digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-04-10 12:13:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

add hands-on phishing attack for CKIM2024 tutorial

Browse Source
This commit is contained in:
Frank Xu
2024-07-20 15:07:49 -04:00
parent 82179170b3
commit 85386310f9
29 changed files with 3300 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

365
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb Normal file
View File

@@ -0,0 +1,365 @@
{
"cells": [
{
"cell_type": "code",
"execution_count": 12,
"metadata": {},
"outputs": [],
"source": [
"#!pip install graphviz\n",
"\n",
"import dspy\n",
"import os\n",
"import openai\n",
"import json\n",
"from dotenv import load_dotenv\n",
"\n",
"from graphviz import Digraph\n",
"from IPython.display import display"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [],
"source": [
"def set_dspy():\n",
" # ==============set openAI enviroment=========\n",
" # Path to your API key file\n",
" key_file_path = \"openai_api_key.txt\"\n",
"\n",
" # Load the API key from the file\n",
" with open(key_file_path, \"r\") as file:\n",
" openai_api_key = file.read().strip()\n",
"\n",
" # Set the API key as an environment variable\n",
" os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
" # ==============end of set openAI enviroment=========\n",
"\n",
"\n",
"def set_dspy_hardcode_openai_key():\n",
" os.environ[\"OPENAI_API_KEY\"] = (\n",
" \"sk-proj-yourapikeyhere\"\n",
" )\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
"\n",
"turbo=set_dspy()\n",
"# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
"# turbo=set_dspy_hardcode_openai_key()"
]
},
{
"cell_type": "code",
"execution_count": 14,
"metadata": {},
"outputs": [],
"source": [
"def load_text_file(file_path):\n",
" \"\"\"\n",
" Load a text file and return its contents as a string.\n",
"\n",
" Parameters:\n",
" file_path (str): The path to the text file.\n",
"\n",
" Returns:\n",
" str: The contents of the text file.\n",
" \"\"\"\n",
" try:\n",
" with open(file_path, \"r\") as file:\n",
" contents = file.read()\n",
" return contents\n",
" except FileNotFoundError:\n",
" return \"File not found.\"\n",
" except Exception as e:\n",
" return f\"An error occurred: {e}\"\n"
]
},
{
"cell_type": "code",
"execution_count": 15,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
"\n",
"Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from.\n",
"\n",
"Alice: Sure, forwarding it now.\n",
"\n",
"Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
"\n",
"Alice: Thats definitely not right. Should I be worried?\n",
"\n",
"Bob: We should investigate further. Did you click on any links or download any attachments?\n",
"\n",
"Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
"\n",
"Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site.\n",
"\n",
"Alice: What should I do next?\n",
"\n",
"Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
"\n",
"Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
"Visited at 10:15 AM: http://banksecure-verification.com/login\n",
"Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
"\n",
"Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
"\n",
"Alice: There's a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM.\n",
"\n",
"Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
"\n",
"Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
"\n",
"Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
"\n",
"Alice: Is there anything else I need to do?\n",
"\n",
"Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
"\n",
"Alice: Thanks, Bob. Ill follow these steps immediately.\n"
]
}
],
"source": [
"conversation=load_text_file(\"conversation.txt\")\n",
"print(conversation)"
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {},
"outputs": [],
"source": [
"class EvidenceIdentifier(dspy.Signature):\n",
" \"\"\"Idenitfy evidence entities from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\"\"\"\n",
"\n",
" question = dspy.InputField(\n",
" desc=\"a conversation between -Alex (IT Security Specialist) and Bob (Employee).\"\n",
" )\n",
" answer = dspy.OutputField(\n",
" desc=\"a list of evidence, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, in the conversation as a Python dictionary. For example, {evidence type: evidence value, ...}\"\n",
" )"
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {},
"outputs": [],
"source": [
"def generate_answer(signature, conversation, output_file):\n",
" generate_answer = dspy.Predict(signature)\n",
" answer=generate_answer(question=conversation).answer # here we use the module\n",
"\n",
" with open(output_file, \"w\") as json_file:\n",
" result = json.loads(answer)\n",
" print(result)\n",
" json.dump(result, json_file, indent=4)\n",
" print(f\"The evidence has been saved to the file {output_file}\")"
]
},
{
"cell_type": "code",
"execution_count": 18,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Email From': 'support@banksecure.com', 'Email Subject': 'Urgent: Verify Your Account Now', 'IP Address': '192.168.10.45', 'Domain': 'banksecure.com', 'Actual Domain Registration': 'Russia', 'URL Clicked': 'http://banksecure-verification.com/login', 'URL Visited 1': 'http://banksecure-verification.com/login', 'URL Visited 2': 'http://banksecure-verification.com/account-details', 'File Downloaded': 'AccountDetails.exe', 'File Creation Time': '10:20 AM', 'MD5 Hash': 'e99a18c428cb38d5f260853678922e03', 'Network Logs Timestamp': '10:20 AM'}\n",
"The evidence has been saved to the file 01_output_evidence_entity.txt\n"
]
}
],
"source": [
"output_file = \"01_output_entity.txt\"\n",
"generate_answer(\n",
" EvidenceIdentifier, conversation, \n",
" output_file,\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 19,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"\n",
"\n",
"\n",
"Idenitfy evidence entities from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\n",
"\n",
"---\n",
"\n",
"Follow the following format.\n",
"\n",
"Question: a conversation between -Alex (IT Security Specialist) and Bob (Employee).\n",
"Answer: a list of evidence, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, in the conversation as a Python dictionary. For example, {evidence type: evidence value, ...}\n",
"\n",
"---\n",
"\n",
"Question: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia. Alice: Thats definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There's a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. Ill follow these steps immediately.\n",
"Answer: {\n",
" \"Email From\": \"support@banksecure.com\",\n",
" \"Email Subject\": \"Urgent: Verify Your Account Now\",\n",
" \"IP Address\": \"192.168.10.45\",\n",
" \"Domain\": \"banksecure.com\",\n",
" \"Actual Domain Registration\": \"Russia\",\n",
" \"URL Clicked\": \"http://banksecure-verification.com/login\",\n",
" \"URL Visited 1\": \"http://banksecure-verification.com/login\",\n",
" \"URL Visited 2\": \"http://banksecure-verification.com/account-details\",\n",
" \"File Downloaded\": \"AccountDetails.exe\",\n",
" \"File Creation Time\": \"10:20 AM\",\n",
" \"MD5 Hash\": \"e99a18c428cb38d5f260853678922e03\",\n",
" \"Network Logs Timestamp\": \"10:20 AM\"\n",
"}\n",
"\n",
"\n",
"\n"
]
},
{
"data": {
"text/plain": [
"'\\n\\n\\nIdenitfy evidence entities from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\\n\\n---\\n\\nFollow the following format.\\n\\nQuestion: a conversation between -Alex (IT Security Specialist) and Bob (Employee).\\nAnswer: a list of evidence, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, in the conversation as a Python dictionary. For example, {evidence type: evidence value, ...}\\n\\n---\\n\\nQuestion: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It\\'s actually registered to someone in Russia. Alice: Thats definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn\\'t enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There\\'s a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. Ill follow these steps immediately.\\nAnswer:\\x1b[32m {\\n \"Email From\": \"support@banksecure.com\",\\n \"Email Subject\": \"Urgent: Verify Your Account Now\",\\n \"IP Address\": \"192.168.10.45\",\\n \"Domain\": \"banksecure.com\",\\n \"Actual Domain Registration\": \"Russia\",\\n \"URL Clicked\": \"http://banksecure-verification.com/login\",\\n \"URL Visited 1\": \"http://banksecure-verification.com/login\",\\n \"URL Visited 2\": \"http://banksecure-verification.com/account-details\",\\n \"File Downloaded\": \"AccountDetails.exe\",\\n \"File Creation Time\": \"10:20 AM\",\\n \"MD5 Hash\": \"e99a18c428cb38d5f260853678922e03\",\\n \"Network Logs Timestamp\": \"10:20 AM\"\\n}\\x1b[0m\\n\\n\\n'"
]
},
"execution_count": 19,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"turbo.inspect_history(n=1)"
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [],
"source": [
"class EvidenceRelationIdentifier(dspy.Signature):\n",
" \"\"\"Idenitfy evidence entities and their relationships from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\"\"\"\n",
"\n",
" question = dspy.InputField(\n",
" desc=\"a conversation between -Alex (IT Security Specialist) and Bob (Employee).\"\n",
" )\n",
"\n",
" answer_relations: str = dspy.OutputField(\n",
" desc=\"relatioinships between evidence entities. Output in JSON format: {Relationship name: evidence -> evidence, ...}.\"\n",
" )\n",
" \n",
" answer_evidence : str = dspy.OutputField(\n",
" desc=\"a list of evidence type and the value, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, idenified from the conversation. Output in JSON format: {evidence type: evidence value, ...}\"\n",
" )"
]
},
{
"cell_type": "code",
"execution_count": 21,
"metadata": {},
"outputs": [],
"source": [
"# deal with multiple output fields\n",
"def generate_answers(\n",
" signature, conversation, output_file, attributes_to_extract=[\"answer\"]\n",
"):\n",
" generate_answer = dspy.Predict(signature)\n",
" result = generate_answer(question=conversation) # Call the module\n",
" print(result)\n",
"\n",
" # Write the answers to the JSON file\n",
" with open(output_file, \"w\") as json_file:\n",
" # Extract specified attributes\n",
" for attr in attributes_to_extract:\n",
" if hasattr(result, attr):\n",
" # print(attr)\n",
" # print(getattr(result, attr))\n",
" # json_file.write(getattr(result, attr))\n",
" results = json.loads(getattr(result, attr))\n",
"\n",
" json.dump(results, json_file, indent=4)\n",
"\n",
" else:\n",
" print(f\"Warning: Attribute '{attr}' not found in the result.\")\n",
"\n",
" print(f\"The evidence has been saved to the file {output_file}\")"
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Prediction(\n",
" answer_relations='{\\n \"Email Header Analysis\": \"IP Address -> Domain\",\\n \"URL Analysis\": \"URL -> Domain\",\\n \"Browser History Analysis\": \"URL -> Timestamp\",\\n \"File Analysis\": \"File Name -> Timestamp, File Name -> MD5 Hash\",\\n \"Malware Analysis\": \"MD5 Hash -> Malware Database\"\\n}',\n",
" answer_evidence='{\\n \"Email Sender\": \"support@banksecure.com\",\\n \"Email Subject\": \"Urgent: Verify Your Account Now\",\\n \"IP Address\": \"192.168.10.45\",\\n \"Domain\": \"banksecure.com\",\\n \"Domain Registration\": \"Russia\",\\n \"URL\": \"http://banksecure-verification.com/login\",\\n \"URL Registration Date\": \"Two days ago\",\\n \"File Name\": \"AccountDetails.exe\",\\n \"File Creation Timestamp\": \"10:20 AM\",\\n \"MD5 Hash\": \"e99a18c428cb38d5f260853678922e03\"\\n}'\n",
")\n",
"The evidence has been saved to the file 01_output_evidence_entity_relation.txt\n"
]
}
],
"source": [
"output_file = \"01_output_entity_relation.txt\"\n",
"generate_answers(\n",
" EvidenceRelationIdentifier,\n",
" conversation,\n",
" output_file,\n",
" [\"answer_evidence\", \"answer_relations\"],\n",
")"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.12.3"
}
},
"nbformat": 4,
"nbformat_minor": 2
}

14
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity.txt Normal file
View File

@@ -0,0 +1,14 @@
{
"Email From": "support@banksecure.com",
"Email Subject": "Urgent: Verify Your Account Now",
"IP Address": "192.168.10.45",
"Domain": "banksecure.com",
"Actual Domain Registration": "Russia",
"URL Clicked": "http://banksecure-verification.com/login",
"URL Visited 1": "http://banksecure-verification.com/login",
"URL Visited 2": "http://banksecure-verification.com/account-details",
"File Downloaded": "AccountDetails.exe",
"File Creation Time": "10:20 AM",
"MD5 Hash": "e99a18c428cb38d5f260853678922e03",
"Network Logs Timestamp": "10:20 AM"
}

18
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity_relation.txt Normal file
View File

@@ -0,0 +1,18 @@
{
"Email Sender": "support@banksecure.com",
"Email Subject": "Urgent: Verify Your Account Now",
"IP Address": "192.168.10.45",
"Domain": "banksecure.com",
"Domain Registration": "Russia",
"URL": "http://banksecure-verification.com/login",
"URL Registration Date": "Two days ago",
"File Name": "AccountDetails.exe",
"File Creation Timestamp": "10:20 AM",
"MD5 Hash": "e99a18c428cb38d5f260853678922e03"
}{
"Email Header Analysis": "IP Address -> Domain",
"URL Analysis": "URL -> Domain",
"Browser History Analysis": "URL -> Timestamp",
"File Analysis": "File Name -> Timestamp, File Name -> MD5 Hash",
"Malware Analysis": "MD5 Hash -> Malware Database"
}

