michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(Production): Complete production deployment infrastructure

Browse Source 
- Add comprehensive health check system with multiple endpoints
- Add Prometheus metrics endpoint
- Add production logging configurations (5 strategies)
- Add complete deployment documentation suite:
  * QUICKSTART.md - 30-minute deployment guide
  * DEPLOYMENT_CHECKLIST.md - Printable verification checklist
  * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle
  * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference
  * production-logging.md - Logging configuration guide
  * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation
  * README.md - Navigation hub
  * DEPLOYMENT_SUMMARY.md - Executive summary
- Add deployment scripts and automation
- Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment
- Update README with production-ready features

All production infrastructure is now complete and ready for deployment.
This commit is contained in:
Michael Schiemer
2025-10-25 19:18:37 +02:00
parent caa85db796
commit fc3d7e6357
83016 changed files with 378904 additions and 20919 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Framework/Waf/Feedback/DatabaseFeedbackRepository.php
View File

@@ -5,11 +5,11 @@ declare(strict_types=1);
namespace App\Framework\Waf\Feedback;
use App\Framework\Core\ValueObjects\Timestamp;
use App\Framework\Database\ConnectionInterface;
use App\Framework\Database\ValueObjects\SqlQuery;
use App\Framework\Waf\DetectionCategory;
use App\Framework\Waf\DetectionSeverity;
use PDO;
use App\Framework\Database\ConnectionInterface;
use App\Framework\Database\ValueObjects\SqlQuery;
/**
* Database implementation of the feedback repository

420
src/Framework/Waf/Layers/MLEnhancedWafLayer.php Normal file
View File

@@ -0,0 +1,420 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\Layers;
use App\Framework\Waf\Layers\LayerInterface;
use App\Framework\Waf\LayerResult;
use App\Framework\Waf\ValueObjects\LayerConfig;
use App\Framework\Waf\ValueObjects\LayerMetrics;
use App\Framework\Waf\ValueObjects\Detection;
use App\Framework\Waf\ValueObjects\DetectionCategory;
use App\Framework\Waf\ValueObjects\DetectionSeverity;
use App\Framework\Waf\ValueObjects\DetectionStatus;
use App\Framework\Waf\MachineLearning\BehaviorPatternExtractor;
use App\Framework\Waf\MachineLearning\BehaviorAnomalyDetector;
use App\Framework\Waf\MachineLearning\RequestHistoryTracker;
use App\Framework\Http\Request;
use App\Framework\Core\ValueObjects\Duration;
use App\Framework\Core\ValueObjects\Percentage;
use App\Framework\Core\ValueObjects\Score;
use Psr\Log\LoggerInterface;
/**
* ML-Enhanced WAF Layer for Advanced Behavioral Analysis
*
* Provides sophisticated threat detection through:
* - Behavioral pattern extraction (8 features)
* - Statistical anomaly detection
* - Heuristic-based threat classification
* - Request sequence analysis
*
* Architecture:
* RequestHistoryTracker → BehaviorPatternExtractor → BehaviorAnomalyDetector → LayerResult
*/
final class MLEnhancedWafLayer implements LayerInterface
{
private const string LAYER_NAME = 'ML-Enhanced Behavioral Analysis';
private const string VERSION = '1.0.0';
private const int PRIORITY = 100; // High priority for ML analysis
private LayerConfig $config;
private LayerMetrics $metrics;
private bool $isHealthy = true;
private int $detectionCount = 0;
private int $requestCount = 0;
/**
* @param Score $confidenceThreshold Minimum confidence for threat classification
* @param int $minHistorySize Minimum request history for analysis
* @param bool $enableStatisticalDetection Use statistical baseline comparison
*/
public function __construct(
private readonly RequestHistoryTracker $historyTracker,
private readonly BehaviorPatternExtractor $patternExtractor,
private readonly BehaviorAnomalyDetector $anomalyDetector,
private readonly LoggerInterface $logger,
private readonly Score $confidenceThreshold = new Score(0.6),
private readonly int $minHistorySize = 5,
private readonly bool $enableStatisticalDetection = true
) {
$this->config = LayerConfig::default()
->withTimeout(Duration::fromMilliseconds(100))
->withConfidenceThreshold(Percentage::from(60.0));
$this->metrics = new LayerMetrics(
totalRequests: 0,
totalDetections: 0,
totalBlocks: 0,
averageProcessingTime: Duration::fromMilliseconds(0),
falsePositiveRate: Percentage::from(0.0),
detectionRate: Percentage::from(0.0)
);
}
public function getName(): string
{
return self::LAYER_NAME;
}
public function analyze(Request $request): LayerResult
{
$startTime = microtime(true);
$this->requestCount++;
try {
// 1. Track current request for sequence building
$this->historyTracker->track($request);
// 2. Get request sequence for client IP
$clientIp = $request->server->getRemoteAddr();
$sequence = $this->historyTracker->getSequence($clientIp);
// 3. Check if we have enough history for analysis
if (!$this->historyTracker->hasSufficientHistory($clientIp, $this->minHistorySize)) {
$processingTime = Duration::fromMilliseconds((microtime(true) - $startTime) * 1000);
return LayerResult::clean(
$this->getName(),
'Insufficient request history for behavioral analysis',
$processingTime
);
}
// 4. Extract behavioral features
$features = $this->patternExtractor->extract($sequence);
// 5. Detect anomalies
$anomalyResult = $this->anomalyDetector->detect(
$features,
[] // TODO: Implement baseline storage for statistical detection
);
$processingTime = Duration::fromMilliseconds((microtime(true) - $startTime) * 1000);
// 6. Evaluate threat level
if (!$anomalyResult->isAnomalous) {
return LayerResult::clean(
$this->getName(),
$anomalyResult->primaryIndicator,
$processingTime
);
}
// 7. Check if anomaly score exceeds threshold
if ($anomalyResult->anomalyScore->isBelow($this->confidenceThreshold)) {
return LayerResult::clean(
$this->getName(),
"Low confidence anomaly: {$anomalyResult->primaryIndicator}",
$processingTime,
metadata: [
'anomaly_score' => $anomalyResult->anomalyScore->value(),
'severity' => $anomalyResult->getSeverity(),
'below_threshold' => true
]
);
}
// 8. Build detections from anomaly result
$detections = $this->buildDetections($anomalyResult, $sequence);
$this->detectionCount += count($detections);
// 9. Log threat detection
if ($this->config->logDetections) {
$this->logger->warning('ML WAF: Behavioral anomaly detected', [
'layer' => $this->getName(),
'client_ip' => $clientIp->toString(),
'anomaly_score' => $anomalyResult->anomalyScore->value(),
'severity' => $anomalyResult->getSeverity(),
'primary_indicator' => $anomalyResult->primaryIndicator,
'detected_patterns' => $anomalyResult->detectedPatterns,
'sequence_stats' => $sequence->getStatistics()
]);
}
return LayerResult::threat(
$this->getName(),
$anomalyResult->primaryIndicator,
$this->mapScoreToStatus($anomalyResult->anomalyScore),
$detections,
$processingTime,
metadata: [
'anomaly_score' => $anomalyResult->anomalyScore->value(),
'severity' => $anomalyResult->getSeverity(),
'recommended_action' => $anomalyResult->getRecommendedAction(),
'top_contributors' => $anomalyResult->getTopContributors()
]
);
} catch (\Throwable $e) {
$processingTime = Duration::fromMilliseconds((microtime(true) - $startTime) * 1000);
$this->logger->error('ML WAF Layer analysis failed', [
'layer' => $this->getName(),
'error' => $e->getMessage(),
'trace' => $e->getTraceAsString()
]);
$this->isHealthy = false;
return LayerResult::error(
$this->getName(),
'Behavioral analysis failed: ' . $e->getMessage(),
$processingTime
);
}
}
/**
* Build Detection objects from anomaly result
*/
private function buildDetections(
\App\Framework\Waf\MachineLearning\ValueObjects\BehaviorAnomalyResult $anomalyResult,
\App\Framework\Waf\MachineLearning\ValueObjects\RequestSequence $sequence
): array {
$detections = [];
foreach ($anomalyResult->detectedPatterns as $pattern) {
$patternType = $pattern['type'] ?? 'unknown';
$category = $this->mapPatternToCategory($patternType);
$severity = $this->mapScoreToSeverity($anomalyResult->anomalyScore);
$detections[] = new Detection(
category: $category,
severity: $severity,
pattern: $patternType,
value: json_encode($pattern),
description: $this->buildPatternDescription($pattern),
confidence: Percentage::fromDecimal($anomalyResult->anomalyScore->value()),
location: 'behavioral_analysis',
status: DetectionStatus::CONFIRMED
);
}
// Add feature-based detections for top contributors
foreach ($anomalyResult->getTopContributors(3) as $featureName => $score) {
$detections[] = new Detection(
category: DetectionCategory::BEHAVIORAL_ANOMALY,
severity: $this->mapScoreToSeverity($score),
pattern: "anomalous_{$featureName}",
value: (string) $score->value(),
description: "Anomalous {$featureName} pattern detected",
confidence: Percentage::fromDecimal($score->value()),
location: 'feature_analysis',
status: DetectionStatus::CONFIRMED
);
}
return $detections;
}
/**
* Map pattern type to detection category
*/
private function mapPatternToCategory(string $patternType): DetectionCategory
{
return match ($patternType) {
'potential_ddos' => DetectionCategory::DDOS_ATTACK,
'potential_scanning' => DetectionCategory::SECURITY_SCANNING,
'potential_bot' => DetectionCategory::BOT_ACTIVITY,
'potential_credential_stuffing' => DetectionCategory::AUTHENTICATION_ABUSE,
'statistical_outlier', 'iqr_outlier' => DetectionCategory::BEHAVIORAL_ANOMALY,
default => DetectionCategory::BEHAVIORAL_ANOMALY
};
}
/**
* Map Score to DetectionSeverity
*/
private function mapScoreToSeverity(Score $score): DetectionSeverity
{
return match (true) {
$score->isCritical() => DetectionSeverity::CRITICAL,
$score->isHigh() => DetectionSeverity::HIGH,
$score->isMedium() => DetectionSeverity::MEDIUM,
default => DetectionSeverity::LOW
};
}
/**
* Map Score to DetectionStatus
*/
private function mapScoreToStatus(Score $score): DetectionStatus
{
return match (true) {
$score->isCritical(), $score->isHigh() => DetectionStatus::CONFIRMED,
$score->isMedium() => DetectionStatus::SUSPECTED,
default => DetectionStatus::POSSIBLE
};
}
/**
* Build human-readable pattern description
*/
private function buildPatternDescription(array $pattern): string
{
$type = $pattern['type'] ?? 'unknown';
return match ($type) {
'potential_ddos' => sprintf(
'High request frequency (%.2f req/s) with low endpoint diversity (%.2f)',
$pattern['frequency'] ?? 0.0,
$pattern['diversity'] ?? 0.0
),
'potential_scanning' => sprintf(
'High parameter entropy (%.2f) combined with geographic anomaly (%.2f)',
$pattern['entropy'] ?? 0.0,
$pattern['geo_anomaly'] ?? 0.0
),
'potential_bot' => sprintf(
'Perfect timing regularity (%.2f) with high payload similarity (%.2f)',
$pattern['regularity'] ?? 0.0,
$pattern['similarity'] ?? 0.0
),
'potential_credential_stuffing' => sprintf(
'High frequency (%.2f req/s) with inconsistent User-Agent (%.2f)',
$pattern['frequency'] ?? 0.0,
$pattern['ua_consistency'] ?? 0.0
),
'statistical_outlier' => sprintf(
'Feature %s is a statistical outlier (z-score: %.2f)',
$pattern['feature'] ?? 'unknown',
$pattern['z_score'] ?? 0.0
),
default => 'Behavioral anomaly detected'
};
}
public function isEnabled(): bool
{
return $this->config->enabled;
}
public function isHealthy(): bool
{
return $this->isHealthy;
}
public function getPriority(): int
{
return self::PRIORITY;
}
public function getConfidenceLevel(): Percentage
{
// Average confidence based on detection rate
if ($this->requestCount === 0) {
return Percentage::from(100.0);
}
$detectionRate = ($this->detectionCount / $this->requestCount) * 100;
$confidence = 100.0 - min($detectionRate, 50.0); // Lower confidence if too many detections
return Percentage::from($confidence);
}
public function getTimeoutThreshold(): Duration
{
return $this->config->getEffectiveTimeout();
}
public function configure(LayerConfig $config): void
{
$this->config = $config;
}
public function getConfig(): LayerConfig
{
return $this->config;
}
public function getMetrics(): LayerMetrics
{
return $this->metrics;
}
public function reset(): void
{
$this->detectionCount = 0;
$this->requestCount = 0;
$this->isHealthy = true;
$this->metrics = new LayerMetrics(
totalRequests: 0,
totalDetections: 0,
totalBlocks: 0,
averageProcessingTime: Duration::fromMilliseconds(0),
falsePositiveRate: Percentage::from(0.0),
detectionRate: Percentage::from(0.0)
);
}
public function warmUp(): void
{
$this->logger->info('ML WAF Layer warming up', [
'layer' => $this->getName(),
'confidence_threshold' => $this->confidenceThreshold->value(),
'min_history_size' => $this->minHistorySize
]);
}
public function shutdown(): void
{
$this->logger->info('ML WAF Layer shutting down', [
'layer' => $this->getName(),
'total_requests' => $this->requestCount,
'total_detections' => $this->detectionCount
]);
}
public function getDependencies(): array
{
return [
RequestHistoryTracker::class,
BehaviorPatternExtractor::class,
BehaviorAnomalyDetector::class
];
}
public function supportsParallelProcessing(): bool
{
return true; // Can run in parallel with other layers
}
public function getVersion(): string
{
return self::VERSION;
}
public function getSupportedCategories(): array
{
return [
DetectionCategory::BEHAVIORAL_ANOMALY,
DetectionCategory::DDOS_ATTACK,
DetectionCategory::SECURITY_SCANNING,
DetectionCategory::BOT_ACTIVITY,
DetectionCategory::AUTHENTICATION_ABUSE
];
}
}

