WO2022022361A1 - Threat intelligence application method and device - Google Patents

Threat intelligence application method and device

Info

Publication number
WO2022022361A1
Authority
WO
WIPO (PCT)
Prior art keywords
threat intelligence
information
node
smart contract
application
Prior art date
Application number
PCT/CN2021/107639
Other languages
English (en)
Chinese (zh)
Inventor
程叶霞
何申
顾宁伦
李伟
付俊
郭智慧
陈璨璨
胡古宇
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date
Filing date
Publication date
Application filed by 中国移动通信有限公司研究院 and 中国移动通信集团有限公司
Publication of WO2022022361A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; gathering intelligence information for situation awareness or reconnaissance

Definitions

  • the present disclosure relates to the field of blockchain technology, and in particular, to an application method and device for threat intelligence.
  • each system is also independent of the others: on the one hand, applying threat intelligence requires a large amount of manual intervention, and on the other hand, automatic delivery and linkage application cannot be realized.
  • At least one embodiment of the present disclosure provides a threat intelligence application method and device, which utilizes the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, which can improve the efficiency of network security protection.
  • At least one embodiment provides a threat intelligence application method, applied to a first node, including:
  • the automatic screening status information output by the first smart contract and the information of the second node are written into the blockchain
  • run the second smart contract to automatically deliver the threat intelligence information to the second node, and write the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism;
  • run the third smart contract and write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, where the threat intelligence application status information is the information obtained by the second node after running the third smart contract to perform a repair operation.
  • the running of the first smart contract to automatically filter out the second node includes:
  • determine the first device classification corresponding to the threat intelligence information and the nodes under the first device classification to obtain the second node, and output automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type, and file MD5 type;
  • the device classification includes a device type and/or a device level, where the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operating data category, operating software type and hardware type carried by the device, and the device level is obtained by classifying according to the level of the function or service performed by the device.
  • the running of the second smart contract to automatically deliver the threat intelligence information to the second node includes:
  • the threat intelligence information in the blockchain is sent to the second node, and delivery status information indicating whether the intelligence delivery succeeded is obtained.
  • the threat intelligence application status information is used to indicate whether the remediation is successfully performed based on the threat intelligence information.
  • the block body in the block on the blockchain includes the following information:
  • the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract, the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • At least one embodiment provides a threat intelligence application method, applied to a second node, including:
  • run a third smart contract to perform a repair operation corresponding to the threat intelligence information, and obtain the threat intelligence application status information output by the third smart contract;
  • the threat intelligence application state information is written into the blockchain.
  • running the third smart contract to perform a repair operation corresponding to the threat intelligence information includes:
  • the repair operation corresponding to the threat intelligence information is determined and executed, and threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information is obtained.
  • the block body in the block of the blockchain includes the following information:
  • the threat intelligence information delivered by the first node, and the threat intelligence application state information obtained by the second node after running the third smart contract to perform the repair operation.
  • At least one embodiment provides a first node, including an application layer module and a smart contract layer module, where the application layer module includes a threat intelligence application sub-module, and the smart contract layer module includes an automatic screening sub-module, an automatic delivery sub-module, and a linkage application and repair sub-module;
  • the threat intelligence application sub-module is used to obtain threat intelligence information
  • the automatic screening sub-module is used to run the first smart contract to automatically screen out the second node, the second node being the operated device to which the threat intelligence information needs to be delivered, and to write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain;
  • the automatic delivery sub-module is used to run the second smart contract to automatically deliver the threat intelligence information to the second node, and to write the delivery status information output by the second smart contract into the blockchain based on the consensus mechanism;
  • the linkage application and repair sub-module is used to run the third smart contract and write the threat intelligence application state information of the second node into the blockchain based on the consensus mechanism, where the threat intelligence application state information is the information obtained by the second node after running the third smart contract to perform the repair operation.
  • the automatic screening sub-module is further configured to determine the device classification of the operated device, obtain the threat intelligence information in the blockchain, and determine the first intelligence type of the threat intelligence information; and, according to a preset correspondence between different intelligence types and device classifications, determine the first device classification corresponding to the threat intelligence information and the nodes under the first device classification, obtain the second node, and output automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type, and file MD5 type;
  • the device classification includes a device type and/or a device level, where the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operating data category, operating software type and hardware type carried by the device, and the device level is obtained by classifying according to the level of the function or service performed by the device.
  • the automatic delivery sub-module is further configured to, when the automatic screening status information in the blockchain indicates that the device screening succeeded, deliver the threat intelligence information to the second node and obtain delivery status information indicating whether the intelligence delivery succeeded.
  • the threat intelligence application status information is used to indicate whether the remediation is successfully performed based on the threat intelligence information.
  • the block body in the block on the blockchain includes the following information:
  • the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract, the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • At least one embodiment provides a first node, comprising a processor, a memory, and a program stored on the memory and executable on the processor, the program implementing the steps of the aforementioned threat intelligence application method when executed by the processor.
  • At least one embodiment provides a second node, which includes an application layer module and a smart contract layer module, where the application layer module includes a threat intelligence application sub-module, and the smart contract layer module includes a linkage application and repair sub-module;
  • the threat intelligence application sub-module is used to obtain the threat intelligence information issued by the first node
  • the linkage application and repair sub-module is used to run a third smart contract to perform a repair operation corresponding to the threat intelligence information and obtain the threat intelligence application status information output by the third smart contract, and to write the threat intelligence application state information into the blockchain based on a consensus mechanism.
  • the linkage application and repair sub-module is further configured to determine and execute the repair operation corresponding to the threat intelligence information according to a preset correspondence between different threat intelligence/intelligence types and repair operations, and to obtain threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information.
  • the block body in the block of the blockchain includes the following information:
  • the threat intelligence information delivered by the first node, and the threat intelligence application state information obtained by the second node after running the third smart contract to perform the repair operation.
  • At least one embodiment provides a second node comprising a processor, a memory, and a program stored on the memory and executable on the processor, the program implementing the steps of the above-mentioned threat intelligence application method when executed by the processor.
  • At least one embodiment provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, the steps of the above-mentioned method are implemented.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure solve the problems that threat intelligence information is held in mutually independent systems, that the various systems lack coordination, and that it is difficult for them to work together efficiently; they can realize the automatic delivery and linkage application of threat intelligence and so improve the efficiency of network security protection.
  • the embodiments of the present disclosure can also timely and effectively perform linkage application and repair of the latest and most valuable threat intelligence information obtained or analyzed, so as to improve the application effect of threat intelligence, and can track the application situation of threat intelligence.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can also promote the continuous and effective development of the threat intelligence ecological closed loop.
  • FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present disclosure
  • FIG. 2 is a schematic diagram of logic between various nodes involved in a blockchain-based threat intelligence application according to an embodiment of the present disclosure
  • FIG. 3 is a schematic block structure diagram of a node of an operation manager according to an embodiment of the present disclosure
  • FIG. 4 is a schematic block structure diagram of a node of an operated device according to an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of a first node according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of a second node according to an embodiment of the present disclosure.
  • FIG. 7 is a flowchart when the method for applying threat intelligence according to an embodiment of the present disclosure is applied to a first node
  • FIG. 8 is a flowchart when the method for applying threat intelligence according to an embodiment of the present disclosure is applied to a second node
  • FIG. 9 is an interactive flowchart of a threat intelligence application method according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic diagram of various smart contract methods for threat intelligence application according to an embodiment of the disclosure.
  • FIG. 11 is another schematic structural diagram of a first node according to an embodiment of the present disclosure.
  • FIG. 12 is another schematic structural diagram of a second node according to an embodiment of the present disclosure.
  • the embodiments of the present disclosure provide a blockchain-based threat intelligence application method and related equipment, which use blockchain technology to construct threat intelligence information and to automatically deliver threat intelligence and apply it in linkage.
  • the blockchain running the smart contracts enables the operation and maintenance administrator to automatically screen the application equipment, systems, infrastructure, etc. corresponding to different threat intelligence information, then carry out the corresponding automatic delivery, and then carry out the linkage application and repair.
  • the blockchain corresponding to component 101 is a blockchain-based threat intelligence sharing chain.
  • the threat intelligence providers can be various professional threat intelligence manufacturers, antivirus manufacturers, advanced persistent threat (APT) manufacturers, detection product manufacturers, free intelligence alliances and other roles; threat intelligence users can be operators, financial institutions, energy institutions, industrial Internet institutions and other roles.
  • the blockchain corresponding to component 102 and component 103 is a blockchain-based threat intelligence application chain.
  • Threat intelligence users are the threat intelligence users described in component 101, that is, operators, financial institutions, energy institutions, industrial Internet institutions, etc., and their roles corresponding to components 102 and 103 are generally operations managers.
  • the latest threat intelligence information can be obtained directly or through correlation analysis; then, through the smart contract in the automatic screening sub-module of the blockchain-based threat intelligence application system, the latest threat intelligence information is used to screen the devices or systems to which the corresponding intelligence needs to be delivered; the intelligence information is then delivered to the screened devices or systems through the automatic delivery sub-module of the blockchain-based threat intelligence application system, which then perform the corresponding linkage application and repair.
  • FIG. 2 provides a schematic diagram of the logic among the various nodes involved in the blockchain-based threat intelligence application corresponding to the components 102 and 103 , wherein each node forms a point-to-point communication on a logical level.
  • Each node can be the equipment of the operation manager or the equipment to be operated.
  • the block header includes the hash value of the previous block, the Merkle root, a random number and a timestamp;
  • the block body includes the threat intelligence information, the automatic screening status information of the operated devices and the information of the operated devices screened out by the first smart contract, the delivery status information of the operated devices, and the threat intelligence application status information.
  • the threat intelligence information is the latest and full threat intelligence obtained by the operation and maintenance administrator, which may include one or several of IP address information, domain name information, URL information, security event information, vulnerability information and other types of information.
  • the threat intelligence information in this block can be obtained from the shared chain, or shared by other chains on the node, or written into the block by the first node of the operation manager.
  • the automatic screening status information of the operated device is the information related to the automatic screening status of the operated device corresponding to the threat intelligence application.
  • the information is obtained after the first smart contract is executed, and is used to indicate whether the device screening is successful, that is, whether the first smart contract is successfully executed.
  • the delivery status information of the operated device is the information related to the status of delivering the threat intelligence to the operated device for the threat intelligence application.
  • the information is obtained after the execution of the second smart contract, and is used to indicate whether the information is issued successfully or not, that is, whether the second smart contract is successfully executed.
  • Threat intelligence application status information is the information about the linked application and repair status of threat intelligence on the operated device. The information is obtained after the third smart contract is executed, and is used to indicate whether the application and repair are successfully performed based on the threat intelligence information, that is, whether the third smart contract is successfully executed.
  • the smart contract it runs is the third smart contract.
  • Its block includes a block header and a block body. Please refer to Figure 4 for the specific structure.
  • the block header includes the hash value of the previous block, the Merkle root, a random number and a timestamp; the block body includes threat intelligence information and threat intelligence application status information.
  • the threat intelligence information is the latest threat intelligence information automatically screened by the node of the operation manager and delivered to the corresponding operated device. Specifically, it can be one or several types of threat intelligence information among IP address information, domain name information, URL information, security event information and vulnerability information.
  • Threat intelligence application status information is the information about the linked application and repair status of threat intelligence on the operated device. The information is obtained after the third smart contract is executed, and is used to indicate whether the application and repair are successfully performed based on the threat intelligence information, that is, whether the third smart contract is successfully executed.
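  • The block layout described above for both node types (a header holding the previous block's hash, a Merkle root, a random number and a timestamp, and a body holding the threat intelligence plus the three contracts' status fields) can be modelled in a few lines. The following Python is an added illustration, not code from the patent or its assignee: it hashes each body field as a Merkle leaf, chains blocks by header hash, and shows that editing any recorded status field breaks verification. The field names, the SHA-256 choice and the absence of any proof-of-work on the nonce are assumptions made for the example; consensus between nodes is not modelled.

```python
import hashlib
import json
import time
from dataclasses import asdict, dataclass, field
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(leaf_hashes: List[str]) -> str:
    """Merkle root over hex-encoded leaf hashes; an odd level duplicates its last node."""
    if not leaf_hashes:
        return sha256_hex(b"")
    level = list(leaf_hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [
            sha256_hex(bytes.fromhex(level[i]) + bytes.fromhex(level[i + 1]))
            for i in range(0, len(level), 2)
        ]
    return level[0]


@dataclass
class BlockBody:
    """Block body of the operation manager's chain: the five fields the disclosure names."""
    threat_intelligence: dict                                # intelligence obtained by the first node
    screening_status: Optional[dict] = None                  # output of the first smart contract
    screened_nodes: List[str] = field(default_factory=list)  # information of the second node(s)
    delivery_status: Optional[dict] = None                   # output of the second smart contract
    application_status: Optional[dict] = None                # status after the third contract's repair

    def leaf_hashes(self) -> List[str]:
        # One Merkle leaf per body field, serialised canonically so hashes are reproducible.
        fields = [self.threat_intelligence, self.screening_status, self.screened_nodes,
                  self.delivery_status, self.application_status]
        return [sha256_hex(json.dumps(f, sort_keys=True).encode()) for f in fields]


@dataclass
class BlockHeader:
    prev_hash: str    # hash value of the previous block
    merkle_root: str  # Merkle root over the body fields
    nonce: int        # the disclosure's "random number"; no proof-of-work is performed here (assumption)
    timestamp: int


@dataclass
class Block:
    header: BlockHeader
    body: BlockBody

    def hash(self) -> str:
        # The block hash commits to the header only; the body is bound through the Merkle root.
        return sha256_hex(json.dumps(asdict(self.header), sort_keys=True).encode())


class Chain:
    """Minimal append-only chain; agreement between nodes is assumed rather than modelled."""
    GENESIS_PREV_HASH = "0" * 64

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, body: BlockBody, nonce: int = 0, timestamp: Optional[int] = None) -> Block:
        prev_hash = self.blocks[-1].hash() if self.blocks else self.GENESIS_PREV_HASH
        header = BlockHeader(
            prev_hash=prev_hash,
            merkle_root=merkle_root(body.leaf_hashes()),
            nonce=nonce,
            timestamp=int(time.time()) if timestamp is None else timestamp,
        )
        block = Block(header, body)
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Re-derive every link and Merkle root; an edited body or a reordered block fails."""
        prev_hash = self.GENESIS_PREV_HASH
        for block in self.blocks:
            if block.header.prev_hash != prev_hash:
                return False
            if block.header.merkle_root != merkle_root(block.body.leaf_hashes()):
                return False
            prev_hash = block.hash()
        return True
```

  The defender's point is the last check: because each status field is a Merkle leaf, a node that later rewrote its delivery or repair status would change the root and be detected by any peer re-running `verify()`, which is what lets the application status of intelligence be tracked rather than merely asserted.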
  • FIG. 5 provides a schematic structural diagram of a first node serving as an operation manager according to an embodiment of the present disclosure.
  • the first node includes three parts, namely the underlying blockchain module 201, the smart contract layer module 202 and the application layer module 203, where:
  • the underlying blockchain module 201 is used to implement blockchain technology including consensus algorithm and block generation, etc., and to support and implement blockchain technology for all nodes of threat intelligence application.
  • For more specific details of the implementation of blockchain technology, please refer to the related technologies; they are not repeated here.
  • the smart contract layer module 202 is used to implement a smart contract for threat intelligence applications.
  • This module includes three sub-modules, namely an automatic screening sub-module 2021 for running the first smart contract, an automatic delivery sub-module 2022 for running the second smart contract, and a linkage application and repair sub-module 2023 for running the third smart contract; it can realize the deployment, execution, query, etc. of smart contracts.
  • the automatic screening sub-module 2021 is used to run the first smart contract to automatically screen out the second node, the second node being the operated device to which the threat intelligence information needs to be delivered, and to write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain.
  • the automatic delivery sub-module 2022 is used to run the second smart contract to automatically deliver the threat intelligence information to the second node, and to write the delivery status information output by the second smart contract into the blockchain based on the consensus mechanism.
  • the linkage application and repair sub-module 2023 is used to run the third smart contract and write the threat intelligence application state information of the second node into the blockchain based on the consensus mechanism, where the threat intelligence application state information is the information obtained by the second node after running the third smart contract to perform the repair operation.
  • the application layer module 203 is used to apply the threat intelligence in the blockchain.
  • This module includes a sub-module, that is, a blockchain-based threat intelligence application sub-module 2031, which is used to obtain threat intelligence information, so as to perform linkage application and repair of the threat intelligence information in the blockchain.
  • the automatic screening sub-module 2021 is also used to determine the equipment classification of the operated equipment, obtain the threat intelligence information in the blockchain, and determine the first intelligence type of the threat intelligence information; and, according to a preset correspondence between intelligence types and device classifications, determine the first device classification corresponding to the threat intelligence information and the nodes under the first device classification, obtain the second node, and output automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type and file MD5 type.
  • the device classification includes a device type and/or a device level, where the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operating data category, operating software type and hardware type carried by the device, and the device level may be obtained by classifying according to the level of the function or service performed by the device.
  • the automatic delivery sub-module 2022 is further configured to, when the automatic screening status information in the blockchain indicates that the device was successfully screened, deliver the threat intelligence information in the blockchain to the second node and obtain delivery status information indicating whether the information delivery succeeded.
  • the threat intelligence application state information is used to indicate whether the repair is successfully performed based on the threat intelligence information.
  • the block structure of the blockchain agreed by the first node includes a block header and a block body, where the block header includes the hash value of the previous block, the Merkle root, a random number and a timestamp.
  • the block body in the block on the blockchain includes the following information: the threat intelligence information to be delivered obtained by the first node, the automatic screening status information output by the first smart contract and the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform a remediation operation.
  • FIG. 6 provides a schematic structural diagram of a second node serving as an operated device for threat intelligence according to an embodiment of the present disclosure.
  • the second node includes three parts, namely the underlying blockchain module 301, the smart contract layer module 302 and the application layer module 303, where:
  • the underlying blockchain module 301 is used to implement blockchain technology including consensus algorithm and block generation, etc., to support and implement blockchain technology for all nodes of threat intelligence application.
  • For more specific details of the implementation of blockchain technology, please refer to the related technologies; they are not repeated here.
  • the smart contract layer module 302 is used to realize the smart contract of the threat intelligence application.
  • This module includes a linkage application and repair sub-module 3023 for running the third smart contract, which can realize the deployment, execution, and query of smart contracts.
  • the linkage application and repair sub-module 3023 is used to run the third smart contract to execute the repair operation corresponding to the threat intelligence information and obtain the threat intelligence application status information output by the third smart contract, and to write the aforementioned threat intelligence application status information into the blockchain based on the consensus mechanism.
  • the application layer module 303 is used to apply the threat intelligence in the blockchain.
  • This module includes a sub-module, namely the blockchain-based threat intelligence application sub-module 3031, which is used to obtain the threat intelligence information delivered by the first node, so as to perform linkage application and repair of the threat intelligence information in the blockchain.
  • the linkage application and repair sub-module is further configured to determine and execute the repair operation corresponding to the threat intelligence information according to a preset correspondence between different threat intelligence/intelligence types and repair operations, and to obtain threat intelligence application status information indicating whether the repair operation was successfully performed based on the threat intelligence information.
  • the block structure of the blockchain includes: a block header and a block body; wherein, the block header includes: the hash value of the previous block, Merkle root, random number and time stamp.
  • the block body in the block of the blockchain includes the following information: the threat intelligence information delivered by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
  • the application method of threat intelligence provided by the embodiment of the present disclosure when applied to the first node serving as an operation manager, includes:
  • Step 71 Obtain threat intelligence information.
  • Step 72 Run the first smart contract to automatically screen out a second node, where the second node is an operated device that needs to deliver the threat intelligence information.
  • that is, the first smart contract of the blockchain-based threat intelligence application, which automatically screens the operated devices, is run, and the second node, the operated device to which the threat intelligence information needs to be delivered, is screened out.
  • Step 73 based on the consensus mechanism, write the automatic screening status information output by the first smart contract and the information of the second node into the blockchain.
  • Step 74 Run the second smart contract, automatically deliver the threat intelligence information to the second node, and write the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism.
  • that is, the second smart contract of the blockchain-based threat intelligence application, which performs automatic delivery, is run, the threat intelligence information is delivered to the second node, and the delivery status information output by the second smart contract is written into the blockchain by consensus.
  • Step 75 Run a third smart contract, and write the threat intelligence application state information of the second node into the blockchain based on a consensus mechanism, where the threat intelligence application state information is the information obtained by the second node after running the third smart contract to perform the repair operation.
  • the embodiments of the present disclosure utilize the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, which can improve the efficiency of network security protection.
  • the running of the first smart contract to automatically screen out the second node may specifically include: determining the first device classification corresponding to the threat intelligence information, obtaining the second node from the nodes under the first device classification, and outputting automatic screening status information indicating whether the device screening succeeded.
  • the intelligence type includes at least one of the following types: IP type, domain name type, URL type, event type, vulnerability type and file MD5 type;
  • the device classification includes device type and/or device level, wherein the device type is obtained by classifying according to at least one of the application type, protocol type, operating system type, operated data category, operated software type and hardware type carried by the device, and the device level is obtained by grading according to the level of the function or service performed by the device.
  • the running of the second smart contract to automatically deliver the threat intelligence information to the second node may specifically include: when the automatic screening status information in the blockchain indicates that the device screening succeeded, sending the threat intelligence information in the blockchain to the second node, and obtaining delivery status information indicating whether the intelligence delivery succeeded.
  • the threat intelligence application status information is specifically used to indicate whether the repair is successfully performed based on the threat intelligence information.
  • the block structure of the blockchain includes: a block header and a block body; wherein, the block header includes: the hash value of the previous block, Merkle root, random number and time stamp.
  • the block body of a block on the blockchain includes the following information: the threat intelligence information to be delivered that is obtained by the first node, the automatic screening status information output by the first smart contract and the information of the second node, the delivery status information output by the second smart contract, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the remediation operation.
  • the threat intelligence application method provided by the embodiment of the present disclosure, when applied to the second node serving as the operated device, includes:
  • Step 81 Obtain the threat intelligence information issued by the first node.
  • the second node obtains the threat intelligence information issued by the first node, which is the operation manager.
  • Step 82 Run a third smart contract, perform a repair operation corresponding to the threat intelligence information, and obtain the threat intelligence application state information output by the third smart contract.
  • Step 83 Write the threat intelligence application status information into the blockchain based on the consensus mechanism.
  • the embodiments of the present disclosure utilize the blockchain technology and its smart contract to realize the automatic issuance and linkage application of threat intelligence, and improve the efficiency of network security protection.
  • the running of the third smart contract to execute the repair operation corresponding to the threat intelligence information may specifically include: according to the preset correspondence between different threat intelligence items or intelligence types and repair operations, determining and executing the repair operation corresponding to the threat intelligence information, to obtain threat intelligence application state information indicating whether the repair operation was successfully performed based on the threat intelligence information.
  • the block structure of the blockchain includes: a block header and a block body; wherein, the block header includes: the hash value of the previous block, Merkle root, random number and time stamp.
  • the block body of a block in the blockchain includes the following information: the threat intelligence information issued by the first node, and the threat intelligence application status information obtained by the second node after running the third smart contract to perform the repair operation.
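The block structure described above (a header carrying the previous block's hash, Merkle root, random number and timestamp; a body carrying the intelligence record and the status records) can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the patent or its applicant. It assumes SHA-256 for all hashes, canonical JSON for record serialisation, a Bitcoin-style Merkle tree that duplicates an odd leaf, and constructed sample records (a TEST-NET address and made-up device ids); the consensus protocol itself is out of scope. The point it shows is that once a screening, delivery or application status record has been committed under a Merkle root, a later edit to that record is detectable by any node that re-validates the chain.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(records: List[Dict[str, Any]]) -> str:
    """Merkle root over the body records. Assumption: each record is hashed as
    canonical JSON and an odd leaf is duplicated (Bitcoin-style tree)."""
    if not records:
        return sha256_hex(b"")
    layer = [sha256_hex(json.dumps(r, sort_keys=True).encode()) for r in records]
    while len(layer) > 1:
        if len(layer) % 2 == 1:
            layer.append(layer[-1])
        layer = [sha256_hex((layer[i] + layer[i + 1]).encode())
                 for i in range(0, len(layer), 2)]
    return layer[0]


@dataclass
class BlockHeader:
    prev_hash: str      # hash of the previous block's header
    merkle_root: str    # root over the body records
    nonce: int          # the "random number" field of the page's block header
    timestamp: int


@dataclass
class Block:
    header: BlockHeader
    body: List[Dict[str, Any]]

    def block_hash(self) -> str:
        return sha256_hex(json.dumps(asdict(self.header), sort_keys=True).encode())


GENESIS_PREV_HASH = "0" * 64


def append_block(chain: List[Block], body: List[Dict[str, Any]],
                 timestamp: int, nonce: int = 0) -> Block:
    """Build a block whose header commits to `body` and links to the chain tip."""
    prev = chain[-1].block_hash() if chain else GENESIS_PREV_HASH
    block = Block(BlockHeader(prev, merkle_root(body), nonce, timestamp), body)
    chain.append(block)
    return block


def validate_chain(chain: List[Block]) -> bool:
    """Re-derive every link and Merkle root; any edited record or header breaks it."""
    expected_prev = GENESIS_PREV_HASH
    for block in chain:
        if block.header.prev_hash != expected_prev:
            return False
        if merkle_root(block.body) != block.header.merkle_root:
            return False
        expected_prev = block.block_hash()
    return True


def build_example_chain() -> List[Block]:
    """Constructed sample: one block per phase of the page's flow (screening,
    delivery, application), each carrying the status record of that phase."""
    chain: List[Block] = []
    intel = {"intel_id": "ti-0001", "intel_type": "ip",
             "indicator": "203.0.113.7"}  # constructed TEST-NET address, not a real IoC
    append_block(chain, [intel,
                         {"record": "screening_status", "intel_id": "ti-0001",
                          "success": True, "second_nodes": ["fw-1", "ids-1"]}],
                 timestamp=1_627_000_000)
    append_block(chain, [{"record": "delivery_status", "intel_id": "ti-0001",
                          "success": True, "delivered_to": ["fw-1", "ids-1"]}],
                 timestamp=1_627_000_060)
    append_block(chain, [{"record": "application_status", "intel_id": "ti-0001",
                          "node": "fw-1", "success": True},
                         {"record": "application_status", "intel_id": "ti-0001",
                          "node": "ids-1", "success": False}],
                 timestamp=1_627_000_120)
    return chain


def tamper_check() -> bool:
    """Flip one application result after the fact; validation must now fail."""
    chain = build_example_chain()
    chain[2].body[1]["success"] = True
    return validate_chain(chain)


if __name__ == "__main__":
    chain = build_example_chain()
    print("valid:", validate_chain(chain))            # True
    print("valid after tampering:", tamper_check())    # False
```

A real deployment would also sign each record with the issuing node's key so that the block body proves who claimed a repair succeeded, not only that the claim was not altered later; that signing step is omitted here.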
  • FIG. 9 further shows the interaction flow of the blockchain-based threat intelligence application method according to the embodiment of the present disclosure. As shown in FIG. 9 , the flow includes the following steps:
  • Step 901 The operation manager obtains the latest threat intelligence information and outputs it to step 902.
  • Step 902 The first smart contract is run, and the devices or systems to which the information needs to be distributed are screened out. That is, the output of step 901 is received, the smart contract is run, and the operated devices are screened automatically.
  • Step 903 The automatic screening status information of the operated devices is fed back, that is, the output of step 902 is received and the automatic screening status information of the operated devices is fed back.
  • Step 904 The automatic screening status information of the operated devices is written into the blockchain by consensus, that is, the output of step 903 is received and the automatic screening status information of the operated devices is written into the blockchain according to the consensus mechanism of the blockchain.
  • Step 905 The second smart contract is run, and the intelligence information is sent to the screened devices or systems. That is, the output of step 904 is received, the smart contract is run, and the threat intelligence information is delivered to the corresponding operated devices.
  • Step 906 The delivery status information of the operated devices is fed back, that is, the output of step 905 is received and the delivery status information of the operated devices is fed back.
  • Step 907 The delivery status information of the operated devices is written into the blockchain by consensus, that is, the output of step 906 is received and the delivery status information of the operated devices is written into the blockchain according to the consensus mechanism of the blockchain.
  • Step 908 The third smart contract is run, and the corresponding linkage application and repair are performed, that is, the output of step 907 is received and the corresponding threat intelligence linkage application and repair are performed.
  • Step 909 The latest threat intelligence application state information is fed back, that is, the output of step 908 is received and the latest threat intelligence application state information is fed back.
  • Step 910 The threat intelligence application state information is written into the blockchain by consensus, that is, the output of step 909 is received and the threat intelligence application state information is written into the blockchain according to the consensus mechanism of the blockchain.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure address the situation in which threat intelligence information is held in isolation and the systems involved lack coordination, making efficient collaboration difficult.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure solve the problem that the related systems require relatively large manual intervention and cannot realize automatic distribution and linkage application.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can carry out the linkage application and repair of the latest and most valuable threat intelligence information obtained or analyzed in a timely and effective manner, so as to enhance the effect of threat intelligence application, and can track the application of threat intelligence.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure can promote the continuous and effective development of the threat intelligence ecological closed loop.
  • the blockchain-based threat intelligence application method and device provided by the embodiments of the present disclosure have certain commercial application and promotion value.
  • FIG. 10 shows the principles of the smart contract methods of the blockchain-based threat intelligence application in the embodiment of the present disclosure. Specifically:
  • Smart contracts encapsulate a number of predefined states and transition rules, scenarios that trigger contract execution (such as reaching a specific time or occurrence of a specific event, specific threat intelligence types, etc.), and response actions in specific scenarios (specific action execution, specific response execution), etc.
  • the blockchain can monitor the status of smart contracts in real time, and activate and execute contracts by verifying data sources and confirming that certain trigger conditions are met. The principle of each functional contract is introduced from the first node side.
  • for the first smart contract, the preset trigger condition is the acquired threat intelligence information.
  • the preset response rule is, if it is a certain type of threat intelligence information, which devices it corresponds to. That is, the condition is the type of threat intelligence information or specific threat intelligence information, and the response is the operated device or the set of operated devices corresponding to the threat intelligence information.
  • for the first smart contract, the method logic framework flow is as follows.
  • the input of the first smart contract is data on the blockchain - threat intelligence information, that is, the latest threat intelligence information on the blockchain.
  • the internal logic operation and operation process of the first smart contract are as follows:
  • the operating equipment is classified and graded.
  • the specific classification and grading standards can be based on the application type, protocol type, operating system type, operated data type, operated software type, hardware type, etc., carried by the system or equipment.
  • simple classification rules can be set, such as classifying directly according to the type of software and hardware carried; or more complex ones which, in addition to classifying by software and hardware type, grade the devices into level one, level two, level three and so on according to the different services or functions they perform.
  • the operated devices can be divided into operating systems, protocols, routers, switches, DNS servers, IDS, IPS, firewalls, and so on.
  • the classification method of the intelligence type is a direct classification method according to the type of intelligence, which is divided into IP class, domain name class, URL class, event class, vulnerability class, File MD5 class, etc.
  • the operated device or the operated device set corresponding to the threat intelligence type is obtained.
  • the smart contract generates the type of equipment or system affected by the intelligence type, for example operating system, protocol, router, switch, DNS server, IDS, IPS, firewall, etc., then maps the operated devices according to the obtained device or system type, and finally obtains the corresponding operated device or set of operated devices.
  • For example, for malicious URL type intelligence, the operated devices are aggregated as gateways, IDS or IPS.
  • For malicious domain name type intelligence, the operated device is the DNS server.
  • For malicious IP type intelligence, the operated devices are aggregated as firewalls, IDS or IPS.
  • For vulnerability type intelligence, the operated devices are aggregated as the various network devices or affected assets and network element devices detected by scanners, etc. In this way, the affected operated devices are automatically screened out by the smart contract, which lays the groundwork for converting fully centralized command execution into targeted distributed command execution.
  • the output of the first smart contract is the automatic screening status information of the operated devices, together with the screened operated device or set of operated devices, which are output to the blockchain.
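As an added example, not the patent's own code, the screening logic of the first smart contract described above can be written as a pure function over an inventory of operated devices. It follows the page's intelligence-type to device-type examples (URL to gateway/IDS/IPS, domain name to DNS server, IP to firewall/IDS/IPS, vulnerability to scanners and affected assets). The `Device`, `ThreatIntel` and `INVENTORY` names, the `software` and `affected_products` fields used to match vulnerability intelligence to assets, and the convention that level 1 is the most critical device level are assumptions of this example. Intelligence types the page names but gives no device mapping for (event, file MD5) produce a failed screening status rather than a guessed device set, which is what the consensus record should say.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Intelligence types named on the page; only four have a stated device mapping.
INTEL_TYPES = {"ip", "domain", "url", "event", "vulnerability", "file_md5"}

# Intelligence type -> affected device types, as the page describes them.
# "event" and "file_md5" are listed as types but given no device mapping, so
# the contract reports a screening failure for them rather than guessing.
TYPE_TO_DEVICE_TYPES: Dict[str, Set[str]] = {
    "url": {"gateway", "ids", "ips"},
    "domain": {"dns_server"},
    "ip": {"firewall", "ids", "ips"},
    "vulnerability": {"scanner"},  # plus affected assets, matched by software below
}


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str    # classification by the software/hardware the device carries
    level: int          # grading by the service it performs (assumption: 1 = most critical)
    software: str = ""  # assumed field, e.g. "nginx 1.18", matched against vulnerability intel


@dataclass(frozen=True)
class ThreatIntel:
    intel_id: str
    intel_type: str
    indicator: str
    affected_products: Tuple[str, ...] = ()  # assumed field carried by vulnerability intel


def _status(intel: ThreatIntel, success: bool, reason: str) -> Dict:
    """Automatic screening status record, to be written to the chain by consensus."""
    return {"record": "screening_status", "intel_id": intel.intel_id,
            "intel_type": intel.intel_type, "success": success, "reason": reason}


def first_smart_contract(intel: ThreatIntel,
                         devices: List[Device]) -> Tuple[Dict, List[str]]:
    """Screen the operated devices for one intelligence record.

    Returns the screening status record and the ids of the screened devices
    (the "second nodes"), ordered by level so the most critical are delivered
    to first."""
    if intel.intel_type not in INTEL_TYPES:
        return _status(intel, False, "unknown intelligence type"), []
    wanted = TYPE_TO_DEVICE_TYPES.get(intel.intel_type)
    if wanted is None:
        return _status(intel, False, "no device mapping for this type"), []
    selected = [d for d in devices if d.device_type in wanted]
    if intel.intel_type == "vulnerability":
        # affected assets are found by product match, not by device type
        selected += [d for d in devices
                     if d.software and d.software in intel.affected_products
                     and d not in selected]
    selected.sort(key=lambda d: (d.level, d.device_id))
    ids = [d.device_id for d in selected]
    if not ids:
        return _status(intel, False, "no operated device matched"), []
    return _status(intel, True, "ok"), ids


# Constructed inventory of operated devices for the demonstration.
INVENTORY = [
    Device("fw-1", "firewall", 1),
    Device("ids-1", "ids", 2),
    Device("gw-1", "gateway", 1),
    Device("dns-1", "dns_server", 1),
    Device("scan-1", "scanner", 3),
    Device("web-1", "web_server", 2, software="nginx 1.18"),
    Device("web-2", "web_server", 2, software="nginx 1.20"),
]


def demo() -> Dict[str, List[str]]:
    """Run the contract over constructed intelligence records; returns intel_id -> device ids."""
    samples = [
        ThreatIntel("ti-ip", "ip", "203.0.113.7"),            # constructed TEST-NET address
        ThreatIntel("ti-dom", "domain", "bad.example"),
        ThreatIntel("ti-vuln", "vulnerability", "VULN-PLACEHOLDER-1",
                    affected_products=("nginx 1.18",)),
        ThreatIntel("ti-evt", "event", "brute-force-login"),  # no mapping: screening fails
    ]
    out: Dict[str, List[str]] = {}
    for intel in samples:
        status, ids = first_smart_contract(intel, INVENTORY)
        out[intel.intel_id] = ids
        print(status, ids)
    return out


if __name__ == "__main__":
    demo()
```

Keeping the type-to-device table as data rather than branching code is what lets the same contract be re-deployed when a new intelligence type or device class is added; the table, not the contract logic, is what changes.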
  • the preset trigger condition is the screened operated equipment, and the preset response condition is to issue the corresponding threat intelligence. That is, the condition is which or which type of equipment is operated, and the response is threat intelligence information.
  • the method logic framework flow is as follows.
  • the input of this second smart contract is the data on the blockchain - the screened equipment to be operated.
  • the internal logic operation process of the second smart contract is as follows: in the smart contract, the latest threat intelligence information on the blockchain is obtained and issued to the screened operated devices.
  • the output of the second smart contract is the delivery status information of the operated devices, which is output to the blockchain.
  • for the third smart contract, the preset trigger condition is the issued threat intelligence information.
  • the preset response rule specifies which repair operations and linkage response applications are performed for a certain type of threat intelligence information. That is, the condition is the threat intelligence information type or a specific item of threat intelligence information, and the response is the linkage response application and repair operation corresponding to the threat intelligence information.
  • for the third smart contract, the method logic framework flow is as follows.
  • the input of the third smart contract is the data on the blockchain - threat intelligence information, that is, the latest threat intelligence information on the blockchain.
  • the internal logical operation process of the third smart contract is as follows:
  • the equipment to be operated is classified and graded.
  • the specific classification and grading standards can be based on the application type, protocol type, operating system type, operated data category, operated software type, hardware type, etc., carried by the system or equipment.
  • the operated devices can be divided into operating systems, protocols, routers, switches, DNS servers, IDS, IPS, firewalls, and so on.
  • the classification method of the intelligence type is a direct classification method according to the type of intelligence, which is divided into IP class, domain name class, URL class, event class, vulnerability class, File MD5 class, etc.
  • in the third smart contract, different types of responses are set for different types of intelligence information. Specifically, the response is set as the linkage response application and repair operation corresponding to the threat intelligence information. According to the intelligence obtained, responses can be directed to network elements, security devices, early warning centers, etc. The smart contract can generate new security policies based on the intelligence and then deploy these new policies to network elements and security devices; if necessary, it can also update the software version and modify the configuration of network elements and security devices. In this way, according to the intelligence classification in step 2 above, with the intelligence type as the condition and the corresponding response action as the response, execution of the response action is triggered, and that execution is finally directed at the affected device or system type to perform the actual response operation, while other devices are not affected.
  • For malicious URL type intelligence, it can be applied to a gateway, which can update its security policy by filtering the malicious URLs into a blacklist. It can also be applied to IDS or IPS by updating the protection rules for the corresponding URLs.
  • For malicious domain type intelligence, it can be applied to DNS servers, which can update their configuration by blacklisting the malicious domains.
  • For malicious IP type intelligence, it can be applied to firewalls, which can update their security policies by filtering the malicious IPs. This type of intelligence can also be applied to IDS or IPS by updating the protection rules for the corresponding IPs.
  • For vulnerability type intelligence, each network element device can fix the vulnerability by updating its software or hardware.
  • Detection plug-ins can also be pushed to scanners to detect the affected assets and network elements, etc. In this way, the linkage response application and repair corresponding to the threat intelligence can be realized.
  • the output of the third smart contract is threat intelligence application status information, which is output to the blockchain.
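The third smart contract is, in effect, a table from (intelligence type, device type) to a repair operation, plus a status record per device. The Python below is an added example written for this page, not the patent's or its applicant's code; it models the page's examples (URL to gateway blacklist and IDS/IPS rules, domain to DNS blacklist, IP to firewall policy and IDS/IPS rules, vulnerability to network element update and scanner plug-in) against a constructed in-memory device model. The `OperatedDevice` fields, the `reachable` flag used to simulate a device that cannot apply a change, and the `fixed_version` field on vulnerability intelligence are assumptions of the example. Two outcomes the page calls for are handled explicitly: a device type that a row of the table does not name is skipped (the page's "others will not be affected"), and a failed or unmapped repair is reported as a failed application status rather than silently dropped.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class OperatedDevice:
    device_id: str
    device_type: str  # gateway, dns_server, firewall, ids, ips, network_element, scanner
    blacklist: Set[str] = field(default_factory=set)  # URL / domain / IP filters
    rules: Set[str] = field(default_factory=set)      # IDS/IPS rules, scanner plug-ins
    version: str = ""
    reachable: bool = True  # constructed flag: an unreachable device cannot apply a change


def add_to_blacklist(dev: OperatedDevice, intel: Dict) -> bool:
    """Security-policy update by filtering the indicator into a blacklist."""
    if not dev.reachable:
        return False
    dev.blacklist.add(intel["indicator"])
    return True


def add_protection_rule(dev: OperatedDevice, intel: Dict) -> bool:
    """Protection-rule (or detection plug-in) update for the indicator."""
    if not dev.reachable:
        return False
    dev.rules.add(f"block {intel['intel_type']} {intel['indicator']}")
    return True


def update_software(dev: OperatedDevice, intel: Dict) -> bool:
    """Vulnerability fix by software update; needs the assumed fixed_version field."""
    fixed = intel.get("fixed_version")
    if not dev.reachable or not fixed:
        return False
    dev.version = fixed
    return True


# Preset correspondence between intelligence type, device type and repair
# operation, following the page's examples. Device types absent from a row are
# left untouched ("others will not be affected").
REMEDIATION: Dict[str, Dict[str, Callable[[OperatedDevice, Dict], bool]]] = {
    "url": {"gateway": add_to_blacklist,
            "ids": add_protection_rule, "ips": add_protection_rule},
    "domain": {"dns_server": add_to_blacklist},
    "ip": {"firewall": add_to_blacklist,
           "ids": add_protection_rule, "ips": add_protection_rule},
    "vulnerability": {"network_element": update_software,
                      "scanner": add_protection_rule},
}


def third_smart_contract(intel: Dict, device: OperatedDevice) -> Dict:
    """Run the repair operation for one delivered record on one device and
    return the threat intelligence application status record for the chain."""
    status = {"record": "application_status", "intel_id": intel["intel_id"],
              "node": device.device_id, "action": None}
    actions = REMEDIATION.get(intel["intel_type"])
    if actions is None:
        return {**status, "result": "failed",
                "reason": "no repair rule for intelligence type"}
    action = actions.get(device.device_type)
    if action is None:
        return {**status, "result": "skipped", "reason": "device type not affected"}
    ok = action(device, intel)
    return {**status, "action": action.__name__,
            "result": "success" if ok else "failed",
            "reason": "ok" if ok else "device did not apply the change"}


def demo() -> List[Dict]:
    """Constructed devices and intelligence; returns every status record produced."""
    devices = [
        OperatedDevice("fw-1", "firewall"),
        OperatedDevice("ids-1", "ids"),
        OperatedDevice("dns-1", "dns_server"),
        OperatedDevice("ne-1", "network_element", version="1.0"),
        OperatedDevice("ne-2", "network_element", version="1.0", reachable=False),
    ]
    intel = [
        {"intel_id": "ti-ip", "intel_type": "ip", "indicator": "203.0.113.7"},
        {"intel_id": "ti-vuln", "intel_type": "vulnerability",
         "indicator": "VULN-PLACEHOLDER-1", "fixed_version": "1.1"},
        {"intel_id": "ti-md5", "intel_type": "file_md5",
         "indicator": "MD5-PLACEHOLDER"},  # type named on the page, no repair rule given
    ]
    records = [third_smart_contract(i, d) for i in intel for d in devices]
    for r in records:
        print(r)
    return records


if __name__ == "__main__":
    demo()
```

Writing "skipped" and "failed" as distinct results matters for the tracking the page promises: a node that never applied a rule because it was not affected should not be confused with one that was supposed to apply it and could not.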
  • an embodiment of the present disclosure provides a schematic structural diagram of a first node 1100, including: a processor 1101, a transceiver 1102, a memory 1103, and a bus interface, wherein:
  • the first node 1100 further includes: a program stored on the memory 1103 and executable on the processor 1101, the program implements the following steps when executed by the processor 1101:
  • the automatic screening status information output by the first smart contract and the information of the second node are written into the blockchain
  • Running the second smart contract automatically delivering the threat intelligence information to the second node, and writing the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism;
  • Run the third smart contract and write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is: the information obtained after the second node runs the third smart contract to perform the repair operation.
  • the bus architecture may include any number of interconnected buses and bridges, in particular one or more processors represented by processor 1101 and various circuits of memory represented by memory 1103 linked together.
  • the bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein.
  • the bus interface provides the interface.
  • Transceiver 1102 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other devices over a transmission medium.
  • the processor 1101 is responsible for managing the bus architecture and general processing, and the memory 1103 may store data used by the processor 1101 in performing operations.
  • the terminal in this embodiment is a node corresponding to the method shown in FIG. 7 , and the implementation manners in the above embodiments are all applicable to the embodiments of the node, and the same technical effect can also be achieved.
  • the transceiver 1102 and the memory 1103, as well as the transceiver 1102 and the processor 1101, can be communicatively connected through the bus interface; the function of the processor 1101 can also be realized by the transceiver 1102, and the function of the transceiver 1102 can also be realized by the processor 1101.
  • a computer-readable storage medium on which a program is stored, and when the program is executed by a processor, the following steps are implemented:
  • the automatic screening status information output by the first smart contract and the information of the second node are written into the blockchain
  • Running the second smart contract automatically delivering the threat intelligence information to the second node, and writing the delivery status information output by the second smart contract into the blockchain based on a consensus mechanism;
  • Run the third smart contract and write the threat intelligence application status information of the second node into the blockchain based on the consensus mechanism, wherein the threat intelligence application status information is: the information obtained after the second node runs the third smart contract to perform the repair operation.
  • an embodiment of the present disclosure provides a schematic structural diagram of a second node 1200, including: a processor 1201, a transceiver 1202, a memory 1203, and a bus interface, wherein:
  • the second node 1200 further includes: a program stored on the memory 1203 and executable on the processor 1201, the program implements the following steps when executed by the processor 1201:
  • Running a third smart contract performing a repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
  • the threat intelligence application state information is written into the blockchain.
  • the bus architecture may include any number of interconnected buses and bridges, specifically one or more processors represented by processor 1201 and various circuits of memory represented by memory 1203 linked together.
  • the bus architecture may also link together various other circuits, such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be described further herein.
  • the bus interface provides the interface.
  • Transceiver 1202 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other devices over a transmission medium.
  • the processor 1201 is responsible for managing the bus architecture and general processing, and the memory 1203 may store data used by the processor 1201 in performing operations.
  • the terminal in this embodiment is a node corresponding to the method shown in FIG. 8 , and the implementation manners in the above embodiments are all applicable to the embodiments of the node, and the same technical effect can also be achieved.
  • the transceiver 1202 and the memory 1203, as well as the transceiver 1202 and the processor 1201, can be communicatively connected through the bus interface; the function of the processor 1201 can also be realized by the transceiver 1202, and the function of the transceiver 1202 can also be realized by the processor 1201.
  • a computer-readable storage medium on which a program is stored, and when the program is executed by a processor, the following steps are implemented:
  • Running a third smart contract performing a repair operation corresponding to the threat intelligence information, and obtaining the threat intelligence application status information output by the third smart contract;
  • the threat intelligence application state information is written into the blockchain.
  • the disclosed apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present disclosure.
  • each functional unit in each embodiment of the present disclosure may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present disclosure can be embodied in the form of software products in essence, or the parts that contribute to the prior art or the parts of the technical solutions.
  • the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present disclosure.
  • the aforementioned storage medium includes: a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk and other mediums that can store program codes.
  • modules, units, sub-modules, sub-units, etc. can be implemented in one or more Application Specific Integrated Circuits (ASIC), Digital Signal Processors (DSP), Digital Signal Processing Devices (DSPD), Programmable Logic Devices (PLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, or other electronic units or combinations thereof that perform the functions described in this disclosure.

Abstract

The invention relates to a threat intelligence application method and device. The method includes the steps of: acquiring threat intelligence information; running a first smart contract and automatically screening out a second node, the second node being an operated device to which the threat intelligence information is to be delivered; on the basis of a consensus mechanism, writing into a blockchain automatic screening status information output by the first smart contract together with information of the second node; running a second smart contract, automatically delivering the threat intelligence information to the second node and, on the basis of the consensus mechanism, writing into the blockchain delivery status information output by the second smart contract; then running a third smart contract and, on the basis of the consensus mechanism, writing threat intelligence application status information of the second node into the blockchain.
PCT/CN2021/107639 2020-07-30 2021-07-21 Threat intelligence application method and device WO2022022361A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010754576.2A CN114095187B (zh) 2020-07-30 2020-07-30 Threat intelligence application method, device and computer-readable storage medium
CN202010754576.2 2020-07-30

Publications (1)

Publication Number Publication Date
WO2022022361A1 (fr) 2022-02-03

Family

ID=80037128

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/107639 WO2022022361A1 (fr) 2020-07-30 2021-07-21 Threat intelligence application method and device

Country Status (2)

Country Link
CN (1) CN114095187B (fr)
WO (1) WO2022022361A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108898021A (zh) * 2018-06-04 2018-11-27 北京奇虎科技有限公司 Blockchain-based threat intelligence processing method, system and computing device
CN109981564A (zh) * 2019-01-28 2019-07-05 中国科学院信息工程研究所 A blockchain-based threat intelligence exchange and sharing method
CN110334155A (zh) * 2019-07-09 2019-10-15 佛山市伏宸区块链科技有限公司 A blockchain threat intelligence analysis method and system based on big data integration
US20200067963A1 (en) * 2019-10-28 2020-02-27 Olawale Oluwadamilere Omotayo Dada Systems and methods for detecting and validating cyber threats

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019170173A2 (fr) * 2019-06-27 2019-09-12 Alibaba Group Holding Limited Managing cybersecurity vulnerabilities using blockchain networks
CN110493345A (zh) * 2019-08-23 2019-11-22 北京智芯微电子科技有限公司 Blockchain-based IoT terminal software upgrade method and system

Also Published As

Publication number Publication date
CN114095187B (zh) 2023-05-09
CN114095187A (zh) 2022-02-25

Similar Documents

Publication Publication Date Title
EP3430783B1 (fr) Multi-host threat tracking
US10003610B2 (en) System for tracking data security threats and method for same
US9985982B1 (en) Method and apparatus for aggregating indicators of compromise for use in network security
Khairi et al. A Review of Anomaly Detection Techniques and Distributed Denial of Service (DDoS) on Software Defined Network (SDN).
US9565204B2 (en) Cyber-security system and methods thereof
Lai et al. Using the vulnerability information of computer systems to improve the network security
Dietzel et al. Stellar: network attack mitigation using advanced blackholing
Narang et al. Peershark: detecting peer-to-peer botnets by tracking conversations
US10187400B1 (en) Packet filters in security appliances with modes and intervals
US20160078236A1 (en) System and method for programmably creating and customizing security applications via a graphical user interface
Hyun et al. SDN-based network security functions for effective DDoS attack mitigation
Narang et al. PeerShark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification
US11343143B2 (en) Using a flow database to automatically configure network traffic visibility systems
US20240031380A1 (en) Unifying of the network device entity and the user entity for better cyber security modeling along with ingesting firewall rules to determine pathways through a network
Pavlidis et al. Orchestrating DDoS mitigation via blockchain-based network provider collaborations
KR20210012962A (ko) I2NSF NSF monitoring YANG data model
WO2022022361A1 (fr) Threat intelligence application method and device
US10038603B1 (en) Packet capture collection tasking system
Balistri et al. Design guidelines and a prototype implementation for cyber-resiliency in IT/OT scenarios based on blockchain and edge computing
WO2022022248A1 (fr) Method and apparatus for emergency response to threat intelligence
CN115396347B (zh) A man-in-the-middle-based routing protocol fuzz testing method and system
Cruz et al. A distributed IDS for industrial control systems
Kruegel Network alertness: towards an adaptive, collaborating intrusion detection system
Seo et al. An application of blackboard architecture for the coordination among the security systems
WO2022171380A1 (fr) Anomaly detection

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21849214

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 21849214

Country of ref document: EP

Kind code of ref document: A1