445
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb Normal file
View File

@@ -0,0 +1,445 @@
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
"#!pip install graphviz\n",
"\n",
"import dspy\n",
"import os\n",
"import openai\n",
"import json\n",
"from dotenv import load_dotenv\n",
"\n",
"from graphviz import Source\n",
"from IPython.display import display"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"def set_dspy():\n",
" # ==============set openAI enviroment=========\n",
" # Path to your API key file\n",
" key_file_path = \"openai_api_key.txt\"\n",
"\n",
" # Load the API key from the file\n",
" with open(key_file_path, \"r\") as file:\n",
" openai_api_key = file.read().strip()\n",
"\n",
" # Set the API key as an environment variable\n",
" os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
" # ==============end of set openAI enviroment=========\n",
"\n",
"\n",
"def set_dspy_hardcode_openai_key():\n",
" os.environ[\"OPENAI_API_KEY\"] = (\n",
" \"sk-proj-yourapikeyhere\"\n",
" )\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
"\n",
"turbo=set_dspy()\n",
"# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
"# turbo=set_dspy_hardcode_openai_key()"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"def load_text_file(file_path):\n",
" \"\"\"\n",
" Load a text file and return its contents as a string.\n",
"\n",
" Parameters:\n",
" file_path (str): The path to the text file.\n",
"\n",
" Returns:\n",
" str: The contents of the text file.\n",
" \"\"\"\n",
" try:\n",
" with open(file_path, \"r\") as file:\n",
" contents = file.read()\n",
" return contents\n",
" except FileNotFoundError:\n",
" return \"File not found.\"\n",
" except Exception as e:\n",
" return f\"An error occurred: {e}\"\n"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
"\n",
"Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from.\n",
"\n",
"Alice: Sure, forwarding it now.\n",
"\n",
"Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
"\n",
"Alice: Thats definitely not right. Should I be worried?\n",
"\n",
"Bob: We should investigate further. Did you click on any links or download any attachments?\n",
"\n",
"Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
"\n",
"Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site.\n",
"\n",
"Alice: What should I do next?\n",
"\n",
"Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
"\n",
"Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
"Visited at 10:15 AM: http://banksecure-verification.com/login\n",
"Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
"\n",
"Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
"\n",
"Alice: There's a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM.\n",
"\n",
"Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
"\n",
"Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
"\n",
"Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
"\n",
"Alice: Is there anything else I need to do?\n",
"\n",
"Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
"\n",
"Alice: Thanks, Bob. Ill follow these steps immediately.\n"
]
}
],
"source": [
"conversation = load_text_file(\"conversation.txt\")\n",
"print(conversation)"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [],
"source": [
"class DotGenerator(dspy.Signature):\n",
" \"\"\"Generate a evidence knowledge graph based on a conversation between an IT Security Specialist and an Employee. \"\"\"\n",
"\n",
" question: str = dspy.InputField(\n",
" desc=\"a conversation describing a cyber incident between an IT Security Specialist and an employee.\"\n",
" )\n",
"\n",
" answer: str = dspy.OutputField(\n",
" desc=\"a graph in a dot format. The nodes of the graph are evidence entities and the edges of the graph are the relationship between evidence entities. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n",
" )"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [],
"source": [
"def generate_answer_CoT(signature, text, output_file):\n",
" generate_answer = dspy.ChainOfThought(signature)\n",
" answer = generate_answer(question=text).answer # here we use the module\n",
"\n",
" with open(output_file, \"w\") as dot_file:\n",
" print(answer)\n",
" dot_file.write(answer)\n",
" return answer\n",
" print(f\"The evidence has been saved to the file {output_file}\")"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"digraph cyber_incident {\n",
" \"Suspicious Email\" -> \"IP Address: 192.168.10.45\"\n",
" \"Suspicious Email\" -> \"Domain: banksecure.com (Registered to someone in Russia)\"\n",
" \"Suspicious Email\" -> \"URL: http://banksecure-verification.com/login\"\n",
" \"Suspicious Email\" -> \"URL: http://banksecure-verification.com/account-details\"\n",
" \"URL: http://banksecure-verification.com/login\" -> \"Domain: banksecure-verification.com (Registered 2 days ago)\"\n",
" \"URL: http://banksecure-verification.com/account-details\" -> \"Domain: banksecure-verification.com (Registered 2 days ago)\"\n",
" \"Browser History Entries\" -> \"Visited at 10:15 AM: http://banksecure-verification.com/login\"\n",
" \"Browser History Entries\" -> \"Visited at 10:17 AM: http://banksecure-verification.com/account-details\"\n",
" \"Downloaded File: AccountDetails.exe\" -> \"Created at 10:20 AM\"\n",
" \"Downloaded File: AccountDetails.exe\" -> \"MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)\"\n",
" \"MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)\" -> \"Quarantined File: AccountDetails.exe\"\n",
" \"IP Address: 192.168.10.45\" -> \"Network Logs Analysis around 10:20 AM\"\n",
"}\n"
]
}
],
"source": [
"output_file = \"02_output.dot\"\n",
"dot_description = generate_answer_CoT(\n",
" DotGenerator,\n",
" conversation,\n",
" output_file,\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 11,
"metadata": {},
"outputs": [
{
"data": {
"image/svg+xml": [
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n",
"<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\"\n",
" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n",
"<!-- Generated by graphviz version 2.47.1 (20210417.1919)\n",
" -->\n",
"<!-- Title: cyber_incident Pages: 1 -->\n",
"<svg width=\"3402pt\" height=\"188pt\"\n",
" viewBox=\"0.00 0.00 3402.31 188.00\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n",
"<g id=\"graph0\" class=\"graph\" transform=\"scale(1 1) rotate(0) translate(4 184)\">\n",
"<title>cyber_incident</title>\n",
"<polygon fill=\"white\" stroke=\"transparent\" points=\"-4,4 -4,-184 3398.31,-184 3398.31,4 -4,4\"/>\n",
"<!-- Suspicious Email -->\n",
"<g id=\"node1\" class=\"node\">\n",
"<title>Suspicious Email</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"731.49\" cy=\"-162\" rx=\"73.39\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"731.49\" y=\"-158.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Suspicious Email</text>\n",
"</g>\n",
"<!-- IP Address: 192.168.10.45 -->\n",
"<g id=\"node2\" class=\"node\">\n",
"<title>IP Address: 192.168.10.45</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"162.49\" cy=\"-90\" rx=\"107.78\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"162.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">IP Address: 192.168.10.45</text>\n",
"</g>\n",
"<!-- Suspicious Email&#45;&gt;IP Address: 192.168.10.45 -->\n",
"<g id=\"edge1\" class=\"edge\">\n",
"<title>Suspicious Email&#45;&gt;IP Address: 192.168.10.45</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M665.92,-153.89C577.92,-144.21 416.77,-126.02 279.49,-108 269.87,-106.74 259.82,-105.36 249.82,-103.96\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"250.25,-100.48 239.85,-102.55 249.26,-107.42 250.25,-100.48\"/>\n",
"</g>\n",
"<!-- Domain: banksecure.com (Registered to someone in Russia) -->\n",
"<g id=\"node3\" class=\"node\">\n",
"<title>Domain: banksecure.com (Registered to someone in Russia)</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"518.49\" cy=\"-90\" rx=\"230.16\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"518.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Domain: banksecure.com (Registered to someone in Russia)</text>\n",
"</g>\n",
"<!-- Suspicious Email&#45;&gt;Domain: banksecure.com (Registered to someone in Russia) -->\n",
"<g id=\"edge2\" class=\"edge\">\n",
"<title>Suspicious Email&#45;&gt;Domain: banksecure.com (Registered to someone in Russia)</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M689.4,-147.17C657.82,-136.79 614.13,-122.43 578.83,-110.83\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"579.7,-107.43 569.11,-107.64 577.52,-114.08 579.7,-107.43\"/>\n",
"</g>\n",
"<!-- URL: http://banksecure&#45;verification.com/login -->\n",
"<g id=\"node4\" class=\"node\">\n",
"<title>URL: http://banksecure&#45;verification.com/login</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"943.49\" cy=\"-90\" rx=\"176.57\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"943.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">URL: http://banksecure&#45;verification.com/login</text>\n",
"</g>\n",
"<!-- Suspicious Email&#45;&gt;URL: http://banksecure&#45;verification.com/login -->\n",
"<g id=\"edge3\" class=\"edge\">\n",
"<title>Suspicious Email&#45;&gt;URL: http://banksecure&#45;verification.com/login</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M773.37,-147.17C805.03,-136.72 848.9,-122.23 884.17,-110.59\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"885.47,-113.84 893.87,-107.38 883.27,-107.2 885.47,-113.84\"/>\n",
"</g>\n",
"<!-- URL: http://banksecure&#45;verification.com/account&#45;details -->\n",
"<g id=\"node5\" class=\"node\">\n",
"<title>URL: http://banksecure&#45;verification.com/account&#45;details</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1352.49\" cy=\"-90\" rx=\"213.66\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1352.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">URL: http://banksecure&#45;verification.com/account&#45;details</text>\n",
"</g>\n",
"<!-- Suspicious Email&#45;&gt;URL: http://banksecure&#45;verification.com/account&#45;details -->\n",
"<g id=\"edge4\" class=\"edge\">\n",
"<title>Suspicious Email&#45;&gt;URL: http://banksecure&#45;verification.com/account&#45;details</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M796.77,-153.64C896.77,-142.37 1089.95,-120.59 1220.07,-105.93\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"1220.57,-109.39 1230.11,-104.79 1219.78,-102.44 1220.57,-109.39\"/>\n",
"</g>\n",
"<!-- Network Logs Analysis around 10:20 AM -->\n",
"<g id=\"node14\" class=\"node\">\n",
"<title>Network Logs Analysis around 10:20 AM</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"162.49\" cy=\"-18\" rx=\"162.47\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"162.49\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Network Logs Analysis around 10:20 AM</text>\n",
"</g>\n",
"<!-- IP Address: 192.168.10.45&#45;&gt;Network Logs Analysis around 10:20 AM -->\n",
"<g id=\"edge12\" class=\"edge\">\n",
"<title>IP Address: 192.168.10.45&#45;&gt;Network Logs Analysis around 10:20 AM</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M162.49,-71.7C162.49,-63.98 162.49,-54.71 162.49,-46.11\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"165.99,-46.1 162.49,-36.1 158.99,-46.1 165.99,-46.1\"/>\n",
"</g>\n",
"<!-- Domain: banksecure&#45;verification.com (Registered 2 days ago) -->\n",
"<g id=\"node6\" class=\"node\">\n",
"<title>Domain: banksecure&#45;verification.com (Registered 2 days ago)</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1147.49\" cy=\"-18\" rx=\"234.76\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1147.49\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Domain: banksecure&#45;verification.com (Registered 2 days ago)</text>\n",
"</g>\n",
"<!-- URL: http://banksecure&#45;verification.com/login&#45;&gt;Domain: banksecure&#45;verification.com (Registered 2 days ago) -->\n",
"<g id=\"edge5\" class=\"edge\">\n",
"<title>URL: http://banksecure&#45;verification.com/login&#45;&gt;Domain: banksecure&#45;verification.com (Registered 2 days ago)</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M991.31,-72.59C1020.54,-62.56 1058.12,-49.67 1089.09,-39.04\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"1090.57,-42.23 1098.89,-35.67 1088.3,-35.61 1090.57,-42.23\"/>\n",
"</g>\n",
"<!-- URL: http://banksecure&#45;verification.com/account&#45;details&#45;&gt;Domain: banksecure&#45;verification.com (Registered 2 days ago) -->\n",
"<g id=\"edge6\" class=\"edge\">\n",
"<title>URL: http://banksecure&#45;verification.com/account&#45;details&#45;&gt;Domain: banksecure&#45;verification.com (Registered 2 days ago)</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M1303.9,-72.41C1274.63,-62.42 1237.15,-49.62 1206.22,-39.06\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"1207.02,-35.63 1196.43,-35.71 1204.76,-42.26 1207.02,-35.63\"/>\n",
"</g>\n",
"<!-- Browser History Entries -->\n",
"<g id=\"node7\" class=\"node\">\n",
"<title>Browser History Entries</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"2074.49\" cy=\"-162\" rx=\"98.28\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"2074.49\" y=\"-158.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Browser History Entries</text>\n",
"</g>\n",
"<!-- Visited at 10:15 AM: http://banksecure&#45;verification.com/login -->\n",
"<g id=\"node8\" class=\"node\">\n",
"<title>Visited at 10:15 AM: http://banksecure&#45;verification.com/login</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1815.49\" cy=\"-90\" rx=\"231.26\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1815.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Visited at 10:15 AM: http://banksecure&#45;verification.com/login</text>\n",
"</g>\n",
"<!-- Browser History Entries&#45;&gt;Visited at 10:15 AM: http://banksecure&#45;verification.com/login -->\n",
"<g id=\"edge7\" class=\"edge\">\n",
"<title>Browser History Entries&#45;&gt;Visited at 10:15 AM: http://banksecure&#45;verification.com/login</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M2021.76,-146.75C1982.65,-136.18 1928.93,-121.66 1886.11,-110.09\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"1886.88,-106.67 1876.32,-107.44 1885.06,-113.43 1886.88,-106.67\"/>\n",
"</g>\n",
"<!-- Visited at 10:17 AM: http://banksecure&#45;verification.com/account&#45;details -->\n",
"<g id=\"node9\" class=\"node\">\n",
"<title>Visited at 10:17 AM: http://banksecure&#45;verification.com/account&#45;details</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"2333.49\" cy=\"-90\" rx=\"268.35\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"2333.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Visited at 10:17 AM: http://banksecure&#45;verification.com/account&#45;details</text>\n",
"</g>\n",
"<!-- Browser History Entries&#45;&gt;Visited at 10:17 AM: http://banksecure&#45;verification.com/account&#45;details -->\n",
"<g id=\"edge8\" class=\"edge\">\n",
"<title>Browser History Entries&#45;&gt;Visited at 10:17 AM: http://banksecure&#45;verification.com/account&#45;details</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M2127.21,-146.75C2166.18,-136.22 2219.67,-121.76 2262.41,-110.21\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"2263.45,-113.55 2272.19,-107.57 2261.62,-106.8 2263.45,-113.55\"/>\n",
"</g>\n",
"<!-- Downloaded File: AccountDetails.exe -->\n",
"<g id=\"node10\" class=\"node\">\n",
"<title>Downloaded File: AccountDetails.exe</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"2904.49\" cy=\"-162\" rx=\"147.57\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"2904.49\" y=\"-158.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Downloaded File: AccountDetails.exe</text>\n",
"</g>\n",
"<!-- Created at 10:20 AM -->\n",
"<g id=\"node11\" class=\"node\">\n",
"<title>Created at 10:20 AM</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"2706.49\" cy=\"-90\" rx=\"86.38\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"2706.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Created at 10:20 AM</text>\n",
"</g>\n",
"<!-- Downloaded File: AccountDetails.exe&#45;&gt;Created at 10:20 AM -->\n",
"<g id=\"edge9\" class=\"edge\">\n",
"<title>Downloaded File: AccountDetails.exe&#45;&gt;Created at 10:20 AM</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M2858.56,-144.76C2828.57,-134.16 2789.34,-120.29 2758.24,-109.3\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"2759.04,-105.87 2748.45,-105.83 2756.71,-112.47 2759.04,-105.87\"/>\n",
"</g>\n",
"<!-- MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware) -->\n",
"<g id=\"node12\" class=\"node\">\n",
"<title>MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"3102.49\" cy=\"-90\" rx=\"291.65\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"3102.49\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)</text>\n",
"</g>\n",
"<!-- Downloaded File: AccountDetails.exe&#45;&gt;MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware) -->\n",
"<g id=\"edge10\" class=\"edge\">\n",
"<title>Downloaded File: AccountDetails.exe&#45;&gt;MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M2950.41,-144.76C2978.65,-134.78 3015.08,-121.9 3045.2,-111.25\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"3046.48,-114.51 3054.74,-107.88 3044.15,-107.91 3046.48,-114.51\"/>\n",
"</g>\n",
"<!-- Quarantined File: AccountDetails.exe -->\n",
"<g id=\"node13\" class=\"node\">\n",
"<title>Quarantined File: AccountDetails.exe</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"3102.49\" cy=\"-18\" rx=\"144.87\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"3102.49\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Quarantined File: AccountDetails.exe</text>\n",
"</g>\n",
"<!-- MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)&#45;&gt;Quarantined File: AccountDetails.exe -->\n",
"<g id=\"edge11\" class=\"edge\">\n",
"<title>MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)&#45;&gt;Quarantined File: AccountDetails.exe</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M3102.49,-71.7C3102.49,-63.98 3102.49,-54.71 3102.49,-46.11\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"3105.99,-46.1 3102.49,-36.1 3098.99,-46.1 3105.99,-46.1\"/>\n",
"</g>\n",
"</g>\n",
"</svg>\n"
],
"text/plain": [
"<graphviz.sources.Source at 0x272a4f0cef0>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/plain": [
"'02_output_email_analysis.png'"
]
},
"execution_count": 11,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"# Create a Digraph object and render the graph\n",
"graph = Source(dot_description)\n",
"display(graph)\n",
"\n",
"# Render the graph within the notebook\n",
"graph.render(\"02_output_email_analysis\", format=\"png\", cleanup=True)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.12.3"
}
},
"nbformat": 4,
"nbformat_minor": 2
}

