Capability and outstanding value of the YAKSHA software

Capability and outstanding value of the YAKSHA software

In the latest – summer 2020 – edition of the newsletter,  the key points that make the YAKSHA software unique and unlike any other software on the market, were presented. We asked our technical project partners to explain their vision about the platform.

What is the YAKSHA software?

YAKSHA is an innovative cybersecurity intelligence gathering tool that allows organisations to easily deploy and monitor large numbers of honeypot virtual machines acting both as threat samples generators and deception decoys for the actual services the organisation runs exposed on the internet.

How is it unique and different from other existing softwares?

YAKSHA employs some features seen for the first time in cybersecurity solutions:

  • Rapid setting up, deployment and management of honeypots Virtual Machines, in small or large numbers
  • Fully automated malware sample analysis, both static and dynamic
  • Automated, unsupervised machine learning analysis of attack patterns by clustering the samples and individuation of the prototypes for each
  • Sharing of information (according to strict and flexible policies) between YAKSHA installations (“nodes”) in a fully distributed architecture

Could you describe the functionality of the YAKSHA software?

  1. Through a web interface the user is able to create and expose to the Internet virtual honeypots ready to go. Supported Operating Systems range from Linux (in various flavours) to MS Windows, to Android. They are free to install on the newly created honeypots aby application they see fit, connecting through standard protocols like SSH or RDP.
  2. YAKSHA honeypots are automatically monitored for changes in the filesystem that could reveal potential malware. File monitoring agents were developed from scratch for the Microsoft Windows environment; for Linux and Android open source solutions with special customisations. Malware samples are collected every time a change is detected;
  3. Every sample file collected is fed through a queue mechanism on the backend where its behaviour is automatically analysed in a “sandbox” safe environment. The sample is classified as malware or as safe. For the Android-based honeypots a similar sandbox environment is used.
  4. Details on all samples and the analysis result are displayed in the GUI and are part of the datasets generated.
  5. The results of the automated malware analysis (system calls in particular, that describe the actual malware behaviour) are the input of a clustering Machine Learning model that groups the samples according to similarities in their behaviour. Each cluster represents a family of similarly-behaved malware samples. A prototype is automatically individuated by the Machine Learning model for each cluster.
  6. The end results from the clustering module allow the YAKSHA platform to show clearly the macro-trends in malware threats, in particular geographical regions or single countries, providing very valuable intelligence.

The second end-user event has been postponed due to the COVID-19 outbreak. Could you please expand on how the software is planned to be presented at this final event of the project and what is your vision for the future?

The complete platform’s functionality will be presented to the ambassadors’ community and other participants, focusing on the automated malware analysis feature and the malware clustering results.

The end goal will be to show the data gathering and Machine Learning features.

The long-term plan is that the IPR owners relevant to the platform will bring the service to market in the framework of the YAKSHA Exploitation Agreement.