Spear Phishing
Before proceeding, ensure that the pipeline is ready and waiting to receive e-mail messages. Pipeline readiness can be checked by reviewing the deployment logs:
kubectl -n $NAMESPACE logs deploy/$APP_NAME-spear-phish
If you can see the monitor messages that means the pipeline is up and running.
The AI application includes sample dashboards and components set up for this pipeline. They can be accessed at the following URLs using the credentials which can be pulled with the provided commands:
Grafana: https://dashboards.my-cluster.my-domain.com
User: admin
Password:
kubectl get secret grafana-admin-credentials -n nvidia-monitoring -o jsonpath='{.data.GF_SECURITY_ADMIN_PASSWORD}' | base64 -d
Roundcube: https://roundcube-<APP_NAME>-<NAMESPACE>.my-cluster.my-domain.com
User: <any user / e-mail address>
Password: pass
This is for viewing the processed e-mails. This demo uses the destination e-mail address morpheus-user@example.com.
MLflow: https://mlflow-<APP_NAME>-<NAMESPACE>.my-cluster.my-domain.com
This information can also be found in the Helm release’s notes.txt via the following command:
helm status $APP_NAME -n $NAMESPACE
These components support the pipeline’s functionality, allowing the user to interact with and monitor the activity of the pipeline and data.
For example, Grafana’s dashboard shows relevant data regarding the AI application pipeline performance and functionality and spear phishing e-mails detected by the pipeline. Initially, this dashboard will be blank because the pipeline has not received any streaming data.
A mock e-mail producer to simulate benign and phishing e-mails has been included with this solution. To start streaming e-mails into the pipeline, you will need to scale this e-mail producer up to at least one instance using the following command:
kubectl -n $NAMESPACE scale deploy/$APP_NAME-mock-email --replicas=1
Each e-mail producer instance sends 1 e-mail/sec. After scaling, you should then see a new mock-email pod running in the namespace:
Once the e-mail producer is running and sending e-mails, you should now see information populating into the Grafana dashboard. You can open up the dashboard by logging in using the credentials retrieved above, selecting the Dashboards icon in the left navigation pane, selecting browse, then double-clicking the Spear Phishing Pipeline dashboard to open it.
Roundcube is a web-based e-mail client and is used to view the data ran through the pipeline – in other words, the e-mails. You can view the data by logging in to the destination e-mail account using the e-mail as a username and the password pass. Upon logging in, you should see a list of random e-mails delivered to the account. This demo uses the e-mail address morpheus_user@example.com.
Select one of the messages and then click ‘(i) Headers’.
Review the X-Phishing-Detector-Version and X-Phishing-Status headers. If the e-mail was flagged as Spear Phishing, the Subject will also have been rewritten.
You should now see all the data after it has been streamed through the pipeline. This particular e-mail was identified as spear phishing, as evident by the rewritten Subject line and X-Phishing-Status header. Additionally, the banking and crypto intents returned True (0), while the money intent returned False (1).
Overall pipeline functionality works as follows:
E-mails are streamed into a Postfix mail server from the mock e-mail producer.
The e-mails are enriched using the intent models (money, banking, crypto) and the sketch history.
Enriched e-mails are inferenced against the spear phishing model, which was trained using generative AI.
After inferencing is performed, the labeled e-mail is delivered to the next-hop mail server. In the demo environment, this is another instance of Postfix.
Additionally, the sketch database is updated with the enriched e-mail metadata for use in analyzing subsequent e-mails.
Results from the pipeline are aggregated into Prometheus and presented via Grafana.
After the e-mail is processed by the next-hop mail server, it is saved to disk by Dovecot for later viewing and analysis via Roundcube.
That’s all there is to running the Spear Phishing AI Workflow. Feel free to explore the other components deployed as a part of the solution. You can also view the source code included in the Spear Phishing Collection on NGC to determine how this workflow is constructed and how you can customize it to your specific use case and environment. For example, the mock e-mail producer included with this workflow can be replaced, and real e-mail data can be connected to this pipeline via an MX DNS record.