124
src/Framework/Waf/MLEnhancedWafLayerInitializer.php Normal file
View File

@@ -0,0 +1,124 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf;
use App\Framework\Waf\Layers\MLEnhancedWafLayer;
use App\Framework\Waf\MachineLearning\BehaviorPatternExtractor;
use App\Framework\Waf\MachineLearning\BehaviorAnomalyDetector;
use App\Framework\Waf\MachineLearning\RequestHistoryTracker;
use App\Framework\Waf\MachineLearning\WafBehavioralModelAdapter;
use App\Framework\DI\Container;
use App\Framework\DI\Attributes\Initializer;
use App\Framework\Cache\Cache;
use App\Framework\Config\Environment;
use App\Framework\Core\ValueObjects\Score;
use App\Framework\MachineLearning\ModelManagement\ModelPerformanceMonitor;
use App\Framework\MachineLearning\ModelManagement\ModelRegistry;
use App\Framework\Infrastructure\GeoIp\GeoIp;
use Psr\Log\LoggerInterface;
/**
* Initializer for ML-Enhanced WAF Layer
*
* Bootstraps the ML behavioral analysis layer and its dependencies
*/
final readonly class MLEnhancedWafLayerInitializer
{
public function __construct(
private Container $container,
private Environment $environment,
private LoggerInterface $logger
) {}
#[Initializer]
public function __invoke(Container $container): MLEnhancedWafLayer
{
// 1. Resolve dependencies
$cache = $container->get(Cache::class);
$geoIp = $container->get(GeoIp::class);
$logger = $container->get(LoggerInterface::class);
// 2. Create RequestHistoryTracker
$historyTracker = new RequestHistoryTracker(
cache: $cache,
maxRequestsPerIp: 50, // Last 50 requests per IP
timeWindowSeconds: 300 // 5-minute sliding window
);
// 3. Create BehaviorPatternExtractor
$patternExtractor = new BehaviorPatternExtractor(
geoIp: $geoIp,
minConfidence: 0.6
);
// 4. Create BehaviorAnomalyDetector
$anomalyDetector = new BehaviorAnomalyDetector(
anomalyThreshold: Score::medium(), // 0.5 threshold
zScoreThreshold: 3.0, // 99.7% confidence interval
iqrMultiplier: 1.5 // Standard IQR multiplier
);
// 5. Create ML-Enhanced WAF Layer
return new MLEnhancedWafLayer(
historyTracker: $historyTracker,
patternExtractor: $patternExtractor,
anomalyDetector: $anomalyDetector,
logger: $logger,
confidenceThreshold: Score::medium(), // Block at medium confidence
minHistorySize: 5, // Need at least 5 requests for analysis
enableStatisticalDetection: true // Enable statistical baseline comparison
);
}
/**
* Initialize WAF Behavioral Model Adapter for ML Model Management integration
*/
#[Initializer]
public function initializeModelAdapter(): WafBehavioralModelAdapter
{
$this->logger->info('Initializing WAF Behavioral Model Adapter');
try {
// Get required dependencies from container
$registry = $this->container->get(ModelRegistry::class);
$performanceMonitor = $this->container->get(ModelPerformanceMonitor::class);
$anomalyDetector = $this->container->get(BehaviorAnomalyDetector::class);
$adapter = new WafBehavioralModelAdapter(
registry: $registry,
performanceMonitor: $performanceMonitor,
detector: $anomalyDetector
);
// Auto-register current model version if enabled
if ($this->environment->getBool('WAF_ML_AUTO_REGISTER', true)) {
try {
$metadata = $adapter->registerCurrentModel();
$this->logger->info('WAF behavioral model auto-registered', [
'model_name' => $metadata->modelName,
'version' => $metadata->version->toString(),
'type' => $metadata->modelType->value,
]);
} catch (\Exception $e) {
// Model might already exist, which is fine
$this->logger->debug('WAF behavioral model registration skipped', [
'reason' => $e->getMessage(),
]);
}
}
$this->logger->info('WAF Behavioral Model Adapter initialized successfully');
return $adapter;
} catch (\Throwable $e) {
$this->logger->error('Failed to initialize WAF Behavioral Model Adapter', [
'error' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
throw $e;
}
}
}

41
src/Framework/Waf/MachineLearning/BaselineManager.php
View File

@@ -7,8 +7,9 @@ namespace App\Framework\Waf\MachineLearning;
use App\Framework\Core\ValueObjects\Duration;
use App\Framework\Core\ValueObjects\Percentage;
use App\Framework\DateTime\Clock;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorBaseline;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
use App\Framework\MachineLearning\ValueObjects\Baseline;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\MachineLearning\ValueObjects\FeatureType;
/**
* Manages behavioral baselines for anomaly detection
@@ -34,7 +35,7 @@ final class BaselineManager
/**
* Get baseline for a specific behavior type and feature
*/
public function getBaseline(BehaviorType $behaviorType, string $featureName = 'default'): ?BehaviorBaseline
public function getBaseline(FeatureType $behaviorType, string $featureName = 'default'): ?Baseline
{
$key = $this->generateBaselineKey($behaviorType, $featureName);
@@ -57,7 +58,7 @@ final class BaselineManager
/**
* Update baseline with new feature data
*/
public function updateBaseline(BehaviorFeature $feature): void
public function updateBaseline(Feature $feature): void
{
$key = $this->generateBaselineKey($feature->type, $feature->name);
@@ -92,7 +93,7 @@ final class BaselineManager
/**
* Update baseline incrementally with new feature
*/
public function updateBaselineIncremental(BehaviorFeature $feature): void
public function updateBaselineIncremental(Feature $feature): void
{
$key = $this->generateBaselineKey($feature->type, $feature->name);
$existingBaseline = $this->baselines[$key] ?? null;
@@ -116,7 +117,7 @@ final class BaselineManager
/**
* Get all baselines for a behavior type
*/
public function getBaselinesForBehaviorType(BehaviorType $behaviorType): array
public function getBaselinesForFeatureType(FeatureType $behaviorType): array
{
$baselines = [];
@@ -181,7 +182,7 @@ final class BaselineManager
'active_baselines' => $totalBaselines - $expiredBaselines,
'avg_sample_size' => $avgSampleSize,
'avg_age_seconds' => $avgAge,
'behavior_types' => $this->getBaselineBehaviorTypes(),
'behavior_types' => $this->getBaselineFeatureTypes(),
'feature_history_size' => array_sum(array_map('count', $this->featureHistory)),
];
}
@@ -189,9 +190,9 @@ final class BaselineManager
/**
* Create initial baseline from feature history
*/
private function createInitialBaseline(BehaviorType $behaviorType, string $featureName, array $featureHistory): BehaviorBaseline
private function createInitialBaseline(FeatureType $behaviorType, string $featureName, array $featureHistory): Baseline
{
$values = array_map(fn (BehaviorFeature $f) => $f->value, $featureHistory);
$values = array_map(fn (Feature $f) => $f->value, $featureHistory);
$stats = $this->calculateStatistics($values);
$confidence = $this->calculateBaselineConfidence($stats['sample_size']);
@@ -201,7 +202,7 @@ final class BaselineManager
$stats = $this->applySeasonalAdjustment($stats, $featureHistory);
}
return new BehaviorBaseline(
return new Baseline(
type: $behaviorType,
mean: $stats['mean'],
standardDeviation: $stats['std_dev'],
@@ -222,13 +223,13 @@ final class BaselineManager
/**
* Update existing baseline with new data
*/
private function updateExistingBaseline(BehaviorBaseline $existingBaseline, array $featureHistory): BehaviorBaseline
private function updateExistingBaseline(Baseline $existingBaseline, array $featureHistory): Baseline
{
if (! $this->enableAdaptiveBaselines) {
return $existingBaseline;
}
$values = array_map(fn (BehaviorFeature $f) => $f->value, $featureHistory);
$values = array_map(fn (Feature $f) => $f->value, $featureHistory);
$newStats = $this->calculateStatistics($values);
// Adaptive learning rate based on sample size and confidence
@@ -249,7 +250,7 @@ final class BaselineManager
$newSampleSize = min($existingBaseline->sampleSize + $newStats['sample_size'], $this->maxSamplesPerBaseline);
$confidence = $this->calculateBaselineConfidence($newSampleSize);
return new BehaviorBaseline(
return new Baseline(
type: $existingBaseline->type,
mean: $updatedMean,
standardDeviation: $updatedStdDev,
@@ -270,7 +271,7 @@ final class BaselineManager
/**
* Incremental update using exponential moving average
*/
private function incrementalUpdate(BehaviorBaseline $baseline, BehaviorFeature $newFeature): BehaviorBaseline
private function incrementalUpdate(Baseline $baseline, Feature $newFeature): Baseline
{
$learningRate = $this->calculateAdaptiveLearningRate($baseline, 1);
@@ -283,7 +284,7 @@ final class BaselineManager
$updatedVariance = $variance * (1 - $learningRate) + $delta * $delta2 * $learningRate;
$updatedStdDev = sqrt(max(0, $updatedVariance));
return new BehaviorBaseline(
return new Baseline(
type: $baseline->type,
mean: $updatedMean,
standardDeviation: $updatedStdDev,
@@ -357,7 +358,7 @@ final class BaselineManager
/**
* Calculate adaptive learning rate
*/
private function calculateAdaptiveLearningRate(BehaviorBaseline $baseline, int $newSamples): float
private function calculateAdaptiveLearningRate(Baseline $baseline, int $newSamples): float
{
// Decrease learning rate as confidence increases
$confidenceFactor = 1.0 - ($baseline->confidence->getValue() / 100.0);
@@ -421,7 +422,7 @@ final class BaselineManager
/**
* Record feature in history
*/
private function recordFeature(string $key, BehaviorFeature $feature): void
private function recordFeature(string $key, Feature $feature): void
{
if (! isset($this->featureHistory[$key])) {
$this->featureHistory[$key] = [];
@@ -454,7 +455,7 @@ final class BaselineManager
/**
* Check if baseline is expired
*/
private function isBaselineExpired(BehaviorBaseline $baseline): bool
private function isBaselineExpired(Baseline $baseline): bool
{
$age = $baseline->lastUpdated->diff($this->clock->time());
@@ -464,7 +465,7 @@ final class BaselineManager
/**
* Generate baseline key
*/
private function generateBaselineKey(BehaviorType $behaviorType, string $featureName): string
private function generateBaselineKey(FeatureType $behaviorType, string $featureName): string
{
return $behaviorType->value . ':' . $featureName;
}
@@ -472,7 +473,7 @@ final class BaselineManager
/**
* Get behavior types with baselines
*/
private function getBaselineBehaviorTypes(): array
private function getBaselineFeatureTypes(): array
{
$types = [];

336
src/Framework/Waf/MachineLearning/BehaviorAnomalyDetector.php Normal file
View File

@@ -0,0 +1,336 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeatures;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorAnomalyResult;
use App\Framework\Core\ValueObjects\Score;
/**
* ML-based Behavioral Anomaly Detector for WAF
*
* Detects anomalous request patterns using statistical analysis:
* - Z-score based outlier detection
* - IQR (Interquartile Range) method
* - Pattern-based heuristics for known attack types
*
* Based on N+1 Detection ML Framework patterns with statistical detection
*/
final readonly class BehaviorAnomalyDetector
{
/**
* @param Score $anomalyThreshold Minimum score for anomaly classification (default: 0.6)
* @param float $zScoreThreshold Z-score threshold for outlier detection (default: 3.0 = 99.7%)
* @param float $iqrMultiplier IQR multiplier for outlier bounds (default: 1.5)
*/
public function __construct(
private Score $anomalyThreshold = new Score(0.6),
private float $zScoreThreshold = 3.0,
private float $iqrMultiplier = 1.5
) {}
/**
* Detect anomalies in behavioral features
*
* @param BehaviorFeatures $features Extracted behavioral features
* @param array<BehaviorFeatures> $historicalBaseline Historical baseline for comparison (optional)
* @return BehaviorAnomalyResult Anomaly detection result with confidence score
*/
public function detect(BehaviorFeatures $features, array $historicalBaseline = []): BehaviorAnomalyResult
{
// 1. Heuristic-based detection (pattern matching)
$heuristicResult = $this->detectHeuristicAnomalies($features);
if ($heuristicResult->isAnomalous) {
return $heuristicResult;
}
// 2. Statistical detection (if baseline available)
if (!empty($historicalBaseline)) {
$statisticalResult = $this->detectStatisticalAnomalies($features, $historicalBaseline);
if ($statisticalResult->isAnomalous) {
return $statisticalResult;
}
// Merge heuristic and statistical scores for low-confidence cases
if ($statisticalResult->anomalyScore->isAbove(Score::low())) {
return $heuristicResult->merge($statisticalResult, weight: 0.5);
}
}
return BehaviorAnomalyResult::normal('Behavioral patterns within expected parameters');
}
/**
* Heuristic-based anomaly detection using known attack patterns
*/
private function detectHeuristicAnomalies(BehaviorFeatures $features): BehaviorAnomalyResult
{
$featureScores = [];
$detectedPatterns = [];
$scores = [];
// Check for DDoS-like patterns: High frequency + Low diversity
if ($features->requestFrequency > 10.0 && $features->endpointDiversity < 1.0) {
$ddosScore = Score::high();
$featureScores['ddos_pattern'] = $ddosScore;
$scores[] = $ddosScore;
$detectedPatterns[] = [
'type' => 'potential_ddos',
'frequency' => $features->requestFrequency,
'diversity' => $features->endpointDiversity
];
}
// Check for scanning behavior: High entropy + Geographic anomaly
if ($features->parameterEntropy > 6.0 && $features->geographicAnomaly > 0.7) {
$scanScore = Score::high();
$featureScores['scanning_pattern'] = $scanScore;
$scores[] = $scanScore;
$detectedPatterns[] = [
'type' => 'potential_scanning',
'entropy' => $features->parameterEntropy,
'geo_anomaly' => $features->geographicAnomaly
];
}
// Check for bot behavior: Perfect regularity + High similarity
if ($features->timePatternRegularity > 0.9 && $features->payloadSimilarity > 0.8) {
$botScore = Score::medium();
$featureScores['bot_pattern'] = $botScore;
$scores[] = $botScore;
$detectedPatterns[] = [
'type' => 'potential_bot',
'regularity' => $features->timePatternRegularity,
'similarity' => $features->payloadSimilarity
];
}
// Check for credential stuffing: High frequency + Inconsistent User-Agent
if ($features->requestFrequency > 5.0 && $features->userAgentConsistency < 0.3) {
$credentialStuffingScore = Score::high();
$featureScores['credential_stuffing'] = $credentialStuffingScore;
$scores[] = $credentialStuffingScore;
$detectedPatterns[] = [
'type' => 'potential_credential_stuffing',
'frequency' => $features->requestFrequency,
'ua_consistency' => $features->userAgentConsistency
];
}
// Calculate overall anomaly score
if (empty($scores)) {
return BehaviorAnomalyResult::normal('No heuristic patterns detected');
}
$overallScore = Score::weightedAverage($scores);
if ($overallScore->isBelow($this->anomalyThreshold)) {
return BehaviorAnomalyResult::lowConfidence($overallScore, $featureScores);
}
return BehaviorAnomalyResult::anomalous(
score: $overallScore,
featureScores: $featureScores,
detectedPatterns: $detectedPatterns,
primaryIndicator: $this->determinePrimaryThreat($detectedPatterns)
);
}
/**
* Statistical anomaly detection using baseline comparison
*
* @param BehaviorFeatures $features Current features
* @param array<BehaviorFeatures> $baseline Historical baseline
*/
private function detectStatisticalAnomalies(
BehaviorFeatures $features,
array $baseline
): BehaviorAnomalyResult {
$featureScores = [];
$detectedAnomalies = [];
// Analyze each feature dimension
$featureNames = BehaviorFeatures::getFeatureNames();
$currentVector = $features->toVector();
foreach ($featureNames as $index => $featureName) {
$currentValue = $currentVector[$index];
// Extract historical values for this feature
$historicalValues = array_map(
fn(BehaviorFeatures $f) => $f->toVector()[$index],
$baseline
);
// Z-score based detection
$zScore = $this->calculateZScore($currentValue, $historicalValues);
if (abs($zScore) > $this->zScoreThreshold) {
$anomalyScore = $this->zScoreToConfidence(abs($zScore));
$featureScores[$featureName] = $anomalyScore;
$detectedAnomalies[] = [
'feature' => $featureName,
'type' => 'statistical_outlier',
'current_value' => $currentValue,
'z_score' => $zScore,
'confidence' => $anomalyScore->value()
];
}
// IQR-based detection
$iqrOutlier = $this->isIQROutlier($currentValue, $historicalValues);
if ($iqrOutlier && !isset($featureScores[$featureName])) {
$iqrScore = Score::medium();
$featureScores[$featureName] = $iqrScore;
$detectedAnomalies[] = [
'feature' => $featureName,
'type' => 'iqr_outlier',
'current_value' => $currentValue
];
}
}
if (empty($featureScores)) {
return BehaviorAnomalyResult::normal('Statistical analysis: within baseline parameters');
}
// Calculate overall anomaly score as weighted average of feature scores
$overallScore = Score::weightedAverage(array_values($featureScores));
if ($overallScore->isBelow($this->anomalyThreshold)) {
return BehaviorAnomalyResult::lowConfidence($overallScore, $featureScores);
}
return BehaviorAnomalyResult::anomalous(
score: $overallScore,
featureScores: $featureScores,
detectedPatterns: $detectedAnomalies,
primaryIndicator: 'Statistical deviation from baseline behavior'
);
}
/**
* Calculate Z-score for a value given historical distribution
*/
private function calculateZScore(float $value, array $historicalValues): float
{
if (empty($historicalValues)) {
return 0.0;
}
$mean = array_sum($historicalValues) / count($historicalValues);
$variance = 0.0;
foreach ($historicalValues as $histValue) {
$variance += ($histValue - $mean) ** 2;
}
$stdDev = sqrt($variance / count($historicalValues));
if ($stdDev === 0.0) {
return 0.0; // No variation in baseline
}
return ($value - $mean) / $stdDev;
}
/**
* Check if value is an IQR outlier
*/
private function isIQROutlier(float $value, array $historicalValues): bool
{
if (count($historicalValues) < 4) {
return false; // Need at least 4 values for quartiles
}
sort($historicalValues);
$q1Index = (int) floor(count($historicalValues) * 0.25);
$q3Index = (int) floor(count($historicalValues) * 0.75);
$q1 = $historicalValues[$q1Index];
$q3 = $historicalValues[$q3Index];
$iqr = $q3 - $q1;
$lowerBound = $q1 - ($this->iqrMultiplier * $iqr);
$upperBound = $q3 + ($this->iqrMultiplier * $iqr);
return $value < $lowerBound || $value > $upperBound;
}
/**
* Convert Z-score to confidence score (0.0-1.0)
*
* Maps Z-score to confidence using sigmoid-like function
*/
private function zScoreToConfidence(float $absZScore): Score
{
// Z-score thresholds:
// 3.0 (99.7%) -> 0.7 (high confidence)
// 4.0 -> 0.85
// 5.0+ -> 0.95 (critical)
$confidence = match (true) {
$absZScore >= 5.0 => 0.95,
$absZScore >= 4.0 => 0.85,
$absZScore >= 3.0 => 0.70,
$absZScore >= 2.0 => 0.50,
default => 0.30
};
return new Score($confidence);
}
/**
* Determine primary threat from detected patterns
*/
private function determinePrimaryThreat(array $detectedPatterns): string
{
if (empty($detectedPatterns)) {
return 'Unknown threat';
}
// Priority order: DDoS > Credential Stuffing > Scanning > Bot
$priorities = [
'potential_ddos' => 4,
'potential_credential_stuffing' => 3,
'potential_scanning' => 2,
'potential_bot' => 1
];
$maxPriority = 0;
$primaryThreat = 'Unknown threat';
foreach ($detectedPatterns as $pattern) {
$type = $pattern['type'];
$priority = $priorities[$type] ?? 0;
if ($priority > $maxPriority) {
$maxPriority = $priority;
$primaryThreat = ucfirst(str_replace('potential_', '', $type)) . ' detected';
}
}
return $primaryThreat;
}
/**
* Get detector configuration
*/
public function getConfiguration(): array
{
return [
'anomaly_threshold' => $this->anomalyThreshold->toArray(),
'z_score_threshold' => $this->zScoreThreshold,
'iqr_multiplier' => $this->iqrMultiplier
];
}
}

