
github.com/undo-ransomware/ransomware_detection.git - Unnamed repository; edit this file 'description' to name the repository.
authorMatthias Held <ilovemilk@wusa.io>2018-09-05 20:03:49 +0300
committerMatthias Held <ilovemilk@wusa.io>2018-09-05 20:03:49 +0300
commita345337c85affcb67d5deb03a170048d81a45a58 (patch)
tree0424a2abd9f495674b362ec79addba3b8bfc201e
parente5158d3d1f5c1a9ce02d1ecacb29a50c7f6c23e5 (diff)
Remove file name analysis
-rw-r--r--js/filelist.js26
-rw-r--r--js/scan.js14
-rw-r--r--lib/Analyzer/FileExtensionAnalyzer.php (renamed from lib/Analyzer/FileNameAnalyzer.php)60
-rw-r--r--lib/Analyzer/FileExtensionResult.php61
-rw-r--r--lib/Analyzer/FileNameResult.php107
-rw-r--r--lib/Analyzer/FileTypeFunnellingAnalyzer.php2
-rw-r--r--lib/AppInfo/Application.php6
-rw-r--r--lib/Classifier.php11
-rw-r--r--lib/Controller/ScanController.php21
-rw-r--r--lib/Db/FileOperation.php6
-rw-r--r--lib/Monitor.php31
-rw-r--r--tests/Integration/Db/FileOperationMapperTest.php36
-rw-r--r--tests/Integration/Fixtures/FileOperationFixture.php3
-rw-r--r--tests/Unit/Analyzer/FileExtensionAnalyzerTest.php105
-rw-r--r--tests/Unit/Analyzer/FileExtensionResultTest.php51
-rw-r--r--tests/Unit/Analyzer/FileNameAnalyzerTest.php127
-rw-r--r--tests/Unit/Analyzer/FileNameResultTest.php70
-rw-r--r--tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php28
-rw-r--r--tests/Unit/ClassifierTest.php102
-rw-r--r--tests/Unit/Controller/ScanControllerTest.php19
-rw-r--r--tests/Unit/Db/FileOperationTest.php9
-rw-r--r--tests/Unit/MonitorTest.php28
22 files changed, 374 insertions, 549 deletions
diff --git a/js/filelist.js b/js/filelist.js
index 5a49520..c43ebf6 100644
--- a/js/filelist.js
+++ b/js/filelist.js
@@ -439,16 +439,10 @@
}
tr.append(td);
- if (fileData.fileNameClass === '0') {
+ if (fileData.fileExtensionClass === '0') {
// normal
- td = $('<td></td>').append($('<p></p>').attr({"title": "NORMAL"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-check-circle fa-fw"></span>'));
- } else if (fileData.fileNameClass === '1') {
- // suspicious
- td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS FILE EXTENSION"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
- } else if (fileData.fileNameClass === '2') {
- // suspicious
- td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS FILE NAME"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
- } else if (fileData.fileNameClass === '3') {
+ td = $('<td></td>').append($('<p></p>').attr({"title": "NOT_SUSPICIOUS"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-check-circle fa-fw"></span>'));
+ } else if (fileData.fileExtensionClass === '1') {
// suspicious
td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
} else {
@@ -606,16 +600,10 @@
}
tr.append(td);
- if (fileData.fileNameClass === '0') {
- // normal
- td = $('<td></td>').append($('<p></p>').attr({"title": "NORMAL"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-check-circle fa-fw"></span>'));
- } else if (fileData.fileNameClass === '1') {
- // suspicious
- td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS FILE EXTENSION"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
- } else if (fileData.fileNameClass === '2') {
- // suspicious
- td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS FILE NAME"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
- } else if (fileData.fileNameClass === '3') {
+ if (fileData.fileExtensionClass === '0') {
+ // not suspicious
+ td = $('<td></td>').append($('<p></p>').attr({"title": "NOT_SUSPICIOUS"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-check-circle fa-fw"></span>'));
+ } else if (fileData.fileExtensionClass === '1') {
// suspicious
td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
} else {
diff --git a/js/scan.js b/js/scan.js
index 5b66a24..b5be947 100644
--- a/js/scan.js
+++ b/js/scan.js
@@ -441,16 +441,10 @@
}
tr.append(td);
- if (fileData.fileNameClass === 0) {
- // normal
- td = $('<td></td>').append($('<p></p>').attr({"title": "NORMAL"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-check-circle fa-fw"></span>'));
- } else if (fileData.fileNameClass === 1) {
- // suspicious
- td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS FILE EXTENSION"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
- } else if (fileData.fileNameClass === 2) {
- // suspicious
- td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS FILE NAME"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
- } else if (fileData.fileNameClass === 3) {
+ if (fileData.fileExtensionClass === 0) {
+ // not suspicious
+ td = $('<td></td>').append($('<p></p>').attr({"title": "NOT_SUSPICIOUS"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-check-circle fa-fw"></span>'));
+ } else if (fileData.fileExtensionClass === 3) {
// suspicious
td = $('<td></td>').append($('<p></p>').attr({"title": "SUSPICIOUS"}).tooltip({placement: 'top'}).prepend('<span class="fas fa-exclamation-triangle fa-fw"></span>'));
} else {
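Review bot: The suspicious branch at `} else if (fileData.fileExtensionClass === 3) {` still tests the old combined FileNameResult value. FileExtensionResult, added in this commit, defines only NOT_SUSPICIOUS = 0 and SUSPICIOUS = 1, and js/filelist.js was updated to compare against '1'. As written, a file with a suspicious extension falls through to the final `else` branch in the scan view, whose body is outside the hunk, so the warning cell is never rendered for it. Change the line to `} else if (fileData.fileExtensionClass === 1) {`.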
diff --git a/lib/Analyzer/FileNameAnalyzer.php b/lib/Analyzer/FileExtensionAnalyzer.php
index 8123903..e7b4d88 100644
--- a/lib/Analyzer/FileNameAnalyzer.php
+++ b/lib/Analyzer/FileExtensionAnalyzer.php
@@ -25,58 +25,40 @@ use OCA\RansomwareDetection\FileSignatureList;
use OCA\RansomwareDetection\Entropy\Entropy;
use OCP\ILogger;
-class FileNameAnalyzer
+class FileExtensionAnalyzer
{
- /**
- * File name entropy cut-off point between normal and suspicious.
- *
- * @var float
- */
- const ENTROPY_CUT_OFF = 4.0;
/** @var ILogger */
private $logger;
- /** @var Entropy */
- private $entropy;
-
/**
* @param ILogger $logger
- * @param Entropy $entropy
*/
public function __construct(
- ILogger $logger,
- Entropy $entropy
+ ILogger $logger
) {
$this->logger = $logger;
- $this->entropy = $entropy;
}
/**
- * Classifies a file name in NORMAL, SUSPICIOUS_FILE_NAME,
- * SUSPICIOUS_FILE_EXTENSION or SUSPICIOUS, if the file name
- * and file extension are suspicious.
+ * Classifies a file extension in NOT_SUSPICIOUS or SUSPICIOUS,
+ * if the file extension are suspicious.
*
* @param string $path
*
- * @return FileNameResult
+ * @return FileExtensionResult
*/
public function analyze($path)
{
- $fileName = $this->getFileName($path);
$extension = $this->getFileExtension($path);
- $class = FileNameResult::NORMAL;
+ $class = FileExtensionResult::NOT_SUSPICIOUS;
$isFileExtensionKnown = $this->isFileExtensionKnown($extension);
if (!$isFileExtensionKnown) {
- $class += FileNameResult::SUSPICIOUS_FILE_EXTENSION;
- }
- $entropyOfFileName = $this->calculateEntropyOfFileName($fileName);
- if ($entropyOfFileName > self::ENTROPY_CUT_OFF) {
- $class += FileNameResult::SUSPICIOUS_FILE_NAME;
+ $class = FileExtensionResult::SUSPICIOUS;
}
- return new FileNameResult($class, $isFileExtensionKnown, $entropyOfFileName);
+ return new FileExtensionResult($class);
}
/**
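Review bot: analyze() now rests the whole verdict on getFileExtension(), and the context in the last hunk of this file shows that helper returning `$file['extension']`, a key pathinfo() does not set when the path has no extension. An extensionless path therefore raises an undefined-index notice and hands null to isFileExtensionKnown(). Returning `isset($file['extension']) ? $file['extension'] : ''` would make that case explicit; getFileExtension() itself starts outside the hunks shown. Separately, `use OCA\RansomwareDetection\Entropy\Entropy;` at the top of this hunk appears to be unreferenced now. The docblock would read better as `Classifies a file extension as NOT_SUSPICIOUS or SUSPICIOUS.`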
@@ -99,20 +81,6 @@ class FileNameAnalyzer
}
/**
- * Returns the file name of a path.
- *
- * @param string $path
- *
- * @return string
- */
- private function getFileName($path)
- {
- $file = pathinfo($path);
-
- return $file['basename'];
- }
-
- /**
* Returns the file extension of a file name.
*
* @param string $fileName
@@ -125,16 +93,4 @@ class FileNameAnalyzer
return $file['extension'];
}
-
- /**
- * Calculates the entropy of the a file name.
- *
- * @param string $fileName
- *
- * @return float
- */
- private function calculateEntropyOfFileName($fileName)
- {
- return $this->entropy->calculateEntropy($fileName);
- }
}
diff --git a/lib/Analyzer/FileExtensionResult.php b/lib/Analyzer/FileExtensionResult.php
new file mode 100644
index 0000000..2c35d5f
--- /dev/null
+++ b/lib/Analyzer/FileExtensionResult.php
@@ -0,0 +1,61 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
+ * @author Matthias Held <matthias.held@uni-konstanz.de>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\RansomwareDetection\Analyzer;
+
+class FileExtensionResult
+{
+ /**
+ * File extension classes.
+ *
+ * @var int
+ */
+ const NOT_SUSPICIOUS = 0;
+ const SUSPICIOUS = 1;
+
+ /** @var int */
+ private $fileExtensionClass;
+
+ /**
+ * @param int $fileExtensionClass
+ */
+ public function __construct(
+ $fileExtensionClass
+ ) {
+ $this->fileExtensionClass = $fileExtensionClass;
+ }
+
+ /**
+ * @param int $fileExtensionClass
+ */
+ public function setFileExtensionClass($fileExtensionClass)
+ {
+ $this->fileExtensionClass = $fileExtensionClass;
+ }
+
+ /**
+ * @return int
+ */
+ public function getFileExtensionClass()
+ {
+ return $this->fileExtensionClass;
+ }
+}
diff --git a/lib/Analyzer/FileNameResult.php b/lib/Analyzer/FileNameResult.php
deleted file mode 100644
index 10d4f82..0000000
--- a/lib/Analyzer/FileNameResult.php
+++ /dev/null
@@ -1,107 +0,0 @@
-<?php
-
-/**
- * @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
- * @author Matthias Held <matthias.held@uni-konstanz.de>
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-namespace OCA\RansomwareDetection\Analyzer;
-
-class FileNameResult
-{
- /**
- * File name classes.
- *
- * @var int
- */
- const NORMAL = 0;
- const SUSPICIOUS_FILE_EXTENSION = 1;
- const SUSPICIOUS_FILE_NAME = 2;
- const SUSPICIOUS = 3;
-
- /** @var int */
- private $fileNameClass;
-
- /** @var bool */
- private $isFileExtensionKnown;
-
- /** @var float */
- private $entropyOfFileName;
-
- /**
- * @param int $fileNameClass
- * @param bool $isFileExtensionKnown
- * @param float $entropyOfFileName
- */
- public function __construct(
- $fileNameClass,
- $isFileExtensionKnown,
- $entropyOfFileName
- ) {
- $this->fileNameClass = $fileNameClass;
- $this->isFileExtensionKnown = $isFileExtensionKnown;
- $this->entropyOfFileName = $entropyOfFileName;
- }
-
- /**
- * @param int $fileNameClass
- */
- public function setFileNameClass($fileNameClass)
- {
- $this->fileNameClass = $fileNameClass;
- }
-
- /**
- * @return int
- */
- public function getFileNameClass()
- {
- return $this->fileNameClass;
- }
-
- /**
- * @param bool $isFileExtensionKnown
- */
- public function setFileExtensionKnown($isFileExtensionKnown)
- {
- $this->isFileExtensionKnown = $isFileExtensionKnown;
- }
-
- /**
- * @return bool
- */
- public function isFileExtensionKnown()
- {
- return $this->isFileExtensionKnown;
- }
-
- /**
- * @param float $entropyOfFileName
- */
- public function setEntropyOfFileName($entropyOfFileName)
- {
- $this->entropyOfFileName = $entropyOfFileName;
- }
-
- /**
- * @return float
- */
- public function getEntropyOfFileName()
- {
- return $this->entropyOfFileName;
- }
-}
diff --git a/lib/Analyzer/FileTypeFunnellingAnalyzer.php b/lib/Analyzer/FileTypeFunnellingAnalyzer.php
index ad33e8b..843eea2 100644
--- a/lib/Analyzer/FileTypeFunnellingAnalyzer.php
+++ b/lib/Analyzer/FileTypeFunnellingAnalyzer.php
@@ -120,7 +120,7 @@ class FileTypeFunnellingAnalyzer
*/
private function countKnownFileExtensions($file)
{
- if (intval($file->getFileNameClass()) === FileNameResult::NORMAL || intval($file->getFileNameClass()) === FileNameResult::SUSPICIOUS_FILE_NAME) {
+ if (intval($file->getFileExtensionClass()) === FileExtensionResult::NOT_SUSPICIOUS) {
return 1;
}
}
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 42f9bce..de474f9 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -28,7 +28,7 @@ use OCA\RansomwareDetection\Analyzer\SequenceAnalyzer;
use OCA\RansomwareDetection\Analyzer\SequenceSizeAnalyzer;
use OCA\RansomwareDetection\Analyzer\FileTypeFunnellingAnalyzer;
use OCA\RansomwareDetection\Analyzer\EntropyFunnellingAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameAnalyzer;
+use OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer;
use OCA\RansomwareDetection\Entropy\Entropy;
use OCA\RansomwareDetection\Notification\Notifier;
use OCA\RansomwareDetection\StorageWrapper;
@@ -101,8 +101,8 @@ class Application extends App
);
});
- $container->registerService('FileNameAnalyzer', function ($c) {
- return new FileNameAnalyzer(
+ $container->registerService('FileExtensionAnalyzer', function ($c) {
+ return new FileExtensionAnalyzer(
$c->query(ILogger::class),
$c->query(Entropy::class)
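Review bot: The factory still passes `$c->query(Entropy::class)` as a second constructor argument, but FileExtensionAnalyzer::__construct() in this commit accepts only `ILogger $logger`. PHP silently ignores the surplus argument, so nothing fails, yet the container still resolves an Entropy instance that the analyzer never uses and the stale dependency stays hidden. Drop it so the call reads `return new FileExtensionAnalyzer($c->query(ILogger::class));`. The closure's closing lines are outside the hunk.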
diff --git a/lib/Classifier.php b/lib/Classifier.php
index 0ae06b5..2441b14 100644
--- a/lib/Classifier.php
+++ b/lib/Classifier.php
@@ -21,7 +21,7 @@
namespace OCA\RansomwareDetection;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\Analyzer\EntropyResult;
use OCA\RansomwareDetection\Db\FileOperationMapper;
use OCA\RansomwareDetection\Service\FileOperationService;
@@ -36,6 +36,7 @@ class Classifier
*/
const HIGH_LEVEL_OF_SUSPICION = 1;
const MIDDLE_LEVEL_OF_SUSPICION = 2;
+ // deprecated will be removed
const LOW_LEVEL_OF_SUSPICION = 3;
const NOT_SUSPICIOUS = 4;
const NO_INFORMATION = 5;
@@ -80,17 +81,17 @@ class Classifier
$file->getCommand() === Monitor::CREATE
) {
if ($file->getFileClass() === EntropyResult::ENCRYPTED) {
- if ($file->getFileNameClass() === FileNameResult::SUSPICIOUS) {
+ if ($file->getFileExtensionClass() === FileExtensionResult::SUSPICIOUS) {
$file->setSuspicionClass(self::HIGH_LEVEL_OF_SUSPICION);
- } elseif ($file->getFileNameClass() > FileNameResult::NORMAL) {
+ } elseif ($file->getFileExtensionClass() > FileExtensionResult::NOT_SUSPICIOUS) {
$file->setSuspicionClass(self::MIDDLE_LEVEL_OF_SUSPICION);
} else {
$file->setSuspicionClass(self::NOT_SUSPICIOUS);
}
} elseif ($file->getFileClass() === EntropyResult::COMPRESSED) {
- if ($file->getFileNameClass() === FileNameResult::SUSPICIOUS) {
+ if ($file->getFileExtensionClass() === FileExtensionResult::SUSPICIOUS) {
$file->setSuspicionClass(self::MIDDLE_LEVEL_OF_SUSPICION);
- } elseif ($file->getFileNameClass() > FileNameResult::NORMAL) {
+ } elseif ($file->getFileExtensionClass() > FileExtensionResult::NOT_SUSPICIOUS) {
$file->setSuspicionClass(self::LOW_LEVEL_OF_SUSPICION);
} else {
$file->setSuspicionClass(self::NOT_SUSPICIOUS);
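Review bot: Both `=== FileExtensionResult::SUSPICIOUS` checks compare strictly against the int 1, while lib/Db/FileOperation.php documents `$fileExtensionClass` as a string and registers no `addType('fileExtensionClass', 'integer')`; js/filelist.js also receives the value as '0'/'1'. If the entity does return a string for rows read from the database, the strict test fails and the `> FileExtensionResult::NOT_SUSPICIOUS` branch takes over, so an encrypted file with an unknown extension is rated MIDDLE instead of HIGH, and a compressed one LOW instead of MIDDLE. Cast as FileTypeFunnellingAnalyzer does, `if (intval($file->getFileExtensionClass()) === FileExtensionResult::SUSPICIOUS) {`, in both places. With only two classes left, the `elseif` branches then become unreachable and can be removed. The method continues outside the hunk.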
diff --git a/lib/Controller/ScanController.php b/lib/Controller/ScanController.php
index 5cb3e39..009c280 100644
--- a/lib/Controller/ScanController.php
+++ b/lib/Controller/ScanController.php
@@ -26,7 +26,7 @@ use OCA\RansomwareDetection\Classifier;
use OCA\RansomwareDetection\Analyzer\SequenceAnalyzer;
use OCA\RansomwareDetection\Analyzer\EntropyAnalyzer;
use OCA\RansomwareDetection\Analyzer\FileCorruptionAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameAnalyzer;
+use OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer;
use OCA\RansomwareDetection\AppInfo\Application;
use OCA\RansomwareDetection\Db\FileOperation;
use OCA\RansomwareDetection\Exception\NotAFileException;
@@ -75,8 +75,8 @@ class ScanController extends OCSController
/** @var FileCorruptionAnalyzer */
protected $fileCorruptionAnalyzer;
- /** @var FileNameAnalyzer */
- protected $fileNameAnalyzer;
+ /** @var FileExtensionAnalyzer */
+ protected $fileExtensionAnalyzer;
/** @var IDBConnection */
protected $connection;
@@ -96,7 +96,7 @@ class ScanController extends OCSController
* @param SequenceAnalyzer $sequenceAnalyzer
* @param EntropyAnalyzer $entropyAnalyzer
* @param FileCorruptionAnalyzer $fileCorruptionAnalyzer
- * @param FileNameAnalyzer $fileNameAnalyzer
+ * @param FileExtensionAnalyzer $fileExtensionAnalyzer
* @param IDBConnection $connection
* @param string $userId
*/
@@ -112,7 +112,7 @@ class ScanController extends OCSController
SequenceAnalyzer $sequenceAnalyzer,
EntropyAnalyzer $entropyAnalyzer,
FileCorruptionAnalyzer $fileCorruptionAnalyzer,
- FileNameAnalyzer $fileNameAnalyzer,
+ FileExtensionAnalyzer $fileExtensionAnalyzer,
IDBConnection $connection,
$userId
) {
@@ -127,7 +127,7 @@ class ScanController extends OCSController
$this->sequenceAnalyzer = $sequenceAnalyzer;
$this->entropyAnalyzer = $entropyAnalyzer;
$this->fileCorruptionAnalyzer = $fileCorruptionAnalyzer;
- $this->fileNameAnalyzer = $fileNameAnalyzer;
+ $this->fileExtensionAnalyzer = $fileExtensionAnalyzer;
$this->connection = $connection;
$this->userId = $userId;
}
@@ -250,7 +250,7 @@ class ScanController extends OCSController
$this->classifier->classifyFile($fileOperation);
$jsonSequence[] = ['userId' => $fileOperation->getUserId(), 'path' => $fileOperation->getPath(), 'originalName' => preg_replace('/.d[0-9]{10}/', '', $fileOperation->getOriginalName()),
'type' => $fileOperation->getType(), 'mimeType' => $fileOperation->getMimeType(), 'size' => $fileOperation->getSize(), 'corrupted' => $fileOperation->getCorrupted(), 'timestamp' => $fileOperation->getTimestamp(), 'entropy' => $fileOperation->getEntropy(),
- 'standardDeviation' => $fileOperation->getStandardDeviation(), 'command' => $fileOperation->getCommand(), 'fileNameEntropy' => $fileOperation->getFileNameEntropy(), 'fileClass' => $fileOperation->getFileClass(), 'fileNameClass' => $fileOperation->getFileNameClass(), 'suspicionClass' => $fileOperation->getSuspicionClass()];
+ 'standardDeviation' => $fileOperation->getStandardDeviation(), 'command' => $fileOperation->getCommand(), 'fileClass' => $fileOperation->getFileClass(), 'fileExtensionClass' => $fileOperation->getFileExtensionClass(), 'suspicionClass' => $fileOperation->getSuspicionClass()];
$fileOperationSequence[] = $fileOperation;
}
if (count($fileOperationSequence) > 0) {
@@ -297,10 +297,9 @@ class ScanController extends OCSController
$fileOperation->setSize($node->getSize());
$fileOperation->setTimestamp($file['timestamp']);
- // file name analysis
- $fileNameResult = $this->fileNameAnalyzer->analyze($node->getInternalPath());
- $fileOperation->setFileNameClass($fileNameResult->getFileNameClass());
- $fileOperation->setFileNameEntropy($fileNameResult->getEntropyOfFileName());
+ // file extension analysis
+ $fileExtensionResult = $this->fileExtensionAnalyzer->analyze($node->getInternalPath());
+ $fileOperation->setFileExtensionClass($fileExtensionResult->getFileExtensionClass());
$fileCorruptionResult = $this->fileCorruptionAnalyzer->analyze($node);
$fileOperation->setCorrupted($fileCorruptionResult->isCorrupted());
diff --git a/lib/Db/FileOperation.php b/lib/Db/FileOperation.php
index ea9c40e..e91f92c 100644
--- a/lib/Db/FileOperation.php
+++ b/lib/Db/FileOperation.php
@@ -64,14 +64,11 @@ class FileOperation extends Entity
/** @var float */
public $standardDeviation;
- /** @var float */
- public $fileNameEntropy;
-
/** @var string */
public $fileClass;
/** @var string */
- public $fileNameClass;
+ public $fileExtensionClass;
/** @var int */
public $suspicionClass;
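Review bot: Renaming the public property to `$fileExtensionClass` and dropping `$fileNameEntropy` changes the columns this entity maps to, but the diffstat lists no schema or migration file. Unless the table definition is updated elsewhere, the `$this->mapper->insert($fileOperation)` calls in lib/Monitor.php would presumably target a column that existing installations do not have, and monitoring would stop recording file operations after the upgrade. A migration step that renames the old class column and drops the entropy column should ship with this change, or the commit message should say where the schema change lives.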
@@ -85,7 +82,6 @@ class FileOperation extends Entity
$this->addType('sequence', 'integer');
$this->addType('entropy', 'float');
$this->addType('standardDeviation', 'float');
- $this->addType('fileNameEntropy', 'float');
$this->addType('suspicionClass', 'integer');
}
}
diff --git a/lib/Monitor.php b/lib/Monitor.php
index a0009fa..88f34e3 100644
--- a/lib/Monitor.php
+++ b/lib/Monitor.php
@@ -25,8 +25,8 @@ use OCA\RansomwareDetection\AppInfo\Application;
use OCA\RansomwareDetection\Analyzer\EntropyAnalyzer;
use OCA\RansomwareDetection\Analyzer\EntropyResult;
use OCA\RansomwareDetection\Analyzer\FileCorruptionAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\Db\FileOperation;
use OCA\RansomwareDetection\Db\FileOperationMapper;
use OCP\App\IAppManager;
@@ -76,8 +76,8 @@ class Monitor
/** @var FileOperationMapper */
protected $mapper;
- /** @var FileNameAnalyzer */
- protected $fileNameAnalyzer;
+ /** @var FileExtensionAnalyzer */
+ protected $fileExtensionAnalyzer;
/** @var FileCorruptionAnalyzer */
protected $fileCorruptionAnalyzer;
@@ -97,7 +97,7 @@ class Monitor
* @param IRootFolder $rootFolder
* @param EntropyAnalyzer $entropyAnalyzer
* @param FileOperationMapper $mapper
- * @param FileNameAnalyzer $fileNameAnalyzer
+ * @param FileExtensionAnalyzer $fileExtensionAnalyzer
* @param FileCorruptionAnalyzer $fileCorruptionAnalyzer
* @param string $userId
*/
@@ -110,7 +110,7 @@ class Monitor
IRootFolder $rootFolder,
EntropyAnalyzer $entropyAnalyzer,
FileOperationMapper $mapper,
- FileNameAnalyzer $fileNameAnalyzer,
+ FileExtensionAnalyzer $fileExtensionAnalyzer,
FileCorruptionAnalyzer $fileCorruptionAnalyzer,
$userId
) {
@@ -122,7 +122,7 @@ class Monitor
$this->rootFolder = $rootFolder;
$this->entropyAnalyzer = $entropyAnalyzer;
$this->mapper = $mapper;
- $this->fileNameAnalyzer = $fileNameAnalyzer;
+ $this->fileExtensionAnalyzer = $fileExtensionAnalyzer;
$this->fileCorruptionAnalyzer = $fileCorruptionAnalyzer;
$this->userId = $userId;
}
@@ -264,9 +264,8 @@ class Monitor
$fileOperation->setStandardDeviation(0.0);
$fileOperation->setFileClass(EntropyResult::NORMAL);
- // file name analysis
- $fileOperation->setFileNameClass(FileNameResult::NORMAL);
- $fileOperation->setFileNameEntropy(0.0);
+ // file extension analysis
+ $fileOperation->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$this->mapper->insert($fileOperation);
$this->nestingLevel--;
@@ -406,9 +405,8 @@ class Monitor
$fileOperation->setStandardDeviation(0.0);
$fileOperation->setFileClass(EntropyResult::NORMAL);
- // file name analysis
- $fileOperation->setFileNameClass(FileNameResult::NORMAL);
- $fileOperation->setFileNameEntropy(0.0);
+ // file extension analysis
+ $fileOperation->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$this->mapper->insert($fileOperation);
}
@@ -437,10 +435,9 @@ class Monitor
$sequenceId = $this->config->getUserValue($this->userId, Application::APP_ID, 'sequence_id', 0);
$fileOperation->setSequence($sequenceId);
- // file name analysis
- $fileNameResult = $this->fileNameAnalyzer->analyze($node->getInternalPath());
- $fileOperation->setFileNameClass($fileNameResult->getFileNameClass());
- $fileOperation->setFileNameEntropy($fileNameResult->getEntropyOfFileName());
+ // file extension analysis
+ $fileExtensionResult = $this->fileExtensionAnalyzer->analyze($node->getInternalPath());
+ $fileOperation->setFileExtensionClass($fileExtensionResult->getFileExtensionClass());
$fileCorruptionResult = $this->fileCorruptionAnalyzer->analyze($node);
$fileOperation->setCorrupted($fileCorruptionResult->isCorrupted());
diff --git a/tests/Integration/Db/FileOperationMapperTest.php b/tests/Integration/Db/FileOperationMapperTest.php
index 90fd933..33f5239 100644
--- a/tests/Integration/Db/FileOperationMapperTest.php
+++ b/tests/Integration/Db/FileOperationMapperTest.php
@@ -101,9 +101,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
],
[
'userId' => 'john',
@@ -119,9 +118,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.05,
- 'fileNameEntropy' => 3.1,
'fileClass' => 2,
- 'fileNameClass' => 1,
+ 'fileExtensionClass' => 1,
],
];
$this->loadFixtures($fileOperations);
@@ -155,9 +153,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
],
[
'userId' => 'john',
@@ -173,9 +170,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.05,
- 'fileNameEntropy' => 3.1,
'fileClass' => 2,
- 'fileNameClass' => 1,
+ 'fileExtensionClass' => 1,
],
];
$this->loadFixtures($fileOperations);
@@ -202,9 +198,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
],
[
'userId' => 'john',
@@ -220,9 +215,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.05,
- 'fileNameEntropy' => 3.1,
'fileClass' => 2,
- 'fileNameClass' => 1,
+ 'fileExtensionClass' => 1,
],
];
$this->loadFixtures($fileOperations);
@@ -255,9 +249,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
],
[
'userId' => 'john',
@@ -273,9 +266,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.05,
- 'fileNameEntropy' => 3.1,
'fileClass' => 2,
- 'fileNameClass' => 1,
+ 'fileExtensionClass' => 1,
],
];
$this->loadFixtures($fileOperations);
@@ -314,9 +306,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
],
[
'userId' => 'john',
@@ -332,9 +323,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.05,
- 'fileNameEntropy' => 3.1,
'fileClass' => 2,
- 'fileNameClass' => 1,
+ 'fileExtensionClass' => 1,
],
];
$this->loadFixtures($fileOperations);
@@ -359,9 +349,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
],
[
'userId' => 'john',
@@ -377,9 +366,8 @@ class FileOperationMapperTest extends AppTest
'sequence' => 2,
'entropy' => 7.9123595,
'standardDeviation' => 0.05,
- 'fileNameEntropy' => 3.1,
'fileClass' => 2,
- 'fileNameClass' => 1,
+ 'fileExtensionClass' => 1,
],
];
$this->loadFixtures($fileOperations);
diff --git a/tests/Integration/Fixtures/FileOperationFixture.php b/tests/Integration/Fixtures/FileOperationFixture.php
index 1fe02f7..1eb98b5 100644
--- a/tests/Integration/Fixtures/FileOperationFixture.php
+++ b/tests/Integration/Fixtures/FileOperationFixture.php
@@ -44,9 +44,8 @@ class FileOperationFixture extends FileOperation
'sequence' => 1,
'entropy' => 7.9123595,
'standardDeviation' => 0.04,
- 'fileNameEntropy' => 4.1,
'fileClass' => 2,
- 'fileNameClass' => 3,
+ 'fileExtensionClass' => 1,
], $defaults);
$this->fillDefaults($defaults);
}
diff --git a/tests/Unit/Analyzer/FileExtensionAnalyzerTest.php b/tests/Unit/Analyzer/FileExtensionAnalyzerTest.php
new file mode 100644
index 0000000..9812ffd
--- /dev/null
+++ b/tests/Unit/Analyzer/FileExtensionAnalyzerTest.php
@@ -0,0 +1,105 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
+ * @author Matthias Held <matthias.held@uni-konstanz.de>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\RansomwareDetection\tests\Unit\Analyzer;
+
+use OCA\RansomwareDetection\Entropy\Entropy;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
+use OCA\RansomwareDetection\FileSignatureList;
+use OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer;
+use OCP\ILogger;
+use Test\TestCase;
+
+class FileExtensionAnalyzerTest extends TestCase
+{
+ /** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */
+ protected $logger;
+
+ /** @var FileExtensionAnalyzer */
+ protected $fileExtensionAnalyzer;
+
+ public function setUp()
+ {
+ parent::setUp();
+
+ $this->logger = $this->createMock(ILogger::class);
+
+ $this->fileExtensionAnalyzer = new FileExtensionAnalyzer($this->logger);
+ }
+
+ public function dataAnalyze()
+ {
+ return [
+ ['path' => 'file.jpg', 'class' => FileExtensionResult::NOT_SUSPICIOUS],
+ ['path' => 'file.unknown', 'class' => FileExtensionResult::SUSPICIOUS],
+ ['path' => 'file.jpg', 'class' => FileExtensionResult::NOT_SUSPICIOUS],
+ ['path' => 'file.jpg1', 'class' => FileExtensionResult::SUSPICIOUS],
+ ];
+ }
+
+ /**
+ * @dataProvider dataAnalyze
+ *
+ * @param string $path
+ * @param int $class
+ */
+ public function testAnalyze($path, $class)
+ {
+ $result = $this->fileExtensionAnalyzer->analyze($path);
+ $this->assertInstanceOf(FileExtensionResult::class, $result);
+ $this->assertEquals($result->getFileExtensionClass(), $class);
+ }
+
+ public function dataIsFileExtensionKnown()
+ {
+ $signatures = FileSignatureList::getSignatures();
+ $extensions = [];
+ foreach ($signatures as $signature) {
+ foreach ($signature['extension'] as $extension) {
+ $extensions[] = $extension;
+ }
+ }
+ $tests = [];
+
+ foreach ($extensions as $extension) {
+ $tests[] = [$extension, true];
+ }
+ $tests[] = ['WNCRY', false];
+
+ return $tests;
+ }
+
+ /**
+ * @dataProvider dataIsFileExtensionKnown
+ *
+ * @param string $extension
+ * @param bool $return
+ */
+ public function testIsFileExtensionKnown($extension, $return)
+ {
+ $this->assertEquals($this->invokePrivate($this->fileExtensionAnalyzer, 'isFileExtensionKnown', [$extension]), $return);
+ }
+
+ public function testGetFileExtension()
+ {
+ $this->assertEquals($this->invokePrivate($this->fileExtensionAnalyzer, 'getFileExtension', ['filename.extension']), 'extension');
+ }
+}
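Review bot: dataAnalyze() lists `'file.jpg'` twice and never exercises the inputs most likely to be misclassified now that the extension is the only name-based signal: a path with no extension, an upper-case extension such as `'file.JPG'`, and a double extension such as `'file.jpg.unknown'`. Replace the duplicate row with those cases, using the expected classes the project intends for them. `use OCA\RansomwareDetection\Entropy\Entropy;` is unused in this test. The assertEquals calls pass the actual value first; `$this->assertEquals($class, $result->getFileExtensionClass());` yields correct failure messages.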
diff --git a/tests/Unit/Analyzer/FileExtensionResultTest.php b/tests/Unit/Analyzer/FileExtensionResultTest.php
new file mode 100644
index 0000000..7f6ad0e
--- /dev/null
+++ b/tests/Unit/Analyzer/FileExtensionResultTest.php
@@ -0,0 +1,51 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
+ * @author Matthias Held <matthias.held@uni-konstanz.de>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\RansomwareDetection\tests\Unit\Analyzer;
+
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
+use Test\TestCase;
+
+class FileExtensionResultTest extends TestCase
+{
+ /** @var FileExtensionResult */
+ protected $fileExtensioneResult;
+
+ public function setUp()
+ {
+ parent::setUp();
+
+ $this->fileExtensioneResult = new FileExtensionResult(FileExtensionResult::NOT_SUSPICIOUS);
+ }
+
+ public function testConstruct()
+ {
+ $this->assertEquals($this->fileExtensioneResult->getFileExtensionClass(), FileExtensionResult::NOT_SUSPICIOUS);
+ }
+
+ public function testFileNameClass()
+ {
+ $this->fileExtensioneResult->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
+ $this->assertEquals($this->fileExtensioneResult->getFileExtensionClass(), FileExtensionResult::NOT_SUSPICIOUS);
+ $this->fileExtensioneResult->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
+ $this->assertEquals($this->fileExtensioneResult->getFileExtensionClass(), FileExtensionResult::SUSPICIOUS);
+ }
+}
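Review bot: The property is spelled `$fileExtensioneResult` (stray "e") throughout the new class, and `testFileNameClass` still carries the name of the concept this commit removes; `$fileExtensionResult` and `testFileExtensionClass` would match the class under test. The `assertEquals` calls pass the actual value first and the expected value second, so a failure message would label the two the wrong way round; the usual order is `$this->assertEquals(FileExtensionResult::SUSPICIOUS, $this->fileExtensioneResult->getFileExtensionClass());`. In `testFileNameClass` the first set/assert pair uses `NOT_SUSPICIOUS`, which is already the value given to the constructor in `setUp`, so only the `SUSPICIOUS` pair shows that the setter has any effect.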
diff --git a/tests/Unit/Analyzer/FileNameAnalyzerTest.php b/tests/Unit/Analyzer/FileNameAnalyzerTest.php
deleted file mode 100644
index c76ce5e..0000000
--- a/tests/Unit/Analyzer/FileNameAnalyzerTest.php
+++ /dev/null
@@ -1,127 +0,0 @@
-<?php
-
-/**
- * @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
- * @author Matthias Held <matthias.held@uni-konstanz.de>
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-namespace OCA\RansomwareDetection\tests\Unit\Analyzer;
-
-use OCA\RansomwareDetection\Entropy\Entropy;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
-use OCA\RansomwareDetection\FileSignatureList;
-use OCA\RansomwareDetection\Analyzer\FileNameAnalyzer;
-use OCP\ILogger;
-use Test\TestCase;
-
-class FileNameAnalyzerTest extends TestCase
-{
- /** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */
- protected $logger;
-
- /** @var Entropy|\PHPUnit_Framework_MockObject_MockObject */
- protected $entropy;
-
- /** @var FileNameAnalyzer */
- protected $fileNameAnalyzer;
-
- public function setUp()
- {
- parent::setUp();
-
- $this->logger = $this->createMock(ILogger::class);
- $this->entropy = $this->createMock(Entropy::class);
-
- $this->fileNameAnalyzer = new FileNameAnalyzer($this->logger, $this->entropy);
- }
-
- public function dataAnalyze()
- {
- return [
- ['path' => 'file.jpg', 'class' => FileNameResult::NORMAL, 'isFileExtensionKnown' => true, 'entropyOfFileName' => 1.0],
- ['path' => 'file.unknown', 'class' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'isFileExtensionKnown' => false, 'entropyOfFileName' => 1.0],
- ['path' => 'file.jpg', 'class' => FileNameResult::SUSPICIOUS_FILE_NAME, 'isFileExtensionKnown' => true, 'entropyOfFileName' => 6.0],
- ['path' => 'file.unknown', 'class' => FileNameResult::SUSPICIOUS, 'isFileExtensionKnown' => false, 'entropyOfFileName' => 6.0],
- ];
- }
-
- /**
- * @dataProvider dataAnalyze
- *
- * @param string $path
- * @param int $class
- * @param bool $isFileExtensionKnown
- * @param float $entropyOfFileName
- */
- public function testAnalyze($path, $class, $isFileExtensionKnown, $entropyOfFileName)
- {
- $this->entropy->method('calculateEntropy')
- ->willReturn($entropyOfFileName);
- $result = $this->fileNameAnalyzer->analyze($path);
- $this->assertInstanceOf(FileNameResult::class, $result);
- $this->assertEquals($result->getFileNameClass(), $class);
- $this->assertEquals($result->isFileExtensionKnown(), $isFileExtensionKnown);
- $this->assertEquals($result->getEntropyOfFileName(), $entropyOfFileName);
- }
-
- public function dataIsFileExtensionKnown()
- {
- $signatures = FileSignatureList::getSignatures();
- $extensions = [];
- foreach ($signatures as $signature) {
- foreach ($signature['extension'] as $extension) {
- $extensions[] = $extension;
- }
- }
- $tests = [];
-
- foreach ($extensions as $extension) {
- $tests[] = [$extension, true];
- }
- $tests[] = ['WNCRY', false];
-
- return $tests;
- }
-
- /**
- * @dataProvider dataIsFileExtensionKnown
- *
- * @param string $extension
- * @param bool $return
- */
- public function testIsFileExtensionKnown($extension, $return)
- {
- $this->assertEquals($this->invokePrivate($this->fileNameAnalyzer, 'isFileExtensionKnown', [$extension]), $return);
- }
-
- public function testGetFileName()
- {
- $this->assertEquals($this->invokePrivate($this->fileNameAnalyzer, 'getFileName', ['/test/filename.extension']), 'filename.extension');
- }
-
- public function testGetFileExtension()
- {
- $this->assertEquals($this->invokePrivate($this->fileNameAnalyzer, 'getFileExtension', ['filename.extension']), 'extension');
- }
-
- public function testCalculateEntropyOfFileName()
- {
- $this->entropy->method('calculateEntropy')
- ->willReturn('6.00');
- $this->assertEquals($this->invokePrivate($this->fileNameAnalyzer, 'calculateEntropyOfFileName', ['filename.extension']), '6.00');
- }
-}
diff --git a/tests/Unit/Analyzer/FileNameResultTest.php b/tests/Unit/Analyzer/FileNameResultTest.php
deleted file mode 100644
index 5bf5a16..0000000
--- a/tests/Unit/Analyzer/FileNameResultTest.php
+++ /dev/null
@@ -1,70 +0,0 @@
-<?php
-
-/**
- * @copyright Copyright (c) 2017 Matthias Held <matthias.held@uni-konstanz.de>
- * @author Matthias Held <matthias.held@uni-konstanz.de>
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-namespace OCA\RansomwareDetection\tests\Unit\Analyzer;
-
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
-use Test\TestCase;
-
-class FileNameResultTest extends TestCase
-{
- /** @var FileNameResult */
- protected $fileNameResult;
-
- public function setUp()
- {
- parent::setUp();
-
- $this->fileNameResult = new FileNameResult(FileNameResult::NORMAL, true, 3.0);
- }
-
- public function testConstruct()
- {
- $this->assertEquals($this->fileNameResult->getFileNameClass(), FileNameResult::NORMAL);
- $this->assertEquals($this->fileNameResult->isFileExtensionKnown(), true);
- $this->assertEquals($this->fileNameResult->getEntropyOfFileName(), 3.0);
- }
-
- public function testFileNameClass()
- {
- $this->fileNameResult->setFileNameClass(FileNameResult::SUSPICIOUS_FILE_EXTENSION);
- $this->assertEquals($this->fileNameResult->getFileNameClass(), FileNameResult::SUSPICIOUS_FILE_EXTENSION);
- $this->fileNameResult->setFileNameClass(FileNameResult::SUSPICIOUS_FILE_NAME);
- $this->assertEquals($this->fileNameResult->getFileNameClass(), FileNameResult::SUSPICIOUS_FILE_NAME);
- $this->fileNameResult->setFileNameClass(FileNameResult::SUSPICIOUS);
- $this->assertEquals($this->fileNameResult->getFileNameClass(), FileNameResult::SUSPICIOUS);
- }
-
- public function testIsFileExtensionKnown()
- {
- $this->fileNameResult->setFileExtensionKnown(true);
- $this->assertEquals($this->fileNameResult->isFileExtensionKnown(), true);
- $this->fileNameResult->setFileExtensionKnown(false);
- $this->assertEquals($this->fileNameResult->isFileExtensionKnown(), false);
- }
-
- public function testEntropyOfFileName()
- {
- $this->assertEquals($this->fileNameResult->getEntropyOfFileName(), 3.0);
- $this->fileNameResult->setEntropyOfFileName(3.1);
- $this->assertEquals($this->fileNameResult->getEntropyOfFileName(), 3.1);
- }
-}
diff --git a/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php b/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php
index 33e4cc0..e2e0bc1 100644
--- a/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php
+++ b/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php
@@ -23,7 +23,7 @@ namespace OCA\RansomwareDetection\tests\Unit\Analyzer;
use OCA\RansomwareDetection\Monitor;
use OCA\RansomwareDetection\Analyzer\FileTypeFunnellingAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\Db\FileOperation;
use Test\TestCase;
@@ -44,91 +44,91 @@ class FileTypeFunnellingAnalyzerTest extends TestCase
$fileOperation1 = new FileOperation();
$fileOperation1->setCommand(Monitor::WRITE);
$fileOperation1->setOriginalName('file.unknown');
- $fileOperation1->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation1->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation1->setCorrupted(false);
$fileOperation1->setType('file');
$fileOperation11 = new FileOperation();
$fileOperation11->setCommand(Monitor::WRITE);
$fileOperation11->setOriginalName('file.unknown1');
- $fileOperation11->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation11->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation11->setCorrupted(false);
$fileOperation11->setType('file');
$fileOperation12 = new FileOperation();
$fileOperation12->setCommand(Monitor::WRITE);
$fileOperation12->setOriginalName('file.unknown2');
- $fileOperation12->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation12->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation12->setCorrupted(false);
$fileOperation12->setType('file');
$fileOperation13 = new FileOperation();
$fileOperation13->setCommand(Monitor::WRITE);
$fileOperation13->setOriginalName('file.unknown3');
- $fileOperation13->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation13->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation13->setCorrupted(false);
$fileOperation13->setType('file');
$fileOperation14 = new FileOperation();
$fileOperation14->setCommand(Monitor::WRITE);
$fileOperation14->setOriginalName('file.unknown4');
- $fileOperation14->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation14->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation14->setCorrupted(false);
$fileOperation14->setType('file');
$fileOperation15 = new FileOperation();
$fileOperation15->setCommand(Monitor::WRITE);
$fileOperation15->setOriginalName('file.unknown5');
- $fileOperation15->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation15->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation15->setCorrupted(false);
$fileOperation15->setType('file');
$fileOperation16 = new FileOperation();
$fileOperation16->setCommand(Monitor::WRITE);
$fileOperation16->setOriginalName('file.unknown6');
- $fileOperation16->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation16->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation16->setCorrupted(false);
$fileOperation16->setType('file');
$fileOperation2 = new FileOperation();
$fileOperation2->setCommand(Monitor::WRITE);
$fileOperation2->setOriginalName('file.csv');
- $fileOperation2->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation2->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$fileOperation2->setCorrupted(false);
$fileOperation2->setType('file');
$fileOperation3 = new FileOperation();
$fileOperation3->setCommand(Monitor::WRITE);
$fileOperation3->setOriginalName('file.csv');
- $fileOperation3->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation3->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$fileOperation3->setCorrupted(true);
$fileOperation3->setType('file');
$fileOperation4 = new FileOperation();
$fileOperation4->setCommand(Monitor::RENAME);
$fileOperation4->setOriginalName('file.csv');
- $fileOperation4->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation4->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$fileOperation4->setCorrupted(true);
$fileOperation4->setType('file');
$fileOperation5 = new FileOperation();
$fileOperation5->setCommand(Monitor::DELETE);
$fileOperation5->setOriginalName('file.csv');
- $fileOperation5->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation5->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$fileOperation5->setCorrupted(true);
$fileOperation5->setType('file');
$fileOperation6 = new FileOperation();
$fileOperation6->setCommand(100);
$fileOperation6->setOriginalName('file.csv');
- $fileOperation6->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation6->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$fileOperation6->setCorrupted(true);
$fileOperation6->setType('file');
$fileOperation7 = new FileOperation();
$fileOperation7->setCommand(Monitor::READ);
$fileOperation7->setOriginalName('file.unknown');
- $fileOperation7->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation7->setFileExtensionClass(FileExtensionResult::SUSPICIOUS);
$fileOperation7->setCorrupted(false);
$fileOperation7->setType('file');
// not a sequence
diff --git a/tests/Unit/ClassifierTest.php b/tests/Unit/ClassifierTest.php
index e9b7f38..43b9dcd 100644
--- a/tests/Unit/ClassifierTest.php
+++ b/tests/Unit/ClassifierTest.php
@@ -23,7 +23,7 @@ namespace OCA\RansomwareDetection\tests\Unit;
use OCA\RansomwareDetection\Monitor;
use OCA\RansomwareDetection\Analyzer\EntropyResult;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\Classifier;
use OCA\RansomwareDetection\Db\FileOperationMapper;
use OCA\RansomwareDetection\Service\FileOperationService;
@@ -59,54 +59,52 @@ class ClassifierTest extends TestCase
public function dataClassifyFile()
{
return [
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::LOW_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::NORMAL, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_EXTENSION, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS_FILE_NAME, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
- ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileNameClass' => FileNameResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::WRITE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::READ, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NO_INFORMATION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::DELETE, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::ENCRYPTED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::HIGH_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::COMPRESSED, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::NOT_SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
+ ['command' => Monitor::RENAME, 'fileClass' => EntropyResult::NORMAL, 'fileExtensionClass' => FileExtensionResult::SUSPICIOUS, 'suspicionClass' => Classifier::NOT_SUSPICIOUS],
];
}
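Review bot: The rewritten `dataClassifyFile` provider keeps three identical `FileExtensionResult::SUSPICIOUS` rows for almost every command/fileClass pair, left over from mapping the three old `FileNameResult` suspicious classes onto one constant; they run the same case three times, and one `NOT_SUSPICIOUS` plus one `SUSPICIOUS` row per pair gives the same coverage (the `WRITE`/`NORMAL` pair was already reduced to two rows, the others were not). The table also pins `EntropyResult::ENCRYPTED` with a known extension to `Classifier::NOT_SUSPICIOUS` for write, delete and rename, and the old `SUSPICIOUS_FILE_NAME` rows that gave such a file `MIDDLE_LEVEL_OF_SUSPICION` when its name had high entropy have no counterpart. If that reduction in detection coverage is intended, a comment above the return such as `// encrypted content under a known extension is deliberately NOT_SUSPICIOUS; name entropy is no longer evaluated` would record it for the next maintainer.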
@@ -115,15 +113,15 @@ class ClassifierTest extends TestCase
*
* @param int $command
* @param int $fileClass
- * @param int $fileNameClass
+ * @param int $fileExtensionClass
* @param int $suspicionClass
*/
- public function testClassifyFile($command, $fileClass, $fileNameClass, $suspicionClass)
+ public function testClassifyFile($command, $fileClass, $fileExtensionClass, $suspicionClass)
{
$fileOperation = new FileOperation();
$fileOperation->setCommand($command);
$fileOperation->setFileClass($fileClass);
- $fileOperation->setFileNameClass($fileNameClass);
+ $fileOperation->setFileExtensionClass($fileExtensionClass);
$result = $this->classifier->classifyFile($fileOperation);
$this->assertEquals($result->getSuspicionClass(), $suspicionClass);
diff --git a/tests/Unit/Controller/ScanControllerTest.php b/tests/Unit/Controller/ScanControllerTest.php
index 30a6e62..6c971c3 100644
--- a/tests/Unit/Controller/ScanControllerTest.php
+++ b/tests/Unit/Controller/ScanControllerTest.php
@@ -31,8 +31,8 @@ use OCA\RansomwareDetection\Analyzer\EntropyFunnellingAnalyzer;
use OCA\RansomwareDetection\Analyzer\EntropyAnalyzer;
use OCA\RansomwareDetection\Analyzer\EntropyResult;
use OCA\RansomwareDetection\Analyzer\FileCorruptionAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\AppInfo\Application;
use OCA\RansomwareDetection\Controller\ScanController;
use OCA\RansomwareDetection\Db\FileOperation;
@@ -86,8 +86,8 @@ class ScanControllerTest extends TestCase
/** @var FileCorruptionAnalyzer|\PHPUnit_Framework_MockObject_MockObject */
protected $fileCorruptionAnalyzer;
- /** @var FileNameAnalyzer|\PHPUnit_Framework_MockObject_MockObject */
- protected $fileNameAnalyzer;
+ /** @var FileExtensionAnalyzer|\PHPUnit_Framework_MockObject_MockObject */
+ protected $fileExtensionAnalyzer;
/** @var IDBConnection|\PHPUnit_Framework_MockObject_MockObject */
protected $connection;
@@ -139,7 +139,7 @@ class ScanControllerTest extends TestCase
$this->fileCorruptionAnalyzer = $this->getMockBuilder('OCA\RansomwareDetection\Analyzer\FileCorruptionAnalyzer')
->setConstructorArgs([$this->logger, $rootFolder, $this->userId])
->getMock();
- $this->fileNameAnalyzer = $this->getMockBuilder('OCA\RansomwareDetection\Analyzer\FileNameAnalyzer')
+ $this->fileExtensionAnalyzer = $this->getMockBuilder('OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer')
->setConstructorArgs([$this->logger, $entropy])
->getMock();
}
@@ -173,7 +173,7 @@ class ScanControllerTest extends TestCase
$controller = $this->getMockBuilder(ScanController::class)
->setConstructorArgs(['ransomware_detection', $this->request, $this->userSession, $this->config, $this->classifier,
$this->logger, $this->folder, $this->service, $this->sequenceAnalyzer, $this->entropyAnalyzer,
- $this->fileCorruptionAnalyzer, $this->fileNameAnalyzer, $this->connection, $this->userId])
+ $this->fileCorruptionAnalyzer, $this->fileExtensionAnalyzer, $this->connection, $this->userId])
->setMethods(['deleteFromStorage', 'restoreFromTrashbin'])
->getMock();
@@ -195,7 +195,7 @@ class ScanControllerTest extends TestCase
$controller = $this->getMockBuilder(ScanController::class)
->setConstructorArgs(['ransomware_detection', $this->request, $this->userSession, $this->config, $this->classifier,
$this->logger, $this->folder, $this->service, $this->sequenceAnalyzer, $this->entropyAnalyzer,
- $this->fileCorruptionAnalyzer, $this->fileNameAnalyzer, $this->connection, $this->userId])
+ $this->fileCorruptionAnalyzer, $this->fileExtensionAnalyzer, $this->connection, $this->userId])
->setMethods(['getStorageStructure', 'getTrashStorageStructure', 'getLastActivity'])
->getMock();
@@ -231,9 +231,8 @@ class ScanControllerTest extends TestCase
$fileOperation1->setSequence(1);
$fileOperation1->setEntropy(7.9);
$fileOperation1->setStandardDeviation(0.1);
- $fileOperation1->setFileNameEntropy(4.0);
$fileOperation1->setFileClass(EntropyResult::NORMAL);
- $fileOperation1->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation1->setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS);
$fileOperation1->setSuspicionClass(Classifier::HIGH_LEVEL_OF_SUSPICION);
$sequenceResult = new SequenceResult(1, 0.0, 1.1, 2.2, 4.5, []);
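Review bot: The fixture on the new `setFileExtensionClass(FileExtensionResult::NOT_SUSPICIOUS)` line is paired with `EntropyResult::NORMAL` above it and `Classifier::HIGH_LEVEL_OF_SUSPICION` below it. The ClassifierTest data provider in this same commit maps that pair to `Classifier::NOT_SUSPICIOUS`, at least for `Monitor::RENAME`; the command set on `$fileOperation1` is outside the hunk. If the values are only passed through by the controller, a short comment such as `// hand-built fixture: class values are not derived from the classifier` would keep a reader from taking this as a valid detection outcome. Otherwise pick a combination the classifier can actually produce. The test method starts and ends outside the hunk.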
@@ -257,7 +256,7 @@ class ScanControllerTest extends TestCase
$controller = $this->getMockBuilder(ScanController::class)
->setConstructorArgs(['ransomware_detection', $this->request, $this->userSession, $this->config, $this->classifier,
$this->logger, $this->folder, $this->service, $this->sequenceAnalyzer, $this->entropyAnalyzer,
- $this->fileCorruptionAnalyzer, $this->fileNameAnalyzer, $this->connection, $this->userId])
+ $this->fileCorruptionAnalyzer, $this->fileExtensionAnalyzer, $this->connection, $this->userId])
->setMethods(['getLastActivity', 'buildFileOperation'])
->getMock();
diff --git a/tests/Unit/Db/FileOperationTest.php b/tests/Unit/Db/FileOperationTest.php
index 9a86ea9..d5581cb 100644
--- a/tests/Unit/Db/FileOperationTest.php
+++ b/tests/Unit/Db/FileOperationTest.php
@@ -23,7 +23,7 @@ namespace OCA\RansomwareDetection\tests\Unit\Db;
use OCA\RansomwareDetection\Monitor;
use OCA\RansomwareDetection\Analyzer\EntropyResult;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\Classifier;
use OCA\RansomwareDetection\Db\FileOperation;
use Test\TestCase;
@@ -59,14 +59,11 @@ class FileOperationTest extends TestCase
['field' => 'sequence', 'value' => 1],
['field' => 'entropy', 'value' => 7.99],
['field' => 'standardDeviation', 'value' => 0.004],
- ['field' => 'fileNameEntropy', 'value' => 4.0],
['field' => 'fileClass', 'value' => EntropyResult::NORMAL],
['field' => 'fileClass', 'value' => EntropyResult::ENCRYPTED],
['field' => 'fileClass', 'value' => EntropyResult::COMPRESSED],
- ['field' => 'fileNameClass', 'value' => FileNameResult::NORMAL],
- ['field' => 'fileNameClass', 'value' => FileNameResult::SUSPICIOUS_FILE_EXTENSION],
- ['field' => 'fileNameClass', 'value' => FileNameResult::SUSPICIOUS_FILE_NAME],
- ['field' => 'fileNameClass', 'value' => FileNameResult::SUSPICIOUS],
+ ['field' => 'fileExtensionClass', 'value' => FileExtensionResult::NOT_SUSPICIOUS],
+ ['field' => 'fileExtensionClass', 'value' => FileExtensionResult::SUSPICIOUS],
['field' => 'suspicionClass', 'value' => Classifier::NO_INFORMATION],
['field' => 'suspicionClass', 'value' => Classifier::NOT_SUSPICIOUS],
['field' => 'suspicionClass', 'value' => Classifier::MIDDLE_LEVEL_OF_SUSPICION],
diff --git a/tests/Unit/MonitorTest.php b/tests/Unit/MonitorTest.php
index 6047729..50daee7 100644
--- a/tests/Unit/MonitorTest.php
+++ b/tests/Unit/MonitorTest.php
@@ -23,8 +23,8 @@ namespace OCA\RansomwareDetection\tests\Unit;
use OCA\RansomwareDetection\Monitor;
use OCA\RansomwareDetection\Analyzer\EntropyAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameAnalyzer;
-use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Analyzer\FileExtensionAnalyzer;
+use OCA\RansomwareDetection\Analyzer\FileExtensionResult;
use OCA\RansomwareDetection\Analyzer\FileCorruptionAnalyzer;
use OCA\RansomwareDetection\Analyzer\FileCorruptionResult;
use OCA\RansomwareDetection\Analyzer\EntropyResult;
@@ -69,8 +69,8 @@ class MonitorTest extends TestCase
/** @var FileOperationMapper|\PHPUnit_Framework_MockObject_MockObject */
protected $mapper;
- /** @var FileNameAnalyzer|\PHPUnit_Framework_MockObject_MockObject */
- protected $fileNameAnalyzer;
+ /** @var FileExtensionAnalyzer|\PHPUnit_Framework_MockObject_MockObject */
+ protected $fileExtensionAnalyzer;
/** @var FileCorruptionAnalyzer|\PHPUnit_Framework_MockObject_MockObject */
protected $fileCorruptionAnalyzer;
@@ -90,7 +90,7 @@ class MonitorTest extends TestCase
$this->rootFolder = $this->createMock(IRootFolder::class);
$this->entropyAnalyzer = $this->createMock(EntropyAnalyzer::class);
$this->mapper = $this->createMock(FileOperationMapper::class);
- $this->fileNameAnalyzer = $this->createMock(FileNameAnalyzer::class);
+ $this->fileExtensionAnalyzer = $this->createMock(FileExtensionAnalyzer::class);
$this->fileCorruptionAnalyzer = $this->createMock(FileCorruptionAnalyzer::class);
}
@@ -120,7 +120,7 @@ class MonitorTest extends TestCase
$monitor = $this->getMockBuilder(Monitor::class)
->setConstructorArgs([$this->request, $this->config, $this->time,
$this->appManager, $this->logger, $this->rootFolder,
- $this->entropyAnalyzer, $this->mapper, $this->fileNameAnalyzer,
+ $this->entropyAnalyzer, $this->mapper, $this->fileExtensionAnalyzer,
$this->fileCorruptionAnalyzer, $this->userId])
->setMethods(['isUploadedFile', 'isCreatingSkeletonFiles', 'classifySequence', 'resetProfindCount', 'triggerAsyncAnalysis'])
->getMock();
@@ -150,10 +150,10 @@ class MonitorTest extends TestCase
$this->entropyAnalyzer->method('analyze')
->willReturn($entropyResult);
- $fileNameResult = new FileNameResult(FileNameResult::NORMAL, true, 4.0);
+ $fileExtensionResult = new FileExtensionResult(FileExtensionResult::NOT_SUSPICIOUS, true, 4.0);
- $this->fileNameAnalyzer->method('analyze')
- ->willReturn($fileNameResult);
+ $this->fileExtensionAnalyzer->method('analyze')
+ ->willReturn($fileExtensionResult);
$this->request->method('isUserAgent')
->willReturn($userAgent);
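Review bot: The new `new FileExtensionResult(FileExtensionResult::NOT_SUSPICIOUS, true, 4.0)` keeps the second and third arguments of the old `FileNameResult` call unchanged. The `4.0` matches the file-name entropy value this commit removes elsewhere (`setFileNameEntropy(4.0)` is dropped in ScanControllerTest), so it looks like a leftover. The `FileExtensionResult` constructor is not visible here, but if it now accepts only the class, PHP silently discards the extra arguments and the test keeps passing while implying that entropy is still part of the result. In that case reduce the call to `new FileExtensionResult(FileExtensionResult::NOT_SUSPICIOUS);`. The enclosing test method starts and ends outside the hunk.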
@@ -203,7 +203,7 @@ class MonitorTest extends TestCase
$monitor = $this->getMockBuilder(Monitor::class)
->setConstructorArgs([$this->request, $this->config, $this->time,
$this->appManager, $this->logger, $this->rootFolder,
- $this->entropyAnalyzer, $this->mapper, $this->fileNameAnalyzer,
+ $this->entropyAnalyzer, $this->mapper, $this->fileExtensionAnalyzer,
$this->fileCorruptionAnalyzer, $this->userId])
->setMethods(['isUploadedFile', 'isCreatingSkeletonFiles', 'triggerAsyncAnalysis', 'resetProfindCount'])
->getMock();
@@ -280,7 +280,7 @@ class MonitorTest extends TestCase
$monitor = new Monitor($this->request, $this->config, $this->time,
$this->appManager, $this->logger, $this->rootFolder,
- $this->entropyAnalyzer, $this->mapper, $this->fileNameAnalyzer,
+ $this->entropyAnalyzer, $this->mapper, $this->fileExtensionAnalyzer,
$this->fileCorruptionAnalyzer, $this->userId);
$node = $this->createMock(File::class);
@@ -324,7 +324,7 @@ class MonitorTest extends TestCase
$monitor = new Monitor($this->request, $this->config, $this->time,
$this->appManager, $this->logger, $this->rootFolder,
- $this->entropyAnalyzer, $this->mapper, $this->fileNameAnalyzer,
+ $this->entropyAnalyzer, $this->mapper, $this->fileExtensionAnalyzer,
$this->fileCorruptionAnalyzer, $this->userId);
$node = $this->createMock(Folder::class);
@@ -367,7 +367,7 @@ class MonitorTest extends TestCase
{
$monitor = new Monitor($this->request, $this->config, $this->time,
$this->appManager, $this->logger, $this->rootFolder,
- $this->entropyAnalyzer, $this->mapper, $this->fileNameAnalyzer,
+ $this->entropyAnalyzer, $this->mapper, $this->fileExtensionAnalyzer,
$this->fileCorruptionAnalyzer, $this->userId);
$isUploadedFile = self::getMethod('isUploadedFile');
@@ -379,7 +379,7 @@ class MonitorTest extends TestCase
{
$monitor = new Monitor($this->request, $this->config, $this->time,
$this->appManager, $this->logger, $this->rootFolder,
- $this->entropyAnalyzer, $this->mapper, $this->fileNameAnalyzer,
+ $this->entropyAnalyzer, $this->mapper, $this->fileExtensionAnalyzer,
$this->fileCorruptionAnalyzer, $this->userId);
$isCreateingSkeletonFiles = self::getMethod('isCreatingSkeletonFiles');