michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(Production): Complete production deployment infrastructure

Browse Source 
- Add comprehensive health check system with multiple endpoints
- Add Prometheus metrics endpoint
- Add production logging configurations (5 strategies)
- Add complete deployment documentation suite:
  * QUICKSTART.md - 30-minute deployment guide
  * DEPLOYMENT_CHECKLIST.md - Printable verification checklist
  * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle
  * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference
  * production-logging.md - Logging configuration guide
  * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation
  * README.md - Navigation hub
  * DEPLOYMENT_SUMMARY.md - Executive summary
- Add deployment scripts and automation
- Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment
- Update README with production-ready features

All production infrastructure is now complete and ready for deployment.
This commit is contained in:
Michael Schiemer
2025-10-25 19:18:37 +02:00
parent caa85db796
commit fc3d7e6357
83016 changed files with 378904 additions and 20919 deletions
Download Patch File Download Diff File Expand all files Collapse all files

378
examples/ml-waf-behavioral-analysis-usage.php Normal file
View File

@@ -0,0 +1,378 @@
<?php
declare(strict_types=1);
/**
* ML-Enhanced WAF Behavioral Analysis - Usage Example
*
* Demonstrates the complete integration of ML-based behavioral analysis
* into the WAF system for advanced threat detection.
*
* Features Demonstrated:
* - RequestHistoryTracker for sequence storage
* - BehaviorPatternExtractor with 8 features
* - BehaviorAnomalyDetector using Core Score value object
* - MLEnhancedWafLayer integration with WafEngine
* - Advanced threat detection scenarios
*/
require_once __DIR__ . '/../vendor/autoload.php';
use App\Framework\Waf\WafEngine;
use App\Framework\Waf\Layers\MLEnhancedWafLayer;
use App\Framework\Waf\MachineLearning\BehaviorPatternExtractor;
use App\Framework\Waf\MachineLearning\BehaviorAnomalyDetector;
use App\Framework\Waf\MachineLearning\RequestHistoryTracker;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeatures;
use App\Framework\Waf\MachineLearning\ValueObjects\RequestSequence;
use App\Framework\Cache\SmartCache;
use App\Framework\Core\ValueObjects\Score;
use App\Framework\Core\ValueObjects\Duration;
use App\Framework\Http\IpAddress;
use App\Infrastructure\GeoIp\GeoIp;
echo "=== ML-Enhanced WAF Behavioral Analysis Demo ===\n\n";
// ========================================
// 1. Setup Components
// ========================================
echo "1. Initializing ML WAF components...\n";
// Mock cache for demonstration
$cache = new SmartCache(new \App\Framework\Cache\Driver\InMemoryCache());
// Mock GeoIp service
$geoIp = new class {
public function getCountryCode(\App\Framework\Http\IpAddress $ip) {
return new class {
public function toString(): string {
return 'US';
}
};
}
};
// Mock logger
$logger = new class implements \Psr\Log\LoggerInterface {
use \Psr\Log\LoggerTrait;
public function log($level, $message, array $context = []): void {
echo "[{$level}] {$message}\n";
if (!empty($context)) {
echo " Context: " . json_encode($context, JSON_PRETTY_PRINT) . "\n";
}
}
};
// Create components
$historyTracker = new RequestHistoryTracker(
cache: $cache,
maxRequestsPerIp: 50,
timeWindowSeconds: 300
);
$patternExtractor = new BehaviorPatternExtractor(
geoIp: $geoIp,
minConfidence: 0.6
);
$anomalyDetector = new BehaviorAnomalyDetector(
anomalyThreshold: Score::medium(),
zScoreThreshold: 3.0,
iqrMultiplier: 1.5
);
$mlWafLayer = new MLEnhancedWafLayer(
historyTracker: $historyTracker,
patternExtractor: $patternExtractor,
anomalyDetector: $anomalyDetector,
logger: $logger,
confidenceThreshold: Score::medium(),
minHistorySize: 5
);
echo "✓ ML WAF Layer initialized: {$mlWafLayer->getName()} v{$mlWafLayer->getVersion()}\n\n";
// ========================================
// 2. Simulate Normal Traffic Pattern
// ========================================
echo "2. Simulating normal traffic pattern...\n";
$normalIp = new IpAddress('203.0.113.10');
for ($i = 1; $i <= 10; $i++) {
$request = createMockRequest($normalIp, "/page-{$i}", 'GET');
$historyTracker->track($request);
sleep(1); // Normal timing
}
$normalSequence = $historyTracker->getSequence($normalIp);