325
src/Framework/Waf/MachineLearning/BehaviorPatternExtractor.php Normal file
View File

@@ -0,0 +1,325 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeatures;
use App\Framework\Waf\MachineLearning\ValueObjects\RequestSequence;
use App\Framework\Http\Request;
use App\Infrastructure\GeoIp\GeoIp;
/**
* Behavior Pattern Feature Extractor for Advanced WAF
*
* Extracts 8 behavioral features from request sequences:
* 1. request_frequency: Requests per time window
* 2. endpoint_diversity: Shannon entropy of endpoint distribution
* 3. parameter_entropy: Randomness in parameter values
* 4. user_agent_consistency: Consistency score across requests
* 5. geographic_anomaly: IP geolocation change detection (country-based)
* 6. time_pattern_regularity: Request timing pattern analysis
* 7. payload_similarity: Similarity between consecutive payloads
* 8. http_method_distribution: Distribution of HTTP methods used
*
* Based on N+1 Detection ML Framework patterns with FeatureExtractorInterface
*/
final readonly class BehaviorPatternExtractor
{
public function __construct(
private GeoIp $geoIp,
private float $minConfidence = 0.6
) {}
/**
* Extract behavioral features from request sequence
*
* @param RequestSequence $sequence Recent request history for analysis
* @return BehaviorFeatures 8-feature vector for ML analysis
*/
public function extract(RequestSequence $sequence): BehaviorFeatures
{
if ($sequence->isEmpty()) {
return BehaviorFeatures::empty();
}
return new BehaviorFeatures(
requestFrequency: $this->calculateRequestFrequency($sequence),
endpointDiversity: $this->calculateEndpointDiversity($sequence),
parameterEntropy: $this->calculateParameterEntropy($sequence),
userAgentConsistency: $this->calculateUserAgentConsistency($sequence),
geographicAnomaly: $this->detectGeographicAnomaly($sequence),
timePatternRegularity: $this->analyzeTimePatternRegularity($sequence),
payloadSimilarity: $this->calculatePayloadSimilarity($sequence),
httpMethodDistribution: $this->calculateHttpMethodDistribution($sequence)
);
}
/**
* Feature 1: Request Frequency
* Calculates requests per second over the sequence window
*/
private function calculateRequestFrequency(RequestSequence $sequence): float
{
$requests = $sequence->getRequests();
$timeWindowSeconds = $sequence->getTimeWindowSeconds();
if ($timeWindowSeconds === 0.0) {
return 0.0;
}
return count($requests) / $timeWindowSeconds;
}
/**
* Feature 2: Endpoint Diversity
* Shannon entropy of endpoint distribution - higher = more diverse
*/
private function calculateEndpointDiversity(RequestSequence $sequence): float
{
$endpointCounts = [];
foreach ($sequence->getRequests() as $request) {
$path = $request->path;
$endpointCounts[$path] = ($endpointCounts[$path] ?? 0) + 1;
}
$total = array_sum($endpointCounts);
if ($total === 0) {
return 0.0;
}
$entropy = 0.0;
foreach ($endpointCounts as $count) {
$probability = $count / $total;
if ($probability > 0) {
$entropy -= $probability * log($probability, 2);
}
}
return $entropy;
}
/**
* Feature 3: Parameter Entropy
* Average entropy of query parameters across requests
*/
private function calculateParameterEntropy(RequestSequence $sequence): float
{
$entropies = [];
foreach ($sequence->getRequests() as $request) {
$params = array_merge(
$request->queryParams ?? [],
$request->parsedBody->data ?? []
);
if (empty($params)) {
continue;
}
$entropy = $this->calculateStringEntropy(json_encode($params));
$entropies[] = $entropy;
}
return empty($entropies) ? 0.0 : array_sum($entropies) / count($entropies);
}
/**
* Feature 4: User Agent Consistency
* Score from 0 (completely inconsistent) to 1 (perfectly consistent)
*/
private function calculateUserAgentConsistency(RequestSequence $sequence): float
{
$userAgents = [];
foreach ($sequence->getRequests() as $request) {
$userAgent = $request->headers->getFirst('User-Agent') ?? 'unknown';
$userAgents[] = $userAgent;
}
if (empty($userAgents)) {
return 1.0;
}
$uniqueCount = count(array_unique($userAgents));
$totalCount = count($userAgents);
// Consistency = 1 - (variation ratio)
return 1.0 - (($uniqueCount - 1) / max($totalCount - 1, 1));
}
/**
* Feature 5: Geographic Anomaly
* Detects unusual country changes - score 0 (normal) to 1 (anomalous)
*/
private function detectGeographicAnomaly(RequestSequence $sequence): float
{
$countries = [];
foreach ($sequence->getRequests() as $request) {
$ip = $request->server->getRemoteAddr();
// Skip local/private IPs
if ($ip->isLocal()) {
continue;
}
$countryCode = $this->geoIp->getCountryCode($ip);
$countries[] = $countryCode->toString();
}
if (count($countries) < 2) {
return 0.0; // Not enough data
}
// Calculate country change frequency
$uniqueCountries = count(array_unique($countries));
$totalRequests = count($countries);
// High country diversity = anomalous (potential proxy/VPN hopping)
// Normalize: 1 country = 0.0, all different = 1.0
return ($uniqueCountries - 1) / max($totalRequests - 1, 1);
}
/**
* Feature 6: Time Pattern Regularity
* Analyzes request timing patterns - score 0 (irregular) to 1 (regular/automated)
*/
private function analyzeTimePatternRegularity(RequestSequence $sequence): float
{
$timestamps = array_map(
fn($request) => $request->timestamp ?? time(),
$sequence->getRequests()
);
if (count($timestamps) < 3) {
return 0.0;
}
// Calculate inter-arrival times
$intervals = [];
for ($i = 1; $i < count($timestamps); $i++) {
$intervals[] = $timestamps[$i] - $timestamps[$i - 1];
}
// Calculate coefficient of variation (CV)
$mean = array_sum($intervals) / count($intervals);
$stdDev = sqrt($this->calculateVariance($intervals, $mean));
if ($mean === 0.0) {
return 0.0;
}
$cv = $stdDev / $mean;
// Low CV = regular pattern (potential bot)
// Invert and normalize: regular patterns get higher scores
return max(0.0, 1.0 - min(1.0, $cv));
}
/**
* Feature 7: Payload Similarity
* Average similarity between consecutive request payloads
*/
private function calculatePayloadSimilarity(RequestSequence $sequence): float
{
$payloads = array_map(
fn($request) => $request->body ?? '',
$sequence->getRequests()
);
if (count($payloads) < 2) {
return 0.0;
}
$similarities = [];
for ($i = 1; $i < count($payloads); $i++) {
$similarity = $this->calculateStringSimilarity($payloads[$i - 1], $payloads[$i]);
$similarities[] = $similarity;
}
return array_sum($similarities) / count($similarities);
}
/**
* Feature 8: HTTP Method Distribution
* Entropy of HTTP method usage - higher = more diverse
*/
private function calculateHttpMethodDistribution(RequestSequence $sequence): float
{
$methodCounts = [];
foreach ($sequence->getRequests() as $request) {
$method = $request->method->value;
$methodCounts[$method] = ($methodCounts[$method] ?? 0) + 1;
}
$total = array_sum($methodCounts);
if ($total === 0) {
return 0.0;
}
$entropy = 0.0;
foreach ($methodCounts as $count) {
$probability = $count / $total;
if ($probability > 0) {
$entropy -= $probability * log($probability, 2);
}
}
// Normalize by max possible entropy (log2(9) for 9 HTTP methods)
$maxEntropy = log(9, 2);
return $entropy / $maxEntropy;
}
// ===== Helper Methods =====
/**
* Calculate Shannon entropy of a string
*/
private function calculateStringEntropy(string $data): float
{
if (empty($data)) {
return 0.0;
}
$length = strlen($data);
$frequencies = array_count_values(str_split($data));
$entropy = 0.0;
foreach ($frequencies as $count) {
$probability = $count / $length;
$entropy -= $probability * log($probability, 2);
}
return $entropy;
}
/**
* Calculate string similarity using Levenshtein distance
*/
private function calculateStringSimilarity(string $str1, string $str2): float
{
$maxLen = max(strlen($str1), strlen($str2));
if ($maxLen === 0) {
return 1.0;
}
$distance = levenshtein($str1, $str2);
return 1.0 - ($distance / $maxLen);
}
/**
* Calculate variance of numeric array
*/
private function calculateVariance(array $values, float $mean): float
{
if (empty($values)) {
return 0.0;
}
$squaredDiffs = array_map(fn($val) => ($val - $mean) ** 2, $values);
return array_sum($squaredDiffs) / count($values);
}
}

97
src/Framework/Waf/MachineLearning/Detectors/ClusteringAnomalyDetector.php
View File

@@ -5,12 +5,12 @@ declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\Detectors;
use App\Framework\DateTime\Clock;
use App\Framework\Waf\MachineLearning\AnomalyDetectorInterface;
use App\Framework\Waf\MachineLearning\AnomalyType;
use App\Framework\Waf\MachineLearning\BehaviorType;
use App\Framework\Waf\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorBaseline;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
use App\Framework\MachineLearning\Core\AnomalyDetectorInterface;
use App\Framework\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\MachineLearning\ValueObjects\AnomalyType;
use App\Framework\MachineLearning\ValueObjects\Baseline;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\MachineLearning\ValueObjects\FeatureType;
/**
* Clustering-based anomaly detector using K-means and density-based methods
@@ -40,17 +40,16 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
}
/**
* @return array<BehaviorType>
* @return array<FeatureType>
*/
public function getSupportedBehaviorTypes(): array
public function getSupportedFeatureTypes(): array
{
return [
BehaviorType::REQUEST_FREQUENCY,
BehaviorType::PATH_PATTERNS,
BehaviorType::PARAMETER_PATTERNS,
BehaviorType::USER_AGENT_PATTERNS,
BehaviorType::GEOGRAPHIC_PATTERNS,
BehaviorType::SESSION_PATTERNS,
FeatureType::FREQUENCY,
FeatureType::STRUCTURAL_PATTERN,
FeatureType::BEHAVIORAL_PATTERN,
FeatureType::GEOGRAPHIC_DISTRIBUTION,
FeatureType::SESSION_PATTERN,
];
}
@@ -62,8 +61,8 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
// Check if we have numerical features that can be clustered
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature &&
in_array($feature->type, $this->getSupportedBehaviorTypes(), true) &&
if ($feature instanceof Feature &&
in_array($feature->type, $this->getSupportedFeatureTypes(), true) &&
is_numeric($feature->value)) {
return true;
}
@@ -73,11 +72,15 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
}
/**
* @param array<BehaviorFeature> $features
* @param array<Feature> $features
* @return array<AnomalyDetection>
*/
public function detectAnomalies(array $features, ?BehaviorBaseline $baseline = null): array
public function detectAnomalies(array $features, ?Baseline $baseline = null): array
{
if (!$this->enabled) {
return [];
}
$anomalies = [];
// Group features by behavior type for separate clustering
@@ -124,15 +127,15 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Group features by behavior type
* @param array<BehaviorFeature> $features
* @return array<string, array<BehaviorFeature>>
* @param array<Feature> $features
* @return array<string, array<Feature>>
*/
private function groupFeaturesByType(array $features): array
{
$groups = [];
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature) {
if ($feature instanceof Feature) {
$typeKey = $feature->type->value;
if (! isset($groups[$typeKey])) {
$groups[$typeKey] = [];
@@ -146,15 +149,15 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Convert features to numerical vectors for clustering
* @param array<BehaviorFeature> $features
* @return array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}>
* @param array<Feature> $features
* @return array<array{value: float, normalized_value: float, z_score: float, feature: Feature}>
*/
private function featuresToVectors(array $features): array
{
$vectors = [];
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature && is_numeric($feature->value)) {
if ($feature instanceof Feature && is_numeric($feature->value)) {
$vector = [
'value' => (float)$feature->value,
'normalized_value' => $feature->normalizedValue ?? $feature->value,
@@ -171,7 +174,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Perform K-means clustering on feature vectors
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $vectors
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $vectors
* @return array{centers: array<array<float>>, assignments: array<array{cluster: int, distance: float}>, cost: float, iterations: int}
*/
private function performClustering(array $vectors, string $behaviorType): array
@@ -221,7 +224,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Initialize cluster centers using K-means++ algorithm
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $vectors
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $vectors
* @return array<array<float>>
*/
private function initializeClusterCenters(array $vectors, int $k): array
@@ -273,7 +276,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Assign each point to the nearest cluster center
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $vectors
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $vectors
* @param array<array<float>> $centers
* @return array<array{cluster: int, distance: float}>
*/
@@ -305,7 +308,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Update cluster centers based on assigned points
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $vectors
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $vectors
* @param array<array{cluster: int, distance: float}> $assignments
* @return array<array<float>>
*/
@@ -335,7 +338,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect anomalies based on cluster analysis
* @param array<BehaviorFeature> $features
* @param array<Feature> $features
* @param array{centers: array<array<float>>, assignments: array<array{cluster: int, distance: float}>, cost: float, iterations: int} $clusters
* @return array<AnomalyDetection>
*/
@@ -379,7 +382,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
$anomalies[] = AnomalyDetection::create(
type: AnomalyType::CLUSTER_DEVIATION,
behaviorType: BehaviorType::from($behaviorType),
featureType: FeatureType::from($behaviorType),
anomalyScore: $anomalyScore,
description: "Point deviates significantly from cluster {$clusterIndex}: distance={$distance}, threshold=" . round($meanDistance + $this->outlierThreshold * $stdDev, 3),
features: [ $features[$index] ?? null],
@@ -400,8 +403,8 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect density-based anomalies using local outlier factor
* @param array<BehaviorFeature> $features
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $vectors
* @param array<Feature> $features
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $vectors
* @return array<AnomalyDetection>
*/
private function detectDensityAnomalies(array $features, array $vectors, string $behaviorType): array
@@ -423,7 +426,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
$anomalies[] = AnomalyDetection::create(
type: AnomalyType::DENSITY_ANOMALY,
behaviorType: BehaviorType::from($behaviorType),
featureType: FeatureType::from($behaviorType),
anomalyScore: $anomalyScore,
description: "Low density region detected: LOF={$lof}",
features: [$features[$index] ?? null],
@@ -441,7 +444,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect group-level anomalies in cluster patterns
* @param array<BehaviorFeature> $features
* @param array<Feature> $features
* @param array{centers: array<array<float>>, assignments: array<array{cluster: int, distance: float}>, cost: float, iterations: int} $clusters
* @return array<AnomalyDetection>
*/
@@ -473,7 +476,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
$anomalies[] = AnomalyDetection::create(
type: AnomalyType::GROUP_ANOMALY,
behaviorType: BehaviorType::from($behaviorType),
featureType: FeatureType::from($behaviorType),
anomalyScore: $anomalyScore,
description: "Anomalously small cluster detected: size={$size}, expected≈{$meanClusterSize}",
features: $this->getFeaturesForCluster($features, $clusters['assignments'], $clusterIndex),
@@ -493,9 +496,9 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Get features belonging to a specific cluster
* @param array<BehaviorFeature> $features
* @param array<Feature> $features
* @param array<array{cluster: int, distance: float}> $assignments
* @return array<BehaviorFeature>
* @return array<Feature>
*/
private function getFeaturesForCluster(array $features, array $assignments, int $clusterIndex): array
{
@@ -512,7 +515,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Extract numeric vector from feature vector
* @param array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature} $vector
* @param array{value: float, normalized_value: float, z_score: float, feature: Feature} $vector
* @return array<float>
*/
private function extractNumericVector(array $vector): array
@@ -573,7 +576,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Calculate total clustering cost (within-cluster sum of squares)
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $vectors
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $vectors
* @param array<array<float>> $centers
* @param array<array{cluster: int, distance: float}> $assignments
*/
@@ -597,8 +600,8 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Calculate Local Outlier Factor for density-based anomaly detection
* @param array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature} $targetVector
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $allVectors
* @param array{value: float, normalized_value: float, z_score: float, feature: Feature} $targetVector
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $allVectors
*/
private function calculateLocalOutlierFactor(array $targetVector, array $allVectors, int $k): float
{
@@ -644,8 +647,8 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Calculate local reachability density
* @param array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature} $targetVector
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $allVectors
* @param array{value: float, normalized_value: float, z_score: float, feature: Feature} $targetVector
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $allVectors
* @param array<array{index: int, distance: float}> $neighbors
*/
private function calculateLocalReachabilityDensity(array $targetVector, array $allVectors, array $neighbors): float
@@ -674,8 +677,8 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
/**
* Get k-nearest neighbors for a vector
* @param array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature} $targetVector
* @param array<array{value: float, normalized_value: float, z_score: float, feature: BehaviorFeature}> $allVectors
* @param array{value: float, normalized_value: float, z_score: float, feature: Feature} $targetVector
* @param array<array{value: float, normalized_value: float, z_score: float, feature: Feature}> $allVectors
* @return array<array{index: int, distance: float}>
*/
private function getKNearestNeighbors(array $targetVector, array $allVectors, int $k): array
@@ -698,7 +701,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
{
// Store feature vectors for ongoing clustering analysis
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature) {
if ($feature instanceof Feature) {
$typeKey = $feature->type->value;
if (! isset($this->featureVectors[$typeKey])) {
$this->featureVectors[$typeKey] = [];
@@ -735,7 +738,7 @@ final class ClusteringAnomalyDetector implements AnomalyDetectorInterface
'convergence_threshold' => $this->convergenceThreshold,
'enable_density_analysis' => $this->enableDensityAnalysis,
'enable_group_anomaly_detection' => $this->enableGroupAnomalyDetection,
'supported_behavior_types' => array_map(fn ($type) => $type->value, $this->getSupportedBehaviorTypes()),
'supported_behavior_types' => array_map(fn ($type) => $type->value, $this->getSupportedFeatureTypes()),
'stored_vectors_count' => array_sum(array_map('count', $this->featureVectors)),
];
}

