Implementing the API and Auto Response System in HEDA
by Dillon Griffey
This month, I focused on developing and integrating an API system for HEDA. I also set up the token system for accessing that API and an automatic response system for malicious packets.
Hello, I am Dillon Griffey, and welcome back to my blog. Today, I want to share the progress and challenges I faced in enhancing HEDA's alert system.
Goal for the Month
The primary goal for this month was to implement an API system for HEDA to pull and update information. I also aimed to build the automatic response system for malicious packets.
Feature Development
The new API system is designed to pull and update HEDA database information. When a packet is flagged as potentially malicious, an automatic response is triggered and a log entry is written that includes the packet's source and destination IP addresses, ports, protocol, and payload. Users can then review this information and confirm whether the packet is indeed malicious or a false positive. That review data can then be queried through the API.
To build this feature, I used several tools and technologies:
- Electron for the desktop application framework
- SQLite for the database to store packet logs and notifications
- Scapy for packet sniffing and analysis
- Python for the automatic response and the API back end
- TensorFlow for machine learning model integration
One significant challenge was creating a token system that the user could generate and use for the API. I had to design a system where the token would remain secure but also allow the user to easily update or modify the key if needed. Additionally, I ran into an issue when building the automatic response: at first the system would write multiple firewall updates about the same IP. I had to design logic to prevent the same IP from being blocked repeatedly.
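The flagged-packet log and API query described under Feature Development, together with the token check and the once-per-IP block logic from the paragraph above, as an added example (my own illustration, not HEDA's code): an in-memory SQLite store holding flagged packets with a reviewer verdict, a bearer token stored only as a SHA-256 hash and compared in constant time, and an auto-block routine that refuses to write a second firewall update for an IP already blocked and skips whitelisted ranges. The table names, the `verdict` values and the sample packet are all constructed for this example; the token check simply returns False on a fresh install with no token yet rather than failing.

```python
import hashlib
import hmac
import ipaddress
import secrets
import sqlite3

# Constructed schema (assumption, not HEDA's real tables).
SCHEMA = """
CREATE TABLE flagged_packets (
    id INTEGER PRIMARY KEY,
    src_ip TEXT NOT NULL, dst_ip TEXT NOT NULL,
    src_port INTEGER, dst_port INTEGER,
    protocol TEXT, payload BLOB,
    verdict TEXT NOT NULL DEFAULT 'pending'   -- pending | malicious | false_positive
);
CREATE TABLE blocked_ips (ip TEXT PRIMARY KEY, reason TEXT);
CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY);
"""
VERDICTS = {"malicious", "false_positive"}


def open_store():
    """Open an in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn):
    """Generate a random bearer token; only its SHA-256 hash is persisted,
    so a database leak does not hand out usable tokens."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    conn.execute("INSERT INTO api_tokens VALUES (?)", (digest,))
    conn.commit()
    return token


def token_valid(conn, presented):
    """Constant-time comparison against every stored hash. An empty table
    (new install, no token yet) yields False instead of raising."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    rows = conn.execute("SELECT token_hash FROM api_tokens").fetchall()
    return any(hmac.compare_digest(digest, row["token_hash"]) for row in rows)


def record_flagged(conn, src_ip, dst_ip, src_port, dst_port, protocol, payload):
    """Write the log entry for a packet the classifier flagged; returns its id."""
    cur = conn.execute(
        "INSERT INTO flagged_packets (src_ip, dst_ip, src_port, dst_port, protocol, payload)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (src_ip, dst_ip, src_port, dst_port, protocol, payload),
    )
    conn.commit()
    return cur.lastrowid


def set_verdict(conn, packet_id, verdict):
    """Reviewer confirms the packet as malicious or marks it a false positive."""
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    conn.execute("UPDATE flagged_packets SET verdict = ? WHERE id = ?", (verdict, packet_id))
    conn.commit()


def auto_block(conn, ip, whitelist_cidrs, reason="flagged by classifier"):
    """Return 'whitelisted', 'already_blocked' or 'blocked'. The PRIMARY KEY on
    blocked_ips guarantees a second call for the same IP never reaches the
    firewall update step."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c, strict=False) for c in whitelist_cidrs):
        return "whitelisted"
    try:
        conn.execute("INSERT INTO blocked_ips VALUES (?, ?)", (ip, reason))
    except sqlite3.IntegrityError:
        return "already_blocked"
    conn.commit()
    # The host firewall rule would be written here; left abstract in this example.
    return "blocked"


def query_flagged(conn, token, verdict=None):
    """API read path: rejects bad tokens, otherwise returns matching log rows."""
    if not token_valid(conn, token):
        raise PermissionError("invalid bearer token")
    sql = "SELECT * FROM flagged_packets"
    params = ()
    if verdict is not None:
        sql += " WHERE verdict = ?"
        params = (verdict,)
    return [dict(r) for r in conn.execute(sql, params).fetchall()]


if __name__ == "__main__":
    db = open_store()
    tok = issue_token(db)
    pid = record_flagged(db, "203.0.113.7", "192.0.2.10", 4444, 22, "TCP", b"\x00\x01")
    print(auto_block(db, "203.0.113.7", ["10.0.0.0/8"]))   # blocked
    print(auto_block(db, "203.0.113.7", ["10.0.0.0/8"]))   # already_blocked
    set_verdict(db, pid, "malicious")
    print(query_flagged(db, tok, verdict="malicious"))
```

Storing only the token hash means rotating the key is a delete-and-reissue rather than an update of plaintext, and the whitelist check is where a VPN egress range would be placed so tunnel traffic does not trip the auto-block.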
Visual Components
Retrospective
This month was a mix of successes and challenges. The API is a must-have for users to integrate all data moving forward. Additionally, having a way to auto-block and whitelist specific IPs is much needed for this type of application.
What went right:
- Successful inclusion of a secure API system.
- Automatic responses on packets detected as malicious.
What went wrong:
- The VPN would sometimes trigger the automatic responses.
- The token system was failing initially on new systems that did not have a previous token.
Moving forward, I plan to enhance the API options and allow more settings over the bearer tokens that are generated.
Additional Insights
Time management has been crucial in balancing feature development and user testing. Collaborating with my advisor provided valuable feedback and direction, helping to refine the feature. The knowledge gained from previous courses in machine learning and database management has been instrumental in this project's progress.
With the API system and automatic responses working, HEDA now just needs to focus on fine-tuning and training the models on new or existing threats. Additionally, I plan to integrate a basic pentest of the host system to show exposed ports and outdated software.
Thank you for following along on this journey. Stay tuned for more updates and insights into the development of HEDA.