Skip to content

TECH-NINJA06/Chimera

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Project Chimera: Autonomous Security Validation Architecture

Overview

Project Chimera is an advanced agentic AI system designed for authorized security testing and diagnostic validation. It combines a modern Next.js dashboard frontend with a sophisticated multi-agent AI orchestration backend powered by LangChain and LangGraph, enabling automated, contextually-aware security assessments within sanctioned diagnostic environments.

The system is designed to simulate and validate enterprise security posture through authorized, automated workflows while maintaining strict operational security controls.


System Architecture

High-Level Architecture

┌─────────────────────────────────────────────────────────────────┐
│                      Frontend (Next.js 16)                      │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Landing Page (Chimera)                                   │   │
│  │ - Public portal for users                                │   │
│  │ - Authentication & signup                                │   │
│  │ - Feature showcase and how-it-works guide                │   │
│  └──────────────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Admin Dashboard                                          │   │
│  │ - Real-time threat visualization                         │   │
│  │ - Incident management & incident logs                    │   │
│  │ - Attack timeline and severity tracking                  │   │
│  │ - Live threat mapping and statistics                     │   │
│  └──────────────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ API Integration Layer (Next.js API Routes)               │   │
│  │ - /api/agent/* endpoints for backend communication       │   │
│  │ - Real-time WebSocket connections                        │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                             HTTP/WebSocket
                                  │
┌─────────────────────────────────────────────────────────────────┐
│              Backend (Python ML Orchestration)                  │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Main Orchestrator (Chimera Agent Controller)             │   │
│  │ - Coordinates multi-agent workflow                       │   │
│  │ - Enforces security validation checks                    │   │
│  │ - Manages execution timeline and state                   │   │
│  └──────────────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Multi-Agent System (LangGraph + DeepAgents)              │   │
│  │                                                          │   │
│  │  ┌─────────────────────────────────────────────────┐     │   │
│  │  │ External Reconnaissance Specialist              │     │   │
│  │  │ - Shodan honeypot detection                     │     │   │
│  │  │ - Evasive latency-optimized scanning            │     │   │
│  │  │ - TLS randomization for signature evasion       │     │   │
│  │  └─────────────────────────────────────────────────┘     │   │
│  │                                                          │   │
│  │  ┌─────────────────────────────────────────────────┐     │   │
│  │  │ Internal Reconnaissance Specialist              │     │   │
│  │  │ - Environment type verification                 │     │   │
│  │  │ - Passive subnet topology mapping               │     │   │
│  │  │ - Adjacent network node discovery               │     │   │
│  │  └─────────────────────────────────────────────────┘     │   │
│  │                                                          │   │
│  │  ┌─────────────────────────────────────────────────┐     │   │
│  │  │ Evasive Execution Agent                         │     │   │
│  │  │ - Dynamic payload mutation                      │     │   │
│  │  │ - Inter-node lateral movement (WinRM)           │     │   │
│  │  │ - Fileless persistence (WMI)                    │     │   │
│  │  │ - Human-cadence execution timing                │     │   │
│  │  │ - DLP & data exfiltration testing (DOH, DNS)    │     │   │
│  │  └─────────────────────────────────────────────────┘     │   │
│  │                                                          │   │
│  │ All sub-agents report results to Orchestrator            │   │
│  └──────────────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Specialized Tool Library                                 │   │
│  │ - shodanchecker: Shodan API integration                  │   │
│  │ - evasive_scan: Syn scanning with evasion                │   │
│  │ - tls_randomizer: TLS fingerprint randomization          │   │
│  │ - mutation_engine: Payload obfuscation                   │   │
│  │ - lotl_checker: Living-off-the-land detection            │   │
│  │ - lateral_movement: WinRM inter-node access              │   │
│  │ - persistance: WMI fileless persistence                  │   │
│  │ - internal_recon: Passive subnet mapping                 │   │
│  │ - evasive_execution: Human-cadence execution             │   │
│  │ - exfiltration: DOH/DNS data exfiltration tests          │   │
│  │ - cleanup: Autonomous log sanitization                   │   │
│  └──────────────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ LLM Integration Layer                                    │   │
│  │ - Primary: Groq (openai/gpt-oss-120b)                    │   │
│  │ - Fallback: Local Ollama integration                     │   │
│  │ - Temperature: 0.3 (deterministic, precise)              │   │
│  └──────────────────────────────────────────────────────────┘   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ State Management & Memory                                │   │
│  │ - InMemorySaver for session state                        │   │
│  │ - LangGraph checkpoint system                            │   │
│  │ - Thread-based execution isolation                       │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
                        Target Infrastructure
                    (Authorized Diagnostic Servers)

