System Architecture

Comprehensive visualization of the entire system showing all components, data flows, and security layers

QGuardian: Quantum-Resilient AI for Predictive Cyber Defense Federated Learning + Post-Quantum Encryption + Blockchain Verification COORDINATOR Central Orchestration Server FedAvg Aggregation PQC Key Management Ledger Chain Manager CLIENT NODE 1 Organization A 📊 Local Dataset (Private) 🧠 Local Training ⚡ Real-time Score 🚨 Anomaly Detection CLIENT NODE 2 Organization B 📊 Local Dataset (Private) 🧠 Local Training ⚡ Real-time Score ✓ Normal Traffic CLIENT NODE 3 Organization C 📊 Local Dataset (Private) 🧠 Local Training ⚡ Real-time Score ✓ Normal Traffic CLIENT NODE N Organization N 📊 Local Dataset (Private) 🧠 Local Training ⚡ Real-time Score ✓ Normal Traffic 🔐 POST-QUANTUM ENCRYPTION LAYER (Phase 2) Kyber KEM | Secure Channels | Encrypted Model Updates Encrypt Transmit Decrypt ⛓️ BLOCKCHAIN VERIFICATION LAYER (Phase 3) Immutable Chain | Cryptographic Signatures | Event Logging Block 0 Genesis Hash: 0x0000... Block 1 Update Hash: 0xa3f2... Block 2 Alert Hash: 0x7b9c... Block 3 Update Hash: 0xd4e1... Block N Current Hash: 0xf2a8... Encrypted Updates Global Model 🚨 Alert Logged 🤝 FEDERATED LEARNING LAYER (Phase 1) - TensorFlow Federated | FedAvg | Autoencoder Models
📊 Diagram Explanation:
  • Coordinator (Center): Orchestrates federated learning, manages PQC encryption, and maintains blockchain ledger
  • Client Nodes (Bottom): Each organization maintains private local datasets, performs local training, and does real-time anomaly scoring
  • Encrypted Updates (Animated): Model weight updates flow from clients to coordinator, encrypted with post-quantum cryptography
  • Global Model (Dashed): Aggregated global model flows back to all clients for collaborative learning
  • Anomaly Alerts: Detected anomalies are logged to the immutable blockchain ledger
  • Three Security Layers: Federated Learning (Phase 1), PQC Encryption (Phase 2), Blockchain Verification (Phase 3)

System Overview

QGuardian is a federated AI system that detects network anomalies in real-time across distributed nodes without sharing raw data. It implements three layers of security: Federated Learning, Post-Quantum Encryption, and Blockchain Verification.

🎯 Core Purpose

  • Privacy-Preserving Anomaly Detection
  • Distributed Learning Across Organizations
  • Real-Time Threat Detection
  • Quantum-Resilient Security
  • Tamper-Proof Event Logging

🔑 Key Principles

  • Privacy: Raw data never leaves client nodes
  • Security: Post-quantum cryptography protection
  • Transparency: Blockchain-verified event logging
  • Collaboration: Federated learning for better models
  • Real-Time: Instant anomaly detection
⚠️ Privacy Guarantee: Raw network traffic data never leaves client nodes. Only model weight updates are shared between clients and the coordinator, preserving data privacy while enabling collaborative learning from diverse attack patterns.

System Architecture

🎛️
Coordinator
• Orchestrates federated learning
• Aggregates model updates
• Manages blockchain ledger
• Coordinates encryption
💻
Client Node 1
• Local dataset
• Local training
• Real-time scoring
• Encrypted updates
💻
Client Node 2
• Local dataset
• Local training
• Real-time scoring
• Encrypted updates
💻
Client Node N
• Local dataset
• Local training
• Real-time scoring
• Encrypted updates

Architecture Layers

📊 Phase 1: Federated Learning

  • TensorFlow Federated (TFF)
  • FedAvg Algorithm
  • Autoencoder Model
  • Privacy-Preserving Training

🔐 Phase 2: Post-Quantum Encryption

  • Kyber KEM
  • Secure Channels
  • Key Exchange
  • Model Update Encryption

⛓️ Phase 3: Blockchain Ledger

  • Immutable Chain
  • Cryptographic Signatures
  • Event Logging
  • Integrity Verification

Implementation Phases

Phase 1: Federated AI Threat Detection ✅ COMPLETE

Status: Fully implemented

Distributed learning nodes detect anomalies across networks while preserving data privacy.

