IBM QRadar
- Before starting the steps below, download the AIShield AI Security Monitoring DSM for QRadar from the IBM App Exchange.
AIShield is an AI-security product designed to protect AI-powered devices against emerging security threats such as Model Extraction, Evasion, Data Poisoning, and Model Inference attacks. AIShield provides automated hacker-level vulnerability analysis and endpoint protection to harden systems against emerging AI-security threats. AIShield provides a Threat Informed Endpoint Defense (EDR) that integrates with IBM QRadar® SIEM to deliver enhanced real-time monitoring of AI assets to security teams, giving them insight into AI security incidents.
IBM QRadar® provides a robust solution for Security Information and Event Management (SIEM), anomaly detection, incident forensics, and vulnerability management. This document provides the information needed to install and configure the AIShield DSM for QRadar®.
App Content:
As of now (Version 1.0.0), the package includes the following items:
Content Type | Contents |
---|---|
Log Source Type | 1 |
Log Source Extension | 1 |
QIDMAP | 5 |
Custom Property Name | 2 |
Custom Rule Event | 5 |
Pre-requisite for AIShield
Users must use the AIShield product to scan their AI model for vulnerabilities and generate the Threat Informed Endpoint Defense (EDR) that integrates with IBM QRadar® SIEM. To complete this step, please get in touch with [email protected]. The application installation requires access to the QRadar® console machine via its web interface.
The web interface can be accessed via https://<<QRadarconsoleIP>>/.
Pre-requisites for QRadar
Version : QRadar® Version 7.3.3 or above
The installation process is as follows:
1. Log in to the QRadar® console.
2. Go to Admin → Extension Management.
3. Download the AIShield AI Security Monitoring App for QRadar® v1.0.0 from the IBM App Exchange.
4. Click Add and choose the downloaded zip file.
5. QRadar® shows the list of changes the app will make. Click Install.
6. A window then confirms that the app was installed successfully and lists the DSM event mappings.
7. After the app is installed successfully, clear the browser cache and refresh the browser window.
3.1 Create Log Source
To create a log source in QRadar® (through the Log Source Management app) for ingesting data from AIShield, perform the following steps:
1. Go to the Log Source Management app via the Admin panel.
2. A separate window opens. Click the + New Log Source button.
3. Select the Log Source type “AIShield”.
4. To receive the events that the AIShield Threat Informed defense model sends over HTTP, select the protocol type “HTTP Receiver”.
5. Under Configure Log Source parameters, enter a name for the log source, leave the log source enabled, and leave the Coalescing Events checkbox cleared (with coalescing on, QRadar® would merge repeated identical detections into a single event, so each attack detection should arrive as its own event).
6. Under Configure the protocol parameters, enter a Log Source Identifier, for example ‘AIShield’.
Note: i) The Log Source Identifier value used in this step must also be entered in the “Log Source Identifier” field when configuring the AIShield QRadar® plugin. Ensure that the value matches exactly; otherwise ingested events will not be identified as AIShield events.
7. Click Skip Test and Finish.
Now, Go to STEP 3.2 Deploy
3.2 Deploy
1. Click Deploy.
2. To collect events in QRadar®, configure the QRadar® HTTP Receiver endpoint. For more information about this protocol, see the HTTP Receiver protocol configuration options in the QRadar® documentation.
Collect events from the AIShield Threat Informed Endpoint Defense (EDR) in QRadar® by using the HTTP Receiver protocol:
- Configure your AIShield Threat Informed Endpoint Defense (EDR) to communicate with QRadar®. For more information, contact
- Update the QRadar® HTTP Receiver endpoint in defense_model.py so that attack telemetry is sent to QRadar®:
url = <qradar http receiver endpoint:port>
3. Once events are received through the created log source, the log source status shows OK.
4. To confirm that the logs arrived in QRadar®, go to Log Activity and review the results (the AIShield DSM normalizes these logs).
5. The app ships custom event rules that create offenses from the AI attack telemetry. Go to Offenses and review the list of rules.
6. When an event matches the criteria of one of these custom event rules, QRadar® creates an AI-security offense.
AIShield sample event messages
Use these sample event messages as a way of verifying a successful integration with QRadar®.
The following table provides a sample event message when you use the AIShield Threat Informed Endpoint Defense (EDR) for the AIShield DSM:
Event name | Low-level category | Sample log |
---|---|---|
AIShield - Image classification model extraction vulnerability detection | AI Model Extraction | { "RawMessage": "Image Classification AI Model Extraction Attack Identified", "service_name": "image_classification_extraction_defense_engine", "asset_id": "model-01", "source_name": "NA", "probability": 0.9, "attack_name": "model_attack", "timestamp": "2021-12-03T00:50:23Z" } |
AIShield - Image classification model evasion vulnerability detection | AI Model Evasion | { "RawMessage": "Image Classification AI Model Evasion Attack Identified", "service_name": "image_classification_evasion_defense_engine", "asset_id": "model-01", "source_name": "NA", "probability": 0.8, "attack_name": "model_attack", "timestamp": "2021-12-03T00:50:23Z" } |
AIShield - Tabular Classification AI Model Extraction Attack Identified | AI Model Extraction | { "RawMessage": "Tabular Classification AI Model Extraction Attack Identified", "service_name": "tabular_classification_extraction_defense_engine", "asset_id": "model-02", "source_name": "NA", "probability": 0.9, "attack_name": "model_attack", "timestamp": "2021-12-03T00:50:23Z" } |
AIShield - TimeSeries Forecasting AI Model Extraction Attack Identified | AI Model Extraction | { "RawMessage": "TimeSeries Forecasting AI Model Extraction Attack Identified", "service_name": "timeseries_forecasting_extraction_defense_engine", "asset_id": "model-02", "source_name": "NA", "probability": 0.9, "attack_name": "model_attack", "timestamp": "2021-12-03T00:50:23Z" } |
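The sender and the sample events above, as an added example that is not AIShield's own defense_model.py or IBM code: a small Python client that builds telemetry records in the field layout shown in the sample table, checks each record before it leaves the endpoint (every documented field present, a probability in [0, 1], a UTC timestamp, and a RawMessage that the sample table actually documents, since anything else is the usual reason events land as Unknown in Case #1 below), and POSTs it to the HTTP Receiver log source with TLS verification on. The known-message set is built only from the four sample rows (the package carries five QID map entries, so the fifth is not covered here); the receiver URL, port and CA bundle path are assumptions for illustration.

```python
"""Build, pre-check and send AIShield EDR telemetry to a QRadar HTTP Receiver.

Added example. The event layout follows the "AIShield sample event messages"
table; the endpoint URL, port and CA bundle below are illustrative only.
"""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# RawMessage texts and categories taken from the four documented sample
# rows. A RawMessage outside this set has no documented DSM mapping and
# would most likely surface as an Unknown event in Log Activity.
KNOWN_RAW_MESSAGES = {
    "Image Classification AI Model Extraction Attack Identified": "AI Model Extraction",
    "Image Classification AI Model Evasion Attack Identified": "AI Model Evasion",
    "Tabular Classification AI Model Extraction Attack Identified": "AI Model Extraction",
    "TimeSeries Forecasting AI Model Extraction Attack Identified": "AI Model Extraction",
}

# Every key present in the sample logs.
REQUIRED_FIELDS = ("RawMessage", "service_name", "asset_id", "source_name",
                   "probability", "attack_name", "timestamp")


def build_event(raw_message, service_name, asset_id, probability,
                source_name="NA", attack_name="model_attack", timestamp=None):
    """Return one telemetry record in the documented field layout."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "RawMessage": raw_message,
        "service_name": service_name.strip(),  # stray whitespace would break matching
        "asset_id": asset_id,
        "source_name": source_name,
        "probability": float(probability),
        "attack_name": attack_name,
        "timestamp": timestamp,
    }


def check_event(event):
    """List the problems that would stop QRadar from mapping this record.

    An empty list means every documented field is present and the
    RawMessage is one the sample table knows about.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in event:
            problems.append(f"missing field: {field}")
    raw = event.get("RawMessage")
    if raw not in KNOWN_RAW_MESSAGES:
        problems.append(f"RawMessage not in documented event set: {raw!r}")
    prob = event.get("probability")
    if not isinstance(prob, (int, float)) or not 0.0 <= prob <= 1.0:
        problems.append(f"probability outside [0, 1]: {prob!r}")
    try:
        datetime.strptime(event.get("timestamp", ""), "%Y-%m-%dT%H:%M:%SZ")
    except (ValueError, TypeError):
        problems.append(f"timestamp not ISO-8601 UTC: {event.get('timestamp')!r}")
    return problems


def low_level_category(event):
    """Low-level category the sample table assigns, or 'Unknown'."""
    return KNOWN_RAW_MESSAGES.get(event.get("RawMessage"), "Unknown")


def send_event(url, event, ca_bundle=None, timeout=5):
    """POST one JSON event to the HTTP Receiver log source; return HTTP status.

    `url` is the receiver endpoint (https://<host>:<port>/ as configured on
    the log source; assumed form). TLS is verified against `ca_bundle` or the
    system trust store rather than disabled, so telemetry cannot be quietly
    redirected to an impostor collector.
    """
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed records: one matching a documented row, one that does not.
    good = build_event("Image Classification AI Model Extraction Attack Identified",
                       "image_classification_extraction_defense_engine", "model-01", 0.9)
    bad = build_event("Prompt injection identified", "llm_defense_engine", "model-03", 1.4)
    for ev in (good, bad):
        print(low_level_category(ev), check_event(ev))
    # Fill in your own receiver (assumed form) before enabling:
    # send_event("https://qradar.example.internal:PORT/", good, ca_bundle="/etc/ssl/qradar-ca.pem")
```

Run the checks before send_event in defense_model.py's send path; a non-empty problem list is worth logging locally, because once a malformed record reaches QRadar the only trace is an Unknown event with no field values to go on.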
Case #1 – AIShield events show up as Unknown events
Problem: AIShield events show up as Unknown events.
Troubleshooting steps:
1. Go to Log Activity.
2. Click Add Filter. Select Parameter → Log Source Type [Indexed], Operator → Equals, and Value → AIShield.
3. Select ‘Last 7 Days’ in the Views filter dropdown.
4. If any events appear as Unknown:
i) Right-click that event. ii) Choose View in DSM Editor. iii) Check the values of Event ID and Event Category under the Log Activity Preview. iv) If Event ID and Event Category both come back as unknown, contact AIShield support ([email protected]).
Case #2 – AIShield events are not being ingested in QRadar®
Problem: AIShield events are not being ingested in QRadar®.
Troubleshooting steps: Make sure the port configured on the HTTP Receiver log source is open on the QRadar® host and reachable from the AIShield endpoint, and that the log source is enabled and deployed. If the issue persists, contact support.
For help using the AIShield platform or the AIShield Threat Informed Endpoint Defense (EDR) App for IBM QRadar®, please contact AIShield support. You can also send questions by email to [email protected].