ai_root_shield 0.1.0 → 0.3.0

data/lib/ai_root_shield/rasp_protection.rb

@@ -0,0 +1,359 @@
+# frozen_string_literal: true
+
+require "digest"
+require "fiddle"
+
+module AiRootShield
+  # Runtime Application Self-Protection (RASP) system
+  # Provides real-time protection against debugging, tampering, and injection attacks
+  class RaspProtection
+    # RASP event types for real-time reporting
+    RASP_EVENTS = {
+      debug_attempt: "DEBUG_ATTEMPT_DETECTED",
+      tamper_detected: "CODE_TAMPER_DETECTED", 
+      injection_blocked: "INJECTION_ATTEMPT_BLOCKED",
+      integrity_violation: "INTEGRITY_VIOLATION_DETECTED",
+      memory_patch: "MEMORY_PATCH_DETECTED"
+    }.freeze
+
+    def initialize(config = {})
+      @config = {
+        enable_anti_debug: true,
+        enable_anti_tamper: true,
+        enable_memory_protection: true,
+        enable_integrity_monitor: true,
+        enable_real_time_alerts: true,
+        alert_callback: nil,
+        critical_functions: [],
+        protection_interval: 1.0
+      }.merge(config)
+      
+      @event_callbacks = []
+      @protection_active = false
+      @integrity_hashes = {}
+      @original_memory_maps = {}
+      @protection_thread = nil
+      @last_check_time = Time.now
+      
+      initialize_protection if @config[:enable_real_time_alerts]
+    end
+
+    # Start RASP protection monitoring
+    def start_protection
+      return if @protection_active
+      
+      @protection_active = true
+      
+      # Initialize anti-debug protection
+      setup_anti_debug_protection if @config[:enable_anti_debug]
+      
+      # Initialize anti-tamper protection
+      setup_anti_tamper_protection if @config[:enable_anti_tamper]
+      
+      # Initialize memory protection
+      setup_memory_protection if @config[:enable_memory_protection]
+      
+      # Initialize integrity monitoring
+      setup_integrity_monitoring if @config[:enable_integrity_monitor]
+      
+      # Start real-time monitoring thread
+      start_monitoring_thread
+      
+      report_rasp_event(:protection_started, "RASP protection activated")
+    end
+
+    # Stop RASP protection monitoring
+    def stop_protection
+      @protection_active = false
+      @protection_thread&.kill
+      @protection_thread = nil
+      
+      report_rasp_event(:protection_stopped, "RASP protection deactivated")
+    end
+
+    # Register callback for RASP events
+    def on_rasp_event(&block)
+      @event_callbacks << block if block_given?
+    end
+
+    # Check current protection status
+    def protection_status
+      {
+        active: @protection_active,
+        anti_debug_enabled: @config[:enable_anti_debug],
+        anti_tamper_enabled: @config[:enable_anti_tamper],
+        memory_protection_enabled: @config[:enable_memory_protection],
+        integrity_monitor_enabled: @config[:enable_integrity_monitor],
+        events_detected: @events_detected || 0,
+        last_check: @last_check_time
+      }
+    end
+
+    private
+
+    def initialize_protection
+      @events_detected = 0
+      @last_check_time = Time.now
+    end
+
+    # Anti-Debug Protection Implementation
+    def setup_anti_debug_protection
+      # Check for ptrace attachment
+      check_ptrace_protection
+      
+      # Check for debugger processes
+      check_debugger_processes
+      
+      # Check for debug environment variables
+      check_debug_environment
+    end
+
+    def check_ptrace_protection
+      # Attempt to detect ptrace attachment
+      if ptrace_detected?
+        report_rasp_event(:debug_attempt, "Ptrace debugger attachment detected")
+        take_protection_action(:debug_attempt)
+      end
+    end
+
+    def ptrace_detected?
+      # Check /proc/self/status for TracerPid on Linux
+      return false unless File.exist?("/proc/self/status")
+      
+      status_content = File.read("/proc/self/status")
+      tracer_line = status_content.lines.find { |line| line.start_with?("TracerPid:") }
+      
+      if tracer_line
+        tracer_pid = tracer_line.split(":")[1].strip.to_i
+        return tracer_pid != 0
+      end
+      
+      false
+    rescue
+      false
+    end
+
+    def check_debugger_processes
+      debugger_processes = ["gdb", "lldb", "strace", "ltrace", "frida-server", "frida"]
+      
+      debugger_processes.each do |debugger|
+        if process_running?(debugger)
+          report_rasp_event(:debug_attempt, "Debugger process detected: #{debugger}")
+          take_protection_action(:debug_attempt)
+        end
+      end
+    end
+
+    def process_running?(process_name)
+      `pgrep #{process_name}`.strip.length > 0
+    rescue
+      false
+    end
+
+    def check_debug_environment
+      debug_vars = ["DEBUG", "LLDB_DEBUGSERVER_PATH", "DYLD_INSERT_LIBRARIES"]
+      
+      debug_vars.each do |var|
+        if ENV[var]
+          report_rasp_event(:debug_attempt, "Debug environment variable detected: #{var}")
+          take_protection_action(:debug_attempt)
+        end
+      end
+    end
+
+    # Anti-Tamper Protection Implementation
+    def setup_anti_tamper_protection
+      # Calculate initial code integrity hashes
+      calculate_code_integrity_hashes
+      
+      # Monitor for code modifications
+      monitor_code_integrity
+    end
+
+    def calculate_code_integrity_hashes
+      # Hash critical Ruby files and libraries
+      critical_files = [
+        __FILE__,
+        File.join(__dir__, "detector.rb"),
+        File.join(__dir__, "ai_behavioral_analyzer.rb")
+      ]
+      
+      critical_files.each do |file|
+        next unless File.exist?(file)
+        
+        content = File.read(file)
+        @integrity_hashes[file] = Digest::SHA256.hexdigest(content)
+      end
+    end
+
+    def monitor_code_integrity
