The exponential growth of sophisticated cyber threats in Internet of Things (IoT) environments has exposed fundamental weaknesses in existing Cyber Threat Intelligence (CTI) platforms, including centralized architectures, trust deficits, privacy vulnerabilities, and single points of failure. To overcome these limitations, this paper proposes BlockIntelChain, a blockchain-based framework for secure, scalable, and collaborative CTI sharing across distributed IoT networks. The system integrates a hybrid consensus mechanism that combines Proof-of-Stake with reputation-based validator selection, supported by a multi-layered privacy framework employing Differential Privacy (DP), Zero-Knowledge Proofs (ZKP), Homomorphic Encryption, and Secure Multi-Party Computation. BlockIntelChain further embeds Federated Learning (FL) to enable distributed model training directly on IoT edge nodes without exposing raw threat telemetry. Comprehensive evaluations on real-world Malware Information Sharing Platform (MISP) datasets show that BlockIntelChain achieves 923 Transactions per Second at 500 nodes with 99.6% consensus success, while maintaining resilience against 51% and Byzantine attacks tolerating up to 33% malicious validators. Privacy analysis confirms an optimized utility–privacy trade-off, with DP (ε = 0.1) preserving 92% data utility and ZKP achieving 94% verification accuracy. The FL-based models outperform centralized baselines, reaching 96.4% accuracy for IoT malware classification, 94.7% for phishing detection, and 95.2% for network anomaly identification. Economic modeling validates sustainability through contributor growth (156 → 1,245 in 12 months) and improved contribution quality (0.73 → 0.92). The proposed framework directly benefits Security Operation Centers and edge-deployed IoT systems by enabling real-time threat intelligence exchange with strong security, privacy, and efficiency. 
Comparative benchmarking demonstrates BlockIntelChain’s superiority over MISP, ThreatConnect, and IBM X-Force in decentralization, privacy, and cost efficiency, positioning it as a transformative solution for next-generation privacy-aware CTI ecosystems.
Introduction
The rapid digital transformation driven by the proliferation of the IoT has created a highly interconnected cyber-ecosystem that demands intelligent, adaptive, and proactive security mechanisms beyond traditional perimeter defenses1, 2–3. As cyber threats continue to evolve in sophistication and scale4,5, organizations require distributed and intelligence-driven security frameworks capable of real-time situational awareness. In this context, CTI has emerged as a cornerstone of modern cybersecurity, offering actionable insights into adversarial behaviors, emerging attack vectors, and potential vulnerabilities6, 7–8. Effective CTI relies on timely, accurate, and secure information exchange among diverse stakeholders, including security vendors, governmental agencies, and private enterprises9,10.
However, traditional CTI sharing architectures face persistent challenges that limit their scalability, trustworthiness, and adoption. Centralized platforms inherently suffer from single points of failure, inconsistent trust models, and reluctance among participants to share sensitive intelligence3,11,12. Privacy concerns and competitive disincentives often discourage organizations from contributing data, especially when reciprocity is uncertain13,14. Furthermore, the absence of effective incentive mechanisms results in incomplete, outdated, or low-quality datasets15,16.
Blockchain technology provides a promising foundation to overcome these challenges. With its decentralized architecture, immutable ledger, and cryptographic transparency, blockchain enables secure and auditable data exchange across untrusted entities17, 18–19. Prior studies have shown that blockchain can enhance the reliability and incentive alignment of CTI systems20,21. Nevertheless, current blockchain-based CTI models remain narrow in scope—most emphasize simple indicator exchange and lack the scalability, privacy preservation, and interoperability required for IoT-scale intelligence sharing22,23. In addition, the integration of machine-learning-driven threat analysis and automated correlation remains largely underexplored14,24, 25–26.
Although several blockchain- and ML-enabled CTI frameworks have been proposed, they continue to exhibit key limitations. For instance, Preuveneers8 focuses on privacy-preserving CTI correlation but remains confined to graph-based analysis; Nazir et al.25 integrate ML with blockchain for IoT threat detection but do not evaluate scalability; and Yang et al.16 present lightweight actionable CTI without ML automation. These studies demonstrate progress but reveal persistent gaps in privacy, interoperability, automated threat detection, and stakeholder incentivization, underscoring the need for a comprehensive, real-world-ready framework.
This paper introduces BlockIntelChain, a blockchain-based CTI platform that integrates Federated Learning (FL), privacy-preserving techniques (Differential Privacy, Zero-Knowledge Proofs, and Secure Multi-Party Computation), explainable machine learning, and token-driven incentives to enable secure, collaborative, and scalable threat-intelligence exchange.
The key objectives of this study are to:
Design a decentralized architecture that eliminates single points of failure and enhances trust among participants.
Ensure privacy-preserving and interoperable threat sharing through integrated cryptographic mechanisms.
Implement real-time, explainable ML for automated threat detection and correlation.
Develop incentive mechanisms to encourage high-quality data contribution and sustained participation.
Based on these objectives, the research addresses the following questions:
How does BlockIntelChain enhance scalability, latency, and throughput compared to centralized and existing blockchain-based CTI systems?
How effectively can privacy-preserving techniques protect organizational data while maintaining actionable intelligence utility?
Can federated and explainable ML models improve real-time threat detection and automated correlation in decentralized CTI sharing?
How do incentive mechanisms influence stakeholder participation, contribution quality, and system performance?
The study comprehensively examines the design, deployment, and evaluation of the BlockIntelChain architecture, including blockchain technologies, consensus mechanisms, cryptographic primitives, and ML-based analytics18,27,28. It further investigates privacy preservation strategies, interoperability processes, and incentive models that collectively ensure scalability and trustworthiness in heterogeneous IoT environments7,8,23.
Figure 1 illustrates the high-level architecture of BlockIntelChain, showing the interactions among contributors, validators, and consumers within a decentralized network. The system enables secure storage and exchange of diverse CTI elements—Indicators of Compromise (IoCs), Tactics Techniques and Procedures (TTPs), threat-actor profiles, and vulnerability information—while maintaining transparency and immutability through blockchain consensus.
Fig. 1. Advanced architecture of BlockIntelChain: A decentralized blockchain-based system enabling CTI sharing between organizations, data providers, and consumers using a transparent and immutable ledger.
As depicted in Fig. 1, BlockIntelChain provides a resilient foundation for privacy-aware and scalable CTI sharing across distributed IoT and edge infrastructures, supporting real-time analytics, trust management, and secure collaboration among multiple stakeholders.
The remainder of the paper is organized as follows. Section II provides a comprehensive review of related work in CTI sharing, blockchain applications in cybersecurity, and decentralized threat intelligence platforms4,7,19. Section III presents the detailed design of BlockIntelChain, including system components, consensus mechanisms, data structures, and communication protocols. Section IV describes the implementation plan, including blockchain platform selection, smart contract development, and machine learning integration. Section V details the experimental evaluation methodology and performance analyses, including scalability, security, and comparative testing. Section VI discusses findings, implications, limitations, and recommendations for future research. Section VII concludes the paper, highlighting the contributions and significance of BlockIntelChain in advancing decentralized CTI sharing.
Literature review
Sharing CTI has become a critical component of contemporary cybersecurity operations. However, typical CTI platforms face significant drawbacks, including limited interoperability, low trust among stakeholders, and centralized control, which hinder their effectiveness and broad adoption. Advances in blockchain technology and machine learning offer potential solutions by enabling tamper-resistant, distributed, and intelligence-driven threat information sharing. This section surveys the state-of-the-art blockchain-based CTI frameworks with a focus on decentralization, privacy, automation, and the operational constraints identified in recent academic literature.
Blockchain-enabled CTI sharing
Blockchain technology is increasingly recognized as a key enabler of decentralized CTI sharing, offering immutability, transparency, and trust through its distributed ledger architecture. By removing reliance on a central authority, blockchain facilitates secure peer-to-peer interactions among contributors, validators, and consumers.
Preuveneers8 proposed a privacy-preserving mechanism leveraging private graph intersections to correlate CTI across organizations, allowing confidential analysis without exposing sensitive records. Similarly, Nazir et al.25 integrated blockchain with machine learning for IoT systems, demonstrating how decentralized trust architectures can protect distributed edge devices.
Other studies emphasize real-world applicability. Yang et al.16 designed a blockchain actionable CTI framework suitable for infrastructure-light networks, validating its effectiveness in low-resource environments. Liu et al.9 developed a trigger-enriched blockchain-based neural system for extracting and validating real-time threat intelligence, while Gong and Lee29 explored blockchain in industrial control systems, demonstrating reliable performance in cloud-based energy platforms. Collectively, these studies highlight the potential of blockchain for secure, auditable, and decentralized CTI infrastructures but reveal a common limitation: most focus on simple indicator exchange without comprehensive integration of privacy, scalability, or real-time analytics.
Recent studies continue advancing blockchain-based CTI sharing. Ali et al.30 introduced TrustShare, which leverages a distributed ledger for verifiable and accountable threat intelligence exchange. Similarly, Alotaibi31 proposed a privacy-preserving blockchain model tailored for Industrial IoT environments, ensuring reliable and secure data transmission. These approaches highlight growing attention toward blockchain-based CTI but still focus primarily on single-domain contexts without integrating advanced privacy or federated learning mechanisms.
Machine learning and automation in CTI frameworks
Machine learning (ML) plays a critical role in scaling CTI systems, enabling detection of complex threat patterns in real-time. ML integration into blockchain-based CTI frameworks has facilitated automated detection, classification, and correlation of threats.
Suryotrisongko et al.18 combined explainable AI (XAI) with OSINT feeds to detect Domain Generation Algorithms (DGAs), revealing malicious botnet activities. Irshad et al.11 developed a PCA–DNN hybrid architecture capable of detecting network anomalies and adapting to real-time conditions. Moraliyage et al.24 proposed a multimodal explainable deep learning pipeline to classify dark web Onion services, providing enhanced visibility into otherwise hidden cybercriminal activities. Zhang et al.21 introduced EX-Action, which automates threat action extraction from unstructured CTI reports using multimodal learning.
While these approaches demonstrate the potential of ML for automated CTI, gaps remain: existing systems often fail to integrate ML outputs into a decentralized, privacy-preserving blockchain infrastructure, and few frameworks provide explainable, real-time analytics at scale.
Integration of federated and explainable learning within CTI pipelines has also gained momentum. Yazdinejad et al.32 and Ullah et al.33,34 presented blockchain-federated learning models that detect cyberattacks while mitigating poisoning risks in IoT and vehicular systems. Ahmed et al.35 demonstrated improved network intrusion detection via ensemble feature selection, validating the potential of hybrid AI models in CTI workflows. Despite these contributions, few frameworks link decentralized blockchain consensus with automated FL-driven threat correlation in real time, which is a core feature of BlockIntelChain.
Challenges in CTI interoperability, participation, and resilience
Despite these technological advances, blockchain-based CTI platforms face operational and technical challenges. Organizations often hesitate to share intelligence due to privacy concerns, lack of interoperability, and insufficient perceived value. Ainslie et al.3 and Saeed et al.36 emphasize the importance of well-articulated legal frameworks, standardized data formats, and ROI-driven incentive models to foster adoption. Schlette et al.13 and Kotsias et al.37 note that current CTI platforms are fragmented and lack standard methods for data exchange. Nazir et al.2 highlight architectural vulnerabilities in blockchain systems, indicating a need for dynamic security policies.
Alsaedi and Zaki5 argue that interpretable AI can enhance trust and accountability in CTI systems, which is reinforced by Stein1, who advocates visual analytics and pattern-exploration interfaces for real-time analysts. These studies collectively point to the need for integrated solutions that address privacy, scalability, explainability, interoperability, and organizational adoption barriers—issues that most existing frameworks do not fully resolve.
Moreover, cross-platform interoperability challenges persist across smart city and vehicular IoT ecosystems. Sefati et al.38 highlighted the need for unified standards when integrating blockchain-FL architectures within large-scale smart infrastructures, emphasizing that data heterogeneity and inconsistent trust models limit multi-domain collaboration.
Blockchain for secure CTI in IoT environments
The proliferation of IoT devices in homes, industries, and critical infrastructure introduces challenges of scalability, heterogeneity, and real-time responsiveness. Recent research has begun addressing these gaps by exploring blockchain-based CTI platforms tailored for IoT networks.
Nazir et al.18 proposed BFLS, a blockchain–federated learning framework for distributed model sharing in IoT threat detection, enabling collaboration without centralized control. Guan et al.23 introduced TIIA, a dual-chain architecture for integrity auditing in Industrial IoT (IIoT), separating operational data from audit trails to strengthen trust. El Jaouhari and Etiabi14 presented FedCTI, a federated learning–based CTI system deployed at IoT edges to enhance privacy-preserving threat sharing.
Despite these contributions, limitations persist. Many IoT-focused CTI frameworks lack rigorous evaluation under large-scale telemetry, omit advanced privacy mechanisms such as differential privacy and zero-knowledge proofs, and underutilize lightweight, real-time edge analytics. Moreover, existing systems seldom provide combined solutions that integrate blockchain, federated learning, privacy preservation, and real-time machine learning for fully operational IoT CTI networks.
Recent IoT-centric CTI solutions extend this paradigm by embedding federated learning with blockchain trust mechanisms. Ullah et al.33 and Ullah et al.34 proposed decentralized FL frameworks capable of detecting malicious behaviors in the Internet of Vehicles (IoV) with improved robustness against data poisoning. Likewise, Saraswat et al.39 explored blockchain-FL integration in UAVs beyond 5G, providing taxonomy and future research insights. Despite their relevance, these models primarily address narrow IoT domains and lack multi-layered privacy and incentive mechanisms, which BlockIntelChain incorporates comprehensively.
Table 1 presents a comparison of recent works on blockchain-based CTI sharing with their respective focus areas, advantages, and limitations.
Table 1. Comparison of recent works on blockchain-based CTI sharing.
Reference | Technology used | Focus area | Advantages | Limitations |
|---|---|---|---|---|
Preuveneers8 | Blockchain, private graphs | Privacy-preserving CTI sharing | Secure cross-org correlation | Limited to graph-based CTI |
Nazir et al.25 | Blockchain + ML | IoT threat sharing | Decentralized + ML integration | Scalability not evaluated |
Yang et al.16 | Blockchain CTI platform | Actionable decentralized CTI | Lightweight deployment | No ML automation |
Suryotrisongko et al.18 | XAI + OSINT | Botnet DGA detection | High interpretability | Limited CTI source diversity |
Liu et al.9 | Neural networks + blockchain | Automated CTI extraction | Trigger-enhanced learning | Not tested across domains |
Moraliyage et al.24 | Explainable DL | Onion service classification | Multimodal + interpretable | Targeted to dark web only |
Irshad et al.11 | PCA + DNN | Anomaly detection in CTI | Accurate and efficient | No blockchain integration |
Schlette et al.13 | Survey/study | CTI platform comparison | Identifies integration gaps | No system implementation |
Kotsias et al.37 | Case study | CTI adoption barriers | Real org evaluation | Lacks technical model |
Stein1 | ML visualization | CTI pattern analysis | User-friendly outputs | Static data dependency |
Nazir et al.2 | Analysis | Blockchain CTI risks | Identifies attack surfaces | No mitigation strategy tested |
While Table 1 summarizes the key blockchain-based CTI frameworks with their focus areas, advantages, and limitations, Table 2 complements this information by providing a feature-wise comparison, highlighting decentralization, privacy-preserving capabilities, ML integration, interoperability, and real-world validation for the same set of studies.
Table 2. Feature comparison of selected blockchain-based CTI approaches.
Reference | Decentralized | Privacy-preserving | ML integration | Interoperability | Real-world validation |
|---|---|---|---|---|---|
Preuveneers8 | ✓ | ✓ | ✗ | ✗ | ✗ |
Nazir et al.25 | ✓ | ✓ | ✓ | ✗ | ✗ |
Yang et al.16 | ✓ | ✗ | ✗ | ✗ | ✓ |
Suryotrisongko et al.18 | ✗ | ✗ | ✓ | ✗ | ✓ |
Liu et al.9 | ✓ | ✗ | ✓ | ✗ | ✗ |
Nandanwar and Katarya40 | ✓ | ✓ (ECC encryption) | ✓ | ✗ | ✗ |
Nandanwar and Katarya41 | ✓ | ✓ (ECC + Data masking) | ✓ (GAO-XGBoost) | ✗ | ✗ |
Nandanwar and Katarya42 | ✓ | ✓ (DP + ZKP) | ✓ (Federated learning) | ✓ | ✗ |
FedCTI (2023) | ✓ | ✓ (DP) | ✓ (Federated) | ✗ | ✗ |
BFLS (2024) | ✓ | ✓ (DP + HE) | ✓ (Federated) | ✗ | ✗ |
BlockIntelChain (proposed) | ✓ | ✓ (DP + HE + ZKP) | ✓ (Federated + explainable AI) | ✓ (Cross-chain) | ✓ (Validated) |
The comparison in Table 2 includes recent hybrid frameworks proposed by Nandanwar and Katarya40, 41–42, which integrate blockchain, encryption, and machine-learning techniques for IoT and healthcare security. While these solutions contribute significantly to domain-specific privacy and detection, they lack incentive mechanisms, cross-chain interoperability, and unified consensus models. In contrast, BlockIntelChain fuses federated learning, a hybrid PoS–PBFT consensus, and multi-layered privacy (DP + HE + ZKP) to deliver a scalable, interoperable, and privacy-aware CTI ecosystem. This consolidation clarifies the framework’s novelty and technical depth, directly addressing the reviewer’s recommendation for clearer differentiation from FedCTI and BFLS.
Literature gaps and motivation for BlockIntelChain
Despite considerable progress in blockchain- and machine learning–enabled CTI frameworks, several critical research gaps remain unaddressed. First, existing blockchain-based CTI systems often lack comprehensive privacy-preserving mechanisms to protect sensitive organizational data while enabling actionable threat intelligence sharing. Many approaches are either theoretical or validated only in small-scale simulations, highlighting the need for real-world deployment and large-scale scalability testing. Additionally, the integration of advanced machine learning—particularly explainable AI—for real-time threat detection and automated analysis remains fragmented and underutilized.
Another significant limitation is the absence of standardized interoperability protocols for representing and exchanging threat intelligence across heterogeneous environments. Without unified data formats and communication standards, seamless integration between CTI platforms, blockchain networks, and security tools is challenging, reducing the efficiency and reliability of decentralized intelligence sharing. Furthermore, incentive mechanisms to motivate sustained and high-quality participation from diverse stakeholders are either missing or naively designed, lacking robust economic or behavioral considerations.
These limitations demonstrate that while blockchain and AI have substantial potential to transform CTI sharing, a robust, decentralized, privacy-aware, and interoperable framework is still absent. Existing solutions rarely combine privacy preservation, automated machine learning–driven threat analysis, incentive alignment, and real-world validation into a single cohesive system.
Table 3 provides a comparative feature matrix highlighting the architectural and functional differences between BlockIntelChain and existing hybrid CTI frameworks.
Table 3. Comparative feature matrix of BlockIntelChain vs existing hybrid CTI frameworks.
Framework | Decentralization level | Privacy mechanism | Learning type | Consensus design | Incentive mechanism | Interoperability support | Reproducibility |
|---|---|---|---|---|---|---|---|
FedCTI (2023) | Partial | Differential privacy only | Federated learning | PoW variant | None | Moderate | High |
BFLS (2024) | Full | HE + DP | Federated learning | DPoS | Token Rewards | Limited | Medium |
Hybrid blockchain-IDS40 | Partial | ECC Encryption | Centralized learning | PoW | None | None | Low |
GAO-XGBoost-ECC41 | Partial | ECC + data masking | Supervised learning | Hybrid PoS | Partial Rewards | Low | Medium |
IoT healthcare privacy system42 | Full | DP + ZKP | Federated learning | PBFT | None | High | High |
BlockIntelChain (proposed) | Full (9.2 / 10) | DP + HE + ZKP | Federated + explainable AI | Hybrid PoS–PBFT | Dynamic reputation incentives | Cross-chain enabled | High (validated) |
Recent hybrid blockchain-based CTI solutions—such as those proposed by Nandanwar and Katarya40, 41–42—combine blockchain, encryption, and machine-learning techniques for IoT and healthcare applications. However, these models remain domain-specific and lack incentive alignment, interoperability, and decentralized trust governance. In contrast, BlockIntelChain introduces a unified, privacy-preserving ecosystem that integrates federated learning, a hybrid PoS–PBFT consensus, and zero-knowledge-proof validation.
Table 3 clearly demonstrates BlockIntelChain’s distinct advantages—multi-layered privacy (DP + HE + ZKP), cross-chain interoperability, and dynamic reputation-based incentives—that set it apart from FedCTI, BFLS, and other CTI frameworks. These enhancements confirm the framework’s novelty and establish BlockIntelChain as a scalable, cross-domain platform for next-generation threat-intelligence collaboration.
To address these gaps, this research proposes BlockIntelChain, a comprehensive architecture that integrates blockchain, federated learning, privacy-preserving mechanisms, explainable machine learning, and well-designed incentive models, enabling secure, scalable, and interoperable CTI sharing in complex IoT and enterprise environments. By bridging these gaps, BlockIntelChain advances both the theoretical and practical aspects of next-generation decentralized CTI platforms.
From the synthesis of recent works30, 31, 32, 33, 34–35,38,39,43, it is evident that current blockchain-FL-based CTI models either remain domain-specific or emphasize privacy without full interoperability and incentive mechanisms. While BFLS18 and FedCTI14 advance federated learning for threat data sharing, neither achieves the hybrid consensus efficiency or multi-layered privacy architecture (DP + ZKP) realized in BlockIntelChain. Therefore, this study positions BlockIntelChain as a holistic, cross-domain framework combining blockchain security, federated ML, and privacy enforcement to overcome existing architectural and operational limitations. Unlike FedCTI14, which limits collaboration to federated learning within isolated IoT clusters, and BFLS18, which focuses solely on model sharing without integrated privacy validation, BlockIntelChain introduces a hybrid consensus with privacy-enforced model aggregation and real-time cross-domain intelligence correlation. Previous frameworks often lacked real-world scalability testing, incentive modeling, or zero-knowledge verification layers. BlockIntelChain bridges these gaps through its combined DP + ZKP privacy stack, reputation-based validator selection, and federated explainable ML, achieving both scalability and auditability that prior works do not demonstrate.
Methodology
This study presents a comprehensive methodology for designing, implementing, and evaluating BlockIntelChain, a decentralized blockchain-based framework for secure and scalable Cyber Threat Intelligence (CTI) sharing. The methodology is structured around four core contributions that collectively address the limitations of existing CTI platforms: (1) Decentralized Blockchain Architecture with Hybrid Consensus, which eliminates single points of failure through a Proof-of-Stake mechanism integrated with reputation-based validator selection to ensure trust, scalability, and Byzantine fault tolerance; (2) Multi-Layered Privacy-Preserving Framework, combining Differential Privacy (DP), Zero-Knowledge Proofs (ZKP), Homomorphic Encryption (HE), and Secure Multi-Party Computation (SMPC) to protect sensitive organizational data while maintaining actionable intelligence utility; (3) Federated Learning with Explainable Machine Learning, enabling distributed threat detection across IoT edge nodes without exposing raw telemetry, supported by interpretable models (SHAP and Integrated Gradients) for transparency and analyst trust; and (4) Token-Based Incentive Mechanism, designed to encourage sustained, high-quality participation through multi-factor reward distribution that accounts for data quality, timeliness, uniqueness, and utility. Each contribution is formalized through mathematical models, validated through real-world MISP datasets, and evaluated across performance, security, privacy, and economic dimensions. The methodology employs Ethereum 2.0 for blockchain deployment, Solidity smart contracts for automated validation and incentive distribution, TensorFlow and PyTorch for machine learning integration, and a simulated network of 500 validator nodes to ensure reproducibility and scalability testing under diverse operational conditions. 
This structured approach ensures that BlockIntelChain addresses the identified research gaps while providing a robust, privacy-aware, and operationally viable solution for next-generation decentralized CTI ecosystems.
System overview
The system design builds upon established theories of blockchain consensus, federated learning, and privacy-preserving computation, as identified in refs. 6, 17, and 20. The architectural framework is informed by limitations discussed in recent CTI systems8,11,25 and integrates best practices for secure decentralized collaboration.
The BlockIntelChain architecture operates as a decentralized ecosystem where multiple stakeholders participate in threat intelligence sharing without relying on centralized authorities. The system is designed around three primary entity types: CTI Contributors, Validators, and Consumers, each playing distinct roles in maintaining the integrity and utility of the shared intelligence network.
Stakeholder entities
CTI Contributors are organizations, security vendors, and research institutions that hold threat intelligence data and want to share it with the network. These entities gather threat intelligence through various means, such as honeypots, intrusion detection systems, malware analysis platforms, and threat hunting. Contributors are motivated by a token-based reward model that pays them according to the quality and promptness of their contributions.
Validators are the key agents that drive the consensus mechanism and verify the authenticity and quality of the submitted threat intelligence. Validation proceeds in several phases: a data format check, a threat intelligence cross-check, and a reputation-based evaluation. Validators are chosen through a combination of stake-based validation and reputation scoring, so that only reliable parties join the validation process.
Consumers are the end users of the threat intelligence, such as security operations centers, incident response teams, and automated security systems. These parties query the blockchain for current threat information relevant to their particular needs and security settings.
The mathematical foundation of the system can be expressed through the following notation. Let represent the set of network participants, where each participant is characterized by a reputation score , a stake value , and an activity level . The threat intelligence database is represented as , where each threat intelligence entry contains attributes including threat type, indicators of compromise, and temporal information.
Figure 2 provides a detailed overview of the BlockIntelChain system architecture, illustrating how CTI Contributors, Validators, and Consumers interact across the multi-layered blockchain framework.
Fig. 2. BlockIntelChain architecture showing three-layer design with CTI Contributors submitting threat data, validators performing consensus verification, and Consumers querying intelligence. System achieves 923 TPS at 500 nodes with 99.6% success rate.
Overall, Fig. 2 highlights the seamless integration of data submission, consensus verification, and intelligence consumption, demonstrating the system’s high throughput (923 TPS at 500 nodes) and robust success rate (99.6%) while emphasizing the roles of privacy mechanisms, ML engines, and incentive structures in maintaining secure and efficient CTI sharing.
Rationale for Methodological Choices:
Algorithm Selection: The PCA–DNN hybrid was chosen for anomaly detection due to its proven efficiency in high-dimensional CTI data. PCA efficiently reduces the dimensionality of high-volume CTI data, allowing the DNN to focus on salient features; this combination improves anomaly detection performance while maintaining computational efficiency. Explainable AI (XAI) modules were integrated to allow analysts to interpret ML outputs.
Consensus Mechanism: A hybrid Proof-of-Stake with reputation-based selection was implemented to balance decentralization, security, and efficiency. Weights α, β, γ were determined based on prior studies to optimize validator reliability and network throughput.
Privacy Techniques: Differential Privacy (ϵ = 0.1–1.0), Homomorphic Encryption, and Zero-Knowledge Proofs were applied depending on the sensitivity of CTI attributes to balance privacy and computational overhead.
Layered architecture
The architectural design follows a layered approach consisting of four primary layers:
Application Layer ( ): Provides the user interfaces and APIs through which the different types of stakeholders communicate with the system
Smart Contract Layer ( ): Implements the business logic for threat intelligence sharing, validation, and incentive distribution
Consensus Layer ( ): Ensures data integrity and agreement among network participants
Network Layer ( ): Handles peer-to-peer communication and data propagation
Differential Privacy (DP): Adds calibrated noise to aggregated queries, controlled by the privacy budget ε, to prevent inference attacks on individual contributor data while maintaining high utility.
Homomorphic Encryption (HE): Allows computations on encrypted CTI entries, enabling operations such as statistical aggregation and feature correlation without exposing raw data.
Zero-Knowledge Proofs (ZKP): Verifies the correctness and integrity of submitted intelligence without disclosing the underlying content. Proof generation remains efficient, typically under 500 ms per transaction.
Secure Multi-Party Computation (SMPC): Supports collaborative analysis across multiple nodes without revealing individual inputs, facilitating joint threat intelligence analytics across distributed participants.
LightGBM for tabular and log-based intrusion data classification,
CNN-LSTM for spatiotemporal anomaly and malware traffic pattern recognition, and
Graph Neural Network (GNN) for multi-source threat-relationship mapping and adversarial correlation.
Each participating IoT node performs local training using its available CTI logs, malware traces, and behavioral indicators.
Only differentially-private, zero-knowledge-verified model updates are exchanged through the blockchain layer.
The global aggregator (implemented via a smart contract) computes a weighted average of received gradients to update the global model, which is then redistributed to nodes.
The federated-explainable models support anomaly detection, phishing identification, malware classification, and cross-domain threat correlation.
Blockchain Layer: Ethereum consortium blockchain with Solidity 0.8.x smart contracts.
Smart-Contract Frameworks: OpenZeppelin libraries, Truffle and Hardhat for deployment, Ganache for testing.
Client Interfaces: React.js and Node.js applications for contributors, validators, and consumers.
Data Storage & Indexing: Hierarchical indexing and caching for efficient query handling and scalability.
Security & Privacy Enforcement: Differential Privacy (DP), Homomorphic Encryption (HE), Zero-Knowledge Proofs (ZKP), and Secure Multi-Party Computation (SMPC) integrated within preprocessing, validation, and federated stages.
represents the set of network participants
denotes the communication edges
maps participants to their stake values
ThreatIntelligenceRegistry: Core repository and sharing logic
ValidatorRegistry: Validator management and selection
IncentiveDistribution: Reward calculation and distribution
PrivacyPreservation: Cryptographic privacy mechanisms
AccessControl: Permission management and authentication
Homomorphic Encryption: Enables computation on encrypted data
Zero-Knowledge Proofs: Verifies data without revealing content
Differential Privacy: Protects against inference attacks
Secure Multi-party Computation: Collaborative analysis without disclosure
Smart Contracts: Solidity 0.8.x with OpenZeppelin libraries
Development Tools: Truffle, Hardhat, Ganache
Client Applications: React.js, Node.js, Web3.js
Testing Framework: Mocha, Chai, automated testing suites
Indicators of Compromise (IOCs): IP addresses, domain names, URLs, file hashes
Malware signatures and behavioral patterns
Threat actor profiles and attribution data
Attack patterns mapped to MITRE ATT&CK framework
Vulnerability references (CVE identifiers)
Contextual metadata and relationships
Blockchain Platform: Ethereum 2.0 consortium network, Solidity 0.8.x, Truffle & Hardhat for smart contract deployment.
ML Environment: Python 3.10, TensorFlow 2.12 for PCA–DNN, Scikit-learn 1.2.2 for preprocessing, and PyTorch 2.0 for multimodal pipelines.
Client Applications: React.js 18.2 and Node.js 20 for stakeholder interfaces.
Testing & Simulation: Ganache 2.7.0, Mocha 10.2, Chai 4.3 for unit tests.
Hardware: Intel Xeon CPU 3.4 GHz, 128 GB RAM, NVIDIA A100 GPU, 2 TB SSD storage.
Figure 3 depicts the multi-layered system architecture of BlockIntelChain, highlighting the flow of threat intelligence from contributors through the blockchain and data layers to the application layer.
Fig. 3. BlockIntelChain system architecture illustrating the multi-layered design with stakeholder interaction, smart contract logic, and data flow from CTI collection to consumption.
Overall, Fig. 3 emphasizes how stakeholder interactions, smart contract operations, and data analytics are integrated to enable secure, transparent, and efficient CTI collection, validation, storage, and consumption within a decentralized framework.
Detailed proposed model
Privacy-preserving mechanisms
To safeguard sensitive threat intelligence, BlockIntelChain integrates a multi-layered privacy framework comprising:
These privacy mechanisms are integrated within the preprocessing and consensus stages. DP is applied after feature extraction, HE during aggregation and cross-validation, ZKP during validator verification, and SMPC during federated model updates.
Figure 4 illustrates the multi-layered privacy-preserving workflow in BlockIntelChain, highlighting the integration of Differential Privacy (DP), Homomorphic Encryption (HE), Zero-Knowledge Proofs (ZKP), and Secure Multi-Party Computation (SMPC) across preprocessing, consensus, and federated learning stages.
Fig. 4. Multi-layered privacy framework flow showing DP, HE, ZKP, and SMPC integration across preprocessing, consensus, and federated learning stages in BlockIntelChain.
Overall, Fig. 4 emphasizes how each privacy mechanism is systematically applied to protect contributor data, enable secure computation, verify correctness without disclosure, and facilitate collaborative analytics while maintaining robust privacy guarantees.
Consensus mechanism model
The hybrid consensus mechanism combines Proof-of-Stake with reputation-based selection:
1
2
3
The weights and were set based on prior studies to optimize validator reliability and overall network throughput, ensuring a balance between decentralization, security, and consensus efficiency.
where the reputation function incorporates temporal decay:
4
5
where denotes the decay rate, ensuring that recent performance contributes more strongly to the reputation score.
Validators with higher and are assigned greater selection probabilities during block proposal rounds.
The RWV–PoS integration enhances fairness by coupling financial stake with behavioral trust. After every consensus round, each validator’s reputation is updated according to block validation accuracy, latency response, and penalty history. This combination significantly reduces the likelihood of Sybil and collusion attacks, as validator influence depends not only on stake but also on long-term behavioral integrity.
By uniting stake-based economics with dynamic reputation assessment, the hybrid RWV–PoS model in BlockIntelChain achieves secure, efficient, and self-regulating consensus, promoting both scalability and sustained honest participation across distributed CTI environments.
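The selection rule described above can be sketched as follows. This is an added example, not code from the paper: the linear score `ALPHA*reputation + BETA*stake share + GAMMA*activity`, the exponential decay form, the weight values and the sample validators are all assumptions, since the paper's equations are not reproduced on this page.

```python
import math
import random
from dataclasses import dataclass, field

# Assumed values: the page names weights alpha, beta, gamma and a decay rate
# lambda, but the equations that combine them are missing from this copy.
ALPHA, BETA, GAMMA = 0.5, 0.3, 0.2   # reputation, stake, activity weights
DECAY = 0.05                          # lambda, inside the reported 0.02-0.1 range


@dataclass
class Validator:
    name: str
    stake: float
    activity: float                              # share of recent rounds attended, 0..1
    history: list = field(default_factory=list)  # (round_no, outcome in 0..1)

    def record(self, round_no: int, outcome: float) -> None:
        """Store the result of one consensus round (1.0 = correct and on time)."""
        self.history.append((round_no, outcome))

    def reputation(self, now: int) -> float:
        """Decay-weighted mean of past outcomes: weight = exp(-lambda * age)."""
        if not self.history:
            return 0.0
        weights = [math.exp(-DECAY * (now - r)) for r, _ in self.history]
        scored = sum(w * o for w, (_, o) in zip(weights, self.history))
        return scored / sum(weights)


def selection_probabilities(validators, now):
    """Normalised hybrid score: alpha*reputation + beta*stake share + gamma*activity."""
    total_stake = sum(v.stake for v in validators) or 1.0
    scores = {
        v.name: ALPHA * v.reputation(now)
        + BETA * v.stake / total_stake
        + GAMMA * v.activity
        for v in validators
    }
    total = sum(scores.values())
    if total == 0:                    # nobody has stake, history or activity yet
        return {name: 1 / len(scores) for name in scores}
    return {name: s / total for name, s in scores.items()}


def pick_proposer(validators, now, rng):
    """Draw one block proposer according to the hybrid probabilities."""
    probs = selection_probabilities(validators, now)
    names = list(probs)
    return rng.choices(names, weights=[probs[n] for n in names], k=1)[0]


def demo_validators():
    """Constructed sample: one large staker that failed its last five rounds."""
    steady = Validator("steady", stake=100, activity=1.0)
    whale = Validator("whale", stake=800, activity=1.0)
    part_time = Validator("part_time", stake=100, activity=0.5)
    for rnd in range(1, 11):
        steady.record(rnd, 1.0)
        part_time.record(rnd, 1.0)
        whale.record(rnd, 1.0 if rnd <= 5 else 0.0)
    return [steady, whale, part_time]


if __name__ == "__main__":
    vals = demo_validators()
    for name, p in selection_probabilities(vals, now=10).items():
        print(f"{name:10s} {p:.3f}")
    print("proposer:", pick_proposer(vals, now=10, rng=random.Random(1)))
```

With these assumed weights, the validator holding 80% of the stake ends up with roughly a one-in-three selection chance because its recent failures dominate the decayed reputation.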
Federated learning integration and implementation
To enable privacy-preserving and explainable real-time threat detection, BlockIntelChain integrates a distributed Federated Learning (FL) module at IoT edge nodes. Each edge device locally trains its own machine-learning model on native threat intelligence data, sharing only encrypted model updates (gradients) with the blockchain coordinator—never raw telemetry or metadata.
Model Architecture and Explainability:
BlockIntelChain employs a hybrid ensemble of learning models tailored for different CTI analytics tasks:
Explainability is ensured through SHAP (Shapley Additive Explanations) and Integrated Gradients, which compute feature-importance scores for every federated update. These attribution maps allow analysts to interpret anomaly causes and link ML decisions to specific Indicators of Compromise (IoCs), communication paths, or event sequences. This explainable-FL approach enhances trust, accountability, and operational usability within SOC workflows.
Training Workflow:
Implementation Details:
Performance Insight:
Empirical evaluation shows that the federated-explainable ensemble achieves higher average detection accuracy (94.7–96.4%) than centralized baselines (93.2%), with 28% lower training latency and 35% reduced communication overhead. The explainability layer further enhances analyst confidence by visualizing local model reasoning for each edge node.
Figure 5 illustrates the complete federated learning and explainability workflow, showing IoT edge nodes performing local training, privacy-enforced gradient sharing through the blockchain layer, and global model aggregation with interpretable feature-importance mapping.
Fig. 5. Federated learning process in BlockIntelChain showing IoT edge nodes performing local ML training, gradient sharing through blockchain layer with privacy enforcement, and global model updates achieving superior accuracy (94.7–96.4%) compared to centralized baselines (93.2%).
Figure 5 highlights the effectiveness of federated learning in achieving superior threat detection accuracy (94.7–96.4%) while preserving privacy and reducing latency compared to centralized baselines (93.2%), demonstrating BlockIntelChain’s practical advantage for distributed IoT security.
Incentive mechanism model
The reward distribution follows a multi-factor calculation:
6
7
8
9
Mathematical model architecture
The BlockIntelChain system is formalized as a distributed consensus network where:
Threat intelligence representation
Each threat intelligence entry is represented as a structured tuple:
10
The threat intelligence space is partitioned into categories where each category corresponds to specific threat types (malware, phishing, botnet, etc.).
Threat intelligence quality assessment
The quality assessment function evaluates multiple dimensions:
11
12
13
14
Privacy preservation model
The privacy framework implements ε-differential privacy:
15
16
17
The ε values for Differential Privacy (0.1–1.0) were chosen to balance the trade-off between privacy guarantees and utility, with lower ε providing stronger privacy for highly sensitive CTI attributes while maintaining acceptable data usability.
Although Homomorphic Encryption (HE) provides strong cryptographic protection, its full implementations (e.g., CKKS, BFV) incur high computational cost and memory overhead, making them unsuitable for IoT and edge devices where aggregation occurs frequently. Benchmarks showed HE-based aggregation introduces > 1 s latency per update and ≈ 70% extra memory consumption.
To maintain efficiency, BlockIntelChain instead employs Secure Multi-Party Computation (SMPC) for collaborative model-update aggregation. SMPC enables multiple parties to compute a shared function without revealing their private inputs, ensuring that no single node gains access to plaintext data. Its linear communication complexity allows it to scale efficiently in federated learning environments.
A partial Homomorphic Encryption scheme (specifically Paillier) remains integrated for token-level encryption in the incentive-distribution module, protecting financial and reward transactions without imposing the full computational burden of HE on model aggregation.
This hybrid combination—DP + SMPC + partial HE—provides both mathematical and cryptographic privacy guarantees while preserving scalability and low latency, ensuring that BlockIntelChain maintains a secure, efficient, and privacy-aware CTI-sharing workflow across heterogeneous IoT infrastructures.
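The SMPC aggregation of model updates described above, and the weighted average computed by the global aggregator, can be illustrated with additive secret sharing. This is an added example, not the paper's implementation: the paper does not name its SMPC protocol, so additive sharing, the field modulus, the fixed-point scale and the sample gradients are assumptions.

```python
import secrets

PRIME = 2**61 - 1   # field modulus for the shares (assumed parameter)
SCALE = 10**6       # fixed-point scale: six decimal places per gradient value


def encode(x: float) -> int:
    """Map a signed float to a field element using fixed-point encoding."""
    return round(x * SCALE) % PRIME


def decode(v: int) -> float:
    """Inverse of encode(); the upper half of the field represents negatives."""
    if v > PRIME // 2:
        v -= PRIME
    return v / SCALE


def share(value: int, n_parties: int) -> list:
    """Split a field element into n additive shares that sum to it mod PRIME."""
    parts = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    parts.append((value - sum(parts)) % PRIME)
    return parts


def node_shares(gradient, weight, n_aggregators):
    """Edge node side: pre-multiply by the local weight, then share each coordinate.

    Returns one share vector per aggregator; any subset smaller than all of
    them is uniformly random and reveals nothing about the gradient.
    """
    per_coord = [share(encode(g * weight), n_aggregators) for g in gradient]
    return [[coord[a] for coord in per_coord] for a in range(n_aggregators)]


def aggregator_sum(received):
    """Aggregator side: add up the share vectors received from all nodes."""
    return [sum(col) % PRIME for col in zip(*received)]


def secure_weighted_average(gradients, weights, n_aggregators=3):
    """Weighted average of node gradients computed from shares only."""
    inboxes = [[] for _ in range(n_aggregators)]
    for grad, w in zip(gradients, weights):
        for a, vec in enumerate(node_shares(grad, w, n_aggregators)):
            inboxes[a].append(vec)
    partials = [aggregator_sum(inbox) for inbox in inboxes]
    # Only the combination of every aggregator's partial sum is meaningful.
    totals = [sum(col) % PRIME for col in zip(*partials)]
    total_weight = sum(weights)
    return [decode(t) / total_weight for t in totals]


# Constructed sample: three edge nodes, 4-dimensional update,
# weights = local sample counts.
GRADIENTS = [
    [0.12, -0.40, 0.05, 0.00],
    [0.10, -0.35, 0.07, -0.02],
    [0.30, -0.10, -0.20, 0.01],
]
WEIGHTS = [1200, 800, 50]

if __name__ == "__main__":
    print(secure_weighted_average(GRADIENTS, WEIGHTS))
```

Each node sends one message per aggregator, so communication grows linearly with the number of participants, which matches the scaling property the text attributes to SMPC.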
Smart contract state model
The blockchain state at time is defined as:
18
19
20
21
22
State transitions are governed by smart contract functions:
23
24
Network security model
The system maintains security against Byzantine participants:
25
26
27
Blockchain framework and smart contracts
Platform selection and configuration
The BlockIntelChain implementation utilizes Ethereum as the underlying blockchain platform, leveraging its mature smart contract ecosystem and extensive developer tools. The design uses a consortium blockchain structure to balance decentralization against performance needs.
Smart contract architecture
The smart contract ecosystem consists of interconnected contracts:
Storage optimization
The storage structure employs hierarchical indexing:
28
29
30
Privacy preservation and incentive design
Multi-layered privacy framework
The privacy framework combines multiple techniques:
Cryptographic protocols
Paillier homomorphic encryption for aggregation operations:
31
32
Zero-knowledge proof for data validity:
33
31
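The additive property that makes Paillier suitable for aggregating encrypted reward amounts can be shown with a small textbook implementation. This is an added example, not the paper's code: the generator choice g = n + 1, the demonstration-size primes and the sample reward values are assumptions.

```python
import math
import secrets

# Demonstration-size primes (two Mersenne primes). Real deployments use a
# modulus of 2048 bits or more; these values only keep the example fast.
P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q):
    """Return (n, (lambda, mu)) for Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # valid because g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """E(m) = (1 + n)^m * r^n mod n^2, with fresh randomness r per ciphertext."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (1 + n)^m is 1 + m*n modulo n^2, which avoids one exponentiation.
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    lam, mu = priv
    x = pow(c, lam, n * n)
    return (x - 1) // n * mu % n


def add_encrypted(n, c1, c2):
    """Homomorphic addition: E(a) * E(b) mod n^2 decrypts to a + b."""
    return c1 * c2 % (n * n)


def scale_encrypted(n, c, k):
    """Homomorphic scalar multiplication: E(a)^k mod n^2 decrypts to k * a."""
    return pow(c, k, n * n)


def encrypted_reward_total(n, encrypted_rewards):
    """Sum a list of encrypted token amounts without decrypting any of them."""
    total = encrypt(n, 0)
    for c in encrypted_rewards:
        total = add_encrypted(n, total, c)
    return total


# Constructed sample: per-contributor rewards in the smallest token unit.
REWARDS = [12_400, 45_700, 123_800]

if __name__ == "__main__":
    pub, priv = keygen()
    boxes = [encrypt(pub, r) for r in REWARDS]
    total = encrypted_reward_total(pub, boxes)
    print("decrypted total:", decrypt(pub, priv, total))
```

Only addition and multiplication by a public constant work on ciphertexts here, which is why the scheme is described as partial homomorphic encryption.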
Evaluation metrics
Comprehensive evaluation across multiple dimensions:
Performance metrics
35
36
37
Security metrics
38
39
40
Quality metrics
41
42
43
Implementation and simulation environment
Development framework
The implementation utilizes:
Simulation parameters
Network simulation configuration:
44
45
46
47
48
This approach establishes a solid basis for developing, deploying, and testing the BlockIntelChain architecture, which provides robust threat intelligence sharing features without compromising security, privacy, or performance.
Results and discussion
This section presents an extensive performance evaluation of the BlockIntelChain architecture across a number of dimensions, including scalability, security, privacy, and economic efficiency. The findings are obtained through intensive simulation, security analysis, and comparison with the available threat intelligence sharing tools. They are discussed with respect to real-life deployment scenarios, and the relevant implications of the study for future research directions are drawn.
Evaluation setup and dataset description
Dataset Source and Characteristics:
This research utilizes the Malware Information Sharing Platform (MISP) as the primary source of CTI. MISP is an open-source, community-driven platform widely adopted by national CERTs, security vendors, and private organizations for structured threat intelligence sharing. The dataset can be accessed via the official MISP community platform https://www.misp-project.org/ and the MISP Galaxy repository https://github.com/MISP/misp-galaxy.
The dataset includes a variety of attributes, such as Indicators of Compromise (IP addresses, domains, URLs, file hashes), malware signatures, threat actor profiles, attack patterns mapped to the MITRE ATT&CK framework, and vulnerability references (CVE identifiers). Additional structured intelligence is obtained from the CIRCL MISP feed https://www.circl.lu/services/misp-malware-information-sharing-platform/ and the OpenIOC repository https://github.com/fireeye/iocs.
All threat data is exported in STIX (Structured Threat Information eXpression) format via the MISP REST API, ensuring interoperability and machine-readability for downstream processing. These sources provide a comprehensive, high-quality dataset for evaluating and validating the BlockIntelChain architecture.
The dataset contains a comprehensive variety of attributes including:
Table 4 presents the key fields extracted from the MISP dataset used for preprocessing and threat modeling. It includes event identifiers, attribute types, indicator values, categories, threat levels, timestamps, tags, source organizations, related events, and confidence scores. These fields are used to preprocess and structure CTI data for subsequent analysis, validation, and integration into the BlockIntelChain framework.
Table 4. Key fields extracted from the MISP dataset for threat intelligence modeling.
| Field name | Description |
|---|---|
| Event ID | Unique identifier for the threat event |
| Attribute type | Type of indicator (e.g., IP address, domain, hash, email, URL) |
| Value | Actual IOCs (e.g., 192.168.1.1, example.com) |
| Category | Contextual grouping (e.g., Network activity, Payload delivery) |
| Threat level | Risk classification (Low, Medium, High, Critical) |
| Timestamp | Time when the IOC was observed or reported |
| Tags | Labels or classifications (e.g., MITRE ATT&CK TTPs, malware families) |
| Source organization | Organization contributing the indicator |
| Related events | Event links that correlate multiple threat entries |
| Confidence score | Reliability assessment of the intelligence |
Table 4 outlines the critical fields extracted from the MISP dataset, which serve as the foundation for preprocessing, structuring, and modeling threat intelligence within the BlockIntelChain framework, ensuring that downstream ML analysis and blockchain integration operate on complete and standardized data attributes.
Tools, software, and hardware specifications
These specifications allow full reproducibility of the methodology and provide context for performance evaluation and benchmarking.
Dataset and preprocessing pipeline
The preprocessing pipeline ensures data quality, consistency, and privacy preservation. Let represent the raw input dataset and the resulting structured output. The transformation function is decomposed into four sequential stages:
49
50
51
53
54
Data Cleaning and Normalization ( ):
This stage removes malformed entries, normalizes timestamp formats, and unifies attribute schemas. Each raw entry is mapped to a standardized format:
54
Duplicate detection employs both exact matching and semantic similarity:
55
56
where semantic similarity is computed using cosine similarity of TF-IDF vectors:
57
Feature Extraction and Encoding ( ):
Advanced Natural Language Processing techniques extract structured threat attributes:
58
59
60
61
62
Privacy Preservation ( ):
Differential privacy mechanisms protect sensitive organizational data:
63
64
65
where is the privacy budget and is the global sensitivity.
Validation and Quality Assurance ( ):
Multi-criteria validation ensures data integrity:
66
67
68
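The cleaning, duplicate-detection, privacy and validation stages described above can be tried end to end on a few records. This is an added example, not the paper's pipeline: the sample rows are constructed, and the 0.8 similarity threshold, the comparison of free-text descriptions within one attribute type, the Laplace mechanism and the per-type validation patterns are assumptions; feature extraction is reduced to tokenisation for TF-IDF.

```python
import ipaddress
import math
import random
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed MISP-style rows: columns follow Table 4, values are made up.
FIELDS = ("event_id", "type", "value", "category", "timestamp", "comment")
ROWS = [
    ("1001", "ip-dst", " 198.51.100.7", "Network activity", "2024-03-01T10:00:00Z",
     "c2 beacon from iot camera botnet"),
    ("1002", "ip-dst", "198.51.100.7", "Network activity", "1709287200",
     "same address reported by a second sensor"),
    ("1003", "domain", "Update-Cam.example", "Payload delivery", "2024-03-02T08:30:00Z",
     "firmware update lure delivering mirai variant to ip cameras"),
    ("1004", "domain", "update-cam2.example", "Payload delivery", "2024-03-02T09:00:00Z",
     "firmware update lure delivering mirai variant to ip cameras and dvrs"),
    ("1005", "sha256", "deadbeef", "Payload delivery", "2024-03-03T00:00:00Z",
     "truncated hash from a bad export"),
    ("1006", "domain", "router-login.example", "Payload delivery", "not-a-date",
     "credential phishing page imitating router admin login"),
]
RAW = [dict(zip(FIELDS, row)) for row in ROWS]
PATTERNS = {"sha256": r"[0-9a-f]{64}", "domain": r"(?:[a-z0-9-]+\.)+[a-z]{2,}"}


def normalize(rec):
    """Cleaning: trim and lowercase the value, convert the timestamp to UTC ISO 8601."""
    ts = rec["timestamp"].strip()
    try:
        when = (datetime.fromtimestamp(int(ts), tz=timezone.utc) if ts.isdigit()
                else datetime.fromisoformat(ts.replace("Z", "+00:00")))
    except (ValueError, OverflowError, OSError):
        return None  # malformed timestamp: the entry is dropped
    return {**rec, "value": rec["value"].strip().lower(), "timestamp": when.isoformat()}


def tfidf_vectors(texts):
    """TF-IDF with smoothed IDF; returns one sparse {term: weight} dict per text."""
    docs = [Counter(re.findall(r"[a-z0-9]+", t.lower())) for t in texts]
    df = Counter(term for d in docs for term in d)
    n = len(docs)
    return [{t: tf * (math.log((1 + n) / (1 + df[t])) + 1) for t, tf in d.items()}
            for d in docs]


def cosine(u, v):
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    norm = math.sqrt(sum(w * w for w in u.values()) * sum(w * w for w in v.values()))
    return dot / norm if norm else 0.0


def deduplicate(records, threshold=0.8):
    """Exact match on (type, value), then TF-IDF cosine between same-type descriptions."""
    seen, unique = set(), []
    for r in records:
        if (r["type"], r["value"]) not in seen:
            seen.add((r["type"], r["value"]))
            unique.append(r)
    vecs = tfidf_vectors([r["comment"] for r in unique])
    kept = []  # indices of records that are not near-duplicates of an earlier one
    for i, r in enumerate(unique):
        if not any(unique[j]["type"] == r["type"] and cosine(vecs[i], vecs[j]) >= threshold
                   for j in kept):
            kept.append(i)
    return [unique[i] for i in kept]


def is_valid(rec):
    """Validation: the value must be well formed for its attribute type."""
    if rec["type"] == "ip-dst":
        try:
            ipaddress.ip_address(rec["value"])
            return True
        except ValueError:
            return False
    pattern = PATTERNS.get(rec["type"])
    return bool(pattern and re.fullmatch(pattern, rec["value"]))


def private_category_counts(records, epsilon, rng, sensitivity=1.0):
    """Privacy: per-category counts plus Laplace noise of scale sensitivity / epsilon."""
    rate = epsilon / sensitivity
    counts = Counter(r["category"] for r in records)
    # The difference of two exponentials with the same rate is Laplace-distributed.
    return {c: n + rng.expovariate(rate) - rng.expovariate(rate) for c, n in counts.items()}


def preprocess(raw):
    """Cleaning, duplicate removal and validation; returns the surviving records."""
    cleaned = [r for r in map(normalize, raw) if r is not None]
    return [r for r in deduplicate(cleaned) if is_valid(r)]


if __name__ == "__main__":
    kept = preprocess(RAW)
    print([r["event_id"] for r in kept])
    print(private_category_counts(kept, epsilon=0.1, rng=random.Random(0)))
```

Of the six constructed rows, only events 1001 and 1003 survive: 1002 is an exact duplicate, 1004 a near-duplicate description, 1005 fails validation and 1006 has an unparseable timestamp. Lowering ε from 1.0 to 0.1 multiplies the noise scale on the released counts by ten.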
To improve methodological transparency, Table 5 summarizes the key parameters and constants applied throughout the mathematical formulation and training process of BlockIntelChain. The selected range of differential privacy budgets (ε = 0.1–1.0) was empirically derived from iterative testing on CTI datasets, ensuring a balance between accuracy and privacy (see Fig. 9). Lower ε values prioritize confidentiality with moderate accuracy loss, whereas higher ε values enhance model precision with reduced privacy strength.
Table 5. Summary of model parameters and mathematical formulations used in BlockIntelChain.
| Parameter | Symbol | Range/value | Description | Rationale for selection |
|---|---|---|---|---|
| Differential privacy budget | ε | 0.1–1.0 | Governs the balance between privacy and model utility | Empirically tuned; ε = 0.1 provides 92% model utility while ensuring strong privacy; ε = 1.0 offers maximum accuracy (trade-off control) |
| Reputation decay rate | λ | 0.02–0.1 | Rate of reputation score reduction for inactive validators | Selected to stabilize long-term validator trust and discourage passive nodes |
| Homomorphic encryption overhead | δ_HE | 18–22% | Additional computational cost from HE operations | Measured under 500-node deployment; acceptable latency–security trade-off |
| ZKP proof generation time | T_ZKP | 420–480 ms | Time required for generating privacy verification proofs | Benchmarked on Intel Xeon 3.4 GHz; within acceptable threshold for on-chain validation |
| Consensus threshold | θ | 0.67 | Minimum agreement ratio for block validation | Ensures Byzantine fault tolerance (BFT) against up to 33% malicious nodes |
| Federated learning rounds | | 50–100 | Number of global model aggregation rounds | Optimized for convergence stability while minimizing communication overhead |
| Learning rate (FL model) | | 0.001 | Step size for gradient update in DNN training | Standardized to prevent oscillations and ensure smooth convergence |
| Privacy noise distribution | | σ = 0.2–0.6 | Gaussian noise added per iteration | Tuned to achieve optimal balance between differential privacy and accuracy stability |
Similarly, the reputation decay rate (λ) was fine-tuned to maintain validator reliability, and the consensus threshold (θ = 0.67) follows standard Byzantine tolerance principles. Computation overhead metrics, such as HE latency (δ_HE) and ZKP generation time (T_ZKP), were profiled during real-world simulation runs to validate efficiency under realistic IoT network constraints. Collectively, these design parameters reinforce the model’s reproducibility and allow future researchers to replicate the BlockIntelChain configuration across heterogeneous environments.
Step-by-step system workflow
The BlockIntelChain system operates as a fully decentralized CTI sharing network, following a clear step-by-step workflow designed for reproducibility and transparency. The workflow begins with data acquisition, where CTI Contributors—including security vendors, research institutions, and national CERTs—collect and share threat intelligence from structured repositories such as the MISP, OpenIOC, and CIRCL feeds. Contributors submit IOCs, malware signatures, threat actor profiles, attack patterns, and contextual metadata.
Once collected, the raw data enters the preprocessing pipeline. This pipeline consists of four stages: (1) data cleaning and normalization to standardize formats and remove malformed entries, (2) duplicate detection using exact matches and semantic similarity computed via TF-IDF vectors, (3) feature extraction and encoding to convert textual and categorical information into structured, machine-readable features, and (4) validation and quality assurance to ensure integrity, consistency, and completeness. Table 3 summarizes the key fields extracted from the MISP dataset, including event identifiers, attribute types, and confidence scores.
After preprocessing, privacy-preserving mechanisms are applied to protect sensitive organizational information. The data then flows into the consensus layer, where a hybrid Proof-of-Stake and reputation-based mechanism selects validators to confirm transactions. Following consensus, federated learning models are deployed at IoT edge nodes to perform real-time anomaly detection and threat classification without transmitting raw data. Finally, smart contracts manage validation, incentive distribution, access control, and blockchain state transitions, ensuring secure, auditable operations across the network.
Performance evaluation results
The experimental environment for BlockIntelChain was deployed on a private Ethereum 2.0 test network using Solidity 0.8.20, Truffle v5.10, TensorFlow 2.14, and PyTorch 2.2. A total of 500 validator nodes and 1,500 edge contributors were simulated, each representing IoT gateways participating in federated CTI exchange. Datasets were obtained from MISP Threat Feeds, ThreatFox, and CyberIO and then preprocessed to remove duplicates, incomplete entries, and redundant indicators, producing a curated corpus of 2.6 million IoC records. All experiments were repeated five times under identical conditions to ensure statistical reliability, and the reported results represent the mean values across runs with corresponding standard-deviation error margins. This configuration provides a reproducible foundation for benchmarking throughput, latency, scalability, and privacy-utility performance across heterogeneous IoT environments.
The performance of BlockIntelChain was analyzed under different network setups and operating conditions to determine the scalability and efficiency characteristics of the system. The evaluation measures include transaction throughput, query response time, consensus latency, and resource utilization patterns at various loads.
Transaction throughput analysis shows that BlockIntelChain achieves considerable performance improvements compared to conventional blockchain implementations. The hybrid consensus mechanism, which merges Proof-of-Stake with reputation-based selection, shows better performance especially in situations where the proportion of validators is high. The system exhibits good scalability characteristics, since throughput remains steady as the size of the network increases or decreases.
To evaluate the performance of BlockIntelChain relative to existing CTI systems, Table 6 compares transaction throughput (TPS), latency, and CPU usage across different network sizes, highlighting the efficiency and scalability of the proposed platform.
Table 6. Comparison of transaction throughput (TPS), latency, and CPU usage for BlockIntelChain and baseline CTI systems across varying network sizes, demonstrating improved efficiency and scalability of the proposed architecture.
| System | Network size | TPS | Latency (ms) | CPU usage (%) |
|---|---|---|---|---|
| BlockIntelChain | 100 nodes | 847 | 156 | 23.4 |
| BlockIntelChain | 500 nodes | 923 | 189 | 28.7 |
| BlockIntelChain | 1000 nodes | 901 | 234 | 35.2 |
| Traditional CTI platform | 100 nodes | 234 | 89 | 45.6 |
| Existing Blockchain CTI | 100 nodes | 156 | 1245 | 67.8 |
| Centralized database | N/A | 1250 | 12 | 78.9 |
As shown in Table 6, BlockIntelChain achieves higher transaction throughput with moderate latency and lower CPU utilization compared to traditional CTI platforms and existing blockchain-based systems, demonstrating its suitability for large-scale, decentralized threat intelligence sharing.
Analysis of the query response time establishes the effectiveness of the hierarchical indexing scheme applied in the smart contracts. The mean query response time remains acceptable even with large threat intelligence databases, which means that the system can cope with real-life deployment scenarios. The multi-level indexing scheme is of particular advantage when a query involves multiple threat intelligence attributes.
The memory usage pattern shows good resource management under various operational conditions. The smart contract optimization techniques are effective in reducing storage overhead while maintaining query performance. The dynamic caching mechanisms behave adaptively, automatically changing cache sizes depending on query patterns and system load.
69
70
The network scalability analysis shows that BlockIntelChain maintains consistent network performance as the size of the network is scaled. The consensus algorithm is resistant to network partitions and degrades gracefully under adverse conditions. The validator selection protocol distributes load effectively, eliminating bottlenecks even where stakes are unevenly distributed.
To evaluate the multi-dimensional performance and scalability of BlockIntelChain, Fig. 6 presents transaction throughput, consensus latency, and CPU efficiency across varying network sizes, benchmarking against existing CTI platforms.
Fig. 6. Multi-dimensional performance and scalability analysis of BlockIntelChain. Top panel: comparison of throughput (TPS), consensus latency, and CPU efficiency across 100, 500, and 1000 node deployments relative to traditional CTI platforms, existing blockchain CTI, and centralized databases. Bottom panel: scalability performance showing transaction throughput and consensus latency trends as network size increases, highlighting high throughput and CPU efficiency, with latency growth under larger deployments.
Figure 6 demonstrates BlockIntelChain’s superior throughput and CPU efficiency across network scales while providing insights into latency behavior under increasing network sizes, validating its operational efficiency and scalability.
Security analysis and threat resistance
The security evaluation of BlockIntelChain encompasses multiple attack scenarios and threat models relevant to blockchain-based systems and threat intelligence sharing platforms. The analysis demonstrates the system’s resilience against various attack vectors while identifying potential vulnerabilities and mitigation strategies.
Byzantine fault tolerance testing reveals that the system maintains correct operation even when up to 33% of validators exhibit malicious behavior. The hybrid consensus mechanism successfully prevents common attacks including nothing-at-stake attacks and long-range attacks. The reputation-based validator selection adds an additional layer of security by gradually reducing the influence of consistently malicious validators.
To assess the resilience of BlockIntelChain against various security threats, Table 7 presents success rates, detection times, recovery times, and the impact levels for a range of potential attacks, demonstrating the robustness of the proposed system.
Table 7. Security attack resistance analysis of BlockIntelChain, showing success rates, detection and recovery times, and impact levels for different attack types, highlighting the system’s ability to maintain operational integrity under adversarial conditions.
| Attack type | Success rate (%) | Detection time (s) | Recovery time (s) | Impact level |
|---|---|---|---|---|
| Sybil attack | 2.3 | 45 | 120 | Low |
| 51% attack | 0.0 | N/A | N/A | None |
| Eclipse attack | 1.8 | 67 | 89 | Low |
| Double spending | 0.1 | 23 | 34 | Minimal |
| Data poisoning | 3.7 | 156 | 267 | Medium |
| Privacy breach | 0.0 | N/A | N/A | None |
| Smart contract exploit | 0.2 | 12 | 45 | Minimal |
Table 7 demonstrates that BlockIntelChain maintains high security resilience, with very low success rates for all attack types, rapid detection, and recovery times, confirming the effectiveness of its consensus, privacy, and validation mechanisms.
Sybil attack resistance analysis demonstrates the effectiveness of the stake-based participation requirements and identity verification mechanisms. The system successfully prevents the creation of multiple false identities by requiring significant economic commitments from participants. The reputation tracking system provides additional protection by monitoring validator behavior patterns over time.
Privacy preservation evaluation confirms the effectiveness of the multi-layered privacy framework. Homomorphic encryption implementations successfully enable statistical analysis while maintaining data confidentiality. Zero-knowledge proof protocols demonstrate reliable verification capabilities without information disclosure. Differential privacy mechanisms provide measurable privacy guarantees while preserving analytical utility.
71
72
where is the differential privacy parameter, represents conditional entropy, and measures mutual information between original and anonymized data.
To evaluate the security resilience and incident response capabilities of BlockIntelChain, Fig. 7 presents attack success rates, detection times, and recovery performance across multiple attack vectors.
Fig. 7. Security resilience and incident response performance of BlockIntelChain. Top panel: bar chart of attack success rates and corresponding detection times for various attack types (Sybil, Eclipse, double spending, data poisoning, privacy breach, smart contract exploit), indicating low success rates and rapid detection. Bottom panel: comparison of detection versus recovery times for each attack vector, highlighting efficient incident response and system robustness under diverse threat scenarios.
Figure 7 demonstrates BlockIntelChain’s ability to maintain high resilience against multiple cyberattacks, with minimal impact and fast recovery, validating the effectiveness of the proposed security and consensus mechanisms.
Economic analysis and incentive effectiveness
The economic analysis of BlockIntelChain examines how well the incentive regimes support high-quality sharing of threat intelligence without making the operation economically unsustainable. The comparative analysis covers participation rate, contribution quality, and economic efficiency measures under various market conditions.
The participation-rate analysis indicates that the incentive system keeps threat intelligence contributors actively engaged, leading to an increase in participation. The multi-factor reward calculation separates high-quality input from low-quality input, which raises the overall quality of the data. The dynamic reward adjustment factor responds to market changes and helps keep the reward process balanced across the various types of stakeholders.
To evaluate the economic and incentive performance of BlockIntelChain, Table 8 tracks active contributors, contribution quality, token distribution, network participation, false positive rates, and overall economic efficiency over a 12-month period.
Table 8. Economic performance and incentive analysis of BlockIntelChain over 12 months, demonstrating improvements in contributor engagement, quality of contributions, and overall network efficiency.
Metric | Month 1 | Month 3 | Month 6 | Month 12 |
|---|---|---|---|---|
Active contributors | 156 | 342 | 678 | 1245 |
Avg. contribution quality | 0.73 | 0.81 | 0.87 | 0.92 |
Token distribution (K) | 12.4 | 45.7 | 123.8 | 278.9 |
Network participation rate (%) | 23.4 | 45.6 | 67.8 | 82.3 |
False positive rate (%) | 8.7 | 5.2 | 3.1 | 1.8 |
Economic efficiency index | 0.65 | 0.78 | 0.89 | 0.94 |
As shown in Table 8, the economic incentives of BlockIntelChain effectively increase active participation and contribution quality over time, while reducing false positive rates, confirming the platform’s ability to sustain engagement and efficiency across a growing network.
The quality assessment also shows that threat intelligence precision improves greatly over time. The reputation-based validation system is effective at weeding out poor contributors and encouraging high-quality information, rewarding good contributors and penalizing those who submit wrong or low-quality intelligence. The improvement over time reflects the effectiveness of the learning mechanisms incorporated in the system.
73
74
To assess the economic impact and network growth of BlockIntelChain, Fig. 8 presents both contributor evolution and key economic performance metrics over a 12-month period.
Fig. 8. Economic and network evolution of BlockIntelChain. Left panel: scatter plot of network connectivity versus participation density, illustrating how higher connectivity correlates with increased stakeholder engagement. Right panel: bar chart showing active contributors, contribution quality, participation rate, and economic efficiency index over 12 months, demonstrating consistent growth in network adoption and economic performance.
Figure 8 highlights the positive trajectory of BlockIntelChain’s ecosystem, where enhanced connectivity drives participation, and economic incentives promote sustained contribution quality and network efficiency.
Privacy preservation and data quality analysis
The privacy preservation functions of BlockIntelChain are essential for protecting the privacy of data records without compromising their usefulness for threat intelligence work. This analysis assesses the effectiveness of several privacy-preserving methods and their effect on system performance and data quality.
The differential privacy implementation shows a high degree of protection against inference while retaining good analytical utility. The privacy budget allocation system allocates noise to queries dynamically, depending on query sensitivity and frequency. Homomorphic encryption supports secure processing of encrypted threat intelligence, making statistical analysis possible without loss of confidentiality.
To analyze the trade-offs of various privacy-preserving techniques within BlockIntelChain, Table 9 compares Differential Privacy (DP), Homomorphic Encryption (HE), Zero-Knowledge Proofs (ZKP), Secure Multi-Party Computation (SMPC), and hybrid approaches in terms of privacy level, utility, computational and storage overhead, and query latency.
Table 9. Privacy preservation performance of BlockIntelChain, showing the effectiveness, efficiency, and trade-offs of different privacy techniques for securing threat intelligence while maintaining system usability.
Privacy technique | Privacy level | Utility score | Computation overhead (%) | Storage overhead (%) | Query latency (ms) |
|---|---|---|---|---|---|
Differential privacy ( ) | High | 0.92 | 15.3 | 8.7 | 234 |
Differential privacy ( ) | Medium | 0.95 | 12.1 | 6.2 | 198 |
Differential privacy ( ) | Low | 0.97 | 8.9 | 4.1 | 167 |
Homomorphic encryption | High | 0.89 | 67.4 | 145.8 | 1876 |
Zero-knowledge proofs | High | 0.94 | 34.2 | 23.6 | 567 |
Secure multi-party computation | High | 0.91 | 89.3 | 67.2 | 2345 |
Hybrid approach (DP + ZKP) | High | 0.93 | 28.7 | 18.9 | 423 |
No privacy protection | None | 1.00 | 0.0 | 0.0 | 145 |
As seen in Table 9, BlockIntelChain achieves high privacy protection with acceptable trade-offs in utility, computation, storage, and latency, demonstrating that hybrid approaches like DP + ZKP can balance confidentiality and system performance effectively.
Zero-knowledge proof protocols provide a way to prove the validity of threat intelligence without disclosing any secrets. The implementation achieves verification success rates above 99.2% while maintaining proof generation times under 500 ms for typical threat intelligence entries. The proof size remains compact, averaging 128 bytes per validation.
Data quality assessment reveals that privacy-preserving mechanisms introduce minimal degradation in analytical utility. Machine learning models trained on privacy-preserved data maintain classification accuracy within 2–5% of models trained on raw data. The utility-privacy trade-off demonstrates optimal configurations for different deployment scenarios.
75
76
The anonymization techniques successfully protect contributor identities while preserving threat intelligence value. K-anonymity and l-diversity implementations achieve privacy protection levels exceeding industry standards. The system maintains data freshness through incremental anonymization updates without compromising historical privacy guarantees.
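The k-anonymity and l-diversity properties named above can be checked mechanically before a batch of contributor metadata is released. The following is an added example, not code from the paper: the records, the quasi-identifier choice, the region mapping, and all function names are constructed assumptions. It shows a release that reaches k = 2 after generalization yet still leaks through a homogeneous class, which is the case l-diversity exists to catch.

```python
from collections import defaultdict

# Constructed contributor metadata attached to shared reports (not paper data).
RECORDS = [
    {"sector": "energy",  "country": "DE", "size": "large",  "threat": "ransomware"},
    {"sector": "energy",  "country": "FR", "size": "large",  "threat": "ransomware"},
    {"sector": "energy",  "country": "NL", "size": "medium", "threat": "ransomware"},
    {"sector": "finance", "country": "US", "size": "large",  "threat": "phishing"},
    {"sector": "finance", "country": "US", "size": "large",  "threat": "botnet"},
    {"sector": "finance", "country": "CA", "size": "medium", "threat": "phishing"},
    {"sector": "health",  "country": "DE", "size": "medium", "threat": "ransomware"},
    {"sector": "health",  "country": "FR", "size": "medium", "threat": "phishing"},
]
QUASI = ("sector", "country", "size")   # attributes an observer could link on
SENSITIVE = "threat"                    # what the contributor was affected by
REGION = {"DE": "EU", "FR": "EU", "NL": "EU", "US": "NA", "CA": "NA"}


def equivalence_classes(records, quasi=QUASI):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi)].append(rec)
    return dict(classes)


def k_anonymity(records, quasi=QUASI):
    """Size of the smallest equivalence class."""
    return min(len(g) for g in equivalence_classes(records, quasi).values())


def l_diversity(records, quasi=QUASI, sensitive=SENSITIVE):
    """Fewest distinct sensitive values found in any equivalence class."""
    return min(len({r[sensitive] for r in g})
               for g in equivalence_classes(records, quasi).values())


def homogeneous_classes(records, quasi=QUASI, sensitive=SENSITIVE):
    """Classes where membership alone reveals the sensitive value."""
    return sorted(key for key, g in equivalence_classes(records, quasi).items()
                  if len({r[sensitive] for r in g}) == 1)


def generalize(records, field, mapping=None):
    """Coarsen one field via mapping; mapping=None suppresses it to '*'."""
    return [{**r, field: mapping[r[field]] if mapping else "*"} for r in records]


def release(records):
    """Country -> region, then suppress organisation size."""
    return generalize(generalize(records, "country", REGION), "size")


if __name__ == "__main__":
    print("raw:      k =", k_anonymity(RECORDS), " l =", l_diversity(RECORDS))
    out = release(RECORDS)
    print("released: k =", k_anonymity(out), " l =", l_diversity(out))
    print("homogeneous classes:", homogeneous_classes(out))
```

In the released set every record hides among at least two, but the energy/EU class contains only ransomware reports, so the fix is further generalization or suppression of that class, not a higher k.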
To analyze privacy-preservation effectiveness, Fig. 9 presents trade-offs between utility, computation, storage, and query latency across multiple privacy-preserving techniques in BlockIntelChain.
Fig. 9. Privacy preservation trade-offs in BlockIntelChain. Left panel: probability density of utility scores under varying privacy levels (high, medium, low, none), showing decreased utility with stronger privacy. Right panel: comparison of privacy-preserving techniques (Differential privacy, homomorphic encryption, zero-knowledge proofs, secure multi-party computation, hybrid approaches) across four metrics—utility score, computation overhead, storage overhead, and query latency—demonstrating that hybrid methods provide balanced privacy with acceptable overhead and latency.
Figure 9 confirms that BlockIntelChain can achieve high privacy levels while maintaining reasonable system utility and overhead, supporting practical deployment of privacy-aware CTI sharing.
Operational Implications of Privacy–Utility Trade-offs:
The quantitative outcomes presented in Table 8 and Fig. 9 reveal that stronger privacy enforcement (lower ε values or added cryptographic layers) slightly increases computational load and query latency. In real-world environments such as Security Operation Centers (SOCs), these adjustments affect both the timeliness and confidence of incident analysis. For example, with ε = 0.1, latency increases by roughly 11%, yet false-positive rates drop by 6%, allowing analysts to focus on validated alerts. When ε is relaxed to 1.0, processing becomes 15% faster but with marginally higher information-leakage risk. This trade-off demonstrates how privacy budgets and proof complexities can be tuned dynamically depending on the operational phase—tighter configurations for confidential inter-agency intelligence exchange and lighter settings for rapid threat correlation during large-scale scanning. Such adaptive calibration enables BlockIntelChain to maintain compliance with privacy regulations while sustaining near-real-time responsiveness crucial for SOC workflows.
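To make the ε trade-off concrete, the following added example (not code from the paper) applies the standard Laplace mechanism to a contributor-count query at the two ε values discussed above, with a simple budget accountant. The class and function names, the sample sightings, and the use of basic sequential composition for the budget are assumptions; the paper does not give its allocation scheme.

```python
import math
import random

# Constructed sample: (contributor, indicator) sightings. Not data from the paper.
SIGHTINGS = (
    [(f"org-{n:02d}", "198.51.100.23") for n in range(40)]
    + [("org-03", "198.51.100.23")]                      # repeat report, same org
    + [(f"org-{n:02d}", "malware.example") for n in range(3)]
)


class BudgetExhausted(Exception):
    """A query would push the cumulative epsilon past the configured cap."""


class PrivateSightingCounter:
    """Answers "how many contributors saw X?" with the Laplace mechanism.

    Hypothetical helper. Budgeting uses basic sequential composition: the
    epsilons of all answered queries add up and may not exceed the cap.
    """

    def __init__(self, sightings, total_epsilon, seed=None):
        self._sightings = list(sightings)
        self.total_epsilon = total_epsilon
        self.spent = 0.0
        self._rng = random.Random(seed)

    @staticmethod
    def noise_scale(epsilon, sensitivity=1.0):
        """Laplace scale b = sensitivity / epsilon; E|noise| equals b."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        return sensitivity / epsilon

    def true_count(self, indicator):
        # Count distinct contributors, so adding or removing one contributor
        # changes the answer by at most 1 (sensitivity 1).
        return len({org for org, ioc in self._sightings if ioc == indicator})

    def _laplace(self, scale):
        # The difference of two i.i.d. exponentials is Laplace(0, scale).
        # Plain floating-point sampling is fine for a demonstration;
        # production DP libraries use hardened samplers.
        rate = 1.0 / scale
        return self._rng.expovariate(rate) - self._rng.expovariate(rate)

    def count(self, indicator, epsilon):
        scale = self.noise_scale(epsilon)
        if self.spent + epsilon > self.total_epsilon + 1e-12:
            raise BudgetExhausted(f"spent {self.spent:.2f} of {self.total_epsilon:.2f}")
        self.spent += epsilon
        return self.true_count(indicator) + self._laplace(scale)


def mean_abs_error(indicator, epsilon, trials=20000, seed=7):
    """Empirical average |noisy - true| at a given epsilon. The unbounded
    budget is only for measuring the mechanism, never for deployment."""
    counter = PrivateSightingCounter(SIGHTINGS, total_epsilon=math.inf, seed=seed)
    truth = counter.true_count(indicator)
    total = sum(abs(counter.count(indicator, epsilon) - truth) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for eps in (0.1, 1.0):
        print(f"epsilon={eps}: scale={PrivateSightingCounter.noise_scale(eps):.1f}, "
              f"mean abs error={mean_abs_error('198.51.100.23', eps):.2f}")
    # An indicator seen by 3 contributors is drowned by scale-10 noise at 0.1.
    counter = PrivateSightingCounter(SIGHTINGS, total_epsilon=0.3, seed=1)
    for _ in range(4):
        try:
            print(round(counter.count("malware.example", 0.1), 1))
        except BudgetExhausted as exc:
            print("refused:", exc)
```

At ε = 0.1 the expected error is about 10 contributors, tolerable for a widely seen indicator and useless for a rare one, so tight budgets suit aggregate statistics better than per-indicator lookups.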
Scalability and load testing results
Comprehensive scalability testing evaluates BlockIntelChain’s performance under varying load conditions and network configurations. The analysis examines system behavior during peak usage scenarios, sustained high-load operations, and network stress conditions to validate real-world deployment readiness.
Transaction processing scalability demonstrates consistent performance across different network sizes. The hybrid consensus mechanism maintains throughput levels even with increased validator participation. Load balancing algorithms effectively distribute processing across network nodes, preventing bottlenecks and ensuring stable operation.
To evaluate the scalability and load-handling capabilities of BlockIntelChain, Table 10 presents system performance under varying network sizes, concurrent user loads, and operational scenarios, reporting transaction throughput (TPS), success rate, and average response time.
Table 10. Scalability and load testing of BlockIntelChain across multiple network sizes and concurrent user scenarios, demonstrating system reliability, high throughput, and consistent response times under diverse operating conditions.
Load scenario | Network size | Concurrent users | TPS | Success rate (%) | Average response time (ms) |
|---|---|---|---|---|---|
Light load | 100 nodes | 500 | 847 | 99.8 | 156 |
Moderate load | 500 nodes | 2500 | 923 | 99.6 | 189 |
Heavy load | 1000 nodes | 5000 | 901 | 99.2 | 234 |
Peak load | 1000 nodes | 10,000 | 743 | 97.8 | 312 |
Stress test | 1000 nodes | 15,000 | 567 | 94.3 | 456 |
Extreme load | 1000 nodes | 20,000 | 378 | 87.6 | 678 |
Burst traffic | 500 nodes | 8000 (5 min) | 834 | 98.7 | 267 |
Sustained load | 500 nodes | 3000 (2 h) | 912 | 99.4 | 198 |
Geographic distribution | 1000 nodes | 5000 | 856 | 98.9 | 289 |
Table 10 demonstrates that BlockIntelChain maintains robust scalability and performance across a range of network sizes and load conditions, achieving high TPS, strong success rates, and consistent response times, confirming its suitability for real-world, large-scale CTI deployments.
Query processing scalability maintains sub-second response times for complex threat intelligence searches even with databases containing millions of records. The hierarchical indexing scheme demonstrates logarithmic complexity scaling, ensuring consistent performance as data volume increases. Distributed caching mechanisms reduce query latency by 40–60% for frequently accessed threat intelligence.
Network resilience testing validates system operation under adverse conditions including network partitions, node failures, and Byzantine behavior. The consensus mechanism maintains safety and liveness properties even when 30% of validators exhibit malicious behavior. Automatic failover mechanisms ensure continued operation during node outages.
77
78
Storage scalability demonstrates efficient management of growing threat intelligence databases. Distributed storage mechanisms maintain data availability while optimizing storage costs. Data compression and deduplication techniques reduce storage requirements by 35–50% without impacting query performance.
To evaluate BlockIntelChain’s performance under varying network loads, Fig. 10 presents a comprehensive analysis of scalability and system behavior with respect to throughput, success rate, and response times across multiple load scenarios.
Fig. 10. Scalability and load testing performance of BlockIntelChain. Top-left: transaction throughput versus concurrent users, highlighting throughput degradation with increasing load and transition from excellent to degraded success rates. Top-right: heatmap summarizing multi-metric performance across load scenarios (throughput, success rate, response efficiency). Bottom-right: response time versus load correlation showing latency increases sharply beyond 15,000 concurrent users, indicating the high-load performance threshold.
Figure 10 demonstrates that BlockIntelChain maintains high throughput and success rates under moderate load conditions, with system performance degrading gracefully under extreme load, providing critical insights into network scalability and operational thresholds.
Machine learning integration and threat detection analysis
The integration of machine learning capabilities into BlockIntelChain improves automated threat detection and intelligence analysis. This analysis reviews the usefulness of the ML-based threat classification, anomaly detection, and predictive analytics modules deployed in the blockchain architecture.
The threat classification models achieve high accuracy rates across various types of threats. Deep learning algorithms fed with threat intelligence stored on the blockchain perform better than traditional centralized techniques. The distributed training mechanisms also strengthen the data privacy model.
To assess the effectiveness of machine learning models integrated into BlockIntelChain, Table 11 presents performance metrics across multiple threat categories, including accuracy, precision, recall, F1-score, and training time, allowing comparison between federated and centralized approaches.
Table 11. Machine learning performance for threat detection in BlockIntelChain, showing model accuracy, precision, recall, F1-score, and training time for various threat categories, highlighting the efficacy of federated learning and specialized ML pipelines in identifying cyber threats.
ML model | Accuracy (%) | Precision (%) | Recall (%) | F1-Score | Training time (hrs) |
|---|---|---|---|---|---|
Malware classification | 96.4 | 95.8 | 97.1 | 0.964 | 2.3 |
Phishing detection | 94.7 | 93.2 | 96.3 | 0.947 | 1.8 |
Botnet identification | 93.1 | 92.6 | 93.7 | 0.932 | 3.1 |
APT detection | 91.8 | 90.4 | 93.3 | 0.917 | 4.2 |
Network anomaly detection | 95.2 | 94.6 | 95.8 | 0.952 | 1.5 |
Behavioral analysis | 89.7 | 88.3 | 91.2 | 0.896 | 5.7 |
Attack pattern recognition | 92.5 | 91.9 | 93.1 | 0.925 | 2.9 |
Federated learning model | 94.8 | 93.7 | 95.9 | 0.948 | 3.6 |
Centralized baseline | 93.2 | 92.1 | 94.3 | 0.932 | 2.1 |
Table 11 shows that BlockIntelChain’s ML models achieve high detection accuracy across diverse threat categories, with federated learning models providing competitive performance while enabling distributed, privacy-preserving analysis of CTI data.
Anomaly detection systems identify novel threat patterns with minimal false positive rates. Unsupervised learning algorithms detect emerging attack vectors not present in training data. The blockchain-based approach enables rapid model updates and threat signature distribution across the network.
Real-time threat intelligence correlation achieves processing speeds suitable for operational security environments. Graph neural networks analyze threat actor relationships and attack campaign connections. The distributed inference mechanism provides sub-second threat assessments for incoming security events.
79
80
Predictive analytics capabilities forecast threat landscape evolution and emerging attack trends. Time series analysis of threat intelligence data enables proactive defense planning. The collaborative learning approach leverages collective intelligence while maintaining organizational privacy.
Model interpretability features provide explanations for threat detection decisions. SHAP (SHapley Additive exPlanations) values quantify the contribution of different threat indicators to classification decisions. This transparency enables security analysts to understand and validate automated threat assessments.
To evaluate the efficacy of integrated machine learning models in BlockIntelChain, Fig. 11 presents performance metrics across multiple cyberattack types and compares federated learning with a centralized baseline.
Fig. 11. Threat detection and federated learning performance in BlockIntelChain. Top panel: accuracy, precision, recall, and F1-score across multiple machine learning models for malware classification, phishing detection, botnet identification, APT detection, network anomaly detection, behavioral analysis, and attack pattern recognition. Bottom panel: comparison of federated versus centralized learning approaches, highlighting superior performance of federated learning in accuracy, recall, and F1-score, with reduced training time, demonstrating the effectiveness of distributed threat intelligence analysis.
Figure 11 confirms that BlockIntelChain achieves consistently high threat detection performance across diverse cyberattack types, and that the federated learning approach outperforms the centralized baseline, offering both high accuracy and efficiency for real-world distributed CTI deployments.
Performance evaluation and comparative analysis
The evaluation of BlockIntelChain demonstrates significant improvements over existing CTI platforms such as MISP, ThreatConnect, IBM X-Force, and prior blockchain-based systems like FedCTI and BFLS. As shown in Table 10 and Fig. 12, BlockIntelChain achieves the highest overall performance score (89.6/100), outperforming existing blockchain CTI (69.6) and MISP (62.0), particularly in decentralization (+ 52.5 points) and privacy preservation (+ 26.5 points). This confirms that the integration of blockchain with federated learning and explainable machine learning provides measurable advantages over centralized and earlier decentralized architectures. The system maintains high throughput and low CPU overhead under large-scale network conditions (Figs. 6 and 10, Tables 4 and 8), supporting real-time threat intelligence sharing even at IoT-scale telemetry. Federated learning enhances detection accuracy across multiple threat categories (malware, phishing, network anomalies), while reducing training time compared to centralized baselines (Fig. 11, Table 9). Privacy-preserving mechanisms, particularly hybrid DP + ZKP approaches (Fig. 9, Table 7), protect sensitive organizational data with balanced utility and acceptable computational overhead, addressing limitations noted in prior work.
Fig. 12. Platform comparison and market advantage evaluation of BlockIntelChain relative to existing CTI solutions. Left: performance scores across privacy, scalability, security, cost efficiency, and decentralization, showing BlockIntelChain leading in 4 out of 5 dimensions. Top-right: overall performance ranking, with BlockIntelChain achieving the highest score (89.6). Bottom-right: competitive advantage analysis, quantifying BlockIntelChain’s superiority, particularly in decentralization (+ 52.5 points), confirming its strong market positioning and multidimensional performance.
Practical implications and applications
BlockIntelChain offers clear benefits for security operations centers, industrial IoT deployments, and automated threat analysis. SOCs can access verified threat intelligence in real-time, improving incident response and proactive threat mitigation, while token-based incentives encourage timely and high-quality contributions. In IoT and industrial networks, lightweight edge analytics combined with federated learning ensure local threat detection, reducing network load and latency. Automated machine learning models detect and classify diverse cyberattacks with F1-scores exceeding 0.94, reducing reliance on manual analysis and enhancing operational responsiveness. These capabilities demonstrate that BlockIntelChain is suitable for heterogeneous enterprise, industrial, and smart-city environments, bridging gaps left by existing CTI solutions such as FedCTI and BFLS.
Limitations and scalability considerations
Despite these advantages, several limitations remain. Cross-border data sharing may be constrained by regulatory frameworks such as GDPR, which are not fully addressed in this architecture. Resource-constrained IoT deployments could face performance bottlenecks, particularly under extreme load, where throughput drops to 378 TPS and success rates fall to 87.6% (Fig. 10, Table 8). High-privacy techniques, such as Homomorphic Encryption, increase query latency substantially (~ 1876 ms), highlighting the need to balance privacy with real-time performance (Fig. 9, Table 7). Moreover, while federated learning generally improves accuracy and reduces training time, certain models—such as APT detection and behavioral analysis—exhibit slightly lower recall, suggesting the need for model-specific optimizations.
Unexpected findings and insights
Several unexpected findings emerged from the evaluation. Privacy-preserving techniques displayed clear trade-offs between utility and latency, with hybrid approaches (DP + ZKP) offering the best compromise. The system exhibits a performance threshold at 15,000 concurrent users, beyond which transaction throughput declines and latency rises, indicating scalability boundaries and potential requirements for horizontal scaling or sharding. Federated learning consistently outperformed centralized baselines in accuracy and F1-score, validating its value in distributed threat intelligence environments. These observations provide actionable insights for designing and tuning next-generation decentralized CTI platforms capable of operating at large scale with high security, privacy, and automation.
Comparative analysis with existing solutions
The comparative analysis evaluates BlockIntelChain against existing threat intelligence sharing platforms across multiple dimensions including functionality, performance, security, and economic factors. The comparison encompasses both centralized commercial platforms and emerging blockchain-based solutions.
To contextualize the performance of BlockIntelChain within the broader CTI ecosystem, Table 12 benchmarks the platform against existing CTI solutions in terms of decentralization, privacy, scalability, security, and cost efficiency.
Table 12. Comprehensive comparison of BlockIntelChain with existing CTI platforms, highlighting strengths in decentralization, privacy, scalability, security, and cost-efficiency, and demonstrating its competitive advantage in next-generation threat intelligence sharing.
Platform | Decentralization | Privacy score | Scalability | Security score | Cost efficiency |
|---|---|---|---|---|---|
BlockIntelChain | 9.2/10 | 8.8/10 | 8.5/10 | 9.4/10 | 8.9/10 |
MISP platform | 3.2/10 | 6.1/10 | 7.8/10 | 6.7/10 | 7.2/10 |
ThreatConnect | 2.1/10 | 5.4/10 | 8.9/10 | 7.1/10 | 5.8/10 |
IBM X-Force | 1.8/10 | 5.9/10 | 9.1/10 | 7.8/10 | 4.2/10 |
Existing Blockchain CTI | 8.7/10 | 7.2/10 | 4.3/10 | 8.1/10 | 6.5/10 |
As indicated in Table 12, BlockIntelChain outperforms existing CTI platforms across multiple metrics, particularly in decentralization, privacy, and security, highlighting its effectiveness as a scalable, robust, and cost-efficient solution for next-generation threat intelligence sharing.
These results are consistent with findings from prior studies that emphasized the effectiveness of decentralized blockchain systems for CTI sharing. For example, Nazir et al. [2] cited privacy risks and trust issues as important challenges of centralized CTI systems, which BlockIntelChain resolves. Khayat et al. [20] proposed a scalable, AI-integrated architecture in which machine learning is integrated within a blockchain-facilitated CTI platform, noting its potential to deliver secure CTI in distributed environments. Similarly, Abu et al. [12] endorsed the benefits of blockchain infrastructure in enhancing trust and resilience among threat-sharing actors. These studies support BlockIntelChain’s performance and architecture decisions.
BlockIntelChain compares favorably in performance benchmarking, with better results in both security and decentralization. The optimized consensus mechanism allows throughput to scale beyond that of traditional blockchain implementations while retaining the security guarantees. Query performance is better than that of most existing distributed systems, owing to effective indexing and caching techniques.
The security comparison confirms the platform’s strength in defending against threats and preventing attacks. The multi-layered security architecture provides comprehensive protection against various attack vectors that affect existing platforms. The decentralized nature eliminates single points of failure that plague centralized solutions, while the reputation-based consensus provides additional security benefits compared to simple blockchain implementations.
To evaluate BlockIntelChain’s relative market positioning, Fig. 12 presents a comprehensive performance comparison against five existing CTI platforms across key metrics, highlighting areas of competitive advantage.
Figure 12 demonstrates that BlockIntelChain outperforms other CTI platforms across most key performance dimensions, with the greatest advantage in decentralization, confirming its leadership in market positioning and overall effectiveness in next-generation threat intelligence sharing.
Table 13 provides a consolidated statistical comparison of BlockIntelChain with contemporary CTI frameworks. The results show that BlockIntelChain achieves significantly higher throughput (923 TPS) and model accuracy (96.4%) while maintaining privacy utility above 92%. The low standard deviation (± 0.7) and tight 95% confidence interval (± 1.4) indicate high experimental stability. Statistical validation using paired t-tests confirms the superiority of BlockIntelChain with p < 0.01 across all performance dimensions.
Table 13. Quantitative performance comparison with existing CTI frameworks.
Platform | Throughput (TPS) | Latency (ms) | Accuracy (%) | Privacy utility (%) | Std. Dev | 95% CI ( ±) | p value |
|---|---|---|---|---|---|---|---|
BlockIntelChain | 923 | 189 | 96.4 | 92.0 | ± 0.7 | 1.4 | 0.001 |
FedCTI | 612 | 254 | 93.5 | 85.0 | ± 0.9 | 1.9 | 0.003 |
BFLS | 538 | 276 | 92.1 | 83.0 | ± 1.1 | 2.1 | 0.005 |
MISP | 234 | 89 | 84.3 | 70.0 | ± 1.8 | 3.2 | 0.007 |
ThreatConnect | 198 | 103 | 82.7 | 72.0 | ± 2.0 | 3.5 | 0.009 |
IBM X-Force | 245 | 116 | 83.5 | 75.0 | ± 1.7 | 3.0 | 0.006 |
Table 14 presents a concise statistical performance comparison of BlockIntelChain with existing CTI frameworks, highlighting its quantitative superiority across throughput, accuracy, latency, and privacy metrics.
Table 14. Ablation study of BlockIntelChain components.
Configuration | Differential privacy (DP) | Zero-knowledge proof (ZKP) | Secure multi-party computation (SMPC) | Accuracy (%) | Throughput (TPS) | Latency (ms) | Privacy utility (%) |
|---|---|---|---|---|---|---|---|
Full model (BlockIntelChain) | ✓ | ✓ | ✓ | 96.4 | 923 | 189 | 92.0 |
w/o SMPC | ✓ | ✓ | ✗ | 95.8 | 871 | 206 | 89.4 |
w/o ZKP | ✓ | ✗ | ✓ | 95.2 | 801 | 192 | 87.1 |
w/o DP | ✗ | ✓ | ✓ | 94.1 | 894 | 185 | 79.6 |
Baseline (FL only) | ✗ | ✗ | ✗ | 91.7 | 756 | 172 | 70.3 |
The ablation study demonstrates that each privacy-preserving component contributes measurably to BlockIntelChain’s overall performance. Removing the ZKP layer decreases privacy utility by ≈ 5% and slightly raises latency, while omitting SMPC increases latency by ≈ 9% due to heavier local encryption loads. Eliminating DP sharply reduces privacy guarantees (− 12%) and causes information-leakage risks during gradient exchange. The full configuration (DP + ZKP + SMPC) therefore achieves the best trade-off between privacy, scalability, and model accuracy, validating the necessity of the integrated hybrid design.
Limitations and future research directions
The comprehensive evaluation of BlockIntelChain reveals that, despite strong performance in decentralization, privacy, and trust management, several technical limitations remain that point to targeted areas for improvement.
Scalability constraints:
BlockIntelChain performs efficiently under typical network loads (up to 500 validators), achieving ~ 923 TPS. However, under extreme conditions with > 20 000 concurrent transactions, throughput drops to ~ 378 TPS, highlighting performance bottlenecks. This occurs due to consensus delays and increased block validation complexity. Future work should explore sharding, off-chain aggregation, and parallel block generation to maintain linear scalability in high-volume IoT deployments.
Resource Limitations in IoT Devices:
Integrating HE and ZKP strengthens privacy but introduces computational overhead for low-power edge nodes. Experiments show ≈22% additional memory consumption and ≈480 ms average proof latency. Future research should develop lightweight cryptography, TEE-accelerated encryption, and hardware off-loading (e.g., TPM/FPGAs) to reduce processing cost.
Interoperability Challenges:
Although BlockIntelChain supports standard CTI schemas (STIX/TAXII), cross-system communication with proprietary platforms remains partially limited. Future work should design semantic mapping frameworks and protocol-translation middleware to ensure seamless interaction across heterogeneous CTI infrastructures.
Machine Learning and Edge Analytics:
While federated learning enhances distributed detection, edge-side inference occasionally experiences latency spikes and energy strain. Adopting model compression, quantized networks, and federated reinforcement learning can improve responsiveness and on-device efficiency.
Longitudinal Evaluation:
Current tests are based on simulated CTI datasets. Real-world longitudinal studies across industrial and national SOCs will be essential to validate sustained scalability, trust evolution, and incentive model stability.
By linking each limitation with concrete research directions, BlockIntelChain establishes a clear roadmap for future development, enhancing scalability, interoperability, privacy efficiency, and deployment readiness.
By explicitly linking these limitations to targeted future research directions, BlockIntelChain establishes a roadmap for iterative improvement. These initiatives will enhance scalability, interoperability, real-time analytics, and economic viability, reinforcing the framework as a comprehensive, privacy-aware, and robust solution for decentralized CTI sharing.
81
82
83
84
85
Practical Implications and Applications
BlockIntelChain demonstrates practical applicability across several cybersecurity domains where decentralized, privacy-preserving intelligence collaboration is critical.
Security Operation Centers (SOCs):
In SOC environments, BlockIntelChain enables secure, cross-organizational sharing of Indicators of Compromise (IoCs) and attack signatures without disclosing raw telemetry. Token-based incentives and smart-contract reputation mechanisms ensure timely and trustworthy contributions among participating organizations.
Industrial IoT Networks:
For energy, manufacturing, and logistics sectors, edge-deployed federated learning agents detect anomalies such as ransomware or lateral movement locally, then share encrypted alerts through the blockchain layer. This reduces detection latency and improves network resilience.
Smart Cities and Critical Infrastructure:
BlockIntelChain supports real-time intelligence correlation across transportation, power, and surveillance subsystems. Its hybrid consensus provides continuous operation under partial connectivity, while privacy modules maintain GDPR Article 32 compliance for citizen data.
Regulatory and Economic Impact:
Because each participant is cryptographically accountable, the system aligns with ENISA and NIST SP 800-53 governance frameworks. The token economy fosters sustainable data-sharing ecosystems without centralized oversight.
Collectively, these implications confirm BlockIntelChain’s readiness for real-world adoption and its ability to enhance cyber-resilience across industrial and urban IoT infrastructures.
In addition to the identified scalability and privacy constraints, future research should also address regulatory interoperability with global cybersecurity frameworks such as GDPR, the NIS2 Directive, and ENISA security guidelines, ensuring consistent compliance and auditability across jurisdictions. Furthermore, implementing cross-chain communication protocols (e.g., Polkadot, Cosmos IBC) could enable seamless and secure intelligence exchange between heterogeneous blockchain networks, expanding interoperability beyond a single ledger. Another critical direction involves integrating Decentralized Identity (DID) mechanisms for trusted authentication and fine-grained access control across federated domains while maintaining participant anonymity. These developments will enhance BlockIntelChain’s scalability, regulatory alignment, and cross-domain adaptability, establishing a strong foundation for next-generation global CTI ecosystems.
Practical deployment considerations
Moving from a research prototype to production deployment requires attention to numerous practical factors that affect the adoption and correct operation of the system. The deployment analysis considers technical, organizational, and economic aspects of a real-world BlockIntelChain implementation. On the technical side, deployment must address infrastructure requirements, network organization, and system maintenance procedures. The system has to be distributed across several geographic locations to support resilience and performance, and networked components have to cope with differences in bandwidth and latency between regions and organizations. The results and discussion presented in this section show that BlockIntelChain effectively addresses the most important challenges of decentralized threat intelligence sharing and improves substantially on how they are handled today. The analysis shows strong performance, robust security properties, and effective economic incentive schemes that together support stable operation of the ecosystem. Notwithstanding the limitations identified, the system offers a strong basis for practical use and for further research on blockchain-based cybersecurity applications.
Ethical considerations
Although BlockIntelChain primarily focuses on technical efficiency, privacy, and scalability, the ethical handling of cyber threat intelligence is just as critical. The system inevitably processes information that may expose an organization’s internal vulnerabilities, operational strategies, or confidential infrastructure details. Because of this, the framework embeds ethical safeguards that ensure responsible data management, protect sensitive content, and prevent the misuse of shared intelligence.
To maintain confidentiality, all data within BlockIntelChain is protected through several layers of privacy-preserving computation, combining differential privacy, homomorphic encryption, and zero-knowledge proofs. These mechanisms allow intelligence to be analyzed and shared without ever revealing raw or identifying information. Additional anonymization techniques—such as k-anonymity, l-diversity, and t-closeness—are applied to mask entity identities while keeping the data meaningful for threat analysis. Every query that interacts with sensitive information operates under a managed privacy budget, ensuring that repeated access or cumulative analysis does not compromise the overall confidentiality of the dataset.
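The managed privacy budget described above can be illustrated with a Python example, added here and not taken from the BlockIntelChain implementation: a Laplace-mechanism count query over constructed sighting data, guarded by a sequential-composition accountant that refuses queries once the cap is reached. The per-query ε = 0.1 follows the paper's evaluation setting; the total cap of 1.0, all class and function names, and the sample organisations and indicators are assumptions.

```python
import random


class BudgetExhausted(Exception):
    """Raised when a query would push cumulative epsilon past the cap."""


class PrivacyBudget:
    """Sequential composition: the epsilons of answered queries add up."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon  # assumed cap, not a value from the paper
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        # Tolerance keeps float rounding from rejecting the last allowed query.
        if self.spent + epsilon > self.total + 1e-9:
            raise BudgetExhausted(
                f"cap {self.total}, spent {self.spent:.2f}, asked {epsilon}")
        self.spent += epsilon


def laplace_noise(scale, rng):
    """Laplace(0, scale) as the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def noisy_count(sightings, indicator, epsilon, budget, rng):
    """Epsilon-DP answer to 'how many members reported this indicator?'.

    Adding or removing one organisation moves the count by at most 1,
    so the sensitivity is 1 and the Laplace scale is 1 / epsilon.
    """
    budget.charge(epsilon)  # charge first: a refused query never touches data
    true_count = sum(1 for seen in sightings.values() if indicator in seen)
    return true_count + laplace_noise(1.0 / epsilon, rng)


# Constructed sample data: organisation -> indicators it reported.
SIGHTINGS = {
    "soc-a.example": {"203.0.113.7", "malware.example.test"},
    "soc-b.example": {"203.0.113.7"},
    "plant-c.example": {"198.51.100.23", "203.0.113.7"},
    "city-d.example": {"malware.example.test"},
}


def run_queries(n_queries, epsilon=0.1, total_epsilon=1.0, seed=7):
    """Repeat one query; return (answers, number refused by the budget)."""
    budget = PrivacyBudget(total_epsilon)
    # Seeded PRNG keeps the demo reproducible; a deployment needs a secure source.
    rng = random.Random(seed)
    answers, refused = [], 0
    for _ in range(n_queries):
        try:
            answers.append(
                noisy_count(SIGHTINGS, "203.0.113.7", epsilon, budget, rng))
        except BudgetExhausted:
            refused += 1
    return answers, refused


if __name__ == "__main__":
    answers, refused = run_queries(15)
    print(f"answered {len(answers)}, refused {refused}")
    print("mean of released answers:", sum(answers) / len(answers))
```

Without the cap, averaging repeated answers to the same query would cancel the noise and recover the true count, which is the cumulative-analysis leak the budget prevents.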
Ethical responsibility also extends to how intelligence is accessed and used. Smart-contract-based authorization ensures that only verified and approved participants can read or contribute data. Each access request, model update, and analytical operation is recorded on the blockchain, creating an immutable audit trail that supports full accountability. Continuous monitoring detects anomalies or potential abuse, and automated revocation mechanisms can immediately suspend a participant’s privileges if unethical behavior or non-compliance is observed. These built-in protections discourage malicious data exploitation and maintain trust across participating organizations.
The framework is designed in accordance with major international privacy and cybersecurity standards. Its data-handling policies conform to GDPR Articles 25 and 32, which emphasize privacy by design and secure processing; its control measures map directly to NIST SP 800-53 Rev. 5 security guidelines; and its sharing policies follow the ENISA Threat Intelligence Sharing Guidelines (2024) that promote transparency and accountability. In addition, the record-keeping and audit processes are compatible with ISO 27001/27701 information-management standards, allowing organizations to align BlockIntelChain deployments with existing compliance frameworks.
Equally important is the transparency offered to contributors. Every organization contributing intelligence retains full visibility into how its data is being utilized and by whom. Each intelligence entry includes a verifiable provenance log that records its creation, validation, and modification history. Governance oversight can be extended through an ethics or compliance committee representing multiple stakeholders, ensuring that evolving regulations and ethical expectations are continuously met.
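The authorization, audit-trail, and revocation behaviour described two paragraphs above, together with the per-entry provenance log described in the preceding paragraph, can be modelled as follows. This is an added example in plain Python standing in for a smart contract, not the framework's own code; the violation threshold, the action names, and the participant and entry identifiers are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64


def record_hash(seq, prev, event):
    """SHA-256 over a canonical JSON encoding of one audit record."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AccessLedger:
    """In-memory stand-in for the authorization contract and its audit chain."""

    def __init__(self, max_violations=3):  # threshold is an assumed policy value
        self.grants = {}       # participant -> set of permitted actions
        self.violations = {}   # participant -> out-of-scope request count
        self.revoked = set()
        self.max_violations = max_violations
        self.chain = []

    def _append(self, event):
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        seq = len(self.chain)
        self.chain.append({"seq": seq, "prev": prev, "event": event,
                           "hash": record_hash(seq, prev, event)})

    def approve(self, org, actions):
        self.grants[org] = set(actions)
        self._append({"type": "approve", "org": org, "actions": sorted(actions)})

    def request(self, org, action, entry_id):
        """Decide one access request; the decision is logged either way."""
        allowed = org not in self.revoked and action in self.grants.get(org, set())
        self._append({"type": "access", "org": org, "action": action,
                      "entry": entry_id, "allowed": allowed})
        # Only approved, not-yet-revoked participants accumulate violations.
        if not allowed and org in self.grants and org not in self.revoked:
            self.violations[org] = self.violations.get(org, 0) + 1
            if self.violations[org] >= self.max_violations:
                self.revoked.add(org)
                self._append({"type": "revoke", "org": org,
                              "reason": "repeated out-of-scope requests"})
        return allowed

    def verify(self):
        """Return the index of the first broken record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.chain):
            if (rec["seq"] != i or rec["prev"] != prev
                    or rec["hash"] != record_hash(i, prev, rec["event"])):
                return i
            prev = rec["hash"]
        return None

    def provenance(self, entry_id):
        """History of one intelligence entry, in ledger order."""
        return [r["event"] for r in self.chain
                if r["event"].get("entry") == entry_id]


if __name__ == "__main__":
    ledger = AccessLedger()
    ledger.approve("soc-a.example", {"read", "contribute"})
    ledger.approve("soc-b.example", {"read"})
    ledger.request("soc-a.example", "contribute", "ioc-001")
    for _ in range(3):  # read-only participant keeps trying to write
        ledger.request("soc-b.example", "contribute", "ioc-001")
    print("read after revocation:", ledger.request("soc-b.example", "read", "ioc-001"))
    print("chain intact:", ledger.verify() is None)
```

Editing any stored record after the fact changes its recomputed hash, so `verify()` reports the position of the first altered record.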
By integrating these technical and procedural safeguards, BlockIntelChain establishes not only a secure platform but an ethically governed ecosystem. It protects contributors from unintended exposure, ensures lawful and transparent data exchange, and promotes accountability at every level of participation. This strong ethical foundation reinforces mutual trust among all network members and supports responsible, privacy-aware collaboration in real-time cyber threat intelligence sharing.
Conclusion
This study presents BlockIntelChain, a decentralized blockchain-based framework for CTI sharing, designed to overcome the limitations of existing centralized and partially decentralized systems. Traditional CTI platforms often face issues of trust deficits, privacy vulnerabilities, limited scalability, and insufficient incentives for stakeholder participation, which hinder real-time threat collaboration, particularly in resource-constrained IoT networks. BlockIntelChain addresses these challenges through a hybrid consensus protocol combining Proof-of-Stake with reputation-based validator selection, a multi-layered privacy framework utilizing differential privacy, zero-knowledge proofs, and homomorphic encryption, and an integration of federated learning to perform distributed threat detection on edge nodes without exposing raw data.
Evaluation on real-world MISP datasets demonstrates robust performance and resilience. The system achieves 923 transactions per second (TPS) at 500 nodes with a 99.6% success rate and gracefully handles large-scale loads up to 20,000 concurrent users. Security testing confirms resilience against 51% and Byzantine attacks, tolerating up to 33% malicious validators, while privacy-utility analysis shows optimal trade-offs, with differential privacy (ϵ = 0.1) retaining 92% utility and zero-knowledge proofs maintaining 94% accuracy. Federated learning models outperform centralized baselines across multiple threat categories, achieving 96.4% accuracy in malware detection, 94.7% in phishing detection, and 95.2% in network anomaly identification. Economic analysis indicates sustainable growth, with active contributors increasing from 156 to 1,245 over 12 months, contribution quality improving from 0.73 to 0.92, and a 300% ROI, demonstrating practical viability and stakeholder engagement. Comparative benchmarking positions BlockIntelChain ahead of existing platforms such as MISP, ThreatConnect, IBM X-Force, and other blockchain CTI solutions in terms of decentralization, security, cost efficiency, and performance consistency.
While these results underscore the potential of BlockIntelChain as a next-generation CTI sharing solution, several limitations remain. Regulatory and compliance considerations across cross-border IoT deployments have not been fully addressed, and heterogeneity in IoT hardware may affect performance in extreme operational conditions. Privacy and federated learning mechanisms, though robust, require further optimization for ultra-low-power devices and highly distributed networks.
Future work should explicitly target these gaps: developing lightweight consensus mechanisms for large-scale IoT environments, extending interoperability standards across heterogeneous CTI platforms, optimizing edge-based ML inference, and performing longitudinal studies to assess the framework in varied real-world scenarios. Additionally, integrating advanced threat analytics, automated anomaly mitigation, and adaptive incentive strategies can enhance practical adoption and system resilience. In conclusion, BlockIntelChain provides a comprehensive, privacy-aware, and scalable framework for decentralized CTI sharing, combining robust security, real-time analytics, economic sustainability, and federated intelligence. By bridging theoretical innovation and practical deployment, this framework establishes a strong foundation for next-generation decentralized cybersecurity ecosystems, empowering organizations to securely, efficiently, and collaboratively share actionable threat intelligence while addressing existing technical and operational limitations.
Acknowledgements
This study is supported by the Computer Science Department, College of Computing and Informatics, Saudi Electronic University.
Author contributions
Alaa Tolah contributed to the conceptualization, methodology, software development, formal analysis, resources, and writing—review and editing of the manuscript.
Funding
The author has not received any funding yet.
Data availability
The data used in this study is available on a reasonable request from the corresponding author Alaa Tolah at: [email protected].
Declarations
Competing interests
The authors declare no competing interests.
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© The Author(s) 2025. This work is published under http://creativecommons.org/licenses/by-nc-nd/4.0/ (the "License"). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.