Filter unit based data communication system including a blockchain platform

BACKGROUND

In the present time of a rising demand for cross-company IT solutions, information between companies are to be transmit- ted in the form of transactions. In several cases, such as in the case of the Bitcoin technology or Smart Contracts, these transactions may be based on the blockchain technology, of ^¬ fering an open or public platform for sharing, executing, and reviewing the respective transactions.

In the case of such open transaction platforms, there is a risk that inadvertently sensitive company information or not released transactions or not duly approved transactions may be transmitted into an open transaction database, e.g. the blockchain database. This can e.g. occur by the fact that em ^¬ ployees use a blockchain software, the right of which is not conferred to use, or by using a company-used blockchain plat ^¬ form, which is used in an inadmissible manner. SUMMARY

Therefore, there is a need to prevent invalid and/or unwanted data traffic from a first network to a second, blockchain- based network.

It is an object of the present application to provide a sys ^¬ tem and a respective method for performing data communication in between a first network and a second, blockchain-based network, which is adapted to prevent invalid and/or unwanted data traffic. A system and a method according to the independent claims are provided. Further embodiments are defined in the dependent claims . According to an embodiment, a system adapted for performing data communication is disclosed. The system comprises a first interface adapted to communicate with a first network. The system further comprises a filter unit. The system further comprises a second interface adapted to communicate with a second network connected to the first network via the filter unit, wherein the second network is adapted to operate as a blockchain platform. According to this, the filter unit is adapted to selectively permit data received from the first network via the first interface to be transmitted to the se- cond network via the second interface.

Such an approach may be based on the finding that the arrangement of a filter unit in between a first network and a blockchain-based second network may provide a technical im- plementation enabling an additional restriction of the data traffic originating from the first network and reaching the second network. Since such a blockchain based second network may operate by processing data in an irreversible manner, such technical means may help to prevent publishing data which otherwise could not be deleted, or to prevent pro ^¬ cessing of transactions comprised within the data for which the effect of processing could not be reversed anymore. The filtering realizing the additional restriction can be defined independently of the blockchain logic for verifying the va- lidity of transactions. This allows to flexibly define which transactions can be submitted by a firm to the blockchain based second network, e.g. to an open or public blockchain platform for processing. Company-specific authorizations, ap ^¬ provals, can be flexibly checked, without the blockchain platform being required to process company-internal permis ^¬ sion information. Company-internal authorization services and authorization information can be easily integrated, without exposing the company-internal authorization information to an open or public blockchain platform. Changes within the organization of the firm can be reflected by modified filter rules, i.e. without requiring changes to the blockchain plat ^¬ form or to the data processed by the blockchain infrastruc- ture .

The filtering of data before being submitted to the

blockchain based second network, e.g., a blockchain platform or a blockchain infrastructure, for processing is required when using open or public blockchain platforms by a firm or in enterprise environments. In contrast to a conventional firewall, the purpose is not to prevent network attacks on the company network by limiting network communication, but to enforce rules on outgoing transactions that cannot be deleted or reversed once accepted and processed by the blockchain in ^¬ frastructure. So, the invention enables the safe, controlled use of an open or public blockchain infrastructure. Incoming transactions can be filtered as well before importing the transactions in company-internal IT systems.

According to another embodiment, a method for performing data communication is disclosed. The method comprises selectively permitting data received from a first network to be transmit ^¬ ted to a second network. According to this method, the second network is operated as a blockchain platform based on the permitted data.

Such an approach may be based on selectively filtering data before reaching the blockchain based second network. Data, which are not determined as suitable for processing by the blockchain technology, may therefore be prevented reaching the second network, which may operate in an irreversible man ^¬ ner . A network within the meaning of the present disclosure may refer to any set of nodes which enables a plurality of par ^¬ ticipants to perform data communication with each other. The network may be a public network or a private network. The network may or may not be based on a blockchain platform. The network may be connected to at least one further network. The network may irreversibly process the data based on blockchain techniques .

A filter unit within the meaning of the present disclosure may refer to any unit, which is adapted to separate first set of data from a second set of data. The data may comprise at least one transaction to be processed by a blockchain plat- form. Separation may take place in that the first set of data is permitted to pass the filter unit and the second set of data is not permitted to pass the filter unit. Here, separa ^¬ tion may be controlled by a user input. A blockchain platform within the meaning of the present disclosure may refer to any database implemented in a network, which is at least partly based on the blockchain technique. The blockchain may comprise a plurality of blocks comprising data related to transactions and/or Smart Contracts. Chaining of different blocks may be implemented by cryptographic hash values stored in each block, wherein each hash value may refer to data of a previous block.

