
Research On Cyber Threat Intelligence Sharing Mechanism In Community Scenarios

Posted on: 2021-04-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y Lin
Full Text: PDF
GTID: 2518306047486734
Subject: Cyberspace security
Abstract/Summary:
With the continuous development of network technology, network attacks have become increasingly generalized and diversified. New threats represented by Advanced Persistent Threats have emerged. In the face of these multi-stage, multi-vector and sustained new threats, the traditional defense system, mainly comprising firewalls, intrusion detection systems and intrusion prevention systems, cannot achieve effective detection and has been left in a passive position. In recent years, threat intelligence sharing has become a powerful tool for enhancing cybersecurity situational awareness and defense capabilities. Through the interconnection of information systems, threat intelligence flows actively among organizations, establishing a healthy and efficient threat intelligence ecosystem. However, at present, related threat intelligence sharing research stays only at the government level, where organizations share information directly with government entities at a centralized location. What is lacking is collaboration among different organizations in the same sector or across different sectors in a community. Therefore, this paper, relying on the extended g-SIS model as the overall architecture, places cyber threat intelligence in the context of the community and explores cross-sector collaborative network security handling within the community. Threat intelligence sharing lets community-wide security defenses communicate and enables communities to identify potential risks early and to prevent and deal with them promptly.

On the one hand, most current research on threat intelligence sharing takes the perspective of architecture, ignoring guidance on sharing operations and processes, and little attention has been paid to the techniques needed to maintain situational awareness. To this end, this paper first proposes a community collaborative threat intelligence sharing mechanism named CTIShare_Bb, based on the blackboard model, which can be used to identify potential risks, prevent network attacks at an early stage and promote community emergency response. According to the Chinese national standard, we divide threat intelligence sharing into conventional sharing and attack-specific sharing. In addition, based on the blackboard model, this paper designs a threat intelligence sharing module for specific attacks and describes the sharing process. Next, we design the blackboard monitoring mechanism as a multi-agent system to realize many functions in the sharing process. Finally, we describe the community threat intelligence sharing scenario from several aspects to demonstrate the effectiveness of the scheme.

On the other hand, centralized threat intelligence sharing brings weak reliability and low efficiency. Barriers of trust between sharers, privacy concerns about sensitive information, and sophisticated management strategies can also prevent effective threat intelligence sharing. To this end, this paper proposes a community threat intelligence sharing framework based on blockchain technology, called CTIShare_Bc, which can not only eliminate the barrier of trust between community members but also ensure the security, effectiveness, invariability, traceability and auditability of the threat intelligence sharing process. In this framework, on-chain and off-chain storage are designed; that is, operations on the actual data held in off-chain storage devices are recorded in on-chain storage in the form of transactions. At the same time, the introduction of security policies can limit access to sensitive data and keep out intruders. This paper also designs a detailed sharing scenario for CTIShare_Bc to demonstrate the feasibility of community threat intelligence sharing.

This paper analyzes and discusses the performance of the two mechanisms, CTIShare_Bb and CTIShare_Bc, and explores the advantages brought by their respective core components and technologies. Through the comparison of the two mechanisms, this paper examines the differences and connections between the centralized and decentralized methods of threat intelligence sharing: the centralized model represented by the blackboard model can provide the prerequisites for early threat correlation analysis; the blockchain-centric decentralized model can provide strong support in solving trust and privacy issues. In addition, this paper selects representative network security information sharing methods from recent years and compares them with the research of this paper from five aspects, highlighting the advantages of this research in terms of access control, early defense, data standardization, and mitigation of trust and privacy issues.
Keywords/Search Tags: Threat Intelligence, Sharing, Community, Blackboard Model, Blockchain