/**
         * This method analyzes statistical {@link Event}s that are added to the system and
         * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is
         * created and added to the system.
         *
         * @param event the {@link Event} that was added to the {@link EventStore}
         */
        //public override void analyze(Event Event) {
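        public void analyze(Event Event)
        {
            // Look up prior events for the same user and detection point, across every detection
            // system the configuration lists as related to the reporting one.
            SearchCriteria criteria = new SearchCriteria().
                                      setUser(Event.GetUser()).
                                      setDetectionPoint(Event.GetDetectionPoint()).
                                      setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

            Collection <Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

            DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

            // A reported detection point that has no server-side configuration (or no threshold)
            // cannot be evaluated. Record that and stop instead of failing with a null
            // dereference in the middle of the analysis.
            if (configuredDetectionPoint == null || configuredDetectionPoint.getThreshold() == null)
            {
                Logger.Info("No threshold configured for the reported detection point - event not analyzed");
                return;
            }

            int thresholdCount = configuredDetectionPoint.getThreshold().getCount();

            // A zero or negative count would make the modulo below throw (or be meaningless).
            if (thresholdCount <= 0)
            {
                Logger.Info("Configured threshold count is not positive - event not analyzed");
                return;
            }

            int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

            //4 examples for the below code
            //1. count is 5, t.count is 10 (5%10 = 5, No Violation)
            //2. count is 45, t.count is 10 (45%10 = 5, No Violation)
            //3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
            //4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)

            // eventCount > 0: zero counted events is also a multiple of the threshold, but it is
            // not a crossing. NOTE(review): countEvents is presumed to include the triggering
            // event, in which case this guard never changes the outcome - confirm.
            if (eventCount > 0 && eventCount % thresholdCount == 0)
            {
                // The username comes from the reporting client; neutralise line breaks so a
                // crafted value cannot forge additional log entries.
                string username     = Event.GetUser().getUsername() ?? string.Empty;
                string safeUsername = username.Replace("\r", "\\r").Replace("\n", "\\n");

                Logger.Info("Violation Observed for user <" + safeUsername + "> - storing attack");
                //have determined this event triggers attack
                appSensorServer.getAttackStore().addAttack(new Attack(Event));
            }
        }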
        /**
         * Locate detection point configuration from server-side config file.
         *
         * @param search detection point that has been added to the system
         * @return DetectionPoint populated with configuration information from server-side config
         */
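        public DetectionPoint findDetectionPoint(DetectionPoint search)
        {
            // Returns the configured DetectionPoint whose id equals search.getId(), or null when
            // no configured detection point has that id. Hits are remembered in detectionPointCache.
            //
            // The cache is probed with TryGetValue rather than the indexer. The lookup result is
            // used without a cast and entries are stored with a two-argument Add, so the cache is
            // presumably a generic dictionary, whose indexer throws KeyNotFoundException on a miss
            // instead of returning null. With the indexer, the first lookup of any id would throw
            // and the scan below would never run.
            // NOTE(review): assumes detectionPointCache exposes TryGetValue - confirm its declared type.
            DetectionPoint detectionPoint;

            if (detectionPointCache.TryGetValue(search.getId(), out detectionPoint) && detectionPoint != null)
            {
                return detectionPoint;
            }

            detectionPoint = null;

            foreach (DetectionPoint configuredDetectionPoint in getDetectionPoints())
            {
                if (configuredDetectionPoint.getId().Equals(search.getId()))
                {
                    detectionPoint = configuredDetectionPoint;

                    // Indexer assignment instead of Add, so an existing (null) entry for the
                    // same id is overwritten rather than raising a duplicate-key error.
                    detectionPointCache[detectionPoint.getId()] = detectionPoint;

                    break;
                }
            }

            return detectionPoint;
        }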
 /// <summary>
 /// Determines if the player is positioned near a given point
 /// </summary>
 /// <param name="point">The point to test</param>
 /// <returns>True if the player is near the given point, else false</returns>
 private bool IsPlayerNear(DetectionPoint point)
 {
     // Without a point there is nothing to measure against, so the answer is "not near".
     if (point == null)
     {
         return false;
     }

     // Delegate the distance test to CalcUtil, using the point's own radius as the limit.
     return CalcUtil.IsInRadius(point, this.playerService.PlayerPosition, point.Radius);
 }
        /// <exception cref="XMLStreamException"></exception>
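        private DetectionPoint readDetectionPoint(XmlReader xmlReader)
        {
            // Builds a DetectionPoint from the child elements of a config:detection-point element:
            // config:id sets the id, config:threshold the threshold, and each config:response adds
            // one response. Reading stops at the closing config:detection-point tag or at end of input.
            DetectionPoint detectionPoint = new DetectionPoint();
            bool           finished       = false;

            // Advance node by node with Read(). MoveToNextAttribute() only walks the attributes of
            // the current element, so NodeType would never be Element or EndElement and the method
            // would always return an empty DetectionPoint: no id, no threshold, no responses.
            // NOTE(review): readThreshold/readResponse are assumed to consume their own element
            // and leave the reader positioned inside this detection point - confirm.
            while (!finished && xmlReader.Read())
            {
                string name = XmlUtils.getElementQualifiedName(xmlReader, namespaces);

                switch (xmlReader.NodeType)
                {
                case XmlNodeType.Element:
                    if ("config:id".Equals(name))
                    {
                        detectionPoint.setId(xmlReader.ReadString().Trim());
                    }
                    else if ("config:threshold".Equals(name))
                    {
                        detectionPoint.setThreshold(readThreshold(xmlReader));
                    }
                    else if ("config:response".Equals(name))
                    {
                        detectionPoint.getResponses().Add(readResponse(xmlReader));
                    }
                    else
                    {
                        /** unexpected start element **/
                    }
                    break;

                case XmlNodeType.EndElement:
                    if ("config:detection-point".Equals(name))
                    {
                        finished = true;
                    }
                    else
                    {
                        /** unexpected end element **/
                    }
                    break;

                default:
                    /** unused xml element - nothing to do **/
                    break;
                }
            }

            return detectionPoint;
        }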
        /**
         * Lookup configured {@link Response} objects for specified {@link DetectionPoint}
         *
         * @param triggeringDetectionPoint {@link DetectionPoint} that triggered {@link Attack}
         * @return collection of {@link Response} objects for given {@link DetectionPoint}
         */
        protected Collection <Response> findPossibleResponses(DetectionPoint triggeringDetectionPoint)
        {
            // Scan the configured detection points; the first one whose id equals the triggering
            // point's id supplies the result. The configured collection itself is returned, not a copy.
            foreach (DetectionPoint candidate in appSensorServer.getConfiguration().getDetectionPoints())
            {
                if (!candidate.getId().Equals(triggeringDetectionPoint.getId()))
                {
                    continue;
                }

                return candidate.getResponses();
            }

            // No configured detection point carries this id: hand back an empty collection.
            return new Collection <Response>();
        }
        /**
         * {@inheritDoc}
         */
        public override Collection <Attack> findAttacks(SearchCriteria criteria)
        {
            if (criteria == null)
            {
                throw new ArgumentException("criteria must be non-null");
            }

            // Each criterion is optional: a null user, null detection point, null/empty set of
            // detection system ids, or null earliest timestamp matches every attack.
            User             wantedUser    = criteria.GetUser();
            DetectionPoint   wantedPoint   = criteria.GetDetectionPoint();
            HashSet <string> wantedSystems = criteria.getDetectionSystemIds();
            DateTime?        notBefore     = DateUtils.fromString(criteria.getEarliest());

            bool filterBySystem = wantedSystems != null && wantedSystems.Count > 0;

            Collection <Attack> selected = new Collection <Attack>();

            foreach (Attack candidate in loadAttacks())
            {
                // All four checks are evaluated for every stored attack; none is short-circuited.
                bool userOk   = wantedUser == null || wantedUser.Equals(candidate.GetUser());
                bool systemOk = !filterBySystem || wantedSystems.Contains(candidate.GetDetectionSystemId());
                bool pointOk  = wantedPoint == null || wantedPoint.getId().Equals(candidate.GetDetectionPoint().getId());

                // Strictly later than the earliest timestamp; an attack stamped exactly at it is excluded.
                bool timeOk = notBefore == null || notBefore < DateUtils.fromString(candidate.GetTimestamp());

                if (!(userOk && systemOk && pointOk && timeOk))
                {
                    continue;
                }

                selected.Add(candidate);
            }

            return selected;
        }
        /**
         * {@inheritDoc}
         */
        public override Collection <Event> findEvents(SearchCriteria criteria)
        {
            if (criteria == null)
            {
                throw new ArgumentException("criteria must be non-null");
            }

            // Unset criteria act as wildcards: a null user, null detection point, null/empty set
            // of detection system ids, or null earliest timestamp matches every event.
            User             requestedUser    = criteria.GetUser();
            DetectionPoint   requestedPoint   = criteria.GetDetectionPoint();
            HashSet <string> requestedSystems = criteria.getDetectionSystemIds();
            DateTime?        cutoff           = DateUtils.fromString(criteria.getEarliest());

            bool restrictSystems = requestedSystems != null && requestedSystems.Count > 0;

            Collection <Event> found = new Collection <Event>();

            foreach (Event stored in loadEvents())
            {
                // Every check runs for every stored event; the results are combined afterwards.
                bool sameUser   = requestedUser == null || requestedUser.Equals(stored.GetUser());
                bool sameSystem = !restrictSystems || requestedSystems.Contains(stored.GetDetectionSystemId());
                bool samePoint  = requestedPoint == null || requestedPoint.getId().Equals(stored.GetDetectionPoint().getId());

                // Only events stamped strictly after the cutoff qualify.
                bool recentEnough = cutoff == null || cutoff < DateUtils.fromString(stored.GetTimestamp());

                if (sameUser && sameSystem && samePoint && recentEnough)
                {
                    found.Add(stored);
                }
            }

            return found;
        }
        /**
         * Find/generate {@link Response} appropriate for specified {@link Attack}.
         *
         * @param attack {@link Attack} that is being analyzed
         * @return {@link Response} to be executed for given {@link Attack}
         */
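        protected Response findAppropriateResponse(Attack attack)
        {
            // Picks the next response for an attack from the responses configured for its detection
            // point, in configured order: the first one when nothing has been issued yet, otherwise
            // the first one not issued before, otherwise the last configured one again.
            // Throws ArgumentException when the detection point has no usable configured response.
            DetectionPoint triggeringDetectionPoint = attack.GetDetectionPoint();

            SearchCriteria criteria = new SearchCriteria().
                                      setUser(attack.GetUser()).
                                      setDetectionPoint(triggeringDetectionPoint).
                                      setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(attack.GetDetectionSystemId()));

            //grab any existing responses
            Collection <Response> existingResponses = appSensorServer.getResponseStore().findResponses(criteria);

            string   responseAction = null;
            Interval interval       = null;

            Collection <Response> possibleResponses = findPossibleResponses(triggeringDetectionPoint);

            bool noPriorResponses = existingResponses == null || existingResponses.Count == 0;

            // One loop covers both cases. Reading enumerator.Current after an unchecked MoveNext()
            // yields null when nothing is configured, which surfaces as a null dereference instead
            // of the ArgumentException below, so an unconfigured detection point would fail without
            // a diagnosable error. Iterating leaves responseAction null in that case.
            if (possibleResponses != null)
            {
                foreach (Response configuredResponse in possibleResponses)
                {
                    responseAction = configuredResponse.getAction();
                    interval       = configuredResponse.getInterval();

                    if (noPriorResponses || !isPreviousResponse(configuredResponse, existingResponses))
                    {
                        //first configured response, or first one that has not been used yet
                        break;
                    }

                    //if we reach here, we will just use the last configured response (repeat last response)
                }
            }

            if (responseAction == null)
            {
                throw new ArgumentException("No appropriate response was configured for this detection point: " + triggeringDetectionPoint.getId());
            }

            // The new response inherits user, timestamp and detection system from the attack.
            Response responses = new Response();

            responses.setUser(attack.GetUser());
            responses.setTimestamp(attack.GetTimestamp());
            responses.setAction(responseAction);
            responses.setInterval(interval);
            responses.setDetectionSystemId(attack.GetDetectionSystemId());

            return responses;
        }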
        //private Collection<DetectionPoint> loadMockedDetectionPoints() {
        private HashSet <DetectionPoint> loadMockedDetectionPoints()
        {
            // Hard-coded configuration: five detection points, IE1 to IE5. Each has its own event
            // threshold and the same five-step response ladder: log, logout, disableUser, then a
            // timed per-user component lockout and a timed all-users component lockout.

            // The first three steps carry no interval; one instance of each is shared by all points.
            Response logOnly = new Response();
            logOnly.setAction("log");

            Response forceLogout = new Response();
            forceLogout.setAction("logout");

            Response lockAccount = new Response();
            lockAccount.setAction("disableUser");

            // Per-user component lockouts, 31 to 35 minutes.
            Response userLockout31 = new Response();
            userLockout31.setAction("disableComponentForSpecificUser");
            userLockout31.setInterval(new Interval(31, Interval.MINUTES));

            Response userLockout32 = new Response();
            userLockout32.setAction("disableComponentForSpecificUser");
            userLockout32.setInterval(new Interval(32, Interval.MINUTES));

            Response userLockout33 = new Response();
            userLockout33.setAction("disableComponentForSpecificUser");
            userLockout33.setInterval(new Interval(33, Interval.MINUTES));

            Response userLockout34 = new Response();
            userLockout34.setAction("disableComponentForSpecificUser");
            userLockout34.setInterval(new Interval(34, Interval.MINUTES));

            Response userLockout35 = new Response();
            userLockout35.setAction("disableComponentForSpecificUser");
            userLockout35.setInterval(new Interval(35, Interval.MINUTES));

            // All-users component lockouts, 11 to 15 minutes.
            Response globalLockout11 = new Response();
            globalLockout11.setAction("disableComponentForAllUsers");
            globalLockout11.setInterval(new Interval(11, Interval.MINUTES));

            Response globalLockout12 = new Response();
            globalLockout12.setAction("disableComponentForAllUsers");
            globalLockout12.setInterval(new Interval(12, Interval.MINUTES));

            Response globalLockout13 = new Response();
            globalLockout13.setAction("disableComponentForAllUsers");
            globalLockout13.setInterval(new Interval(13, Interval.MINUTES));

            Response globalLockout14 = new Response();
            globalLockout14.setAction("disableComponentForAllUsers");
            globalLockout14.setInterval(new Interval(14, Interval.MINUTES));

            Response globalLockout15 = new Response();
            globalLockout15.setAction("disableComponentForAllUsers");
            globalLockout15.setInterval(new Interval(15, Interval.MINUTES));

            // IE1 and IE2 use the same five-minute window instance.
            Interval window5 = new Interval(5, Interval.MINUTES);

            DetectionPoint ie1 = new DetectionPoint(
                "IE1",
                new Threshold(3, window5),
                new Collection <Response> { logOnly, forceLogout, lockAccount, userLockout31, globalLockout11 });

            DetectionPoint ie2 = new DetectionPoint(
                "IE2",
                new Threshold(12, window5),
                new Collection <Response> { logOnly, forceLogout, lockAccount, userLockout32, globalLockout12 });

            DetectionPoint ie3 = new DetectionPoint(
                "IE3",
                new Threshold(13, new Interval(6, Interval.MINUTES)),
                new Collection <Response> { logOnly, forceLogout, lockAccount, userLockout33, globalLockout13 });

            DetectionPoint ie4 = new DetectionPoint(
                "IE4",
                new Threshold(14, new Interval(7, Interval.MINUTES)),
                new Collection <Response> { logOnly, forceLogout, lockAccount, userLockout34, globalLockout14 });

            DetectionPoint ie5 = new DetectionPoint(
                "IE5",
                new Threshold(15, new Interval(8, Interval.MINUTES)),
                new Collection <Response> { logOnly, forceLogout, lockAccount, userLockout35, globalLockout15 });

            return new HashSet <DetectionPoint> { ie1, ie2, ie3, ie4, ie5 };
        }
	/**
	 * Lookup configured {@link Response} objects for specified {@link DetectionPoint}
	 * 
	 * @param triggeringDetectionPoint {@link DetectionPoint} that triggered {@link Attack}
	 * @return collection of {@link Response} objects for given {@link DetectionPoint}
	 */
    protected Collection<Response> findPossibleResponses(DetectionPoint triggeringDetectionPoint) {
        // Walk the configured detection points and return the responses of the first one whose
        // id equals the triggering point's id. The configured collection is returned as-is.
        foreach (DetectionPoint configured in appSensorServer.getConfiguration().getDetectionPoints()) {
            bool sameId = configured.getId().Equals(triggeringDetectionPoint.getId());

            if (sameId) {
                return configured.getResponses();
            }
        }

        // Nothing configured under this id: the caller gets an empty collection.
        return new Collection<Response>();
    }
        //private Collection<DetectionPoint> loadMockedDetectionPoints() {
        private HashSet<DetectionPoint> loadMockedDetectionPoints() {
            // Builds the hard-coded detection points IE1..IE5. Point k (1-based) gets its own
            // threshold plus the response ladder log -> logout -> disableUser ->
            // disableComponentForSpecificUser (30 + k minutes) ->
            // disableComponentForAllUsers (10 + k minutes).

            // Interval-free steps: a single instance of each is reused by every detection point.
            Response logStep = new Response();
            logStep.setAction("log");

            Response logoutStep = new Response();
            logoutStep.setAction("logout");

            Response disableUserStep = new Response();
            disableUserStep.setAction("disableUser");

            string[] ids = { "IE1", "IE2", "IE3", "IE4", "IE5" };

            // The first two thresholds share one five-minute interval instance.
            Interval sharedFiveMinutes = new Interval(5, Interval.MINUTES);
            Threshold[] thresholds = {
                new Threshold(3, sharedFiveMinutes),
                new Threshold(12, sharedFiveMinutes),
                new Threshold(13, new Interval(6, Interval.MINUTES)),
                new Threshold(14, new Interval(7, Interval.MINUTES)),
                new Threshold(15, new Interval(8, Interval.MINUTES))
            };

            HashSet<DetectionPoint> mocked = new HashSet<DetectionPoint>();

            for (int index = 0; index < ids.Length; index++) {
                // Per-user lockout: 31 minutes for IE1 up to 35 minutes for IE5.
                Response userLockout = new Response();
                userLockout.setAction("disableComponentForSpecificUser");
                userLockout.setInterval(new Interval(31 + index, Interval.MINUTES));

                // All-users lockout: 11 minutes for IE1 up to 15 minutes for IE5.
                Response globalLockout = new Response();
                globalLockout.setAction("disableComponentForAllUsers");
                globalLockout.setInterval(new Interval(11 + index, Interval.MINUTES));

                Collection<Response> ladder = new Collection<Response>();
                ladder.Add(logStep);
                ladder.Add(logoutStep);
                ladder.Add(disableUserStep);
                ladder.Add(userLockout);
                ladder.Add(globalLockout);

                mocked.Add(new DetectionPoint(ids[index], thresholds[index], ladder));
            }

            return mocked;
        }
 /// <summary>
 /// Stores the detection point to filter on and returns this instance so calls can be chained.
 /// </summary>
 /// <param name="detectionPoint">Detection point to store on these criteria</param>
 /// <returns>This <c>SearchCriteria</c> instance</returns>
 public SearchCriteria setDetectionPoint(DetectionPoint detectionPoint)
 {
     this.detectionPoint = detectionPoint;

     return this;
 }