5
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output.dot Normal file
View File

@@ -0,0 +1,5 @@
digraph file_not_found {
File [label="File" shape="rectangle" color="blue"]
NotFound [label="Not Found" shape="ellipse" color="red"]
File -> NotFound [label="Indicator"]
}

BIN
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output_email_analysis.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.6 KiB

355
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb Normal file
View File

@@ -0,0 +1,355 @@
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
"#!pip install graphviz\n",
"\n",
"import dspy\n",
"import os\n",
"import openai\n",
"import json\n",
"from dotenv import load_dotenv\n",
"from IPython.display import display"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"def set_dspy():\n",
" # ==============set openAI enviroment=========\n",
" # Path to your API key file\n",
" key_file_path = \"openai_api_key.txt\"\n",
"\n",
" # Load the API key from the file\n",
" with open(key_file_path, \"r\") as file:\n",
" openai_api_key = file.read().strip()\n",
"\n",
" # Set the API key as an environment variable\n",
" os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
" # ==============end of set openAI enviroment=========\n",
"\n",
"\n",
"def set_dspy_hardcode_openai_key():\n",
" os.environ[\"OPENAI_API_KEY\"] = (\n",
" \"sk-proj-yourapikeyhere\"\n",
" )\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
"\n",
"turbo=set_dspy()\n",
"# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
"# turbo=set_dspy_hardcode_openai_key()"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"def load_text_file(file_path):\n",
" \"\"\"\n",
" Load a text file and return its contents as a string.\n",
"\n",
" Parameters:\n",
" file_path (str): The path to the text file.\n",
"\n",
" Returns:\n",
" str: The contents of the text file.\n",
" \"\"\"\n",
" try:\n",
" with open(file_path, \"r\") as file:\n",
" contents = file.read()\n",
" return contents\n",
" except FileNotFoundError:\n",
" return \"File not found.\"\n",
" except Exception as e:\n",
" return f\"An error occurred: {e}\"\n"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
"\n",
"Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from.\n",
"\n",
"Alice: Sure, forwarding it now.\n",
"\n",
"Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
"\n",
"Alice: Thats definitely not right. Should I be worried?\n",
"\n",
"Bob: We should investigate further. Did you click on any links or download any attachments?\n",
"\n",
"Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
"\n",
"Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site.\n",
"\n",
"Alice: What should I do next?\n",
"\n",
"Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
"\n",
"Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
"Visited at 10:15 AM: http://banksecure-verification.com/login\n",
"Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
"\n",
"Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
"\n",
"Alice: There's a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM.\n",
"\n",
"Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
"\n",
"Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
"\n",
"Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
"\n",
"Alice: Is there anything else I need to do?\n",
"\n",
"Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
"\n",
"Alice: Thanks, Bob. Ill follow these steps immediately.\n"
]
}
],
"source": [
"conversation=load_text_file(\"conversation.txt\")\n",
"print(conversation)"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [],
"source": [
"class SITXGenerator(dspy.Signature):\n",
" \"\"\"Describe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\"\"\"\n",
"\n",
" question: str = dspy.InputField(\n",
" desc=\"a conversation describing a cyber incident between an IT Security Specialist and an employee.\"\n",
" )\n",
"\n",
" answer: str = dspy.OutputField(\n",
" desc=\"the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\"\n",
" )"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [],
"source": [
"def generate_answer_CoT(signature, conversation, output_file):\n",
" generate_answer = dspy.ChainOfThought(signature)\n",
" answer = generate_answer(question=conversation).answer # here we use the module\n",
"\n",
" with open(output_file, \"w\") as json_file:\n",
" result = json.loads(answer)\n",
" print(answer)\n",
" json.dump(result, json_file, indent=4)\n",
" print(f\"The evidence has been saved to the file {output_file}\")"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"[\n",
" {\n",
" \"email\": {\n",
" \"sender\": \"support@banksecure.com\",\n",
" \"subject\": \"Urgent: Verify Your Account Now\",\n",
" \"headers\": {\n",
" \"IP_address\": \"192.168.10.45\",\n",
" \"domain\": \"banksecure.com\",\n",
" \"registered_to\": \"Russia\"\n",
" },\n",
" \"links_clicked\": [\n",
" {\n",
" \"URL\": \"http://banksecure-verification.com/login\",\n",
" \"timestamp\": \"10:15 AM\"\n",
" },\n",
" {\n",
" \"URL\": \"http://banksecure-verification.com/account-details\",\n",
" \"timestamp\": \"10:17 AM\"\n",
" }\n",
" ],\n",
" \"attachments\": [\n",
" {\n",
" \"file_name\": \"AccountDetails.exe\",\n",
" \"created_at\": \"10:20 AM\",\n",
" \"MD5_hash\": \"e99a18c428cb38d5f260853678922e03\",\n",
" \"status\": \"known_malware\"\n",
" }\n",
" ]\n",
" }\n",
" },\n",
" {\n",
" \"actions_taken\": [\n",
" \"Clear browser history and cache\",\n",
" \"Run full antivirus scan\",\n",
" \"Provide browser history entries and cookies\",\n",
" \"Quarantine suspicious file\",\n",
" \"Check network connections\",\n",
" \"Reset passwords and enable two-factor authentication\"\n",
" ]\n",
" }\n",
"]\n",
"The evidence has been saved to the file 03_output.json\n"
]
}
],
"source": [
"output_file = \"03_output.json\"\n",
"generate_answer_CoT(\n",
" SITXGenerator,\n",
" conversation,\n",
" output_file,\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"\n",
"\n",
"\n",
"Describe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\n",
"\n",
"---\n",
"\n",
"Follow the following format.\n",
"\n",
"Question: a conversation describing a cyber incident between an IT Security Specialist and an employee.\n",
"Reasoning: Let's think step by step in order to ${produce the answer}. We ...\n",
"Answer: the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\n",
"\n",
"---\n",
"\n",
"Question: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia. Alice: Thats definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There's a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. Ill follow these steps immediately.\n",
"Reasoning: Let's think step by step in order to produce the answer. We need to formalize the conversation into STIX objects that represent the cyber threat information discussed between Alice and Bob.\n",
"\n",
"Answer: \n",
"[\n",
" {\n",
" \"email\": {\n",
" \"sender\": \"support@banksecure.com\",\n",
" \"subject\": \"Urgent: Verify Your Account Now\",\n",
" \"headers\": {\n",
" \"IP_address\": \"192.168.10.45\",\n",
" \"domain\": \"banksecure.com\",\n",
" \"registered_to\": \"Russia\"\n",
" },\n",
" \"links_clicked\": [\n",
" {\n",
" \"URL\": \"http://banksecure-verification.com/login\",\n",
" \"timestamp\": \"10:15 AM\"\n",
" },\n",
" {\n",
" \"URL\": \"http://banksecure-verification.com/account-details\",\n",
" \"timestamp\": \"10:17 AM\"\n",
" }\n",
" ],\n",
" \"attachments\": [\n",
" {\n",
" \"file_name\": \"AccountDetails.exe\",\n",
" \"created_at\": \"10:20 AM\",\n",
" \"MD5_hash\": \"e99a18c428cb38d5f260853678922e03\",\n",
" \"status\": \"known_malware\"\n",
" }\n",
" ]\n",
" }\n",
" },\n",
" {\n",
" \"actions_taken\": [\n",
" \"Clear browser history and cache\",\n",
" \"Run full antivirus scan\",\n",
" \"Provide browser history entries and cookies\",\n",
" \"Quarantine suspicious file\",\n",
" \"Check network connections\",\n",
" \"Reset passwords and enable two-factor authentication\"\n",
" ]\n",
" }\n",
"]\n",
"\n",
"\n",
"\n"
]
},
{
"data": {
"text/plain": [
"'\\n\\n\\nDescribe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\\n\\n---\\n\\nFollow the following format.\\n\\nQuestion: a conversation describing a cyber incident between an IT Security Specialist and an employee.\\nReasoning: Let\\'s think step by step in order to ${produce the answer}. We ...\\nAnswer: the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\\n\\n---\\n\\nQuestion: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It\\'s actually registered to someone in Russia. Alice: Thats definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn\\'t enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There\\'s a file named \"AccountDetails.exe\" that I dont remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. Ill follow these steps immediately.\\nReasoning: Let\\'s think step by step in order to\\x1b[32m produce the answer. We need to formalize the conversation into STIX objects that represent the cyber threat information discussed between Alice and Bob.\\n\\nAnswer: \\n[\\n {\\n \"email\": {\\n \"sender\": \"support@banksecure.com\",\\n \"subject\": \"Urgent: Verify Your Account Now\",\\n \"headers\": {\\n \"IP_address\": \"192.168.10.45\",\\n \"domain\": \"banksecure.com\",\\n \"registered_to\": \"Russia\"\\n },\\n \"links_clicked\": [\\n {\\n \"URL\": \"http://banksecure-verification.com/login\",\\n \"timestamp\": \"10:15 AM\"\\n },\\n {\\n \"URL\": \"http://banksecure-verification.com/account-details\",\\n \"timestamp\": \"10:17 AM\"\\n }\\n ],\\n \"attachments\": [\\n {\\n \"file_name\": \"AccountDetails.exe\",\\n \"created_at\": \"10:20 AM\",\\n \"MD5_hash\": \"e99a18c428cb38d5f260853678922e03\",\\n \"status\": \"known_malware\"\\n }\\n ]\\n }\\n },\\n {\\n \"actions_taken\": [\\n \"Clear browser history and cache\",\\n \"Run full antivirus scan\",\\n \"Provide browser history entries and cookies\",\\n \"Quarantine suspicious file\",\\n \"Check network connections\",\\n \"Reset passwords and enable two-factor authentication\"\\n ]\\n }\\n]\\x1b[0m\\n\\n\\n'"
]
},
"execution_count": 8,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"turbo.inspect_history(n=1)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.12.3"
}
},
"nbformat": 4,
"nbformat_minor": 2
}