77
src/Framework/Waf/MachineLearning/Detectors/StatisticalAnomalyDetector.php
View File

@@ -4,12 +4,12 @@ declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\Detectors;
use App\Framework\Waf\MachineLearning\AnomalyDetectorInterface;
use App\Framework\Waf\MachineLearning\AnomalyType;
use App\Framework\Waf\MachineLearning\BehaviorType;
use App\Framework\Waf\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorBaseline;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
use App\Framework\MachineLearning\Core\AnomalyDetectorInterface;
use App\Framework\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\MachineLearning\ValueObjects\AnomalyType;
use App\Framework\MachineLearning\ValueObjects\Baseline;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\MachineLearning\ValueObjects\FeatureType;
/**
* Statistical anomaly detector using Z-score and other statistical methods
@@ -33,15 +33,14 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
return 'Statistical Anomaly Detector';
}
public function getSupportedBehaviorTypes(): array
public function getSupportedFeatureTypes(): array
{
return [
BehaviorType::REQUEST_FREQUENCY,
BehaviorType::PATH_PATTERNS,
BehaviorType::PARAMETER_PATTERNS,
BehaviorType::TIME_PATTERNS,
BehaviorType::ERROR_PATTERNS,
BehaviorType::RESPONSE_TIME_PATTERNS,
FeatureType::FREQUENCY,
FeatureType::STRUCTURAL_PATTERN,
FeatureType::TIME_DISTRIBUTION,
FeatureType::FAILURE_PATTERN,
FeatureType::LATENCY,
];
}
@@ -53,8 +52,8 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
// Check if we have features from supported behavior types
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature &&
in_array($feature->type, $this->getSupportedBehaviorTypes(), true)) {
if ($feature instanceof Feature &&
in_array($feature->type, $this->getSupportedFeatureTypes(), true)) {
return true;
}
}
@@ -62,18 +61,19 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
return false;
}
public function detectAnomalies(array $features, ?BehaviorBaseline $baseline = null): array
public function detectAnomalies(array $features, ?Baseline $baseline = null): array
{
if (!$this->enabled) {
return [];
}
$anomalies = [];
foreach ($features as $feature) {
if (! ($feature instanceof BehaviorFeature)) {
if (! ($feature instanceof Feature)) {
continue;
}
// Store feature for trend analysis
$this->recordFeature($feature);
// Z-score based anomaly detection
$zScoreAnomalies = $this->detectZScoreAnomalies($feature, $baseline);
$anomalies = array_merge($anomalies, $zScoreAnomalies);
@@ -91,16 +91,19 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
}
// Frequency spike detection
if ($feature->type === BehaviorType::REQUEST_FREQUENCY) {
if ($feature->type === FeatureType::FREQUENCY) {
$spikeAnomalies = $this->detectFrequencySpikes($feature, $baseline);
$anomalies = array_merge($anomalies, $spikeAnomalies);
}
// Pattern deviation detection
if (in_array($feature->type, [BehaviorType::PATH_PATTERNS, BehaviorType::PARAMETER_PATTERNS], true)) {
if ($feature->type === FeatureType::STRUCTURAL_PATTERN) {
$patternAnomalies = $this->detectPatternDeviations($feature, $baseline);
$anomalies = array_merge($anomalies, $patternAnomalies);
}
// Store feature for historical analysis (after detection to not pollute baseline)
$this->recordFeature($feature);
}
// Filter anomalies by confidence threshold
@@ -113,7 +116,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect Z-score based statistical anomalies
*/
private function detectZScoreAnomalies(BehaviorFeature $feature, ?BehaviorBaseline $baseline): array
private function detectZScoreAnomalies(Feature $feature, ?Baseline $baseline): array
{
$anomalies = [];
@@ -133,7 +136,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
// Extreme anomaly (> 3 sigma)
if ($absZScore > $this->extremeZScoreThreshold) {
$anomalies[] = AnomalyDetection::statisticalAnomaly(
behaviorType: $feature->type,
featureType: $feature->type,
metric: $feature->name,
value: $feature->value,
expectedValue: $baseline?->mean ?? 0.0,
@@ -146,7 +149,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
$anomaly = AnomalyDetection::create(
type: AnomalyType::STATISTICAL_ANOMALY,
behaviorType: $feature->type,
featureType: $feature->type,
anomalyScore: $anomalyScore,
description: "Moderate statistical anomaly in {$feature->name}: Z-score = " . round($zScore, 2),
features: [$feature],
@@ -168,7 +171,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect outliers using Interquartile Range (IQR) method
*/
private function detectOutliers(BehaviorFeature $feature): array
private function detectOutliers(Feature $feature): array
{
$history = $this->getFeatureHistory($feature->type, $feature->name);
@@ -196,7 +199,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
return [
AnomalyDetection::create(
type: AnomalyType::OUTLIER_DETECTION,
behaviorType: $feature->type,
featureType: $feature->type,
anomalyScore: $anomalyScore,
description: "Statistical outlier detected in {$feature->name}: value={$feature->value}, bounds=[{$lowerBound}, {$upperBound}]",
features: [$feature],
@@ -219,7 +222,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect trend-based anomalies using moving averages
*/
private function detectTrendAnomalies(BehaviorFeature $feature): array
private function detectTrendAnomalies(Feature $feature): array
{
$history = $this->getFeatureHistory($feature->type, $feature->name);
@@ -243,7 +246,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
return [
AnomalyDetection::create(
type: AnomalyType::BEHAVIORAL_DRIFT,
behaviorType: $feature->type,
featureType: $feature->type,
anomalyScore: min(1.0, ($trendRatio - 1.0) / 2.0),
description: "Upward trend anomaly in {$feature->name}: short MA={$shortMA}, long MA={$longMA}",
features: [$feature],
@@ -261,7 +264,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
return [
AnomalyDetection::create(
type: AnomalyType::BEHAVIORAL_DRIFT,
behaviorType: $feature->type,
featureType: $feature->type,
anomalyScore: min(1.0, (1.0 - $trendRatio) / 0.5),
description: "Downward trend anomaly in {$feature->name}: short MA={$shortMA}, long MA={$longMA}",
features: [$feature],
@@ -282,7 +285,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect frequency spikes
*/
private function detectFrequencySpikes(BehaviorFeature $feature, ?BehaviorBaseline $baseline): array
private function detectFrequencySpikes(Feature $feature, ?Baseline $baseline): array
{
if (! str_contains($feature->name, 'rate') && ! str_contains($feature->name, 'frequency')) {
return [];
@@ -318,7 +321,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Detect pattern deviations
*/
private function detectPatternDeviations(BehaviorFeature $feature, ?BehaviorBaseline $baseline): array
private function detectPatternDeviations(Feature $feature, ?Baseline $baseline): array
{
$history = $this->getFeatureHistory($feature->type, $feature->name);
@@ -339,7 +342,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
return [
AnomalyDetection::patternDeviation(
behaviorType: $feature->type,
featureType: $feature->type,
pattern: $feature->name,
deviationScore: $anomalyScore,
features: [$feature]
@@ -353,7 +356,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Record feature for historical analysis
*/
private function recordFeature(BehaviorFeature $feature): void
private function recordFeature(Feature $feature): void
{
$key = $feature->type->value . ':' . $feature->name;
@@ -372,7 +375,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
/**
* Get feature history for analysis
*/
private function getFeatureHistory(BehaviorType $type, string $name): array
private function getFeatureHistory(FeatureType $type, string $name): array
{
$key = $type->value . ':' . $name;
@@ -398,7 +401,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
{
// For statistical detector, just record the features for baseline calculation
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature) {
if ($feature instanceof Feature) {
$this->recordFeature($feature);
}
}
@@ -414,7 +417,7 @@ final class StatisticalAnomalyDetector implements AnomalyDetectorInterface
'min_sample_size' => $this->minSampleSize,
'enable_outlier_detection' => $this->enableOutlierDetection,
'enable_trend_analysis' => $this->enableTrendAnalysis,
'supported_behavior_types' => array_map(fn ($type) => $type->value, $this->getSupportedBehaviorTypes()),
'supported_behavior_types' => array_map(fn ($type) => $type->value, $this->getSupportedFeatureTypes()),
'feature_history_size' => array_sum(array_map('count', $this->featureHistory)),
];
}

124
src/Framework/Waf/MachineLearning/Extractors/FrequencyFeatureExtractor.php
View File

