CIRCLE WITH A DOT

🔹 🔍 Tool: AgentSonar

    hasamba@infosec.exchange

    ----------------

    🔹 🔍 Tool: AgentSonar

    AgentSonar is a network‑visibility tool that identifies likely LLM/AI agent traffic by correlating process ownership of sockets with contacted domains and applying a heuristic classifier that outputs an AI score between 0 and 1.

    🔹 Summary

    AgentSonar records outbound connections, associates them with processes via socket ownership, extracts domain indicators from TLS SNI and DNS, and produces scored events for each process→domain pair. Known agents can be defined to produce deterministic matches; domains marked as noise are excluded from scoring.

    🔹 How it works (conceptual)
    • Socket correlation: associates OS socket ownership with userland processes to reveal which binary initiated a connection.
    • Domain extraction: uses TLS SNI and DNS observations as the domain identifier for each outbound flow.
    • Heuristic classifier: analyzes traffic shape characteristics — byte/packet asymmetry, prevalence of small packets, long‑lived or streaming connections, and programmatic TLS patterns — to infer whether a flow resembles LLM API traffic.
    • Scoring model: emits an AI-likelihood score between 0 and 1 per process→domain pair; known agents map to score 1.0, noise maps to 0.

    🔹 Capabilities and workflows

    AgentSonar provides persistent event storage and a triage-oriented workflow for reviewing high‑scoring unknowns and labeling them as agents or noise. It supports importing pre-built event streams for classification and encourages community submissions of agent classifications to improve coverage.

    🔹 Limitations and scope

    The approach relies on observable network metadata (socket ownership, SNI, DNS) and traffic-shape heuristics; encrypted payloads and obfuscated patterns remain outside content-level analysis. Deterministic detection depends on maintained known-agent mappings; heuristic scoring produces probabilistic indicators rather than definitive attribution.

    🔹 Practical context

    AgentSonar targets defenders seeking endpoint-to-domain visibility with AI‑specific signal enrichment, enabling detection of shadow AI usage where traditional allowlists may miss programmatic LLM traffic.

    🔹 agentsonar #llm_detection #network_visibility #knostic

    🔗 Source: https://github.com/knostic/AgentSonar/

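The scoring flow the post describes (known-agent override, noise exclusion, then a traffic-shape heuristic per process→domain pair) can be sketched as follows. This is an added example, not AgentSonar's code: the field names, weights, 0.6 triage threshold, override lists and `.example` domains are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed override lists; the post does not show AgentSonar's real formats.
KNOWN_AGENTS = {("agent-cli", "api.known-llm.example")}   # deterministic match
NOISE_DOMAINS = {"updates.vendor.example"}                 # excluded from scoring

@dataclass
class Flow:
    process: str            # owner of the socket
    domain: str             # taken from TLS SNI or DNS
    bytes_out: int
    bytes_in: int
    packets: int
    small_packets: int      # packets under an assumed size cutoff
    duration_s: float
    programmatic_tls: bool  # assumed flag: non-browser TLS client pattern

def ai_score(f: Flow) -> float:
    """Score one process→domain flow in [0, 1]; weights are illustrative."""
    if (f.process, f.domain) in KNOWN_AGENTS:
        return 1.0
    if f.domain in NOISE_DOMAINS:
        return 0.0
    total = f.bytes_in + f.bytes_out
    asymmetry = abs(f.bytes_in - f.bytes_out) / total if total else 0.0
    small_ratio = f.small_packets / f.packets if f.packets else 0.0
    long_lived = min(f.duration_s / 60.0, 1.0)   # saturates at one minute
    tls = 1.0 if f.programmatic_tls else 0.0
    return round(0.3 * asymmetry + 0.3 * small_ratio + 0.2 * long_lived + 0.2 * tls, 3)

def triage(flows, threshold=0.6):
    """Unknown pairs at or above threshold, highest score first."""
    best = {}
    for f in flows:
        key = (f.process, f.domain)
        if key not in KNOWN_AGENTS:
            best[key] = max(best.get(key, 0.0), ai_score(f))
    return sorted(((k, s) for k, s in best.items() if s >= threshold),
                  key=lambda item: -item[1])

# Constructed sample flows, not real captures.
SAMPLE = [
    Flow("python3", "api.llm-provider.example", 2000, 48000, 400, 320, 45, True),
    Flow("firefox", "news.example", 5000, 500000, 400, 40, 3, False),
    Flow("agent-cli", "api.known-llm.example", 100, 100, 2, 0, 1, False),
    Flow("updater", "updates.vendor.example", 2000, 48000, 400, 320, 45, True),
]

if __name__ == "__main__":
    for pair, score in triage(SAMPLE):
        print(pair, score)
```

The constructed `firefox` flow is strongly byte-asymmetric yet stays below the threshold because the other three signals are weak, which is why a single traffic-shape feature is not enough to label a flow.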