
IEEE CS ENICarthage SBC

Tunisia section

NeoCarthago Report
Table of Contents

List of Figures  i
List of Tables  i
1 Scope and Topic  1
2 NeoCarthago Objective  1
3 Deliverables  2
3.1 Data Collection  2
3.2 Data Processing and Storage  2
3.3 AI and Machine Learning Models  3
3.4 Solution Infrastructure  4
3.5 Visualization and User Interface  5
3.6 Integration with Cybersecurity Ecosystem  6
3.7 Security and Privacy  6
4 Contact us  7

List of Figures

1 UNSW-NB15 network data set description.  2
2 Model Accuracy.  3
3 Internal Infrastructure.  4
4 External Infrastructure.  5
5 Website Home page.  5

List of Tables

1 Definition of the Attack Simulations  1
2 Tools and Their Purposes  6

1 Scope and Topic

This challenge focuses on the critical need for advanced cybersecurity solutions that leverage AI to
automate incident response processes, enhancing organizations’ ability to defend against evolving
cyber threats both efficiently and effectively. It is part of the IEEE CS Tunisia Section Chapter
and IEEE Tunisia YP Affinity Group’s TSYP 12 technical challenge: SMARTSHIELD: AI-Driven
Cybersecurity Incident Response Automation.

2 NeoCarthago Objective

Our objective with NeoCarthago is to develop an AI-powered infrastructure solution for automating cybersecurity incident detection, response, and mitigation, thereby enhancing organizational resilience against cyber threats.
NeoCarthago incorporates several components handling security incidents, with Wazuh as its core SIEM tool, ensuring compatibility and reliability on both Windows and Ubuntu servers. It integrates VirusTotal, Kali, Mimikatz and Gemini, creating a cohesive and adaptive cybersecurity solution.
It efficiently protects against brute force attacks, DCSync, Kerberoasting, LLMNR and NetBIOS vulnerabilities, and blocks malicious IPs.

Attack Simulation: Definition

Brute Force Attack: A brute force attack is a method used to gain unauthorized access to a system by attempting many possible passwords or passphrases until the correct one is found. This attack typically targets weak or easily guessed passwords.
DCSync Attack: DCSync is an attack that simulates the process of Domain Controller replication. Attackers impersonate a domain controller and extract password hashes from the domain, often to escalate privileges.
Kerberoasting: Kerberoasting is a technique where attackers request service tickets for service accounts in Active Directory, extract the encrypted tickets, and attempt to crack them offline to gain access to service account credentials.
LLMNR Vulnerability: LLMNR is a protocol that can be exploited to capture network traffic in local networks. Attackers can intercept and manipulate name resolution requests to harvest sensitive information or conduct man-in-the-middle attacks.
NetBIOS Vulnerability: NetBIOS is a legacy network protocol used for file sharing and network communication. Exploiting NetBIOS vulnerabilities can allow attackers to execute man-in-the-middle attacks, intercept traffic, and gather sensitive data.
Malicious IP Blocking: Malicious IP blocking refers to the process of identifying and blocking IP addresses that are involved in suspicious or harmful activities, such as cyberattacks or network intrusions. This is done to protect the network and prevent further malicious actions.

Table 1: Definition of the Attack Simulations

3 Deliverables

3.1 Data Collection

Collect data from various sources such as security logs, network traffic, endpoint
devices (e.g., laptops, servers), and threat intelligence feeds:
Wazuh Agents’ Logs: We set up Wazuh agents across our network to monitor and log activity
from various endpoints. These logs capture a wide range of security events, from authentication
attempts and system errors to file integrity changes. This data provides real-time insight into
potential security issues, helping us identify unusual behavior patterns and detect possible threats
as they occur.
Endpoint Data from Nmap: We utilized Nmap to scan endpoint devices and gather data on
open ports, active services, and protocols in use. This data helps us understand the current
state of our network endpoints, providing a detailed inventory of accessible services and potential
vulnerabilities. It also enhances our ability to spot any unauthorized access points or configurations
that may be exploited.
IEEE Xplore Dataset (IEEE DataPort) for AI Model Training: To build and refine our AI model for
threat detection, we incorporated a dataset from IEEE Xplore. This dataset, containing structured
information on known vulnerabilities, threat behaviors, and cybersecurity best practices, serves as
a foundation for training the model. Using this data, we trained the model to recognize patterns
indicative of specific threats and anomalies, increasing its accuracy in analyzing data from Wazuh.
IEEE DataPort: UNSW-NB15: a comprehensive data set for network intrusion detection systems
(UNSW-NB15 network data set)

Figure 1: UNSW-NB15 network data set description.

Include historical incident data, attack patterns, and vulnerabilities:


In NeoCarthago, we have included two well-known vulnerabilities: LLMNR (Link-Local Multicast Name Resolution) and NetBIOS (Network Basic Input/Output System). These protocols can introduce security weaknesses, particularly in Windows environments. They are commonly exploited for network-based attacks, such as credential theft.

3.2 Data Processing and Storage

Utilize scalable storage solutions such as SIEM (Security Information and Event Management) systems, data lakes, or cloud-based databases:
Wazuh uses a set of predefined parsers that are tailored to specific log types from different sources, such as firewalls, intrusion detection systems, and operating systems. These parsers extract relevant fields from the logs to ensure the data is organized and ready for further analysis.

Once logs are parsed, they go through a normalization process. Normalization standardizes the parsed data into a consistent format across all log sources. This step ensures that data from different platforms, applications, and devices can be compared and analyzed uniformly. For example, a "login attempt" from a Windows machine will be normalized in the same way as a "login attempt" from a Linux machine, making it easier to aggregate and analyze data across heterogeneous environments.

After normalization, Wazuh applies a set of security rules to the data. These rules are designed
to detect specific patterns or behaviors that indicate potential security incidents. For example,
rules may be set to detect brute force login attempts, unusual network traffic patterns, or privilege
escalation activities. When an event matches a predefined rule, it is flagged as a potential threat
and an alert is generated. These alerts are categorized based on severity, with more critical events
triggering higher priority alerts.
For storage, Wazuh integrates with Elasticsearch, a powerful search and analytics engine that is
optimized for storing and querying large volumes of data. After processing the logs, the parsed,
normalized, and rule-matched data is indexed in Elasticsearch. This enables fast querying and
retrieval, allowing security teams to search through vast amounts of data efficiently. The data is
stored in a time-series format, which makes it easier to track trends, perform historical analysis,
and correlate events over time. Elasticsearch also ensures that the data is highly available and
scalable, supporting the growing volume of logs in large and distributed environments.
By leveraging Elasticsearch for storage, Wazuh ensures that all logs, alerts, and processed data
are efficiently indexed and stored in a way that allows for rapid querying and deep analysis, even
as the amount of data increases over time. This combination of parsing, normalization, rule-based
analysis, and elastic storage creates a comprehensive, reliable system for processing and storing
cybersecurity data.
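As an added illustration of the parse, normalize and rule-match pipeline described above (example code written for this report, not code from NeoCarthago or Wazuh), the following Python normalizes constructed Windows and Linux login-failure lines into one schema and then applies a brute-force threshold rule that emits a severity-ranked alert. The log line formats, the threshold of three failures, and the alert levels are assumptions, not Wazuh's actual decoders or rule levels.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real captured data): Windows logon failures (event 4625)
# and Linux sshd password events, in simplified, hypothetical formats.
SAMPLE_LOGS = [
    "2024-11-10T10:00:01 winsrv01 Security EventID=4625 Account=alice Source=198.51.100.7",
    "2024-11-10T10:00:03 winsrv01 Security EventID=4625 Account=alice Source=198.51.100.7",
    "2024-11-10T10:00:05 ubuntu01 sshd[1234]: Failed password for bob from 198.51.100.7 port 52312 ssh2",
    "2024-11-10T10:00:06 ubuntu01 sshd[1234]: Failed password for bob from 198.51.100.7 port 52313 ssh2",
    "2024-11-10T10:00:08 ubuntu01 sshd[1240]: Failed password for carol from 198.51.100.7 port 52320 ssh2",
    "2024-11-10T10:00:09 ubuntu01 sshd[1241]: Accepted password for bob from 203.0.113.5 port 40000 ssh2",
    "2024-11-10T10:00:10 ubuntu01 sshd[1242]: Failed password for dave from 203.0.113.5 port 40001 ssh2",
]

# One parser per log source, as a SIEM's predefined decoders would be (assumed formats).
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) Security EventID=4625 "
                    r"Account=(?P<user>\S+) Source=(?P<src>\S+)$")
LINUX_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                      r"password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Parse one raw line into the common schema; None if no parser matches."""
    m = WIN_RE.match(line)
    if m:  # Windows event 4625 is always a failed logon
        return {"timestamp": m["ts"], "host": m["host"], "src_ip": m["src"],
                "user": m["user"], "outcome": "failure"}
    m = LINUX_RE.match(line)
    if m:
        outcome = "failure" if m["result"] == "Failed" else "success"
        return {"timestamp": m["ts"], "host": m["host"], "src_ip": m["src"],
                "user": m["user"], "outcome": outcome}
    return None

def brute_force_alerts(lines, threshold=3):
    """Rule: >= threshold login failures from one source IP raise an alert.
    Level (assumed, on a 0-15 SIEM-style scale) is higher when one source fails on several hosts."""
    failures = defaultdict(list)
    for line in lines:
        event = normalize(line)
        if event and event["outcome"] == "failure":
            failures[event["src_ip"]].append(event)
    alerts = []
    for src_ip, events in failures.items():
        if len(events) >= threshold:
            hosts = sorted({e["host"] for e in events})
            alerts.append({"rule": "brute_force", "src_ip": src_ip, "attempts": len(events),
                           "hosts": hosts, "level": 12 if len(hosts) > 1 else 10})
    return alerts
```

Because normalization happens before the rule runs, the two Windows failures and the three Linux failures from the same source are counted together, which a per-source rule would miss.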

3.3 AI and Machine Learning Models

Develop AI models for real-time threat detection, using machine learning algorithms
to analyze patterns and anomalies in network and system behavior:
We have trained our AI model using the UNSW-NB15 dataset from IEEE Xplore. The model’s
role is to classify network packets as either benign or malicious, enabling the detection of potential
cyberattacks. Upon detecting malicious activity, the model takes action by blocking the malicious
IP.

Figure 2: Model Accuracy.

Implement natural language processing (NLP) for analyzing security reports, threat intelligence, and incident tickets:
We developed an integrated system combining Nmap, Gemini, and Wazuh to enhance network security. Nmap scans the network for vulnerabilities, and Gemini, with its NLP capabilities, processes and analyzes the scan results, turning them into actionable insights. These findings are then sent to Wazuh, which uses predefined rules to trigger alerts and automated responses, improving threat detection and incident management. This system streamlines vulnerability assessment and response, ensuring timely, efficient protection against emerging cyber threats.

3.4 Solution Infrastructure

Design a scalable and resilient infrastructure for deploying AI models and processing
real-time cybersecurity data:
To design a scalable and resilient infrastructure for deploying AI models and processing real-time cybersecurity data, we set up a robust environment using a combination of virtualized systems and essential cybersecurity tools. We began by installing Ubuntu and Windows servers on virtual machines hosted through VMware, providing a flexible and isolated environment for running different security applications and AI models. These virtual machines allow for easy scalability and resource management, ensuring the infrastructure can handle growing data and processing demands.

Figure 3: Internal Infrastructure.

Implement APIs and connectors for seamless integration with existing cybersecurity tools and systems: To enhance the system's ability to detect and respond to security incidents, we integrated key cybersecurity tools such as VirusTotal for malware analysis and Kali Linux for penetration testing. These tools help in identifying potential vulnerabilities and threats within the network. Additionally, we deployed Active Directory to manage and secure user access, ensuring that only authorized individuals can interact with the system.
This infrastructure is designed to be modular and flexible, aligning with the requirements of a microservices architecture. By using virtualized environments and integrating a diverse set of cybersecurity tools, we have created a resilient platform that can easily accommodate future expansions, such as the integration of AI models and other cybersecurity solutions, while maintaining high availability and performance.

Figure 4: External Infrastructure.

3.5 Visualization and User Interface

Create dashboards and visualizations for security operations teams to monitor real-time threats, incident response status, and overall cybersecurity posture:
The Wazuh Dashboard is a powerful web-based interface designed to provide security teams with an organized and intuitive way to monitor, analyze, and respond to security events in real time. It offers a comprehensive view of the security landscape, allowing users to efficiently manage incidents, view alerts, and investigate suspicious activities across their infrastructure.
Develop a user-friendly interface for incident analysts to investigate alerts, review automated responses, and initiate manual interventions when necessary, and ensure the interface supports collaboration and knowledge sharing among cybersecurity teams:

We have also developed a responsive, user-friendly website to showcase NeoCarthago, highlighting its potential features and capabilities. The website serves to promote our solution and, in the future, will provide additional functionalities, such as an interface for incident analysts to investigate alerts and conduct in-depth analysis.

Website Link: https://neocarthago.vercel.app/

Figure 5: Website Home page.

3.6 Integration with Cybersecurity Ecosystem

Ensure interoperability with existing cybersecurity tools such as firewalls, IDS/IPS (Intrusion Detection and Prevention Systems), EDR (Endpoint Detection and Response), and SOAR (Security Orchestration, Automation, and Response) platforms:

We have ensured that NeoCarthago integrates seamlessly with existing tools and systems, ensuring full interoperability with Wazuh, Nmap, Gemini, Mimikatz and others.

Tool Purpose
Wazuh Security monitoring and event management.
Nmap Network scanning and vulnerability detection.
Gemini AI-driven vulnerability analysis.
Elasticsearch Storing and querying large datasets.
Kibana Visualizing and analyzing the collected security data.
Mimikatz Credential extraction and security testing.
Kali Linux Penetration testing and vulnerability assessments.
VirusTotal Scanning and analyzing files and URLs for potential threats.
PuTTY Secure remote administration of servers and network devices.

Table 2: Tools and Their Purposes

Facilitate data sharing and threat intelligence collaboration with external partners
and industry peers:

We have ensured that NeoCarthago integrates seamlessly with Slack for real-time communication
and alert notifications, facilitating data sharing and threat intelligence collaboration with external
partners and industry peers.
Slack Link: https://join.slack.com/t/neocarthago/shared_invite/zt-2to7zry5g-O4nu3Pu9ekKBSxJnxIPFw

3.7 Security and Privacy

Implement strong encryption and access control measures to protect sensitive cybersecurity data and ensure compliance with relevant cybersecurity standards and regulations, such as GDPR, HIPAA, or industry-specific regulation:
To address the need for strong encryption and access control measures, we implemented hashing techniques using Kali Linux tools for securing sensitive cybersecurity data. Hashing is a one-way function, meaning that even if the data is intercepted, it cannot be reversed to reveal the original information. This approach enhances our data protection, ensuring the confidentiality and integrity of sensitive information in transit and storage.
Additionally, Wazuh plays a key role in ensuring compliance with cybersecurity standards and
regulations. Wazuh has built-in capabilities that support compliance with GDPR (General Data
Protection Regulation), which governs data privacy and protection within the European Union. By
integrating Wazuh with the necessary data privacy frameworks, we can automate the monitoring of
data access, implement user access control, and ensure that sensitive data is handled in accordance
with GDPR requirements, such as the right to erasure, data minimization, and data protection by
design.

Wazuh's features, such as log management, intrusion detection, and alerting, help organizations meet regulatory standards and demonstrate compliance during audits by providing a comprehensive record of data access and security events. This ensures both strong encryption and strict access controls, while also adhering to regulations like GDPR, HIPAA, or any industry-specific requirements.

4 Contact us

We welcome any questions, feedback, or inquiries related to NeoCarthago. Please feel free to reach out to us through our email: enicarthage.ieee.cs@gmail.com
You can also check the prototype of the solution for further explanation.
Prototype: https://drive.google.com/file/d/1JQUCD0TjrSI9D-B2QmHHfB6-QKbWTKSD/view?usp=sharing
GitHub Repository: https://github.com/IEEECSENICarthage/NeoCarthago