@@ -5,15 +5,25 @@ declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\Extractors;
use App\Framework\Core\ValueObjects\Timestamp;
use App\Framework\MachineLearning\Core\FeatureExtractorMetadata;
use App\Framework\MachineLearning\Core\FeatureExtractorPerformance;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\MachineLearning\ValueObjects\FeatureType;
use App\Framework\Waf\Analysis\ValueObjects\RequestAnalysisData;
use App\Framework\Waf\MachineLearning\BehaviorType;
use App\Framework\Waf\MachineLearning\FeatureExtractorInterface;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
use App\Framework\Waf\MachineLearning\WafFeatureExtractor;
/**
* Extracts request frequency and rate-based behavioral features
*
* Uses atomic interface composition pattern (NO extends):
* - WafFeatureExtractor: Domain-specific feature extraction
* - FeatureExtractorMetadata: Metadata and configuration
* - FeatureExtractorPerformance: Performance characteristics
*/
final class FrequencyFeatureExtractor implements FeatureExtractorInterface
final class FrequencyFeatureExtractor implements
WafFeatureExtractor,
FeatureExtractorMetadata,
FeatureExtractorPerformance
{
public function __construct(
private readonly bool $enabled = true,
@@ -24,9 +34,9 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
) {
}
public function getBehaviorType(): BehaviorType
public function getFeatureType(): FeatureType
{
return BehaviorType::REQUEST_FREQUENCY;
return FeatureType::FREQUENCY;
}
public function canExtract(RequestAnalysisData $requestData): bool
@@ -78,12 +88,12 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract basic request rate
*/
private function extractRequestRate(array $requests, int $windowSeconds): BehaviorFeature
private function extractRequestRate(array $requests, int $windowSeconds): Feature
{
$count = count($requests);
$rate = $windowSeconds > 0 ? $count / $windowSeconds : 0.0;
return BehaviorFeature::frequency(
return Feature::frequency(
name: "request_rate_{$windowSeconds}s",
count: $count,
timeWindow: $windowSeconds
@@ -93,11 +103,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract burst detection rate
*/
private function extractBurstRate(array $requests, int $windowSeconds): BehaviorFeature
private function extractBurstRate(array $requests, int $windowSeconds): Feature
{
if (count($requests) < 2) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: "burst_rate_{$windowSeconds}s",
value: 0.0,
unit: 'requests/second'
@@ -124,8 +134,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$maxRate = max($maxRate, $rate);
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: "burst_rate_{$windowSeconds}s",
value: $maxRate,
unit: 'requests/second'
@@ -135,7 +145,7 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract sustained rate (longer window)
*/
private function extractSustainedRate(array $requests, int $windowSeconds): BehaviorFeature
private function extractSustainedRate(array $requests, int $windowSeconds): Feature
{
$count = count($requests);
@@ -149,8 +159,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$sustainedCount = count($sustainedRequests);
$rate = $windowSeconds > 0 ? $sustainedCount / $windowSeconds : 0.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: "sustained_rate_{$windowSeconds}s",
value: $rate,
unit: 'requests/second'
@@ -160,11 +170,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract inter-arrival time variance
*/
private function extractInterArrivalVariance(array $requests): BehaviorFeature
private function extractInterArrivalVariance(array $requests): Feature
{
if (count($requests) < 3) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'inter_arrival_variance',
value: 0.0,
unit: 'seconds²'
@@ -180,8 +190,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$interArrivals[] = $requests[$i] - $requests[$i - 1];
}
return BehaviorFeature::statistical(
type: $this->getBehaviorType(),
return Feature::statistical(
type: $this->getFeatureType(),
name: 'inter_arrival_variance',
values: $interArrivals,
statistic: 'variance'
@@ -191,11 +201,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract request spacing regularity
*/
private function extractRequestSpacing(array $requests): BehaviorFeature
private function extractRequestSpacing(array $requests): Feature
{
if (count($requests) < 3) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'request_spacing_regularity',
value: 0.0,
unit: 'coefficient'
@@ -211,8 +221,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
}
$mean = array_sum($interArrivals) / count($interArrivals);
$variance = BehaviorFeature::statistical(
type: $this->getBehaviorType(),
$variance = Feature::statistical(
type: $this->getFeatureType(),
name: 'temp_variance',
values: $interArrivals,
statistic: 'variance'
@@ -221,8 +231,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
// Coefficient of variation (lower = more regular)
$regularity = $mean > 0 ? sqrt($variance) / $mean : 1.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'request_spacing_regularity',
value: 1.0 / (1.0 + $regularity), // Normalize: 1 = perfectly regular, 0 = very irregular
unit: 'regularity_score'
@@ -232,11 +242,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract periodicity score using autocorrelation
*/
private function extractPeriodicityScore(array $requests): BehaviorFeature
private function extractPeriodicityScore(array $requests): Feature
{
if (count($requests) < 10) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'periodicity_score',
value: 0.0,
unit: 'correlation'
@@ -251,8 +261,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$duration = $maxTime - $minTime;
if ($duration <= 0) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'periodicity_score',
value: 0.0,
unit: 'correlation'
@@ -279,8 +289,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$maxCorrelation = max($maxCorrelation, abs($correlation));
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'periodicity_score',
value: $maxCorrelation,
unit: 'correlation'
@@ -290,11 +300,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract time of day pattern
*/
private function extractTimeOfDayPattern(array $requests): BehaviorFeature
private function extractTimeOfDayPattern(array $requests): Feature
{
if (empty($requests)) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'time_of_day_entropy',
value: 0.0,
unit: 'bits'
@@ -309,8 +319,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$hourDistribution[$hour]++;
}
return BehaviorFeature::entropy(
type: $this->getBehaviorType(),
return Feature::entropy(
type: $this->getFeatureType(),
name: 'time_of_day_entropy',
distribution: $hourDistribution
);
@@ -319,11 +329,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract weekday pattern
*/
private function extractWeekdayPattern(array $requests): BehaviorFeature
private function extractWeekdayPattern(array $requests): Feature
{
if (empty($requests)) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'weekday_entropy',
value: 0.0,
unit: 'bits'
@@ -338,8 +348,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$dayDistribution[$day]++;
}
return BehaviorFeature::entropy(
type: $this->getBehaviorType(),
return Feature::entropy(
type: $this->getFeatureType(),
name: 'weekday_entropy',
distribution: $dayDistribution
);
@@ -348,11 +358,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract frequency distribution entropy
*/
private function extractFrequencyEntropy(array $requests): BehaviorFeature
private function extractFrequencyEntropy(array $requests): Feature
{
if (count($requests) < 5) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'frequency_entropy',
value: 0.0,
unit: 'bits'
@@ -369,8 +379,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$buckets[$bucket] = ($buckets[$bucket] ?? 0) + 1;
}
return BehaviorFeature::entropy(
type: $this->getBehaviorType(),
return Feature::entropy(
type: $this->getFeatureType(),
name: 'frequency_entropy',
distribution: array_values($buckets)
);
@@ -379,11 +389,11 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
/**
* Extract burstiness measure
*/
private function extractBurstiness(array $requests): BehaviorFeature
private function extractBurstiness(array $requests): Feature
{
if (count($requests) < 5) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'burstiness',
value: 0.0,
unit: 'burstiness_coefficient'
@@ -399,8 +409,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
}
$mean = array_sum($interArrivals) / count($interArrivals);
$variance = BehaviorFeature::statistical(
type: $this->getBehaviorType(),
$variance = Feature::statistical(
type: $this->getFeatureType(),
name: 'temp_variance',
values: $interArrivals,
statistic: 'variance'
@@ -411,8 +421,8 @@ final class FrequencyFeatureExtractor implements FeatureExtractorInterface
$stdDev = sqrt($variance);
$burstiness = ($stdDev + $mean) > 0 ? ($stdDev - $mean) / ($stdDev + $mean) : 0.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'burstiness',
value: $burstiness,
unit: 'burstiness_coefficient'

196
src/Framework/Waf/MachineLearning/Extractors/PatternFeatureExtractor.php
View File

@@ -4,15 +4,25 @@ declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\Extractors;
use App\Framework\MachineLearning\Core\FeatureExtractorMetadata;
use App\Framework\MachineLearning\Core\FeatureExtractorPerformance;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\MachineLearning\ValueObjects\FeatureType;
use App\Framework\Waf\Analysis\ValueObjects\RequestAnalysisData;
use App\Framework\Waf\MachineLearning\BehaviorType;
use App\Framework\Waf\MachineLearning\FeatureExtractorInterface;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
use App\Framework\Waf\MachineLearning\WafFeatureExtractor;
/**
* Extracts behavioral patterns from URL paths, parameters, and request structure
*
* Uses atomic interface composition pattern (NO extends):
* - WafFeatureExtractor: Domain-specific feature extraction
* - FeatureExtractorMetadata: Metadata and configuration
* - FeatureExtractorPerformance: Performance characteristics
*/
final class PatternFeatureExtractor implements FeatureExtractorInterface
final class PatternFeatureExtractor implements
WafFeatureExtractor,
FeatureExtractorMetadata,
FeatureExtractorPerformance
{
public function __construct(
private readonly bool $enabled = true,
@@ -24,9 +34,9 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
) {
}
public function getBehaviorType(): BehaviorType
public function getFeatureType(): FeatureType
{
return BehaviorType::PATH_PATTERNS;
return FeatureType::STRUCTURAL_PATTERN;
}
public function canExtract(RequestAnalysisData $requestData): bool
@@ -149,13 +159,13 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path depth (number of segments)
*/
private function extractPathDepth(string $path): BehaviorFeature
private function extractPathDepth(string $path): Feature
{
$segments = array_filter(explode('/', trim($path, '/')));
$depth = count($segments);
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_depth',
value: $depth,
unit: 'segments'
@@ -165,7 +175,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path complexity score
*/
private function extractPathComplexity(string $path): BehaviorFeature
private function extractPathComplexity(string $path): Feature
{
$segments = array_filter(explode('/', trim($path, '/')));
@@ -184,8 +194,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$complexity += $specialChars * 0.5;
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_complexity',
value: $complexity,
unit: 'complexity_score'
@@ -195,14 +205,14 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path entropy
*/
private function extractPathEntropy(string $path): BehaviorFeature
private function extractPathEntropy(string $path): Feature
{
// Character frequency distribution
$chars = str_split(strtolower($path));
$distribution = array_count_values($chars);
return BehaviorFeature::entropy(
type: $this->getBehaviorType(),
return Feature::entropy(
type: $this->getFeatureType(),
name: 'path_entropy',
distribution: array_values($distribution)
);
@@ -211,13 +221,13 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path uniqueness for this client
*/
private function extractPathUniqueness(string $clientId): BehaviorFeature
private function extractPathUniqueness(string $clientId): Feature
{
$pathHistory = $this->pathHistory[$clientId] ?? [];
if (empty($pathHistory)) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_uniqueness',
value: 1.0,
unit: 'ratio'
@@ -229,8 +239,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$uniqueness = $totalPaths > 0 ? $uniquePaths / $totalPaths : 0.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_uniqueness',
value: $uniqueness,
unit: 'ratio'
@@ -240,13 +250,13 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path repetition score
*/
private function extractPathRepetition(string $clientId): BehaviorFeature
private function extractPathRepetition(string $clientId): Feature
{
$pathHistory = $this->pathHistory[$clientId] ?? [];
if (count($pathHistory) < 2) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_repetition',
value: 0.0,
unit: 'score'
@@ -259,8 +269,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$repetition = $totalCount > 0 ? $maxCount / $totalCount : 0.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_repetition',
value: $repetition,
unit: 'ratio'
@@ -270,13 +280,13 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path diversity score
*/
private function extractPathDiversity(string $clientId): BehaviorFeature
private function extractPathDiversity(string $clientId): Feature
{
$pathHistory = $this->pathHistory[$clientId] ?? [];
if (empty($pathHistory)) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_diversity',
value: 0.0,
unit: 'bits'
@@ -285,8 +295,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$pathCounts = array_count_values($pathHistory);
return BehaviorFeature::entropy(
type: $this->getBehaviorType(),
return Feature::entropy(
type: $this->getFeatureType(),
name: 'path_diversity',
distribution: array_values($pathCounts)
);
@@ -295,7 +305,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract suspicious path characteristics score
*/
private function extractSuspiciousPathScore(string $path): BehaviorFeature
private function extractSuspiciousPathScore(string $path): Feature
{
$suspiciousScore = 0.0;
@@ -327,8 +337,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$suspiciousScore += 0.2;
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'suspicious_path_score',
value: min($suspiciousScore, 1.0),
unit: 'score'
@@ -338,7 +348,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract file extension pattern
*/
private function extractFileExtensionPattern(string $path): BehaviorFeature
private function extractFileExtensionPattern(string $path): Feature
{
$extension = pathinfo($path, PATHINFO_EXTENSION);
$extension = strtolower($extension);
@@ -355,8 +365,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$riskScore = 0.1; // Any extension is slightly suspicious
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'file_extension_risk',
value: $riskScore,
unit: 'risk_score'
@@ -366,7 +376,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract directory traversal score
*/
private function extractDirectoryTraversalScore(string $path): BehaviorFeature
private function extractDirectoryTraversalScore(string $path): Feature
{
$traversalScore = 0.0;
@@ -378,8 +388,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$traversalScore += $matches * 0.3;
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'directory_traversal_score',
value: min($traversalScore, 1.0),
unit: 'score'
@@ -389,10 +399,10 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract parameter count
*/
private function extractParameterCount(array $parameters): BehaviorFeature
private function extractParameterCount(array $parameters): Feature
{
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_count',
value: count($parameters),
unit: 'count'
@@ -402,7 +412,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract parameter complexity
*/
private function extractParameterComplexity(array $parameters): BehaviorFeature
private function extractParameterComplexity(array $parameters): Feature
{
$complexity = 0.0;
@@ -418,8 +428,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
}
}
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_complexity',
value: $complexity,
unit: 'complexity_score'
@@ -429,11 +439,11 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract parameter key entropy
*/
private function extractParameterEntropy(array $parameters): BehaviorFeature
private function extractParameterEntropy(array $parameters): Feature
{
if (empty($parameters)) {
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_entropy',
value: 0.0,
unit: 'bits'
@@ -445,8 +455,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$chars = str_split(strtolower($allKeys));
$distribution = array_count_values($chars);
return BehaviorFeature::entropy(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::entropy(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_entropy',
distribution: array_values($distribution)
);
@@ -455,13 +465,13 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract parameter uniqueness for this client
*/
private function extractParameterUniqueness(string $clientId): BehaviorFeature
private function extractParameterUniqueness(string $clientId): Feature
{
$paramHistory = $this->parameterHistory[$clientId] ?? [];
if (empty($paramHistory)) {
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_uniqueness',
value: 1.0,
unit: 'ratio'
@@ -473,8 +483,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$uniqueness = $totalParams > 0 ? $uniqueParams / $totalParams : 0.0;
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_uniqueness',
value: $uniqueness,
unit: 'ratio'
@@ -484,13 +494,13 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract parameter key diversity
*/
private function extractParameterKeyDiversity(string $clientId): BehaviorFeature
private function extractParameterKeyDiversity(string $clientId): Feature
{
$paramHistory = $this->parameterHistory[$clientId] ?? [];
if (empty($paramHistory)) {
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_key_diversity',
value: 0.0,
unit: 'bits'
@@ -507,8 +517,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$keyCounts = array_count_values($allKeys);
return BehaviorFeature::entropy(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::entropy(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_key_diversity',
distribution: array_values($keyCounts)
);
@@ -517,11 +527,11 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract parameter value entropy
*/
private function extractParameterValueEntropy(array $parameters): BehaviorFeature
private function extractParameterValueEntropy(array $parameters): Feature
{
if (empty($parameters)) {
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_value_entropy',
value: 0.0,
unit: 'bits'
@@ -532,8 +542,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$allValues = implode('', array_filter(array_values($parameters), 'is_string'));
if (empty($allValues)) {
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_value_entropy',
value: 0.0,
unit: 'bits'
@@ -543,8 +553,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$chars = str_split(strtolower($allValues));
$distribution = array_count_values($chars);
return BehaviorFeature::entropy(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::entropy(
type: FeatureType::PARAMETER_PATTERNS,
name: 'parameter_value_entropy',
distribution: array_values($distribution)
);
@@ -553,7 +563,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract suspicious parameter score
*/
private function extractSuspiciousParameterScore(array $parameters): BehaviorFeature
private function extractSuspiciousParameterScore(array $parameters): Feature
{
$suspiciousScore = 0.0;
@@ -584,8 +594,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
}
}
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'suspicious_parameter_score',
value: min($suspiciousScore, 1.0),
unit: 'score'
@@ -595,7 +605,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract injection pattern score
*/
private function extractInjectionPatternScore(array $parameters): BehaviorFeature
private function extractInjectionPatternScore(array $parameters): Feature
{
$injectionScore = 0.0;
@@ -621,8 +631,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
}
}
return BehaviorFeature::create(
type: BehaviorType::PARAMETER_PATTERNS,
return Feature::create(
type: FeatureType::PARAMETER_PATTERNS,
name: 'injection_pattern_score',
value: min($injectionScore, 1.0),
unit: 'score'
@@ -632,7 +642,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path sequence entropy
*/
private function extractPathSequenceEntropy(array $pathHistory): BehaviorFeature
private function extractPathSequenceEntropy(array $pathHistory): Feature
{
// Create bigrams (consecutive path pairs)
$bigrams = [];
@@ -643,8 +653,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$bigramCounts = array_count_values($bigrams);
return BehaviorFeature::entropy(
type: $this->getBehaviorType(),
return Feature::entropy(
type: $this->getFeatureType(),
name: 'path_sequence_entropy',
distribution: array_values($bigramCounts)
);
@@ -653,11 +663,11 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract path transition score
*/
private function extractPathTransitionScore(array $pathHistory): BehaviorFeature
private function extractPathTransitionScore(array $pathHistory): Feature
{
if (count($pathHistory) < 2) {
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_transition_score',
value: 0.0,
unit: 'score'
@@ -677,8 +687,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$averageTransition = $transitionScore / (count($pathHistory) - 1);
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'path_transition_score',
value: $averageTransition,
unit: 'similarity_score'
@@ -688,7 +698,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract navigation pattern
*/
private function extractNavigationPattern(array $pathHistory): BehaviorFeature
private function extractNavigationPattern(array $pathHistory): Feature
{
$backtrackingScore = 0.0;
@@ -708,8 +718,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$normalizedScore = count($pathHistory) > 2 ? $backtrackingScore / (count($pathHistory) - 2) : 0.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'navigation_backtracking',
value: $normalizedScore,
unit: 'backtracking_score'
@@ -719,7 +729,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract request complexity
*/
private function extractRequestComplexity(RequestAnalysisData $requestData): BehaviorFeature
private function extractRequestComplexity(RequestAnalysisData $requestData): Feature
{
$complexity = 0.0;
@@ -738,8 +748,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$bodySize = strlen($requestData->body);
$complexity += $bodySize / 5000.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'request_complexity',
value: $complexity,
unit: 'complexity_score'
@@ -749,7 +759,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract header to body ratio
*/
private function extractHeaderToBodyRatio(RequestAnalysisData $requestData): BehaviorFeature
private function extractHeaderToBodyRatio(RequestAnalysisData $requestData): Feature
{
$headerSize = array_sum(array_map(
fn ($name, $value) => strlen($name) + strlen($value),
@@ -761,8 +771,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
$ratio = ($headerSize + $bodySize) > 0 ? $headerSize / ($headerSize + $bodySize) : 0.0;
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'header_body_ratio',
value: $ratio,
unit: 'ratio'
@@ -772,7 +782,7 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
/**
* Extract content type consistency
*/
private function extractContentTypeConsistency(RequestAnalysisData $requestData): BehaviorFeature
private function extractContentTypeConsistency(RequestAnalysisData $requestData): Feature
{
$consistencyScore = 1.0;
@@ -798,8 +808,8 @@ final class PatternFeatureExtractor implements FeatureExtractorInterface
}
}
return BehaviorFeature::create(
type: $this->getBehaviorType(),
return Feature::create(
type: $this->getFeatureType(),
name: 'content_type_consistency',
value: max(0.0, $consistencyScore),
unit: 'consistency_score'

