ai_root_shield 0.2.0 → 0.4.0

data/exe/ai_root_shield

@@ -1,17 +1,30 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require_relative "../lib/ai_root_shield"
 require "optparse"
 require "json"
+require_relative "../lib/ai_root_shield"
 
-# CLI interface for AI Root Shield
+# Command line interface for AI Root Shield
 class AiRootShieldCLI
   def initialize
     @options = {
-      config: {},
-      output_format: "json",
-      verbose: false
+      format: "json",
+      verbose: false,
+      threshold: 50,
+      enable_root_detection: true,
+      enable_emulator_detection: true,
+      enable_hooking_detection: true,
+      enable_integrity_checks: true,
+      enable_network_analysis: true,
+      enable_ai_behavioral_analysis: true,
+      enable_rasp_protection: false,
+      rasp_monitoring_time: 5,
+      policy_file: nil,
+      enable_certificate_pinning: false,
+      enable_proxy_detection: false,
+      target_ip: nil,
+      target_url: nil
     }
   end
 
@@ -32,8 +45,58 @@ class AiRootShieldCLI
     end
 
     begin
-      result = AiRootShield.scan_device_with_config(device_logs_path, @options[:config])
+      # Configure enterprise policy if provided
+      if @options[:policy_file]
+        puts "Loading enterprise policy from #{@options[:policy_file]}..." if @options[:verbose]
+        AiRootShield.configure_policy(@options[:policy_file])
+      end
+      
+      # Configure certificate pinning if enabled
+      if @options[:enable_certificate_pinning]
+        puts "Configuring certificate pinning..." if @options[:verbose]
+        AiRootShield.configure_certificate_pinning
+      end
+      
+      # Configure proxy detection if enabled
+      if @options[:enable_proxy_detection]
+        puts "Configuring proxy detection..." if @options[:verbose]
+        AiRootShield.configure_proxy_detection
+      end
+      
+      # Start RASP protection if enabled
+      if @options[:enable_rasp_protection]
+        puts "Starting RASP protection..." if @options[:verbose]
+        rasp = AiRootShield.start_rasp_protection(
+          enable_real_time_alerts: @options[:verbose],
+          protection_interval: 0.5
+        )
+        
+        # Set up RASP event logging if verbose
+        if @options[:verbose]
+          rasp.on_rasp_event do |event|
+            puts "[RASP] #{event[:type]}: #{event[:message]}"
+          end
+        end
+        
+        # Monitor for specified time
+        puts "Monitoring with RASP protection for #{@options[:rasp_monitoring_time]} seconds..." if @options[:verbose]
+        sleep(@options[:rasp_monitoring_time])
+      end
+      
+      result = AiRootShield.scan_device_with_config(device_logs_path, @options)
+      
+      # Add RASP status to result if enabled
+      if @options[:enable_rasp_protection] && AiRootShield.rasp_active?
+        result[:rasp_status] = AiRootShield.rasp_protection.protection_status
+      end
+      
+      # Add security status if verbose
+      if @options[:verbose]
+        result[:security_status] = AiRootShield.security_status
+      end
+      
       output_result(result)
+      
     rescue AiRootShield::Error => e
       puts "Error: #{e.message}"
       exit 1
@@ -41,6 +104,9 @@ class AiRootShieldCLI
       puts "Unexpected error: #{e.message}"
       puts e.backtrace if @options[:verbose]
       exit 1
+    ensure
+      # Stop RASP protection
+      AiRootShield.stop_rasp_protection if @options[:enable_rasp_protection]
     end
   end
 
@@ -54,7 +120,7 @@ class AiRootShieldCLI
 
       opts.on("-f", "--format FORMAT", ["json", "text", "summary"], 
               "Output format (json, text, summary)") do |format|
-        @options[:output_format] = format
+        @options[:format] = format
       end
 
       opts.on("-v", "--verbose", "Enable verbose output") do
@@ -63,27 +129,59 @@ class AiRootShieldCLI
 
       opts.on("-t", "--threshold SCORE", Integer, 
               "Risk threshold (0-100, default: 50)") do |threshold|
-        @options[:config][:risk_threshold] = threshold
+        @options[:threshold] = threshold
       end
 
       opts.on("--no-root", "Disable root detection") do
-        @options[:config][:enable_root_detection] = false
+        @options[:enable_root_detection] = false
       end
 
