CN114666157A - Block chain cross-chain threat information sharing system and method - Google Patents

Info

Publication number
CN114666157A
Authority
CN
China
Prior art keywords
information
chain
transaction
intelligence
module
Legal status
Pending
Application number
CN202210391982.6A
Other languages
Chinese (zh)
Inventor
冯景瑜
张琪
苏恒涛
张文波
黄文华
韩刚
Current Assignee
Shenzhen Wanzhida Technology Co ltd
Original Assignee
Xian University of Posts and Telecommunications

Classifications

    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • G06Q 40/04 Finance: trading; exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H04L 63/0428 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/10 Network security: controlling access to devices or network resources
    • H04L 63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Network security: event detection, e.g. attack signature detection
    • H04L 67/104 Peer-to-peer [P2P] networks
    • H04L 67/1097 Protocols for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L 9/3247 Cryptographic mechanisms for entity authentication or message authentication involving digital signatures
    • H04L 9/3297 Cryptographic mechanisms for entity authentication or message authentication involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • Technology Law (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A blockchain cross-chain threat intelligence sharing system comprises an intelligence processing layer, a smart contract layer, a multi-chain layer and a cloud storage layer. The sharing method comprises the following steps: first, a contract request is initiated to call one of several smart contracts; second, the client builds a transaction according to the request and signs it, then sends the transaction to a local node, which checks that the signature is correct, verifies that the transaction is legal and not a duplicate, and adds a transaction that passes verification to the transaction pool; third, the transaction is broadcast to the consensus nodes of the blockchain network, and a consensus node assembles the transactions in the pool into a block to be agreed on and sends it to all consensus nodes in the network; fourth, after receiving the block, each consensus node verifies its transactions one by one, packages the execution result of each transaction in a transaction receipt and returns it, and the block is appended to the chain to complete storage. The method improves intelligence sharing performance, prevents intelligence leakage, facilitates large-scale sharing and use of threat intelligence by multiple parties, and improves retrieval performance.

Description

Block chain cross-chain threat information sharing system and method
Technical Field
The invention belongs to the technical field of computers, and in particular relates to a system and a method for sharing threat intelligence across blockchains.
Background
With the development of computer technology and the internet industry, industries and systems of every kind face more and more network attacks and threats. Taken together, the current network security situation shows attacks that are ever more concealed, persistent and targeted. Traditional security protection relies only on static controls performed by security equipment such as firewalls, intrusion detection systems and intrusion prevention systems deployed at the perimeter or at particular nodes: network security monitoring based mainly on signature detection, with alarms generated by matching preset rules. Such passive defence is no longer suited to novel network security threats such as advanced persistent threats and zero-day attacks. The traditional security defence approach needs to be optimized and improved into a security system that can cope with diverse and persistent threats.
An information security assurance framework centred on threat intelligence is of great significance for the stable operation of the critical infrastructure of daily life and production, for guaranteeing military command capability, and for the peace and stability of the international community. Threat intelligence is refined network security threat information; it is sensitive, time-critical and heterogeneous, and sharing it in a structured form helps to collect threat information automatically and to improve attack detection and response. A blockchain is decentralized, persistent, anonymous and traceable, and cloud storage offers large capacity and scalability, so threat intelligence can be shared by combining blockchain and cloud storage. The traceability of the blockchain allows the behaviour of personnel during intelligence use to be supervised effectively, ensures that sharing behaviour complies with the specification, and strengthens the trust of intelligence consumers in the intelligence source. Threat intelligence sharing helps to respond actively to advanced network threats by collecting relevant threat information, thereby strengthening the threat response capability of the information infrastructure. However, threat information is multi-source heterogeneous data, which hinders retrieval and sharing, and it is limited by the transaction throughput and storage capacity of a single blockchain, so the efficiency of sharing threat intelligence in a single-chain mode is low. The prior art has the following problems:
When threat intelligence is shared using blockchains, several technical problems arise, for example:
Threat intelligence is sensitive data; once intelligence is leaked and maliciously exploited, many information facilities can be damaged, to the point that the information services provided by enterprises stop.
If everything is stored only on the blockchain, a large amount of redundant information is generated, and as the redundant information grows the performance of the blockchain keeps decreasing.
Existing work only provides a single-blockchain mode of sharing threat intelligence and does not remedy the insufficient performance of that mode, so large-scale sharing of threat intelligence is hard to achieve.
Threat information is multi-source heterogeneous data that is not easy to retrieve or exchange, and existing work provides no threat intelligence conversion model suited to a blockchain, which hinders multi-party sharing. In view of this, a multi-chain threat intelligence sharing mode is needed to counter diverse and persistent threats.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide a system and a method for sharing threat intelligence across blockchains, which improve intelligence sharing performance, prevent intelligence leakage, facilitate large-scale sharing and use of threat intelligence by multiple parties, and improve overall retrieval and sharing performance.
To achieve this purpose, the invention adopts the following technical scheme: a blockchain cross-chain threat intelligence sharing system comprises an intelligence processing layer, a smart contract layer, a multi-chain layer and a cloud storage layer;
the intelligence processing layer comprises an intelligence meta-information extraction node module, an intelligence standardization node module and an intelligence value evaluation node module; the intelligence meta-information extraction node module collects and extracts threat meta-information; the intelligence standardization node module converts multi-source heterogeneous threat information into standardized threat intelligence; the intelligence value evaluation node module evaluates the value of the intelligence;
the cloud storage layer comprises a public cloud module and a private cloud module; the public cloud module stores general threat intelligence, and the private cloud module stores the organization's private threat intelligence;
the smart contract layer comprises a cross-chain interaction module, an intelligence sharing module, an intelligence response module, an operation recording module and an intelligence cloud storage module; the cross-chain interaction module performs cross-chain communication; the intelligence sharing module lets multiple organizations share threat intelligence; the intelligence response module responds to network threats; the operation recording module records the behaviour of intelligence operators on a blockchain; the intelligence cloud storage module stores threat intelligence;
the multi-chain layer comprises an intelligence chain, a supervision chain, an integral (points) chain and a cross-chain; the intelligence chain stores intelligence metadata; the supervision chain stores the behaviour data generated when employees access intelligence; the integral chain stores the intelligence contribution points of each organization; the cross-chain performs cross-chain interaction.
A method for sharing threat intelligence across blockchains comprises the following steps:
step one, when a user initiates a contract request to call one of the smart contracts, the content of the input data depends on the contract: when the intelligence sharing contract on the intelligence chain is called, the input data comprises the intelligence meta-information and the intelligence identifier; when the on-chain recording contract of the supervision chain is called, the input data comprises the organization identifier, the operator identifier, the specific operation and the intelligence identifier; and when the points contract on the integral chain is called, the input data comprises the organization identifier, the operator identifier and the intelligence identifier;
step two, the client constructs a transaction according to the request and signs it; the signed transaction comprises the transaction request, a timestamp and the signature. The client sends the signed transaction to a local node, which first checks that the signature is correct and then verifies whether the transaction is legal and whether it is a duplicate; a transaction that fails these checks is discarded, and a transaction that passes is added to the transaction pool;
step three, the transactions in the pool are broadcast over the P2P network to all consensus nodes of the blockchain network; a consensus node assembles the transactions in the pool into a block to be agreed on and sends that block to all consensus nodes in the network;
step four, after a consensus node receives the block, it verifies the transactions in the block one by one, packages the execution result of each transaction in a transaction receipt and returns it, and the blockchain generates the block according to the consensus and completes storage.
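The four steps above, as an added worked example in Python that is not code from the patent: a client signs a transaction whose input fields depend on the contract being called, a local node checks the signature, the legality of the request and duplicates before pooling it, a block is assembled from the pool, and the consensus step re-verifies the block's transactions and issues receipts before every node appends it. The contract names (cbc.share, sbc.record, ibc.points), the organization keys and the use of HMAC-SHA256 in place of a public-key signature are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Input fields each contract type requires (step one); contract names are assumed labels.
REQUIRED_FIELDS = {
    "cbc.share": {"meta_info", "cti_id"},
    "sbc.record": {"org_id", "operator_id", "operation", "cti_id"},
    "ibc.points": {"org_id", "operator_id", "cti_id"},
}
# Constructed per-organization secrets; HMAC-SHA256 stands in for public-key signatures.
ORG_KEYS = {"org-A": b"constructed-key-A", "org-B": b"constructed-key-B"}
MAX_SKEW = 300.0  # seconds a timestamp may deviate from the node's clock


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_tx(org_id: str, contract: str, inputs: dict, ts: float) -> dict:
    """Step two, client side: request + timestamp + signature."""
    body = {"org_id": org_id, "contract": contract, "inputs": inputs, "ts": ts}
    sig = hmac.new(ORG_KEYS[org_id], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def tx_hash(tx: dict) -> str:
    return hashlib.sha256(canonical(tx)).hexdigest()


def verify_tx(tx: dict, now: float) -> str:
    """Signature first, then legality; returns 'ok' or the rejection reason."""
    key = ORG_KEYS.get(tx.get("org_id"))
    if key is None:
        return "unknown-org"
    body = {k: v for k, v in tx.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(tx.get("sig", ""))):
        return "bad-signature"
    needed = REQUIRED_FIELDS.get(tx.get("contract"))
    if needed is None or not needed <= set(tx.get("inputs", {})):
        return "illegal"  # unknown contract or a missing input field
    if abs(now - float(tx.get("ts", 0))) > MAX_SKEW:
        return "stale"  # old (possibly replayed) or badly clocked transaction
    return "ok"


class Node:
    def __init__(self):
        self.pool: dict[str, dict] = {}
        self.seen: set[str] = set()  # hashes already in the pool or on the chain
        self.chain: list[dict] = []

    def admit(self, tx: dict, now: float) -> str:
        """Step two, node side: verify, then reject duplicates, then pool."""
        status = verify_tx(tx, now)
        if status != "ok":
            return status
        h = tx_hash(tx)
        if h in self.seen:
            return "duplicate"
        self.seen.add(h)
        self.pool[h] = tx
        return "accepted"

    def assemble_block(self) -> dict:
        """Step three: drain the pool into a block to be agreed on."""
        txs = list(self.pool.values())
        self.pool.clear()
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        header = {"prev": prev, "tx_hashes": [tx_hash(t) for t in txs]}
        return {"hash": hashlib.sha256(canonical(header)).hexdigest(), "txs": txs, **header}


def consensus(block: dict, nodes: list, now: float) -> list:
    """Step four: re-verify each transaction, issue receipts, and append the
    block on every node only if every transaction verified."""
    receipts = [{"tx": tx_hash(tx), "status": verify_tx(tx, now)} for tx in block["txs"]]
    if all(r["status"] == "ok" for r in receipts):
        for node in nodes:
            node.chain.append(block)
            node.seen.update(r["tx"] for r in receipts)
    return receipts


def demo() -> dict:
    """Constructed walk-through of the four steps; returns the observed statuses."""
    now = 1_700_000_000.0
    local, peers = Node(), [Node(), Node()]
    share = sign_tx("org-A", "cbc.share", {"meta_info": {"IP": ["203.0.113.45"]}, "cti_id": "cti-0001"}, now)
    tampered = dict(share, inputs={**share["inputs"], "cti_id": "cti-9999"})
    incomplete = sign_tx("org-A", "sbc.record", {"org_id": "org-A", "operator_id": "emp-17", "cti_id": "cti-0001"}, now)
    old = sign_tx("org-B", "ibc.points", {"org_id": "org-B", "operator_id": "emp-2", "cti_id": "cti-0001"}, now - 3600)
    out = {"share": local.admit(share, now), "replay": local.admit(share, now),
           "tampered": local.admit(tampered, now), "incomplete": local.admit(incomplete, now),
           "stale": local.admit(old, now)}
    receipts = consensus(local.assemble_block(), [local, *peers], now)
    out["receipts"] = [r["status"] for r in receipts]
    out["chain_len"] = [len(n.chain) for n in [local, *peers]]
    return out
```

The order of the checks is the point: the signature is verified before any field is inspected, so a forged request never reaches the legality or duplicate logic, and the duplicate check hashes the signed transaction, so a replay of a valid transaction is rejected without being executed again.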
The storage in step four is hybrid intelligence cloud storage; storage and query comprise the following steps:
step 1, the original intelligence CTI is uploaded to the organization's private cloud server;
step 2, the private cloud module hands the original threat intelligence to an intelligence processing node, encrypts the original intelligence with the organization key, computes the identifier of the encrypted intelligence, and uploads the encrypted intelligence to the public cloud module;
step 3, the private cloud module first extracts the keywords $\{k_1, k_2, \dots, k_n\}$ from the IOC meta-information returned by the intelligence processing node and creates the search index $I = \{i_1, i_2, \dots, i_n\}$; it then encrypts the search index $I$, associates it with the index file identifier and the encrypted intelligence identifier, and finally stores the encrypted index file identifier and the encrypted intelligence identifier on the CBC chain;
step 4, the user initiates a search request with the search keywords $\{k_1, k_2, \dots, k_n\}$, queries the index on the CBC chain with those keywords to obtain the identifiers $\{ID(CTI'_1), ID(CTI'_2), \dots\}$ of the documents containing the keywords, and, according to the returned file identifier list, obtains the ciphertext files $\{CTI'_1, CTI'_2, \dots\}$ stored in the public cloud module.
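Steps 1 to 4 above, as an added Python example rather than the patent's own code. The private cloud encrypts the intelligence with the organization key (an HMAC-SHA256 keystream with encrypt-then-MAC stands in for an authenticated cipher such as AES-GCM), the public cloud stores only ciphertext under an identifier derived from it, and the CBC chain holds only keyed keyword tokens (trapdoors) mapped to identifiers, so neither the cloud provider nor the chain sees keywords or plaintext. The organization key, the sub-key derivation, the token construction and the sample reports are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


def _derive(org_key: bytes, label: bytes) -> bytes:
    """Split the organization key into independent sub-keys (HMAC as a KDF)."""
    return hmac.new(org_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(org_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC over a PRF keystream; stand-in for AES-GCM."""
    k_enc, k_mac = _derive(org_key, b"enc"), _derive(org_key, b"mac")
    nonce = secrets.token_bytes(16)
    ks = _keystream(k_enc, nonce, len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def decrypt(org_key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _derive(org_key, b"enc"), _derive(org_key, b"mac")
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, body, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext integrity check failed")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def trapdoor(org_key: bytes, keyword: str) -> str:
    """Keyed keyword token: the chain stores and matches this, never the keyword."""
    return hmac.new(_derive(org_key, b"idx"), keyword.lower().encode(), hashlib.sha256).hexdigest()


def store_cti(org_key: bytes, raw_cti: bytes, keywords: list,
              public_cloud: dict, cbc_chain: dict) -> str:
    """Steps 1-3: encrypt in the private cloud, upload to the public cloud, index on CBC."""
    blob = encrypt(org_key, raw_cti)
    cti_id = hashlib.sha256(blob).hexdigest()  # identifier of the encrypted intelligence
    public_cloud[cti_id] = blob
    for kw in keywords:
        cbc_chain.setdefault(trapdoor(org_key, kw), []).append(cti_id)
    return cti_id


def search(org_key: bytes, keywords: list, cbc_chain: dict, public_cloud: dict) -> dict:
    """Step 4: conjunctive query over the on-chain index, then fetch and decrypt."""
    ids = None
    for kw in keywords:
        hits = set(cbc_chain.get(trapdoor(org_key, kw), []))
        ids = hits if ids is None else ids & hits
    return {cid: decrypt(org_key, public_cloud[cid]) for cid in sorted(ids or ())}


def demo() -> dict:
    """Constructed organization, two reports and four searches."""
    org_key = b"constructed-org-A-key"
    public_cloud: dict = {}  # CTI_ID -> ciphertext
    cbc_chain: dict = {}     # trapdoor -> [CTI_ID, ...]
    id1 = store_cti(org_key, b"phishing kit on evil.example from 203.0.113.45",
                    ["evil.example", "203.0.113.45", "phishing"], public_cloud, cbc_chain)
    id2 = store_cti(org_key, b"credential phishing via mail relay 198.51.100.7",
                    ["198.51.100.7", "phishing"], public_cloud, cbc_chain)
    return {
        "ids": (id1, id2),
        "domain": search(org_key, ["evil.example"], cbc_chain, public_cloud),
        "shared": search(org_key, ["phishing"], cbc_chain, public_cloud),
        "conj": search(org_key, ["phishing", "198.51.100.7"], cbc_chain, public_cloud),
        "miss": search(org_key, ["unknown.example"], cbc_chain, public_cloud),
        "chain_leaks_keyword": "phishing" in json.dumps(cbc_chain),
    }
```

The chain still learns which trapdoors share identifiers and which tokens are queried together, the usual access-pattern leakage of searchable symmetric encryption; a deployment that lets other organizations search would hand out only the index sub-key derived with the "idx" label, never the encryption key.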
The invention has the following beneficial effects:
Compared with the prior art, the invention differs as follows:
The invention designs a multi-chain sharing scheme that effectively incentivizes the participants who share threat intelligence; in the cross-chain setting, the participants' trust in the source of the threat intelligence is strengthened and intelligence sharing performance is improved.
The invention designs a method for supervising the intelligence sharing process, which records the sharing behaviour of participants on a blockchain, prevents intelligence leakage and makes the participants' sharing behaviour traceable.
The invention introduces an intelligence processing flow that converts threat information into a retrievable, easily exchanged format, which makes large-scale sharing and use of threat intelligence by multiple parties convenient.
The invention introduces a cloud storage mechanism that offers participants a hybrid cloud storage mode, avoids excessive redundancy of intelligence and increases the scale of intelligence sharing.
The invention designs a threat intelligence upload and sharing mechanism based on smart contracts; once a smart contract is on the chain it cannot be tampered with, and this property is used to normalize the sharing process so that threat intelligence can be managed flexibly.
The invention introduces a cross-chain mechanism for interaction between multiple chains and distributes the access and storage load of the intelligence over several blockchains by exchanging intelligence sharing information, improving overall retrieval and sharing performance.
The invention provides a collaborative paradigm for blockchain cross-chain threat intelligence sharing.
The invention cooperates in a cross-chain mode, so that no single blockchain bears a large access load; retrieval and storage are spread over multiple blockchains, and the performance and scale of threat intelligence sharing are improved.
The intelligence processing method designed by the invention integrates multi-source heterogeneous threat information into searchable, easily exchanged threat intelligence and promotes the sharing and use of threat intelligence by different organizations.
The invention stores bulky threat intelligence in a hybrid cloud, provides a secure storage mechanism, and reduces the storage pressure on the blockchain by means of cloud storage, thereby avoiding the drop in sharing performance caused by excessive load on the chain.
The invention introduces a smart contract mechanism: sharing behaviour is normalized by smart contracts, the behaviour of participants is recorded, and intelligence leakage and malicious use are avoided; once an incident occurs, the participants' on-chain records can be traced to determine the responsible party.
Research and analysis of a large body of domestic and foreign literature shows that threat intelligence sharing is mainly based on domestic specifications; although domestic policy provides some guidance for threat intelligence sharing, the enterprises that actually follow the domestic specification are still few. In blockchain-based network security threat intelligence sharing schemes, retrieval and storage performance degrade as the blockchain grows longer, which affects intelligence access and sharing. Existing related work does not follow a common specification, so the parties to intelligence sharing cannot fully use and exchange existing intelligence data.
The invention provides a threat intelligence sharing scheme based on cross-chain interaction in a multi-chain mode, and offers blockchain threat intelligence sharing a sound mode of multi-party participation and large-scale sharing. Combined with the domestic threat intelligence sharing specification, a multi-chain structural model for network security threat intelligence sharing is provided in which different service data are stored on separate homogeneous or heterogeneous blockchains, solving the low intelligence query and transaction efficiency caused by processing a large number of service requests at once in the single-chain mode. Cross-chain information interaction between homogeneous or heterogeneous chains uses a cross-chain interaction contract based on hash locking; the cross-chain contract exchanges threat intelligence related information assets between the chains, which promotes information exchange between multiple blockchains and avoids the information silos that separate blockchains would otherwise form. Mechanisms for intelligence extraction, intelligence standardization and intelligence value evaluation are introduced to convert diverse, heterogeneous threat information into searchable, structured and easily exchanged standardized threat intelligence, promoting intelligence interoperability between multiple parties and strengthening the willingness to share. A hybrid cloud storage mechanism is integrated so that threat intelligence is stored securely in the cloud, relieving data redundancy on the blockchain while preventing intelligence leakage.
In conclusion, the threat intelligence sharing scheme designed by the invention has good robustness and scalability, and helps cyberspace threat intelligence to be shared on a large scale securely and in compliance with the specification.
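The hash-locked cross-chain interaction described above, as an added Python simulation that is not the patent's contract code: organization A locks an intelligence asset on the CBC chain and organization B locks points on the IBC chain under the same hash; A's claim on IBC publishes the preimage, which B then uses on CBC, and if A never claims, both locks time out and refund. The chain model, the asset names and the timeout values are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def lock_hash(preimage: bytes) -> str:
    return hashlib.sha256(preimage).hexdigest()


class Chain:
    """Minimal ledger: a clock, the hash-locked contracts it holds, and the
    preimages that successful claims have made public."""

    def __init__(self, name: str):
        self.name, self.now = name, 0
        self.locks: dict = {}
        self.revealed: dict = {}  # hash -> preimage, readable by everyone once claimed

    def lock(self, asset: str, sender: str, receiver: str, h_lock: str, expiry: int) -> str:
        lock_id = f"{self.name}:{len(self.locks)}"
        self.locks[lock_id] = dict(asset=asset, sender=sender, receiver=receiver,
                                   h_lock=h_lock, expiry=expiry, state="locked")
        return lock_id

    def claim(self, lock_id: str, caller: str, preimage: bytes) -> bool:
        """The receiver takes the asset by presenting the preimage before expiry."""
        lk = self.locks[lock_id]
        if lk["state"] != "locked" or caller != lk["receiver"] or self.now > lk["expiry"]:
            return False
        if not hmac.compare_digest(lock_hash(preimage), lk["h_lock"]):
            return False
        lk["state"] = "claimed"
        self.revealed[lk["h_lock"]] = preimage
        return True

    def refund(self, lock_id: str, caller: str) -> bool:
        """The sender recovers the asset only after expiry and only if unclaimed."""
        lk = self.locks[lock_id]
        if lk["state"] != "locked" or caller != lk["sender"] or self.now <= lk["expiry"]:
            return False
        lk["state"] = "refunded"
        return True


def exchange(cbc: Chain, ibc: Chain, a_reveals: bool) -> tuple:
    """Org A trades an intelligence asset on CBC for points on IBC.

    A locks first with the longer timeout and B answers with a shorter one, so
    A cannot wait for B's lock to expire, take the points and leave B without
    the intelligence. Returns the final (CBC lock state, IBC lock state)."""
    secret = secrets.token_bytes(32)
    h_lock = lock_hash(secret)
    a_lock = cbc.lock("cti-meta-0001", "org-A", "org-B", h_lock, expiry=cbc.now + 20)
    b_lock = ibc.lock("100 points", "org-B", "org-A", h_lock, expiry=ibc.now + 10)
    if a_reveals:
        if not ibc.claim(b_lock, "org-A", secret):  # A claims, publishing the secret
            raise RuntimeError("IBC claim failed")
        if not cbc.claim(a_lock, "org-B", ibc.revealed[h_lock]):  # B reuses it on CBC
            raise RuntimeError("CBC claim failed")
    else:  # A walks away: both locks time out and are refunded
        cbc.now, ibc.now = cbc.now + 21, ibc.now + 21
        cbc.refund(a_lock, "org-A")
        ibc.refund(b_lock, "org-B")
    return cbc.locks[a_lock]["state"], ibc.locks[b_lock]["state"]
```

The asymmetric timeouts are the check to look for in any hash-locked contract: the party that knows the secret must hold the lock with the longer expiry, otherwise it can claim the counterparty's asset at the last moment after its own lock has already become refundable.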
Drawings
FIG. 1 is a schematic diagram of a multi-chain architecture of a cyber-security threat intelligence sharing system according to the present invention.
Fig. 2 is a flow chart of information transfer among the participants in the intelligence sharing process of the present invention.
FIG. 3 is a flow chart of the intelligence processing of the present invention.
Fig. 4 is a flow chart of the secure hybrid cloud storage of intelligence of the present invention.
FIG. 5 is a flow chart of the intelligence on-chain transaction of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
A blockchain cross-chain threat intelligence sharing system comprises an intelligence processing layer, a smart contract layer, a multi-chain layer and a cloud storage layer;
the intelligence processing layer comprises an intelligence meta-information extraction node module, an intelligence standardization node module and an intelligence value evaluation node module; the intelligence meta-information extraction node module collects and extracts threat meta-information; the intelligence standardization node module converts multi-source heterogeneous threat information into standardized threat intelligence; the intelligence value evaluation node module evaluates the value of the intelligence;
the cloud storage layer (also called the multi-cloud layer) comprises a public cloud module and a private cloud module; the public cloud module stores general threat intelligence, and the private cloud module stores the organization's private threat intelligence;
the smart contract layer comprises a cross-chain interaction module, an intelligence sharing module, an intelligence response module, an operation recording module and an intelligence cloud storage module; the cross-chain interaction module performs cross-chain communication; the intelligence sharing module lets multiple organizations share threat intelligence; the intelligence response module responds to network threats; the operation recording module records the behaviour of intelligence operators on a blockchain; the intelligence cloud storage module stores threat intelligence;
the multi-chain layer comprises an intelligence chain, a supervision chain, an integral (points) chain and a cross-chain; the intelligence chain stores intelligence metadata; the supervision chain stores the behaviour data generated when employees access intelligence; the integral chain stores the intelligence contribution points of each organization; the cross-chain performs cross-chain interaction.
Referring to fig. 1, the invention adopts a layered system architecture to realize the blockchain cross-chain threat intelligence sharing scheme. FIG. 1 shows the multi-chain architecture for network security threat intelligence sharing, which includes the intelligence processing layer, the smart contract layer, the multi-chain layer and the cloud storage layer.
Intelligence processing layer: threat intelligence is heterogeneous data, and its effective use requires a uniform data standard. The intelligence processing layer comprises an intelligence meta-information extraction node, an intelligence standardization node and an intelligence value evaluation node, which respectively extract, standardize and evaluate the value of the intelligence shared by users, producing standardized network security threat intelligence data that meets the specification.
Smart contract layer: because threat intelligence data is sensitive, business data and supervision data are recorded by means of the automatic execution, tamper resistance and irreversibility of smart contracts. The traceability of the on-chain transactions generated when a smart contract executes can be used to determine the party responsible for an intelligence leakage incident.
Multi-chain layer: this layer is composed of several interrelated single chains. To improve query efficiency and reduce the coupling between platform services, each kind of service data is recorded on its own blockchain, and a cross-chain protocol exchanges on-chain information and passes state between the blockchains. Intelligence metadata, the behaviour data generated when employees access intelligence, and the intelligence contribution points of each organization are stored respectively on the intelligence chain (CBC), the supervision chain (SBC) and the integral chain (IBC), which improves the intelligence utilization efficiency of consumers and providers and the sharing enthusiasm of the participating organizations.
Cloud storage layer: the storage layer is composed of a public cloud provided by a cloud service provider and a private cloud built by the organization, which store general threat intelligence and the organization's own private threat intelligence respectively. An organization's private intelligence is of little use to most other organizations, but if it were stored in the public cloud it would widen an attacker's avenues of exploitation; to prevent an attacker from directly exploiting a company's private intelligence, the platform storage layer combines the public cloud with the private cloud, strengthening the security of the organization's intelligence management.
The participants in intelligence sharing include the regulatory authority and peer organizations such as internet companies, traditional security companies, cloud security companies and security laboratories. The regulatory authority examines the registration requests submitted by organizations, admits those that meet the conditions to the platform, records the organization's information on the SBC chain and assigns each organization a unique organization identifier. Employees of an organization who take part in sharing must apply within the organization, and once the application is approved the regulatory authority assigns the employee a unique identifier. Assigning unique identifiers to peer organizations and employees makes it possible to determine who is responsible: when an intelligence leakage event occurs, the regulatory authority can query the employee's behaviour on the SBC chain to produce digital evidence.
Peer organizations are both contributors and consumers of intelligence. When an organization provides intelligence, it is first processed by the intelligence processing layer; after intelligence extraction, standardization and value evaluation, the organization uploads the complete threat intelligence (CTI) to the cloud and obtains the identifier (CTI_ID) of that intelligence in the cloud, combines the identifier with the information extracted by the extraction node to form the intelligence meta-information, and records the employee's sharing behaviour; finally, the intelligence metadata and the operator's behaviour are recorded on the CBC and SBC chains respectively, and the intelligence contribution points computed by the value evaluation node are recorded on the IBC chain. The flow of information between the participants in the intelligence sharing process is shown in fig. 2.
Intelligence processing mechanism
Intelligence can be put on-chain only after the intelligence data has been extracted, standardised, value-evaluated and stored in the cloud. When an organisation submits a report, the intelligence passes through a CTI Extract Node, a CTI Normalization Node and a CTI Evaluation Node, as shown in Fig. 3.
Intelligence extraction node (CTI Extract Node): the intelligence provider uploads the intelligence, the CTI Extract Node processes it and extracts the meta-information from the original intelligence, and the complete intelligence is then uploaded to the organisation's private cloud. Once the intelligence identifier returned by the private cloud has been obtained, the intelligence sharing contract on the chain is called, and finally the intelligence meta-information and the provider's operation information are stored on the chain. The intelligence meta-information is expressed as the octuple <IP, Domain, fileHash, Email, Org, DomainOwner, attacker, hint>, whose elements are the malicious IP, malicious domain name, malicious file hash, mailbox, attacking organisation, domain name holder, attacker and threat mitigation measures respectively.
Intelligence standardisation node (CTI Normalization Node): because intelligence comes from different organisations, their descriptions of network security threat information are inconsistent, and most of it is unstructured data. So that all organisations can fully share and use the intelligence and computers can process it conveniently, threat intelligence is divided into object-domain threat intelligence and relationship-domain threat intelligence, following STIX (Structured Threat Information eXpression) and China's current standard for the network security threat information format (information security technology).
Object-domain threat intelligence (Object Domain CTI) mainly comprises Threat Indicators, Threat Subjects, Threat Targets, Attack Patterns and the like. It is described by the five-tuple <id, type, content, tp, context>, where id is the intelligence identifier, type the object type, content the specific content, tp the timestamp and context the context information. Relationship-domain threat intelligence (Relationship Domain CTI) describes the relations between object-domain threat intelligence and is expressed as <id, CTI_id, type, desc, tp>, where id is the unique identifier of the relation, CTI_id the identifiers of the related intelligence objects, type the kind of relation between them, desc a detailed description of the relation and tp the timestamp.
After the CTI Normalization Node has converted the unstructured data submitted by an organisation into standard data, the data are serialised in the JSON (JavaScript Object Notation) data exchange format as machine-readable structured data, which further improves the readability and usability of the intelligence.
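As an added illustration of the extraction and standardisation nodes described above (example code written for this page, not the patent's own implementation), the following Go program extracts the octuple from a constructed report and normalises it into object-domain and relationship-domain tuples serialised as JSON. The regular expressions, the `[.]` defanging step, the `threat-indicator`/`threat-subject` type names, the `indicates` relation and the sample report are assumptions; the patent fixes only the tuple fields, and the analyst-supplied fields (Org, DomainOwner, attacker, hint) are passed in rather than extracted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// CTIMeta is the extraction node's octuple <IP, Domain, fileHash, Email, Org, DomainOwner, attacker, hint>.
type CTIMeta struct {
	IP, Domain, FileHash, Email      []string
	Org, DomainOwner, Attacker, Hint string
}

// ObjectCTI and RelationCTI are the object-domain five-tuple <id, type, content, tp, context>
// and the relationship-domain five-tuple <id, CTI_id, type, desc, tp>; the tags give the JSON keys.
type ObjectCTI struct {
	ID      string `json:"id"`
	Type    string `json:"type"`
	Content string `json:"content"`
	TP      int64  `json:"tp"`
	Context string `json:"context"`
}
type RelationCTI struct {
	ID    string   `json:"id"`
	CTIID []string `json:"CTI_id"`
	Type  string   `json:"type"`
	Desc  string   `json:"desc"`
	TP    int64    `json:"tp"`
}

// Constructed sample report (not real intelligence); IOCs are defanged with [.] as analysts often do.
const sampleReport = `Beacon traffic from 203.0.113.7 and 198.51.100.23 to update-cdn[.]example[.]net.
Dropper SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
was mailed from billing@invoice-portal[.]example to staff.`

var (
	refang   = strings.NewReplacer("[.]", ".", "hxxp", "http")
	reIP     = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	reEmail  = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	reHash   = regexp.MustCompile(`\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b`)
	reDomain = regexp.MustCompile(`\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)
)

// uniq sorts and de-duplicates matches so the octuple is canonical.
func uniq(in []string) []string {
	sort.Strings(in)
	var out []string
	for _, s := range in {
		if len(out) == 0 || out[len(out)-1] != s {
			out = append(out, s)
		}
	}
	return out
}

// Extract fills the octuple; e-mail addresses are blanked before domain matching so their host part is not reported twice.
func Extract(raw, org, owner, attacker, hint string) CTIMeta {
	text := refang.Replace(raw)
	noMail := reEmail.ReplaceAllString(text, " ")
	return CTIMeta{
		IP: uniq(reIP.FindAllString(text, -1)), Domain: uniq(reDomain.FindAllString(noMail, -1)),
		FileHash: uniq(reHash.FindAllString(text, -1)), Email: uniq(reEmail.FindAllString(text, -1)),
		Org: org, DomainOwner: owner, Attacker: attacker, Hint: hint,
	}
}

// Normalize maps the octuple to tuples: each IOC becomes a threat-indicator object, the attacker a
// threat-subject object, and every indicator is linked to the attacker by an "indicates" relation.
func Normalize(m CTIMeta, tp int64) ([]ObjectCTI, []RelationCTI) {
	var objs []ObjectCTI
	add := func(typ, content, ctx string) string {
		id := fmt.Sprintf("obj-%d", len(objs)+1)
		objs = append(objs, ObjectCTI{ID: id, Type: typ, Content: content, TP: tp, Context: ctx})
		return id
	}
	ctxs := []string{"ipv4-addr", "domain-name", "file-hash", "email-addr"}
	var inds []string
	for i, vals := range [][]string{m.IP, m.Domain, m.FileHash, m.Email} {
		for _, v := range vals {
			inds = append(inds, add("threat-indicator", v, ctxs[i]))
		}
	}
	actor := add("threat-subject", m.Attacker, "org="+m.Org+"; domain-owner="+m.DomainOwner)
	var rels []RelationCTI
	for i, ind := range inds {
		rels = append(rels, RelationCTI{ID: fmt.Sprintf("rel-%d", i+1), CTIID: []string{ind, actor},
			Type: "indicates", Desc: "attributed to " + m.Attacker + "; mitigation: " + m.Hint, TP: tp})
	}
	return objs, rels
}

func main() {
	objs, rels := Normalize(Extract(sampleReport, "Example CERT", "unknown", "APT-Sample", "block C2 at the edge"), 1700000000)
	out, _ := json.MarshalIndent(map[string]interface{}{"objects": objs, "relationships": rels}, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints six objects (two IPs, one domain, one hash, one mailbox and the threat subject) and five relations, which is the shape the evaluation node and the CBC chain would receive; in a real deployment the regexes would be replaced by a proper IOC parser and the STIX object types used directly.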
Intelligence evaluation node (CTI Evaluation Node): complete, high-value threat intelligence is assembled from intelligence contributed by many organisations. Only when many parties share actively can threat intelligence sharing develop continuously and attract more organisations to take part, and the integrated intelligence arises from that collaboration between organisations. To raise the participating organisations' enthusiasm, points are awarded to each organisation according to its contribution and recorded on the IBC chain.
Intelligence cloud storage method
Although multi-chain storage relieves on-chain storage pressure to some extent, continuously writing large volumes of intelligence data on-chain reduces the blockchain's transaction processing capacity. To further improve intelligence transaction processing and storage capacity, the hybrid cloud storage scheme commonly used by enterprises is adopted: threat intelligence is stored in a private cloud (PrivCloud), the intelligence meta-information returned by the extraction node and index information are stored on the CBC chain, and general intelligence is stored in encrypted form in a public cloud (PubCloud).
A method for sharing blockchain cross-chain threat intelligence comprises the following steps:
step one, when a user initiates a contract request to call different smart contracts, the input data differ by contract: when the intelligence sharing contract on the CBC chain is called, the input data comprise the intelligence meta-information and the intelligence identifier; when the uplink record contract on the SBC chain is called, the input data comprise the organisation identifier, the operator identifier, the specific operation and the intelligence identifier; when the points contract on the IBC chain is called, the input data comprise the organisation identifier, the operator identifier and the intelligence identifier;
step two, the client constructs a transaction from the request and signs it; the signed transaction comprises the transaction request, a timestamp and the signature. The client sends the signed transaction to a local node, which first checks the transaction signature; if the signature is correct, it verifies that the transaction is legal and not a duplicate. A transaction that fails any check is discarded, and a transaction that passes is added to the transaction pool;
step three, the transaction is broadcast to all consensus nodes in the blockchain network over the P2P network; the consensus nodes assemble the transactions in the transaction pool into a block to be agreed on and send that block to all consensus nodes in the network;
step four, after receiving the block to be agreed on, each consensus node verifies the transactions in the block one by one, packages each transaction's execution result in a transaction receipt and returns it, and the blockchain generates the block according to the consensus result, completing storage.
The flow is shown in Fig. 4. The storage in step four is hybrid under-cloud intelligence storage, and storage and query comprise the following steps:
step 1, the original intelligence CTI is uploaded to the organisation's private cloud server;
step 2, the private cloud module hands the original threat intelligence to the intelligence processing node, encrypts the original intelligence with the organisation key, computes the encrypted-intelligence identifier and uploads the encrypted intelligence, under that identifier, to the public cloud module;
step 3, the private cloud module first extracts keywords {k_1, k_2, …, k_n} from the IOC meta-information returned by the intelligence processing node and builds a search index I = {i_1, i_2, …, i_n}; it then encrypts the search index I, associates it with the index file identifier and the encrypted-intelligence identifier, and finally stores the encrypted index file identifier and the encrypted-intelligence identifier on the CBC chain;
step 4, the user initiates a search request with search keywords {k_1, k_2, …, k_n}, queries the index on the CBC chain with those keywords to obtain the identifiers of the documents that contain them, {ID(CTI'_1), ID(CTI'_2), …}, and then, from the list of document identifiers returned by the chain, retrieves the ciphertext documents {CTI'_1, CTI'_2, …} stored in the public cloud module.
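The storage and query steps above (restated in claim 3) as an added example written for this page, not code from the patent. The organisation key, AES-256-GCM for the ciphertext, SHA-256 of the ciphertext as the encrypted-intelligence identifier and HMAC tokens as the encrypted search index are all assumptions, since the patent names the steps but not the primitives; `PubCloud` and `CBCIndex` are in-memory stand-ins for the public cloud module and the index on the CBC chain.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)

// OrgKeys: assumed organisation keys (AES-256 for the ciphertext, HMAC for the index); PubCloud and CBCIndex stand in for the public cloud module and the index kept on the CBC chain.
type (
	OrgKeys  struct{ Enc, Index []byte }
	PubCloud map[string][]byte   // encrypted-intelligence identifier -> ciphertext
	CBCIndex map[string][]string // keyword token -> identifiers containing it
)

func NewOrgKeys() (OrgKeys, error) {
	buf := make([]byte, 64)
	_, err := rand.Read(buf)
	return OrgKeys{Enc: buf[:32], Index: buf[32:]}, err
}

// aead builds AES-256-GCM; NewOrgKeys fixes the key length, so the constructors cannot fail here.
func aead(k OrgKeys) cipher.AEAD {
	block, _ := aes.NewCipher(k.Enc)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func CTIIdentifier(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// EncryptCTI (step 2): the identifier (SHA-256 of the ciphertext) goes on-chain and later lets a reader check the cloud's bytes.
func EncryptCTI(k OrgKeys, plaintext []byte) (string, []byte, error) {
	gcm := aead(k)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	blob := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	return CTIIdentifier(blob), blob, nil
}

func DecryptCTI(k OrgKeys, blob []byte) ([]byte, error) {
	gcm := aead(k)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeywordToken (step 3): the chain stores HMAC tokens, so a reader without the index key learns no IOC keywords.
func KeywordToken(k OrgKeys, kw string) string {
	mac := hmac.New(sha256.New, k.Index)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(kw))))
	return hex.EncodeToString(mac.Sum(nil))
}

func (c CBCIndex) Publish(k OrgKeys, keywords []string, id string) {
	for _, kw := range keywords {
		tok := KeywordToken(k, kw)
		c[tok] = append(c[tok], id)
	}
}

// Search (step 4): ids in every keyword's posting list; an id counts for keyword i only if it matched all i earlier ones, so repeats are harmless.
func (c CBCIndex) Search(k OrgKeys, keywords []string) []string {
	hits := map[string]int{}
	for i, kw := range keywords {
		for _, id := range c[KeywordToken(k, kw)] {
			if hits[id] == i {
				hits[id]++
			}
		}
	}
	var out []string
	for id, n := range hits {
		if n == len(keywords) {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// Fetch refuses a blob whose hash no longer matches the on-chain identifier, so a substituted or truncated public cloud object is caught before decryption.
func (p PubCloud) Fetch(id string) ([]byte, error) {
	if blob, ok := p[id]; ok && CTIIdentifier(blob) == id {
		return blob, nil
	}
	return nil, errors.New("public cloud object missing or altered")
}
```

Typical use: `id, blob, _ := EncryptCTI(k, cti)`, `cloud[id] = blob`, `chain.Publish(k, keywords, id)` on the provider side; `chain.Search(k, query)`, `cloud.Fetch(id)` and `DecryptCTI(k, blob)` on the consumer side. Publishing tokens instead of keywords means the chain reveals which identifiers share a keyword but not which keyword (the usual leakage of a deterministic searchable index), and `Fetch` re-hashes the object because the identifier on-chain is the only thing the reader can trust more than the public cloud itself.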
Intelligence uplink sharing
Storing intelligence in the cloud as ciphertext secures intelligence storage, but the organisations still need a way to share and use threat intelligence securely among themselves. A multi-chain model consisting of an intelligence chain, a supervision chain and an integration (points) chain is therefore built on top of the hybrid cloud storage. Multi-chain transactions no longer depend entirely on a single chain's underlying architecture: the multi-chain can be composed of heterogeneous or homogeneous chains, and information is exchanged between chains through a cross-chain mechanism. Although the low-level details of the blockchain transaction flow (consensus mechanism, security components, node roles and so on) differ between architectures, the life cycle of an on-chain transaction is similar. To further illustrate the multi-chain model formed by the CBC, SBC and IBC, the uplink flow of intelligence is described in more detail according to each chain's service type, as shown in Fig. 5, and comprises the following steps:
step one, when a user initiates a contract request to call different smart contracts, the input data differ by contract: when the sharing contract on the CBC chain is called, the input data comprise the intelligence meta-information and the intelligence identifier; when the record contract on the SBC chain is called, the input data comprise the organisation identifier, the operator identifier, the specific operation and the intelligence identifier; when the points contract on the IBC chain is called, the input data comprise the organisation identifier, the operator identifier and the intelligence identifier;
step two, the client constructs a transaction from the request and signs it; the signed transaction comprises the transaction request, a timestamp and the signature. The client sends the signed transaction to a local node, which first checks the transaction signature; if the signature is correct, it verifies that the transaction is legal and not a duplicate. A transaction that fails any check is discarded, and a transaction that passes is added to the transaction pool;
step three: the transaction is broadcast to all consensus nodes in the blockchain network over the P2P network; the consensus nodes assemble the transactions in the transaction pool into a block to be agreed on and send that block to all consensus nodes in the network;
step four: after receiving the block to be agreed on, each consensus node verifies the transactions in the block one by one, packages each transaction's execution result in a transaction receipt and returns it, and the blockchain generates the block according to the consensus mechanism, completing storage.
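Steps one and two above (the same steps appear earlier in the method description and in claim 2) as an added example in Go that is not the patent's code: it builds a contract request, signs it, and runs the local node's checks in the order the text gives, signature first, then legality, then duplicate. The ed25519 signature, the sender's public key travelling with the transaction, the per-chain required-input table and the timestamp window are assumptions; the patent names the checks but not the mechanisms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Request is the step-one contract call: target chain, contract name and input data.
type Request struct {
	Chain, Contract string
	Input           map[string]string
}

// Transaction is the signed transaction of step two: request, timestamp, signature.
// Carrying the sender's public key is an assumption; the patent does not say how a node obtains it.
type Transaction struct {
	Req    Request
	TS     int64
	Sender ed25519.PublicKey
	Sig    []byte
}

// requiredInputs encodes the per-chain input data listed in step one.
var requiredInputs = map[string][]string{
	"CBC": {"cti_meta", "cti_id"},
	"SBC": {"org_id", "operator_id", "operation", "cti_id"},
	"IBC": {"org_id", "operator_id", "cti_id"},
}

// signingBytes is the canonical encoding the signature covers: the transaction without its
// signature (encoding/json sorts map keys, so equal requests give equal bytes).
func (t Transaction) signingBytes() []byte {
	t.Sig = nil // value receiver: only the local copy is stripped
	b, _ := json.Marshal(t)
	return b
}

// ID is the transaction hash the node uses for duplicate (replay) detection.
func (t Transaction) ID() string {
	sum := sha256.Sum256(t.signingBytes())
	return hex.EncodeToString(sum[:])
}

func Sign(priv ed25519.PrivateKey, req Request, ts int64) Transaction {
	t := Transaction{Req: req, TS: ts, Sender: priv.Public().(ed25519.PublicKey)}
	t.Sig = ed25519.Sign(priv, t.signingBytes())
	return t
}

// LocalNode keeps the transaction pool and the IDs it has already accepted.
type LocalNode struct {
	MaxSkew int64 // accepted |now - ts| in seconds (assumed policy)
	pool    []Transaction
	seen    map[string]bool
}

// Admit runs the step-two checks in the patent's order: signature first, then
// legality (known chain, complete input, fresh timestamp), then duplicate.
func (n *LocalNode) Admit(t Transaction, now int64) error {
	if len(t.Sender) != ed25519.PublicKeySize || !ed25519.Verify(t.Sender, t.signingBytes(), t.Sig) {
		return errors.New("signature check failed")
	}
	fields, ok := requiredInputs[t.Req.Chain]
	if !ok {
		return fmt.Errorf("illegal: unknown chain %q", t.Req.Chain)
	}
	for _, f := range fields {
		if t.Req.Input[f] == "" {
			return fmt.Errorf("illegal: missing input %q", f)
		}
	}
	if d := now - t.TS; d > n.MaxSkew || d < -n.MaxSkew {
		return errors.New("illegal: timestamp outside the accepted window")
	}
	if n.seen == nil {
		n.seen = map[string]bool{}
	}
	id := t.ID()
	if n.seen[id] {
		return errors.New("duplicate transaction")
	}
	n.seen[id] = true
	n.pool = append(n.pool, t)
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	node := &LocalNode{MaxSkew: 300}
	in := map[string]string{"org_id": "ORG-01", "operator_id": "EMP-07", "operation": "read", "cti_id": "cti-42"}
	tx := Sign(priv, Request{Chain: "SBC", Contract: "record", Input: in}, 1700000000)
	fmt.Println("admit:", node.Admit(tx, 1700000010), "replay:", node.Admit(tx, 1700000020), "pooled:", len(node.pool))
}
```

The signature check comes before anything that parses the request, so malformed or forged input is rejected without touching contract logic, and the duplicate check keys on the hash of the signed bytes (request, timestamp and sender), so re-sending a captured transaction is caught even though its signature is valid. Steps three and four, broadcast and consensus, depend on the chosen blockchain platform and are not modelled here.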

Claims (3)

1. A blockchain cross-chain threat intelligence sharing system, characterised by comprising an intelligence processing layer, a smart contract layer, a multi-chain layer and a cloud storage layer;
the intelligence processing layer comprises an intelligence meta-information extraction node module, an intelligence standardisation node module and an intelligence value evaluation node module; the intelligence meta-information extraction node module collects and extracts threat meta-information; the intelligence standardisation node module converts multi-source heterogeneous threat information into threat intelligence; the intelligence value evaluation node module evaluates the value of the intelligence;
the cloud storage layer comprises a public cloud module and a private cloud module; the public cloud module stores general threat intelligence; the private cloud module stores the organisation's private threat intelligence;
the smart contract layer comprises a cross-chain interaction module, an intelligence sharing module, an intelligence response module, an operation recording module and an intelligence cloud storage module; the cross-chain interaction module performs cross-chain communication; the intelligence sharing module shares threat intelligence among multiple organisations; the intelligence response module responds to network threats; the operation recording module records the behaviour of intelligence operators on the blockchain; the intelligence cloud storage module stores threat intelligence;
the multi-chain layer comprises an intelligence chain, a supervision chain, an integration chain and a cross-chain; the intelligence chain stores intelligence metadata; the supervision chain stores the behaviour data of employee visits; the integration chain stores each organisation's intelligence contribution value; the cross-chain performs cross-chain interaction.
2. A blockchain cross-chain threat intelligence sharing method, characterised by comprising the following steps:
step one, when a user initiates a contract request to call different smart contracts, the input data differ by contract: when the intelligence sharing contract on the intelligence chain is called, the input data comprise the intelligence meta-information and the intelligence identifier; when the uplink record contract on the supervision chain is called, the input data comprise the organisation identifier, the operator identifier, the specific operation and the intelligence identifier; when the points contract on the integration chain is called, the input data comprise the organisation identifier, the operator identifier and the intelligence identifier;
step two, the client constructs a transaction from the request and signs it; the signed transaction comprises the transaction request, a timestamp and the signature; the client sends the signed transaction to a local node, which first checks the transaction signature and, if the signature is correct, verifies that the transaction is legal and not a duplicate; a transaction that fails any check is discarded, and a transaction that passes is added to the transaction pool;
step three, the transactions in the transaction pool are broadcast to all consensus nodes in the blockchain network over the P2P network; the consensus nodes assemble the transactions in the transaction pool into a block to be agreed on and send that block to all consensus nodes in the network;
step four, after receiving the block to be agreed on, each consensus node verifies the transactions in it one by one, packages each transaction's execution result in a transaction receipt and returns it, and the blockchain generates the block according to the consensus result and completes storage.
3. The method as claimed in claim 2, characterised in that the storage in step four is hybrid under-cloud intelligence storage, and storage and query comprise the following steps:
step 1, the original intelligence CTI is uploaded to the organisation's private cloud server;
step 2, the private cloud module hands the original threat intelligence to the intelligence processing node, encrypts the original intelligence with the organisation key, computes the encrypted-intelligence identifier and uploads the encrypted intelligence, under that identifier, to the public cloud module;
step 3, the private cloud module first extracts keywords {k_1, k_2, …, k_n} from the IOC meta-information returned by the intelligence processing node and builds a search index I = {i_1, i_2, …, i_n}; it then encrypts the search index I, associates the encrypted search index I with the index file identifier and the encrypted-intelligence identifier, and finally stores the encrypted index file identifier and the encrypted-intelligence identifier on the CBC chain;
step 4, the user initiates a search request with search keywords {k_1, k_2, …, k_n}, queries the index on the CBC chain with those keywords to obtain the identifiers of the documents that contain them, {ID(CTI'_1), ID(CTI'_2), …}, and then, from the list of document identifiers returned by the chain, retrieves the ciphertext documents {CTI'_1, CTI'_2, …} stored in the public cloud module.
CN202210391982.6A 2022-04-14 2022-04-14 Block chain cross-chain threat information sharing system and method Pending CN114666157A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210391982.6A CN114666157A (en) 2022-04-14 2022-04-14 Block chain cross-chain threat information sharing system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210391982.6A CN114666157A (en) 2022-04-14 2022-04-14 Block chain cross-chain threat information sharing system and method

Publications (1)

Publication Number Publication Date
CN114666157A true CN114666157A (en) 2022-06-24

Family

ID=82035639

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210391982.6A Pending CN114666157A (en) 2022-04-14 2022-04-14 Block chain cross-chain threat information sharing system and method

Country Status (1)

Country Link
CN (1) CN114666157A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801276A (en) * 2022-11-28 2023-03-14 北京航空航天大学 Automobile network threat information security sharing method, system and storage medium
CN115801276B (en) * 2022-11-28 2024-06-11 北京航空航天大学 Automobile network threat information secure sharing method, system and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108898021A (en) * 2018-06-04 2018-11-27 北京奇虎科技有限公司 Threat information processing method, system and calculating equipment based on block chain
CN108965247A (en) * 2018-06-04 2018-12-07 上海交通大学 A kind of threat information exchange shared system and method based on block chain
WO2019189954A1 (en) * 2018-03-28 2019-10-03 주식회사 마크로젠 Multiple blockchain-based data sharing method
KR20200044363A (en) * 2018-10-19 2020-04-29 빅픽처랩 주식회사 Method for managing trust information based on block-chain
WO2020103557A1 (en) * 2018-11-20 2020-05-28 阿里巴巴集团控股有限公司 Transaction processing method and device
US20200358801A1 (en) * 2019-05-08 2020-11-12 International Business Machines Corporation Threat information sharing based on blockchain
US20210065070A1 (en) * 2018-12-18 2021-03-04 Rokfin, Inc. Dampening token allocations based on non-organic subscriber behaviors
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN113114498A (en) * 2021-04-08 2021-07-13 同方股份有限公司 Architecture system of trusted block chain service platform and construction method thereof
CN114006713A (en) * 2020-10-22 2022-02-01 北京八分量信息科技有限公司 Trust architecture for node diversity

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
JINGYU FENG, ET AL: "Blockchain-Based Data Management and Edge-Assisted Trusted Cloaking Area Construction for Location Privacy Protection in Vehicular Networks", 《IEEE INTERNET OF THINGS JOURNAL》, vol. 8, no. 4, pages 2087, XP011835697, DOI: 10.1109/JIOT.2020.3038468 *
Feng Jingyu et al.: "Secure sharing mechanism for medical data based on multi-cloud, multi-chain collaboration", 《技术研究》 (Technology Research), no. 1, p. 9 *
Liu Mingda et al.: "Research progress of blockchain in the field of data security", 《计算机学报》 (Chinese Journal of Computers), vol. 44, no. 1, pp. 1-27 *
Zhang Chenghu et al.: "Research on an Internet financial crime intelligence sharing model based on multi-chain blockchain", 《情报杂志》 (Journal of Intelligence), vol. 40, no. 6, p. 65 *

Similar Documents

Publication Publication Date Title
Ryu et al. A blockchain-based decentralized efficient investigation framework for IoT digital forensics
Henry et al. Blockchain access privacy: Challenges and directions
Li et al. RETRACTED ARTICLE: Information security model of block chain based on intrusion sensing in the IoT environment
CN108964926B (en) User trust negotiation establishing method, user behavior data storage method and medium
Kim et al. Data governance framework for big data implementation with NPS Case Analysis in Korea
Zhang et al. Toward effective big data analysis in continuous auditing
Meng et al. Enhancing challenge-based collaborative intrusion detection networks against insider attacks using blockchain
JP2018516419A (en) A computerized system that securely delivers and exchanges cyber threat information in a standardized format
Weitzner et al. Transparent accountable data mining: New strategies for privacy protection
Sikos AI in digital forensics: Ontology engineering for cybercrime investigations
Zhu Self-organized network management and computing of intelligent solutions to information security
Miloslavskaya Designing blockchain-based SIEM 3.0 system
He et al. Blotisrt: Blockchain-based threat intelligence sharing and rating technology
Miloslavskaya et al. IoTBlockSIEM for information security incident management in the internet of things ecosystem
Liao et al. Network security situation assessment model based on extended hidden Markov
Alsammak et al. A model for blockchain-based privacy-preserving for big data users on the internet of thing
Baker et al. The development of a common enumeration of vulnerabilities and exposures
Altalbe et al. Assuring enhanced privacy violation detection model for social networks
Zhang et al. A fuzzy collusive attack detection mechanism for reputation aggregation in mobile social networks: A trust relationship based perspective
Kou et al. Trust‐Based Missing Link Prediction in Signed Social Networks with Privacy Preservation
Lu et al. Research on agricultural internet of things data sharing system based on blockchain
Kalugina et al. Comparative analysis and experience of using social network analysis information systems
CN114666157A (en) Block chain cross-chain threat information sharing system and method
Zhang et al. A Reputation‐Based Approach Using Consortium Blockchain for Cyber Threat Intelligence Sharing
Yang et al. [Retracted] Framework Design of Science and Technology Venture Capital Salary Management System Driven by Blockchain Technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240226

Address after: 518000 1002, Building A, Zhiyun Industrial Park, No. 13, Huaxing Road, Henglang Community, Longhua District, Shenzhen, Guangdong Province

Applicant after: Shenzhen Wanzhida Technology Co.,Ltd.

Country or region after: China

Address before: 710061 No. 563 South Changan Road, Shaanxi, Xi'an

Applicant before: XI'AN University OF POSTS & TELECOMMUNICATIONS

Country or region before: China