AI Triage

Michael Haag edited this page Aug 14, 2024 · 2 revisions

AI Triage in ShellSweepX

ShellSweepX incorporates AI-powered triage to provide in-depth analysis of potential webshells. This feature leverages either GPT (from OpenAI) or Claude (from Anthropic) to analyze suspicious files and provide insights.

Configuration

The AI triage feature is configured on the Settings page (settings.html):

  1. API Keys:

    • GPT API Key: Used for OpenAI's GPT model.
    • Claude API Key: Used for Anthropic's Claude model.
  2. AI Prompt:

    • A customizable prompt that guides the AI in analyzing potential webshells.
    • Default prompt: "You are an AI assistant tasked with analyzing potential webshells. Please analyze the following code and provide insights on whether it might be a webshell, its capabilities, and any suspicious elements."
  3. YARA Integration:

    • The "Enable Yara" checkbox allows YARA rules to be used in conjunction with AI analysis.

Triage Process

The triage process is initiated from the Analysis page (analysis.html):

  1. Triggering Triage:

    • Each file in the search results has a "Triage with AI" button.
    • Clicking this button sends a POST request to /triage_with_ai with the file's SHA256 hash.
  2. Backend Processing:

    • The server retrieves the file content based on the SHA256 hash.
    • The content is then sent to the configured AI model (GPT or Claude) along with the custom prompt.
  3. AI Analysis:

    • The AI model analyzes the file content and generates insights.
    • This analysis likely includes:
      • Determination of whether the file is likely a webshell.
      • Identification of suspicious functions or code patterns.
      • Assessment of the file's capabilities (e.g., file operations, command execution).
      • Potential security risks or vulnerabilities.
  4. Displaying Results:

    • The AI's analysis is returned to the frontend and displayed in an expandable "AI Analysis" section for the corresponding file.
    • Users can view this analysis to get an in-depth understanding of the file's nature and potential threats.

Implementation Details

  1. API Selection:

    • The system uses either GPT or Claude based on which API key is provided in the settings.
    • If both are provided, there might be a preference order (not specified in the given code).
  2. Asynchronous Processing:

    • The triage is performed asynchronously, allowing users to continue interacting with the interface while waiting for results.
  3. Integration with Existing Data:

    • The AI analysis is stored alongside other file metadata in the database.
    • This allows for quick retrieval of previous analyses without re-running the AI triage.
  4. User Interface:

    • The AI analysis is initially hidden within a <details> element.
    • Upon completion of the triage, the analysis is revealed automatically.
  5. Error Handling:

    • If an error occurs during the AI triage process, an alert is shown to the user.
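
The backend flow described under Triage Process, together with the stored-analysis behaviour from item 3 above, can be sketched as follows. This is an added example, not ShellSweepX's own code: the `files` table, the function names, the `ask_model` callable standing in for the GPT or Claude client, the `MAX_CHARS` cap and the `<file>` delimiter are all assumptions.

```python
import hashlib
import re
import sqlite3

SHA256_RE = re.compile(r"[0-9a-f]{64}")
MAX_CHARS = 20_000  # assumed cap on content sent to the model, to bound API cost
PROMPT = ("You are an AI assistant tasked with analyzing potential webshells. "
          "Please analyze the following code and provide insights on whether it "
          "might be a webshell, its capabilities, and any suspicious elements.")


def init_db():
    # Hypothetical schema: the analysis is stored beside the file's other metadata.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (sha256 TEXT PRIMARY KEY, content TEXT, ai_analysis TEXT)")
    return db


def add_file(db, content):
    digest = hashlib.sha256(content.encode()).hexdigest()
    db.execute("INSERT OR IGNORE INTO files (sha256, content) VALUES (?, ?)", (digest, content))
    return digest


def triage_with_ai(db, sha256, ask_model, prompt=PROMPT):
    """Return (analysis, from_cache) for the file identified by its SHA256."""
    sha256 = sha256.strip().lower()
    if not SHA256_RE.fullmatch(sha256):  # reject anything that is not a hex digest
        raise ValueError("not a SHA256 hex digest")
    row = db.execute("SELECT content, ai_analysis FROM files WHERE sha256 = ?", (sha256,)).fetchone()
    if row is None:
        raise KeyError("unknown file hash")
    content, cached = row
    if cached is not None:
        return cached, True  # previous analysis found: no second API call
    # File content is attacker-controlled: pass it as delimited data after the prompt.
    message = f"{prompt}\n\n<file sha256='{sha256}'>\n{content[:MAX_CHARS]}\n</file>"
    analysis = ask_model(message)
    db.execute("UPDATE files SET ai_analysis = ? WHERE sha256 = ?", (analysis, sha256))
    return analysis, False


if __name__ == "__main__":
    def fake_model(message):  # stand-in for the configured model client
        return "Likely webshell: passes request input to system()."
    db = init_db()
    digest = add_file(db, "<?php system($_GET['c']); ?>")  # constructed sample
    print(triage_with_ai(db, digest, fake_model))  # fresh analysis
    print(triage_with_ai(db, digest, fake_model))  # served from the database
```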

Security and Performance Considerations

  1. API Key Protection:

    • API keys are stored securely and not exposed to the frontend.
  2. Caching:

    • AI analysis results are stored in the database, allowing for quick retrieval of previously analyzed files.
  3. Selective Triage:

    • Users can choose which files to triage, rather than automatically triaging all files, which helps manage API usage and costs.