ai_root_shield 0.1.0 → 0.3.0

data/lib/ai_root_shield/ai_behavioral_analyzer.rb

@@ -0,0 +1,512 @@
+# frozen_string_literal: true
+
+require "onnxruntime"
+require "numo/narray"
+
+module AiRootShield
+  # AI-powered behavioral analysis using ONNX models
+  class AiBehavioralAnalyzer
+    DEFAULT_MODEL_PATH = File.join(__dir__, "..", "..", "models", "behavioral_model.onnx")
+    
+    # Feature indices for the ML model
+    FEATURE_INDICES = {
+      file_access_entropy: 0,
+      sensor_consistency_score: 1,
+      hardware_fingerprint_score: 2,
+      process_behavior_score: 3,
+      network_pattern_score: 4,
+      timing_analysis_score: 5,
+      system_call_entropy: 6,
+      memory_access_pattern: 7
+    }.freeze
+
+    def initialize(model_path: nil)
+      @model_path = model_path || DEFAULT_MODEL_PATH
+      @model = nil
+      @confidence_threshold = 0.7
+      load_model if File.exist?(@model_path)
+    end
+
+    # Perform AI behavioral analysis on device data
+    # @param device_data [Hash] Parsed device data
+    # @return [Hash] Analysis result with AI confidence and behavioral factors
+    def analyze(device_data)
+      return fallback_analysis(device_data) unless @model
+
+      features = extract_behavioral_features(device_data)
+      prediction = run_inference(features)
+      
+      {
+        ai_confidence: prediction[:confidence],
+        behavioral_risk_score: prediction[:risk_score],
+        behavioral_factors: prediction[:factors],
+        anomaly_indicators: detect_anomalies(device_data, features),
+        ml_emulator_score: calculate_ml_emulator_score(features)
+      }
+    end
+
+    private
+
+    def load_model
+      begin
+        @model = OnnxRuntime::Model.new(@model_path)
+      rescue => e
+        puts "Warning: Could not load ONNX model at #{@model_path}: #{e.message}"
+        @model = nil
+      end
+    end
+
+    def extract_behavioral_features(device_data)
+      features = Numo::SFloat.zeros(FEATURE_INDICES.size)
+      
+      # File access pattern entropy
+      features[FEATURE_INDICES[:file_access_entropy]] = calculate_file_access_entropy(device_data)
+      
+      # Sensor data consistency
+      features[FEATURE_INDICES[:sensor_consistency_score]] = calculate_sensor_consistency(device_data)
+      
+      # Hardware fingerprint score
+      features[FEATURE_INDICES[:hardware_fingerprint_score]] = calculate_hardware_fingerprint_score(device_data)
+      
+      # Process behavior analysis
+      features[FEATURE_INDICES[:process_behavior_score]] = analyze_process_behavior(device_data)
+      
+      # Network pattern analysis
+      features[FEATURE_INDICES[:network_pattern_score]] = analyze_network_patterns(device_data)
+      
+      # Timing analysis
+      features[FEATURE_INDICES[:timing_analysis_score]] = analyze_timing_patterns(device_data)
+      
+      # System call entropy
+      features[FEATURE_INDICES[:system_call_entropy]] = calculate_system_call_entropy(device_data)
+      
+      # Memory access patterns
+      features[FEATURE_INDICES[:memory_access_pattern]] = analyze_memory_patterns(device_data)
+      
+      features
+    end
+
+    def calculate_file_access_entropy(device_data)
+      file_accesses = extract_file_accesses(device_data)
+      return 0.0 if file_accesses.empty?
+      
+      # Calculate Shannon entropy of file access patterns
+      access_counts = file_accesses.group_by(&:itself).transform_values(&:size)
+      total_accesses = file_accesses.size.to_f
+      
+      entropy = access_counts.values.reduce(0.0) do |sum, count|
+        probability = count / total_accesses
+        sum - (probability * Math.log2(probability))
+      end
+      
+      # Normalize to 0-1 range (typical entropy range is 0-8 for file paths)
+      [entropy / 8.0, 1.0].min
+    end
+
+    def calculate_sensor_consistency(device_data)
+      sensors = device_data.dig(:hardware_info, :sensors) || []
+      return 0.0 if sensors.empty?
+      
+      # Expected sensor combinations for real devices
+      expected_sensors = %w[accelerometer gyroscope magnetometer proximity light]
+      missing_sensors = expected_sensors - sensors.map(&:downcase)
+      
+      # Check for sensor data consistency
+      sensor_data = device_data[:sensor_data] || {}
+      consistency_score = 0.0
+      
+      # Accelerometer consistency (should have realistic values and noise)
+      if sensor_data["accelerometer"]
+        accel_values = sensor_data["accelerometer"]["values"] || []
+        consistency_score += analyze_sensor_realism(accel_values, "accelerometer")