+      @integrity_hashes.each do |file, original_hash|
+        next unless File.exist?(file)
+        
+        current_content = File.read(file)
+        current_hash = Digest::SHA256.hexdigest(current_content)
+        
+        if current_hash != original_hash
+          report_rasp_event(:tamper_detected, "Code integrity violation: #{file}")
+          take_protection_action(:tamper_detected)
+        end
+      end
+    rescue
+      # File access errors might indicate tampering
+      report_rasp_event(:tamper_detected, "File access anomaly detected")
+    end
+
+    # Memory Protection Implementation
+    def setup_memory_protection
+      # Monitor for Frida injection signatures
+      check_frida_injection
+      
+      # Monitor memory patches
+      monitor_memory_patches
+    end
+
+    def check_frida_injection
+      frida_indicators = [
+        "frida",
+        "gum-js-loop",
+        "gmain",
+        "glib-",
+        "FridaGadget"
+      ]
+      
+      # Check loaded libraries for Frida signatures
+      if maps_content = read_proc_maps
+        frida_indicators.each do |indicator|
+          if maps_content.include?(indicator)
+            report_rasp_event(:injection_blocked, "Frida injection detected: #{indicator}")
+            take_protection_action(:injection_blocked)
+          end
+        end
+      end
+    end
+
+    def read_proc_maps
+      File.read("/proc/self/maps") if File.exist?("/proc/self/maps")
+    rescue
+      nil
+    end
+
+    def monitor_memory_patches
+      # Check for suspicious memory modifications
+      if maps_content = read_proc_maps
+        # Look for executable memory regions that shouldn't be there
+        suspicious_regions = maps_content.lines.select do |line|
+          line.include?("rwxp") && !line.include?("[stack]") && !line.include?("[heap]")
+        end
+        
+        unless suspicious_regions.empty?
+          report_rasp_event(:memory_patch, "Suspicious executable memory regions detected")
+          take_protection_action(:memory_patch)
+        end
+      end
+    end
+
+    # Runtime Integrity Monitor Implementation
+    def setup_integrity_monitoring
+      # Monitor critical function integrity
+      monitor_critical_functions
+    end
+
+    def monitor_critical_functions
+      @config[:critical_functions].each do |function_info|
+        validate_function_integrity(function_info)
+      end
+    end
+
+    def validate_function_integrity(function_info)
+      # Validate function hash if provided
+      if function_info[:hash] && function_info[:method]
+        current_hash = calculate_method_hash(function_info[:method])
+        
+        if current_hash != function_info[:hash]
+          report_rasp_event(:integrity_violation, 
+            "Critical function integrity violation: #{function_info[:method]}")
+          take_protection_action(:integrity_violation)
+        end
+      end
+    end
+
+    def calculate_method_hash(method_obj)
+      # Calculate hash of method source if available
+      if method_obj.respond_to?(:source)
+        Digest::SHA256.hexdigest(method_obj.source)
+      else
+        # Fallback to method object hash
+        Digest::SHA256.hexdigest(method_obj.to_s)
+      end
+    rescue
+      nil
+    end
+
+    # Real-time Monitoring Thread
+    def start_monitoring_thread
+      @protection_thread = Thread.new do
+        while @protection_active
+          perform_protection_checks
+          sleep(@config[:protection_interval])
+        end
+      end
+    end
+
+    def perform_protection_checks
+      @last_check_time = Time.now
+      
+      # Perform all protection checks
+      check_ptrace_protection if @config[:enable_anti_debug]
+      check_debugger_processes if @config[:enable_anti_debug]
+      monitor_code_integrity if @config[:enable_anti_tamper]
+      check_frida_injection if @config[:enable_memory_protection]
+      monitor_memory_patches if @config[:enable_memory_protection]
+      monitor_critical_functions if @config[:enable_integrity_monitor]
+    end
+
+    # Event Reporting System
+    def report_rasp_event(event_type, message, details = {})
+      return unless @config[:enable_real_time_alerts]
+      
+      @events_detected = (@events_detected || 0) + 1
+      
+      event_data = {
+        type: RASP_EVENTS[event_type] || event_type.to_s.upcase,
+        message: message,
+        timestamp: Time.now.to_f,
+        details: details,
+        protection_status: protection_status
+      }
+      
+      # Call registered callbacks
+      @event_callbacks.each do |callback|
+        callback.call(event_data) rescue nil
+      end
+      
+      # Call configured alert callback
+      @config[:alert_callback]&.call(event_data) rescue nil
+      
+      # Log to stderr for immediate visibility
+      warn "[RASP] #{event_data[:type]}: #{message}" if @config[:enable_real_time_alerts]
+    end
+
+    # Protection Actions
+    def take_protection_action(threat_type)
+      case threat_type
+      when :debug_attempt
+        # Could implement process termination, obfuscation, etc.
+        report_rasp_event(:protection_action, "Anti-debug countermeasure activated")
+      when :tamper_detected
+        # Could implement integrity restoration, alerts, etc.
+        report_rasp_event(:protection_action, "Anti-tamper countermeasure activated")
+      when :injection_blocked
+        # Could implement injection blocking, process isolation, etc.
+        report_rasp_event(:protection_action, "Injection blocking countermeasure activated")
+      when :integrity_violation
+        # Could implement function restoration, alerts, etc.
+        report_rasp_event(:protection_action, "Integrity protection countermeasure activated")
+      end
+    end
+  end
+end