41
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_output.json Normal file
View File

@@ -0,0 +1,41 @@
[
{
"email": {
"sender": "support@banksecure.com",
"subject": "Urgent: Verify Your Account Now",
"headers": {
"IP_address": "192.168.10.45",
"domain": "banksecure.com",
"registered_to": "Russia"
},
"links_clicked": [
{
"URL": "http://banksecure-verification.com/login",
"timestamp": "10:15 AM"
},
{
"URL": "http://banksecure-verification.com/account-details",
"timestamp": "10:17 AM"
}
],
"attachments": [
{
"file_name": "AccountDetails.exe",
"created_at": "10:20 AM",
"MD5_hash": "e99a18c428cb38d5f260853678922e03",
"status": "known_malware"
}
]
}
},
{
"actions_taken": [
"Clear browser history and cache",
"Run full antivirus scan",
"Provide browser history entries and cookies",
"Quarantine suspicious file",
"Check network connections",
"Reset passwords and enable two-factor authentication"
]
}
]

726
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb Normal file
View File

File diff suppressed because one or more lines are too long

88
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output.json Normal file
View File

@@ -0,0 +1,88 @@
[
{
"type": "identity",
"id": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"name": "OurCompany",
"identity_class": "organization",
"sectors": [
"technology"
],
"contact_information": "info@ourcompany.com"
},
{
"type": "email-addr",
"id": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
"value": "hr-dept@ourcompany-security.com"
},
{
"type": "email-message",
"id": "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97",
"is_multipart": false,
"subject": "Urgent Benefits Package Update",
"from_ref": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
"body": "Please click the link to review the changes to your benefits package."
},
{
"type": "url",
"id": "url--4c3b-4c4b-bb6c-ded6b2a4a567",
"value": "http://phishing-link.com/login"
},
{
"type": "user-account",
"id": "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400",
"user_id": "Taylor",
"account_login": "taylor@ourcompany.com"
},
{
"type": "observable",
"id": "observable--001",
"observable_type": "email",
"observable_value": "hr-dept@ourcompany-security.com"
},
{
"type": "observable",
"id": "observable--002",
"observable_type": "url",
"observable_value": "http://phishing-link.com/login"
},
{
"type": "indicator",
"id": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"name": "Phishing Email Indicator",
"pattern": "[email-message:subject = 'Urgent Benefits Package Update']",
"valid_from": "2024-07-17T00:00:00Z"
},
{
"type": "incident",
"id": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"name": "Phishing Attack on OurCompany",
"description": "A phishing attack where a suspicious email was sent to an employee of OurCompany.",
"first_seen": "2024-07-17T08:00:00Z",
"last_seen": "2024-07-17T08:10:00Z",
"status": "ongoing",
"affected_assets": [
"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400"
]
},
{
"type": "relationship",
"id": "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d",
"relationship_type": "indicates",
"source_ref": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"target_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857"
},
{
"type": "relationship",
"id": "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed",
"relationship_type": "attributed-to",
"source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"target_ref": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f"
},
{
"type": "relationship",
"id": "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051",
"relationship_type": "uses",
"source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"target_ref": "url--4c3b-4c4b-bb6c-ded6b2a4a567"
}
]

88
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output_for_viz.json Normal file
View File

@@ -0,0 +1,88 @@
[
{
"type": "identity",
"id": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"name": "OurCompany",
"identity_class": "organization",
"sectors": [
"technology"
],
"contact_information": "info@ourcompany.com"
},
{
"type": "email-addr",
"id": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
"value": "hr-dept@ourcompany-security.com"
},
{
"type": "email-message",
"id": "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97",
"is_multipart": false,
"subject": "Urgent Benefits Package Update",
"from_ref": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
"body": "Please click the link to review the changes to your benefits package."
},
{
"type": "url",
"id": "url--4c3b-4c4b-bb6c-ded6b2a4a567",
"value": "http://phishing-link.com/login"
},
{
"type": "user-account",
"id": "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400",
"user_id": "Taylor",
"account_login": "taylor@ourcompany.com"
},
{
"type": "observable",
"id": "observable--001",
"observable_type": "email",
"observable_value": "hr-dept@ourcompany-security.com"
},
{
"type": "observable",
"id": "observable--002",
"observable_type": "url",
"observable_value": "http://phishing-link.com/login"
},
{
"type": "indicator",
"id": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"name": "Phishing Email Indicator",
"pattern": "[email-message:subject = 'Urgent Benefits Package Update']",
"valid_from": "2024-07-17T00:00:00Z"
},
{
"type": "incident",
"id": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"name": "Phishing Attack on OurCompany",
"description": "A phishing attack where a suspicious email was sent to an employee of OurCompany.",
"first_seen": "2024-07-17T08:00:00Z",
"last_seen": "2024-07-17T08:10:00Z",
"status": "ongoing",
"affected_assets": [
"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400"
]
},
{
"type": "relationship",
"id": "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d",
"relationship_type": "indicates",
"source_ref": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"target_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857"
},
{
"type": "relationship",
"id": "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed",
"relationship_type": "attributed-to",
"source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"target_ref": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f"
},
{
"type": "relationship",
"id": "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051",
"relationship_type": "uses",
"source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"target_ref": "url--4c3b-4c4b-bb6c-ded6b2a4a567"
}
]

8
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.dot Normal file
View File

@@ -0,0 +1,8 @@
digraph Phishing_Attack {
"OurCompany" -> "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857" [label="attributed-to"];
"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798" -> "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97" [label="from"];
"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97" -> "url--4c3b-4c4b-bb6c-ded6b2a4a567" [label="contains"];
"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97" -> "observable--001" [label="observable"];
"url--4c3b-4c4b-bb6c-ded6b2a4a567" -> "observable--002" [label="observable"];
"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857" -> "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f" [label="indicates"];
}

BIN
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

259
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_stix_dot_generator.ipynb Normal file
View File

@@ -0,0 +1,259 @@
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
"#!pip install graphviz\n",
"import dspy\n",
"import os\n",
"import openai\n",
"import json\n",
"from dotenv import load_dotenv\n",
"from graphviz import Source\n",
"from IPython.display import display"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"def set_dspy():\n",
" # ==============set openAI enviroment=========\n",
" # Path to your API key file\n",
" key_file_path = \"openai_api_key.txt\"\n",
"\n",
" # Load the API key from the file\n",
" with open(key_file_path, \"r\") as file:\n",
" openai_api_key = file.read().strip()\n",
"\n",
" # Set the API key as an environment variable\n",
" os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
" # ==============end of set openAI enviroment=========\n",
"\n",
"\n",
"def set_dspy_hardcode_openai_key():\n",
" os.environ[\"OPENAI_API_KEY\"] = (\n",
" \"sk-proj-yourapikeyhere\"\n",
" )\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
"\n",
"turbo=set_dspy()\n",
"# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
"# turbo=set_dspy_hardcode_openai_key()"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"def load_text_file(file_path):\n",
" \"\"\"\n",
" Load a text file and return its contents as a string.\n",
"\n",
" Parameters:\n",
" file_path (str): The path to the text file.\n",
"\n",
" Returns:\n",
" str: The contents of the text file.\n",
" \"\"\"\n",
" try:\n",
" with open(file_path, \"r\") as file:\n",
" contents = file.read()\n",
" return contents\n",
" except FileNotFoundError:\n",
" return \"File not found.\"\n",
" except Exception as e:\n",
" return f\"An error occurred: {e}\"\n"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"File not found.\n"
]
}
],
"source": [
"conversation = load_text_file(\"04_output_for_viz.json\")\n",
"print(conversation)"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [],
"source": [
"class DotGenerator(dspy.Signature):\n",
" \"\"\"Generate a evidence knowledge graph based on a cyber incident expressed in Structured Threat Information Expression (STIX).\"\"\"\n",
"\n",
" question: str = dspy.InputField(\n",
" desc=\"a cyber incident expressed in Structured Threat Information Expression with JSON format.\"\n",
" )\n",
"\n",
" answer: str = dspy.OutputField(\n",
" desc=\"a graph in a dot format. The nodes of the graph are evidence entities in STIX and the edges of the graph are the relationships between evidence entities in STIX. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n",
" )"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [],
"source": [
"def generate_answer_CoT(signature, text, output_file):\n",
" generate_answer = dspy.ChainOfThought(signature)\n",
" answer = generate_answer(question=text).answer # here we use the module\n",
"\n",
" with open(output_file, \"w\") as dot_file:\n",
" print(answer)\n",
" dot_file.write(answer)\n",
" return answer\n",
" print(f\"The evidence has been saved to the file {output_file}\")"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"digraph file_not_found {\n",
" File [label=\"File\" shape=\"rectangle\" color=\"blue\"]\n",
" NotFound [label=\"Not Found\" shape=\"ellipse\" color=\"red\"]\n",
" File -> NotFound [label=\"Indicator\"]\n",
"}\n"
]
}
],
"source": [
"output_file = \"05_output.dot\"\n",
"dot_description = generate_answer_CoT(\n",
" DotGenerator,\n",
" conversation,\n",
" output_file,\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [
{
"data": {
"image/svg+xml": [
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n",
"<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\"\n",
" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n",
"<!-- Generated by graphviz version 2.47.1 (20210417.1919)\n",
" -->\n",
"<!-- Title: file_not_found Pages: 1 -->\n",
"<svg width=\"110pt\" height=\"131pt\"\n",
" viewBox=\"0.00 0.00 109.70 131.00\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n",
"<g id=\"graph0\" class=\"graph\" transform=\"scale(1 1) rotate(0) translate(4 127)\">\n",
"<title>file_not_found</title>\n",
"<polygon fill=\"white\" stroke=\"transparent\" points=\"-4,4 -4,-127 105.7,-127 105.7,4 -4,4\"/>\n",
"<!-- File -->\n",
"<g id=\"node1\" class=\"node\">\n",
"<title>File</title>\n",
"<polygon fill=\"none\" stroke=\"blue\" points=\"77.7,-123 23.7,-123 23.7,-87 77.7,-87 77.7,-123\"/>\n",
"<text text-anchor=\"middle\" x=\"50.7\" y=\"-101.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">File</text>\n",
"</g>\n",
"<!-- NotFound -->\n",
"<g id=\"node2\" class=\"node\">\n",
"<title>NotFound</title>\n",
"<ellipse fill=\"none\" stroke=\"red\" cx=\"50.7\" cy=\"-18\" rx=\"50.89\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"50.7\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Not Found</text>\n",
"</g>\n",
"<!-- File&#45;&gt;NotFound -->\n",
"<g id=\"edge1\" class=\"edge\">\n",
"<title>File&#45;&gt;NotFound</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M50.7,-86.8C50.7,-75.16 50.7,-59.55 50.7,-46.24\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"54.2,-46.18 50.7,-36.18 47.2,-46.18 54.2,-46.18\"/>\n",
"<text text-anchor=\"middle\" x=\"76.2\" y=\"-57.8\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Indicator</text>\n",
"</g>\n",
"</g>\n",
"</svg>\n"
],
"text/plain": [
"<graphviz.sources.Source at 0x1433c0be7e0>"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"data": {
"text/plain": [
"'02_output_email_analysis.png'"
]
},
"execution_count": 8,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"# Create a Digraph object and render the graph\n",
"graph = Source(dot_description)\n",
"display(graph)\n",
"\n",
"# Render the graph within the notebook\n",
"graph.render(\"05_output\", format=\"png\", cleanup=True)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.12.3"
}
},
"nbformat": 4,
"nbformat_minor": 2
}

39
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt Normal file
View File

@@ -0,0 +1,39 @@
Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was "Urgent: Verify Your Account Now". The email looks suspicious to me.
Bob: Hi Alice, that does sound fishy. Can you forward me the email? Ill take a look at the headers to see where it came from.
Alice: Sure, forwarding it now.
Bob: Got it. Lets see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.
Alice: Thats definitely not right. Should I be worried?
Bob: We should investigate further. Did you click on any links or download any attachments?
Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.
Bob: Good call on not entering your details. Lets check the URL. This domain was just registered two days ago. Its highly likely its a phishing site.
Alice: What should I do next?
Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?
Alice: Ive cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:
Visited at 10:15 AM: http://banksecure-verification.com/login
Visited at 10:17 AM: http://banksecure-verification.com/account-details
Bob: Thanks. Ill analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.
Alice: There's a file named "AccountDetails.exe" that I dont remember downloading. It was created at 10:20 AM.
Bob: Definitely suspicious. Dont open it. Lets hash the file to verify its integrity. Can you run an MD5 hash on it?
Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.
Bob: This hash matches known malware in our database. Well need to quarantine it and check if it has established any network connections. Ill look into our network logs for the IP 192.168.10.45 around 10:20 AM.
Alice: Is there anything else I need to do?
Bob: For now, avoid using your computer for sensitive tasks. Well also reset your passwords from a different device and enable two-factor authentication on your accounts.
Alice: Thanks, Bob. Ill follow these steps immediately.