       opts.on("--no-emulator", "Disable emulator detection") do
-        @options[:config][:enable_emulator_detection] = false
+        @options[:enable_emulator_detection] = false
       end
 
       opts.on("--no-hooking", "Disable hooking detection") do
-        @options[:config][:enable_hooking_detection] = false
+        @options[:enable_hooking_detection] = false
       end
 
       opts.on("--no-integrity", "Disable integrity checks") do
-        @options[:config][:enable_integrity_checks] = false
+        @options[:enable_integrity_checks] = false
       end
 
       opts.on("--no-network", "Disable network analysis") do
-        @options[:config][:enable_network_analysis] = false
+        @options[:enable_network_analysis] = false
+      end
+
+      opts.on("--no-ai", "Disable AI behavioral analysis") do
+        @options[:enable_ai_behavioral_analysis] = false
+      end
+
+      opts.on("--enable-rasp", "Enable RASP protection during scan") do
+        @options[:enable_rasp_protection] = true
+      end
+
+      opts.on("--rasp-time SECONDS", Integer, "RASP monitoring time in seconds (default: 5)") do |time|
+        @options[:rasp_monitoring_time] = time
+      end
+
+      opts.on("--policy FILE", "Enterprise policy file path") do |file|
+        @options[:policy_file] = file
+      end
+
+      opts.on("--enable-cert-pinning", "Enable certificate pinning validation") do
+        @options[:enable_certificate_pinning] = true
+      end
+
+      opts.on("--enable-proxy-detection", "Enable advanced proxy detection") do
+        @options[:enable_proxy_detection] = true
+      end
+
+      opts.on("--target-ip IP", "Target IP address for network analysis") do |ip|
+        @options[:target_ip] = ip
+      end
+
+      opts.on("--target-url URL", "Target URL for certificate pinning validation") do |url|
+        @options[:target_url] = url
       end
 
       opts.on("-h", "--help", "Show this help message") do
@@ -99,7 +197,7 @@ class AiRootShieldCLI
   end
 
   def output_result(result)
-    case @options[:output_format]
+    case @options[:format]
     when "json"
       puts JSON.pretty_generate(result)
     when "text"
@@ -117,6 +215,42 @@ class AiRootShieldCLI
     puts "Version: #{result[:version]}"
     puts ""
     
+    # Display compliance status if available
+    if result[:compliance]
+      puts "Policy Compliance:"
+      puts "  Status: #{result[:compliance][:compliant] ? 'COMPLIANT' : 'NON-COMPLIANT'}"
+      puts "  Policy Version: #{result[:compliance][:policy_version]}"
+      
+      if result[:compliance][:violations].any?
+        puts "  Violations:"
+        result[:compliance][:violations].each do |violation|
+          puts "    • #{violation[:message]} (#{violation[:severity]})"
+        end
+      end
+      puts ""
+    end
+    
+    # Display network analysis if available
+    if result[:network_analysis]
+      puts "Network Security Analysis:"
+      
+      if result[:network_analysis][:proxy_detection]
+        proxy = result[:network_analysis][:proxy_detection]
+        puts "  Proxy Detection: #{proxy[:proxy_detected] ? 'DETECTED' : 'Clean'}"
+        if proxy[:proxy_detected]
+          puts "    Types: #{proxy[:proxy_types].join(', ')}"
+          puts "    Confidence: #{(proxy[:confidence_score] * 100).round}%"
+        end
+      end
+      
+      if result[:network_analysis][:certificate_pinning]
+        pinning = result[:network_analysis][:certificate_pinning]
+        puts "  Certificate Pinning: #{pinning[:valid] ? 'VALID' : 'FAILED'}"
+        puts "    Reason: #{pinning[:reason]}" unless pinning[:valid]
+      end
+      puts ""
+    end
+    
     if result[:factors].any?
       puts "Detected Security Factors:"
       result[:factors].each do |factor|
@@ -134,6 +268,15 @@ class AiRootShieldCLI
     else
       puts "No security threats detected."
     end
+    
+    # Display RASP status if available
+    if result[:rasp_status]
+      puts ""
+      puts "RASP Protection Status:"
+      puts "  Active: #{result[:rasp_status][:active] ? 'YES' : 'NO'}"
+      puts "  Events Detected: #{result[:rasp_status][:events_detected] || 0}"
+      puts "  Protection Level: #{result[:rasp_status][:protection_level] || 'Standard'}"
+    end
   end
 