In an embodiment of the system, the filter unit is adapted to selectively permit the data based on a data content and/or a data origin.

The provision of a unit adapted for filtering data based on its data content may thereby enable to control a distribution of information based on the level of confidentiality of these information. The provision of a unit adapted for filtering data based on its data origin may thereby enable to distrib ^¬ ute data based on given regulations, such as a firm policy. For example, a policy may be compared with the data content and/or the data origin to decide whether to permit the data or not. In another embodiment, the filter unit is adapted to selec ^¬ tively permit the data based on a user input.

Thereby, selection criteria of a filter unit may be adapted according to the present circumstances and the user's needs.

In another embodiment, the filter unit is part of a) a net ^¬ work firewall located at a transition in between the first network and the second network or b) a cloud-based service.

With respect to the network firewall, the filter unit may be implemented by preferably simple technical means. Pertaining to the cloud-based service, filtering data traffic may be outsourced from a present network connection, thereby saving resources of the present networks.

In another embodiment, the data comprises a transaction, which may be processed by the blockchain platform. Thereby, the second network comprising the blockchain plat ^¬ form may be used as an openly accessible database, enabling any participants sharing and reviewing the transactions to be performed. The second network may be a permissioned

blockchain platform that is accessible by a multitude of firms.

In another embodiment, the filter unit is adapted to perform the selective permission of the data comprising the transac ^¬ tion independent from or of other transactions, which have been received by the filter device previously.

Thereby, a reliable permission of transactions to be pro ^¬ cessed by the blockchain platform independent from or of a transaction protocol may be provided.

In another embodiment, the filter unit is adapted to perform the selective permission of the data comprising the transac- tion based on other transactions, which have been received by the filter unit previously.

Thereby, e.g. the amount of transactions processed by the blockchain platform previously may be taken into account for providing further transactions to the blockchain platform. As a matter of consequence, the number of transactions performed in a predefined time interval may be limited. Also, other properties of the earlier transactions may be taken into ac- count, e.g., data content and/or data origin, etc. Heuristic rule sets for permitting the data may be developed.

In another embodiment, the data comprises a classification of the transaction and the selective permission of the filter unit is adapted to be based on the classification of the transaction .

Thereby, based on any transaction characteristic, different transactions can be handled in a different manner. The clas- sification may parameterize certain details of the transac ^¬ tion such that different transactions can be easily compared.

In another embodiment, the classification of the transaction comprises a security label of the transaction.

Thereby, the level of confidentiality referring to a transac ^¬ tion may be taken into account for an evaluation, whether a transaction is provided for processing to the blockchain platform of the second network.

In another embodiment, the filter unit is adapted for receiv ^¬ ing, from a transaction approval unit of the first network, instructions for blocking the transaction, e.g. if the trans ^¬ action approval unit does not receive a predetermined number of approval messages from respective participants.

Thereby, the filter unit is adapted to be controlled - at least partly - by regulations implemented in the first net- work, which correspond to approvals of participants sharing the first network. These approvals to be given for transmit ^¬ ting a transaction to a blockchain platform may represent the authority of the respective participants in a community, e.g. a firm. As a matter of consequence, such an adaption may e.g. implement a given firm policy. The firm policy may also re ^¬ flect regulations that allow the firm to comply with company rules or regulatory limitations. In another embodiment, the system further comprises a label ^¬ ling unit, which is adapted to label the data comprising the transaction permitted by the filter unit using a checksum, wherein the label is indicative of the respective filter unit of a plurality of filter units. The labelling unit may also label the transaction using another unique key, alternatively or additionally to the checksum. The checksum may be a cryp ^¬ tographic checksum, e.g. a message authentication code or a digital signature. Thereby, any data received by the first network may be as ^¬ signed to a specific filter unit, which is adapted to control permission of the data for reaching the second network.

Therefore, these means may facilitate the inspection of fil ^¬ tering processes.

