
AI Usage Concealment

5 automated security scanners


Purpose: The Federated Processing Distribution Scanner is designed to identify patterns indicative of federated processing distribution by analyzing DNS configurations, HTTP security headers, TLS/SSL settings, and port usage. This tool helps in detecting distributed computation implementation, processing responsibility diffusion, and centralized oversight avoidance.

What It Detects:

  • Distributed DNS Configuration: Identifies multiple Name Server (NS) records pointing to different domains, TXT records with SPF configurations indicating multiple mail servers or external services, and Certificate Authority Authorization (CAA) records specifying multiple trusted certificate authorities.
  • HTTP Security Headers: Looks for the absence of security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. It also detects redirects to external domains or subdomains that may indicate processing responsibility diffusion.
  • TLS/SSL Issues: Identifies outdated TLS versions like TLSv1.0 and TLSv1.1, as well as weak cipher suites, such as those using RC4, DES, or MD5, in the SSL/TLS configuration.
  • Port Scanning and Service Fingerprinting: Scans common ports (e.g., 80, 443, 22) to identify open services that may be part of a distributed processing setup, performing service fingerprinting to detect multiple services running on different ports or subdomains.
  • API Usage Patterns: Analyzes HTTP requests and responses for patterns indicative of API usage from external services, detecting the presence of DMARC (Domain-based Message Authentication, Reporting & Conformance) records that may indicate third-party email handling.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).

Business Impact: This scanner is crucial for organizations aiming to maintain a secure and distributed computing environment, ensuring compliance with security best practices and reducing the risk of data breaches or unauthorized access due to centralized oversight avoidance.

Risk Levels:

  • Critical: The presence of multiple NS records pointing to different domains, significant missing HTTP security headers, outdated TLS versions, and use of weak cipher suites are critical risks that indicate a high level of exposure to potential threats.
  • High: Missing or insufficient HTTP security headers, redirects to external domains, and the detection of open ports with unknown services pose significant risks, potentially leading to unauthorized access or data leakage.
  • Medium: The presence of outdated TLS versions and weak cipher suites may not directly compromise security but are indicative of suboptimal configurations that could be improved for enhanced protection against attacks.
  • Low: Informational findings such as the detection of CAA records specifying multiple trusted certificate authorities generally do not pose immediate risks but contribute to a comprehensive security posture assessment.
  • Info: These include DNS records, HTTP headers, and TLS/SSL issues that provide context about the network configuration without directly affecting security.

Example Findings:

  1. A domain has multiple NS records pointing to different domains, indicating potential distributed processing.
  2. The absence of the Strict-Transport-Security header in HTTP responses suggests a risk of man-in-the-middle attacks and data interception.

Purpose: The API Middleware Obfuscation Scanner is designed to identify and detect intermediary service usage, extended connection chains, and concealed direct relationships through various means such as DNS queries, HTTP requests, TLS/SSL configurations, and socket connections. This tool aims to uncover potential obfuscation techniques employed in API middleware layers.

What It Detects:

  • Security Headers Analysis: Checks for the presence of security headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options to ensure proper security configurations are in place.
  • TLS/SSL Configuration Issues: Identifies outdated or insecure TLS versions (e.g., TLSv1.0, TLSv1.1) and weak cipher suites (e.g., those using RC4, DES, or MD5).
  • DNS Record Analysis: Examines TXT, MX, NS, CAA, and DMARC records for suspicious patterns that may indicate intermediary services or obfuscation practices.
  • HTTP Redirects and Content Inspection: Analyzes HTTP redirects to detect potential proxying or redirection through intermediary services and inspects HTTP content for signs of obfuscated API usage or hidden connections.
  • Socket Connection Fingerprinting: Scans common ports and performs service fingerprinting to identify intermediary services or unexpected open ports that may indicate obfuscation.

Inputs Required:

  • domain (string): The primary domain to analyze, such as acme.com.

Business Impact: This scanner is crucial for security teams monitoring API communications, as it helps in identifying potential risks associated with intermediary services and hidden connections that could compromise data integrity or introduce unauthorized access points.

Risk Levels:

  • Critical: Conditions where insecure TLS versions or weak cipher suites are identified without mitigation measures.
  • High: Conditions where missing security headers significantly affect the security posture, potentially allowing for various attacks.
  • Medium: Conditions where outdated DNS records might indicate intermediary involvement, though direct threats may not be as severe.
  • Low: Informational findings that do not pose significant risks but are still worth noting for awareness and future monitoring.
  • Info: General informational outputs indicating the presence of certain configurations or patterns without immediate security implications.

If specific risk levels are not detailed in the README, these inferred levels reflect typical considerations for such scanners.

Example Findings:

  1. A domain exhibits multiple missing Strict-Transport-Security headers, which could lead to session hijacking and other attacks if exploited.
  2. The TLS configuration on a server uses the outdated SSLv3 protocol, which is highly vulnerable to exploits and should be urgently upgraded for enhanced security.

Purpose: The Third-Party Assistant Proxying Scanner is designed to identify external service mediation, responsibility displacement, and usage attribution obscuring by analyzing DNS records, HTTP headers, TLS configurations, and network ports. This tool aims to detect patterns indicative of third-party proxying or service mediation within an organization’s infrastructure.

