JawedCIA / ArkThor

Threat Categorization Based on Malware’s C2 Communication in PCAP file

Home Page: https://arkthor.azurewebsites.net/


ArkThor


Safety and strength for an organization's cyber security and cyber defence

The threat landscape facing modern organizations is constantly evolving and becoming increasingly complex. With policies like BYOD and individuals' personal data freely available on social media, passwords and 2FA alone are not going to stop cyber attacks. Attacks are becoming more sophisticated, and it is increasingly difficult to detect, block and prevent them. Understanding a threat discovered in a corporate environment helps the infosec team assess the impact of the attack and take measures accordingly.

One of the key challenges in effectively defending against cyber threats is the ability to accurately categorize and analyze potential threats.

In particular, understanding the Command and Control (C2) communications used by attackers is critical to identifying and responding to cyber attacks. C2 communication is a common technique attackers use to control infected hosts and exfiltrate sensitive information. Identifying C2 communication and categorizing network threats accurately is crucial to preventing and mitigating cyber attacks.

This project looks into the networking behaviour of C2-communicating malware: it parses the network packets in a PCAP file and classifies the threat based on the unique communication pattern used by each malware family.

The rules also fingerprint the TLS certificates used in the communication, so a server certificate reused across a family's C2 infrastructure can be matched even when the IP address or domain changes.
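The following is an added example, not ArkThor's own code, showing the two ideas above end to end: walk a PCAP file, pull the server certificate out of the TLS Certificate handshake message, hash it, and look the fingerprint up in a rule table keyed by malware family. ArkThor itself uses Scapy and the rule-engine package (see the references below); this example uses only the Python standard library so it runs offline. The rule table, the family name "DemoFamily", the placeholder certificate bytes and the sample PCAP are all constructed here and are not real malware artefacts.

```python
"""Added example (not ArkThor's code): fingerprint TLS server certificates in a
pcap and match them against a hypothetical rule table keyed by C2 family."""
import hashlib
import socket
import struct

# Constructed placeholder "certificates": arbitrary bytes, not valid DER.
# Only their hash matters for the demo.
KNOWN_C2_CERT = b"\x30\x82\x00\x11DEMO-C2-CERT-0001"
UNKNOWN_CERT = b"\x30\x82\x00\x0fBENIGN-CERT-42"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw DER bytes, the form most threat feeds publish."""
    return hashlib.sha256(cert_der).hexdigest()


# Hypothetical rule table (assumption): certificate fingerprint -> family label.
RULES = {fingerprint(KNOWN_C2_CERT): "DemoFamily"}


def _len24(n: int) -> bytes:
    """3-byte big-endian length used by TLS handshake structures."""
    return struct.pack("!I", n)[1:]


def build_tls_certificate_record(certs: list) -> bytes:
    """TLS 1.2 record (type 22) holding one Certificate handshake message (type 11)."""
    entries = b"".join(_len24(len(c)) + c for c in certs)
    body = _len24(len(entries)) + entries
    handshake = b"\x0b" + _len24(len(body)) + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def build_frame(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet/IPv4/TCP frame around payload; checksums left 0 (not verified)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # dst MAC, src MAC, IPv4
    return eth + ip + tcp


def build_pcap(frames: list) -> bytes:
    """Little-endian classic libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def tls_certs_from_payload(payload: bytes):
    """Yield every certificate found in TLS handshake/Certificate messages."""
    pos = 0
    while pos + 5 <= len(payload):
        rtype, rlen = payload[pos], struct.unpack("!H", payload[pos + 3:pos + 5])[0]
        rec = payload[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if rtype != 0x16:                      # not a handshake record
            continue
        hpos = 0
        while hpos + 4 <= len(rec):            # records may carry several messages
            htype = rec[hpos]
            hlen = int.from_bytes(rec[hpos + 1:hpos + 4], "big")
            hbody = rec[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype != 0x0B or len(hbody) < 3:
                continue
            cpos, cend = 3, 3 + int.from_bytes(hbody[:3], "big")
            while cpos + 3 <= cend:            # certificate_list entries
                clen = int.from_bytes(hbody[cpos:cpos + 3], "big")
                yield hbody[cpos + 3:cpos + 3 + clen]
                cpos += 3 + clen


def classify_pcap(data: bytes, rules: dict = RULES) -> list:
    """Return one hit per certificate seen: (src, dst, fingerprint, family-or-None)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    hits, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":        # IPv4 only in this toy
            continue
        ip = frame[14:]
        if ip[9] != 6:                         # TCP only
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[(ip[0] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        for cert in tls_certs_from_payload(payload):
            fp = fingerprint(cert)
            hits.append((src, dst, fp, rules.get(fp)))
    return hits


# Constructed sample capture: one server whose cert is in the rules, one unknown.
SAMPLE_PCAP = build_pcap([
    build_frame(build_tls_certificate_record([KNOWN_C2_CERT]), "203.0.113.7", "10.0.0.5", 443, 51234),
    build_frame(build_tls_certificate_record([UNKNOWN_CERT]), "198.51.100.9", "10.0.0.5", 443, 51235),
])

if __name__ == "__main__":
    for src, dst, fp, family in classify_pcap(SAMPLE_PCAP):
        print(f"{src} -> {dst} cert {fp[:16]}... family={family or 'unknown'}")
```

Two caveats worth keeping in mind when turning this into real rules. The Certificate message is often split across TCP segments, so a production parser has to reassemble the stream first rather than inspect one packet at a time. And a certificate fingerprint only matches families that reuse the same certificate; campaigns that mint a fresh self-signed certificate per server need pattern rules on other properties of the exchange as well.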

We began this as a Capstone project during the 2022-2023 CSCD (Advanced Certification Program in Cyber Security and Cyber Defense) program at IIT Kanpur, run in collaboration with TalentSprint.

As we continued to develop the project, we found that it had evolved into a product, and thus ArkThor was born.

The ArkThor team is committed to providing a comprehensive view of analyzed files, including threat categorization and rich details.

"Ark" implies safety or protection
"Thor" is associated with strength or power

Team

  • [Contributor] Mohammed Jawed
  • [Contributor] SriRam P
  • [Mentor] Prof. Anand Handa, IIT-K
  • [Mentor] Nitesh Kumar, IIT-K

A sample ArkThor site is available for public view:

https://arkthor.azurewebsites.net/

Project Core Architecture Idea

The project is made up of three distinct layers (shipped as the UI, API and Core Docker images listed below). It is platform independent, scalable and built from microservices, is designed to be easy to deploy, and relies entirely on an open-source technology stack, as illustrated in the diagram below.

The fundamental concept behind the ArkThor project is to ensure that it is:

  1. Platform independent by leveraging containerization
  2. Scalable
  3. Composed of microservices
  4. Easy to plug in and analyze, with the option to run the Core layer using a simple Python command
  5. Easy to deploy
  6. Built exclusively on open-source technology
  7. Capable of presenting the analyzed results on the UI in a manner that is easily comprehensible even to non-security professionals.

"The most important principle we follow is that organizations do not buy products, but solutions to their problems. This means that we strive to provide solutions that address the specific needs and challenges of an organization, rather than just providing a generic product."

ArkThor Workflow Architecture with its various components

Common direct workflow path.

End-to-end working, based on the workflow diagram above

Requirements

To run this project, you need the following installed on your machine (Windows, Mac or Linux):

  • Docker Desktop (or Docker on Linux)

Docker Images Registry

https://hub.docker.com/r/arkthor/arkthor-ui
https://hub.docker.com/r/arkthor/arkthor-api
https://hub.docker.com/r/arkthor/arkthor-core

Running the ArkThor public view (preloaded database; the Core engine is not included)

docker run -d -p 24297:80 --name arkthorpublic arkthor/arkthor-ui:publicview

Running the ArkThor Engine

  • Download the DockerCompose.yml file to your local drive
  • Run DockerCompose.yml using the command (the path below is Windows syntax; on Linux or macOS use ./DockerCompose.yml)
docker-compose -f .\DockerCompose.yml up -d

To access the ArkThor UI, open http://localhost:24297 in a browser.

To access the ArkThor API, open http://localhost:33900/swagger/index.html in a browser.

Glimpse of ArkThor

UI Dashboard

ArkThor Live Tracking Board

Analyzed File Information


UI Statistics Page


References used in ArkThor

[AdminLTE] https://github.com/ColorlibHQ/AdminLTE
[Bootstrap] https://getbootstrap.com/
[Flags] https://tabler.io/docs/plugins/flags
[SQLite] https://sqlite.org/index.html
[RabbitMQ] https://www.rabbitmq.com/
[Scapy] https://github.com/secdev/scapy
[Rule Engine] https://pypi.org/project/rule-engine/
[ThreatFox] https://threatfox.abuse.ch/
[ASP.NET Core] https://learn.microsoft.com/en-us/aspnet/core/introduction-to-aspnet-core?view=aspnetcore-7.0
[Python] https://www.python.org/
[Docker] https://www.docker.com/
