A Cybersecurity Detection Platform Integrating IOTA DLT and IPFS for Vulnerability Management
Abstract
:1. Introduction
Research Objectives
2. Testing of Information Security
2.1. Testing
2.2. Blockchain
2.3. IPFS Interstellar Archive System
2.4. IOTA
2.5. Proposed Architecture: Secure Vulnerability Reporting Framework with IOTA and IPFS
Architectural Innovation Overview
3. Research Methods and Procedures
3.1. Research Methods
3.2. Establish a Testing Platform
- Create a virtual machine using VirtualBox (version 7.1.8) and install Kali Linux.
- As soon as Kali is installed, the first step is to update the system. To ensure that all OpenVAS packages have the latest version, the Kali system will release tool version updates from time to time:
- Once the system update is complete, install OpenVAS. Here are the instructions for installation:
- 4.
- Set up OpenVAS. The admin account and password will appear after the execution is complete. It should be saved. When you log in later, it will be used as your username. Passwords are long strings.
- 5.
- Run the check command to confirm that there are no problems with the installation. The message “It seems like your GVM-XXX installation is OK.” means that the installation was successful.
- 6.
- Update the vulnerability database manually, the update will take some time to complete.
- 7.
- Enable GVM service.
3.3. Blockchain System Functional Architecture
3.4. Blockchain and IPFS Integration
4. Experimental Results and Discussion
4.1. Is Rapid7, a Paid Detection Tool, or OpenVAS, an Open-Source Free Detection Tool, More Accurate?
4.1.1. A Comparative Analysis of Rapid7 and OpenVAS, Two Paid Detection Tools
- Security research: In addition to having better detection interfaces and customized reporting functions, paid tools are maintained by professional research teams; open-source tools are mainly promoted by their communities, and their interfaces and report outputs are relatively simple. In spite of this, both open-source and paid tools will be included in the public CVE vulnerability database, and their final detection results are quite good.
- Cost: The cost of paid tools varies depending on the software, the manufacturer, and the number of years of use. Open-source tools, on the other hand, provide the software for free and only require the configuration of the required resources (such as virtual machines or physical machines). In contrast, open-source tools require professional engineers to build, maintain, and update them.
- Benefits: Detection and patching reports can be provided by both tools, enabling host system maintenance vendors to more effectively improve and reduce vulnerability risks.
4.1.2. Test Comparison Results Between Open-Source and Paid Tools
4.2. Test Results-Based Repair Suggestions
4.2.1. Version Update/Patch Enhancement: Program Version, Database Version, Server, and OpenSSL
- (1)
- PHP, APACHE
- (2)
- Open SSL
- (3)
- Apache Tomcat
- (4)
- WordPress
4.2.2. Security Protocols/Certificates: HTTPS Certificates, TLS/SSL Protocols, and Weak Encryption Suites
- (1)
- Disable insecure TLS/SSL protocols or packages
- (2)
- A valid HTTPS certificate chain must be set up correctly and within the validity period
4.2.3. Protocol Settings for Network Communication Services: FTP (Transfer Protocol), RDP/SSH (Remote Desktop Protocol), IIS (Internet Information Services), SMB (Server Message Block)
- (1)
- Enable encryption for FTP or disable plain text authentication
- (2)
- The initial settings of IIS
- (3)
- Fix the problem of weak encryption suites (SSH, weak encryption, and weak algorithms).
- (4)
- Disable SMB1
4.2.4. Access Permissions for Databases and Files
Access Restrictions to Databases
5. Conclusions and Recommendations
Future Directions for Research and Development
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Chen, X.; Lin, Y.; Wu, Z. Cybersecurity Law Compliance in Taiwan: Challenges and Opportunities. J. Cybersecur. 2020, 1, 100–110. [Google Scholar]
- National Communications Commission (NCC). Guidelines on Information and Communication Security Management for Government Agencies; National Communications Commission: Taipei, Taiwan, 2022.
- National Institute of Standards and Technology (NIST). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53 Revision 5); NIST: Gaithersburg, MD, USA, 2020. [CrossRef]
- Amankwah, R.; Chen, J.; Kudjo, P.K.; Towey, D. An empirical comparison of commercial and open-source web vulnerability scanners. Softw. Pr. Exp. 2020, 50, 1842–1857. [Google Scholar] [CrossRef]
- European Union Agency for Cybersecurity (ENISA). ENISA Threat Landscape 2022; Publications Office of the European Union: Luxembourg, 2002; Available online: https://cymarop.ro/ENISA_Threat_Landscape.pdf (accessed on 5 May 2025).
