AIL: The fully inflated leak detector


AIL allows you to find low-intensity signals in the web ocean corresponding to suspicious or clearly malicious or even criminal activities.

AIL is a modular framework for analysing potential information leaks from unstructured data sources such as items stored in Pastebin or similar services. The AIL framework is flexible and can be extended to support other functionalities for extracting sensitive information.

In the past two years, new data sources have been added, which significantly widens the detection range of the tool. This makes it possible, for example, to scan Twitter and Telegram for possible traces of data leaks. The tool also allows you to detect vulnerabilities that are likely to be used by hackers, or new vulnerabilities that have not yet been officially released but that are likely to be used. Those could be code leaks due to an access API left open. These are sometimes accidents, but there are also malicious acts, such as port scanning.

AIL allows you to identify a number of suspicious behaviours on the web, or attempted attacks involving DNS, key trafficking or stolen certificates.

It allows you to follow ‘.onion’ links and find traces of various kinds of illegal trafficking, such as stolen credit card numbers, Amazon gift cards, data from ransomware, weapons, drugs, etc.

AIL also allows you to monitor websites such as booters and IP stressers, which are platforms that sell DDoS attacks. You can also crawl your own site to detect the injection of malicious code.

It can therefore be both a basic protection tool for webmasters and an advanced intelligence tool for use by CERTs and judicial police investigators.

Collecting PGP signatures makes it possible to accumulate a series of indications via their metadata, which enables investigators to trace correlations between different people or online activities. The strength of AIL is its ability to precisely reveal correlations between elements that at the outset have no apparent connection to each other.

From identified pieces of code, addresses or other signatures linked to each other, we can draw up profiles of malicious agents to better protect ourselves.

AIL is a Swiss Army knife that allows you to scan the hidden side of the web and dissect its data to better detect and combat a series of malicious activities. When you use AIL for the first time, you will immediately notice that the results preview window is blurred by default… This is quite simply because the tool regularly detects images that we do not necessarily want to see… The sewers of the web are not a pretty sight, and the AIL team is looking for specialised investigators who could take care, in particular, of the analysis of child pornography images.

Historical overview

AIL started as an internship project in 2014, the aim of which was to assess the feasibility of an automated analysis of unstructured data… In 2019, the project gained momentum and became an open-source product actively used by many organisations and maintained by CIRCL. It is now a complete project called ‘AIL Project’, which is interoperable with MISP and TheHive. Find AIL on GitHub.