diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb
new file mode 100644
index 0000000..1411d39
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb
@@ -0,0 +1,365 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 12,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "#!pip install graphviz\n",
+ "\n",
+ "import dspy\n",
+ "import os\n",
+ "import openai\n",
+ "import json\n",
+ "from dotenv import load_dotenv\n",
+ "\n",
+ "from graphviz import Digraph\n",
+ "from IPython.display import display"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 13,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def set_dspy():\n",
+ " # ==============set openAI enviroment=========\n",
+ " # Path to your API key file\n",
+ " key_file_path = \"openai_api_key.txt\"\n",
+ "\n",
+ " # Load the API key from the file\n",
+ " with open(key_file_path, \"r\") as file:\n",
+ " openai_api_key = file.read().strip()\n",
+ "\n",
+ " # Set the API key as an environment variable\n",
+ " os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ " # ==============end of set openAI enviroment=========\n",
+ "\n",
+ "\n",
+ "def set_dspy_hardcode_openai_key():\n",
+ " os.environ[\"OPENAI_API_KEY\"] = (\n",
+ " \"sk-proj-yourapikeyhere\"\n",
+ " )\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ "\n",
+ "turbo=set_dspy()\n",
+ "# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
+ "# turbo=set_dspy_hardcode_openai_key()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 14,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def load_text_file(file_path):\n",
+ " \"\"\"\n",
+ " Load a text file and return its contents as a string.\n",
+ "\n",
+ " Parameters:\n",
+ " file_path (str): The path to the text file.\n",
+ "\n",
+ " Returns:\n",
+ " str: The contents of the text file.\n",
+ " \"\"\"\n",
+ " try:\n",
+ " with open(file_path, \"r\") as file:\n",
+ " contents = file.read()\n",
+ " return contents\n",
+ " except FileNotFoundError:\n",
+ " return \"File not found.\"\n",
+ " except Exception as e:\n",
+ " return f\"An error occurred: {e}\"\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 15,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
+ "\n",
+ "Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from.\n",
+ "\n",
+ "Alice: Sure, forwarding it now.\n",
+ "\n",
+ "Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
+ "\n",
+ "Alice: That’s definitely not right. Should I be worried?\n",
+ "\n",
+ "Bob: We should investigate further. Did you click on any links or download any attachments?\n",
+ "\n",
+ "Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
+ "\n",
+ "Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site.\n",
+ "\n",
+ "Alice: What should I do next?\n",
+ "\n",
+ "Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
+ "\n",
+ "Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
+ "Visited at 10:15 AM: http://banksecure-verification.com/login\n",
+ "Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
+ "\n",
+ "Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
+ "\n",
+ "Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM.\n",
+ "\n",
+ "Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
+ "\n",
+ "Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
+ "\n",
+ "Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
+ "\n",
+ "Alice: Is there anything else I need to do?\n",
+ "\n",
+ "Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
+ "\n",
+ "Alice: Thanks, Bob. I’ll follow these steps immediately.\n"
+ ]
+ }
+ ],
+ "source": [
+ "conversation=load_text_file(\"conversation.txt\")\n",
+ "print(conversation)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 16,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class EvidenceIdentifier(dspy.Signature):\n",
+ " \"\"\"Idenitfy evidence entities from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\"\"\"\n",
+ "\n",
+ " question = dspy.InputField(\n",
+ " desc=\"a conversation between -Alex (IT Security Specialist) and Bob (Employee).\"\n",
+ " )\n",
+ " answer = dspy.OutputField(\n",
+ " desc=\"a list of evidence, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, in the conversation as a Python dictionary. For example, {evidence type: evidence value, ...}\"\n",
+ " )"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 17,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def generate_answer(signature, conversation, output_file):\n",
+ " generate_answer = dspy.Predict(signature)\n",
+ " answer=generate_answer(question=conversation).answer # here we use the module\n",
+ "\n",
+ " with open(output_file, \"w\") as json_file:\n",
+ " result = json.loads(answer)\n",
+ " print(result)\n",
+ " json.dump(result, json_file, indent=4)\n",
+ " print(f\"The evidence has been saved to the file {output_file}\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 18,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{'Email From': 'support@banksecure.com', 'Email Subject': 'Urgent: Verify Your Account Now', 'IP Address': '192.168.10.45', 'Domain': 'banksecure.com', 'Actual Domain Registration': 'Russia', 'URL Clicked': 'http://banksecure-verification.com/login', 'URL Visited 1': 'http://banksecure-verification.com/login', 'URL Visited 2': 'http://banksecure-verification.com/account-details', 'File Downloaded': 'AccountDetails.exe', 'File Creation Time': '10:20 AM', 'MD5 Hash': 'e99a18c428cb38d5f260853678922e03', 'Network Logs Timestamp': '10:20 AM'}\n",
+ "The evidence has been saved to the file 01_output_evidence_entity.txt\n"
+ ]
+ }
+ ],
+ "source": [
+ "output_file = \"01_output_entity.txt\"\n",
+ "generate_answer(\n",
+ " EvidenceIdentifier, conversation, \n",
+ " output_file,\n",
+ ")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 19,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "\n",
+ "\n",
+ "\n",
+ "Idenitfy evidence entities from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\n",
+ "\n",
+ "---\n",
+ "\n",
+ "Follow the following format.\n",
+ "\n",
+ "Question: a conversation between -Alex (IT Security Specialist) and Bob (Employee).\n",
+ "Answer: a list of evidence, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, in the conversation as a Python dictionary. For example, {evidence type: evidence value, ...}\n",
+ "\n",
+ "---\n",
+ "\n",
+ "Question: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia. Alice: That’s definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. 
Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. I’ll follow these steps immediately.\n",
+ "Answer: {\n",
+ " \"Email From\": \"support@banksecure.com\",\n",
+ " \"Email Subject\": \"Urgent: Verify Your Account Now\",\n",
+ " \"IP Address\": \"192.168.10.45\",\n",
+ " \"Domain\": \"banksecure.com\",\n",
+ " \"Actual Domain Registration\": \"Russia\",\n",
+ " \"URL Clicked\": \"http://banksecure-verification.com/login\",\n",
+ " \"URL Visited 1\": \"http://banksecure-verification.com/login\",\n",
+ " \"URL Visited 2\": \"http://banksecure-verification.com/account-details\",\n",
+ " \"File Downloaded\": \"AccountDetails.exe\",\n",
+ " \"File Creation Time\": \"10:20 AM\",\n",
+ " \"MD5 Hash\": \"e99a18c428cb38d5f260853678922e03\",\n",
+ " \"Network Logs Timestamp\": \"10:20 AM\"\n",
+ "}\n",
+ "\n",
+ "\n",
+ "\n"
+ ]
+ },
+ {
+ "data": {
+ "text/plain": [
+ "'\\n\\n\\nIdenitfy evidence entities from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\\n\\n---\\n\\nFollow the following format.\\n\\nQuestion: a conversation between -Alex (IT Security Specialist) and Bob (Employee).\\nAnswer: a list of evidence, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, in the conversation as a Python dictionary. For example, {evidence type: evidence value, ...}\\n\\n---\\n\\nQuestion: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It\\'s actually registered to someone in Russia. Alice: That’s definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn\\'t enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: I’ve cleared the history and started the antivirus scan. 
Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There\\'s a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. I’ll follow these steps immediately.\\nAnswer:\\x1b[32m {\\n \"Email From\": \"support@banksecure.com\",\\n \"Email Subject\": \"Urgent: Verify Your Account Now\",\\n \"IP Address\": \"192.168.10.45\",\\n \"Domain\": \"banksecure.com\",\\n \"Actual Domain Registration\": \"Russia\",\\n \"URL Clicked\": \"http://banksecure-verification.com/login\",\\n \"URL Visited 1\": \"http://banksecure-verification.com/login\",\\n \"URL Visited 2\": \"http://banksecure-verification.com/account-details\",\\n \"File Downloaded\": \"AccountDetails.exe\",\\n \"File Creation Time\": \"10:20 AM\",\\n \"MD5 Hash\": \"e99a18c428cb38d5f260853678922e03\",\\n \"Network Logs Timestamp\": \"10:20 AM\"\\n}\\x1b[0m\\n\\n\\n'"
+ ]
+ },
+ "execution_count": 19,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "turbo.inspect_history(n=1)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 20,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class EvidenceRelationIdentifier(dspy.Signature):\n",
+ " \"\"\"Idenitfy evidence entities and their relationships from a conversation between -Alex (IT Security Specialist) and Taylor (Employee).\"\"\"\n",
+ "\n",
+ " question = dspy.InputField(\n",
+ " desc=\"a conversation between -Alex (IT Security Specialist) and Bob (Employee).\"\n",
+ " )\n",
+ "\n",
+ " answer_relations: str = dspy.OutputField(\n",
+ " desc=\"relatioinships between evidence entities. Output in JSON format: {Relationship name: evidence -> evidence, ...}.\"\n",
+ " )\n",
+ " \n",
+ " answer_evidence : str = dspy.OutputField(\n",
+ " desc=\"a list of evidence type and the value, inlcuding but not limited to emaile, IP address, URL, File name, timestamps, etc, idenified from the conversation. Output in JSON format: {evidence type: evidence value, ...}\"\n",
+ " )"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 21,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# deal with multiple output fields\n",
+ "def generate_answers(\n",
+ " signature, conversation, output_file, attributes_to_extract=[\"answer\"]\n",
+ "):\n",
+ " generate_answer = dspy.Predict(signature)\n",
+ " result = generate_answer(question=conversation) # Call the module\n",
+ " print(result)\n",
+ "\n",
+ " # Write the answers to the JSON file\n",
+ " with open(output_file, \"w\") as json_file:\n",
+ " # Extract specified attributes\n",
+ " for attr in attributes_to_extract:\n",
+ " if hasattr(result, attr):\n",
+ " # print(attr)\n",
+ " # print(getattr(result, attr))\n",
+ " # json_file.write(getattr(result, attr))\n",
+ " results = json.loads(getattr(result, attr))\n",
+ "\n",
+ " json.dump(results, json_file, indent=4)\n",
+ "\n",
+ " else:\n",
+ " print(f\"Warning: Attribute '{attr}' not found in the result.\")\n",
+ "\n",
+ " print(f\"The evidence has been saved to the file {output_file}\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 22,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Prediction(\n",
+ " answer_relations='{\\n \"Email Header Analysis\": \"IP Address -> Domain\",\\n \"URL Analysis\": \"URL -> Domain\",\\n \"Browser History Analysis\": \"URL -> Timestamp\",\\n \"File Analysis\": \"File Name -> Timestamp, File Name -> MD5 Hash\",\\n \"Malware Analysis\": \"MD5 Hash -> Malware Database\"\\n}',\n",
+ " answer_evidence='{\\n \"Email Sender\": \"support@banksecure.com\",\\n \"Email Subject\": \"Urgent: Verify Your Account Now\",\\n \"IP Address\": \"192.168.10.45\",\\n \"Domain\": \"banksecure.com\",\\n \"Domain Registration\": \"Russia\",\\n \"URL\": \"http://banksecure-verification.com/login\",\\n \"URL Registration Date\": \"Two days ago\",\\n \"File Name\": \"AccountDetails.exe\",\\n \"File Creation Timestamp\": \"10:20 AM\",\\n \"MD5 Hash\": \"e99a18c428cb38d5f260853678922e03\"\\n}'\n",
+ ")\n",
+ "The evidence has been saved to the file 01_output_evidence_entity_relation.txt\n"
+ ]
+ }
+ ],
+ "source": [
+ "output_file = \"01_output_entity_relation.txt\"\n",
+ "generate_answers(\n",
+ " EvidenceRelationIdentifier,\n",
+ " conversation,\n",
+ " output_file,\n",
+ " [\"answer_evidence\", \"answer_relations\"],\n",
+ ")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.12.3"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
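Review bot: `generate_answers` calls `json.dump` once per extracted attribute into the same open file, so with two attributes the file holds two JSON objects back to back (`}{`) that `json.load` cannot read — the committed 01_output_entity_relation.txt shows exactly this. Collect the parsed fields into one object and dump once, `extracted = {attr: json.loads(getattr(result, attr)) for attr in attributes_to_extract if hasattr(result, attr)}` followed by a single `json.dump(extracted, json_file, indent=4)`, and replace the mutable default `attributes_to_extract=["answer"]` with `None` resolved inside the body. In both `generate_answer` and `generate_answers` the `json.loads` on the model's reply sits inside the `with open(output_file, "w")` block, so a reply that is not valid JSON (the prompt only asks for "a Python dictionary") raises `JSONDecodeError` after the output file has already been truncated; parse first, open second, and catch `json.JSONDecodeError` so the raw reply is reported instead of lost. `load_text_file` returns `"File not found."` as if it were content, so a missing conversation.txt is silently sent to the model as the conversation — the committed 02_output.dot (`digraph file_not_found`) is that failure mode captured; let `FileNotFoundError` propagate or re-raise with the path. The same `load_text_file` and the `set_dspy_hardcode_openai_key` helper with its literal `sk-proj-…` placeholder are duplicated in 02_evidence_knowledge_dot_generator.ipynb and 03_evidence_stix_zeroshot.ipynb; reading the key from the file (or via the imported but unused `load_dotenv`) is sufficient, and a paste-your-key-here function in a tracked notebook is how real keys end up in history.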
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity.txt
new file mode 100644
index 0000000..a35d365
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity.txt
@@ -0,0 +1,14 @@
+{
+ "Email From": "support@banksecure.com",
+ "Email Subject": "Urgent: Verify Your Account Now",
+ "IP Address": "192.168.10.45",
+ "Domain": "banksecure.com",
+ "Actual Domain Registration": "Russia",
+ "URL Clicked": "http://banksecure-verification.com/login",
+ "URL Visited 1": "http://banksecure-verification.com/login",
+ "URL Visited 2": "http://banksecure-verification.com/account-details",
+ "File Downloaded": "AccountDetails.exe",
+ "File Creation Time": "10:20 AM",
+ "MD5 Hash": "e99a18c428cb38d5f260853678922e03",
+ "Network Logs Timestamp": "10:20 AM"
+}
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity_relation.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity_relation.txt
new file mode 100644
index 0000000..57d54a1
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_output_entity_relation.txt
@@ -0,0 +1,18 @@
+{
+ "Email Sender": "support@banksecure.com",
+ "Email Subject": "Urgent: Verify Your Account Now",
+ "IP Address": "192.168.10.45",
+ "Domain": "banksecure.com",
+ "Domain Registration": "Russia",
+ "URL": "http://banksecure-verification.com/login",
+ "URL Registration Date": "Two days ago",
+ "File Name": "AccountDetails.exe",
+ "File Creation Timestamp": "10:20 AM",
+ "MD5 Hash": "e99a18c428cb38d5f260853678922e03"
+}{
+ "Email Header Analysis": "IP Address -> Domain",
+ "URL Analysis": "URL -> Domain",
+ "Browser History Analysis": "URL -> Timestamp",
+ "File Analysis": "File Name -> Timestamp, File Name -> MD5 Hash",
+ "Malware Analysis": "MD5 Hash -> Malware Database"
+}
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb
new file mode 100644
index 0000000..1b84784
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb
@@ -0,0 +1,445 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "#!pip install graphviz\n",
+ "\n",
+ "import dspy\n",
+ "import os\n",
+ "import openai\n",
+ "import json\n",
+ "from dotenv import load_dotenv\n",
+ "\n",
+ "from graphviz import Source\n",
+ "from IPython.display import display"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def set_dspy():\n",
+ " # ==============set openAI enviroment=========\n",
+ " # Path to your API key file\n",
+ " key_file_path = \"openai_api_key.txt\"\n",
+ "\n",
+ " # Load the API key from the file\n",
+ " with open(key_file_path, \"r\") as file:\n",
+ " openai_api_key = file.read().strip()\n",
+ "\n",
+ " # Set the API key as an environment variable\n",
+ " os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ " # ==============end of set openAI enviroment=========\n",
+ "\n",
+ "\n",
+ "def set_dspy_hardcode_openai_key():\n",
+ " os.environ[\"OPENAI_API_KEY\"] = (\n",
+ " \"sk-proj-yourapikeyhere\"\n",
+ " )\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ "\n",
+ "turbo=set_dspy()\n",
+ "# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
+ "# turbo=set_dspy_hardcode_openai_key()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 3,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def load_text_file(file_path):\n",
+ " \"\"\"\n",
+ " Load a text file and return its contents as a string.\n",
+ "\n",
+ " Parameters:\n",
+ " file_path (str): The path to the text file.\n",
+ "\n",
+ " Returns:\n",
+ " str: The contents of the text file.\n",
+ " \"\"\"\n",
+ " try:\n",
+ " with open(file_path, \"r\") as file:\n",
+ " contents = file.read()\n",
+ " return contents\n",
+ " except FileNotFoundError:\n",
+ " return \"File not found.\"\n",
+ " except Exception as e:\n",
+ " return f\"An error occurred: {e}\"\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
+ "\n",
+ "Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from.\n",
+ "\n",
+ "Alice: Sure, forwarding it now.\n",
+ "\n",
+ "Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
+ "\n",
+ "Alice: That’s definitely not right. Should I be worried?\n",
+ "\n",
+ "Bob: We should investigate further. Did you click on any links or download any attachments?\n",
+ "\n",
+ "Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
+ "\n",
+ "Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site.\n",
+ "\n",
+ "Alice: What should I do next?\n",
+ "\n",
+ "Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
+ "\n",
+ "Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
+ "Visited at 10:15 AM: http://banksecure-verification.com/login\n",
+ "Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
+ "\n",
+ "Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
+ "\n",
+ "Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM.\n",
+ "\n",
+ "Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
+ "\n",
+ "Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
+ "\n",
+ "Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
+ "\n",
+ "Alice: Is there anything else I need to do?\n",
+ "\n",
+ "Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
+ "\n",
+ "Alice: Thanks, Bob. I’ll follow these steps immediately.\n"
+ ]
+ }
+ ],
+ "source": [
+ "conversation = load_text_file(\"conversation.txt\")\n",
+ "print(conversation)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 5,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class DotGenerator(dspy.Signature):\n",
+ " \"\"\"Generate a evidence knowledge graph based on a conversation between an IT Security Specialist and an Employee. \"\"\"\n",
+ "\n",
+ " question: str = dspy.InputField(\n",
+ " desc=\"a conversation describing a cyber incident between an IT Security Specialist and an employee.\"\n",
+ " )\n",
+ "\n",
+ " answer: str = dspy.OutputField(\n",
+ " desc=\"a graph in a dot format. The nodes of the graph are evidence entities and the edges of the graph are the relationship between evidence entities. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n",
+ " )"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 6,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def generate_answer_CoT(signature, text, output_file):\n",
+ " generate_answer = dspy.ChainOfThought(signature)\n",
+ " answer = generate_answer(question=text).answer # here we use the module\n",
+ "\n",
+ " with open(output_file, \"w\") as dot_file:\n",
+ " print(answer)\n",
+ " dot_file.write(answer)\n",
+ " return answer\n",
+ " print(f\"The evidence has been saved to the file {output_file}\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 7,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "digraph cyber_incident {\n",
+ " \"Suspicious Email\" -> \"IP Address: 192.168.10.45\"\n",
+ " \"Suspicious Email\" -> \"Domain: banksecure.com (Registered to someone in Russia)\"\n",
+ " \"Suspicious Email\" -> \"URL: http://banksecure-verification.com/login\"\n",
+ " \"Suspicious Email\" -> \"URL: http://banksecure-verification.com/account-details\"\n",
+ " \"URL: http://banksecure-verification.com/login\" -> \"Domain: banksecure-verification.com (Registered 2 days ago)\"\n",
+ " \"URL: http://banksecure-verification.com/account-details\" -> \"Domain: banksecure-verification.com (Registered 2 days ago)\"\n",
+ " \"Browser History Entries\" -> \"Visited at 10:15 AM: http://banksecure-verification.com/login\"\n",
+ " \"Browser History Entries\" -> \"Visited at 10:17 AM: http://banksecure-verification.com/account-details\"\n",
+ " \"Downloaded File: AccountDetails.exe\" -> \"Created at 10:20 AM\"\n",
+ " \"Downloaded File: AccountDetails.exe\" -> \"MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)\"\n",
+ " \"MD5 Hash: e99a18c428cb38d5f260853678922e03 (Matched known malware)\" -> \"Quarantined File: AccountDetails.exe\"\n",
+ " \"IP Address: 192.168.10.45\" -> \"Network Logs Analysis around 10:20 AM\"\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "output_file = \"02_output.dot\"\n",
+ "dot_description = generate_answer_CoT(\n",
+ " DotGenerator,\n",
+ " conversation,\n",
+ " output_file,\n",
+ ")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 11,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "image/svg+xml": [
+ "\n",
+ "\n",
+ "\n",
+ "\n",
+ "\n"
+ ],
+ "text/plain": [
+ ""
+ ]
+ },
+ "metadata": {},
+ "output_type": "display_data"
+ },
+ {
+ "data": {
+ "text/plain": [
+ "'02_output_email_analysis.png'"
+ ]
+ },
+ "execution_count": 11,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "# Create a Digraph object and render the graph\n",
+ "graph = Source(dot_description)\n",
+ "display(graph)\n",
+ "\n",
+ "# Render the graph within the notebook\n",
+ "graph.render(\"02_output_email_analysis\", format=\"png\", cleanup=True)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.12.3"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
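Review bot: In `generate_answer_CoT` the `print(f"The evidence has been saved to the file {output_file}")` on the line after `return answer` is unreachable; move `return answer` to the end of the function or drop the print. The cell also writes the model's reply straight to 02_output.dot and hands it to `Source(dot_description)` without checking that it is DOT at all — the only guard is the prompt's "Don't include ``````" instruction — so a reply wrapped in a code fence or prefixed with prose fails at render time with nothing in the saved file explaining why; a cheap check before writing is `if not answer.lstrip().startswith(("digraph", "graph")): raise ValueError("model reply is not a DOT graph")`. The 02_output.dot committed alongside (`digraph file_not_found`) does not match the `digraph cyber_incident` shown in the cell output, which suggests the artifact was produced from `load_text_file`'s `"File not found."` fallback rather than from conversation.txt; regenerating or dropping it would avoid shipping a misleading sample.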
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output.dot b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output.dot
new file mode 100644
index 0000000..2733ba7
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output.dot
@@ -0,0 +1,5 @@
+digraph file_not_found {
+ File [label="File" shape="rectangle" color="blue"]
+ NotFound [label="Not Found" shape="ellipse" color="red"]
+ File -> NotFound [label="Indicator"]
+}
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output_email_analysis.png b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output_email_analysis.png
new file mode 100644
index 0000000..d5fd79b
Binary files /dev/null and b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_output_email_analysis.png differ
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb
new file mode 100644
index 0000000..368ba1c
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb
@@ -0,0 +1,355 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "#!pip install graphviz\n",
+ "\n",
+ "import dspy\n",
+ "import os\n",
+ "import openai\n",
+ "import json\n",
+ "from dotenv import load_dotenv\n",
+ "from IPython.display import display"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def set_dspy():\n",
+ " # ==============set openAI enviroment=========\n",
+ " # Path to your API key file\n",
+ " key_file_path = \"openai_api_key.txt\"\n",
+ "\n",
+ " # Load the API key from the file\n",
+ " with open(key_file_path, \"r\") as file:\n",
+ " openai_api_key = file.read().strip()\n",
+ "\n",
+ " # Set the API key as an environment variable\n",
+ " os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ " # ==============end of set openAI enviroment=========\n",
+ "\n",
+ "\n",
+ "def set_dspy_hardcode_openai_key():\n",
+ " os.environ[\"OPENAI_API_KEY\"] = (\n",
+ " \"sk-proj-yourapikeyhere\"\n",
+ " )\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ "\n",
+ "turbo=set_dspy()\n",
+ "# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
+ "# turbo=set_dspy_hardcode_openai_key()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 3,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def load_text_file(file_path):\n",
+ " \"\"\"\n",
+ " Load a text file and return its contents as a string.\n",
+ "\n",
+ " Parameters:\n",
+ " file_path (str): The path to the text file.\n",
+ "\n",
+ " Returns:\n",
+ " str: The contents of the text file.\n",
+ " \"\"\"\n",
+ " try:\n",
+ " with open(file_path, \"r\") as file:\n",
+ " contents = file.read()\n",
+ " return contents\n",
+ " except FileNotFoundError:\n",
+ " return \"File not found.\"\n",
+ " except Exception as e:\n",
+ " return f\"An error occurred: {e}\"\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
+ "\n",
+ "Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from.\n",
+ "\n",
+ "Alice: Sure, forwarding it now.\n",
+ "\n",
+ "Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
+ "\n",
+ "Alice: That’s definitely not right. Should I be worried?\n",
+ "\n",
+ "Bob: We should investigate further. Did you click on any links or download any attachments?\n",
+ "\n",
+ "Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
+ "\n",
+ "Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site.\n",
+ "\n",
+ "Alice: What should I do next?\n",
+ "\n",
+ "Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
+ "\n",
+ "Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
+ "Visited at 10:15 AM: http://banksecure-verification.com/login\n",
+ "Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
+ "\n",
+ "Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
+ "\n",
+ "Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM.\n",
+ "\n",
+ "Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
+ "\n",
+ "Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
+ "\n",
+ "Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
+ "\n",
+ "Alice: Is there anything else I need to do?\n",
+ "\n",
+ "Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
+ "\n",
+ "Alice: Thanks, Bob. I’ll follow these steps immediately.\n"
+ ]
+ }
+ ],
+ "source": [
+ "conversation=load_text_file(\"conversation.txt\")\n",
+ "print(conversation)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 5,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class SITXGenerator(dspy.Signature):\n",
+ " \"\"\"Describe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\"\"\"\n",
+ "\n",
+ " question: str = dspy.InputField(\n",
+ " desc=\"a conversation describing a cyber incident between an IT Security Specialist and an employee.\"\n",
+ " )\n",
+ "\n",
+ " answer: str = dspy.OutputField(\n",
+ " desc=\"the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\"\n",
+ " )"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 6,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def generate_answer_CoT(signature, conversation, output_file):\n",
+ " generate_answer = dspy.ChainOfThought(signature)\n",
+ " answer = generate_answer(question=conversation).answer # here we use the module\n",
+ "\n",
+ " with open(output_file, \"w\") as json_file:\n",
+ " result = json.loads(answer)\n",
+ " print(answer)\n",
+ " json.dump(result, json_file, indent=4)\n",
+ " print(f\"The evidence has been saved to the file {output_file}\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 7,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "[\n",
+ " {\n",
+ " \"email\": {\n",
+ " \"sender\": \"support@banksecure.com\",\n",
+ " \"subject\": \"Urgent: Verify Your Account Now\",\n",
+ " \"headers\": {\n",
+ " \"IP_address\": \"192.168.10.45\",\n",
+ " \"domain\": \"banksecure.com\",\n",
+ " \"registered_to\": \"Russia\"\n",
+ " },\n",
+ " \"links_clicked\": [\n",
+ " {\n",
+ " \"URL\": \"http://banksecure-verification.com/login\",\n",
+ " \"timestamp\": \"10:15 AM\"\n",
+ " },\n",
+ " {\n",
+ " \"URL\": \"http://banksecure-verification.com/account-details\",\n",
+ " \"timestamp\": \"10:17 AM\"\n",
+ " }\n",
+ " ],\n",
+ " \"attachments\": [\n",
+ " {\n",
+ " \"file_name\": \"AccountDetails.exe\",\n",
+ " \"created_at\": \"10:20 AM\",\n",
+ " \"MD5_hash\": \"e99a18c428cb38d5f260853678922e03\",\n",
+ " \"status\": \"known_malware\"\n",
+ " }\n",
+ " ]\n",
+ " }\n",
+ " },\n",
+ " {\n",
+ " \"actions_taken\": [\n",
+ " \"Clear browser history and cache\",\n",
+ " \"Run full antivirus scan\",\n",
+ " \"Provide browser history entries and cookies\",\n",
+ " \"Quarantine suspicious file\",\n",
+ " \"Check network connections\",\n",
+ " \"Reset passwords and enable two-factor authentication\"\n",
+ " ]\n",
+ " }\n",
+ "]\n",
+ "The evidence has been saved to the file 03_output.json\n"
+ ]
+ }
+ ],
+ "source": [
+ "output_file = \"03_output.json\"\n",
+ "generate_answer_CoT(\n",
+ " SITXGenerator,\n",
+ " conversation,\n",
+ " output_file,\n",
+ ")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 8,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "\n",
+ "\n",
+ "\n",
+ "Describe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\n",
+ "\n",
+ "---\n",
+ "\n",
+ "Follow the following format.\n",
+ "\n",
+ "Question: a conversation describing a cyber incident between an IT Security Specialist and an employee.\n",
+ "Reasoning: Let's think step by step in order to ${produce the answer}. We ...\n",
+ "Answer: the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\n",
+ "\n",
+ "---\n",
+ "\n",
+ "Question: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia. Alice: That’s definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. 
Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. I’ll follow these steps immediately.\n",
+ "Reasoning: Let's think step by step in order to produce the answer. We need to formalize the conversation into STIX objects that represent the cyber threat information discussed between Alice and Bob.\n",
+ "\n",
+ "Answer: \n",
+ "[\n",
+ " {\n",
+ " \"email\": {\n",
+ " \"sender\": \"support@banksecure.com\",\n",
+ " \"subject\": \"Urgent: Verify Your Account Now\",\n",
+ " \"headers\": {\n",
+ " \"IP_address\": \"192.168.10.45\",\n",
+ " \"domain\": \"banksecure.com\",\n",
+ " \"registered_to\": \"Russia\"\n",
+ " },\n",
+ " \"links_clicked\": [\n",
+ " {\n",
+ " \"URL\": \"http://banksecure-verification.com/login\",\n",
+ " \"timestamp\": \"10:15 AM\"\n",
+ " },\n",
+ " {\n",
+ " \"URL\": \"http://banksecure-verification.com/account-details\",\n",
+ " \"timestamp\": \"10:17 AM\"\n",
+ " }\n",
+ " ],\n",
+ " \"attachments\": [\n",
+ " {\n",
+ " \"file_name\": \"AccountDetails.exe\",\n",
+ " \"created_at\": \"10:20 AM\",\n",
+ " \"MD5_hash\": \"e99a18c428cb38d5f260853678922e03\",\n",
+ " \"status\": \"known_malware\"\n",
+ " }\n",
+ " ]\n",
+ " }\n",
+ " },\n",
+ " {\n",
+ " \"actions_taken\": [\n",
+ " \"Clear browser history and cache\",\n",
+ " \"Run full antivirus scan\",\n",
+ " \"Provide browser history entries and cookies\",\n",
+ " \"Quarantine suspicious file\",\n",
+ " \"Check network connections\",\n",
+ " \"Reset passwords and enable two-factor authentication\"\n",
+ " ]\n",
+ " }\n",
+ "]\n",
+ "\n",
+ "\n",
+ "\n"
+ ]
+ },
+ {
+ "data": {
+ "text/plain": [
+ "'\\n\\n\\nDescribe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\\n\\n---\\n\\nFollow the following format.\\n\\nQuestion: a conversation describing a cyber incident between an IT Security Specialist and an employee.\\nReasoning: Let\\'s think step by step in order to ${produce the answer}. We ...\\nAnswer: the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\\n\\n---\\n\\nQuestion: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It\\'s actually registered to someone in Russia. Alice: That’s definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn\\'t enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: I’ve cleared the history and started the antivirus scan. 
Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There\\'s a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. I’ll follow these steps immediately.\\nReasoning: Let\\'s think step by step in order to\\x1b[32m produce the answer. 
We need to formalize the conversation into STIX objects that represent the cyber threat information discussed between Alice and Bob.\\n\\nAnswer: \\n[\\n {\\n \"email\": {\\n \"sender\": \"support@banksecure.com\",\\n \"subject\": \"Urgent: Verify Your Account Now\",\\n \"headers\": {\\n \"IP_address\": \"192.168.10.45\",\\n \"domain\": \"banksecure.com\",\\n \"registered_to\": \"Russia\"\\n },\\n \"links_clicked\": [\\n {\\n \"URL\": \"http://banksecure-verification.com/login\",\\n \"timestamp\": \"10:15 AM\"\\n },\\n {\\n \"URL\": \"http://banksecure-verification.com/account-details\",\\n \"timestamp\": \"10:17 AM\"\\n }\\n ],\\n \"attachments\": [\\n {\\n \"file_name\": \"AccountDetails.exe\",\\n \"created_at\": \"10:20 AM\",\\n \"MD5_hash\": \"e99a18c428cb38d5f260853678922e03\",\\n \"status\": \"known_malware\"\\n }\\n ]\\n }\\n },\\n {\\n \"actions_taken\": [\\n \"Clear browser history and cache\",\\n \"Run full antivirus scan\",\\n \"Provide browser history entries and cookies\",\\n \"Quarantine suspicious file\",\\n \"Check network connections\",\\n \"Reset passwords and enable two-factor authentication\"\\n ]\\n }\\n]\\x1b[0m\\n\\n\\n'"
+ ]
+ },
+ "execution_count": 8,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "turbo.inspect_history(n=1)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.12.3"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
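Review bot: In the `load_text_file` cell, a missing or unreadable `conversation.txt` is converted into the literal strings `"File not found."` / `"An error occurred: …"`, so the error text is silently sent to the model as the conversation and an "evidence" file is still written; the `02_output.dot` committed in this same change (`digraph file_not_found { ... }`) looks like exactly that outcome. Let the failure propagate instead: `with open(file_path, "r", encoding="utf-8") as file: return file.read()` with no `except` clauses, so a run on absent evidence stops rather than producing a plausible-looking artifact. In `generate_answer_CoT`, `json.loads(answer)` executes inside the `open(output_file, "w")` block, so a non-JSON model reply raises only after `03_output.json` has already been truncated to zero bytes — parse first (`result = json.loads(answer)` before the `with`), and consider rejecting any element that lacks `type` and `id`, because the committed `03_output.json` this cell produced is plain ad-hoc JSON, not STIX. Since the notebook is committed with its outputs, including the full `inspect_history` prompt/response, outputs should be stripped before commit once the conversation holds real incident data rather than this synthetic scenario.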
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_output.json b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_output.json
new file mode 100644
index 0000000..74a30a7
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_output.json
@@ -0,0 +1,41 @@
+[
+ {
+ "email": {
+ "sender": "support@banksecure.com",
+ "subject": "Urgent: Verify Your Account Now",
+ "headers": {
+ "IP_address": "192.168.10.45",
+ "domain": "banksecure.com",
+ "registered_to": "Russia"
+ },
+ "links_clicked": [
+ {
+ "URL": "http://banksecure-verification.com/login",
+ "timestamp": "10:15 AM"
+ },
+ {
+ "URL": "http://banksecure-verification.com/account-details",
+ "timestamp": "10:17 AM"
+ }
+ ],
+ "attachments": [
+ {
+ "file_name": "AccountDetails.exe",
+ "created_at": "10:20 AM",
+ "MD5_hash": "e99a18c428cb38d5f260853678922e03",
+ "status": "known_malware"
+ }
+ ]
+ }
+ },
+ {
+ "actions_taken": [
+ "Clear browser history and cache",
+ "Run full antivirus scan",
+ "Provide browser history entries and cookies",
+ "Quarantine suspicious file",
+ "Check network connections",
+ "Reset passwords and enable two-factor authentication"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb
new file mode 100644
index 0000000..6ca2fe8
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb
@@ -0,0 +1,726 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "#!pip install graphviz\n",
+ "\n",
+ "import dspy\n",
+ "import os\n",
+ "import openai\n",
+ "import json\n",
+ "from dotenv import load_dotenv\n",
+ "\n",
+ "from graphviz import Digraph\n",
+ "from IPython.display import display"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def set_dspy():\n",
+ " # ==============set openAI enviroment=========\n",
+ " # Path to your API key file\n",
+ " key_file_path = \"openai_api_key.txt\"\n",
+ "\n",
+ " # Load the API key from the file\n",
+ " with open(key_file_path, \"r\") as file:\n",
+ " openai_api_key = file.read().strip()\n",
+ "\n",
+ " # Set the API key as an environment variable\n",
+ " os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=3000, temperature=0.5)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ " # ==============end of set openAI enviroment=========\n",
+ "\n",
+ "\n",
+ "def set_dspy_hardcode_openai_key():\n",
+ " os.environ[\"OPENAI_API_KEY\"] = (\n",
+ " \"sk-proj-yourapikeyhere\"\n",
+ " )\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ "\n",
+ "turbo=set_dspy()\n",
+ "# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
+ "# turbo=set_dspy_hardcode_openai_key()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 3,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def load_text_file(file_path):\n",
+ " \"\"\"\n",
+ " Load a text file and return its contents as a string.\n",
+ "\n",
+ " Parameters:\n",
+ " file_path (str): The path to the text file.\n",
+ "\n",
+ " Returns:\n",
+ " str: The contents of the text file.\n",
+ " \"\"\"\n",
+ " try:\n",
+ " with open(file_path, \"r\") as file:\n",
+ " contents = file.read()\n",
+ " return contents\n",
+ " except FileNotFoundError:\n",
+ " return \"File not found.\"\n",
+ " except Exception as e:\n",
+ " return f\"An error occurred: {e}\"\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me.\n",
+ "\n",
+ "Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from.\n",
+ "\n",
+ "Alice: Sure, forwarding it now.\n",
+ "\n",
+ "Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.\n",
+ "\n",
+ "Alice: That’s definitely not right. Should I be worried?\n",
+ "\n",
+ "Bob: We should investigate further. Did you click on any links or download any attachments?\n",
+ "\n",
+ "Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.\n",
+ "\n",
+ "Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site.\n",
+ "\n",
+ "Alice: What should I do next?\n",
+ "\n",
+ "Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?\n",
+ "\n",
+ "Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:\n",
+ "Visited at 10:15 AM: http://banksecure-verification.com/login\n",
+ "Visited at 10:17 AM: http://banksecure-verification.com/account-details\n",
+ "\n",
+ "Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.\n",
+ "\n",
+ "Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM.\n",
+ "\n",
+ "Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it?\n",
+ "\n",
+ "Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.\n",
+ "\n",
+ "Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM.\n",
+ "\n",
+ "Alice: Is there anything else I need to do?\n",
+ "\n",
+ "Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts.\n",
+ "\n",
+ "Alice: Thanks, Bob. I’ll follow these steps immediately.\n"
+ ]
+ }
+ ],
+ "source": [
+ "conversation=load_text_file(\"conversation.txt\")\n",
+ "print(conversation)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 5,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "example = dspy.Example(\n",
+ " question=\"\"\"\n",
+ " Taylor: Hey Alex, I think I might have clicked on a suspicious link in an email.\n",
+ " Alex: Oh no, Taylor. Can you describe what happened?\n",
+ " Taylor: I got an email from what looked like our HR department. It said there was an urgent update to our benefits package, and I needed to click a link to review the changes.\n",
+ " Alex: Did the email address seem legitimate?\n",
+ " Taylor: At first glance, yes, but now that I think about it, the domain was slightly different. It was hr-dept@ourcompany-security.com instead of @ourcompany.com.\n",
+ " Alex: That sounds like phishing. What happened after you clicked the link?\n",
+ " Taylor: It took me to a login page that looked just like our internal portal. I entered my username and password.\n",
+ " Alex: Did you notice anything unusual after entering your credentials?\n",
+ " Taylor: Not immediately, but a few minutes later, I got an alert that someone attempted to log into my account from a different location.\n",
+ " Alex: Okay, this sounds serious. I need you to change your password immediately and enable two-factor authentication if you haven't already.\n",
+ " Taylor: Done. What should we do next?\n",
+ " Alex: I'll start by examining the email headers to trace the origin. Also, I need to check the link you clicked on to understand its structure and where it leads.\n",
+ " Taylor: Alright, I’ll forward you the email.\n",
+ " Alex: Thanks. I’ll also run a network scan to see if any other devices might have been compromised.\n",
+ " Taylor: Should I inform the rest of the team?\n",
+ " Alex: Yes, let them know about the phishing attempt and advise them to be cautious. I’ll send an official email with detailed instructions.\n",
+ " Taylor: Got it. Thanks, Alex. Is there anything else I should do?\n",
+ " Alex: Just keep an eye out for any unusual activities in your accounts. I’ll handle the technical investigation and follow up with you if I need more information.\n",
+ " Taylor: Will do. Thanks again.\n",
+ " Alex: No problem. Stay safe online.\"\"\",\n",
+ " answer=\"\"\"[\n",
+ " {\n",
+ " \"type\": \"identity\",\n",
+ " \"id\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"OurCompany\",\n",
+ " \"identity_class\": \"organization\",\n",
+ " \"sectors\": [\"technology\"],\n",
+ " \"contact_information\": \"info@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-addr\",\n",
+ " \"id\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-message\",\n",
+ " \"id\": \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\",\n",
+ " \"is_multipart\": false,\n",
+ " \"subject\": \"Urgent Benefits Package Update\",\n",
+ " \"from_ref\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"body\": \"Please click the link to review the changes to your benefits package.\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"url\",\n",
+ " \"id\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\",\n",
+ " \"value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"user-account\",\n",
+ " \"id\": \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\",\n",
+ " \"user_id\": \"Taylor\",\n",
+ " \"account_login\": \"taylor@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--001\",\n",
+ " \"observable_type\": \"email\",\n",
+ " \"observable_value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--002\",\n",
+ " \"observable_type\": \"url\",\n",
+ " \"observable_value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"Phishing Email Indicator\",\n",
+ " \"pattern\": \"[email-message:subject = 'Urgent Benefits Package Update']\",\n",
+ " \"valid_from\": \"2024-07-17T00:00:00Z\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"incident\",\n",
+ " \"id\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"name\": \"Phishing Attack on OurCompany\",\n",
+ " \"description\": \"A phishing attack where a suspicious email was sent to an employee of OurCompany.\",\n",
+ " \"first_seen\": \"2024-07-17T08:00:00Z\",\n",
+ " \"last_seen\": \"2024-07-17T08:10:00Z\",\n",
+ " \"status\": \"ongoing\",\n",
+ " \"affected_assets\": [\"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\"]\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"target_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\",\n",
+ " \"relationship_type\": \"attributed-to\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\",\n",
+ " \"relationship_type\": \"uses\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\"\n",
+ " }\n",
+ "]\"\"\",\n",
+ ").with_inputs(\"question\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 6,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "# Create a simple retriever that always returns the one-shot example\n",
+ "class OneShotRetriever(dspy.Retrieve):\n",
+ " def __init__(self, example):\n",
+ " super().__init__()\n",
+ " self.example = example\n",
+ "\n",
+ " def forward(self, query):\n",
+ " # Here we could use the query to determine if we should return the example\n",
+ " # For demonstration, let's just print the query\n",
+ " # print(f\"Retrieval query: {query}\")\n",
+ " one_example = f\"Example scenairo: {self.example.question}\\n Example generated STIX in JSON based on the scenairo: {self.example.answer}\\n\"\n",
+ " return one_example"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 7,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class SITXGeneratorSig(dspy.Signature):\n",
+ " \"\"\"Describe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\"\"\"\n",
+ "\n",
+ " # Make sure to define context here, otherwise, one-short learning won't work\n",
+ " context = dspy.InputField(desc=\"one example, which contain a scenario and the coreposing STIX in JSON\")\n",
+ "\n",
+ " question: str = dspy.InputField(\n",
+ " desc=\"a conversation describing a cyber incident between an IT Security Specialist and an employee.\"\n",
+ " )\n",
+ "\n",
+ " answer: str = dspy.OutputField(\n",
+ " desc=\"the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\"\n",
+ " )"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 8,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class STXIGenCoT(dspy.Module):\n",
+ " def __init__(self, example):\n",
+ " super().__init__()\n",
+ " self.retriever = OneShotRetriever(example)\n",
+ " self.predictor = dspy.ChainOfThought(SITXGeneratorSig)\n",
+ "\n",
+ " def forward(self, question):\n",
+ " context = self.retriever(question)\n",
+ " results = self.predictor(context=context, question=question)\n",
+ "\n",
+ " # Inspect the history\n",
+ " # last_interaction = turbo.inspect_history(n=1)\n",
+ " # print(\"Last interaction:\")\n",
+ " # print(last_interaction)\n",
+ " \n",
+ " return results"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 9,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def generate_answer(conversation, output_file):\n",
+ " # Create an instance of your module with the one-shot example\n",
+ " my_module = STXIGenCoT(example)\n",
+ "\n",
+ " # Use your module with a new input\n",
+ " answer = my_module(question=conversation).answer\n",
+ "\n",
+ " with open(output_file, \"w\") as json_file:\n",
+ " result = json.loads(answer)\n",
+ " print(answer)\n",
+ " json.dump(result, json_file, indent=4)\n",
+ " print(f\"The results have been saved to the file {output_file}\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 10,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "[\n",
+ " {\n",
+ " \"type\": \"identity\",\n",
+ " \"id\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"OurCompany\",\n",
+ " \"identity_class\": \"organization\",\n",
+ " \"sectors\": [\"technology\"],\n",
+ " \"contact_information\": \"info@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-addr\",\n",
+ " \"id\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-message\",\n",
+ " \"id\": \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\",\n",
+ " \"is_multipart\": false,\n",
+ " \"subject\": \"Urgent Benefits Package Update\",\n",
+ " \"from_ref\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"body\": \"Please click the link to review the changes to your benefits package.\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"url\",\n",
+ " \"id\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\",\n",
+ " \"value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"user-account\",\n",
+ " \"id\": \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\",\n",
+ " \"user_id\": \"Taylor\",\n",
+ " \"account_login\": \"taylor@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--001\",\n",
+ " \"observable_type\": \"email\",\n",
+ " \"observable_value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--002\",\n",
+ " \"observable_type\": \"url\",\n",
+ " \"observable_value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"Phishing Email Indicator\",\n",
+ " \"pattern\": \"[email-message:subject = 'Urgent Benefits Package Update']\",\n",
+ " \"valid_from\": \"2024-07-17T00:00:00Z\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"incident\",\n",
+ " \"id\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"name\": \"Phishing Attack on OurCompany\",\n",
+ " \"description\": \"A phishing attack where a suspicious email was sent to an employee of OurCompany.\",\n",
+ " \"first_seen\": \"2024-07-17T08:00:00Z\",\n",
+ " \"last_seen\": \"2024-07-17T08:10:00Z\",\n",
+ " \"status\": \"ongoing\",\n",
+ " \"affected_assets\": [\"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\"]\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"target_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\",\n",
+ " \"relationship_type\": \"attributed-to\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\",\n",
+ " \"relationship_type\": \"uses\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\"\n",
+ " }\n",
+ "]\n",
+ "The results have been saved to the file 04_output.json\n"
+ ]
+ }
+ ],
+ "source": [
+ "output_file = \"04_output.json\"\n",
+ "generate_answer(\n",
+ " conversation,\n",
+ " output_file,\n",
+ ")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 11,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "\n",
+ "\n",
+ "\n",
+ "Describe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\n",
+ "\n",
+ "---\n",
+ "\n",
+ "Follow the following format.\n",
+ "\n",
+ "Question: a conversation describing a cyber incident between an IT Security Specialist and an employee.\n",
+ "\n",
+ "Context: one example, which contain a scenario and the coreposing STIX in JSON\n",
+ "\n",
+ "Reasoning: Let's think step by step in order to ${produce the answer}. We ...\n",
+ "\n",
+ "Answer: the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\n",
+ "\n",
+ "---\n",
+ "\n",
+ "Question: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia. Alice: That’s definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There's a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. 
Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. I’ll follow these steps immediately.\n",
+ "\n",
+ "Context:\n",
+ "Example scenairo: \n",
+ " Taylor: Hey Alex, I think I might have clicked on a suspicious link in an email.\n",
+ " Alex: Oh no, Taylor. Can you describe what happened?\n",
+ " Taylor: I got an email from what looked like our HR department. It said there was an urgent update to our benefits package, and I needed to click a link to review the changes.\n",
+ " Alex: Did the email address seem legitimate?\n",
+ " Taylor: At first glance, yes, but now that I think about it, the domain was slightly different. It was hr-dept@ourcompany-security.com instead of @ourcompany.com.\n",
+ " Alex: That sounds like phishing. What happened after you clicked the link?\n",
+ " Taylor: It took me to a login page that looked just like our internal portal. I entered my username and password.\n",
+ " Alex: Did you notice anything unusual after entering your credentials?\n",
+ " Taylor: Not immediately, but a few minutes later, I got an alert that someone attempted to log into my account from a different location.\n",
+ " Alex: Okay, this sounds serious. I need you to change your password immediately and enable two-factor authentication if you haven't already.\n",
+ " Taylor: Done. What should we do next?\n",
+ " Alex: I'll start by examining the email headers to trace the origin. Also, I need to check the link you clicked on to understand its structure and where it leads.\n",
+ " Taylor: Alright, I’ll forward you the email.\n",
+ " Alex: Thanks. I’ll also run a network scan to see if any other devices might have been compromised.\n",
+ " Taylor: Should I inform the rest of the team?\n",
+ " Alex: Yes, let them know about the phishing attempt and advise them to be cautious. I’ll send an official email with detailed instructions.\n",
+ " Taylor: Got it. Thanks, Alex. Is there anything else I should do?\n",
+ " Alex: Just keep an eye out for any unusual activities in your accounts. I’ll handle the technical investigation and follow up with you if I need more information.\n",
+ " Taylor: Will do. Thanks again.\n",
+ " Alex: No problem. Stay safe online.\n",
+ " Example generated STIX in JSON based on the scenairo: [\n",
+ " {\n",
+ " \"type\": \"identity\",\n",
+ " \"id\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"OurCompany\",\n",
+ " \"identity_class\": \"organization\",\n",
+ " \"sectors\": [\"technology\"],\n",
+ " \"contact_information\": \"info@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-addr\",\n",
+ " \"id\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-message\",\n",
+ " \"id\": \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\",\n",
+ " \"is_multipart\": false,\n",
+ " \"subject\": \"Urgent Benefits Package Update\",\n",
+ " \"from_ref\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"body\": \"Please click the link to review the changes to your benefits package.\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"url\",\n",
+ " \"id\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\",\n",
+ " \"value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"user-account\",\n",
+ " \"id\": \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\",\n",
+ " \"user_id\": \"Taylor\",\n",
+ " \"account_login\": \"taylor@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--001\",\n",
+ " \"observable_type\": \"email\",\n",
+ " \"observable_value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--002\",\n",
+ " \"observable_type\": \"url\",\n",
+ " \"observable_value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"Phishing Email Indicator\",\n",
+ " \"pattern\": \"[email-message:subject = 'Urgent Benefits Package Update']\",\n",
+ " \"valid_from\": \"2024-07-17T00:00:00Z\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"incident\",\n",
+ " \"id\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"name\": \"Phishing Attack on OurCompany\",\n",
+ " \"description\": \"A phishing attack where a suspicious email was sent to an employee of OurCompany.\",\n",
+ " \"first_seen\": \"2024-07-17T08:00:00Z\",\n",
+ " \"last_seen\": \"2024-07-17T08:10:00Z\",\n",
+ " \"status\": \"ongoing\",\n",
+ " \"affected_assets\": [\"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\"]\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"target_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\",\n",
+ " \"relationship_type\": \"attributed-to\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\",\n",
+ " \"relationship_type\": \"uses\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\"\n",
+ " }\n",
+ "]\n",
+ "\n",
+ "\n",
+ "Reasoning: Let's think step by step in order to produce the answer. We need to identify the key elements in the conversation, such as the email address, suspicious URLs, actions taken by the employee, and recommendations provided by the IT Security Specialist. By breaking down the conversation into these components, we can create corresponding STIX objects in JSON format to represent the cyber threat information.\n",
+ "\n",
+ "Answer: [\n",
+ " {\n",
+ " \"type\": \"identity\",\n",
+ " \"id\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"OurCompany\",\n",
+ " \"identity_class\": \"organization\",\n",
+ " \"sectors\": [\"technology\"],\n",
+ " \"contact_information\": \"info@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-addr\",\n",
+ " \"id\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"email-message\",\n",
+ " \"id\": \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\",\n",
+ " \"is_multipart\": false,\n",
+ " \"subject\": \"Urgent Benefits Package Update\",\n",
+ " \"from_ref\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\n",
+ " \"body\": \"Please click the link to review the changes to your benefits package.\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"url\",\n",
+ " \"id\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\",\n",
+ " \"value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"user-account\",\n",
+ " \"id\": \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\",\n",
+ " \"user_id\": \"Taylor\",\n",
+ " \"account_login\": \"taylor@ourcompany.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--001\",\n",
+ " \"observable_type\": \"email\",\n",
+ " \"observable_value\": \"hr-dept@ourcompany-security.com\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"observable\",\n",
+ " \"id\": \"observable--002\",\n",
+ " \"observable_type\": \"url\",\n",
+ " \"observable_value\": \"http://phishing-link.com/login\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"name\": \"Phishing Email Indicator\",\n",
+ " \"pattern\": \"[email-message:subject = 'Urgent Benefits Package Update']\",\n",
+ " \"valid_from\": \"2024-07-17T00:00:00Z\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"incident\",\n",
+ " \"id\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"name\": \"Phishing Attack on OurCompany\",\n",
+ " \"description\": \"A phishing attack where a suspicious email was sent to an employee of OurCompany.\",\n",
+ " \"first_seen\": \"2024-07-17T08:00:00Z\",\n",
+ " \"last_seen\": \"2024-07-17T08:10:00Z\",\n",
+ " \"status\": \"ongoing\",\n",
+ " \"affected_assets\": [\"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\"]\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\n",
+ " \"target_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\",\n",
+ " \"relationship_type\": \"attributed-to\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\",\n",
+ " \"relationship_type\": \"uses\",\n",
+ " \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\n",
+ " \"target_ref\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\"\n",
+ " }\n",
+ "]\n",
+ "\n",
+ "\n",
+ "\n"
+ ]
+ },
+ {
+ "data": {
+ "text/plain": [
+ "'\\n\\n\\nDescribe a conversation in STIX, which stands for Structured Threat Information eXpression, is a standardized language for representing cyber threat information.\\n\\n---\\n\\nFollow the following format.\\n\\nQuestion: a conversation describing a cyber incident between an IT Security Specialist and an employee.\\n\\nContext: one example, which contain a scenario and the coreposing STIX in JSON\\n\\nReasoning: Let\\'s think step by step in order to ${produce the answer}. We ...\\n\\nAnswer: the formalized STIX in JSON representing cyber threat information based on the conversation, e.g., [{object 1}, {object 2}, ... {object n}]\\n\\n---\\n\\nQuestion: Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was \"Urgent: Verify Your Account Now\". The email looks suspicious to me. Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from. Alice: Sure, forwarding it now. Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It\\'s actually registered to someone in Russia. Alice: That’s definitely not right. Should I be worried? Bob: We should investigate further. Did you click on any links or download any attachments? Alice: I did click on a link that took me to a page asking for my login credentials. I didn\\'t enter anything though. The URL was http://banksecure-verification.com/login. Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site. Alice: What should I do next? Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session? Alice: I’ve cleared the history and started the antivirus scan. 
Here are the relevant entries from my browser history: Visited at 10:15 AM: http://banksecure-verification.com/login Visited at 10:17 AM: http://banksecure-verification.com/account-details Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual. Alice: There\\'s a file named \"AccountDetails.exe\" that I don’t remember downloading. It was created at 10:20 AM. Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it? Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03. Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM. Alice: Is there anything else I need to do? Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts. Alice: Thanks, Bob. I’ll follow these steps immediately.\\n\\nContext:\\nExample scenairo: \\n Taylor: Hey Alex, I think I might have clicked on a suspicious link in an email.\\n Alex: Oh no, Taylor. Can you describe what happened?\\n Taylor: I got an email from what looked like our HR department. It said there was an urgent update to our benefits package, and I needed to click a link to review the changes.\\n Alex: Did the email address seem legitimate?\\n Taylor: At first glance, yes, but now that I think about it, the domain was slightly different. It was hr-dept@ourcompany-security.com instead of @ourcompany.com.\\n Alex: That sounds like phishing. What happened after you clicked the link?\\n Taylor: It took me to a login page that looked just like our internal portal. 
I entered my username and password.\\n Alex: Did you notice anything unusual after entering your credentials?\\n Taylor: Not immediately, but a few minutes later, I got an alert that someone attempted to log into my account from a different location.\\n Alex: Okay, this sounds serious. I need you to change your password immediately and enable two-factor authentication if you haven\\'t already.\\n Taylor: Done. What should we do next?\\n Alex: I\\'ll start by examining the email headers to trace the origin. Also, I need to check the link you clicked on to understand its structure and where it leads.\\n Taylor: Alright, I’ll forward you the email.\\n Alex: Thanks. I’ll also run a network scan to see if any other devices might have been compromised.\\n Taylor: Should I inform the rest of the team?\\n Alex: Yes, let them know about the phishing attempt and advise them to be cautious. I’ll send an official email with detailed instructions.\\n Taylor: Got it. Thanks, Alex. Is there anything else I should do?\\n Alex: Just keep an eye out for any unusual activities in your accounts. I’ll handle the technical investigation and follow up with you if I need more information.\\n Taylor: Will do. Thanks again.\\n Alex: No problem. 
Stay safe online.\\n Example generated STIX in JSON based on the scenairo: [\\n {\\n \"type\": \"identity\",\\n \"id\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\\n \"name\": \"OurCompany\",\\n \"identity_class\": \"organization\",\\n \"sectors\": [\"technology\"],\\n \"contact_information\": \"info@ourcompany.com\"\\n },\\n {\\n \"type\": \"email-addr\",\\n \"id\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\\n \"value\": \"hr-dept@ourcompany-security.com\"\\n },\\n {\\n \"type\": \"email-message\",\\n \"id\": \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\",\\n \"is_multipart\": false,\\n \"subject\": \"Urgent Benefits Package Update\",\\n \"from_ref\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\\n \"body\": \"Please click the link to review the changes to your benefits package.\"\\n },\\n {\\n \"type\": \"url\",\\n \"id\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\",\\n \"value\": \"http://phishing-link.com/login\"\\n },\\n {\\n \"type\": \"user-account\",\\n \"id\": \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\",\\n \"user_id\": \"Taylor\",\\n \"account_login\": \"taylor@ourcompany.com\"\\n },\\n {\\n \"type\": \"observable\",\\n \"id\": \"observable--001\",\\n \"observable_type\": \"email\",\\n \"observable_value\": \"hr-dept@ourcompany-security.com\"\\n },\\n {\\n \"type\": \"observable\",\\n \"id\": \"observable--002\",\\n \"observable_type\": \"url\",\\n \"observable_value\": \"http://phishing-link.com/login\"\\n },\\n {\\n \"type\": \"indicator\",\\n \"id\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\\n \"name\": \"Phishing Email Indicator\",\\n \"pattern\": \"[email-message:subject = \\'Urgent Benefits Package Update\\']\",\\n \"valid_from\": \"2024-07-17T00:00:00Z\"\\n },\\n {\\n \"type\": \"incident\",\\n \"id\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\\n \"name\": \"Phishing Attack on OurCompany\",\\n \"description\": \"A phishing attack where a suspicious email was sent to an employee of 
OurCompany.\",\\n \"first_seen\": \"2024-07-17T08:00:00Z\",\\n \"last_seen\": \"2024-07-17T08:10:00Z\",\\n \"status\": \"ongoing\",\\n \"affected_assets\": [\"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\"]\\n },\\n {\\n \"type\": \"relationship\",\\n \"id\": \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\",\\n \"relationship_type\": \"indicates\",\\n \"source_ref\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\\n \"target_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\"\\n },\\n {\\n \"type\": \"relationship\",\\n \"id\": \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\",\\n \"relationship_type\": \"attributed-to\",\\n \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\\n \"target_ref\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\"\\n },\\n {\\n \"type\": \"relationship\",\\n \"id\": \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\",\\n \"relationship_type\": \"uses\",\\n \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\\n \"target_ref\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\"\\n }\\n]\\n\\n\\nReasoning: Let\\'s think step by step in order to\\x1b[32m produce the answer. We need to identify the key elements in the conversation, such as the email address, suspicious URLs, actions taken by the employee, and recommendations provided by the IT Security Specialist. 
By breaking down the conversation into these components, we can create corresponding STIX objects in JSON format to represent the cyber threat information.\\n\\nAnswer: [\\n {\\n \"type\": \"identity\",\\n \"id\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\\n \"name\": \"OurCompany\",\\n \"identity_class\": \"organization\",\\n \"sectors\": [\"technology\"],\\n \"contact_information\": \"info@ourcompany.com\"\\n },\\n {\\n \"type\": \"email-addr\",\\n \"id\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\\n \"value\": \"hr-dept@ourcompany-security.com\"\\n },\\n {\\n \"type\": \"email-message\",\\n \"id\": \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\",\\n \"is_multipart\": false,\\n \"subject\": \"Urgent Benefits Package Update\",\\n \"from_ref\": \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\",\\n \"body\": \"Please click the link to review the changes to your benefits package.\"\\n },\\n {\\n \"type\": \"url\",\\n \"id\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\",\\n \"value\": \"http://phishing-link.com/login\"\\n },\\n {\\n \"type\": \"user-account\",\\n \"id\": \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\",\\n \"user_id\": \"Taylor\",\\n \"account_login\": \"taylor@ourcompany.com\"\\n },\\n {\\n \"type\": \"observable\",\\n \"id\": \"observable--001\",\\n \"observable_type\": \"email\",\\n \"observable_value\": \"hr-dept@ourcompany-security.com\"\\n },\\n {\\n \"type\": \"observable\",\\n \"id\": \"observable--002\",\\n \"observable_type\": \"url\",\\n \"observable_value\": \"http://phishing-link.com/login\"\\n },\\n {\\n \"type\": \"indicator\",\\n \"id\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\\n \"name\": \"Phishing Email Indicator\",\\n \"pattern\": \"[email-message:subject = \\'Urgent Benefits Package Update\\']\",\\n \"valid_from\": \"2024-07-17T00:00:00Z\"\\n },\\n {\\n \"type\": \"incident\",\\n \"id\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\\n \"name\": \"Phishing Attack on 
OurCompany\",\\n \"description\": \"A phishing attack where a suspicious email was sent to an employee of OurCompany.\",\\n \"first_seen\": \"2024-07-17T08:00:00Z\",\\n \"last_seen\": \"2024-07-17T08:10:00Z\",\\n \"status\": \"ongoing\",\\n \"affected_assets\": [\"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\"]\\n },\\n {\\n \"type\": \"relationship\",\\n \"id\": \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\",\\n \"relationship_type\": \"indicates\",\\n \"source_ref\": \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\",\\n \"target_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\"\\n },\\n {\\n \"type\": \"relationship\",\\n \"id\": \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\",\\n \"relationship_type\": \"attributed-to\",\\n \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\\n \"target_ref\": \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\"\\n },\\n {\\n \"type\": \"relationship\",\\n \"id\": \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\",\\n \"relationship_type\": \"uses\",\\n \"source_ref\": \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\",\\n \"target_ref\": \"url--4c3b-4c4b-bb6c-ded6b2a4a567\"\\n }\\n]\\x1b[0m\\n\\n\\n'"
+ ]
+ },
+ "execution_count": 11,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "turbo.inspect_history(n=1)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.12.3"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output.json b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output.json
new file mode 100644
index 0000000..621d242
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output.json
@@ -0,0 +1,88 @@
+[
+ {
+ "type": "identity",
+ "id": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "name": "OurCompany",
+ "identity_class": "organization",
+ "sectors": [
+ "technology"
+ ],
+ "contact_information": "info@ourcompany.com"
+ },
+ {
+ "type": "email-addr",
+ "id": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
+ "value": "hr-dept@ourcompany-security.com"
+ },
+ {
+ "type": "email-message",
+ "id": "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97",
+ "is_multipart": false,
+ "subject": "Urgent Benefits Package Update",
+ "from_ref": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
+ "body": "Please click the link to review the changes to your benefits package."
+ },
+ {
+ "type": "url",
+ "id": "url--4c3b-4c4b-bb6c-ded6b2a4a567",
+ "value": "http://phishing-link.com/login"
+ },
+ {
+ "type": "user-account",
+ "id": "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400",
+ "user_id": "Taylor",
+ "account_login": "taylor@ourcompany.com"
+ },
+ {
+ "type": "observable",
+ "id": "observable--001",
+ "observable_type": "email",
+ "observable_value": "hr-dept@ourcompany-security.com"
+ },
+ {
+ "type": "observable",
+ "id": "observable--002",
+ "observable_type": "url",
+ "observable_value": "http://phishing-link.com/login"
+ },
+ {
+ "type": "indicator",
+ "id": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "name": "Phishing Email Indicator",
+ "pattern": "[email-message:subject = 'Urgent Benefits Package Update']",
+ "valid_from": "2024-07-17T00:00:00Z"
+ },
+ {
+ "type": "incident",
+ "id": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "name": "Phishing Attack on OurCompany",
+ "description": "A phishing attack where a suspicious email was sent to an employee of OurCompany.",
+ "first_seen": "2024-07-17T08:00:00Z",
+ "last_seen": "2024-07-17T08:10:00Z",
+ "status": "ongoing",
+ "affected_assets": [
+ "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400"
+ ]
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "target_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed",
+ "relationship_type": "attributed-to",
+ "source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "target_ref": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051",
+ "relationship_type": "uses",
+ "source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "target_ref": "url--4c3b-4c4b-bb6c-ded6b2a4a567"
+ }
+]
\ No newline at end of file
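Review bot: Several object ids in this STIX output would not survive a real consumer: `url--4c3b-4c4b-bb6c-ded6b2a4a567` is missing the first UUID group and so is not a valid STIX identifier, and `indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f` reuses the UUID portion of `identity--1cba2e3c-...`, which at best is confusing and breaks tooling that keys on the UUID. `observable--001`/`observable--002` are not a STIX 2.1 object type (the file already carries the proper cyber-observable objects `email-addr` and `url`), and `incident`'s `affected_assets`/`status` do not appear to be spec properties. Because this file is model output that the 05 notebook reads back (`load_text_file("04_output_for_viz.json")`), treat it as untrusted: check every `id` against `<type>--<uuid4>` and uniqueness, and resolve each `source_ref`/`target_ref`/`from_ref` before a downstream step consumes it. The same content is committed as `04_output_for_viz.json` and `PhishingAttackScenarioPractice/stix_graph.json`, so the same applies there.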
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output_for_viz.json b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output_for_viz.json
new file mode 100644
index 0000000..621d242
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_output_for_viz.json
@@ -0,0 +1,88 @@
+[
+ {
+ "type": "identity",
+ "id": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "name": "OurCompany",
+ "identity_class": "organization",
+ "sectors": [
+ "technology"
+ ],
+ "contact_information": "info@ourcompany.com"
+ },
+ {
+ "type": "email-addr",
+ "id": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
+ "value": "hr-dept@ourcompany-security.com"
+ },
+ {
+ "type": "email-message",
+ "id": "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97",
+ "is_multipart": false,
+ "subject": "Urgent Benefits Package Update",
+ "from_ref": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
+ "body": "Please click the link to review the changes to your benefits package."
+ },
+ {
+ "type": "url",
+ "id": "url--4c3b-4c4b-bb6c-ded6b2a4a567",
+ "value": "http://phishing-link.com/login"
+ },
+ {
+ "type": "user-account",
+ "id": "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400",
+ "user_id": "Taylor",
+ "account_login": "taylor@ourcompany.com"
+ },
+ {
+ "type": "observable",
+ "id": "observable--001",
+ "observable_type": "email",
+ "observable_value": "hr-dept@ourcompany-security.com"
+ },
+ {
+ "type": "observable",
+ "id": "observable--002",
+ "observable_type": "url",
+ "observable_value": "http://phishing-link.com/login"
+ },
+ {
+ "type": "indicator",
+ "id": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "name": "Phishing Email Indicator",
+ "pattern": "[email-message:subject = 'Urgent Benefits Package Update']",
+ "valid_from": "2024-07-17T00:00:00Z"
+ },
+ {
+ "type": "incident",
+ "id": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "name": "Phishing Attack on OurCompany",
+ "description": "A phishing attack where a suspicious email was sent to an employee of OurCompany.",
+ "first_seen": "2024-07-17T08:00:00Z",
+ "last_seen": "2024-07-17T08:10:00Z",
+ "status": "ongoing",
+ "affected_assets": [
+ "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400"
+ ]
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "target_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed",
+ "relationship_type": "attributed-to",
+ "source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "target_ref": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051",
+ "relationship_type": "uses",
+ "source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "target_ref": "url--4c3b-4c4b-bb6c-ded6b2a4a567"
+ }
+]
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.dot b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.dot
new file mode 100644
index 0000000..33c01b4
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.dot
@@ -0,0 +1,8 @@
+digraph Phishing_Attack {
+ "OurCompany" -> "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857" [label="attributed-to"];
+ "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798" -> "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97" [label="from"];
+ "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97" -> "url--4c3b-4c4b-bb6c-ded6b2a4a567" [label="contains"];
+ "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97" -> "observable--001" [label="observable"];
+ "url--4c3b-4c4b-bb6c-ded6b2a4a567" -> "observable--002" [label="observable"];
+ "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857" -> "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f" [label="indicates"];
+}
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.png b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.png
new file mode 100644
index 0000000..b640bb7
Binary files /dev/null and b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_output.png differ
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_stix_dot_generator.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_stix_dot_generator.ipynb
new file mode 100644
index 0000000..8758bc9
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_stix_dot_generator.ipynb
@@ -0,0 +1,259 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "#!pip install graphviz\n",
+ "import dspy\n",
+ "import os\n",
+ "import openai\n",
+ "import json\n",
+ "from dotenv import load_dotenv\n",
+ "from graphviz import Source\n",
+ "from IPython.display import display"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def set_dspy():\n",
+ " # ==============set openAI enviroment=========\n",
+ " # Path to your API key file\n",
+ " key_file_path = \"openai_api_key.txt\"\n",
+ "\n",
+ " # Load the API key from the file\n",
+ " with open(key_file_path, \"r\") as file:\n",
+ " openai_api_key = file.read().strip()\n",
+ "\n",
+ " # Set the API key as an environment variable\n",
+ " os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ " # ==============end of set openAI enviroment=========\n",
+ "\n",
+ "\n",
+ "def set_dspy_hardcode_openai_key():\n",
+ " os.environ[\"OPENAI_API_KEY\"] = (\n",
+ " \"sk-proj-yourapikeyhere\"\n",
+ " )\n",
+ " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
+ " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
+ " dspy.settings.configure(lm=turbo)\n",
+ " return turbo\n",
+ "\n",
+ "turbo=set_dspy()\n",
+ "# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
+ "# turbo=set_dspy_hardcode_openai_key()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 3,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def load_text_file(file_path):\n",
+ " \"\"\"\n",
+ " Load a text file and return its contents as a string.\n",
+ "\n",
+ " Parameters:\n",
+ " file_path (str): The path to the text file.\n",
+ "\n",
+ " Returns:\n",
+ " str: The contents of the text file.\n",
+ " \"\"\"\n",
+ " try:\n",
+ " with open(file_path, \"r\") as file:\n",
+ " contents = file.read()\n",
+ " return contents\n",
+ " except FileNotFoundError:\n",
+ " return \"File not found.\"\n",
+ " except Exception as e:\n",
+ " return f\"An error occurred: {e}\"\n"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "File not found.\n"
+ ]
+ }
+ ],
+ "source": [
+ "conversation = load_text_file(\"04_output_for_viz.json\")\n",
+ "print(conversation)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 5,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "class DotGenerator(dspy.Signature):\n",
+ " \"\"\"Generate a evidence knowledge graph based on a cyber incident expressed in Structured Threat Information Expression (STIX).\"\"\"\n",
+ "\n",
+ " question: str = dspy.InputField(\n",
+ " desc=\"a cyber incident expressed in Structured Threat Information Expression with JSON format.\"\n",
+ " )\n",
+ "\n",
+ " answer: str = dspy.OutputField(\n",
+ " desc=\"a graph in a dot format. The nodes of the graph are evidence entities in STIX and the edges of the graph are the relationships between evidence entities in STIX. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n",
+ " )"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 6,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "def generate_answer_CoT(signature, text, output_file):\n",
+ " generate_answer = dspy.ChainOfThought(signature)\n",
+ " answer = generate_answer(question=text).answer # here we use the module\n",
+ "\n",
+ " with open(output_file, \"w\") as dot_file:\n",
+ " print(answer)\n",
+ " dot_file.write(answer)\n",
+ " return answer\n",
+ " print(f\"The evidence has been saved to the file {output_file}\")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 7,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "digraph file_not_found {\n",
+ " File [label=\"File\" shape=\"rectangle\" color=\"blue\"]\n",
+ " NotFound [label=\"Not Found\" shape=\"ellipse\" color=\"red\"]\n",
+ " File -> NotFound [label=\"Indicator\"]\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "output_file = \"05_output.dot\"\n",
+ "dot_description = generate_answer_CoT(\n",
+ " DotGenerator,\n",
+ " conversation,\n",
+ " output_file,\n",
+ ")"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 8,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "image/svg+xml": [
+ "\n",
+ "\n",
+ "\n",
+ "\n",
+ "\n"
+ ],
+ "text/plain": [
+ ""
+ ]
+ },
+ "metadata": {},
+ "output_type": "display_data"
+ },
+ {
+ "data": {
+ "text/plain": [
+ "'02_output_email_analysis.png'"
+ ]
+ },
+ "execution_count": 8,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "# Create a Digraph object and render the graph\n",
+ "graph = Source(dot_description)\n",
+ "display(graph)\n",
+ "\n",
+ "# Render the graph within the notebook\n",
+ "graph.render(\"05_output\", format=\"png\", cleanup=True)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": []
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.12.3"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
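Review bot: `load_text_file` (cell 3) converts an open failure into the literal strings `"File not found."` / `"An error occurred: ..."`, and the committed outputs show the consequence: cell 4 prints `File not found.`, cell 7 then passes that string as `conversation` to the model, and the model returns `digraph file_not_found {...}`, which is written to `05_output.dot` as if it were an evidence graph. Let the error propagate instead — replace the try/except with `with open(file_path, "r", encoding="utf-8") as file:` / `return file.read()` — so a missing input halts the pipeline rather than producing a plausible-looking but meaningless artifact (the `05_output.dot` checked in next to this notebook does not match this notebook's own output, which suggests the outputs are stale and worth re-running before publishing). In `generate_answer_CoT` the `print(f"The evidence has been saved to the file {output_file}")` sits after `return answer` and is unreachable; move it above the return, and consider checking that `answer.lstrip().startswith("digraph")` before writing it, since the signature only asks the model not to wrap the DOT in fences. `set_dspy_hardcode_openai_key` keeps a literal `OPENAI_API_KEY` assignment in tracked notebook source; `load_dotenv` is imported but never called, so prefer `load_dotenv()` with the key read from the environment and drop the hard-coded variant so a real key cannot be committed by editing that placeholder.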
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt
new file mode 100644
index 0000000..f117222
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt
@@ -0,0 +1,39 @@
+Alice: Hey Bob, I just got a strange email from support@banksecure.com. It says I need to verify my account details urgently. The subject line was "Urgent: Verify Your Account Now". The email looks suspicious to me.
+
+Bob: Hi Alice, that does sound fishy. Can you forward me the email? I’ll take a look at the headers to see where it came from.
+
+Alice: Sure, forwarding it now.
+
+Bob: Got it. Let’s see... The email came from IP address 192.168.10.45, but the domain banksecure.com is not their official domain. It's actually registered to someone in Russia.
+
+Alice: That’s definitely not right. Should I be worried?
+
+Bob: We should investigate further. Did you click on any links or download any attachments?
+
+Alice: I did click on a link that took me to a page asking for my login credentials. I didn't enter anything though. The URL was http://banksecure-verification.com/login.
+
+Bob: Good call on not entering your details. Let’s check the URL. This domain was just registered two days ago. It’s highly likely it’s a phishing site.
+
+Alice: What should I do next?
+
+Bob: First, clear your browser history and cache. Also, run a full antivirus scan on your computer. Can you also provide me with any browser history entries and cookies from that session?
+
+Alice: I’ve cleared the history and started the antivirus scan. Here are the relevant entries from my browser history:
+Visited at 10:15 AM: http://banksecure-verification.com/login
+Visited at 10:17 AM: http://banksecure-verification.com/account-details
+
+Bob: Thanks. I’ll analyze these URLs further. Also, check if there are any suspicious files downloaded or present in your downloads folder. Look for anything unusual.
+
+Alice: There's a file named "AccountDetails.exe" that I don’t remember downloading. It was created at 10:20 AM.
+
+Bob: Definitely suspicious. Don’t open it. Let’s hash the file to verify its integrity. Can you run an MD5 hash on it?
+
+Alice: Done. The MD5 hash is e99a18c428cb38d5f260853678922e03.
+
+Bob: This hash matches known malware in our database. We’ll need to quarantine it and check if it has established any network connections. I’ll look into our network logs for the IP 192.168.10.45 around 10:20 AM.
+
+Alice: Is there anything else I need to do?
+
+Bob: For now, avoid using your computer for sensitive tasks. We’ll also reset your passwords from a different device and enable two-factor authentication on your accounts.
+
+Alice: Thanks, Bob. I’ll follow these steps immediately.
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_evidence_graph.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_evidence_graph.txt
new file mode 100644
index 0000000..fa5de4a
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_evidence_graph.txt
@@ -0,0 +1,20 @@
+Entities:
+
+Email Address: support@banksecure.com
+IP Address: 192.168.10.45
+Domain: banksecure.com
+Domain: banksecure-verification.com
+URL: http://banksecure-verification.com/login
+URL: http://banksecure-verification.com/account-details
+File Name: AccountDetails.exe
+Hash: e99a18c428cb38d5f260853678922e03
+Timestamps: 10:15 AM, 10:17 AM, 10:20 AM
+
+Relationships:
+
+Email Address -> IP Address (origin of email)
+IP Address -> Domain (registered to IP address)
+Domain -> URL (composed URLs)
+URL -> Timestamp (visited at specific time)
+URL -> File Name (downloaded file)
+File Name -> Hash (MD5 hash of file)
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz.svg b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz.svg
new file mode 100644
index 0000000..6797fbe
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz.svg
@@ -0,0 +1,133 @@
+
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz_dot.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz_dot.txt
new file mode 100644
index 0000000..a3f37c9
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/plaintext_graphviz_dot.txt
@@ -0,0 +1,24 @@
+digraph EvidenceGraph {
+ Email [label="support@banksecure.com"];
+ IP [label="192.168.10.45"];
+ Domain1 [label="banksecure.com"];
+ Domain2 [label="banksecure-verification.com"];
+ URL1 [label="http://banksecure-verification.com/login"];
+ URL2 [label="http://banksecure-verification.com/account-details"];
+ Timestamp1 [label="10:15 AM"];
+ Timestamp2 [label="10:17 AM"];
+ Timestamp3 [label="10:20 AM"];
+ File [label="AccountDetails.exe"];
+ Hash [label="e99a18c428cb38d5f260853678922e03"];
+
+ Email -> IP;
+ IP -> Domain1;
+ IP -> Domain2;
+ Domain2 -> URL1;
+ Domain2 -> URL2;
+ URL1 -> Timestamp1;
+ URL2 -> Timestamp2;
+ URL2 -> File;
+ File -> Timestamp3;
+ File -> Hash;
+}
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graph.json b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graph.json
new file mode 100644
index 0000000..1ba5706
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graph.json
@@ -0,0 +1,75 @@
+{
+ "type": "email-addr",
+ "id": "email-addr--9c7ef4f7-4655-448e-aeb8-97f623b82948",
+ "value": "support@banksecure.com"
+},
+{
+ "type": "ipv4-addr",
+ "id": "ipv4-addr--a539bfe7-1c82-4d3b-9b5e-6cf2c6a2b4cf",
+ "value": "192.168.10.45"
+},
+{
+ "type": "domain-name",
+ "id": "domain-name--b1c2b7f3-4b14-4ae7-8d6f-54d36b07380c",
+ "value": "banksecure.com"
+},
+{
+ "type": "domain-name",
+ "id": "domain-name--5d4ed8d1-2e45-4c6b-a5c9-f45c3131e3e2",
+ "value": "banksecure-verification.com"
+},
+{
+ "type": "url",
+ "id": "url--0cf22d29-b3bb-46a2-b92e-16f92d39b290",
+ "value": "http://banksecure-verification.com/login"
+},
+{
+ "type": "url",
+ "id": "url--bda54241-9bde-4f4e-a447-9fbfd03fbc5f",
+ "value": "http://banksecure-verification.com/account-details"
+},
+{
+ "type": "file",
+ "id": "file--3ac1c982-ff0a-45c3-8127-5d1b2d2fd06c",
+ "name": "AccountDetails.exe",
+ "hashes": {
+ "MD5": "e99a18c428cb38d5f260853678922e03"
+ }
+},
+{
+ "type": "observed-data",
+ "id": "observed-data--1ff3c3a7-424f-4879-a9f3-1f6b7d6c75d4",
+ "first_observed": "2024-07-18T10:15:00Z",
+ "last_observed": "2024-07-18T10:20:00Z",
+ "number_observed": 1,
+ "objects": {
+ "0": {
+ "type": "email-addr",
+ "id": "email-addr--9c7ef4f7-4655-448e-aeb8-97f623b82948"
+ },
+ "1": {
+ "type": "ipv4-addr",
+ "id": "ipv4-addr--a539bfe7-1c82-4d3b-9b5e-6cf2c6a2b4cf"
+ },
+ "2": {
+ "type": "domain-name",
+ "id": "domain-name--b1c2b7f3-4b14-4ae7-8d6f-54d36b07380c"
+ },
+ "3": {
+ "type": "domain-name",
+ "id": "domain-name--5d4ed8d1-2e45-4c6b-a5c9-f45c3131e3e2"
+ },
+ "4": {
+ "type": "url",
+ "id": "url--0cf22d29-b3bb-46a2-b92e-16f92d39b290"
+ },
+ "5": {
+ "type": "url",
+ "id": "url--bda54241-9bde-4f4e-a447-9fbfd03fbc5f"
+ },
+ "6": {
+ "type": "file",
+ "id": "file--3ac1c982-ff0a-45c3-8127-5d1b2d2fd06c"
+ }
+ }
+}
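Review bot: This file is not parseable JSON — it is a sequence of top-level objects separated by commas with no enclosing array or bundle, so `json.load` will fail at the second object. Wrap the objects as a STIX bundle, `{"type": "bundle", "id": "bundle--<uuid placeholder>", "objects": [ ... ]}`, the way `PhishingAttackScenarioPractice/stix_graph.json` already does, and round-trip it through `json.load` before committing. The `objects` map inside `observed-data` is the STIX 2.0 form; STIX 2.1 references the SCOs by id through `object_refs` instead of repeating them inline.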
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz.svg b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz.svg
new file mode 100644
index 0000000..43947b7
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz.svg
@@ -0,0 +1,107 @@
+
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz_dot.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz_dot.txt
new file mode 100644
index 0000000..0b06aac
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/phishing_attack_conversation/stix_graphviz_dot.txt
@@ -0,0 +1,24 @@
+digraph PhishingIncident {
+ Email [label="Email"];
+ EmailDomain [label="Email Domain"];
+ SuspiciousLink [label="Suspicious Link"];
+ LoginPage [label="Login Page"];
+ Credentials [label="Credentials"];
+ Alert [label="Security Alert"];
+ EmployeeAccount [label="Employee Account"];
+ ForwardedEmail [label="Forwarded Email"];
+ NetworkScan [label="Network Scan"];
+ TeamNotification [label="Team Notification"];
+ ITSecuritySpecialist [label="IT Security Specialist"];
+
+ Email -> EmailDomain [label="from"];
+ Email -> SuspiciousLink [label="contains"];
+ SuspiciousLink -> LoginPage [label="redirects to"];
+ LoginPage -> Credentials [label="requests"];
+ Credentials -> Alert [label="triggered"];
+ Alert -> EmployeeAccount [label="related to"];
+ Email -> ForwardedEmail [label="forwarded by Taylor"];
+ ForwardedEmail -> ITSecuritySpecialist [label="received by"];
+ ITSecuritySpecialist -> NetworkScan [label="initiates"];
+ ITSecuritySpecialist -> TeamNotification [label="sends"];
+}
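Review bot: The content of this file does not belong to the scenario it sits in: `phishing_attack_conversation/conversation.txt` is the Alice/Bob `banksecure` case, yet this graph carries `forwarded by Taylor` and `ITSecuritySpecialist` nodes from the Practice scenario, and its blob hash (`0b06aac`) is identical to `PhishingAttackScenarioPractice/plaintext_graphviz_dot.txt`. It looks like the wrong artifact was copied in; regenerate it from `phishing_attack_conversation/stix_graph.json` (whose objects are the banksecure email-addr, ipv4-addr, domain-name, url and file entries) or remove it so the demo and practice evidence graphs are not confused.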
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/conversation.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/conversation.txt
new file mode 100644
index 0000000..2112418
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/conversation.txt
@@ -0,0 +1,20 @@
+Taylor: Hey Alex, I think I might have clicked on a suspicious link in an email.
+Alex: Oh no, Taylor. Can you describe what happened?
+Taylor: I got an email from what looked like our HR department. It said there was an urgent update to our benefits package, and I needed to click a link to review the changes.
+Alex: Did the email address seem legitimate?
+Taylor: At first glance, yes, but now that I think about it, the domain was slightly different. It was hr-dept@ourcompany-security.com instead of @ourcompany.com.
+Alex: That sounds like phishing. What happened after you clicked the link?
+Taylor: It took me to a login page that looked just like our internal portal. I entered my username and password.
+Alex: Did you notice anything unusual after entering your credentials?
+Taylor: Not immediately, but a few minutes later, I got an alert that someone attempted to log into my account from a different location.
+Alex: Okay, this sounds serious. I need you to change your password immediately and enable two-factor authentication if you haven't already.
+Taylor: Done. What should we do next?
+Alex: I'll start by examining the email headers to trace the origin. Also, I need to check the link you clicked on to understand its structure and where it leads.
+Taylor: Alright, I’ll forward you the email.
+Alex: Thanks. I’ll also run a network scan to see if any other devices might have been compromised.
+Taylor: Should I inform the rest of the team?
+Alex: Yes, let them know about the phishing attempt and advise them to be cautious. I’ll send an official email with detailed instructions.
+Taylor: Got it. Thanks, Alex. Is there anything else I should do?
+Alex: Just keep an eye out for any unusual activities in your accounts. I’ll handle the technical investigation and follow up with you if I need more information.
+Taylor: Will do. Thanks again.
+Alex: No problem. Stay safe online.
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_evidence_graph.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_evidence_graph.txt
new file mode 100644
index 0000000..4fbf816
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_evidence_graph.txt
@@ -0,0 +1,23 @@
+Nodes:
+Email (Entity: Email)
+Email Domain (Entity: Domain)
+Suspicious Link (Entity: URL)
+Login Page (Entity: Web Page)
+Credentials (Entity: Username/Password)
+Alert (Entity: Security Alert)
+Employee Account (Entity: Account)
+Forwarded Email (Entity: Email)
+Network Scan (Entity: Network Activity)
+Team Notification (Entity: Communication)
+
+Edges:
+Email -> Email Domain (Relationship: "from")
+Email -> Suspicious Link (Relationship: "contains")
+Suspicious Link -> Login Page (Relationship: "redirects to")
+Login Page -> Credentials (Relationship: "requests")
+Credentials -> Alert (Relationship: "triggered")
+Alert -> Employee Account (Relationship: "related to")
+Email -> Forwarded Email (Relationship: "forwarded by Taylor")
+Forwarded Email -> IT Security Specialist (Relationship: "received by")
+IT Security Specialist -> Network Scan (Relationship: "initiates")
+IT Security Specialist -> Team Notification (Relationship: "sends")
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz.svg b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz.svg
new file mode 100644
index 0000000..b6691b1
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz.svg
@@ -0,0 +1,143 @@
+
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz_dot.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz_dot.txt
new file mode 100644
index 0000000..0b06aac
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/plaintext_graphviz_dot.txt
@@ -0,0 +1,24 @@
+digraph PhishingIncident {
+ Email [label="Email"];
+ EmailDomain [label="Email Domain"];
+ SuspiciousLink [label="Suspicious Link"];
+ LoginPage [label="Login Page"];
+ Credentials [label="Credentials"];
+ Alert [label="Security Alert"];
+ EmployeeAccount [label="Employee Account"];
+ ForwardedEmail [label="Forwarded Email"];
+ NetworkScan [label="Network Scan"];
+ TeamNotification [label="Team Notification"];
+ ITSecuritySpecialist [label="IT Security Specialist"];
+
+ Email -> EmailDomain [label="from"];
+ Email -> SuspiciousLink [label="contains"];
+ SuspiciousLink -> LoginPage [label="redirects to"];
+ LoginPage -> Credentials [label="requests"];
+ Credentials -> Alert [label="triggered"];
+ Alert -> EmployeeAccount [label="related to"];
+ Email -> ForwardedEmail [label="forwarded by Taylor"];
+ ForwardedEmail -> ITSecuritySpecialist [label="received by"];
+ ITSecuritySpecialist -> NetworkScan [label="initiates"];
+ ITSecuritySpecialist -> TeamNotification [label="sends"];
+}
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graph.json b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graph.json
new file mode 100644
index 0000000..419b142
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graph.json
@@ -0,0 +1,88 @@
+{
+ "type": "bundle",
+ "id": "bundle--b5d5f5d4-4c5a-4c3d-9224-5d91b0df6fd5",
+ "objects": [
+ {
+ "type": "identity",
+ "id": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "name": "OurCompany",
+ "identity_class": "organization",
+ "sectors": ["technology"],
+ "contact_information": "info@ourcompany.com"
+ },
+ {
+ "type": "email-addr",
+ "id": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
+ "value": "hr-dept@ourcompany-security.com"
+ },
+ {
+ "type": "email-message",
+ "id": "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97",
+ "is_multipart": false,
+ "subject": "Urgent Benefits Package Update",
+ "from_ref": "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798",
+ "body": "Please click the link to review the changes to your benefits package."
+ },
+ {
+ "type": "url",
+ "id": "url--4c3b-4c4b-bb6c-ded6b2a4a567",
+ "value": "http://phishing-link.com/login"
+ },
+ {
+ "type": "user-account",
+ "id": "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400",
+ "user_id": "Taylor",
+ "account_login": "taylor@ourcompany.com"
+ },
+ {
+ "type": "observable",
+ "id": "observable--001",
+ "observable_type": "email",
+ "observable_value": "hr-dept@ourcompany-security.com"
+ },
+ {
+ "type": "observable",
+ "id": "observable--002",
+ "observable_type": "url",
+ "observable_value": "http://phishing-link.com/login"
+ },
+ {
+ "type": "indicator",
+ "id": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "name": "Phishing Email Indicator",
+ "pattern": "[email-message:subject = 'Urgent Benefits Package Update']",
+ "valid_from": "2024-07-17T00:00:00Z"
+ },
+ {
+ "type": "incident",
+ "id": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "name": "Phishing Attack on OurCompany",
+ "description": "A phishing attack where a suspicious email was sent to an employee of OurCompany.",
+ "first_seen": "2024-07-17T08:00:00Z",
+ "last_seen": "2024-07-17T08:10:00Z",
+ "status": "ongoing",
+ "affected_assets": ["user-account--bd5631cf-2af6-4bba-bc92-37c60d020400"]
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d",
+ "relationship_type": "indicates",
+ "source_ref": "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f",
+ "target_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed",
+ "relationship_type": "attributed-to",
+ "source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "target_ref": "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051",
+ "relationship_type": "uses",
+ "source_ref": "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857",
+ "target_ref": "url--4c3b-4c4b-bb6c-ded6b2a4a567"
+ }
+ ]
+}
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz.svg b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz.svg
new file mode 100644
index 0000000..ab538a6
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz.svg
@@ -0,0 +1,142 @@
+
\ No newline at end of file
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz_dot.txt b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz_dot.txt
new file mode 100644
index 0000000..0477bf6
--- /dev/null
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioPractice/stix_graphviz_dot.txt
@@ -0,0 +1,26 @@
+digraph PhishingIncident {
+ node [shape=box];
+
+ Identity [label="Identity: OurCompany"];
+ EmailAddress [label="Email Address: hr-dept@ourcompany-security.com"];
+ EmailMessage [label="Email Message: Urgent Benefits Package Update"];
+ URL [label="URL: http://phishing-link.com/login"];
+ UserAccount [label="User Account: Taylor"];
+ ObservableEmail [label="Observable: Email Address"];
+ ObservableURL [label="Observable: URL"];
+ Indicator [label="Indicator: Phishing Email Indicator"];
+ Incident [label="Incident: Phishing Attack on OurCompany"];
+ RelationshipIndicates [label="Relationship: indicates"];
+ RelationshipAttributedTo [label="Relationship: attributed-to"];
+ RelationshipUses [label="Relationship: uses"];
+
+ EmailAddress -> EmailMessage [label="from"];
+ EmailMessage -> URL [label="contains link"];
+ URL -> UserAccount [label="requests credentials"];
+ EmailMessage -> ObservableEmail [label="matches"];
+ URL -> ObservableURL [label="matches"];
+ Indicator -> Incident [label="indicates"];
+ Incident -> Identity [label="attributed to"];
+ Incident -> URL [label="uses"];
+ Incident -> UserAccount [label="affected asset"];
+}
diff --git a/papers/CIKM2024.pdf b/papers/CIKM2024.pdf
new file mode 100644
index 0000000..c0557c6
Binary files /dev/null and b/papers/CIKM2024.pdf differ