Superflow ARTIF

ARTIF is a new real-time threat intelligence framework that builds on MISP to identify threats and malicious web traffic based on IP reputation and historical data. It also performs automatic enrichment and threat scoring by collecting, processing, and correlating observables based on different factors.

Key features of ARTIF:

  • Scoring System: Enriches IP addresses with threat metadata, including a threat score that security teams can use as a threshold for taking action.
  • Containerized: ARTIF is deployed as containers, which makes it straightforward to deploy.
  • Modular Architecture: The project is plugin-based and can be extended by modifying threat feeds in MISP, without downtime to the service.
  • Alerting: ARTIF integrates with Slack for active alerting, and also supports attack profiling and visualization.

Use cases:

  • Threat detection
  • Logging and monitoring
  • User profiling
  • Alerting automation

Why use ARTIF?

  • It is a real-time threat intelligence framework that can help identify malicious IPs even if they are not present in MISP.
  • This helps organizations set up a first layer of defense by providing transparency over malicious web traffic reaching their servers.
  • By default, ARTIF comes with 52 configured open source threat feeds with a database of 0.7 million IP addresses.
  • Lookup latency is ~180 ms, which the project reports as more than 10x faster than commercial products.
  • ARTIF stores historical IPs for analysis and uses them in scoring based on past records and patterns.
  • It adds a score to each IP in addition to other metadata.

Superflow:

Superflow is a platform that helps organizations build, manage, and deploy custom machine learning models. It provides a variety of features, including:

  • A simple and intuitive user interface
  • A wide range of pre-built machine learning models
  • The ability to train and deploy custom machine learning models
  • A variety of tools for monitoring and managing machine learning models

How does ARTIF use Superflow?

ARTIF uses Superflow to train and deploy its machine learning models. This allows ARTIF to quickly and easily update its models with new data and to deploy its models to new environments.

Benefits of using ARTIF with Superflow:

  • Deployment and management of ARTIF are handled through Superflow.
  • ARTIF can be refreshed with new data and retrained models without a manual rebuild.
  • ARTIF can be moved to new environments with the same workflow.

Overall, ARTIF is a powerful and flexible threat intelligence framework that can be used to identify and mitigate threats to organizations of all sizes.

To add custom feeds to ARTIF, you need to:

  1. Create a new feed in MISP.
  2. Add the new feed to your ARTIF configuration file.
  3. Restart ARTIF.

Once ARTIF has restarted, it will start collecting intelligence from the new feed.

ARTIF is written in Python and uses a correlation engine to calculate a threat score for each IP address. The threat score is based on a variety of factors, including the IP's reputation, historical data, and geolocation.

ARTIF stores its data in MongoDB, organised into three main databases:

  • The IP database stores information about the IP addresses in the feed, such as their country, ASN, and organization.
  • The metadata database stores additional information about the IP addresses, such as their threat score and historical data.
  • The old feed database stores old feeds that have been replaced by newer feeds.

ARTIF removes historical IPs from the database after 7 days by default.

Here are some additional technical details about ARTIF:

  • ARTIF uses a Celery worker to update the threat scores for IP addresses in the database.
  • The worker is triggered whenever a new IP address hits the service, or whenever an IP's score has not been updated in the past 24 hours.
  • The threat score calculation algorithm takes into account a variety of factors, including the IP's reputation, historical data, and geolocation.
  • ARTIF can be configured to use custom feeds, which can be useful for specific business and security use cases.
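The lifecycle the two lists above describe (score from feed reputation plus history plus geolocation, re-score when an IP is new or its score is older than 24 hours, drop historical IPs after 7 days) is easier to reason about in code. The following is an added, self-contained Python illustration written for this page; it is not ARTIF's own scoring algorithm or code. The feed names, weights, caps, watch-listed country, the 70-point action threshold and the geolocation lookups are all constructed assumptions, and the IPs come from documentation ranges, so nothing here is real threat intelligence.

```python
"""Illustrative IP scoring and refresh loop modelled on the page's description of
ARTIF. Added example, not ARTIF's own code; feeds, weights and thresholds are
assumptions, and all sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample feeds: feed name -> IPs listed by that feed (documentation ranges).
FEEDS = {
    "feed_a_botnet_c2": {"203.0.113.10", "203.0.113.11"},
    "feed_b_mass_scanners": {"203.0.113.10", "198.51.100.7"},
    "feed_c_anonymizers": {"198.51.100.7"},
}
# Assumed weights: a C2 listing counts for more than a scanner listing.
FEED_WEIGHTS = {"feed_a_botnet_c2": 40, "feed_b_mass_scanners": 20, "feed_c_anonymizers": 15}
FEED_CAP = 60                  # feed evidence alone cannot exceed this
HISTORY_CAP = 20               # repeat sightings add up to this much
WATCHLIST_COUNTRIES = {"XX"}   # assumed policy input

# Constructed geolocation/ASN enrichment (what the IP database lookup would return).
GEO = {
    "203.0.113.10": {"country": "XX", "asn": 64496, "hosting": True},
    "203.0.113.11": {"country": "YY", "asn": 64497, "hosting": False},
    "198.51.100.7": {"country": "XX", "asn": 64498, "hosting": True},
    "192.0.2.55":   {"country": "YY", "asn": 64499, "hosting": False},
}

RESCORE_AFTER = timedelta(hours=24)   # page: re-score if not updated in 24h
HISTORY_TTL = timedelta(days=7)       # page: historical IPs dropped after 7 days


@dataclass
class IPRecord:
    ip: str
    first_seen: datetime
    last_seen: datetime
    hits: int = 1
    score: int = 0
    scored_at: Optional[datetime] = None


def feed_score(ip: str) -> int:
    """Reputation: sum of the weights of every feed that lists the IP, capped."""
    return min(FEED_CAP, sum(w for name, w in FEED_WEIGHTS.items() if ip in FEEDS[name]))


def history_score(rec: IPRecord) -> int:
    """History: each repeat sighting of the same IP adds 5 points, capped."""
    return min(HISTORY_CAP, 5 * (rec.hits - 1))


def geo_score(ip: str) -> int:
    """Geolocation/ASN: hosting ASNs and watch-listed countries add points."""
    meta = GEO.get(ip, {})
    return (10 if meta.get("hosting") else 0) + (10 if meta.get("country") in WATCHLIST_COUNTRIES else 0)


def compute_score(rec: IPRecord) -> int:
    return min(100, feed_score(rec.ip) + history_score(rec) + geo_score(rec.ip))


def needs_rescore(rec: IPRecord, now: datetime) -> bool:
    """Mirrors the worker trigger: brand-new record, or last scored more than 24h ago."""
    return rec.scored_at is None or now - rec.scored_at > RESCORE_AFTER


def record_hit(db: Dict[str, IPRecord], ip: str, now: datetime) -> IPRecord:
    """Called when an IP hits the service; runs scoring inline when it is due
    (a real deployment would enqueue this for the worker instead)."""
    rec = db.get(ip)
    if rec is None:
        rec = db[ip] = IPRecord(ip=ip, first_seen=now, last_seen=now)
    else:
        rec.hits += 1
        rec.last_seen = now
    if needs_rescore(rec, now):
        rec.score = compute_score(rec)
        rec.scored_at = now
    return rec


def prune_history(db: Dict[str, IPRecord], now: datetime) -> int:
    """Retention: drop records not seen within the TTL; returns how many were removed."""
    stale = [ip for ip, rec in db.items() if now - rec.last_seen > HISTORY_TTL]
    for ip in stale:
        del db[ip]
    return len(stale)


def is_actionable(rec: IPRecord, threshold: int = 70) -> bool:
    """Threshold a security team might block or alert on (assumed value)."""
    return rec.score >= threshold


def simulate() -> dict:
    """Walk the lifecycle on constructed traffic and return the checkpoints."""
    db: Dict[str, IPRecord] = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    initial = {ip: record_hit(db, ip, t0).score for ip in GEO}
    record_hit(db, "203.0.113.11", t0 + timedelta(hours=1))           # within 24h: no re-score
    after_1h = db["203.0.113.11"].score
    rec = record_hit(db, "203.0.113.11", t0 + timedelta(hours=25))    # past 24h: re-scored with history
    removed = prune_history(db, t0 + timedelta(days=8))               # only the IP seen at t0+25h survives
    return {"initial": initial, "hits": rec.hits, "after_1h": after_1h,
            "after_25h": rec.score, "removed": removed, "remaining": sorted(db)}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point of the 24-hour rule in `needs_rescore` is that the second hit on 203.0.113.11 an hour later updates the hit count but leaves the stored score untouched; only the hit after 25 hours folds the accumulated history into a new score. Pruning keeps the IP whose last sighting is inside the 7-day window and drops the rest, which is why a repeat offender that keeps coming back is never aged out.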

Overall, ARTIF is a powerful threat intelligence framework that can help organizations identify and respond to malicious activity more effectively. It is open source, easy to use, and scalable, making it a good choice for organizations of all sizes.

If you want to explore partnership opportunities with us, please schedule a meeting through the following Calendly link.

https://calendly.com/dashingjoey/superflow