Security Connectors

Gideon uses a plugin-based Security Connector architecture to fetch and normalize data from various threat intelligence sources.

Overview

Each connector is responsible for:

Fetching: Querying the external API with proper authentication and rate limiting.
Normalizing: Converting vendor-specific JSON into Gideon’s standard NormalizedData format.
Ranking: Sorting and scoring results based on severity and confidence.

Supported Connectors

1. CVE Connector (NVD)

The CVE connector searches the National Vulnerability Database (NVD) and CISA’s KEV (Known Exploited Vulnerabilities) catalog.

Capability: Vulnerability research, CVSS scoring, and affected product analysis.
Configuration:
Terminal window
```
NVD_API_KEY=your_key_here
```
Data Points:
- CVE ID & Summary
- CVSS 3.1 Severity & Vector
- Affected CPEs (Vendor/Product)
- Reference URLs

2. IOC Connector (VirusTotal & AbuseIPDB)

The IOC (Indicator of Compromise) connector analyzes IPs, Domains, URLs, and File Hashes.

Capability: Reputation checks and malware analysis.

Configuration:

VIRUSTOTAL_API_KEY=your_key_here
ABUSEIPDB_API_KEY=your_key_here

Detection Logic:
- IPs: Checked against AbuseIPDB for report history and VirusTotal for malicious flags.
- Hashes: Searched in VirusTotal’s file database.
- Domains/URLs: Analyzed for phishing and DGA patterns.

Data Normalization

All security data in Gideon is normalized to a common schema:

interface NormalizedData {
  id: string;
  source: string;
  type: 'cve' | 'ioc' | 'summary';
  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFORMATIONAL';
  confidence: number; // 0.0 to 1.0
  summary: string;
  details: Record<string, any>;
  timestamp: string;
  url?: string;
}

Adding Custom Connectors

Gideon is designed to be extensible. To add a new connector:

Create a new file in src/tools/security/.
Implement the SecurityConnector interface.
Register it in the ConnectorRegistry.