Data Streams

Deploying new online threats is incredibly easy.

Bad actors can launch a malicious dApp and share the link to an audience of tens of thousands within seconds. The average lifespan of these malicious links is less than 15 hours [1].

Threats are deployed in seconds and vanish in less than a day. The value of threat signals, then, is highest when they’re new, but falls quickly. Existing crypto security tools are either too slow or lack the context required to keep up with the pace at which new threats emerge.

In this article, we describe how Oz uses streaming threat intelligence to rapidly discover emerging threats and protect users before they’re compromised.

Data Streams

To capture real-time threat signals from users, Oz uses a publish/subscribe data model. In this model, Oz doesn’t store the data but instead keeps a record of data providers and subscriptions.

When publishers have new data to share, they push it to their entire subscriber list. Subscribers can decide which publisher feeds they want to subscribe to based on each publisher’s on-chain reputation.

In most cases, subscribers are data aggregators that consume hundreds or thousands of publisher data streams. By assembling many streams, aggregators can use the data to identify anomalies, train AI models, and maintain the reputation of data providers by identifying low-quality submissions.

Reputation Providers

Publishers earn reputation scores by sharing data with special nodes called reputation providers. These nodes run subjective checks against the data they receive to determine if each publisher is honest or dishonest.

When a new publisher appears on the network, they have zero reputation, and thus their data quality is assumed to be very low. As the publisher shares high-quality data with reputation providers, they can earn a higher reputation.

Subscribers can use reputation scores to find honest, high-quality publishers and subscribe to their feeds.

Streaming Threat Signals

Let’s take a look at how threat signals can be shared directly with subscribers with an end to end example. Sharing data begins with a supported collector, in this case the Oz Threat Signal collector.

When a publisher finds a suspicious domain, they begin by reporting the signal using the collector. The collector checks the publisher’s list of subscribers to determine who is entitled to receive the data, then routes the submission to each of the subscribers.

In this example, the user shared a domain reputation report labeling an airdrop link as unsafe. The collector retrieves the list of subscribers from Oz, signs the transaction from the user, and distributes the report to each recipient.

By directly connecting applications with live threat signals, each provider can protect their users from threats directly.

References

1. https://www.infosecurity-magazine.com/news/84-of-phishing-sites-last-for-less/#:~:text=Tara%20Seals&text=Phishers%20are%20a%20nimble%20bunch,cycle%20of%20under%2015%20hours.