In another embodiment, the system further comprises a modifi ^¬ cation unit, which is adapted to modify the transaction permitted by the filter unit, wherein the modified transaction is transmitted to the second network via the second interface and the non-modified transaction is not transmitted to the second network via the second interface.

Thereby, the modified transaction, which is permitted to reach the blockchain platform, and the non-modified transac- tion, which is not permitted to reach the blockchain plat ^¬ form, may carry different information. As an example, information, which is to be available to participants of the first network, but which is not to be available to participants of the second network, may merely be included in the non- modified, but not in the modified, transaction. Consequently, these means may enable a desired distribution of information. Anonymisation is possible. Privacy-sensitive information may be filtered.

In another embodiment, the filter unit is further adapted to selectively permit data received from the second network to be transmitted to the first network.

Thereby, malware resided in the second network may be blocked from also reaching the first network. Furthermore, only transactions that comply with filter rules may be imported and may be processed in company-internal IT systems. In par ^¬ ticular, only transactions complying with filter rules may be imported automatically. Other transactions may be rejected, or may require an explicit approval before importing them in a company-internal IT system. In another embodiment, the first network is a private network and/or the second network is a public network.

Thereby, the filter unit may be implemented in filtering data traffic originating from a first network to a second network, wherein the first network comprises a smaller number of participants than the second network. Thus, these means are adapted to control the data traffic to different circles of participants . In an embodiment of the method, the method is performed by a system according to any of the embodiments above.

Thereby, the method may be performed based on a preferably simple technical implementation.

A network firewall within the meaning of the present disclo ^¬ sure may refer to a security system in between different net ^¬ works that controls the incoming and/or outgoing data traffic based on predetermined security rules. The data traffic may comprise transactions to be processed by a blockchain plat ^¬ form. The security rules may be controlled by a user input. A cloud-based service within the meaning of the present dis ^¬ closure may refer to any technical concepts implemented in a cloud-computing infrastructure. Hereby, it may be enabled to computing capabilities storing and processing data in either a privately owned cloud, or on a third-party server located in a data center in order to make data accessing mechanisms more efficient and reliable.

A security level within the meaning of the present disclosure may refer to a characteristic of a transaction, which refers to a requirement of controlling a transaction when transmit ^¬ ting from a first network to a second network. The security level of the transaction may be assigned by a participant of the first network. The security level may refer to a level of confidentiality of the transaction. For example, restricted information may be discriminated from top secret information, etc ..

A private network within the meaning of the present disclo ^¬ sure may refer to a network accessible to a smaller or re- stricted number of participants than a public network. A pri ^¬ vate network may refer to a company-internal network. The private network may be adapted to be used for transmitting data to which a higher confidentiality is attributed. A public network within the meaning of the present disclosure may refer to a network accessible to a larger number of participants than a private network. For example, unrestricted access may be provided to the public network. A public net ^¬ work may refer to an open network, but may also refer to a company-internal network. The public network may be adapted not to be used for transmitting data to which a higher confidentiality is attributed. According to an embodiment, a computer program product comprises program code. The program code may be executed by at least one processor. Executing the program code causes the at least one processor to perform a method for performing data communication. The method comprises selectively permitting data received from a first network to be transmitted to a se ^¬ cond network. The second network is operated as a blockchain platform based on the permitted data. According to an embodiment, a computer program comprises pro ^¬ gram code. The program code may be executed by at least one processor. Executing the program code causes the at least one processor to perform a method for performing data communication. The method comprises selectively permitting data re- ceived from a first network to be transmitted to a second network. The second network is operated as a blockchain plat ^¬ form based on the permitted data.

The above summary is merely intended to give a short overview over some features of some embodiments and implementations and is not to be construed as limiting. Other embodiments may comprise other features than the ones explained above.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other elements, features, steps and character ^¬ istics of the present disclosure will be more apparent from the following detailed description of embodiments with reference to the following figures:

Figure 1 schematically illustrates a blockchain section,

which may be assembled based on a system and a method according to the present disclosure. Figure 2 schematically illustrates another blockchain sec ^¬ tion, which may be assembled based on a system and a method according to the present disclosure. Figure 3 schematically illustrates a filter unit based data communication system according to various examples.

Figure 4 represents a flowchart of a method performed by the data communication system according to various examples .