data/lib/ai_root_shield/risk_calculator.rb

@@ -43,8 +43,9 @@ module AiRootShield
       # Calculate overall risk score from individual analyzer results
       # @param risk_scores [Array<Integer>] Individual risk scores from analyzers
       # @param factors [Array<String>] Detected risk factors
+      # @param ai_confidence [Float, nil] AI confidence score (0.0-1.0)
       # @return [Integer] Overall risk score (0-100)
-      def calculate_overall_risk(risk_scores, factors)
+      def calculate_overall_risk(risk_scores, factors, ai_confidence: nil)
         return 0 if factors.empty?
 
         # Calculate weighted score based on detected factors
@@ -59,6 +60,12 @@ module AiRootShield
         # Apply risk amplification for multiple high-risk factors
         amplified_score = apply_risk_amplification(combined_score, factors)
         
+        # Apply AI confidence weighting if available
+        if ai_confidence && ai_confidence > 0.5
+          ai_weight = (ai_confidence - 0.5) * 2  # Scale 0.5-1.0 to 0.0-1.0
+          amplified_score *= (1.0 + ai_weight * 0.2)  # Up to 20% boost for high confidence
+        end
+        
         # Ensure score is within bounds
         [amplified_score.round, 100].min
       end

data/lib/ai_root_shield/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AiRootShield
-  VERSION = "0.1.0"
+  VERSION = "0.3.0"
 end

data/lib/ai_root_shield.rb

@@ -7,17 +7,22 @@ require_relative "ai_root_shield/analyzers/emulator_detector"
 require_relative "ai_root_shield/analyzers/hooking_detector"
 require_relative "ai_root_shield/analyzers/integrity_checker"
 require_relative "ai_root_shield/analyzers/network_analyzer"
+require_relative "ai_root_shield/ai_behavioral_analyzer"
+require_relative "ai_root_shield/rasp_protection"
 require_relative "ai_root_shield/risk_calculator"
 require_relative "ai_root_shield/device_log_parser"
 
 module AiRootShield
   class Error < StandardError; end
 
+  # Global RASP protection instance
+  @rasp_protection = nil
+
   # Main entry point for device scanning
   # @param device_logs_path [String] Path to device logs JSON file
   # @return [Hash] Risk assessment result with score and factors
   def self.scan_device(device_logs_path)
-    Detector.new.scan(device_logs_path)
+    scan_device_with_config(device_logs_path)
   end
 
