Skip to main content

AIEngine - An Artificial Intelligent Intrusion Detection System Engine

AIEngine - An Artificial Intelligent IDS Engine

AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go network intrusion detection system engine with capabilities of learning without any human intervention, DNS domain classification, Spam detection, network collector, network forensics and many others.

It also helps network/security professionals to identify traffic and develop signatures for using them on NIDS, Firewalls, Traffic classifiers and so on.

The main functionalities of AIEngine are:
  • Support for interacting/programming with the user while the engine is running.
  • Support for PCRE JIT for regex matching.
  • Support for regex graphs (complex detection patterns).
  • Support five types of NetworkStacks (lan,mobile,lan6,virtual and oflow).
  • Support Sets and Bloom filters for IP searches.
  • Supports x86_64, ARM and MIPS architecture over operating systems such as Linux, FreeBSD and MacOS.
  • Support for HTTP,DNS and SSL Domains matching.
  • Support for banned domains and hosts for HTTP, DNS, SMTP and SSL.
  • Frequency analysis for unknown traffic and auto-regex generation.
  • Generation of Yara signatures.
  • Easy integration with databases (MySQL, Redis, Cassandra, Hadoop, etc...) for data correlation.
  • Easy integration with other packet engines (Netfilter).
  • Support memory clean caches for refresh stored memory information.
  • Support for detect DDoS at network/application layer.
  • Support for rejecting TCP/UDP connections.
  • Support for network forensics on real time.
  • Supports protocols such as Bitcoin, CoAP, DHCPv4/DHCPv6, DNS, GPRS, GRE, HTTP, ICMPv4/ICMPv6, IMAP, IPv4/v6, Modbus, MPLS, MQTT, Netbios, NTP, OpenFlow, PPPoE, POP, Quic, RTP, SIP, SMB, SMTP, SSDP, SSH, SSL, TCP, UDP, VLAN, VXLAN.

Using AIEngine

To use AIEngine (reduce version) just execute the binary aiengine or use the python/ruby/java/lua binding.
  luis@luis-xps:~/c++/aiengine/src$ ./aiengine -h
aiengine 1.8.0
Mandatory arguments:
  -I [ --input ] arg                Sets the network interface ,pcap file or
                                    directory with pcap files.

Link Layer optional arguments:
  -q [ --tag ] arg      Selects the tag type of the ethernet layer (vlan,mpls).

TCP optional arguments:
  -t [ --tcp-flows ] arg (=32768) Sets the number of TCP flows on the pool.

UDP optional arguments:
  -u [ --udp-flows ] arg (=16384) Sets the number of UDP flows on the pool.

Regex optional arguments:
  -R [ --enable-signatures ]     Enables the Signature engine.
  -r [ --regex ] arg (=.*)       Sets the regex for evaluate agains the flows.
  -c [ --flow-class ] arg (=all) Uses tcp, udp or all for matches the signature
                 on the flows.
  -m [ --matched-flows ]         Shows the flows that matchs with the regex.
  -M [ --matched-packet ]        Shows the packet payload that matchs with
                                 the regex.
  -C [ --continue ]              Continue evaluating the regex with the
                                 next packets of the Flow.
  -j [ --reject-flows ]          Rejects the flows that matchs with the
                                     regex.
  -w [ --evidence ]              Generates a pcap file with the matching
                                     regex for forensic analysis.

Frequencies optional arguments:
  -F [ --enable-frequencies ]       Enables the Frequency engine.
  -g [ --group-by ] arg (=dst-port) Groups frequencies by src-ip,dst-ip,src-por
                    t and dst-port.
  -f [ --flow-type ] arg (=tcp)     Uses tcp or udp flows.
  -L [ --enable-learner ]           Enables the Learner engine.
  -k [ --key-learner ] arg (=80)    Sets the key for the Learner engine.
  -b [ --buffer-size ] arg (=64)    Sets the size of the internal buffer for
                                    generate the regex.
      -Q [ --byte-quality ] arg (=80)   Sets the minimum quality for the bytes of
                                        the generated regex.
  -y [ --enable-yara ]              Generates a yara signature.


Optional arguments:
  -n [ --stack ] arg (=lan)    Sets the network stack (lan,mobile,lan6,virtual,
                   oflow).
  -d [ --dumpflows ]           Dump the flows to stdout.
  -s [ --statistics ] arg (=0) Show statistics of the network stack (5 levels).
  -T [ --timeout ] arg (=180)  Sets the flows timeout.
  -P [ --protocol ] arg        Show statistics of a specific protocol of the
                                   network stack.
  -e [ --release ]             Release the caches.
  -l [ --release-cache ] arg   Release a specific cache.
  -p [ --pstatistics ]         Show statistics of the process.
      -o [ --summary ]             Show protocol summmary statistics
                                   (bytes,packets,% bytes,cache miss,memory).
  -h [ --help ]                Show help.
  -v [ --version ]             Show version string.

NetworkStack Types

AIEngine supports five types of Network stacks depending on the network topology.
  • StackLan (LAN) Local Area Network based on IPv4.
  • StackLanIPv6 (lan6) Local Area Network with IPv6 support.
  • StackMobile (mobile) Network Mobile (Gn interface) for IPv4.
  • StackVirtual (virtual) Stack for virtual/cloud environments with VxLan and GRE Transparent.
  • StackOpenFlow (oflow) Stack for OpenFlow environments.



Download AIEngine




from Effect Hacking full article here

Popular posts from this blog

Chaos in a cup: When ransomware creeps into your smart coffee maker

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would've imagined including the coffee machine in the roster of internet-connected devices—even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to back in the day, but its continued availability within office premises and private home kitchens, plus inherent risks—much like any IoT device—may be in equal footing with your smart speaker , smart doorbell , or smart light bulb . Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer from Avast, tinkered his Smarter coffee maker to not only beep and spew out hot water but also deprive you of a nice, morning brew and display a short ransom note. Courtesy of Dan Goodin, Ars Technica Yes, Hron turned his coffee maker into a ransomware mach
Read more

A week in security (December 10 – 16)

Last week on Labs, we took a look at some new Mac malware , a collection of various scraped data dumps , the protection of power grids , and how bad actors are using SMB vulnerabilities .   Other cybersecurity news Millions affected by Facebook photo API bug: An issue granted third-party apps more access to photos than should normally be granted, including images uploaded but not published. (source: Facebook) Bomb threats may be a hoax: An email in circulation urging ransom payments in Bitcoin lest bombs across the US be detonated may well be a fake , according to US law enforcement. (source: The Register) Man jailed for fraud offenses: A man in the UK has been jailed for taking part in fraudulent activities. The main point of interest is surely the spectacular device he built. (source: Met Police) Another Google Plus bug: For six days, developer were able to access profile data not made public by the users. (source: Google) Windows 10 data collection: Reddit use
Read more

Skimmer acts as payment service provider via rogue iframe

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain. A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn't be able to steal customers' credit card data. But this isn't always true. RiskIQ previously detailed how Magecart's Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming. The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the s
Read more