asy1um

CVE/CVSS Integration Guide

Overview

This document describes the CVE and CVSS enrichment capabilities integrated into the asy1um adaptive honeypot system. The integration enables automatic detection, enrichment, and adaptive response to CVE-related threats detected in honeypot logs.

Architecture

Components

CVE Enrichment Module (ai/api/cve_enrichment.py)
- Regex-based CVE detection
- NVD API client with rate limiting
- Multi-version CVSS support (v3.1, v3.0, v2.0)
- In-memory and persistent caching
AI API Endpoints (ai/api/main.py)
- /cveinfo - Retrieve CVE details by ID
- /cve/detect - Extract CVE IDs from text
- /cve/enrich - Enrich log entries with CVE data
Logstash Pipeline (monitoring/elk/logstash/pipeline/logstash.conf)
- Automatic CVE detection in honeypot logs
- CVE-aware anomaly scoring
- Forwarding to enrichment service
Orchestration API (orchestration/api/server.js)
- CVSS-based adaptive response triggers
- Infrastructure adaptation based on severity
- CVE information proxy endpoint

Features

1. CVE Detection

The system automatically detects CVE identifiers in honeypot logs using the pattern:

\bCVE-\d{4}-\d+\b

Detection occurs in multiple log fields:

message
input
command
data
payload

2. CVSS Enrichment

When a CVE is detected, the system queries the NVD API to retrieve:

CVSS Base Score (0.0 - 10.0)
Severity Rating (CRITICAL, HIGH, MEDIUM, LOW, NONE)
CVSS Vector String
CVE Description (first 500 characters)
Attack Vector, Complexity, and Impact Metrics
Published and Last Modified Dates

3. Caching System

To avoid rate limiting and reduce API calls:

In-memory cache for runtime performance
Persistent JSON cache for long-lived storage
7-day cache expiry for data freshness
Rate limiting (0.6s between requests for public API)

Cache location: ai/data/cve_cache.json

4. Adaptive Orchestration

The system responds dynamically based on CVSS severity:

Critical Severity (CVSS >= 9.0)

Deploy specialized high-interaction honeypots
Redirect attacker to isolated, heavily instrumented decoy
Enable maximum monitoring and verbose logging
Alert security team
Trigger Terraform infrastructure updates

High Severity (7.0 <= CVSS < 9.0)

Scale up honeypot instances (1.5x)
Deploy medium-interaction honeypots
Elevate monitoring levels
Trigger infrastructure updates

Medium Severity (4.0 <= CVSS < 7.0)

Enhanced logging only
Standard monitoring continues

Low/None Severity (CVSS < 4.0)

Log for analysis
No adaptive response

5. Elasticsearch Integration

Enriched log entries include new fields:

{
  "cve_detected": true,
  "cve_ids": ["CVE-2021-44228"],
  "max_cvss_score": 10.0,
  "cve_severity": "CRITICAL",
  "cve_enrichments": [
    {
      "cve_id": "CVE-2021-44228",
      "cvss_base_score": 10.0,
      "cvss_severity": "CRITICAL",
      "cvss_version": "3.1",
      "cve_description": "Apache Log4j2 ...",
      "enrichment_status": "success"
    }
  ]
}

API Reference

GET /cveinfo

Retrieve detailed information about a specific CVE or multiple CVEs.

Parameters:

cve (query string): CVE identifier (e.g., CVE-2021-44228) or comma-separated list (e.g., CVE-2021-44228,CVE-2020-1234)

Example (Single CVE):

curl "http://localhost:8000/cveinfo?cve=CVE-2021-44228"

Response (Single CVE):

{
  "cve_id": "CVE-2021-44228",
  "cvss_base_score": 10.0,
  "cvss_severity": "CRITICAL",
  "cvss_version": "3.1",
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "cve_description": "Apache Log4j2 2.0-beta9 through 2.15.0...",
  "published_date": "2021-12-10T10:15:09.000",
  "enrichment_timestamp": "2024-01-15T10:30:00.000000",
  "enrichment_status": "success"
}

Example (Multiple CVEs):

curl "http://localhost:8000/cveinfo?cve=CVE-2021-44228,CVE-2020-1234"

Response (Multiple CVEs):

{
  "cves": [
    {
      "cve_id": "CVE-2021-44228",
      "cvss_base_score": 10.0,
      "cvss_severity": "CRITICAL",
      "enrichment_status": "success"
    },
    {
      "cve_id": "CVE-2020-1234",
      "cvss_base_score": 7.5,
      "cvss_severity": "HIGH",
      "enrichment_status": "success"
    }
  ],
  "count": 2
}

POST /cve/detect

Extract CVE identifiers from text.

Request Body:

{
  "text": "Exploit attempt using CVE-2021-44228"
}

Response:

{
  "cve_ids": ["CVE-2021-44228"],
  "count": 1,
  "timestamp": "2024-01-15T10:30:00.000000"
}

POST /cve/enrich

Enrich a log entry with CVE data.

Request Body:

{
  "log_entry": {
    "message": "Command executed: exploit CVE-2021-44228",
    "cve_ids": ["CVE-2021-44228"],
    "timestamp": "2024-01-15T10:30:00.000Z",
    "src_ip": "192.168.1.100",
    "eventid": "cowrie.command.input"
  }
}

Note: The Logstash pipeline automatically sends a structured JSON payload with the following fields:

message: Original log message
cve_ids: Array of detected CVE identifiers
timestamp: Event timestamp
src_ip: Source IP address
eventid: Event identifier from honeypot

Response:

{
  "message": "Command executed: exploit CVE-2021-44228",
  "cve_ids": ["CVE-2021-44228"],
  "src_ip": "192.168.1.100",
  "cve_detected": true,
  "max_cvss_score": 10.0,
  "cve_severity": "CRITICAL",
  "cve_enrichments": [...]
}

GET /cve/:cveId (Orchestration API)

Proxy endpoint for CVE information via the orchestration API.

