@dimzxzzx07/file-watcher 1.0.0

package/src/detectors/AnomalyDetector.ts

@@ -0,0 +1,247 @@
+import { Logger } from '../utils/Logger';
+
+export class AnomalyDetector {
+    private readonly logger: Logger;
+    private readonly baseline: Map<string, any>;
+    private readonly anomalies: any[];
+    private learningMode: boolean = true;
+    private readonly learningPeriod: number = 3600000;
+
+    constructor() {
+        this.logger = Logger.getInstance();
+        this.baseline = new Map();
+        this.anomalies = [];
+        
+        this.startLearning();
+    }
+
+    private startLearning(): void {
+        this.logger.info('Anomaly detector starting learning mode');
+        
+        setTimeout(() => {
+            this.learningMode = false;
+            this.logger.info('Anomaly detector learning complete');
+        }, this.learningPeriod);
+    }
+
+    public async detectAnomalies(filePath: string, content: Buffer): Promise<boolean> {
+        try {
+            const anomalies: string[] = [];
+
+            if (await this.isSizeAnomaly(filePath, content.length)) {
+                anomalies.push('size_anomaly');
+            }
+
+            if (await this.isTimingAnomaly(filePath)) {
+                anomalies.push('timing_anomaly');
+            }
+
+            if (await this.isContentPatternAnomaly(content)) {
+                anomalies.push('pattern_anomaly');
+            }
+
+            if (await this.isFrequencyAnomaly(filePath)) {
+                anomalies.push('frequency_anomaly');
+            }
+
+            if (await this.isStructuralAnomaly(content)) {
+                anomalies.push('structural_anomaly');
+            }
+
+            if (anomalies.length > 0) {
+                this.anomalies.push({
+                    filePath,
+                    timestamp: new Date(),
+                    anomalies,
+                    severity: this.calculateSeverity(anomalies.length)
+                });
+
+                this.logger.warning(`Anomalies detected in ${filePath}`, { anomalies });
+                return true;
+            }
+
+            return false;
+        } catch (error) {
+            this.logger.error('Error detecting anomalies', { error });
+            return true;
+        }
+    }
+
+    private async isSizeAnomaly(filePath: string, newSize: number): Promise<boolean> {
+        const stats = await this.getFileStats(filePath);
+        if (!stats) return false;
+
+        const avgSize = stats.sizes.reduce((a: number, b: number) => a + b, 0) / stats.sizes.length;
+        const stdDev = this.calculateStdDev(stats.sizes, avgSize);
+
+        return Math.abs(newSize - avgSize) > (stdDev * 3);
+    }
+
+    private async isTimingAnomaly(filePath: string): Promise<boolean> {
+        const stats = await this.getFileStats(filePath);
+        if (!stats) return false;
+
+        const now = Date.now();
+        const lastAccess = stats.lastAccess || now;
+        const timeDiff = now - lastAccess;
+
+        const hour = new Date().getHours();
+        if (hour >= 1 && hour <= 4) {
+            return timeDiff < 300000;
+        }
+
+        return false;
+    }
+
+    private async isContentPatternAnomaly(content: Buffer): Promise<boolean> {
+        const contentStr = content.toString();
+        
+        const charDistribution = this.getCharacterDistribution(contentStr);
+        
+        const normalDistribution = this.getNormalDistribution();
+        
+        let deviation = 0;
+        for (const [char, count] of charDistribution) {
+            const normalCount = normalDistribution.get(char) || 0;
+            deviation += Math.abs(count - normalCount);
+        }
+
+        return deviation > 100;
+    }
+
+    private async isFrequencyAnomaly(filePath: string): Promise<boolean> {
+        const stats = await this.getFileStats(filePath);
+        if (!stats) return false;
+
+        const now = Date.now();
+        const recentAccesses = stats.accessTimes.filter(
+            (time: number) => now - time < 60000
+        );
+
+        return recentAccesses.length > 10;
+    }
+
+    private async isStructuralAnomaly(content: Buffer): Promise<boolean> {
+        if (content.length < 100) return false;
+
+        const bytes = Array.from(content);
+        
+        let maxRunLength = 0;
+        let currentRun = 1;
+        
+        for (let i = 1; i < bytes.length; i++) {
+            if (bytes[i] === bytes[i - 1]) {
+                currentRun++;
+                maxRunLength = Math.max(maxRunLength, currentRun);
+            } else {
+                currentRun = 1;
+            }
+        }
+
+        return maxRunLength > 100;
+    }
+
+    private async getFileStats(filePath: string): Promise<any> {
+        if (!this.baseline.has(filePath)) {
+            this.baseline.set(filePath, {
+                sizes: [],
+                accessTimes: [],
+                lastAccess: null,
+                firstSeen: new Date()
+            });
+        }
+
+        return this.baseline.get(filePath);
+    }
+
+    private getCharacterDistribution(text: string): Map<string, number> {
+        const distribution = new Map<string, number>();
+        
+        for (const char of text) {
+            distribution.set(char, (distribution.get(char) || 0) + 1);
+        }
+        
+        return distribution;
+    }
+
+    private getNormalDistribution(): Map<string, number> {
+        const normal = new Map<string, number>();
+        normal.set('e', 12.7);
+        normal.set('t', 9.1);
+        normal.set('a', 8.2);
+        normal.set('o', 7.5);
+        normal.set('i', 7.0);
+        normal.set('n', 6.7);
+        normal.set('s', 6.3);
+        normal.set('h', 6.1);
+        normal.set('r', 6.0);
+        normal.set('d', 4.3);
+        normal.set('l', 4.0);
+        normal.set('c', 2.8);
+        normal.set('u', 2.8);
+        normal.set('m', 2.4);
+        normal.set('w', 2.4);
+        normal.set('f', 2.2);
+        normal.set('g', 2.0);
+        normal.set('y', 2.0);
+        normal.set('p', 1.9);
+        normal.set('b', 1.5);
+        normal.set('v', 1.0);
+        normal.set('k', 0.8);
+        normal.set('j', 0.2);
+        normal.set('x', 0.2);
+        normal.set('q', 0.1);
+        normal.set('z', 0.1);
+        
+        return normal;
+    }
+
+    private calculateStdDev(values: number[], mean: number): number {
+        const squareDiffs = values.map(value => Math.pow(value - mean, 2));
+        const avgSquareDiff = squareDiffs.reduce((a, b) => a + b, 0) / squareDiffs.length;
+        return Math.sqrt(avgSquareDiff);
+    }
+
+    private calculateSeverity(anomalyCount: number): string {
+        if (anomalyCount >= 4) return 'critical';
+        if (anomalyCount >= 2) return 'high';
+        return 'medium';
+    }
+
+    public updateBaseline(filePath: string, content: Buffer): void {
+        if (!this.learningMode) return;
+
+        const stats = this.baseline.get(filePath) || {
+            sizes: [],
+            accessTimes: [],
+            lastAccess: null,
+            firstSeen: new Date()
+        };
+
+        stats.sizes.push(content.length);
+        stats.accessTimes.push(Date.now());
+        stats.lastAccess = Date.now();
+
+        if (stats.sizes.length > 100) {
+            stats.sizes.shift();
+        }
+        if (stats.accessTimes.length > 100) {
+            stats.accessTimes.shift();
+        }
+
+        this.baseline.set(filePath, stats);
+    }
+
+    public getAnomalies(): any[] {
+        return [...this.anomalies];
+    }
+
+    public getStatus(): any {
+        return {
+            learningMode: this.learningMode,
+            baselineCount: this.baseline.size,
+            anomaliesDetected: this.anomalies.length,
+            learningPeriod: this.learningPeriod
+        };
+    }
+}

package/src/detectors/InjectionDetector.ts

@@ -0,0 +1,233 @@
+import { Logger } from '../utils/Logger';
+
+export class InjectionDetector {
+    private readonly logger: Logger;
+    
+    private readonly suspiciousPatterns = [
+        /eval\s*\(/i,
+        /Function\s*\(/i,
+        /setTimeout\s*\(\s*['"`]/i,
+        /setInterval\s*\(\s*['"`]/i,
+        /new\s+Function\s*\(/i,
+        /require\(['"][^'"]+['"]\)/i,
+        /process\.(binding|dlopen|kill)/i,
+        /child_process/,
+        /exec(File)?(Sync)?\s*\(/i,
+        /spawn(Sync)?\s*\(/i,
+        /fork\s*\(/i,
+        /vm\.(runIn|create)/i,
+        /\[\s*[\s\S]{100,}\s*\]/,
+        /String\.fromCharCode/,
+        /unescape\s*\(/i,
+        /escape\s*\(/i,
+        /decodeURI(Component)?\s*\(/i,
+        /atob\s*\(/i,
+        /btoa\s*\(/i,
+        /Buffer\.from\s*\(/i,
+        /new\s+Buffer\s*\(/i,
+        /__defineGetter__/,
+        /__defineSetter__/,
+        /__lookupGetter__/,
+        /__lookupSetter__/,
+        /Object\.(defineProperty|defineProperties)\s*\([^)]*(?:writable:\s*true|configurable:\s*true)/i,
+        /Reflect\.(set|defineProperty)/i,
+        /Proxy\s*\(/i,
+        /WeakMap|WeakSet/,
+        /FinalizationRegistry/,
+        /WebAssembly/,
+        /SharedArrayBuffer/,
+        /Atomics\./,
+        /globalThis/,
+        /global\s*\[/,
+        /this\.constructor/,
+        /\[\s*['"`]__proto__['"`]\s*\]/i,
+        /Object\.setPrototypeOf/,
+        /module\.constructor\._load/,
+        /process\.mainModule/,
+        /require\.cache/,
+        /module\.children/,
+        /\[\s*['"`]length['"`]\s*\]/
+    ];
+
+    private readonly malwareSignatures = [
+        'Injection by',
+        'Bypass',
+        'bypass',
+        'Injeksi',
+        'injeksi',
+        'Ultra-Audit V80',
+        'Ghost-FS',
+        'b64'
+    ];
+
+    constructor() {
+        this.logger = Logger.getInstance();
+    }
+
+    public async detectInjection(content: string): Promise<boolean> {
+        try {
+            if (this.hasMalwareSignature(content)) {
+                this.logger.warning('Malware signature detected');
+                return true;
+            }
+
+            if (this.hasSuspiciousPatterns(content)) {
+                this.logger.warning('Suspicious pattern detected');
+                return true;
+            }
+
+            if (this.hasEncodedContent(content)) {
+                this.logger.warning('Encoded content detected');
+                return true;
+            }
+
+            if (this.isObfuscated(content)) {
+                this.logger.warning('Obfuscated code detected');
+                return true;
+            }
+
+            if (this.isSelfModifying(content)) {
+                this.logger.warning('Self-modifying code detected');
+                return true;
+            }
+
+            return false;
+        } catch (error) {
+            this.logger.error('Injection detection error', { error });
+            return true;
+        }
+    }
+
+    private hasMalwareSignature(content: string): boolean {
+        return this.malwareSignatures.some(signature => 
+            content.includes(signature)
+        );
+    }
+
+    private hasSuspiciousPatterns(content: string): boolean {
+        let suspiciousCount = 0;
+        
+        for (const pattern of this.suspiciousPatterns) {
+            const matches = content.match(new RegExp(pattern.source, 'g')) || [];
+            suspiciousCount += matches.length;
+            
+            if (suspiciousCount > 5) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
+
+    private hasEncodedContent(content: string): boolean {
+        const base64Pattern = /[A-Za-z0-9+/]{50,}={0,2}/g;
+        const base64Matches = content.match(base64Pattern) || [];
+        
+        for (const match of base64Matches) {
+            try {
+                const decoded = Buffer.from(match, 'base64').toString();
+                if (this.hasSuspiciousPatterns(decoded)) {
+                    return true;
+                }
+            } catch {
+            }
+        }
+        
+        const hexPattern = /[0-9a-fA-F]{50,}/g;
+        const hexMatches = content.match(hexPattern) || [];
+        
+        for (const match of hexMatches) {
+            try {
+                const decoded = Buffer.from(match, 'hex').toString();
+                if (this.hasSuspiciousPatterns(decoded)) {
+                    return true;
+                }
+            } catch {
+            }
+        }
+        
+        const urlEncodedPattern = /%[0-9a-fA-F]{2}/g;
+        const urlMatches = content.match(urlEncodedPattern) || [];
+        
+        if (urlMatches.length > 20) {
+            try {
+                const decoded = decodeURIComponent(content);
+                if (this.hasSuspiciousPatterns(decoded)) {
+                    return true;
+                }
+            } catch {
+            }
+        }
+        
+        return false;
+    }
+
+    private isObfuscated(content: string): boolean {
+        const entropy = this.calculateEntropy(content);
+        if (entropy > 6.5) {
+            return true;
+        }
+        
+        const varNamePattern = /(?:var|let|const)\s+([a-zA-Z_$][0-9a-zA-Z_$]*)/g;
+        const varNames: string[] = [];
+        let match;
+        
+        while ((match = varNamePattern.exec(content)) !== null) {
+            if (match[1]) {
+                varNames.push(match[1]);
+            }
+        }
+        
+        const avgVarLength = varNames.reduce((sum, name) => sum + name.length, 0) / varNames.length;
+        if (avgVarLength > 15) {
+            return true;
+        }
+        
+        const lines = content.split('\n');
+        if (lines.length === 1 && content.length > 1000) {
+            return true;
+        }
+        
+        const bracketCount = (content.match(/[{}()[\]]/g) || []).length;
+        const bracketRatio = bracketCount / content.length;
+        if (bracketRatio > 0.3) {
+            return true;
+        }
+        
+        return false;
+    }
+
+    private isSelfModifying(content: string): boolean {
+        const selfModifyingPatterns = [
+            /Function\s*\(['"`][^)]*['"`]\s*\)/,
+            /eval\s*\(/,
+            /new\s+Function/,
+            /writeFileSync.*__filename/,
+            /unlinkSync.*__filename/,
+            /require\(['"`]fs['"`]\)/,
+            /process\.argv/,
+            /module\.exports\s*=/,
+            /exports\.[a-zA-Z_]+\s*=/
+        ];
+        
+        return selfModifyingPatterns.some(pattern => pattern.test(content));
+    }
+
+    private calculateEntropy(content: string): number {
+        const frequencies: { [key: string]: number } = {};
+        
+        for (const char of content) {
+            frequencies[char] = (frequencies[char] || 0) + 1;
+        }
+        
+        let entropy = 0;
+        const length = content.length;
+        
+        for (const freq of Object.values(frequencies)) {
+            const probability = freq / length;
+            entropy -= probability * Math.log2(probability);
+        }
+        
+        return entropy;
+    }
+}