+      end
+      
+      # Gyroscope consistency
+      if sensor_data["gyroscope"]
+        gyro_values = sensor_data["gyroscope"]["values"] || []
+        consistency_score += analyze_sensor_realism(gyro_values, "gyroscope")
+      end
+      
+      # Penalize for missing critical sensors
+      consistency_score -= (missing_sensors.size * 0.2)
+      
+      [consistency_score, 1.0].min.clamp(0.0, 1.0)
+    end
+
+    def calculate_hardware_fingerprint_score(device_data)
+      hardware = device_data[:hardware_info] || {}
+      
+      # Analyze hardware characteristics for emulator indicators
+      score = 1.0
+      
+      # Device model analysis
+      device_model = hardware[:device_model].to_s.downcase
+      if device_model.include?("generic") || device_model.include?("emulator")
+        score -= 0.3
+      end
+      
+      # Manufacturer analysis
+      manufacturer = hardware[:manufacturer].to_s.downcase
+      if manufacturer.include?("android") || manufacturer.empty?
+        score -= 0.2
+      end
+      
+      # Serial number patterns
+      serial = hardware[:serial_number].to_s
+      if serial.include?("android") || serial == "unknown" || serial.empty?
+        score -= 0.2
+      end
+      
+      # Baseband analysis
+      baseband = hardware[:baseband_version]
+      if baseband.nil? || baseband.to_s.empty?
+        score -= 0.3
+      end
+      
+      [score, 1.0].min.clamp(0.0, 1.0)
+    end
+
+    def analyze_process_behavior(device_data)
+      processes = device_data[:processes] || []
+      return 0.5 if processes.empty?
+      
+      suspicious_patterns = 0
+      total_processes = processes.size
+      
+      processes.each do |process|
+        next unless process.is_a?(Hash)
+        
+        process_name = process["name"].to_s.downcase
+        
+        # Check for emulator-specific processes
+        if process_name.match?(/qemu|goldfish|ranchu|genymotion/)
+          suspicious_patterns += 1
+        end
+        
+        # Check for debugging processes
+        if process_name.match?(/gdb|lldb|frida|strace/)
+          suspicious_patterns += 1
+        end
+        
+        # Analyze process memory patterns
+        memory_maps = process["memory_maps"] || []
+        if memory_maps.any? { |map| map["permissions"]&.include?("x") && map["path"]&.start_with?("/data") }
+          suspicious_patterns += 1
+        end
+      end
+      
+      # Return normalized suspicion score (lower is more suspicious)
+      1.0 - (suspicious_patterns.to_f / [total_processes, 1].max)
+    end
+
+    def analyze_network_patterns(device_data)
+      network = device_data[:network_config] || {}
+      
+      score = 1.0
+      
+      # Proxy configuration analysis
+      if network.dig(:proxy_settings, "enabled")
+        proxy_host = network.dig(:proxy_settings, "host").to_s
+        proxy_port = network.dig(:proxy_settings, "port")
+        
+        # Localhost proxies are suspicious
+        if proxy_host.match?(/localhost|127\.0\.0\.1|::1/)
+          score -= 0.3
+        end
+        
+        # Common MITM ports
+        if [8080, 8888, 3128, 8081, 8082].include?(proxy_port)
+          score -= 0.2
+        end
+      end
+      
+      # VPN analysis
+      if network[:vpn_active]
+        score -= 0.1  # VPN itself is not necessarily suspicious
+      end
+      
+      # Certificate analysis
+      certificates = network[:certificates] || []
+      user_certs = certificates.count { |cert| cert["user_installed"] }
+      if user_certs > 0
+        score -= (user_certs * 0.15)
+      end
+      
+      [score, 1.0].min.clamp(0.0, 1.0)
+    end
+
+    def analyze_timing_patterns(device_data)
+      # Analyze timing patterns in system events
+      logs = device_data[:logs] || []
+      return 0.5 if logs.empty?
+      
+      # Extract timestamps if available
+      timestamps = logs.filter_map do |log|
+        next unless log.is_a?(Hash) && log["timestamp"]
+        Time.parse(log["timestamp"]) rescue nil
+      end
+      
+      return 0.5 if timestamps.size < 2
+      
+      # Calculate time intervals between events
+      intervals = timestamps.each_cons(2).map { |t1, t2| (t2 - t1).abs }
+      
+      # Real devices should have some variation in timing
+      if intervals.uniq.size == 1
+        # Perfectly regular intervals suggest automation/emulation
+        return 0.2
+      end
+      
+      # Calculate coefficient of variation
+      mean_interval = intervals.sum / intervals.size
+      variance = intervals.sum { |i| (i - mean_interval) ** 2 } / intervals.size
