Chiron is an innovative solution developed by JASK’s Director of Security Research, Rod Soto, and Director of Data Science, Joseph Zadeh. While JASK fully supports our team’s innovation, CHIRON is not a product of JASK, nor is it represented or sold by JASK.
Nowadays, all our homes have become microenvironments for complex networking, composed of almost every home appliance with added processing and networking capabilities. Examples of these home appliances include toasters, refrigerators, thermostats, cameras, TVs, wearables, door locks, light bulbs, vacuum cleaners, routers and printers, as well as personal computing products such as laptops, desktops, phones, tablets, etc.
Most of these devices, once connected, interact not only with the user but also with the internet. One reason they constantly interact with the internet is that these devices are essentially sensors with enough processing power to interact with each other and send information to the cloud, where a very large distributed computing infrastructure ingests it, processes it and responds to requests from these devices. This type of architecture requires a lot of computing power and expensive infrastructure, making it affordable only for very large enterprises.
However, at home, these interactions require a networking infrastructure that is very simple: an internet connection, a router and a WiFi access point. These interactions are transparent to the end user, as multiple network connections and data (some of it containing very personal information) go from the home to the cloud. Home users have no insight into these exchanges. They have no idea what is transferred to and from their home networks except for what they immediately see on their screens. This blind spot is very dangerous, as home networking faces many challenges, including:
The above items are legitimate use cases for home network monitoring and defense. Today, home defense is usually limited to antivirus software, but considering that many devices on the home network cannot run antivirus software, and that users have only common sense with which to face many current internet threats, the home network is pretty much defenseless.
Enter CHIRON: a home-based analytics, machine learning threat detection tool
CHIRON is a home analytics framework based on the ELK stack, combined with the machine learning threat detection framework AKTAION. CHIRON parses and displays data from p0f, Nmap, and Bro IDS. CHIRON is designed for home use and gives great visibility into home internet devices (IoT, computers, cell phones, tablets, etc.).
It provides a picture of who and what your home devices are communicating and interacting with. The graph below shows examples of how IoT devices such as Google Chrome and Amazon Firesticks, Dots and Echos are seen by CHIRON.
The following is a CHIRON dashboard that shows identified operating systems, most active services/ports, and the most active local and external IP addresses.
These dashboards are simple and easy to read, yet they reveal a great deal of what is happening in the home network. They allow users to find unusual services, operating systems and communications that may indicate something suspicious is occurring in the home network.
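As an added illustration (not CHIRON's own code), this Python snippet computes the kind of aggregation such a dashboard rests on: the most active local and external hosts and the most active responder services, taken from a constructed Bro conn.log excerpt. It also lists connections to external hosts whose service Bro could not identify, one simple form of the "unusual service" a home user would want surfaced. The home address ranges and the "unidentified external service" flag are assumptions.

```python
"""Summarize a Bro/Zeek conn.log the way a CHIRON-style home dashboard does."""
import ipaddress
from collections import Counter

# Constructed sample in Bro's tab-separated conn.log layout (abridged field list).
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1526000000.1\tC1\t192.168.1.20\t51000\t93.184.216.34\t443\ttcp\tssl",
    "1526000001.2\tC2\t192.168.1.20\t51001\t93.184.216.34\t443\ttcp\tssl",
    "1526000002.3\tC3\t192.168.1.31\t5353\t224.0.0.251\t5353\tudp\tdns",
    "1526000003.4\tC4\t192.168.1.42\t49152\t203.0.113.9\t8080\ttcp\t-",
    "1526000004.5\tC5\t192.168.1.42\t49153\t203.0.113.9\t8080\ttcp\t-",
    "1526000005.6\tC6\t192.168.1.31\t40000\t198.51.100.7\t53\tudp\tdns",
])

# Assumption: the home LAN uses RFC 1918 space; multicast (mDNS, SSDP) counts as local too.
HOME_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header/comment lines, blank lines, or data before #fields
        else:
            yield dict(zip(fields, line.split("\t")))

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_multicast or any(ip in net for net in HOME_NETS)

def summarize(text, top=3):
    """Top local hosts, top external hosts, top responder services, and connections
    to external hosts whose service Bro left unidentified ('-')."""
    local, external, services, unidentified = Counter(), Counter(), Counter(), []
    for rec in parse_conn_log(text):
        for host in (rec["id.orig_h"], rec["id.resp_h"]):
            (local if is_local(host) else external)[host] += 1
        svc = rec["service"] if rec["service"] != "-" else "unknown"
        services["%s/%s (%s)" % (rec["id.resp_p"], rec["proto"], svc)] += 1
        if svc == "unknown" and not is_local(rec["id.resp_h"]):
            unidentified.append((rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"]))
    return {"top_local": local.most_common(top),
            "top_external": external.most_common(top),
            "top_services": services.most_common(top),
            "unidentified_external": unidentified}
```

Running `summarize(SAMPLE_CONN_LOG)` flags the two 8080/tcp connections from 192.168.1.42 to 203.0.113.9, since Bro could not name the service on that port.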
The line between home networks and internet is blurring, as all these internet-enabled devices are constantly communicating back and forth. CHIRON seeks to provide basic answers for home network monitoring such as:
CHIRON will perform the following basic tasks:
AKTAION – Machine Learning Threat Detection framework
Besides providing simple and easy-to-understand analytics, CHIRON also works with AKTAION, a machine learning framework for threat detection and active defense. AKTAION is scheduled to run every 4 hours and comes with its own benign training dataset.
If either phishing or ransomware delivery is discovered, micro-behavior indicators are shown, as in the following picture.
Future CHIRON iterations will incorporate other home-related protocols and tools such as Bluetooth, Zigbee, Kismet and popular open source IDSs.
The CHIRON framework was conceived to be open source. The objective is to bring in collaboration from the security community to develop a home-based monitoring, analytics and detection framework that is easy to use and transparent for end users. With collaboration and feedback from the community, this framework can eventually become a free, easy-to-use and easy-to-deploy tool for those who lack technical knowledge yet are exposed to the dangers of the internet.
Give CHIRON a try: go ahead and download the virtual machine here. You can also reach out to the creators via Twitter: @rodsoto @josephzadeh