20
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_evidence_graph.txt Normal file
View File

@@ -0,0 +1,20 @@
Entities:
Email Address: support@banksecure.com
IP Address: 192.168.10.45
Domain: banksecure.com
Domain: banksecure-verification.com
URL: http://banksecure-verification.com/login
URL: http://banksecure-verification.com/account-details
File Name: AccountDetails.exe
Hash: e99a18c428cb38d5f260853678922e03
Timestamps: 10:15 AM, 10:17 AM, 10:20 AM
Relationships:
Email Address -> IP Address (origin of email)
IP Address -> Domain (registered to IP address)
Domain -> URL (composed URLs)
URL -> Timestamp (visited at specific time)
URL -> File Name (downloaded file)
File Name -> Hash (MD5 hash of file)

133
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz.svg Normal file
View File

@@ -0,0 +1,133 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><!-- Generated by graphviz version 2.40.1 (20161225.0304)
--><!-- Title: EvidenceGraph Pages: 1 --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="919pt" height="404pt" viewBox="0.00 0.00 919.07 404.00">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 400)">
<title>EvidenceGraph</title>
<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-400 915.0707,-400 915.0707,4 -4,4"/>
<!-- Email -->
<g id="node1" class="node">
<title>Email</title>
<ellipse fill="none" stroke="#000000" cx="254.8455" cy="-378" rx="111.2406" ry="18"/>
<text text-anchor="middle" x="254.8455" y="-373.8" font-family="Times,serif" font-size="14.00" fill="#000000">support@banksecure.com</text>
</g>
<!-- IP -->
<g id="node2" class="node">
<title>IP</title>
<ellipse fill="none" stroke="#000000" cx="254.8455" cy="-306" rx="66.6279" ry="18"/>
<text text-anchor="middle" x="254.8455" y="-301.8" font-family="Times,serif" font-size="14.00" fill="#000000">192.168.10.45</text>
</g>
<!-- Email&#45;&gt;IP -->
<g id="edge1" class="edge">
<title>Email-&gt;IP</title>
<path fill="none" stroke="#000000" d="M254.8455,-359.8314C254.8455,-352.131 254.8455,-342.9743 254.8455,-334.4166"/>
<polygon fill="#000000" stroke="#000000" points="258.3456,-334.4132 254.8455,-324.4133 251.3456,-334.4133 258.3456,-334.4132"/>
</g>
<!-- Domain1 -->
<g id="node3" class="node">
<title>Domain1</title>
<ellipse fill="none" stroke="#000000" cx="148.8455" cy="-234" rx="73.5184" ry="18"/>
<text text-anchor="middle" x="148.8455" y="-229.8" font-family="Times,serif" font-size="14.00" fill="#000000">banksecure.com</text>
</g>
<!-- IP&#45;&gt;Domain1 -->
<g id="edge2" class="edge">
<title>IP-&gt;Domain1</title>
<path fill="none" stroke="#000000" d="M229.9932,-289.1192C215.7431,-279.4399 197.6685,-267.1628 182.1964,-256.6534"/>
<polygon fill="#000000" stroke="#000000" points="184.1482,-253.7481 173.9094,-251.0245 180.215,-259.5387 184.1482,-253.7481"/>
</g>
<!-- Domain2 -->
<g id="node4" class="node">
<title>Domain2</title>
<ellipse fill="none" stroke="#000000" cx="361.8455" cy="-234" rx="121.4681" ry="18"/>
<text text-anchor="middle" x="361.8455" y="-229.8" font-family="Times,serif" font-size="14.00" fill="#000000">banksecure-verification.com</text>
</g>
<!-- IP&#45;&gt;Domain2 -->
<g id="edge3" class="edge">
<title>IP-&gt;Domain2</title>
<path fill="none" stroke="#000000" d="M279.9323,-289.1192C293.8738,-279.738 311.4418,-267.9165 326.7297,-257.6293"/>
<polygon fill="#000000" stroke="#000000" points="329.0803,-260.2663 335.4229,-251.7797 325.1723,-254.4587 329.0803,-260.2663"/>
</g>
<!-- URL1 -->
<g id="node5" class="node">
<title>URL1</title>
<ellipse fill="none" stroke="#000000" cx="166.8455" cy="-162" rx="166.6912" ry="18"/>
<text text-anchor="middle" x="166.8455" y="-157.8" font-family="Times,serif" font-size="14.00" fill="#000000">http://banksecure-verification.com/login</text>
</g>
<!-- Domain2&#45;&gt;URL1 -->
<g id="edge4" class="edge">
<title>Domain2-&gt;URL1</title>
<path fill="none" stroke="#000000" d="M316.1267,-217.1192C288.5161,-206.9245 253.1009,-193.8481 223.6949,-182.9906"/>
<polygon fill="#000000" stroke="#000000" points="224.5661,-179.5813 213.9728,-179.4009 222.1415,-186.148 224.5661,-179.5813"/>
</g>
<!-- URL2 -->
<g id="node6" class="node">
<title>URL2</title>
<ellipse fill="none" stroke="#000000" cx="556.8455" cy="-162" rx="205.3906" ry="18"/>
<text text-anchor="middle" x="556.8455" y="-157.8" font-family="Times,serif" font-size="14.00" fill="#000000">http://banksecure-verification.com/account-details</text>
</g>
<!-- Domain2&#45;&gt;URL2 -->
<g id="edge5" class="edge">
<title>Domain2-&gt;URL2</title>
<path fill="none" stroke="#000000" d="M407.5644,-217.1192C435.0738,-206.9619 470.3308,-193.9439 499.6727,-183.11"/>
<polygon fill="#000000" stroke="#000000" points="501.2083,-186.274 509.3769,-179.5269 498.7836,-179.7073 501.2083,-186.274"/>
</g>
<!-- Timestamp1 -->
<g id="node7" class="node">
<title>Timestamp1</title>
<ellipse fill="none" stroke="#000000" cx="166.8455" cy="-90" rx="51.0074" ry="18"/>
<text text-anchor="middle" x="166.8455" y="-85.8" font-family="Times,serif" font-size="14.00" fill="#000000">10:15 AM</text>
</g>
<!-- URL1&#45;&gt;Timestamp1 -->
<g id="edge6" class="edge">
<title>URL1-&gt;Timestamp1</title>
<path fill="none" stroke="#000000" d="M166.8455,-143.8314C166.8455,-136.131 166.8455,-126.9743 166.8455,-118.4166"/>
<polygon fill="#000000" stroke="#000000" points="170.3456,-118.4132 166.8455,-108.4133 163.3456,-118.4133 170.3456,-118.4132"/>
</g>
<!-- Timestamp2 -->
<g id="node8" class="node">
<title>Timestamp2</title>
<ellipse fill="none" stroke="#000000" cx="478.8455" cy="-90" rx="51.0074" ry="18"/>
<text text-anchor="middle" x="478.8455" y="-85.8" font-family="Times,serif" font-size="14.00" fill="#000000">10:17 AM</text>
</g>
<!-- URL2&#45;&gt;Timestamp2 -->
<g id="edge7" class="edge">
<title>URL2-&gt;Timestamp2</title>
<path fill="none" stroke="#000000" d="M537.1628,-143.8314C527.2849,-134.7132 515.195,-123.5534 504.5895,-113.7637"/>
<polygon fill="#000000" stroke="#000000" points="506.9044,-111.1373 497.1823,-106.9263 502.1564,-116.2809 506.9044,-111.1373"/>
</g>
<!-- File -->
<g id="node10" class="node">
<title>File</title>
<ellipse fill="none" stroke="#000000" cx="634.8455" cy="-90" rx="86.8358" ry="18"/>
<text text-anchor="middle" x="634.8455" y="-85.8" font-family="Times,serif" font-size="14.00" fill="#000000">AccountDetails.exe</text>
</g>
<!-- URL2&#45;&gt;File -->
<g id="edge8" class="edge">
<title>URL2-&gt;File</title>
<path fill="none" stroke="#000000" d="M576.5282,-143.8314C586.0945,-135.001 597.7353,-124.2556 608.0932,-114.6944"/>
<polygon fill="#000000" stroke="#000000" points="610.7343,-117.0197 615.7084,-107.665 605.9863,-111.876 610.7343,-117.0197"/>
</g>
<!-- Timestamp3 -->
<g id="node9" class="node">
<title>Timestamp3</title>
<ellipse fill="none" stroke="#000000" cx="519.8455" cy="-18" rx="51.0074" ry="18"/>
<text text-anchor="middle" x="519.8455" y="-13.8" font-family="Times,serif" font-size="14.00" fill="#000000">10:20 AM</text>
</g>
<!-- File&#45;&gt;Timestamp3 -->
<g id="edge9" class="edge">
<title>File-&gt;Timestamp3</title>
<path fill="none" stroke="#000000" d="M607.3001,-72.7542C591.2299,-62.6929 570.8288,-49.92 553.7737,-39.242"/>
<polygon fill="#000000" stroke="#000000" points="555.5338,-36.2146 545.2006,-33.8745 551.8192,-42.1477 555.5338,-36.2146"/>
</g>
<!-- Hash -->
<g id="node11" class="node">
<title>Hash</title>
<ellipse fill="none" stroke="#000000" cx="749.8455" cy="-18" rx="161.4507" ry="18"/>
<text text-anchor="middle" x="749.8455" y="-13.8" font-family="Times,serif" font-size="14.00" fill="#000000">e99a18c428cb38d5f260853678922e03</text>
</g>
<!-- File&#45;&gt;Hash -->
<g id="edge10" class="edge">
<title>File-&gt;Hash</title>
<path fill="none" stroke="#000000" d="M662.3909,-72.7542C677.4166,-63.3468 696.2285,-51.5689 712.5515,-41.3493"/>
<polygon fill="#000000" stroke="#000000" points="714.7054,-44.1302 721.3239,-35.857 710.9907,-38.1971 714.7054,-44.1302"/>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 7.1 KiB

24
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz_dot.txt Normal file
View File

@@ -0,0 +1,24 @@
digraph EvidenceGraph {
Email [label="support@banksecure.com"];
IP [label="192.168.10.45"];
Domain1 [label="banksecure.com"];
Domain2 [label="banksecure-verification.com"];
URL1 [label="http://banksecure-verification.com/login"];
URL2 [label="http://banksecure-verification.com/account-details"];
Timestamp1 [label="10:15 AM"];
Timestamp2 [label="10:17 AM"];
Timestamp3 [label="10:20 AM"];
File [label="AccountDetails.exe"];
Hash [label="e99a18c428cb38d5f260853678922e03"];
Email -> IP;
IP -> Domain1;
IP -> Domain2;
Domain2 -> URL1;
Domain2 -> URL2;
URL1 -> Timestamp1;
URL2 -> Timestamp2;
URL2 -> File;
File -> Timestamp3;
File -> Hash;
}

75
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graph.json Normal file
View File

@@ -0,0 +1,75 @@
{
"type": "email-addr",
"id": "email-addr--9c7ef4f7-4655-448e-aeb8-97f623b82948",
"value": "support@banksecure.com"
},
{
"type": "ipv4-addr",
"id": "ipv4-addr--a539bfe7-1c82-4d3b-9b5e-6cf2c6a2b4cf",
"value": "192.168.10.45"
},
{
"type": "domain-name",
"id": "domain-name--b1c2b7f3-4b14-4ae7-8d6f-54d36b07380c",
"value": "banksecure.com"
},
{
"type": "domain-name",
"id": "domain-name--5d4ed8d1-2e45-4c6b-a5c9-f45c3131e3e2",
"value": "banksecure-verification.com"
},
{
"type": "url",
"id": "url--0cf22d29-b3bb-46a2-b92e-16f92d39b290",
"value": "http://banksecure-verification.com/login"
},
{
"type": "url",
"id": "url--bda54241-9bde-4f4e-a447-9fbfd03fbc5f",
"value": "http://banksecure-verification.com/account-details"
},
{
"type": "file",
"id": "file--3ac1c982-ff0a-45c3-8127-5d1b2d2fd06c",
"name": "AccountDetails.exe",
"hashes": {
"MD5": "e99a18c428cb38d5f260853678922e03"
}
},
{
"type": "observed-data",
"id": "observed-data--1ff3c3a7-424f-4879-a9f3-1f6b7d6c75d4",
"first_observed": "2024-07-18T10:15:00Z",
"last_observed": "2024-07-18T10:20:00Z",
"number_observed": 1,
"objects": {
"0": {
"type": "email-addr",
"id": "email-addr--9c7ef4f7-4655-448e-aeb8-97f623b82948"
},
"1": {
"type": "ipv4-addr",
"id": "ipv4-addr--a539bfe7-1c82-4d3b-9b5e-6cf2c6a2b4cf"
},
"2": {
"type": "domain-name",
"id": "domain-name--b1c2b7f3-4b14-4ae7-8d6f-54d36b07380c"
},
"3": {
"type": "domain-name",
"id": "domain-name--5d4ed8d1-2e45-4c6b-a5c9-f45c3131e3e2"
},
"4": {
"type": "url",
"id": "url--0cf22d29-b3bb-46a2-b92e-16f92d39b290"
},
"5": {
"type": "url",
"id": "url--bda54241-9bde-4f4e-a447-9fbfd03fbc5f"
},
"6": {
"type": "file",
"id": "file--3ac1c982-ff0a-45c3-8127-5d1b2d2fd06c"
}
}
}