Component Details

Frontend Architecture

Technology Stack

  • Framework: Next.js 16.2.1 with React 19.2.4
  • Language: TypeScript 5
  • Styling: Tailwind CSS 4 with PostCSS
  • State Management: React hooks
  • HTTP Client: Axios
  • UI Components: Recharts for data visualization, Lucide React for icons

Key Modules

Landing Page (/app/page.tsx or /app/landing/page.tsx)

  • Public-facing portal with hero section
  • Feature showcase highlighting security capabilities
  • How-it-works guide explaining the testing process
  • Call-to-action banner
  • Authentication: Sign In/Sign Up modal
  • After successful authentication → redirects to IP entry page

IP Test Entry Page (Authenticated route)

  • Secure input form for target IP address
  • Validation and submission to backend
  • Real-time status indicator during execution
  • Polling/WebSocket connection for live updates

Admin Dashboard (/app/admin/dashboard/page.tsx)

  • Threat Incident Board: Real-time incident logging from agent execution

    • Incident ID, target IP address, attack type, country of origin
    • Severity levels: Critical, High, Medium, Low
    • Protocol and timestamp tracking
  • Attack Timeline Chart: Time-series visualization of attack patterns

    • Brute force attempts
    • Exploit attempts
    • Port scans
    • 24-hour rolling window analysis
  • Geo-Threat Mapping: Geographic visualization of threats

    • Country-level threat aggregation
    • Latitude/longitude positioning
    • Risk heat mapping
  • Recovery Metrics:

    • Mean Time To Detect (MTTD)
    • Mean Time To Respond (MTTR)
    • Recovery point objectives (RPO)
    • Test execution success rate

API Route Handler (/app/api/agent/route.ts)

  • Single Responsibility: Accept target IP from authenticated user
  • Backend Bridge: Forwards IP to Python orchestrator service
  • Result Aggregation: Collects JSON response from agent execution
  • Response Format: Returns structured telemetry payload to dashboard

Component & Route Hierarchy

App
├── Landing Page (/)
│   ├── Header (with navigation + Sign In button)
│   ├── Auth Modal (Sign In / Sign Up)
│   ├── Feature Showcase
│   ├── How-It-Works Section
│   └── CTA Banner
├── Auth Required Routes (Protected)
│   ├── IP Test Entry Page
│   │   ├── IP Input Form
│   │   ├── Validation
│   │   └── Execution Status
│   └── Admin Dashboard (/admin/dashboard)
│       ├── Incident Board
│       ├── Timeline Chart
│       ├── Geo-Threat Map
│       ├── Recovery Metrics
│       └── Statistics Cards
└── API Routes
    └── /api/agent (POST: target IP → orchestrator)

Backend Architecture

Technology Stack

  • Language: Python 3.13+
  • AI Orchestration: LangGraph 1.1.3, LangChain 1.2.13
  • Agent Framework: DeepAgents 0.4.12
  • LLM Provider: Groq API (openai/gpt-oss-120b) + Ollama fallback
  • Network Tools: Scapy 2.7.0 (packet crafting, scanning)
  • Security Assessment: Shodan SDK 1.31.0
  • Remote Access: pywinrm 0.5.0 (WinRM lateral movement)
  • Container Integration: Docker 7.1.0
  • HTTP: curl-cffi for network requests
  • Data Processing: NumPy/SciPy for analytics

Core System Workflow

1. Initialization Phase

chimera_agent.invoke(
  messages=[{role: "user", content: "Target: {TARGET_IP}"}],
  config={configurable: {thread_id: "chimera_sim_001"}}
)

