aktaion: Open Source ML tool and data samples for Exploit and Phishing Research
Aktaion: Open Source Tool For “Micro Behavior Based” Exploit Detection and Automated GPO Policy Generation
Aktaion is a lightweight JVM based project for detecting exploits (and more generally attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The key abstraction we wanted to prototype is the idea of a misbehavior. This concept helps to provide an expressive mechanism to add high-level IOCs such as timing behavior of a certain malware family in parallel to simple statistics, rules or anything relevant to building a programmatic descript of a sequential evolving set of adversary behaviors.
Aktaion version 2 continues the analysis of Ransomware Micro Behaviors including the following:
- Payload delivery. Focused on traffic to malicious sites and the related indicators when malicious code is served. Including things such as URI entropy, redirects, domain generated by algorithms (DGAs), types and sequences of MIME content presented to the victim during payload delivery.
- Callbacks (Phone home) patterns, including user agent, URI strings, HTTP “GET” or
“POST” requests, DNS queries, URI strings, the frequency of call-backs, periodicity of connections.
- Covert Channel indicators, such as non HTTP traffic (HTTPS), and non-DNS traffic present during such communications.
In version 2 Aktaion adds the following micro behaviors.
- Entropy in URI/URL (number of dots, special characters, URL crazy)
- Whois (registrar with bad rep / geolocation / bulletproof hosting
- URL Shorteners (Tiny URL, bit.ly, etc)
- Spelling errors, passwords fields
- Presence of iframes, javascript, pagerank?, source of images
- Presence of .exe .pdf .bat .ps1 .ps .bin .bat .jar .bin .zip
With the addition of these new micro behaviors Aktaion v2 aims to cover as many identifiable
behaviors as possible from a simple pcap capture. Once the models have been trained with
benign data and malicious data, based on the above criteria the tool will produce the following:
- Malicious URIs/URLs detected = I.E evil.com
- Indicator match of the criteria used by the learner (Ransomware delivery/Phishing behavior)
- Grade of confidence
- Prompt for action to create SNORT signature (Phishing)
- Prompt for action to execute SSH – GPO (prevents Ransomware exe execution)
Copyright 2016 jzadeh
