diff options
author | Matthias Held <ilovemilk@wusa.io> | 2018-06-18 15:14:17 +0300 |
---|---|---|
committer | Matthias Held <ilovemilk@wusa.io> | 2018-06-18 15:14:17 +0300 |
commit | 0d4208bd4934d83654fc3893867b2557546b404a (patch) | |
tree | b6db2416bb0da30e119fdf8ff2120dea7d086481 /lib/Analyzer/SequenceAnalyzer.php | |
parent | 7a756a94ab887209f7ad7ffc6a01e2d16d01bfd4 (diff) |
Add Nextcloud application
Diffstat (limited to 'lib/Analyzer/SequenceAnalyzer.php')
-rw-r--r-- | lib/Analyzer/SequenceAnalyzer.php | 194 |
1 files changed, 194 insertions, 0 deletions
diff --git a/lib/Analyzer/SequenceAnalyzer.php b/lib/Analyzer/SequenceAnalyzer.php new file mode 100644 index 0000000..35b7c29 --- /dev/null +++ b/lib/Analyzer/SequenceAnalyzer.php @@ -0,0 +1,194 @@ +<?php + +/** + * @copyright Copyright (c) 2018 Matthias Held <matthias.held@uni-konstanz.de> + * @author Matthias Held <matthias.held@uni-konstanz.de> + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +namespace OCA\RansomwareDetection\Analyzer; + +use OCA\RansomwareDetection\Monitor; +use OCA\RansomwareDetection\Classifier; + +class SequenceAnalyzer +{ + /** + * Number of information files. + * + * @var int + */ + const NUMBER_OF_INFO_FILES = 10; + + /** @var SequenceSizeAnalyzer */ + private $sequenceSizeAnalyzer; + + /** @var FileTypeFunnellingAnalyzer */ + private $fileTypeFunnellingAnalyzer; + + /** @var EntropyFunnellingAnalyzer */ + private $entropyFunnellingAnalyzer; + + /** + * SequenceAnalyzer constructor. + * + * @param SequenceSizeAnalyzer $sequenceSizeAnalyzer + * @param FileTypeFunnellingAnalyzer $fileTypeFunnellingAnalyzer + * @param EntropyFunnellingAnalyzer $entropyFunnellingAnalyzer + */ + public function __construct( + SequenceSizeAnalyzer $sequenceSizeAnalyzer, + FileTypeFunnellingAnalyzer $fileTypeFunnellingAnalyzer, + EntropyFunnellingAnalyzer $entropyFunnellingAnalyzer + ) { + $this->sequenceSizeAnalyzer = $sequenceSizeAnalyzer; + $this->fileTypeFunnellingAnalyzer = $fileTypeFunnellingAnalyzer; + $this->entropyFunnellingAnalyzer = $entropyFunnellingAnalyzer; + } + + /** + * The analysis of the sequence is seperated in three parts: + * The analysis: If the same number of files is deletedFilesd as written, + * with the special addition that the number of written files is in the + * range of [number of deletedFilesd files, number of deletedFilesd files + 4]. + * To enhance this analysis the sum of the size of the files deletedFilesd and + * the sum of the size of the written files is compared. + * + * The next part is the analysis of the suspicion levels of the files written. + * Therefor the suspicions levels are weighted: + * High - 1 + * Middle - 0.75 + * Low - 0.5 + * None - 0.25 + * + * summed up and divided by the sum of all written files. The higher the result, + * the higher is the suspicion of the hole sequence. + * + * The last part is the file type funneling analysis. + * + * @param int $sequenceId + * @param array $sequence + * + * @return int The level of suspicion, if a sequence is malicious or not. + */ + public function analyze($sequenceId, $sequence) + { + $sequenceResult = new SequenceResult($sequenceId, 0, 0, 0, 0, $sequence); + if (sizeof($sequence) === 0) { + return $sequenceResult; + } + + $highSuspicionFiles = []; + $middleSuspicionFiles = []; + $lowSuspicionFiles = []; + $noSuspicionFiles = []; + $writtenFiles = []; + $sizeOfWrittenFiles = 0; + $deletedFiles = []; + $sizeOfDeletedFiles = 0; + $suspicionScore = 0; + + foreach ($sequence as $file) { + if ($file->getType() === 'file') { + switch ($file->getCommand()) { + case Monitor::WRITE: + $writtenFiles[] = $file; + $sizeOfWrittenFiles = $sizeOfWrittenFiles + $file->getSize(); + break; + case Monitor::READ: + break; + case Monitor::RENAME: + break; + case Monitor::DELETE: + $deletedFiles[] = $file; + $sizeOfDeletedFiles = $sizeOfDeletedFiles + $file->getSize(); + break; + case Monitor::CREATE: + break; + default: + break; + } + switch ($file->getSuspicionClass()) { + case Classifier::HIGH_LEVEL_OF_SUSPICION: + $highSuspicionFiles[] = $file; + break; + case Classifier::MIDDLE_LEVEL_OF_SUSPICION: + $middleSuspicionFiles[] = $file; + break; + case Classifier::LOW_LEVEL_OF_SUSPICION: + $lowSuspicionFiles[] = $file; + break; + case Classifier::NOT_SUSPICIOUS: + $noSuspicionFiles[] = $file; + break; + case Classifier::NO_INFORMATION: + break; + default: + break; + } + } + } + + // compare files written and files deleted + if (sizeof($writtenFiles) > 0 && sizeof($deletedFiles) > 0) { + $sequenceResult->setSizeWritten($sizeOfWrittenFiles); + $sequenceResult->setSizeDeleted($sizeOfDeletedFiles); + $upperBound = sizeof($deletedFiles) + self::NUMBER_OF_INFO_FILES; + if (sizeof($writtenFiles) <= $upperBound && sizeof($writtenFiles) >= sizeof($deletedFiles)) { + if ($this->sequenceSizeAnalyzer->analyze($sequence) == SequenceSizeAnalyzer::EQUAL_SIZE) { + $sequenceResult->setQuantities(2); + $suspicionScore += 2; + } else { + $sequenceResult->setQuantities(1); + $suspicionScore += 1; + } + } + } + + $numberOfWrittenFiles = sizeof($highSuspicionFiles) + sizeof($middleSuspicionFiles) + + sizeof($lowSuspicionFiles) + sizeof($noSuspicionFiles); + + // remove info files from the weight + $numberOfInfoFiles = self::NUMBER_OF_INFO_FILES; + if (sizeof($noSuspicionFiles) < self::NUMBER_OF_INFO_FILES) { + $numberOfInfoFiles = sizeof($noSuspicionFiles); + } + + // weight the suspicion levels. + $suspicionSum = (sizeof($highSuspicionFiles) * 1) + (sizeof($middleSuspicionFiles) * 0.75) + + (sizeof($lowSuspicionFiles) * 0.5) + ((sizeof($noSuspicionFiles) - $numberOfInfoFiles) * 0.25); + + // check for division by zero. + if (($numberOfWrittenFiles - $numberOfInfoFiles) > 0) { + $sequenceResult->setFileSuspicion($suspicionSum / ($numberOfWrittenFiles - $numberOfInfoFiles)); + $suspicionScore += $suspicionSum / ($numberOfWrittenFiles - $numberOfInfoFiles); + } + + // entropy funnelling + $entropyFunnelling = $this->entropyFunnellingAnalyzer->analyze($deletedFiles, $writtenFiles); + $sequenceResult->setEntropyFunnelling($entropyFunnelling); + $suspicionScore += $entropyFunnelling->getEntropyFunnelling(); + + // check for file type funneling + $fileTypeFunnelling = $this->fileTypeFunnellingAnalyzer->analyze($sequence); + $sequenceResult->setFileTypeFunnelling($fileTypeFunnelling); + $suspicionScore += $fileTypeFunnelling; + + $sequenceResult->setSuspicionScore($suspicionScore); + + return $sequenceResult; + } +} |