Blockchain enabled Adversarial Threat Intelligence Sharing for Robust Ransomware Detection in Air Gaps
This repository contains code and supporting files for the novel hybrid cybersecurity PoC (proof of concept) of the following journal arcticle:
The proposed system architecture, as provided below (Figure 1 in paper), is a PoC conceptualized as a network of simulated nodes of Permissioned Mission Critical Service Operator (PMCSO). PMCSOs are interconnected via a private blockchain, functioning as an immutable ledger. They share adversarial threat intelligence. This architecture allows deployment in restricted connectivity environments, such as air gaps.
The architecture visually presents the flow: Local ML Detection → Evasion → Adversarial Intelligence Generation → Blockchain Submission → Blockchain Retrieval → ML Model Fine-tuning → Enhanced Robustness across multiple simulated nodes.
main.ipynb: Main file with data preprocessing, model training, adversarial attacks, blockchain integration and evaluationRansomware_headers.csv: Real world dataset that was ued training and testing of ML models (source)ThreatIntelLedger_abi.json: Application Binary Interface (ABI) of smart contract (Solidity)ThreatIntelLedger_bytecode.txt: Bytecode of smart contractrequirements.txt: List of required Python libraries to run Jupyter Notebookcharts/: Contains the Draw.io diagram as well as the PNG/SVG plots generated by running notebook (robustness and accuracy visualizations)
The provided devcontainer in this repo is meant to run in GitHub Codespaces. This is the prefered enviornment for reproduction and evalution, over a local set-up.
Disclaimer: Billing of GitHub Codespaces is per user. User launching pays for their own usage.
- The devcontainer upgrades base Debian packages (
apt-get dist-upgrade) to pull patched system libraries (such as OpenEXR, tar, libwmf) and refreshesnpm/ganacheto pick up fixes for vulnerable transitive dependencies (cross-spawn,glob,brace-expansion) - To rebuild the Codespace/container:
Ctrl+Shift+P→ “Dev Containers: Rebuild Container” (or to re-create the Codespace)
To run this repository the following development (see requirements.txt and .devcontainer/devcontainer.json) environment is required which includes:
- Python (3.11+): Libraries specified in
requirements.txt - Jupyter Notebook or JupyterLab
- Node.js + npm: Required to run Ganache CLI
- Ganache CLI: A personal Ethereum blockchain for development. Install it using npm:
npm install -g ganache - A Solidity development environment like Remix IDE for contract development and compilation (optional, only if re-compiling the contract)
-
Clone repo
git clone https://github.com/hauni97/Blockchain-enabled-Adversarial-Threat-Intelligence-Sharing-for-Robust-Ransomware-Detection-air-gaps cd Blockchain-enabled-Adversarial-Threat-Intelligence-Sharing-for-Robust-Ransomware-Detection-air-gaps -
Get dependencies
pip install -r requirements.txt
-
Start Ganache
ganache
Local blockchain will usually be on
http://127.0.0.1:8545 -
Open & run Jupyter Notebook
jupyter notebook main.ipynb
Follow instructions in notebook to execute cells sequentially
Observed variation in outcomes from experimental runs are due to nondeterminism during model training. Including random parameter initiation and data shuffling and differences in the execution environment, such as library version mismatches. Furthermore, floating point arithmetic behavior or multithreaded execution order. To mitigate variances from experimental:
- Restart Jupyter Notebook kernel + run all cells sequentially in
main.ipynb - Use provided devcontainer/Codespaces environment to match Python and dependency versions
- Keep RNG seeding enabled (see the “Reproducibility Notes” section in
main.ipynb) - Avoid re-running partial cell ranges that advance the RNG state
This work is licensed under the MIT License.
