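/**
 * This method analyzes statistical {@link Event}s that are added to the system and
 * detects if the configured {@link Threshold} has been crossed. If so, an {@link Attack} is
 * created and added to the system.
 *
 * The check is modular: an attack is stored every time the number of matching events in the
 * configured interval reaches a multiple of the threshold count.
 *   1. count is 5,  t.count is 10 (5%10 = 5,  No Violation)
 *   2. count is 45, t.count is 10 (45%10 = 5, No Violation)
 *   3. count is 10, t.count is 10 (10%10 = 0, Violation Observed)
 *   4. count is 30, t.count is 10 (30%10 = 0, Violation Observed)
 *
 * Events whose detection point has no server-side configuration, or whose configured
 * threshold count is not positive, are skipped (logged, no attack stored).
 *
 * @param event the {@link Event} that was added to the {@link EventStore}
 */
public void analyze(Event Event) {
    SearchCriteria criteria = new SearchCriteria().
        setUser(Event.GetUser()).
        setDetectionPoint(Event.GetDetectionPoint()).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

    Collection <Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

    DetectionPoint configuredDetectionPoint = appSensorServer.getConfiguration().findDetectionPoint(Event.GetDetectionPoint());
    if (configuredDetectionPoint == null) {
        //findDetectionPoint returns null for an unknown id; without a threshold there is
        //nothing to evaluate, and dereferencing it would bring the analysis down.
        Logger.Info("No configuration found for detection point <" + Event.GetDetectionPoint().getId() + "> - skipping analysis");
        return;
    }

    Threshold threshold = configuredDetectionPoint.getThreshold();
    int eventCount = countEvents(threshold.getInterval().toMillis(), existingEvents, Event);
    int thresholdCount = threshold.getCount();

    if (thresholdCount <= 0) {
        //a zero count would throw DivideByZeroException in the modulo below; treat a
        //non-positive count as "never trips" instead of crashing the analyzer
        Logger.Info("Detection point <" + configuredDetectionPoint.getId() + "> has a non-positive threshold count - skipping analysis");
        return;
    }

    //eventCount == 0 would satisfy the modulo check and store an attack with no events behind it
    if (eventCount > 0 && eventCount % thresholdCount == 0) {
        //NOTE(review): username is caller-supplied data written into the log - assumes Logger
        //neutralises control characters/newlines; confirm to rule out log forging
        Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");

        //have determined this event triggers attack
        appSensorServer.getAttackStore().addAttack(new Attack(Event));
    }
}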
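/**
 * Locate detection point configuration from server-side config file.
 *
 * Results are memoised in detectionPointCache, keyed by detection point id. On a cache miss
 * the configured detection points are scanned linearly and a hit is added to the cache.
 *
 * @param search detection point that has been added to the system
 * @return DetectionPoint populated with configuration information from server-side config,
 *         or null when no configured detection point has the same id
 */
public DetectionPoint findDetectionPoint(DetectionPoint search) {
    string searchId = search.getId();

    //The Java original used Map.get(), which yields null on a miss. The generic dictionary
    //indexer this was ported to throws KeyNotFoundException instead, so a first lookup of any
    //id would fail; TryGetValue restores the "null means not cached" behaviour relied on below.
    DetectionPoint detectionPoint;
    if (detectionPointCache.TryGetValue(searchId, out detectionPoint) && detectionPoint != null) {
        return detectionPoint;
    }

    foreach (DetectionPoint configuredDetectionPoint in getDetectionPoints()) {
        if (configuredDetectionPoint.getId().Equals(searchId)) {
            detectionPoint = configuredDetectionPoint;

            //cache
            detectionPointCache.Add(detectionPoint.getId(), detectionPoint);
            break;
        }
    }

    return detectionPoint;
}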
/// <summary>
/// Determines if the player is positioned near a given point
/// </summary>
/// <param name="point">The point to test; a null point is never considered near</param>
/// <returns>True if the player's current position lies within the point's radius, else false</returns>
private bool IsPlayerNear(DetectionPoint point) {
    // Short-circuit keeps the null case from touching any member of point.
    return point != null
        && CalcUtil.IsInRadius(point, this.playerService.PlayerPosition, point.Radius);
}
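/// <summary>
/// Reads a single config:detection-point element (its config:id, config:threshold and
/// config:response children) from the reader into a new DetectionPoint.
/// </summary>
/// <param name="xmlReader">Reader positioned on/inside the config:detection-point element.
/// NOTE(review): assumes the caller created it with DTD processing disabled - confirm.</param>
/// <returns>DetectionPoint populated from the element; fields not present stay at their defaults</returns>
/// <exception cref="XMLStreamException"></exception>
private DetectionPoint readDetectionPoint(XmlReader xmlReader) {
    DetectionPoint detectionPoint = new DetectionPoint();

    bool finished = false;

    //Read() advances through the nodes of the document (the StAX next() this was ported
    //from). MoveToNextAttribute() only walks the attributes of the current node and leaves
    //NodeType at Attribute, so the Element/EndElement cases below could never match and
    //an empty DetectionPoint was returned.
    while (!finished && xmlReader.Read()) {
        string name = XmlUtils.getElementQualifiedName(xmlReader, namespaces);

        switch (xmlReader.NodeType) {
            case XmlNodeType.Element:
                if ("config:id".Equals(name)) {
                    detectionPoint.setId(xmlReader.ReadString().Trim());
                } else if ("config:threshold".Equals(name)) {
                    detectionPoint.setThreshold(readThreshold(xmlReader));
                } else if ("config:response".Equals(name)) {
                    detectionPoint.getResponses().Add(readResponse(xmlReader));
                } else {
                    /** unexpected start element **/
                }
                break;
            case XmlNodeType.EndElement:
                if ("config:detection-point".Equals(name)) {
                    finished = true;
                } else {
                    /** unexpected end element **/
                }
                break;
            default:
                /** unused xml element - nothing to do **/
                break;
        }
    }

    return detectionPoint;
}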
/**
 * Lookup configured {@link Response} objects for specified {@link DetectionPoint}
 *
 * Detection points are matched by id only; the first configured detection point with the
 * same id wins and its response collection is returned as-is (not copied).
 *
 * @param triggeringDetectionPoint {@link DetectionPoint} that triggered {@link Attack}
 * @return collection of {@link Response} objects for given {@link DetectionPoint};
 *         an empty collection when no configured detection point matches
 */
protected Collection <Response> findPossibleResponses(DetectionPoint triggeringDetectionPoint) {
    foreach (DetectionPoint configuredDetectionPoint in appSensorServer.getConfiguration().getDetectionPoints()) {
        if (configuredDetectionPoint.getId().Equals(triggeringDetectionPoint.getId())) {
            return configuredDetectionPoint.getResponses();
        }
    }

    //nothing configured for this detection point
    return new Collection <Response>();
}
/**
 * {@inheritDoc}
 *
 * Every criterion that is unset (null user, null detection point, null/empty detection
 * system id set, unparsable/absent earliest timestamp) matches all attacks; the remaining
 * criteria are AND-ed.
 */
public override Collection <Attack> findAttacks(SearchCriteria criteria) {
    if (criteria == null) {
        throw new ArgumentException("criteria must be non-null");
    }

    User user = criteria.GetUser();
    DetectionPoint detectionPoint = criteria.GetDetectionPoint();
    HashSet <string> detectionSystemIds = criteria.getDetectionSystemIds();
    DateTime? earliest = DateUtils.fromString(criteria.getEarliest());

    //decide once which filters are active instead of re-testing per attack
    bool filterByUser = user != null;
    bool filterBySystem = detectionSystemIds != null && detectionSystemIds.Count > 0;
    bool filterByDetectionPoint = detectionPoint != null;
    bool filterByTime = earliest != null;

    Collection <Attack> matches = new Collection <Attack>();
    Collection <Attack> attacks = loadAttacks();

    foreach (Attack attack in attacks) {
        if (filterByUser && !user.Equals(attack.GetUser())) {
            continue;
        }
        if (filterBySystem && !detectionSystemIds.Contains(attack.GetDetectionSystemId())) {
            continue;
        }
        if (filterByDetectionPoint && !detectionPoint.getId().Equals(attack.GetDetectionPoint().getId())) {
            continue;
        }
        //strictly-after comparison; a timestamp that fails to parse (null) never matches
        if (filterByTime && !(earliest < DateUtils.fromString(attack.GetTimestamp()))) {
            continue;
        }

        matches.Add(attack);
    }

    return matches;
}
/**
 * {@inheritDoc}
 *
 * Every criterion that is unset (null user, null detection point, null/empty detection
 * system id set, unparsable/absent earliest timestamp) matches all events; the remaining
 * criteria are AND-ed.
 */
public override Collection <Event> findEvents(SearchCriteria criteria) {
    if (criteria == null) {
        throw new ArgumentException("criteria must be non-null");
    }

    User user = criteria.GetUser();
    DetectionPoint detectionPoint = criteria.GetDetectionPoint();
    HashSet <string> detectionSystemIds = criteria.getDetectionSystemIds();
    DateTime? earliest = DateUtils.fromString(criteria.getEarliest());

    //decide once which filters are active instead of re-testing per event
    bool filterByUser = user != null;
    bool filterBySystem = detectionSystemIds != null && detectionSystemIds.Count > 0;
    bool filterByDetectionPoint = detectionPoint != null;
    bool filterByTime = earliest != null;

    Collection <Event> matches = new Collection <Event>();
    Collection <Event> events = loadEvents();

    foreach (Event storedEvent in events) {
        if (filterByUser && !user.Equals(storedEvent.GetUser())) {
            continue;
        }
        if (filterBySystem && !detectionSystemIds.Contains(storedEvent.GetDetectionSystemId())) {
            continue;
        }
        if (filterByDetectionPoint && !detectionPoint.getId().Equals(storedEvent.GetDetectionPoint().getId())) {
            continue;
        }
        //strictly-after comparison; a timestamp that fails to parse (null) never matches
        if (filterByTime && !(earliest < DateUtils.fromString(storedEvent.GetTimestamp()))) {
            continue;
        }

        matches.Add(storedEvent);
    }

    return matches;
}
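/**
 * Find/generate {@link Response} appropriate for specified {@link Attack}.
 *
 * Selection rule: when no response has been issued yet for this user / detection point /
 * related detection systems, the first configured response is used. Otherwise the configured
 * responses are walked in order and the first one not already issued is chosen; if all of
 * them have been issued, the last configured response is repeated.
 *
 * @param attack {@link Attack} that is being analyzed
 * @return {@link Response} to be executed for given {@link Attack}
 * @throws ArgumentException when the detection point has no configured responses
 */
protected Response findAppropriateResponse(Attack attack) {
    DetectionPoint triggeringDetectionPoint = attack.GetDetectionPoint();

    SearchCriteria criteria = new SearchCriteria().
        setUser(attack.GetUser()).
        setDetectionPoint(triggeringDetectionPoint).
        setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(attack.GetDetectionSystemId()));

    //grab any existing responses
    Collection <Response> existingResponses = appSensorServer.getResponseStore().findResponses(criteria);

    string responseAction = null;
    Interval interval = null;

    Collection <Response> possibleResponses = findPossibleResponses(triggeringDetectionPoint);

    if (existingResponses == null || existingResponses.Count == 0) {
        //no responses yet, just grab first configured response from detection point.
        //The earlier enumerator version ignored MoveNext()'s result, so an empty response
        //list dereferenced a null Current here instead of reaching the ArgumentException below.
        foreach (Response firstResponse in possibleResponses) {
            responseAction = firstResponse.getAction();
            interval = firstResponse.getInterval();
            break;
        }
    } else {
        foreach (Response configuredResponse in possibleResponses) {
            responseAction = configuredResponse.getAction();
            interval = configuredResponse.getInterval();

            if (!isPreviousResponse(configuredResponse, existingResponses)) {
                //if we find that this response doesn't already exist, use it
                break;
            }

            //if we reach here, we will just use the last configured response (repeat last response)
        }
    }

    if (responseAction == null) {
        throw new ArgumentException("No appropriate response was configured for this detection point: " +
            triggeringDetectionPoint.getId());
    }

    Response response = new Response();
    response.setUser(attack.GetUser());
    response.setTimestamp(attack.GetTimestamp());
    response.setAction(responseAction);
    response.setInterval(interval);
    response.setDetectionSystemId(attack.GetDetectionSystemId());

    return response;
}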
//private Collection<DetectionPoint> loadMockedDetectionPoints() {
/**
 * Builds the in-memory stand-in for the server-side detection point configuration.
 *
 * Five detection points (IE1..IE5) share the interval-less log/logout/disableUser responses
 * and each carries its own timed disableComponentForSpecificUser and
 * disableComponentForAllUsers response, in that order.
 *
 * @return the five mocked detection points
 */
private HashSet <DetectionPoint> loadMockedDetectionPoints() {
    HashSet <DetectionPoint> configuredDetectionPoints = new HashSet <DetectionPoint>();

    //responses without an interval, shared by every detection point
    Response log = new Response();
    log.setAction("log");

    Response logout = new Response();
    logout.setAction("logout");

    Response disableUser = new Response();
    disableUser.setAction("disableUser");

    //IE1 and IE2 share a single 5-minute interval instance, as in the original fixture
    Interval minutes5 = new Interval(5, Interval.MINUTES);

    string[] ids = { "IE1", "IE2", "IE3", "IE4", "IE5" };
    Threshold[] thresholds = {
        new Threshold(3, minutes5),
        new Threshold(12, minutes5),
        new Threshold(13, new Interval(6, Interval.MINUTES)),
        new Threshold(14, new Interval(7, Interval.MINUTES)),
        new Threshold(15, new Interval(8, Interval.MINUTES))
    };
    //per-point interval lengths (minutes) for the two component-disabling responses
    int[] specificUserMinutes = { 31, 32, 33, 34, 35 };
    int[] allUsersMinutes = { 11, 12, 13, 14, 15 };

    for (int i = 0; i < ids.Length; i++) {
        Response disableComponentForSpecificUser = new Response();
        disableComponentForSpecificUser.setAction("disableComponentForSpecificUser");
        disableComponentForSpecificUser.setInterval(new Interval(specificUserMinutes[i], Interval.MINUTES));

        Response disableComponentForAllUsers = new Response();
        disableComponentForAllUsers.setAction("disableComponentForAllUsers");
        disableComponentForAllUsers.setInterval(new Interval(allUsersMinutes[i], Interval.MINUTES));

        //insertion order is the escalation order the response analysis walks
        Collection <Response> responses = new Collection <Response>();
        responses.Add(log);
        responses.Add(logout);
        responses.Add(disableUser);
        responses.Add(disableComponentForSpecificUser);
        responses.Add(disableComponentForAllUsers);

        configuredDetectionPoints.Add(new DetectionPoint(ids[i], thresholds[i], responses));
    }

    return configuredDetectionPoints;
}
/**
 * Lookup configured {@link Response} objects for specified {@link DetectionPoint}
 *
 * Detection points are matched by id only; the first configured detection point with the
 * same id wins and its response collection is returned as-is (not copied).
 *
 * @param triggeringDetectionPoint {@link DetectionPoint} that triggered {@link Attack}
 * @return collection of {@link Response} objects for given {@link DetectionPoint};
 *         an empty collection when no configured detection point matches
 */
protected Collection<Response> findPossibleResponses(DetectionPoint triggeringDetectionPoint) {
    foreach (DetectionPoint configuredDetectionPoint in appSensorServer.getConfiguration().getDetectionPoints()) {
        if (configuredDetectionPoint.getId().Equals(triggeringDetectionPoint.getId())) {
            return configuredDetectionPoint.getResponses();
        }
    }

    //nothing configured for this detection point
    return new Collection<Response>();
}
//private Collection<DetectionPoint> loadMockedDetectionPoints() {
/**
 * Builds the in-memory stand-in for the server-side detection point configuration.
 *
 * Five detection points (IE1..IE5) share the interval-less log/logout/disableUser responses
 * and each carries its own timed disableComponentForSpecificUser and
 * disableComponentForAllUsers response, in that order.
 *
 * @return the five mocked detection points
 */
private HashSet<DetectionPoint> loadMockedDetectionPoints() {
    HashSet<DetectionPoint> configuredDetectionPoints = new HashSet<DetectionPoint>();

    //responses without an interval, shared by every detection point
    Response log = new Response();
    log.setAction("log");

    Response logout = new Response();
    logout.setAction("logout");

    Response disableUser = new Response();
    disableUser.setAction("disableUser");

    //IE1 and IE2 share a single 5-minute interval instance, as in the original fixture
    Interval minutes5 = new Interval(5, Interval.MINUTES);

    string[] ids = { "IE1", "IE2", "IE3", "IE4", "IE5" };
    Threshold[] thresholds = {
        new Threshold(3, minutes5),
        new Threshold(12, minutes5),
        new Threshold(13, new Interval(6, Interval.MINUTES)),
        new Threshold(14, new Interval(7, Interval.MINUTES)),
        new Threshold(15, new Interval(8, Interval.MINUTES))
    };
    //per-point interval lengths (minutes) for the two component-disabling responses
    int[] specificUserMinutes = { 31, 32, 33, 34, 35 };
    int[] allUsersMinutes = { 11, 12, 13, 14, 15 };

    for (int i = 0; i < ids.Length; i++) {
        Response disableComponentForSpecificUser = new Response();
        disableComponentForSpecificUser.setAction("disableComponentForSpecificUser");
        disableComponentForSpecificUser.setInterval(new Interval(specificUserMinutes[i], Interval.MINUTES));

        Response disableComponentForAllUsers = new Response();
        disableComponentForAllUsers.setAction("disableComponentForAllUsers");
        disableComponentForAllUsers.setInterval(new Interval(allUsersMinutes[i], Interval.MINUTES));

        //insertion order is the escalation order the response analysis walks
        Collection<Response> responses = new Collection<Response>();
        responses.Add(log);
        responses.Add(logout);
        responses.Add(disableUser);
        responses.Add(disableComponentForSpecificUser);
        responses.Add(disableComponentForAllUsers);

        configuredDetectionPoints.Add(new DetectionPoint(ids[i], thresholds[i], responses));
    }

    return configuredDetectionPoints;
}
/**
 * Restrict this search to a single detection point.
 *
 * A null value leaves the detection point unconstrained (the stores treat a null
 * detection point criterion as "match any").
 *
 * @param detectionPoint detection point to match, or null for any
 * @return this SearchCriteria, so calls can be chained
 */
public SearchCriteria setDetectionPoint(DetectionPoint detectionPoint) {
    this.detectionPoint = detectionPoint;
    return this;
}