CN115714811A - Threat information sharing method and device - Google Patents


Publication number: CN115714811A
Application number: CN202110961529.XA
Authority: CN (China)
Prior art keywords: threat, threat intelligence, sharing, intelligence, node
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventors: 林玥, 何晨迪, 王博
Current Assignee: Hisense Group Holding Co Ltd
Original Assignee: Hisense Group Holding Co Ltd

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

In the method, a first proxy node receives a threat intelligence acquisition request generated by any member of a sharing group, and performs content detection on the blockchain ledger corresponding to each threat intelligence sharing type it holds, to determine whether the threat identifier in the threat intelligence acquisition request exists in the blockchain ledger corresponding to that threat intelligence sharing type. If so, the first proxy node generates a request threat intelligence transaction based on the threat identifier, the account address of the first proxy node and the account address of a second proxy node, and uploads the request threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type. After an authorized threat intelligence transaction is detected in the blockchain ledger corresponding to the threat intelligence sharing type, the first proxy node downloads the threat intelligence corresponding to the threat identifier through the storage address of that threat intelligence provided by the second proxy node. In this way, the security of the shared threat intelligence can be effectively ensured.

Description

Threat information sharing method and device
Technical Field
The present application relates to the field of block chain technologies, and in particular, to a method and an apparatus for sharing threat information.
Background
With the rapid development of network information security technology, more and more people are becoming aware of the importance of sharing threat intelligence in order to minimize the leakage of personal or enterprise information and the loss of assets.
At present, threat intelligence is mainly shared in a centralized manner. Specifically, an organization trusted by every sharer is selected as an intelligence center; any sharer can upload threat intelligence to the intelligence center after acquiring it, and the intelligence center is responsible for storing and managing the threat intelligence uploaded by each sharer. If a user or an enterprise suffers a malicious attack (for example, a virus, or an attacker exploiting a security vulnerability), the user or enterprise can query the intelligence center for the threat intelligence corresponding to the malicious attack and handle the attack based on the emergency response measures in that threat intelligence. However, this approach is centralized: if the intelligence center fails or is attacked, the information of the sharers and the threat intelligence they shared may be leaked, and the privacy of the shared threat intelligence cannot be ensured, so sharers may be reluctant to trust the intelligence center.
In summary, a threat information sharing method is needed to effectively ensure the privacy security of the shared threat information.
Disclosure of Invention
The exemplary embodiments of the present application provide a threat intelligence sharing method and apparatus, so as to effectively ensure privacy security of the shared threat intelligence.
In a first aspect, an exemplary embodiment of the present application provides a method for sharing threat intelligence, which is applicable to a blockchain network having m proxy nodes; each agent node is generated by election of a sharing group where the agent node is located; the method comprises the following steps:
a first proxy node receives a threat information acquisition request generated by any member in a sharing group where the first proxy node is located; the first proxy node is any one of the m proxy nodes;
the first proxy node performs content detection on the blockchain ledger corresponding to each threat intelligence sharing type, among the blockchain ledgers corresponding to the at least one threat intelligence sharing type that it holds, and determines whether the threat identifier in the threat intelligence acquisition request exists in the blockchain ledger corresponding to that threat intelligence sharing type; the blockchain ledger corresponding to each threat intelligence sharing type is established based on the threat intelligence sharing mechanism, corresponding to that sharing type, that the first proxy node follows;
if so, the first proxy node acquires an account address of a second proxy node for storing threat intelligence corresponding to the threat identification from a blockchain account book corresponding to the threat intelligence sharing type;
the first proxy node generates a request threat intelligence transaction based on the threat identifier, the account address of the first proxy node and the account address of the second proxy node, and uploads the request threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type; the second proxy node is configured to, after detecting the request threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, determine whether the first proxy node has the authority to access the threat intelligence corresponding to the threat identifier, and generate an authorized threat intelligence transaction that is uploaded to the blockchain ledger corresponding to the threat intelligence sharing type; the second proxy node follows the threat intelligence sharing mechanism corresponding to the threat intelligence sharing type;
and after the first agent node detects the authorized threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, downloading the threat intelligence corresponding to the threat identification through the storage address of the threat intelligence corresponding to the threat identification provided by the second agent node.
In the above technical solutions, since the threat information shared by the sharers is stored and managed in a centralized manner in the prior art solutions, if the information center fails or is attacked, the risk of leakage exists between the information of the sharers and the threat information shared by the sharers, and the privacy security of the threat information shared by the sharers cannot be effectively ensured. Based on this, the technical scheme in the application stores operations such as sharing and access of any agent node for threat intelligence into a blockchain ledger in a transaction form which can not be tampered in the blockchain by introducing a blockchain mechanism. Specifically, after receiving a threat intelligence acquisition request generated by any node in a sharing group where a first proxy node is located, the first proxy node performs content detection on a blockchain ledger corresponding to each threat intelligence sharing type in a blockchain ledger corresponding to at least one owned threat intelligence sharing type, if a threat identifier in the threat intelligence request is determined to exist in the blockchain ledger corresponding to a certain threat intelligence sharing type, acquires an account address of a second proxy node for storing the threat identifier from the blockchain ledger corresponding to the threat intelligence sharing type, generates a request threat intelligence transaction based on the threat identifier, the account address of the first proxy node and the account address of the second proxy node, and uploads the request threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type. 
And the second proxy node is used for determining whether the first proxy node has the authority of accessing the threat intelligence corresponding to the threat identification and generating an authorized threat intelligence transaction uplink to the blockchain ledger corresponding to the threat intelligence sharing type after detecting the request threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type. Therefore, the scheme is based on the characteristics of decentralized and traceable block chains, and can enable operations such as sharing, access and the like of any agent node for threat intelligence to be traced and verified, so that the threat intelligence shared by sharers can be prevented from being maliciously forged, tampered and utilized, and the safety and integrity of the shared threat intelligence can be effectively ensured. And on the other hand, by introducing a threat intelligence sharing mechanism, sharing types of threat intelligence to be shared are divided, and the sharing types of different threat intelligence correspond to different threat intelligence sharing mechanisms. If the agent node sharing the threat intelligence selects a threat intelligence sharing mechanism of a certain sharing type, the threat intelligence to be shared by the agent node is only shared based on the threat intelligence sharing mechanism, and the agent node according with the sharing type of the threat intelligence sharing mechanism can access and obtain the corresponding threat intelligence. 
Specifically, after the second proxy node (i.e., the proxy node sharing the threat intelligence) detects the request threat intelligence transaction in the blockchain ledger corresponding to a certain threat intelligence sharing type, it can determine that the proxy node that issued the request threat intelligence transaction (e.g., the first proxy node) and the second proxy node both follow the threat intelligence sharing mechanism corresponding to that sharing type. That is, once it has determined whether the first proxy node has the right to access the threat intelligence corresponding to the threat identifier, it can determine whether the threat intelligence corresponding to the threat identifier in the request threat intelligence transaction can be shared between the first proxy node and the second proxy node. Then, after it is determined that the first proxy node has the right to access the threat intelligence corresponding to the threat identifier, the first proxy node may download that threat intelligence through the storage address of the threat intelligence corresponding to the threat identifier provided by the second proxy node. Therefore, the scheme ensures that the threat intelligence shared by a sharer is not disclosed to nodes that have no permission to view it, thereby effectively ensuring the privacy of the shared threat intelligence.
In some exemplary embodiments, before receiving a request for obtaining threat intelligence generated by any member of a sharing group in which the first proxy node is located, the method further includes:
the first proxy node sends a shared account registration request to a third proxy node; the third agent node is a node which has the authority of managing the registration of the shared account number in the m agent nodes;
after the first agent node determines that the registration is successful, obtaining threat information downloading permission from the third agent node;
and the first agent node generates an identity management transaction according to the threat intelligence download authority and the account address and the identity certificate of the first agent node, and links the identity management transaction to a block chain account book corresponding to the threat intelligence sharing type.
In the above technical solution, a third proxy node (i.e., an expert group proxy node) in the blockchain network may, in addition to sharing threat intelligence in the blockchain network, manage shared account registration for the other proxy nodes. Before another proxy node joins threat intelligence sharing in the blockchain network, it must apply to the expert group proxy node for shared account registration, and only after the application is approved can it take part in subsequent threat intelligence sharing in the blockchain network. After the approval of the expert group proxy node is obtained, the blockchain system also allocates a public key and a private key to the first proxy node, together with an identity credential proving that it has threat intelligence download authority. This makes it convenient for the first proxy node to sign each of its operation transactions in the blockchain, for the signature and the operation transactions of the first proxy node to be verified, and for the proxy node providing the threat intelligence to verify the identity information of the first proxy node.
In some exemplary embodiments, the method further comprises:
for each agent node, after acquiring threat intelligence corresponding to any threat identifier, the agent node encrypts the threat intelligence corresponding to the threat identifier by using a symmetric key and uploads the encrypted threat intelligence corresponding to the threat identifier to a storage device; threat intelligence corresponding to any threat identification is shared to the agent node after being acquired by any member in a sharing group where the agent node is located;
the agent node carries out Hash operation on threat intelligence corresponding to the threat identification to generate a first Hash value of the threat intelligence corresponding to the threat identification;
the agent node generates a threat intelligence transaction based on the threat identification, the account address of the agent node and a first hash value of threat intelligence corresponding to the threat identification;
and the agent node determines a threat information sharing type matched with the sensitivity level from a threat information sharing type record based on the sensitivity level to which the threat information corresponding to the threat identification belongs, and links the threat information transaction to a block chain account book corresponding to the threat information sharing type.
In the above technical solution, after obtaining threat information of a certain threat identifier, for each agent node, such as a second agent node, the symmetric key may be used to encrypt the threat information corresponding to the threat identifier, and store the encrypted threat information corresponding to the threat identifier in the storage device, so that the security of the threat information corresponding to the threat identifier can be ensured. Meanwhile, based on the threat identification, the account address of the second proxy node and the first hash value of the threat intelligence corresponding to the threat identification, threat intelligence transaction is generated, and based on the sensitivity level of the threat intelligence corresponding to the threat identification, the threat intelligence transaction is linked to the block chain ledger corresponding to the threat intelligence sharing type matched with the sensitivity level, so that the integrity of the threat intelligence corresponding to the threat identification can be ensured, and a certain proxy node needing the threat intelligence corresponding to the threat identification in the block chain network can timely detect the threat intelligence transaction through the block chain ledger corresponding to the threat intelligence sharing type, thereby providing support for obtaining the threat intelligence corresponding to the threat identification.
In some exemplary embodiments, the threat intelligence sharing type record is determined by:
aiming at threat intelligence corresponding to any threat identification, determining a threat intelligence sharing type of the threat intelligence corresponding to the threat identification based on the sensitivity level of the threat intelligence corresponding to the threat identification;
if the sharing type of the threat intelligence corresponding to the threat identification is a free sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification accords with a first threat intelligence sharing mechanism; the first threat intelligence sharing mechanism is used for indicating that threat intelligence can be shared among all agent nodes in the blockchain network;
if the sharing type of the threat intelligence corresponding to the threat identification is the same industry sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a second threat intelligence sharing mechanism; the second threat information sharing mechanism is used for indicating that threat information can be shared among all agent nodes belonging to the same industry in the blockchain network;
if the sharing type of the threat intelligence corresponding to the threat identification is the same-region sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a third threat intelligence sharing mechanism; the third threat information sharing mechanism is used for indicating that threat information can be shared among agent nodes belonging to the same area in the block chain network;
if the sharing type of the threat intelligence corresponding to the threat identification is a private sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification accords with a fourth threat intelligence sharing mechanism; the fourth threat intelligence sharing mechanism is configured to indicate that threat intelligence is sharable between a private organization agent node in the blockchain network and any other agent node in the blockchain network that has a cooperative relationship.
In the above technical solution, the threat intelligence to be shared is divided by sensitivity level, and the threat intelligence sharing type corresponding to each sensitivity level is determined, that is, which sharing objects each sensitivity level corresponds to; in this way, four threat intelligence sharing mechanisms with different sharing types can be determined. The threat intelligence sharing mechanism corresponding to each threat intelligence sharing type includes the attribute types of the objects to share with, that is, which objects the proxy node providing the threat intelligence allows the threat intelligence to be shared with. Therefore, the scheme ensures that the threat intelligence corresponding to a certain threat identifier is not disclosed to nodes without permission to view it, so as to ensure the privacy of the threat intelligence corresponding to the threat identifier. For example, if the sensitivity level of the threat intelligence corresponding to a certain threat identifier is low, the threat intelligence sharing type of that threat intelligence is set to the free sharing type, and it may be determined that any proxy node in the blockchain network can access the threat intelligence corresponding to the threat identifier; or, if the sensitivity level of the threat intelligence corresponding to the threat identifier is high, the threat intelligence sharing type of that threat intelligence is set to the same industry sharing type, and it may be determined that the threat intelligence can be shared among proxy nodes belonging to the same industry in the blockchain network, and so on.
In some exemplary embodiments, the first proxy node generating a request threat intelligence transaction based on the threat identification, the account address of the first proxy node, and the account address of the second proxy node, includes:
the first proxy node generates the requested threat intelligence transaction based on the threat identification, the identity credential of the first proxy node, the account address of the first proxy node, and the account address of the second proxy node.
In the above technical solution, since the request for threat intelligence corresponding to a certain threat identifier is completed through the blockchain account, the transaction for the threat intelligence generated by the requesting node (e.g. the first proxy node) includes the account address of the requested node (e.g. the second proxy node). Therefore, the account address of the second agent node in the request threat intelligence transaction can enable each agent node to timely and accurately determine whether the agent node needs to process the request threat intelligence transaction when detecting the block chain account book. Meanwhile, the identity information of the first agent node can be verified through the identity certificate of the first agent node in the request threat information transaction, so that malicious tampering or malicious utilization of threat information by an illegal request node can be avoided.
In some exemplary embodiments, after linking the requested threat intelligence transaction to a blockchain ledger corresponding to the threat intelligence share type, further comprising:
when a first detection time interval arrives, the second proxy node detects the content of a blockchain account book corresponding to each threat intelligence sharing type in a blockchain account book corresponding to at least one threat intelligence sharing type, and determines whether a requested threat intelligence transaction needing to be confirmed by the second proxy node exists in the blockchain account book corresponding to the threat intelligence sharing type; the block chain account book corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the second proxy node;
if yes, the second agent node verifies the identity information of the first agent node, and after the identity information of the first agent node is successfully verified, the first agent node is confirmed to have the authority of accessing the threat information corresponding to the threat identification;
the second proxy node generates an authorized threat intelligence transaction based on the threat identifier, the account address of the first proxy node, the encrypted symmetric key, the account address of the second proxy node and the storage address of the threat intelligence corresponding to the threat identifier, and uploads the authorized threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type; the encrypted symmetric key is encrypted with the public key of the first proxy node; and the symmetric key is used to decrypt the encrypted threat intelligence corresponding to the threat identifier.
In the above technical solution, the second proxy node automatically and periodically performs content detection on the blockchain ledger corresponding to each threat intelligence sharing type in the blockchain ledger corresponding to at least one threat intelligence sharing type according to a set detection time period (for example, at an interval of 5s, 10s, or 15 s), so as to determine which block chain ledger corresponding to the threat intelligence sharing type has a requested threat intelligence transaction that needs to be processed by the second proxy node. If it is determined that a block chain account book corresponding to a certain threat intelligence sharing type has a requested threat intelligence transaction which needs to be processed by the agent node, the agent node (such as a first agent node) and a second agent node which request the threat intelligence transaction are determined to be both in accordance with a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type, threat intelligence corresponding to a threat identifier in the requested threat intelligence transaction can be shared to the first agent node, but identity information of the first agent node needs to be verified, so that whether the first agent node is allowed to access the threat intelligence corresponding to the threat identifier in the requested threat intelligence transaction is determined. 
If the identity information of the first proxy node is verified successfully, an authorized threat information transaction aiming at the requested threat information transaction can be generated, and the authorized threat information transaction is linked to the block chain ledger corresponding to the threat information sharing type, so that the first proxy node can acquire the storage address of the threat information corresponding to the threat identification in time through the block chain ledger corresponding to the threat information sharing type and download the threat information based on the storage address. Meanwhile, the second agent node can be traced and verified aiming at the sharing operation of threat intelligence.
In some exemplary embodiments, the verifying the identity information of the first proxy node includes:
the second agent node inquires the identity management transaction of the first agent node from a blockchain account book corresponding to the threat intelligence sharing type;
the second agent node determining whether the identity credential of the first agent node in the identity management transaction is consistent with the identity credential of the first agent node in the request threat intelligence transaction;
if so, the second proxy node determines that the identity information of the first proxy node is successfully verified.
In the technical scheme, the identity information of the first agent node is verified, so that some nodes can be prevented from intentionally forging identities to acquire threat information, meanwhile, some nodes which do not have the authority of downloading the threat information can be prevented from maliciously requesting the threat information and maliciously tampering or maliciously utilizing the threat information, and therefore, only authorized agent nodes can be ensured to access the threat information corresponding to the threat identification.
In some exemplary embodiments, downloading threat intelligence corresponding to the threat identification through a storage address of threat intelligence corresponding to the threat identification provided by the second agent node includes:
when a second detection time interval arrives, the first proxy node detects the content of a blockchain account book corresponding to each threat intelligence sharing type in a blockchain account book corresponding to at least one threat intelligence sharing type, and determines whether an authorized threat intelligence transaction corresponding to a request threat intelligence transaction exists in the blockchain account book corresponding to the threat intelligence sharing type;
if so, the first proxy node decrypts the encrypted symmetric key in the authorized threat information transaction by using a private key to obtain a decrypted symmetric key;
the first agent node accesses a corresponding storage device through a storage address of threat intelligence corresponding to the threat identification in the authorized threat intelligence transaction, and downloads the encrypted threat intelligence corresponding to the threat identification from the storage device;
and the first proxy node decrypts the encrypted threat intelligence corresponding to the threat identifier using the decrypted symmetric key, to obtain the decrypted threat intelligence corresponding to the threat identifier.
In the above technical solution, the first proxy node automatically and periodically performs content detection, according to a set detection time period, on the blockchain ledger corresponding to each threat intelligence sharing type among the blockchain ledgers corresponding to at least one threat intelligence sharing type, so as to determine which ledger contains the authorized threat intelligence transaction corresponding to the request threat intelligence transaction generated by the first proxy node. If such a transaction exists, the storage address of the threat intelligence corresponding to the threat identifier and the symmetric key encrypted with the public key of the first proxy node can be obtained from the authorized threat intelligence transaction; the symmetric key is used to decrypt the encrypted threat intelligence corresponding to the threat identifier. Because the threat intelligence corresponding to the threat identifier is encrypted with the symmetric key, and the symmetric key is encrypted with the public key of the first proxy node, the encrypted symmetric key can be decrypted only by the first proxy node, and the threat intelligence corresponding to the threat identifier can be obtained only by the first proxy node. Even if any other node detects the authorized threat intelligence transaction, it can obtain only the encrypted threat intelligence through the storage address in the authorized threat intelligence transaction; it cannot decrypt the encrypted symmetric key in the transaction and therefore cannot obtain the decrypted threat intelligence corresponding to the threat identifier.
In some exemplary embodiments, after obtaining the threat intelligence corresponding to the decrypted threat identification, the method further includes:
the first agent node performs a hash operation on the decrypted threat intelligence corresponding to the threat identifier to generate a second hash value of that threat intelligence;
the first agent node determines whether the second hash value is consistent with the first hash value;
and if so, the first agent node generates a download threat intelligence transaction based on the threat identifier, the account address of the first agent node, the account address of the second agent node and the second hash value of the decrypted threat intelligence corresponding to the threat identifier, and records the download threat intelligence transaction on the blockchain ledger corresponding to the threat intelligence sharing type.
In the above technical solution, after the encrypted threat intelligence corresponding to the threat identifier is decrypted, its integrity needs to be verified: a second hash value of the decrypted threat intelligence is generated and compared with the first hash value in the threat intelligence transaction previously recorded on the chain, to determine whether the threat intelligence is complete. In this way the scheme prevents shared threat intelligence from being maliciously forged or tampered with, ensuring its integrity. In addition, the generated download threat intelligence transaction is recorded on the blockchain ledger corresponding to the threat intelligence sharing type, so that the download operation performed by the first proxy node on the threat intelligence can be traced and verified.
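The key wrapping and hash check described in the two passages above, as an added Go example that is not part of the patent text. The patent names no algorithms or encodings, so AES-256-GCM, RSA-OAEP, SHA-256, the struct layouts, the in-memory `offChain` map, the sample values and all function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Field sets follow the text; Go layouts, AES-256-GCM, RSA-2048 OAEP and SHA-256 are assumptions.
type UploadTx struct { // published by the sharing (second) node
	ThreatID, Owner string
	FirstHash       [32]byte // hash of the plaintext intelligence
}

type AuthorizedTx struct { // the owner's answer to a request transaction
	ThreatID, StorageAddr string
	WrappedKey            []byte // symmetric key encrypted to the requester
}

type DownloadTx struct { // audit record written by the requester
	ThreatID, Requester, Owner string
	SecondHash                 [32]byte
}

var ErrHashMismatch = errors.New("second hash differs from on-chain first hash")
var offChain = map[string][]byte{} // stand-in for off-chain storage (constructed)

func NewNodeKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Share (owner side): encrypt, store nonce||ciphertext off chain, publish the hash.
func Share(threatID, owner, addr string, intel []byte) (UploadTx, []byte, error) {
	secret := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return UploadTx{}, nil, err
	}
	key, nonce := secret[:32], secret[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return UploadTx{}, nil, err
	}
	offChain[addr] = gcm.Seal(nonce, nonce, intel, []byte(threatID))
	return UploadTx{threatID, owner, sha256.Sum256(intel)}, key, nil
}

// Authorize wraps the symmetric key to one requester's public key.
func Authorize(up UploadTx, addr string, key []byte, pub *rsa.PublicKey) (AuthorizedTx, error) {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(up.ThreatID))
	return AuthorizedTx{up.ThreatID, addr, w}, err
}

// Download (requester side): unwrap the key, decrypt, re-hash, compare with the on-chain hash.
func Download(up UploadTx, auth AuthorizedTx, requester string, priv *rsa.PrivateKey) ([]byte, DownloadTx, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, auth.WrappedKey, []byte(auth.ThreatID))
	if err != nil {
		return nil, DownloadTx{}, err // caller is not the authorized requester
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, DownloadTx{}, err
	}
	blob, n := offChain[auth.StorageAddr], gcm.NonceSize()
	if len(blob) < n {
		return nil, DownloadTx{}, errors.New("stored blob missing or too short")
	}
	intel, err := gcm.Open(nil, blob[:n], blob[n:], []byte(auth.ThreatID))
	if err != nil {
		return nil, DownloadTx{}, err
	}
	second := sha256.Sum256(intel)
	if subtle.ConstantTimeCompare(second[:], up.FirstHash[:]) != 1 {
		return nil, DownloadTx{}, ErrHashMismatch
	}
	return intel, DownloadTx{up.ThreatID, requester, up.Owner, second}, nil
}

func main() {
	priv, err := NewNodeKey()
	if err != nil {
		panic(err)
	}
	up, key, _ := Share("threat-a", "node-101", "store://a", []byte("constructed advisory text"))
	auth, _ := Authorize(up, "store://a", key, &priv.PublicKey)
	intel, tx, err := Download(up, auth, "node-103", priv)
	fmt.Printf("%q %x %v\n", intel, tx.SecondHash[:4], err)
}
```

The hash comparison covers a case the authenticated cipher does not: if the owner later stores different, validly encrypted content at the same address, decryption succeeds but the second hash no longer matches the first hash recorded on the chain.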
In a second aspect, the exemplary embodiments of the present application provide a threat intelligence sharing apparatus suitable for a blockchain network having m proxy nodes; each agent node is elected by the sharing group in which it is located; the apparatus comprises means for performing the threat intelligence sharing method of any implementation of the first aspect above.
In a third aspect, an embodiment of the present application provides a computing device including at least one processor and at least one memory, where the memory stores a computer program which, when executed by the processor, causes the processor to execute the threat intelligence sharing method according to any implementation of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program executable by a computing device, the program, when executed on the computing device, causing the computing device to perform the threat intelligence sharing method according to any of the first aspects.
Drawings
In order to explain the technical solutions of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a threat intelligence sharing system architecture according to some embodiments of the present application;
Fig. 2 is a flowchart illustrating a threat intelligence sharing method according to some embodiments of the present application;
Fig. 3 is a schematic flowchart of identity registration performed by an agent node according to some embodiments of the present application;
Fig. 4 is a schematic structural diagram of a threat intelligence sharing apparatus according to some embodiments of the present application;
Fig. 5 is a schematic structural diagram of a computing device according to some embodiments of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present application.
In the following, some terms referred to in the embodiments of the present application are first explained to facilitate understanding by those skilled in the art.
(1) Threat intelligence (Cyber Threat Intelligence, CTI): a knowledge carrier of security- and threat-related information, produced from the experience and skills of security experts and professional teams in order to protect cyberspace resources from threats. It includes vulnerabilities, threats, features, lists, attributes, solution suggestions and so on.
(2) PKI (Public Key Infrastructure): in short, an infrastructure for providing security services that is built on public key theory and technology. PKI can be described as the set of hardware, software, policies and procedures required to create, manage, distribute, use, store and revoke digital certificates and public keys.
The above describes some terms involved in the embodiments of the present application; the technical features involved in the embodiments are described below.
To facilitate understanding of the embodiments of the present application, a threat intelligence sharing system architecture applicable to the embodiments is first described, taking the system architecture shown in Fig. 1 as an example. The architecture can be applied to a blockchain network in a single-region sharing environment, or to a blockchain network in a multi-region sharing environment, and so on. As shown in Fig. 1, the system architecture may include a blockchain network 100. The blockchain network 100 may include at least one agent node, such as agent node 101, agent node 102, agent node 103 and expert group agent node 104. Each agent node corresponds to one sharing group and, on behalf of that group, maintains the blockchain ledger and shares threat intelligence on the blockchain network. A sharing group includes at least one node member, and its node members have the same attribute type; for example, their industry attributes all belong to the same industry, such as the financial industry. The agent node is elected from among the node members. The expert group is composed of a plurality of trusted third-party organizations, and the expert group agent node is elected by those trusted third-party organizations; for example, the expert group may be composed of a plurality of government agencies approved by the threat intelligence sharing participants.
If the threat intelligence sharing system architecture is applied to a blockchain network in a single-region sharing environment, the expert group may be composed of the government agencies approved by the threat intelligence sharing participants in that region, or of a certain number of government agencies selected from them. If the architecture is applied to a blockchain network in a multi-region sharing environment, the expert group may be composed of the government agencies approved by the threat intelligence sharing participants in the plurality of regions, or of a certain number of government agencies selected from them.
The following takes the application of the threat intelligence sharing system architecture to a blockchain network in a single-region sharing environment as an example. Assume that agent node 101 is the agent node of the financial industry group in region A, agent node 102 is the agent node of the energy industry group in region A, agent node 103 is the agent node of the education industry group in region A, and expert group agent node 104 is the agent node of an expert group formed by selecting a certain number of government agencies from those approved by the threat intelligence sharing participants in region A. If a node member (e.g., member A) of the financial industry group in region A obtains threat intelligence on a vulnerability attack whose threat identifier is a, member A may share that threat intelligence with the other node members of the financial industry group, including agent node 101. Agent node 101 may encrypt the threat intelligence with a symmetric key, store the encrypted threat intelligence in a configured storage device (i.e., an off-chain storage device), and perform a hash operation on the threat intelligence to generate its hash value. Agent node 101 then generates an upload threat intelligence transaction based on the account address of agent node 101, the threat identifier a and the hash value of the threat intelligence, signs the transaction with its own private key, and uploads the signed transaction to the blockchain ledger.
Assume that a node member in region A (for example, member B) is attacked through a vulnerability, that the threat identifier of the vulnerability attack is a, and that member B is a node member of the education industry group in region A. Member B shares the vulnerability attack with threat identifier a within the education industry group. After receiving it, agent node 103 performs content detection on its local blockchain ledger to determine whether threat identifier a exists in the ledger. If it does, agent node 103 generates a request threat intelligence transaction based on threat identifier a, the account address of agent node 103 and the account address of agent node 101, which stored threat identifier a, in order to obtain the threat intelligence on the vulnerability attack with threat identifier a, so that member B can handle the attack based on the handling measures in that threat intelligence.
It should be noted that the system structure shown in Fig. 1 is only an example, and the embodiment of the present application does not limit this.
Based on the above description, Fig. 2 schematically shows the flow of a threat intelligence sharing method provided by an embodiment of the present application, where the flow may be executed by a threat intelligence sharing apparatus. The threat intelligence sharing method in the embodiment of the application is suitable for a blockchain network with m proxy nodes.
As shown in Fig. 2, the process specifically includes:
Step 201, a first proxy node receives a threat intelligence acquisition request generated by any member in the sharing group where the first proxy node is located.
In the embodiment of the present application, every blockchain node in the blockchain network is elected by the sharing group in which it is located; that is, the blockchain node is the agent node of the sharing group and, on the group's behalf, maintains at least one blockchain ledger and shares threat intelligence on the blockchain network. For each agent node, the sharing group may elect the agent node from its members according to the organizational structure of the group, by random drawing, by voting, and so on, which is not limited in this embodiment of the present application. Taking voting as an example, assume that a sharing group has 5 members and that member A obtains 3 votes, member B obtains 1 vote and member C obtains 1 vote; member A, having the most votes, is then determined to be the agent node. Taking election according to the organizational structure of the group as an example, assume that a sharing group is a financial industry sharing group with 3 members, that is, the industry attribute of each member belongs to the financial industry. The agent node may be elected according to credit score in the financial industry: for example, if the credit score of member A is 90, that of member B is 85 and that of member C is 80, member A may be elected as the agent node. Alternatively, the agent node may be elected according to the functional level of each member within the financial industry, and the application is not limited thereto.
It should be noted that the entire blockchain network may be composed of the agent nodes of sharing groups of multiple industries in a single region, or of the agent nodes of sharing groups of multiple industries in multiple regions. For a single region, for example region A, a plurality of financial industry members in region A form a sharing group, a plurality of education industry members in region A form a sharing group, a plurality of logistics industry members in region A form a sharing group, and so on, and these sharing groups in region A participate in one blockchain network. The same industry in region A may also form several sharing groups: for example, member 1, member 2 and member 3 in the financial industry form financial industry sharing group A, and member 4, member 5 and member 6 in the financial industry form financial industry sharing group B, and so on; or member 1, member 2 and member 3 in the education industry form education industry sharing group A, and member 4, member 5 and member 6 in the education industry form education industry sharing group B, and so on. For multiple regions, such as region A and region B, a plurality of financial industry members in region A form a sharing group, a plurality of education industry members in region A form a sharing group, a plurality of catering industry members in region A form a sharing group, a plurality of energy industry members in region B form a sharing group, a plurality of financial industry members in region B form a sharing group, a plurality of logistics industry members in region B form a sharing group, and so on, and the sharing groups in region A and region B all join one blockchain network.
After the agent nodes are elected, they all participate in a unified blockchain network, and threat intelligence sharing is handled through a set of mutually agreed rules (such as a consensus algorithm) and predefined contracts. A predefined contract comprises a mutually agreed set of operation logic, i.e. a smart contract, which automatically manages the data sharing logic and operations that may occur between different sharing groups.
After a member of a sharing group suffers a malicious attack, the member can share information about the attack within the sharing group in the hope of obtaining effective emergency response measures for it, and at the same time generates a request for those emergency response measures and sends it to the agent node. After the agent node of the member's sharing group receives the request, it can query for and obtain the relevant emergency response measures. Illustratively, suppose a member of a financial industry sharing group in the blockchain network is attacked by the "EternalBlue" ransomware worm. For example, the financial industry sharing group has 3 members, member A, member B and member C, and member B is the agent node of the group. If member A is attacked by the "EternalBlue" ransomware worm, member A may share the corresponding information about the worm within the financial industry sharing group, generate a request for emergency response measures for the "EternalBlue" ransomware worm, and send the request to agent node member B. After receiving the request, agent node member B starts the threat intelligence acquisition and processing flow for the request.
In addition, before the first proxy node receives a threat intelligence acquisition request generated by any member of its sharing group, it needs to apply in advance to register a threat intelligence sharing account. That is, before the first proxy node takes part in operations such as threat intelligence sharing and downloading in the blockchain network, if it has never registered with the threat intelligence sharing network, it needs to apply to a proxy node that has identity management authority to register an identity for threat intelligence sharing, so as to obtain the identity permissions needed to participate. The first proxy node is any one of the m proxy nodes and is elected by the sharing group in which it is located.
The identity management process for an agent node in threat intelligence sharing is described below with reference to Fig. 3, taking a third agent node as the node that has authority to manage shared account registration. Fig. 3 is a schematic flowchart of identity registration performed by a proxy node according to an embodiment of the present application.
Step 301, the first proxy node generates a shared account registration request.
In the embodiment of the application, when the first proxy node needs to participate in threat intelligence sharing in the blockchain network, it generates a shared account registration request in order to apply, to the node that has authority to manage shared account registration, for shared account registration qualification. It thereby obtains the corresponding threat intelligence download permission and an identity certificate, and can take part in operations such as sharing and downloading threat intelligence in the blockchain network.
Step 302, the first proxy node sends the shared account registration request to a third proxy node.
Step 303, based on the shared account registration request, the third proxy node approves the first proxy node's shared account registration qualification and grants the first proxy node the threat intelligence download permission.
In the embodiment of the application, when the third proxy node approves the first proxy node's shared account registration qualification, it also grants the first proxy node the threat intelligence download permission. When the first proxy node needs the emergency response measures in the threat intelligence corresponding to a threat identifier in order to handle the malicious attack corresponding to that threat identifier, it can then promptly download that threat intelligence through the threat intelligence storage address provided by the proxy node that shared it in the blockchain network. The third proxy node is also responsible for maintaining a proxy node shared account registry, and adds the first proxy node to the registry.
Step 304, the third agent node sends the threat intelligence download permission to the first agent node.
Step 305, the first proxy node generates an identity management transaction according to the threat intelligence download permission and the account address and identity certificate of the first proxy node, and records the identity management transaction on the blockchain ledger corresponding to the threat intelligence sharing type.
In the embodiment of the present application, by recording the registration identity management transaction on the blockchain ledger corresponding to the threat intelligence sharing type, the log data of the identity registration and revocation operations performed when a proxy node (e.g., the first proxy node) joins the blockchain network is digitized into transactions on a blockchain jointly maintained by a plurality of proxy nodes. In this way, the identity registration and revocation flow is managed automatically through digital documents and digital signatures, which prevents a proxy node from denying its own actions and makes its operations traceable.
The identity management transaction $T_{idm}$ records each sharing-group agent node's registration with, or revocation from, the threat intelligence blockchain network; its specific form is as follows. The symbols in the identity management transaction $T_{idm}$ are described in Table 1. Table 1 is only an exemplary illustration, and the content listed therein is only for illustrating the present invention, and does not constitute a limitation to the embodiments of the present application, and those skilled in the art can expand according to actual needs in an actual application scenario.
$T_{idm}: \langle timestamp,\ A_u,\ certification,\ right[null, download] \rangle$
TABLE 1 (provided as an image in the original publication; its contents are not reproduced in this text)
It should be noted that, just as a proxy node can apply for identity registration, it can also apply for identity revocation. Continuing with the first proxy node and the third proxy node as an example, if the sharing group of the first proxy node needs to dissolve or withdraw from the threat intelligence sharing blockchain network for a special reason, the first proxy node generates a shared account revocation request and sends it to the third proxy node. After receiving the shared account revocation request, the third proxy node approves the first proxy node's shared account revocation application and withdraws the first proxy node's threat intelligence download permission. At the same time, the third proxy node updates the proxy node shared account registry and deletes the first proxy node from it. After learning that the shared account revocation application has been approved, the first proxy node generates a revocation identity management transaction according to the withdrawn threat intelligence download permission and the account address and identity certificate of the first proxy node, and records the revocation identity management transaction on the blockchain ledger corresponding to the threat intelligence sharing type.
Illustratively, take a financial industry sharing group with three members, member a, member b and member c, of which member a is the proxy node. If it has not yet registered with the threat intelligence sharing blockchain network, proxy node member a can apply to a third proxy node (such as the expert group proxy node spg) to register a shared account; once the expert group proxy node spg approves, member a obtains the threat intelligence download permission. At the same time, the blockchain system distributes a public/private key pair to proxy node member a according to the cryptographic rules encapsulated in the underlying layer of the blockchain. The public key can be used to generate the account address $A_a$ with which proxy node member a participates in the blockchain network; the generation process generally involves a series of hash algorithms and obfuscation algorithms. Furthermore, the blockchain system can issue an identity certificate $certification_a$ to proxy node member a through the PKI method. The identity information and operable permissions of proxy node member a are then digitized into an identity management transaction $T_{idm1}$, which is digitally signed with the private key and published to the blockchain ledger corresponding to at least one threat intelligence sharing type in which proxy node member a participates. The expert group proxy node spg is responsible for maintaining the proxy node registry for the entire threat intelligence sharing blockchain network. The registration identity management transaction $T_{idm1}$ can take the following form.
$T_{idm1}: \langle timestamp_1,\ A_a,\ certification_a,\ [read, download] \rangle$
In addition, if the financial industry sharing group needs to dissolve or withdraw from the threat intelligence sharing blockchain network for a special reason, proxy node member a can send a shared account revocation request to the expert group proxy node spg to apply for revocation of its identity qualifications for threat intelligence sharing, downloading and so on. Because the PKI method includes a sound identity certificate revocation mechanism, the identity certificate revocation process is relatively simple, and the form of the revocation identity management transaction $T_{idm2}$ is also relatively brief. Its specific form is as follows; a permission of null means that the identity qualification of the proxy node has been revoked.
$T_{idm2}: \langle timestamp_2,\ A_a,\ certification_a,\ null \rangle$
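How a peer could replay the signed identity management transactions above to decide whether an account currently holds the download permission, as an added Go example that is not part of the patent text. The JSON encoding, ECDSA P-256 signatures, the function names and the idea that the verifier already holds the node's public key (taken from its identity certificate) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// IdentityTx mirrors T_idm: <timestamp, A_u, certification, right>.
// The JSON encoding and the ECDSA P-256 signature are assumptions.
type IdentityTx struct {
	Timestamp     int64    `json:"timestamp"`
	Account       string   `json:"account"` // A_u
	Certification string   `json:"certification"`
	Right         []string `json:"right"` // nil encodes "null": revoked
	Sig           []byte   `json:"-"`     // excluded from the signed bytes
}

// NewKey creates a node signing key.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest hashes every field except the signature.
func digest(tx IdentityTx) ([]byte, error) {
	b, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// Sign returns a copy of tx carrying the node's signature.
func Sign(tx IdentityTx, priv *ecdsa.PrivateKey) (IdentityTx, error) {
	d, err := digest(tx)
	if err != nil {
		return tx, err
	}
	tx.Sig, err = ecdsa.SignASN1(rand.Reader, priv, d)
	return tx, err
}

// CurrentRight replays the ledger and returns the right list of the newest
// validly signed T_idm for account; ok is false if none exists.
func CurrentRight(ledger []IdentityTx, account string, pub *ecdsa.PublicKey) (right []string, ok bool) {
	var newest int64
	for _, tx := range ledger {
		d, err := digest(tx)
		if err != nil || tx.Account != account || !ecdsa.VerifyASN1(pub, d, tx.Sig) {
			continue // other account, altered fields, or forged signature
		}
		if !ok || tx.Timestamp > newest {
			right, newest, ok = tx.Right, tx.Timestamp, true
		}
	}
	return right, ok
}

// CanDownload reports whether account currently holds the download right.
func CanDownload(ledger []IdentityTx, account string, pub *ecdsa.PublicKey) bool {
	right, _ := CurrentRight(ledger, account, pub)
	for _, r := range right {
		if r == "download" {
			return true
		}
	}
	return false
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values modelled on T_idm1 and T_idm2.
	reg, _ := Sign(IdentityTx{1, "A_a", "certification_a", []string{"read", "download"}, nil}, priv)
	rev, _ := Sign(IdentityTx{2, "A_a", "certification_a", nil, nil}, priv)
	fmt.Println(CanDownload([]IdentityTx{reg}, "A_a", &priv.PublicKey))           // true
	fmt.Println(CanDownload([]IdentityTx{reg, rev, reg}, "A_a", &priv.PublicKey)) // false
}
```

Deciding by the timestamp inside the signed body, rather than by position in the ledger, means a re-submitted copy of the registration transaction does not undo a later revocation.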
Furthermore, the following applies to each agent node, such as the first agent node or the second agent node, where the second agent node is any one of the m agent nodes other than the first agent node. Taking the second agent node as an example: after obtaining the threat intelligence corresponding to any threat identifier, the second agent node encrypts it with a symmetric key and uploads the encrypted threat intelligence to the storage device. The threat intelligence corresponding to any threat identifier is obtained by a member of the second agent node's sharing group and then shared with the second agent node. The second agent node performs a hash operation on the threat intelligence to generate a first hash value, and generates a threat intelligence transaction based on the threat identifier, the account address of the second agent node and the first hash value. Then, based on the sensitivity level of the threat intelligence, it determines the matching threat intelligence sharing type from the threat intelligence sharing type record and uploads the threat intelligence transaction to the blockchain ledger corresponding to that sharing type.
This ensures the integrity of the threat intelligence corresponding to the threat identifier, and lets any agent node in the blockchain network that needs it detect the threat intelligence transaction promptly through the blockchain ledger corresponding to the threat intelligence sharing type, which supports obtaining the threat intelligence corresponding to the threat identifier.
It should be noted that any proxy node joining the blockchain network may be involved in a series of operations such as identity registration and revocation, data access request and authorization, and storage and download. The log data of these operations can be digitized into transactions, through which the data request, approval and use processes are managed automatically by digital documents and digital signatures. This both prevents a proxy node from denying its own actions and allows the transactions to be traced and audited. The transaction forms involved in the embodiment of the application are mainly identity management transactions and data operation transactions. The data operation transaction $T_{info}$ records the operations by which each sharing-group agent node stores or retrieves threat intelligence; its specific form is as follows.
[Form of $T_{info}$: given as an image in the original publication; not reproduced in this text.]
The symbols in the data operation transaction $T_{info}$ are described in Table 2. Table 2 is only an exemplary illustration, and the content listed therein is only for illustrating the present invention, and does not constitute a limitation to the embodiments of the present application, and those skilled in the art can expand according to actual needs in an actual application scenario.
TABLE 2 (provided as an image in the original publication; its contents are not reproduced in this text)
Before sharing threat intelligence, sharers should process sensitive threat intelligence according to specific requirements in order to prevent leakage of sensitive information. For example, the blockchain network must have access control, and an ordinary blockchain system is not suitable for sharing highly sensitive threat intelligence between organizations. Therefore, given the requirement for a private/permissioned network, the Hyperledger Project can be used to implement the specific handling of sensitive threat intelligence. Fabric has a plug-and-play architecture, is well suited to this kind of work, and provides flexibility during the development phase.
In the embodiment of the application, the Traffic Light Protocol (TLP) is used to classify the threat intelligence to be shared into sensitivity levels, and the threat intelligence sharing type corresponding to each sensitivity level is determined, that is, which sharing targets each sensitivity level corresponds to, so that four threat intelligence sharing mechanisms of different sharing types can be determined. The sharing mechanism corresponding to each sharing type includes the attribute type of the targets to be shared with, that is, which targets the proxy node providing the threat intelligence allows it to be shared with. TLP is a protocol commonly used in threat intelligence sharing; it classifies the threat intelligence to be shared in order to control the sharing scope, and it can be implemented by smart contracts. In this way, participating groups can ensure that threat intelligence data is shared only with the intended groups, without revealing sensitive data to sharing groups that lack sufficient authority to view it.
The threat intelligence sharing type record may be determined as follows: for the threat intelligence corresponding to any threat identifier, the threat intelligence sharing type to which it belongs is determined based on its sensitivity level.
If the sharing type is the free sharing type, sharing of the threat intelligence conforms to a first threat intelligence sharing mechanism, which indicates that threat intelligence can be shared among all agent nodes in the blockchain network;
if the sharing type is the same-industry sharing type, sharing of the threat intelligence conforms to a second threat intelligence sharing mechanism, which indicates that threat intelligence can be shared among all agent nodes belonging to the same industry in the blockchain network;
if the sharing type is the same-region sharing type, sharing of the threat intelligence conforms to a third threat intelligence sharing mechanism, which indicates that threat intelligence can be shared among all agent nodes belonging to the same region in the blockchain network;
and if the sharing type is the private sharing type, sharing of the threat intelligence conforms to a fourth threat intelligence sharing mechanism, which indicates that threat intelligence can be shared between a private organization agent node in the blockchain network and any other agent node with which it has a cooperative relationship.
The structural form of the threat intelligence sharing type record may be as shown in table 3. Table 3 is only an exemplary illustration, and the content listed therein is only for illustrating the present invention, and does not constitute a limitation to the embodiments of the present application, and those skilled in the art can expand according to actual needs in an actual application scenario.
TABLE 3 [table image not reproduced]
Illustratively, the embodiment of the present application defines four Fabric channels based on the sensitivity level of threat intelligence, which may also be referred to as four threat intelligence sharing mechanisms of different sharing types, namely All-channel, Industry-channel, community-channel and Privacy-channel. Fabric channels are isolated from each other, and each channel has its own independent blockchain (or blockchain ledger): All-channel, Industry-channel, community-channel and Privacy-channel each have their own blockchain ledger. Each proxy node may join one or more channels. For example, the first proxy node may join All-channel and select All-channel for sharing a piece of threat intelligence that it owns, so that this threat intelligence may be shared with the other proxy nodes participating in All-channel, while proxy nodes not participating in All-channel have no authority to access it. Alternatively, the first proxy node may join both All-channel and Industry-channel; threat intelligence for which it selects one of these channels may then be shared with the other proxy nodes participating in that channel, while proxy nodes not participating in that channel have no authority to access it.
For example, for the threat intelligence corresponding to a certain threat identifier, if the agent node that owns it considers its sensitivity level to be the first sensitivity level and selects All-channel, all participants in the blockchain network have permission to access that threat intelligence; if the agent node considers the sensitivity level to be the second sensitivity level and selects Industry-channel, participants belonging to the same industry in the blockchain network have the authority to access it; if the agent node considers the sensitivity level to be the third sensitivity level and selects community-channel, participants belonging to the same area in the blockchain network have the authority to access it; and if the agent node considers the sensitivity level to be the fourth sensitivity level and selects Privacy-channel, a participant in the blockchain network that has a cooperative relationship with the agent node owning the threat intelligence has the authority to access it.
Illustratively, assume that there are five sharing groups in the blockchain network, namely a financial industry sharing group in region a, a financial industry sharing group in region B, an energy industry sharing group in region a, an expert sharing group in region a, and a private organization. If All-channel is selected by an agent node (such as the financial industry sharing group in region a) providing threat intelligence corresponding to a certain threat identifier, the financial industry sharing group in region B, the energy industry sharing group in region a, the expert sharing group in region a, and a private organization All have access to the threat intelligence corresponding to the threat identifier. If the agent node (such as the financial Industry sharing group in the region A) providing threat intelligence corresponding to a certain threat identifier selects Industry-channel, the financial Industry sharing group in the region B has the right to access the threat intelligence corresponding to the threat identifier, and the energy Industry sharing group in the region A, the expert sharing group in the region A and the private organization do not have the right to access the threat intelligence corresponding to the threat identifier. If the proxy node providing threat intelligence corresponding to a certain threat identifier (such as the financial industry sharing group in region a) selects a community-channel, the energy industry sharing group in region a and the expert sharing group in region a both have the right to access the threat intelligence corresponding to the threat identifier, while the financial industry sharing group and the private organization in region B have no right to access the threat intelligence corresponding to the threat identifier. 
If the proxy node (such as the financial industry sharing group in the region a) providing threat intelligence corresponding to a certain threat identifier selects Privacy-channel, the private organization in cooperative relationship has the right to access the threat intelligence corresponding to the threat identifier, and the energy industry sharing group in the region a, the financial industry sharing group in the region B, and the expert sharing group in the region a do not have the right to access the threat intelligence corresponding to the threat identifier.
Since one proxy node can join one or more channels, one proxy node may have one blockchain ledger or several. Taking the first proxy node as an example: if it joins only All-channel, it has one blockchain ledger, namely the ledger corresponding to All-channel, that is, to the free sharing type; if it joins All-channel and Industry-channel, it has two blockchain ledgers, namely the ledgers corresponding to All-channel and Industry-channel, that is, to the free sharing type and the same industry sharing type; if it joins All-channel, Industry-channel and community-channel, it has three blockchain ledgers, namely the ledgers corresponding to All-channel, Industry-channel and community-channel, that is, to the free sharing type, the same industry sharing type and the same area sharing type.
Additionally, by way of example, the uplink process is described below using a threat intelligence transaction whose threat identifier is the "Eternal Blue" ransomware worm (WannaCry), uplinked by the expert group proxy node spg. After receiving intelligence about the "Eternal Blue" ransomware worm, a member of spg wishes to share it within the area or industry where spg is located, and additionally provides corresponding emergency treatment measures against the worm, for example using upgraded antivirus software to remove the ransomware or providing a corresponding vulnerability patch. In this way, the agent nodes of the sharing groups it is shared with can learn about the "Eternal Blue" ransomware worm and can obtain the corresponding emergency treatment measures and mitigation strategies in time when attacked by it. The expert group proxy node spg needs to structure the information covering the attack details of the worm according to a standard format specification to form shareable actual threat intelligence CTI, which comprises standard components such as "attack activity", "attack method" and "emergency treatment measures". After processing the data, spg uploads the constructed threat intelligence of the "Eternal Blue" ransomware worm: it encrypts the actual threat intelligence CTI with the symmetric key and then uploads the encrypted CTI to the off-chain storage device. Applying this privacy processing to the threat intelligence effectively meets the sharer's privacy protection requirements for sensitive information. For example, a legitimate organization (e.g., a local government agency, etc.) may be designated to provide a storage facility for hosted storage of the threat intelligence of the "Eternal Blue" ransomware worm.
Alternatively, the threat intelligence of the "Eternal Blue" ransomware worm may be stored in a storage facility in the industry or area of the expert group proxy node spg. Meanwhile, the expert group proxy node spg is responsible for recording the threat intelligence upload operation as an upload operation transaction T_info1: it performs a hash operation on the threat intelligence of the worm to determine a first hash value hash(cti), and determines that the sensitivity level of the threat intelligence is the first sensitivity level; the free sharing type matching the first sensitivity level can then be determined from the threat intelligence sharing type record, and the upload operation transaction T_info1 is signed and then uplinked to the blockchain ledger corresponding to the free sharing type. The specific form of the upload operation transaction T_info1 is as follows, where coa denotes the "emergency treatment measures" component; A_spg denotes the account address of the expert group proxy node spg; and upload indicates that the specific operation on the threat intelligence of the "Eternal Blue" ransomware worm is an upload.
T_info1: <timestamp_3, A_spg, upload, [WannaCry, coa_34098fce-…-ebd3cc5e41da], hash(cti)>
Step 202, the first proxy node determines whether a threat identifier in the threat intelligence acquisition request exists in a blockchain ledger corresponding to the threat intelligence sharing type by performing content detection on a blockchain ledger corresponding to each threat intelligence sharing type in a blockchain ledger corresponding to at least one owned threat intelligence sharing type.
Step 203, if it is determined that the block chain ledger corresponding to the threat intelligence sharing type contains the threat identifier in the threat intelligence acquisition request, the first proxy node acquires an account address of a second proxy node for storing the threat intelligence corresponding to the threat identifier from the block chain ledger corresponding to the threat intelligence sharing type.
In the embodiment of the present application, the blockchain ledger corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the first proxy node. That is, if the first proxy node adds several threat intelligence sharing mechanisms (or called Fabric channels), the first proxy node will have blockchain ledgers corresponding to several threat intelligence sharing types. For example, the first proxy node is added to All-channel and Industry-channel, and then the first proxy node has two block chain accounts, that is, a block chain account corresponding to All-channel and a block chain account corresponding to Industry-channel, that is, a block chain account corresponding to a free sharing type and a block chain account corresponding to a sharing type in the same Industry. Specifically, when receiving a threat information acquisition request sent by any member of a sharing group where the first proxy node is located, the first proxy node performs content detection on a block chain account book corresponding to each threat information sharing type in a block chain account book corresponding to at least one locally owned threat information sharing type, and determines which block chain account book corresponding to the threat information sharing type contains a threat identifier in the threat information acquisition request. If the threat identification in the threat intelligence acquisition request is determined to be stored in the blockchain account book corresponding to a certain threat intelligence sharing type, the account address of the second proxy node storing the threat intelligence corresponding to the threat identification can be acquired from the blockchain account book corresponding to the threat intelligence sharing type.
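The channel scoping described above and the content detection of steps 202 and 203 can be modelled together. The following Go sketch is an added example, not code from the patent: the `Node` fields, the ledger key scheme (one Industry-channel ledger per industry, one community-channel ledger per area, one Privacy-channel ledger per cooperating pair) and the five sample groups are assumptions that mirror the five-group scenario in the text.

```go
package main

import "fmt"

// Node is an agent node; its fields and the ledger key scheme are assumptions.
type Node struct {
	Addr, Industry, Region string
	Partners               []string // addresses with a cooperative relationship
}

// Tx keeps only the upload fields that lookup needs; Network holds one
// isolated ledger per channel instance.
type Tx struct{ Op, From, ThreatID string }
type Network map[string][]Tx

// pairKey names the Privacy-channel ledger shared by two cooperating nodes.
func pairKey(a, b string) string {
	if a > b {
		a, b = b, a
	}
	return "Privacy-channel/" + a + "+" + b
}

// Joined lists the ledgers a node holds; an empty attribute joins nothing.
func Joined(n Node) []string {
	keys := []string{"All-channel"}
	if n.Industry != "" {
		keys = append(keys, "Industry-channel/"+n.Industry)
	}
	if n.Region != "" {
		keys = append(keys, "community-channel/"+n.Region)
	}
	for _, p := range n.Partners {
		keys = append(keys, pairKey(n.Addr, p))
	}
	return keys
}

// Share uplinks an upload for sensitivity level 1-4, only to a ledger p holds.
func (nw Network) Share(p Node, level int, partner, threatID string) error {
	key := map[int]string{
		1: "All-channel",
		2: "Industry-channel/" + p.Industry,
		3: "community-channel/" + p.Region,
		4: pairKey(p.Addr, partner),
	}[level]
	for _, k := range Joined(p) {
		if k == key {
			nw[key] = append(nw[key], Tx{"upload", p.Addr, threatID})
			return nil
		}
	}
	return fmt.Errorf("%s holds no ledger for sensitivity level %d", p.Addr, level)
}

// Locate scans only the requester's own ledgers and returns the uploader's address.
func (nw Network) Locate(r Node, threatID string) (ledger, owner string, ok bool) {
	for _, key := range Joined(r) {
		for _, tx := range nw[key] {
			if tx.Op == "upload" && tx.ThreatID == threatID {
				return key, tx.From, true
			}
		}
	}
	return "", "", false
}

// Readers returns every address except the provider's that can locate threatID.
func Readers(nw Network, nodes []Node, provider, threatID string) []string {
	var out []string
	for _, n := range nodes {
		if _, _, ok := nw.Locate(n, threatID); ok && n.Addr != provider {
			out = append(out, n.Addr)
		}
	}
	return out
}

// SampleNodes builds the five sharing groups of the text (constructed values).
func SampleNodes() []Node {
	return []Node{
		{Addr: "finance-A", Industry: "finance", Region: "A", Partners: []string{"private"}},
		{Addr: "finance-B", Industry: "finance", Region: "B"},
		{Addr: "energy-A", Industry: "energy", Region: "A"},
		{Addr: "expert-A", Region: "A"},
		{Addr: "private", Partners: []string{"finance-A"}},
	}
}

func main() {
	nodes := SampleNodes()
	for level := 1; level <= 4; level++ {
		nw := Network{}
		err := nw.Share(nodes[0], level, "private", "WannaCry")
		fmt.Println(level, Readers(nw, nodes, "finance-A", "WannaCry"), err)
	}
}
```

A requester that has not joined the ledger on which the upload was recorded never sees the threat identifier, so it cannot learn the provider's account address in step 203.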
Illustratively, the description continues with the example of member A of a financial industry sharing group in the blockchain network being attacked by the "Eternal Blue" ransomware worm. After receiving the request, the agent node member B performs content detection on the blockchain ledger corresponding to each of the threat intelligence sharing types it owns locally, so as to determine which of these ledgers contains the threat identifier in the request. Assuming that the threat identifier in the request exists in the blockchain ledger corresponding to the free sharing type, the proxy node member B may acquire, from that ledger, the data operation transaction T_info1 uplinked by the expert group proxy node spg, and obtain the account address of the expert group proxy node spg from the data operation transaction T_info1.
Step 204, the first proxy node generates a request for threat intelligence transaction based on the threat identification, the account address of the first proxy node, and the account address of the second proxy node.
In step 205, the first proxy node links the requested threat intelligence transaction to a blockchain ledger corresponding to the threat intelligence sharing type.
In the embodiment of the application, the first proxy node generates a request threat information transaction based on the threat identifier, the identity certificate of the first proxy node, the account address of the first proxy node and the account address of the second proxy node, and links the request threat information transaction to a block chain ledger corresponding to the threat information sharing type.
Illustratively, the description continues with the example of member A of a financial industry sharing group in the blockchain network being attacked by the "Eternal Blue" ransomware worm. Proxy node member B generates a request threat intelligence transaction for the "Eternal Blue" ransomware worm based on the name or identifier of the worm (i.e., WannaCry), the identity credential certification_B of proxy node member B, the specific operation request on the threat intelligence of the worm, the account address A_B of proxy node member B and the account address A_spg of the expert group proxy node spg. The request threat intelligence transaction is digitally signed and then uplinked to the blockchain ledger corresponding to the free sharing type. The specific form of the request threat intelligence transaction T_info2 is as follows.
T_info2: <timestamp_4, A_B, A_spg, request, [WannaCry, coa_34098fce-…-ebd3cc5e41da], certification_B>
Step 206, when the first detection period arrives, the second proxy node performs content detection on the blockchain ledger book corresponding to each threat intelligence sharing type in the blockchain ledger book corresponding to at least one threat intelligence sharing type, and determines whether there is a request threat intelligence transaction that needs to be confirmed by the second proxy node in the blockchain ledger book corresponding to the threat intelligence sharing type.
Step 207, if it is determined that there is a requested threat intelligence transaction that needs to be confirmed by the second proxy node in the blockchain ledger corresponding to the threat intelligence sharing type, verifying the identity information of the first proxy node by the second proxy node, and after it is determined that the identity information of the first proxy node is successfully verified, confirming that the first proxy node has the authority to access the threat intelligence corresponding to the threat identifier.
In the embodiment of the present application, the blockchain ledger corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the second proxy node. That is, if the second agent node adds several threat intelligence sharing mechanisms (or called "Fabric channels"), the second agent node will have blockchain ledgers corresponding to several threat intelligence sharing types. For example, if the second proxy node is added to All-channel, industry-channel, and community-channel, the second proxy node has three block chain accounts, that is, a block chain account corresponding to All-channel, a block chain account corresponding to Industry-channel, and a block chain account corresponding to community-channel, that is, a block chain account corresponding to a free sharing type, a block chain account corresponding to a same Industry sharing type, and a block chain account corresponding to a same area sharing type.
The second proxy node automatically and periodically performs content detection on the blockchain ledger corresponding to each of its threat intelligence sharing types according to a set first detection time period (for example, at an interval of 5s, 10s, 15s, 20s, 1min or 5min), so as to determine which of these ledgers contains a request threat intelligence transaction that needs to be processed by the second proxy node. If it is determined that there is a request threat intelligence transaction that needs to be processed by the second agent node, and that the agent node that requested it (such as the first agent node) and the second agent node both follow the threat intelligence sharing mechanism corresponding to the free sharing type, the threat intelligence corresponding to the threat identifier in the request threat intelligence transaction can be shared with the first agent node, but the identity information of the first agent node must first be verified in order to determine whether the first agent node is allowed to access that threat intelligence. To verify the identity information of the first agent node, the identity management transaction of the first agent node is queried from the blockchain ledger corresponding to the threat intelligence sharing type, the identity credential of the first agent node is obtained from that identity management transaction, and this credential is then compared with the identity credential of the first agent node carried in the request threat intelligence transaction to determine whether the two are consistent.
If the two identity credentials are consistent, the identity information of the first agent node is verified successfully and the identity of the first agent node is proved to be legitimate, and the second agent node can then give the first agent node the authority to access the threat intelligence corresponding to the threat identifier; if the two identity credentials are inconsistent, the verification of the identity information of the first agent node is determined to have failed and the identity of the first agent node is considered illegitimate, and the second agent node does not give the first agent node the authority to access the threat intelligence corresponding to the threat identifier.
Illustratively, the description continues with the example of member A of a financial industry sharing group in the blockchain network being attacked by the "Eternal Blue" ransomware worm. When the set first detection time period (for example, 20s) arrives, the expert group proxy node spg performs content detection on the blockchain ledgers corresponding to its several threat intelligence sharing types. If it is determined that the blockchain ledger corresponding to the free sharing type contains a request threat intelligence transaction that needs to be processed by the expert group proxy node spg, it can be determined that the proxy node member B that requested the threat intelligence and the expert group proxy node spg both follow the threat intelligence sharing mechanism corresponding to the free sharing type, so the threat intelligence corresponding to the threat identifier in the request threat intelligence transaction can be shared with the proxy node member B; however, the identity information of the proxy node member B must also be verified in order to determine whether to allow it to access that threat intelligence. The identity management transaction uplinked by the agent node member B is obtained from the blockchain ledger corresponding to the free sharing type, and the identity credential of the agent node member B is obtained from that identity management transaction, so that the identity credential of the agent node member B in the identity management transaction can be compared with the identity credential of the agent node member B in the request threat intelligence transaction T_info2.
If the two are consistent, the identity information of the agent node member B is verified successfully, the identity of the agent node member B is legitimate, and the expert group agent node spg can give the agent node member B the authority to access the threat intelligence of the "Eternal Blue" ransomware worm. If the two are inconsistent, the verification of the identity information of the agent node member B is determined to have failed, the identity of the agent node member B is considered illegitimate, and the expert group agent node spg does not give the agent node member B the authority to access the threat intelligence of the "Eternal Blue" ransomware worm.
Step 208, the second proxy node generates an authorized threat intelligence transaction based on the threat identifier, the account address of the first proxy node, the encrypted symmetric key, the account address of the second proxy node and the storage address of the threat intelligence corresponding to the threat identifier.
Step 209, the second proxy node links the authorized threat intelligence transaction to a blockchain ledger corresponding to the threat intelligence sharing type.
In the embodiment of the application, after the first proxy node is determined to have the authority of accessing threat intelligence corresponding to the threat identification, authorized threat intelligence transaction is generated based on the threat identification, the account address of the first proxy node, the encrypted symmetric key, the account address of the second proxy node and the storage address of the threat intelligence corresponding to the threat identification, and the authorized threat intelligence transaction is linked to a block chain account book corresponding to the threat intelligence sharing type. The encrypted symmetric key is encrypted by using a public key of the first proxy node; the symmetric key is used for decrypting threat intelligence corresponding to the encrypted threat identification.
Illustratively, the description continues with the example of member A of a financial industry sharing group in the blockchain network being attacked by the "Eternal Blue" ransomware worm. After determining that proxy node member B has the authority to access the threat intelligence of the "Eternal Blue" ransomware worm, the expert group proxy node spg uplinks the authorization information, in the form of a transaction, to the blockchain ledger corresponding to the free sharing type. Specifically, the expert group proxy node spg generates an authorized threat intelligence transaction T_info3 for the requested threat intelligence of the "Eternal Blue" ransomware worm based on the name or identifier of the worm (i.e., WannaCry), the specific operation approval on the threat intelligence of the worm, the storage path URI (Uniform Resource Identifier) of the threat intelligence of the worm, the encrypted symmetric key Key_pk, the account address A_B of proxy node member B and the account address A_spg of the expert group proxy node spg. The authorized threat intelligence transaction T_info3 is digitally signed and then uplinked to the blockchain ledger corresponding to the free sharing type. The specific form of the authorized threat intelligence transaction T_info3 is as follows.
T_info3: <timestamp_5, A_B, A_spg, approval, [WannaCry, coa_34098fce-…-ebd3cc5e41da], [URI, Key_pk]>
Step 210, after the first proxy node detects the authorized threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, the threat intelligence corresponding to the threat identification is downloaded through the storage address of the threat intelligence corresponding to the threat identification provided by the second proxy node.
In this embodiment of the application, the first proxy node automatically and periodically performs content detection on the blockchain ledger corresponding to each of its threat intelligence sharing types according to a set second detection period (for example, at an interval of 5s, 10s, 15s, 20s, 1min or 5min), so as to determine which of these ledgers contains an authorized threat intelligence transaction corresponding to the request threat intelligence transaction generated by the first proxy node. If such an authorized threat intelligence transaction exists, the storage address of the threat intelligence corresponding to the threat identifier and the symmetric key encrypted with the public key of the first proxy node can be obtained from it; the symmetric key is used for decrypting the encrypted threat intelligence corresponding to the threat identifier. The first agent node decrypts the encrypted symmetric key in the authorized threat intelligence transaction with its own private key to obtain the symmetric key. It then accesses the corresponding storage device through the storage address given in the authorized threat intelligence transaction and downloads the encrypted threat intelligence corresponding to the threat identifier from that storage device. Finally, it decrypts the encrypted threat intelligence with the symmetric key to obtain the decrypted threat intelligence corresponding to the threat identifier.
Because the encrypted symmetric key can only be decrypted by the first proxy node, the threat intelligence corresponding to the threat identifier can only be acquired by the first proxy node, which effectively ensures that the threat intelligence corresponding to a given threat identifier is shared only with its intended recipient.
In addition, after obtaining the decrypted threat intelligence corresponding to the threat identifier, the first proxy node verifies its integrity, so that the scheme can prevent the shared threat intelligence from being maliciously forged or tampered with and can ensure the integrity of the shared threat intelligence. Specifically, the first agent node performs a hash operation on the decrypted threat intelligence to generate a second hash value, and at the same time obtains the threat intelligence transaction uplinked by the second agent node from the blockchain ledger corresponding to the free sharing type and obtains from it the first hash value of the threat intelligence corresponding to the threat identifier. It then verifies whether the second hash value is consistent with the first hash value: if so, the decrypted threat intelligence is complete and accurate; if not, the decrypted threat intelligence is incomplete. After determining that the decrypted threat intelligence is complete, the first proxy node generates a download threat intelligence transaction based on the threat identifier, the account address of the first proxy node, the account address of the second proxy node and the second hash value, and uplinks the download threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type.
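The upload, approval and download steps described above fit together as shown in the following Go sketch, which is an added example and not code from the patent. The text names no algorithms, so AES-256-GCM, RSA-OAEP (2048-bit) and SHA-256 are assumptions, as are the `Tx` struct, the function names and the way the requester's public key reaches the provider; the sample intelligence, credential and URI are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Tx carries the fields of T_info1..T_info4; this struct layout is an assumption.
type Tx struct {
	Op, From, To, ThreatID string
	Hash, Credential       []byte // hash(cti); requester's identity credential
	URI                    string // off-chain storage address (approval only)
	WrappedKey             []byte // symmetric key encrypted to the requester
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// NewKeyPair makes the requester's key pair (RSA-2048 is an assumption).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Upload encrypts the CTI for off-chain storage and builds T_info1 with hash(cti).
func Upload(from, id string, cti []byte) ([]byte, []byte, Tx, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and GCM nonce for each upload
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, Tx{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, Tx{}, err
	}
	blob := gcm.Seal(nonce, nonce, cti, nil) // stored as nonce || ciphertext
	h := sha256.Sum256(cti)
	return key, blob, Tx{Op: "upload", From: from, ThreatID: id, Hash: h[:]}, nil
}

// Approve builds T_info3: it refuses on a credential mismatch and otherwise
// wraps the symmetric key so that only the requester's private key recovers it.
func Approve(req Tx, registered []byte, pub *rsa.PublicKey, key []byte, uri string) (Tx, error) {
	if !bytes.Equal(req.Credential, registered) {
		return Tx{}, errors.New("identity credential mismatch: request refused")
	}
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Tx{}, err
	}
	return Tx{Op: "approval", From: req.To, To: req.From, ThreatID: req.ThreatID, URI: uri, WrappedKey: wk}, nil
}

// Download unwraps the key, decrypts the blob and builds T_info4, but only if
// the second hash value equals the first hash value recorded in T_info1.
func Download(up, ap Tx, blob []byte, priv *rsa.PrivateKey) ([]byte, Tx, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ap.WrappedKey, nil)
	if err != nil {
		return nil, Tx{}, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(blob) < 12 {
		return nil, Tx{}, errors.New("unusable key or stored blob")
	}
	cti, err := gcm.Open(nil, blob[:12], blob[12:], nil)
	if err != nil {
		return nil, Tx{}, err
	}
	second := sha256.Sum256(cti)
	if up.ThreatID != ap.ThreatID || !bytes.Equal(up.Hash, second[:]) {
		return nil, Tx{}, errors.New("hash mismatch: intelligence is not what was uploaded")
	}
	dl := Tx{Op: "download", From: ap.To, To: ap.From, ThreatID: ap.ThreatID, Hash: second[:]}
	return cti, dl, nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	key, blob, up, _ := Upload("A_spg", "WannaCry", []byte("constructed CTI: patch and isolate"))
	req := Tx{Op: "request", From: "A_B", To: "A_spg", ThreatID: "WannaCry", Credential: []byte("cert-B")}
	ap, _ := Approve(req, []byte("cert-B"), &priv.PublicKey, key, "store://cti/wannacry")
	cti, dl, err := Download(up, ap, blob, priv)
	fmt.Printf("%s | %s | %v\n", cti, dl.Op, err)
}
```

With an authenticated cipher such as GCM, a modified blob already fails at decryption; the on-chain hash comparison additionally rejects content that decrypts correctly under the shared key but differs from what T_info1 recorded.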
Illustratively, the description continues with the example of a member A in a financial industry sharing team in the blockchain network being attacked by a "persistent blue" Lesojous worm. When a set second detection time period (such as 20 s) arrives, the agent node member B performs content detection on the blockchain ledger corresponding to the several threat intelligence sharing types, and supposing that the blockchain ledger corresponding to the free sharing type has an authorized threat intelligence transaction (such as authorized threat intelligence transaction T of expert group agent node spg uplink) corresponding to the request threat intelligence transaction generated by the agent node member B info3 ) Then proxy node member B can transact T from authorized threat intelligence info3 Storage path URI for obtaining threat information of 'permanent blue' lasso worm and encrypted symmetric key pk . The proxy node member B firstly utilizes the private key thereof to encrypt the encrypted symmetric key pk Decrypting to obtain a symmetric key, accessing a storage device for storing the threat information of the permanent blue lemma through a storage path URI of the threat information of the permanent blue lemma to obtain the threat information of the encrypted permanent blue lemma, and decrypting the threat information of the encrypted permanent blue lemma by using the symmetric key to obtain the threat information of the decrypted permanent blue lemma. 
Then, the agent node member B needs to verify the integrity of the threat information of the decrypted "persistent blue" lasso worm, that is, the agent node member B performs hash operation on the threat information of the decrypted "persistent blue" lasso worm to generate a second hash value of the threat information of the decrypted "persistent blue" lasso worm, and simultaneously obtains the threat information transaction of the expert group agent node spg uplink through the block chain account book corresponding to the free sharing type, and obtains the first hash value of the threat information of the "persistent blue" lasso worm from the threat information transaction. Then, whether the second hash value is consistent with the first hash value is verified, if so, the threat intelligence corresponding to the decrypted threat identification is complete and accurate,and the information of the downloaded threat intelligence is linked to the blockchain account book corresponding to the free sharing type in a transaction form. Specifically, the proxy node member B operates on the basis of the name or identification of the "permanent blue" lemma (i.e., wannaCry), the specific operation download for threat intelligence of the "permanent blue" lemma, the second hash value hash (ct) of the threat intelligence of the "permanent blue" lemma, the account address a of the proxy node member B B And account address A of the expert group proxy spg spg Generating a download threat information transaction T for threat information requesting a "persistent blue" ransom worm info4 And transacting the downloaded threat information T info4 And after the digital signature processing is carried out, the data is uplinked to a block chain account book corresponding to the free sharing type. Wherein the download threat information transaction T info4 The specific form of (2) is as follows.
T info4 :<timestamp 6 ,A B ,A spg ,download,[WannaCry,coa_34098fce-…-ebd3cc5e41da],hash(cti)>
After obtaining threat information of the 'permanent blue' lasso worm, the agent node member B can share the threat information of the 'permanent blue' lasso worm in a financial industry sharing group where the agent node member B is located, so that the member A under the attack of the 'permanent blue' lasso worm can obtain emergency treatment measures from the threat information of the 'permanent blue' lasso worm as soon as possible after receiving the threat information of the 'permanent blue' lasso worm, and can implement the emergency treatment measures to treat the attack of the 'permanent blue' lasso worm as soon as possible, thereby reducing loss to the maximum extent.
It should be noted that the expert group proxy spg may set the validity period of the symmetric key (for example, 5h, 10h, 20h, 1 day, 5 days, or 10 days), and when the validity period of the symmetric key arrives, the symmetric key is automatically invalidated. Then, after the symmetric key, the expert group proxy spg may obtain a new symmetric key from the blockchain system, or may generate a new symmetric key by using a key generation method, and re-encrypt the threat information of the persistent blue lasso worm by using the new symmetric key, and delete the encrypted threat information of the persistent blue lasso worm stored in the storage device, and store the newly encrypted threat information of the persistent blue lasso worm in the storage device. Furthermore, the storage path URI of the threat intelligence of the "persistent blueish" lemma may be temporary, and the expert group proxy node spg may periodically update the storage path URI of the threat intelligence of the "persistent blueish" lemma according to a certain period (for example, 5h, 10h, 20h, 1 day, 5 days, etc.). Thus, the privacy security of threat information of the 'eternal blue' Lesochak worm can be effectively ensured.
The above embodiments show that, in the prior art, since threat intelligence shared by sharers is stored and managed in a centralized manner, if an intelligence center fails or is attacked, information of the sharers and threat intelligence shared by the sharers are at risk of leakage, and privacy security of the threat intelligence shared by the sharers cannot be effectively ensured. Based on this, according to the technical scheme in the application, on one hand, by introducing a blockchain mechanism, operations such as sharing and access of any agent node for threat intelligence are stored in a blockchain account book in a transaction form which cannot be tampered in the blockchain. Specifically, after receiving a threat intelligence acquisition request generated by any node in a sharing group where a first proxy node is located, the first proxy node performs content detection on a blockchain ledger corresponding to each threat intelligence sharing type in a blockchain ledger corresponding to at least one owned threat intelligence sharing type, if a threat identifier in the threat intelligence request is determined to exist in the blockchain ledger corresponding to a certain threat intelligence sharing type, acquires an account address of a second proxy node for storing the threat identifier from the blockchain ledger corresponding to the threat intelligence sharing type, generates a request threat intelligence transaction based on the threat identifier, the account address of the first proxy node and the account address of the second proxy node, and uploads the request threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type. 
After detecting the request threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, the second proxy node determines whether the first proxy node has the authority to access the threat intelligence corresponding to the threat identifier, generates an authorized threat intelligence transaction, and uplinks it to the blockchain ledger corresponding to the threat intelligence sharing type. Therefore, based on the decentralized and traceable characteristics of the blockchain, the scheme makes the sharing, access and other operations of any proxy node on threat intelligence traceable and verifiable, so that the threat intelligence shared by sharers can be prevented from being maliciously forged, tampered with and misused, and the security and integrity of the shared threat intelligence can be effectively ensured. On the other hand, by introducing threat intelligence sharing mechanisms, the threat intelligence to be shared is divided into sharing types, and different sharing types correspond to different threat intelligence sharing mechanisms. If the proxy node sharing the threat intelligence selects the sharing mechanism of a certain sharing type, the threat intelligence it shares is shared only under that mechanism, and only proxy nodes that conform to the sharing type of that mechanism can access and obtain the corresponding threat intelligence.
Specifically, after the second proxy node (i.e., the proxy node sharing the threat intelligence) detects a request threat intelligence transaction in the blockchain ledger corresponding to a certain threat intelligence sharing type, it can be determined that both the proxy node that issued the request threat intelligence transaction (e.g., the first proxy node) and the second proxy node follow the threat intelligence sharing mechanism corresponding to that sharing type. That is, by determining whether the first proxy node has the right to access the threat intelligence corresponding to the threat identifier, it can be determined whether the first proxy node and the second proxy node can share the threat intelligence corresponding to the threat identifier in the request threat intelligence transaction. Then, after it is determined that the first proxy node has the right to access the threat intelligence corresponding to the threat identifier, the first proxy node may download that threat intelligence through the storage address provided by the second proxy node. Therefore, the scheme ensures that the threat intelligence shared by a sharer is not disclosed to nodes that have not passed the permission check, thereby effectively ensuring the privacy and security of the shared threat intelligence.
Based on the same technical concept, fig. 4 exemplarily shows a threat intelligence sharing apparatus provided by an embodiment of the present application, which may execute a flow of the threat intelligence sharing method. The threat intelligence sharing device in the embodiment of the application is suitable for a block chain network with m proxy nodes.
As shown in fig. 4, the apparatus includes:
a receiving unit 401, configured to receive a threat intelligence acquisition request generated by any member in a sharing group where a first proxy node is located; the first proxy node is any one of the m proxy nodes;
a processing unit 402, configured to determine, by performing content detection on the blockchain ledger corresponding to each threat intelligence sharing type among the blockchain ledgers corresponding to the at least one owned threat intelligence sharing type, whether the threat identifier in the threat intelligence acquisition request exists in the blockchain ledger corresponding to that threat intelligence sharing type; the blockchain ledger corresponding to each threat intelligence sharing type is established based on the threat intelligence sharing mechanism, corresponding to that sharing type, followed by the first proxy node; if so, acquire, from the blockchain ledger corresponding to the threat intelligence sharing type, the account address of a second proxy node that stores the threat intelligence corresponding to the threat identifier; generate a request threat intelligence transaction based on the threat identifier, the account address of the first proxy node and the account address of the second proxy node, and uplink the request threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type; the second proxy node is configured to, after detecting the request threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, determine whether the first proxy node has the authority to access the threat intelligence corresponding to the threat identifier, generate an authorized threat intelligence transaction, and uplink it to the blockchain ledger corresponding to the threat intelligence sharing type; the second proxy node follows the threat intelligence sharing mechanism corresponding to the threat intelligence sharing type; and, after the authorized threat intelligence transaction is detected through the blockchain ledger corresponding to the threat intelligence sharing type, download the threat intelligence corresponding to the threat identifier through the storage address of that threat intelligence provided by the second proxy node.
In some exemplary embodiments, the processing unit 402 is further configured to:
sending a shared account registration request to a third proxy node before receiving a threat information acquisition request generated by any member in a shared group where the first proxy node is located; the third agent node is a node which has the authority of managing the registration of the shared account number in the m agent nodes;
after the successful registration is determined, obtaining threat information downloading permission from the third proxy node;
and generating an identity management transaction according to the threat intelligence downloading permission and the account address and the identity certificate of the first proxy node, and linking the identity management transaction to a block chain account book corresponding to the threat intelligence sharing type.
In some exemplary embodiments, the processing unit 402 is further configured to:
for each agent node, after acquiring threat intelligence corresponding to any threat identifier, the agent node encrypts the threat intelligence corresponding to the threat identifier by using a symmetric key and uploads the encrypted threat intelligence corresponding to the threat identifier to a storage device; threat intelligence corresponding to any threat identification is shared to the agent node after being acquired by any member in a sharing group where the agent node is located;
the agent node carries out Hash operation on threat intelligence corresponding to the threat identification to generate a first Hash value of the threat intelligence corresponding to the threat identification;
the agent node generates a threat intelligence transaction based on the threat identification, the account address of the agent node and a first hash value of threat intelligence corresponding to the threat identification;
and the agent node determines a threat information sharing type matched with the sensitivity level from a threat information sharing type record based on the sensitivity level to which the threat information corresponding to the threat identification belongs, and links the threat information transaction to a block chain account book corresponding to the threat information sharing type.
In some exemplary embodiments, the processing unit 402 is specifically configured to:
determining the threat intelligence sharing type record by:
aiming at threat intelligence corresponding to any threat identification, determining a threat intelligence sharing type to which the threat intelligence corresponding to the threat identification belongs based on the sensitivity level to which the threat intelligence corresponding to the threat identification belongs;
if the sharing type of the threat intelligence corresponding to the threat identification is a free sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a first threat intelligence sharing mechanism; the first threat intelligence sharing mechanism is used for indicating that threat intelligence can be shared among all agent nodes in the blockchain network;
if the sharing type of the threat intelligence corresponding to the threat identification is the same industry sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a second threat intelligence sharing mechanism; the second threat information sharing mechanism is used for indicating that threat information can be shared among all agent nodes belonging to the same industry in the blockchain network;
if the sharing type of the threat intelligence corresponding to the threat identification is the same area sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification accords with a third threat intelligence sharing mechanism; the third threat intelligence sharing mechanism is used for indicating that threat intelligence can be shared among all agent nodes belonging to the same area in the blockchain network;
if the sharing type of the threat intelligence corresponding to the threat identification is a private sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a fourth threat intelligence sharing mechanism; the fourth threat intelligence sharing mechanism is configured to indicate that threat intelligence is sharable between a private organization agent node in the blockchain network and any other agent node in the blockchain network that has a cooperative relationship.
In some exemplary embodiments, the processing unit 402 is specifically configured to:
generating the requested threat intelligence transaction based on the threat identification, the identity credential of the first proxy node, the account address of the first proxy node, and the account address of the second proxy node.
In some exemplary embodiments, the processing unit 402 is further configured to:
after the requested threat information transaction is linked to the block chain ledger corresponding to the threat information sharing type, when a first detection period arrives, performing content detection on the block chain ledger corresponding to each threat information sharing type in the block chain ledger corresponding to at least one owned threat information sharing type, and determining whether the requested threat information transaction needing to be confirmed by the user exists in the block chain ledger corresponding to the threat information sharing type; the block chain account book corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the second proxy node;
if so, verifying the identity information of the first proxy node, and after the identity information of the first proxy node is successfully verified, confirming that the first proxy node has the authority of accessing threat information corresponding to the threat identifier;
generating an authorized threat intelligence transaction based on the threat identification, the account address of the first proxy node, the encrypted symmetric key, the account address of the second proxy node and a storage address of threat intelligence corresponding to the threat identification, and linking the authorized threat intelligence transaction to a blockchain account book corresponding to the threat intelligence sharing type; the encrypted symmetric key is encrypted by using a public key of the first proxy node; and the symmetric key is used for decrypting the threat intelligence corresponding to the encrypted threat identification.
In some exemplary embodiments, the processing unit 402 is specifically configured to:
inquiring the identity management transaction of the first proxy node from a blockchain account book corresponding to the threat intelligence sharing type;
determining whether an identity credential of the first proxy node in the identity management transaction is consistent with an identity credential of the first proxy node in the request threat intelligence transaction;
and if so, determining that the identity information of the first proxy node is successfully verified.
In some exemplary embodiments, the processing unit 402 is specifically configured to:
when a second detection period is reached, performing content detection on a blockchain ledger corresponding to each threat intelligence sharing type in a blockchain ledger corresponding to at least one owned threat intelligence sharing type, and determining whether an authorized threat intelligence transaction corresponding to a request threat intelligence transaction exists in the blockchain ledger corresponding to the threat intelligence sharing type;
if so, decrypting the encrypted symmetric key in the authorized threat information transaction by using a private key to obtain a decrypted symmetric key;
accessing a corresponding storage device through a storage address of threat intelligence corresponding to the threat identification in the authorized threat intelligence transaction, and downloading the encrypted threat intelligence corresponding to the threat identification from the storage device;
and decrypting the threat intelligence corresponding to the encrypted threat identification by using the decrypted symmetric key to obtain the threat intelligence corresponding to the decrypted threat identification.
In some exemplary embodiments, the processing unit 402 is further configured to:
after threat information corresponding to the decrypted threat identification is obtained, carrying out hash operation on the threat information corresponding to the decrypted threat identification to generate a second hash value of the threat information corresponding to the decrypted threat identification;
determining whether the second hash value is consistent with the first hash value;
and if so, generating a transaction for downloading threat intelligence based on the threat identification, the account address of the first proxy node, the account address of the second proxy node and a second hash value of threat intelligence corresponding to the decrypted threat identification, and linking the transaction for downloading the threat intelligence to a block chain ledger corresponding to the threat intelligence sharing type.
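The sharing, authorization and download steps described above can be exercised end to end. The following Go sketch is an added example, not code from the application: it assumes AES-256-GCM for the symmetric encryption, RSA-OAEP for encrypting the symmetric key under the first proxy node's public key and SHA-256 for the hash operation (the application names none of these), uses an in-memory map in place of the storage device, and all type, field and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

type ThreatIntelTx struct { // uplinked by the sharer when it publishes intelligence
	ThreatID, Sharer string
	FirstHash        [32]byte
}
type AuthorizeTx struct { // uplinked by the sharer after approving a request
	ThreatID, Requester, Sharer, StorageURI string
	WrappedKey                              []byte // symmetric key under the requester's public key
}
type DownloadTx struct { // uplinked by the requester after a verified download
	ThreatID, Requester, Sharer, Op string
	SecondHash                      [32]byte
}

var ErrIntegrity = errors.New("second hash differs from first hash on the ledger")
func NewProxyKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // assumed key size

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing safe to do
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Share is the sharer side: encrypt, store nonce||ciphertext, build the ledger record.
func Share(store map[string][]byte, uri, threatID, sharer string, key, cti []byte) (ThreatIntelTx, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return ThreatIntelTx{}, err
	}
	nonce := randBytes(gcm.NonceSize())
	store[uri] = gcm.Seal(nonce, nonce, cti, []byte(threatID))
	return ThreatIntelTx{threatID, sharer, sha256.Sum256(cti)}, nil
}

// Authorize encrypts the symmetric key for one requester and builds the authorized transaction.
func Authorize(pub *rsa.PublicKey, key []byte, pubTx ThreatIntelTx, requester, uri string) (AuthorizeTx, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(pubTx.ThreatID))
	if err != nil {
		return AuthorizeTx{}, err
	}
	return AuthorizeTx{pubTx.ThreatID, requester, pubTx.Sharer, uri, wrapped}, nil
}

// Download is the requester side: recover key, fetch, decrypt, compare hashes, build the record.
func Download(store map[string][]byte, priv *rsa.PrivateKey, auth AuthorizeTx, pubTx ThreatIntelTx) ([]byte, DownloadTx, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, auth.WrappedKey, []byte(auth.ThreatID))
	if err != nil {
		return nil, DownloadTx{}, err // not the node the key was encrypted for
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, DownloadTx{}, err
	}
	n, blob := gcm.NonceSize(), store[auth.StorageURI]
	if len(blob) < n {
		return nil, DownloadTx{}, errors.New("nothing stored at the storage address")
	}
	cti, err := gcm.Open(nil, blob[:n], blob[n:], []byte(auth.ThreatID))
	if err != nil {
		return nil, DownloadTx{}, err // ciphertext modified in storage
	}
	second := sha256.Sum256(cti)
	if subtle.ConstantTimeCompare(second[:], pubTx.FirstHash[:]) != 1 {
		return nil, DownloadTx{}, ErrIntegrity // decrypts cleanly, but is not the published content
	}
	return cti, DownloadTx{auth.ThreatID, auth.Requester, auth.Sharer, "download", second}, nil
}

func main() {
	store, key := map[string][]byte{}, randBytes(32) // map stands in for the storage device
	priv, _ := NewProxyKey()
	pubTx, _ := Share(store, "uri-1", "WannaCry", "A_spg", key, []byte("constructed sample report"))
	auth, _ := Authorize(&priv.PublicKey, key, pubTx, "A_B", "uri-1")
	_, dl, err := Download(store, priv, auth, pubTx)
	fmt.Println(dl.Op, err)
}
```

Content that is re-encrypted under the same symmetric key decrypts without error, so only the comparison against the first hash on the ledger rejects it; that is the case the second hash value covers.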
Based on the same technical concept, an embodiment of the present application further provides a computing device, as shown in fig. 5, including at least one processor 501 and a memory 502 connected to the at least one processor, where a specific connection medium between the processor 501 and the memory 502 is not limited in this embodiment of the present application, and the processor 501 and the memory 502 are connected through a bus in fig. 5 as an example. The bus may be divided into an address bus, a data bus, a control bus, etc.
In the embodiment of the present application, the memory 502 stores instructions executable by the at least one processor 501, and the at least one processor 501 may execute the steps included in the threat intelligence sharing method by executing the instructions stored in the memory 502.
The processor 501 is the control center of the computing device; it may connect the various parts of the computing device through various interfaces and lines, and implements data processing by running or executing instructions stored in the memory 502 and calling data stored in the memory 502. Optionally, the processor 501 may include one or more processing units, and the processor 501 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application program, and the like, and the modem processor mainly processes an issued instruction. It will be appreciated that the modem processor described above may also not be integrated into the processor 501. In some embodiments, the processor 501 and the memory 502 may be implemented on the same chip; in other embodiments, they may be implemented on separate chips.
The processor 501 may be a general-purpose processor, such as a Central Processing Unit (CPU), a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present Application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the disclosed methods in connection with the embodiments of the threat intelligence sharing method may be embodied directly in a hardware processor, or in a combination of hardware and software modules within a processor.
The memory 502, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 502 may include at least one type of storage medium, for example, a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 502 may be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 502 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function, for storing program instructions and/or data.
Based on the same technical concept, embodiments of the present application also provide a computer-readable storage medium storing a computer program executable by a computing device, wherein when the program runs on the computing device, the computer program causes the computing device to execute the steps of the above-mentioned threat intelligence sharing method.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the scope of the present application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A threat information sharing method is characterized in that the method is suitable for a block chain network with m agent nodes; each agent node is generated by election of a sharing group where the agent node is located; the method comprises the following steps:
a first proxy node receives a threat information acquisition request generated by any member in a sharing group where the first proxy node is located; the first proxy node is any one of the m proxy nodes;
the first agent node determines whether a threat identifier in the threat intelligence acquisition request exists in a blockchain account book corresponding to the threat intelligence sharing type or not by detecting the content of the blockchain account book corresponding to each threat intelligence sharing type in the blockchain account book corresponding to at least one threat intelligence sharing type; the block chain account book corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the first proxy node;
if so, the first proxy node acquires an account address of a second proxy node for storing threat intelligence corresponding to the threat identification from a block chain account book corresponding to the threat intelligence sharing type;
the first agent node generates a request threat intelligence transaction based on the threat identification, the account address of the first agent node and the account address of the second agent node, and links the request threat intelligence transaction to a block chain ledger corresponding to the threat intelligence sharing type; the second proxy node is used for, after detecting the request threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, determining whether the first proxy node has the authority of accessing the threat intelligence corresponding to the threat identification, generating an authorized threat intelligence transaction, and linking the authorized threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type; the second agent node follows a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type;
and after the first agent node detects the authorized threat intelligence transaction through the blockchain ledger corresponding to the threat intelligence sharing type, downloading the threat intelligence corresponding to the threat identification through the storage address of the threat intelligence corresponding to the threat identification provided by the second agent node.
2. The method of claim 1, prior to receiving a request for threat intelligence acquisition generated by any member of a shared team in which the first proxy node is located, further comprising:
the first proxy node sends a shared account registration request to a third proxy node; the third agent node is a node which has the authority of managing the registration of the shared account number in the m agent nodes;
after the first agent node determines that the registration is successful, obtaining threat information downloading permission from the third agent node;
and the first proxy node generates an identity management transaction according to the threat intelligence downloading authority and the account address and the identity certificate of the first proxy node, and links the identity management transaction to a block chain account book corresponding to the threat intelligence sharing type.
3. The method of claim 1, wherein the method further comprises:
for each agent node, after obtaining threat information corresponding to any threat identifier, the agent node encrypts the threat information corresponding to the threat identifier by using a symmetric key, and uploads the encrypted threat information corresponding to the threat identifier to a storage device; threat intelligence corresponding to any threat identification is shared to the agent node after being acquired by any member in a sharing group where the agent node is located;
the agent node carries out Hash operation on threat intelligence corresponding to the threat identification to generate a first Hash value of the threat intelligence corresponding to the threat identification;
the agent node generates a threat intelligence transaction based on the threat identification, the account address of the agent node and a first hash value of threat intelligence corresponding to the threat identification;
and the agent node determines a threat information sharing type matched with the sensitivity level from a threat information sharing type record based on the sensitivity level of the threat information corresponding to the threat identification, and links the threat information transaction to a block chain account book corresponding to the threat information sharing type.
4. The method of claim 3, wherein the threat intelligence sharing type record is determined by:
aiming at threat intelligence corresponding to any threat identification, determining a threat intelligence sharing type to which the threat intelligence corresponding to the threat identification belongs based on the sensitivity level to which the threat intelligence corresponding to the threat identification belongs;
if the sharing type of the threat intelligence corresponding to the threat identification is a free sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a first threat intelligence sharing mechanism; the first threat intelligence sharing mechanism is used for indicating that threat intelligence can be shared among agent nodes in the block chain network;
if the sharing type of the threat intelligence corresponding to the threat identification is the same industry sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a second threat intelligence sharing mechanism; the second threat information sharing mechanism is used for indicating that threat information can be shared among all agent nodes belonging to the same industry in the blockchain network;
if the sharing type of the threat intelligence corresponding to the threat identification is the same-region sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a third threat intelligence sharing mechanism; the third threat information sharing mechanism is used for indicating that threat information can be shared among agent nodes belonging to the same area in the block chain network;
if the sharing type of the threat intelligence corresponding to the threat identification is a private sharing type, determining that the sharing of the threat intelligence corresponding to the threat identification conforms to a fourth threat intelligence sharing mechanism; the fourth threat intelligence sharing mechanism is configured to indicate that threat intelligence is sharable between a private organization agent node in the blockchain network and any other agent node in the blockchain network that has a cooperative relationship.
5. The method of claim 1, wherein the first proxy node generating a request threat intelligence transaction based on the threat identification, the account address of the first proxy node, and the account address of the second proxy node comprises:
the first proxy node generates the requested threat intelligence transaction based on the threat identification, the identity credential of the first proxy node, the account address of the first proxy node, and the account address of the second proxy node.
6. The method of claim 1, wherein after uploading the requested threat intelligence transaction to a blockchain ledger corresponding to the threat intelligence sharing type, further comprising:
when a first detection period is reached, the second proxy node detects the content of a block chain ledger corresponding to each threat intelligence sharing type in a block chain ledger corresponding to at least one threat intelligence sharing type, and determines whether a requested threat intelligence transaction needing to be confirmed by the second proxy node exists in the block chain ledger corresponding to the threat intelligence sharing type; the block chain account book corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the second proxy node;
if so, the second proxy node verifies the identity information of the first proxy node, and after the identity information of the first proxy node is successfully verified, the first proxy node is confirmed to have the authority of accessing threat information corresponding to the threat identifier;
the second agent node generates an authorized threat information transaction based on the threat identification, the account address of the first agent node, the encrypted symmetric key, the account address of the second agent node and the storage address of threat information corresponding to the threat identification, and links the authorized threat information transaction to a blockchain account book corresponding to the threat information sharing type; the encrypted symmetric key is encrypted by using a public key of the first proxy node; and the symmetric key is used for decrypting the encrypted threat intelligence corresponding to the threat identification.
7. The method of claim 6, wherein the verifying the identity information of the first proxy node comprises:
the second agent node inquires the identity management transaction of the first agent node from a blockchain account book corresponding to the threat intelligence sharing type;
the second agent node determining whether the identity credential of the first agent node in the identity management transaction is consistent with the identity credential of the first agent node in the request threat intelligence transaction;
if so, the second proxy node determines that the identity information of the first proxy node is successfully verified.
8. The method of any of claims 1 to 7, wherein downloading threat intelligence corresponding to the threat identification via a storage address of threat intelligence corresponding to the threat identification provided by the second proxy node comprises:
when a second detection period is reached, the first proxy node detects the content of a block chain ledger corresponding to each threat intelligence sharing type in a block chain ledger corresponding to at least one threat intelligence sharing type, and determines whether an authorized threat intelligence transaction corresponding to a request threat intelligence transaction exists in the block chain ledger corresponding to the threat intelligence sharing type;
if so, the first proxy node decrypts the encrypted symmetric key in the authorized threat information transaction by using a private key to obtain a decrypted symmetric key;
the first agent node accesses a corresponding storage device through a storage address of threat intelligence corresponding to the threat identification in the authorized threat intelligence transaction, and downloads the encrypted threat intelligence corresponding to the threat identification from the storage device;
and the first proxy node decrypts the encrypted threat intelligence corresponding to the threat identification by using the decrypted symmetric key to obtain the decrypted threat intelligence corresponding to the threat identification.
9. The method of claim 7, wherein after obtaining the decrypted threat intelligence corresponding to the threat identification, further comprising:
the first agent node performs a hash operation on the decrypted threat intelligence corresponding to the threat identification to generate a second hash value of the decrypted threat intelligence corresponding to the threat identification;
the first proxy node determines whether the second hash value is consistent with the first hash value;
and if so, the first agent node generates a download threat information transaction based on the threat identification, the account address of the first agent node, the account address of the second agent node and the second hash value of the decrypted threat information corresponding to the threat identification, and links the download threat information transaction to a block chain account book corresponding to the threat information sharing type.
10. A threat information sharing device is characterized in that the device is suitable for a block chain network with m agent nodes; each agent node is generated by election of a sharing group where the agent node is located; the device comprises:
the system comprises a receiving unit, a judging unit and a sending unit, wherein the receiving unit is used for receiving a threat information acquisition request generated by any member in a sharing group where a first proxy node is located; the first proxy node is any one of the m proxy nodes;
the processing unit is used for determining whether threat identification in the threat intelligence acquisition request exists in a block chain ledger corresponding to the threat intelligence sharing type through content detection on the block chain ledger corresponding to each threat intelligence sharing type in the block chain ledger corresponding to at least one possessed threat intelligence sharing type; the block chain account book corresponding to each threat intelligence sharing type is established based on a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type followed by the first proxy node; if so, acquiring an account address of a second proxy node for storing threat intelligence corresponding to the threat identification from a blockchain account book corresponding to the threat intelligence sharing type; generating a request threat intelligence transaction based on the threat identification, the account address of the first proxy node and the account address of the second proxy node, and linking the request threat intelligence transaction to a block chain account book corresponding to the threat intelligence sharing type; the second proxy node is used for, after the request threat intelligence transaction is detected through the blockchain ledger corresponding to the threat intelligence sharing type, determining whether the first proxy node has the authority of accessing the threat intelligence corresponding to the threat identification, generating an authorized threat intelligence transaction, and linking the authorized threat intelligence transaction to the blockchain ledger corresponding to the threat intelligence sharing type; the second agent node follows a threat intelligence sharing mechanism corresponding to the threat intelligence sharing type; and after the authorized threat intelligence transaction is detected through the blockchain ledger corresponding to the threat intelligence sharing type, downloading the threat intelligence corresponding to the threat identification through the storage address of the threat intelligence corresponding to the threat identification provided by the second agent node.
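The ledger-side checks of claims 2, 3 and 5 to 9, sketched as an added example that is not part of the patent text: the credential comparison that gates authorization and the hash comparison that gates the download transaction. The in-memory ledger, the field names and the choice of SHA-256 are assumptions; symmetric encryption and the public-key wrapping of the symmetric key are left out, so `decrypted` stands for the bytes obtained after decryption.

```python
import hashlib
import hmac

class Ledger:
    """Constructed in-memory stand-in for one sharing-type ledger (append-only)."""

    def __init__(self):
        self.txs = []

    def append(self, **tx):
        self.txs.append(tx)
        return tx

    def find(self, kind, **fields):
        for tx in self.txs:
            if tx["kind"] == kind and all(tx.get(k) == v for k, v in fields.items()):
                return tx
        return None

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # SHA-256 is an assumption

def register(ledger, account, credential):  # claim 2: identity management transaction
    return ledger.append(kind="identity", account=account, credential=credential)

def publish(ledger, threat_id, owner, intel: bytes):  # claim 3: first hash of the plaintext
    return ledger.append(kind="intel", threat_id=threat_id, owner=owner, hash=digest(intel))

def request(ledger, threat_id, requester, credential):  # claims 1 and 5
    entry = ledger.find("intel", threat_id=threat_id)
    if entry is None:
        return None  # identifier not on this ledger: nothing to request
    return ledger.append(kind="request", threat_id=threat_id, requester=requester,
                         credential=credential, owner=entry["owner"])

def authorize(ledger, owner, storage_address):  # claims 6 and 7, one detection period
    granted = []
    for tx in [t for t in ledger.txs if t["kind"] == "request" and t["owner"] == owner]:
        if ledger.find("authorized", threat_id=tx["threat_id"], requester=tx["requester"]):
            continue  # already answered in an earlier period
        ident = ledger.find("identity", account=tx["requester"])
        if ident is None or not hmac.compare_digest(ident["credential"], tx["credential"]):
            continue  # credential differs from the identity management transaction
        ledger.append(kind="authorized", threat_id=tx["threat_id"], owner=owner,
                      requester=tx["requester"], storage_address=storage_address)
        granted.append(tx["requester"])
    return granted

def record_download(ledger, threat_id, requester, decrypted: bytes) -> bool:  # claim 9
    entry = ledger.find("intel", threat_id=threat_id)
    if entry is None or not ledger.find("authorized", threat_id=threat_id, requester=requester):
        return False
    second = digest(decrypted)
    if not hmac.compare_digest(second, entry["hash"]):
        return False  # stored blob or key was altered: no download transaction
    ledger.append(kind="download", threat_id=threat_id, requester=requester,
                  owner=entry["owner"], hash=second)
    return True
```

Because the first hash is taken over the plaintext, a modified ciphertext in the storage device is only caught after decryption, at the comparison in `record_download`.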
CN202110961529.XA 2021-08-20 2021-08-20 Threat information sharing method and device Withdrawn CN115714811A (en)

Publications (1)

Publication Number Publication Date
CN115714811A (en) 2023-02-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20230224

WW01 Invention patent application withdrawn after publication