107
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz.svg Normal file
View File

@@ -0,0 +1,107 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><!-- Generated by graphviz version 2.40.1 (20161225.0304)
--><!-- Title: STIXGraph Pages: 1 --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1752pt" height="161pt" viewBox="0.00 0.00 1752.48 160.80">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 156.8)">
<title>STIXGraph</title>
<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-156.8 1748.4811,-156.8 1748.4811,4 -4,4"/>
<!-- email -->
<g id="node1" class="node">
<title>email</title>
<polygon fill="none" stroke="#000000" points="202.4304,-38.8 -.1436,-38.8 -.1436,-2.8 202.4304,-2.8 202.4304,-38.8"/>
<text text-anchor="middle" x="101.1434" y="-16.6" font-family="Times,serif" font-size="14.00" fill="#000000">Email: support@banksecure.com</text>
</g>
<!-- ipv4 -->
<g id="node2" class="node">
<title>ipv4</title>
<polygon fill="none" stroke="#000000" points="385.8485,-38.8 220.4383,-38.8 220.4383,-2.8 385.8485,-2.8 385.8485,-38.8"/>
<text text-anchor="middle" x="303.1434" y="-16.6" font-family="Times,serif" font-size="14.00" fill="#000000">IP Address: 192.168.10.45</text>
</g>
<!-- domain1 -->
<g id="node3" class="node">
<title>domain1</title>
<polygon fill="none" stroke="#000000" points="562.7052,-38.8 403.5816,-38.8 403.5816,-2.8 562.7052,-2.8 562.7052,-38.8"/>
<text text-anchor="middle" x="483.1434" y="-16.6" font-family="Times,serif" font-size="14.00" fill="#000000">Domain: banksecure.com</text>
</g>
<!-- domain2 -->
<g id="node4" class="node">
<title>domain2</title>
<polygon fill="none" stroke="#000000" points="809.3933,-38.8 580.8935,-38.8 580.8935,-2.8 809.3933,-2.8 809.3933,-38.8"/>
<text text-anchor="middle" x="695.1434" y="-16.6" font-family="Times,serif" font-size="14.00" fill="#000000">Domain: banksecure-verification.com</text>
</g>
<!-- url1 -->
<g id="node5" class="node">
<title>url1</title>
<polygon fill="none" stroke="#000000" points="1104.9115,-38.8 827.3753,-38.8 827.3753,-2.8 1104.9115,-2.8 1104.9115,-38.8"/>
<text text-anchor="middle" x="966.1434" y="-16.6" font-family="Times,serif" font-size="14.00" fill="#000000">URL: http://banksecure-verification.com/login</text>
</g>
<!-- url2 -->
<g id="node6" class="node">
<title>url2</title>
<polygon fill="none" stroke="#000000" points="1455.8709,-38.8 1122.4159,-38.8 1122.4159,-2.8 1455.8709,-2.8 1455.8709,-38.8"/>
<text text-anchor="middle" x="1289.1434" y="-16.6" font-family="Times,serif" font-size="14.00" fill="#000000">URL: http://banksecure-verification.com/account-details</text>
</g>
<!-- file -->
<g id="node7" class="node">
<title>file</title>
<polygon fill="none" stroke="#000000" points="1744.319,-41.4019 1473.9678,-41.4019 1473.9678,-.1981 1744.319,-.1981 1744.319,-41.4019"/>
<text text-anchor="middle" x="1609.1434" y="-25" font-family="Times,serif" font-size="14.00" fill="#000000">File: AccountDetails.exe</text>
<text text-anchor="middle" x="1609.1434" y="-8.2" font-family="Times,serif" font-size="14.00" fill="#000000">MD5: e99a18c428cb38d5f260853678922e03</text>
</g>
<!-- observed_data -->
<g id="node8" class="node">
<title>observed_data</title>
<polygon fill="none" stroke="#000000" points="814.552,-153.0014 575.7348,-153.0014 575.7348,-94.1986 814.552,-94.1986 814.552,-153.0014"/>
<text text-anchor="middle" x="695.1434" y="-136.2" font-family="Times,serif" font-size="14.00" fill="#000000">Observed Data</text>
<text text-anchor="middle" x="695.1434" y="-119.4" font-family="Times,serif" font-size="14.00" fill="#000000">First Observed: 2024-07-18T10:15:00Z</text>
<text text-anchor="middle" x="695.1434" y="-102.6" font-family="Times,serif" font-size="14.00" fill="#000000">Last Observed: 2024-07-18T10:20:00Z</text>
</g>
<!-- observed_data&#45;&gt;email -->
<g id="edge1" class="edge">
<title>observed_data-&gt;email</title>
<path fill="none" stroke="#000000" d="M575.7289,-105.919C520.0116,-97.4261 452.8433,-86.8408 392.609,-76.4 328.8058,-65.3406 257.3864,-51.7365 201.2137,-40.7534"/>
<polygon fill="#000000" stroke="#000000" points="201.7518,-37.2923 191.2655,-38.8045 200.406,-44.1617 201.7518,-37.2923"/>
<text text-anchor="middle" x="418.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
<!-- observed_data&#45;&gt;ipv4 -->
<g id="edge2" class="edge">
<title>observed_data-&gt;ipv4</title>
<path fill="none" stroke="#000000" d="M579.2828,-94.39C556.1866,-88.4925 532.1161,-82.2931 509.609,-76.4 466.2407,-65.0447 417.8429,-52.0298 378.8119,-41.448"/>
<polygon fill="#000000" stroke="#000000" points="379.667,-38.0535 369.0994,-38.8126 377.8339,-44.8092 379.667,-38.0535"/>
<text text-anchor="middle" x="535.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
<!-- observed_data&#45;&gt;domain1 -->
<g id="edge3" class="edge">
<title>observed_data-&gt;domain1</title>
<path fill="none" stroke="#000000" d="M634.6764,-94.2792C601.2919,-78.0909 560.4677,-58.295 529.6073,-43.3306"/>
<polygon fill="#000000" stroke="#000000" points="530.8942,-40.0649 520.3691,-38.8509 527.8399,-46.3634 530.8942,-40.0649"/>
<text text-anchor="middle" x="621.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
<!-- observed_data&#45;&gt;domain2 -->
<g id="edge4" class="edge">
<title>observed_data-&gt;domain2</title>
<path fill="none" stroke="#000000" d="M695.1434,-94.1416C695.1434,-79.958 695.1434,-63.0301 695.1434,-49.0129"/>
<polygon fill="#000000" stroke="#000000" points="698.6435,-48.9548 695.1434,-38.9549 691.6435,-48.9549 698.6435,-48.9548"/>
<text text-anchor="middle" x="720.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
<!-- observed_data&#45;&gt;url1 -->
<g id="edge5" class="edge">
<title>observed_data-&gt;url1</title>
<path fill="none" stroke="#000000" d="M772.4385,-94.2792C815.9417,-77.7769 869.3277,-57.5257 909.0295,-42.4654"/>
<polygon fill="#000000" stroke="#000000" points="910.4492,-45.6702 918.5577,-38.8509 907.9664,-39.1253 910.4492,-45.6702"/>
<text text-anchor="middle" x="888.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
<!-- observed_data&#45;&gt;url2 -->
<g id="edge6" class="edge">
<title>observed_data-&gt;url2</title>
<path fill="none" stroke="#000000" d="M814.6336,-102.9205C919.6569,-84.7448 1071.4552,-58.474 1174.8862,-40.5738"/>
<polygon fill="#000000" stroke="#000000" points="1175.4848,-44.0223 1184.7415,-38.8682 1174.2911,-37.1249 1175.4848,-44.0223"/>
<text text-anchor="middle" x="1088.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
<!-- observed_data&#45;&gt;file -->
<g id="edge7" class="edge">
<title>observed_data-&gt;file</title>
<path fill="none" stroke="#000000" d="M814.3503,-112.2987C963.6709,-97.8268 1227.6044,-71.2065 1463.7197,-41.7592"/>
<polygon fill="#000000" stroke="#000000" points="1464.3883,-45.2029 1473.8764,-40.4886 1463.5193,-38.2571 1464.3883,-45.2029"/>
<text text-anchor="middle" x="1322.4106" y="-63.8" font-family="Times,serif" font-size="14.00" fill="#000000">observed</text>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 7.1 KiB

24
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz_dot.txt Normal file
View File

@@ -0,0 +1,24 @@
digraph PhishingIncident {
Email [label="Email"];
EmailDomain [label="Email Domain"];
SuspiciousLink [label="Suspicious Link"];
LoginPage [label="Login Page"];
Credentials [label="Credentials"];
Alert [label="Security Alert"];
EmployeeAccount [label="Employee Account"];
ForwardedEmail [label="Forwarded Email"];
NetworkScan [label="Network Scan"];
TeamNotification [label="Team Notification"];
ITSecuritySpecialist [label="IT Security Specialist"];
Email -> EmailDomain [label="from"];
Email -> SuspiciousLink [label="contains"];
SuspiciousLink -> LoginPage [label="redirects to"];
LoginPage -> Credentials [label="requests"];
Credentials -> Alert [label="triggered"];
Alert -> EmployeeAccount [label="related to"];
Email -> ForwardedEmail [label="forwarded by Taylor"];
ForwardedEmail -> ITSecuritySpecialist [label="received by"];
ITSecuritySpecialist -> NetworkScan [label="initiates"];
ITSecuritySpecialist -> TeamNotification [label="sends"];
}

20
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/conversation.txt Normal file
View File

@@ -0,0 +1,20 @@
Taylor: Hey Alex, I think I might have clicked on a suspicious link in an email.
Alex: Oh no, Taylor. Can you describe what happened?
Taylor: I got an email from what looked like our HR department. It said there was an urgent update to our benefits package, and I needed to click a link to review the changes.
Alex: Did the email address seem legitimate?
Taylor: At first glance, yes, but now that I think about it, the domain was slightly different. It was hr-dept@ourcompany-security.com instead of @ourcompany.com.
Alex: That sounds like phishing. What happened after you clicked the link?
Taylor: It took me to a login page that looked just like our internal portal. I entered my username and password.
Alex: Did you notice anything unusual after entering your credentials?
Taylor: Not immediately, but a few minutes later, I got an alert that someone attempted to log into my account from a different location.
Alex: Okay, this sounds serious. I need you to change your password immediately and enable two-factor authentication if you haven't already.
Taylor: Done. What should we do next?
Alex: I'll start by examining the email headers to trace the origin. Also, I need to check the link you clicked on to understand its structure and where it leads.
Taylor: Alright, Ill forward you the email.
Alex: Thanks. Ill also run a network scan to see if any other devices might have been compromised.
Taylor: Should I inform the rest of the team?
Alex: Yes, let them know about the phishing attempt and advise them to be cautious. Ill send an official email with detailed instructions.
Taylor: Got it. Thanks, Alex. Is there anything else I should do?
Alex: Just keep an eye out for any unusual activities in your accounts. Ill handle the technical investigation and follow up with you if I need more information.
Taylor: Will do. Thanks again.
Alex: No problem. Stay safe online.