Example:

curl "http://localhost:3001/cve/CVE-2021-44228"

Usage Examples

Manual CVE Lookup

# Query single CVE information
curl "http://localhost:8000/cveinfo?cve=CVE-2021-44228" | jq .

# Query multiple CVEs (comma-separated)
curl "http://localhost:8000/cveinfo?cve=CVE-2021-44228,CVE-2020-1234,CVE-2019-5678" | jq .

# Via orchestration API
curl "http://localhost:3001/cve/CVE-2021-44228" | jq .

Detect CVEs in Text

curl -X POST http://localhost:8000/cve/detect \
  -H "Content-Type: application/json" \
  -d '{"text": "Attempting CVE-2021-44228 and CVE-2020-1234"}' \
  | jq .

Enrich Log with CVE Data

curl -X POST http://localhost:8000/cve/enrich \
  -H "Content-Type: application/json" \
  -d '{
    "log_entry": {
      "message": "Exploit CVE-2021-44228",
      "cve_ids": ["CVE-2021-44228"],
      "src_ip": "192.168.1.100"
    }
  }' \
  | jq .

Trigger CVE-based Event

curl -X POST http://localhost:3001/events \
  -H "Content-Type: application/json" \
  -d '{
    "type": "cve_detected",
    "source": "manual",
    "data": {
      "cve_ids": ["CVE-2021-44228"],
      "anomaly_score": 50
    }
  }' | jq .

Configuration

Environment Variables

Add to .env file:

# NVD API Configuration (optional - uses public endpoint by default)
NVD_API_KEY=your-api-key-here  # Increases rate limit to 50 req/30s

# Cache Configuration
CVE_CACHE_EXPIRY_DAYS=7
CVE_CACHE_PATH=/app/data/cve_cache.json

Rate Limiting

Public API: 5 requests per 30 seconds (0.6s delay between requests)
With API Key: 50 requests per 30 seconds

Request an API key at: https://nvd.nist.gov/developers/request-an-api-key

Failure Handling

The system includes robust failure handling:

API Failures

Timeout: Returns enrichment_status: "timeout"
Not Found: Returns enrichment_status: "not_found"
Parse Error: Returns enrichment_status: "parse_error"

Non-Blocking Design

CVE enrichment failures do not block honeypot operations
Logs are still ingested into Elasticsearch
System continues normal operation

Fallback Behavior

{
  "cve_id": "CVE-2021-44228",
  "enrichment_status": "failed",
  "error": "NVD API timeout"
}

Monitoring and Alerts

Metrics

The orchestration API exposes Prometheus metrics:

# Count of CVE detection events
orchestration_events_total{type="cve_detected"}

# Event processing duration
event_processing_duration_seconds{event_type="cve_detected"}

Kibana Queries

Search for CVE-related events:

# All CVE detections
cve_detected:true

# Critical CVEs only
cve_severity:CRITICAL

# High CVSS scores
max_cvss_score:>=9.0

# Specific CVE
cve_ids:"CVE-2021-44228"

Testing

Run the CVE enrichment test suite:

cd ai
python -m pytest tests/test_cve_enrichment.py -v
python -m pytest tests/test_cve_api.py -v

Test coverage:

CVE extraction from text
Cache functionality (set/get/persistence)
NVD API interaction (success/failure/timeout)
Log enrichment with CVE data
API endpoint logic

Troubleshooting

CVE Not Found

Problem: CVE query returns “not found”

Solutions:

Verify CVE ID format: CVE-YYYY-NNNN
Check if CVE is published in NVD database
Try querying NVD directly: https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNN

Rate Limiting

Problem: Receiving 403 errors from NVD API

Solutions:

Reduce query frequency
Use cache more aggressively
Request an NVD API key
Implement request queuing

Cache Issues

Problem: Cache not persisting between restarts

Solutions:

Check file permissions on ai/data/cve_cache.json
Verify Docker volume mounts
Check disk space

Enrichment Timeouts

Problem: CVE enrichment taking too long

Solutions:

Increase NVD_REQUEST_TIMEOUT setting
Check network connectivity to NVD
Use cached data when available
Consider pre-populating cache for common CVEs

Best Practices

Pre-populate Cache: Load common/recent CVEs during startup
Monitor Rate Limits: Track API usage to avoid blocking
Regular Cache Cleanup: Remove old/unused entries
Prioritize Critical CVEs: Process high-severity CVEs first
Alert on Critical: Set up alerts for CVSS >= 9.0 detections
Audit Failures: Review enrichment failures regularly
Update Regularly: Keep CVE data fresh (7-day cache expiry)

Future Enhancements

Potential improvements for the CVE integration:

Daily CRON job to update CVE cache
Auto-deploy honeypot profiles for new high-severity CVEs
ML model integration: use CVSS as feature for anomaly scoring
CVE exploit pattern database
Historical CVE trend analysis
Integration with other vulnerability databases (MITRE, CISA KEV)
Custom severity thresholds per deployment
CVE-based deception tactics (fake vulnerable services)

References

Support

For issues or questions:

GitHub Issues: https://github.com/PR-CYBR/asy1um/issues
Documentation: See docs/ directory