ai_root_shield 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f124192172da4bb34ee0ec2c385049a4c25de229d2e14fc1df4a5459f2dab1a
-  data.tar.gz: e2bf7708d0ea5c292b04ba932d9537a3982554493959161ae09f6deb8997ef78
+  metadata.gz: f0d354e66eecc271bd43c8ac6625c186a3aa38789ac19abbe5eabc0bf4fc1641
+  data.tar.gz: f2ce01ca5f411532737549e534db15dd1be0f942c3ef3427e1685a4fe7c964da
 SHA512:
-  metadata.gz: 0c3d53358069b9c79ca803256d41972e9390662d300033377127f7bf8e5ec6500147e0cdd4d742310a439943a00b2e1c78c58e2484d3f1cb98b21be6703c8d00
-  data.tar.gz: a2997cb19587cb3a49270252407b4f3c002c6af9de81801fba5697494d6cd232b268dd35814fd455106c8dbe65c37d1840197eb71d7d345ceba7ffb804988622
+  metadata.gz: 05e5cfacfef14284c46aa5dbc7ae33ae5a1f70a5262c6341de8b22e968feb71c4e2f91385672d3032ea02e47ab1d21d504dfe4c0a3bb2134b9807aaea7647554
+  data.tar.gz: 0cc0cd97dab91107681bbbe04951f8c966a23de3e35965e8ed0d50afba5212133c2ef41b569560000c73b2b9ee22b869d22994ed73ca57749e1345c09a36e89d

data/CHANGELOG.md

@@ -8,11 +8,62 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
-- AI behavioral analysis integration (ONNX model support)
 - Enhanced hooking detection for iOS method swizzling
 - Real-time threat monitoring capabilities
 - Custom rule engine for security policies
 
+## [0.3.0] - 2024-01-03
+
+### Added
+- 🛡️ **RASP Protection**: Runtime Application Self-Protection with real-time threat blocking
+- 🛡️ **Anti-Debug Mechanisms**: Ptrace, GDB, LLDB detection and blocking
+- 🛡️ **Anti-Tamper Protection**: Code integrity and memory patch detection
+- 🛡️ **Dynamic Memory Protection**: Frida injection hook mitigation
+- 🛡️ **Runtime Integrity Monitor**: Critical function hash validation
+- 🛡️ **Real-Time Event Reporting**: Instant alerts for security violations
+- CLI RASP support with `--enable-rasp` and `--rasp-time` options
+- Comprehensive RASP test suite with 69 passing tests
+- Process monitoring for debugger detection
+- Memory map analysis for injection detection
+- Code integrity hash validation
+- Event callback system for real-time alerts
+
+### Changed
+- Enhanced CLI with RASP protection options
+- Updated main library interface with RASP methods
+- Improved error handling and protection status reporting
+
+### Dependencies
+- Added `fiddle` for low-level system interactions (Ruby standard library)
+
+## [0.2.0] - 2024-01-02
+
+### Added
+- 🤖 **AI Behavioral Analysis**: ONNX-powered behavioral pattern analysis with anomaly detection
+- 🤖 **ML-Based Emulator Detection**: Advanced machine learning techniques for emulator identification
+- 🤖 **AI Confidence Scoring**: Confidence metrics integrated into risk assessment
+- File access pattern analysis with entropy calculation
+- Sensor data consistency validation
+- Hardware fingerprinting with advanced characteristics
+- Process behavior monitoring and analysis
+- Network pattern analysis for anomaly detection
+- Timing analysis for attack indicator detection
+- System call entropy analysis
+- Memory access pattern monitoring
+- ONNX runtime integration with fallback to rule-based analysis
+- AI confidence weighting in overall risk calculation
+- Comprehensive behavioral analysis test suite
+
+### Changed
+- Updated risk calculator to incorporate AI confidence metrics
+- Enhanced detector to support AI behavioral analysis
+- Improved CLI with AI-specific configuration options
+- Updated documentation with AI behavioral analysis features
+
+### Dependencies
+- Added `onnxruntime` for AI model inference
+- Added `numo-narray` for numerical computations
+
 ## [0.1.0] - 2024-09-09
 
 ### Added

data/Gemfile.lock

@@ -1,9 +1,11 @@
 PATH
   remote: .
   specs:
-    ai_root_shield (0.1.0)
+    ai_root_shield (0.3.0)
       digest (~> 3.1)
       json (~> 2.6)
+      numo-narray (~> 0.9)
+      onnxruntime (~> 0.7)
       openssl (~> 3.0)
 
