Vulture next filtering engine

•

1 j'aime•738 vues

This document provides a preview of Vulture's upcoming web filtering engine called D.A.R.W.I.N. It discusses D.A.R.W.I.N.'s architecture, which uses multiple small filters chained together in a workflow to filter requests. The filters will include reputation, SQL injection detection, and a decision filter using artificial intelligence to predict requests. D.A.R.W.I.N. is designed for high performance, high availability, precision, intelligence, simplicity, and being "no bullshit". It will also be portable and replaceable beyond HTTP.

Technologie

Preview of Vulture’s upcoming web
filtering engine
Pass the SALT 2018.
Security And Libre Talks.
2-4 juillet 2018 - Lille, France.

Vulture ?
• A brief history
• 2003: Linux software (httpd / mod_perl + PHP Web UI)
• 2016: FreeBSD Cluster (pf, haproxy, httpd + Django Web UI)
• Web SSO: mod_vulture + django portal
• Web application firewall
• Clustered mod_security, using hiredis [blacklisting]
• mod_defender, aka "Naxsi for Apache2" [whitelisting]
• mod_svm [machine learning]

Vulture’s current filtering engine
Client
FreeBSD pf
Apache
httpd
IP Reputation
GeoIP
mod_defender
mod_security
mod_vulture
mod_svm
Immediate block
Immediate block
Authentication &SSO
Request scoring ++
Request scoring ++
Request scoring ++

Current limits
• Works well
• No performance issue, but we can do much better
• 3 engines => quite complex
• Code overlapping
• Complex UI, httpd knowledge recommended
• Rule-based approach
• Human-based approach
• Time consuming
• Need tuning
• Not mistake proof configuration

The need for a better, unified engine
• Focused on performance
• High availability required
• Precision and intelligence
• No bullshit
• Simplicity -> For users AND for filter devs
Internal name: « D.A.R.W.I.N. »

Overview: XSS Filter
XSS
Core
Filter
Filter
Thread 1
Thread 2
Thread 3
Thread 4
...
Thread N
Monitoring
UNIX
Socket
HTTP POST BODY
XSS Score: 87%

Overview: Filter Workflow
Filter 1 (ex: reputation)
Filter 2 (ex: SQLi)
Filter N
D.A.R.W.I.N.

Overview: Filter Workflow
Filter 1 (ex: reputation)
Filter 2 (ex: SQLi) Manager
Management
Socket
Filter N
D.A.R.W.I.N.

Performance ?
• HAProxy asynchronousevents
• C/C++14
• UNIX socket
• Shared in-memory cache (REDIS)
• Context-sharing between filters among the Vulture cluster
• Used by Darwin’s Neural Networks to track events in time
• Supports GPU acceleration
• TensorFlow as AI library

$High Availability Filter N Decision Manager Management Socket {"type":"update_filters","filters":["Decision"]}$

$High Availability Filter N Decision Decision Manage r Management Socket {"type":"update_filters","filters":["Decision"]} Manager$

$High Availability Filter N Decision Manager Management Socket {"type":"update_filters","filters":["Decision"]} {"status":"OK"} Manager$

Precision and Intelligence
• Precision
• Multiple small filters
• Very efficient for one unit task
• Ability to chain filters (workflow)
• Intelligence
• Decision filter based on Artificial Intelligence
• Prediction based on filters’ results
• Active learning capabilities: Interact with human to correct itself
• Human focuses on high-level “decisions”
• The AI manages the technical security rules

No Bullshit
• Heuristic / basic correlation in a black box is not AI
• Those methods are promising but…
• We use some of them in v3 (SVM, regression…)
• Few false-positives
• Unfortunately, few false-negatives: rules still needed
• We work hard to take it to the next level!
• “AI first”: by design, not an add-on component
• Excellent results so far, beta-version coming this year

Simplicity
• Easy for users
• Minimalist configuration
• Autonomoussystem
• Simple feedback (Normal or Malicious request)
• Easy for developers
• Filters mostly independent
• Simple SDK
• On Github soon ;)

Portable
• Replace HAProxy with anything you want
• Simply develop a connector
• Not only HTTP !
• Real world example (aDvens): DARWIN + Rsyslog
• mmdarwin plugin
• Real time log analysis
• Real time log enrichment
• On Github soon… ;)

hugo.soszynski@advens.fr
jeremie.jourdin@advens.fr
https://www.vultureproject.org
https://github.com/VultureProject/mod_defender
https://github.com/VultureProject/darwin (coming soon)
Thank You !