2. Orchestrator Workflow (Defined in agent_orcheastrator.py)

  1. Phase I: Call recon-specialist agent

    • Run Shodan honeypot detection
    • Perform evasive latency-optimized network scanning
    • Detect deceptive infrastructure (abort if detected)
  2. Phase II: Call internal-recon-specialist agent

    • Verify environment type (physical vs. simulated)
    • Passively map internal network topology
    • Discover adjacent network nodes
  3. Phase III: Call evasive-execution-agent agent

    • Mutate payloads with dynamic obfuscation
    • Verify inter-node administrative access
    • Test DLP egress controls
    • Validate configuration retention
  4. Cleanup Phase: Execute autonomous cleanup

    • Sanitize diagnostic logs
    • Remove artifacts
    • Clean up execution traces

3. Output Generation The orchestrator compiles a JSON telemetry payload with:

{
  "status": "Simulation Complete",
  "dashboard_metrics": {
    "activeImplants": <int>,
    "exfiltratedDataMB": <float>,
    "honeyscore": <float>,
    "attackSuccessRate": <float %>,
    "overallRiskScore": <float>
  },
  "attack_graph": {
    "nodes": [{id, label, type}],
    "edges": []
  },
  "execution_timeline": [
    {agent, tool_used, mitre_tactic_id, time_to_objective_seconds, action_result}
  ],
  "failedExploits": [{target, reason}]
}

Agent Specifications

Sub-Agent 1: External Reconnaissance Specialist

  • Purpose: Map exposed perimeter infrastructure
  • Tools:
    • shodan_honeypot_scout: Detect honeypot infrastructure
    • evasive_request: TLS-randomized requests
    • evasive_syn_scan: Evasion-enabled port scanning
  • System Prompt: Authorized external perimeter visibility specialist
  • Safety: Aborts if deceptive infrastructure detected

Sub-Agent 2: Internal Reconnaissance Specialist

  • Purpose: Verify environment type and map internal topology
  • Tools:
    • run_environment_check: Verify physical host vs. simulation
    • passive_subnet_mapping: Non-disruptive network discovery
  • System Prompt: Internal topology auditing tool
  • Safety: Only proceeds after environment verification

Sub-Agent 3: Evasive Execution Agent

  • Purpose: Test execution controls and data protection mechanisms
  • Tools:
    • mutate_payload: Dynamic payload obfuscation
    • winrm_lateral_movement: Inter-node access via WinRM
    • wmi_fileless_persistence: WMI-based persistence testing
    • doh_exfiltrate: DNS-over-HTTPS exfiltration tests
    • human_cadence_execution: Timing-based evasion simulation
  • System Prompt: Inter-node resilience testing agent
  • Safety: All operations wrapped in evasion techniques

Tools Library

Tool Purpose Purpose Category
shodanchecker.py Shodan API integration, honeypot detection Reconnaissance
evasive_scan.py Syn-based port scanning with evasion Reconnaissance
tls_randomizer.py TLS fingerprint randomization Evasion
mutation_engine.py Payload obfuscation and encoding Evasion
lotl_checker.py Living-off-the-land technique detection Detection
internal_recon.py Passive subnet topology mapping Reconnaissance
lateral_movement.py WinRM-based inter-node access Lateral Movement
persistance.py WMI-based fileless persistence Persistence
evasive_execution.py Human behavior simulation for execution Evasion
exfiltration.py DOH/DNS data exfiltration Exfiltration
cleanup.py Autonomous log and artifact sanitization Post-Exploitation
c2_server.py Command & control server implementation C2
implant.py Agent implant generation Payload
ebpf_bypasser.py eBPF security control evasion Evasion
dna_bypasser.py DNA-based malware detection bypass Evasion

State Management

  • Checkpointer: InMemorySaver for session persistence
  • Thread ID: chimera_sim_001 format for execution isolation
  • Message History: Full conversation history maintained for analytics
  • Checkpoint Recovery: LangGraph enables resumption from failures