Key Features:

  • Privacy: Raw network traffic data never leaves client nodes
  • Model Sharing: Only model weight updates are shared
  • Training: Collaborative training using FedAvg algorithm
  • Detection: Autoencoder-based anomaly detection
  • Real-Time: Live scoring of network events

Phase 1 Workflow

1 Data Generation
Each client generates/maintains local network traffic dataset
2 Model Initialization
Coordinator creates initial global model
3 Local Training
Clients train model on their local data (data stays local)
4 Update Aggregation
Coordinator aggregates weight updates from all clients
5 Global Model Update
New global model broadcasted to all clients
6 Real-Time Detection
Each node uses global model to detect anomalies locally

Phase 2: Post-Quantum Encryption Layer ✅ COMPLETE

Status: Implemented (with fallback)

Lattice-based cryptography secures communication and model parameters against quantum attacks.

Modes:

  • Kyber Mode (Real PQC): Uses pqcrypto library with Kyber KEM - Secure for production use
  • Stub Mode (Demo): Deterministic "toy" encryption for demonstration - NOT SECURE
⚠️ Security Note: Stub mode is for demonstration and testing only. Production deployments must use Kyber mode with proper PQC libraries.

Phase 3: Blockchain Verification Framework ✅ COMPLETE

Status: Fully implemented

A tamper-proof ledger ensures transparency, node integrity, and authenticated threat updates.

Features:

  • Cryptographic Chain: Immutable block structure with hashes
  • Event Logging: Model updates, anomaly alerts, handshakes
  • Integrity Verification: Detects tampering and validates chain
  • Signature-Based Auth: Ed25519/RSA/HMAC signing
  • Export/Import: JSON-based ledger persistence

Data Flow & Communication

Federated Learning Data Flow

Step 1: Data Generation

Each client node generates/maintains its own network traffic dataset locally. Data includes features like packet counts, connection durations, failed login attempts, etc.

client_data = generate_synthetic_data(client_id) # Data stays on client node

Step 2: Model Broadcast

Coordinator sends the current global model (weights) to all client nodes. Model structure is shared, but no raw data is transmitted.

global_model → encrypt → send → decrypt → client_nodes # Only model weights, not data

Step 3: Local Training

Each client trains the model on its local dataset. Training happens completely locally - no data leaves the client node.

for epoch in local_epochs: loss = train_on_local_data(model, local_data) # Training is completely local

Step 4: Weight Updates

Clients compute weight updates (gradients) and encrypt them using post-quantum cryptography before sending to coordinator.

weight_updates = compute_updates(model) encrypted_updates = pqc_encrypt(weight_updates) send_to_coordinator(encrypted_updates) # Updates are encrypted with PQC

Step 5: Aggregation

Coordinator decrypts updates, aggregates them using FedAvg (weighted average), and logs the event to blockchain ledger.

decrypted_updates = pqc_decrypt(encrypted_updates) global_weights = fedavg_aggregate(decrypted_updates) ledger.add_event('MODEL_UPDATE_RECEIVED', ...) # Updates aggregated, logged to blockchain

Step 6: Global Model Update

New global model is created from aggregated weights and broadcasted back to clients. Process repeats for N rounds.

global_model = update_weights(global_weights) broadcast_to_all_clients(global_model) # Cycle repeats for next round

Real-Time Anomaly Detection Flow

1 Network Event Arrives
Client node receives new network traffic event
2 Feature Extraction
Extract features (packet count, duration, etc.)
3 Model Inference
Use global model to compute reconstruction error
4 Anomaly Score
Calculate anomaly score (reconstruction error)
5 Threshold Check
Compare score against calibrated threshold
6 Alert & Log
If anomaly: alert user, log to blockchain ledger
🔒 Privacy Protection: At no point in the data flow does raw network traffic data leave the client node. Only encrypted model weight updates are transmitted, ensuring complete privacy preservation.