echo "✓ Tracked {$normalSequence->count()} normal requests\n";
$normalFeatures = $patternExtractor->extract($normalSequence);
echo " Features extracted:\n";
echo " - Request Frequency: " . round($normalFeatures->requestFrequency, 2) . " req/s\n";
echo " - Endpoint Diversity: " . round($normalFeatures->endpointDiversity, 2) . "\n";
echo " - User-Agent Consistency: " . round($normalFeatures->userAgentConsistency, 2) . "\n\n";
$normalAnomalyResult = $anomalyDetector->detect($normalFeatures);
echo " Anomaly Detection: " . ($normalAnomalyResult->isAnomalous ? '❌ ANOMALOUS' : '✓ NORMAL') . "\n";
echo " Score: {$normalAnomalyResult->anomalyScore->toString()}\n";
echo " Indicator: {$normalAnomalyResult->primaryIndicator}\n\n";
// ========================================
// 3. Simulate DDoS Attack Pattern
// ========================================
echo "3. Simulating DDoS attack pattern...\n";
$ddosIp = new IpAddress('198.51.100.42');
// High frequency, same endpoint
for ($i = 1; $i <= 20; $i++) {
$request = createMockRequest($ddosIp, "/api/search", 'GET');
$historyTracker->track($request);
// No sleep - rapid fire
}
$ddosSequence = $historyTracker->getSequence($ddosIp);
echo "✓ Tracked {$ddosSequence->count()} DDoS-like requests\n";
$ddosFeatures = $patternExtractor->extract($ddosSequence);
echo " Features extracted:\n";
echo " - Request Frequency: " . round($ddosFeatures->requestFrequency, 2) . " req/s 🚨\n";
echo " - Endpoint Diversity: " . round($ddosFeatures->endpointDiversity, 2) . " 🚨\n";
echo " - User-Agent Consistency: " . round($ddosFeatures->userAgentConsistency, 2) . "\n\n";
$ddosAnomalyResult = $anomalyDetector->detect($ddosFeatures);
echo " Anomaly Detection: " . ($ddosAnomalyResult->isAnomalous ? '❌ ANOMALOUS' : '✓ NORMAL') . "\n";
echo " Score: {$ddosAnomalyResult->anomalyScore->toString()} 🚨\n";
echo " Severity: {$ddosAnomalyResult->getSeverity()}\n";
echo " Indicator: {$ddosAnomalyResult->primaryIndicator}\n";
echo " Recommended Action: {$ddosAnomalyResult->getRecommendedAction()}\n\n";
// ========================================
// 4. Simulate Bot Pattern
// ========================================
echo "4. Simulating bot pattern...\n";
$botIp = new IpAddress('198.51.100.99');
// Perfect timing regularity with identical payloads
for ($i = 1; $i <= 10; $i++) {
$request = createMockRequest($botIp, "/api/data", 'POST', 'same_payload_data');
$historyTracker->track($request);
usleep(500000); // Exactly 0.5 seconds between requests
}
$botSequence = $historyTracker->getSequence($botIp);
echo "✓ Tracked {$botSequence->count()} bot-like requests\n";
$botFeatures = $patternExtractor->extract($botSequence);
echo " Features extracted:\n";
echo " - Time Pattern Regularity: " . round($botFeatures->timePatternRegularity, 2) . " 🚨\n";
echo " - Payload Similarity: " . round($botFeatures->payloadSimilarity, 2) . " 🚨\n";
echo " - Request Frequency: " . round($botFeatures->requestFrequency, 2) . " req/s\n\n";
$botAnomalyResult = $anomalyDetector->detect($botFeatures);
echo " Anomaly Detection: " . ($botAnomalyResult->isAnomalous ? '❌ ANOMALOUS' : '✓ NORMAL') . "\n";
echo " Score: {$botAnomalyResult->anomalyScore->toString()}\n";
echo " Severity: {$botAnomalyResult->getSeverity()}\n";
echo " Indicator: {$botAnomalyResult->primaryIndicator}\n";
if (!empty($botAnomalyResult->detectedPatterns)) {
echo " Detected Patterns:\n";
foreach ($botAnomalyResult->detectedPatterns as $pattern) {
echo " - {$pattern['type']}\n";
}
}
echo "\n";
// ========================================
// 5. Test MLEnhancedWafLayer Integration
// ========================================
echo "5. Testing ML WAF Layer integration...\n\n";
// Analyze normal traffic
echo " Analyzing normal traffic through ML WAF Layer:\n";
$normalRequest = createMockRequest($normalIp, "/dashboard", 'GET');
$normalResult = $mlWafLayer->analyze($normalRequest);
echo " Status: " . ($normalResult->isThreat() ? 'THREAT' : 'CLEAN') . "\n";
echo " Message: {$normalResult->getMessage()}\n";
echo " Processing Time: {$normalResult->getProcessingTime()->toMilliseconds()}ms\n\n";
// Analyze DDoS traffic
echo " Analyzing DDoS traffic through ML WAF Layer:\n";
$ddosRequest = createMockRequest($ddosIp, "/api/search", 'GET');
$ddosResult = $mlWafLayer->analyze($ddosRequest);
echo " Status: " . ($ddosResult->isThreat() ? '🚨 THREAT' : 'CLEAN') . "\n";
echo " Message: {$ddosResult->getMessage()}\n";
