Next Article in Journal
Suicide-Related Groups and School Shooting Fan Communities on Social Media: A Network Analysis
Previous Article in Journal
Static Malware Analysis Using Low-Parameter Machine Learning Models
Previous Article in Special Issue
Introducing a Fair Tax Method to Harden Industrial Blockchain Applications against Network Attacks: A Game Theory Approach
 
 
Systematic Review
Peer-Review Record

Cyber Threat Intelligence on Blockchain: A Systematic Literature Review

by Dimitrios Chatziamanetoglou * and Konstantinos Rantos
Reviewer 1: Anonymous
Reviewer 2:
Reviewer 3: Anonymous
Submission received: 3 January 2024 / Revised: 22 February 2024 / Accepted: 23 February 2024 / Published: 26 February 2024
(This article belongs to the Special Issue BLockchain Enabled Sustainable Smart Cities (BLESS 2022))

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The paper emphasizes the combination of Cyber Threat Intelligence (CTI) and blockchain in enhancing data security, quality assurance, trust, and privacy. It identifies critical themes like trust and privacy in blockchain-based CTI, the significance of the dissemination phase in the CTI lifecycle, and the focus on different types of blockchains and supporting technologies.

1) Prisma method implementation concerns:

1.       Keyword Selection and Scope: The primary concern is that the keyword "cyber AND threat AND intelligence AND blockchain" is too narrow, potentially omitting relevant literature on Cyber Threat Intelligence (CTI), encompassing a range of activities beyond just blockchain applications. CTI includes a spectrum of operations from Tactical to Strategic levels, with varying complexities and requirements. The selected keyword may not capture literature addressing these nuances, thus limiting the breadth of your review.

2.       Research Coverage: By focusing on a narrow keyword, the review risks missing critical literature that could comprehensively inform the intersection of CTI and blockchain. A systematic literature review (SLR) must cast a wide net to include various aspects of CTI, such as 'Threat Feeds,' 'Real Time Alerts,' 'Threat Monitoring,' 'Incident Response,' 'Campaign Tracking,' and 'Threat Research.' These terms represent different levels and types of threat intelligence activities, which could significantly intersect with blockchain technology in various ways.

3.       Methodological Rigor: A more robust SLR would involve developing a complex keyword strategy that captures the multifaceted nature of CTI. This might include using broader terms, synonyms, and related concepts in the search criteria to ensure a comprehensive dataset is collected.

4.       Discussion and Analysis: Due to the narrow keyword selection, the discussion in the SLR is likely limited and does not fully explore the potential of blockchain within the broader context of CTI. The paper should address this by discussing the implications of the results within the broader spectrum of CTI activities and how blockchain could influence or enhance these at different levels of operation.

5.       Proposal for Keyword Refinement: Before conducting another search, it is recommended that a more extensive literature review on CTI is performed. This would provide a refined and more inclusive keyword strategy. The goal would be to develop a layered keyword approach that includes general terms, specific activities, and variations to encompass the full scope of CTI regarding blockchain.

2) Data Presentation:

Enhancing your review with the inclusion of perspectives and summarizations for different CTI perspectives could improve the depth of your analysis:

1.       Perspectives of Security Team Members: Your results currently do not provide insights into how different security team roles might leverage the findings. For a more robust discussion, consider how the integration of CTI and blockchain impact roles like Security Analysts, SOC teams, CSIRT, and Executive Management. Different roles may have varying interests and requirements from the intersection of CTI and blockchain.

2.       CTI Levels Visualization: Adding visual elements such as charts or tables that summarize findings across the Tactical, Operational, and Strategic levels of CTI would aid in comprehension. Such visualization would make the paper more engaging, and help readers quickly grasp how blockchain technology can be applied across the different layers of CTI.

3.       Tailored Results Presentation: Tailoring the presentation of results to reflect the utility for various CTI levels and security roles can provide a multi-faceted view of the research landscape. This approach would highlight how different CTI strategies can be enhanced by blockchain, thereby making the paper more relevant to practitioners and decision-makers in the field.

Implementing my suggestion will lead to significant enhancement of the discussion section.