DETAILED DESCRIPTION OF EMBODIMENTS In the following, embodiments of the invention will be de ^¬ scribed in detail with reference to the accompanying draw ^¬ ings. It is to be understood that the following description of embodiments is not to be taken in a limiting sense. The scope of the invention is not intended to be limited by the embodiments described hereinafter or by the drawings, which are taken to be illustrative only.

The drawings are to be regarded as being schematic represen ^¬ tations and elements illustrated in the drawings, which are not necessarily shown to scale. Rather, the various elements are represented such that their function and general purpose become apparent to a person skilled in the art. Any connec ^¬ tion or coupling between functional blocks, devices, compo ^¬ nents, or other physical or functional units shown in the drawings or described herein may also be implemented by an indirect connection or coupling. A coupling between components may also be established over a wireless connection. Functional blocks may be implemented in hardware, firmware, software, or a combination thereof.

Figure 1 schematically illustrates a blockchain section, which may be assembled based on a system 1 and a method 100 according to the present disclosure. According to this, such a blockchain 13 may comprise a plu ^¬ rality of blocks 14a-14c connected to each other. In such an assembling, each block 14a, 14b, 14c may be coupled with two neighboring blocks 14a-14c, wherein coupling is - according to Figure 1 - depicted as chain 16. A new block 14a-14c to be included in the blockchain 13 may be assembled at an open end of the chain 16 of the block chain 13. Each block 14a-14c may comprise a plurality of transactions 9 to be processed. The creation of the chain 16 coupling the blocks 14a-14c to as ^¬ semble the blockchain 13 may be supported by hash values 15a- 15c, each implemented in their respective block 14a-14c.

Hereby, each hash value for 15a to 15c depends on the prede ^¬ cessor block 14a to 14c. Specifically, the respective hash value 15a-15c is evaluated based on the data of the respec ^¬ tive predecessor block 14a-14c.

With respect to the transactions 9 implemented in each block 14a-14c, the program code may be implemented as a smart con- tract. The program code may carry information with respect to whether a transaction 9 is admissible. According to this, different business processes may be flexibly realized by a common blockchain infrastructure. Usually, a hash tree, e.g. a Merkle tree or a Patricia tree, may be used for storing the respective hash values in each of the blocks 14a-14c.

Figure 2 schematically illustrates another blockchain sec ^¬ tion, which may be assembled based on a system and a method according to the present disclosure.

According to this, the blockchain 13 comprises blocks 14a- 14c, which are connected by chain 16. The creation of the blockchain 13 by assembling blocks 14a-14c by chain 16 is hereby supported by hash values 15a-15c, each of them is im- plemented in the respective block 14a-14c.

Specifically, each of the blocks 14a to 14c comprises specif ^¬ ic configurations of the transactions 9. As an example, the transactions 9 may be configured as payment transaction 17, ownership transfer transaction 18 and register smart contract 19. Hereby, the transaction 9 may comprise further attrib ^¬ utes, which may e.g. be adapted to indicate a receiver of a payment, an object and its new owner or a program code of a smart contract. Blockchain transactions may be used also to control an energy automation network. A transaction may cause an energy generator to feed a certain amount of electric energy into the energy grid, to cause an energy consumer to limit the energy consumption, or to perform a switching operation in the energy grid. The attributes of a blockchain transaction may indicate an electric device and the action to be performed by the device. Figure 3 schematically illustrates a filter unit based data communication system 1 according to various examples.

According to this, the system 1 comprises at least one first interface 2 adapted to communicate with a first network 3. The first network 3 may be a private network 11, such as a firm network. Access to the private network 11 may be re ^¬ stricted. Any arbitrary number of first network nodes 22 may be provided by the first network 3. In addition, the system 1 also comprises at least one second interface 5 adapted to communicate with a second network 6. The second network 6 may be a public network 12, such as the internet or any further network available to different firms and/or communities. Hereby, the second network 6 may be adapted to operate as a blockchain platform 7. Any arbitrary number of second network nodes 23 may be provided by the se ^¬ cond network 6.

The first network 3 and the second network 6 may be connected to each other via a filter unit 4. The filter unit 4 may be adapted to selectively permit data received from the first network 3 via the first interface 2 to be transmitted to the second network 6 via the second interface 5. These data may comprise at least one transaction 9, which may be processed by the blockchain platform 7.