 GEM
@@ -14,10 +16,17 @@ GEM
     diff-lcs (1.6.2)
     digest (3.2.0)
     docile (1.4.1)
+    ffi (1.17.2)
+    ffi (1.17.2-arm64-darwin)
     json (2.13.2)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     method_source (1.1.0)
+    numo-narray (0.9.2.1)
+    onnxruntime (0.10.0)
+      ffi
+    onnxruntime (0.10.0-arm64-darwin)
+      ffi
     openssl (3.3.0)
     parallel (1.27.0)
     parser (3.3.9.0)

data/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 AI Root Shield
+Copyright (c) 2025 AhmetXHero
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -10,17 +10,26 @@
 
 An AI-powered Ruby library that performs comprehensive on-device compromise detection for mobile applications without requiring a backend. Protects against root/jailbreak, emulators, hooking frameworks, and provides behavioral risk analysis.
 
-## 🚀 Features
-
-- **Root & Jailbreak Detection**: Detects binaries, file system anomalies, SELinux states (Android), DYLD injections (iOS), and system property manipulation
-- **Emulator/Simulator Detection**: Identifies QEMU drivers, missing baseband, sensor entropy anomalies, and virtualized environments
-- **Hooking & Instrumentation Detection**: Flags Frida gadgets, Magisk modules, Xposed frameworks, method swizzling, and debugger attachments
-- **Repackaging & Integrity Checks**: Validates code signatures, DEX hashes, app bundle integrity, and tamper indicators
-- **Network Security Analysis**: Provides TLS pinning helpers and detects custom CA injections or MITM proxies
-- **AI Behavioral Analysis**: Ready for lightweight ONNX model integration for behavioral risk scoring
-- **Offline & Privacy-Preserving**: Works fully offline, requires no cloud connectivity, and collects no PII
-
-## 📦 Installation
+## Features
+
+- **Root & Jailbreak Detection**: Comprehensive detection of rooted Android devices and jailbroken iOS devices
+- **Emulator/Simulator Detection**: Identifies virtual devices, emulators, and simulators
+- **Hooking Framework Detection**: Detects Frida, Xposed, Substrate, and other instrumentation tools
+- **Application Integrity Checks**: Validates app signatures and detects repackaging/tampering
+- **Network Security Analysis**: Identifies TLS issues, custom CAs, and MITM tools
+- **🆕 RASP Protection**: Runtime Application Self-Protection with real-time threat blocking
+- **🆕 Anti-Debug Mechanisms**: Ptrace, GDB, LLDB detection and blocking
+- **🆕 Anti-Tamper Protection**: Code integrity and memory patch detection
+- **🆕 Dynamic Memory Protection**: Frida injection hook mitigation
+- **🆕 Runtime Integrity Monitor**: Critical function hash validation
+- **AI Behavioral Analysis**: ONNX-powered behavioral pattern analysis with anomaly detection
+- **ML-Based Emulator Detection**: Advanced machine learning techniques for emulator identification
+- **AI Confidence Scoring**: Confidence metrics integrated into risk assessment
+- **Risk Scoring System**: Comprehensive risk assessment with weighted factors (0-100 scale)
+- **CLI Tool**: Command-line interface with multiple output formats
+- **Privacy-First**: Completely offline, no data collection or external dependencies
+
+## Installation
 
 Add this line to your application's Gemfile:
 
@@ -40,7 +49,7 @@ Or install it yourself as:
 $ gem install ai_root_shield
 ```
 
-## 🔧 Usage
+## Usage
 
 ### Basic Usage
 
@@ -64,7 +73,9 @@ config = {
   enable_hooking_detection: true,
   enable_integrity_checks: true,
   enable_network_analysis: true,
-  risk_threshold: 70
+  enable_ai_behavioral_analysis: true,  # v0.2.0
+  risk_threshold: 70,
+  ai_confidence_threshold: 0.7  # v0.2.0
 }
 
 result = AiRootShield.scan_device_with_config("device_logs/sample.json", config)
@@ -96,7 +107,81 @@ $ ai_root_shield --no-emulator --no-network device_logs/sample.json
 $ ai_root_shield --help
 ```
 