   def output_summary_format(result)

data/lib/ai_root_shield/advanced_proxy_detector.rb

@@ -0,0 +1,406 @@
+# frozen_string_literal: true
+
+require "resolv"
+require "net/http"
+require "ipaddr"
+
+module AiRootShield
+  # Advanced proxy detection for VPN, Tor, custom DNS, and MITM appliances
+  class AdvancedProxyDetector
+    # Known Tor exit node IP ranges and identifiers
+    TOR_INDICATORS = {
+      dns_names: [
+        "tor-exit", "torservers", "artikel5ev", "privacyfoundation",
+        "torproject", "exitnode", "tor-relay"
+      ],
+      asn_patterns: [
+        /tor/i, /privacy/i, /anonymous/i, /vpn/i
+      ]
+    }.freeze
+
+    # Common VPN provider indicators
+    VPN_INDICATORS = {
+      dns_patterns: [
+        /vpn/i, /proxy/i, /tunnel/i, /shield/i, /secure/i,
+        /private/i, /anonymous/i, /hide/i, /mask/i
+      ],
+      asn_patterns: [
+        /vpn/i, /virtual private/i, /proxy/i, /datacenter/i,
+        /hosting/i, /cloud/i, /server/i
+      ],
+      known_providers: [
+        "nordvpn", "expressvpn", "surfshark", "cyberghost", "pia",
+        "mullvad", "protonvpn", "windscribe", "tunnelbear", "hotspotshield"
+      ]
+    }.freeze
+
+    # MITM appliance indicators
+    MITM_INDICATORS = {
+      certificate_issuers: [
+        /blue coat/i, /websense/i, /forcepoint/i, /zscaler/i,
+        /checkpoint/i, /palo alto/i, /fortinet/i, /sophos/i,
+        /mcafee/i, /symantec/i, /broadcom/i
+      ],
+      proxy_headers: [
+        "x-bluecoat-via", "x-forwarded-for", "x-real-ip",
+        "x-proxy-id", "x-cache", "via", "x-forwarded-proto"
+      ]
+    }.freeze
+
+    # Custom DNS server indicators
+    CUSTOM_DNS_INDICATORS = {
+      public_dns: [
+        "8.8.8.8", "8.8.4.4",           # Google
+        "1.1.1.1", "1.0.0.1",           # Cloudflare
+        "208.67.222.222", "208.67.220.220", # OpenDNS
+        "9.9.9.9", "149.112.112.112"    # Quad9
+      ],
+      privacy_dns: [
+        "94.140.14.14", "94.140.15.15", # AdGuard
+        "76.76.19.19", "76.223.100.101", # Alternate DNS
+        "185.228.168.9", "185.228.169.9" # CleanBrowsing
+      ]
+    }.freeze
+
+    def initialize(config = {})
+      @config = {
+        enable_tor_detection: true,
+        enable_vpn_detection: true,
+        enable_mitm_detection: true,
+        enable_dns_detection: true,
+        timeout: 5,
+        max_retries: 2,
+        use_external_apis: false
+      }.merge(config)
+      
+      @detection_cache = {}
+      @last_detection_time = {}
+    end
+
+    # Perform comprehensive proxy detection
+    # @param target_ip [String] IP address to analyze
+    # @param additional_data [Hash] Additional network data
+    # @return [Hash] Detection results
+    def detect_proxy(target_ip, additional_data = {})
+      return cached_result(target_ip) if cached_and_fresh?(target_ip)
+      
+      results = {
+        ip_address: target_ip,
+        timestamp: Time.now.to_f,
+        proxy_detected: false,
+        proxy_types: [],
+        confidence_score: 0.0,
+        indicators: [],
+        details: {}
+      }
+      
+      # Perform different detection methods
+      results = detect_tor_exit_node(target_ip, results) if @config[:enable_tor_detection]
+      results = detect_vpn_service(target_ip, results) if @config[:enable_vpn_detection]
+      results = detect_mitm_appliance(target_ip, additional_data, results) if @config[:enable_mitm_detection]
+      results = detect_custom_dns(additional_data, results) if @config[:enable_dns_detection]
+      
+      # Calculate overall confidence
+      results[:confidence_score] = calculate_confidence_score(results)
+      results[:proxy_detected] = results[:confidence_score] > 0.5
+      
+      # Cache results
+      cache_result(target_ip, results)
+      
+      results
+    end
+
+    # Detect Tor exit nodes
+    # @param ip [String] IP address to check
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_tor_exit_node(ip, results)
+      tor_indicators = []
+      
+      # Check reverse DNS for Tor indicators
+      begin
+        hostname = Resolv.getname(ip)
+        TOR_INDICATORS[:dns_names].each do |indicator|
+          if hostname.downcase.include?(indicator)
