microdao-daarion/services/ai-security-agent/README.md
Apple 744c149300
Add automated session logging system
- Created logs/ structure (sessions, operations, incidents)
- Added session-start/log/end scripts
- Installed Git hooks for auto-logging commits/pushes
- Added shell integration for zsh
- Created CHANGELOG.md
- Documented today's session (2026-01-10)
2026-01-10 04:53:17 -08:00


🤖 AI Security Agent - Intelligent Crypto Miner Detection

AI-powered security agent that uses a local LLM (Ollama qwen3:8b) to detect and mitigate cryptocurrency-mining malware on NODE1.

Features

🔍 Intelligent Detection

  • LLM-powered analysis: Uses Ollama qwen3:8b for contextual threat analysis
  • Multi-signal detection: CPU usage, process names, network connections, filesystem
  • Known miner signatures: Detects patterns from previous incidents
  • Fallback rules: Works even if LLM is unavailable

Auto-Mitigation

  • Automatic response: Kills malicious processes (>70% confidence)
  • File cleanup: Removes suspicious executables from /tmp
  • Selective action: Manual review for lower confidence threats

📊 Monitoring

  • Real-time scanning: Continuous monitoring every 5 minutes
  • Smart optimization: Skips LLM analysis if system is clean
  • Comprehensive logging: Detailed logs at /var/log/ai-security-agent.log

Known Threats Detected

From previous incidents on NODE1:

Incident #3 (postgres:15-alpine):

  • cpioshuf - 1764% CPU
  • ipcalcpg_recvlogical - Auto-restart variant
  • mysql - 933% CPU

Incident #4 (postgres:16-alpine):

  • bzip2egrep - 1694% CPU
  • flockresize - 1628% CPU

Common patterns:

  • Hidden directories: /tmp/.perf.c/
  • Process masquerading: Disguised as postgres, mysql, etc.
  • High CPU usage: >1000% (multi-threaded mining)
  • Mining pool connections: Ports 3333, 4444, 5555, 7777, 8888, 9999, 14444

Installation

1. Deploy to NODE1

# Copy service to NODE1
scp -r services/ai-security-agent root@144.76.224.179:/opt/microdao-daarion/services/

# SSH to NODE1
ssh root@144.76.224.179

# Navigate to service directory
cd /opt/microdao-daarion/services/ai-security-agent

# Build and start
docker compose up -d --build

2. Verify Deployment

# Check container status
docker ps | grep ai-security-agent

# View logs
docker logs -f ai-security-agent

# Check log file
tail -f logs/ai-security-agent.log

Configuration

Environment variables (in docker-compose.yml):

| Variable | Default | Description |
|---|---|---|
| OLLAMA_BASE_URL | http://host.docker.internal:11434 | Ollama API endpoint |
| OLLAMA_MODEL | qwen3:8b | LLM model for analysis |
| CHECK_INTERVAL | 300 | Scan interval in seconds (5 min) |
| ALERT_THRESHOLD | 0.7 | Confidence threshold for auto-mitigation |

How It Works

1. Data Collection

Every 5 minutes, the agent collects:

  • System load average and CPU usage
  • Processes using >50% CPU
  • Known miner process names
  • Executable files in /tmp (created in last 24h)
  • Network connections to suspicious ports

2. Quick Check

If the system is clean (load <5, no suspicious activity):

  • Skip LLM analysis
  • Log "System clean"
  • Wait for next interval

3. LLM Analysis

If suspicious activity is detected:

  • 🧠 Send metrics to Ollama qwen3:8b
  • The LLM analyzes the metrics from a cybersecurity perspective
  • Returns JSON with:
    • threat_detected: boolean
    • confidence: 0.0-1.0
    • threat_type: crypto_miner | suspicious_activity | false_positive
    • indicators: List of specific findings
    • recommended_actions: What to do

4. Auto-Mitigation

If confidence >= 70%:

  • Kill high CPU processes
  • Kill known miner processes
  • Remove suspicious /tmp files
  • Clean /tmp/.perf.c/
  • 📝 Log all actions

If confidence < 70%:

  • ⚠️ Log for manual review
  • No automatic action

5. Fallback Mode

If the LLM call fails:

  • Use rule-based detection
  • Check: load average, high CPU, known signatures, /tmp files, network
  • Calculate confidence based on multiple indicators
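The five steps above, as an added worked example in Python (not the project's security_agent.py): a stdlib-only model of one scan cycle that runs the quick check, validates the LLM's JSON reply, falls back to rule-based scoring when the reply is unusable, and applies the 70% threshold. The metric snapshot shape, the rule weights, the function names and the sample model replies are assumptions; the miner signatures, pool ports and thresholds are the ones this README lists.

```python
"""Added example, not the project's security_agent.py: a stdlib-only model of the scan
pipeline (steps 2-5). Snapshot shape, rule weights and function names are assumptions."""
import json
import re

KNOWN_MINER_SIGNATURES = {"cpioshuf", "ipcalcpg_recvlogical", "bzip2egrep", "flockresize"}
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}
HIGH_CPU_PERCENT = 50.0   # "Processes using >50% CPU"
CLEAN_LOAD_LIMIT = 5.0    # quick check: "load <5"
ALERT_THRESHOLD = 0.7     # auto-mitigation threshold (ALERT_THRESHOLD env var)
VALID_THREAT_TYPES = {"crypto_miner", "suspicious_activity", "false_positive"}

# Constructed snapshot (assumed shape); the real agent fills it from psutil/find/network data.
SAMPLE_METRICS = {
    "load_avg_1m": 18.4,
    "processes": [{"pid": 123456, "name": "bzip2egrep", "cpu_percent": 1694.0},
                  {"pid": 2201, "name": "postgres", "cpu_percent": 12.0}],
    "tmp_executables": ["/tmp/.perf.c/bzip2egrep"],
    "connections": [{"pid": 123456, "remote_port": 3333}],
}
# Constructed model replies; qwen3 may prefix its answer with a <think> block.
LLM_REPLY_OK = ('<think>cpu is far too high</think>\n{"threat_detected": true, "confidence": 0.95, '
                '"threat_type": "crypto_miner", "indicators": ["bzip2egrep at 1694% CPU"], '
                '"recommended_actions": ["kill PID 123456"]}')
LLM_REPLY_BAD = "Sure! The host looks compromised, you should kill the process."


def is_clean(m):
    """Step 2 quick check: skip the LLM when load is low and no signal fired."""
    return (m["load_avg_1m"] < CLEAN_LOAD_LIMIT
            and not any(p["cpu_percent"] > HIGH_CPU_PERCENT for p in m["processes"])
            and not m["tmp_executables"]
            and not any(c["remote_port"] in MINING_POOL_PORTS for c in m["connections"]))


def parse_llm_analysis(raw):
    """Step 3: extract and validate the JSON object in the model reply.
    Returns None on any defect so the caller falls back to rules (step 5)."""
    text = re.sub(r"<think>.*?</think>", "", raw, flags=re.S)
    start = text.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(text[start:])
        confidence = float(obj["confidence"])
    except (json.JSONDecodeError, KeyError, TypeError, ValueError):
        return None
    if (not isinstance(obj, dict) or not isinstance(obj.get("threat_detected"), bool)
            or obj.get("threat_type") not in VALID_THREAT_TYPES):
        return None
    return {"threat_detected": obj["threat_detected"],
            "confidence": max(0.0, min(1.0, confidence)),   # clamp out-of-range values
            "threat_type": obj["threat_type"],
            "indicators": [str(i) for i in obj.get("indicators", [])],
            "recommended_actions": [str(a) for a in obj.get("recommended_actions", [])],
            "source": "llm"}


def fallback_analysis(m):
    """Step 5: rule-based scoring; each indicator adds an assumed weight, capped at 1.0."""
    indicators, score = [], 0.0
    if m["load_avg_1m"] >= CLEAN_LOAD_LIMIT:
        indicators.append(f"High load average: {m['load_avg_1m']}")
        score += 0.15
    for p in m["processes"]:
        if p["name"] in KNOWN_MINER_SIGNATURES:
            indicators.append(f"Known miner signature: {p['name']} (PID {p['pid']})")
            score += 0.5
        if p["cpu_percent"] > HIGH_CPU_PERCENT:
            indicators.append(f"High CPU usage: {p['name']} at {p['cpu_percent']}%")
            score += 0.2
    for path in m["tmp_executables"]:
        indicators.append(f"Suspicious executable: {path}")
        score += 0.2
    for c in m["connections"]:
        if c["remote_port"] in MINING_POOL_PORTS:
            indicators.append(f"Mining pool port {c['remote_port']} (PID {c['pid']})")
            score += 0.25
    confidence = round(min(score, 1.0), 2)
    threat_type = ("crypto_miner" if confidence >= ALERT_THRESHOLD
                   else "suspicious_activity" if confidence > 0 else "false_positive")
    actions = (["kill flagged processes", "remove /tmp executables"]
               if confidence >= ALERT_THRESHOLD else ["manual review"])
    return {"threat_detected": confidence > 0, "confidence": confidence, "threat_type": threat_type,
            "indicators": indicators, "recommended_actions": actions, "source": "fallback"}


def decide(analysis, threshold=ALERT_THRESHOLD):
    """Step 4: auto-mitigate only at or above the threshold; otherwise log for manual review."""
    if not analysis["threat_detected"]:
        return "clean"
    return "auto_mitigate" if analysis["confidence"] >= threshold else "manual_review"


def run_scan(metrics, llm_reply=None):
    """One scan cycle: quick check, then LLM analysis if a reply is usable, rules otherwise."""
    if is_clean(metrics):
        return {"decision": "clean", "analysis": None}
    analysis = parse_llm_analysis(llm_reply) if llm_reply is not None else None
    if analysis is None:
        analysis = fallback_analysis(metrics)
    return {"decision": decide(analysis), "analysis": analysis}
```

The validation step is the part worth copying: the model's reply is untrusted input, so a malformed, truncated or out-of-range answer never reaches the kill path; any defect makes parse_llm_analysis return None and the rules decide instead. Calling run_scan(SAMPLE_METRICS, LLM_REPLY_BAD) therefore yields a fallback analysis with confidence 1.0 (five indicators, capped), while run_scan(SAMPLE_METRICS, LLM_REPLY_OK) uses the model's 0.95.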

Example Logs

Clean System

[2026-01-10 10:00:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:00:01] [INFO] ✅ System clean (quick check)

Threat Detected (Low Confidence)

[2026-01-10 10:05:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:05:01] [INFO] 🧠 Analyzing with AI (suspicious activity detected)...
[2026-01-10 10:05:05] [INFO]    Analysis complete: threat=True, confidence=45%
[2026-01-10 10:05:05] [ALERT] 🚨 THREAT DETECTED (Incident #1)
[2026-01-10 10:05:05] [ALERT]    Confidence: 45%
[2026-01-10 10:05:05] [ALERT]    Type: suspicious_activity
[2026-01-10 10:05:05] [ALERT]    Summary: High CPU process detected but no known signatures
[2026-01-10 10:05:05] [ALERT] ⚠️  Confidence 45% below threshold 70%, manual review recommended

Threat Detected (High Confidence - Auto-Mitigation)

[2026-01-10 10:10:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:10:01] [INFO] 🧠 Analyzing with AI (suspicious activity detected)...
[2026-01-10 10:10:08] [INFO]    Analysis complete: threat=True, confidence=95%
[2026-01-10 10:10:08] [ALERT] 🚨 THREAT DETECTED (Incident #2)
[2026-01-10 10:10:08] [ALERT]    Confidence: 95%
[2026-01-10 10:10:08] [ALERT]    Type: crypto_miner
[2026-01-10 10:10:08] [ALERT]    Summary: Known miner signature 'bzip2egrep' detected with high CPU
[2026-01-10 10:10:08] [ALERT]    📍 Known miner signature: bzip2egrep (PID 123456)
[2026-01-10 10:10:08] [ALERT]    📍 Suspicious executable: /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ALERT]    📍 High CPU usage: 1694%
[2026-01-10 10:10:08] [ALERT] ⚡ EXECUTING AUTO-MITIGATION
[2026-01-10 10:10:08] [ACTION]    Killing known miner PID 123456 (bzip2egrep)
[2026-01-10 10:10:08] [ACTION]    Removing /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ACTION]    Cleaning /tmp/.perf.c/
[2026-01-10 10:10:09] [ALERT] ✅ AUTO-MITIGATION COMPLETED
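As an added example (not part of the agent), the log format shown above parsed into structured incident records, the kind of step the Telegram or Prometheus integrations listed under Future Improvements would need. The line format is inferred from the sample lines, the embedded log is constructed from them, and the function names are assumptions.

```python
"""Added example, not part of the agent: parse its log lines into incident records.
Line format inferred from the README samples; the log below is constructed from them."""
import re

LINE_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] \[(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$")
INCIDENT_RE = re.compile(r"THREAT DETECTED \(Incident #(?P<id>\d+)\)")
CONF_RE = re.compile(r"Confidence: (?P<pct>\d+)%")
TYPE_RE = re.compile(r"Type: (?P<type>\w+)")

SAMPLE_LOG = """\
[2026-01-10 10:00:00] [INFO] 🔍 Starting security scan...
[2026-01-10 10:00:01] [INFO] ✅ System clean (quick check)
[2026-01-10 10:05:05] [ALERT] 🚨 THREAT DETECTED (Incident #1)
[2026-01-10 10:05:05] [ALERT]    Confidence: 45%
[2026-01-10 10:05:05] [ALERT]    Type: suspicious_activity
[2026-01-10 10:05:05] [ALERT] ⚠️  Confidence 45% below threshold 70%, manual review recommended
[2026-01-10 10:10:08] [ALERT] 🚨 THREAT DETECTED (Incident #2)
[2026-01-10 10:10:08] [ALERT]    Confidence: 95%
[2026-01-10 10:10:08] [ALERT]    Type: crypto_miner
[2026-01-10 10:10:08] [ALERT]    📍 Known miner signature: bzip2egrep (PID 123456)
[2026-01-10 10:10:08] [ALERT]    📍 Suspicious executable: /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:08] [ALERT] ⚡ EXECUTING AUTO-MITIGATION
[2026-01-10 10:10:08] [ACTION]    Killing known miner PID 123456 (bzip2egrep)
[2026-01-10 10:10:08] [ACTION]    Removing /tmp/.perf.c/bzip2egrep
[2026-01-10 10:10:09] [ALERT] ✅ AUTO-MITIGATION COMPLETED
"""


def parse_line(line):
    """Split one log line into timestamp, level and message; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_incidents(text):
    """Group ALERT/ACTION lines into incidents keyed by the 'Incident #N' header line."""
    incidents, cur = [], None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"].strip()
        if (hit := INCIDENT_RE.search(msg)):
            cur = {"id": int(hit["id"]), "started": rec["ts"], "confidence": None, "type": None,
                   "indicators": [], "actions": [], "mitigated": False}
            incidents.append(cur)
        elif cur is None:
            continue                      # INFO lines before any incident
        elif (hit := CONF_RE.search(msg)):
            cur["confidence"] = int(hit["pct"]) / 100
        elif (hit := TYPE_RE.search(msg)):
            cur["type"] = hit["type"]
        elif msg.startswith("📍"):
            cur["indicators"].append(msg.lstrip("📍 "))
        elif rec["level"] == "ACTION":
            cur["actions"].append(msg)
        elif "AUTO-MITIGATION COMPLETED" in msg:
            cur["mitigated"] = True
    return incidents


def needs_attention(incidents):
    """Incident ids that were flagged but not auto-mitigated, i.e. left for manual review."""
    return [i["id"] for i in incidents if not i["mitigated"]]
```

On the sample log this yields two incidents: #1 (confidence 0.45, suspicious_activity, no actions) and #2 (confidence 0.95, crypto_miner, two indicators, two actions, mitigated), so needs_attention returns [1]; that list is what a notification hook would forward for manual review.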

Advantages Over Bash Script

Old Script (/root/monitor_scanning.sh)

  • Simple and fast
  • No dependencies
  • Rule-based only (can miss new variants)
  • No contextual analysis
  • Manual threshold tuning
  • No learning capability

New AI Agent

  • Contextual understanding: LLM analyzes patterns holistically
  • Adaptive: Can detect new miner variants by behavior
  • Confidence scoring: Nuanced threat assessment
  • Detailed explanations: Reports WHY something is suspicious
  • Future-proof: Can be updated with new threat intelligence
  • Fallback safety: Works even if LLM fails

Architecture

┌─────────────────────────────────────────┐
│         NODE1 Host System               │
│                                         │
│  ┌──────────────────────────────────┐  │
│  │  AI Security Agent (Container)   │  │
│  │                                  │  │
│  │  ┌────────────────────────────┐ │  │
│  │  │  1. Metric Collector       │ │  │
│  │  │     - psutil (CPU, procs)  │ │  │
│  │  │     - find (/tmp scan)     │ │  │
│  │  │     - network connections  │ │  │
│  │  └────────────────────────────┘ │  │
│  │            ↓                     │  │
│  │  ┌────────────────────────────┐ │  │
│  │  │  2. Quick Filter           │ │  │
│  │  │     - Skip if clean        │ │  │
│  │  └────────────────────────────┘ │  │
│  │            ↓                     │  │
│  │  ┌────────────────────────────┐ │  │
│  │  │  3. LLM Analyzer           │ │  │
│  │  │     - Ollama qwen3:8b      │←─┼──┼─┐
│  │  │     - Contextual AI        │ │  │ │
│  │  └────────────────────────────┘ │  │ │
│  │            ↓                     │  │ │
│  │  ┌────────────────────────────┐ │  │ │
│  │  │  4. Decision Engine        │ │  │ │
│  │  │     - Confidence threshold │ │  │ │
│  │  └────────────────────────────┘ │  │ │
│  │            ↓                     │  │ │
│  │  ┌────────────────────────────┐ │  │ │
│  │  │  5. Auto-Mitigation        │ │  │ │
│  │  │     - Kill processes       │ │  │ │
│  │  │     - Clean files          │ │  │ │
│  │  └────────────────────────────┘ │  │ │
│  └──────────────────────────────────┘  │ │
│                                         │ │
│  ┌──────────────────────────────────┐  │ │
│  │  Ollama Service                  │  │ │
│  │  localhost:11434                 │◄─┼─┘
│  │  qwen3:8b (8B params)            │  │
│  └──────────────────────────────────┘  │
└─────────────────────────────────────────┘

Monitoring Agent Health

# Check agent status
docker ps | grep ai-security-agent

# View real-time logs
docker logs -f ai-security-agent

# Check log file
tail -f /opt/microdao-daarion/services/ai-security-agent/logs/ai-security-agent.log

# Check resource usage
docker stats ai-security-agent

# Restart if needed
cd /opt/microdao-daarion/services/ai-security-agent
docker compose restart

Troubleshooting

Agent not detecting processes

Issue: Can't see host processes
Fix: Ensure pid: host in docker-compose.yml

Can't kill processes

Issue: Permission denied
Fix: Ensure privileged: true in docker-compose.yml

LLM connection failed

Issue: Can't reach Ollama
Fix: Check OLLAMA_BASE_URL, ensure Ollama is running

curl http://localhost:11434/api/tags

High memory usage

Issue: Agent using >512MB
Fix: Reduce CHECK_INTERVAL or limit num_predict in LLM call

Security Considerations

Privileges

  • Agent runs with privileged: true to kill processes
  • Has access to host PID namespace
  • Can modify host /tmp directory

Mitigation: The agent runs in a Docker container with resource limits

False Positives

  • Agent requires 70% confidence for auto-kill
  • Lower confidence threats logged for manual review
  • Legitimate high-CPU processes might be flagged

Mitigation: Adjust ALERT_THRESHOLD, add process whitelist if needed

Future Improvements

  • Telegram alerts: Send notifications on threat detection
  • Prometheus metrics: Expose threat count, confidence scores
  • Process whitelist: Exclude known-good high-CPU processes
  • Network blocking: Block mining pool IPs via iptables
  • Image scanning: Scan Docker images before they run
  • Historical analysis: Track patterns over time
  • Multi-node: Extend to NODE2 and NODE3

Contributing

To update threat signatures:

  1. Edit KNOWN_MINER_SIGNATURES in security_agent.py
  2. Rebuild container: docker compose up -d --build

To adjust detection logic:

  1. Modify _fallback_analysis() for rule-based detection
  2. Update LLM prompt in analyze_with_llm() for AI analysis

Version: 1.0.0
Created: 2026-01-10
Maintained by: DAARION Security Team
Status: Production Ready