WO2022022248A1 - Method and apparatus for emergency response to threat intelligence - Google Patents

Method and apparatus for emergency response to threat intelligence

Info

Publication number
WO2022022248A1
Authority
WO
WIPO (PCT)
Prior art keywords
state
node
threat intelligence
smart contract
type
Prior art date
Application number
PCT/CN2021/104931
Other languages
English (en)
Chinese (zh)
Inventor
程叶霞
何申
顾宁伦
李伟
付俊
陈东
陈敏时
胡古宇
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/10 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
    • G06Q40/04 Finance; trading, exchange, e.g. stocks, commodities, derivatives or currency exchange

Definitions

  • Embodiments of the present disclosure relate to the technical field of blockchain, and in particular, to a method and device for emergency response to threat intelligence based on blockchain.
  • One objective of the embodiments of the present disclosure is to provide a method and apparatus for emergency response to threat intelligence, which solves the problem of coordinated response to threat intelligence information.
  • an embodiment of the present disclosure provides a threat intelligence emergency response method, applied to a first node, including:
  • running the smart contract to obtain the first state includes:
  • matching a corresponding response operation in the smart contract according to the type of the threat intelligence information, or according to the type of the threat intelligence information together with the information of the first node, where
  • the information of the first node includes: the type of the first node and/or the level of the first node;
  • performing the response operation to obtain the first state.
  • writing the first state to the blockchain includes:
  • sending the first state to the other nodes in the blockchain network so that they reach a consensus on it, after which the first state is written into the blockchain.
  • the method further includes: creating the smart contract according to the threat intelligence emergency response requirements and publishing it on the blockchain, where one or more of the following are encapsulated in the smart contract:
  • a state, which is any one of the following: enabled state, disabled state, frozen state and thawed state;
  • transition rules: the state of the smart contract is transitioned when a transition rule is met;
  • trigger conditions: the smart contract runs when a trigger condition is met;
  • response operations, which correspond to one or more of the following: the type of the threat intelligence information, the type of the node in the blockchain network and/or the level of the node in the blockchain network;
  • the level of a node in the blockchain network represents the level of the service or function provided by the node;
  • the types of nodes in the blockchain network and/or the levels of nodes in the blockchain network are divided based on a combination of one or more of the following: the type of applications carried by the node, the protocol type, operating system type, operating data type, operating software type or hardware type, the service provided by the node, and the function of the node.
  • a threat intelligence emergency response device applied to the first node, including:
  • the acquisition module is used to acquire threat intelligence information
  • the execution module is used for running the smart contract to obtain a first state, where the first state is used to describe the result of the emergency response operation performed by the first node; the emergency response operation is an operation preset in the smart contract and corresponding to the threat intelligence information;
  • a publishing module used to write the first state to the blockchain.
  • a first node is provided, comprising: a processor, a memory, and a program stored on the memory and executable on the processor; when the program is executed by the processor, the steps of the threat intelligence emergency response method of the first aspect are implemented.
  • a readable storage medium is provided, on which a program is stored; when the program is executed by a processor, the steps of the method of the first aspect are implemented.
  • building an emergency response smart contract for threat intelligence based on blockchain technology can realize automatic emergency response of threat intelligence information in nodes and linkage emergency response between nodes, so as to timely and efficiently respond to threat intelligence information.
  • FIG. 1 is a schematic diagram of a plurality of running nodes
  • FIG. 2 is a schematic diagram of a running node that includes the operation and maintenance administrator role
  • FIG. 3 is a schematic diagram of a blockchain-based threat intelligence system
  • FIG. 4 is a schematic diagram of constructing a blockchain for threat intelligence emergency response based on blockchain technology in an embodiment of the disclosure
  • FIG. 5 is a schematic diagram of constructing a blockchain for threat intelligence emergency response based on blockchain technology in an embodiment of the disclosure
  • FIG. 6 is a schematic diagram of a smart contract for a blockchain-based threat intelligence emergency response in an embodiment of the disclosure
  • FIG. 7 is a schematic diagram of a method for publishing a threat intelligence emergency response smart contract in an embodiment of the disclosure
  • FIG. 8 is one of the schematic diagrams of a threat intelligence emergency response method in an embodiment of the disclosure.
  • FIG. 9 is a second schematic diagram of a threat intelligence emergency response method in an embodiment of the disclosure.
  • FIG. 10 is a schematic diagram of a threat intelligence emergency response apparatus in an embodiment of the disclosure.
  • FIG. 11 is a schematic diagram of a first node in an embodiment of the disclosure.
  • FIG. 12 is a schematic diagram of a threat intelligence emergency response smart contract publishing device in an embodiment of the disclosure.
  • FIG. 13 is a schematic diagram of a second node in an embodiment of the disclosure.
  • words such as “exemplary” or “such as” are used to mean serving as an example, instance or illustration. Any embodiment or design described in the embodiments of the present disclosure as “exemplary” or “such as” should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of such words is intended to present the related concepts in a specific manner.
  • LTE: Long Term Evolution
  • LTE-A: LTE-Advanced
  • CDMA: Code Division Multiple Access
  • TDMA: Time Division Multiple Access
  • FDMA: Frequency Division Multiple Access
  • OFDMA: Orthogonal Frequency Division Multiple Access
  • SC-FDMA: Single Carrier Frequency Division Multiple Access
  • a CDMA system may implement radio technologies such as CDMA2000 and Universal Terrestrial Radio Access (UTRA). UTRA includes Wideband Code Division Multiple Access (WCDMA) and other CDMA variants.
  • a TDMA system may implement a radio technology such as the Global System for Mobile Communications (GSM).
  • an OFDMA system may implement radio technologies such as Ultra Mobile Broadband (UMB), Evolved UTRA (E-UTRA), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20 and Flash-OFDM.
  • LTE and LTE-A are new releases of UMTS that use E-UTRA.
  • UTRA, E-UTRA, UMTS, LTE, LTE-A and GSM are described in documents from the organization named "3rd Generation Partnership Project" (3GPP).
  • CDMA2000 and UMB are described in documents from the organization named "3rd Generation Partnership Project 2" (3GPP2).
  • the techniques described herein may be used for the systems and radio technologies mentioned above as well as for other systems and radio technologies.
  • in related technologies, the threat intelligence information of each system is independent of that of the other systems; the systems lack coordination, find it difficult to cooperate and work efficiently, and lack both joint response to threat intelligence and automatic response. This leads to an inability to timely and effectively respond to the obtained threat intelligence, or to analyze the latest and most valuable threat intelligence information for protection and emergency response, resulting in security risks and security attacks.
  • the present disclosure proposes a threat intelligence emergency response method, a smart contract publishing method, and a device.
  • before introducing the implementation of the blockchain-based threat intelligence emergency response smart contract publishing method, the threat intelligence emergency response method and the device, the logical relationship between the running nodes (nodes for short) involved in threat intelligence emergency response is introduced first; a schematic diagram is shown in FIG. 1. On the logical level, the running nodes communicate with each other point-to-point.
  • each running node may be an operation manager's device or an operated device or the like.
  • for example, running node 1 is the operation and maintenance administrator role, running node 2 is operated device 1 (device 1 for short), running node 3 is operated device 2 (device 2 for short), ..., running node n-1 is operated device n-1 (device n-1 for short), and running node n is operated device n (device n for short).
  • threat intelligence users are generally operation and maintenance administrators, who obtain the latest threat intelligence information directly through a threat intelligence sharing system or through correlation analysis, and then distribute it in full, through the blockchain-based threat intelligence emergency response system, to all devices that are operated, managed and maintained; the emergency response smart contract in that system then performs the automated linkage response.
  • a blockchain for threat intelligence emergency response is constructed based on blockchain technology; the block structure of the blockchain is shown in the figure.
  • a block includes a block header and a block body.
  • the block header includes: the hash value of the previous block, the Merkle root, the random number, and the timestamp.
  • the block body includes: the threat intelligence information and the threat intelligence emergency response status. Specifically:
  • the hash value of the previous block is generated by hashing all the information of the previous block together with its timestamp.
  • the Merkle root is the hash value of the root of a Merkle tree built from all the information in the block body; storing it in the header binds the block header to the block body.
  • the random number is generated by the current node with the SHA-256 hash algorithm from all public key information and the current timestamp; the hash value of the next block is required to begin with this string of digits, which prevents an attacker from forging blocks of the blockchain.
  • the timestamp is the time stamp the publishing node marks on the block when it is published, for example the number of seconds elapsed from 00:00 UTC on 1 January 1970 to the time the block is generated.
  • the threat intelligence information is the latest full-scale threat intelligence information issued by the operation and maintenance administrator.
  • the threat intelligence information can be of the Internet Protocol (IP) address, domain name, Uniform Resource Locator (URL), security event, vulnerability or other types.
  • the threat intelligence emergency response status is the information related to the emergency response status of the threat intelligence; it is obtained after the emergency response smart contract in the blockchain-based threat intelligence emergency response system is executed.
  • a blockchain for threat intelligence emergency response is constructed based on blockchain technology.
  • the blockchain consists of genesis block, block 1, block 2, ... block n-1, block n.
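As an added example (not code from the patent), the block layout and chain described above in Python: a header made of the previous block's hash, the Merkle root of the body, the random number derived with SHA-256 from the public key information and the timestamp, and a body carrying threat intelligence entries and response states. The field names, the JSON encoding, the placeholder public keys and timestamps, and the choice to take the hash of the whole header as the next block's previous-block hash are assumptions of this example; the verification shows why a tampered body, or a rebuilt block, is detected.

```python
"""Block layout of the threat-intelligence blockchain described above.

Added example, not code from the patent: the field names, the JSON encoding and
the way the random number is derived (SHA-256 over the public-key list and the
timestamp, as the text describes) are assumptions of this example.
"""
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic encoding so that every node hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(entries: list) -> str:
    """Merkle root over the block body (threat intelligence entries followed by
    emergency-response states); the header stores it to bind header and body."""
    if not entries:
        return sha256(b"")
    level = [sha256(canonical(e)) for e in entries]
    while len(level) > 1:
        if len(level) % 2:          # odd level: duplicate the last node
            level.append(level[-1])
        level = [sha256((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def block_hash(header: dict) -> str:
    """Hash of the whole header (which already carries the timestamp); the next
    block stores this value as its prev_hash."""
    return sha256(canonical(header))


def make_block(prev_hash: str, body: dict, public_keys: list, timestamp: int) -> dict:
    entries = body["threat_intelligence"] + body["response_states"]
    header = {
        "prev_hash": prev_hash,
        "merkle_root": merkle_root(entries),
        # Random number: SHA-256 over all public key information plus the timestamp.
        "random_number": sha256(canonical(public_keys) + str(timestamp).encode()),
        "timestamp": timestamp,
    }
    return {"header": header, "body": body, "hash": block_hash(header)}


def verify_chain(chain: list):
    """Return (True, "ok"), or (False, reason) for the first inconsistency: a body
    that no longer matches its Merkle root, a header that no longer matches the
    stored block hash, or a broken prev_hash link."""
    for i, blk in enumerate(chain):
        entries = blk["body"]["threat_intelligence"] + blk["body"]["response_states"]
        if merkle_root(entries) != blk["header"]["merkle_root"]:
            return False, f"block {i}: body does not match Merkle root"
        if block_hash(blk["header"]) != blk["hash"]:
            return False, f"block {i}: header does not match block hash"
        if i and blk["header"]["prev_hash"] != chain[i - 1]["hash"]:
            return False, f"block {i}: prev_hash does not link to block {i - 1}"
    return True, "ok"


def build_sample_chain() -> list:
    """Constructed sample: a genesis block, a block carrying one IP-type
    intelligence entry, and a block carrying the response state it produced.
    The public keys, addresses and timestamps are placeholders."""
    keys = ["pk-admin", "pk-device-1", "pk-device-2"]
    t0 = 1_700_000_000
    genesis = make_block("0" * 64, {"threat_intelligence": [], "response_states": []}, keys, t0)
    intel = {"id": "ti-001", "type": "ip", "value": "203.0.113.7", "action": "block"}
    block1 = make_block(genesis["hash"],
                        {"threat_intelligence": [intel], "response_states": []}, keys, t0 + 60)
    state = {"intel_id": "ti-001", "node": "device-1", "result": "blocked"}
    block2 = make_block(block1["hash"],
                        {"threat_intelligence": [], "response_states": [state]}, keys, t0 + 120)
    return [genesis, block1, block2]


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))
    chain[1]["body"]["threat_intelligence"][0]["value"] = "198.51.100.9"
    print(verify_chain(chain))
```

Changing an intelligence entry in a published block breaks that block's Merkle root; rebuilding the block's header to cover the change breaks the prev_hash link from the following block, so a forger would have to rebuild every later block as well.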
  • the smart contract of the blockchain-based threat intelligence emergency response is a set of programmatic rules and logic for scenario-based response, deployed on the blockchain as decentralized, trusted and shared code.
  • smart contracts also have the general characteristics of blockchain data, such as distributed recording, storage and verification, and cannot be tampered with or forged.
  • the parties who sign the contract agree on the content of the contract, the conditions for breach of contract, the liability for breach of contract and the external verification data source; if necessary, they check and test the contract code to ensure it is correct, and then deploy it on the blockchain in the form of a smart contract.
  • no central facility is needed: the contract is executed automatically on behalf of the signatories.
  • the programmable nature of smart contracts allows the signatories to add arbitrarily complex terms.
  • after the smart contract is signed by all parties, it is attached to the blockchain data in the form of program code and, after peer-to-peer network propagation and node verification, is recorded in a specific block of the blockchain.
  • the smart contract encapsulates several predefined states (such as the enabled, disabled, frozen and thawed states), transition rules, trigger conditions that trigger contract execution (such as reaching a specific time, a specific event, a specific threat intelligence type, etc.), response operations (such as execution of a specific action or a specific response), etc.
  • the blockchain can monitor the status of smart contracts in real time, and activate and execute contracts by verifying data sources and confirming that certain trigger conditions are met.
  • the input of the smart contract is the data on the blockchain - threat intelligence information, that is, the latest threat intelligence information on the blockchain.
  • the output of the smart contract is the state of emergency response, which is output to the blockchain.
  • the internal logic of the smart contract operates as follows:
  • the system or equipment of each running node is classified by type and graded by level.
  • the specific classification and grading standards can be based on the application type, protocol type, operating system type, operating data type, operating software type and/or hardware type carried by the system or equipment, etc. It can be understood that the software type or hardware type of the node is not specifically limited.
  • simple classification rules can be set, such as classification according to the type of software and hardware carried; or, in addition to classification by software and hardware type, the nodes can be graded into level 1, level 2, level 3, etc. according to the different services they provide or the different functions they have.
  • the classification of types of threat intelligence information includes:
  • Method 1: direct classification according to the type of the threat intelligence information itself, into IP type, domain name type, URL type, event type, vulnerability type, file MD5 type, etc.
  • Method 2: classification according to the type of equipment or system affected by the threat intelligence information, into operating system class, protocol class, router class, switch class, Domain Name Server (DNS) class, Intrusion Detection System (IDS) class, Intrusion Prevention System (IPS) class, firewall class, etc.
  • the nodes include network elements, security devices, early warning centers, etc.
  • smart contracts can generate new security policies based on the threat intelligence information and then deploy these new security policies to the network elements and security devices. If necessary, they can also update the software version and modify the configuration of network elements and security devices.
  • when the trigger condition is met, execution of the response operation is triggered; the executed response operation finally corresponds to an actual response operation on the affected nodes only, and the other nodes are not affected.
  • a node that is not affected performs no corresponding actual response operation while the smart contract executes.
  • malicious URL type intelligence can be applied to a gateway, which updates its security policy by adding the malicious URLs to its filtering blacklist. It can also be applied to an IDS or IPS by updating the protection rules for the corresponding URLs.
  • malicious domain type intelligence can be applied to DNS servers, which update their configuration by blacklisting the malicious domains.
  • malicious IP type intelligence can be applied to firewalls, which update their security policies by filtering the malicious IPs. It can also be applied to an IDS or IPS by updating the protection rules for the corresponding IPs.
  • vulnerability type intelligence can be applied to all kinds of network devices, and each network element fixes the vulnerability by updating its software or hardware. At the same time, it can be used to build detection plug-ins that are then pushed to scanners to detect the affected assets and network elements, etc.
  • an embodiment of the present disclosure provides a method for publishing a smart contract for threat intelligence emergency response, and the specific steps include: step 701 and step 702 .
  • Step 701 Create a smart contract according to the threat intelligence emergency response requirements
  • Step 702 Publish the smart contract on the blockchain.
  • one or more of the following may be encapsulated in a smart contract:
  • a state, which is any one of the following: an enabled state, a disabled state, a frozen state and a thawed state;
  • the enabled state indicates that the smart contract can be used normally;
  • the disabled state indicates that the smart contract cannot be used normally;
  • the frozen state indicates that the smart contract has been frozen and needs to be thawed before it can be used.
  • transition rules, for example the transition rule from the enabled state to the disabled state, the transition rule from the disabled state to the enabled state, the transition rule from the frozen state to the thawed state, etc.
  • trigger conditions: when a trigger condition is met, the smart contract is triggered to run.
  • the response operation is a specific action on the threat intelligence information that reduces or avoids the risk posed by the threat intelligence information.
  • the response operation corresponds to one or more of the following:
  • the type of the node in the blockchain network, which is based on the application type, protocol type, operating system type, operating data type, operating software type and/or hardware type carried by the node in the blockchain network;
  • the level of the node in the blockchain network, which indicates the importance or priority of the service or function provided by the node.
  • the types of nodes in the blockchain network and/or the levels of nodes in the blockchain network are divided based on one or more of the following in combination: the application type, protocol type, operating system type, operating data type, operating software type or hardware type carried by the node, the services the node provides, and the functions the node has.
  • an emergency response smart contract for threat intelligence is constructed based on blockchain technology, so as to realize the automatic emergency response of threat intelligence information in nodes and the linkage emergency response between nodes, so as to timely and efficiently respond to threat intelligence information.
  • an embodiment of the present disclosure provides a threat intelligence emergency response method.
  • the execution body of the method may be a first node (or a first network element, or a first network element device). It can be understood that the first node is any running node in the blockchain network. The specific steps include:
  • Step 801 Obtain threat intelligence information
  • the obtained threat intelligence information may be set in the block body of the block, and the specific content of the threat intelligence information is not limited in this embodiment of the present disclosure.
  • Step 802 Run the smart contract to obtain a first state, where the first state is used to describe the result of the emergency response operation performed by the first node; the emergency response operation is an operation preset in the smart contract and corresponding to the threat intelligence information.
  • a corresponding response operation is matched in the smart contract according to the type of the threat intelligence information; or, a corresponding response operation is matched in the smart contract according to the type of the threat intelligence information together with the information of the first node, where the information of the first node includes the type of the first node and/or the level of the first node. The matched response operation is then performed to obtain the first state.
  • Step 803 Write the first state to the blockchain.
  • the emergency response status is published on the blockchain through a block.
  • the emergency response status is first sent to the other nodes in the blockchain network (all nodes except the first node) so that those nodes can reach a consensus on it; once consensus is reached, the emergency response status is published on the blockchain through a block.
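The following is an added example, not the patent's own contract, of steps 801 and 802 together with the contract elements described earlier: the enabled/disabled/frozen/thawed lifecycle with its transition rules, a trigger condition on the intelligence type, and response operations matched on the intelligence type plus the node's type and level, yielding the node's first state. The node types, the intelligence types, the placeholder policy syntax returned by each response operation, the use of level 1 as "most important", and the first-state field names are assumptions of this example; nodes the intelligence does not affect get a state that records no actual operation, as the text requires.

```python
"""The emergency-response smart contract as the page describes it: lifecycle
states with transition rules, a trigger condition on the intelligence type, and
response operations matched on the intelligence type plus the node's type and
level, producing the node's "first state".

Added example, not the patent's contract. The node types, the intelligence
types, the policy formats returned by the response operations, the use of level
1 as "most important" and the first-state field names are all assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class ContractState(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    FROZEN = "frozen"
    THAWED = "thawed"


# Transition rules: the contract may only move along these edges.
TRANSITIONS = {
    ContractState.ENABLED: {ContractState.DISABLED, ContractState.FROZEN},
    ContractState.DISABLED: {ContractState.ENABLED},
    ContractState.FROZEN: {ContractState.THAWED},
    ContractState.THAWED: {ContractState.ENABLED, ContractState.DISABLED, ContractState.FROZEN},
}
RUNNABLE = {ContractState.ENABLED, ContractState.THAWED}


@dataclass(frozen=True)
class Node:
    name: str
    node_type: str   # "firewall", "dns", "gateway", "ids", "ips", "host", ...
    level: int       # 1 = most important service or function (assumption)


@dataclass(frozen=True)
class Intel:
    intel_id: str
    intel_type: str  # "ip", "domain", "url", "vulnerability", "file_md5", "event"
    value: str


# Response operations: (intelligence type, node type) -> policy to deploy.
# The rule syntaxes are placeholders, not any vendor's real syntax.
def firewall_block_ip(intel, node):
    return f"deny ip any -> {intel.value}"

def ids_rule(intel, node):
    return f"alert {intel.intel_type} {intel.value} (intel:{intel.intel_id})"

def dns_blacklist(intel, node):
    return f"{intel.value} -> sinkhole"

def gateway_url_filter(intel, node):
    return f"url-filter deny {intel.value}"

def patch(intel, node):
    return f"update software for {intel.value}"

RESPONSES = {
    ("ip", "firewall"): firewall_block_ip,
    ("ip", "ids"): ids_rule,
    ("ip", "ips"): ids_rule,
    ("url", "gateway"): gateway_url_filter,
    ("url", "ids"): ids_rule,
    ("url", "ips"): ids_rule,
    ("domain", "dns"): dns_blacklist,
    ("vulnerability", "*"): patch,      # "*": applies to every node type
}


class EmergencyResponseContract:
    def __init__(self, trigger_types):
        self.state = ContractState.ENABLED
        self.trigger_types = set(trigger_types)   # trigger condition: intelligence type

    def transition(self, new_state: ContractState) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state.value} -> {new_state.value}")
        self.state = new_state

    def run(self, node: Node, intel: Intel) -> dict:
        """Return the node's first state: the result of the matched response operation.
        Nodes that the intelligence does not affect perform no actual operation."""
        state = {"node": node.name, "intel_id": intel.intel_id, "operation": None}
        if self.state not in RUNNABLE:
            return dict(state, result="contract_not_runnable")
        if intel.intel_type not in self.trigger_types:
            return dict(state, result="not_triggered")
        op = RESPONSES.get((intel.intel_type, node.node_type)) or RESPONSES.get((intel.intel_type, "*"))
        if op is None:
            return dict(state, result="not_applicable")
        return dict(state, operation=op(intel, node),
                    priority="immediate" if node.level == 1 else "scheduled",
                    result="applied")


if __name__ == "__main__":
    contract = EmergencyResponseContract({"ip", "domain", "url", "vulnerability"})
    intel = Intel("ti-001", "ip", "203.0.113.7")          # constructed sample
    for node in (Node("fw-1", "firewall", 1), Node("dns-1", "dns", 2)):
        print(contract.run(node, intel))
```

The state dictionary returned by `run` is what step 803 writes to the chain; a frozen contract refuses to run until it is thawed, and the transition table rejects the frozen-to-enabled shortcut, so the "needs to be thawed before it can be used" rule is enforced by the code rather than by convention.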
  • the method may further include: creating a smart contract according to threat intelligence emergency response requirements; and publishing the smart contract on the blockchain.
  • after each node in the blockchain network obtains threat intelligence information through a specific block in the blockchain, it can, based on the type of the node, the level of the node and/or the type of the threat intelligence information as defined in the corresponding smart contract, obtain the response operation the node needs to perform and then execute that response operation automatically. This realizes the joint response and automatic emergency response to threat intelligence information at each node, protects against and responds to threat intelligence in a timely and efficient manner, and prevents security risks and security attacks. Further, since the nodes can be set up across industries, organizations and regions, cross-industry, cross-organization and cross-regional threat intelligence emergency response is realized.
  • the blockchain-based threat intelligence emergency response method includes the following steps:
  • Step 901: the operation and maintenance administrator obtains the latest threat intelligence information and outputs it to step 902.
  • Step 902: the operation and maintenance administrator receives the output of step 901 and fully distributes the obtained threat intelligence information to all devices and the like.
  • Step 903: the blockchain-based threat intelligence emergency response smart contract receives the output of step 902 and runs on the threat intelligence.
  • Step 904: all devices, assets and the like receive the output of step 903, perform emergency response and execute the repair operation that the smart contract gives for the emergency response to the threat intelligence.
  • Step 905: the output of step 904 is received and the latest emergency response status is fed back.
  • Step 906: the output of step 905 is received and the emergency response status is written into the blockchain according to the consensus mechanism of the blockchain.
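As an added example for steps 905 and 906 (not the patent's implementation), the feedback and consensus step in Python: a node feeds back its emergency-response state, each other node checks the record before voting, and the state is written only once a majority accepts it. The HMAC stands in for the signature a real node would produce with its private key (and that verifiers would check against its public key); the key registry, the majority quorum rule, the record fields and the sample network are assumptions of this example.

```python
"""Steps 905 and 906 above: a node feeds back its emergency-response state, the
other nodes verify it, and it is written to the chain only once a quorum agrees.

Added example, not the patent's implementation. The HMAC stands in for the
signature a real node would make with its private key (and the verifier would
check with the node's public key); the majority quorum, the key registry and the
record fields are assumptions of this example.
"""
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_state(record: dict, node_key: bytes) -> str:
    """Stand-in for the reporting node's signature over its state record."""
    return hmac.new(node_key, canonical(record), hashlib.sha256).hexdigest()


ACCEPTED_RESULTS = {"applied", "not_applicable", "failed"}


class Node:
    def __init__(self, name: str, key_registry: dict, known_intel: set):
        self.name = name
        self.keys = key_registry         # node name -> verification key
        self.known_intel = known_intel   # intelligence ids this node has seen on the chain

    def vote(self, record: dict, signature: str) -> bool:
        """Accept a state record only if it is signed by the node it claims to come
        from, refers to intelligence already on the chain, and reports a known outcome."""
        key = self.keys.get(record.get("node"))
        if key is None:
            return False
        if not hmac.compare_digest(sign_state(record, key), signature):
            return False
        if record.get("intel_id") not in self.known_intel:
            return False
        return record.get("result") in ACCEPTED_RESULTS


def consensus_write(ledger: list, nodes: list, record: dict, signature: str):
    """Collect votes; append the record to the ledger only when a majority accepts it.
    Returns (written, number_of_accepting_votes)."""
    quorum = len(nodes) // 2 + 1
    votes = sum(1 for n in nodes if n.vote(record, signature))
    if votes >= quorum:
        ledger.append({"record": record, "signature": signature, "votes": votes})
        return True, votes
    return False, votes


def build_network():
    """Constructed sample: four nodes sharing one key registry; device-3 has not
    yet seen intelligence ti-001 and therefore votes against any state for it."""
    keys = {"admin": b"k0", "device-1": b"k1", "device-2": b"k2", "device-3": b"k3"}
    nodes = [Node("admin", keys, {"ti-001"}), Node("device-1", keys, {"ti-001"}),
             Node("device-2", keys, {"ti-001"}), Node("device-3", keys, set())]
    return keys, nodes


if __name__ == "__main__":
    keys, nodes = build_network()
    ledger = []
    record = {"node": "device-1", "intel_id": "ti-001", "result": "applied"}
    print(consensus_write(ledger, nodes, record, sign_state(record, keys["device-1"])))
```

Because each node recomputes the signature from the record it actually received, a node cannot publish a state on behalf of another node, and a record altered after signing is rejected even though the proposer's signature is genuine; the lagging node's "no" vote does not block the write as long as the majority has seen the intelligence.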
  • an embodiment of the present disclosure provides a threat intelligence emergency response apparatus, which is applied to a first node.
  • the apparatus 1000 includes:
  • an acquisition module 1001 used for acquiring threat intelligence information
  • the execution module 1002 is used for running the smart contract to obtain a first state, where the first state is used to describe the result of the emergency response operation executed by the first node; the emergency response operation is an operation preset in the smart contract and corresponding to the threat intelligence information;
  • the publishing module 1003 is used for writing the first state to the blockchain.
  • the execution module 1002 is further configured to: match a corresponding response operation in the smart contract according to the type of the threat intelligence information; or match a corresponding response operation in the smart contract according to the type of the threat intelligence information together with the information of the first node, where the information of the first node includes the type of the first node and/or the level of the first node; and execute the response operation to obtain the first state.
  • the publishing module 1003 is further configured to: send the first state to the other nodes in the blockchain network except the first node, so that those nodes can reach a consensus on the first state; and, once consensus is reached, write the first state into the blockchain.
  • the apparatus 1000 further includes: a creation module, configured to create a smart contract according to the threat intelligence emergency response requirements; the release module 1003 is further configured to publish the smart contract on the blockchain.
  • the state includes any one of the following: enabled state, disabled state, frozen state and unfrozen state;
  • Conversion rules the state of the smart contract will be converted when the conversion rules are met
  • Trigger conditions the smart contract runs when the trigger conditions are met
  • the response operation corresponds to one or more of the following:
  • the level of the node in the blockchain network represents the level of the service or function provided by the node
  • the types of nodes in the blockchain network and/or the levels of nodes in the blockchain network are divided based on a combination of one or more of the following: the type of applications carried by the nodes in the blockchain network, protocol type, operating system type, operating data type, operating software type, hardware type, service provided by the node, function of the node.
  • the threat intelligence emergency response apparatus may execute the method embodiment shown in FIG. 8 above, and the implementation principle and technical effect thereof are similar, and details are not described herein again in this embodiment.
  • FIG. 11 is a structural diagram of a first node to which an embodiment of the present disclosure is applied.
  • the first node 1100 includes: a processor 1101, a transceiver 1102, a memory 1103, and a bus interface, wherein:
  • the first node 1100 further includes: a program stored on the memory 1103 and executable on the processor 1101; when the program is executed by the processor 1101, the function of each module in the embodiment shown in FIG. 10 is implemented.
  • the bus architecture may include any number of interconnected buses and bridges, in particular one or more processors represented by processor 1101 and various circuits of memory represented by memory 1103 linked together.
  • the bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein.
  • the bus interface provides the interface.
  • Transceiver 1102 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other devices over a transmission medium.
  • the processor 1101 is responsible for managing the bus architecture and general processing, and the memory 1103 may store data used by the processor 1101 in performing operations.
  • the first node provided by this embodiment of the present disclosure may execute the method embodiment shown in FIG. 8 above, and the implementation principle and technical effect thereof are similar, and details are not described herein again in this embodiment.
  • an embodiment of the present disclosure provides an apparatus for issuing a smart contract for threat intelligence emergency response, which is applied to a second node.
  • the apparatus 1200 includes:
  • a creation module 1201 is used to create a smart contract according to threat intelligence emergency response requirements
  • the publishing module 1202 is used to publish the smart contract on the blockchain.
  • one or more of the following are encapsulated in the smart contract:
  • the state includes any one of the following: enabled state, disabled state, frozen state and unfrozen state;
  • Conversion rules: the state of the smart contract is converted when the conversion rules are met
  • Trigger conditions: the smart contract runs when the trigger conditions are met
  • the response operation corresponds to one or more of the following combinations:
  • the level of the node in the blockchain network represents the level of the service or function provided by the node
  • the types of nodes in the blockchain network and/or the levels of nodes in the blockchain network are divided based on a combination of one or more of the following: the type of applications carried by the nodes in the blockchain network, protocol type, operating system type, operating data type, operating software type, hardware type, service provided by the node, function of the node.
  • the apparatus provided by this embodiment of the present disclosure can execute the above-mentioned method embodiment shown in FIG. 7 , and the implementation principle and technical effect thereof are similar, and details are not described herein again in this embodiment.
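The two apparatus descriptions above (the first node's acquisition, execution and publishing modules, and the second node's creation and publishing modules) describe one mechanism: a smart contract that encapsulates a state, conversion rules, a trigger condition and a table of response operations keyed by threat intelligence type and node type/level; a node runs it to obtain a "first state", and the other nodes must reach consensus before that state is written to the chain. The following Python model is an added example, not code from the patent or its assignee: the four states, the conversion rules, the confidence-based trigger condition, the threat types, node types and levels, the operation names and the hash-chained in-memory ledger are all constructed assumptions chosen to make the mechanism concrete. Creating a `SmartContract` plays the role of the creation module 1201, handing it to the `Ledger` plays the role of publishing it, and `Ledger.publish` models the vote among the other nodes before the first state is written.

```python
"""Toy model of the threat-intelligence emergency-response smart contract.

Added example, not code from the patent: every state, rule, threat type,
node type/level, operation name and the ledger layout are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import hashlib
import json
from typing import Optional


class State(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    FROZEN = "frozen"
    UNFROZEN = "unfrozen"


# Conversion rules (assumed): (current state, event) -> next state.
# A (state, event) pair that is not listed is not a permitted conversion.
CONVERSION_RULES = {
    (State.ENABLED, "disable"): State.DISABLED,
    (State.DISABLED, "enable"): State.ENABLED,
    (State.ENABLED, "freeze"): State.FROZEN,
    (State.FROZEN, "unfreeze"): State.UNFROZEN,
    (State.UNFROZEN, "enable"): State.ENABLED,
}

# Response operations (assumed), keyed by (threat type, node type, node level).
# None is a wildcard; the most specific key wins.
RESPONSE_OPERATIONS = {
    ("malicious_ip", "firewall", None): "block_ip",
    ("malicious_ip", "endpoint", None): "alert_only",
    ("malware_hash", None, 2): "quarantine_file",
    ("malware_hash", None, None): "log_hash",
}


@dataclass(frozen=True)
class ThreatIntel:
    type: str
    indicator: str
    confidence: int  # 0-100, constructed scale


@dataclass(frozen=True)
class Node:
    name: str
    type: str   # kind of node, e.g. "firewall" (constructed)
    level: int  # level of the service the node provides


class SmartContract:
    """Encapsulates state, conversion rules, trigger condition and operations."""

    def __init__(self, min_confidence: int = 50):
        self.state = State.ENABLED
        self.min_confidence = min_confidence  # trigger condition (assumed)

    def convert(self, event: str) -> State:
        # Apply a matching conversion rule; otherwise the state is unchanged.
        self.state = CONVERSION_RULES.get((self.state, event), self.state)
        return self.state

    def triggered(self, ti: ThreatIntel) -> bool:
        # Assumed: only an enabled contract runs, and only on confident intel.
        return self.state is State.ENABLED and ti.confidence >= self.min_confidence

    def match_operation(self, ti: ThreatIntel, node: Node) -> Optional[str]:
        # Match on threat type plus node type and/or level, most specific first.
        for key in ((ti.type, node.type, node.level), (ti.type, node.type, None),
                    (ti.type, None, node.level), (ti.type, None, None)):
            if key in RESPONSE_OPERATIONS:
                return RESPONSE_OPERATIONS[key]
        return None

    def run(self, ti: ThreatIntel, node: Node) -> dict:
        """Return the 'first state': the result of node executing the matched operation."""
        if not self.triggered(ti):
            return {"node": node.name, "indicator": ti.indicator,
                    "operation": None, "result": "not_triggered"}
        op = self.match_operation(ti, node)
        return {"node": node.name, "indicator": ti.indicator, "operation": op,
                "result": "executed" if op else "no_matching_operation"}


class Ledger:
    """Hash-chained in-memory ledger; the other nodes must agree before a write."""

    def __init__(self, nodes, contract: SmartContract):
        self.nodes = {n.name: n for n in nodes}
        self.contract = contract  # the published contract every node runs
        self.chain = []

    def _agrees(self, ti: ThreatIntel, first_state: dict) -> bool:
        # A voter re-runs the contract for the proposing node and compares results.
        return self.contract.run(ti, self.nodes[first_state["node"]]) == first_state

    def publish(self, ti: ThreatIntel, first_state: dict) -> bool:
        others = [n for n in self.nodes.values() if n.name != first_state["node"]]
        votes = sum(1 for _ in others if self._agrees(ti, first_state))
        if votes * 2 <= len(others):  # strict majority of the other nodes required
            return False
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = json.dumps(first_state, sort_keys=True)
        self.chain.append({"prev": prev, "state": first_state,
                           "hash": hashlib.sha256((prev + body).encode()).hexdigest()})
        return True

    def valid(self) -> bool:
        # Recompute every link; any edited state or broken link fails the check.
        prev = "0" * 64
        for block in self.chain:
            body = json.dumps(block["state"], sort_keys=True)
            if block["prev"] != prev or block["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = block["hash"]
        return True
```

Two properties of the text are visible in the model: a frozen or disabled contract produces no response (its `run` reports `not_triggered`), and a first state that does not match what the other nodes compute for the same node and intelligence is rejected by the vote and never reaches the chain, so a single node cannot write an arbitrary "result" for itself.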
  • FIG. 13 is a structural diagram of a second node to which an embodiment of the present disclosure is applied.
  • the second node 1300 includes: a processor 1301, a transceiver 1302, a memory 1303, and a bus interface, where:
  • the second node 1300 further includes: a program stored on the memory 1303 and executable on the processor 1301; when the program is executed by the processor 1301, the function of each module in the embodiment shown in FIG. 12 is implemented.
  • the bus architecture may include any number of interconnected buses and bridges, specifically one or more processors represented by processor 1301 and various circuits of memory represented by memory 1303 linked together.
  • the bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein.
  • the bus interface provides the interface.
  • Transceiver 1302 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other devices over a transmission medium.
  • the processor 1301 is responsible for managing the bus architecture and general processing, and the memory 1303 may store data used by the processor 1301 in performing operations.
  • the second node provided in this embodiment of the present disclosure may execute the method embodiment shown in FIG. 7 , and the implementation principle and technical effect thereof are similar, and details are not described herein again in this embodiment.
  • An embodiment of the present disclosure further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or instruction is executed by a processor, each process of the method embodiment shown in FIG. 7 or FIG. 8 is implemented and the same technical effect can be achieved; to avoid repetition, it is not repeated here.
  • the steps of the method or algorithm described in conjunction with the disclosure of the present disclosure may be implemented in a hardware manner, or may be implemented in a manner of a processor executing software instructions.
  • the software instructions may be composed of corresponding software modules, and the software modules may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, hard disk, removable hard disk, CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage medium may reside in an ASIC.
  • the ASIC may be located in the core network interface device.
  • the processor and the storage medium may also exist in the core network interface device as discrete components.
  • the functions described in this disclosure may be implemented in hardware, software, firmware, or any combination thereof.
  • the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
  • embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, embodiments of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein, including but not limited to disk storage, CD-ROM, optical storage, and the like.
  • Embodiments of the present disclosure are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present disclosure. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, and the instruction means implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Abstract

According to embodiments, the present invention relates to a threat intelligence emergency response method and apparatus. The method includes: obtaining threat intelligence information; running a smart contract to obtain a first state, the first state being used to describe the result of a first node executing an emergency response operation, and the emergency response operation being an operation preconfigured in the smart contract and corresponding to the threat intelligence information; and writing the first state to a blockchain.
PCT/CN2021/104931 2020-07-30 2021-07-07 Procédé et appareil d'intervention d'urgence en cas de renseignements sur une menace WO2022022248A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010751273.5 2020-07-30
CN202010751273.5A CN114095186A (zh) 2020-07-30 2020-07-30 威胁情报应急响应方法及装置

Publications (1)

Publication Number Publication Date
WO2022022248A1 true WO2022022248A1 (fr) 2022-02-03

Family

ID=80037479

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/104931 WO2022022248A1 (fr) 2020-07-30 2021-07-07 Procédé et appareil d'intervention d'urgence en cas de renseignements sur une menace

Country Status (2)

Country Link
CN (1) CN114095186A (fr)
WO (1) WO2022022248A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965247A (zh) * 2018-06-04 2018-12-07 上海交通大学 一种基于区块链的威胁情报交换共享系统和方法
CN109862037A (zh) * 2019-03-22 2019-06-07 泰康保险集团股份有限公司 基于区块链的数据设备管理方法、装置、介质及电子设备
CN109981564A (zh) * 2019-01-28 2019-07-05 中国科学院信息工程研究所 一种基于区块链的威胁情报交换共享方法
US20200153843A1 (en) * 2018-11-14 2020-05-14 F-Secure Corporation Threat Control Method and System

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737336B (zh) * 2017-04-18 2021-01-15 中国移动通信有限公司研究院 基于区块链的威胁行为处理方法及装置、设备及存储介质
CN108898021B (zh) * 2018-06-04 2021-06-01 北京奇虎科技有限公司 基于区块链的威胁情报处理方法、系统及计算设备

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116527323A (zh) * 2023-04-04 2023-08-01 中国华能集团有限公司北京招标分公司 一种动态威胁分析方法
CN116527323B (zh) * 2023-04-04 2024-01-30 中国华能集团有限公司北京招标分公司 一种动态威胁分析方法

Also Published As

Publication number Publication date
CN114095186A (zh) 2022-02-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21849991

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11.05.2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21849991

Country of ref document: EP

Kind code of ref document: A1