Blockchain-Based Cyber Threat Intelligence Sharing Using Proof-of-Quality Consensus

Abstract

Cyber threat intelligence (CTI) is contextualised knowledge, built on information that is collected, processed, analysed, and disseminated to the right audience, in order to comprehend a malicious threat actor’s motivation, goals, objectives, targets, and attack behaviours. The CTI value increases by the ability to be shared, consumed, and actioned timely, by the right stakeholders, based always on quality standards and parameters, which boost the cyber security community to understand how adversaries act and to counter the constantly emerging sophisticated cyber threats. In this article, along with the identification of research gaps, after a comparison between existing research studies in the similar scope of CTI evaluation and sharing mechanisms, we propose a blockchain-based cyber threat intelligence system architecture, which collects, evaluates, stores, and shares CTI, enabling tamper-proof data and exclusion of untrustworthy evaluation peers, while evaluating, at the same time, the quality of CTI Feeds against a defined set of quality standards. The evaluation of the data is performed utilising a reputation and trust-based mechanism for selecting validators, who further rate the CTI feeds using quality-based CTI parameters, while the consensus for preserving the fairness of the results and their final storage is performed via the recently introduced proof-of-quality (PoQ) consensus algorithm. The data, which are stored in the proposed ledger, constitute a reliable, distributed, and secure repository of CTI Feeds and contain their objective evaluation, as well as the performance of the validators who participated in each evaluation, while these data can be further used for assessing the reputation of CTI Sources. Finally, in order to assess the proposed system’s reliability, integrity, and tolerance against malicious activities, the model is subject to a theoretical analysis using a probabilistic simulation, taking into account various aspects and features of the integrated mechanisms. The results show that the tolerance against malicious validators is acceptable, even when the ratio between legitimately vs. maliciously behaving validators is 1 : 50.