96
src/Framework/Waf/MachineLearning/MachineLearningEngine.php
View File

@@ -7,10 +7,14 @@ namespace App\Framework\Waf\MachineLearning;
use App\Framework\Core\ValueObjects\Duration;
use App\Framework\Core\ValueObjects\Percentage;
use App\Framework\DateTime\Clock;
use App\Framework\MachineLearning\Core\AnomalyDetectorInterface;
use App\Framework\MachineLearning\Core\FeatureExtractorMetadata;
use App\Framework\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\MachineLearning\ValueObjects\Baseline;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\MachineLearning\ValueObjects\FeatureType;
use App\Framework\Waf\Analysis\ValueObjects\RequestAnalysisData;
use App\Framework\Waf\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorBaseline;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
use App\Framework\Waf\MachineLearning\WafFeatureExtractor;
/**
* Main machine learning engine for behavioral analysis and anomaly detection
@@ -18,7 +22,7 @@ use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeature;
final class MachineLearningEngine
{
/**
* @param FeatureExtractorInterface[] $extractors
* @param WafFeatureExtractor[] $extractors
* @param AnomalyDetectorInterface[] $detectors
*/
public function __construct(
@@ -141,7 +145,7 @@ final class MachineLearningEngine
$extractorResults[] = [
'extractor' => get_class($extractor),
'behavior_type' => $extractor->getBehaviorType()->value,
'feature_type' => $extractor->getFeatureType()->value,
'feature_count' => count($validFeatures),
'processing_time' => $extractorTime->toMilliseconds(),
'success' => true,
@@ -155,7 +159,7 @@ final class MachineLearningEngine
} catch (\Throwable $e) {
$extractorResults[] = [
'extractor' => get_class($extractor),
'behavior_type' => $extractor->getBehaviorType()->value,
'feature_type' => $extractor->getFeatureType()->value,
'feature_count' => 0,
'processing_time' => 0,
'success' => false,
@@ -239,10 +243,10 @@ final class MachineLearningEngine
{
$baselines = [];
// Group features by behavior type
// Group features by feature type
$featureGroups = [];
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature) {
if ($feature instanceof Feature) {
$typeKey = $feature->type->value;
if (! isset($featureGroups[$typeKey])) {
$featureGroups[$typeKey] = [];
@@ -251,17 +255,17 @@ final class MachineLearningEngine
}
}
// Get or create baselines for each behavior type
foreach ($featureGroups as $behaviorType => $groupFeatures) {
$cacheKey = "baseline:{$behaviorType}";
// Get or create baselines for each feature type
foreach ($featureGroups as $featureType => $groupFeatures) {
$cacheKey = "baseline:{$featureType}";
if (isset($this->baselineCache[$cacheKey])) {
$baselines[$behaviorType] = $this->baselineCache[$cacheKey];
$baselines[$featureType] = $this->baselineCache[$cacheKey];
} else {
// Create new baseline from features
$baseline = $this->createBaselineFromFeatures($groupFeatures, BehaviorType::from($behaviorType));
$baseline = $this->createBaselineFromFeatures($groupFeatures, FeatureType::from($featureType));
if ($baseline !== null) {
$baselines[$behaviorType] = $baseline;
$baselines[$featureType] = $baseline;
$this->baselineCache[$cacheKey] = $baseline;
}
}
@@ -273,13 +277,13 @@ final class MachineLearningEngine
/**
* Create behavioral baseline from feature set
*/
private function createBaselineFromFeatures(array $features, BehaviorType $behaviorType): ?BehaviorBaseline
private function createBaselineFromFeatures(array $features, FeatureType $featureType): ?Baseline
{
if (empty($features)) {
return null;
}
$values = array_map(fn (BehaviorFeature $f) => $f->value, $features);
$values = array_map(fn (Feature $f) => $f->value, $features);
if (empty($values)) {
return null;
@@ -294,28 +298,36 @@ final class MachineLearningEngine
$p95 = $values[(int)(count($values) * 0.95)];
$p99 = $values[(int)(count($values) * 0.99)];
return new BehaviorBaseline(
type: $behaviorType,
return new Baseline(
type: $featureType,
identifier: 'dynamic-baseline',
mean: $mean,
standardDeviation: $stdDev,
sampleSize: count($values),
p50: $p50,
p95: $p95,
p99: $p99,
confidence: Percentage::from(min(100.0, count($values) * 5.0)), // 5% per sample, max 100%
lastUpdated: $this->clock->time()
median: $p50,
minimum: min($values),
maximum: max($values),
percentiles: [
50 => $p50,
95 => $p95,
99 => $p99
],
sampleCount: count($values),
createdAt: $this->clock->time(),
lastUpdated: $this->clock->time(),
windowSize: Duration::fromMinutes(30),
confidence: min(1.0, count($values) * 0.05) // 5% per sample, max 100%
);
}
/**
* Get relevant baseline for a detector
*/
private function getRelevantBaseline(AnomalyDetectorInterface $detector, array $baselines): ?BehaviorBaseline
private function getRelevantBaseline(AnomalyDetectorInterface $detector, array $baselines): ?Baseline
{
$supportedTypes = $detector->getSupportedBehaviorTypes();
$supportedTypes = $detector->getSupportedFeatureTypes();
foreach ($supportedTypes as $behaviorType) {
$typeKey = $behaviorType->value;
foreach ($supportedTypes as $featureType) {
$typeKey = $featureType->value;
if (isset($baselines[$typeKey])) {
return $baselines[$typeKey];
}
@@ -332,7 +344,7 @@ final class MachineLearningEngine
$validFeatures = [];
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature) {
if ($feature instanceof Feature) {
// Validate feature values
if (is_numeric($feature->value) &&
! is_nan($feature->value) &&
@@ -530,13 +542,13 @@ final class MachineLearningEngine
*/
private function deduplicateAndRankAnomalies(array $anomalies): array
{
// Remove duplicates based on type and behavior type
// Remove duplicates based on type and feature type
$seen = [];
$unique = [];
foreach ($anomalies as $anomaly) {
if ($anomaly instanceof AnomalyDetection) {
$key = $anomaly->type->value . ':' . $anomaly->behaviorType->value;
$key = $anomaly->type->value . ':' . $anomaly->featureType->value;
if (! isset($seen[$key]) || $anomaly->confidence->getValue() > $seen[$key]->confidence->getValue()) {
$seen[$key] = $anomaly;
}
@@ -560,8 +572,8 @@ final class MachineLearningEngine
'path' => $requestData->path,
'method' => $requestData->method,
'params' => $requestData->getAllParameters(),
'user_agent' => $requestData->userAgent?->toString(),
'ip' => $requestData->clientIp?->toString(),
'user_agent' => (string) $requestData->userAgent,
'ip' => (string) $requestData->clientIp,
]));
}
@@ -574,7 +586,7 @@ final class MachineLearningEngine
$featuresByType = [];
foreach ($features as $feature) {
if ($feature instanceof BehaviorFeature) {
if ($feature instanceof Feature) {
$typeKey = $feature->type->value;
if (! isset($featuresByType[$typeKey])) {
$featuresByType[$typeKey] = [];
@@ -583,9 +595,9 @@ final class MachineLearningEngine
}
}
foreach ($featuresByType as $behaviorType => $typeFeatures) {
foreach ($featuresByType as $featureType => $typeFeatures) {
$results[] = [
'behavior_type' => $behaviorType,
'feature_type' => $featureType,
'feature_count' => count($typeFeatures),
'avg_value' => array_sum(array_map(fn ($f) => $f->value, $typeFeatures)) / count($typeFeatures),
'feature_names' => array_unique(array_map(fn ($f) => $f->name, $typeFeatures)),
@@ -632,14 +644,14 @@ final class MachineLearningEngine
{
$stats = [];
foreach ($baselines as $behaviorType => $baseline) {
if ($baseline instanceof BehaviorBaseline) {
foreach ($baselines as $featureType => $baseline) {
if ($baseline instanceof Baseline) {
$stats[] = [
'behavior_type' => $behaviorType,
'sample_size' => $baseline->sampleSize,
'feature_type' => $featureType,
'sample_size' => $baseline->sampleCount,
'mean' => $baseline->mean,
'std_dev' => $baseline->standardDeviation,
'confidence' => $baseline->confidence->getValue(),
'confidence' => $baseline->confidence,
'last_updated' => $baseline->lastUpdated->toIso8601String(),
];
}
@@ -654,7 +666,7 @@ final class MachineLearningEngine
private function recordPerformanceMetrics(Duration $processingTime, int $featureCount, int $anomalyCount): void
{
$this->performanceMetrics[] = [
'timestamp' => $this->clock->time()->toUnixTimestamp(),
'timestamp' => $this->clock->time()->toTimestamp(),
'processing_time_ms' => $processingTime->toMilliseconds(),
'feature_count' => $featureCount,
'anomaly_count' => $anomalyCount,

250
src/Framework/Waf/MachineLearning/RequestHistoryTracker.php Normal file
View File

@@ -0,0 +1,250 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning;
use App\Framework\Waf\MachineLearning\ValueObjects\RequestSequence;
use App\Framework\Http\Request;
use App\Framework\Http\IpAddress;
use App\Framework\Cache\Cache;
use App\Framework\Cache\CacheKey;
use App\Framework\Core\ValueObjects\Duration;
/**
* Request History Tracker for Behavioral Analysis
*
* Stores recent request history per client IP for sequence-based analysis
* Uses cache for temporary storage with automatic expiration
*
* Storage Strategy:
* - Per-IP request history (last N requests)
* - Sliding time window (configurable TTL)
* - Automatic cleanup of old requests
* - Memory-efficient storage (request metadata only)
*/
final class RequestHistoryTracker
{
private const int DEFAULT_MAX_REQUESTS = 50;
private const int DEFAULT_WINDOW_SECONDS = 300; // 5 minutes
public function __construct(
private readonly Cache $cache,
private readonly int $maxRequestsPerIp = self::DEFAULT_MAX_REQUESTS,
private readonly int $timeWindowSeconds = self::DEFAULT_WINDOW_SECONDS
) {}
/**
* Track new request for client IP
*/
public function track(Request $request): void
{
$clientIp = $request->server->getRemoteAddr();
$cacheKey = $this->getCacheKey($clientIp);
// Get existing history
$history = $this->getHistory($clientIp);
// Add new request metadata
$requestData = $this->extractRequestMetadata($request);
$history[] = $requestData;
// Keep only recent requests (sliding window)
$history = $this->pruneOldRequests($history);
// Limit to max requests
if (count($history) > $this->maxRequestsPerIp) {
$history = array_slice($history, -$this->maxRequestsPerIp);
}
// Store updated history
$this->cache->set(
$cacheKey,
$history,
Duration::fromSeconds($this->timeWindowSeconds)
);
}
/**
* Get request sequence for client IP
*/
public function getSequence(IpAddress $clientIp): RequestSequence
{
$history = $this->getHistory($clientIp);
if (empty($history)) {
return RequestSequence::empty($clientIp->toString());
}
// Reconstruct Request objects from metadata
$requests = array_map(
fn(array $data) => $this->reconstructRequest($data),
$history
);
return RequestSequence::fromRequests($requests, $clientIp->toString());
}
/**
* Clear history for specific client IP
*/
public function clearHistory(IpAddress $clientIp): void
{
$cacheKey = $this->getCacheKey($clientIp);
$this->cache->delete($cacheKey);
}
/**
* Get statistics for client IP
*/
public function getStatistics(IpAddress $clientIp): array
{
$sequence = $this->getSequence($clientIp);
return $sequence->getStatistics();
}
/**
* Check if client has sufficient history for analysis
*/
public function hasSufficientHistory(IpAddress $clientIp, int $minRequests = 3): bool
{
$history = $this->getHistory($clientIp);
return count($history) >= $minRequests;
}
/**
* Get request history from cache
*/
private function getHistory(IpAddress $clientIp): array
{
$cacheKey = $this->getCacheKey($clientIp);
$cached = $this->cache->get($cacheKey);
if ($cached === null) {
return [];
}
return is_array($cached) ? $cached : [];
}
/**
* Extract essential request metadata for storage
*/
private function extractRequestMetadata(Request $request): array
{
return [
'timestamp' => time(),
'path' => $request->path,
'method' => $request->method->value,
'query_params' => $request->queryParams ?? [],
'body' => $request->body ?? '',
'headers' => [
'User-Agent' => $request->headers->getFirst('User-Agent') ?? '',
'Content-Type' => $request->headers->getFirst('Content-Type') ?? '',
'Content-Length' => $request->headers->getFirst('Content-Length') ?? '0',
],
'ip' => $request->server->getRemoteAddr()->toString(),
];
}
/**
* Reconstruct Request object from stored metadata
* Note: This creates a minimal Request for analysis purposes
*/
private function reconstructRequest(array $data): Request
{
// Create minimal HttpRequest for analysis
// This is a simplified reconstruction - full Request creation would require
// more complete ServerEnvironment and other dependencies
return new class($data) implements Request {
public function __construct(
private readonly array $data
) {}
public string $path {
get => $this->data['path'];
}
public object $method {
get => new class($this->data['method']) {
public function __construct(public readonly string $value) {}
};
}
public array $queryParams {
get => $this->data['query_params'];
}
public string $body {
get => $this->data['body'];
}
public int $timestamp {
get => $this->data['timestamp'];
}
public object $headers {
get => new class($this->data['headers']) {
public function __construct(private readonly array $headers) {}
public function getFirst(string $name): ?string
{
return $this->headers[$name] ?? null;
}
};
}
public object $server {
get => new class($this->data['ip']) {
public function __construct(private readonly string $ip) {}
public function getRemoteAddr(): IpAddress
{
return new IpAddress($this->ip);
}
};
}
public object $parsedBody {
get => new class {
public array $data {
get => [];
}
};
}
};
}
/**
* Remove requests older than time window
*/
private function pruneOldRequests(array $history): array
{
$cutoffTime = time() - $this->timeWindowSeconds;
return array_filter(
$history,
fn(array $requestData) => $requestData['timestamp'] >= $cutoffTime
);
}
/**
* Get cache key for client IP
*/
private function getCacheKey(IpAddress $clientIp): CacheKey
{
return CacheKey::fromString("waf:request_history:{$clientIp->toString()}");
}
/**
* Get configuration
*/
public function getConfiguration(): array
{
return [
'max_requests_per_ip' => $this->maxRequestsPerIp,
'time_window_seconds' => $this->timeWindowSeconds,
];
}
}

339
src/Framework/Waf/MachineLearning/ValueObjects/AnomalyDetection.php
View File