The filter unit 4 may be implemented in a network firewall 8, as depicted in Figure 3. Such a network firewall 8 may addi- tionally comprise a memory 21 for storing rules. In addition, the filter unit 4 may also be implemented in a cloud-based service. Further, for filtering data, a cross-domain security solution may also be used.

The filter unit 4 may be adapted to selectively permit the data based on a data content. Such a data content may e.g. refer to the content of the transaction 9. The filter unit 4 may also be adapted to selectively permit the data based on a data origin. Such a data origin may refer to an origin of a transaction 9, e.g. a computer from which the transaction 9 is transmitted or a user logged in the respective computer. These transaction data may refer to attributes and/or smart contracts .

Further, the filter unit 4 may also be adapted to selectively permit the data based on a user input, which may change the filter criteria based on modified circumstances, such as a modified firm policy or modified public regulations.

The filter unit 4 may further be adapted to perform the se ^¬ lective permission of the data comprising the transaction 9 independent of other transactions 9, which have been received by the filter unit 4 previously. In addition, the filter unit 4 may also be adapted to perform the selective permission of the data comprising the transaction 9 based on other transactions 9, which have been received by the filter unit 4 previ ^¬ ously. In the latter case, these means can be implemented in payment actions, which may only be admissible in the case that a total amount of money spent during a time interval re ^¬ mains below an admissible, predetermined threshold value.

Further, the filter unit 4 may be adapted to selectively per ^¬ mit data received from the second network 6 to be transmitted to the first network 3. In such a case, the respective fil ^¬ tering mechanism may operate bidirectional. Such a mechanism may e.g. be used for blocking data traffic originating from the public network 12 and flowing towards the private network 11. Such a blocked data traffic may e.g. be constructive with respect to malware adapted to damage the private network 11, such as a firm network. In addition, the filter unit 4 may also be adapted for receiving, from a transaction approval unit 10 of the first network 3, instructions for blocking the transaction 9, if the transaction approval unit 10 does not receive a predetermined number of approval messages from re ^¬ spective participants. As can be deduced from Figure 3, the first network 3 config ^¬ ured as a private network 11 may additionally provide for a transaction classification unit 20. Based on this unit, the data may comprise a classification of the transaction 9, and the selective permission of the filter unit 4 may be adapted to be based on the classification of the transaction. Such a classification may e.g. comprise a security label of the transaction 9 and may be used to attribute a level of confi ^¬ dentiality to the respective transactions 9. In addition, the first network 3 configured as a private network 11 may addi- tionally provide for a transaction approval unit 10 adapted to receive a plurality of approvals from different partici ^¬ pants of the private network 11 before a transaction 9 is permitted reaching the blockchain platform 7. Figure 4 represents a flowchart of a method 100 performed by the data communication system 1 according to various examples, wherein - according to this example - the communicated data correspond to a transaction 9. Herein, 110, 150, 160, 165 and 170 refer to the common handling of transactions 9 to be performed in a blockchain environment.

At 110, a transaction 9 is released by a participant of the first network 3, e.g., a private network 11. Subsequently at 120, the released transaction 9 is received by a filter unit 4 connected to the first network 3 via the first interface 2. Subsequently at 130, the filter unit 130 examines whether the received transaction 9 is to be permitted to reach the blockchain platform 7. According to this, transactions 9 received from a first network 3 via a first interface 2 is se- lectively permitted by the filter unit 4.

In case that, based on 130, the transaction 9 is not permit ^¬ ted reaching the blockchain platform 7, the blockchain transaction is blocked at 145 - e.g., discarded or rejected. Oth- erwise and with respect to 140, the transaction 9 is forward ^¬ ed to the blockchain platform 7 via a second interface 5.

At the blockchain platform 7, common transaction 9 handling is performed. The blockchain platform 7 checks the validity of the transaction 7 before including the transaction 9 in a block of the blockchain, confirming the transaction to be valid. At 150, the blockchain platform 7 examines whether the transaction 9 are valid. For this purpose, hash values 15a- 15c may be taken into account, and smart contracts may be processed according to the common proceedings.

In case that, based on 150, the transaction 9 may not be val ^¬ idated, the non-valid transaction 9 is refused at 165. Other ^¬ wise, a block comprising the validated transaction 9 is at- tached to the blockchain 13 at 160 and the transaction 9 is performed .

Subsequently at 170, the method 100 is stopped.