-## 📊 Risk Scoring
+## AI Behavioral Analysis (New in v0.2.0)
+
+AI Root Shield now includes advanced behavioral analysis powered by ONNX machine learning models:
+
+### Features
+- **File Access Pattern Analysis**: Detects unusual file system access patterns
+- **Sensor Data Consistency**: Validates sensor data against real device behavior
+- **Hardware Fingerprinting**: Advanced hardware characteristic analysis
+- **Process Behavior Analysis**: Monitors process execution patterns
+- **Network Pattern Analysis**: Analyzes network behavior for anomalies
+- **Timing Analysis**: Detects timing-based attack indicators
+- **System Call Entropy**: Analyzes system call distribution patterns
+- **Memory Access Patterns**: Monitors memory usage behavior
+
+### ONNX Model Integration
+
+Place your trained ONNX model at `models/behavioral_model.onnx` for AI-powered analysis. The system falls back to rule-based analysis if no model is available.
+
+```ruby
+# AI analysis is automatically enabled
+result = AiRootShield.scan_device('device_logs.json')
+puts "AI Confidence: #{result[:ai_confidence]}"
+puts "ML Emulator Score: #{result[:ml_emulator_score]}"
+```
+
+## RASP Protection (New in v0.3.0)
+
+Runtime Application Self-Protection provides real-time threat detection and blocking:
+
+### Features
+- **Anti-Debug Protection**: Detects and blocks ptrace, GDB, LLDB, and other debuggers
+- **Anti-Tamper Protection**: Monitors code integrity and detects memory patches
+- **Dynamic Memory Protection**: Prevents Frida injection and hook attempts
+- **Runtime Integrity Monitor**: Validates critical function hashes in real-time
+- **Real-Time Event Reporting**: Instant alerts for security violations
+
+### Usage
+
+```ruby
+# Start RASP protection
+rasp = AiRootShield.start_rasp_protection(
+  enable_anti_debug: true,
+  enable_anti_tamper: true,
+  enable_memory_protection: true,
+  enable_integrity_monitor: true,
+  enable_real_time_alerts: true,
+  protection_interval: 1.0
+)
+
+# Register event callback
+rasp.on_rasp_event do |event|
+  puts "[RASP] #{event[:type]}: #{event[:message]}"
+  # Take action based on threat type
+end
+
+# Check protection status
+status = rasp.protection_status
+puts "RASP Active: #{status[:active]}"
+puts "Events Detected: #{status[:events_detected]}"
+
+# Stop protection when done
+AiRootShield.stop_rasp_protection
+```
+
+### CLI RASP Support
+
+```bash
+# Enable RASP protection during scan
+$ ai_root_shield --enable-rasp --rasp-time 10 --verbose device_logs.json
+
+# Monitor for 30 seconds with RASP
+$ ai_root_shield --enable-rasp --rasp-time 30 device_logs.json
+```
+
+## Risk Scoring
 
 The library provides a comprehensive risk score (0-100) based on detected security factors:
 
@@ -115,7 +200,35 @@ The library provides a comprehensive risk score (0-100) based on detected securi
 | Integrity | `REPACKAGED_APP`, `DEX_TAMPERED` | Medium (10-18) |
 | Network | `TLS_UNPINNED`, `MITM_PROXY_DETECTED` | Medium (8-18) |
 
-## 📋 Device Log Format
+## Device Log Format
+
+The library expects device logs in JSON format with the following structure:
+
+```json
+{
+  "risk_score": 85,
+  "factors": [
+    "ROOT_BINARY_DETECTED",
+    "SUPERUSER_APP_INSTALLED",
+    "SELINUX_DISABLED",
+    "EMULATOR_DETECTED",
+    "FRIDA_SERVER_RUNNING",
+    "BEHAVIORAL_ANOMALY_DETECTED",
+    "ML_EMULATOR_CONFIDENCE_HIGH"
+  ],
+  "ai_confidence": 0.92,
+  "ml_emulator_score": 0.87,
+  "anomaly_indicators": [
+    "SUSPICIOUS_FILE_ACCESS_PATTERN",
+    "SENSOR_DATA_INCONSISTENCY",
+    "ABNORMAL_TIMING_PATTERNS"
+  ],
+  "timestamp": 1640995200,
+  "version": "0.3.0"
+}
+```
+
+### Device Log Input Format
 
 The library expects device logs in JSON format with the following structure:
 
@@ -123,22 +236,18 @@ The library expects device logs in JSON format with the following structure:
 {
   "platform": "android",
   "system_info": {
-    "os_version": "Android 11",
-    "kernel_version": "4.19.95-g0123456789ab",
-    "build_fingerprint": "google/flame/flame:11/RQ3A.210905.001/7511028:user/release-keys",
-    "bootloader_status": "unlocked",
-    "selinux_status": "enforcing"
+    "os_version": "11",
+    "api_level": 30,
+    "build_tags": "release-keys"
+  },
+  "hardware_info": {
+    "model": "Pixel 5",
+    "manufacturer": "Google"
   },
-  "installed_packages": [
-    {
-      "name": "com.example.app",
-      "signature": "release-keys"
-    }
-  ],
   "file_system": {
-    "suspicious_files": ["/system/bin/su"],
-    "system_binaries": ["/system/bin/sh"],
-    "writable_system_dirs": []
+    "files": [
+      {"path": "/system/bin/su", "permissions": "755", "owner": "root"}
+    ]
   },
   "running_processes": [
     {

data/exe/ai_root_shield

@@ -1,17 +1,25 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require_relative "../lib/ai_root_shield"
 require "optparse"
 require "json"
+require_relative "../lib/ai_root_shield"
 
