The Pet-HMR Project Reached its End

As the Pet-HMR project reached its conclusion, we take the opportunity to reflect on its outcome and present the results, which we hope offer valuable insights into the AI-supported detection of vulnerabilities.

Summary

The goal of Pet-HMR is to detect new and known attack vectors and patterns in IT infrastructures and to give companies an automated and affordable way to find and patch known and unknown vulnerabilities in their applications. These requirements were fulfilled through the development and integration of SHoP (Smart Honeypot System) and APeT (Automated Penetration Tester).

X41 D-Sec was commissioned to develop two main components to achieve these goals, namely:

  • SHoP: an intelligent honeypot network that lures attackers into attacking it in order to collect intelligence on their attack techniques and general behavior. It is composed of a Central Collection System (CCS), which is responsible for aggregating, processing and enriching the telemetry data collected by the different honeypots that make up the network. This collection system contains three important software components for the detection of malicious behavior: the detection engine, the HAD AI model and the attack confirmation engine.
  • Patch Generator: a software component that relies on SHoP telemetry data to deploy virtual patches using ModSecurity rules.

Another project partner, Lufthansa Industry Solutions (LHIND), was commissioned to develop APeT, an intelligent penetration test component that supports reconnaissance, the discovery and the exploitation of vulnerabilities.

The role of X41 D-Sec was to integrate SHoP and APeT in such a way that SHoP generates and exports abstract attack definitions based on the observed attackers’ data, which APeT can then use to create variations of these attacks. This approach makes it possible for APeT to attack SHoP in different ways, improving APeT’s attack strategies and SHoP’s detection capabilities.

Artificial intelligence and machine learning methods were used to detect novel attacks that can bypass traditional detection technologies as well as to improve the scalability and applicability of the overall attack detection solution. Heuristics were also used, particularly in the internal functioning of the detection and the attack confirmation engines.

The development of the attack confirmation engine improved application monitoring in both offensive and defensive scenarios by combining the system events collected by SHoP with its detection capabilities. On one hand, the attack confirmation engine represents a novel approach to testing web services: it can determine whether a particular attack attempt was successful by extracting and analyzing system traces, in the form of a sequence of events, after a malicious payload is sent to the monitored system. A penetration tester can thus examine the execution traces and correlate them with the distributed services to determine whether a particular software component is vulnerable. On the other hand, the attack confirmation engine can also be used to raise urgent alerts after confirming that the processing of a malicious payload did result in a software component being compromised.
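The following is an added example, not code from the Pet-HMR project or from SHoP, of the correlation step described above: a request carrying a payload is matched against the host telemetry recorded shortly afterwards, and the payload is considered confirmed only when an event that the attack definition predicts (here, the execution of a particular binary) is attributable to the process tree of the worker that handled the request. The event taxonomy (`exec`, `file_open`), the field names, the five-second window and all sample events are assumptions constructed for the example.

```python
"""Toy attack confirmation engine (added example; not SHoP/Pet-HMR code).

Correlates one HTTP request with host telemetry events recorded shortly
afterwards and decides whether the payload had an observable effect on
the monitored system.  Event format, fields and sample data are assumed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch (assumed clock)
    pid: int
    ppid: int
    kind: str      # assumed taxonomy: "exec", "file_open", "connect"
    detail: str    # executed binary, opened path, or remote endpoint


@dataclass
class Request:
    ts: float
    worker_pid: int   # web-server worker that handled the request
    path: str
    # Expected effects if the payload works, taken from the abstract attack
    # definition, e.g. {"exec": {"/usr/bin/id"}} (assumed structure).
    indicators: dict


@dataclass
class Verdict:
    confirmed: bool
    evidence: list = field(default_factory=list)


def descendants(events, root_pid):
    """Pids spawned, transitively, by root_pid according to exec events."""
    pids = {root_pid}
    changed = True
    while changed:
        changed = False
        for e in events:
            if e.kind == "exec" and e.ppid in pids and e.pid not in pids:
                pids.add(e.pid)
                changed = True
    return pids


def confirm(request, events, window=5.0):
    """Attribute the events inside the time window to the handling worker's
    process tree, then match them against the attack definition's indicators.
    Events from unrelated processes (cron, other workers) are ignored even if
    they look identical, which keeps false confirmations down."""
    trace = [e for e in events if request.ts <= e.ts <= request.ts + window]
    tree = descendants(trace, request.worker_pid)
    attributed = [e for e in trace if e.pid in tree]
    evidence = [e for e in attributed
                if e.detail in request.indicators.get(e.kind, set())]
    return Verdict(confirmed=bool(evidence), evidence=evidence)


def sample_events():
    """Constructed telemetry: a worker spawns a shell that runs a binary,
    plus unrelated and out-of-window noise that must not count."""
    return [
        Event(100.2, 4321, 4000, "exec", "/bin/sh"),          # worker -> shell
        Event(100.3, 4322, 4321, "exec", "/usr/bin/id"),      # shell -> binary
        Event(100.4, 2100, 1, "exec", "/usr/bin/id"),         # unrelated process
        Event(100.5, 4000, 1, "file_open", "/var/log/app.log"),  # normal worker I/O
        Event(120.0, 4323, 4000, "exec", "/usr/bin/id"),      # outside the window
    ]


def sample_request():
    """Constructed request record for the payload sent at t=100."""
    return Request(ts=100.0, worker_pid=4000, path="/api/ping",
                   indicators={"exec": {"/usr/bin/id"}})


if __name__ == "__main__":
    v = confirm(sample_request(), sample_events())
    print("confirmed:", v.confirmed)
    for e in v.evidence:
        print(f"  t={e.ts} pid={e.pid} ppid={e.ppid} {e.kind} {e.detail}")
```

The attribution by process tree is the part worth keeping in a real engine: matching only on the indicator (the binary name) would also fire on the unrelated cron-style event at t=100.4, while the time window alone would miss nothing but attribute everything.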

Finally, the data collected by the detection engine was used to generate patches to prevent the possible exploitation of critical services. The Patch Generator component automatically generates these patches as configuration objects that are sent to the monitored system to virtually patch its network perimeter or prevent the exploitation of installed and vulnerable software components. This automatic process reduces the attack surface and at the same time the manual workload for security analysts.
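As an added illustration of the virtual patching step, and not the Pet-HMR Patch Generator itself, the block below turns a confirmed attack observation into a ModSecurity rule that blocks requests carrying the same pattern on the same path. The observation fields, the private rule-id range, the tag and message wording, and the choice of `@beginsWith`/`@contains` operators are assumptions; the rule syntax itself is standard ModSecurity (a chained `SecRule` whose disruptive `deny` is declared on the first rule and fires only when every chained rule matches).

```python
"""Toy virtual-patch generator (added example; not the Pet-HMR Patch Generator).

Turns a confirmed attack observation into a ModSecurity rule.  Observation
fields, the id range and the alert wording are assumptions.
"""
from dataclasses import dataclass
import re

# Assumed private range reserved for generated rules so they never collide
# with hand-written or CRS rule ids.
ID_RANGE = range(900_000, 999_999)


@dataclass
class Observation:
    path: str      # request path the payload was sent to
    param: str     # name of the parameter that carried the payload
    pattern: str   # substring that characterises the payload
    label: str     # human-readable description for the alert


def _quote(s: str) -> str:
    """Escape characters that would break a double-quoted ModSecurity operand."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def validate(obs: Observation) -> list:
    """Reject observations that would yield a malformed or over-broad rule."""
    problems = []
    if not obs.path.startswith("/"):
        problems.append("path must be absolute")
    if not re.fullmatch(r"[A-Za-z0-9_.\-\[\]]+", obs.param):
        problems.append("unsafe parameter name")
    if not obs.pattern.strip():
        problems.append("empty pattern")
    return problems


class PatchGenerator:
    def __init__(self, first_id: int = ID_RANGE.start):
        self.next_id = first_id

    def rule(self, obs: Observation) -> str:
        problems = validate(obs)
        if problems:
            raise ValueError("; ".join(problems))
        rid = self.next_id
        if rid not in ID_RANGE:
            raise RuntimeError("generated rule id range exhausted")
        self.next_id += 1
        msg = obs.label.replace("'", "")   # msg is single-quoted in ModSecurity
        # First rule: scope to the affected path and declare the disruptive
        # action; "chain" defers it until the second rule also matches.
        head = (f'SecRule REQUEST_URI "@beginsWith {_quote(obs.path)}" '
                f'"id:{rid},phase:2,deny,status:403,log,'
                f"msg:'Virtual patch: {msg}',tag:'pet-hmr/virtual-patch',chain\"")
        # Second rule: the payload pattern in the observed parameter, after
        # URL decoding so encoded variants of the same payload are caught.
        tail = (f'    SecRule ARGS:{obs.param} "@contains {_quote(obs.pattern)}" '
                f'"t:none,t:urlDecodeUni"')
        return head + "\n" + tail

    def bundle(self, observations) -> str:
        """Config fragment for a set of confirmed observations."""
        return "\n\n".join(self.rule(o) for o in observations) + "\n"


if __name__ == "__main__":
    gen = PatchGenerator()
    # Constructed observation, as the attack confirmation engine might report it.
    print(gen.bundle([Observation("/api/ping", "host", "; id",
                                  "command injection via host")]))
```

A generated rule is deliberately narrow (one path, one parameter, one literal substring): a virtual patch exists to buy time until the component is fixed, and a broad pattern would start blocking legitimate traffic on every endpoint.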

Conclusion

During the Pet-HMR project, X41 D-Sec and its partners developed defensive and offensive technologies for the collection of attackers’ data, the detection of known and previously unseen vulnerabilities, and the improvement of automated penetration testing using AI-based techniques.

X41’s work on Pet-HMR can help improve the security monitoring and the testing of web applications. On one hand, a security analyst can rely on the generated alerts and their severity, particularly those provided by the attack confirmation engine, to react to potential compromises of the monitored infrastructure. On the other hand, a penetration tester can leverage the attack confirmation engine to analyze execution traces and correlate them across distributed services, which shows how a particular service reacts to a given malicious payload.

The next steps are to build an interactive loop with automatic generation of traces between the APeT scanner and the instrumented application, and to develop a technology that automatically recognizes and extracts traces for different attacks. An ideal solution here would be to train a specialized machine learning model on behavioral sequences as an extension of the current HAD model.

In addition to the main objectives of Pet-HMR, SHoP as a whole can be used to enhance detection and response capabilities. As the advent of the cloud has drastically changed the way applications are developed and deployed, a technology that performs reliable security monitoring and provides owners with in-depth system events and insights is valuable. By coupling the monitoring of real-world applications with the use of honeypots, more attackers’ data can be collected, which would in turn improve the detection capabilities. This means that a product can automatically analyze all requests and system telemetry and warn of abuse. Global attackers’ data, paired with a dedicated team analyzing these signals, would make it possible not only to improve prevention, but also to offer services like those of some established market leaders.