RubyGems - ai_root_shield - Versions diffs - 0.4.0 → 1.0.0 - Mend

ai_root_shield 0.4.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +52 -4
data/README.md +191 -14
data/bindings/python/README.md +304 -0
data/bindings/python/ai_root_shield.py +438 -0
data/bindings/python/setup.py +65 -0
data/examples/device_logs/android_safetynet_device.json +148 -0
data/examples/device_logs/ios_jailbroken_device.json +172 -0
data/exe/ai_root_shield +220 -7
data/lib/ai_root_shield/ci_cd/security_test_module.rb +743 -0
data/lib/ai_root_shield/dashboard/web_dashboard.rb +441 -0
data/lib/ai_root_shield/enterprise/alert_system.rb +601 -0
data/lib/ai_root_shield/enterprise/hybrid_detection_engine.rb +650 -0
data/lib/ai_root_shield/enterprise/performance_optimizer.rb +613 -0
data/lib/ai_root_shield/enterprise/policy_manager.rb +637 -0
data/lib/ai_root_shield/integrations/siem_connector.rb +695 -0
data/lib/ai_root_shield/platform/android_security_module.rb +263 -0
data/lib/ai_root_shield/platform/hardware_security_analyzer.rb +452 -0
data/lib/ai_root_shield/platform/ios_security_module.rb +513 -0
data/lib/ai_root_shield/platform/unified_report_generator.rb +613 -0
data/lib/ai_root_shield/version.rb +1 -1
data/lib/ai_root_shield.rb +152 -1
data/security_test_artifacts/security_report.json +124 -0
data/security_test_artifacts/security_results.sarif +16 -0
data/security_test_artifacts/security_tests.xml +3 -0
metadata +20 -1

data/lib/ai_root_shield/integrations/siem_connector.rb ADDED Viewed

@@ -0,0 +1,695 @@
+# frozen_string_literal: true
+require 'json'
+require 'net/http'
+require 'uri'
+require 'time'
+module AiRootShield
+  module Integrations
+    # SIEM and SOC integration connector for third-party security platforms
+    class SiemConnector
+      # Supported SIEM platforms
+      SUPPORTED_PLATFORMS = {
+        splunk: 'Splunk Enterprise/Cloud',
+        elastic: 'Elastic Stack (ELK)',
+        qradar: 'IBM QRadar',
+        sentinel: 'Microsoft Sentinel',
+        sumo_logic: 'Sumo Logic',
+        datadog: 'Datadog Security',
+        chronicle: 'Google Chronicle',
+        arcsight: 'Micro Focus ArcSight'
+      }.freeze
+      # Event severity levels
+      SEVERITY_LEVELS = {
+        info: 1,
+        low: 2,
+        medium: 3,
+        high: 4,
+        critical: 5
+      }.freeze
+      def initialize(platform, config = {})
+        @platform = platform.to_sym
+        @config = config
+        @api_endpoint = config[:api_endpoint]
+        @api_key = config[:api_key]
+        @index = config[:index] || 'ai_root_shield'
+        @source_type = config[:source_type] || 'mobile_security'
+        @timeout = config[:timeout] || 30
+        validate_configuration
+      end
+      # Send security events to SIEM platform
+      def send_security_event(analysis_results, metadata = {})
+        event_data = format_security_event(analysis_results, metadata)
+        case @platform
+        when :splunk
+          send_to_splunk(event_data)
+        when :elastic
+          send_to_elastic(event_data)
+        when :qradar
+          send_to_qradar(event_data)
+        when :sentinel
+          send_to_sentinel(event_data)
+        when :sumo_logic
+          send_to_sumo_logic(event_data)
+        when :datadog
+          send_to_datadog(event_data)
+        when :chronicle
+          send_to_chronicle(event_data)
+        when :arcsight
+          send_to_arcsight(event_data)
+        else
+          raise "Unsupported SIEM platform: #{@platform}"
+        end
+      end
+      # Send batch of security events
+      def send_batch_events(analysis_results_array, metadata = {})
+        batch_data = analysis_results_array.map do |results|
+          format_security_event(results, metadata)
+        end
+        case @platform
+        when :splunk
+          send_batch_to_splunk(batch_data)
+        when :elastic
+          send_batch_to_elastic(batch_data)
+        else
+          # For platforms without native batch support, send individually
+          batch_data.each { |event| send_security_event(event, metadata) }
+        end
+      end
+      # Create security alert based on risk threshold
+      def create_security_alert(analysis_results, alert_config = {})
+        risk_score = analysis_results[:risk_score] || 0
+        threshold = alert_config[:threshold] || 70
+        return unless risk_score >= threshold
+        alert_data = {
+          alert_id: generate_alert_id,
+          timestamp: Time.now.utc.iso8601,
+          severity: determine_alert_severity(risk_score),
+          title: generate_alert_title(analysis_results),