Data Flow

User Journey & Request Flow

1. User lands on http://localhost:3000/
   ↓ (Landing Page displayed)
2. User clicks "Sign In" button
   ↓ (Auth Modal opens)
3. User enters credentials & authenticates
   ↓ (Redirects to IP entry page)
4. User enters target IP address
   ↓ (HTTP POST /api/agent/route.ts with {targetIP})
5. Next.js API Handler receives request
   ↓ (Validates auth token + IP format)
6. Backend invocation: Python orchestrator receives IP
   ↓ (agent_orcheastrator.py::chimera_agent.invoke())
7. Main Orchestrator orchestrates workflow:
   ├─→ Phase 1: External Recon Specialist
   │   └─→ Tools: Shodan, evasive_scan, tls_randomizer
   ├─→ Phase 2: Internal Recon Specialist
   │   └─→ Tools: env_check, subnet_mapping
   ├─→ Phase 3: Evasive Execution Agent
   │   └─→ Tools: mutation, lateral_movement, persistence, exfiltration
   └─→ Cleanup Phase
       └─→ Autonomous log sanitization
8. JSON Telemetry Payload Generated
   ↓ (Contains metrics, timeline, attack graph)
9. Response sent back to frontend API handler
   ↓ (HTTP 200 with JSON payload)
10. Frontend displays results on Dashboard
    ├─→ Incident Board (live threats)
    ├─→ Attack Timeline Chart
    ├─→ Geo-Threat Map
    └─→ Recovery Metrics

Deployment Architecture

Environment Configuration

Frontend Deployment

# Development
npm run dev                  # Starts on port 3000

# Production
npm run build                # Build Next.js app
npm run start                # Start production server

Backend Deployment

# Setup Python environment
python3 -m venv venv
source venv/bin/activate    # Linux/Mac
# or
venv\Scripts\activate       # Windows

# Install dependencies
pip install -e .

# Run orchestrator
python main.py              # Connects to localhost:8080

Configuration Files

  • tpot.yml: Ansible playbook for environment bootstrapping (Python setup across distributions)
  • package.json: Defines frontend dependencies and build scripts
  • pyproject.toml: Defines Python dependencies and project metadata

Environment Variables

  • NEXT_PUBLIC_API_URL: Backend API endpoint (default: http://localhost:8080)
  • GROQ_API_KEY: Groq API authentication
  • SHODAN_API_KEY: Shodan API key for honeypot detection
  • OLLAMA_BASE_URL: Ollama server endpoint (for LLM fallback)

Security Considerations

Operational Security Controls

  1. Deceptive Infrastructure Detection: Aborts if honeypots detected
  2. Environment Verification: Confirms physical host before proceeding
  3. Passive Discovery: Avoids network traffic that disrupts telemetry
  4. Autonomous Cleanup: Self-sanitizing logs and artifacts
  5. Payload Obfuscation: Dynamic mutation to avoid signature detection
  6. Human Cadence Simulation: Timing patterns mimic legitimate user behavior

Authorization Model

  • Sanctioned Environments Only: System designed for authorized diagnostics
  • Thread Isolation: Each execution thread isolated via LangGraph
  • Configuration Tracking: All parameters logged for audit trails
  • Abort Conditions: Multiple fail-safe abort vectors

Data Handling

  • MTTR/MTTD Metrics: Track detection and response time
  • Exfiltration Testing: Validates DLP controls
  • Incident Classification: Severity-based event tracking

Key Features

Multi-Agent Orchestration

  • ✅ Hierarchical agent structure with specialized roles
  • ✅ Inter-agent communication via LangGraph
  • ✅ Coordinated workflow execution
  • ✅ Checkpointed state management

Advanced Evasion Techniques

  • ✅ Dynamic payload mutation
  • ✅ TLS fingerprint randomization
  • ✅ Living-off-the-land technique detection
  • ✅ eBPF/DNA security bypass testing
  • ✅ Human-cadence execution timing

Real-Time Dashboard

  • ✅ Live incident monitoring
  • ✅ Attack timeline visualization
  • ✅ Geo-threat mapping
  • ✅ Recovery metrics (MTTD, MTTR)
  • ✅ Severity-based alerting

Comprehensive Reporting

  • ✅ Structured JSON telemetry
  • ✅ MITRE ATT&CK tactic mapping
  • ✅ Attack graph visualization
  • ✅ Execution timeline with timestamps
  • ✅ Failed exploit analysis

