# 🤖 AI Security Agent - Intelligent Crypto Miner Detection

AI-powered security agent that uses a local LLM (Ollama `qwen3:8b`) to detect and mitigate cryptocurrency mining malware on NODE1.

## Features

### 🔍 Intelligent Detection

- **LLM-powered analysis**: Uses Ollama `qwen3:8b` for contextual threat analysis
- **Multi-signal detection**: CPU usage, process names, network connections, filesystem
- **Known miner signatures**: Detects patterns from previous incidents
- **Fallback rules**: Works even if the LLM is unavailable

### ⚡ Auto-Mitigation

- **Automatic response**: Kills malicious processes (confidence >= 70%)
- **File cleanup**: Removes suspicious executables from `/tmp`
- **Selective action**: Manual review for lower-confidence threats

### 📊 Monitoring

- **Real-time scanning**: Continuous monitoring every 5 minutes
- **Smart optimization**: Skips LLM analysis if the system is clean
- **Comprehensive logging**: Detailed logs at `/var/log/ai-security-agent.log` (also readable as `logs/ai-security-agent.log` in the service directory)

## Known Threats Detected

From previous incidents on NODE1:

**Incident #3 (postgres:15-alpine):**
- `cpioshuf` - 1764% CPU
- `ipcalcpg_recvlogical` - Auto-restart variant
- `mysql` - 933% CPU

**Incident #4 (postgres:16-alpine):**
- `bzip2egrep` - 1694% CPU
- `flockresize` - 1628% CPU

**Common patterns:**
- Hidden directories: `/tmp/.perf.c/`
- Process masquerading: Disguised as `postgres`, `mysql`, etc.
- High CPU usage: >1000% (multi-threaded mining; `top`-style percentages are summed across cores)
- Mining pool connections: Ports 3333, 4444, 5555, 7777, 8888, 9999, 14444

## Installation

### 1. Deploy to NODE1

```bash
# Copy service to NODE1
scp -r services/ai-security-agent root@144.76.224.179:/opt/microdao-daarion/services/

# SSH to NODE1
ssh root@144.76.224.179

# Navigate to service directory
cd /opt/microdao-daarion/services/ai-security-agent

# Build and start
docker compose up -d --build
```

### 2. Verify Deployment

```bash
# Check container status
docker ps | grep ai-security-agent

# View logs
docker logs -f ai-security-agent

# Check log file
tail -f logs/ai-security-agent.log
```

## Configuration

Environment variables (in `docker-compose.yml`):

| Variable | Default | Description |
|----------|---------|-------------|
| `OLLAMA_BASE_URL` | `http://host.docker.internal:11434` | Ollama API endpoint |
| `OLLAMA_MODEL` | `qwen3:8b` | LLM model for analysis |
| `CHECK_INTERVAL` | `300` | Scan interval in seconds (5 min) |
| `ALERT_THRESHOLD` | `0.7` | Confidence threshold for auto-mitigation |

## How It Works

### 1. Data Collection

Every 5 minutes (`CHECK_INTERVAL`), the agent collects:
- System load average and CPU usage
- Processes using >50% CPU
- Known miner process names
- Executable files in `/tmp` (created in the last 24h)
- Network connections to suspicious ports

### 2. Quick Check

If the system is clean (load <5, no suspicious activity):
- ✅ Skip LLM analysis
- Log "System clean"
- Wait for the next interval

### 3. LLM Analysis

If suspicious activity is detected:
- 🧠 Send metrics to Ollama `qwen3:8b`
- LLM analyzes with cybersecurity expertise
- Returns JSON with:
  - `threat_detected`: boolean
  - `confidence`: 0.0-1.0
  - `threat_type`: `crypto_miner` | `suspicious_activity` | `false_positive`
  - `indicators`: List of specific findings
  - `recommended_actions`: What to do

### 4. Auto-Mitigation

If confidence >= `ALERT_THRESHOLD` (70%):
- ⚡ Kill high-CPU processes
- ⚡ Kill known miner processes
- ⚡ Remove suspicious `/tmp` files
- ⚡ Clean `/tmp/.perf.c/`
- 📝 Log all actions

If confidence < 70%:
- ⚠️ Log for manual review
- No automatic action

### 5. Fallback Mode

If the LLM call fails:
- Use rule-based detection
- Check: load average, high CPU, known signatures, `/tmp` files, network
- Calculate confidence from the number and kind of indicators present

## Example Logs

### Clean System

```
[2026-01-10 10:00:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:00:01] [INFO] ✅ System clean (quick check)
```

### Threat Detected (Low Confidence)

```
[2026-01-10 10:05:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:05:01] [INFO] 🧠 Analyzing with AI (suspicious activity detected)...
[2026-01-10 10:05:05] [INFO] Analysis complete: threat=True, confidence=45%
[2026-01-10 10:05:05] [ALERT] 🚨 THREAT DETECTED (Incident #1)
[2026-01-10 10:05:05] [ALERT] Confidence: 45%
[2026-01-10 10:05:05] [ALERT] Type: suspicious_activity
[2026-01-10 10:05:05] [ALERT] Summary: High CPU process detected but no known signatures
[2026-01-10 10:05:05] [ALERT] ⚠️ Confidence 45% below threshold 70%, manual review recommended
```

### Threat Detected (High Confidence - Auto-Mitigation)

```
[2026-01-10 10:10:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:10:01] [INFO] 🧠 Analyzing with AI (suspicious activity detected)...
[2026-01-10 10:10:08] [INFO] Analysis complete: threat=True, confidence=95%
[2026-01-10 10:10:08] [ALERT] 🚨 THREAT DETECTED (Incident #2)
[2026-01-10 10:10:08] [ALERT] Confidence: 95%
[2026-01-10 10:10:08] [ALERT] Type: crypto_miner
[2026-01-10 10:10:08] [ALERT] Summary: Known miner signature 'bzip2egrep' detected with high CPU
[2026-01-10 10:10:08] [ALERT] 📍 Known miner signature: bzip2egrep (PID 123456)
[2026-01-10 10:10:08] [ALERT] 📍 Suspicious executable: /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ALERT] 📍 High CPU usage: 1694%
[2026-01-10 10:10:08] [ALERT] ⚡ EXECUTING AUTO-MITIGATION
[2026-01-10 10:10:08] [ACTION] Killing known miner PID 123456 (bzip2egrep)
[2026-01-10 10:10:08] [ACTION] Removing /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ACTION] Cleaning /tmp/.perf.c/
[2026-01-10 10:10:09] [ALERT] ✅ AUTO-MITIGATION COMPLETED
```

## Advantages Over Bash Script

### Old Script (`/root/monitor_scanning.sh`)

- ✅ Simple and fast
- ✅ No dependencies
- ❌ Rule-based only (can miss new variants)
- ❌ No contextual analysis
- ❌ Manual threshold tuning
- ❌ No learning capability

### New AI Agent

- ✅ **Contextual understanding**: LLM analyzes patterns holistically
- ✅ **Adaptive**: Can detect new miner variants by behavior
- ✅ **Confidence scoring**: Nuanced threat assessment
- ✅ **Detailed explanations**: Reports WHY something is suspicious
- ✅ **Future-proof**: Can be updated with new threat intelligence
- ✅ **Fallback safety**: Works even if the LLM fails

## Architecture

```
┌─────────────────────────────────────────┐
│           NODE1 Host System             │
│                                         │
│  ┌──────────────────────────────────┐   │
│  │  AI Security Agent (Container)   │   │
│  │                                  │   │
│  │  ┌────────────────────────────┐  │   │
│  │  │ 1. Metric Collector        │  │   │
│  │  │    - psutil (CPU, procs)   │  │   │
│  │  │    - find (/tmp scan)      │  │   │
│  │  │    - network connections   │  │   │
│  │  └────────────────────────────┘  │   │
│  │              ↓                   │   │
│  │  ┌────────────────────────────┐  │   │
│  │  │ 2. Quick Filter            │  │   │
│  │  │    - Skip if clean         │  │   │
│  │  └────────────────────────────┘  │   │
│  │              ↓                   │   │
│  │  ┌────────────────────────────┐  │   │
│  │  │ 3. LLM Analyzer            │  │   │
│  │  │    - Ollama qwen3:8b       │←─┼───┼─┐
│  │  │    - Contextual AI         │  │   │ │
│  │  └────────────────────────────┘  │   │ │
│  │              ↓                   │   │ │
│  │  ┌────────────────────────────┐  │   │ │
│  │  │ 4. Decision Engine         │  │   │ │
│  │  │    - Confidence threshold  │  │   │ │
│  │  └────────────────────────────┘  │   │ │
│  │              ↓                   │   │ │
│  │  ┌────────────────────────────┐  │   │ │
│  │  │ 5. Auto-Mitigation         │  │   │ │
│  │  │    - Kill processes        │  │   │ │
│  │  │    - Clean files           │  │   │ │
│  │  └────────────────────────────┘  │   │ │
│  └──────────────────────────────────┘   │ │
│                                         │ │
│  ┌──────────────────────────────────┐   │ │
│  │  Ollama Service                  │   │ │
│  │  localhost:11434                 │◄──┼─┘
│  │  qwen3:8b (8B params)            │   │
│  └──────────────────────────────────┘   │
└─────────────────────────────────────────┘
```

## Monitoring Agent Health

```bash
# Check agent status
docker ps | grep ai-security-agent

# View real-time logs
docker logs -f ai-security-agent

# Check log file
tail -f /opt/microdao-daarion/services/ai-security-agent/logs/ai-security-agent.log

# Check resource usage
docker stats ai-security-agent

# Restart if needed
cd /opt/microdao-daarion/services/ai-security-agent
docker compose restart
```

## Troubleshooting

### Agent not detecting processes

**Issue**: Can't see host processes

**Fix**: Ensure `pid: host` is set in `docker-compose.yml`

### Can't kill processes

**Issue**: Permission denied

**Fix**: Ensure `privileged: true` is set in `docker-compose.yml`

### LLM connection failed

**Issue**: Can't reach Ollama

**Fix**: Check `OLLAMA_BASE_URL` and make sure Ollama is running:

```bash
curl http://localhost:11434/api/tags
```

### High memory usage

**Issue**: Agent using >512MB

**Fix**: Increase `CHECK_INTERVAL` (fewer scans per hour) or limit `num_predict` in the LLM call

## Security Considerations

### Privileges

- Agent runs with `privileged: true` to kill processes
- Has access to the host PID namespace (`pid: host`)
- Can modify the host `/tmp` directory

**Mitigation**: The agent runs in a Docker container with resource limits. Note that resource limits bound CPU and memory, not privilege: a privileged container that shares the host PID namespace is effectively root on the host, so the agent image, its `docker-compose.yml` and anything that can influence its decisions must be treated as host-level trusted code.

### False Positives

- Agent requires 70% confidence for auto-kill
- Lower-confidence threats are logged for manual review
- Legitimate high-CPU processes might be flagged
- Process names, `/tmp` paths and connection details are collected from the host and passed into the LLM prompt, so they are attacker-influenced input; the LLM verdict alone should not be the only gate before a kill

**Mitigation**: Adjust `ALERT_THRESHOLD`, add a process whitelist if needed

## Future Improvements

- [ ] **Telegram alerts**: Send notifications on threat detection
- [ ] **Prometheus metrics**: Expose threat count, confidence scores
- [ ] **Process whitelist**: Exclude known-good high-CPU processes
- [ ] **Network blocking**: Block mining pool IPs via iptables
- [ ] **Image scanning**: Scan Docker images before they run
- [ ] **Historical analysis**: Track patterns over time
- [ ] **Multi-node**: Extend to NODE2 and NODE3

## Contributing

To update threat signatures:
1. Edit `KNOWN_MINER_SIGNATURES` in `security_agent.py`
2. Rebuild the container: `docker compose up -d --build`

To adjust detection logic:
1. Modify `_fallback_analysis()` for rule-based detection
2. Update the LLM prompt in `analyze_with_llm()` for AI analysis

---

**Version**: 1.0.0
**Created**: 2026-01-10
**Maintained by**: DAARION Security Team
**Status**: ✅ Production Ready
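## Worked Example: Detection Pipeline

The following Python is an added example for this README, not the project's `security_agent.py` (whose code is not reproduced here). It models the pipeline described under How It Works (quick check, LLM verdict validation, rule-based fallback, threshold decision) together with the process whitelist listed under Future Improvements. The `Snapshot` and `Process` structures, the per-signal `WEIGHTS`, the noisy-OR way of combining them, the `run()` wrapper and the sample snapshots are all assumptions made for this example; the signature list, pool ports, hidden directory, 50% CPU and load 5 cut-offs and the JSON field names come from the sections above.

```python
# Added example for this README (not the project's security_agent.py): the quick
# check, LLM-reply validation, rule-based fallback and threshold decision of the
# pipeline above. Snapshot/Process, the WEIGHTS and the sample data are assumed.
import json
import math
from dataclasses import dataclass, field

KNOWN_MINER_SIGNATURES = {"cpioshuf", "ipcalcpg_recvlogical", "bzip2egrep", "flockresize"}
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}
HIDDEN_TMP_DIR, LOAD_LIMIT, HIGH_CPU = "/tmp/.perf.c/", 5.0, 50.0
THREAT_TYPES = {"crypto_miner", "suspicious_activity", "false_positive"}
# Assumed weights: how strongly each signal category, on its own, points at mining.
WEIGHTS = {"signature": 0.6, "hidden_dir": 0.5, "pool_port": 0.5, "tmp_exec": 0.3, "high_cpu": 0.3, "load": 0.2}

@dataclass
class Process:
    pid: int
    name: str
    cpu_percent: float  # top-style, so above 100% on multi-core hosts

@dataclass
class Snapshot:
    load_avg_1m: float
    processes: list = field(default_factory=list)
    tmp_executables: list = field(default_factory=list)  # new executables under /tmp
    remote_ports: list = field(default_factory=list)     # (pid, remote_port) pairs

def is_clean(snap):
    """Step 2: skip the LLM when nothing looks suspicious."""
    return (snap.load_avg_1m < LOAD_LIMIT and not snap.tmp_executables
            and not any(p.cpu_percent > HIGH_CPU or p.name in KNOWN_MINER_SIGNATURES for p in snap.processes)
            and not any(port in MINING_POOL_PORTS for _, port in snap.remote_ports))

def fallback_analysis(snap, allowlist=frozenset()):
    """Step 5: each signal category counts once; categories combine with noisy-OR
    (1 - prod(1 - w)), so weak signals add up but one busy process stays under 0.7."""
    hits = {}  # category -> indicator strings
    for p in snap.processes:
        if p.name in allowlist:
            continue
        if p.name in KNOWN_MINER_SIGNATURES:
            hits.setdefault("signature", []).append(f"Known miner signature: {p.name} (PID {p.pid})")
        elif p.cpu_percent > HIGH_CPU:
            hits.setdefault("high_cpu", []).append(f"High CPU usage: {p.cpu_percent:.0f}% ({p.name}, PID {p.pid})")
    for path in snap.tmp_executables:
        cat = "hidden_dir" if path.startswith(HIDDEN_TMP_DIR) else "tmp_exec"
        hits.setdefault(cat, []).append(f"Suspicious executable: {path}")
    for pid, port in snap.remote_ports:
        if port in MINING_POOL_PORTS:
            hits.setdefault("pool_port", []).append(f"Mining pool port {port} (PID {pid})")
    if snap.load_avg_1m >= LOAD_LIMIT:
        hits.setdefault("load", []).append(f"Load average {snap.load_avg_1m:.1f}")
    confidence = round(1.0 - math.prod(1.0 - WEIGHTS[c] for c in hits), 2)
    kind = ("crypto_miner" if "signature" in hits or confidence >= 0.7
            else "suspicious_activity" if hits else "false_positive")
    return {"threat_detected": bool(hits), "confidence": confidence, "threat_type": kind,
            "indicators": [i for cat in hits.values() for i in cat],
            "recommended_actions": ["kill_processes", "remove_tmp_files"] if hits else []}

def parse_llm_response(text):
    """Step 3: validate the LLM's JSON; None (use the fallback) on any defect.
    Replies may be wrapped in prose or a code fence, so find the first decodable object."""
    decoder, obj, start = json.JSONDecoder(), None, text.find("{")
    while start != -1 and obj is None:
        try:
            obj, _ = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            start = text.find("{", start + 1)
    if not isinstance(obj, dict) or not isinstance(obj.get("threat_detected"), bool):
        return None
    try:
        verdict = {"threat_detected": obj["threat_detected"], "confidence": float(obj["confidence"]),
                   "threat_type": str(obj["threat_type"]), "indicators": [str(i) for i in obj["indicators"]],
                   "recommended_actions": [str(a) for a in obj["recommended_actions"]]}
    except (KeyError, TypeError, ValueError):
        return None
    if not 0.0 <= verdict["confidence"] <= 1.0 or verdict["threat_type"] not in THREAT_TYPES:
        return None  # e.g. a percentage instead of a fraction: never act on a malformed verdict
    return verdict

def decide(analysis, snap, threshold=0.7, allowlist=frozenset()):
    """Step 4: the verdict decides whether to act, the snapshot decides on what.
    Returns the plan only; the real agent would os.kill() and os.remove()."""
    if not analysis["threat_detected"]:
        return {"action": "none", "plan": []}
    if analysis["confidence"] < threshold:
        return {"action": "manual_review", "plan": []}
    kills = [("kill", p.pid) for p in snap.processes
             if p.name not in allowlist and (p.name in KNOWN_MINER_SIGNATURES or p.cpu_percent > HIGH_CPU)]
    return {"action": "auto_mitigate", "plan": kills + [("remove", f) for f in snap.tmp_executables]}

def run(snap, llm_reply=None, allowlist=frozenset()):
    """One scan cycle: quick check, LLM verdict if usable, otherwise fallback, then decide."""
    if is_clean(snap):
        return {"action": "none", "plan": [], "source": "quick_check"}
    analysis = parse_llm_response(llm_reply) if llm_reply else None
    source = "llm" if analysis else "fallback"
    analysis = analysis or fallback_analysis(snap, allowlist)
    return {**decide(analysis, snap, allowlist=allowlist), "source": source, "analysis": analysis}

# Constructed sample snapshots (not captures from NODE1), modelled on Incident #4.
INCIDENT = Snapshot(17.2, [Process(123456, "bzip2egrep", 1694.0), Process(880, "postgres", 12.0)],
                    ["/tmp/.perf.c/bzip2egrep"], [(123456, 14444)])
BUSY_DB = Snapshot(6.1, [Process(880, "postgres", 310.0)])  # legitimate load spike, no miner
CLEAN = Snapshot(0.4, [Process(880, "postgres", 3.0)])
```

Two design points are worth noting. First, `parse_llm_response()` rejects anything that is not a well-formed verdict (a missing field, a non-boolean `threat_detected`, a confidence of `95` instead of `0.95`, an unknown `threat_type`) and lets the cycle fall through to the rule-based path; coercing a malformed reply into a kill decision would turn a prompt or parsing glitch into a host-level action. Second, the whitelist is applied in both `fallback_analysis()` and `decide()`: an allowlisted process neither raises the score nor ends up in the kill plan, which is what keeps a busy `postgres` under load (the `BUSY_DB` sample, 0.44 without the whitelist) out of the auto-mitigation path. On the `INCIDENT` sample the fallback scores 0.92 and plans to kill PID 123456 and remove `/tmp/.perf.c/bzip2egrep`, matching the high-confidence log above.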