23
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_evidence_graph.txt Normal file
View File

@@ -0,0 +1,23 @@
Nodes:
Email (Entity: Email)
Email Domain (Entity: Domain)
Suspicious Link (Entity: URL)
Login Page (Entity: Web Page)
Credentials (Entity: Username/Password)
Alert (Entity: Security Alert)
Employee Account (Entity: Account)
Forwarded Email (Entity: Email)
Network Scan (Entity: Network Activity)
Team Notification (Entity: Communication)
Edges:
Email -> Email Domain (Relationship: "from")
Email -> Suspicious Link (Relationship: "contains")
Suspicious Link -> Login Page (Relationship: "redirects to")
Login Page -> Credentials (Relationship: "requests")
Credentials -> Alert (Relationship: "triggered")
Alert -> Employee Account (Relationship: "related to")
Email -> Forwarded Email (Relationship: "forwarded by Taylor")
Forwarded Email -> IT Security Specialist (Relationship: "received by")
IT Security Specialist -> Network Scan (Relationship: "initiates")
IT Security Specialist -> Team Notification (Relationship: "sends")

143
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz.svg Normal file
View File

@@ -0,0 +1,143 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><!-- Generated by graphviz version 2.40.1 (20161225.0304)
--><!-- Title: PhishingIncident Pages: 1 --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="637pt" height="488pt" viewBox="0.00 0.00 636.73 488.00">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 484)">
<title>PhishingIncident</title>
<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-484 632.7262,-484 632.7262,4 -4,4"/>
<!-- Email -->
<g id="node1" class="node">
<title>Email</title>
<ellipse fill="none" stroke="#000000" cx="226.6272" cy="-462" rx="34.2045" ry="18"/>
<text text-anchor="middle" x="226.6272" y="-457.8" font-family="Times,serif" font-size="14.00" fill="#000000">Email</text>
</g>
<!-- EmailDomain -->
<g id="node2" class="node">
<title>EmailDomain</title>
<ellipse fill="none" stroke="#000000" cx="67.6272" cy="-373.2" rx="67.7546" ry="18"/>
<text text-anchor="middle" x="67.6272" y="-369" font-family="Times,serif" font-size="14.00" fill="#000000">Email Domain</text>
</g>
<!-- Email&#45;&gt;EmailDomain -->
<g id="edge1" class="edge">
<title>Email-&gt;EmailDomain</title>
<path fill="none" stroke="#000000" d="M203.1662,-448.8973C177.5669,-434.6003 136.1949,-411.4944 105.8844,-394.5663"/>
<polygon fill="#000000" stroke="#000000" points="107.2999,-391.348 96.8626,-389.5277 103.8866,-397.4595 107.2999,-391.348"/>
<text text-anchor="middle" x="175.2331" y="-413.4" font-family="Times,serif" font-size="14.00" fill="#000000">from</text>
</g>
<!-- SuspiciousLink -->
<g id="node3" class="node">
<title>SuspiciousLink</title>
<ellipse fill="none" stroke="#000000" cx="226.6272" cy="-373.2" rx="73.5764" ry="18"/>
<text text-anchor="middle" x="226.6272" y="-369" font-family="Times,serif" font-size="14.00" fill="#000000">Suspicious Link</text>
</g>
<!-- Email&#45;&gt;SuspiciousLink -->
<g id="edge2" class="edge">
<title>Email-&gt;SuspiciousLink</title>
<path fill="none" stroke="#000000" d="M226.6272,-443.6006C226.6272,-431.4949 226.6272,-415.4076 226.6272,-401.6674"/>
<polygon fill="#000000" stroke="#000000" points="230.1273,-401.272 226.6272,-391.272 223.1273,-401.2721 230.1273,-401.272"/>
<text text-anchor="middle" x="249.9547" y="-413.4" font-family="Times,serif" font-size="14.00" fill="#000000">contains</text>
</g>
<!-- ForwardedEmail -->
<g id="node8" class="node">
<title>ForwardedEmail</title>
<ellipse fill="none" stroke="#000000" cx="396.6272" cy="-373.2" rx="78.1892" ry="18"/>
<text text-anchor="middle" x="396.6272" y="-369" font-family="Times,serif" font-size="14.00" fill="#000000">Forwarded Email</text>
</g>
<!-- Email&#45;&gt;ForwardedEmail -->
<g id="edge7" class="edge">
<title>Email-&gt;ForwardedEmail</title>
<path fill="none" stroke="#000000" d="M250.984,-449.2771C278.4258,-434.9428 323.4634,-411.4173 356.2001,-394.3172"/>
<polygon fill="#000000" stroke="#000000" points="357.8394,-397.4097 365.0825,-389.6775 354.5984,-391.2052 357.8394,-397.4097"/>
<text text-anchor="middle" x="385.5452" y="-413.4" font-family="Times,serif" font-size="14.00" fill="#000000">forwarded by Taylor</text>
</g>
<!-- LoginPage -->
<g id="node4" class="node">
<title>LoginPage</title>
<ellipse fill="none" stroke="#000000" cx="226.6272" cy="-284.4" rx="55.0797" ry="18"/>
<text text-anchor="middle" x="226.6272" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">Login Page</text>
</g>
<!-- SuspiciousLink&#45;&gt;LoginPage -->
<g id="edge3" class="edge">
<title>SuspiciousLink-&gt;LoginPage</title>
<path fill="none" stroke="#000000" d="M226.6272,-354.8006C226.6272,-342.6949 226.6272,-326.6076 226.6272,-312.8674"/>
<polygon fill="#000000" stroke="#000000" points="230.1273,-312.472 226.6272,-302.472 223.1273,-312.4721 230.1273,-312.472"/>
<text text-anchor="middle" x="257.9179" y="-324.6" font-family="Times,serif" font-size="14.00" fill="#000000">redirects to</text>
</g>
<!-- Credentials -->
<g id="node5" class="node">
<title>Credentials</title>
<ellipse fill="none" stroke="#000000" cx="226.6272" cy="-195.6" rx="55.0304" ry="18"/>
<text text-anchor="middle" x="226.6272" y="-191.4" font-family="Times,serif" font-size="14.00" fill="#000000">Credentials</text>
</g>
<!-- LoginPage&#45;&gt;Credentials -->
<g id="edge4" class="edge">
<title>LoginPage-&gt;Credentials</title>
<path fill="none" stroke="#000000" d="M226.6272,-266.0006C226.6272,-253.8949 226.6272,-237.8076 226.6272,-224.0674"/>
<polygon fill="#000000" stroke="#000000" points="230.1273,-223.672 226.6272,-213.672 223.1273,-223.6721 230.1273,-223.672"/>
<text text-anchor="middle" x="249.562" y="-235.8" font-family="Times,serif" font-size="14.00" fill="#000000">requests</text>
</g>
<!-- Alert -->
<g id="node6" class="node">
<title>Alert</title>
<ellipse fill="none" stroke="#000000" cx="226.6272" cy="-106.8" rx="65.4435" ry="18"/>
<text text-anchor="middle" x="226.6272" y="-102.6" font-family="Times,serif" font-size="14.00" fill="#000000">Security Alert</text>
</g>
<!-- Credentials&#45;&gt;Alert -->
<g id="edge5" class="edge">
<title>Credentials-&gt;Alert</title>
<path fill="none" stroke="#000000" d="M226.6272,-177.2006C226.6272,-165.0949 226.6272,-149.0076 226.6272,-135.2674"/>
<polygon fill="#000000" stroke="#000000" points="230.1273,-134.872 226.6272,-124.872 223.1273,-134.8721 230.1273,-134.872"/>
<text text-anchor="middle" x="251.893" y="-147" font-family="Times,serif" font-size="14.00" fill="#000000">triggered</text>
</g>
<!-- EmployeeAccount -->
<g id="node7" class="node">
<title>EmployeeAccount</title>
<ellipse fill="none" stroke="#000000" cx="226.6272" cy="-18" rx="85.1378" ry="18"/>
<text text-anchor="middle" x="226.6272" y="-13.8" font-family="Times,serif" font-size="14.00" fill="#000000">Employee Account</text>
</g>
<!-- Alert&#45;&gt;EmployeeAccount -->
<g id="edge6" class="edge">
<title>Alert-&gt;EmployeeAccount</title>
<path fill="none" stroke="#000000" d="M226.6272,-88.4006C226.6272,-76.2949 226.6272,-60.2076 226.6272,-46.4674"/>
<polygon fill="#000000" stroke="#000000" points="230.1273,-46.072 226.6272,-36.072 223.1273,-46.0721 230.1273,-46.072"/>
<text text-anchor="middle" x="252.8653" y="-58.2" font-family="Times,serif" font-size="14.00" fill="#000000">related to</text>
</g>
<!-- ITSecuritySpecialist -->
<g id="node11" class="node">
<title>ITSecuritySpecialist</title>
<ellipse fill="none" stroke="#000000" cx="396.6272" cy="-284.4" rx="94.9148" ry="18"/>
<text text-anchor="middle" x="396.6272" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">IT Security Specialist</text>
</g>
<!-- ForwardedEmail&#45;&gt;ITSecuritySpecialist -->
<g id="edge8" class="edge">
<title>ForwardedEmail-&gt;ITSecuritySpecialist</title>
<path fill="none" stroke="#000000" d="M396.6272,-354.8006C396.6272,-342.6949 396.6272,-326.6076 396.6272,-312.8674"/>
<polygon fill="#000000" stroke="#000000" points="400.1273,-312.472 396.6272,-302.472 393.1273,-312.4721 400.1273,-312.472"/>
<text text-anchor="middle" x="429.082" y="-324.6" font-family="Times,serif" font-size="14.00" fill="#000000">received by</text>
</g>
<!-- NetworkScan -->
<g id="node9" class="node">
<title>NetworkScan</title>
<ellipse fill="none" stroke="#000000" cx="380.6272" cy="-195.6" rx="66.0115" ry="18"/>
<text text-anchor="middle" x="380.6272" y="-191.4" font-family="Times,serif" font-size="14.00" fill="#000000">Network Scan</text>
</g>
<!-- TeamNotification -->
<g id="node10" class="node">
<title>TeamNotification</title>
<ellipse fill="none" stroke="#000000" cx="546.6272" cy="-195.6" rx="82.1983" ry="18"/>
<text text-anchor="middle" x="546.6272" y="-191.4" font-family="Times,serif" font-size="14.00" fill="#000000">Team Notification</text>
</g>
<!-- ITSecuritySpecialist&#45;&gt;NetworkScan -->
<g id="edge9" class="edge">
<title>ITSecuritySpecialist-&gt;NetworkScan</title>
<path fill="none" stroke="#000000" d="M393.312,-266.0006C391.1092,-253.775 388.1747,-237.4887 385.683,-223.6599"/>
<polygon fill="#000000" stroke="#000000" points="389.1013,-222.8929 383.8834,-213.672 382.2122,-224.1342 389.1013,-222.8929"/>
<text text-anchor="middle" x="412.7906" y="-235.8" font-family="Times,serif" font-size="14.00" fill="#000000">initiates</text>
</g>
<!-- ITSecuritySpecialist&#45;&gt;TeamNotification -->
<g id="edge10" class="edge">
<title>ITSecuritySpecialist-&gt;TeamNotification</title>
<path fill="none" stroke="#000000" d="M425.9048,-267.0677C449.7001,-252.9808 483.4249,-233.0157 509.1834,-217.7667"/>
<polygon fill="#000000" stroke="#000000" points="511.1108,-220.6931 517.933,-212.587 507.5448,-214.6694 511.1108,-220.6931"/>
<text text-anchor="middle" x="500.1791" y="-235.8" font-family="Times,serif" font-size="14.00" fill="#000000">sends</text>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 8.6 KiB

24
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz_dot.txt Normal file
View File

@@ -0,0 +1,24 @@
digraph PhishingIncident {
Email [label="Email"];
EmailDomain [label="Email Domain"];
SuspiciousLink [label="Suspicious Link"];
LoginPage [label="Login Page"];
Credentials [label="Credentials"];
Alert [label="Security Alert"];
EmployeeAccount [label="Employee Account"];
ForwardedEmail [label="Forwarded Email"];
NetworkScan [label="Network Scan"];
TeamNotification [label="Team Notification"];
ITSecuritySpecialist [label="IT Security Specialist"];
Email -> EmailDomain [label="from"];
Email -> SuspiciousLink [label="contains"];
SuspiciousLink -> LoginPage [label="redirects to"];
LoginPage -> Credentials [label="requests"];
Credentials -> Alert [label="triggered"];
Alert -> EmployeeAccount [label="related to"];
Email -> ForwardedEmail [label="forwarded by Taylor"];
ForwardedEmail -> ITSecuritySpecialist [label="received by"];
ITSecuritySpecialist -> NetworkScan [label="initiates"];
ITSecuritySpecialist -> TeamNotification [label="sends"];
}

88
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graph.json Normal file
View File

@@ -0,0 +1,88 @@
{
"type": "bundle",
"id": "bundle--b5d5f5d4-4c5a-4c3d-9224-5d91b0df6fd5",
"objects": [
{
"type": "identity",
"id": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"name": "OurCompany",
"identity_class": "organization",
"sectors": ["technology"],
"contact_information": "info@ourcompany.com"
},
{
"type": "email-addr",
"id": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
"value": "hr-dept@ourcompany-security.com"
},
{
"type": "email-message",
"id": "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97",
"is_multipart": false,
"subject": "Urgent Benefits Package Update",
"from_ref": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
"body": "Please click the link to review the changes to your benefits package."
},
{
"type": "url",
"id": "url--4c3b-4c4b-bb6c-ded6b2a4a567",
"value": "http://phishing-link.com/login"
},
{
"type": "user-account",
"id": "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400",
"user_id": "Taylor",
"account_login": "taylor@ourcompany.com"
},
{
"type": "observable",
"id": "observable--001",
"observable_type": "email",
"observable_value": "hr-dept@ourcompany-security.com"
},
{
"type": "observable",
"id": "observable--002",
"observable_type": "url",
"observable_value": "http://phishing-link.com/login"
},
{
"type": "indicator",
"id": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"name": "Phishing Email Indicator",
"pattern": "[email-message:subject = 'Urgent Benefits Package Update']",
"valid_from": "2024-07-17T00:00:00Z"
},
{
"type": "incident",
"id": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"name": "Phishing Attack on OurCompany",
"description": "A phishing attack where a suspicious email was sent to an employee of OurCompany.",
"first_seen": "2024-07-17T08:00:00Z",
"last_seen": "2024-07-17T08:10:00Z",
"status": "ongoing",
"affected_assets": ["user-account--bd5631cf-2af6-4bba-bc92-37c60d020400"]
},
{
"type": "relationship",
"id": "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d",
"relationship_type": "indicates",
"source_ref": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
"target_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857"
},
{
"type": "relationship",
"id": "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed",
"relationship_type": "attributed-to",
"source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"target_ref": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f"
},
{
"type": "relationship",
"id": "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051",
"relationship_type": "uses",
"source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
"target_ref": "url--4c3b-4c4b-bb6c-ded6b2a4a567"
}
]
}