Contenu connexe

Similaire à Vulture next filtering engine

From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered: • What do i actually need? • Real-world framework to categorize endpoint capabilities • Map vendors into buckets within the framework • Housekeeping, what's needed before you even start? • Cheat sheet of probing questions to ask vendors • Best practices of deploying best of breed solutions

NextGen Endpoint Security for Dummies

Atif Ghauri

Filar seymour oreilly_bot_story_

EndgameInc

Monitorama 2015 talk by Brendan Gregg, Netflix. With our large and ever-changing cloud environment, it can be vital to debug instance-level performance quickly. There are many instance monitoring solutions, but few come close to meeting our requirements, so we've been building our own and open sourcing them. In this talk, I will discuss our real-world requirements for instance-level analysis and monitoring: not just the metrics and features we desire, but the methodologies we'd like to apply. I will also cover the new and novel solutions we have been developing ourselves to meet these needs and desires, which include use of advanced Linux performance technologies (eg, ftrace, perf_events), and on-demand self-service analysis (Vector).

Monitorama 2015 Netflix Instance Analysis

Brendan Gregg

Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.

BSIDES-PR Keynote Hunting for Bad Guys

Joff Thyer

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

Code Quality - Security

sedukull

Resolving problems & high availability

Zend by Rogue Wave Software

How to write secure code

Flaskdata.io

Building next gen malware behavioural analysis environment

isc2-hellenic

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Security research over Windows #defcon china

Peter Hlavaty

This presentation was from Joomla day 2016 held right here in KLCC Malaysia. Astiostech presented several important factors to consider when monitoring a web service with of course special focus on Joomla. However, these guidelines can be used for just about any web service you may want to monitor. Monitoring is pivotal to a web infrastructure and it should not be considered today as a luxury. With tools like Nagios XI, we can simply start monitoring with mere clicks of a web browser and you're pretty much on the right track.

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Sanjay Willie

Building a data pipeline to ingest data into Hadoop in minutes using Streamse...

Guglielmo Iozzia

ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...

Robert Conti Jr.

Real time web

Medhat Dawoud

Nicolas destor pres_f5agility2018

Nicolas Destor

MySQL Monitoring Shoot Out

Kris Buytaert

Metasploitation part-1 (murtuja)

ClubHack

Hyperledger Blockchain

Afraz Khan

Real World Application Threat Modelling By Example

NCC Group

As the Yelp infrastructure and engineering team grew, so did the pain of managing Nagios. Problems like splitting alerting across multiple teams, providing high availability and managing nagios systems in multiple environments had become pressing. As we grew towards a service oriented architecture and pushed some services out into the cloud, we rapidly needed more automated monitoring configuration. An evolutionary solution wasn’t going to solve all of our problems, we needed to revolutionize our monitoring. Sensu is built from the ground up to solve many of our issues and be easy to extend. This talk covers our puppet ‘monitoring_check’ API (that sets up monitoring for our services within puppet), how and why we deploy Sensu and our custom handlers and escalations, along with how we provide automatic ‘self service’ monitoring for dynamic services and how we deal with the challenges posed by the more ephemeral nature of cloud architectures.

Sensu and Sensibility - Puppetconf 2014

Tomas Doran

Similaire à Vulture next filtering engine (20)

NextGen Endpoint Security for Dummies

Filar seymour oreilly_bot_story_

Monitorama 2015 Netflix Instance Analysis

BSIDES-PR Keynote Hunting for Bad Guys

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Code Quality - Security

Resolving problems & high availability

How to write secure code

Building next gen malware behavioural analysis environment

Security research over Windows #defcon china

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Building a data pipeline to ingest data into Hadoop in minutes using Streamse...

ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...

Real time web

Nicolas destor pres_f5agility2018

MySQL Monitoring Shoot Out

Metasploitation part-1 (murtuja)

Hyperledger Blockchain

Real World Application Threat Modelling By Example

Sensu and Sensibility - Puppetconf 2014

Dernier

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

DBX First Quarter 2024 Investor Presentation

Dropbox

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Dernier (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

DBX First Quarter 2024 Investor Presentation

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Strategies for Landing an Oracle DBA Job as a Fresher

Boost Fertility New Invention Ups Success Rates.pdf

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Elevate Developer Efficiency & build GenAI Application with Amazon Q

FWD Group - Insurer Innovation Award 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

MINDCTI Revenue Release Quarter One 2024

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Vector Search -An Introduction in Oracle Database 23ai.pptx

Apidays New York 2024 - The value of a flexible API Management solution for O...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

MS Copilot expands with MS Graph connectors

Vulture next filtering engine

1. Preview of Vulture’s upcoming web filtering engine Pass the SALT 2018. Security And Libre Talks. 2-4 juillet 2018 - Lille, France.

