microdao-daarion/services/ai-security-agent/README.md
Apple 744c149300
Add automated session logging system
- Created logs/ structure (sessions, operations, incidents)
- Added session-start/log/end scripts
- Installed Git hooks for auto-logging commits/pushes
- Added shell integration for zsh
- Created CHANGELOG.md
- Documented today's session (2026-01-10)
2026-01-10 04:53:17 -08:00
# 🤖 AI Security Agent - Intelligent Crypto Miner Detection
AI-powered security agent that uses a local LLM (Ollama qwen3:8b) to detect and mitigate cryptocurrency-mining malware on NODE1.
## Features
### 🔍 Intelligent Detection
- **LLM-powered analysis**: Uses Ollama qwen3:8b for contextual threat analysis
- **Multi-signal detection**: CPU usage, process names, network connections, filesystem
- **Known miner signatures**: Detects patterns from previous incidents
- **Fallback rules**: Works even if LLM is unavailable
### ⚡ Auto-Mitigation
- **Automatic response**: Kills malicious processes (>70% confidence)
- **File cleanup**: Removes suspicious executables from /tmp
- **Selective action**: Manual review for lower confidence threats
### 📊 Monitoring
- **Real-time scanning**: Continuous monitoring every 5 minutes
- **Smart optimization**: Skips LLM analysis if system is clean
- **Comprehensive logging**: Detailed logs at `/var/log/ai-security-agent.log`
## Known Threats Detected
From previous incidents on NODE1:
**Incident #3 (postgres:15-alpine):**
- `cpioshuf` - 1764% CPU
- `ipcalcpg_recvlogical` - Auto-restart variant
- `mysql` - 933% CPU
**Incident #4 (postgres:16-alpine):**
- `bzip2egrep` - 1694% CPU
- `flockresize` - 1628% CPU
**Common patterns:**
- Hidden directories: `/tmp/.perf.c/`
- Process masquerading: Disguised as `postgres`, `mysql`, etc.
- High CPU usage: >1000% (multi-threaded mining)
- Mining pool connections: Ports 3333, 4444, 5555, 7777, 8888, 9999, 14444
## Installation
### 1. Deploy to NODE1
```bash
# Copy service to NODE1
scp -r services/ai-security-agent root@144.76.224.179:/opt/microdao-daarion/services/
# SSH to NODE1
ssh root@144.76.224.179
# Navigate to service directory
cd /opt/microdao-daarion/services/ai-security-agent
# Build and start
docker compose up -d --build
```
### 2. Verify Deployment
```bash
# Check container status
docker ps | grep ai-security-agent
# View logs
docker logs -f ai-security-agent
# Check log file
tail -f logs/ai-security-agent.log
```
## Configuration
Environment variables (in `docker-compose.yml`):
| Variable | Default | Description |
|----------|---------|-------------|
| `OLLAMA_BASE_URL` | `http://host.docker.internal:11434` | Ollama API endpoint |
| `OLLAMA_MODEL` | `qwen3:8b` | LLM model for analysis |
| `CHECK_INTERVAL` | `300` | Scan interval in seconds (5 min) |
| `ALERT_THRESHOLD` | `0.7` | Confidence threshold for auto-mitigation |
## How It Works
### 1. Data Collection
Every 5 minutes, the agent collects:
- System load average and CPU usage
- Processes using >50% CPU
- Known miner process names
- Executable files in `/tmp` (created in last 24h)
- Network connections to suspicious ports
### 2. Quick Check
If the system is clean (load <5, no suspicious activity):
- ✅ Skip LLM analysis
- Log "System clean"
- Wait for next interval
### 3. LLM Analysis
If suspicious activity is detected:
- 🧠 Send metrics to Ollama qwen3:8b
- LLM analyzes with cybersecurity expertise
- Returns JSON with:
  - `threat_detected`: boolean
  - `confidence`: 0.0-1.0
  - `threat_type`: `crypto_miner` | `suspicious_activity` | `false_positive`
  - `indicators`: List of specific findings
  - `recommended_actions`: What to do
### 4. Auto-Mitigation
If confidence >= 70%:
- ⚡ Kill high CPU processes
- ⚡ Kill known miner processes
- ⚡ Remove suspicious /tmp files
- ⚡ Clean /tmp/.perf.c/
- 📝 Log all actions
If confidence < 70%:
- ⚠️ Log for manual review
- No automatic action
### 5. Fallback Mode
If the LLM call fails:
- Use rule-based detection
- Check: load average, high CPU, known signatures, /tmp files, network
- Calculate confidence based on multiple indicators
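The decision path of steps 2 to 5 as an added Python example (this is not the code in `security_agent.py`): the quick check, validation of the model's JSON before it is trusted, the rule-based fallback, and the 70% threshold. The metrics-dict field names and the per-indicator weights are assumptions; the signatures, pool ports and the 0.7 threshold come from this README.

```python
import json
KNOWN_MINER_SIGNATURES = {"cpioshuf", "ipcalcpg_recvlogical", "bzip2egrep", "flockresize"}
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}
ALERT_THRESHOLD = 0.7  # default from the docker-compose.yml table

def quick_check_clean(m):  # Step 2: skip the LLM when load is low and the collector found no signal
    return m["load_avg"] < 5 and not (m["high_cpu_procs"] or m["tmp_executables"] or m["suspicious_ports"])

def fallback_analysis(m):
    """Step 5: rule-based scoring. The weights are assumed; confidence is capped at 1.0."""
    findings = []  # (weight, indicator text, is_miner_signal)
    for p in m["high_cpu_procs"]:  # the collector already filtered these to >50% CPU
        if p["name"] in KNOWN_MINER_SIGNATURES:
            findings.append((0.5, f"Known miner signature: {p['name']} (PID {p['pid']})", True))
        if p["cpu"] > 1000:  # multi-threaded mining pattern seen in past incidents
            findings.append((0.3, f"High CPU usage: {p['cpu']:.0f}%", False))
    findings += [(0.2, f"Suspicious executable: {path}", False) for path in m["tmp_executables"]]
    findings += [(0.2, f"Mining pool port: {port}", True) for port in m["suspicious_ports"] if port in MINING_POOL_PORTS]
    if m["load_avg"] >= 5:
        findings.append((0.1, f"High load average: {m['load_avg']}", False))
    score = min(sum(w for w, _, _ in findings), 1.0)
    miner = any(flag for _, _, flag in findings)
    return {"threat_detected": score > 0, "confidence": score,
            "threat_type": "crypto_miner" if miner else "suspicious_activity" if score else "false_positive",
            "indicators": [text for _, text, _ in findings]}

def parse_llm_response(raw):
    """Step 3: accept the model's JSON only if it carries the documented fields; otherwise None."""
    try:
        data = json.loads(raw)
        data["confidence"] = float(data["confidence"])
        if (not 0.0 <= data["confidence"] <= 1.0
                or data["threat_type"] not in {"crypto_miner", "suspicious_activity", "false_positive"}):
            return None
        data["threat_detected"] = bool(data["threat_detected"])
        return data
    except (ValueError, KeyError, TypeError):
        return None

def decide(m, llm_raw=None):
    """Steps 2-5: returns ('clean' | 'auto_mitigate' | 'manual_review', analysis)."""
    if quick_check_clean(m):
        return "clean", None
    analysis = parse_llm_response(llm_raw) or fallback_analysis(m)  # unreachable/malformed LLM -> rules
    if analysis["threat_detected"] and analysis["confidence"] >= ALERT_THRESHOLD:
        return "auto_mitigate", analysis
    return "manual_review", analysis

INCIDENT_4 = {"load_avg": 17.0, "high_cpu_procs": [{"name": "bzip2egrep", "pid": 123456, "cpu": 1694.0}],
              "tmp_executables": ["/tmp/.perf.c/bzip2egrep"], "suspicious_ports": [3333]}  # constructed sample
```

With `INCIDENT_4` and no LLM output, `decide` falls back to the rules and reaches the auto-mitigation branch; with a well-formed 45% verdict from the model it returns `manual_review`, matching the log examples below.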
## Example Logs
### Clean System
```
[2026-01-10 10:00:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:00:01] [INFO] ✅ System clean (quick check)
```
### Threat Detected (Low Confidence)
```
[2026-01-10 10:05:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:05:01] [INFO] 🧠 Analyzing with AI (suspicious activity detected)...
[2026-01-10 10:05:05] [INFO] Analysis complete: threat=True, confidence=45%
[2026-01-10 10:05:05] [ALERT] 🚨 THREAT DETECTED (Incident #1)
[2026-01-10 10:05:05] [ALERT] Confidence: 45%
[2026-01-10 10:05:05] [ALERT] Type: suspicious_activity
[2026-01-10 10:05:05] [ALERT] Summary: High CPU process detected but no known signatures
[2026-01-10 10:05:05] [ALERT] ⚠️ Confidence 45% below threshold 70%, manual review recommended
```
### Threat Detected (High Confidence - Auto-Mitigation)
```
[2026-01-10 10:10:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:10:01] [INFO] 🧠 Analyzing with AI (suspicious activity detected)...
[2026-01-10 10:10:08] [INFO] Analysis complete: threat=True, confidence=95%
[2026-01-10 10:10:08] [ALERT] 🚨 THREAT DETECTED (Incident #2)
[2026-01-10 10:10:08] [ALERT] Confidence: 95%
[2026-01-10 10:10:08] [ALERT] Type: crypto_miner
[2026-01-10 10:10:08] [ALERT] Summary: Known miner signature 'bzip2egrep' detected with high CPU
[2026-01-10 10:10:08] [ALERT] 📍 Known miner signature: bzip2egrep (PID 123456)
[2026-01-10 10:10:08] [ALERT] 📍 Suspicious executable: /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ALERT] 📍 High CPU usage: 1694%
[2026-01-10 10:10:08] [ALERT] ⚡ EXECUTING AUTO-MITIGATION
[2026-01-10 10:10:08] [ACTION] Killing known miner PID 123456 (bzip2egrep)
[2026-01-10 10:10:08] [ACTION] Removing /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ACTION] Cleaning /tmp/.perf.c/
[2026-01-10 10:10:09] [ALERT] ✅ AUTO-MITIGATION COMPLETED
```
## Advantages Over Bash Script
### Old Script (`/root/monitor_scanning.sh`)
- ✅ Simple and fast
- ✅ No dependencies
- ❌ Rule-based only (can miss new variants)
- ❌ No contextual analysis
- ❌ Manual threshold tuning
- ❌ No learning capability
### New AI Agent
- **Contextual understanding**: LLM analyzes patterns holistically
- **Adaptive**: Can detect new miner variants by behavior
- **Confidence scoring**: Nuanced threat assessment
- **Detailed explanations**: Understands WHY something is suspicious
- **Future-proof**: Can be updated with new threat intelligence
- **Fallback safety**: Works even if LLM fails
## Architecture
```
┌─────────────────────────────────────────┐
│ NODE1 Host System                       │
│                                         │
│  ┌──────────────────────────────────┐   │
│  │ AI Security Agent (Container)    │   │
│  │                                  │   │
│  │  ┌────────────────────────────┐  │   │
│  │  │ 1. Metric Collector        │  │   │
│  │  │  - psutil (CPU, procs)     │  │   │
│  │  │  - find (/tmp scan)        │  │   │
│  │  │  - network connections     │  │   │
│  │  └────────────────────────────┘  │   │
│  │                ↓                 │   │
│  │  ┌────────────────────────────┐  │   │
│  │  │ 2. Quick Filter            │  │   │
│  │  │  - Skip if clean           │  │   │
│  │  └────────────────────────────┘  │   │
│  │                ↓                 │   │
│  │  ┌────────────────────────────┐  │   │
│  │  │ 3. LLM Analyzer            │  │   │
│  │  │  - Ollama qwen3:8b         │←─┼───┼─┐
│  │  │  - Contextual AI           │  │   │ │
│  │  └────────────────────────────┘  │   │ │
│  │                ↓                 │   │ │
│  │  ┌────────────────────────────┐  │   │ │
│  │  │ 4. Decision Engine         │  │   │ │
│  │  │  - Confidence threshold    │  │   │ │
│  │  └────────────────────────────┘  │   │ │
│  │                ↓                 │   │ │
│  │  ┌────────────────────────────┐  │   │ │
│  │  │ 5. Auto-Mitigation         │  │   │ │
│  │  │  - Kill processes          │  │   │ │
│  │  │  - Clean files             │  │   │ │
│  │  └────────────────────────────┘  │   │ │
│  └──────────────────────────────────┘   │ │
│                                         │ │
│  ┌──────────────────────────────────┐   │ │
│  │ Ollama Service                   │   │ │
│  │ localhost:11434                  │◄──┼─┘
│  │ qwen3:8b (8B params)             │   │
│  └──────────────────────────────────┘   │
└─────────────────────────────────────────┘
```
## Monitoring Agent Health
```bash
# Check agent status
docker ps | grep ai-security-agent
# View real-time logs
docker logs -f ai-security-agent
# Check log file
tail -f /opt/microdao-daarion/services/ai-security-agent/logs/ai-security-agent.log
# Check resource usage
docker stats ai-security-agent
# Restart if needed
cd /opt/microdao-daarion/services/ai-security-agent
docker compose restart
```
## Troubleshooting
### Agent not detecting processes
**Issue**: Can't see host processes
**Fix**: Ensure `pid: host` in docker-compose.yml
### Can't kill processes
**Issue**: Permission denied
**Fix**: Ensure `privileged: true` in docker-compose.yml
### LLM connection failed
**Issue**: Can't reach Ollama
**Fix**: Check `OLLAMA_BASE_URL`, ensure Ollama is running
```bash
curl http://localhost:11434/api/tags
```
### High memory usage
**Issue**: Agent using >512MB
**Fix**: Reduce `CHECK_INTERVAL` or limit `num_predict` in LLM call
## Security Considerations
### Privileges
- Agent runs with `privileged: true` to kill processes
- Has access to host PID namespace
- Can modify host /tmp directory
**Mitigation**: Agent runs in Docker container with resource limits
### False Positives
- Agent requires 70% confidence for auto-kill
- Lower confidence threats logged for manual review
- Legitimate high-CPU processes might be flagged
**Mitigation**: Adjust `ALERT_THRESHOLD`, add process whitelist if needed
## Future Improvements
- [ ] **Telegram alerts**: Send notifications on threat detection
- [ ] **Prometheus metrics**: Expose threat count, confidence scores
- [ ] **Process whitelist**: Exclude known-good high-CPU processes
- [ ] **Network blocking**: Block mining pool IPs via iptables
- [ ] **Image scanning**: Scan Docker images before they run
- [ ] **Historical analysis**: Track patterns over time
- [ ] **Multi-node**: Extend to NODE2 and NODE3
## Contributing
To update threat signatures:
1. Edit `KNOWN_MINER_SIGNATURES` in `security_agent.py`
2. Rebuild container: `docker compose up -d --build`
To adjust detection logic:
1. Modify `_fallback_analysis()` for rule-based detection
2. Update LLM prompt in `analyze_with_llm()` for AI analysis
---
**Version**: 1.0.0
**Created**: 2026-01-10
**Maintained by**: DAARION Security Team
**Status**: ✅ Production Ready