliver the threat intelligence information to the second node, and, based on the consensus mechanism, write the delivery status information output by the second smart contract into the blockchain;
  • the linkage application and repair sub-module is used to run the third smart contract and write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform the repair operation.
  • the automatic screening sub-module is further configured to determine the device classification of the operated device, obtain the threat intelligence information in the blockchain, and determine the first intelligence type of the threat intelligence information; according to a preset correspondence between different intelligence types and device classifications, determine the first device classification corresponding to the threat intelligence information and the nodes under the first device classification, so as to obtain the second node; and output automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type, and file MD5 type;
  • the device classification includes a device type and/or a device level, wherein the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operating data category, operating software type and hardware type carried by the device, and the device level is obtained by classifying according to the level of the function or service performed by the device.
  • the automatic distribution sub-module is further configured to, when the automatic screening status information in the blockchain indicates that the device screening succeeded, deliver the threat intelligence information in the blockchain to the second node and obtain delivery status information indicating whether the intelligence delivery succeeded.
  • the threat intelligence application status information is used to indicate whether the remediation is successfully performed based on the threat intelligence information.
  • the block body in the block on the blockchain includes the following information :
  • the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract, the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • At least one embodiment provides a first node, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the aforementioned threat intelligence application method.
  • At least one embodiment provides a second node, which includes: an application layer module and a smart contract layer module, wherein the application layer module includes a threat intelligence application sub-module, and the smart contract layer module includes a linkage application and repair sub-module;
  • the threat intelligence application sub-module is used to obtain the threat intelligence information issued by the first node
  • the linkage application and repair sub-module is used to run a third smart contract, perform a repair operation corresponding to the threat intelligence information, and obtain the threat intelligence application status information output by the third smart contract; and, based on a consensus mechanism, write the threat intelligence application status information into the blockchain.
  • the linkage application and repair sub-module is further configured to determine and execute the repair operation corresponding to the threat intelligence information according to a preset correspondence between different threat intelligence items or intelligence types and repair operations, and to obtain threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information.
  • the block body in the block of the blockchain includes the following information:
  • the threat intelligence information issued by the first node, and the threat intelligence application state information obtained by the second node after running the third smart contract to perform the repair operation are provided.
  • At least one embodiment provides a second node comprising: a processor, a memory, and a program stored on the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the above-mentioned threat intelligence application method.
  • At least one embodiment provides a computer-readable storage medium, where a program is stored on the computer-readable storage medium, and when the program is executed by a processor, the steps of the above-mentioned method are implemented.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure solve the problems that threat intelligence information is held in isolation, that the various systems lack coordination, and that it is difficult for them to work together efficiently; they can realize the automatic issuance and linked application of threat intelligence, thereby improving the efficiency of network security protection.
  • the embodiments of the present disclosure can also timely and effectively perform linkage application and repair of the latest and most valuable threat intelligence information obtained or analyzed, so as to improve the application effect of threat intelligence, and can track the application situation of threat intelligence.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can also promote the continuous and effective development of the threat intelligence ecological closed loop.
  • FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present disclosure
  • FIG. 2 is a schematic diagram of logic between various nodes involved in a blockchain-based threat intelligence application according to an embodiment of the present disclosure
  • FIG. 3 is a schematic block structure diagram of a node of an operation manager according to an embodiment of the present disclosure
  • FIG. 4 is a schematic block structure diagram of a node of an operated device according to an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of a first node according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of a second node according to an embodiment of the present disclosure.
  • FIG. 7 is a flowchart when the method for applying threat intelligence according to an embodiment of the present disclosure is applied to a first node
  • FIG. 8 is a flowchart when the method for applying threat intelligence according to an embodiment of the present disclosure is applied to a second node
  • FIG. 9 is an interactive flowchart of a threat intelligence application method according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic diagram of the various smart contract methods for threat intelligence application according to an embodiment of the disclosure.
  • FIG. 11 is another schematic structural diagram of a first node according to an embodiment of the present disclosure.
  • FIG. 12 is another schematic structural diagram of a second node according to an embodiment of the present disclosure.
  • the embodiments of the present disclosure provide a blockchain-based threat intelligence application method and related equipment, which utilize blockchain technology to construct threat intelligence information and to automatically issue and apply threat intelligence in a linked manner.
  • the blockchain of the contract, so as to realize automatic screening, by the operation and maintenance administrator, of the application equipment, systems, infrastructure, etc. corresponding to different threat intelligence information, followed by the corresponding automatic distribution and then the linkage application and repair.
  • the blockchain corresponding to component 101 is a blockchain-based threat intelligence sharing chain.
  • the threat intelligence providers can be various professional threat intelligence manufacturers, antivirus manufacturers, advanced persistent threat (Advanced Persistent Threat, APT) manufacturers, detection product manufacturers, free intelligence alliances and other roles, and the threat intelligence users can be operators, financial institutions, energy institutions, industrial Internet institutions and other roles.
  • APT Advanced Persistent Threat
  • the blockchain corresponding to component 102 and component 103 is a blockchain-based threat intelligence application chain.
  • Threat intelligence users are the threat intelligence users described in component 101, that is, operators, financial institutions, energy institutions, industrial Internet institutions, etc., and their roles corresponding to components 102 and 103 are generally operations managers.
  • the latest threat intelligence information can be obtained directly or through correlation analysis; then, through the smart contract in the automatic screening sub-module of the blockchain-based threat intelligence application system, the latest threat intelligence information is used to screen the devices or systems to which the corresponding intelligence needs to be issued; the intelligence information is then issued to the screened devices or systems through the automatic distribution sub-module of the blockchain-based threat intelligence application system, and the corresponding linkage application and repair is performed.
  • FIG. 2 provides a schematic diagram of the logic among the various nodes involved in the blockchain-based threat intelligence application corresponding to the components 102 and 103 , wherein each node forms a point-to-point communication on a logical level.
  • Each node can be the equipment of the operation manager or the equipment to be operated.
  • the block header includes the hash value of the previous block, the Merkle root, a random number and a timestamp;
  • the block body includes the threat intelligence information, the automatic screening status information of the operated devices and the information of the operated devices screened out by the first smart contract, the delivery status information of the operated devices, and the threat intelligence application status information.
  • the threat intelligence information is the latest and complete threat intelligence obtained by the operation and maintenance administrator, which may include one or several types of information such as IP address information, domain name information, URL information, security event information and vulnerability information.
  • the threat intelligence information in this block can be obtained from the shared chain, or shared by other chains on the node, or written into the block by the first node of the operation manager.
  • the automatic screening status information of the operated device is the information related to the automatic screening status of the operated device corresponding to the threat intelligence application.
  • the information is obtained after the first smart contract is executed, and is used to indicate whether the device screening is successful, that is, whether the first smart contract is successfully executed.
  • the delivery status information of the operated device is the information related to the status of the threat intelligence delivery to the operated device in the threat intelligence application.
  • the information is obtained after the execution of the second smart contract, and is used to indicate whether the information is issued successfully or not, that is, whether the second smart contract is successfully executed.
  • Threat intelligence application status information is the information about the linked application and repair status of threat intelligence on the operated device. The information is obtained after the third smart contract is executed, and is used to indicate whether the application and repair are successfully performed based on the threat intelligence information, that is, whether the third smart contract is successfully executed.
  • the smart contract it runs is the third smart contract.
  • Its block includes a block header and a block body. Please refer to Figure 4 for the specific structure.
  • the block header includes the hash value, Merkle root, random number, and timestamp of the previous block; the block body includes threat intelligence information and threat intelligence application status information.
  • the threat intelligence information is the latest threat intelligence information that is automatically screened by the node of the operation manager and sent to the corresponding operated device. Specifically, it can be one or several types of threat intelligence information such as IP address information, domain name information, URL information, security event information and vulnerability information.
  • Threat intelligence application status information is the information about the linked application and repair status of threat intelligence on the operated device. The information is obtained after the third smart contract is executed, and is used to indicate whether the application and repair are successfully performed based on the threat intelligence information, that is, whether the third smart contract is successfully executed.
  • FIG. 5 provides a schematic structural diagram of a first node serving as an operation manager according to an embodiment of the present disclosure.
  • the first node includes three parts, namely: the underlying blockchain module 201, the smart contract layer module 202, and the application layer module 203, wherein:
  • the underlying blockchain module 201 is used to implement blockchain technology, including the consensus algorithm, block generation, etc., and to support and implement blockchain technology for all nodes of the threat intelligence application.
  • For more specific details of the implementation of blockchain technology, please refer to related technologies, which will not be repeated in this article.
  • the smart contract layer module 202 is used to implement a smart contract for threat intelligence applications.
  • This module includes three sub-modules, namely: an automatic screening sub-module 2021 for running the first smart contract, an automatic issuing sub-module 2022 for running the second smart contract, and a linkage application and repair sub-module 2023 for running the third smart contract; these sub-modules realize the deployment, execution, query, etc. of smart contracts.
  • the automatic screening sub-module 2021 is used to run the first smart contract to automatically screen out the second node, the second node is the operated device that needs to deliver the threat intelligence information;
  • the automatic screening status information output by the first smart contract and the information of the second node are written into the blockchain.
  • the automatic issuing sub-module 2022 is used to run the second smart contract, automatically issue the threat intelligence information to the second node, and, based on the consensus mechanism, write the issuing status information output by the second smart contract into the blockchain.
  • the linkage application and repair sub-module 2023 is used to run the third smart contract and write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform the repair operation.
  • the application layer module 203 is used to apply the threat intelligence in the blockchain.
  • This module includes a sub-module, that is, a blockchain-based threat intelligence application sub-module 2031, which is used to obtain threat intelligence information, so as to perform linkage application and repair of the threat intelligence information in the blockchain.
  • the automatic screening sub-module 2021 is also used to determine the device classification of the operated devices, obtain the threat intelligence information in the blockchain, and determine the first intelligence type of the threat intelligence information; according to the preset correspondence between intelligence types and device classifications, determine the first device classification corresponding to the threat intelligence information and the nodes under the first device classification, so as to obtain the second node; and output automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type and file MD5 type.
  • the device classification includes a device type and/or a device level, wherein the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operating data category, operating software type and hardware type carried by the device, and the device level may be obtained by classifying according to the level of the function or service performed by the device.
  • the automatic distribution sub-module 2022 is further configured to, when the automatic screening status information in the blockchain indicates that the device screening succeeded, distribute the threat intelligence information in the blockchain to the second node and obtain delivery status information indicating whether the information delivery succeeded.
  • the threat intelligence application state information is used to indicate whether the repair is successfully performed based on the threat intelligence information.
  • the block structure of the blockchain agreed by the first node includes: a block header and a block body; wherein the block header includes: the hash value of the previous block, the Merkle root, a random number and a timestamp.
  • the block body in the block on the blockchain includes the following information: the threat intelligence information to be issued obtained by the first node, the automatic screening status information output by the first smart contract and the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform a remediation operation.
  • FIG. 6 provides a schematic structural diagram of a second node of an operated device serving as threat intelligence according to an embodiment of the present disclosure.
  • the second node includes three parts, namely: the underlying blockchain module 301, the smart contract layer module 302, and the application layer module 303, wherein:
  • the underlying blockchain module 301 is used to implement blockchain technology, including the consensus algorithm, block generation, etc., to support and implement blockchain technology for all nodes of the threat intelligence application.
  • For more specific details of the implementation of blockchain technology, please refer to related technologies, which will not be repeated in this article.
  • the smart contract layer module 302 is used to realize the smart contract of the threat intelligence application.
  • This module includes a linkage application and repair sub-module 3023 for running the third smart contract, which can realize the deployment, execution, and query of smart contracts.
  • the linked application and repair sub-module 3023 is used to run the third smart contract, execute the repair operation corresponding to the threat intelligence information, and obtain the threat intelligence application status information output by the third smart contract;
  • the aforementioned threat intelligence application status information is written into the blockchain.
  • the application layer module 303 is used to apply the threat intelligence in the blockchain.
  • This module includes a sub-module, namely the blockchain-based threat intelligence application sub-module 3031, which is used to obtain the threat intelligence information issued by the first node, so as to perform linkage application and repair of the threat intelligence information in the blockchain.
  • the linkage application and repair sub-module is further configured to determine and execute the repair operation corresponding to the threat intelligence information according to the preset correspondence between different threat intelligence items or intelligence types and repair operations, and to obtain threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information.
  • the block structure of the blockchain includes: a block header and a block body; wherein, the block header includes: the hash value of the previous block, Merkle root, random number and time stamp.
  • the block body in the block of the blockchain includes the following information: the threat intelligence information issued by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • the application method of threat intelligence provided by the embodiment of the present disclosure when applied to the first node serving as an operation manager, includes:
  • Step 71 Obtain threat intelligence information.
  • Step 72 Run the first smart contract to automatically screen out a second node, where the second node is an operated device that needs to deliver the threat intelligence information.
  • Specifically, the first smart contract of the blockchain-based threat intelligence application for automatically screening operated devices is run, and the second node, i.e. the operated device to which the threat intelligence information needs to be issued, is screened out.
  • Step 73 based on the consensus mechanism, write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain.
  • Step 74 Run the second smart contract, automatically deliver the threat intelligence information to the second node, and write the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism.
  • Specifically, the second smart contract of the blockchain-based threat intelligence application for automatic issuing is run, the threat intelligence information is issued to the second node, and the issuing status information output by the second smart contract is written into the blockchain by consensus.
  • Step 75 Run a third smart contract, and write the threat intelligence application status information of the second node into the blockchain based on a consensus mechanism, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform the repair operation.
  • the embodiments of the present disclosure utilize the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, which can improve the efficiency of network security protection.
  • the running of the first smart contract to automatically screen out the second node may specifically include:
  • determining the device classification of the operated devices, obtaining the threat intelligence information in the blockchain and determining the first intelligence type of that information; and, according to the preset correspondence between different intelligence types and device classifications, determining the first device classification corresponding to the threat intelligence information and the nodes under that first device classification, thereby obtaining the second node, and outputting automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type and file MD5 type;
  • the device classification includes a device type and/or a device level, wherein the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, category of operated data, type of running software and hardware type carried by the device, and the device level is obtained by grading according to the level of the function or service performed by the device.
  • the running of the second smart contract to automatically deliver the threat intelligence information to the second node may specifically include: when the automatic screening status information in the blockchain indicates that the device screening succeeded, sending the threat intelligence information in the blockchain to the second node, and obtaining delivery status information indicating whether the intelligence delivery succeeded.
  • the threat intelligence application status information is specifically used to indicate whether the repair is successfully performed based on the threat intelligence information.
  • the block structure of the blockchain includes: a block header and a block body; wherein, the block header includes: the hash value of the previous block, Merkle root, random number and time stamp.
  • the block body in the block on the blockchain includes the following information: the threat intelligence information to be issued, obtained by the first node; the automatic screening status information output by the first smart contract and the information of the second node; the delivery status information output by the second smart contract; and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
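The block layout described in the two bullets above (a header carrying the previous block's hash, Merkle root, random number and timestamp; a body carrying the records of steps 71 to 75) is easy to model. The following is an added example, not code from the patent or its applicant; the record field names, the sample records and the choice of a Bitcoin-style Merkle tree (odd leaf duplicated) are assumptions made here for illustration.

```python
# Added example (not the patent's own code): a minimal model of the block
# structure described above. The header carries the previous block hash,
# Merkle root, random number (nonce) and timestamp; the body carries the
# records the first node writes after each smart contract runs. Record field
# names and the sample data are assumptions for illustration.
import copy
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    # Sorted-key compact JSON so every node hashes identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(records: list) -> str:
    """Merkle root over the body records; an odd last leaf is duplicated
    (Bitcoin-style tree, an assumption about the chain's layout)."""
    if not records:
        return sha256_hex(b"")
    level = [sha256_hex(canonical(r)) for r in records]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def block_hash(header: dict) -> str:
    return sha256_hex(canonical(header))


def make_block(prev_hash: str, records: list, nonce: int, timestamp: int) -> dict:
    header = {"prev_hash": prev_hash, "merkle_root": merkle_root(records),
              "nonce": nonce, "timestamp": timestamp}
    return {"header": header, "body": records}


def verify_chain(chain: list) -> bool:
    """Recompute every link: each body must match its Merkle root and each
    header must commit to the hash of the header before it."""
    prev = "0" * 64
    for blk in chain:
        if blk["header"]["merkle_root"] != merkle_root(blk["body"]):
            return False
        if blk["header"]["prev_hash"] != prev:
            return False
        prev = block_hash(blk["header"])
    return True


def build_example_chain() -> list:
    """Constructed records mirroring steps 71-75 (sample data, not real
    intelligence): the intel to be issued, then the screening and delivery
    status, then the second node's application status."""
    intel = {"type": "ip", "value": "198.51.100.23", "issuer": "first_node"}
    screening = {"step": "screening", "status": "success",
                 "second_nodes": ["fw-01", "ips-02"]}
    delivery = {"step": "delivery", "status": "success",
                "second_nodes": ["fw-01", "ips-02"]}
    application = {"step": "application", "node": "fw-01", "status": "success"}
    genesis = make_block("0" * 64, [intel], nonce=0, timestamp=1_700_000_000)
    b1 = make_block(block_hash(genesis["header"]), [screening, delivery],
                    nonce=1, timestamp=1_700_000_060)
    b2 = make_block(block_hash(b1["header"]), [application],
                    nonce=2, timestamp=1_700_000_120)
    return [genesis, b1, b2]


def tampered(chain: list) -> list:
    """Copy of the chain with one application status rewritten, to show the
    Merkle check catching an altered audit record."""
    bad = copy.deepcopy(chain)
    bad[2]["body"][0]["status"] = "failed"
    return bad


if __name__ == "__main__":
    chain = build_example_chain()
    print("valid chain:", verify_chain(chain))              # True
    print("tampered chain:", verify_chain(tampered(chain)))  # False
```

The hash chain only makes the application record tamper-evident relative to a head that the validating nodes agree on; a party that can rewrite every later block, or that is the sole writer, can recompute the links. That is why each status write in the method is described as happening "based on the consensus mechanism" rather than by the first node alone.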
  • the application method of threat intelligence provided by the embodiment of the present disclosure when applied to the second node serving as the operated device, includes:
  • Step 81: Obtain the threat intelligence information issued by the first node.
  • That is, the second node obtains the threat intelligence information issued by the first node, which is the operation manager.
  • Step 82: Run a third smart contract, perform the repair operation corresponding to the threat intelligence information, and obtain the threat intelligence application status information output by the third smart contract.
  • Step 83: Write the threat intelligence application status information into the blockchain based on the consensus mechanism.
  • the embodiments of the present disclosure utilize the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, and improve the efficiency of network security protection.
  • the running of the third smart contract to perform the repair operation corresponding to the threat intelligence information may specifically include: according to the preset correspondence between different threat intelligence (or intelligence types) and repair operations, determining and executing the repair operation corresponding to the threat intelligence information, and obtaining threat intelligence application status information indicating whether the repair operation based on the threat intelligence information succeeded.
  • the block structure of the blockchain includes: a block header and a block body; wherein, the block header includes: the hash value of the previous block, Merkle root, random number and time stamp.
  • the block body in the block of the blockchain includes the following information: the threat intelligence information issued by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • FIG. 9 further shows the interaction flow of the blockchain-based threat intelligence application method according to the embodiment of the present disclosure. As shown in FIG. 9 , the flow includes the following steps:
  • Step 901: The operation manager obtains the latest threat intelligence information and passes it to step 902.
  • Step 902: The first smart contract runs and screens out the devices or systems to which the intelligence must be distributed. That is, the output of step 901 is received, the smart contract is executed, and the operated devices are automatically screened.
  • Step 903: The automatic screening status information of the operated devices is fed back. That is, the output of step 902 is received and the automatic screening status information of the operated devices is returned.
  • Step 904: The automatic screening status information of the operated devices is written into the blockchain by consensus. That is, the output of step 903 is received and the automatic screening status information of the operated devices is written into the blockchain according to the blockchain's consensus mechanism.
  • Step 905: The second smart contract runs and sends the intelligence information to the selected devices or systems. That is, the output of step 904 is received, the smart contract is executed, and the threat intelligence information is delivered to the corresponding operated devices.
  • Step 906: The delivery status information of the operated devices is fed back. That is, the output of step 905 is received and the delivery status information of the operated devices is returned.
  • Step 907: The delivery status information of the operated devices is written into the blockchain by consensus. That is, the output of step 906 is received and the delivery status information of the operated devices is written into the blockchain according to the blockchain's consensus mechanism.
  • Step 908: The third smart contract runs and performs the corresponding linkage application and repair. That is, the output of step 907 is received and the threat intelligence linkage application and repair corresponding to the intelligence are performed.
  • Step 909: The latest threat intelligence application status information is fed back. That is, the output of step 908 is received and the latest threat intelligence application status information is returned.
  • Step 910: The threat intelligence application status information is written into the blockchain by consensus. That is, the output of step 909 is received and the threat intelligence application status information is written into the blockchain according to the blockchain's consensus mechanism.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure address the situation in which threat intelligence information is held in isolation and the individual systems lack coordination, making it difficult for them to cooperate and work efficiently.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure address the problem that related systems require considerable manual intervention and cannot realize automatic distribution and linkage application.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can carry out the linkage application and repair of the latest and most valuable threat intelligence information obtained or analyzed in a timely and effective manner, thereby enhancing the effect of threat intelligence application, and can track how threat intelligence has been applied.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can promote the continuous and effective development of a closed-loop threat intelligence ecosystem.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure have commercial application and promotion value.
  • FIG. 10 shows the principles of the several smart contracts used by the blockchain-based threat intelligence application in the embodiment of the present disclosure. Specifically:
  • Smart contracts encapsulate a number of predefined states and transition rules, the scenarios that trigger contract execution (such as reaching a specific time, the occurrence of a specific event, or the arrival of a specific threat intelligence type), and the response actions for specific scenarios (execution of a specific action or a specific response).
  • The blockchain can monitor the status of the smart contracts in real time, and activates and executes a contract after verifying the data source and confirming that the trigger conditions are met. The principle of each functional contract is introduced below from the first node side.
  • For the first smart contract (automatic device screening), the preset trigger condition is the acquired threat intelligence information.
  • The preset response rule states which devices a given type of threat intelligence information corresponds to. That is, the condition is the threat intelligence type or a specific piece of threat intelligence information, and the response is the operated device, or set of operated devices, corresponding to that threat intelligence information.
  • The method logic of the first smart contract is as follows.
  • the input of the first smart contract is data on the blockchain - threat intelligence information, that is, the latest threat intelligence information on the blockchain.
  • the internal logic operation and operation process of the first smart contract are as follows:
  • Step 1: the operated devices are classified and graded.
  • The specific classification and grading criteria can be based on the application type, protocol type, operating system type, category of operated data, type of running software, hardware type, and so on carried by the system or device.
  • Simple classification rules can be set, for instance the simplest criterion of classifying directly according to the type of software and hardware carried; or more complex ones, which classify by software and hardware type and at the same time grade the devices into level one, level two, level three and so on according to the services or functions they perform.
  • For example, the operated devices can be divided into operating systems, protocols, routers, switches, DNS servers, IDS, IPS, firewalls, and so on.
  • Step 2: the intelligence type is classified directly according to the kind of intelligence, into the IP class, domain name class, URL class, event class, vulnerability class, file MD5 class, and so on.
  • Step 3: the operated device, or set of operated devices, corresponding to the threat intelligence type is obtained.
  • The smart contract derives the type of device or system affected by the intelligence type (for example operating system, protocol, router, switch, DNS server, IDS, IPS, firewall and so on), then maps the operated devices against the obtained device or system type, and finally obtains the corresponding operated device or set of operated devices.
  • For example, for malicious URL type intelligence, the operated devices are aggregated as gateways, IDS or IPS.
  • For malicious domain type intelligence, the operated device is the DNS server.
  • For malicious IP type intelligence, the operated devices are aggregated as firewalls, IDS or IPS.
  • For vulnerability type intelligence, the operated devices are collected as the various network devices, or the affected assets and network element devices detected by scanners, and so on. In this way the affected operated devices are screened out automatically by the smart contract, which is the precondition for converting fully centralized command execution into targeted distributed command execution.
  • The output of the first smart contract is the automatic screening status of the operated devices together with the automatically screened operated device or set of operated devices, which are output to the blockchain.
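The screening logic of the first smart contract (classify the operated devices, classify the intelligence, map one to the other, report whether screening succeeded) in working form. This is an added example, not the patent's or the applicant's code: the type-to-device-class table follows the pairings given in the text (URL to gateway/IDS/IPS, domain to DNS server, IP to firewall/IDS/IPS, vulnerability to scanners and affected network elements); the file MD5 and event rows, the device inventory, the level threshold and every identifier are constructed here for illustration.

```python
# Added example (not the patent's own code): the first smart contract's
# screening logic. The URL/domain/IP/vulnerability rows follow the text; the
# file_md5 and event rows, the inventory and all identifiers are assumptions.
from dataclasses import dataclass
from typing import Dict, List

INTEL_TYPES = {"ip", "domain", "url", "event", "vulnerability", "file_md5"}

TYPE_TO_DEVICE_CLASSES: Dict[str, List[str]] = {
    "url": ["gateway", "ids", "ips"],
    "domain": ["dns_server"],
    "ip": ["firewall", "ids", "ips"],
    "vulnerability": ["scanner", "network_element"],
    "file_md5": ["ids", "ips"],   # assumption: file hashes go to detection rules
    "event": ["ids", "ips"],      # assumption
}


@dataclass(frozen=True)
class OperatedDevice:
    node_id: str
    device_type: str      # classification by function / software carried
    level: int            # device level; 1 = most critical (assumption)
    os_type: str = ""     # platform, used to narrow vulnerability intel


def screen_devices(intel: dict, inventory: List[OperatedDevice],
                   max_level: int = 3) -> dict:
    """First smart contract: choose the second nodes for one piece of intel.

    Returns the automatic screening status together with the selected node
    set; the first node writes this record to the chain under consensus.
    """
    itype = intel.get("type")
    if itype not in INTEL_TYPES:
        return {"status": "failed", "reason": f"unknown intel type {itype!r}",
                "second_nodes": []}
    classes = TYPE_TO_DEVICE_CLASSES[itype]
    selected = [d for d in inventory
                if d.device_type in classes and d.level <= max_level]
    # Vulnerability intel that names an affected platform is narrowed to that
    # platform (scanners always receive the new detection plug-in), so
    # unaffected network elements are never touched.
    affected = intel.get("affected_os")
    if itype == "vulnerability" and affected:
        selected = [d for d in selected
                    if d.device_type == "scanner" or d.os_type == affected]
    if not selected:
        return {"status": "failed", "reason": "no operated device matched",
                "second_nodes": []}
    return {"status": "success", "device_classes": classes,
            "second_nodes": sorted(d.node_id for d in selected)}


INVENTORY: List[OperatedDevice] = [   # constructed sample inventory
    OperatedDevice("fw-01", "firewall", 1),
    OperatedDevice("ips-02", "ips", 2),
    OperatedDevice("dns-03", "dns_server", 1),
    OperatedDevice("gw-04", "gateway", 2),
    OperatedDevice("ne-05", "network_element", 1, os_type="vendor_os_a"),
    OperatedDevice("ne-06", "network_element", 2, os_type="vendor_os_b"),
    OperatedDevice("scan-07", "scanner", 3),
]

if __name__ == "__main__":
    print(screen_devices({"type": "ip", "value": "198.51.100.23"}, INVENTORY))
    print(screen_devices({"type": "vulnerability", "value": "EXAMPLE-ADV-0001",
                          "affected_os": "vendor_os_a"}, INVENTORY))
    print(screen_devices({"type": "whois", "value": "x"}, INVENTORY))
```

The failure branches matter as much as the mapping: the second smart contract is only allowed to deliver when the screening status on the chain says success, so an unknown intelligence type or an empty match must produce an explicit failed record rather than an empty success.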
  • For the second smart contract (automatic delivery), the preset trigger condition is the screened set of operated devices, and the preset response is to issue the corresponding threat intelligence. That is, the condition is which operated devices, or which type of operated devices, were screened, and the response is the threat intelligence information.
  • The method logic of the second smart contract is as follows.
  • The input of the second smart contract is data on the blockchain, namely the screened operated devices.
  • The internal logic of the second smart contract is as follows: within the smart contract, the latest threat intelligence information on the blockchain is obtained and delivered to the screened operated devices.
  • The output of the second smart contract is the delivery status of the operated devices, which is output to the blockchain.
  • For the third smart contract (linkage application and repair), the preset trigger condition is the issued threat intelligence information.
  • The preset response rule states which repair operations and linkage response applications are performed for a given type of threat intelligence information. That is, the condition is the threat intelligence type or a specific piece of threat intelligence information, and the response is the linkage response application and repair operation corresponding to that threat intelligence information.
  • The method logic of the third smart contract is as follows.
  • the input of the third smart contract is the data on the blockchain - threat intelligence information, that is, the latest threat intelligence information on the blockchain.
  • the internal logical operation process of the third smart contract is as follows:
  • Step 1: the operated devices are classified and graded.
  • The specific classification and grading criteria can be based on the application type, protocol type, operating system type, category of operated data, type of running software, hardware type, and so on carried by the system or device.
  • For example, the operated devices can be divided into operating systems, protocols, routers, switches, DNS servers, IDS, IPS, firewalls, and so on.
  • Step 2: the intelligence type is classified directly according to the kind of intelligence, into the IP class, domain name class, URL class, event class, vulnerability class, file MD5 class, and so on.
  • Step 3: in the third smart contract, different responses are set for different types of intelligence information, specifically the linkage response application and repair operation corresponding to the threat intelligence. Based on the intelligence obtained, the contract can respond to network elements, security devices, early warning centers and so on. It can generate new security policies from the intelligence and deploy them to network elements and security devices; if necessary, it can also update the software version or modify the configuration of network elements and security devices. In this way, using the intelligence classification of step 2 above, the intelligence type serves as the condition and is paired with a response action; the response action is triggered and finally performed on the affected device or system type only, while other devices are not affected.
  • For malicious URL type intelligence, the intelligence can be applied to a gateway, which updates its security policy by adding the malicious URL to a filtering blacklist; it can also be applied to an IDS or IPS by updating the protection rules for the corresponding URL.
  • For malicious domain type intelligence, the intelligence can be applied to DNS servers, which update their configuration by blacklisting the malicious domain.
  • For malicious IP type intelligence, the intelligence can be applied to firewalls, which update their security policies to filter the malicious IP; it can also be applied to an IDS or IPS by updating the protection rules for the corresponding IP.
  • For vulnerability type intelligence, each network element device can fix the vulnerability by updating its software or hardware.
  • Detection plug-ins can then be pushed to scanners to detect the affected assets and network elements. In this way, the linkage response application and repair corresponding to the threat intelligence is realized.
  • The output of the third smart contract is the threat intelligence application status information, which is output to the blockchain.
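The response side of the third smart contract, as an added example that is not the patent's or the applicant's code. It turns each (intelligence type, device class) pair into a repair action following the pairings in the bullets above, validates the indicator before any policy is generated, and returns the threat intelligence application status record. The policy strings use a vendor-neutral placeholder syntax, the push function is a simulation standing in for a device management interface, and the validation rules (reject RFC 1918, loopback, link-local and multicast addresses; accept only http/https URLs) are this example's assumptions rather than anything the page specifies.

```python
# Added example (not the patent's own code): the third smart contract's
# response logic. Policy syntax, validation rules and the simulated push
# are assumptions; a real node would call the firewall/DNS/IDS management
# interface instead.
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://[^\s/?#]+[^\s]*$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
VULN_ID_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")   # advisory id (assumption)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_indicator(itype: str, value: str) -> bool:
    """Reject malformed or out-of-scope indicators before they become rules:
    an internal address from a bad feed must never reach a firewall policy."""
    try:
        if itype == "ip":
            addr = ipaddress.ip_address(value)
            if (addr.is_loopback or addr.is_link_local or addr.is_multicast
                    or addr.is_unspecified):
                return False
            return not any(addr in net for net in RFC1918)
        if itype == "domain":
            return bool(DOMAIN_RE.match(value))
        if itype == "url":
            return bool(URL_RE.match(value))
        if itype == "file_md5":
            return bool(MD5_RE.match(value))
        if itype == "vulnerability":
            return bool(VULN_ID_RE.match(value))
    except ValueError:
        return False
    return False


# Preset correspondence between intelligence type, device class and repair
# operation, following the pairings in the text. Event-type intel has no
# repair rule here, so it is reported as skipped rather than guessed.
RESPONSE_RULES: Dict[Tuple[str, str], Callable[[str], str]] = {
    ("ip", "firewall"): lambda v: f"policy deny src {v} dst any",
    ("ip", "ids"): lambda v: f"rule alert ip {v} -> any msg \"TI malicious IP\"",
    ("ip", "ips"): lambda v: f"rule drop ip {v} -> any msg \"TI malicious IP\"",
    ("domain", "dns_server"): lambda v: f"blacklist domain {v} sinkhole",
    ("url", "gateway"): lambda v: f"url-filter blacklist add {v}",
    ("url", "ids"): lambda v: f"rule alert http uri \"{v}\" msg \"TI malicious URL\"",
    ("url", "ips"): lambda v: f"rule drop http uri \"{v}\" msg \"TI malicious URL\"",
    ("file_md5", "ids"): lambda v: f"rule alert file md5 {v} msg \"TI malicious file\"",
    ("file_md5", "ips"): lambda v: f"rule drop file md5 {v} msg \"TI malicious file\"",
    ("vulnerability", "network_element"): lambda v: f"software update fix {v}",
    ("vulnerability", "scanner"): lambda v: f"plugin update detect {v}",
}


def apply_intel(intel: dict, device: dict,
                push: Callable[[str, str], bool]) -> dict:
    """Third smart contract on the second node: perform the repair operation
    for one piece of intel and return the application status record."""
    itype, value = intel.get("type"), intel.get("value", "")
    node, dev_class = device["node_id"], device["device_type"]
    rule = RESPONSE_RULES.get((itype, dev_class))
    if rule is None:
        # No response defined for this pairing: the device is left untouched.
        return {"node": node, "status": "skipped",
                "reason": f"no repair rule for {itype!r} on {dev_class!r}"}
    if not validate_indicator(itype, value):
        return {"node": node, "status": "failed",
                "reason": f"invalid {itype} indicator {value!r}"}
    policy = rule(value)
    ok = push(node, policy)
    return {"node": node, "status": "success" if ok else "failed",
            "policy": policy}


APPLIED: Dict[str, List[str]] = {}   # simulated device configuration store


def simulated_push(node: str, policy: str) -> bool:
    """Stand-in for the device management API; idempotent per policy line."""
    lines = APPLIED.setdefault(node, [])
    if policy not in lines:
        lines.append(policy)
    return True


if __name__ == "__main__":
    fw = {"node_id": "fw-01", "device_type": "firewall"}
    print(apply_intel({"type": "ip", "value": "198.51.100.23"}, fw, simulated_push))
    print(apply_intel({"type": "ip", "value": "10.0.0.5"}, fw, simulated_push))
    print(apply_intel({"type": "event", "value": "portscan"}, fw, simulated_push))
```

The validation step is the check a practitioner would insist on in an automated pipeline: once the contract can push policy to every firewall and DNS server that matched, a single malformed or over-broad indicator on the chain would be applied everywhere at once, so the indicator must be checked on the applying node and a rejection recorded as a failed application status rather than silently dropped.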
  • an embodiment of the present disclosure provides a schematic structural diagram of a first node 1100, including: a processor 1101, a transceiver 1102, a memory 1103, and a bus interface, wherein:
  • the first node 1100 further includes: a program stored on the memory 1103 and executable on the processor 1101, the program implements the following steps when executed by the processor 1101:
  • Obtaining threat intelligence information; running the first smart contract to automatically screen out the second node, the second node being the operated device to which the threat intelligence information needs to be delivered; and, based on the consensus mechanism, writing the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
  • Running the second smart contract, automatically delivering the threat intelligence information to the second node, and writing the delivery status information output by the second smart contract into the blockchain based on the consensus mechanism;
  • Running the third smart contract and writing the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is the information obtained after the second node runs the third smart contract to perform the repair operation.
  • the bus architecture may include any number of interconnected buses and bridges, in particular one or more processors represented by processor 1101 and various circuits of memory represented by memory 1103 linked together.
  • the bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein.
  • the bus interface provides the interface.
  • Transceiver 1102 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other devices over a transmission medium.
  • the processor 1101 is responsible for managing the bus architecture and general processing, and the memory 1103 may store data used by the processor 1101 in performing operations.
  • the node in this embodiment corresponds to the method shown in FIG. 7; the implementations in the above embodiments all apply to this node embodiment and achieve the same technical effect.
  • the transceiver 1102 and the memory 1103, as well as the transceiver 1102 and the processor 1101, can be communicatively connected through the bus interface; the functions of the processor 1101 can also be realized by the transceiver 1102, and the functions of the transceiver 1102 can also be realized by the processor 1101.
  • a computer-readable storage medium on which a program is stored, and when the program is executed by a processor, the following steps are implemented:
  • Obtaining threat intelligence information; running the first smart contract to automatically screen out the second node, the second node being the operated device to which the threat intelligence information needs to be delivered; and, based on the consensus mechanism, writing the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
  • Running the second smart contract, automatically delivering the threat intelligence information to the second node, and writing the delivery status information output by the second smart contract into the blockchain based on the consensus mechanism;
  • Running the third smart contract and writing the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is the information obtained after the second node runs the third smart contract to perform the repair operation.
  • an embodiment of the present disclosure provides a schematic structural diagram of a second node 1200, including: a processor 1201, a transceiver 1202, a memory 1203, and a bus interface, wherein:
  • the second node 1200 further includes: a program stored on the memory 1203 and executable on the processor 1201, the program implements the following steps when executed by the processor 1201:
  • Obtaining the threat intelligence information issued by the first node; running a third smart contract, performing the repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
  • Writing the threat intelligence application status information into the blockchain based on the consensus mechanism.
  • the bus architecture may include any number of interconnected buses and bridges, specifically one or more processors represented by processor 1201 and various circuits of memory represented by memory 1203 linked together.
  • the bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein.
  • the bus interface provides the interface.
  • Transceiver 1202 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other devices over a transmission medium.
  • the processor 1201 is responsible for managing the bus architecture and general processing, and the memory 1203 may store data used by the processor 1201 in performing operations.
  • the node in this embodiment corresponds to the method shown in FIG. 8; the implementations in the above embodiments all apply to this node embodiment and achieve the same technical effect.
  • the transceiver 1202 and the memory 1203, as well as the transceiver 1202 and the processor 1201, can be communicatively connected through the bus interface; the functions of the processor 1201 can also be realized by the transceiver 1202, and the functions of the transceiver 1202 can also be realized by the processor 1201.
  • a computer-readable storage medium on which a program is stored, and when the program is executed by a processor, the following steps are implemented:
  • Obtaining the threat intelligence information issued by the first node; running a third smart contract, performing the repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
  • Writing the threat intelligence application status information into the blockchain based on the consensus mechanism.
  • the disclosed apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical functional division; in actual implementation there may be other ways of dividing them.
  • multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present disclosure.
  • each functional unit in each embodiment of the present disclosure may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium. On this understanding, the technical solutions of the present disclosure in essence, or the parts that contribute over the prior art, or parts of the technical solutions, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the various embodiments of the present disclosure.
  • the aforementioned storage medium includes a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, or any other medium that can store program code.
  • modules, units, sub-modules, sub-units and the like can be implemented in one or more Application Specific Integrated Circuits (ASIC), Digital Signal Processors (DSP), DSP Devices (DSPD), Programmable Logic Devices (PLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions described in this disclosure, or combinations thereof.

Abstract

Provided are a threat intelligence application method and device. The method comprises: acquiring threat intelligence information; running a first smart contract, and automatically screening out a second node, wherein the second node is an operated device to which the threat intelligence information needs to be issued; on the basis of a consensus mechanism, writing, into a blockchain, automatic screening state information, which is output from the first smart contract, and information of the second node; running a second smart contract, automatically issuing the threat intelligence information to the second node, and on the basis of the consensus mechanism, writing, into the blockchain, issuing state information which is output from the second smart contract; and running a third smart contract, and on the basis of the consensus mechanism, writing threat intelligence application state information of the second node into the blockchain.

Description

威胁情报的应用方法及设备Threat intelligence application method and device
相关申请的交叉引用CROSS-REFERENCE TO RELATED APPLICATIONS
本申请主张在2020年7月30日在中国提交的中国专利申请号No.202010754576.2的优先权,其全部内容通过引用包含于此。This application claims priority to Chinese Patent Application No. 202010754576.2 filed in China on Jul. 30, 2020, the entire contents of which are incorporated herein by reference.
技术领域technical field
本公开涉及区块链技术领域,具体涉及威胁情报的应用方法及设备。The present disclosure relates to the field of blockchain technology, and in particular, to an application method and device for threat intelligence.
背景技术Background technique
随着计算机和网络技术的快速发展,各种网络安全事件频繁发生,新漏洞层出不穷,催生出大量新的安全风险,对网络安全和业务安全造成严重威胁。传统网络安全模式,安全防护各自为营,各项信息相对孤立,网络安全防护已落后于攻击技术发展。安全子系统相互独立,容易造成孤岛效应。各个系统缺乏协同,难以协同、高效工作。尤其是涉及跨行业、跨组织、跨地域时,更是如此,问题更加突出。With the rapid development of computer and network technologies, various network security incidents occur frequently, and new vulnerabilities emerge one after another, giving rise to a large number of new security risks, posing serious threats to network security and business security. In the traditional network security model, security protection is independent, and various information is relatively isolated, and network security protection has lagged behind the development of attack technology. The security subsystems are independent of each other, which is easy to cause the island effect. Various systems lack coordination, making it difficult to work collaboratively and efficiently. This is especially true when it involves cross-industry, cross-organization, and cross-region, and the problem is more prominent.
在威胁情报的下发与应用方面,各个系统之间也是相互独立,一方面需要较大的人工介入进行威胁情报的应用,另一方面无法实现自动化下发与联动应用。In terms of the issuance and application of threat intelligence, each system is also independent of each other. On the one hand, large manual intervention is required for the application of threat intelligence, and on the other hand, automatic issuance and linkage application cannot be realized.
因此,威胁情报信息的自动化下发与联动应用亟需解决,以提升网络安全防护的效率及效果,利于整个威胁情报生态的闭环持续有效开展。Therefore, the automatic distribution and linkage application of threat intelligence information needs to be solved urgently to improve the efficiency and effect of network security protection, which is conducive to the continuous and effective development of the closed loop of the entire threat intelligence ecosystem.
发明内容SUMMARY OF THE INVENTION
本公开的至少一个实施例提供了一种威胁情报的应用方法及设备,利用区块链技术及其智能合约,实现威胁情报的自动化下发与联动应用,能够提高网络安全防护的效率。At least one embodiment of the present disclosure provides a threat intelligence application method and device, which utilizes the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, which can improve the efficiency of network security protection.
根据本公开的一个方面,至少一个实施例提供了一种威胁情报的应用方法,应用于第一节点,包括:According to one aspect of the present disclosure, at least one embodiment provides a threat intelligence application method, applied to a first node, including:
获取威胁情报信息;Obtain threat intelligence information;
运行第一智能合约,自动筛选出第二节点,所述第二节点为需要下发所述威胁情报信息的被运营设备;Running the first smart contract to automatically screen out the second node, where the second node is the operated device that needs to deliver the threat intelligence information;
基于共识机制,将所述第一智能合约输出的自动筛选状态信息以及所述第二节点的信息写入区块链中;Based on the consensus mechanism, the automatic screening status information output by the first smart contract and the information of the second node are written into the blockchain;
运行第二智能合约,将所述威胁情报信息自动下发到所述第二节点,并基于共识机制,将所述第二智能合约输出的下发状态信息写入到区块链中;Running the second smart contract, automatically delivering the threat intelligence information to the second node, and writing the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism;
运行第三智能合约,基于共识机制将所述第二节点的威胁情报应用状态信息写入区块链中,其中,所述威胁情报应用状态信息是:所述第二节点在运行第三智能合约执行修复操作后得到的信息。Run the third smart contract, and write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is: the second node is running the third smart contract Information obtained after performing a repair operation.
In addition, according to at least one embodiment of the present disclosure, running the first smart contract to automatically screen out the second node includes:
determining the device classification of the operated devices, obtaining the threat intelligence information in the blockchain, and determining a first intelligence type of the threat intelligence information;
according to a preset correspondence between intelligence types and device classifications, determining a first device classification corresponding to the threat intelligence information and the nodes under that first device classification, thereby obtaining the second node, and outputting automatic screening status information indicating whether the device screening succeeded.
In addition, according to at least one embodiment of the present disclosure, the intelligence type includes at least one of the following: IP, domain name, URL, event, vulnerability and file MD5;
the device classification includes a device type and/or a device level, where the device type is obtained by dividing devices according to at least one of the application type, protocol type, operating system type, category of data operated, type of software run and hardware type carried by the device, and the device level is obtained by dividing devices according to the level of the function or service the device performs.
In addition, according to at least one embodiment of the present disclosure, running the second smart contract to automatically deliver the threat intelligence information to the second node includes:
when the automatic screening status information in the blockchain indicates that the device screening succeeded, delivering the threat intelligence information in the blockchain to the second node and obtaining delivery status information indicating whether the intelligence delivery succeeded.
In addition, according to at least one embodiment of the present disclosure, the threat intelligence application status information indicates whether a repair was successfully performed based on the threat intelligence information.
In addition, according to at least one embodiment of the present disclosure, after the threat intelligence application status information of the second node is written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain includes the following information:
the threat intelligence information to be delivered that was obtained by the first node, the automatic screening status information output by the first smart contract together with the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
According to one aspect of the present disclosure, at least one embodiment provides a threat intelligence application method applied to a second node, including:
obtaining the threat intelligence information delivered by the first node;
running a third smart contract to perform the repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
based on a consensus mechanism, writing the threat intelligence application status information into the blockchain.
In addition, according to at least one embodiment of the present disclosure, running the third smart contract to perform the repair operation corresponding to the threat intelligence information includes:
according to a preset correspondence between threat intelligence (or intelligence types) and repair operations, determining and executing the repair operation corresponding to the threat intelligence information, and obtaining threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information.
In addition, according to at least one embodiment of the present disclosure, after the threat intelligence application status information is written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain includes the following information:
the threat intelligence information delivered by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
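The following is an added example, not code from the patent, that models the three-contract flow of the first-node method and the second-node method above in one in-memory run: the first contract maps the intelligence type to a device classification and screens the inventory, the second contract delivers only when the recorded screening status is successful, and the third contract, run per operated device, maps the intelligence type to a repair operation and reports whether it succeeded. Every status transition is appended to a list standing in for the block bodies. The device inventory, the type-to-device table, the repair table, the `unreachable` device and the package name used as the vulnerability indicator are all constructed assumptions; the page lists file MD5 as an indicator class, and the example keys quarantine on whatever hash string the intelligence carries (MD5 is collision-prone, so a real feed would carry SHA-256 alongside it).

```python
"""Toy, in-memory model of the first/second/third smart contract flow.

Added example, not the patent's code. The inventory, the two lookup
tables and the failure cases below are constructed assumptions.
"""
import copy

# Constructed inventory of operated devices (assumption). "type" and "level"
# are the device classification the first contract filters on.
INVENTORY = [
    {"name": "fw-edge-1", "type": "firewall", "level": "core"},
    {"name": "dns-res-1", "type": "dns", "level": "core"},
    {"name": "proxy-1", "type": "proxy", "level": "edge"},
    {"name": "web-01", "type": "linux-web", "level": "service", "installed": {"pkg-a": "1.0"}},
    {"name": "web-02", "type": "linux-web", "level": "service", "unreachable": True},
    {"name": "ws-1", "type": "endpoint", "level": "user"},
]

# Assumed preset correspondence: intelligence type -> device types that can act on it.
TYPE_TO_DEVICE_TYPES = {
    "ip": {"firewall"},
    "domain": {"dns", "proxy"},
    "url": {"proxy"},
    "vuln": {"linux-web"},
    "md5": {"endpoint"},
    "event": {"firewall", "proxy"},
}

LEDGER = []  # append-only records standing in for the block bodies


def contract1_screen(intel, inventory):
    """First contract: select nodes whose device type matches the intel type."""
    wanted = TYPE_TO_DEVICE_TYPES.get(intel["type"], set())
    nodes = [d["name"] for d in inventory if d["type"] in wanted]
    status = "screen_ok" if nodes else "screen_failed"
    LEDGER.append({"intel": intel, "screen_status": status, "nodes": nodes})
    return status, nodes


def contract2_deliver(intel, nodes, inventory):
    """Second contract: deliver only if the ledger records a successful screening."""
    last = LEDGER[-1]
    if last["intel"] is not intel or last["screen_status"] != "screen_ok":
        LEDGER.append({"intel": intel, "deliver_status": "deliver_skipped"})
        return "deliver_skipped", {}
    by_name = {d["name"]: d for d in inventory}
    per_node = {}
    for n in nodes:
        dev = by_name[n]
        if dev.get("unreachable"):  # constructed transport failure
            per_node[n] = "deliver_failed"
        else:
            dev.setdefault("inbox", []).append(intel)
            per_node[n] = "deliver_ok"
    status = "deliver_ok" if all(v == "deliver_ok" for v in per_node.values()) else "deliver_partial"
    LEDGER.append({"intel": intel, "deliver_status": status, "per_node": per_node})
    return status, per_node


def contract3_repair(device, intel):
    """Third contract on the operated device: intel type -> repair, report success."""
    t, v = intel["type"], intel["value"]
    ok = True
    if t == "ip":
        device.setdefault("deny_ips", set()).add(v)
    elif t in ("domain", "url"):
        device.setdefault("blocklist", set()).add(v)
    elif t == "vuln":
        ok = v in device.get("installed", {})  # can only patch what is installed
        if ok:
            device["installed"][v] = "patched"
    elif t == "md5":
        device.setdefault("quarantine_hashes", set()).add(v)
    elif t == "event":
        device.setdefault("alerts", []).append(v)
    else:
        ok = False  # no repair defined for this type
    status = "apply_ok" if ok else "apply_failed"
    LEDGER.append({"intel": intel, "node": device["name"], "apply_status": status})
    return status


def run_pipeline(intel, inventory=None):
    """First node screens and delivers; each reachable second node repairs."""
    inventory = inventory if inventory is not None else copy.deepcopy(INVENTORY)
    s_status, nodes = contract1_screen(intel, inventory)
    d_status, per_node = contract2_deliver(intel, nodes, inventory)
    by_name = {d["name"]: d for d in inventory}
    applied = {n: contract3_repair(by_name[n], intel)
               for n, st in per_node.items() if st == "deliver_ok"}
    return {"screen": s_status, "deliver": d_status, "apply": applied}


if __name__ == "__main__":
    print(run_pipeline({"type": "ip", "value": "203.0.113.7"}))
    print(run_pipeline({"type": "vuln", "value": "pkg-a"}))
    for rec in LEDGER:
        print(rec)
```

The gate in `contract2_deliver` is the point the page makes about the second contract: delivery is conditional on the screening status already recorded, not on the caller's say-so. A partial delivery and a repair that cannot be applied both land in the ledger as explicit failure states, which is what lets the application of an indicator be tracked afterwards.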
According to one aspect of the present disclosure, at least one embodiment provides a first node including an application layer module and a smart contract layer module, where the application layer module includes a threat intelligence application sub-module, and the smart contract layer module includes an automatic screening sub-module, an automatic delivery sub-module, and a coordinated application and repair sub-module;
the threat intelligence application sub-module is configured to obtain threat intelligence information;
the automatic screening sub-module is configured to run the first smart contract to automatically screen out the second node, where the second node is an operated device to which the threat intelligence information needs to be delivered, and to write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
the automatic delivery sub-module is configured to run the second smart contract to automatically deliver the threat intelligence information to the second node and, based on the consensus mechanism, to write the delivery status information output by the second smart contract into the blockchain;
the coordinated application and repair sub-module is configured to run the third smart contract and, based on the consensus mechanism, to write the threat intelligence application status information of the second node into the blockchain, where the threat intelligence application status information is the information obtained after the second node runs the third smart contract to perform the repair operation.
In addition, according to at least one embodiment of the present disclosure, the automatic screening sub-module is further configured to determine the device classification of the operated devices, obtain the threat intelligence information in the blockchain and determine the first intelligence type of the threat intelligence information; and, according to the preset correspondence between intelligence types and device classifications, to determine the first device classification corresponding to the threat intelligence information and the nodes under that first device classification, thereby obtaining the second node, and to output automatic screening status information indicating whether the device screening succeeded.
In addition, according to at least one embodiment of the present disclosure, the intelligence type includes at least one of the following: IP, domain name, URL, event, vulnerability and file MD5;
the device classification includes a device type and/or a device level, where the device type is obtained by dividing devices according to at least one of the application type, protocol type, operating system type, category of data operated, type of software run and hardware type carried by the device, and the device level is obtained by dividing devices according to the level of the function or service the device performs.
In addition, according to at least one embodiment of the present disclosure, the automatic delivery sub-module is further configured to, when the automatic screening status information in the blockchain indicates that the device screening succeeded, deliver the threat intelligence information in the blockchain to the second node and obtain delivery status information indicating whether the intelligence delivery succeeded.
In addition, according to at least one embodiment of the present disclosure, the threat intelligence application status information indicates whether a repair was successfully performed based on the threat intelligence information.
In addition, according to at least one embodiment of the present disclosure, after the threat intelligence application status information of the second node is written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain includes the following information:
the threat intelligence information to be delivered that was obtained by the first node, the automatic screening status information output by the first smart contract together with the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
According to one aspect of the present disclosure, at least one embodiment provides a first node including a processor, a memory, and a program stored on the memory and executable on the processor, where the program, when executed by the processor, implements the steps of the threat intelligence application method described above.
According to one aspect of the present disclosure, at least one embodiment provides a second node including an application layer module and a smart contract layer module, where the application layer module includes a threat intelligence application sub-module and the smart contract layer module includes a coordinated application and repair sub-module;
the threat intelligence application sub-module is configured to obtain the threat intelligence information delivered by the first node;
the coordinated application and repair sub-module is configured to run the third smart contract to perform the repair operation corresponding to the threat intelligence information, to obtain the threat intelligence application status information output by the third smart contract, and, based on the consensus mechanism, to write the threat intelligence application status information into the blockchain.
In addition, according to at least one embodiment of the present disclosure, the coordinated application and repair sub-module is further configured to, according to the preset correspondence between threat intelligence (or intelligence types) and repair operations, determine and execute the repair operation corresponding to the threat intelligence information, and obtain threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information.
In addition, according to at least one embodiment of the present disclosure, after the threat intelligence application status information is written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain includes the following information:
the threat intelligence information delivered by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
According to another aspect of the present disclosure, at least one embodiment provides a second node including a processor, a memory, and a program stored on the memory and executable on the processor, where the program, when executed by the processor, implements the steps of the threat intelligence application method described above.
According to another aspect of the present disclosure, at least one embodiment provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, it implements the steps of the method described above.
As can be seen from the above, the embodiments of the present disclosure have at least the following advantages:
The blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure address the problems that threat intelligence information is held in isolation and that the various systems lack coordination and find it difficult to work together efficiently; they automate the delivery and coordinated application of threat intelligence and improve the efficiency of network security protection. In addition, the embodiments can promptly and effectively apply and remediate against the latest and most valuable threat intelligence obtained or derived by analysis, which improves the effect of threat intelligence application, and the application of the intelligence can be tracked. The method and device can also help the threat intelligence ecosystem keep operating effectively as a closed loop.
Description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present disclosure. The same reference numerals denote the same components throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present disclosure;
FIG. 2 is a logical schematic diagram of the nodes involved in the blockchain-based threat intelligence application of an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the block structure of the operation manager's node provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of the block structure of an operated device's node provided by an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of the first node provided by an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of the second node provided by an embodiment of the present disclosure;
FIG. 7 is a flowchart of the threat intelligence application method of an embodiment of the present disclosure as applied to the first node;
FIG. 8 is a flowchart of the threat intelligence application method of an embodiment of the present disclosure as applied to the second node;
FIG. 9 is an interaction flowchart of the threat intelligence application method of an embodiment of the present disclosure;
FIG. 10 is a schematic diagram of the principles of the various smart contract methods for threat intelligence application of an embodiment of the present disclosure;
FIG. 11 is another schematic structural diagram of the first node provided by an embodiment of the present disclosure;
FIG. 12 is another schematic structural diagram of the second node provided by an embodiment of the present disclosure.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
The terms "first", "second" and the like in the description and claims of this application are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of this application described here can, for example, be practised in orders other than those illustrated or described. Furthermore, the terms "comprising" and "having", and any variations of them, are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device. In the description and claims, "and/or" means at least one of the connected objects.
The following description provides examples and does not limit the scope, applicability or configuration set forth in the claims. Changes may be made to the function and arrangement of the elements discussed without departing from the spirit and scope of the present disclosure. Various examples may omit, substitute or add procedures or components as appropriate. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted or combined. Features described with reference to some examples may also be combined in other examples.
As described in the background, in the related art threat intelligence information is held in isolation, the various systems lack coordination and find it difficult to work together efficiently, and the systems involved require substantial manual intervention, so automated delivery and coordinated application cannot be achieved; as a result, threat intelligence is applied with low effect and its application cannot be tracked. To solve at least one of these problems, the embodiments of the present disclosure provide a blockchain-based threat intelligence application method and related devices. Blockchain technology is used to build a chain that carries the threat intelligence information together with the smart contracts for automated delivery and coordinated application of that intelligence, so that the operation and maintenance administrator can automatically screen the application devices, systems and infrastructure corresponding to each item of threat intelligence, automatically deliver the intelligence to them, and then carry out coordinated application and repair.
Before the blockchain-based threat intelligence application method and device are introduced, their application scenario is explained with reference to FIG. 1, which shows the corresponding devices and systems. The blockchain corresponding to component 101 is a blockchain-based threat intelligence sharing chain. Here, threat intelligence providers may be professional threat intelligence vendors, anti-virus vendors, anti-Advanced Persistent Threat (APT) vendors, detection product vendors, free intelligence alliances and similar roles, and threat intelligence users may be telecom operators, financial institutions, energy organisations, industrial Internet organisations and similar roles.
The blockchain corresponding to components 102 and 103 is a blockchain-based threat intelligence application chain. The threat intelligence users are those described for component 101, that is, telecom operators, financial institutions, energy organisations, industrial Internet organisations and so on; their role in components 102 and 103 is generally that of the operation manager. Through the threat intelligence sharing system of component 101 the operation manager can obtain the latest threat intelligence directly, or derive it through correlation analysis. The smart contract in the automatic screening sub-module of the blockchain-based threat intelligence application system then screens out the devices or systems to which each item of the latest threat intelligence needs to be delivered; the automatic delivery sub-module of that system delivers the intelligence to the screened-out devices or systems; and the corresponding coordinated application and repair is then carried out.
FIG. 2 is a logical schematic diagram of the nodes involved in the blockchain-based threat intelligence application corresponding to components 102 and 103, in which the nodes communicate point to point at the logical level. Each node may be an operation manager's device, an operated device, or similar.
Next, the blockchain and smart contracts of each running node in the blockchain-based threat intelligence application system of the embodiments of the present disclosure are introduced.
First, a running node in the role of operation manager runs three smart contracts: the operated-device automatic screening smart contract of the blockchain-based threat intelligence application (for brevity also called the first smart contract here), the automatic delivery smart contract of the blockchain-based threat intelligence application (also called the second smart contract), and the coordinated application and repair smart contract of the blockchain-based threat intelligence application (also called the third smart contract). Its block consists of a block header and a block body; see FIG. 3 for the specific structure.
As shown in FIG. 3, the block header includes the hash of the previous block, the Merkle root, a nonce (random number) and a timestamp; the block body includes the threat intelligence information, the automatic screening status information of the operated devices together with the information of the operated devices screened out by the first smart contract, the delivery status information of the operated devices, and the threat intelligence application status information.
The threat intelligence information is the latest full set of threat intelligence obtained by the operation and maintenance administrator and may include one or more types of information such as IP address information, domain name information, URL information, security event information and vulnerability information. The threat intelligence information in the block may be obtained from the sharing chain, shared onto the node from other chains, or written into the block by the operation manager's first node.
The automatic screening status information of the operated devices is the information on the automatic screening status of the operated devices for the threat intelligence application. It is obtained after the first smart contract executes and indicates whether the device screening succeeded, that is, whether the first smart contract executed successfully.
The delivery status information of the operated devices is the information on the status of delivering the threat intelligence of the threat intelligence application to the operated devices. It is obtained after the second smart contract executes and indicates whether the intelligence delivery succeeded, that is, whether the second smart contract executed successfully.
The threat intelligence application status information is the information on the status of the coordinated application and repair of the threat intelligence on the operated devices. It is obtained after the third smart contract executes and indicates whether application and repair were successfully performed based on the threat intelligence information, that is, whether the third smart contract executed successfully.
Second, a running node in the role of operated device runs the third smart contract. Its block consists of a block header and a block body; see FIG. 4 for the specific structure.
As shown in FIG. 4, the block header consists of the hash of the previous block, the Merkle root, a nonce (random number) and a timestamp; the block body includes the threat intelligence information and the threat intelligence application status information.
The threat intelligence information is the latest threat intelligence that the operation manager's node automatically screened and delivered to the corresponding operated device; specifically, it may be one or more of IP address information, domain name information, URL information, security event information and vulnerability information.
The threat intelligence application status information is the information on the status of the coordinated application and repair of the threat intelligence on the operated device. It is obtained after the third smart contract executes and indicates whether application and repair were successfully performed based on the threat intelligence information, that is, whether the third smart contract executed successfully.
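The block layout of FIG. 3 and FIG. 4, as an added example that is not the patent's code: the header carries the previous block's hash, a Merkle root over the body records, a nonce and a timestamp, and a verifier recomputes both the Merkle root and the hash link, so that a status record rewritten after the fact (for example an `apply_failed` turned into `apply_ok`, or the reverse) is detected. The field names, the canonical-JSON serialisation, SHA-256 as the hash, the fixed nonces and timestamps, and the decision to put a manager-node block and a device-node block on one chain are all assumptions made for the example; consensus is out of scope here, the block just shows what the nodes agree on.

```python
"""Hash-linked blocks with a Merkle root over the body records.

Added example, not code from the patent. Serialisation, field names and the
sample records are constructed assumptions.
"""
import hashlib
import json


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canon(obj) -> bytes:
    # Canonical JSON so every node hashes identical bytes for the same record.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(records) -> str:
    """Binary Merkle tree over the body records; odd levels duplicate the last node."""
    if not records:
        return _h(b"")
    level = [_h(canon(r)) for r in records]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_h((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


def make_block(prev_hash, body, nonce, timestamp):
    header = {"prev_hash": prev_hash, "merkle_root": merkle_root(body),
              "nonce": nonce, "timestamp": timestamp}
    return {"header": header, "body": body}


def block_hash(block) -> str:
    # The next block links to the hash of this header, which commits to the body.
    return _h(canon(block["header"]))


def verify_chain(chain) -> bool:
    """Recompute each Merkle root from the body and check every prev_hash link."""
    prev = "0" * 64
    for blk in chain:
        hdr = blk["header"]
        if hdr["prev_hash"] != prev or hdr["merkle_root"] != merkle_root(blk["body"]):
            return False
        prev = block_hash(blk)
    return True


def sample_chain():
    """Constructed records shaped like FIG. 3 (manager node) then FIG. 4 (device node)."""
    intel = {"type": "ip", "value": "203.0.113.7"}
    manager_body = [
        {"threat_intel": intel},
        {"screen_status": "screen_ok", "nodes": ["fw-edge-1"]},
        {"deliver_status": "deliver_ok", "per_node": {"fw-edge-1": "deliver_ok"}},
        {"node": "fw-edge-1", "apply_status": "apply_ok"},
    ]
    device_body = [
        {"threat_intel": intel},
        {"node": "fw-edge-1", "apply_status": "apply_ok"},
    ]
    b1 = make_block("0" * 64, manager_body, nonce=7, timestamp=1700000000)
    b2 = make_block(block_hash(b1), device_body, nonce=11, timestamp=1700000060)
    return [b1, b2]


def tamper_check():
    """Return (valid before, valid after) rewriting one application status record."""
    chain = sample_chain()
    before = verify_chain(chain)
    chain[1]["body"][1]["apply_status"] = "apply_failed"
    return before, verify_chain(chain)


if __name__ == "__main__":
    print("sample chain valid:", verify_chain(sample_chain()))
    print("before/after tamper:", tamper_check())
```

Because the header hash commits to the Merkle root and the next header commits to that hash, changing any single record invalidates every later block as well, which is the property that makes the recorded screening, delivery and application statuses usable as an audit trail of how a piece of intelligence was applied.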
FIG. 5 is a schematic structural diagram of a first node serving as the operation manager according to an embodiment of the present disclosure. As shown in FIG. 5, the first node comprises three main parts: an underlying blockchain module 201, a smart contract layer module 202 and an application layer module 203. Of these:
The underlying blockchain module 201 is configured to execute the blockchain technology, including the consensus algorithm and block generation, and provides the blockchain support and implementation for all nodes of the threat intelligence application. For more specific details of the blockchain implementation, refer to the related art; they are not repeated here.
The smart contract layer module 202 is configured to implement the smart contracts of the threat intelligence application. It comprises three sub-modules: an automatic screening sub-module 2021 that runs the first smart contract, an automatic delivery sub-module 2022 that runs the second smart contract, and a linked application and remediation sub-module 2023 that runs the third smart contract. The module supports deployment, execution and querying of the smart contracts.
The automatic screening sub-module 2021 is configured to run the first smart contract to automatically screen out a second node, the second node being an operated device to which the threat intelligence information needs to be delivered, and to write the automatic screening status information output by the first smart contract, together with the information of the second node, into the blockchain.
The automatic delivery sub-module 2022 is configured to run the second smart contract to automatically deliver the threat intelligence information to the second node, and to write the delivery status information output by the second smart contract into the blockchain based on the consensus mechanism.
The linked application and remediation sub-module 2023 is configured to run the third smart contract and to write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, the threat intelligence application status information being the information obtained by the second node after it has run the third smart contract to perform the remediation operation.
The application layer module 203 is configured to apply the threat intelligence in the blockchain. It comprises one sub-module, the blockchain-based threat intelligence application sub-module 2031, which obtains the threat intelligence information so that the threat intelligence in the blockchain can be applied and remediated in a linked manner.
Specifically, the automatic screening sub-module 2021 is further configured to determine the device classification of the operated devices, obtain the threat intelligence information from the blockchain and determine a first intelligence type of that threat intelligence information; and, according to a preset correspondence between intelligence types and device classifications, to determine the first device classification corresponding to the threat intelligence information and the nodes under that first device classification, thereby obtaining the second node, and to output automatic screening status information indicating whether the device screening succeeded.
Here, the intelligence type comprises at least one of: IP type, domain name type, URL type, event type, vulnerability type and file MD5 type. The device classification comprises a device type and/or a device level. The device type is obtained by dividing devices according to at least one of the application type, protocol type, operating system type, category of operated data, type of running software and hardware type carried by the device; the device level may be obtained by dividing devices according to the level of the function or service they perform.
The automatic delivery sub-module 2022 is further configured to, when the automatic screening status information in the blockchain indicates that the device screening succeeded, deliver the threat intelligence information in the blockchain to the second node and obtain delivery status information indicating whether the intelligence delivery succeeded.
Here, the threat intelligence application status information indicates whether remediation based on the threat intelligence information was performed successfully.
Here, the block structure of the blockchain agreed upon by consensus at the first node comprises a block header and a block body, the block header comprising the hash of the previous block, the Merkle root, a nonce and a timestamp. After the threat intelligence application status information of the second node has been written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain contains the following information: the threat intelligence information to be delivered, as obtained by the first node; the automatic screening status information output by the first smart contract, together with the information of the second node; the delivery status information output by the second smart contract; and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the remediation operation.
FIG. 6 is a schematic structural diagram of a second node, that is, an operated device that consumes the threat intelligence, according to an embodiment of the present disclosure. As shown in FIG. 6, the second node comprises three main parts: an underlying blockchain module 301, a smart contract layer module 302 and an application layer module 303. Of these:
The underlying blockchain module 301 is configured to execute the blockchain technology, including the consensus algorithm and block generation, and provides the blockchain support and implementation for all nodes of the threat intelligence application. For more specific details of the blockchain implementation, refer to the related art; they are not repeated here.
The smart contract layer module 302 is configured to implement the smart contracts of the threat intelligence application. It comprises a linked application and remediation sub-module 3023 that runs the third smart contract, and supports deployment, execution and querying of the smart contracts. The linked application and remediation sub-module 3023 is configured to run the third smart contract, perform the remediation operation corresponding to the threat intelligence information, obtain the threat intelligence application status information output by the third smart contract, and write that status information into the blockchain based on the consensus mechanism.
The application layer module 303 is configured to apply the threat intelligence in the blockchain. It comprises one sub-module, the blockchain-based threat intelligence application sub-module 3031, which obtains the threat intelligence information delivered by the first node so that the threat intelligence in the blockchain can be applied and remediated in a linked manner.
Here, the linked application and remediation sub-module is further configured to determine and perform the remediation operation corresponding to the threat intelligence information according to a preset correspondence between different threat intelligence (or intelligence types) and remediation operations, obtaining threat intelligence application status information that indicates whether the remediation operation based on the threat intelligence information succeeded.
Here, at the second node, the block structure of the blockchain comprises a block header and a block body, the block header comprising the hash of the previous block, the Merkle root, a nonce and a timestamp. After the threat intelligence application status information has been written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain contains the following information: the threat intelligence information delivered by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the remediation operation.
The blockchain-based threat intelligence application method of the embodiment of the present disclosure is described next.
Referring to FIG. 7, the threat intelligence application method provided by the embodiment of the present disclosure, when applied at a first node serving as the operation manager, comprises:
Step 71: obtain threat intelligence information.
Step 72: run the first smart contract to automatically screen out a second node, the second node being an operated device to which the threat intelligence information needs to be delivered.
Here, the first smart contract of the blockchain-based threat intelligence application, which performs automatic screening of operated devices, is run, and the second node, an operated device to which the threat intelligence information needs to be delivered, is screened out.
Step 73: based on the consensus mechanism, write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain.
Step 74: run the second smart contract to automatically deliver the threat intelligence information to the second node, and, based on the consensus mechanism, write the delivery status information output by the second smart contract into the blockchain.
Here, the second smart contract of the blockchain-based threat intelligence application, which performs automatic delivery, is run; the threat intelligence information is delivered to the second node, and the delivery status information output by the second smart contract is committed to the blockchain by consensus.
Step 75: run the third smart contract and, based on the consensus mechanism, write the threat intelligence application status information of the second node into the blockchain, the threat intelligence application status information being the information obtained by the second node after running the third smart contract to perform the remediation operation.
Through the above steps, the embodiment of the present disclosure uses blockchain technology and its smart contracts to achieve automated delivery and linked application of threat intelligence, which can improve the efficiency of network security protection.
Here, running the first smart contract to automatically screen out the second node may specifically comprise:
determining the device classification of the operated devices, obtaining the threat intelligence information from the blockchain and determining a first intelligence type of the threat intelligence information; and
according to a preset correspondence between intelligence types and device classifications, determining the first device classification corresponding to the threat intelligence information and the nodes under that first device classification, thereby obtaining the second node, and outputting automatic screening status information indicating whether the device screening succeeded.
Specifically, the intelligence type comprises at least one of: IP type, domain name type, URL type, event type, vulnerability type and file MD5 type.
The device classification comprises a device type and/or a device level, where the device type is obtained by dividing devices according to at least one of the application type, protocol type, operating system type, category of operated data, type of running software and hardware type carried by the device, and the device level is obtained by dividing devices according to the level of the function or service they perform.
Here, running the second smart contract to automatically deliver the threat intelligence information to the second node may specifically comprise: when the automatic screening status information in the blockchain indicates that the device screening succeeded, delivering the threat intelligence information in the blockchain to the second node and obtaining delivery status information indicating whether the intelligence delivery succeeded.
Here, the threat intelligence application status information specifically indicates whether remediation based on the threat intelligence information was performed successfully.
Here, on the first node side, the block structure of the blockchain comprises a block header and a block body, the block header comprising the hash of the previous block, the Merkle root, a nonce and a timestamp. After the threat intelligence application status information of the second node has been written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain contains the following information: the threat intelligence information to be delivered, as obtained by the first node; the automatic screening status information output by the first smart contract, together with the information of the second node; the delivery status information output by the second smart contract; and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the remediation operation.
Referring to FIG. 8, the threat intelligence application method provided by the embodiment of the present disclosure, when applied at a second node serving as an operated device, comprises:
Step 81: obtain the threat intelligence information delivered by the first node.
Here, the second node obtains the threat intelligence information delivered by the first node, which serves as the operation manager.
Step 82: run the third smart contract, perform the remediation operation corresponding to the threat intelligence information, and obtain the threat intelligence application status information output by the third smart contract.
Step 83: based on the consensus mechanism, write the threat intelligence application status information into the blockchain.
Through the above steps, the embodiment of the present disclosure uses blockchain technology and its smart contracts to achieve automated delivery and linked application of threat intelligence, improving the efficiency of network security protection.
Here, on the second node side, running the third smart contract to perform the remediation operation corresponding to the threat intelligence information may specifically comprise: according to a preset correspondence between different threat intelligence (or intelligence types) and remediation operations, determining and performing the remediation operation corresponding to the threat intelligence information, and obtaining threat intelligence application status information that indicates whether the remediation operation based on the threat intelligence information succeeded.
Here, on the second node side, the block structure of the blockchain comprises a block header and a block body, the block header comprising the hash of the previous block, the Merkle root, a nonce and a timestamp. After the threat intelligence application status information has been written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain contains the following information: the threat intelligence information delivered by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the remediation operation.
FIG. 9 further shows the interaction flow of the blockchain-based threat intelligence application method according to the embodiment of the present disclosure. As shown in FIG. 9, the flow comprises the following steps:
Step 901: the operation manager obtains the latest threat intelligence information and passes it to step 902.
Step 902: the first smart contract runs and screens out the devices or systems to which the intelligence needs to be delivered; that is, it receives the output of step 901 and executes the smart contract to perform automatic screening of the operated devices.
Step 903: the automatic screening status information of the operated devices is fed back; that is, the output of step 902 is received and the automatic screening status information of the operated devices is reported.
Step 904: the automatic screening status information of the operated devices is committed to the blockchain by consensus; that is, the output of step 903 is received and the automatic screening status information of the operated devices is written into the blockchain according to the consensus mechanism of the blockchain.
Step 905: the second smart contract runs and delivers the intelligence to the screened devices or systems; that is, the output of step 904 is received and the smart contract is executed to deliver the threat intelligence information to the corresponding operated devices.
Step 906: the delivery status information of the operated devices is fed back; that is, the output of step 905 is received and the delivery status information of the operated devices is reported.
Step 907: the delivery status information of the operated devices is committed to the blockchain by consensus; that is, the output of step 906 is received and the delivery status information of the operated devices is written into the blockchain according to the consensus mechanism of the blockchain.
Step 908: the third smart contract runs and performs the corresponding linked application and remediation; that is, the output of step 907 is received and the linked application and remediation corresponding to the threat intelligence is performed.
Step 909: the latest threat intelligence application status information is fed back; that is, the output of step 908 is received and the latest threat intelligence application status information is reported.
Step 910: the threat intelligence application status information is committed to the blockchain by consensus; that is, the output of step 909 is received and the threat intelligence application status information is written into the blockchain according to the consensus mechanism of the blockchain.
From the above, the embodiments of the present disclosure have at least the following advantages:
1. The blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure resolve the situation in which threat intelligence is held in isolation and the various systems lack coordination and find it hard to work together efficiently.
2. The blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure resolve the problem that the systems involved require substantial manual intervention and cannot achieve automated delivery and linked application.
3. The blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can apply and remediate the latest and most valuable threat intelligence obtained or analysed in a timely, effective and linked manner, improving the effect of threat intelligence application, and can track how the threat intelligence has been applied.
4. The blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can promote the continuous and effective operation of the closed-loop threat intelligence ecosystem.
5. The blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure have a certain commercial application and promotion value.
The principles of the smart contracts of the blockchain-based threat intelligence application of the embodiment of the present disclosure are shown in FIG. 10. Specifically:
After a smart contract has been signed by all parties, it is attached to the blockchain data in the form of program code, propagated over the peer-to-peer network, verified by the nodes and recorded in a specific block of the blockchain. A smart contract encapsulates a number of predefined states and transition rules, the scenarios that trigger its execution (such as a specific time being reached, a specific event occurring, or a specific threat intelligence type arriving) and the response actions for those scenarios (execution of a specific action or of a specific response). The blockchain monitors the state of the smart contracts in real time and activates and executes a contract after checking the data sources and confirming that its trigger condition is met. The principle of each smart contract is described below from the first node side.
First smart contract: its preset trigger condition is the obtained threat intelligence information, and its preset response rule states which devices a given type of threat intelligence information corresponds to. That is, the condition is the threat intelligence type or the specific threat intelligence information, and the response is the operated device or set of operated devices corresponding to that threat intelligence.
Specifically, the logical framework of the first smart contract is as follows.
The input of the first smart contract is data on the blockchain, namely the threat intelligence information, i.e. the latest threat intelligence information on the blockchain.
The internal logic and operation of the first smart contract proceed as follows:
1. First, in the first smart contract, the operated devices are classified and graded. The classification and grading criteria may be based on the application type, protocol type, operating system type, category of operated data, type of running software, hardware type, etc. carried by the system or device; no specific limitation is imposed here. For example, simple classification rules may be used, such as dividing directly by the simplest criterion, the type of software and hardware carried; or, more elaborately, dividing by software and hardware type while also grading by service or function into level one, level two, level three and so on. For example, the operated devices may be divided into an operating system class, a protocol class, a router class, a switch class, DNS servers, IDS, IPS, firewalls, etc.
2. In the first smart contract, the type of newly received intelligence is classified. Intelligence is classified directly according to the type it belongs to: IP class, domain name class, URL class, event class, vulnerability class, file MD5 class, etc.
3. In the first smart contract, a different type of response is set for each type of intelligence. Specifically, the operated device or set of operated devices corresponding to the obtained intelligence type is determined. From the intelligence type, the smart contract derives the device or system type affected by that intelligence type (for example operating system class, protocol class, router class, switch class, DNS server, IDS, IPS, firewall, etc.), then maps the operated devices onto the device or system type so derived, and finally obtains the corresponding operated device or set of operated devices. For example, for malicious URL intelligence the set of operated devices is gateways, IDS or IPS; for malicious domain intelligence the operated device is the DNS server; for malicious IP intelligence the set of operated devices is firewalls, IDS or IPS; for vulnerability intelligence the set of operated devices is the various network devices, or the affected assets and network elements detected by a scanner, and so on. In this way the affected operated devices are automatically screened out by the smart contract, which lays the foundation for converting blanket, centralised instruction execution into targeted, distributed instruction execution.
The output of the first smart contract is the status of the automatic screening of operated devices, together with the automatically screened operated device or set of operated devices, which is output to the blockchain.
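The screening logic of steps 1 to 3 above (the same logic behind step 72 and step 902), as an added example in Python that is not part of the patent: operated devices are classified by type and graded by level, intelligence is classified directly by the field it carries, and a preset type-to-class table yields the second nodes together with the screening status the contract writes to the chain. The device inventory, the level threshold and the table rows for event and file MD5 intelligence are this example's assumptions; the other rows follow the examples in the text.

```python
"""Added example (not the patent's code): first smart contract, automatic
screening of operated devices for a piece of threat intelligence."""
from dataclasses import dataclass

# Preset correspondence: intelligence type -> device classes that must receive it.
# url/domain/ip/vulnerability rows follow the text; event and file_md5 rows are assumed.
TI_TYPE_TO_DEVICE_CLASSES = {
    "url":           {"gateway", "ids", "ips"},
    "domain":        {"dns_server"},
    "ip":            {"firewall", "ids", "ips"},
    "vulnerability": {"os", "router", "switch"},
    "event":         {"ids", "ips"},
    "file_md5":      {"gateway", "ids", "ips"},
}

# Intelligence is classified directly by the field it carries (checked in this order).
TI_FIELD_TO_TYPE = (("url", "url"), ("domain", "domain"), ("ip", "ip"),
                    ("vuln_id", "vulnerability"), ("md5", "file_md5"), ("event", "event"))


@dataclass(frozen=True)
class Device:
    node_id: str
    device_type: str                    # classification by software/hardware carried
    level: int                          # grading by service importance, 1 = highest
    products: frozenset = frozenset()   # software the device runs, used for vulnerability TI


def classify_ti(ti: dict) -> str:
    for fld, ti_type in TI_FIELD_TO_TYPE:
        if fld in ti:
            return ti_type
    raise ValueError("unknown intelligence type")


def screen_devices(ti: dict, inventory: list, max_level: int = 3) -> dict:
    """Map the intelligence type to device classes, select the matching inventory
    nodes (the second nodes) and return them with the screening status."""
    ti_type = classify_ti(ti)
    wanted = TI_TYPE_TO_DEVICE_CLASSES[ti_type]
    selected = []
    for dev in inventory:
        if dev.device_type not in wanted or dev.level > max_level:
            continue
        # Vulnerability intelligence only targets assets that run the affected product.
        if ti_type == "vulnerability" and ti.get("product") not in dev.products:
            continue
        selected.append(dev.node_id)
    return {"ti_type": ti_type, "selected": sorted(selected),
            "screen_status": "success" if selected else "no_target"}


# Constructed inventory of operated devices (not real assets); product names are made up.
INVENTORY = [
    Device("fw-01", "firewall", 1),
    Device("ids-01", "ids", 2),
    Device("dns-01", "dns_server", 1),
    Device("gw-01", "gateway", 2),
    Device("rtr-01", "router", 1, frozenset({"vendor-router-os-7.1"})),
    Device("rtr-02", "router", 3, frozenset({"vendor-router-os-7.4"})),
]

if __name__ == "__main__":
    for ti in ({"ip": "203.0.113.7"},
               {"domain": "bad.example"},
               {"vuln_id": "vuln-example-1", "product": "vendor-router-os-7.1"}):
        print(ti, "->", screen_devices(ti, INVENTORY))
```

The "no_target" status is worth keeping distinct from a failure: the text has the second contract deliver only when screening succeeded, so intelligence that matches no device should stop here rather than be pushed to everything.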
Second smart contract: its preset trigger condition is the screened operated devices, and its preset response is delivery of the corresponding threat intelligence. That is, the condition is which operated device or class of operated devices is concerned, and the response is the threat intelligence information.
Specifically, the logical framework of the second smart contract is as follows.
The input of the second smart contract is data on the blockchain, namely the screened operated devices.
The internal logic of the second smart contract is as follows: in the smart contract, the latest threat intelligence information on the blockchain is obtained for each of the screened operated devices.
The output of the second smart contract is the delivery status of the operated devices, which is output to the blockchain.
For the third smart contract, the preset trigger condition is the delivered threat intelligence information, and the preset response rule specifies which repair operations and linked response applications are carried out for a given type of threat intelligence. That is, the condition is the threat intelligence type or a specific item of threat intelligence, and the response is the linked response application and repair operation that correspond to that threat intelligence.
Specifically, the method logic framework of the third smart contract proceeds as follows.
The input of the third smart contract is data on the blockchain, namely the threat intelligence information, that is, the latest threat intelligence information on the blockchain.
The internal logic of the third smart contract is as follows:
1. First, in the smart contract, the operated devices are classified and graded. The specific classification and grading criteria may be based on the application type, protocol type, operating system type, category of data operated, type of software run, hardware type, and so on, carried by the system or device. For example, operated devices may be divided into operating-system class, protocol class, router class, switch class, DNS servers, IDS, IPS, firewalls, etc.
2. In the third smart contract, the type of newly received intelligence is classified. The classification method for the intelligence type is direct classification according to the type the intelligence belongs to, dividing it into IP class, domain name class, URL class, event class, vulnerability class, file MD5 class, etc.
3. In the third smart contract, different types of responses are configured for different types of intelligence information. Specifically, the response is configured as the linked response application and repair operation corresponding to that threat intelligence information. Based on the intelligence obtained, the response may act on network elements, security devices, early-warning centers, and so on. The smart contract can generate new security policies from the intelligence and then deploy these new policies to network elements and security devices. If necessary, it can also update software versions and modify the configuration of network elements and security devices. Thus, following the intelligence classification of step 2 above, with the intelligence type as the condition mapped to a response measure, the response action is triggered; the execution of the response action ultimately maps to the affected device or system type, on which the actual response operation is performed, while devices or types that are not affected have no corresponding actual response operation during execution of the smart contract. The response operations are described in detail in the following examples.
For example, malicious-URL intelligence can be applied to a gateway, which then updates its security policy by adding the malicious URL to a blacklist; it can also be applied to an IDS or IPS by updating the protection rules for the corresponding URL. Malicious-domain intelligence can be applied to a DNS server, which updates its configuration by blacklisting the malicious domain. Malicious-IP intelligence can be applied to a firewall, which updates its security policy by filtering the malicious IP; by updating the protection rules for the corresponding IP, this kind of intelligence can also be applied to an IDS or IPS. Vulnerability intelligence can be applied to all kinds of network devices, and each network element can fix the vulnerability by updating software or hardware; at the same time, it can be used to build detection plug-ins that are then pushed to scanners to detect affected assets, network elements, and so on. In this way, the linked response application and repair corresponding to the threat intelligence is realized.
The output of the third smart contract is the threat intelligence application status information, which is written to the blockchain.
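The following is an added example, not code from the patent or its applicant, modelling the third smart contract's three steps above in Python: device classes and intelligence types as listed in the text, a response table that maps an intelligence type to the device classes it affects and the action each takes, and an application-status result in which unaffected device classes receive no action. The device inventory, the indicator values, the action names and the function names are constructed for the example; the `classify_indicator` heuristic that infers a type from an unlabelled indicator's syntax is an assumption standing in for the "direct classification by type" the text describes.

```python
"""Added example (not from the patent): a model of the third smart contract's
logic: classify the intelligence, map its type to the device classes and
response actions the text lists, and return application status information.
Device inventory, indicator values and function names are constructed here."""
import ipaddress
import re
from dataclasses import dataclass, field

# Intelligence types named in step 2 of the text.
INTEL_TYPES = {"ip", "domain", "url", "event", "vulnerability", "file_md5"}

# Response rules from step 3: intelligence type -> (device class -> action).
# Device classes not listed for a type get no action (they are unaffected).
RESPONSE_RULES = {
    "url": {"gateway": "blacklist_url", "ids": "add_url_rule", "ips": "add_url_rule"},
    "domain": {"dns_server": "blacklist_domain"},
    "ip": {"firewall": "filter_ip", "ids": "add_ip_rule", "ips": "add_ip_rule"},
    "vulnerability": {"router": "update_software", "switch": "update_software",
                      "operating_system": "update_software",
                      "scanner": "install_detection_plugin"},
}


@dataclass
class Device:
    """One operated device from the (constructed) inventory, with a log of
    the actions the contract executed on it."""
    name: str
    dev_class: str
    applied: list = field(default_factory=list)


def classify_indicator(value: str) -> str:
    """Assumption: infer the intelligence type from the indicator's syntax when
    the feed does not label it.  The patent classifies 'directly by type';
    this heuristic merely stands in for that label."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "file_md5"
    if re.fullmatch(r"CVE-\d{4}-\d{4,}", value, re.IGNORECASE):
        return "vulnerability"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.IGNORECASE):
        return "url"
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", value, re.IGNORECASE):
        return "domain"
    return "event"  # anything else is treated as event-class intelligence


def apply_intelligence(intel: dict, devices: list) -> dict:
    """Run the response rule for one intelligence item over the device list
    and return the 'threat intelligence application status information'."""
    intel_type = intel.get("type") or classify_indicator(intel["value"])
    if intel_type not in INTEL_TYPES:
        return {"intel": intel["value"], "type": intel_type,
                "success": False, "actions": []}
    rule = RESPONSE_RULES.get(intel_type, {})
    actions = []
    for dev in devices:
        action = rule.get(dev.dev_class)
        if action is None:
            continue  # unaffected device class: no actual response operation
        dev.applied.append((action, intel["value"]))
        actions.append({"device": dev.name, "action": action})
    # Success means at least one affected device carried out its repair.
    return {"intel": intel["value"], "type": intel_type,
            "success": len(actions) > 0, "actions": actions}


if __name__ == "__main__":
    inventory = [Device("fw1", "firewall"), Device("dns1", "dns_server"),
                 Device("ids1", "ids")]
    # Constructed indicator in the documentation address range, not a real IoC.
    print(apply_intelligence({"value": "203.0.113.7"}, inventory))
```

Because the rule table is keyed first by intelligence type and then by device class, a type with no entry (file MD5 and event class here) yields a status with `success` false rather than a blanket action on every device, which is the "unaffected devices get no response" property step 3 insists on.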
Referring to FIG. 11, an embodiment of the present disclosure provides a schematic structural diagram of a first node 1100, which includes a processor 1101, a transceiver 1102, a memory 1103, and a bus interface, wherein:
In this embodiment of the present disclosure, the first node 1100 further includes a program stored in the memory 1103 and executable on the processor 1101, which, when executed by the processor 1101, implements the following steps:
obtaining threat intelligence information;
running a first smart contract to automatically screen out a second node, the second node being an operated device to which the threat intelligence information needs to be delivered;
writing, based on a consensus mechanism, the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
running a second smart contract to automatically deliver the threat intelligence information to the second node, and writing, based on the consensus mechanism, the delivery status information output by the second smart contract into the blockchain;
running a third smart contract and writing, based on the consensus mechanism, the threat intelligence application status information of the second node into the blockchain, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform a repair operation.
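As an added example that is not part of the patent, the four program steps above are modelled end to end in Python on a single node: the first contract screens second nodes by the preset intelligence-type-to-device-class correspondence of claim 2, the second contract delivers only when screening succeeded as in claim 4, and each contract's status is appended as a block to a hash-chained ledger, so that together the blocks carry the items claim 6 lists. The multi-node consensus mechanism is out of scope and is replaced by a local append (an assumption); the inventory, the mapping table, the repair results reported by second nodes and all function names are constructed for the example.

```python
"""Added example (not from the patent): a single-node model of the first
node's flow.  Three contracts run in turn and each writes its status to a
hash-chained ledger.  Consensus among nodes is replaced by a local append;
the inventory, the type-to-class mapping and all names are constructed."""
import hashlib
import json

# Claim 2: preset correspondence between intelligence types and device classes.
TYPE_TO_DEVICE_CLASSES = {
    "ip": {"firewall", "ids", "ips"},
    "domain": {"dns_server"},
    "url": {"gateway", "ids", "ips"},
    "vulnerability": {"router", "switch", "operating_system"},
}


class Ledger:
    """Minimal append-only chain: each block commits to the previous hash."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(header: dict) -> str:
        return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()

    def append(self, body: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        header = {"index": len(self.blocks), "prev_hash": prev, "body": body}
        block = {**header, "hash": self._digest(header)}
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every hash and check the prev_hash links; any edit to an
        earlier block body breaks the chain from that block onward."""
        prev = "0" * 64
        for i, b in enumerate(self.blocks):
            header = {"index": i, "prev_hash": b["prev_hash"], "body": b["body"]}
            if b["index"] != i or b["prev_hash"] != prev:
                return False
            if self._digest(header) != b["hash"]:
                return False
            prev = b["hash"]
        return True


def first_contract_screen(intel: dict, inventory: dict) -> tuple:
    """Contract 1: select the second nodes whose class matches the intel type.
    Returns (automatic screening status, list of second-node names)."""
    classes = TYPE_TO_DEVICE_CLASSES.get(intel["type"], set())
    nodes = sorted(n for n, cls in inventory.items() if cls in classes)
    return {"screen_success": bool(nodes)}, nodes


def second_contract_deliver(screen_status: dict, intel: dict,
                            nodes: list, delivered: dict) -> dict:
    """Contract 2 (claim 4): deliver only when screening succeeded."""
    if not screen_status["screen_success"]:
        return {"delivery_success": False}
    for n in nodes:
        delivered.setdefault(n, []).append(intel)
    return {"delivery_success": True}


def run_first_node(intel: dict, inventory: dict, ledger: Ledger,
                   repair_results: dict) -> dict:
    """The whole flow of the four steps.  repair_results stands in for what
    each second node reports after running contract 3 (True = repaired)."""
    screen_status, nodes = first_contract_screen(intel, inventory)
    ledger.append({"intel": intel, "screen_status": screen_status, "nodes": nodes})
    delivered = {}
    delivery_status = second_contract_deliver(screen_status, intel, nodes, delivered)
    ledger.append({"delivery_status": delivery_status,
                   "delivered_to": sorted(delivered)})
    # Contract 3's output for each screened node: application status.
    application_status = {n: bool(repair_results.get(n, False)) for n in nodes}
    return ledger.append({"application_status": application_status})


if __name__ == "__main__":
    inv = {"fw1": "firewall", "dns1": "dns_server", "ids1": "ids"}  # constructed
    led = Ledger()
    run_first_node({"type": "ip", "value": "203.0.113.7"}, inv, led,
                   {"fw1": True, "ids1": False})
    for b in led.blocks:
        print(b["index"], b["hash"][:12], b["body"])
    print("chain valid:", led.verify())
```

The property worth noticing is in `verify`: the per-node application status is only as trustworthy as the chain that records it, and a status block whose predecessor has been altered no longer verifies, which is the audit value the text attributes to writing each contract's output to the blockchain.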
It will be understood that, in this embodiment of the present disclosure, when the computer program is executed by the processor 1101, each process of the embodiment of the threat intelligence application method shown in FIG. 7 above can be implemented and the same technical effect achieved; to avoid repetition, this is not described again here.
In FIG. 11, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits, specifically one or more processors represented by the processor 1101 and memory represented by the memory 1103. The bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 1102 may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium.
The processor 1101 is responsible for managing the bus architecture and general processing, and the memory 1103 may store data used by the processor 1101 when performing operations.
It should be noted that the terminal in this embodiment is the node corresponding to the method shown in FIG. 7 above; the implementations in the embodiments above all apply to the embodiment of this node and achieve the same technical effect. In this terminal, the transceiver 1102 and the memory 1103, as well as the transceiver 1102 and the processor 1101, may be communicatively connected through the bus interface; the functions of the processor 1101 may also be implemented by the transceiver 1102, and the functions of the transceiver 1102 may also be implemented by the processor 1101. It should be noted here that the first node provided by the embodiments of the present disclosure can implement all the method steps implemented by the method embodiments above and achieve the same technical effect, so the parts of this embodiment that are the same as the method embodiments, and their beneficial effects, are not described again in detail here.
Some embodiments of the present disclosure further provide a computer-readable storage medium storing a program which, when executed by a processor, implements the following steps:
obtaining threat intelligence information;
running a first smart contract to automatically screen out a second node, the second node being an operated device to which the threat intelligence information needs to be delivered;
writing, based on a consensus mechanism, the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
running a second smart contract to automatically deliver the threat intelligence information to the second node, and writing, based on the consensus mechanism, the delivery status information output by the second smart contract into the blockchain;
running a third smart contract and writing, based on the consensus mechanism, the threat intelligence application status information of the second node into the blockchain, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform a repair operation.
When executed by a processor, the program can realize all the implementations of the threat intelligence application method applied to the first node described above and achieve the same technical effect; to avoid repetition, this is not described again here.
Referring to FIG. 12, an embodiment of the present disclosure provides a schematic structural diagram of a second node 1200, which includes a processor 1201, a transceiver 1202, a memory 1203, and a bus interface, wherein:
In this embodiment of the present disclosure, the second node 1200 further includes a program stored in the memory 1203 and executable on the processor 1201, which, when executed by the processor 1201, implements the following steps:
obtaining threat intelligence information delivered by a first node;
running a third smart contract to perform a repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
writing, based on a consensus mechanism, the threat intelligence application status information into the blockchain.
It will be understood that, in this embodiment of the present disclosure, when the computer program is executed by the processor 1201, each process of the embodiment of the threat intelligence application method shown in FIG. 8 above can be implemented and the same technical effect achieved; to avoid repetition, this is not described again here.
In FIG. 12, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits, specifically one or more processors represented by the processor 1201 and memory represented by the memory 1203. The bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 1202 may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium.
The processor 1201 is responsible for managing the bus architecture and general processing, and the memory 1203 may store data used by the processor 1201 when performing operations.
It should be noted that the terminal in this embodiment is the node corresponding to the method shown in FIG. 8 above; the implementations in the embodiments above all apply to the embodiment of this node and achieve the same technical effect. In this terminal, the transceiver 1202 and the memory 1203, as well as the transceiver 1202 and the processor 1201, may be communicatively connected through the bus interface; the functions of the processor 1201 may also be implemented by the transceiver 1202, and the functions of the transceiver 1202 may also be implemented by the processor 1201. It should be noted here that the second node provided by the embodiments of the present disclosure can implement all the method steps implemented by the method embodiments above and achieve the same technical effect, so the parts of this embodiment that are the same as the method embodiments, and their beneficial effects, are not described again in detail here.
Some embodiments of the present disclosure further provide a computer-readable storage medium storing a program which, when executed by a processor, implements the following steps:
obtaining threat intelligence information delivered by a first node;
running a third smart contract to perform a repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
writing, based on a consensus mechanism, the threat intelligence application status information into the blockchain.
When executed by a processor, the program can realize all the implementations of the threat intelligence application method applied to the second node described above and achieve the same technical effect; to avoid repetition, this is not described again here.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present disclosure.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses, and units described above may refer to the corresponding processes in the method embodiments above and are not described again here.
In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present disclosure.
In addition, the functional units in the embodiments of the present disclosure may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present disclosure in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present disclosure. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disc.
It will be understood that the embodiments described in the embodiments of the present disclosure may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, the modules, units, sub-modules, sub-units, and so on may be implemented in one or more Application Specific Integrated Circuits (ASIC), Digital Signal Processors (DSP), Digital Signal Processing Devices (DSPD), Programmable Logic Devices (PLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions described in the present disclosure, or combinations thereof.
The foregoing are merely specific embodiments of the present disclosure, but the protection scope of the present disclosure is not limited thereto. Any variation or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in the present disclosure shall fall within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (21)

  1. A threat intelligence application method, applied to a first node, comprising:
    obtaining threat intelligence information;
    running a first smart contract to automatically screen out a second node, the second node being an operated device to which the threat intelligence information needs to be delivered;
    writing, based on a consensus mechanism, the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
    running a second smart contract to automatically deliver the threat intelligence information to the second node, and writing, based on the consensus mechanism, the delivery status information output by the second smart contract into the blockchain;
    running a third smart contract and writing, based on the consensus mechanism, the threat intelligence application status information of the second node into the blockchain, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform a repair operation.
  2. The method according to claim 1, wherein running the first smart contract to automatically screen out the second node comprises:
    determining a device classification of operated devices, obtaining threat intelligence information from the blockchain, and determining a first intelligence type of the threat intelligence information;
    determining, according to a preset correspondence between different intelligence types and device classifications, a first device classification corresponding to the threat intelligence information and the nodes under the first device classification, thereby obtaining the second node, and outputting automatic screening status information indicating whether the device screening succeeded.
  3. The method according to claim 2, wherein
    the intelligence type comprises at least one of the following types: IP class, domain name class, URL class, event class, vulnerability class, and file MD5 class;
    the device classification comprises a device type and/or a device level, wherein the device type is obtained by division according to at least one of the application type, protocol type, operating system type, category of data operated, type of software run, and hardware type carried by the device, and the device level is obtained by division according to the level of the function or service performed by the device.
  4. The method according to claim 1, wherein running the second smart contract to automatically deliver the threat intelligence information to the second node comprises:
    when the automatic screening status information in the blockchain indicates that device screening succeeded, delivering the threat intelligence information in the blockchain to the second node, and obtaining delivery status information indicating whether the intelligence delivery succeeded.
  5. The method according to claim 1, wherein
    the threat intelligence application status information is used to indicate whether a repair based on the threat intelligence information was performed successfully.
  6. The method according to claim 1, wherein, after the threat intelligence application status information of the second node is written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain comprises the following information:
    the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract together with the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  7. A threat intelligence application method, applied to a second node, comprising:
    obtaining threat intelligence information delivered by a first node;
    running a third smart contract to perform a repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
    writing, based on a consensus mechanism, the threat intelligence application status information into the blockchain.
  8. The method according to claim 7, wherein running the third smart contract to perform the repair operation corresponding to the threat intelligence information comprises:
    determining and performing, according to a preset correspondence between different threat intelligence items or intelligence types and repair operations, the repair operation corresponding to the threat intelligence information, and obtaining threat intelligence application status information indicating whether the repair operation based on the threat intelligence information was performed successfully.
  9. The method according to claim 7, wherein, after the threat intelligence application status information is written into the blockchain based on the consensus mechanism, the block body of a block of the blockchain comprises the following information:
    the threat intelligence information delivered by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  10. A first node, comprising an application layer module and a smart contract layer module, wherein the application layer module comprises a threat intelligence application sub-module, and the smart contract layer module comprises an automatic screening sub-module, an automatic delivery sub-module, and a linked application and repair sub-module;
    the threat intelligence application sub-module is configured to obtain threat intelligence information;
    the automatic screening sub-module is configured to run a first smart contract to automatically screen out a second node, the second node being an operated device to which the threat intelligence information needs to be delivered, and to write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
    the automatic delivery sub-module is configured to run a second smart contract to automatically deliver the threat intelligence information to the second node, and to write, based on a consensus mechanism, the delivery status information output by the second smart contract into the blockchain;
    the linked application and repair sub-module is configured to run a third smart contract and write, based on the consensus mechanism, the threat intelligence application status information of the second node into the blockchain, wherein the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform a repair operation.
  11. The first node according to claim 10, wherein
    the automatic screening sub-module is further configured to determine a device classification of operated devices, obtain threat intelligence information from the blockchain, and determine a first intelligence type of the threat intelligence information; and to determine, according to a preset correspondence between different intelligence types and device classifications, a first device classification corresponding to the threat intelligence information and the nodes under the first device classification, thereby obtaining the second node, and to output automatic screening status information indicating whether the device screening succeeded.
  12. The first node according to claim 11, wherein
    the intelligence type comprises at least one of the following types: IP class, domain name class, URL class, event class, vulnerability class, and file MD5 class;
    the device classification comprises a device type and/or a device level, wherein the device type is obtained by division according to at least one of the application type, protocol type, operating system type, category of data operated, type of software run, and hardware type carried by the device, and the device level is obtained by division according to the level of the function or service performed by the device.
  13. The first node according to claim 10, wherein
    the automatic delivery sub-module is further configured to, when the automatic screening status information in the blockchain indicates that device screening succeeded, deliver the threat intelligence information in the blockchain to the second node and obtain delivery status information indicating whether the intelligence delivery succeeded.
  14. The first node according to claim 10, wherein
    the threat intelligence application status information is used to indicate whether a repair based on the threat intelligence information was performed successfully.
  15. The first node according to claim 10, wherein, after the threat intelligence application status information of the second node is written into the blockchain based on the consensus mechanism, the block body of a block on the blockchain comprises the following information:
    the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract together with the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  16. A first node, comprising a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the threat intelligence application method according to any one of claims 1 to 6.
  17. 一种第二节点,包括:应用层模块和智能合约层模块,其中,所述应用层模块包括威胁情报应用子模块;所述智能合约层模块包括联动应用与修复子模块;A second node, comprising: an application layer module and a smart contract layer module, wherein the application layer module includes a threat intelligence application sub-module; the smart contract layer module includes a linkage application and repair sub-module;
    所述威胁情报应用子模块,用于获取第一节点下发的威胁情报信息;The threat intelligence application sub-module is used to obtain the threat intelligence information issued by the first node;
    所述联动应用与修复子模块,用于运行第三智能合约,执行所述威胁情报信息对应的修复操作,获得所述第三智能合约输出的威胁情报应用状态信息;基于共识机制,将所述威胁情报应用状态信息写入区块链中。The linked application and repair sub-module is used to run a third smart contract, perform a repair operation corresponding to the threat intelligence information, and obtain the threat intelligence application status information output by the third smart contract; based on a consensus mechanism, the Threat intelligence application state information is written to the blockchain.
  18. 如权利要求17所述的第二节点,其中,The second node of claim 17, wherein,
    所述联动应用与修复子模块还用于根据预设的不同威胁情报/情报类型与修复操作之间的对应关系,确定所述威胁情报信息对应的修复操作并执行,得到用于表示是否成功基于所述威胁情报信息进行了修复操作的威胁情报应用状态信息。The linkage application and repair sub-module is further configured to determine and execute the repair operation corresponding to the threat intelligence information according to the preset correspondence between different threat intelligence/intelligence types and repair operations, and obtain a value used to indicate whether the information is successfully based on the repair operation. The threat intelligence information is threat intelligence application state information on which a repair operation is performed.
  19. 如权利要求17所述的第二节点,其中,在基于共识机制,将所述威胁情报应用状态信息写入区块链中之后,区块链的区块中的区块体包括如下信息:The second node according to claim 17, wherein after the threat intelligence application state information is written into the blockchain based on a consensus mechanism, the block body in the block of the blockchain includes the following information:
    第一节点下发的威胁情报信息,以及,所述第二节点在运行第三智能合 约执行修复操作后得到的威胁情报应用状态信息。The threat intelligence information issued by the first node, and the threat intelligence application state information obtained by the second node after running the third smart contract to perform the repair operation.
  20. 一种第二节点,包括:处理器、存储器及存储在所述存储器上并可在所述处理器上运行的程序,所述程序被所述处理器执行时实现如权利要求7至9任一项所述的威胁情报的应用方法的步骤。A second node, comprising: a processor, a memory, and a program stored on the memory and executable on the processor, the program being executed by the processor to implement any one of claims 7 to 9 The steps of the application method of threat intelligence described in item.
  21. 一种计算机可读存储介质,其中,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现如权利要求1至9任一项所述的威胁情报的应用方法的步骤。A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the application method of threat intelligence according to any one of claims 1 to 9 is implemented A step of.
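The pipeline that claims 10 to 19 describe (first contract screens devices by intelligence type, second contract dispatches only on a successful screening status, third contract runs the repair at the second node, and the resulting status fields are recorded in the block body) can be simulated end to end. The following Python is an added illustration written for this page, not code from the patent or its applicants; the type-to-device-class and type-to-repair tables, the node fleet, the per-node capability sets and the sample indicator values are all constructed, and the hash-chained ledger stands in for the consensus-backed blockchain that the claims assume.

```python
# Added illustration of the claim 10 to 19 pipeline (not the patent's code): screen
# devices by intelligence type, dispatch, repair at the second node, and record the
# claim 15 status fields in a hash-chained block body. All mappings are constructed.
import hashlib
import json
from dataclasses import dataclass, field

# Constructed intelligence type -> device classification table (claim 11 only says one exists).
TYPE_TO_DEVICE_CLASS = {
    "ip": {"firewall", "router"},
    "domain": {"dns_resolver", "proxy"},
    "url": {"proxy", "waf"},
    "event": {"siem"},
    "vulnerability": {"web_server", "database"},
    "file_md5": {"endpoint", "mail_gateway"},
}
# Constructed intelligence type -> repair operation table (claim 18).
TYPE_TO_REPAIR = {
    "ip": "block_ip", "domain": "sinkhole_domain", "url": "block_url",
    "event": "raise_alert", "vulnerability": "apply_patch", "file_md5": "quarantine_hash",
}
GENESIS_HASH = "0" * 64

@dataclass
class Node:
    node_id: str
    device_class: str      # device type (claim 12)
    device_level: int      # device level (claim 12)
    capabilities: set      # constructed: repair actions this device can perform
    applied: list = field(default_factory=list)

def screen_nodes(intel, nodes):
    """First smart contract: map the intelligence type to device classes, pick the second nodes."""
    classes = TYPE_TO_DEVICE_CLASS.get(intel["type"])
    if classes is None:
        return "screen_failed", []
    selected = [n for n in nodes if n.device_class in classes]
    return ("screen_ok" if selected else "screen_failed"), selected

def dispatch(screen_status, selected):
    """Second smart contract: dispatch only when screening reported success (claim 13)."""
    if screen_status != "screen_ok":
        return "dispatch_skipped"
    return "dispatch_ok" if selected else "dispatch_failed"

def repair(intel, node):
    """Third smart contract at the second node: look up and run the repair (claim 18)."""
    action = TYPE_TO_REPAIR.get(intel["type"])
    if action is None or action not in node.capabilities:
        return "repair_failed"
    node.applied.append((action, intel["value"]))
    return "repair_ok"

def block_hash(prev_hash, body):
    payload = json.dumps({"prev": prev_hash, "body": body}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def run_cycle(intel, nodes, chain):
    """One screening/dispatch/repair cycle; appends a block carrying the claim 15 fields."""
    screen_status, selected = screen_nodes(intel, nodes)
    dispatch_status = dispatch(screen_status, selected)
    application_status = ({n.node_id: repair(intel, n) for n in selected}
                          if dispatch_status == "dispatch_ok" else {})
    body = {
        "threat_intel": intel,                           # obtained by the first node
        "screen_status": screen_status,                  # output of the first contract
        "second_nodes": [n.node_id for n in selected],   # the selected second nodes
        "dispatch_status": dispatch_status,              # output of the second contract
        "application_status": application_status,        # output of the third contract
    }
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"prev": prev_hash, "body": body, "hash": block_hash(prev_hash, body)}
    chain.append(block)
    return block

def verify_chain(chain):
    """Recompute every hash; any edit to a recorded status field breaks the chain."""
    prev_hash = GENESIS_HASH
    for block in chain:
        if block["prev"] != prev_hash or block_hash(prev_hash, block["body"]) != block["hash"]:
            return False
        prev_hash = block["hash"]
    return True

def demo_nodes():
    """Constructed sample fleet; db-1 advertises no repair capability, so its repair fails."""
    return [Node("fw-1", "firewall", 1, {"block_ip"}),
            Node("proxy-1", "proxy", 2, {"block_url", "sinkhole_domain"}),
            Node("ep-1", "endpoint", 3, {"quarantine_hash"}),
            Node("db-1", "database", 1, set())]

if __name__ == "__main__":
    chain, fleet = [], demo_nodes()
    run_cycle({"type": "ip", "value": "203.0.113.5"}, fleet, chain)  # constructed indicator
    run_cycle({"type": "vulnerability", "value": "VULN-ID-PLACEHOLDER"}, fleet, chain)
    print([b["body"]["application_status"] for b in chain], verify_chain(chain))
```

Two points are worth noticing when reading the output. A repair failure is not an error in the pipeline: it is a legitimate status value that claim 14 requires to be recorded, so the block body carries `repair_failed` for a node that cannot perform the mapped action, and an auditor can later distinguish "never dispatched" (`dispatch_skipped`) from "dispatched but not applied". Second, the value of writing the status fields to a hash-chained body is that a node cannot quietly rewrite its own application status afterwards; `verify_chain` returns `False` as soon as any recorded field is altered.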
PCT/CN2021/107639 2020-07-30 2021-07-21 Threat intelligence application method and device WO2022022361A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010754576.2A CN114095187B (en) 2020-07-30 2020-07-30 Threat information application method, threat information application device and computer readable storage medium
CN202010754576.2 2020-07-30

Publications (1)

Publication Number Publication Date
WO2022022361A1 true WO2022022361A1 (en) 2022-02-03

Family

ID=80037128

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/107639 WO2022022361A1 (en) 2020-07-30 2021-07-21 Threat intelligence application method and device

Country Status (2)

Country Link
CN (1) CN114095187B (en)
WO (1) WO2022022361A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108898021A (en) * 2018-06-04 2018-11-27 北京奇虎科技有限公司 Threat information processing method, system and calculating equipment based on block chain
CN109981564A (en) * 2019-01-28 2019-07-05 中国科学院信息工程研究所 A kind of threat information exchange sharing method based on block chain
CN110334155A (en) * 2019-07-09 2019-10-15 佛山市伏宸区块链科技有限公司 A kind of block chain threat intelligence analysis method and system based on big data integration
US20200067963A1 (en) * 2019-10-28 2020-02-27 Olawale Oluwadamilere Omotayo Dada Systems and methods for detecting and validating cyber threats

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG11202001961VA (en) * 2019-06-27 2020-04-29 Alibaba Group Holding Ltd Managing cybersecurity vulnerabilities using blockchain networks
CN110493345A (en) * 2019-08-23 2019-11-22 北京智芯微电子科技有限公司 Internet-of-things terminal method for upgrading software and system based on block chain

Also Published As

Publication number Publication date
CN114095187B (en) 2023-05-09
CN114095187A (en) 2022-02-25

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21849214

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 21849214

Country of ref document: EP

Kind code of ref document: A1