
AIEngine - An Artificial Intelligent Intrusion Detection System Engine

AIEngine is a next-generation interactive/programmable network intrusion detection system engine with Python, Ruby, Java, Lua and Go bindings. It can learn without any human intervention and also provides DNS domain classification, spam detection, a network collector, network forensics and many other capabilities.

It also helps network and security professionals identify traffic and develop signatures that can then be used in NIDS, firewalls, traffic classifiers and so on.

The main functionalities of AIEngine are:
  • Support for interacting with and programming the engine while it is running.
  • Support for PCRE JIT for regex matching.
  • Support for regex graphs (complex detection patterns).
  • Support for five types of NetworkStacks (lan, mobile, lan6, virtual and oflow).
  • Support for Sets and Bloom filters for IP searches.
  • Supports the x86_64, ARM and MIPS architectures on operating systems such as Linux, FreeBSD and MacOS.
  • Support for HTTP, DNS and SSL domain matching.
  • Support for banned domains and hosts for HTTP, DNS, SMTP and SSL.
  • Frequency analysis of unknown traffic and automatic regex generation.
  • Generation of Yara signatures.
  • Easy integration with databases (MySQL, Redis, Cassandra, Hadoop, etc.) for data correlation.
  • Easy integration with other packet engines (Netfilter).
  • Support for cleaning the memory caches so that stored information is refreshed.
  • Support for DDoS detection at the network/application layer.
  • Support for rejecting TCP/UDP connections.
  • Support for network forensics in real time.
  • Supports protocols such as Bitcoin, CoAP, DHCPv4/DHCPv6, DNS, GPRS, GRE, HTTP, ICMPv4/ICMPv6, IMAP, IPv4/v6, Modbus, MPLS, MQTT, Netbios, NTP, OpenFlow, PPPoE, POP, Quic, RTP, SIP, SMB, SMTP, SSDP, SSH, SSL, TCP, UDP, VLAN, VXLAN.

Using AIEngine

To use AIEngine (reduced version) just execute the aiengine binary or use the Python/Ruby/Java/Lua bindings:
luis@luis-xps:~/c++/aiengine/src$ ./aiengine -h
aiengine 1.8.0
Mandatory arguments:
  -I [ --input ] arg                  Sets the network interface ,pcap file or directory with pcap files.

Link Layer optional arguments:
  -q [ --tag ] arg                    Selects the tag type of the ethernet layer (vlan,mpls).

TCP optional arguments:
  -t [ --tcp-flows ] arg (=32768)     Sets the number of TCP flows on the pool.

UDP optional arguments:
  -u [ --udp-flows ] arg (=16384)     Sets the number of UDP flows on the pool.

Regex optional arguments:
  -R [ --enable-signatures ]          Enables the Signature engine.
  -r [ --regex ] arg (=.*)            Sets the regex for evaluate agains the flows.
  -c [ --flow-class ] arg (=all)      Uses tcp, udp or all for matches the signature on the flows.
  -m [ --matched-flows ]              Shows the flows that matchs with the regex.
  -M [ --matched-packet ]             Shows the packet payload that matchs with the regex.
  -C [ --continue ]                   Continue evaluating the regex with the next packets of the Flow.
  -j [ --reject-flows ]               Rejects the flows that matchs with the regex.
  -w [ --evidence ]                   Generates a pcap file with the matching regex for forensic analysis.

Frequencies optional arguments:
  -F [ --enable-frequencies ]         Enables the Frequency engine.
  -g [ --group-by ] arg (=dst-port)   Groups frequencies by src-ip,dst-ip,src-port and dst-port.
  -f [ --flow-type ] arg (=tcp)       Uses tcp or udp flows.
  -L [ --enable-learner ]             Enables the Learner engine.
  -k [ --key-learner ] arg (=80)      Sets the key for the Learner engine.
  -b [ --buffer-size ] arg (=64)      Sets the size of the internal buffer for generate the regex.
  -Q [ --byte-quality ] arg (=80)     Sets the minimum quality for the bytes of the generated regex.
  -y [ --enable-yara ]                Generates a yara signature.

Optional arguments:
  -n [ --stack ] arg (=lan)           Sets the network stack (lan,mobile,lan6,virtual,oflow).
  -d [ --dumpflows ]                  Dump the flows to stdout.
  -s [ --statistics ] arg (=0)        Show statistics of the network stack (5 levels).
  -T [ --timeout ] arg (=180)         Sets the flows timeout.
  -P [ --protocol ] arg               Show statistics of a specific protocol of the network stack.
  -e [ --release ]                    Release the caches.
  -l [ --release-cache ] arg          Release a specific cache.
  -p [ --pstatistics ]                Show statistics of the process.
  -o [ --summary ]                    Show protocol summmary statistics (bytes,packets,% bytes,cache miss,memory).
  -h [ --help ]                       Show help.
  -v [ --version ]                    Show version string.

NetworkStack Types

AIEngine supports five types of network stacks, chosen according to the network topology:
  • StackLan (lan): Local Area Network based on IPv4.
  • StackLanIPv6 (lan6): Local Area Network with IPv6 support.
  • StackMobile (mobile): mobile network (Gn interface) for IPv4.
  • StackVirtual (virtual): stack for virtual/cloud environments with VXLAN and transparent GRE.
  • StackOpenFlow (oflow): stack for OpenFlow environments.

From Effect Hacking; the full article is available there.
