TraceBlock: Cyberattack Traceback System Based on Blockchain

Dagula; Lei Xu; Keke Gai; Liehuang Zhu

doi:10.1007/978-3-032-21600-7_2

TraceBlock: Cyberattack Traceback System Based on Blockchain

Dagula
, Lei Xu^*
, Keke Gai
, Liehuang Zhu

^*Corresponding author for this work

Beijing Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

With the continuous development of cyberattack techniques, attack provenance graph has become an important tool for network defense decision-making. Although existing research has made progress in the logical representation and automatic generation of provenance graphs, the provenance graphs constructed by single organization cannot support collaborative traceability. This paper proposes a blockchain-based cyberattack traceback system called TraceBlock to enable the sharing of graphs across multiple organizations. In TraceBlock system, alert records, which are raw data for contracting, are generated by hosts, securely transmitted by oracle, and filtered by CTI filter. The CTI filter uses a pre-trained model to identify critical threat intelligences (CTIs) and uploads CTIs to the blockchain network. Three smart contracts are deployed on the blockchain network, respectively responsible for CTI verification, provenance graph construction, and subgraph extraction. We conduct simulations using an open-source blockchain platform and the DARPA 1999 dataset. The results demonstrate the feasibility of the proposed system.

Original language	English
Title of host publication	Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings
Editors	Weizhi Meng, Qingni Shen, Tao Zhang, Jing Yu
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	17-34
Number of pages	18
ISBN (Print)	9783032215994
DOIs	https://doi.org/10.1007/978-3-032-21600-7_2
Publication status	Published - 2026
Externally published	Yes
Event	4th International Conference on Advanced Security on Software and Systems, ASSS 2025 - Guilin, China Duration: 3 Dec 2025 → 5 Dec 2025

Publication series

Name	Communications in Computer and Information Science
Volume	2903 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	4th International Conference on Advanced Security on Software and Systems, ASSS 2025
Country/Territory	China
City	Guilin
Period	3/12/25 → 5/12/25

Keywords

Blockchain
Provenance graph
Smart Contract
Subgraph extraction

Access to Document

10.1007/978-3-032-21600-7_2

Cite this

Dagula, Xu, L., Gai, K., & Zhu, L. (2026). TraceBlock: Cyberattack Traceback System Based on Blockchain. In W. Meng, Q. Shen, T. Zhang, & J. Yu (Eds.), Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings (pp. 17-34). (Communications in Computer and Information Science; Vol. 2903 CCIS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-21600-7_2

Dagula, ; Xu, Lei ; Gai, Keke et al. / TraceBlock : Cyberattack Traceback System Based on Blockchain. Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings. editor / Weizhi Meng ; Qingni Shen ; Tao Zhang ; Jing Yu. Springer Science and Business Media Deutschland GmbH, 2026. pp. 17-34 (Communications in Computer and Information Science).

@inproceedings{40c8b68142cf4e288a721544c7a67aea,

title = "TraceBlock: Cyberattack Traceback System Based on Blockchain",

abstract = "With the continuous development of cyberattack techniques, attack provenance graph has become an important tool for network defense decision-making. Although existing research has made progress in the logical representation and automatic generation of provenance graphs, the provenance graphs constructed by single organization cannot support collaborative traceability. This paper proposes a blockchain-based cyberattack traceback system called TraceBlock to enable the sharing of graphs across multiple organizations. In TraceBlock system, alert records, which are raw data for contracting, are generated by hosts, securely transmitted by oracle, and filtered by CTI filter. The CTI filter uses a pre-trained model to identify critical threat intelligences (CTIs) and uploads CTIs to the blockchain network. Three smart contracts are deployed on the blockchain network, respectively responsible for CTI verification, provenance graph construction, and subgraph extraction. We conduct simulations using an open-source blockchain platform and the DARPA 1999 dataset. The results demonstrate the feasibility of the proposed system.",

keywords = "Blockchain, Provenance graph, Smart Contract, Subgraph extraction",

author = "Dagula and Lei Xu and Keke Gai and Liehuang Zhu",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.; 4th International Conference on Advanced Security on Software and Systems, ASSS 2025 ; Conference date: 03-12-2025 Through 05-12-2025",