User Journey

Scenario: Detecting a DDoS Attack

Scene 1: System Initialization

Time: Day 1, 9:00 AM

Action: Coordinator initializes federated learning system with 5 client nodes (organizations).

  • Generate initial global autoencoder model
  • Establish secure channels with PQC encryption
  • Initialize blockchain ledger
  • Distribute model to all client nodes

Scene 2: Federated Training

Time: Day 1, 9:00 AM - 9:30 AM

Action: Multiple rounds of federated training across all nodes.

  • Round 1: Clients train locally, send encrypted updates
  • Round 2-10: Repeat training and aggregation
  • Each update encrypted with Kyber KEM
  • All events logged to blockchain ledger

Scene 3: Real-Time Monitoring

Time: Day 1, 2:00 PM

Action: All client nodes now using trained global model for real-time anomaly detection.

  • Client nodes monitor network traffic continuously
  • Each event scored using global model
  • Anomaly threshold calibrated from normal traffic
  • Normal events: low reconstruction error

Scene 4: Attack Detection

Time: Day 1, 3:45 PM

Action: Client Node 3 detects unusual traffic patterns indicating DDoS attack.

  • Event received: High packet count, many connections
  • Model inference: Reconstruction error = 0.85
  • Threshold: 0.12 (calibrated)
  • Decision: ANOMALY DETECTED ⚠️

Scene 5: Alert & Logging

Time: Day 1, 3:45 PM (immediate)

Action: Anomaly alert generated and logged to blockchain.

  • Alert sent to security team
  • Event logged to blockchain ledger
  • Block includes: timestamp, score, metadata, signature
  • Ledger integrity verified

Scene 6: Response & Verification

Time: Day 1, 4:00 PM

Action: Security team verifies attack and ledger integrity.

  • Verify blockchain ledger integrity
  • Confirm attack was legitimate DDoS
  • Take mitigation actions
  • Ledger provides audit trail
✅ Success Metrics:
  • Attack detected within seconds of occurrence
  • Privacy preserved: No raw traffic data shared
  • Security maintained: All communications encrypted with PQC
  • Transparency ensured: Event logged to tamper-proof ledger
  • Collaborative learning: Model improved by data from all nodes

System Components

Core Modules

📁 data/

  • generate_synthetic_data.py
    Generates synthetic network traffic datasets for each client with non-IID distributions
  • cicids2017/
    Real-world dataset for intrusion detection evaluation
  • unsw-nb15/
    UNSW-NB15 dataset for network behavior analysis

🤝 federated/

  • models.py
    Autoencoder model definitions for anomaly detection
  • federated_pipeline.py
    TensorFlow Federated pipeline implementation
  • robust_aggregation.py
    Byzantine-robust aggregation algorithms

💻 nodes/

  • client_simulation.py
    Simulates federated client nodes with local datasets
  • realtime_scoring.py
    Real-time anomaly scoring on network events

🔐 qguardian/pqc/

  • pqc_interface.py
    Abstract interface for PQC operations
  • pqc_kyber.py
    Real PQC implementation using Kyber KEM
  • pqc_stub.py
    Stub implementation (demo only, not secure)
  • secure_channel.py
    Secure communication channels with encryption

⛓️ qguardian/ledger/

  • block.py
    Block data structure for blockchain
  • chain.py
    Ledger chain implementation and management
  • crypto.py
    Cryptographic utilities (signing, hashing)
  • verify.py
    CLI tool for ledger verification

🔧 qguardian/

  • integration.py
    SecureFederatedWrapper integrating PQC + Ledger
  • config.py
    Configuration management system
  • run_demo.py
    Demo runner CLI with all security layers