Let'sTrace - Blockchain, Federated Learning and TUF/In-ToTo Enabled Cyber Supply Chain Provenance Platform

Bibliographic Details
Published in: MILCOM 2021 - 2021 IEEE Military Communications Conference (MILCOM), pp. 470 - 476
Main Authors: Bandara, Eranga; Shetty, Sachin; Rahman, Abdul; Mukkamala, Ravi
Format: Conference Proceeding
Language: English
Published: IEEE 29.11.2021
Summary: "Let'sTrace" is a blockchain-enabled cyber supply chain provenance platform. It enables cyber supply chain verification with TUF (The Update Framework) and In-ToTo frameworks. In this paper, we discuss a prototype where the TUF and In-ToTo frameworks have been integrated into a blockchain smart contract platform to facilitate robust supply chain verification functions. In this paper, we describe the TUF and In-ToTo frameworks and how they are implemented as the secure software update system which can verify the software update and use In-ToTo metadata files as the software supply chain end-to-end verification. Further, we have proposed a mechanism to analyze cyber supply chain information and software updates on different parties using a blockchain-enabled federated learning system. With this approach, we make the cyber supply chain more secure, reliable, and meaningful to conduct further analytics efficiently. This paper aims to demonstrate how, through the use of our integrated approach, cyber defenders can harden relevant SSCs, thus reducing a multitude of attack vectors, leading to a stronger overall security posture.
ISSN: 2155-7586
DOI: 10.1109/MILCOM52596.2021.9653024