+            tor_indicators << "tor_dns_pattern: #{indicator}"
+          end
+        end
+      rescue Resolv::ResolvError
+        # No reverse DNS available
+      end
+      
+      # Check if IP is in known Tor exit node lists (if external APIs enabled)
+      if @config[:use_external_apis]
+        tor_indicators.concat(check_tor_exit_lists(ip))
+      end
+      
+      # Check for Tor-specific network characteristics
+      tor_indicators.concat(analyze_tor_network_characteristics(ip))
+      
+      unless tor_indicators.empty?
+        results[:proxy_types] << "tor_exit_node"
+        results[:indicators].concat(tor_indicators)
+        results[:details][:tor] = {
+          detected: true,
+          indicators: tor_indicators,
+          risk_level: "high"
+        }
+      end
+      
+      results
+    end
+
+    # Detect VPN services
+    # @param ip [String] IP address to check
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_vpn_service(ip, results)
+      vpn_indicators = []
+      
+      # Check reverse DNS for VPN patterns
+      begin
+        hostname = Resolv.getname(ip)
+        VPN_INDICATORS[:dns_patterns].each do |pattern|
+          if hostname.match?(pattern)
+            vpn_indicators << "vpn_dns_pattern: #{pattern}"
+          end
+        end
+        
+        # Check for known VPN providers
+        VPN_INDICATORS[:known_providers].each do |provider|
+          if hostname.downcase.include?(provider)
+            vpn_indicators << "known_vpn_provider: #{provider}"
+          end
+        end
+      rescue Resolv::ResolvError
+        # No reverse DNS available
+      end
+      
+      # Check ASN information for VPN characteristics
+      vpn_indicators.concat(analyze_asn_for_vpn(ip))
+      
+      # Check for datacenter/hosting characteristics
+      vpn_indicators.concat(analyze_hosting_characteristics(ip))
+      
+      unless vpn_indicators.empty?
+        results[:proxy_types] << "vpn_service"
+        results[:indicators].concat(vpn_indicators)
+        results[:details][:vpn] = {
+          detected: true,
+          indicators: vpn_indicators,
+          risk_level: "medium"
+        }
+      end
+      
+      results
+    end
+
+    # Detect MITM appliances
+    # @param ip [String] IP address to check
+    # @param additional_data [Hash] Additional network data
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_mitm_appliance(ip, additional_data, results)
+      mitm_indicators = []
+      
+      # Check for MITM certificate issuers
+      if additional_data[:certificates]
+        additional_data[:certificates].each do |cert_info|
+          issuer = cert_info[:issuer] || ""
+          MITM_INDICATORS[:certificate_issuers].each do |pattern|
+            if issuer.match?(pattern)
+              mitm_indicators << "mitm_certificate_issuer: #{pattern}"
+            end
+          end
+        end
+      end
+      
+      # Check for proxy headers
+      if additional_data[:http_headers]
+        MITM_INDICATORS[:proxy_headers].each do |header|
+          if additional_data[:http_headers].key?(header.downcase)
+            mitm_indicators << "proxy_header_detected: #{header}"
+          end
+        end
+      end
+      
+      # Check for transparent proxy characteristics
+      mitm_indicators.concat(detect_transparent_proxy(ip, additional_data))
+      
+      unless mitm_indicators.empty?
+        results[:proxy_types] << "mitm_appliance"
+        results[:indicators].concat(mitm_indicators)
+        results[:details][:mitm] = {
+          detected: true,
+          indicators: mitm_indicators,
+          risk_level: "high"
+        }
+      end
+      
+      results
+    end
+
+    # Detect custom DNS configuration
+    # @param additional_data [Hash] Additional network data
+    # @param results [Hash] Current results hash
+    # @return [Hash] Updated results
+    def detect_custom_dns(additional_data, results)
+      dns_indicators = []
+      
+      # Check configured DNS servers
+      if additional_data[:dns_servers]
+        dns_servers = Array(additional_data[:dns_servers])
+        
+        dns_servers.each do |dns_server|
+          # Check for public DNS services
+          if CUSTOM_DNS_INDICATORS[:public_dns].include?(dns_server)
