A blockchain-based information security detection system

By combining blockchain technology and a dynamic reputation score calculation module with an evidence assembly and transaction construction module, the problem of efficient and reliable evidence storage of massive amounts of secure data in a distributed network environment has been solved. This has enabled economically feasible and absolutely reliable evidence conversion, thereby improving the judicial acceptance of electronic evidence.

CN122247656A · Pending · Publication Date: 2026-06-19 · ORDOS DIGITAL ECONOMY DEVELOPMENT INVESTMENT CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: ORDOS DIGITAL ECONOMY DEVELOPMENT INVESTMENT CO LTD
Filing Date: 2026-02-26
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies struggle to achieve efficient and reliable storage of massive amounts of heterogeneous security data in distributed network environments, and traditional timestamps are susceptible to tampering, lacking an economically feasible automated triggering mechanism.

Method used

The blockchain-based information security detection system utilizes an off-chain dynamic reputation score calculation module and a threshold crossing trigger mechanism, combined with an evidence assembly and transaction construction module, to generate an absolutely trustworthy timestamp using the blockchain consensus mechanism, thereby achieving the conversion of high-value and relevant evidence.

Benefits of technology

It enables intelligent filtering and high-fidelity conversion of massive amounts of secure data, reduces blockchain transaction costs and storage pressure, enhances the judicial credibility of electronic evidence, and constructs a closed-loop detection system.

Generated by Eureka AI based on patent content.


Abstract

This invention discloses a blockchain-based information security detection system, relating to the field of information security technology. It includes: an off-chain monitoring node that uses a non-linear algorithm to calculate the dynamic reputation score of the monitored entity in real time. A trigger signal is generated only when the reputation score crosses a preset reporting threshold. This trigger signal then backtracks to the local cache and extracts the Merkle root hash of key events and related data, assembling them into a standardized evidence package and constructing a notarization transaction. The notarization smart contract responds to this transaction, recording the evidence package in the blockchain state ledger and reading the current block height as the unique temporal trust benchmark for the evidence package for associated storage. This invention, through the combination of off-chain dynamic risk threshold triggering and on-chain consensus time anchoring, achieves an automated, high-fidelity conversion from dynamic risk states to tamper-proof on-chain evidence, and establishes a network-wide consensus time trust root that does not rely on a single node's clock.

Description

Technical Field

[0001] This invention relates to the field of information security technology, and in particular to an information security detection system based on blockchain.

Background Technology

[0002] In a cybersecurity defense system, real-time detection and reliable evidence storage of security incidents are crucial for tracing attack behavior and securing legal evidence. However, when faced with massive amounts of heterogeneous security data in a distributed network environment, existing detection and evidence storage technologies face irreconcilable systemic contradictions.

[0003] On the one hand, traditional security information and event management systems rely on centralized servers to record logs, which poses a risk that the data can be easily tampered with by insiders or erased by attackers, and lacks sufficient judicial evidentiary value. On the other hand, although introducing blockchain technology can solve the problem of tamper-proofing, directly uploading massive amounts of raw logs to the chain would lead to unacceptable transaction costs and storage pressure, lacking economic feasibility; while selective uploading to the chain often lacks an objective and automated triggering mechanism to define which data is worth uploading, resulting in a disconnect between the evidence storage process and the risk assessment process.

[0004] More critically, existing evidence storage schemes typically rely on the local physical clock of the data acquisition device or upload node to generate timestamps. Because local clocks are susceptible to tampering, rollback, or desynchronization, timestamps based on a single trusted source cannot constitute objective and non-repudiable temporal proof. Therefore, how to achieve the automated conversion from dynamic risk perception to highly reliable on-chain evidence while ensuring system economy, and how to construct a temporal trust root that does not rely on a single node, are urgent technical problems to be solved in this field.

Summary of the Invention

[0005] This invention provides a blockchain-based information security detection system designed to address the lack of a technical solution in existing technologies that can natively bind off-chain dynamic risk assessment with on-chain trusted evidence storage and ensure the absolute reliability of timestamps.

[0006] In view of the above problems, the present invention provides a blockchain-based information security detection system, the system including off-chain monitoring nodes and evidence storage smart contracts deployed on the blockchain network; The off-chain monitoring node includes a processor, a memory, and a communication interface. When the processor executes instructions in the memory, it performs the following modules: The dynamic reputation score calculation module is used to receive security event data streams for the monitored entity and update the entity's dynamic reputation score in real time using a nonlinear algorithm based on the inherent threat level and the spatiotemporal concentration of the events. The threshold crossing trigger module is used to monitor the dynamic reputation score and generate a threshold crossing event signal only when the dynamic reputation score changes from a state higher than the preset reporting threshold to a state less than or equal to the preset reporting threshold. The evidence assembly and transaction construction module is used to respond to the threshold crossing event signal, backtrack the local cache and extract related data, generate a standardized evidence package, and construct a storage transaction request that calls the evidence storage smart contract; The evidence storage smart contract is configured to be executed on a blockchain network for: In response to the notarization transaction request, the evidence package is recorded in the state ledger of the blockchain network; Read the current block height of the record for the evidence storage transaction request, and associate the current block height as the unique temporal trust benchmark for the evidence package.

[0007] Preferably, the dynamic reputation score calculation module is specifically used to calculate the change in reputation score according to the following nonlinear power function formula ( ): Where L is the inherent threat level of the new security event, C is the spatiotemporal concentration of the event, and α is the preset attack mode amplification coefficient, and the value of α is greater than 1.

[0008] Preferably, the spatiotemporal concentration of the event is calculated by counting the total number of similar security events generated by the monitored entity within a preset sliding time window before the current time point.

[0009] Preferably, the dynamic reputation score calculation module is further configured with reputation recovery logic: when the monitored entity does not generate a new security event within a consecutive preset event-free period, the dynamic reputation score of the entity is increased in reverse using a time decay function until it is restored to the preset initial reputation score upper limit.

[0010] Preferably, when generating the evidence package, the evidence assembly and transaction construction module performs the following operations: Backtrack the local log cache of the off-chain monitoring node; Extract the set of all associated security events that caused the dynamic reputation score to drop from its initial value to its current value; A hash operation is performed on the set of associated security events to construct a Merkle tree, and the root hash value of the Merkle tree is encapsulated into the evidence package.

[0011] Preferably, the off-chain monitoring node further includes a policy synchronization module, used for: Periodically read the global configuration parameters in the evidence storage smart contract through the communication interface; Based on the read global configuration parameters, the reporting threshold and the attack mode amplification coefficient stored locally are dynamically updated.

[0012] Preferably, the evidence assembly and transaction construction module is further used for: Before broadcasting the evidence storage transaction request, the evidence package is digitally signed using the private key of the off-chain monitoring node; The evidence storage smart contract also includes permission verification logic, which is used to verify whether the digital signature belongs to a pre-registered authorized monitoring node before recording data.

[0013] Preferably, before encapsulating the evidence package, the evidence assembly and transaction construction module also performs a privacy desensitization operation: identifying sensitive fields in the associated data, and performing one-way hashing or symmetric encryption on the sensitive fields, and encapsulating only the processed ciphertext data into the evidence package.

[0014] Preferably, the evidence storage smart contract utilizes the immutability of the current block height to provide the evidence package with a network-wide consensus timestamp that does not depend on the local clock of any single node.

[0015] The technical solution provided in this application has at least the following technical effects: This invention achieves intelligent filtering and high-fidelity conversion of massive amounts of security data through off-chain nonlinear reputation score calculation and threshold crossing triggering mechanism. Evidence storage is triggered only at the critical moment when the accumulated risk reaches a qualitative change, which significantly reduces the transaction costs and storage pressure of the blockchain, ensuring the economic feasibility of the system, while also guaranteeing the high value and relevance of on-chain evidence.

[0016] This invention utilizes the block height generated by the blockchain consensus mechanism as a timestamp for evidence, thereby eliminating the reliance on the local clock of a single off-chain node. This objective time benchmark, guaranteed by the computing power of the entire network, ensures that the solidified evidence possesses the characteristics of being tamper-proof and non-repudiable in terms of time sequence, significantly improving the judicial credibility of electronic evidence.

[0017] This invention combines Merkle tree tracing, digital signature verification, and dynamic policy synchronization mechanisms to construct a closed-loop detection system with data integrity verification, identity and access control, and adaptive defense strategies. It solves problems such as the disconnect between risk assessment and evidence storage processes, delayed rule updates, and data privacy leaks in existing technologies.

Attached Figure Description

[0018] Figure 1 is a structural diagram of a blockchain-based information security monitoring system provided in an embodiment of the present invention.

Detailed Implementation

[0019] The above technical solutions will now be described in detail with reference to the accompanying drawings and specific embodiments to provide a better understanding of them. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. It should be understood that the present invention is not limited to the exemplary embodiments used only to explain the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort are within the scope of protection of the present invention. Furthermore, it should be noted that, for ease of description, only the parts related to the present invention are shown in the drawings, not all of them.

[0020] Please see Figure 1. The present invention provides a blockchain-based information security detection system, the system comprising off-chain monitoring nodes and evidence storage smart contracts deployed on a blockchain network; The off-chain monitoring node includes a processor, a memory, and a communication interface. When the processor executes instructions in the memory, it performs the following modules: The dynamic reputation score calculation module is used to receive security event data streams for the monitored entity and update the entity's dynamic reputation score in real time using a nonlinear algorithm based on the inherent threat level and the spatiotemporal concentration of the events. The threshold crossing trigger module is used to monitor the dynamic reputation score and generate a threshold crossing event signal only when the dynamic reputation score changes from a state higher than the preset reporting threshold to a state less than or equal to the preset reporting threshold. The evidence assembly and transaction construction module is used to respond to the threshold crossing event signal, backtrack the local cache and extract related data, generate a standardized evidence package, and construct a storage transaction request that calls the evidence storage smart contract; The evidence storage smart contract is configured to be executed on a blockchain network for: In response to the notarization transaction request, the evidence package is recorded in the state ledger of the blockchain network; Read the current block height of the record for the evidence storage transaction request, and associate the current block height as the unique temporal trust benchmark for the evidence package.

[0021] The off-chain monitoring node processor initializes the multi-source heterogeneous data acquisition interface. This interface binds to either a network User Datagram Protocol (UDP) port or a Transmission Control Protocol (TCP) port. The interface continuously listens for and receives raw security event data streams from monitored network devices, servers, or cloud hosts. The off-chain monitoring node processor allocates a fixed-size memory space in its local volatile memory. Within this fixed-size memory space, it constructs a circular buffer. The processor sequentially writes the received raw security event data, along with a nanosecond-level timestamp, to the head pointer position of the circular buffer. When the circular buffer is full, the processor controls new raw security event data to overwrite the oldest data pointed to by the tail pointer of the circular buffer.

[0022] The off-chain monitoring node processor initiates a parsing thread. This thread reads the latest raw security event data from the circular buffer. Based on a predefined binary mask, the parsing thread extracts the source Internet Protocol address, event type code, and attack payload signature from the raw security event data. The off-chain monitoring node processor then accesses a pre-configured threat knowledge base in its local read-only memory. This threat knowledge base stores the intrinsic threat level value L corresponding to the event type code in key-value pairs. Based on the parsed event type code, the off-chain monitoring node processor matches and extracts the corresponding intrinsic threat level value L from the threat knowledge base.

[0023] The off-chain monitoring node processor maintains a deque for each active source Internet Protocol address in its local volatile memory. The deque stores historical timestamps of security events occurring at the source Internet Protocol address within a past period. Whenever a new security event arrives, the off-chain monitoring node processor pushes the current system timestamp onto the tail of the deque. The off-chain monitoring node processor checks the head of the deque for old timestamps. Any old timestamps earlier than the current system time minus a preset sliding window width are removed from the head of the deque. The off-chain monitoring node processor counts the total number of remaining timestamp elements in the deque. The total number of remaining timestamp elements in the deque is determined as the current event spatiotemporal concentration value C.

[0024] The off-chain monitoring node processor reads the current dynamic reputation score corresponding to the source Internet Protocol address from its local volatile memory. The off-chain monitoring node processor loads a preset attack mode amplification factor α. The attack mode amplification factor α is set to a floating-point number greater than 1. The off-chain monitoring node processor performs a non-linear power function operation to calculate the change in reputation score. The off-chain monitoring node processor calculates the change in reputation score based on the following formula. : In the formula, L represents the intrinsic threat level, C represents the event spatiotemporal concentration, and α represents the attack mode amplification coefficient.

[0025] The off-chain monitoring node processor adds the calculated change in reputation score to the current dynamic reputation score to obtain the updated dynamic reputation score. The off-chain monitoring node processor writes the updated dynamic reputation score back to local volatile memory, overwriting the current dynamic reputation score.

[0026] The off-chain monitoring node processor runs a reputation recovery daemon thread. This daemon thread scans all recorded source Internet Protocol address objects (IPAs) in local volatile memory at preset time intervals. For each IPA object, the reputation recovery daemon thread compares the current system time with the timestamp of the last recorded security event for that IPA object. If the difference between the current system time and the timestamp of the last recorded security event exceeds a preset silence period threshold, the off-chain monitoring node processor executes a recovery function.

[0027] The execution process of the recovery function is as follows: The off-chain monitoring node processor reads the current dynamic reputation score of the source Internet Protocol address object. The off-chain monitoring node processor adds the product of the preset recovery rate factor and the difference to the current dynamic reputation score. The off-chain monitoring node processor determines whether the calculation result exceeds the preset initial reputation score limit. If the calculation result does not exceed the preset initial reputation score limit, the off-chain monitoring node processor updates the calculation result to the dynamic reputation score of the source Internet Protocol address object. If the calculation result exceeds the preset initial reputation score limit, the off-chain monitoring node processor updates the preset initial reputation score limit to the dynamic reputation score of the source Internet Protocol address object.

[0028] The off-chain monitoring node processor runs a status monitor thread. At the end of each computation cycle, the status monitor thread reads the current dynamic reputation score of the monitored entity. The off-chain monitoring node processor simultaneously reads the historical dynamic reputation score of the monitored entity from its local volatile memory in the previous computation cycle. The off-chain monitoring node processor loads the preset reporting threshold. The off-chain monitoring node processor performs a logical comparison operation. The judgment condition for the logical comparison operation is: the historical dynamic reputation score is greater than the reporting threshold, and the current dynamic reputation score is less than or equal to the reporting threshold.

[0029] When the logical comparison operation returns true, the off-chain monitoring node processor determines that a threshold crossing event has occurred. The off-chain monitoring node processor immediately generates a single-pulse trigger signal. The trigger signal contains the unique identifier of the monitored entity and a nanosecond-level timestamp of the trigger moment. If the current dynamic reputation score continuously remains less than or equal to the reporting threshold, the off-chain monitoring node processor does not generate new trigger signals in subsequent calculation cycles.
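The sliding-window concentration, score update, recovery pass and single-pulse trigger of paragraphs [0023] to [0029], as an added Python sketch that is not part of the patent text. All class names, function names and parameter values are constructed for illustration, and `assumed_delta` is an assumed stand-in for the power-function formula, which is not reproduced on this page.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed parameters for illustration; none of these values come from the patent.
INITIAL_SCORE = 100.0    # preset initial reputation score upper limit
REPORT_THRESHOLD = 60.0  # preset reporting threshold
ALPHA = 1.5              # attack mode amplification coefficient (> 1)
WINDOW = 60.0            # sliding window width, seconds
SILENCE = 300.0          # silence period threshold, seconds
RECOVERY_RATE = 0.01     # recovery rate factor, points per second of silence


def assumed_delta(level, concentration, alpha):
    """ASSUMED stand-in: the page's power-function formula is not reproduced on it."""
    return -level * concentration ** alpha


@dataclass
class Entity:
    score: float = INITIAL_SCORE
    previous: float = INITIAL_SCORE          # score in the previous computation cycle
    stamps: deque = field(default_factory=deque)
    last_event: float = 0.0


class ReputationMonitor:
    def __init__(self, delta_fn=assumed_delta):
        self.entities = {}
        self.delta_fn = delta_fn
        self.signals = []                    # (entity id, trigger time) pulses

    def on_event(self, source, level, now):
        """Update C and the score for one event; return True if a pulse fired."""
        e = self.entities.setdefault(source, Entity())
        e.stamps.append(now)
        while e.stamps[0] < now - WINDOW:    # drop timestamps that left the window
            e.stamps.popleft()
        concentration = len(e.stamps)        # C: events still inside the window
        e.previous, e.last_event = e.score, now
        e.score += self.delta_fn(level, concentration, ALPHA)
        return self._crossed(source, e, now)

    def _crossed(self, source, e, now):
        # Edge trigger: above the threshold last cycle, at or below it now.
        fired = e.previous > REPORT_THRESHOLD and e.score <= REPORT_THRESHOLD
        if fired:
            self.signals.append((source, now))
        return fired

    def recover(self, now):
        """Recovery pass: raise scores of silent entities, capped at the initial limit."""
        for e in self.entities.values():
            silent_for = now - e.last_event
            if silent_for > SILENCE:
                e.previous = e.score
                e.score = min(INITIAL_SCORE, e.score + RECOVERY_RATE * silent_for)


def demo():
    burst, spread = ReputationMonitor(), ReputationMonitor()
    src = "203.0.113.7"                      # constructed documentation address
    fired = [burst.on_event(src, 5, t) for t in (0.0, 1.0, 2.0, 3.0)]
    burst.recover(5003.0)                    # long silence lifts the score above 60
    fired.append(burst.on_event(src, 5, 5004.0))
    for t in (0.0, 120.0, 240.0, 360.0):     # same events, one per window
        spread.on_event(src, 5, t)
    return fired, burst.signals, spread.entities[src].score, spread.signals


if __name__ == "__main__":
    print(demo())
```

In the burst run the pulse fires once on the third event and stays silent on the fourth, because the score was already at or below the threshold; it can fire again only after recovery has lifted the score back above the threshold.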

[0030] The off-chain monitoring node processor receives a trigger signal. Based on the unique identifier in the trigger signal, the off-chain monitoring node processor locks the data region in the circular buffer related to the monitored entity. The off-chain monitoring node processor extracts the most recent security event directly causing the threshold crossing event from the circular buffer as the critical security event. The off-chain monitoring node processor backtracks through historical data in the circular buffer. The off-chain monitoring node processor identifies and extracts all associated security events from the moment the current dynamic reputation score begins to decline until the moment the threshold crossing event occurs. The critical security event and associated security events together constitute the associated security event set.

[0031] The off-chain monitoring node processor performs a hash operation on each security event data in the associated security event set. The hash operation uses a 256-bit version of the secure hash algorithm. The hash value generated by the hash operation serves as the leaf node of the Merkle tree. The off-chain monitoring node processor concatenates the hash values of adjacent leaf nodes pairwise. The off-chain monitoring node processor then performs the 256-bit version of the secure hash algorithm again on the concatenated data to generate the parent node hash value. The off-chain monitoring node processor repeats the concatenation and hash operation steps until a unique Merkle tree root hash value is calculated.
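The Merkle root construction of paragraph [0031], as an added Python example that is not part of the patent text. It goes one step further than the paragraph and also builds and checks an inclusion proof, which is how a reviewer holding one off-chain event can test it against the root stored on chain. The function names, the sample log lines and the rule of pairing an odd node with itself are assumptions; the page does not say how an odd number of nodes is handled.

```python
import hashlib
import hmac

EVENTS = [  # constructed sample log lines, not data from the patent
    b"t=1767225601 src=203.0.113.7 type=0x11 sig=a1",
    b"t=1767225602 src=203.0.113.7 type=0x11 sig=a1",
    b"t=1767225604 src=203.0.113.7 type=0x2c sig=b7",
    b"t=1767225609 src=203.0.113.7 type=0x2c sig=b7",
    b"t=1767225611 src=203.0.113.7 type=0x30 sig=c3",
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_levels(events):
    """Return every tree level, leaves first, root level last."""
    if not events:
        raise ValueError("cannot build a Merkle tree over an empty event set")
    level = [sha256(e) for e in events]      # leaf = SHA-256 of the event bytes
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                   # ASSUMPTION: odd node is paired with itself
            level = level + [level[-1]]
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(events) -> bytes:
    return build_levels(events)[-1][0]


def inclusion_proof(events, index):
    """Sibling hashes from leaf to root, each tagged with the side the sibling is on."""
    proof = []
    for level in build_levels(events)[:-1]:
        sibling = index ^ 1
        if sibling >= len(level):            # last node of an odd level: its own sibling
            sibling = index
        side = "L" if sibling < index else "R"
        proof.append((side, level[sibling]))
        index //= 2
    return proof


def verify_inclusion(event: bytes, proof, root: bytes) -> bool:
    """Recompute the path from one event to the root and compare in constant time."""
    node = sha256(event)
    for side, sibling in proof:
        node = sha256(sibling + node) if side == "L" else sha256(node + sibling)
    return hmac.compare_digest(node, root)


if __name__ == "__main__":
    root = merkle_root(EVENTS)
    print("root:", root.hex())
    print("event 4 included:", verify_inclusion(EVENTS[4], inclusion_proof(EVENTS, 4), root))
```

Under the pair-with-itself assumption a set of three events and the same set with the last event repeated produce the same root, so the root alone does not fix the number of events; storing the event count next to the root in the evidence package closes that gap.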

[0032] The off-chain monitoring node processor scans the raw data in the associated security event set. It identifies sensitive information in the data based on a predefined list of sensitive fields. This list includes the source Internet Protocol address, attack payload content, and user login credentials. For each identified sensitive field, the off-chain monitoring node processor generates a random salt value. This random salt value is appended to the end of the sensitive field data. Finally, the off-chain monitoring node processor performs a one-way hash operation or Advanced Encryption Standard (AES) symmetric encryption on the appended data.

[0033] The off-chain monitoring node processor replaces sensitive fields in the original data with ciphertext data generated through computation. The off-chain monitoring node processor then marks the associated security event set containing the ciphertext data as a de-identified dataset. This de-identified dataset is used for subsequent evidence packet encapsulation, ensuring that the original sensitive information does not leave the local controlled environment of the off-chain monitoring node.

[0034] The off-chain monitoring node processor constructs a standardized data structure object in its local memory. This data structure object uses either a JavaScript object notation format or a protocol buffer format. The off-chain monitoring node processor populates the critical event field of the data structure object with detailed information about key security events. The off-chain monitoring node processor populates the associated digest field of the data structure object with the calculated Merkle root hash value. The off-chain monitoring node processor populates the node identity field of the data structure object with the device unique identifier of the off-chain monitoring node. The completed data structure object is then defined as a packet to be sent.

[0035] The off-chain monitoring node processor invokes the onboard secure encryption coprocessor or trusted platform module. The off-chain monitoring node processor retrieves the asymmetric private key from the secure storage area of the secure encryption coprocessor or trusted platform module. The off-chain monitoring node processor uses the asymmetric private key to perform an elliptic curve digital signature algorithm operation on the binary data of the evidence packet to be sent. The resulting digital signature data is appended to the end of the evidence packet to be sent by the off-chain monitoring node processor. The evidence packet to be sent with the digital signature appended is marked as a signed evidence packet.

[0036] The off-chain monitoring node processor invokes the blockchain client software development kit. It reads the deployment address of the evidence storage smart contract stored in its local configuration. Using the application binary interface (ABI) encoding rules, it serializes the signed evidence package into a hexadecimal string. Finally, it concatenates the function selector of the evidence storage function in the smart contract with the serialized hexadecimal string to generate the transaction data payload.

[0037] The off-chain monitoring node processor constructs an unsigned blockchain transaction object. This unsigned transaction object includes the target address, transaction value, gas limit, and transaction data payload. The off-chain monitoring node processor uses its blockchain account private key to sign the unsigned transaction object, generating a signed blockchain transaction. The off-chain monitoring node processor then sends the signed blockchain transaction to the access node of the blockchain network via a remote procedure call interface. The access node performs basic format verification on the signed blockchain transaction. Upon successful verification, the access node broadcasts the signed blockchain transaction to other nodes in the blockchain network via a peer-to-peer network protocol.

[0038] In the blockchain network, validator nodes select signed blockchain transactions from the pool of transactions to be confirmed. The validator nodes then launch the blockchain virtual machine execution environment. The blockchain virtual machine loads the bytecode deployed at the address of the evidence storage smart contract. The blockchain virtual machine parses the transaction data payload from the signed blockchain transaction. The blockchain virtual machine identifies the call instructions for the evidence storage function. Before executing the main logic of the evidence storage function, the blockchain virtual machine first executes the permission modifier logic.

[0039] The permission modifier logic invokes the elliptic curve signature recovery function. The elliptic curve signature recovery function takes the original data hash value and digital signature data of the signed evidence package as input parameters to calculate the signer's blockchain account address. The blockchain virtual machine reads the authorized monitoring node whitelist mapping table from the evidence storage smart contract state storage area. The blockchain virtual machine compares the calculated signer's blockchain account address with the address in the authorized monitoring node whitelist mapping table. If the comparison result shows that the signer's blockchain account address does not exist in the authorized monitoring node whitelist mapping table, the blockchain virtual machine immediately rolls back the transaction and throws an exception. If the comparison result matches, the blockchain virtual machine continues to execute the main logic of the evidence storage function. The blockchain virtual machine allocates a new storage slot in the evidence storage smart contract state storage area. The blockchain virtual machine writes the key security event details and Merkle root hash value from the signed evidence package into the key-value mapping structure corresponding to the storage slot.

[0040] During the execution of the notarization function, the blockchain virtual machine accesses the current execution context. The current execution context contains the header information of the block currently being built. The blockchain virtual machine reads the block height variable from the block header information. The block height variable represents the sequence number of the current block in the blockchain. This sequence number is guaranteed to be unique and unidirectionally increasing by the blockchain network's consensus algorithm mechanism, and cannot be modified by any single node after the block is confirmed.

[0041] The blockchain virtual machine (VM) forcibly converts the read block height variable into an unsigned integer. It then assigns this unsigned integer to the timestamp attribute field of the evidence structure defined in the evidence storage smart contract. The evidence structure contains details of the written key security events, the Merkle root hash value, and the timestamp attribute field. The VM persistently stores the complete evidence structure in the blockchain's global state tree. At this point, a permanent hard-binding relationship is established between the timing information of the evidence package and the consensus block height of the blockchain, forming an objective timing trust root independent of the local clock of off-chain monitoring nodes. The VM triggers the on-chain event log, broadcasting a notification of evidence storage completion containing the block height and evidence digest.

[0042] The system administrator's blockchain account initiates a policy update request. The system administrator's blockchain account digitally signs the policy update transaction using the system administrator's private key. The policy update transaction contains a call instruction to the global parameter configuration function in the evidence storage smart contract. The global parameter configuration function receives the new attack mode amplification factor α value and the new reporting threshold value as input parameters.

[0043] The blockchain virtual machine executes the global parameter configuration function. First, the blockchain virtual machine compares the transaction initiator's address with the preset administrator address in the evidence storage smart contract storage area. After successful verification, the blockchain virtual machine locates the global configuration state variables in the blockchain state storage area. The blockchain virtual machine overwrites the original values in the global configuration state variables with the new attack mode amplification coefficient α value and the new reporting threshold value. The blockchain virtual machine triggers a configuration update event log.

[0044] The off-chain monitoring node processor runs a policy synchronization thread. This thread maintains a network connection with the blockchain access node via a remote procedure call interface. The policy synchronization thread is configured for either a timed polling mode or an event subscription mode. In timed polling mode, the thread calls the parameter query function of the evidence storage smart contract at preset time intervals to obtain the current value in the global configuration state variables. In event subscription mode, the thread continuously listens for configuration update event logs broadcast on the blockchain network.

[0045] When the policy synchronization thread obtains a new attack mode amplification factor α or a new reporting threshold, it sends a parameter update signal to the off-chain monitoring node processor. The off-chain monitoring node processor accesses the configuration parameter storage area in its local volatile memory using atomic write operations or read-write lock mechanisms. The off-chain monitoring node processor writes the new parameter values to the configuration parameter storage area, replacing the old values. When the dynamic reputation score calculation module reads the configuration parameter storage area in the next calculation cycle, it automatically loads the new attack mode amplification factor α and the reporting threshold. The off-chain monitoring node processor can thus hot-update policy parameters dynamically without stopping the data acquisition or analysis threads.
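An added sketch of the hot-update step in [0045], not code from the patent: it takes the atomic-write option and publishes α and the reporting threshold as one immutable snapshot, so a calculation cycle never mixes values from two updates. The names `Policy`, `PolicyStore` and `count_torn_reads`, and the use of the update's block height as a monotonic `version`, are assumptions.

```python
import math
import threading
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Immutable snapshot: alpha and threshold are always replaced as a pair."""
    alpha: float      # attack mode amplification factor (claim 2 requires > 1)
    threshold: float  # reporting threshold
    version: int      # assumption: block height of the configuration update event

class PolicyStore:
    """Stand-in for the configuration parameter storage area in local memory."""
    def __init__(self, initial: Policy):
        self._current = initial
        self._write_lock = threading.Lock()  # serialises writers; readers never block

    def load(self) -> Policy:
        # One reference read: a calculation cycle sees the old pair or the new
        # pair, never alpha from one update and the threshold from another.
        return self._current

    def apply_update(self, alpha: float, threshold: float, version: int) -> bool:
        """Called by the policy synchronization thread; True if the update was applied."""
        if not (math.isfinite(alpha) and alpha > 1.0 and math.isfinite(threshold)):
            return False  # malformed value from the chain: keep the old policy
        with self._write_lock:
            if version <= self._current.version:
                return False  # stale poll result or replayed event log
            self._current = Policy(alpha, threshold, version)
            return True

def count_torn_reads(store: PolicyStore, updates: int = 500) -> int:
    """Hot-update while a reader thread runs; count reads that mix two updates."""
    torn, done = 0, threading.Event()
    def reader():
        nonlocal torn
        while not done.is_set():
            p = store.load()                 # snapshot once per calculation cycle
            if p.threshold != p.alpha * 10:  # constructed invariant for this demo
                torn += 1
    worker = threading.Thread(target=reader)
    worker.start()
    for i in range(updates):
        alpha = 1.5 + i % 7                  # constructed values, always > 1
        store.apply_update(alpha, alpha * 10, store.load().version + 1)
    done.set()
    worker.join()
    return torn
```

Rejecting versions that do not increase matters in polling mode, where a slow query can return after a newer event has already been applied.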

[0046] The above embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A blockchain-based information security detection system, characterized in that the system includes off-chain monitoring nodes and evidence storage smart contracts deployed on the blockchain network; the off-chain monitoring node includes a processor, a memory, and a communication interface, and when the processor executes instructions in the memory, it runs the following modules: a dynamic reputation score calculation module, used to receive security event data streams for the monitored entity and update the entity's dynamic reputation score in real time using a nonlinear algorithm based on the inherent threat level and the spatiotemporal concentration of the events; a threshold crossing trigger module, used to monitor the dynamic reputation score and generate a threshold crossing event signal only when the dynamic reputation score changes from a state higher than the preset reporting threshold to a state less than or equal to the preset reporting threshold; and an evidence assembly and transaction construction module, used to respond to the threshold crossing event signal, backtrack the local cache and extract related data, generate a standardized evidence package, and construct a storage transaction request that calls the evidence storage smart contract; the evidence storage smart contract is configured to be executed on a blockchain network to: in response to the notarization transaction request, record the evidence package in the state ledger of the blockchain network; and read the current block height of the record for the evidence storage transaction request, and associate the current block height as the unique temporal trust benchmark for the evidence package.

2. The information security detection system based on blockchain according to claim 1, characterized in that the dynamic reputation score calculation module is specifically used to calculate the change in reputation score according to the following nonlinear power function formula ( ): where L is the inherent threat level of the new security event, C is the spatiotemporal concentration of the event, and α is the preset attack mode amplification coefficient, and the value of α is greater than 1.

3. The information security detection system based on blockchain according to claim 2, characterized in that the spatiotemporal concentration of the event is calculated as follows: count the total number of similar security events generated by the monitored entity within a preset sliding time window before the current time point.

4. The information security detection system based on blockchain according to claim 2, characterized in that the dynamic reputation score calculation module is also configured with reputation recovery logic: when the monitored entity does not generate a new security event within a consecutive preset event-free period, the dynamic reputation score of the entity is increased in reverse using a time decay function until it is restored to the preset initial reputation score upper limit.

5. The information security detection system based on blockchain according to claim 1, characterized in that, when generating the evidence package, the evidence assembly and transaction construction module performs the following operations: backtrack the local log cache of the off-chain monitoring node; extract the set of all associated security events that caused the dynamic reputation score to drop from its initial value to its current value; and perform a hash operation on the set of associated security events to construct a Merkle tree, and encapsulate the root hash value of the Merkle tree into the evidence package.

6. The information security detection system based on blockchain according to claim 1, characterized in that the off-chain monitoring node also includes a policy synchronization module, used for: periodically reading the global configuration parameters in the evidence storage smart contract through the communication interface; and, based on the read global configuration parameters, dynamically updating the reporting threshold and the attack mode amplification coefficient stored locally.

7. The information security detection system based on blockchain according to claim 1, characterized in that the evidence assembly and transaction construction module is also used for: before broadcasting the evidence storage transaction request, digitally signing the evidence package using the private key of the off-chain monitoring node; and the evidence storage smart contract also includes permission verification logic, which is used to verify whether the digital signature belongs to a pre-registered authorized monitoring node before recording data.

8. The information security detection system based on blockchain according to claim 1, characterized in that, before encapsulating the evidence package, the evidence assembly and transaction construction module also performs a privacy desensitization operation: identifying sensitive fields in the associated data and performing one-way hashing or symmetric encryption on the sensitive fields, and only encapsulating the processed ciphertext data into the evidence package.

9. The information security detection system based on blockchain according to claim 1, characterized in that the evidence storage smart contract utilizes the immutability of the current block height to provide the evidence package with a network-wide consensus timestamp that does not depend on the local clock of any single node.
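The threshold crossing trigger of claim 1 and the sliding-window count of claim 3, as an added example that is not part of the patent text. The penalty `level * c ** alpha` stands in for the claim 2 formula, which this page does not reproduce, and the additive `recover` step stands in for the unspecified time decay function of claim 4; all class and method names are hypothetical.

```python
from collections import defaultdict, deque

class ReputationMonitor:
    """Off-chain scoring with an edge-triggered report signal (claims 1 to 4)."""

    def __init__(self, alpha=2.0, threshold=60.0, window=60.0, initial=100.0):
        self.alpha, self.threshold = alpha, threshold
        self.window, self.initial = window, initial
        self.score = defaultdict(lambda: initial)
        self.recent = defaultdict(deque)  # (entity, event kind) -> timestamps

    def concentration(self, entity, kind, now):
        """Claim 3: similar events in the sliding window, current one included."""
        q = self.recent[(entity, kind)]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()  # bounded memory: expired timestamps are dropped
        return len(q)

    def observe(self, entity, kind, level, now):
        """Apply one event; True only when the score crosses the threshold downward."""
        before = self.score[entity]
        c = self.concentration(entity, kind, now)
        # Assumed stand-in for the claim 2 power function, which the page omits.
        after = max(0.0, before - level * c ** self.alpha)
        self.score[entity] = after
        return before > self.threshold >= after

    def recover(self, entity, amount):
        """Claim 4 stand-in: raise the score, capped at the initial upper limit."""
        self.score[entity] = min(self.initial, self.score[entity] + amount)

def replay_constructed_burst():
    """Constructed stream: five failures 10 s apart, recovery, one late event."""
    mon = ReputationMonitor()
    signals = [mon.observe("host-a", "ssh_fail", 2, t) for t in (0, 10, 20, 30, 40)]
    mon.recover("host-a", 100.0)
    signals.append(mon.observe("host-a", "ssh_fail", 2, 200))
    return signals, mon.score["host-a"]
```

Only the fourth event raises a signal: the fifth lands while the score is already below the threshold, so a sustained burst produces one storage transaction rather than one per event.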
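Claim 5's Merkle root, as an added example rather than the patent's own construction, extended with the inclusion proof that lets one disclosed event be checked against the root stored on chain. The page fixes neither the hash nor the tree layout, so SHA-256, canonical JSON leaves, the 0x00/0x01 domain tags and promotion of an unpaired node are assumptions, as are all function names.

```python
import hashlib
import json

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(event: dict) -> bytes:
    # Canonical JSON so every verifier hashes identical bytes; 0x00 tags a leaf.
    blob = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(b"\x00" + blob)

def _parent(left: bytes, right: bytes) -> bytes:
    # 0x01 tags an inner node, so an inner node can never be passed off as a leaf.
    return _sha256(b"\x01" + left + right)

def merkle_levels(events: list) -> list:
    """All tree levels, leaves first; the last level holds only the root."""
    if not events:
        raise ValueError("an evidence package needs at least one event")
    levels = [[leaf_hash(e) for e in events]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_parent(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # unpaired node is promoted, not duplicated
        levels.append(nxt)
    return levels

def merkle_root(events: list) -> bytes:
    return merkle_levels(events)[-1][0]

def inclusion_proof(events: list, index: int) -> list:
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in merkle_levels(events)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(event: dict, proof: list, root: bytes) -> bool:
    """Recompute the path for one disclosed event against the on-chain root."""
    node = leaf_hash(event)
    for sibling, sibling_is_left in proof:
        node = _parent(sibling, node) if sibling_is_left else _parent(node, sibling)
    return node == root
```

Promoting the unpaired node instead of duplicating it means an event set with a repeated final event cannot share a root with the set without it.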