142
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz.svg Normal file
View File

@@ -0,0 +1,142 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><!-- Generated by graphviz version 2.40.1 (20161225.0304)
--><!-- Title: PhishingIncident Pages: 1 --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1175pt" height="310pt" viewBox="0.00 0.00 1174.71 310.40">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 306.4)">
<title>PhishingIncident</title>
<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-306.4 1170.7069,-306.4 1170.7069,4 -4,4"/>
<!-- Identity -->
<g id="node1" class="node">
<title>Identity</title>
<polygon fill="none" stroke="#000000" points="143.22,-124.8 -.0734,-124.8 -.0734,-88.8 143.22,-88.8 143.22,-124.8"/>
<text text-anchor="middle" x="71.5733" y="-102.6" font-family="Times,serif" font-size="14.00" fill="#000000">Identity: OurCompany</text>
</g>
<!-- EmailAddress -->
<g id="node2" class="node">
<title>EmailAddress</title>
<polygon fill="none" stroke="#000000" points="686.6547,-302.4 380.4919,-302.4 380.4919,-266.4 686.6547,-266.4 686.6547,-302.4"/>
<text text-anchor="middle" x="533.5733" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">Email Address: hr-dept@ourcompany-security.com</text>
</g>
<!-- EmailMessage -->
<g id="node3" class="node">
<title>EmailMessage</title>
<polygon fill="none" stroke="#000000" points="679.9728,-213.6 387.1738,-213.6 387.1738,-177.6 679.9728,-177.6 679.9728,-213.6"/>
<text text-anchor="middle" x="533.5733" y="-191.4" font-family="Times,serif" font-size="14.00" fill="#000000">Email Message: Urgent Benefits Package Update</text>
</g>
<!-- EmailAddress&#45;&gt;EmailMessage -->
<g id="edge1" class="edge">
<title>EmailAddress-&gt;EmailMessage</title>
<path fill="none" stroke="#000000" d="M533.5733,-266.0006C533.5733,-253.8949 533.5733,-237.8076 533.5733,-224.0674"/>
<polygon fill="#000000" stroke="#000000" points="537.0734,-223.672 533.5733,-213.672 530.0734,-223.6721 537.0734,-223.672"/>
<text text-anchor="middle" x="547.1792" y="-235.8" font-family="Times,serif" font-size="14.00" fill="#000000">from</text>
</g>
<!-- URL -->
<g id="node4" class="node">
<title>URL</title>
<polygon fill="none" stroke="#000000" points="493.3574,-124.8 273.7892,-124.8 273.7892,-88.8 493.3574,-88.8 493.3574,-124.8"/>
<text text-anchor="middle" x="383.5733" y="-102.6" font-family="Times,serif" font-size="14.00" fill="#000000">URL: http://phishing-link.com/login</text>
</g>
<!-- EmailMessage&#45;&gt;URL -->
<g id="edge2" class="edge">
<title>EmailMessage-&gt;URL</title>
<path fill="none" stroke="#000000" d="M502.8566,-177.4157C479.7265,-163.7227 447.8416,-144.8468 422.8562,-130.0555"/>
<polygon fill="#000000" stroke="#000000" points="424.3804,-126.8905 413.9923,-124.808 420.8144,-132.9141 424.3804,-126.8905"/>
<text text-anchor="middle" x="507.5414" y="-147" font-family="Times,serif" font-size="14.00" fill="#000000">contains link</text>
</g>
<!-- ObservableEmail -->
<g id="node6" class="node">
<title>ObservableEmail</title>
<polygon fill="none" stroke="#000000" points="681.5201,-124.8 511.6265,-124.8 511.6265,-88.8 681.5201,-88.8 681.5201,-124.8"/>
<text text-anchor="middle" x="596.5733" y="-102.6" font-family="Times,serif" font-size="14.00" fill="#000000">Observable: Email Address</text>
</g>
<!-- EmailMessage&#45;&gt;ObservableEmail -->
<g id="edge4" class="edge">
<title>EmailMessage-&gt;ObservableEmail</title>
<path fill="none" stroke="#000000" d="M546.6269,-177.2006C555.6406,-164.4956 567.7656,-147.4051 577.8118,-133.2448"/>
<polygon fill="#000000" stroke="#000000" points="580.8202,-135.0532 583.7519,-124.872 575.111,-131.0027 580.8202,-135.0532"/>
<text text-anchor="middle" x="593.5081" y="-147" font-family="Times,serif" font-size="14.00" fill="#000000">matches</text>
</g>
<!-- UserAccount -->
<g id="node5" class="node">
<title>UserAccount</title>
<polygon fill="none" stroke="#000000" points="278.6351,-36 140.5115,-36 140.5115,0 278.6351,0 278.6351,-36"/>
<text text-anchor="middle" x="209.5733" y="-13.8" font-family="Times,serif" font-size="14.00" fill="#000000">User Account: Taylor</text>
</g>
<!-- URL&#45;&gt;UserAccount -->
<g id="edge3" class="edge">
<title>URL-&gt;UserAccount</title>
<path fill="none" stroke="#000000" d="M310.5173,-88.7115C296.4791,-83.868 282.2216,-77.9407 269.5683,-70.8 256.5689,-63.464 243.9004,-52.9696 233.5802,-43.2667"/>
<polygon fill="#000000" stroke="#000000" points="235.7876,-40.5312 226.1794,-36.0666 230.9063,-45.5485 235.7876,-40.5312"/>
<text text-anchor="middle" x="323.5758" y="-58.2" font-family="Times,serif" font-size="14.00" fill="#000000">requests credentials</text>
</g>
<!-- ObservableURL -->
<g id="node7" class="node">
<title>ObservableURL</title>
<polygon fill="none" stroke="#000000" points="441.206,-36 325.9406,-36 325.9406,0 441.206,0 441.206,-36"/>
<text text-anchor="middle" x="383.5733" y="-13.8" font-family="Times,serif" font-size="14.00" fill="#000000">Observable: URL</text>
</g>
<!-- URL&#45;&gt;ObservableURL -->
<g id="edge5" class="edge">
<title>URL-&gt;ObservableURL</title>
<path fill="none" stroke="#000000" d="M383.5733,-88.4006C383.5733,-76.2949 383.5733,-60.2076 383.5733,-46.4674"/>
<polygon fill="#000000" stroke="#000000" points="387.0734,-46.072 383.5733,-36.072 380.0734,-46.0721 387.0734,-46.072"/>
<text text-anchor="middle" x="406.5081" y="-58.2" font-family="Times,serif" font-size="14.00" fill="#000000">matches</text>
</g>
<!-- Indicator -->
<g id="node8" class="node">
<title>Indicator</title>
<polygon fill="none" stroke="#000000" points="286.4745,-302.4 72.6721,-302.4 72.6721,-266.4 286.4745,-266.4 286.4745,-302.4"/>
<text text-anchor="middle" x="179.5733" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">Indicator: Phishing Email Indicator</text>
</g>
<!-- Incident -->
<g id="node9" class="node">
<title>Incident</title>
<polygon fill="none" stroke="#000000" points="307.8695,-213.6 51.2771,-213.6 51.2771,-177.6 307.8695,-177.6 307.8695,-213.6"/>
<text text-anchor="middle" x="179.5733" y="-191.4" font-family="Times,serif" font-size="14.00" fill="#000000">Incident: Phishing Attack on OurCompany</text>
</g>
<!-- Indicator&#45;&gt;Incident -->
<g id="edge6" class="edge">
<title>Indicator-&gt;Incident</title>
<path fill="none" stroke="#000000" d="M179.5733,-266.0006C179.5733,-253.8949 179.5733,-237.8076 179.5733,-224.0674"/>
<polygon fill="#000000" stroke="#000000" points="183.0734,-223.672 179.5733,-213.672 176.0734,-223.6721 183.0734,-223.672"/>
<text text-anchor="middle" x="204.4534" y="-235.8" font-family="Times,serif" font-size="14.00" fill="#000000">indicates</text>
</g>
<!-- Incident&#45;&gt;Identity -->
<g id="edge7" class="edge">
<title>Incident-&gt;Identity</title>
<path fill="none" stroke="#000000" d="M123.7565,-177.4923C114.2647,-172.7081 105.0578,-166.8074 97.5305,-159.6 90.2703,-152.6483 84.7562,-143.2392 80.7186,-134.2891"/>
<polygon fill="#000000" stroke="#000000" points="83.9094,-132.8439 76.9041,-124.8955 77.4237,-135.4776 83.9094,-132.8439"/>
<text text-anchor="middle" x="131.5947" y="-147" font-family="Times,serif" font-size="14.00" fill="#000000">attributed to</text>
</g>
<!-- Incident&#45;&gt;URL -->
<g id="edge8" class="edge">
<title>Incident-&gt;URL</title>
<path fill="none" stroke="#000000" d="M221.348,-177.4157C253.6328,-163.3623 298.459,-143.8498 332.8113,-128.8964"/>
<polygon fill="#000000" stroke="#000000" points="334.4315,-132.0084 342.2035,-124.808 331.6376,-125.5901 334.4315,-132.0084"/>
<text text-anchor="middle" x="311.6252" y="-147" font-family="Times,serif" font-size="14.00" fill="#000000">uses</text>
</g>
<!-- Incident&#45;&gt;UserAccount -->
<g id="edge9" class="edge">
<title>Incident-&gt;UserAccount</title>
<path fill="none" stroke="#000000" d="M180.0454,-177.3092C180.8522,-155.9203 183.0183,-119.5278 188.7941,-88.8 191.5016,-74.3957 195.9396,-58.7248 200.0204,-45.7966"/>
<polygon fill="#000000" stroke="#000000" points="203.4117,-46.6853 203.1766,-36.0931 196.755,-44.5201 203.4117,-46.6853"/>
<text text-anchor="middle" x="227.4629" y="-102.6" font-family="Times,serif" font-size="14.00" fill="#000000">affected asset</text>
</g>
<!-- RelationshipIndicates -->
<g id="node10" class="node">
<title>RelationshipIndicates</title>
<polygon fill="none" stroke="#000000" points="848.4969,-302.4 704.6497,-302.4 704.6497,-266.4 848.4969,-266.4 848.4969,-302.4"/>
<text text-anchor="middle" x="776.5733" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">Relationship: indicates</text>
</g>
<!-- RelationshipAttributedTo -->
<g id="node11" class="node">
<title>RelationshipAttributedTo</title>
<polygon fill="none" stroke="#000000" points="1030.4405,-302.4 866.7061,-302.4 866.7061,-266.4 1030.4405,-266.4 1030.4405,-302.4"/>
<text text-anchor="middle" x="948.5733" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">Relationship: attributed-to</text>
</g>
<!-- RelationshipUses -->
<g id="node12" class="node">
<title>RelationshipUses</title>
<polygon fill="none" stroke="#000000" points="1166.8408,-302.4 1048.3058,-302.4 1048.3058,-266.4 1166.8408,-266.4 1166.8408,-302.4"/>
<text text-anchor="middle" x="1107.5733" y="-280.2" font-family="Times,serif" font-size="14.00" fill="#000000">Relationship: uses</text>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 9.1 KiB

26
AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz_dot.txt Normal file
View File

@@ -0,0 +1,26 @@
digraph PhishingIncident {
node [shape=box];
Identity [label="Identity: OurCompany"];
EmailAddress [label="Email Address: hr-dept@ourcompany-security.com"];
EmailMessage [label="Email Message: Urgent Benefits Package Update"];
URL [label="URL: http://phishing-link.com/login"];
UserAccount [label="User Account: Taylor"];
ObservableEmail [label="Observable: Email Address"];
ObservableURL [label="Observable: URL"];
Indicator [label="Indicator: Phishing Email Indicator"];
Incident [label="Incident: Phishing Attack on OurCompany"];
RelationshipIndicates [label="Relationship: indicates"];
RelationshipAttributedTo [label="Relationship: attributed-to"];
RelationshipUses [label="Relationship: uses"];
EmailAddress -> EmailMessage [label="from"];
EmailMessage -> URL [label="contains link"];
URL -> UserAccount [label="requests credentials"];
EmailMessage -> ObservableEmail [label="matches"];
URL -> ObservableURL [label="matches"];
Indicator -> Incident [label="indicates"];
Incident -> Identity [label="attributed to"];
Incident -> URL [label="uses"];
Incident -> UserAccount [label="affected asset"];
}

BIN
papers/CIKM2024.pdf Normal file
View File

Binary file not shown.