- Symantec Corporation. Internet Security Threat Report. 2018, Volume 23. Available online: https://docs.broadcom.com/docs/istr-23-2018-en (accessed on 20 April 2025).
- National Institute of Standards and Technology. Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST Special Publication 800-218); U.S. Department of Commerce: Washington, WA, USA, 2022. [CrossRef]
- ISO/IEC 27036-3:2023; Cybersecurity—Supplier Relationships—Part 3: Guidelines for Hardware, Software, and Services Supply Chain Security. International Organization for Standardization/International Electrotechnical Commission: Geneva, Switzerland, 2023.
- Benet, J. IPFS—Content Addressed, Versioned, P2P File System. arXiv 2014, arXiv:1407.3561. [Google Scholar] [CrossRef]
- Chen, F. Enhancing Cloud Computing Security with Blockchain: A Hybrid Approach to Data Privacy and Integrity. J. Comput. Electron. Inf. Manag. 2024, 14, 75–79. [Google Scholar] [CrossRef]
- Zyskind, G.; Nathan, O.; Pentland, A. Decentralizing Privacy: Using Blockchain to Protect Personal Data. In Proceedings of the Security and Privacy Workshops, San Jose, CA, USA, 21–22 May 2015; pp. 180–184. [Google Scholar] [CrossRef]
- Grance, T.; Jansen, W. Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144); National Institute of Standards and Technology: Gaithersburg, MD, USA, 2011. [Google Scholar] [CrossRef]
- OWASP Foundation. OWASP API Security Top 10—2023. 2023. Available online: https://owasp.org/API-Security/ (accessed on 5 May 2025).
- Christidis, K.; Devetsikiotis, M. Blockchains and Smart Contracts for the Internet of Things. IEEE Access 2016, 4, 2292–2303. [Google Scholar] [CrossRef]
- Haque, M.R.; Munna, S.I.; Ahmed, S.; Islam, M.T.; Onik, M.M.H.; Rahman, A.B.M.A. An Integrated Blockchain and IPFS Solution for Secure and Efficient Source Code Repository Hosting using Middleman Approach. arXiv 2024, arXiv:2409.14530. [Google Scholar] [CrossRef]
- Chhillar, K.; Shrivastava, S. Vulnerability Scanning and Management of University Computer Network. In Proceedings of the 2021 10th International Conference on Internet of Everything, Microwave Engineering, Communication and Networks (IEMECON), Jaipur, India, 1–2 December 2021; pp. 1–6. [Google Scholar]
- Tudela, F.M.; Higuera, J.-R.B.; Higuera, J.B.; Montalvo, J.-A.S.; Argyros, M.I. On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications. Appl. Sci. 2020, 10, 9119. [Google Scholar] [CrossRef]
- Cruz, D.B.; Almeida, J.R.; Oliveira, J.L. Open Source Solutions for Vulnerability Assessment: A Comparative Analysis. IEEE Access 2023, 11, 100234–100255. [Google Scholar] [CrossRef]
- Imtiaz, N.; Thorn, S.; Williams, L. A comparative study of vulnerability reporting by software composition analysis tools. In Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), New York, NY, USA, 11 October 2021; pp. 1–11. [Google Scholar]
- Wei, Q.; Li, B.; Chang, W.; Jia, Z.; Shen, Z.; Shao, Z. A Survey of Blockchain Data Management Systems. ACM Trans. Embed. Comput. Syst. 2022, 21, 25. [Google Scholar] [CrossRef]
- Sun, J.; Yao, X.; Wang, S.; Wu, Y. Blockchain-Based Secure Storage and Access Scheme for Electronic Medical Records in IPFS. IEEE Access 2022, 8, 59389–59401. [Google Scholar] [CrossRef]
- Kang, P.; Yang, W.; Zheng, J. Blockchain Private File Storage-Sharing Method Based on IPFS. Sensors 2022, 22, 5100. [Google Scholar] [CrossRef] [PubMed]
- Silvano, W.F.; Marcelino, R. Iota Tangle: A cryptocurrency to communicate Internet-of-Things data. Future Gener. Comput. Syst. 2020, 112, 307–319. [Google Scholar] [CrossRef]
- Lin, I.-C.; Chang, C.-C.; Chang, Y.-S. Data Security and Preservation Mechanisms for Industrial Control Network Using IOTA. Symmetry 2022, 14, 237. [Google Scholar] [CrossRef]
- Ritesh, V. Cybersecurity Challenges in the Era of Digital Transformation. ResearchGate. 2023. Available online: https://www.researchgate.net/publication/377625512_CYBERSECURITY_CHALLENGES_IN_THE_ERA_OF_DIGITAL_TRANSFORMATION (accessed on 5 May 2025).