@@ -1,339 +0,0 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\ValueObjects;
use App\Framework\Core\ValueObjects\Duration;
use App\Framework\Core\ValueObjects\Percentage;
use App\Framework\Core\ValueObjects\Timestamp;
use App\Framework\Waf\MachineLearning\AnomalyType;
use App\Framework\Waf\MachineLearning\BehaviorType;
/**
* Represents a detected behavioral anomaly
*/
final readonly class AnomalyDetection
{
public function __construct(
public AnomalyType $type,
public BehaviorType $behaviorType,
public Percentage $confidence,
public float $anomalyScore,
public string $description,
public array $features,
public array $evidence,
public ?string $clientId = null,
public ?string $sessionId = null,
public ?Timestamp $detectedAt = null,
public ?Duration $analysisWindow = null,
public array $metadata = []
) {
}
/**
* Create anomaly detection with automatic confidence calculation
*/
public static function create(
AnomalyType $type,
BehaviorType $behaviorType,
float $anomalyScore,
string $description,
array $features = [],
array $evidence = []
): self {
// Calculate confidence based on anomaly score and feature consistency
$baseConfidence = min($anomalyScore * 100, 100.0);
// Adjust confidence based on feature agreement
if (! empty($features)) {
$featureAnomalyScores = array_map(
fn (BehaviorFeature $feature) => $feature->getAnomalyScore(),
$features
);
$meanFeatureScore = array_sum($featureAnomalyScores) / count($featureAnomalyScores);
$featureConsistency = 1.0 - (abs($anomalyScore - $meanFeatureScore) / max($anomalyScore, 0.01));
$baseConfidence *= $featureConsistency;
}
$confidence = Percentage::from(max(0.0, min(100.0, $baseConfidence)));
return new self(
type: $type,
behaviorType: $behaviorType,
confidence: $confidence,
anomalyScore: $anomalyScore,
description: $description,
features: $features,
evidence: $evidence,
detectedAt: Timestamp::fromFloat(microtime(true))
);
}
/**
* Create frequency spike anomaly
*/
public static function frequencySpike(
float $currentRate,
float $baseline,
float $threshold = 3.0,
?string $clientId = null
): self {
$ratio = $baseline > 0 ? $currentRate / $baseline : $currentRate;
$anomalyScore = min(($ratio - 1.0) / $threshold, 1.0);
return self::create(
type: AnomalyType::FREQUENCY_SPIKE,
behaviorType: BehaviorType::REQUEST_FREQUENCY,
anomalyScore: $anomalyScore,
description: "Request frequency spike detected: {$currentRate}/s (baseline: {$baseline}/s, ratio: " . round($ratio, 2) . "x)",
evidence: [
'current_rate' => $currentRate,
'baseline_rate' => $baseline,
'spike_ratio' => $ratio,
'threshold' => $threshold,
]
);
return $clientId !== null ? $anomaly->withClientId($clientId) : $anomaly;
}
/**
* Create geographic anomaly
*/
public static function geographicAnomaly(
string $currentLocation,
array $normalLocations,
float $distance,
?string $clientId = null
): self {
$anomalyScore = min($distance / 10000, 1.0); // Normalize by 10,000 km
return self::create(
type: AnomalyType::GEOGRAPHIC_ANOMALY,
behaviorType: BehaviorType::GEOGRAPHIC_PATTERNS,
anomalyScore: $anomalyScore,
description: "Geographic anomaly: access from {$currentLocation}, distance: " . round($distance) . "km from normal locations",
evidence: [
'current_location' => $currentLocation,
'normal_locations' => $normalLocations,
'distance_km' => $distance,
]
);
return $clientId !== null ? $anomaly->withClientId($clientId) : $anomaly;
}
/**
* Create pattern deviation anomaly
*/
public static function patternDeviation(
BehaviorType $behaviorType,
string $pattern,
float $deviationScore,
array $features = []
): self {
return self::create(
type: AnomalyType::UNUSUAL_PATTERN,
behaviorType: $behaviorType,
anomalyScore: $deviationScore,
description: "Unusual pattern detected in {$behaviorType->getDescription()}: {$pattern}",
features: $features,
evidence: [
'pattern' => $pattern,
'deviation_score' => $deviationScore,
'feature_count' => count($features),
]
);
}
/**
* Create statistical anomaly
*/
public static function statisticalAnomaly(
BehaviorType $behaviorType,
string $metric,
float $value,
float $expectedValue,
float $standardDeviation,
?string $clientId = null
): self {
$zScore = $standardDeviation > 0 ? abs($value - $expectedValue) / $standardDeviation : 0;
$anomalyScore = min($zScore / 3.0, 1.0); // Normalize by 3 sigma
return self::create(
type: AnomalyType::STATISTICAL_ANOMALY,
behaviorType: $behaviorType,
anomalyScore: $anomalyScore,
description: "Statistical anomaly in {$metric}: value={$value}, expected={$expectedValue}, z-score=" . round($zScore, 2),
evidence: [
'metric' => $metric,
'value' => $value,
'expected_value' => $expectedValue,
'standard_deviation' => $standardDeviation,
'z_score' => $zScore,
]
);
return $clientId !== null ? $anomaly->withClientId($clientId) : $anomaly;
}
/**
* Add client ID
*/
public function withClientId(string $clientId): self
{
return new self(
type: $this->type,
behaviorType: $this->behaviorType,
confidence: $this->confidence,
anomalyScore: $this->anomalyScore,
description: $this->description,
features: $this->features,
evidence: $this->evidence,
clientId: $clientId,
sessionId: $this->sessionId,
detectedAt: $this->detectedAt,
analysisWindow: $this->analysisWindow,
metadata: $this->metadata
);
}
/**
* Add session ID
*/
public function withSessionId(string $sessionId): self
{
return new self(
type: $this->type,
behaviorType: $this->behaviorType,
confidence: $this->confidence,
anomalyScore: $this->anomalyScore,
description: $this->description,
features: $this->features,
evidence: $this->evidence,
clientId: $this->clientId,
sessionId: $sessionId,
detectedAt: $this->detectedAt,
analysisWindow: $this->analysisWindow,
metadata: $this->metadata
);
}
/**
* Add analysis window
*/
public function withAnalysisWindow(Duration $window): self
{
return new self(
type: $this->type,
behaviorType: $this->behaviorType,
confidence: $this->confidence,
anomalyScore: $this->anomalyScore,
description: $this->description,
features: $this->features,
evidence: $this->evidence,
clientId: $this->clientId,
sessionId: $this->sessionId,
detectedAt: $this->detectedAt,
analysisWindow: $window,
metadata: $this->metadata
);
}
/**
* Check if anomaly requires immediate action
*/
public function requiresImmediateAction(): bool
{
return $this->type->requiresImmediateAction() &&
$this->confidence->getValue() >= $this->type->getConfidenceThreshold() * 100;
}
/**
* Get risk level
*/
public function getRiskLevel(): string
{
$confidenceScore = $this->confidence->getValue() / 100.0;
$combinedScore = ($this->anomalyScore + $confidenceScore) / 2.0;
return match (true) {
$combinedScore >= 0.8 => 'critical',
$combinedScore >= 0.6 => 'high',
$combinedScore >= 0.4 => 'medium',
$combinedScore >= 0.2 => 'low',
default => 'info'
};
}
/**
* Get recommended action
*/
public function getRecommendedAction(): string
{
return $this->type->getRecommendedAction();
}
/**
* Get severity score (0-100)
*/
public function getSeverityScore(): float
{
$typeWeight = match ($this->type->getSeverityLevel()) {
'high' => 0.9,
'medium' => 0.6,
'low' => 0.3,
default => 0.5
};
$confidenceWeight = $this->confidence->getValue() / 100.0;
$anomalyWeight = $this->anomalyScore;
return ($typeWeight * 0.4 + $confidenceWeight * 0.3 + $anomalyWeight * 0.3) * 100;
}
/**
* Convert to array for logging/storage
*/
public function toArray(): array
{
return [
'type' => $this->type->value,
'behavior_type' => $this->behaviorType->value,
'confidence' => $this->confidence->getValue(),
'anomaly_score' => $this->anomalyScore,
'description' => $this->description,
'client_id' => $this->clientId,
'session_id' => $this->sessionId,
'detected_at' => $this->detectedAt?->format('c'),
'analysis_window_seconds' => $this->analysisWindow?->toSeconds(),
'features' => array_map(fn (BehaviorFeature $f) => $f->toArray(), $this->features),
'evidence' => $this->evidence,
'risk_level' => $this->getRiskLevel(),
'severity_score' => $this->getSeverityScore(),
'requires_immediate_action' => $this->requiresImmediateAction(),
'recommended_action' => $this->getRecommendedAction(),
'metadata' => $this->metadata,
];
}
/**
* Create summary for dashboard/alerting
*/
public function getSummary(): array
{
return [
'id' => md5($this->type->value . $this->behaviorType->value . ($this->detectedAt?->format('c') ?? '')),
'type' => $this->type->value,
'description' => $this->description,
'risk_level' => $this->getRiskLevel(),
'confidence' => $this->confidence->getValue(),
'client_id' => $this->clientId,
'detected_at' => $this->detectedAt?->format('c'),
'requires_action' => $this->requiresImmediateAction(),
];
}
}

181
src/Framework/Waf/MachineLearning/ValueObjects/BehaviorAnomalyResult.php Normal file
View File

@@ -0,0 +1,181 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\ValueObjects;
use App\Framework\Core\ValueObjects\Score;
/**
* Result of behavioral anomaly detection analysis
*
* Immutable value object representing the outcome of ML-based behavioral analysis
*/
final readonly class BehaviorAnomalyResult
{
/**
* @param Score $anomalyScore Overall anomaly confidence (0.0-1.0)
* @param bool $isAnomalous Whether behavior is classified as anomalous
* @param array<string, Score> $featureScores Individual feature anomaly scores
* @param array<string, mixed> $detectedPatterns Specific attack patterns detected
* @param string $primaryIndicator Main indicator of anomaly
* @param array<string, mixed> $metadata Additional analysis metadata
*/
public function __construct(
public Score $anomalyScore,
public bool $isAnomalous,
public array $featureScores,
public array $detectedPatterns,
public string $primaryIndicator,
public array $metadata = []
) {}
/**
* Create result indicating normal behavior
*/
public static function normal(string $reason = 'No anomalous patterns detected'): self
{
return new self(
anomalyScore: Score::zero(),
isAnomalous: false,
featureScores: [],
detectedPatterns: [],
primaryIndicator: $reason,
metadata: ['analysis_type' => 'normal']
);
}
/**
* Create result indicating low-confidence anomaly
*/
public static function lowConfidence(Score $score, array $featureScores = []): self
{
return new self(
anomalyScore: $score,
isAnomalous: false,
featureScores: $featureScores,
detectedPatterns: [],
primaryIndicator: 'Low confidence anomaly - monitoring recommended',
metadata: ['analysis_type' => 'low_confidence']
);
}
/**
* Create result indicating confirmed anomaly
*/
public static function anomalous(
Score $score,
array $featureScores,
array $detectedPatterns,
string $primaryIndicator
): self {
return new self(
anomalyScore: $score,
isAnomalous: true,
featureScores: $featureScores,
detectedPatterns: $detectedPatterns,
primaryIndicator: $primaryIndicator,
metadata: ['analysis_type' => 'confirmed_anomaly']
);
}
/**
* Get anomaly severity based on score level
*/
public function getSeverity(): string
{
return $this->anomalyScore->toLevel()->value;
}
/**
* Check if anomaly requires immediate action
*/
public function requiresImmediateAction(): bool
{
return $this->isAnomalous && $this->anomalyScore->isCritical();
}
/**
* Get recommended action based on score level
*/
public function getRecommendedAction(): string
{
if (!$this->isAnomalous) {
return 'monitor';
}
return $this->anomalyScore->toLevel()->getRecommendedAction();
}
/**
* Get top contributing features (sorted by score)
*/
public function getTopContributors(int $limit = 3): array
{
if (empty($this->featureScores)) {
return [];
}
$sorted = $this->featureScores;
uasort($sorted, fn(Score $a, Score $b) => $b->value() <=> $a->value());
return array_slice($sorted, 0, $limit, true);
}
/**
* Convert to array for serialization
*/
public function toArray(): array
{
return [
'anomaly_score' => $this->anomalyScore->toArray(),
'is_anomalous' => $this->isAnomalous,
'severity' => $this->getSeverity(),
'feature_scores' => array_map(
fn(Score $score) => $score->toArray(),
$this->featureScores
),
'detected_patterns' => $this->detectedPatterns,
'primary_indicator' => $this->primaryIndicator,
'recommended_action' => $this->getRecommendedAction(),
'top_contributors' => array_map(
fn(Score $score) => $score->value(),
$this->getTopContributors()
),
'metadata' => $this->metadata
];
}
/**
* Merge with another anomaly result using weighted combination
*/
public function merge(self $other, float $weight = 0.5): self
{
$combinedScore = $this->anomalyScore->combine($other->anomalyScore, $weight);
return new self(
anomalyScore: $combinedScore,
isAnomalous: $this->isAnomalous || $other->isAnomalous,
featureScores: array_merge($this->featureScores, $other->featureScores),
detectedPatterns: array_merge($this->detectedPatterns, $other->detectedPatterns),
primaryIndicator: $combinedScore->isAbove($this->anomalyScore)
? $other->primaryIndicator
: $this->primaryIndicator,
metadata: array_merge($this->metadata, $other->metadata, [
'merged' => true,
'merge_weight' => $weight
])
);
}
/**
* String representation
*/
public function toString(): string
{
$status = $this->isAnomalous ? 'ANOMALOUS' : 'NORMAL';
$score = $this->anomalyScore->toString();
return "{$status} - Score: {$score} - {$this->primaryIndicator}";
}
}

227
src/Framework/Waf/MachineLearning/ValueObjects/BehaviorFeatures.php Normal file
View File