 

 

Comments on the Quality of English Language

Minor editing of English language required

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

Summary: 

 

The article examines how Cyber Threat Intelligence (CTI) and blockchain technology intersect, recognizing the growing importance of CTI in safeguarding organizations against cyber threats and the difficulties related to handling, storing, analyzing, and sharing extensive and sensitive threat intelligence data. The authors perform a comprehensive review of existing literature to explore recent progress and emerging patterns in this intersection. They discover that blockchain technology presents a promising solution to tackle these challenges. The review uncovers an even distribution across the operational, tactical, and technical aspects of CTI, with a dual emphasis on both permissioned, private blockchains and permissionless, public blockchains. Additionally, the authors identify a diverse range of supporting technologies, such as smart contracts, machine learning, federated learning, consensus algorithms, IPFS, deep learning, and encryption. The article also evaluates the maturity of these technologies, showing an overall balance between early to mid-stages of maturity in implementation. The authors highlight trust and privacy as key themes within the realm of CTI based on blockchain technology, emphasizing the dissemination phase as critical in the CTI lifecycle.

 

Identified issues:

 

In my opinion, the biggest issue with this paper is Section 5. This section is called "Literature review" and contains descriptions or summaries of all the papers that were identified as relevant in the systematic literature review. However, by placing all these descriptions in this lengthy section, the paper becomes less interesting for the readers. The readers want some kind of summary. They want to get some main insights from the SLR. I would advise changing this section to the "Results" section and presenting the main results there. This would also mean that Section 6 needs to be updated too as it currently contains both the results and the discussion. Section 6 is also missing some references that would show from which papers some of the mentioned statements come.

 

In the abstract, the authors should be specific and state directly that they conduct a systematic literature review.

 

"This definition guides our exploration, ensuring a consistent and precise framework for our study." - The authors state that the definition of the CTI from NIST that they use ensures a consistent and precise framework for our study. The authors should elaborate on how this is ensured.

 

"Specifically, we reviewed research papers published in recent years to investigate the various proposals, methodologies, models and implementations related to the distributed ledger technology and how this technology can be used to collect, store, analyse and share CTI in a secured and controlled manner, as well as how this combination can further support additional dimensions such as quality assurance, reputation and trust." -> The authors should directly state which time period this study encompasses. They should not be vague by stating "in recent years". As this is Section 1, the reader should have some idea of what is all covered in this study.

 

In Section 2, it would be highly beneficial to provide a table that compares this work to related work. It is not fully clear what are the differences. In addition, the authors state: "however is not considered as comprehensive since it did not cover all existing literature researches in the field by the time it was conducted", which is very confusing and hard to understand what the authors want to state here.

 

The authors mention that they have applied the PRISMA methodology for the systematic literature review. What is the reason for focusing on such a methodology? Why did you not apply the methodology by B. Kitchenhamm? It would be beneficial to provide some additional statements in this regard as well as a short description of what the PRISMA methodology involves. 

 

The authors should consider applying snowballing methodology on the final set obtained from the application of the search string method.

 

In RQ4, the authors mention some examples of technologies and methodologies. In my opinion, it would be better to mention these somewhere else and keep the research question compact.

 

"The search criteria were based on the English language and there were no exclusions since the intent was to gather first all the relevant output and then screen the content on a manual basis for more accuracy." -> Why were non-full articles not excluded instantly?

 

"13 found to have a general reference to CTI but with no contributing value to the present research." -> How did the authors determine whether the certain paper does not contribute to the present research?

 

"The next procedural step that have to be applied is the definition of the research strategy, which encompasses the selection of data sources, research string, and the criteria for selection." -> In this sentence, the authors mention selection criteria. However, I could not find any other mention or description of the selection criteria that they applied. Perhaps it would be beneficial to explicitly state what are inclusion and exclusion criteria. 

 

"TITLE-ABS-KEY (cyber AND threat AND 

intelligence AND blockchain)" -> Why is the search string not in a single line?

 

"This approach stems from the need for simplicity and a focus on presenting a higher level overview." -> The authors mentioned in the related work that other approaches lean towards simplicity. However, in the methodology section, they also state that their approach focuses on a higher-level overview. This brings up the question of what is the difference between this work and the related work.

 

The authors should consider creating a background section since many parts of Section 4 can be considered as background information.

 

In Section 5, some of the papers are described as a single sentence, even though most of the others are presented as a paragraph.

 

The authors should provide a link to the external repository that presents the classification of all the papers. This would benefit the replicability of the study. 

 

It would be highly beneficial to provide threats to validity systematically. 

 

The authors should consider discussing future work.