+          description: generate_alert_description(analysis_results),
+          risk_score: risk_score,
+          risk_factors: analysis_results[:risk_factors] || [],
+          platform: analysis_results[:platform] || 'unknown',
+          device_info: extract_device_info(analysis_results),
+          remediation_steps: generate_remediation_steps(analysis_results),
+          tags: generate_alert_tags(analysis_results)
+        }
+        send_alert(alert_data)
+      end
+      # Query SIEM for historical security events
+      def query_security_events(query_params = {})
+        case @platform
+        when :splunk
+          query_splunk(query_params)
+        when :elastic
+          query_elastic(query_params)
+        when :qradar
+          query_qradar(query_params)
+        else
+          raise "Query not supported for platform: #{@platform}"
+        end
+      end
+      # Generate security dashboard URL
+      def generate_dashboard_url(dashboard_type = 'overview')
+        case @platform
+        when :splunk
+          "#{@api_endpoint}/app/search/ai_root_shield_#{dashboard_type}"
+        when :elastic
+          "#{@api_endpoint}/app/kibana#/dashboard/ai-root-shield-#{dashboard_type}"
+        when :datadog
+          "#{@api_endpoint}/dashboard/ai-root-shield-#{dashboard_type}"
+        else
+          @api_endpoint
+        end
+      end
+      private
+      # Validate SIEM configuration
+      def validate_configuration
+        raise "API endpoint required for #{@platform}" unless @api_endpoint
+        raise "API key required for #{@platform}" unless @api_key
+        unless SUPPORTED_PLATFORMS.key?(@platform)
+          raise "Unsupported SIEM platform: #{@platform}"
+        end
+      end
+      # Format security event for SIEM ingestion
+      def format_security_event(analysis_results, metadata)
+        {
+          timestamp: Time.now.utc.iso8601,
+          event_type: 'mobile_security_analysis',
+          source: 'ai_root_shield',
+          version: AiRootShield::VERSION,
+          severity: determine_event_severity(analysis_results[:risk_score]),
+          risk_score: analysis_results[:risk_score] || 0,
+          risk_level: determine_risk_level(analysis_results[:risk_score]),
+          platform: analysis_results[:platform] || 'unknown',
+          risk_factors: analysis_results[:risk_factors] || [],
+          device_info: extract_device_info(analysis_results),
+          security_analysis: format_security_analysis(analysis_results),
+          compliance_status: extract_compliance_status(analysis_results),
+          metadata: metadata,
+          tags: generate_event_tags(analysis_results)
+        }
+      end
+      # Splunk integration methods
+      def send_to_splunk(event_data)
+        uri = URI("#{@api_endpoint}/services/collector/event")
+        payload = {
+          time: Time.now.to_i,
+          host: Socket.gethostname,
+          source: 'ai_root_shield',
+          sourcetype: @source_type,
+          index: @index,
+          event: event_data
+        }
+        send_http_request(uri, payload, {
+          'Authorization' => "Splunk #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      def send_batch_to_splunk(batch_data)
+        uri = URI("#{@api_endpoint}/services/collector/event")
+        batch_payload = batch_data.map do |event|
+          {
+            time: Time.now.to_i,
+            host: Socket.gethostname,
+            source: 'ai_root_shield',
+            sourcetype: @source_type,
+            index: @index,
+            event: event
+          }
+        end.join("\n")
+        send_http_request(uri, batch_payload, {
+          'Authorization' => "Splunk #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      def query_splunk(query_params)
+        search_query = build_splunk_query(query_params)
+        uri = URI("#{@api_endpoint}/services/search/jobs")
+        payload = {
+          search: search_query,
+          output_mode: 'json'
+        }
+        send_http_request(uri, payload, {
+          'Authorization' => "Splunk #{@api_key}",
+          'Content-Type' => 'application/x-www-form-urlencoded'
+        })
+      end
+      # Elastic Stack integration methods
+      def send_to_elastic(event_data)
+        uri = URI("#{@api_endpoint}/#{@index}/_doc")
+        send_http_request(uri, event_data, {
+          'Authorization' => "ApiKey #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      def send_batch_to_elastic(batch_data)
+        uri = URI("#{@api_endpoint}/_bulk")
+        bulk_payload = batch_data.map do |event|