- FS Community. What Are the Advantages of Open Source Software? FS Community. 2 November 2023. Available online: https://community.fs.com/blog/what-are-the-advantages-of-open-source-software.html (accessed on 5 May 2025).
- Householder, A.D.; Wassermann, G.; Manion, A.; King, C. The CERT® Guide to Coordinated Vulnerability Disclosure (CMU/SEI-2017-SR-022); Software Engineering Institute, Carnegie Mellon University: Pittsburgh, PA, USA, 2017. [Google Scholar] [CrossRef]
- Gundu, T. Learn, Unlearn and Relearn: Adaptive Cybersecurity Culture Model. Int. Conf. Cyber Warf. Secur. 2024, 19, 95–102. [Google Scholar] [CrossRef]
- MITRE Corporation. MITRE ATT&CK® Framework: Adversary Emulation and Red Teaming. 2023. Available online: https://attack.mitre.org/resources/get-started/adversary-emulation-and-red-teaming/ (accessed on 5 May 2025).
- Pescatore, J.; Hicks, T.A. SANS 2022 Top New Attacks and Threat Report; SANS Institute: Maryland, MD, USA, 2022; Available online: https://www.sans.org/white-papers/sans-2022-top-new-attacks-threat-report/ (accessed on 5 May 2025).
Vulnerability Scanning | Penetration Testing | Source Code Detection | |
---|---|---|---|
Introduction | It can be divided into two types: host weak scanning and web page weak scanning. | Simulate hacker attack methods and try to find loopholes that can be used for entry, thereby helping companies detect security risks. | Using source code detection during program development can reduce the risk of system launch. |
Common tools | Host weak scan: Rapid7, OpenVAS (22.4.1), etc. Weak web scanning: Acunetix (25.3.0), OWASP ZAP (2.11.0), etc. | Security penetration testing experts use penetration testing techniques and tools to further test | FORTIFY SCA, Checkmarx, etc. |
Methods | Uses automated detection tools to scan and execute. Just enter the URL or IP to execute. Host weak scans can find related vulnerabilities in OS, version, and settings. Web weak scans are a dynamic detection of online systems. Common vulnerabilities include SQL injection, XXS, and other vulnerability issues. | By combining the project experience of information security experts with various penetration testing techniques, the tool performs in-depth testing on the system and provides detection reports, detailed records, and patching suggestions to help enterprises strengthen information security defense. | By using tools to detect all source codes, it is possible to find the actual location where the vulnerability occurs and provide a more accurate patching method. |
Benefits | 1. Fast detection speed 2. Lower cost 3. Comply with basic regulatory requirements | 1. Combine the experience of professional information security experts to help enterprises discover exploitable risks early. 2. Provide relevant patching suggestions and professional consultants to effectively improve the effectiveness of vulnerability patching and further reduce information security risks. | 1. 100% code coverage. 2. It will not cause any impact on the online system and can prevent the detection process from affecting the system operation. |
Costs | Low | High | High |
Innovation | Description | Advantage |
---|---|---|
Dual-layer Storage | IPFS stores full reports; IOTA stores only metadata and hash | Reduces on-chain storage burden; ensures data traceability |
Feeless Micro-logging | IOTA Tangle enables zero-cost data anchoring | Supports frequent updates without cost overhead |
Dynamic Access Control via Hash Matching | File retrieval via IPFS only succeeds if hash matches IOTA-anchored hash | Prevents tampering and spoofed uploads |
Decentralized Retention Policy | Reports are pinned across federated IPFS nodes (e.g., university/government) | Avoids single point of failure; ensures long-term availability |
Severity Summary Encoding in IOTA Payload | Stores critical/high/medium/low counts | Facilitates quick visual severity dashboards |
Feature | Traditional File Sharing | Proposed IPFS + IOTA Framework |
---|---|---|
Integrity Guarantee | Weak (manual file lock/passwords) | Cryptographically anchored |
Traceability | Manual versioning | On-chain timestamped history |
Redundancy | Centralized (e.g., Google Drive) | Decentralized IPFS node sharing |
Cost | Low, but vulnerable to tampering | Zero-fee with security hardening |
Scalability | Limited | Horizontally scalable across units |
Hardware | Specification |
---|---|
CPU | Intel® Core™ i7-1065G7 |
