author | Matthias Held <ilovemilk@wusa.io> | 2018-06-18 15:14:17 +0300 |
---|---|---|
committer | Matthias Held <ilovemilk@wusa.io> | 2018-06-18 15:14:17 +0300 |
commit | 0d4208bd4934d83654fc3893867b2557546b404a (patch) | |
tree | b6db2416bb0da30e119fdf8ff2120dea7d086481 /tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php | |
parent | 7a756a94ab887209f7ad7ffc6a01e2d16d01bfd4 (diff) |
Add Nextcloud application
Diffstat (limited to 'tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php')
-rw-r--r-- | tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php | 191 |
1 files changed, 191 insertions, 0 deletions
diff --git a/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php b/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php
new file mode 100644
index 0000000..33e4cc0
--- /dev/null
+++ b/tests/Unit/Analyzer/FileTypeFunnellingAnalyzerTest.php
@@ -0,0 +1,191 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2018 Matthias Held <matthias.held@uni-konstanz.de>
+ * @author Matthias Held <matthias.held@uni-konstanz.de>
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\RansomwareDetection\tests\Unit\Analyzer;
+
+use OCA\RansomwareDetection\Monitor;
+use OCA\RansomwareDetection\Analyzer\FileTypeFunnellingAnalyzer;
+use OCA\RansomwareDetection\Analyzer\FileNameResult;
+use OCA\RansomwareDetection\Db\FileOperation;
+use Test\TestCase;
+
+class FileTypeFunnellingAnalyzerTest extends TestCase
+{
+ /** @var FileTypeFunnellingAnalyzer */
+ protected $fileTypeFunnellingAnalyzer;
+
+ public function setUp()
+ {
+ parent::setUp();
+
+ $this->fileTypeFunnellingAnalyzer = new FileTypeFunnellingAnalyzer();
+ }
+
+ public function dataAnalyze()
+ {
+ $fileOperation1 = new FileOperation();
+ $fileOperation1->setCommand(Monitor::WRITE);
+ $fileOperation1->setOriginalName('file.unknown');
+ $fileOperation1->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation1->setCorrupted(false);
+ $fileOperation1->setType('file');
+
+ $fileOperation11 = new FileOperation();
+ $fileOperation11->setCommand(Monitor::WRITE);
+ $fileOperation11->setOriginalName('file.unknown1');
+ $fileOperation11->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation11->setCorrupted(false);
+ $fileOperation11->setType('file');
+
+ $fileOperation12 = new FileOperation();
+ $fileOperation12->setCommand(Monitor::WRITE);
+ $fileOperation12->setOriginalName('file.unknown2');
+ $fileOperation12->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation12->setCorrupted(false);
+ $fileOperation12->setType('file');
+
+ $fileOperation13 = new FileOperation();
+ $fileOperation13->setCommand(Monitor::WRITE);
+ $fileOperation13->setOriginalName('file.unknown3');
+ $fileOperation13->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation13->setCorrupted(false);
+ $fileOperation13->setType('file');
+
+ $fileOperation14 = new FileOperation();
+ $fileOperation14->setCommand(Monitor::WRITE);
+ $fileOperation14->setOriginalName('file.unknown4');
+ $fileOperation14->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation14->setCorrupted(false);
+ $fileOperation14->setType('file');
+
+ $fileOperation15 = new FileOperation();
+ $fileOperation15->setCommand(Monitor::WRITE);
+ $fileOperation15->setOriginalName('file.unknown5');
+ $fileOperation15->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation15->setCorrupted(false);
+ $fileOperation15->setType('file');
+
+ $fileOperation16 = new FileOperation();
+ $fileOperation16->setCommand(Monitor::WRITE);
+ $fileOperation16->setOriginalName('file.unknown6');
+ $fileOperation16->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation16->setCorrupted(false);
+ $fileOperation16->setType('file');
+
+ $fileOperation2 = new FileOperation();
+ $fileOperation2->setCommand(Monitor::WRITE);
+ $fileOperation2->setOriginalName('file.csv');
+ $fileOperation2->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation2->setCorrupted(false);
+ $fileOperation2->setType('file');
+
+ $fileOperation3 = new FileOperation();
+ $fileOperation3->setCommand(Monitor::WRITE);
+ $fileOperation3->setOriginalName('file.csv');
+ $fileOperation3->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation3->setCorrupted(true);
+ $fileOperation3->setType('file');
+
+ $fileOperation4 = new FileOperation();
+ $fileOperation4->setCommand(Monitor::RENAME);
+ $fileOperation4->setOriginalName('file.csv');
+ $fileOperation4->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation4->setCorrupted(true);
+ $fileOperation4->setType('file');
+
+ $fileOperation5 = new FileOperation();
+ $fileOperation5->setCommand(Monitor::DELETE);
+ $fileOperation5->setOriginalName('file.csv');
+ $fileOperation5->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation5->setCorrupted(true);
+ $fileOperation5->setType('file');
+
+ $fileOperation6 = new FileOperation();
+ $fileOperation6->setCommand(100);
+ $fileOperation6->setOriginalName('file.csv');
+ $fileOperation6->setFileNameClass(FileNameResult::NORMAL);
+ $fileOperation6->setCorrupted(true);
+ $fileOperation6->setType('file');
+
+ $fileOperation7 = new FileOperation();
+ $fileOperation7->setCommand(Monitor::READ);
+ $fileOperation7->setOriginalName('file.unknown');
+ $fileOperation7->setFileNameClass(FileNameResult::SUSPICIOUS);
+ $fileOperation7->setCorrupted(false);
+ $fileOperation7->setType('file');
+ // not a sequence
+ $sequence1 = [$fileOperation1];
+ $sequence2 = [$fileOperation1, $fileOperation1];
+ // a sequence
+ $sequence3 = [$fileOperation1, $fileOperation1, $fileOperation1];
+ $sequence4 = [$fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1];
+ $sequence5 = [$fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1];
+ // written files which have all the same unknown file extensions => file type funneling
+ $sequence6 = [$fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1];
+ // written files which have a distinct unknown file extensions => file type funneling
+ $sequence7 = [$fileOperation11, $fileOperation12, $fileOperation13, $fileOperation14, $fileOperation15, $fileOperation16];
+ // written files have a unknown file extensions => file type funneling
+ $sequence8 = [$fileOperation1, $fileOperation1, $fileOperation1, $fileOperation1, $fileOperation12, $fileOperation13];
+ // all written files have known extensions
+ $sequence9 = [$fileOperation2, $fileOperation2, $fileOperation2, $fileOperation2, $fileOperation2, $fileOperation2];
+ // Only delete and rename => no file type funneling
+ $sequence10 = [$fileOperation4, $fileOperation4, $fileOperation5, $fileOperation5, $fileOperation4, $fileOperation5];
+ // unkown command => no file type funneling
+ $sequence11 = [$fileOperation6, $fileOperation6, $fileOperation6, $fileOperation6, $fileOperation6, $fileOperation6];
+ // some files are known
+ $sequence12 = [$fileOperation1, $fileOperation2, $fileOperation1, $fileOperation1, $fileOperation1, $fileOperation2, $fileOperation1];
+ // all written files have known extensions but are corrupted
+ $sequence13 = [$fileOperation3, $fileOperation3, $fileOperation3, $fileOperation3, $fileOperation3, $fileOperation3, $fileOperation3];
+ // only read access
+ $sequence14 = [$fileOperation7, $fileOperation7, $fileOperation7, $fileOperation7, $fileOperation7, $fileOperation7, $fileOperation7];
+
+ return [
+ ['sequence' => [], 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence1, 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence2, 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence3, 'fileTypeFunnelingClass' => 2],
+ ['sequence' => $sequence4, 'fileTypeFunnelingClass' => 2],
+ ['sequence' => $sequence5, 'fileTypeFunnelingClass' => 2],
+ ['sequence' => $sequence6, 'fileTypeFunnelingClass' => 2],
+ ['sequence' => $sequence7, 'fileTypeFunnelingClass' => 2],
+ ['sequence' => $sequence8, 'fileTypeFunnelingClass' => 1],
+ ['sequence' => $sequence9, 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence10, 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence11, 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence12, 'fileTypeFunnelingClass' => 0],
+ ['sequence' => $sequence13, 'fileTypeFunnelingClass' => 2],
+ ['sequence' => $sequence14, 'fileTypeFunnelingClass' => 0],
+ ];
+ }
+
+ /**
+ * @dataProvider dataAnalyze
+ *
+ * @param array $sequence
+ * @param int $fileTypeFunnelingClass
+ */
+ public function testAnalyze($sequence, $fileTypeFunnelingClass)
+ {
+ $result = $this->fileTypeFunnellingAnalyzer->analyze($sequence);
+
+ $this->assertEquals($result, $fileTypeFunnelingClass);
+ }
+}
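Review bot: The assertion in `testAnalyze` passes the actual value first and compares loosely, so for the nine provider rows that expect class 0 a `null` or `false` return from `analyze()` would most likely still pass; for a detector whose "nothing found" verdict is 0 that is the case most worth pinning, and `$this->assertSame($fileTypeFunnelingClass, $result);` would do it (assuming `analyze()` returns an int, which this hunk does not show). The rows for `$sequence8` (class 1) and `$sequence12` (class 0, five suspicious writes mixed with two known-extension writes) fix the analyzer's threshold behaviour, but their comments ("written files have a unknown file extensions", "some files are known") do not say why the result differs from `$sequence6`/`$sequence7`; a comment such as `// two known-extension writes among the suspicious ones => below the funnelling threshold, class 0` would record that this boundary is intended. The bare 0/1/2 values would also read better as named class constants if the analyzer defines them.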