Introducing CHIRON: A Case for Home Network Monitoring and Defense

Chiron is an innovative solution developed by JASK’s Director of Security Research, Rod Soto, and Director of Data Science, Joseph Zadeh.  While JASK fully supports our team’s innovation, CHIRON is not a product of JASK, nor is it represented or sold by JASK.

Nowadays, all our homes have become microenvironments for complex networking, composed of almost every single home appliance with added processing and networking capabilities. Examples of these home appliances include toasters, refrigerators, thermostats, cameras, TVs, wearables, door locks, light bulbs, vacuum cleaners, routers, printers, as well as personal computing products such as laptops, desktops, phones, tablets, etc.

Most of these devices, once connected, interact not only with the user but also with the internet. One of the reasons why they constantly interact with the internet is because these devices are basically propped-up sensors, that have enough processing power to interact among each other and send information to the cloud where very large distributed computing infrastructure ingests it, processes it and responds to requests from these devices. This type of architecture requires a lot of computing power and expensive infrastructure, making it only affordable by very large enterprises.

However, at home, these interactions require a networking infrastructure that is very simple: an internet connection, a router and a WiFi access point. These interactions are transparent to the end user, as multiple network connections and data (some of it containing very personal information) goes from home to the cloud. Home users do not have any insight into these exchanges. They have no idea what is transferred to and from their home networks except for what they immediately see on their screens. This blind spot is a very dangerous, as home networking is faced with many challenges including:

  • Malicious file downloads: Many Drive-by malicious sites will push malicious files into unsuspecting victims, as well as phishing emails which lead victims into executing malicious code via browser or fake/malicious applications.
  • Privacy risks: Many devices can lead to loss of privacy. A simple example is how malicious actors were able to spy on victims via webcams.
  • Data theft: Malicious actors have been known to target home based Network Attached Storage exfiltration personal data such as photos, financial data, sensitive private data.
  • Piracy: Are there torrent peer-to-peer type of file sharing software running inside homes? Is their home network running a node for a piracy service?
  • Are there people using their home networks without their knowledge? People using WiFi for personal use, downloading movies.
  • Are they being targeted by malicious organizations or even state sponsor actors?
  • Are there malicious/criminal linked services running at their home networks like Dark Web TOR services or SPAM email servers?


The above items are legitimate use cases for home networking monitoring and defense. Today, home defense is usually limited to antivirus software, but considering that many devices in the home network cannot run antiviruses, and users only count with common sense to face many of current internet threats, the home network is pretty much defenseless.


Enter CHIRON: a home-based analytics, machine learning threat detection tool

CHIRON is a home analytics framework based on ELK stack combined with Machine Learning threat detection framework AKTAIONCHIRON parses and displays data from P0f, Nmap, and BRO IDS. CHIRON is designed for home use and will give great visibility into home internet devices (IoT, computers, cell phones, tablets, etc).

It provides a picture of who and what your home devices are communicating to and interacting with. This graph below shows examples of how IoT devices such as Google Chrome and Amazon Firesticks, dots and echos can be seen by CHIRON.

The following is a CHIRON dashboard that shows identified operating systems, most active services/ports, and the most active local and external IP addresses.

These dashboards are simple and easy to read, however they reveal a great deal of what is happening in the home network. This would allow users to find unusual services, operating systems, communications and services that may indicate something suspicious is occurring in the home network.

The line between home networks and internet is blurring, as all these internet-enabled devices are constantly communicating back and forth. CHIRON seeks to provide basic answers for home network monitoring such as:

  • Do you live in highly dense building? Is anybody poaching your Internet service?
  • Where do all those devices connect to?
  • Where are all my users connecting to?
  • Is there any suspicious NORTH-SOUTH traffic? Are there suspicious IPs connecting to your webcam or door locking system?
  • Dynamic asset discovery (know what devices in your home are actually live and communicating).


CHIRON will perform the following basic tasks:

  • Performs basic discovery and analytics of home network assets (IoT devices, workstations, laptops, servers, routers)
  • Fingerprints users, services, and protocols
  • Applies analytics to users and devices (Average session length, Traffic, Visited sites)
  • Identifies odd application/traffic/services


AKTAION – Machine Learning Threat Detection framework

Besides providing simple and easy to understand analytics, CHIRON also works with AKTAION a Machine Learning framework for threat detection and active defense. Aktaion is scheduled to run every 4 hours and comes with its own benign training dataset.

If either phishing or ransomware delivery is discovered, Micro behavior indicators will be shown as in the following picture.

Future CHIRON iterations will incorporate other home related protocols and tools such as BlueTooth, Zigbee, Kismet and popular open source IDS.

CHIRON framework was conceived to be open source. The objective is to bring collaboration from the security community in developing a home based monitoring, analytics, detection framework that is easy to use and transparent for end users. With collaboration and feedback from the community this framework can eventually become a free and easy to use and deploy tool for those who do not have technical knowledge yet are exposed to the dangers of the internet.

Give CHIRON a try, go ahead and download the virtual machine here.  You can also reach out to the creators via twitter @rodsoto @josephzadeh


Share on