What It Detects:

  • External Service Mediation via DNS Records: The scanner checks for TXT records indicating third-party services, verifies MX records pointing to external email providers, and detects NS records delegating DNS management to external entities.
  • Security Headers Indicating Proxying: It looks for X-Forwarded-For or Via headers in HTTP responses, indicating traffic is being proxied, and checks for unexpected Server headers that do not match the expected server software.
  • TLS Configuration Issues: The scanner identifies outdated TLS versions such as TLSv1.0 or TLSv1.1, and detects weak cipher suites, such as those using RC4, DES, or MD5.
  • Port Scanning and Service Fingerprinting: It scans common ports (e.g., 80, 443) to identify open services and uses service fingerprinting to detect proxy servers or load balancers.
  • API Usage Patterns: The scanner analyzes HTTP requests for patterns indicative of third-party API usage through User-Agent headers containing third-party identifiers.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)

Business Impact: This scanner is crucial as it helps organizations understand the extent of third-party mediation within their networks, which can lead to increased visibility into data flows and potential security vulnerabilities associated with external service usage.

Risk Levels:

  • Critical: Conditions that directly indicate significant risks such as unauthorized access to sensitive information or critical services being mediated through untrusted parties.
  • High: Conditions where the risk is high, potentially affecting multiple systems or exposing substantial data.
  • Medium: Conditions with moderate risk, affecting specific components but not leading to widespread compromise.
  • Low: Informative findings that do not pose significant risks but can be indicators of potential issues for further investigation.
  • Info: General information about the environment and configurations detected by the scanner.


Example Findings:

  1. A TXT record indicating a third-party service (v=spf1 include:sendgrid.net ~all) which could suggest unauthorized use of an external email provider.
  2. An unexpected Server header (nginx/1.18.0) in HTTP responses, potentially masking the actual server software and indicating traffic mediation.

Purpose: The LLM Usage Masking Scanner is designed to detect hidden model usage, manipulation of usage logs, and attempts to conceal interactions with large language models (LLMs). This tool ensures compliance with AI usage policies by identifying potential obfuscation tactics used within an organization.

What It Detects:

  • Hidden Model Usage Indicators: The scanner identifies suspicious API endpoints that are potentially related to LLM usage, unusual DNS queries suggesting hidden interactions, and patterns in HTTP requests that may indicate concealment of model use.
  • Usage Log Manipulation Patterns: It checks TLS/SSL certificates for anomalies that could suggest tampering with usage logs, analyzes security headers for signs of obfuscation or manipulation, and examines DNS records for inconsistencies related to LLM usage.
  • Interaction Concealment Techniques: The scanner scans HTTP content for hidden parameters or encoded data indicative of LLM interactions, detects port scanning activities designed to hide model usage, and identifies service fingerprinting patterns that suggest concealment efforts.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)

Business Impact: This scanner is crucial for maintaining compliance with AI usage policies and preventing unauthorized use of LLMs within an organization, which could lead to legal repercussions and damage the company’s reputation.

Risk Levels:

  • Critical: Identifies deprecated TLS versions or missing critical security headers that are essential for secure communication.
  • High: Detects unusual DNS record configurations or suspicious API endpoints related to LLM usage.
  • Medium: Flags outdated TLS/SSL configurations or anomalies in the use of specific ports indicative of hidden interactions.
  • Low: Reports informational findings such as missing recommended security headers that are not critical but still enhance overall security posture.
  • Info: Provides details on DNS record anomalies and suspicious API endpoints, which may indicate potential issues requiring further investigation.

Example Findings:

  1. The scanner might flag a domain using TLSv1.0 for encryption, which is deprecated and poses a high risk of security vulnerabilities.
  2. An organization’s DNS configuration shows unusual patterns in SPF records related to LLM usage, suggesting potential attempts to conceal model interactions.

Purpose: The Alternative Model Substitution Scanner is designed to identify and analyze the usage of less regulated AI models, emerging providers, and attempts to avoid regulation thresholds by examining DNS queries, HTTP requests, TLS/SSL configurations, and socket connections.

What It Detects:

  • Less Regulated Model Selection: Identifies DNS TXT records indicating use of unregulated AI models and checks for specific model names in HTTP responses that are known to be less regulated.
  • Emerging Provider Usage: Analyzes DNS MX, NS, CAA, and DMARC records for emerging AI service providers and detects TLS certificates issued by new or lesser-known Certificate Authorities (CAs) associated with these providers.
  • Regulation Threshold Avoidance: Examines HTTP security headers for indicators of non-compliant configurations and identifies outdated TLS versions and weak cipher suites that may suggest attempts to avoid stricter regulations.
  • DNS Record Anomalies: Looks for suspicious DNS records such as SPF, DMARC, and DKIM configurations suggesting the use of unregulated services and detects unusual patterns in DNS responses that might indicate redirection to less regulated providers.
  • HTTP Content Analysis: Searches HTTP response content for keywords related to emerging AI models or providers and checks for redirects to unfamiliar domains hosting less regulated AI services.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)

Business Impact: This scanner is crucial for organizations aiming to comply with evolving regulatory standards for AI model usage, ensuring that they do not inadvertently engage with unregulated or lesser-known providers that may pose higher risks due to lack of oversight.

Risk Levels:

  • Critical: Conditions where the identified less regulated models, emerging providers, or non-compliant configurations directly impact critical business operations or expose sensitive data.
  • High: Conditions where there is a significant risk of regulatory non-compliance or potential security breaches that could lead to substantial damage if exploited.
  • Medium: Conditions where risks are moderate but still pose a threat requiring attention and mitigation efforts.
  • Low: Conditions where the identified issues have minimal impact on operations, provided they do not escalate into higher severity risks.
  • Info: Informative findings that provide insights for awareness or future planning without immediate risk.

Example Findings:

  1. A DNS TXT record indicating use of an unregulated AI model, associated with potential regulatory non-compliance.
  2. An HTTP response containing keywords related to emerging but unregulated AI providers, suggesting potential exposure to higher risks.