+            dns_indicators << "public_dns_detected: #{dns_server}"
+          elsif CUSTOM_DNS_INDICATORS[:privacy_dns].include?(dns_server)
+            dns_indicators << "privacy_dns_detected: #{dns_server}"
+          elsif !is_isp_dns?(dns_server)
+            dns_indicators << "custom_dns_detected: #{dns_server}"
+          end
+        end
+      end
+      
+      # Check for DNS over HTTPS/TLS usage
+      if additional_data[:doh_enabled] || additional_data[:dot_enabled]
+        dns_indicators << "encrypted_dns_detected"
+      end
+      
+      unless dns_indicators.empty?
+        results[:proxy_types] << "custom_dns"
+        results[:indicators].concat(dns_indicators)
+        results[:details][:dns] = {
+          detected: true,
+          indicators: dns_indicators,
+          risk_level: "low"
+        }
+      end
+      
+      results
+    end
+
+    # Get detection statistics
+    # @return [Hash] Detection statistics
+    def detection_statistics
+      {
+        total_detections: @detection_cache.size,
+        cache_hits: @detection_cache.values.count { |v| v[:cached] },
+        detection_types: @detection_cache.values.flat_map { |v| v[:proxy_types] }.tally,
+        average_confidence: calculate_average_confidence,
+        last_detection: @last_detection_time.values.max
+      }
+    end
+
+    # Clear detection cache
+    def clear_cache
+      @detection_cache.clear
+      @last_detection_time.clear
+    end
+
+    private
+
+    def cached_and_fresh?(ip, ttl = 300)
+      return false unless @detection_cache[ip]
+      return false unless @last_detection_time[ip]
+      
+      Time.now.to_f - @last_detection_time[ip] < ttl
+    end
+
+    def cached_result(ip)
+      result = @detection_cache[ip].dup
+      result[:cached] = true
+      result
+    end
+
+    def cache_result(ip, results)
+      @detection_cache[ip] = results
+      @last_detection_time[ip] = Time.now.to_f
+    end
+
+    def calculate_confidence_score(results)
+      base_score = 0.0
+      
+      # Weight different proxy types
+      type_weights = {
+        "tor_exit_node" => 0.9,
+        "mitm_appliance" => 0.8,
+        "vpn_service" => 0.6,
+        "custom_dns" => 0.3
+      }
+      
+      results[:proxy_types].each do |type|
+        base_score += type_weights[type] || 0.5
+      end
+      
+      # Factor in number of indicators
+      indicator_bonus = [results[:indicators].size * 0.1, 0.3].min
+      
+      # Cap at 1.0
+      [base_score + indicator_bonus, 1.0].min
+    end
+
+    def check_tor_exit_lists(ip)
+      # Placeholder for external Tor exit node list checking
+      # In production, this would query Tor directory authorities
+      []
+    end
+
+    def analyze_tor_network_characteristics(ip)
+      indicators = []
+      
+      # Check for common Tor exit node ports
+      common_tor_ports = [80, 443, 993, 995]
+      # This would require actual port scanning in production
+      
+      indicators
+    end
+
+    def analyze_asn_for_vpn(ip)
+      indicators = []
+      
+      # This would require ASN lookup in production
+      # For now, return empty array
+      
+      indicators
+    end
+
+    def analyze_hosting_characteristics(ip)
+      indicators = []
+      
+      # Check if IP is in known datacenter ranges
+      # This would require GeoIP database in production
+      
+      indicators
+    end
+
+    def detect_transparent_proxy(ip, additional_data)
+      indicators = []
+      
+      # Check for transparent proxy indicators
+      if additional_data[:tcp_timestamp_anomaly]
+        indicators << "tcp_timestamp_anomaly"
+      end
+      
+      if additional_data[:ttl_anomaly]
+        indicators << "ttl_hop_anomaly"
+      end
+      
+      indicators
+    end
+
+    def is_isp_dns?(dns_server)
+      # Check if DNS server belongs to common ISP ranges
+      # This would require ISP database lookup in production
+      false
+    end
+
+    def calculate_average_confidence
+      return 0.0 if @detection_cache.empty?
+      
+      total_confidence = @detection_cache.values.sum { |v| v[:confidence_score] }
+      total_confidence / @detection_cache.size
+    end
+  end
+end