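/**
	 * Analyzes a statistical {@link Event} that was just added to the system and decides whether
	 * the configured {@link Threshold} of its {@link DetectionPoint} has been crossed. When it has,
	 * an {@link Attack} is created and added to the {@link AttackStore}.
	 *
	 * Only events for the same user and detection point across the detection systems related to the
	 * event's system are considered, and only those inside the threshold interval (counting is
	 * delegated to countEvents).
	 *
	 * @param Event the {@link Event} that was added to the {@link EventStore}; must not be null
	 * @throws System.ArgumentNullException when Event is null
	 */
	public void analyze(Event Event) {
		if (Event == null) {
			throw new System.ArgumentNullException("Event");
		}

		var configuration = appSensorServer.getConfiguration();

		// Scope the search to the same user / detection point on every related detection system.
		SearchCriteria criteria = new SearchCriteria().
				setUser(Event.GetUser()).
				setDetectionPoint(Event.GetDetectionPoint()).
				setDetectionSystemIds(configuration.getRelatedDetectionSystems(Event.GetDetectionSystemId()));

		Collection<Event> existingEvents = appSensorServer.getEventStore().findEvents(criteria);

		DetectionPoint configuredDetectionPoint = configuration.findDetectionPoint(Event.GetDetectionPoint());
		if (configuredDetectionPoint == null) {
			// No configured threshold means there is nothing to compare against. Surface the
			// misconfiguration in the log instead of failing with a NullReferenceException below.
			Logger.Warn("No configured detection point found for <" + Event.GetDetectionPoint().getId() + "> - skipping analysis");
			return;
		}

		int thresholdCount = configuredDetectionPoint.getThreshold().getCount();
		if (thresholdCount <= 0) {
			// A zero count would make the modulo below throw DivideByZeroException; a negative one is meaningless.
			Logger.Warn("Threshold count for detection point <" + Event.GetDetectionPoint().getId() + "> is " + thresholdCount + " - skipping analysis");
			return;
		}

		int eventCount = countEvents(configuredDetectionPoint.getThreshold().getInterval().toMillis(), existingEvents, Event);

		// A violation is observed each time the count reaches a multiple of the threshold, e.g. with
		// a threshold of 10: 5 -> no, 45 -> no, 10 -> yes, 30 -> yes. An empty window never counts
		// (0 % n == 0 must not be treated as a violation).
		if (eventCount > 0 && eventCount % thresholdCount == 0) {
			// NOTE(review): the username is written into the log line unescaped; if it can contain
			// CR/LF it can forge log entries - sanitize it or use structured logging unless Logger does so.
			Logger.Info("Violation Observed for user <" + Event.GetUser().getUsername() + "> - storing attack");
			appSensorServer.getAttackStore().addAttack(new Attack(Event));
		}
	}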
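	/**
	 * Creates an {@link Attack} that carries over the identifying data of the triggering
	 * {@link Event}: user, detection point, timestamp, detection system id and resource.
	 *
	 * @param Event the triggering event; must not be null
	 * @throws System.ArgumentNullException when Event is null
	 */
	public Attack (Event Event) {
		if (Event == null) {
			// Fail with a descriptive exception instead of a NullReferenceException on the first getter.
			throw new System.ArgumentNullException("Event");
		}
		setUser(Event.GetUser());
		setDetectionPoint(Event.GetDetectionPoint());
		setTimestamp(Event.GetTimestamp());
		setDetectionSystemId(Event.GetDetectionSystemId());
		setResource(Event.getResource());
	}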
        /**
         * {@inheritDoc}
         *
         * Records that a security event arrived, persists it with writeEvent and only then notifies
         * the registered listeners (presumably the analysis engines) about it.
         *
         * @param Event the incoming security event
         */
        public override void addEvent(Event Event) {
            // NOTE(review): detection point id and username are interpolated into the log line
            // unescaped; a username carrying CR/LF could forge log entries - sanitize or use
            // structured logging unless Logger already does so.
            string message = "Security event " + Event.GetDetectionPoint().getId() + " triggered by user: " + Event.GetUser().getUsername();
            Logger.Warn(message);

            // Store first so listeners can rely on the event being queryable from the store.
            writeEvent(Event);
            base.notifyListeners(Event);
        }
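 /**
  * Creates an {@link Attack} that carries over the identifying data of the triggering
  * {@link Event}: user, detection point, timestamp, detection system id and resource.
  *
  * @param Event the triggering event; must not be null
  * @throws System.ArgumentNullException when Event is null
  */
 public Attack(Event Event)
 {
     if (Event == null)
     {
         // Fail with a descriptive exception instead of a NullReferenceException on the first getter.
         throw new System.ArgumentNullException("Event");
     }
     setUser(Event.GetUser());
     setDetectionPoint(Event.GetDetectionPoint());
     setTimestamp(Event.GetTimestamp());
     setDetectionSystemId(Event.GetDetectionSystemId());
     setResource(Event.getResource());
 }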
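        /**
         * Two events are equal when their user, detection point, timestamp, detection system id
         * and resource are all equal. Every field comparison is null-safe: a null field is equal
         * only to a null field, instead of throwing a NullReferenceException.
         *
         * NOTE(review): GetHashCode must be overridden over the same five fields for hash-based
         * collections to behave; confirm such an override exists elsewhere in this class.
         *
         * @param obj the object to compare with
         * @return true when obj is an Event of the same runtime type with the same identifying fields
         */
        public override bool Equals(object obj)
        {
            if (object.ReferenceEquals(this, obj))
            {
                return true;
            }
            if (obj == null || GetType() != obj.GetType())
            {
                return false;
            }

            Event other = (Event)obj;

            // object.Equals(a, b) tolerates null on either side, unlike a.Equals(b).
            return object.Equals(user, other.GetUser()) &&
                   object.Equals(detectionPoint, other.GetDetectionPoint()) &&
                   object.Equals(timestamp, other.GetTimestamp()) &&
                   object.Equals(detectionSystemId, other.GetDetectionSystemId()) &&
                   object.Equals(resource, other.getResource());
        }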
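	/**
	 * Find the most recent {@link Attack} matching the given {@link Event} ({@link User},
	 * {@link DetectionPoint} and the related detection systems) and return its timestamp.
	 *
	 * Callers use the result as a lower bound: an {@link Event} should only be counted if it
	 * occurred after the most recent matching {@link Attack}, so counting restarts once an
	 * attack has been recorded.
	 *
	 * @param Event {@link Event} to use to find matching {@link Attack}s
	 * @return timestamp of the latest matching {@link Attack}, or DateUtils.epoch() when none exists
	 */
	protected DateTime? findMostRecentAttackTime(Event Event) {
		// The epoch (not null) is the "no attack yet" value so any real attack timestamp compares
		// greater and callers can always use the result as a lower bound without a null check.
		DateTime? newest = DateUtils.epoch();

		SearchCriteria criteria = new SearchCriteria().
				setUser(Event.GetUser()).
				setDetectionPoint(Event.GetDetectionPoint()).
				setDetectionSystemIds(appSensorServer.getConfiguration().getRelatedDetectionSystems(Event.GetDetectionSystemId()));

		Collection<Attack> attacks = appSensorServer.getAttackStore().findAttacks(criteria);

		foreach (Attack attack in attacks) {
			// Parse each stored timestamp once. The lifted comparison is false when either side is
			// null, so an attack whose timestamp fails to parse (assuming DateUtils.fromString yields
			// null rather than throwing - confirm) never becomes the newest.
			DateTime? attackTime = DateUtils.fromString(attack.GetTimestamp());
			if (attackTime > newest) {
				newest = attackTime;
			}
		}
		return newest;
	}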