💡 Inspiration
Most cybersecurity tools are built for enterprises with dedicated Security Operations Centers (SOCs) and six-figure budgets. Small organizations, indie researchers, and individuals are left with fragmented, siloed tools — when one server gets attacked, the others don't know about it until a human manually intervenes. We asked: what if every node on your network could automatically warn the others, in real-time, with cryptographic proof that the alert wasn't tampered with?
That question became CyberAlert Mesh Agent.
What We Built
CyberAlert Mesh Agent is a lightweight, decentralized security daemon that runs on Windows and Linux. It:
- Detects brute-force login attempts in real-time using regex-based log monitoring
- Blocks attacking IPs automatically via iptables (Linux) or netsh advfirewall (Windows)
- Broadcasts a SHA256-chained alert block to all peer nodes on the mesh
- Verifies every incoming block's chain integrity before applying it — fake alerts are automatically rejected
- Advises via an AI Security Advisor (powered by Goose) that performs agentic threat analysis on aggregated mesh data
The entire detect → block → broadcast cycle completes in under 60 seconds.
⛓️ How the Blockchain Works
Every threat alert is packaged as a block containing:
```json
{
  "ip": "192.168.1.105",
  "event": "SSH brute-force",
  "attempts": 5,
  "timestamp": "2026-01-15T10:23:41Z",
  "previous_hash": "a3f9...",
  "hash": "SHA256(previous_hash + payload)"
}
```
Peer nodes recompute the hash chain before accepting any block. A broken chain = automatic rejection. This makes alert injection attacks computationally infeasible.
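To make the verification step concrete, here is an added Python model of the block format above (example code written for this write-up, not the project's own source, which the page does not show). The function names `make_block`, `compute_hash` and `verify_chain`, the all-zero genesis hash, and canonical sorted-key JSON as the payload serialization are assumptions; the sample alerts are constructed.

```python
import hashlib
import json
from typing import Dict, List

# Assumption: the chain starts from an all-zero genesis hash.
GENESIS_HASH = "0" * 64


def canonical_payload(block: Dict) -> str:
    """Serialize every field except the two hash fields deterministically."""
    payload = {k: v for k, v in block.items() if k not in ("hash", "previous_hash")}
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def compute_hash(previous_hash: str, block: Dict) -> str:
    """hash = SHA256(previous_hash + payload), as in the block format above."""
    return hashlib.sha256((previous_hash + canonical_payload(block)).encode()).hexdigest()


def make_block(previous_hash: str, ip: str, event: str, attempts: int, timestamp: str) -> Dict:
    block = {"ip": ip, "event": event, "attempts": attempts,
             "timestamp": timestamp, "previous_hash": previous_hash}
    block["hash"] = compute_hash(previous_hash, block)
    return block


def verify_chain(chain: List[Dict]) -> bool:
    """Recompute every link; any mismatch means the whole chain is rejected."""
    expected_prev = GENESIS_HASH
    for block in chain:
        if block.get("previous_hash") != expected_prev:
            return False            # link points at the wrong predecessor
        if compute_hash(expected_prev, block) != block.get("hash"):
            return False            # payload or hash was altered
        expected_prev = block["hash"]
    return True


def demo() -> bool:
    # Constructed sample data: two alerts propagated across the mesh.
    chain = [make_block(GENESIS_HASH, "192.168.1.105", "SSH brute-force", 5, "2026-01-15T10:23:41Z")]
    chain.append(make_block(chain[-1]["hash"], "192.168.1.77", "SSH brute-force", 12, "2026-01-15T10:24:09Z"))
    assert verify_chain(chain)
    # A peer alters the first alert's IP without recomputing the hashes.
    tampered = [dict(b) for b in chain]
    tampered[0]["ip"] = "10.0.0.1"
    return verify_chain(tampered)   # False: the tampered chain is rejected
```

Recomputing the links detects any change to a block that is already in the chain; it does not on its own tell a peer who produced a block, because anyone holding the latest hash can append a well-formed one, so per-peer trust scoring (listed under What's Next) or a signature on each block is what distinguishes a forged alert from a genuine one.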
🧠 AI Integration
The /advisor endpoint accepts aggregated mesh alert data and returns contextual threat analysis powered by Goose (Block Goose). Rather than just raw IP blocks, operators get actionable insight: attack pattern recognition, suggested response escalation, and anomaly flags.
⚙️ How We Built It
| Layer | Technology |
|---|---|
| Detection Engine | Python + Regex (auth.log / Windows Event Log) |
| Firewall Integration | iptables (Linux), netsh advfirewall (Windows) |
| Blockchain Store | Python + SQLite (ACID-compliant, single-file portable) |
| Mesh API | Flask REST (HTTP polling for firewall-friendly comms) |
| AI Advisor | Goose agentic AI endpoint |
| Future Chain Bridge | Polygon/Amoy stub (v2.0 roadmap) |
🚧 Challenges We Faced
1. False Positive Blocking
Our first build would block any IP that hit the threshold — including the admin's own machine after a typo. We solved this with a persistent WHITELIST_IPS Safe Zone in config.py that is checked before any block action fires.
2. Mesh Flooding Attack
A malicious peer could spam fake alert blocks to DoS other nodes. We solved this with full SHA256 chain verification on every incoming block — if the chain doesn't check out, the block is silently dropped.
3. Cross-Platform Firewall Commands
iptables and netsh have completely different syntax and privilege models. We abstracted both behind a single block_ip(ip) interface in blocker.py with OS detection at runtime.
4. ACID vs. Speed
NoSQL would have been faster for writes, but an immutable blockchain ledger requires ACID compliance. SQLite gave us both portability and transaction guarantees with zero external dependencies.
📚 What We Learned
- Building a working blockchain from scratch (SHA256 chaining, not just using a library) deepened our understanding of why tamper-evidence works
- Cross-platform system-level programming on both Windows and Linux in the same codebase requires disciplined abstraction layers
- The importance of whitelisting before you automate blocking — automation without safeguards is dangerous
- HTTP polling is underrated for adversarial network environments where WebSocket connections are regularly dropped
🚀 What's Next
- v2.0: Batch-anchor local chain hashes to Polygon/Amoy for world-state verifiability (stubs already in server/blockchain_bridge.py)
- Dashboard UI: Real-time mesh visualization showing live threat propagation across nodes
- Rate-limit peer trust scoring: Nodes that send too many rejected blocks get deprioritized
- Mobile alerts: Push notifications when a new block propagates across the mesh
📜 License
MIT — open source, free to use, attribution appreciated.
Aligned with UN SDG 9 (Industry, Innovation & Infrastructure) and SDG 16 (Peace, Justice & Strong Institutions) — making resilient cybersecurity infrastructure accessible to everyone.
Built With
- blockchain
- flask
- gooseai
- iptables
- linux
- netsh
- polygon
- python
- restapi
- sha-256
- sqlite
- windows