There are a lot of different ways to detect potential intruders on an enterprise network, but what about smaller businesses or consumers? That’s the challenge that Rob Soto, director of security research at Jask wants to help solve with the Chiron project that he is set to demonstrate at the Black Hat USA 2018 conference on Aug. 9.
Chiron is a home-based network analytics and machine learning threat detection framework. The system integrates an open-source ELK stack, which includes Elasticsearch, Logstash and Kibana components, together with the AKTAION machine learning threat detection technology.
“The idea we had was to take some of the principles of advanced machine learning technologies and put it together in something that’s automated and easy to use and give it away to everybody,” Soto told eWEEK. “We call it Chiron, named after the healer from Greek mythology.”
The ELK stack is commonly used to collect log data, which is done with the logstash component. Providing an interface to search the data is what elasticsearch enables and the visualization dashboard component is what kibana provides. Along with the ELK stack, Chiron also includes the open-source Bro intrusion detection system (IPS) as well as the Nmap port scanner tools.
Soto explained that Chiron is self-contained within a Virtual Machine image that a user can deploy on their home machine or network. VMs can run in multiple desktop virtualization tools including the freely available VirtualBox technology and VMware Player.
“Chiron executes a series of automated tasks and will provide basic analytics on your connection and how much data is going out and coming in,” Soto said. “Chiron will also scan the user’s network to profile devices, which is important to identify what is on a given network.”
With Chiron, Soto said that users are able to see how talkative the devices in an internal network are and how outside devices interact with the local network. With botnets such as Mirai compromising millions of unsuspecting user devices, Soto said that there is a real need for tools to help consumers and small business understand their network activity.
“Once you have the information you have the power to act,” he said.”We’re basically providing users with visibility into what they have.”
The current iteration of Chiron that Soto will demonstrate at Black Hat can run on desktop systems, but isn’t yet optimized for smaller systems such as a Raspberry Pi. He noted that he’s currently working on enabling Chiron for smaller systems and devices, though the challenge is that the machine learning capabilities are resource intensive.
“Chiron is basically big data at home,” Soto said.
There a multiple open-source tools that Soto could have chosen to include in Chiron to help detect anomalous activity.
The Wireshark packet capture tool, which is commonly used by security researchers to find clear text passwords and irregular network activity is one tool that Soto decided not to include as part of Chiron. Soto said he decided to include the Bro IDS instead, since it requires less data storage. With Wireshark, all packets are captured which can require the storage of large volumes of data, while Bro strips the packets to provide only the essential information, Soto explained.
Chiron also makes use of P0f passive TCP/IP stack fingerprinting tool that can be used to identify systems on a network. Rounding out the tools in Chiron is the integrated AKTAION machine learning technology that can detect exploit delivery mechanisms and phishing.
The Chiron tool is freely available for anyone to download and use. Organizations that need or want an enterprise grade platform for threat hunting and anomaly detection, Jask has a commercial platform, Soto added.
“The principles behind Chiron is basically what we do at Jask,” Soto said. “Though Jask is at a much bigger scale, using Apache Spark and Hadoop for Big Data.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.