echo " Processing Time: {$ddosResult->getProcessingTime()->toMilliseconds()}ms\n";
if ($ddosResult->isThreat()) {
$detections = $ddosResult->getDetections();
echo " Detections: " . count($detections) . "\n";
foreach ($detections as $detection) {
echo " - {$detection->category->value}: {$detection->description}\n";
echo " Severity: {$detection->severity->value}, Confidence: {$detection->confidence->getValue()}%\n";
}
}
echo "\n";
// ========================================
// 6. Layer Metrics and Health
// ========================================
echo "6. ML WAF Layer metrics and health status:\n\n";
echo " Layer Name: {$mlWafLayer->getName()}\n";
echo " Version: {$mlWafLayer->getVersion()}\n";
echo " Priority: {$mlWafLayer->getPriority()}\n";
echo " Enabled: " . ($mlWafLayer->isEnabled() ? 'Yes' : 'No') . "\n";
echo " Healthy: " . ($mlWafLayer->isHealthy() ? '✓ Yes' : '❌ No') . "\n";
echo " Confidence Level: {$mlWafLayer->getConfidenceLevel()->getValue()}%\n";
echo " Timeout Threshold: {$mlWafLayer->getTimeoutThreshold()->toMilliseconds()}ms\n";
echo " Supports Parallel Processing: " . ($mlWafLayer->supportsParallelProcessing() ? 'Yes' : 'No') . "\n\n";
echo " Supported Categories:\n";
foreach ($mlWafLayer->getSupportedCategories() as $category) {
echo " - {$category->value}\n";
}
echo "\n";
// ========================================
// 7. Feature Vector Analysis
// ========================================
echo "7. Complete feature vector comparison:\n\n";
echo " Normal Traffic Features:\n";
$normalVector = $normalFeatures->toArray();
foreach ($normalVector as $key => $value) {
echo " - " . str_pad($key, 30) . ": " . round($value, 3) . "\n";
}
echo "\n";
echo " DDoS Attack Features:\n";
$ddosVector = $ddosFeatures->toArray();
foreach ($ddosVector as $key => $value) {
echo " - " . str_pad($key, 30) . ": " . round($value, 3) . "\n";
}
echo "\n";
echo " Bot Pattern Features:\n";
$botVector = $botFeatures->toArray();
foreach ($botVector as $key => $value) {
echo " - " . str_pad($key, 30) . ": " . round($value, 3) . "\n";
}
echo "\n";
// ========================================
// 8. Request History Statistics
// ========================================
echo "8. Request history statistics:\n\n";
$normalStats = $normalSequence->getStatistics();
echo " Normal Traffic Statistics:\n";
foreach ($normalStats as $key => $value) {
echo " - " . str_pad($key, 30) . ": {$value}\n";
}
echo "\n";
$ddosStats = $ddosSequence->getStatistics();
echo " DDoS Traffic Statistics:\n";
foreach ($ddosStats as $key => $value) {
echo " - " . str_pad($key, 30) . ": {$value}\n";
}
echo "\n";
echo "=== Demo Complete ===\n\n";
echo "Summary:\n";
echo "✓ ML WAF Layer successfully detects:\n";
echo " - DDoS attacks (high frequency + low diversity)\n";
echo " - Bot patterns (perfect regularity + high similarity)\n";
echo " - Normal traffic patterns (no anomalies)\n\n";
echo "✓ Uses Core Score value object for confidence levels\n";
echo "✓ Provides detailed feature extraction and analysis\n";
echo "✓ Integrates seamlessly with existing WAF system\n";
// ========================================
// Helper Functions
// ========================================
function createMockRequest(
IpAddress $ip,
string $path,
string $method,
string $body = ''
): \App\Framework\Http\Request {
return new class($ip, $path, $method, $body) implements \App\Framework\Http\Request {
public function __construct(
private readonly IpAddress $ip,
private readonly string $path,
private readonly string $method,
private readonly string $body
) {}
public string $path {
get => $this->path;
}
public object $method {
get => new class($this->method) {
public function __construct(public readonly string $value) {}
};
}
public array $queryParams {
get => [];
}
public string $body {
get => $this->body;
}
public int $timestamp {
get => time();
}
public object $headers {
get => new class {
public function getFirst(string $name): ?string {
return match($name) {
'User-Agent' => 'Mozilla/5.0 (compatible; Bot/1.0)',
'Content-Type' => 'application/json',
'Content-Length' => '0',
default => null
};
}
};
}
public object $server {
get => new class($this->ip) {
public function __construct(private readonly IpAddress $ip) {}
public function getRemoteAddr(): IpAddress {
return $this->ip;
}
};
}
public object $parsedBody {
get => new class {
public array $data {
get => [];
}
};
}
};
}