 

 

Comments on the Quality of English Language

Below you can find minor issues that were identified. These relate to grammar, typos, sentence structure issues, etc. This is shown by indicating the page number, a sentence with an issue, and a corrected sentence. The page number indicates the issue that is located on a page on which an addressed sentence starts (it may finish on the following page). These issues are presented in order to improve the overall readability of the publication. I would suggest someone proofread your paper in detail.

 

pg.2 line 56: "Their collective effort is geared towards establishing a dependable, timely, and accurate framework for the dissemination of CTI." -> "Their collective effort is geared toward establishing a dependable, timely, and accurate framework for the dissemination of CTI."

 

pg. 3 line 118: "This study, presented a very high level overview of the related research areas, however is not considered as comprehensive since it did not cover all existing literature researches in the field by the time it was conducted." -> "This study, presented a very high-level overview of the related research areas, however, is not considered as comprehensive since it did not cover all existing literature research in the field by the time it was conducted."

 

pg. 4 line 146: "Our research scope is focusing on the dynamic interplay and overlap between blockchain technology and CTI, with a particular emphasis on their integration within the broader framework of the various other contributing factors, such as stages of the CTI Lifecycle, supporting technology, CTI levels and blockchain type." -> "Our research scope focuses on the dynamic interplay and overlap between blockchain technology and CTI, with a particular emphasis on their integration within the broader framework of the various other contributing factors, such as stages of the CTI Lifecycle, supporting technology, CTI levels, and blockchain type."

 

pg. 4 line 152: "Taking into consideration that the research in the field of CTI and blockchain is growing during the last years, the objective of the present review is to present a comprehensive and systematic bibliographic review of related work which is published the last five years and if possible identify the areas and potential trends which show increased research interest." -> "Taking into consideration that the research in the field of CTI and blockchain has grown during the last years, the objective of the present review is to present a comprehensive and systematic bibliographic review of related work which is published in the last five years and if possible identify the areas and potential trends which show increased research interest."

 

pg. 5 line 181: "The next procedural step that have to be applied is the definition of the research strategy, which encompasses the selection of data sources, research string, and the criteria for selection." -> "The next procedural step that has to be applied is the definition of the research strategy, which encompasses the selection of data sources, research string, and the criteria for selection."

 

pg. 5 line 204: "During the initial screening process, 79 publications passed as being withing the margins of the research scope and 79 were filtered out.During the initial screening process, 79 publications passed as being withing the margins of the research scope and 79 were filtered out." -> "During the initial screening process, 79 publications passed as being within the margins of the research scope and 79 were filtered out."

 

pg. 8 line 305: "However, this assessment will not take place on a comprehensive basis, as a detailed assessment is not on the objectives of this review." -> "However, this assessment will not take place on a comprehensive basis, as a detailed assessment is not one the objectives of this review."

 

pg. 9 line 325: "This research demonstrate that the proposed framework is secure against common privacy and trust issues and provide some evidence that the proof-of-concept prototype using Ethereum is both scalable and cost-effective." -> "This research demonstrates that the proposed framework is secure against common privacy and trust issues and provides some evidence that the proof-of-concept prototype using Ethereum is both scalable and cost-effective."

 

pg. 9 line 331: "Moreover, by leveraging blockchain technology, trust among sharing members is increased, while eliminate the need for trusted third parties, and ensure both security and efficiency in CTI sharing." -> "Moreover, by leveraging blockchain technology, trust among sharing members is increased, while eliminating the need for trusted third parties, and ensuring both security and efficiency in CTI sharing."

 

pg. 10 line 364: "Al-Sharu et at. [35] introduce a blockchain-based data sharing approach that focuses on safeguarding the privacy of CTI sharing entities while preventing unauthorized sharing and benefiting legitimate sharing parties." -> "Al-Sharu et al. [35] introduce a blockchain-based data sharing approach that focuses on safeguarding the privacy of CTI sharing entities while preventing unauthorized sharing and benefiting legitimate sharing parties."

 

pg. 12 line 502: "The modified Proof-of-Vote (PoV) consensus algorithm is utilized to address latency issues during block mining, and the threat intelligence model employs an autoencoder to tranform data and an RNN-DL to identify cyber-attacks." -> "The modified Proof-of-Vote (PoV) consensus algorithm is utilized to address latency issues during block mining, and the threat intelligence model employs an autoencoder to transform data and an RNN-DL to identify cyber-attacks."