+      std_dev = Math.sqrt(variance)
+      
+      cv = mean_interval > 0 ? std_dev / mean_interval : 0
+      
+      # Higher variation is more realistic (up to a point)
+      [cv * 2, 1.0].min
+    end
+
+    def calculate_system_call_entropy(device_data)
+      # Analyze system call patterns from logs
+      logs = device_data[:logs] || []
+      system_calls = logs.filter_map do |log|
+        log_text = log.is_a?(Hash) ? log["message"] : log.to_s
+        # Extract system call names from log entries
+        log_text.scan(/\b(open|read|write|close|mmap|ioctl|socket)\b/).flatten
+      end
+      
+      return 0.5 if system_calls.empty?
+      
+      # Calculate entropy of system call distribution
+      call_counts = system_calls.group_by(&:itself).transform_values(&:size)
+      total_calls = system_calls.size.to_f
+      
+      entropy = call_counts.values.reduce(0.0) do |sum, count|
+        probability = count / total_calls
+        sum - (probability * Math.log2(probability))
+      end
+      
+      # Normalize entropy (typical range 0-3 for system calls)
+      [entropy / 3.0, 1.0].min
+    end
+
+    def analyze_memory_patterns(device_data)
+      processes = device_data[:processes] || []
+      return 0.5 if processes.empty?
+      
+      suspicious_memory_patterns = 0
+      total_memory_regions = 0
+      
+      processes.each do |process|
+        next unless process.is_a?(Hash)
+        
+        memory_maps = process["memory_maps"] || []
+        total_memory_regions += memory_maps.size
+        
+        memory_maps.each do |map|
+          next unless map.is_a?(Hash)
+          
+          # Check for suspicious memory patterns
+          if map["path"]&.include?("/dev/ashmem") && map["size"].to_i > 100_000_000
+            suspicious_memory_patterns += 1
+          end
+          
+          # Executable memory in data segments
+          if map["permissions"]&.include?("x") && map["path"]&.start_with?("/data")
+            suspicious_memory_patterns += 1
+          end
+        end
+      end
+      
+      return 0.5 if total_memory_regions == 0
+      
+      # Return normalized score (lower means more suspicious)
+      1.0 - (suspicious_memory_patterns.to_f / total_memory_regions)
+    end
+
+    def run_inference(features)
+      return fallback_prediction(features) unless @model
+      
+      begin
+        # Prepare input for ONNX model
+        input_data = { "input" => features.reshape(1, -1) }
+        
+        # Run inference
+        output = @model.predict(input_data)
+        
+        # Extract predictions (assuming model outputs risk_score and confidence)
+        risk_score = output["risk_score"].first.first
+        confidence = output["confidence"].first.first
+        
+        # Generate factors based on feature analysis
+        factors = generate_behavioral_factors(features, risk_score)
+        
+        {
+          risk_score: (risk_score * 100).round,
+          confidence: confidence,
+          factors: factors
+        }
+      rescue => e
+        puts "Warning: ONNX inference failed: #{e.message}"
+        fallback_prediction(features)
+      end
+    end
+
+    def fallback_prediction(features)
+      # Simple rule-based prediction when ONNX model is not available
+      risk_indicators = 0
+      
+      # Check each feature for suspicious values
+      risk_indicators += 1 if features[FEATURE_INDICES[:file_access_entropy]] < 0.3
+      risk_indicators += 1 if features[FEATURE_INDICES[:sensor_consistency_score]] < 0.5
+      risk_indicators += 1 if features[FEATURE_INDICES[:hardware_fingerprint_score]] < 0.6
+      risk_indicators += 1 if features[FEATURE_INDICES[:process_behavior_score]] < 0.5
+      risk_indicators += 1 if features[FEATURE_INDICES[:network_pattern_score]] < 0.7
+      
+      risk_score = (risk_indicators / FEATURE_INDICES.size.to_f * 100).round
+      confidence = 0.6  # Lower confidence for fallback method
+      
+      {
+        risk_score: risk_score,
+        confidence: confidence,
+        factors: generate_behavioral_factors(features, risk_score / 100.0)
+      }
+    end
+
+    def generate_behavioral_factors(features, risk_score)
+      factors = []
+      
+      factors << "LOW_FILE_ACCESS_ENTROPY" if features[FEATURE_INDICES[:file_access_entropy]] < 0.3
+      factors << "INCONSISTENT_SENSOR_DATA" if features[FEATURE_INDICES[:sensor_consistency_score]] < 0.5
+      factors << "SUSPICIOUS_HARDWARE_FINGERPRINT" if features[FEATURE_INDICES[:hardware_fingerprint_score]] < 0.6