year = "2026",

doi = "10.1007/978-3-032-21600-7\_2",

language = "English",

isbn = "9783032215994",

series = "Communications in Computer and Information Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "17--34",

editor = "Weizhi Meng and Qingni Shen and Tao Zhang and Jing Yu",

booktitle = "Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings",

address = "Germany",

}

Dagula, , Xu, L , Gai, K & Zhu, L 2026, TraceBlock: Cyberattack Traceback System Based on Blockchain. in W Meng, Q Shen, T Zhang & J Yu (eds), Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings. Communications in Computer and Information Science, vol. 2903 CCIS, Springer Science and Business Media Deutschland GmbH, pp. 17-34, 4th International Conference on Advanced Security on Software and Systems, ASSS 2025, Guilin, China, 3/12/25. https://doi.org/10.1007/978-3-032-21600-7_2

TraceBlock: Cyberattack Traceback System Based on Blockchain. / Dagula, ; Xu, Lei ; Gai, Keke et al.
Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings. ed. / Weizhi Meng; Qingni Shen; Tao Zhang; Jing Yu. Springer Science and Business Media Deutschland GmbH, 2026. p. 17-34 (Communications in Computer and Information Science; Vol. 2903 CCIS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - TraceBlock

T2 - 4th International Conference on Advanced Security on Software and Systems, ASSS 2025

AU - Dagula,

AU - Xu, Lei

AU - Gai, Keke

AU - Zhu, Liehuang

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

PY - 2026

Y1 - 2026

N2 - With the continuous development of cyberattack techniques, attack provenance graph has become an important tool for network defense decision-making. Although existing research has made progress in the logical representation and automatic generation of provenance graphs, the provenance graphs constructed by single organization cannot support collaborative traceability. This paper proposes a blockchain-based cyberattack traceback system called TraceBlock to enable the sharing of graphs across multiple organizations. In TraceBlock system, alert records, which are raw data for contracting, are generated by hosts, securely transmitted by oracle, and filtered by CTI filter. The CTI filter uses a pre-trained model to identify critical threat intelligences (CTIs) and uploads CTIs to the blockchain network. Three smart contracts are deployed on the blockchain network, respectively responsible for CTI verification, provenance graph construction, and subgraph extraction. We conduct simulations using an open-source blockchain platform and the DARPA 1999 dataset. The results demonstrate the feasibility of the proposed system.

AB - With the continuous development of cyberattack techniques, attack provenance graph has become an important tool for network defense decision-making. Although existing research has made progress in the logical representation and automatic generation of provenance graphs, the provenance graphs constructed by single organization cannot support collaborative traceability. This paper proposes a blockchain-based cyberattack traceback system called TraceBlock to enable the sharing of graphs across multiple organizations. In TraceBlock system, alert records, which are raw data for contracting, are generated by hosts, securely transmitted by oracle, and filtered by CTI filter. The CTI filter uses a pre-trained model to identify critical threat intelligences (CTIs) and uploads CTIs to the blockchain network. Three smart contracts are deployed on the blockchain network, respectively responsible for CTI verification, provenance graph construction, and subgraph extraction. We conduct simulations using an open-source blockchain platform and the DARPA 1999 dataset. The results demonstrate the feasibility of the proposed system.

KW - Blockchain

KW - Provenance graph

KW - Smart Contract

KW - Subgraph extraction

UR - https://www.scopus.com/pages/publications/105039851772

U2 - 10.1007/978-3-032-21600-7_2

DO - 10.1007/978-3-032-21600-7_2

M3 - Conference contribution

AN - SCOPUS:105039851772

SN - 9783032215994

T3 - Communications in Computer and Information Science

SP - 17

EP - 34

BT - Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings

A2 - Meng, Weizhi

A2 - Shen, Qingni

A2 - Zhang, Tao

A2 - Yu, Jing

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 3 December 2025 through 5 December 2025

ER -

Dagula , Xu L , Gai K , Zhu L. TraceBlock: Cyberattack Traceback System Based on Blockchain. In Meng W, Shen Q, Zhang T, Yu J, editors, Advanced Security on Software and Systems - International Conference, ASSS 2025, Proceedings. Springer Science and Business Media Deutschland GmbH. 2026. p. 17-34. (Communications in Computer and Information Science). doi: 10.1007/978-3-032-21600-7_2