6 changes: 4 additions & 2 deletions owlyshield_predict/Cargo.toml
Expand Up @@ -13,12 +13,13 @@ registry = "1.2.0"
strum = "0.24.1"
strum_macros = "0.24.2"
byteorder = "1.4.3"
chrono = "0.4.19"
chrono = { version = "0.4.19", features = ["serde"] }
num = "0.4.0"
num-derive = "0.3.3"
num-traits = "0.2.15"
serde_json = "1.0.82"
serde = { version = "1.0.140", features = ["derive"] }
serde_json = "1.0.82"
serde_yaml = "0.9.17"
log = "0.4.17"
rmp-serde = "1.1.0"
hostname = "0.3.1"
Expand Down Expand Up @@ -67,3 +68,4 @@ record = []
replay = []
jsonrpc = []
mqtt = []
novelty = []
2 changes: 2 additions & 0 deletions owlyshield_predict/slc-paths/Cargo.toml
Expand Up @@ -7,6 +7,8 @@ edition = "2021"

[dependencies]
kodama = { git = "https://github.com/SubconsciousCompute/kodama" } # uses a nightly feature
serde = { version = "1.0.140", features = ["derive"] }
serde_json = "1.0.82"

[dev-dependencies]
criterion = "0.4.0"
9 changes: 5 additions & 4 deletions owlyshield_predict/slc-paths/src/lib.rs
Expand Up @@ -107,12 +107,13 @@ pub mod clustering {
use std::io::BufRead;
use std::io::BufReader;
use std::path::Path;
use serde::{Serialize, Deserialize};

#[derive(Debug)]
#[derive(Serialize, Deserialize, Debug)]
pub struct Cluster {
root: String,
size: usize,
step: usize,
pub root: String,
pub size: usize,
pub step: usize,
}

pub type Clusters = Vec<Cluster>;
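Review bot: Making `root`, `size` and `step` public (lines 87–89) lets any crate construct or mutate a `Cluster` directly, so any relationship the clustering code maintains between `size` and `step` (if there is one) can no longer be enforced by this module, and deriving `Deserialize` has the same effect for data read back from disk. If the novelty handler only needs to read the fields, accessors keep the type closed: `pub fn root(&self) -> &str { &self.root }`, `pub fn size(&self) -> usize { self.size }`, `pub fn step(&self) -> usize { self.step }`. If external construction is intended, a doc comment on the struct stating what each field means and which values are valid would let callers avoid producing invalid clusters. The `clustering` module and any `impl Cluster` continue outside the hunk.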
12 changes: 10 additions & 2 deletions owlyshield_predict/src/config.rs
Expand Up @@ -3,8 +3,7 @@ use std::ops::Index;
use std::path::{Path, PathBuf};
use configparser::ini::Ini;
#[cfg(target_os = "windows")]
use registry::*;
use strum::IntoEnumIterator;
use registry::{Hive, Security};
use strum_macros::EnumIter;

use crate::extensions::ExtensionList;
Expand All @@ -21,6 +20,7 @@ pub enum Param {
Language,
Telemetry,
MqttServer,
NoveltyPath,
Unknown,
}

Expand All @@ -45,6 +45,7 @@ impl Param {
Param::Language => "LANGUAGE", // Language used at installation
Param::Telemetry => "TELEMETRY", // 1 if telemetry is active, 0 if not
Param::MqttServer => "MQTT_SERVER",
Param::NoveltyPath => "NOVELTY_PATH",
_ => "UNKNOWN"
}
}
Expand All @@ -62,6 +63,7 @@ impl Param {
Param::Language => "language", // Language used at installation
Param::Telemetry => "telemetry", // 1 if telemetry is active, 0 if not
Param::MqttServer => "mqtt_server",
Param::NoveltyPath => "novelty_path",
_ => "unknown"
}
}
Expand All @@ -87,6 +89,10 @@ impl Param {
params.push(Param::MqttServer);
}

if cfg!(feature = "novelty") {
params.push(Param::NoveltyPath);
}

let mut ret = Vec::new();
for param in params {
let val = Self::convert_to_str(&param).to_string();
Expand All @@ -108,6 +114,7 @@ impl Param {
"LANGUAGE" => Param::Language, // Language used at installation
"TELEMETRY" => Param::Telemetry, // 1 if telemetry is active, 0 if not
"MQTT_SERVER" => Param::MqttServer,
"NOVELTY_PATH" => Param::NoveltyPath,
_ => Param::Unknown,
}
}
Expand All @@ -125,6 +132,7 @@ impl Param {
"language" => Param::Language, // Language used at installation
"telemetry" => Param::Telemetry, // 1 if telemetry is active, 0 if not
"mqtt_server" => Param::MqttServer,
"novelty_path" => Param::NoveltyPath,
_ => Param::Unknown,
}
}
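Review bot: `Param::NoveltyPath` (lines 110, 118, 126, 145, 153) is the only variant in these match arms without a trailing comment saying what the value is, while its neighbours document theirs; from run.rs it is a directory joined with `to_analyze.yml`, so `Param::NoveltyPath => "NOVELTY_PATH", // Directory containing to_analyze.yml (novelty feature only)` on line 118 and the same wording on line 126 would tell the next reader. The parameter is only registered when the `novelty` feature is on (lines 134–136) yet the variant and both string mappings exist unconditionally, so indexing a `Config` by `Param::NoveltyPath` on a build without the feature depends on how the `Index` impl handles an absent key, which is outside this hunk and worth stating in the comment. The `impl Param` block continues outside the hunk.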
23 changes: 18 additions & 5 deletions owlyshield_predict/src/linux/run.rs
Expand Up @@ -22,15 +22,15 @@ use crate::IOMessage;
use crate::Connectors;
use crate::ExepathLive;
use crate::ProcessRecordHandlerLive;
use crate::ProcessRecordHandlerNovelty;
use crate::IOMsgPostProcessorWriter;
use crate::IOMsgPostProcessorRPC;
use crate::IOMsgPostProcessorMqtt;
use crate::LDriverMsg;
use std::thread;
use crate::config::Param;
use crate::driver_com::Buf;


use crate::watchlist::WatchList;

fn probe_code() -> &'static [u8] {
include_bytes!(
Expand Down Expand Up @@ -59,13 +59,13 @@ pub async fn run() {
println!("Replay Driver Messages");
let config = config::Config::new();
let whitelist = whitelist::WhiteList::from(
&Path::new(&config[config::Param::ConfigPath]).join(Path::new("exclusions.txt")),
&Path::new(&config[Param::ConfigPath]).join(Path::new("exclusions.txt")),
)
.unwrap();
let mut worker = Worker::new_replay(&config, &whitelist);

let filename =
&Path::new(&config[config::Param::ProcessActivityLogPath]).join(Path::new("drivermessages.txt"));
&Path::new(&config[Param::ProcessActivityLogPath]).join(Path::new("drivermessages.txt"));
let mut file = File::open(Path::new(filename)).unwrap();
let file_len = file.metadata().unwrap().len() as usize;

Expand Down Expand Up @@ -132,12 +132,18 @@ pub async fn run() {
//NEW
thread::spawn(move || {
let whitelist = whitelist::WhiteList::from(
&Path::new(&config[config::Param::ConfigPath])
&Path::new(&config[Param::ConfigPath])
.join(Path::new("exclusions.txt")),
)
.expect("Cannot open exclusions.txt");
whitelist.refresh_periodically();

let watchlist = WatchList::from(
&Path::new(&config[Param::NoveltyPath])
.join(Path::new("to_analyze.yml")),
).expect("Cannot open to_analyze.yml");
watchlist.refresh_periodically();

let mut worker = Worker::new();

worker = worker.exepath_handler(Box::new(ExepathLive::default()));
Expand All @@ -150,6 +156,13 @@ pub async fn run() {
)));
}

if cfg!(feature = "novelty") {
worker = worker
.process_record_handler(Box::new(ProcessRecordHandlerNovelty::new(
&config, watchlist,
)));
}

if cfg!(feature = "record") {
worker = worker.register_iomsg_postprocessor(Box::new(
IOMsgPostProcessorWriter::from(&config),
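Review bot: The watch list is built unconditionally on lines 205–209 but only consumed inside the `cfg!(feature = "novelty")` block on lines 218–223, so a build without the feature still indexes `config[Param::NoveltyPath]` (a parameter that config.rs registers only when the feature is on) and still requires `to_analyze.yml` to exist. Because this runs inside `thread::spawn`, the `expect` on line 208 panics only that thread; depending on how the spawning code treats the join handle (not visible here) the service may keep running with its detection worker gone. Moving the construction into the feature block, after `let mut worker = Worker::new();`, confines both the config lookup and the file requirement to builds that use them. `run` starts and ends outside the hunk.
```rust
            let mut worker = Worker::new();

            // … unchanged: exepath handler, mqtt block …

            if cfg!(feature = "novelty") {
                // Only read the novelty config when the handler that consumes it is installed.
                let watchlist = WatchList::from(
                    &Path::new(&config[Param::NoveltyPath]).join(Path::new("to_analyze.yml")),
                )
                .expect("Cannot open to_analyze.yml");
                watchlist.refresh_periodically();
                worker = worker.process_record_handler(Box::new(ProcessRecordHandlerNovelty::new(
                    &config, watchlist,
                )));
            }
```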
9 changes: 8 additions & 1 deletion owlyshield_predict/src/logging.rs
Expand Up @@ -14,6 +14,7 @@ enum Status {
Alert, // Program detected a malware
Warning, // Warning in program execution
Error, // Error in program execution
Novelty, // Notice a novelty
}

impl Status {
Expand All @@ -24,6 +25,7 @@ impl Status {
Status::Alert => "ALERT",
Status::Warning => "WARNING",
Status::Error => "ERROR",
Status::Novelty => "NOVELTY",
}
}
}
Expand Down Expand Up @@ -69,12 +71,17 @@ impl Logging {
Logging::log(Status::Error, message);
}

/// Notice a novelty
pub fn novelty(message: &str) {
Logging::log(Status::Novelty, message);
}

#[cfg(target_os = "windows")]
fn log(status: Status, message: &str) {
Self::log_in_file(status, message, ConfigReader::read_param_from_registry("LOG_PATH", r"SOFTWARE\Owlyshield").as_str());

match status.clone() {
Status::Alert | Status::Warning => { warn!("{}: {}", status.to_str(), message); },
Status::Alert | Status::Warning | Status::Novelty => { warn!("{}: {}", status.to_str(), message); },
Status::Error => error!("{}: {}", status.to_str(), message),
_ => {
if message.is_empty() {
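Review bot: The doc comment on `novelty` (line 251) and the variant comment (line 235) both say only "Notice a novelty", which does not tell an operator reading the log what a `NOVELTY` line means or how it differs from `ALERT`; something like `/// Logs a NOVELTY entry: behaviour the novelty detector has not seen before, reported for review rather than as a confirmed detection.` would. Line 262 routes `Novelty` to `warn!` together with `Alert` and `Warning`, so any log-based alerting keyed on warning level will now fire for novelties too; if that is intended it deserves a comment on the arm, otherwise `info!` keeps the two signals apart. This `log` is the `target_os = "windows"` variant; if a non-Windows `log` exists elsewhere in the file it will take the catch-all arm for `Novelty` unless updated too.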
4 changes: 3 additions & 1 deletion owlyshield_predict/src/main.rs
Expand Up @@ -40,7 +40,7 @@ use crate::driver_com::CDriverMsgs;
use crate::driver_com::LDriverMsg;
use crate::shared_def::IOMessage;
use crate::logging::Logging;
use crate::worker::process_record_handling::{ExepathLive, ProcessRecordHandlerLive};
use crate::worker::process_record_handling::{ExepathLive, ProcessRecordHandlerLive, ProcessRecordHandlerNovelty};
use crate::worker::worker_instance::{IOMsgPostProcessorMqtt, IOMsgPostProcessorRPC, IOMsgPostProcessorWriter, Worker};

mod actions_on_kill;
Expand Down Expand Up @@ -72,8 +72,10 @@ mod run;
mod run;
mod shared_def;
mod utils;
mod watchlist;
mod whitelist;
mod worker;
mod novelty;

#[cfg(feature = "service")]
const SERVICE_NAME: &str = "Owlyshield Service";
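Review bot: `mod novelty;` on line 285 is appended after `mod worker;`, breaking the alphabetical order the rest of the visible `mod` list keeps (`run`, `shared_def`, `utils`, `watchlist`, `whitelist`, `worker`), while the new `mod watchlist;` on line 282 was slotted correctly; moving it ahead of `mod run;` (the preceding part of the list is outside the hunk) keeps the list consistent. The `use` on line 274 also exceeds the 100-column width rustfmt wraps at, so a `cargo fmt` run would reflow it.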