-# CLI interface for AI Root Shield
+# Command line interface for AI Root Shield
 class AiRootShieldCLI
   def initialize
     @options = {
-      config: {},
-      output_format: "json",
-      verbose: false
+      format: "json",
+      verbose: false,
+      threshold: 50,
+      enable_root_detection: true,
+      enable_emulator_detection: true,
+      enable_hooking_detection: true,
+      enable_integrity_checks: true,
+      enable_network_analysis: true,
+      enable_ai_behavioral_analysis: true,
+      enable_rasp_protection: false,
+      rasp_monitoring_time: 5
     }
   end
 
@@ -32,8 +40,35 @@ class AiRootShieldCLI
     end
 
     begin
-      result = AiRootShield.scan_device_with_config(device_logs_path, @options[:config])
+      # Start RASP protection if enabled
+      if @options[:enable_rasp_protection]
+        puts "Starting RASP protection..." if @options[:verbose]
+        rasp = AiRootShield.start_rasp_protection(
+          enable_real_time_alerts: @options[:verbose],
+          protection_interval: 0.5
+        )
+        
+        # Set up RASP event logging if verbose
+        if @options[:verbose]
+          rasp.on_rasp_event do |event|
+            puts "[RASP] #{event[:type]}: #{event[:message]}"
+          end
+        end
+        
+        # Monitor for specified time
+        puts "Monitoring with RASP protection for #{@options[:rasp_monitoring_time]} seconds..." if @options[:verbose]
+        sleep(@options[:rasp_monitoring_time])
+      end
+      
+      result = AiRootShield.scan_device_with_config(device_logs_path, @options)
+      
+      # Add RASP status to result if enabled
+      if @options[:enable_rasp_protection] && AiRootShield.rasp_active?
+        result[:rasp_status] = AiRootShield.rasp_protection.protection_status
+      end
+      
       output_result(result)
+      
     rescue AiRootShield::Error => e
       puts "Error: #{e.message}"
       exit 1
@@ -41,6 +76,9 @@ class AiRootShieldCLI
       puts "Unexpected error: #{e.message}"
       puts e.backtrace if @options[:verbose]
       exit 1
+    ensure
+      # Stop RASP protection
+      AiRootShield.stop_rasp_protection if @options[:enable_rasp_protection]
     end
   end
 
@@ -54,7 +92,7 @@ class AiRootShieldCLI
 
       opts.on("-f", "--format FORMAT", ["json", "text", "summary"], 
               "Output format (json, text, summary)") do |format|
-        @options[:output_format] = format
+        @options[:format] = format
       end
 
       opts.on("-v", "--verbose", "Enable verbose output") do
@@ -63,27 +101,39 @@ class AiRootShieldCLI
 
       opts.on("-t", "--threshold SCORE", Integer, 
               "Risk threshold (0-100, default: 50)") do |threshold|
-        @options[:config][:risk_threshold] = threshold
+        @options[:threshold] = threshold
       end
 
       opts.on("--no-root", "Disable root detection") do
-        @options[:config][:enable_root_detection] = false
+        @options[:enable_root_detection] = false
       end
 
       opts.on("--no-emulator", "Disable emulator detection") do
-        @options[:config][:enable_emulator_detection] = false
+        @options[:enable_emulator_detection] = false
       end
 
       opts.on("--no-hooking", "Disable hooking detection") do
-        @options[:config][:enable_hooking_detection] = false
+        @options[:enable_hooking_detection] = false
       end
 
       opts.on("--no-integrity", "Disable integrity checks") do
-        @options[:config][:enable_integrity_checks] = false
+        @options[:enable_integrity_checks] = false
       end
 
       opts.on("--no-network", "Disable network analysis") do
-        @options[:config][:enable_network_analysis] = false
+        @options[:enable_network_analysis] = false
+      end
+
+      opts.on("--no-ai", "Disable AI behavioral analysis") do
+        @options[:enable_ai_behavioral_analysis] = false
+      end
+
+      opts.on("--enable-rasp", "Enable RASP protection during scan") do
+        @options[:enable_rasp_protection] = true
+      end
+
+      opts.on("--rasp-time SECONDS", Integer, "RASP monitoring time in seconds (default: 5)") do |time|
+        @options[:rasp_monitoring_time] = time
       end
 
       opts.on("-h", "--help", "Show this help message") do