Malware Analysis and detection on different hosts and prediction with DL model on Wazuh

rahuls321/Malware-Analysis-and-detection-on-different-hosts

Group Name - CyborgDroid

Course - CS658A: Topics In Malware Analysis & Intrusion Detection

Topic - Malware Analysis and detection on different hosts and prediction with DL model on Wazuh

Team Members

  1. Sumit Patel ( 21211404 )
  2. Rahul Kumar ( 21111069 )
  3. Ashankur Tripathi ( 20111076 )
  4. Mandar Bapat ( 190475 )
  5. Harishchandra patidar ( 21111029 )
  6. Sandeep Saket ( 21111055 )

DEMO VIDEO - https://www.youtube.com/watch?v=vgaZpUpF3K4

The "sample_data" folder contains a few of the malware samples we used to test the model. Do not run the files in the sample folder directly on your local machine.

Our Wazuh server IP - 149.28.194.138

Part 1 - To connect an agent with Wazuh, run these commands

For Linux -

$ curl -so wazuh-agent-4.2.5.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.5-1_amd64.deb && sudo WAZUH_MANAGER='149.28.194.138' dpkg -i ./wazuh-agent-4.2.5.deb
$ sudo systemctl daemon-reload
$ sudo systemctl enable wazuh-agent
$ sudo systemctl start wazuh-agent

For Mac -

$ curl -so wazuh-agent-4.2.5.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.2.5-1.pkg && sudo launchctl setenv WAZUH_MANAGER '149.28.194.138' && sudo installer -pkg ./wazuh-agent-4.2.5.pkg -target /
$ sudo /Library/Ossec/bin/wazuh-control start

This connects the agents to the Wazuh server.

Part 2 - Connect all the external devices with Wazuh

  1. Pendrive

     Make a folder named "malware" on both the client and server side, in the same location as client.py and server.py respectively. Then run:

     $ python detect_pendrive.py - Detects whether a pendrive is connected to the system and forwards any executable files found on it to the local system.
     $ python server.py - Establishes the link between the Wazuh server and the local client so the server can receive the executable files from the client. Run this on the server side.
     $ python client.py - Sends the files from the pendrive to the Wazuh server.

  2. Raspberry Pi

     For the Raspberry Pi, run:

     $ python server.py - Establishes the link between the Wazuh server and the local client so the server can receive the executable files from the client. Run this on the server side.
     $ python client.py - Sends the files from the Raspberry Pi to the Wazuh server.

  3. Android devices

     For Android, follow these steps:

       1. Make sure that the Android phone you are connecting to the PC has USB debugging enabled through the developer options.
       2. Connect the Android device to the PC using a USB cable.
       3. Use the command 'adb devices' to list the USB devices connected to the PC and check that your device is in that list.
       4. Run the command 'adb tcpip 5555'.
       5. Note down the IP address of your Android device.
       6. Run the command 'adb connect '.
       7. Now you can remove the Android device from the USB port.
       8. Run the command 'adb logcat' to get the logs from the Android device. You will see the real-time logs on the command line itself.
       9. To put the logs into a file, redirect the output of the above command to a file.
       10. Run this command --> $ python android.py

     We selected only a few events to monitor in the Android logs; you can monitor more events as well by appending their names to the list in the android.py file.
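A sketch of the message framing and server-side checks a client.py/server.py pair like the one above needs, as an added example (not the project's own code): each message carries the name length, payload length and SHA-256 of the file, and the receiver verifies the hash and strips every path component from the name before writing the sample into the "malware" folder without an execute bit. The 64 MiB limit and the header layout are assumptions.

```python
import hashlib
import os
import struct

MAX_FILE_SIZE = 64 * 1024 * 1024          # assumed upper bound for one sample
HEADER = struct.Struct("!H I 32s")        # name length, payload length, sha256

def pack_file(name, data):
    """Client side: one message = header + UTF-8 file name + raw file bytes."""
    name_b = name.encode("utf-8")
    digest = hashlib.sha256(data).digest()
    return HEADER.pack(len(name_b), len(data), digest) + name_b + data

def safe_name(name):
    """Keep only the final path component so '../x' or 'C:\\x' cannot escape the folder."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = "".join(c for c in base if c.isalnum() or c in "._-").strip(".")
    return base or "unnamed.bin"

def unpack_file(buf):
    """Server side: validate header, sizes and hash before anything touches disk.
    Returns (safe file name, data, unconsumed bytes) so a stream can carry several files."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    name_len, data_len, digest = HEADER.unpack_from(buf)
    if data_len > MAX_FILE_SIZE:
        raise ValueError("payload too large")
    end = HEADER.size + name_len + data_len
    if len(buf) < end:
        raise ValueError("truncated message")
    name = buf[HEADER.size:HEADER.size + name_len].decode("utf-8")
    data = buf[HEADER.size + name_len:end]
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("hash mismatch: transfer corrupted or tampered with")
    return safe_name(name), data, buf[end:]

def store(folder, name, data):
    """Write into the 'malware' folder under a hash-prefixed name; never execute the file."""
    os.makedirs(folder, exist_ok=True)
    dest = os.path.join(folder, hashlib.sha256(data).hexdigest() + "_" + name)
    with open(dest, "wb") as f:
        f.write(data)
    os.chmod(dest, 0o600)                 # read/write for the owner only, no execute bit
    return dest
```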

Part 3 - Train & deploy a deep learning model to detect malware families

Dataset link - https://drive.google.com/file/d/1AJl5sb4iYEpPjZ4DiZfI3G_665_nO3sl/view?usp=sharing

Steps followed

  1. Download these datasets and put them in the "data" folder.
  2. Run this command to preprocess the data and convert all executables to images --> $ python data_preprocess.py --bin_to_img
  3. Train the VGG19 model to detect malware --> $ python detect_malware.py --transfer_conv_ml
  4. Find all the plots and logs in the logs folder.
  5. You can change the hyperparameters in the config.py file.
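The executable-to-image conversion that the bin_to_img step performs, as an added example rather than the project's data_preprocess.py: each byte becomes one grayscale pixel, the row width follows a file-size table (assumed here, in the style of the Malimg approach), and a nearest-neighbour resize brings every sample to VGG19's default 224x224 input.

```python
# Added example of the "bin_to_img" preprocessing step; not the project's data_preprocess.py.
# Assumed: the width table below and VGG19's default 224x224 input size.

# (max file size in KiB, image width in pixels): small files get narrow images
WIDTH_TABLE = [(10, 32), (30, 64), (60, 128), (100, 256), (200, 384),
               (500, 512), (1000, 768)]

def image_width(n_bytes):
    """Pick a row width from the file size so samples of one family look alike."""
    kib = n_bytes / 1024
    for limit, width in WIDTH_TABLE:
        if kib <= limit:
            return width
    return 1024  # anything above 1000 KiB

def bytes_to_image(data, width=None):
    """Map every byte to one grayscale pixel (0-255) in rows of `width` pixels;
    the last row is zero-padded so the result is rectangular."""
    width = width or image_width(len(data))
    if not data:
        return [[0] * width]
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    rows[-1].extend([0] * (width - len(rows[-1])))
    return rows

def resize_nearest(img, size):
    """Nearest-neighbour resize to size x size so every sample fits the CNN input."""
    h, w = len(img), len(img[0])
    return [[img[r * h // size][c * w // size] for c in range(size)]
            for r in range(size)]

def file_to_image(path, size=224):
    """Read one executable from disk (never execute it) and return its size x size matrix."""
    with open(path, "rb") as f:
        return resize_nearest(bytes_to_image(f.read()), size)
```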

To deploy the model,

  1. Save the model weights and move them to the Wazuh server.
  2. We made a Flask-based API that runs the model over all the executables received from the external devices.
  3. Open 149.28.194.138:5000/scan in the browser - this scans all the executable files present on the Wazuh server and reports their malware families.
  4. To run the API --- $ flask app -h 149.28.194.138 -p 5000

To show all the logs of the external devices, we created one external log file, test.log, at /var/ossec/logs/test.log. We wrote custom RULES and a DECODER for Wazuh so that it reads logs of that particular type. These are the files we modified to read external logs other than syslog:

  1. /var/ossec/bin/wazuh-logtest
  2. /var/ossec/etc/decoders/local_decoder.xml
  3. /var/ossec/etc/rules/local_rules.xml

After making all the changes, we restarted wazuh-manager.

Using the Python logging module we forwarded all the logs to the Wazuh server at this location -- /var/ossec/logs/test.log

import logging
import os

# Root logger level is taken from LOGLEVEL (default INFO)
logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
logger = logging.getLogger()
# Every record is appended to the file that Wazuh tails
handler = logging.FileHandler("/var/ossec/logs/test.log")
logger.addHandler(handler)

Then we append each log entry with logger.info("...").
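An added example (not the project's android.py) that covers both the Android step and the logger snippet above: it parses logcat -v threadtime lines, keeps only the monitored event tags, and writes each hit as one flat key=value line to the test.log file Wazuh reads, a layout that a custom decoder can match with a fixed prematch. The tag set, the device label and the line layout are assumptions.

```python
import logging
import os
import re

# Assumed set of logcat tags worth forwarding; extend it like the list in android.py
MONITORED_EVENTS = {"PackageManager", "ActivityManager", "am_proc_start"}

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s*(?P<msg>.*)$")

def parse_logcat_line(line):
    """Return the fields of one threadtime line, or None for anything else."""
    m = LOGCAT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def to_wazuh_line(device, rec):
    """One flat key=value line per event; newlines are removed so one event stays one line."""
    msg = rec["msg"].replace("\n", " ")
    return (f"android_event device={device} tag={rec['tag']} level={rec['level']} "
            f"pid={rec['pid']} msg={msg}")

def filter_events(lines, device="android-1", events=MONITORED_EVENTS):
    """Keep only lines whose tag is in the monitored set, already formatted for test.log."""
    out = []
    for line in lines:
        rec = parse_logcat_line(line)
        if rec and rec["tag"].strip() in events:
            out.append(to_wazuh_line(device, rec))
    return out

def make_logger(path="/var/ossec/logs/test.log"):
    """Same idea as the snippet above: a logger whose records land in the file Wazuh tails."""
    logger = logging.getLogger("android_events")
    logger.setLevel(os.environ.get("LOGLEVEL", "INFO"))
    if not logger.handlers:
        logger.addHandler(logging.FileHandler(path))
    return logger

if __name__ == "__main__":
    import sys
    log = make_logger()
    # e.g.  adb logcat -v threadtime | python this_script.py
    for entry in filter_events(sys.stdin):
        log.info(entry)
```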