   # Scan device with custom configuration
@@ -25,7 +30,35 @@ module AiRootShield
   # @param config [Hash] Configuration options
   # @return [Hash] Risk assessment result with score and factors
   def self.scan_device_with_config(device_logs_path, config = {})
-    Detector.new(config).scan(device_logs_path)
+    detector = Detector.new(config)
+    detector.scan(device_logs_path)
+  end
+
+  # Start RASP protection
+  # @param config [Hash] RASP configuration options
+  # @return [RaspProtection] RASP protection instance
+  def self.start_rasp_protection(config = {})
+    @rasp_protection = RaspProtection.new(config)
+    @rasp_protection.start_protection
+    @rasp_protection
+  end
+
+  # Stop RASP protection
+  def self.stop_rasp_protection
+    @rasp_protection&.stop_protection
+    @rasp_protection = nil
+  end
+
+  # Get current RASP protection instance
+  # @return [RaspProtection, nil] Current RASP protection instance
+  def self.rasp_protection
+    @rasp_protection
+  end
+
+  # Check if RASP protection is active
+  # @return [Boolean] True if RASP protection is active
+  def self.rasp_active?
+    @rasp_protection&.protection_status&.dig(:active) || false
   end
 
   # Get version information

data/models/README.md

@@ -0,0 +1,72 @@
+# AI Root Shield - Behavioral Analysis Models
+
+This directory contains ONNX models for AI-powered behavioral analysis.
+
+## Model Architecture
+
+The behavioral analysis model (`behavioral_model.onnx`) is designed to analyze device behavior patterns and detect anomalies that may indicate compromise or emulation.
+
+### Input Features (8 dimensions)
+
+1. **File Access Entropy** (0.0-1.0): Shannon entropy of file access patterns
+2. **Sensor Consistency Score** (0.0-1.0): Consistency of sensor data with real device behavior
+3. **Hardware Fingerprint Score** (0.0-1.0): Hardware characteristics analysis
+4. **Process Behavior Score** (0.0-1.0): Process execution patterns analysis
+5. **Network Pattern Score** (0.0-1.0): Network behavior analysis
+6. **Timing Analysis Score** (0.0-1.0): Event timing pattern analysis
+7. **System Call Entropy** (0.0-1.0): System call distribution entropy
+8. **Memory Access Pattern** (0.0-1.0): Memory usage pattern analysis
+
+### Output
+
+- **Risk Score** (0.0-1.0): Behavioral risk assessment
+- **Confidence** (0.0-1.0): Model confidence in the prediction
+
+## Model Training
+
+The model should be trained on labeled datasets containing:
+- Legitimate device telemetry data
+- Emulator/simulator data
+- Compromised device data
+- Synthetic attack scenarios
+
+## Usage
+
+The model is automatically loaded by `AiBehavioralAnalyzer` if present in this directory. If the model file is not available, the analyzer falls back to rule-based analysis.
+
+## Creating Your Own Model
+
+To create a custom behavioral analysis model:
+
+1. Collect training data with the 8 input features
+2. Train using your preferred ML framework (TensorFlow, PyTorch, etc.)
+3. Export to ONNX format as `behavioral_model.onnx`
+4. Place in this directory
+
+Example Python code for model creation:
+
+```python
+import onnx
+import numpy as np
+from sklearn.ensemble import RandomForestClassifier
+from skl2onnx import convert_sklearn
+from skl2onnx.common.data_types import FloatTensorType
+
+# Train your model
+model = RandomForestClassifier(n_estimators=100, random_state=42)
+model.fit(X_train, y_train)
+
+# Convert to ONNX
+initial_type = [('input', FloatTensorType([None, 8]))]
+onnx_model = convert_sklearn(model, initial_types=initial_type)
+
+# Save model
+with open("behavioral_model.onnx", "wb") as f:
+    f.write(onnx_model.SerializeToString())
+```
+
+## Security Considerations
+
+- Models should be validated for adversarial robustness
+- Regular retraining is recommended as attack techniques evolve
+- Consider model versioning for production deployments

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ai_root_shield
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Ahmet KAHRAMAN
@@ -51,6 +51,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: onnxruntime
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: numo-narray
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -142,6 +170,7 @@ files:
 - examples/device_logs/rooted_android.json
 - exe/ai_root_shield
 - lib/ai_root_shield.rb
+- lib/ai_root_shield/ai_behavioral_analyzer.rb
 - lib/ai_root_shield/analyzers/emulator_detector.rb
 - lib/ai_root_shield/analyzers/hooking_detector.rb
 - lib/ai_root_shield/analyzers/integrity_checker.rb
@@ -149,8 +178,10 @@ files:
 - lib/ai_root_shield/analyzers/root_detector.rb
 - lib/ai_root_shield/detector.rb
 - lib/ai_root_shield/device_log_parser.rb
+- lib/ai_root_shield/rasp_protection.rb
 - lib/ai_root_shield/risk_calculator.rb
 - lib/ai_root_shield/version.rb
+- models/README.md
 homepage: https://github.com/ahmetxhero/ai-root-shield
 licenses:
 - MIT