We are excited to announce that two of our projects, Slips and the AI VPN, were selected to participate in the upcoming Black Hat Europe Arsenal 2023, taking place on December 6-7 in London, UK!
What is the Black Hat Arsenal?
Black Hat is a world-renowned information security conference held every year in three regions: Asia, Europe and North America. Black Hat features exclusive intensive training courses, groundbreaking research presented in briefing sessions, and the latest open-source tools demoed at the Arsenal.
Black Hat Arsenal is a space where free-software developers can present their tools, new or existing, showcasing new features and novel additions. The space is very dynamic, encouraging interaction between presenters and attendees.
Slips at Black Hat Europe 2023 Arsenal!
In the upcoming conference, Alya Gomaa and Sebastian Garcia will present “Slips: A machine-learning based, free-software, P2P Network Intrusion Prevention System“.
For the last 7 years we have been developing Slips, a behavior-based intrusion prevention system and the first free-software network IDS using machine learning. Slips profiles the behavior of IP addresses and performs detections inside each time window, which also allows it to *unblock* IPs once their behavior is no longer malicious. Slips has more than 20 modules that detect a range of attacks both to and from the protected device. It is a network EDR that can also protect small networks.
Slips consumes packets and flows from multiple sources and exports data to SIEMs. More importantly, Slips is the first IDS to automatically create a local P2P network of sensors, where instances share detections following a trust model resilient to adversaries.
Slips works in several directionality modes: the user can choose to detect attacks coming *to* the profiled IPs, going *from* them, or both. This makes it easy to protect your network, but also to focus on infected computers inside your network, which is a novel technique.
Among its modules, Slips includes downloading and managing external Threat Intelligence feeds (including our laboratory's own TI feed), whois/asn/geocountry enrichment, an LSTM neural net for malicious behavior detection, port scanning detection (vertical and horizontal) on flows, long connection detection, etc. The decisions to block a profile or not are based on ensembling algorithms. The P2P module connects to other Slips instances to share detection alerts.
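As an added illustration of the ideas in the paragraphs above (this is example code written for this post, not Slips's own implementation), the following Python sketch groups flows into per-IP profiles for each time window, applies a directionality mode relative to an assumed home network, runs simple vertical/horizontal port-scan and long-connection detectors over each profile, and then takes a per-window blocking decision, so an IP with no evidence in a later window is no longer blocked. The home network (10.0.0.0/24), the thresholds, the window width and the sample flows are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network flow, mirroring the Zeek conn.log fields we need."""
    ts: float        # start time (seconds)
    src: str         # id.orig_h
    dst: str         # id.resp_h
    dport: int       # id.resp_p
    duration: float  # seconds


# Constructed sample flows for this example (not real traffic).
SAMPLE_FLOWS = [
    # 10.0.0.5 probes many ports on one host (vertical scan), window 0
    *[Flow(100.0 + i, "10.0.0.5", "10.0.0.9", p, 0.1)
      for i, p in enumerate([21, 22, 23, 25, 80, 443])],
    # 10.0.0.5 probes port 445 on many hosts (horizontal scan), window 0
    *[Flow(200.0 + i, "10.0.0.5", f"10.0.0.{50 + i}", 445, 0.1)
      for i in range(6)],
    # 10.0.0.7 keeps a single long-lived connection to an external host
    Flow(300.0, "10.0.0.7", "203.0.113.10", 8443, 4200.0),
    # external 198.51.100.4 probes many ports on an internal host
    *[Flow(400.0 + i, "198.51.100.4", "10.0.0.9", p, 0.1)
      for i, p in enumerate([135, 139, 445, 3389, 5985])],
    # window 1: 10.0.0.5 only makes one benign connection
    Flow(3700.0, "10.0.0.5", "10.0.0.9", 443, 2.0),
]


def in_scope(flow, mode, home_net):
    """Directionality mode: 'from' keeps flows leaving the home network,
    'to' keeps flows entering it, 'both' keeps either."""
    src_home = ipaddress.ip_address(flow.src) in home_net
    dst_home = ipaddress.ip_address(flow.dst) in home_net
    if mode == "from":
        return src_home
    if mode == "to":
        return dst_home
    if mode == "both":
        return src_home or dst_home
    raise ValueError(f"unknown mode {mode!r}")


def build_profiles(flows, mode, home_net, width=3600.0):
    """Group in-scope flows by (source IP, time window index)."""
    profiles = defaultdict(list)
    for f in flows:
        if in_scope(f, mode, home_net):
            profiles[(f.src, int(f.ts // width))].append(f)
    return profiles


def detect(profiles, vertical_min=5, horizontal_min=5, long_conn_secs=1800.0):
    """Per profile and window: vertical scan (many ports, one host),
    horizontal scan (one port, many hosts) and long connections."""
    evidence = []
    for (ip, window), flows in profiles.items():
        ports_per_dst = defaultdict(set)
        dsts_per_port = defaultdict(set)
        for f in flows:
            ports_per_dst[f.dst].add(f.dport)
            dsts_per_port[f.dport].add(f.dst)
            if f.duration >= long_conn_secs:
                evidence.append((ip, window, "long_connection",
                                 f"{f.dst}:{f.dport} lasted {f.duration:.0f}s"))
        for dst, ports in ports_per_dst.items():
            if len(ports) >= vertical_min:
                evidence.append((ip, window, "vertical_portscan",
                                 f"{len(ports)} ports on {dst}"))
        for port, dsts in dsts_per_port.items():
            if len(dsts) >= horizontal_min:
                evidence.append((ip, window, "horizontal_portscan",
                                 f"port {port} on {len(dsts)} hosts"))
    return evidence


def decide_blocking(profiles, evidence, min_evidence=1):
    """Decide per (ip, window); a window without evidence unblocks the IP."""
    counts = defaultdict(int)
    for ip, window, _, _ in evidence:
        counts[(ip, window)] += 1
    return {key: counts[key] >= min_evidence for key in profiles}


def run(flows, mode, home="10.0.0.0/24"):
    """Assumed home network; returns (evidence, per-window block decisions)."""
    home_net = ipaddress.ip_network(home)
    profiles = build_profiles(flows, mode, home_net)
    evidence = detect(profiles)
    return evidence, decide_blocking(profiles, evidence)


if __name__ == "__main__":
    for mode in ("from", "to", "both"):
        evidence, decisions = run(SAMPLE_FLOWS, mode)
        print(f"== mode {mode}: {len(evidence)} evidence items")
        for (ip, window), blocked in sorted(decisions.items()):
            print(f"   {ip} window {window}: {'BLOCK' if blocked else 'allow'}")
```

In "from" mode only the two internal hosts produce evidence and the external scanner is out of scope; in "to" mode the external scan against 10.0.0.9 is caught while the internal host's outbound long connection is ignored; "both" sees all four pieces of evidence. In every mode 10.0.0.5 is blocked in window 0 and not in window 1, which is the per-window unblocking behavior described above.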
Slips can read packets from the network, pcap files, Suricata, Zeek, Argus and Nfdump, and can output alert files and summaries. Having Zeek as a base tool, Slips can correctly build a sorted timeline of flows combining all Zeek logs. Slips can send alerts using the STIX/TAXII protocol.
The Slips web interface allows the user to clearly see the detections and behaviors, including threat intelligence enrichments. The interface can show multiple Slips runs, summarize whois/asn/geocountry information and much more.
AI VPN at Black Hat Europe 2023 Arsenal!
In the upcoming arsenal, Veronica Valeros and Sebastian Garcia will present “AI VPN: A Free-Software AI-Powered Network Forensics Tool”.
The AI VPN is an AI-based traffic analysis tool that detects and blocks threats, automatically providing enhanced privacy protection. It offers modular management of VPN accounts, automated network traffic analysis, and incident reporting. Using the free-software IDS Slips, the AI VPN employs machine learning and threat intelligence for comprehensive traffic analysis. Multiple VPN technologies, such as OpenVPN and WireGuard, are supported, and in-line blocking technologies like Pi-hole provide additional protection.
The AI VPN was built to help journalists, activists and NGOs against targeted digital attacks. The goal of the tool is to provide an easy-to-use, fast, automated service to perform network forensics on any type of device without physical access to it. The user seamlessly connects to the Internet as with any other VPN while the traffic analysis and reporting happens on the AI VPN server.
The AI VPN is designed as a modular collection of micro-services using Docker. The AI VPN currently has ten modules taking care of the following functionalities: management, database, communication, VPNs, Pi-hole, Slips and reporting.