 

pg. 12 line 513: "Furthermore, the proposal includes an profit distribution method based on an improved Shapley value to enhance the motivation of contributors within the threat intelligence sharing process." -> "Furthermore, the proposal includes a profit distribution method based on an improved Shapley value to enhance the motivation of contributors within the threat intelligence sharing process."

 

pg. 16 line 587: "Analytic depiction of the research papers’ distribution per research question of this study, is shown in Figure 4." -> "An analytic depiction of the research papers’ distribution per research question of this study, is shown in Figure 4."

 

pg. 18 line 696: "Finally, the aspects of encryption, mostly homomorphic encryption, introduces a critical dimension, emphasizing the role of secure communication and data protection in the fusion of blockchain and CTI." -> "Finally, the aspects of encryption, mostly homomorphic encryption, introduce a critical dimension, emphasizing the role of secure communication and data protection in the fusion of blockchain and CTI."

pg. 20 line 787: "The future convergence of CTI and blockchain technology is subject of steadily growing significant advancements, with several key trajectories shaping the landscape." -> "The future convergence of CTI and blockchain technology is the subject of steadily growing significant advancements, with several key trajectories shaping the landscape."

Author Response

Please see the attachment.

Also please find in the below link, the file you requested, showing the categorization of the papers.

https://docs.google.com/spreadsheets/d/1Loe_mOgBsYsC29xKv7qAPq8pOOMXpfapO7qjhs9iUNE/edit?usp=drive_link

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors
  • Summary: This paper provide a systematic review on state-of-the-arts on cyber threat intelligence (CIT), especially focusing on the integration of CIT and BC.
  • Strong points:
    • The research questions are clearly defined and main contributions are highlighted by comparing with related work.
    • Author provide details on research methodology, like research scope and SLR methods.
    • The findings are clearly demonstrated as figures and tables, which help readers gain a overview about the CTI-BC topics.
  • Weak points
    • The abstract should be reorganized to justify novelty, explain findings and contributions, and impacts of the research. Especially for these sentences starting from line 10, which just list some findings or tasks but without logic connections. Author need rewrite them to offer summary of key contributions and clearly present merit, and impact of research. 
    • Author put summary of research papers in section 5. Literature review as a whole without using sub-section to classify them. Although table 2 shows summary of papers regarding their characteristics, but it still hard to understand how these papers can contribute to your RQ. I strong suggest: 1) category reviewed research papers into several sub-sections and explain how they fulfill QR; 2) For each sub-section (topics), provide "lesson and learn" to briefly discuss advantages and limitations of existing solutions.
    • In section discussion, author could add discussions on challenges and future research opportunities. This is one of most important survey work that provide inspirations to researchers who work on CTI or related fields.
Comments on the Quality of English Language

This paper is well written.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

My comments were responded to.

Author Response

Dear Reviewer,

We greatly appreciate your constructive feedback, as it has definitely contributed to improving our research results.

Respectfully

Reviewer 2 Report

Comments and Suggestions for Authors

I would like to thank the authors for taking the time to improve the paper. The paper is now in a better state. However, there are still some minor issues that should be addressed. These can be found below.

I would suggest exchanging the order of the last two sections. The Conclusion Section should be after the Threats to Validity Section.

In Section 9, it would be beneficial to mention how do you/would you address the mentioned threats to validity. In addition, you could structure this section by using one of the methodologies for addressing threats to validity.

 

In Table 1, the authors wrote "SRL" instead of "SLR".

 

Even though the authors in related work papers do not explicitly mention the period that they target in their literature reviews, this can be deduced based on the papers they collected. It would be beneficial to enter this information in Table 1.

 

It would be beneficial for the readers if the authors would put a text box with the main takeaways after each research question was answered (for subsection of Section 6). 

 

Comments on the Quality of English Language

"Different configurations, whether public, private, or consortium, introduce distinct considerations that shape the collaborative CTI sharing landscape." -> "Different configurations, whether public, private, or consortium, introduce distinct considerations that shape the collaborative CTI-sharing landscape."

"The emphasis lies in overcoming trust barriers and addressing data privacy concerns inherent in the domain of CTI. " -> "The emphasis lies on overcoming trust barriers and addressing data privacy concerns inherent in the domain of CTI. "

 

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

Author has answered my questions in R1 review. 

Author Response

Dear Reviewer,

We greatly appreciate your constructive feedback, as it has definitely contributed to improving our research results.

Respectfully

Back to TopTop