+          index_line = { index: { _index: @index } }
+          "#{index_line.to_json}\n#{event.to_json}"
+        end.join("\n") + "\n"
+        send_http_request(uri, bulk_payload, {
+          'Authorization' => "ApiKey #{@api_key}",
+          'Content-Type' => 'application/x-ndjson'
+        })
+      end
+      def query_elastic(query_params)
+        uri = URI("#{@api_endpoint}/#{@index}/_search")
+        query = build_elastic_query(query_params)
+        send_http_request(uri, query, {
+          'Authorization' => "ApiKey #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      # QRadar integration methods
+      def send_to_qradar(event_data)
+        uri = URI("#{@api_endpoint}/api/siem/events")
+        qradar_event = format_qradar_event(event_data)
+        send_http_request(uri, qradar_event, {
+          'SEC' => @api_key,
+          'Content-Type' => 'application/json'
+        })
+      end
+      def query_qradar(query_params)
+        uri = URI("#{@api_endpoint}/api/siem/events")
+        query = build_qradar_query(query_params)
+        uri.query = URI.encode_www_form(query)
+        send_http_request(uri, nil, {
+          'SEC' => @api_key,
+          'Accept' => 'application/json'
+        }, 'GET')
+      end
+      # Microsoft Sentinel integration methods
+      def send_to_sentinel(event_data)
+        uri = URI("#{@api_endpoint}/api/logs")
+        sentinel_event = format_sentinel_event(event_data)
+        send_http_request(uri, sentinel_event, {
+          'Authorization' => "Bearer #{@api_key}",
+          'Content-Type' => 'application/json',
+          'Log-Type' => 'AiRootShieldSecurityEvent'
+        })
+      end
+      # Sumo Logic integration methods
+      def send_to_sumo_logic(event_data)
+        uri = URI(@api_endpoint) # Sumo Logic HTTP collector endpoint
+        send_http_request(uri, event_data, {
+          'Content-Type' => 'application/json',
+          'X-Sumo-Name' => 'AI Root Shield Security Events',
+          'X-Sumo-Category' => 'mobile_security'
+        })
+      end
+      # Datadog integration methods
+      def send_to_datadog(event_data)
+        uri = URI("#{@api_endpoint}/v1/logs")
+        datadog_event = format_datadog_event(event_data)
+        send_http_request(uri, datadog_event, {
+          'DD-API-KEY' => @api_key,
+          'Content-Type' => 'application/json'
+        })
+      end
+      # Google Chronicle integration methods
+      def send_to_chronicle(event_data)
+        uri = URI("#{@api_endpoint}/v1/unstructuredlogentries:batchCreate")
+        chronicle_event = format_chronicle_event(event_data)
+        send_http_request(uri, chronicle_event, {
+          'Authorization' => "Bearer #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      # ArcSight integration methods
+      def send_to_arcsight(event_data)
+        uri = URI("#{@api_endpoint}/logger/api/events")
+        arcsight_event = format_arcsight_event(event_data)
+        send_http_request(uri, arcsight_event, {
+          'Authorization' => "Basic #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      # Alert methods
+      def send_alert(alert_data)
+        case @platform
+        when :splunk
+          send_splunk_alert(alert_data)
+        when :elastic
+          send_elastic_alert(alert_data)
+        when :datadog
+          send_datadog_alert(alert_data)
+        else
+          # Send as regular event with alert flag
+          alert_event = alert_data.merge(event_type: 'security_alert')
+          send_security_event(alert_event)
+        end
+      end
+      # HTTP request helper
+      def send_http_request(uri, payload, headers, method = 'POST')
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = uri.scheme == 'https'
+        http.read_timeout = @timeout
+        request = case method.upcase
+                  when 'GET'
+                    Net::HTTP::Get.new(uri)
+                  when 'POST'
+                    Net::HTTP::Post.new(uri)
+                  when 'PUT'
+                    Net::HTTP::Put.new(uri)
+                  else
+                    raise "Unsupported HTTP method: #{method}"
+                  end
+        headers.each { |key, value| request[key] = value }
+        if payload
+          request.body = payload.is_a?(String) ? payload : payload.to_json
+        end
+        response = http.request(request)
+        unless response.code.start_with?('2')
+          raise "SIEM request failed: #{response.code} - #{response.body}"
+        end
+        JSON.parse(response.body) if response.body && !response.body.empty?