Project Structure

Chimera/
├── frontend/                          # Next.js React frontend
│   ├── app/
│   │   ├── page.tsx                  # Home/landing page
│   │   ├── layout.tsx                # Root layout
│   │   ├── landing/                  # Landing page components
│   │   ├── admin/
│   │   │   └── dashboard/            # Admin dashboard
│   │   ├── api/
│   │   │   └── agent/                # Backend API proxy routes
│   │   └── components/               # Reusable UI components
│   ├── lib/
│   │   └── utils.ts                  # Utility functions
│   ├── public/                        # Static assets
│   ├── package.json
│   ├── tsconfig.json
│   └── next.config.ts
│
├── ML/                                # Python ML backend
│   ├── main.py                       # Entry point / orchestrator invocation
│   ├── agents/
│   │   └── agent_orcheastrator.py   # Multi-agent controller
│   ├── tools/                        # Specialized tool implementations
│   │   ├── shodanchecker.py
│   │   ├── evasive_scan.py
│   │   ├── tls_randomizer.py
│   │   ├── mutation_engine.py
│   │   ├── lotl_checker.py
│   │   ├── internal_recon.py
│   │   ├── lateral_movement.py
│   │   ├── persistance.py
│   │   ├── evasive_execution.py
│   │   ├── exfiltration.py
│   │   ├── cleanup.py
│   │   ├── c2_server.py
│   │   ├── implant.py
│   │   ├── ebpf_bypasser.py
│   │   ├── dna_bypasser.py
│   │   └── stage_check.ps1
│   ├── pyproject.toml
│   └── requirements.txt
│
├── test/
│   └── target.js                     # Mock test server
│
├── tpot.yml                           # Ansible bootstrapping
└── README.md                          # This file

Getting Started

Prerequisites

  • Python 3.13+
  • Node.js 18+ with npm
  • Docker (optional, for cloud deployment)
  • Shodan API key
  • Groq API key

Installation

Frontend Setup

cd frontend
npm install
npm run dev              # Starts on http://localhost:3000

Backend Setup

cd ML
python3 -m venv venv
source venv/bin/activate
pip install -e .
python main.py

Running a Diagnostic

  1. Start the frontend: npm run devhttp://localhost:3000
  2. Start the backend: python main.py → Listens on localhost:8080
  3. User Journey:
    • Navigate to landing page
    • Click "Sign In" and authenticate
    • Enter target IP address in the test form
    • Observe execution status indicator
    • Results displayed on admin dashboard automatically
  4. Dashboard displays:
    • Live incident data from the agent execution
    • Attack timeline with timestamps
    • Geographic threat origin mapping
    • Recovery metrics (MTTD, MTTR)

Architecture Principles

1. Agent-Centric Design

Each agent has a singular, well-defined responsibility with specialized tools.

2. Hierarchical Control

Main Orchestrator coordinates sub-agents; sub-agents manage tools; tools execute specific operations.

3. Fail-Safe by Default

Multiple abort conditions prevent unintended expansion of scope.

4. Audit-Ready Design

All operations logged with MITRE ATT&CK mappings and execution timelines.

5. Evasion-First Execution

Payloads, timing, and network traffic designed to avoid detection mechanisms.

6. Autonomous Cleanup

All artifacts self-sanitized post-execution; no manual cleanup required.


Future Enhancements

  • WebSocket real-time streaming of execution timeline
  • Distributed agent orchestration (multiple backend instances)
  • YARA rule integration for malware detection
  • Custom agent creation UI
  • Report generation with PDF/CSV export
  • Integration with SIEM systems (Splunk, ELK)
  • Multi-target orchestration and correlation
  • ML-based threat pattern detection
  • Advanced visualization with 3D attack graphs

Support & Documentation

  • Frontend Guide: See frontend/FRONTEND_GUIDE.md
  • Agent Documentation: See frontend/AGENTS.md
  • Claude AI Notes: See frontend/CLAUDE.md
  • Python Requirements: See ML/requirements.txt
  • Project Config: See pyproject.toml

License

[Specify your license here]


Contact

For questions or issues regarding Project Chimera, please contact the development team.


Last Updated: March 30, 2026
Project Status: Active Development
Current Version: 0.1.0

About

Solo leveling for Bits hack

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors