diff --git a/.gitignore b/.gitignore index 64c65f2..380771f 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,10 @@ build/ .gradle/ /bin/ +.idea/ +*.iml +*.class + .settings/ .classpath .project diff --git a/analyzer/Aggregator.java b/analyzer/Aggregator.java deleted file mode 100644 index 9d3a14a..0000000 --- a/analyzer/Aggregator.java +++ /dev/null @@ -1,20 +0,0 @@ -public class Aggregator -{ - public static void main(String [] args) - { - try - { - final Database db1 = new Database(args[0]); - final Database db2 = new Database(args[1]); - - db1.commit(db2); - db1.dump(args[2]); - - } - catch(Exception e) - { - e.printStackTrace(); - //System.out.println("ERROR: " + e); - } - } -} diff --git a/analyzer/BoSC.java b/analyzer/BoSC.java index 4a53fde..913b661 100644 --- a/analyzer/BoSC.java +++ b/analyzer/BoSC.java @@ -1,23 +1,20 @@ +package analyzer; + import java.util.ArrayList; -import java.util.Collections; /** * Bag of System Calls * * @author AmrAbed - * */ -public class BoSC extends ArrayList -{ +public class BoSC extends ArrayList { private static final long serialVersionUID = 1L; - public BoSC(String string) - { + public BoSC(String string) { string = string.replace("[", ""); string = string.replace("]", ""); - for (String value : string.split(",")) - { + for (String value : string.split(",")) { add(Byte.parseByte(value.trim())); } } diff --git a/analyzer/Comparator.java b/analyzer/Comparator.java deleted file mode 100644 index 71d6f50..0000000 --- a/analyzer/Comparator.java +++ /dev/null @@ -1,20 +0,0 @@ -public class Comparator -{ - public static void main(String [] args) - { - try - { - final Database db1 = new Database(args[0]); - final Database db2 = new Database(args[1]); - - double similarity = db1.calculateSimilarity(db2); - - System.out.println("Similaity: " + similarity); - } - catch(Exception e) - { - e.printStackTrace(); - //System.out.println("ERROR: " + e); - } - } -} diff --git a/analyzer/Database.java b/analyzer/Database.java index 6b8ac77..e51170d 100644 --- a/analyzer/Database.java +++ b/analyzer/Database.java @@ -1,3 +1,5 @@ +package analyzer; + import java.io.BufferedReader; import java.io.FileNotFoundException; import java.io.FileReader; @@ -10,118 +12,96 @@ * Normal-behavior Database * * @author AmrAbed - * */ -public class Database extends HashMap -{ +public class Database extends HashMap { private static final long serialVersionUID = 1L; /** * Create normal-behavior database from a dump file * - * @param filePath - * path to the dump file - * @throws NumberFormatException + * @param filePath path to the dump file * @throws IOException */ - public Database(String filePath) throws NumberFormatException, IOException - { - if (filePath != null) - { - final BufferedReader reader = new BufferedReader(new FileReader(filePath)); - String line; - while ((line = reader.readLine()) != null) - { - final String[] words = line.split("\t"); - put(new BoSC(words[0]), Long.parseLong(words[1])); + public Database(String filePath) throws IOException { + if (filePath != null) { + try (final BufferedReader reader = new BufferedReader(new FileReader(filePath))) { + String line; + while ((line = reader.readLine()) != null) { + final String[] words = line.split("\t"); + put(new BoSC(words[0]), Long.parseLong(words[1])); + } + } finally { + reader.close(); } - reader.close(); } } - public void add(BoSC bosc) - { - if (bosc == null) - { + public void add(BoSC bosc) { + if (bosc == null) { return; } - if (containsKey(bosc)) - { + if (containsKey(bosc)) { replace(bosc, get(bosc) + 1); - } - else - { + } else { put(bosc, 1L); } } - public void commit(Database change) - { - for (BoSC bosc : change.keySet()) - { + public void commit(Database change) { + for (BoSC bosc : change.keySet()) { long value = change.get(bosc); - if (this.containsKey(bosc)) - { + if (this.containsKey(bosc)) { value += this.get(bosc); } this.put(bosc, value); } } - private double getNorm() - { + private double getNorm() { double norm = 0; - for (BoSC bosc : keySet()) - { + for (BoSC bosc : keySet()) { long val = get(bosc); norm += val * val; } return Math.sqrt(norm); } - public double calculateSimilarity(Database other) - { - if (this.isEmpty() || other.isEmpty()) - { + public double calculateSimilarity(Database other) { + if (this.isEmpty() || other.isEmpty()) { return 0; } double dot = 0; - double norm1 = this.getNorm(), norm2 = other.getNorm(); - for (BoSC bosc : keySet()) - { -// System.out.print(bosc + " -> "); - if (other.containsKey(bosc)) - { + double norm1 = this.getNorm(); + double norm2 = other.getNorm(); + for (BoSC bosc : keySet()) { + if (other.containsKey(bosc)) { long value1 = other.get(bosc); long value2 = this.get(bosc); -// System.out.print("found (Frequencies: " + value2 + " & " + value1 + ")"); dot += value1 * value2; } } return dot / (norm1 * norm2); } - public void dump(String file) throws FileNotFoundException - { - try (PrintStream out = new PrintStream(file)) - { - for (BoSC bosc : keySet()) - { + public void dump(String file) throws FileNotFoundException { + try (PrintStream out = new PrintStream(file)) { + for (BoSC bosc : keySet()) { out.println(bosc + "\t" + get(bosc)); } } } @Override - public String toString() - { - String output = new String(); - for (ArrayList entry : keySet()) - { - output += entry + " => " + get(entry) + "\n"; + public String toString() { + final StringBuilder output = new StringBuilder(); + for (Entry entry : entrySet()) { + output.append(entry.getKey()); + output.append(" => "); + output.append(entry.getValue()); + output.append('\n'); } - return output; + return output.toString(); } } diff --git a/analyzer/aggregate/Aggregator.java b/analyzer/aggregate/Aggregator.java new file mode 100644 index 0000000..239f64f --- /dev/null +++ b/analyzer/aggregate/Aggregator.java @@ -0,0 +1,21 @@ +package analyzer.aggregate; + +import java.util.logging.Logger; +import java.util.logging.Level; + +import analyzer.Database; + +public class Aggregator { + public static void main(String[] args) { + try { + final Database db1 = new Database(args[0]); + final Database db2 = new Database(args[1]); + + db1.commit(db2); + db1.dump(args[2]); + + } catch (Exception e) { + Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.SEVERE, e.toString()); + } + } +} diff --git a/analyzer/compare/Comparator.java b/analyzer/compare/Comparator.java new file mode 100644 index 0000000..8e1d354 --- /dev/null +++ b/analyzer/compare/Comparator.java @@ -0,0 +1,20 @@ +package analyzer.compare; + +import java.util.logging.Logger; +import java.util.logging.Level; + +import analyzer.Database; + +public class Comparator { + public static void main(String[] args) { + try { + final Database db1 = new Database(args[0]); + final Database db2 = new Database(args[1]); + final double similarity = db1.calculateSimilarity(db2); + Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.INFO, () -> "Similaity: " + similarity); + + } catch (Exception e) { + Logger.getLogger(Logger.GLOBAL_LOGGER_NAME).log(Level.SEVERE, e.toString()); + } + } +} \ No newline at end of file diff --git a/build.gradle b/build.gradle index a74f077..b80884f 100644 --- a/build.gradle +++ b/build.gradle @@ -1,5 +1,4 @@ apply plugin: 'java' -apply plugin: 'eclipse' apply plugin: 'application' mainClassName = 'edu.vt.rhids.main.RHIDS' @@ -16,11 +15,10 @@ task createJar(type: Jar) { with jar } - repositories { mavenCentral() } dependencies { - compile group: 'commons-cli', name: 'commons-cli', version: '1.2' + implementation 'commons-cli:commons-cli:1.2' } diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 7e7e0b7..8c5b198 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ -#Sun Mar 05 18:43:08 UTC 2017 +#Wed Nov 28 12:06:22 EET 2018 distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-3.4.1-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-3.4.1-all.zip diff --git a/src/main/java/edu/vt/rhids/common/Database.java b/src/main/java/edu/vt/rhids/common/Database.java index 0de0cbb..65130ff 100644 --- a/src/main/java/edu/vt/rhids/common/Database.java +++ b/src/main/java/edu/vt/rhids/common/Database.java @@ -1,103 +1,79 @@ package edu.vt.rhids.common; -import java.io.BufferedReader; -import java.io.FileNotFoundException; -import java.io.FileReader; -import java.io.IOException; -import java.io.PrintStream; -import java.util.ArrayList; -import java.util.HashMap; - import edu.vt.rhids.input.BoSC; import edu.vt.rhids.util.Logger; import edu.vt.rhids.util.Logger.Verbosity; +import java.io.*; +import java.util.HashMap; + /** * Normal-behavior Database - * - * @author AmrAbed * + * @author AmrAbed */ -public class Database extends HashMap -{ +public class Database extends HashMap { private static final long serialVersionUID = 1L; /** * Create normal-behavior database from a dump file - * - * @param filePath - * path to the dump file - * @throws NumberFormatException - * @throws IOException + * + * @param filePath path to the dump file */ - public Database(String filePath) throws NumberFormatException, IOException - { - if (filePath != null) - { - final BufferedReader reader = new BufferedReader(new FileReader(filePath)); - String line; - while ((line = reader.readLine()) != null) - { - final String[] words = line.split("\t"); - put(new BoSC(words[0]), Long.parseLong(words[1])); + public Database(String filePath) throws IOException { + if (filePath != null) { + try (final BufferedReader reader = new BufferedReader(new FileReader(filePath))) { + String line; + while ((line = reader.readLine()) != null) { + final String[] words = line.split("\t"); + put(new BoSC(words[0]), Long.parseLong(words[1])); + } } - reader.close(); } } - public void add(BoSC bosc) - { - if (bosc == null) - { + public void add(BoSC bosc) { + if (bosc == null) { return; } - if (containsKey(bosc)) - { + if (containsKey(bosc)) { replace(bosc, get(bosc) + 1); - } - else - { + } else { put(bosc, 1L); } } - public void commit(Database change) - { - for (BoSC bosc : change.keySet()) - { + public void commit(Database change) { + for (Entry entry : change.entrySet()) { + final BoSC bosc = entry.getKey(); long value = change.get(bosc); - if (this.containsKey(bosc)) - { - value += this.get(bosc); + if (this.containsKey(bosc)) { + value += entry.getValue(); } this.put(bosc, value); } } - private double getNorm() - { + private double getNorm() { double norm = 0; - for (BoSC bosc : keySet()) - { - long val = get(bosc); + for (Entry entry : entrySet()) { + long val = entry.getValue(); norm += val * val; } return Math.sqrt(norm); } - public double calculateSimilarity(Database other) - { - if (this.isEmpty() || other.isEmpty()) - { + public double calculateSimilarity(Database other) { + if (this.isEmpty() || other.isEmpty()) { return 0; } - double dot = 0, norm1 = this.getNorm(), norm2 = other.getNorm(); - for (BoSC bosc : keySet()) - { - if (other.containsKey(bosc)) - { + double dot = 0; + double norm1 = this.getNorm(); + double norm2 = other.getNorm(); + for (BoSC bosc : keySet()) { + if (other.containsKey(bosc)) { long value1 = other.get(bosc); long value2 = this.get(bosc); dot += value1 * value2; @@ -106,28 +82,26 @@ public double calculateSimilarity(Database other) return dot / (norm1 * norm2); } - public void dump(String id) throws FileNotFoundException - { + public void dump(String id) throws FileNotFoundException { final String file = "/var/log/rhids/db-" + id + ".dump"; - try (PrintStream out = new PrintStream(file)) - { + try (PrintStream out = new PrintStream(file)) { Logger.log("Dumping database to " + file, Verbosity.MEDIUM); - for (BoSC bosc : keySet()) - { - out.println(bosc + "\t" + get(bosc)); + for (Entry entry : entrySet()) { + out.println(entry.getKey() + "\t" + entry.getValue()); } Logger.log("Done", Verbosity.MEDIUM); } } @Override - public String toString() - { - String output = new String(); - for (ArrayList entry : keySet()) - { - output += entry + " => " + get(entry) + "\n"; + public String toString() { + final StringBuilder output = new StringBuilder(); + for (Entry entry : entrySet()) { + output.append(entry.getKey()); + output.append(" => "); + output.append(entry.getValue()); + output.append('\n'); } - return output; + return output.toString(); } } diff --git a/src/main/java/edu/vt/rhids/common/IndexMap.java b/src/main/java/edu/vt/rhids/common/IndexMap.java index c56e122..0c4e428 100644 --- a/src/main/java/edu/vt/rhids/common/IndexMap.java +++ b/src/main/java/edu/vt/rhids/common/IndexMap.java @@ -1,11 +1,12 @@ package edu.vt.rhids.common; +import edu.vt.rhids.input.SyscallParser; +import edu.vt.rhids.util.Logger; + import java.io.BufferedReader; import java.io.IOException; import java.util.HashMap; -import edu.vt.rhids.input.SyscallParser; - /** * Lookup table for system call index * @@ -33,17 +34,13 @@ public IndexMap(BufferedReader reader) while ((line = reader.readLine()) != null) { String[] words = line.split("\t"); -// if (Integer.parseInt(words[1]) < size()) -// { -// break; -// } put(words[0], size()); } reader.close(); } catch (IOException e) { - System.err.println(e); + Logger.log(e.getMessage(), Logger.Verbosity.NONE); System.exit(-2); } } @@ -83,7 +80,7 @@ public IndexMap(BufferedReader reader, int epochSize) throws IOException } } - public int get(String syscall) + private int get(String syscall) { if (containsKey(syscall)) { @@ -95,13 +92,15 @@ public int get(String syscall) } } - public String toString() - { - String output = new String(); - for (String entry : keySet()) - { - output += entry + " => " + get(entry); + @Override + public String toString() { + final StringBuilder output = new StringBuilder(); + for (Entry entry : entrySet()) { + output.append(entry.getKey()); + output.append(" => "); + output.append(entry.getValue()); + output.append('\n'); } - return output; + return output.toString(); } } diff --git a/src/main/java/edu/vt/rhids/common/SimilarityVector.java b/src/main/java/edu/vt/rhids/common/SimilarityVector.java index 75f14f5..a7b3d77 100644 --- a/src/main/java/edu/vt/rhids/common/SimilarityVector.java +++ b/src/main/java/edu/vt/rhids/common/SimilarityVector.java @@ -2,27 +2,13 @@ import java.util.LinkedList; -public class SimilarityVector extends LinkedList -{ +public class SimilarityVector extends LinkedList { private static final long serialVersionUID = 1L; - private static final int SIZE = 3; - public void update(double similarity) - { - if (size() == SIZE) - { + public void update(double similarity) { + if (size() == 3) { removeFirst(); } addLast(similarity); } - - public boolean isAbove(float threshold) - { - boolean isAboveThreshold = (size() == SIZE); - for (double s : this) - { - isAboveThreshold &= (s >= threshold); - } - return isAboveThreshold; - } } diff --git a/src/main/java/edu/vt/rhids/input/SyscallParser.java b/src/main/java/edu/vt/rhids/input/SyscallParser.java index 9e6497d..cc6ae23 100644 --- a/src/main/java/edu/vt/rhids/input/SyscallParser.java +++ b/src/main/java/edu/vt/rhids/input/SyscallParser.java @@ -1,61 +1,53 @@ package edu.vt.rhids.input; + +import edu.vt.rhids.main.RHIDS; + import java.io.BufferedReader; import java.io.IOException; import java.util.regex.Matcher; import java.util.regex.Pattern; -import edu.vt.rhids.main.RHIDS; - /** - * Read system calls from input file + * Utility class to read system calls from input file * * @author AmrAbed - * */ -public class SyscallParser -{ - public static String parse(BufferedReader reader) throws IOException - { - try - { - final String line = reader. readLine(); +public class SyscallParser { + private SyscallParser() { + } + + public static String parse(BufferedReader reader) throws IOException { + try { + final String line = reader.readLine(); Matcher matcher = Pattern.compile("STOP TRAINING").matcher(line); - if (matcher.find()) - { + if (matcher.find()) { RHIDS.setDoneTraining(true); return parse(reader); } matcher = Pattern.compile("START ATTACK").matcher(line); - if (matcher.find()) - { + if (matcher.find()) { RHIDS.setUnderAttack(true); return parse(reader); } matcher = Pattern.compile("END ATTACK").matcher(line); - if (matcher.find()) - { + if (matcher.find()) { RHIDS.setUnderAttack(false); return parse(reader); } matcher = Pattern.compile("([a-z_]+)").matcher(line); - if (matcher.find()) - { + if (matcher.find()) { return matcher.group(1); - } - else - { + } else { // No new system call found .. skip to next line return parse(reader); } - } - catch (NullPointerException e) - { + } catch (NullPointerException e) { // End of file return null; } } -} +} \ No newline at end of file diff --git a/src/main/java/edu/vt/rhids/main/Classifier.java b/src/main/java/edu/vt/rhids/main/Classifier.java index a3735d2..5222e22 100644 --- a/src/main/java/edu/vt/rhids/main/Classifier.java +++ b/src/main/java/edu/vt/rhids/main/Classifier.java @@ -1,9 +1,5 @@ package edu.vt.rhids.main; -import java.io.BufferedReader; -import java.io.IOException; -import java.util.ArrayList; - import edu.vt.rhids.common.Database; import edu.vt.rhids.common.SimilarityVector; import edu.vt.rhids.input.BoSC; @@ -14,44 +10,39 @@ import edu.vt.rhids.util.Logger; import edu.vt.rhids.util.Logger.Verbosity; +import java.io.BufferedReader; +import java.io.IOException; +import java.util.ArrayList; + /** * "Real-time" Classifier * * @author AmrAbed - * */ -public class Classifier -{ +class Classifier { private final BufferedReader reader; private final Statistics stats; private final Database db; - public Classifier(BufferedReader reader, Statistics stats, String databaseFile) throws IOException - { + Classifier(BufferedReader reader, Statistics stats, String databaseFile) throws IOException { this.reader = reader; this.stats = stats; db = new Database(databaseFile); } - public boolean trainUnconditionally() throws IOException - { + boolean trainUnconditionally() throws IOException { final Window window = new Window(); BoSC bosc; String syscall; - while (!RHIDS.isDoneTraining()) - { - for (int i = 0; i < stats.getEpochSize(); i++) - { - if ((syscall = SyscallParser.parse(reader)) != null) - { + while (!RHIDS.isDoneTraining()) { + for (int i = 0; i < stats.getEpochSize(); i++) { + if ((syscall = SyscallParser.parse(reader)) != null) { bosc = window.slide(syscall).getBoSC(); db.add(bosc); Logger.log(syscall + " => " + window + " => " + bosc, Verbosity.HIGH); - } - else - { + } else { // Failed to train using input file Logger.signal("Training failed", Verbosity.LOW); db.dump(String.valueOf(stats.getEpochSize())); @@ -63,32 +54,23 @@ public boolean trainUnconditionally() throws IOException } db.dump(String.valueOf(stats.getEpochSize())); return true; - - // return train(); } - public boolean train() throws IOException - { + public boolean train() throws IOException { final SimilarityVector similarity = new SimilarityVector(); final Window window = new Window(); Database lastEpochChange = new Database(null); String syscall; - // while (!similarity.isAbove(stats.getTrainThreshold())) - while (!RHIDS.isDoneTraining()) - { + while (!RHIDS.isDoneTraining()) { Logger.log("\nEpoch " + stats.getTotalEpochs(), Verbosity.MEDIUM); final Database currentEpochChange = new Database(null); - for (int i = 0; i < stats.getEpochSize(); i++) - { - if ((syscall = SyscallParser.parse(reader)) != null) - { + for (int i = 0; i < stats.getEpochSize(); i++) { + if ((syscall = SyscallParser.parse(reader)) != null) { BoSC bosc = window.slide(syscall).getBoSC(); currentEpochChange.add(bosc); Logger.log(syscall + " => " + window + " => " + bosc, Verbosity.HIGH); - } - else - { + } else { // Failed to train using input file Logger.signal("Training failed", Verbosity.LOW); return false; @@ -110,58 +92,44 @@ public boolean train() throws IOException return true; } - public void test() throws IOException - { + void test() throws IOException { final Window window = new Window(); String syscall; - while (true) - { + while (true) { final Database currentEpochChange = new Database(null); boolean isAnomalousEpoch = false; int nMismatches = 0; - for (int i = 0; i < stats.getEpochSize(); i++) - { - if ((syscall = SyscallParser.parse(reader)) != null) - { - if (RHIDS.isUnderAttack()) - { + for (int i = 0; i < stats.getEpochSize(); i++) { + if ((syscall = SyscallParser.parse(reader)) != null) { + if (RHIDS.isUnderAttack()) { isAnomalousEpoch = true; } final BoSC bosc = window.slide(syscall).getBoSC(); currentEpochChange.add(bosc); - if (!db.containsKey(bosc)) - { + if (!db.containsKey(bosc)) { nMismatches++; Logger.signal(syscall + " => " + window + " => " + bosc + " => mismatch", Verbosity.HIGH); - } - else - { + } else { Logger.log(syscall + " => " + window + " => " + bosc + " => match", Verbosity.HIGH); } - } - else - { + } else { // Incomplete epoch .. ignore (for now) return; } } Logger.log("Epoch " + stats.getTotalEpochs() + ": " + nMismatches + " mismatches", Verbosity.MEDIUM); - if (isAnomalousEpoch) - { + if (isAnomalousEpoch) { Logger.signal("ANOMALOUS EPOCH", Verbosity.MEDIUM); } - if ((float) nMismatches / stats.getEpochSize() > stats.getTestThreshold() / 100.0f) - { + if ((float) nMismatches / stats.getEpochSize() > stats.getTestThreshold() / 100.0f) { Logger.signal("Anomaly signal raised", Verbosity.MEDIUM); stats.incrementAlarms(isAnomalousEpoch); - } - else if (nMismatches > 0) - { + } else if (nMismatches > 0) { db.commit(currentEpochChange); Logger.emphasize("Current Database size: " + db.size(), Verbosity.MEDIUM); } @@ -172,16 +140,16 @@ else if (nMismatches > 0) /** * Test classifier in epochs - * + * * @param reader * @param epochSize * @param testThreshold * @return test results * @throws IOException + * @deprecated */ @Deprecated - public TestResult test(BufferedReader reader, double testThreshold, int epochSize) throws IOException - { + public TestResult test(BufferedReader reader, double testThreshold, int epochSize) throws IOException { final Window window = new Window(); String syscall; @@ -193,26 +161,22 @@ public TestResult test(BufferedReader reader, double testThreshold, int epochSiz double nAnomalySignals = 0; double nMismatches = 0; - while ((syscall = SyscallParser.parse(reader)) != null) - { + while ((syscall = SyscallParser.parse(reader)) != null) { final BoSC bosc = window.slide(syscall).getBoSC(); - if (!db.containsKey(bosc)) - { + if (!db.containsKey(bosc)) { nMismatches++; } nSyscalls++; - if (nSyscalls >= epochSize) - { + if (nSyscalls >= epochSize) { Logger.log("\nTotal mismatches for epoch " + nEpochs + " is " + nMismatches, Verbosity.MEDIUM); nEpochs++; // Reached end of epoch mismatchCounts.add(nMismatches); - if (nMismatches > testThreshold * epochSize) - { + if (nMismatches > testThreshold * epochSize) { nAnomalySignals++; } nMismatches = 0; @@ -224,33 +188,31 @@ public TestResult test(BufferedReader reader, double testThreshold, int epochSiz /** * Test classifier in sequences - * + * * @param reader * @return percentage of mismatches * @throws IOException + * @deprecated */ @Deprecated - public double test(BufferedReader reader) throws IOException - { + public double test(BufferedReader reader) throws IOException { final Window window = new Window(); double mismatchCount = 0; int totalSequences = 0; String syscall; - while ((syscall = SyscallParser.parse(reader)) != null) - { + while ((syscall = SyscallParser.parse(reader)) != null) { totalSequences++; - if (!db.containsKey(window.slide(syscall).getBoSC())) - { + if (!db.containsKey(window.slide(syscall).getBoSC())) { mismatchCount++; } } - Logger.log("Total number of seqences: " + totalSequences, Verbosity.MEDIUM); + Logger.log("Total number of sequences: " + totalSequences, Verbosity.MEDIUM); Logger.log("Number of mismatches: " + mismatchCount, Verbosity.MEDIUM); - return 100 * mismatchCount / totalSequences; + return totalSequences > 0 ? 100 * mismatchCount / totalSequences : 0; } } diff --git a/src/main/java/edu/vt/rhids/main/Parameters.java b/src/main/java/edu/vt/rhids/main/Parameters.java index a796d2e..955978b 100644 --- a/src/main/java/edu/vt/rhids/main/Parameters.java +++ b/src/main/java/edu/vt/rhids/main/Parameters.java @@ -1,37 +1,39 @@ package edu.vt.rhids.main; -public class Parameters -{ - public static final IntegerRange DEFAULT_EPOCH_SIZE = new IntegerRange(2500, 2500, 50000); - public static final FloatRange DEFAULT_TRAIN_THRESHOLD = new FloatRange(0.9f, 0.001f, 1f); - public static final IntegerRange DEFAULT_TEST_THRESHOLD = new IntegerRange(5, 5, 200); - - public String inputFile, databaseFile; - public IntegerRange epochSize = DEFAULT_EPOCH_SIZE; - public FloatRange trainThreshold = DEFAULT_TRAIN_THRESHOLD; - public IntegerRange testThreshold = DEFAULT_TEST_THRESHOLD; - - public void setNormalFilePath(String normalFilePath) +import edu.vt.rhids.util.Logger; + +class Parameters { + static final IntegerRange DEFAULT_EPOCH_SIZE = new IntegerRange(2500, 2500, 50000); + static final FloatRange DEFAULT_TRAIN_THRESHOLD = new FloatRange(0.9f, 0.001f, 1f); + static final IntegerRange DEFAULT_TEST_THRESHOLD = new IntegerRange(5, 5, 200); + private static final String PARSE_FAILED = "Parsing failed: invalid range"; + String inputFile; + String databaseFile; + IntegerRange epochSize = DEFAULT_EPOCH_SIZE; + FloatRange trainThreshold = DEFAULT_TRAIN_THRESHOLD; + IntegerRange testThreshold = DEFAULT_TEST_THRESHOLD; + + void setNormalFilePath(String normalFilePath) { this.inputFile = normalFilePath; } - public void setDatabaseFilePath(String databaseFile) + void setDatabaseFilePath(String databaseFile) { this.databaseFile = databaseFile; } - public void setEpochSize(String range) + void setEpochSize(String range) { this.epochSize.set(range); } - public void setTrainThreshold(String range) + void setTrainThreshold(String range) { this.trainThreshold.set(range); } - public void setTestThreshold(String range) + void setTestThreshold(String range) { this.testThreshold.set(range); } @@ -39,7 +41,7 @@ public void setTestThreshold(String range) @Override public String toString() { - String output = new String(); + String output = ""; output += "\nInput file: " + inputFile; output += "\nEpoch-size range: " + epochSize; output += "\nTraining-threshold range: " + trainThreshold; @@ -49,7 +51,9 @@ public String toString() public static class IntegerRange { - public int min, step, max; + int min; + int step; + int max; private IntegerRange(int min, int step, int max) { @@ -58,7 +62,7 @@ private IntegerRange(int min, int step, int max) this.max = max; } - public void set(String range) + private void set(String range) { if (range == null) { @@ -79,7 +83,7 @@ public void set(String range) max = Integer.parseInt(values[2]); break; default: - System.out.println("Parsing failed: invalid range"); + Logger.log(PARSE_FAILED, Logger.Verbosity.NONE); break; } } @@ -93,7 +97,9 @@ public String toString() public static class FloatRange { - public float min, step, max; + float min; + float step; + float max; private FloatRange(float min, float step, float max) { @@ -102,7 +108,7 @@ private FloatRange(float min, float step, float max) this.max = max; } - public void set(String range) + private void set(String range) { if (range == null) { @@ -123,7 +129,7 @@ public void set(String range) max = Float.parseFloat(values[2]); break; default: - System.out.println("Parsing failed: invalid range"); + Logger.log(PARSE_FAILED, Logger.Verbosity.NONE); break; } } @@ -134,55 +140,4 @@ public String toString() return "[" + min + ((max == min) ? "" : ":" + step + ":" + max) + "]"; } } - - public static class Range - { - public T min, step, max; - - private Range(T min, T step, T max) - { - this.min = min; - this.step = step; - this.max = max; - } - - public void set(String range) - { - if (range == null) - { - return; - } - String[] values = range.split(":"); - min = parse(values[0]); - switch (values.length) - { - case 1: - max = min; - break; - case 2: - max = parse(values[1]); - break; - case 3: - step = parse(values[1]); - max = parse(values[2]); - break; - default: - System.out.println("Parsing failed: invalid range"); - break; - } - } - - private T parse(String value) - { - // TODO (AmrAbed): Implement this - return null; - } - - @Override - public String toString() - { - return "[" + min + ((max == min) ? "" : ":" + step + ":" + max) + "]"; - } - } - } \ No newline at end of file diff --git a/src/main/java/edu/vt/rhids/main/RHIDS.java b/src/main/java/edu/vt/rhids/main/RHIDS.java index e2dbd59..3c3f94c 100644 --- a/src/main/java/edu/vt/rhids/main/RHIDS.java +++ b/src/main/java/edu/vt/rhids/main/RHIDS.java @@ -1,59 +1,46 @@ package edu.vt.rhids.main; -import java.io.BufferedReader; -import java.io.FileNotFoundException; -import java.io.FileReader; -import java.io.IOException; -import java.util.ArrayList; - -import org.apache.commons.cli.BasicParser; -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Option; -import org.apache.commons.cli.OptionGroup; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; - import edu.vt.rhids.common.IndexMap; import edu.vt.rhids.output.Statistics; import edu.vt.rhids.output.Summary; import edu.vt.rhids.util.Logger; import edu.vt.rhids.util.Logger.Verbosity; +import org.apache.commons.cli.*; + +import java.io.BufferedReader; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.IOException; +import java.util.ArrayList; /** * Resilient Host-based Intrusion Detection System - * - * @author AmrAbed * + * @author AmrAbed */ -public class RHIDS -{ - public static IndexMap indexMap; +public class RHIDS { + private static final String OUTPUT_FILE = "output-file"; + private static final String DB_FILE = "database-file"; + private static final String VERBOSE = "verbose"; private static boolean isUnderAttack; private static boolean isDoneTraining; - public static void main(String[] args) - { + public static void main(String[] args) { Logger.log(run(parseArguments(args)), Verbosity.NONE); } - public static ArrayList run(Parameters p) - { + private static ArrayList run(Parameters p) { Logger.log(p, Verbosity.NONE); final Summary summary = new Summary(); - try - { - indexMap = new IndexMap(new BufferedReader(new FileReader("syscalls"))); + try { + IndexMap indexMap = new IndexMap(new BufferedReader(new FileReader("syscalls"))); Logger.log(indexMap, Verbosity.ALL); Logger.emphasize("Number of distinct system calls: " + indexMap.size(), Verbosity.LOW); - for (int epochSize = p.epochSize.min; epochSize <= p.epochSize.max; epochSize += p.epochSize.step) - { - for (float trainThreshold = p.trainThreshold.min; trainThreshold <= p.trainThreshold.max; trainThreshold += p.trainThreshold.step) - { - for (int testThreshold = p.testThreshold.min; testThreshold <= p.testThreshold.max; testThreshold += p.testThreshold.step) - { + for (int epochSize = p.epochSize.min; epochSize <= p.epochSize.max; epochSize += p.epochSize.step) { + for (float trainThreshold = p.trainThreshold.min; trainThreshold <= p.trainThreshold.max; trainThreshold += p.trainThreshold.step) { + for (int testThreshold = p.testThreshold.min; testThreshold <= p.testThreshold.max; testThreshold += p.testThreshold.step) { isDoneTraining = false; isUnderAttack = false; @@ -63,76 +50,64 @@ public static ArrayList run(Parameters p) Logger.log("Test threshold: " + testThreshold, Verbosity.LOW); Logger.log("#######################################################", Verbosity.LOW); - final BufferedReader reader = new BufferedReader(new FileReader(p.inputFile)); - final Statistics stats = new Statistics(epochSize, trainThreshold, testThreshold); - final Classifier classifier = new Classifier(reader, stats, p.databaseFile); + try (BufferedReader reader = new BufferedReader(new FileReader(p.inputFile))) { + final Statistics stats = new Statistics(epochSize, trainThreshold, testThreshold); + final Classifier classifier = new Classifier(reader, stats, p.databaseFile); - if (classifier.trainUnconditionally()) - { - classifier.test(); - stats.print(); - summary.add(stats); + if (classifier.trainUnconditionally()) { + classifier.test(); + stats.print(); + summary.add(stats); + } + Logger.log(summary, Verbosity.LOW); } - Logger.log(summary, Verbosity.LOW); - ; } } } - } - catch (IOException e) - { - System.err.println(e); + } catch (IOException e) { + Logger.log(e.getMessage(), Verbosity.NONE); System.exit(-2); } return summary; } - private static Parameters parseArguments(String[] args) - { + private static Parameters parseArguments(String[] args) { final Parameters parameters = new Parameters(); final Options options = createOptions(); - try - { + try { CommandLine command = new BasicParser().parse(options, args); - if (command.hasOption("help")) - { + if (command.hasOption("help")) { new HelpFormatter().printHelp("RHIDS", options); System.exit(0); } - if (command.hasOption("verbose")) - { - Logger.setLevel(Integer.parseInt(command.getOptionValue("verbose"))); + if (command.hasOption(VERBOSE)) { + Logger.setLevel(Integer.parseInt(command.getOptionValue(VERBOSE))); } - if (command.hasOption("output-file")) - { - Logger.setHandler(command.getOptionValue("output-file")); + if (command.hasOption(OUTPUT_FILE)) { + Logger.setHandler(command.getOptionValue(OUTPUT_FILE)); } - if (command.hasOption("database-file")) - { - parameters.setDatabaseFilePath(command.getOptionValue("database-file")); + if (command.hasOption(DB_FILE)) { + parameters.setDatabaseFilePath(command.getOptionValue(DB_FILE)); } parameters.setNormalFilePath(command.getOptionValue("input-file")); parameters.setEpochSize(command.getOptionValue("epoch-size")); parameters.setTrainThreshold(command.getOptionValue("train-threshold")); parameters.setTestThreshold(command.getOptionValue("detection-threshold")); - } - catch (ParseException | FileNotFoundException e) - { - System.err.println("Parsing failed: " + e.getMessage()); + } catch (ParseException | FileNotFoundException e) { + Logger.log("Parsing failed: " + e.getMessage(), Verbosity.NONE); System.exit(-1); } return parameters; } - private static Options createOptions() - { + private static Options createOptions() { final Options options = new Options(); @@ -143,36 +118,32 @@ private static Options createOptions() options.addOptionGroup(group); - options.addOption("b", "database-file", true, "File to read database from"); + options.addOption("b", DB_FILE, true, "File to read database from"); options.addOption("e", "epoch-size", true, "Range for epoch size (default " + Parameters.DEFAULT_EPOCH_SIZE + ")"); options.addOption("t", "train-threshold", true, "Range for training threshold (default " + Parameters.DEFAULT_TRAIN_THRESHOLD + ")"); options.addOption("d", "detection-threshold", true, "Range for detection threshold (default " + Parameters.DEFAULT_TEST_THRESHOLD + ")"); - options.addOption("v", "verbose", true, "Verbose level (default 0)"); - options.addOption("o", "output-file", true, "Output file path"); + options.addOption("v", VERBOSE, true, "Verbose level (default 0)"); + options.addOption("o", OUTPUT_FILE, true, "Output file path"); return options; } - public static boolean isUnderAttack() - { + static boolean isUnderAttack() { return isUnderAttack; } - public static void setUnderAttack(boolean isUnderAttack) - { + public static void setUnderAttack(boolean isUnderAttack) { RHIDS.isUnderAttack = isUnderAttack; } - public static boolean isDoneTraining() - { + static boolean isDoneTraining() { return isDoneTraining; } - public static void setDoneTraining(boolean doneTraining) - { + public static void setDoneTraining(boolean doneTraining) { RHIDS.isDoneTraining = doneTraining; } } diff --git a/src/main/java/edu/vt/rhids/output/Statistics.java b/src/main/java/edu/vt/rhids/output/Statistics.java index ecad570..e16712b 100644 --- a/src/main/java/edu/vt/rhids/output/Statistics.java +++ b/src/main/java/edu/vt/rhids/output/Statistics.java @@ -1,149 +1,125 @@ package edu.vt.rhids.output; +import edu.vt.rhids.util.Logger; + import java.util.ArrayList; /** * Statistics collected from running the test for certain epoch size, training * threshold, and testing threshold - * - * @author AmrAbed * + * @author AmrAbed */ -public class Statistics -{ - private final int epochSize, testThreshold; +public class Statistics { + private final int epochSize; + private final int testThreshold; private final float trainThreshold; private final ArrayList normalMismatchCounts = new ArrayList<>(); private final ArrayList anomalousMismatchCounts = new ArrayList<>(); - private int trainingEpochs, normalEpochs, anomalousEpochs; - private int falseAlarms, trueAlarms; + private int trainingEpochs; + private int normalEpochs; + private int anomalousEpochs; + private int falseAlarms; + private int trueAlarms; - public Statistics(int epochSize, float trainThreshold, int testThreshold) - { + public Statistics(int epochSize, float trainThreshold, int testThreshold) { this.epochSize = epochSize; this.trainThreshold = trainThreshold; this.testThreshold = testThreshold; } - public void incrementEpochs(boolean isAnomalous) - { - if (isAnomalous) - { + public void incrementEpochs(boolean isAnomalous) { + if (isAnomalous) { anomalousEpochs++; - } - else - { + } else { normalEpochs++; } } - public void incrementAlarms(boolean isAnomalous) - { - if (isAnomalous) - { + public void incrementAlarms(boolean isAnomalous) { + if (isAnomalous) { trueAlarms++; - } - else - { + } else { falseAlarms++; } } - public void addMismatchCount(int nMismatches, boolean isAnomalous) - { - if (isAnomalous) - { + public void addMismatchCount(int nMismatches, boolean isAnomalous) { + if (isAnomalous) { anomalousMismatchCounts.add(nMismatches); - } - else - { + } else { normalMismatchCounts.add(nMismatches); } } - public int getTestThreshold() - { + public int getTestThreshold() { return testThreshold; } - public int getEpochSize() - { + public int getEpochSize() { return epochSize; } - public float getTrainThreshold() - { + public float getTrainThreshold() { return trainThreshold; } - public double getFalsePositiveRate() - { + private double getFalsePositiveRate() { return 100 * (double) falseAlarms / normalEpochs; } - public double getTruePositiveRate() - { + private double getTruePositiveRate() { return 100 * (double) trueAlarms / anomalousEpochs; } - public String toString() - { - String output = new String(); - output += epochSize + ","; - output += trainThreshold + ","; - output += testThreshold + ","; - output += trainingEpochs + ","; - output += normalEpochs + ","; - output += anomalousEpochs + ","; - output += getAverage(normalMismatchCounts) + ","; - output += getAverage(anomalousMismatchCounts) + ","; - output += getFalsePositiveRate() + ","; - output += getTruePositiveRate(); - return output; + public String toString() { + return String.valueOf(epochSize) + ',' + + trainThreshold + ',' + + testThreshold + ',' + + trainingEpochs + ',' + + normalEpochs + ',' + + anomalousEpochs + ',' + + getAverage(normalMismatchCounts) + ',' + + getAverage(anomalousMismatchCounts) + ',' + + getFalsePositiveRate() + ',' + + getTruePositiveRate(); } - private double getAverage(ArrayList array) - { + private double getAverage(ArrayList array) { double avg = 0; - for (int entry : array) - { + for (int entry : array) { avg += entry; } return avg / array.size(); } - public void print() - { - System.out.println("\nEpoch Size = " + epochSize); - System.out.println("Training Threshold = " + trainThreshold); - System.out.println("Test Threshold = " + testThreshold); - System.out.println("Number of training epochs = " + trainingEpochs); - System.out.println("Number of normal epochs = " + normalEpochs); - System.out.println("Average number of mismatches for normal epochs = " + getAverage(normalMismatchCounts)); - System.out.println("Number of false alarms = " + falseAlarms); - System.out.println("False Positive Rate = " + getFalsePositiveRate() + "%"); - System.out.println("Number of anomalous epochs = " + anomalousEpochs); - System.out - .println("Average number of mismatches for anomalous epochs = " + getAverage(anomalousMismatchCounts)); - System.out.println("Number of true alarms = " + trueAlarms); - System.out.println("True Positive Rate = " + getTruePositiveRate() + "%"); + public void print() { + Logger.log("\nEpoch Size = " + epochSize, Logger.Verbosity.LOW); + Logger.log("Training Threshold = " + trainThreshold, Logger.Verbosity.LOW); + Logger.log("Test Threshold = " + testThreshold, Logger.Verbosity.LOW); + Logger.log("Number of training epochs = " + trainingEpochs, Logger.Verbosity.LOW); + Logger.log("Number of normal epochs = " + normalEpochs, Logger.Verbosity.LOW); + Logger.log("Average number of mismatches for normal epochs = " + getAverage(normalMismatchCounts), Logger.Verbosity.LOW); + Logger.log("Number of false alarms = " + falseAlarms, Logger.Verbosity.LOW); + Logger.log("False Positive Rate = " + getFalsePositiveRate() + "%", Logger.Verbosity.LOW); + Logger.log("Number of anomalous epochs = " + anomalousEpochs, Logger.Verbosity.LOW); + Logger.log("Average number of mismatches for anomalous epochs = " + getAverage(anomalousMismatchCounts), Logger.Verbosity.LOW); + Logger.log("Number of true alarms = " + trueAlarms, Logger.Verbosity.LOW); + Logger.log("True Positive Rate = " + getTruePositiveRate() + "%", Logger.Verbosity.LOW); } - public int getTrainingEpochs() - { + public int getTrainingEpochs() { return trainingEpochs; } - public int getTotalEpochs() - { + public int getTotalEpochs() { return trainingEpochs + anomalousEpochs + normalEpochs; } - public void incrementTrainingEpochs() - { - trainingEpochs ++; + public void incrementTrainingEpochs() { + trainingEpochs++; } } diff --git a/src/main/java/edu/vt/rhids/output/Summary.java b/src/main/java/edu/vt/rhids/output/Summary.java index dc8c2e9..f18baee 100644 --- a/src/main/java/edu/vt/rhids/output/Summary.java +++ b/src/main/java/edu/vt/rhids/output/Summary.java @@ -12,17 +12,18 @@ public class Summary extends ArrayList { private static final long serialVersionUID = 1L; - public String toString() - { - // Returns MATLAB cell-array definition statement - // (for data analysis and plotting) - String output = "{"; - for (Statistics result : this) - { - output += result + ";"; + /** + * @return MATLAB cell-array definition statement (for data analysis and plotting) + */ + @Override + public String toString() { + final StringBuilder output = new StringBuilder("{"); + for (Statistics result : this) { + output.append(result); + output.append(';'); } - output += "};"; - return output; + output.append("};"); + return output.toString(); } } diff --git a/src/main/java/edu/vt/rhids/output/TestResult.java b/src/main/java/edu/vt/rhids/output/TestResult.java index edd46ef..4be5976 100644 --- a/src/main/java/edu/vt/rhids/output/TestResult.java +++ b/src/main/java/edu/vt/rhids/output/TestResult.java @@ -1,37 +1,30 @@ package edu.vt.rhids.output; +import java.util.List; -import java.util.ArrayList; +public class TestResult { + private final int nEpochs; + private final double nAnomalySignals; + private final List mismatchCounts; -public class TestResult -{ - public final int nEpochs; - public final double nAnomalySignals; - public final ArrayList mismatchCounts; - - public TestResult(int nEpochs, double nAnomalySignals, ArrayList mismatchCounts) - { + public TestResult(int nEpochs, double nAnomalySignals, List mismatchCounts) { this.nEpochs = nEpochs; this.nAnomalySignals = nAnomalySignals; this.mismatchCounts = mismatchCounts; } - public double getAvgMismatches() - { + private double getAvgMismatches() { double avgMismatchCount = 0; - for (double mismatchCount : mismatchCounts) - { + for (double mismatchCount : mismatchCounts) { avgMismatchCount += mismatchCount; } return avgMismatchCount / mismatchCounts.size(); } - public String toString() - { - String output = new String(); - output += "\nTotal Number of epochs: " + nEpochs; - output += "\nNumber of anomaly signals: " + nAnomalySignals; - output += "\nAverage number of mismatches per epoch: " + getAvgMismatches(); - return output; + @Override + public String toString() { + return "\nTotal Number of epochs: " + nEpochs + + "\nNumber of anomaly signals: " + nAnomalySignals + + "\nAverage number of mismatches per epoch: " + getAvgMismatches(); } -} +} \ No newline at end of file diff --git a/src/main/java/edu/vt/rhids/util/Logger.java b/src/main/java/edu/vt/rhids/util/Logger.java index ab45039..5a13335 100644 --- a/src/main/java/edu/vt/rhids/util/Logger.java +++ b/src/main/java/edu/vt/rhids/util/Logger.java @@ -4,63 +4,52 @@ import java.io.FileNotFoundException; import java.io.PrintStream; -public class Logger -{ +public class Logger { private static Verbosity level = Verbosity.NONE; - public static void log(Object object, Verbosity level) - { - if (level.compareTo(Logger.level) <= 0) - { + public static void log(Object object, Verbosity level) { + if (level.compareTo(Logger.level) <= 0) { System.out.println(object); } } - public static void emphasize(Object object, Verbosity level) - { - if (level.compareTo(Logger.level) <= 0) - { + public static void emphasize(Object object, Verbosity level) { + if (level.compareTo(Logger.level) <= 0) { System.out.println("\033[1m" + object + "\033[0m"); } } - public static void signal(Object object, Verbosity level) - { - if (level.compareTo(Logger.level) <= 0) - { + public static void signal(Object object, Verbosity level) { + if (level.compareTo(Logger.level) <= 0) { System.out.println("\u001B[31m" + object + "\u001B[0m"); } } - public static void setLevel(int level) - { - switch (level) - { - case 1: - Logger.level = Verbosity.LOW; - break; - case 2: - Logger.level = Verbosity.MEDIUM; - break; - case 3: - Logger.level = Verbosity.HIGH; - break; - case 4: - Logger.level = Verbosity.ALL; - break; - default: - Logger.level = Verbosity.NONE; - break; + public static void setLevel(int level) { + switch (level) { + case 1: + Logger.level = Verbosity.LOW; + break; + case 2: + Logger.level = Verbosity.MEDIUM; + break; + case 3: + Logger.level = Verbosity.HIGH; + break; + case 4: + Logger.level = Verbosity.ALL; + break; + default: + Logger.level = Verbosity.NONE; + break; } } - public static void setHandler(String filename) throws FileNotFoundException - { + public static void setHandler(String filename) throws FileNotFoundException { System.setOut(new PrintStream(new File(filename))); } - public enum Verbosity - { - NONE, LOW, MEDIUM, HIGH, ALL; + public enum Verbosity { + NONE, LOW, MEDIUM, HIGH, ALL } }