+      factors << "ANOMALOUS_PROCESS_BEHAVIOR" if features[FEATURE_INDICES[:process_behavior_score]] < 0.5
+      factors << "SUSPICIOUS_NETWORK_PATTERNS" if features[FEATURE_INDICES[:network_pattern_score]] < 0.7
+      factors << "IRREGULAR_TIMING_PATTERNS" if features[FEATURE_INDICES[:timing_analysis_score]] < 0.4
+      factors << "LOW_SYSTEM_CALL_ENTROPY" if features[FEATURE_INDICES[:system_call_entropy]] < 0.3
+      factors << "ANOMALOUS_MEMORY_PATTERNS" if features[FEATURE_INDICES[:memory_access_pattern]] < 0.4
+      
+      # Add high-level behavioral indicators
+      factors << "AI_BEHAVIORAL_ANOMALY" if risk_score > 0.7
+      factors << "ML_EMULATOR_DETECTED" if calculate_ml_emulator_score(features) > 0.8
+      
+      factors
+    end
+
+    def detect_anomalies(device_data, features)
+      anomalies = []
+      
+      # File access anomalies
+      if features[FEATURE_INDICES[:file_access_entropy]] < 0.2
+        anomalies << {
+          type: "file_access_pattern",
+          severity: "high",
+          description: "Extremely low entropy in file access patterns suggests automated behavior"
+        }
+      end
+      
+      # Sensor anomalies
+      if features[FEATURE_INDICES[:sensor_consistency_score]] < 0.3
+        anomalies << {
+          type: "sensor_inconsistency",
+          severity: "medium",
+          description: "Sensor data patterns inconsistent with real device behavior"
+        }
+      end
+      
+      # Hardware fingerprint anomalies
+      if features[FEATURE_INDICES[:hardware_fingerprint_score]] < 0.4
+        anomalies << {
+          type: "hardware_fingerprint",
+          severity: "high",
+          description: "Hardware characteristics suggest emulated environment"
+        }
+      end
+      
+      anomalies
+    end
+
+    def calculate_ml_emulator_score(features)
+      # ML-based emulator detection using multiple features
+      emulator_indicators = 0
+      total_indicators = 5
+      
+      # Hardware fingerprint is strong indicator
+      emulator_indicators += 2 if features[FEATURE_INDICES[:hardware_fingerprint_score]] < 0.5
+      
+      # Sensor consistency
+      emulator_indicators += 1 if features[FEATURE_INDICES[:sensor_consistency_score]] < 0.4
+      
+      # Process behavior
+      emulator_indicators += 1 if features[FEATURE_INDICES[:process_behavior_score]] < 0.3
+      
+      # Memory patterns
+      emulator_indicators += 1 if features[FEATURE_INDICES[:memory_access_pattern]] < 0.3
+      
+      (emulator_indicators.to_f / total_indicators).clamp(0.0, 1.0)
+    end
+
+    def fallback_analysis(device_data)
+      {
+        ai_confidence: 0.5,
+        behavioral_risk_score: 0,
+        behavioral_factors: [],
+        anomaly_indicators: [],
+        ml_emulator_score: 0.0
+      }
+    end
+
+    # Helper methods for feature extraction
+    
+    def extract_file_accesses(device_data)
+      file_accesses = []
+      
+      # Extract from logs
+      logs = device_data[:logs] || []
+      logs.each do |log|
+        log_text = log.is_a?(Hash) ? log["message"] : log.to_s
+        # Extract file paths from log entries
+        file_paths = log_text.scan(%r{/[/\w.-]+})
+        file_accesses.concat(file_paths)
+      end
+      
+      # Extract from process information
+      processes = device_data[:processes] || []
+      processes.each do |process|
+        next unless process.is_a?(Hash)
+        
+        if process["open_files"]
+          file_accesses.concat(process["open_files"])
+        end
+      end
+      
+      file_accesses.uniq
+    end
+
+    def analyze_sensor_realism(values, sensor_type)
+      return 0.0 if values.empty?
+      
+      # Convert to numeric values
+      numeric_values = values.filter_map { |v| Float(v) rescue nil }
+      return 0.0 if numeric_values.empty?
+      
+      case sensor_type
+      when "accelerometer"
+        # Accelerometer should have realistic range and noise
+        realistic_range = numeric_values.all? { |v| v.abs <= 20.0 }  # Reasonable G-force range
+        has_variation = numeric_values.uniq.size > 1
+        
+        realistic_range && has_variation ? 0.5 : 0.0
+      when "gyroscope"
+        # Gyroscope should have realistic angular velocity range
+        realistic_range = numeric_values.all? { |v| v.abs <= 2000.0 }  # Degrees per second
+        has_variation = numeric_values.uniq.size > 1
+        
+        realistic_range && has_variation ? 0.5 : 0.0
+      else
+        0.3  # Default score for other sensors
+      end
+    end
+  end
+end

data/lib/ai_root_shield/detector.rb

@@ -11,12 +11,15 @@ module AiRootShield
       enable_hooking_detection: true,
       enable_integrity_checks: true,
       enable_network_analysis: true,
-      risk_threshold: 50
+      enable_ai_behavioral_analysis: true,
+      risk_threshold: 50,
+      ai_confidence_threshold: 0.7
     }.freeze
 
     def initialize(config = {})
       @config = DEFAULT_CONFIG.merge(config)
       @analyzers = initialize_analyzers
+      @ai_analyzer = AiBehavioralAnalyzer.new if @config[:enable_ai_behavioral_analysis]
     end
 
     # Perform comprehensive device security scan
@@ -27,6 +30,7 @@ module AiRootShield
       
       detected_factors = []
       risk_scores = []
+      ai_result = nil
 
       @analyzers.each do |analyzer|
         next unless analyzer_enabled?(analyzer)
@@ -36,14 +40,36 @@ module AiRootShield
         risk_scores << result[:risk_score]
       end
 
-      overall_risk = RiskCalculator.calculate_overall_risk(risk_scores, detected_factors)
+      # Perform AI behavioral analysis if enabled
+      if @ai_analyzer && @config[:enable_ai_behavioral_analysis]
+        ai_result = @ai_analyzer.analyze(device_data)
+        detected_factors.concat(ai_result[:behavioral_factors])
+        risk_scores << ai_result[:behavioral_risk_score]
+      end
+
+      overall_risk = RiskCalculator.calculate_overall_risk(
+        risk_scores, 
+        detected_factors,
+        ai_confidence: ai_result&.dig(:ai_confidence)
+      )
 
-      {
+      result = {
         risk_score: overall_risk,
         factors: detected_factors.uniq,
         timestamp: Time.now.to_i,
         version: AiRootShield::VERSION
       }
+
+      # Add AI-specific results if available
+      if ai_result
+        result.merge!({
+          ai_confidence: ai_result[:ai_confidence],
+          ml_emulator_score: ai_result[:ml_emulator_score],
+          anomaly_indicators: ai_result[:anomaly_indicators]
+        })
+      end
+
+      result
     end
 
     private
@@ -70,6 +96,8 @@ module AiRootShield
         @config[:enable_integrity_checks]
       when "NetworkAnalyzer"
         @config[:enable_network_analysis]
+      when "AiBehavioralAnalyzer"
+        @config[:enable_ai_behavioral_analysis]
       else
         true
       end