Kalipso
Kalipso is a terminal interface created specifically for the Stratosphere Linux IPS [1], Slips for short. Kalipso gives the Slips user a concise overview of the analyzed data and of the malicious behavior that Slips detected. Kalipso is easy to use.
Slips overview
The Stratosphere Linux IPS is a behavior-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors in network traffic.
Slips Architecture
Slips works at the flow level. Its core idea is to separate the traffic into profiles, one for each IP address that appears in the traffic. A profile holds the complete behavior of that IP in the traffic and is the basic data structure in Slips. Each profile is divided into time windows. Each time window is 1 hour long by default and contains dozens of features computed from all the connections that start in that time window.
Zeek
Zeek [2], formerly known as Bro, is an open-source framework for analyzing network traffic that is most commonly used to detect behavioral anomalies on a network. Zeek generates a wide range of log files for different protocols, including logs for DNS, HTTP, DHCP and SMTP, and a conn log with all the connections regardless of their protocol.
Slips uses the Zeek logs to create the profiles. For example, the timeline of a time window shows what the profile IP did during that hour. The timeline is built from Zeek's conn.log plus additional interpretation from other logs such as dns.log or http.log.
Kalipso tools
Redis [3]
An in-memory data structure store. The connection between Kalipso and Slips goes through a Redis database: Slips stores the data about the analyzed pcap in Redis, and Kalipso reads that data from Redis to fill its dashboards and widgets. Kalipso therefore has to reach the same Redis instance that Slips writes to.
Node.js [4]
A JavaScript runtime environment that executes JavaScript code outside of a browser.
Blessed library [5]
A high-level terminal interface library for Node.js.
Blessed-contrib library [6]
A high-level terminal interface library for building terminal dashboards with ASCII/ANSI art and JavaScript. It extends the blessed library.
Async [7]
A utility module which provides straight-forward, powerful functions for working with asynchronous programming in JavaScript.
Fs [8]
Node.js's built-in file system module, which lets a program read and write files on the computer.
Ansi-colors [9]
A Node.js library for styling terminal output with ANSI colors.
Kalipso structure
Kalipso consists of two main parts: the main board and the hotkeys. The structure and the functionality of both parts are described below.
Kalipso main board
profile tree
All profiles generated by Slips, each with the time windows in which that profile had traffic. Profiles and time windows with detections are highlighted in red.
timeline
A combined timeline of what happened and when, based on the Zeek files. The timeline consists of Zeek's conn.log plus additional interpretation from other Zeek logs such as dns.log and http.log.
IP-info box
IP information (ASN, geolocation country and VirusTotal [10] summary) for an IP clicked in the profile tree or for a destination IP in the timeline.
Evidence box
The evidence generated by all the detection modules, i.e. the supporting evidence for each detection.
Help menu for hotkeys
The list of Kalipso hotkeys. The current view (the main board or one of the hotkeys) is highlighted in red.
Kalipso hotkeys
1. E hotkey - SrcPortClient
Shows the total flows, total packets and total bytes per source port when the IP of the profile acts as a client. Separated into Established and Not Established scrollable histograms. Bars are on a logarithmic scale.
2. C hotkey - DstIPsClient
Shows the total flows, total packets and total bytes per destination IP when the IP of the profile acts as a client. Separated into Established and Not Established scrollable histograms. Bars are on a logarithmic scale.
3. B hotkey - dstPortServer
Shows the total flows, total packets and total bytes per destination port when the IP of the profile acts as a server. Separated into Established and Not Established scrollable histograms. Bars are on a logarithmic scale.
4. P hotkey - dstPortsClient
Shows the total flows, total packets and total bytes per destination port when the IP of the profile acts as a client. Separated into Established and Not Established scrollable histograms. Bars are on a logarithmic scale.
5. N hotkey - dstPortsClientIPs
Shows the number of packets sent to each destination IP on a specific port when the IP of the profile acts as a client. Separated into Established and Not Established scrollable histograms. Bars are on a logarithmic scale.
6. H hotkey - OutTuples
Shows the behavioral letters [11] of every Out Tuple together with the ASN, geolocation country and VirusTotal summary of the tuple's IP. An Out Tuple is the combination of the destination IP, port and protocol used for the communication.
7. M hotkey - map
Shows the geolocations of all destination IPs to which the IP of the profile connected during one time window.
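The following is an added example, not Kalipso's or Slips' own code, that ties the Slips architecture section to the hotkey views above: it parses Zeek conn.log lines, splits the flows into per-IP profiles and 1-hour time windows, and computes the Established / Not Established aggregates that the E, C, P and B hotkey histograms display, including the logarithmic bar scaling. Everything not stated on the page is an assumption: Zeek's default TSV conn.log column layout, a simplified mapping of Zeek's conn_state to Established / Not Established, time windows counted from the first flow, the sample flows (constructed for this example), and the field names totalflows/totalpkt/totalbytes, which follow the page's wording rather than Slips' actual Redis schema.

```javascript
// Added example, not Kalipso's or Slips' own code: builds Slips-style
// profiles and 1-hour time windows from Zeek conn.log lines and computes the
// per-window aggregates behind the E, C, P and B hotkey histograms.
// Assumptions (not from the page): Zeek's default TSV conn.log column layout,
// a simplified conn_state -> Established/Not Established mapping, windows
// counted from the first flow, and field names taken from the page's wording
// rather than from Slips' Redis schema.

const TW_SECONDS = 3600; // Slips default time window length: 1 hour

// Constructed sample conn.log (Zeek's default TSV layout, '#' header lines).
const SAMPLE_CONN_LOG = `#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1600000000.100000\tCa1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t1.5\t1200\t5400\tSF\t-\t-\t0\tShADadFf\t10\t1700\t9\t5900\t-
1600000010.000000\tCa2\t10.0.0.5\t51235\t93.184.216.34\t80\ttcp\thttp\t0.2\t300\t900\tSF\t-\t-\t0\tShADadFf\t5\t560\t4\t1100\t-
1600000020.000000\tCa3\t10.0.0.5\t51236\t192.0.2.9\t22\ttcp\t-\t-\t0\t0\tS0\t-\t-\t0\tS\t1\t60\t0\t0\t-
1600003700.000000\tCa4\t10.0.0.5\t51237\t192.0.2.9\t22\ttcp\t-\t-\t0\t0\tREJ\t-\t-\t0\tSr\t1\t60\t1\t40\t-
1600000030.000000\tCa5\t10.0.0.7\t40000\t198.51.100.1\t53\tudp\tdns\t0.01\t50\t120\tSF\t-\t-\t0\tDd\t1\t78\t1\t148\t-
`;

const num = v => (v === '-' ? 0 : Number(v)); // Zeek writes '-' for unset

// Parse a Zeek TSV conn.log into flow records, using the #fields header.
function parseConnLog(text) {
  let fields = null;
  const flows = [];
  for (const line of text.split('\n')) {
    if (line === '') continue;
    if (line.startsWith('#fields')) { fields = line.split('\t').slice(1); continue; }
    if (line.startsWith('#')) continue;
    const rec = {};
    line.split('\t').forEach((col, i) => { rec[fields[i]] = col; });
    flows.push({
      ts: parseFloat(rec.ts),
      saddr: rec['id.orig_h'], sport: rec['id.orig_p'],
      daddr: rec['id.resp_h'], dport: rec['id.resp_p'],
      proto: rec.proto, state: rec.conn_state,
      pkts: num(rec.orig_pkts) + num(rec.resp_pkts),
      bytes: num(rec.orig_ip_bytes) + num(rec.resp_ip_bytes),
    });
  }
  return flows;
}

// Assumed mapping: a completed handshake (SF, S1-S3, RSTO, RSTR) counts as
// Established; S0, REJ, OTH and the rest count as Not Established.
const ESTABLISHED_STATES = new Set(['SF', 'S1', 'S2', 'S3', 'RSTO', 'RSTR']);
const isEstablished = state => ESTABLISHED_STATES.has(state);

// One time window: the per-port / per-IP tables, each split by state.
function emptyWindow() {
  const split = () => ({ Established: {}, NotEstablished: {} });
  return { SrcPortClient: split(), DstIPsClient: split(), dstPortsClient: split(), dstPortServer: split() };
}

function addFlow(table, key, f) {
  const e = table[key] || (table[key] = { totalflows: 0, totalpkt: 0, totalbytes: 0 });
  e.totalflows += 1; e.totalpkt += f.pkts; e.totalbytes += f.bytes;
}

// Returns Map(ip -> Map('timewindowN' -> window)). Every IP seen as
// originator or responder gets a profile; windows start at the first flow.
function buildProfiles(flows, twSeconds = TW_SECONDS) {
  const t0 = Math.min(...flows.map(f => f.ts));
  const profiles = new Map();
  const windowOf = (ip, ts) => {
    const name = 'timewindow' + (Math.floor((ts - t0) / twSeconds) + 1);
    if (!profiles.has(ip)) profiles.set(ip, new Map());
    const tws = profiles.get(ip);
    if (!tws.has(name)) tws.set(name, emptyWindow());
    return tws.get(name);
  };
  for (const f of flows) {
    const bucket = isEstablished(f.state) ? 'Established' : 'NotEstablished';
    // Zeek's originator is the client: E (src ports), C (dst IPs), P (dst ports).
    const client = windowOf(f.saddr, f.ts);
    addFlow(client.SrcPortClient[bucket], `${f.proto}/${f.sport}`, f);
    addFlow(client.DstIPsClient[bucket], f.daddr, f);
    addFlow(client.dstPortsClient[bucket], `${f.proto}/${f.dport}`, f);
    // Zeek's responder is the server: B (ports served) in that IP's own profile.
    const server = windowOf(f.daddr, f.ts);
    addFlow(server.dstPortServer[bucket], `${f.proto}/${f.dport}`, f);
  }
  return profiles;
}

// Kalipso draws its bars on a logarithmic scale; this maps a count to a bar
// length so that a 1-flow bar stays visible next to a 10000-flow bar.
function logBar(value, maxValue, width = 40) {
  if (value <= 0 || maxValue <= 0) return 0;
  return Math.max(1, Math.round(width * Math.log10(value + 1) / Math.log10(maxValue + 1)));
}

function renderHistogram(table, width = 40) {
  const rows = Object.entries(table);
  const max = Math.max(0, ...rows.map(([, v]) => v.totalflows));
  return rows.map(([k, v]) =>
    `${k.padEnd(18)} ${'#'.repeat(logBar(v.totalflows, max, width))} ${v.totalflows} flows`).join('\n');
}

// Usage: the C hotkey view (DstIPsClient) of 10.0.0.5 in its first time window.
const profiles = buildProfiles(parseConnLog(SAMPLE_CONN_LOG));
for (const [ip, tws] of profiles) console.log(ip, [...tws.keys()].join(', '));
const tw1 = profiles.get('10.0.0.5').get('timewindow1');
console.log('Established:\n' + renderHistogram(tw1.DstIPsClient.Established));
console.log('Not Established:\n' + renderHistogram(tw1.DstIPsClient.NotEstablished));
```

Note that the flow at 1600003700 lands in timewindow2 of 10.0.0.5 although it is the same scan target as the S0 flow in timewindow1: per-window aggregation is what lets the profile tree highlight the specific hour in which a behavior appeared. The same conn.log feeds both the client tables of the originator's profile and the dstPortServer table of the responder's profile, which is why a server IP shows up in the tree with its own windows.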
Kalipso extra feature
W hotkey - IP copy
The IP of a profile can be copied from the profile tree widget, so that the analyst can look up further information about the IP outside the interface.
Kalipso installation
Kalipso needs a running Slips instance, since it reads the Slips results from Redis. If you have not installed the libraries that Kalipso needs, you can do it like this:
Node.js - https://nodejs.org/en/download/
Redis - command to install the Node.js client - npm install redis (this installs only the client library; the Redis server that Slips writes to has to be installed separately, see https://redis.io/)
Blessed library and Blessed-contrib library - command to install -
npm install blessed blessed-contrib
Async - command to install - npm install async
Fs - built into Node.js, so no separate install is needed (the npm fs package is only a placeholder)
ansi-colors - command to install - npm install ansi-colors
An example of analyzing a pcap with Slips and Kalipso is here.
References
[1] Stratosphere Linux IPS, https://github.com/stratosphereips/StratosphereLinuxIPS
[2] Zeek, https://www.zeek.org/
[3] Redis, https://redis.io/
[4] Node.js, https://nodejs.org/
[5] Blessed library, https://github.com/chjj/blessed
[6] Blessed-contrib library, https://github.com/yaronn/blessed-contrib
[7] Async, https://www.npmjs.com/package/async
[8] Fs, https://www.npmjs.com/package/fs
[9] Ansi-colors, https://www.npmjs.com/package/ansi-colors
[10] VirusTotal, https://www.virustotal.com
[11] Behavioral letters, https://www.stratosphereips.org/stratosphere-testing-framework