
The ManaTI project consists of a front-end web application and a back-end server infrastructure. The web application centralizes all the operations of the analysts, and the back-end infrastructure stores the data and runs the algorithms. The main goal of the web application is to provide threat analysts with a fast interface and analysis tools that speed up their research.

The goal of the ManaTI project is to develop machine learning techniques that assist an intuitive threat analyst in speeding up the discovery of new security problems. The machine learning will contribute to the analysis by finding new relationships and inferences. The project will include the development of a web interface for the analyst to interact with the data and the machine learning output.

The official repository can be found on GitHub.


ManaTI Workflow

WEBLOGS TABLE 

The main functionality of ManaTI is the weblogs table. This is the structure that holds all the data from the session and where most of the interaction is done. The weblogs table consists of a fast and dynamic JavaScript table of all the weblogs in the analyst's session. The table is very important because it is how ManaTI stores all the weblogs in the memory of the web browser. As soon as a session is created, ManaTI stores the weblogs in the table and does not send them to the back-end server. They are only sent upon request of the analyst, by pressing the Save button at the top of the page.

ManaTI demo. Log in to the application and upload a file without saving.

Weblog Labelling

The most important usage of the weblogs table is the assignment of verdicts by the analyst. This can be done in several ways. The first way is to select one or more weblogs with the mouse, right-click on them and select the verdict to assign.

ManaTI demo feature: multi-labelling and bulk-labelling

THIRD-PARTY INTELLIGENCE TOOLS 

In the process of studying a weblog to identify whether it is malicious or not, analysts use external tools to help them. These tools are important for querying the reputation of IP addresses, the reputation of domains, which URLs are blocked, and the WHOIS information of IP addresses and domains. This information is paramount for a successful analysis. The most-used third-party tool is VirusTotal, since it can provide a very large number of reputation indicators about IP addresses and domains. ManaTI incorporates a module for searching IP addresses and domains in VirusTotal, as well as a module for searching the WHOIS information of IP addresses and domains.

To see the third-party options, the user must use the contextual menu.

This image shows a request to VirusTotal about a specific IP address.

This image shows a request to VirusTotal about a specific domain name.

WHOIS SIMILARITY DISTANCE MODULE

One of the objectives of the ManaTI project is to create a module for the web application that can calculate a numeric distance between two domains (dA and dB) using their WHOIS information and, at the same time, try to relate them.

The idea behind the WHOIS Similarity Distance module is to facilitate the analysts' work of looking for malicious and legitimate domains. When an analyst selects a domain (regardless of the domain's verdict), the module must be able to find all the WHOIS-related domains inside the analysis session with respect to the selected domain. In this manner, the analyst knows that those domains are related to the picked domain, so it is highly probable that they share the same verdict.

ManaTI demo feature: playing with the threshold of WSD
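The following is an added example written for this page; it is not the ManaTI project's own WSD implementation. It shows one way to compute a numeric distance between two domains from their WHOIS records and to find the domains in a session that fall within a threshold of a selected one. The WHOIS fields compared (registrar, registrant e-mail, registrant organization, name servers, creation date), their weights, the 30-day date window and the distance formula are all assumptions chosen for illustration, and the four domains with their WHOIS values are constructed sample data.

```python
"""Illustrative WHOIS similarity distance (added example, not ManaTI's code).

Two domains whose WHOIS records agree on registrar, registrant contact,
name servers and creation date get a distance close to 0; domains with
nothing in common get 1. Fields, weights and formula are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    registrant_email: str
    registrant_org: str
    name_servers: frozenset
    creation_date: str  # ISO date string, e.g. "2017-03-01"


# Relative importance of each WHOIS field (assumed values, not ManaTI's).
WEIGHTS = {"registrar": 1, "email": 2, "org": 1, "name_servers": 2, "created": 1}
# Creation dates further apart than this count as completely different.
DATE_WINDOW_DAYS = 30

# Constructed sample session: four domains with invented WHOIS data.
SESSION_WHOIS = {
    "update-check.example": WhoisRecord(
        "update-check.example", "RegistrarOne", "admin@mailbox.example", "",
        frozenset({"ns1.hosting.example", "ns2.hosting.example"}), "2017-03-01"),
    "secure-update.example": WhoisRecord(
        "secure-update.example", "RegistrarOne", "admin@mailbox.example", "",
        frozenset({"ns1.hosting.example", "ns2.hosting.example"}), "2017-03-01"),
    "cdn-files.example": WhoisRecord(
        "cdn-files.example", "RegistrarOne", "privacy@proxy.example", "",
        frozenset({"ns1.hosting.example", "ns3.other.example"}), "2017-03-02"),
    "news-portal.example": WhoisRecord(
        "news-portal.example", "RegistrarTwo", "hostmaster@news-portal.example",
        "News Portal Ltd",
        frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"}),
        "2009-06-15"),
}


def _jaccard_distance(a, b):
    """1 - |A intersect B| / |A union B|; two empty sets count as identical."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def _date_distance(a, b):
    """Days between two creation dates, scaled to [0, 1] over DATE_WINDOW_DAYS."""
    days = abs((date.fromisoformat(a) - date.fromisoformat(b)).days)
    return min(days / DATE_WINDOW_DAYS, 1.0)


def whois_distance(da, db):
    """Weighted distance in [0, 1] between the WHOIS records of dA and dB."""
    terms = {
        "registrar": float(da.registrar != db.registrar),
        "email": float(da.registrant_email != db.registrant_email),
        "org": float(da.registrant_org != db.registrant_org),
        "name_servers": _jaccard_distance(da.name_servers, db.name_servers),
        "created": _date_distance(da.creation_date, db.creation_date),
    }
    total = sum(WEIGHTS[k] * v for k, v in terms.items())
    return total / sum(WEIGHTS.values())


def related_domains(selected, session, threshold):
    """Domains in the session within `threshold` of the selected one, nearest first.

    This is the WSD lookup an analyst triggers by picking a domain: lowering the
    threshold keeps only the closest WHOIS matches, raising it admits looser ones.
    """
    ref = session[selected]
    hits = [(name, whois_distance(ref, rec))
            for name, rec in session.items() if name != selected]
    return sorted((h for h in hits if h[1] <= threshold), key=lambda h: h[1])


if __name__ == "__main__":
    for name, dist in related_domains("update-check.example", SESSION_WHOIS, 0.5):
        print(f"{name}: {dist:.3f}")
```

With the sample data, `secure-update.example` is at distance 0 from `update-check.example` (identical WHOIS), `cdn-files.example` is at about 0.48 (same registrar, one shared name server, created a day later, but a different contact) and `news-portal.example` is at 1.0, so a threshold of 0.5 relates the first two to the selected domain while 0.3 keeps only the exact match. Since the distance is symmetric, the same relation is found whichever of the two domains the analyst picks.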

We are still working on this page. More information is upcoming...

Thank you for being patient

ManaTI is a web-based system to analyze, store and organize weblogs faster in a threat analysis team.
— Raúl B. Netto, Hack.lu 2017