RAM | DDR4 32 GB |
SSD | 512 GB |
OS | Win10 |
Item | RAPID7 | OpenVAS | |
---|---|---|---|
Vulnerability Assessment | CVE Coverage | 59,000 detected | 59,000 unique CVEs |
Audit Scan Template | Provide common templates, which can be further customized | None | |
Platform support capabilities | Supported OS | Windows, Linux, and Ubuntu all support | It can be executed on Linux, but it is recommended to install it on Kali Linux |
Safety studies | Experts on safety research | Have a professional security research team | Mainly driven by the community |
Features and performance | More automated features, more reports to choose from, a wider range of vulnerability database sources, and faster scanning speeds | Basic scanning function | |
Cost | Cost | 1. Annual payment required to purchase license 2. If you encounter any problems during the detection and scanning, you can consult professional customer service | 1. Free open-source software, only virtual machine resources are required 2. There must be IT professionals to handle all issues from system construction to subsequent updates |
Benefit | Expected Benefits | After the detection is completed, the report will be compiled to further analyze common vulnerability issues and provide relevant patching solutions for reference by the outsourced team so that they can complete the patching more efficiently and reduce the risks caused by the vulnerabilities. |
RAPID 7 | OpenVAS | |||||||
---|---|---|---|---|---|---|---|---|
Detection Target | Key | Severely | Medium | Illustrate | High | Medium | Low | Note |
Host computer 1 | 0 | 5 | 0 | ISC BIND updated to the latest version | 0 | 0 | 0 | |
Host computer 2 | 0 | 1 | 0 | Disable plain text authentication | 0 | 1 | 0 | Disable plain text authentication |
Host computer 3 | 0 | 0 | 0 | 0 | 0 | 0 | ||
Host computer 4 | 1 | 30 | 3 | php updated to the latest version | 0 | 8 | 1 | http security setting problem |
Host computer 5 | 1 | 0 | 0 | php updated to the latest version | 0 | 4 | 0 | http security setting problem |
Host computer 6 | 0 | 5 | 0 | ISC BIND updated to the latest version | 0 | 0 | 0 | |
Host computer 7 | 0 | 3 | 4 | Disable insecure settings and weak encryption algorithms | 0 | 0 | 1 | Disable TCP Timestamps |
Host computer 8 | 0 | 6 | 5 | Use TLS 1.2 and disable insecure TLS algorithms and weak encryption suites | 0 | 8 | 1 | Use TLS1.2 |
Host computer 9 | 0 | 3 | 2 | Disable TLS weak encryption algorithms | 0 | 0 | 1 | Disable TLS older protocols |
Host computer 10 | 0 | 0 | 0 | Disable TCP timestamps | 0 | 0 | 1 | Disable TCP Timestamps |
Host computer 11 | 0 | 0 | 0 | 0 | 0 | 0 | ||
Host computer 12 | 0 | 0 | 0 | 0 | 0 | 0 | ||
Host computer 13 | 1 | 0 | 1 | Update the OS version to the latest version and disable weak encryption suites | 0 | 1 | 0 | http security setting problem |
Host computer 14 | 0 | 0 | 0 | 0 | 0 | 0 | ||
Host computer 15 | 1 | 0 | 1 | Update the OS version to the latest version and disable weak encryption suites | 0 | 1 | 0 | http security setting problem |
Host computer 16 | 0 | 0 | 0 | 0 | 0 | 0 |
Evaluation Project | IOTA | Bitcoin |
---|---|---|
Transaction speed | quick | slow |
Transaction fees | zero cost | high |
Applicable scenarios | Suitable for a large number of small transactions and IoT applications | Suitable for transactions with high security requirements and large amounts |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Lin, I.-C.; Ruan, J.-Y.; Chang, C.-C.; Chang, C.-C.; Wang, C.-T. A Cybersecurity Detection Platform Integrating IOTA DLT and IPFS for Vulnerability Management. Electronics 2025, 14, 1929. https://doi.org/10.3390/electronics14101929
Lin I-C, Ruan J-Y, Chang C-C, Chang C-C, Wang C-T. A Cybersecurity Detection Platform Integrating IOTA DLT and IPFS for Vulnerability Management. Electronics. 2025; 14(10):1929. https://doi.org/10.3390/electronics14101929
Chicago/Turabian StyleLin, Iuon-Chang, Jyun-Yan Ruan, Ching-Chun Chang, Chin-Chen Chang, and Chun-Tse Wang. 2025. "A Cybersecurity Detection Platform Integrating IOTA DLT and IPFS for Vulnerability Management" Electronics 14, no. 10: 1929. https://doi.org/10.3390/electronics14101929
APA StyleLin, I.-C., Ruan, J.-Y., Chang, C.-C., Chang, C.-C., & Wang, C.-T. (2025). A Cybersecurity Detection Platform Integrating IOTA DLT and IPFS for Vulnerability Management. Electronics, 14(10), 1929. https://doi.org/10.3390/electronics14101929