PolySwarm is a threat intelligence marketplace with Microengines supplying intelligence, Ambassadors brokering access to the intelligence and Arbiters determining ground truth, mediating the marketplace.
How it works (refer to this diagram):
- An Ambassador "bounties" a suspect
artifact(a file, URL, IP address or domain) on behalf of its customer.
- Microengines are alerted to the bounty and decide whether the artifact is within their area of expertise.
- If the Microengine feels that it is able to correctly categorize the artifact as malicious or benign, it produces an
assertionand places a
stakeof money in the form of a token, Nectar (NCT), on that
- The Ambassador considers all the Microengines'
assertionsand returns a
verdictto their customer.
- Some time passes.
- Arbiters offer ground truth regarding the malintent of the artifact.
- Microengines whose
assertionsmatch ground truth are rewarded with the escrowed funds of Microengines that disagreed.
For full details, please refer to the PolySwarm whitepaper.
Microengines offer threat intelligence in exchange for NCT.
Microengines are developed by individuals or organizations who have a knack for identifying malware. If you have unique insight into a particular malware family, class, file type, etc and want to access samples, boost your engine reputation, and earn money/tokens (NCT), then you want to develop a Microengine!
Microengines encapsulate security expertise in an autonomous process that earns Nectar (NCT) rewards for accurately identifying new strands of malware.
- Listen for bounties on the Ethereum blockchain (via
- Download artifacts (via
- Scan/analyze the artifacts
- Determine a Nectar (NCT) staking amount
- Deliver an assertion (their
stake) back to the marketplace
Ready to develop your first Microengine and start earning NCT?
Linux-based Microengines are far easier to test and come with more deployment options than Windows-based Microengines. If possible, we highly recommend building Linux-based Microengines.
Ambassadors place bounties (artifacts + NCT) and receive timely crowdsourced threat intelligence in response.
Enterprises seeking to query PolySwarm for threat intelligence may:
- purchase a subscription directly from Swarm Technologies
- work with a third party that runs an Ambassador on their behalf
- act as their own Ambassador
If your organization requires finer grained control over marketplace interactions or you wish to build value-added services on top of PolySwarm (e.g. as an MSSP), you may want to build an ambassador.
Ambassadors are only supported under Linux.
Arbiters are paid (via marketplace transaction fees) to determine ground truth.
Arbiters marshall the marketplace by way of determining "ground truth". Arbiter serve a critical role: Arbiter-derived ground truth is used to determine which Microengines are correct and thus rewarded. Crucially, Arbiters must expand their internal threat detection capabilities, taking into consideration the assertions of Microengines to push the boundaries of what the PolySwarm marketplace can detect.
With the exception of staking sufficient NCT to qualify for Arbitership, Arbiters perform the same action as Microengines. When a bounty is placed, Arbiters vote on the ground truth of that artifact.
Developing Microengines and Arbiters is a virtually identical process. As a first step, we'll need to set up a Linux development environment.
Arbiters are only supported under Linux.