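/**
 * Analyzes a statistical {@link Event} that was added to the system and detects whether the
 * configured {@link Threshold} has been crossed. If so, an {@link Attack} is created and
 * added to the attack store.
 *
 * An attack is raised each time the counted events reach a whole multiple of the threshold
 * count (10, 20, 30, ... for a threshold of 10), so a user who keeps triggering the same
 * detection point produces a new attack at every multiple rather than only once.
 *
 * Events that cannot be evaluated (no detection point configured for them, or a threshold
 * count that is not positive) are logged and skipped instead of failing with a
 * NullReferenceException or DivideByZeroException inside the analysis path.
 *
 * @param Event the {@link Event} that was added to the {@link EventStore}
 */
public void analyze(Event Event) {
    SearchCriteria criteria = new SearchCriteria().
        setUser(Event.GetUser()).
        setDetectionPoint(Event.GetDetectionPoint()).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

    DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());

    // Guard in case findDetectionPoint yields null for a detection point that is not in the
    // server configuration; without it the threshold lookup below dereferences null.
    if (configuredDetectionPoint == null) {
        Logger.Info("No configured detection point matches the event - skipping threshold analysis");
        return;
    }

    // A zero count would make the modulo below throw DivideByZeroException, and a negative
    // count is meaningless as a threshold; treat both as a configuration error.
    int thresholdCount = configuredDetectionPoint.getThreshold().getCount();
    if (thresholdCount <= 0) {
        Logger.Info("Threshold count is not positive for detection point <" + configuredDetectionPoint.getId() + "> - skipping threshold analysis");
        return;
    }

    int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

    // Four examples for the check below:
    // 1. count is 5,  t.count is 10 (5 % 10 = 5,  no violation)
    // 2. count is 45, t.count is 10 (45 % 10 = 5, no violation)
    // 3. count is 10, t.count is 10 (10 % 10 = 0, violation observed)
    // 4. count is 30, t.count is 10 (30 % 10 = 0, violation observed)
    if (eventCount % thresholdCount == 0) {
        // NOTE(review): the username is written to the log unescaped; if usernames can carry
        // CR/LF or other control characters, neutralize them here so a crafted name cannot
        // forge log entries.
        Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");
        // have determined this event triggers attack
        appSensorServer.getAttackStore().addAttack(new Attack(Event));
    }
}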
/// <summary>
/// Loads the mocked detection points into the server configuration and then submits seven
/// events for bob against detectionPoint1, pausing half a second before the first event and
/// after every event.
/// </summary>
/// <exception cref="Exception"></exception>
private void populateData() {
    AppSensorClient client = (AppSensorClient)contextClient.GetObject("AppSensorClient");
    AppSensorServer server = (AppSensorServer)contextServer.GetObject("AppSensorServer");

    const int pauseMillis = 500;
    const int eventTotal = 7;

    detectionPoint1.setId("IE1");
    detectionSystems1.Add(detectionSystem1);

    // Swap the mocked detection points into the live server configuration.
    ServerConfiguration configuration = server.getConfiguration();
    configuration.setDetectionPoints(loadMockedDetectionPoints());
    server.setConfiguration(configuration);

    Thread.Sleep(pauseMillis);

    // Each event is followed by a pause so the submissions are spread out in time.
    for (int sent = 0; sent < eventTotal; sent++) {
        client.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));
        Thread.Sleep(pauseMillis);
    }
}
/**
 * Check authz before performing action: look up the calling client application in the
 * server configuration and hand it, with the requested action, to the server's access
 * controller.
 *
 * @param action desired action
 * @param context incoming web request context of the call being authorized
 * @throws NotAuthorizedException thrown if user does not have role (presumably raised by
 *         assertAuthorized; not visible here).
 */
public void checkAuthorization(Action action, IncomingWebRequestContext context) // throws NotAuthorizedException
{
    // NOTE(review): this does not read a value from the request. GetType().GetProperty(name)
    // returns reflection metadata (a PropertyInfo) for a public property of the context's
    // runtime type, and ToString() on that yields a description of the property, not its
    // value. If the type has no property with that name, GetProperty returns null and the
    // ToString() call throws NullReferenceException. Either way the client application name
    // used for the authorization decision is not the identifier the request carried.
    // Confirm where RequestHandler stores the client application identifier and read it
    // from there.
    string clientApplicationName = (string)context.GetType().GetProperty(RequestHandler.APPSENSOR_CLIENT_APPLICATION_IDENTIFIER_ATTR).ToString();

    // NOTE(review): the lookup result is passed on unchecked; verify that assertAuthorized
    // rejects an unknown (null) client application so the check fails closed.
    ClientApplication clientApplication = appSensorServer.getConfiguration().findClientApplication(clientApplicationName);

    // An empty Context is supplied; no request details reach the access controller.
    appSensorServer.getAccessController().assertAuthorized(clientApplication, action, new Context());
}
/**
 * Verifies that attacks are created as events accumulate for one user and detection point:
 * after loading the mocked detection points, seven events are added one at a time and the
 * event store and attack store counts are checked after each. The expectations encode an
 * attack at the third and at the sixth event.
 */
public void testAttackCreation() {
    ServerConfiguration configuration = appSensorServer.getConfiguration();
    configuration.setDetectionPoints(loadMockedDetectionPoints());
    appSensorServer.setConfiguration(configuration);

    SearchCriteria criteria = new SearchCriteria().
        setUser(bob).
        setDetectionPoint(detectionPoint1).
        setDetectionSystemIds(detectionSystems1);

    // Both stores start out empty for this user / detection point.
    Assert.AreEqual(0, appSensorServer.getEventStore().findEvents(criteria).Count);
    Assert.AreEqual(0, appSensorServer.getAttackStore().findAttacks(criteria).Count);

    // Expected attack total after the 1st, 2nd, ... 7th event.
    int[] expectedAttacks = { 0, 0, 1, 1, 1, 2, 2 };

    for (int index = 0; index < expectedAttacks.Length; index++) {
        appSensorClient.getEventManager().addEvent(new Event(bob, detectionPoint1, "localhostme"));

        Assert.AreEqual(index + 1, appSensorServer.getEventStore().findEvents(criteria).Count);
        Assert.AreEqual(expectedAttacks[index], appSensorServer.getAttackStore().findAttacks(criteria).Count);
    }
}
/**
 * Replaces HEADER_NAME with the client application identification header name from the
 * server configuration when one is configured. A missing or whitespace-only value leaves
 * HEADER_NAME unchanged.
 */
private void updateHeaderFromConfiguration() {
    String candidate = appSensorServer.getConfiguration().getClientApplicationIdentificationHeaderName();

    if (candidate == null) {
        return;
    }

    if (candidate.Trim().Length == 0) {
        return;
    }

    // The value is stored exactly as configured; only the emptiness check uses the trimmed form.
    HEADER_NAME = candidate;
}
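/**
 * Find/generate {@link Response} appropriate for specified {@link Attack}.
 *
 * Selection walks the responses configured for the triggering detection point in order:
 * with no stored responses for this user / detection point the first configured response
 * is used; otherwise the first configured response that has not been used before is
 * chosen, and once all have been used the last configured response is repeated.
 *
 * @param attack {@link Attack} that is being analyzed
 * @return {@link Response} to be executed for given {@link Attack}
 * @throws ArgumentException if no response is configured for the triggering detection
 *         point (including a null or empty set of configured responses)
 */
protected Response findAppropriateResponse(Attack attack) {
    DetectionPoint triggeringDetectionPoint = attack.GetDetectionPoint();

    SearchCriteria criteria = new SearchCriteria().
        setUser(attack.GetUser()).
        setDetectionPoint(triggeringDetectionPoint).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(attack.GetDetectionSystemId()));

    // grab any existing responses
    Collection<Response> existingResponses = appSensorServer.getResponseStore().findResponses(criteria);
    bool noPriorResponses = existingResponses == null || existingResponses.Count == 0;

    Collection<Response> possibleResponses = findPossibleResponses(triggeringDetectionPoint);

    string responseAction = null;
    Interval interval = null;

    // Iterating with foreach (rather than an unchecked MoveNext()/Current pair) means an
    // empty or missing configuration leaves responseAction null and reaches the
    // ArgumentException below, instead of failing earlier with a NullReferenceException.
    if (possibleResponses != null) {
        foreach (Response configuredResponse in possibleResponses) {
            responseAction = configuredResponse.getAction();
            interval = configuredResponse.getInterval();

            // No history: take the first configured response.
            // With history: take the first response that has not been issued before.
            if (noPriorResponses || !isPreviousResponse(configuredResponse, existingResponses)) {
                break;
            }
            // if we fall out of the loop without breaking, the last configured response is repeated
        }
    }

    if (responseAction == null) {
        throw new ArgumentException("No appropriate response was configured for this detection point: " + triggeringDetectionPoint.getId());
    }

    // Build the response for the attacking user, stamped with the attack's timestamp and
    // detection system.
    Response response = new Response();
    response.setUser(attack.GetUser());
    response.setTimestamp(attack.GetTimestamp());
    response.setAction(responseAction);
    response.setInterval(interval);
    response.setDetectionSystemId(attack.GetDetectionSystemId());

    return response;
}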