+      rescue JSON::ParserError
+        response.body
+      end
+      # Utility methods
+      def determine_event_severity(risk_score)
+        case risk_score
+        when 0..20
+          SEVERITY_LEVELS[:info]
+        when 21..40
+          SEVERITY_LEVELS[:low]
+        when 41..70
+          SEVERITY_LEVELS[:medium]
+        when 71..85
+          SEVERITY_LEVELS[:high]
+        else
+          SEVERITY_LEVELS[:critical]
+        end
+      end
+      def determine_alert_severity(risk_score)
+        case risk_score
+        when 70..79
+          'high'
+        when 80..89
+          'critical'
+        else
+          'critical'
+        end
+      end
+      def determine_risk_level(risk_score)
+        case risk_score
+        when 0..20
+          'LOW'
+        when 21..40
+          'MEDIUM'
+        when 41..70
+          'HIGH'
+        else
+          'CRITICAL'
+        end
+      end
+      def extract_device_info(analysis_results)
+        {
+          platform: analysis_results[:platform],
+          device_model: analysis_results.dig(:device_info, :model),
+          os_version: analysis_results.dig(:device_info, :os_version),
+          app_version: analysis_results.dig(:device_info, :app_version)
+        }
+      end
+      def format_security_analysis(analysis_results)
+        {
+          safetynet: analysis_results[:safetynet],
+          play_integrity: analysis_results[:play_integrity],
+          jailbreak_detection: analysis_results[:jailbreak_detection],
+          code_signing: analysis_results[:code_signing],
+          hardware_security: analysis_results[:hardware_security],
+          system_integrity: analysis_results[:system_integrity]
+        }.compact
+      end
+      def extract_compliance_status(analysis_results)
+        analysis_results[:compliance] || {}
+      end
+      def generate_event_tags(analysis_results)
+        tags = ['mobile_security', 'ai_root_shield']
+        tags << analysis_results[:platform] if analysis_results[:platform]
+        tags << 'high_risk' if (analysis_results[:risk_score] || 0) > 70
+        tags << 'jailbroken' if analysis_results[:risk_factors]&.any? { |f| f.include?('JAILBREAK') }
+        tags << 'rooted' if analysis_results[:risk_factors]&.any? { |f| f.include?('ROOT') }
+        tags
+      end
+      def generate_alert_id
+        "ARS-ALERT-#{Time.now.strftime('%Y%m%d%H%M%S')}-#{SecureRandom.hex(4).upcase}"
+      end
+      def generate_alert_title(analysis_results)
+        risk_score = analysis_results[:risk_score] || 0
+        platform = analysis_results[:platform] || 'Unknown'
+        "High Risk Mobile Device Detected - #{platform} (Risk Score: #{risk_score})"
+      end
+      def generate_alert_description(analysis_results)
+        risk_factors = analysis_results[:risk_factors] || []
+        platform = analysis_results[:platform] || 'unknown'
+        description = "AI Root Shield detected a high-risk #{platform} device with #{risk_factors.size} security issues:\n"
+        risk_factors.first(5).each { |factor| description += "• #{factor}\n" }
+        description += "Immediate security review recommended."
+        description
+      end
+      def generate_remediation_steps(analysis_results)
+        steps = []
+        risk_factors = analysis_results[:risk_factors] || []
+        risk_factors.each do |factor|
+          case factor
+          when /ROOT|JAILBREAK/
+            steps << "Block device access until security compliance is restored"
+          when /EMULATOR/
+            steps << "Implement additional emulator detection measures"
+          when /FRIDA|XPOSED/
+            steps << "Deploy runtime application self-protection (RASP)"
+          when /INTEGRITY/
+            steps << "Verify application signature and code integrity"
+          end
+        end
+        steps.uniq.first(5)
+      end
+      def generate_alert_tags(analysis_results)
+        tags = generate_event_tags(analysis_results)
+        tags << 'security_alert'
+        tags << 'requires_action'
+        tags
+      end
+      # Platform-specific formatting methods
+      def format_qradar_event(event_data)
+        {
+          events: [{
+            eventTime: Time.now.to_i * 1000,
+            eventCategory: 1003, # Security event category
+            severity: event_data[:severity],
+            sourceIP: '127.0.0.1',
+            destinationIP: '127.0.0.1',
+            eventName: 'Mobile Security Analysis',
+            eventDescription: event_data.to_json,
+            properties: event_data.transform_keys(&:to_s)
+          }]
+        }
+      end
+      def format_sentinel_event(event_data)
+        [{