2. Vulture ? • A brief history • 2003: Linux software (httpd / mod_perl + PHP Web UI) • 2016: FreeBSD Cluster (pf, haproxy, httpd + Django Web UI) • Web SSO: mod_vulture + django portal • Web application firewall • Clustered mod_security, using hiredis [blacklisting] • mod_defender, aka "Naxsi for Apache2" [whitelisting] • mod_svm [machine learning]

3. Vulture’s current filtering engine Client FreeBSD pf Apache httpd IP Reputation GeoIP mod_defender mod_security mod_vulture mod_svm Immediate block Immediate block Authentication &SSO Request scoring ++ Request scoring ++ Request scoring ++

4. Current limits • Works well • No performance issue, but we can do much better • 3 engines => quite complex • Code overlapping • Complex UI, httpd knowledge recommended • Rule-based approach • Human-based approach • Time consuming • Need tuning • Not mistake proof configuration

5. The need for a better, unified engine • Focused on performance • High availability required • Precision and intelligence • No bullshit • Simplicity -> For users AND for filter devs Internal name: « D.A.R.W.I.N. »

6. Overview Architecture

7. Overview: XSS Filter XSS Core Filter Filter Thread 1 Thread 2 Thread 3 Thread 4 ... Thread N Monitoring UNIX Socket HTTP POST BODY XSS Score: 87%

8. Overview: Filter Workflow Filter 1 (ex: reputation) Filter 2 (ex: SQLi) Filter N D.A.R.W.I.N.

9. Overview: Filter Workflow Filter 1 (ex: reputation) Filter 2 (ex: SQLi) Manager Management Socket Filter N D.A.R.W.I.N.

10. Performance ? • HAProxy asynchronousevents • C/C++14 • UNIX socket • Shared in-memory cache (REDIS) • Context-sharing between filters among the Vulture cluster • Used by Darwin’s Neural Networks to track events in time • Supports GPU acceleration • TensorFlow as AI library

11. High Availability Filter N Decision Manager Management Socket {"type":"update_filters","filters":["Decision"]}

12. High Availability Filter N Decision Decision Manage r Management Socket {"type":"update_filters","filters":["Decision"]} Manager

13. High Availability Filter N Decision Decision Manage r Management Socket {"type":"update_filters","filters":["Decision"]} Manager

14. High Availability Filter N Decision Manager Management Socket {"type":"update_filters","filters":["Decision"]} {"status":"OK"} Manager

15. Precision and Intelligence • Precision • Multiple small filters • Very efficient for one unit task • Ability to chain filters (workflow) • Intelligence • Decision filter based on Artificial Intelligence • Prediction based on filters’ results • Active learning capabilities: Interact with human to correct itself • Human focuses on high-level “decisions” • The AI manages the technical security rules

16. No Bullshit • Heuristic / basic correlation in a black box is not AI • Those methods are promising but… • We use some of them in v3 (SVM, regression…) • Few false-positives • Unfortunately, few false-negatives: rules still needed • We work hard to take it to the next level! • “AI first”: by design, not an add-on component • Excellent results so far, beta-version coming this year

17. Simplicity • Easy for users • Minimalist configuration • Autonomoussystem • Simple feedback (Normal or Malicious request) • Easy for developers • Filters mostly independent • Simple SDK • On Github soon ;)

18. Portable • Replace HAProxy with anything you want • Simply develop a connector • Not only HTTP ! • Real world example (aDvens): DARWIN + Rsyslog • mmdarwin plugin • Real time log analysis • Real time log enrichment • On Github soon… ;)

19. Questions ?

20. hugo.soszynski@advens.fr jeremie.jourdin@advens.fr https://www.vultureproject.org https://github.com/VultureProject/mod_defender https://github.com/VultureProject/darwin (coming soon) Thank You !

Vulture next filtering engine

Recommandé

Recommandé

Contenu connexe

Similaire à Vulture next filtering engine

Similaire à Vulture next filtering engine (20)

Dernier

Dernier (20)

Vulture next filtering engine