+          TimeGenerated: event_data[:timestamp],
+          EventType: event_data[:event_type],
+          Severity: event_data[:severity],
+          RiskScore: event_data[:risk_score],
+          Platform: event_data[:platform],
+          RiskFactors: event_data[:risk_factors].join(','),
+          EventData: event_data.to_json
+        }]
+      end
+      def format_datadog_event(event_data)
+        {
+          ddsource: 'ai_root_shield',
+          ddtags: event_data[:tags].join(','),
+          hostname: Socket.gethostname,
+          message: event_data.to_json,
+          service: 'mobile_security',
+          timestamp: Time.now.to_i * 1000
+        }
+      end
+      def format_chronicle_event(event_data)
+        {
+          entries: [{
+            logText: event_data.to_json,
+            timestamp: {
+              seconds: Time.now.to_i
+            }
+          }]
+        }
+      end
+      def format_arcsight_event(event_data)
+        {
+          events: [{
+            name: 'Mobile Security Analysis',
+            deviceEventClassId: 'mobile_security_analysis',
+            severity: event_data[:severity],
+            message: event_data.to_json,
+            deviceProduct: 'AI Root Shield',
+            deviceVendor: 'Ahmet KAHRAMAN',
+            deviceVersion: AiRootShield::VERSION
+          }]
+        }
+      end
+      # Query builders
+      def build_splunk_query(query_params)
+        base_query = "search index=#{@index} source=ai_root_shield"
+        if query_params[:start_time]
+          base_query += " earliest=#{query_params[:start_time]}"
+        end
+        if query_params[:end_time]
+          base_query += " latest=#{query_params[:end_time]}"
+        end
+        if query_params[:platform]
+          base_query += " platform=#{query_params[:platform]}"
+        end
+        if query_params[:risk_threshold]
+          base_query += " risk_score>=#{query_params[:risk_threshold]}"
+        end
+        base_query
+      end
+      def build_elastic_query(query_params)
+        query = {
+          query: {
+            bool: {
+              must: []
+            }
+          }
+        }
+        if query_params[:start_time] || query_params[:end_time]
+          range_query = { range: { timestamp: {} } }
+          range_query[:range][:timestamp][:gte] = query_params[:start_time] if query_params[:start_time]
+          range_query[:range][:timestamp][:lte] = query_params[:end_time] if query_params[:end_time]
+          query[:query][:bool][:must] << range_query
+        end
+        if query_params[:platform]
+          query[:query][:bool][:must] << { term: { platform: query_params[:platform] } }
+        end
+        if query_params[:risk_threshold]
+          query[:query][:bool][:must] << { range: { risk_score: { gte: query_params[:risk_threshold] } } }
+        end
+        query
+      end
+      def build_qradar_query(query_params)
+        query = {}
+        if query_params[:start_time]
+          query[:startTime] = query_params[:start_time]
+        end
+        if query_params[:end_time]
+          query[:endTime] = query_params[:end_time]
+        end
+        query[:filter] = "eventName='Mobile Security Analysis'"
+        query
+      end
+      # Alert senders
+      def send_splunk_alert(alert_data)
+        # Send to Splunk as notable event
+        uri = URI("#{@api_endpoint}/services/notable_update")
+        payload = {
+          ruleNames: ['AI Root Shield High Risk Alert'],
+          status: 'new',
+          urgency: alert_data[:severity],
+          comment: alert_data[:description],
+          eventIds: [alert_data[:alert_id]]
+        }
+        send_http_request(uri, payload, {
+          'Authorization' => "Splunk #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      def send_elastic_alert(alert_data)
+        # Send to Elasticsearch as alert document
+        uri = URI("#{@api_endpoint}/ai_root_shield_alerts/_doc/#{alert_data[:alert_id]}")
+        send_http_request(uri, alert_data, {
+          'Authorization' => "ApiKey #{@api_key}",
+          'Content-Type' => 'application/json'
+        })
+      end
+      def send_datadog_alert(alert_data)
+        # Send to Datadog as event
+        uri = URI("#{@api_endpoint}/v1/events")
+        payload = {
+          title: alert_data[:title],
+          text: alert_data[:description],
+          alert_type: alert_data[:severity],
+          source_type_name: 'ai_root_shield',
+          tags: alert_data[:tags]
+        }
+        send_http_request(uri, payload, {
+          'DD-API-KEY' => @api_key,
+          'Content-Type' => 'application/json'
+        })
+      end
+    end
+  end
+end