@@ -0,0 +1,227 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\ValueObjects;
/**
* Behavioral Feature Vector for WAF ML Analysis
*
* 8-dimensional feature space for behavioral anomaly detection:
* - request_frequency: Requests/second (0-∞)
* - endpoint_diversity: Shannon entropy (0-∞)
* - parameter_entropy: Average entropy (0-8)
* - user_agent_consistency: Consistency score (0-1)
* - geographic_anomaly: Location change score (0-1)
* - time_pattern_regularity: Timing regularity (0-1)
* - payload_similarity: Similarity score (0-1)
* - http_method_distribution: Method entropy normalized (0-1)
*/
final readonly class BehaviorFeatures
{
public function __construct(
public float $requestFrequency,
public float $endpointDiversity,
public float $parameterEntropy,
public float $userAgentConsistency,
public float $geographicAnomaly,
public float $timePatternRegularity,
public float $payloadSimilarity,
public float $httpMethodDistribution
) {}
/**
* Create empty feature vector (all zeros)
*/
public static function empty(): self
{
return new self(
requestFrequency: 0.0,
endpointDiversity: 0.0,
parameterEntropy: 0.0,
userAgentConsistency: 0.0,
geographicAnomaly: 0.0,
timePatternRegularity: 0.0,
payloadSimilarity: 0.0,
httpMethodDistribution: 0.0
);
}
/**
* Convert to array for ML processing
*/
public function toArray(): array
{
return [
'request_frequency' => $this->requestFrequency,
'endpoint_diversity' => $this->endpointDiversity,
'parameter_entropy' => $this->parameterEntropy,
'user_agent_consistency' => $this->userAgentConsistency,
'geographic_anomaly' => $this->geographicAnomaly,
'time_pattern_regularity' => $this->timePatternRegularity,
'payload_similarity' => $this->payloadSimilarity,
'http_method_distribution' => $this->httpMethodDistribution,
];
}
/**
* Convert to feature vector (numeric array for ML algorithms)
*/
public function toVector(): array
{
return array_values($this->toArray());
}
/**
* Get feature names
*/
public static function getFeatureNames(): array
{
return [
'request_frequency',
'endpoint_diversity',
'parameter_entropy',
'user_agent_consistency',
'geographic_anomaly',
'time_pattern_regularity',
'payload_similarity',
'http_method_distribution',
];
}
/**
* Get number of features
*/
public static function getFeatureCount(): int
{
return 8;
}
/**
* Normalize features for ML processing
* Applies min-max normalization to bring all features to 0-1 range
*/
public function normalize(): self
{
return new self(
requestFrequency: $this->normalizeRequestFrequency($this->requestFrequency),
endpointDiversity: $this->normalizeEntropy($this->endpointDiversity),
parameterEntropy: $this->parameterEntropy / 8.0, // Max entropy ~8
userAgentConsistency: $this->userAgentConsistency, // Already 0-1
geographicAnomaly: $this->geographicAnomaly, // Already 0-1
timePatternRegularity: $this->timePatternRegularity, // Already 0-1
payloadSimilarity: $this->payloadSimilarity, // Already 0-1
httpMethodDistribution: $this->httpMethodDistribution // Already 0-1
);
}
/**
* Normalize request frequency to 0-1 range
* Using sigmoid-like function: f(x) = x / (1 + x)
*/
private function normalizeRequestFrequency(float $freq): float
{
return $freq / (1.0 + $freq);
}
/**
* Normalize entropy values to 0-1 range
* Typical max entropy for endpoints is ~4-5 bits
*/
private function normalizeEntropy(float $entropy): float
{
return min(1.0, $entropy / 5.0);
}
/**
* Calculate L2 norm (Euclidean distance from origin)
*/
public function norm(): float
{
$vector = $this->toVector();
$sumSquares = array_sum(array_map(fn($val) => $val ** 2, $vector));
return sqrt($sumSquares);
}
/**
* Calculate distance to another feature vector
*/
public function distanceTo(self $other): float
{
$diff = [
$this->requestFrequency - $other->requestFrequency,
$this->endpointDiversity - $other->endpointDiversity,
$this->parameterEntropy - $other->parameterEntropy,
$this->userAgentConsistency - $other->userAgentConsistency,
$this->geographicAnomaly - $other->geographicAnomaly,
$this->timePatternRegularity - $other->timePatternRegularity,
$this->payloadSimilarity - $other->payloadSimilarity,
$this->httpMethodDistribution - $other->httpMethodDistribution,
];
$sumSquares = array_sum(array_map(fn($val) => $val ** 2, $diff));
return sqrt($sumSquares);
}
/**
* Check if features indicate potential attack behavior
* Based on heuristic thresholds
*/
public function indicatesAttack(): bool
{
// High request frequency + low diversity = potential DDoS
if ($this->requestFrequency > 10.0 && $this->endpointDiversity < 1.0) {
return true;
}
// High parameter entropy + geographic anomaly = potential scanning
if ($this->parameterEntropy > 6.0 && $this->geographicAnomaly > 0.7) {
return true;
}
// Perfect regularity + high similarity = likely bot
if ($this->timePatternRegularity > 0.9 && $this->payloadSimilarity > 0.8) {
return true;
}
return false;
}
/**
* Get anomaly indicators with scores
*/
public function getAnomalyIndicators(): array
{
$indicators = [];
if ($this->requestFrequency > 10.0) {
$indicators['high_frequency'] = $this->requestFrequency;
}
if ($this->endpointDiversity < 0.5) {
$indicators['low_diversity'] = $this->endpointDiversity;
}
if ($this->parameterEntropy > 6.0) {
$indicators['high_entropy'] = $this->parameterEntropy;
}
if ($this->userAgentConsistency < 0.3) {
$indicators['inconsistent_user_agent'] = $this->userAgentConsistency;
}
if ($this->geographicAnomaly > 0.7) {
$indicators['geographic_anomaly'] = $this->geographicAnomaly;
}
if ($this->timePatternRegularity > 0.9) {
$indicators['automated_pattern'] = $this->timePatternRegularity;
}
if ($this->payloadSimilarity > 0.9) {
$indicators['repetitive_payloads'] = $this->payloadSimilarity;
}
return $indicators;
}
}

241
src/Framework/Waf/MachineLearning/ValueObjects/RequestSequence.php Normal file
View File

@@ -0,0 +1,241 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning\ValueObjects;
use App\Framework\Http\Request;
/**
* Sequence of Recent Requests for Behavioral Analysis
*
* Immutable collection of requests with time window information
* Used by BehaviorPatternExtractor for sequence-based feature extraction
*/
final readonly class RequestSequence
{
/**
* @param array<Request> $requests Recent requests in chronological order
* @param float $timeWindowSeconds Time window covered by the sequence
* @param string $clientIdentifier IP address or other identifier
*/
public function __construct(
private array $requests,
private float $timeWindowSeconds,
private string $clientIdentifier
) {}
/**
* Create empty sequence
*/
public static function empty(string $clientIdentifier = ''): self
{
return new self([], 0.0, $clientIdentifier);
}
/**
* Create from request array with automatic time window calculation
*
* @param array<Request> $requests
*/
public static function fromRequests(array $requests, string $clientIdentifier): self
{
if (empty($requests)) {
return self::empty($clientIdentifier);
}
// Calculate time window from first to last request
$timestamps = array_map(fn($req) => $req->timestamp ?? time(), $requests);
$minTime = min($timestamps);
$maxTime = max($timestamps);
$timeWindow = max(1.0, (float) ($maxTime - $minTime)); // Minimum 1 second
return new self($requests, $timeWindow, $clientIdentifier);
}
/**
* Get all requests in sequence
*
* @return array<Request>
*/
public function getRequests(): array
{
return $this->requests;
}
/**
* Get time window in seconds
*/
public function getTimeWindowSeconds(): float
{
return $this->timeWindowSeconds;
}
/**
* Get client identifier (IP address)
*/
public function getClientIdentifier(): string
{
return $this->clientIdentifier;
}
/**
* Check if sequence is empty
*/
public function isEmpty(): bool
{
return empty($this->requests);
}
/**
* Get number of requests in sequence
*/
public function count(): int
{
return count($this->requests);
}
/**
* Get most recent request
*/
public function getLatestRequest(): ?Request
{
if (empty($this->requests)) {
return null;
}
return $this->requests[array_key_last($this->requests)];
}
/**
* Get oldest request
*/
public function getOldestRequest(): ?Request
{
if (empty($this->requests)) {
return null;
}
return $this->requests[array_key_first($this->requests)];
}
/**
* Filter requests by path pattern
*/
public function filterByPath(string $pattern): self
{
$filtered = array_filter(
$this->requests,
fn($req) => preg_match($pattern, $req->path) === 1
);
return new self($filtered, $this->timeWindowSeconds, $this->clientIdentifier);
}
/**
* Filter requests by HTTP method
*/
public function filterByMethod(string $method): self
{
$filtered = array_filter(
$this->requests,
fn($req) => $req->method->value === strtoupper($method)
);
return new self($filtered, $this->timeWindowSeconds, $this->clientIdentifier);
}
/**
* Get requests in time window (last N seconds)
*/
public function getRecentRequests(int $seconds): self
{
if (empty($this->requests)) {
return $this;
}
$cutoffTime = time() - $seconds;
$recent = array_filter(
$this->requests,
fn($req) => ($req->timestamp ?? time()) >= $cutoffTime
);
return self::fromRequests($recent, $this->clientIdentifier);
}
/**
* Merge with another sequence
*/
public function merge(self $other): self
{
if ($this->clientIdentifier !== $other->clientIdentifier) {
throw new \InvalidArgumentException('Cannot merge sequences from different clients');
}
$allRequests = array_merge($this->requests, $other->requests);
// Sort by timestamp
usort($allRequests, function ($a, $b) {
$timeA = $a->timestamp ?? 0;
$timeB = $b->timestamp ?? 0;
return $timeA <=> $timeB;
});
return self::fromRequests($allRequests, $this->clientIdentifier);
}
/**
* Limit sequence to maximum number of requests (keep most recent)
*/
public function limitToLast(int $maxRequests): self
{
if (count($this->requests) <= $maxRequests) {
return $this;
}
$limited = array_slice($this->requests, -$maxRequests);
return self::fromRequests($limited, $this->clientIdentifier);
}
/**
* Get sequence statistics
*/
public function getStatistics(): array
{
if (empty($this->requests)) {
return [
'count' => 0,
'time_window_seconds' => 0.0,
'requests_per_second' => 0.0,
'unique_endpoints' => 0,
'unique_methods' => 0,
];
}
$uniqueEndpoints = count(array_unique(array_map(fn($req) => $req->path, $this->requests)));
$uniqueMethods = count(array_unique(array_map(fn($req) => $req->method->value, $this->requests)));
return [
'count' => count($this->requests),
'time_window_seconds' => $this->timeWindowSeconds,
'requests_per_second' => $this->timeWindowSeconds > 0
? count($this->requests) / $this->timeWindowSeconds
: 0.0,
'unique_endpoints' => $uniqueEndpoints,
'unique_methods' => $uniqueMethods,
];
}
/**
* Convert to array for serialization
*/
public function toArray(): array
{
return [
'client_identifier' => $this->clientIdentifier,
'request_count' => count($this->requests),
'time_window_seconds' => $this->timeWindowSeconds,
'statistics' => $this->getStatistics(),
];
}
}

217
src/Framework/Waf/MachineLearning/WafBehavioralModelAdapter.php Normal file
View File

@@ -0,0 +1,217 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning;
use App\Framework\MachineLearning\ModelManagement\ModelRegistry;
use App\Framework\MachineLearning\ModelManagement\ModelPerformanceMonitor;
use App\Framework\MachineLearning\ModelManagement\ValueObjects\ModelMetadata;
use App\Framework\Core\ValueObjects\Version;
use App\Framework\Core\ValueObjects\Timestamp;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorFeatures;
use App\Framework\Waf\MachineLearning\ValueObjects\BehaviorAnomalyResult;
/**
* WAF Behavioral Analysis Model Management Adapter
*
* Integrates BehaviorAnomalyDetector with the ML Model Management System:
* - Automatic model registration
* - Real-time performance tracking
* - Prediction monitoring
* - Configuration management
*
* Usage:
* ```php
* $adapter = new WafBehavioralModelAdapter($registry, $performanceMonitor, $detector);
*
* // Register current model version
* $adapter->registerCurrentModel();
*
* // Analyze with tracking
* $result = $adapter->analyzeWithTracking($features, $historicalBaseline, $groundTruth);
* ```
*/
final readonly class WafBehavioralModelAdapter
{
private const MODEL_NAME = 'waf-behavioral';
private const CURRENT_VERSION = '1.0.0';
public function __construct(
private ModelRegistry $registry,
private ModelPerformanceMonitor $performanceMonitor,
private BehaviorAnomalyDetector $detector
) {}
/**
* Register current WAF behavioral model in registry
*/
public function registerCurrentModel(?array $performanceMetrics = null): ModelMetadata
{
$version = Version::fromString(self::CURRENT_VERSION);
// Check if already registered
if ($this->registry->exists(self::MODEL_NAME, $version)) {
return $this->registry->get(self::MODEL_NAME, $version);
}
// Create metadata
$metadata = ModelMetadata::forWafBehavioral(
version: $version,
configuration: $this->detector->getConfiguration()
);
// Add performance metrics if provided
if ($performanceMetrics !== null) {
$metadata = $metadata->withPerformanceMetrics($performanceMetrics);
}
// Register in registry
$this->registry->register($metadata);
return $metadata;
}
/**
* Analyze behavioral features with automatic performance tracking
*
* @param BehaviorFeatures $features Current request features
* @param array<BehaviorFeatures> $historicalBaseline Historical baseline for comparison
* @param bool|null $groundTruth Ground truth (if known) - true if request is malicious
*
* @return array Analysis result with tracking info
*/
public function analyzeWithTracking(
BehaviorFeatures $features,
array $historicalBaseline = [],
?bool $groundTruth = null
): array {
// Perform ML analysis
$analysisResult = $this->detector->detect($features, $historicalBaseline);
// Determine prediction
$prediction = $analysisResult->isAnomalous;
$confidence = $analysisResult->anomalyScore->value();
// Track prediction in performance monitor
$this->performanceMonitor->trackPrediction(
modelName: self::MODEL_NAME,
version: Version::fromString(self::CURRENT_VERSION),
prediction: $prediction,
actual: $groundTruth,
confidence: $confidence,
features: $this->extractFeatureSummary($analysisResult)
);
// Convert result to array format
$resultArray = [
'is_anomalous' => $analysisResult->isAnomalous,
'anomaly_score' => $confidence,
'feature_scores' => array_map(
fn($score) => $score->value(),
$analysisResult->featureScores
),
'detected_patterns' => $analysisResult->detectedPatterns,
'primary_indicator' => $analysisResult->primaryIndicator,
'success' => true
];
// Add tracking info
$resultArray['tracking'] = [
'model_name' => self::MODEL_NAME,
'model_version' => self::CURRENT_VERSION,
'prediction' => $prediction ? 'malicious' : 'benign',
'ground_truth' => $groundTruth,
'tracked' => true,
];
return $resultArray;
}
/**
* Get current model performance metrics
*/
public function getCurrentPerformanceMetrics(): array
{
return $this->performanceMonitor->getCurrentMetrics(
self::MODEL_NAME,
Version::fromString(self::CURRENT_VERSION)
);
}
/**
* Check if model performance has degraded
*/
public function checkPerformanceDegradation(float $thresholdPercent = 0.05): array
{
return $this->performanceMonitor->getPerformanceDegradationInfo(
self::MODEL_NAME,
Version::fromString(self::CURRENT_VERSION),
$thresholdPercent
);
}
/**
* Update model configuration in registry
*/
public function updateConfiguration(array $newConfiguration): void
{
$version = Version::fromString(self::CURRENT_VERSION);
$metadata = $this->registry->get(self::MODEL_NAME, $version);
if ($metadata === null) {
throw new \RuntimeException(
'Model not registered. Call registerCurrentModel() first.'
);
}
$updated = $metadata->withConfiguration($newConfiguration);
$this->registry->update($updated);
}
/**
* Deploy current model to production
*/
public function deployToProduction(): void
{
$version = Version::fromString(self::CURRENT_VERSION);
$metadata = $this->registry->get(self::MODEL_NAME, $version);
if ($metadata === null) {
throw new \RuntimeException(
'Model not registered. Call registerCurrentModel() first.'
);
}
$deployed = $metadata->withDeployment(
environment: 'production',
deployedAt: Timestamp::now()
);
$this->registry->update($deployed);
}
/**
* Get model metadata
*/
public function getModelMetadata(): ?ModelMetadata
{
return $this->registry->get(
self::MODEL_NAME,
Version::fromString(self::CURRENT_VERSION)
);
}
/**
* Extract feature summary for tracking
*/
private function extractFeatureSummary(BehaviorAnomalyResult $result): array
{
return [
'feature_count' => count($result->featureScores),
'pattern_count' => count($result->detectedPatterns),
'primary_indicator' => $result->primaryIndicator,
'is_anomalous' => $result->isAnomalous,
];
}
}

49
src/Framework/Waf/MachineLearning/WafFeatureExtractor.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
declare(strict_types=1);
namespace App\Framework\Waf\MachineLearning;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\Waf\Analysis\ValueObjects\RequestAnalysisData;
/**
* Domain-specific interface for WAF feature extraction
*
* This interface is WAF-specific and uses RequestAnalysisData for type safety.
* It does NOT extend any other interfaces - pure atomic composition pattern.
*
* Implementations should also implement:
* - FeatureExtractorMetadata (metadata and configuration)
* - FeatureExtractorPerformance (performance characteristics)
*
* Example:
* ```php
* final class FrequencyFeatureExtractor implements
* WafFeatureExtractor,
* FeatureExtractorMetadata,
* FeatureExtractorPerformance
* {
* // Implements all methods from all 3 interfaces
* }
* ```
*/
interface WafFeatureExtractor
{
/**
* Check if extractor can extract features from given request data
*
* Allows extractors to skip processing for irrelevant requests
* (e.g., frequency extractor needs client IP)
*/
public function canExtract(RequestAnalysisData $requestData): bool;
/**
* Extract features from WAF request analysis data
*
* @param RequestAnalysisData $requestData Type-safe WAF request data
* @param array<string, mixed> $context Additional context (e.g., historical data, baseline)
* @return Feature[] Array of extracted features
*/
public function extractFeatures(RequestAnalysisData $requestData, array $context = []): array;
}

2
src/Framework/Waf/ThreatAssessmentService.php
View File

@@ -8,6 +8,8 @@ use App\Framework\Core\ValueObjects\Duration;
use App\Framework\Core\ValueObjects\Percentage;
use App\Framework\DateTime\Clock;
use App\Framework\Http\Request;
use App\Framework\MachineLearning\ValueObjects\AnomalyDetection;
use App\Framework\MachineLearning\ValueObjects\Feature;
use App\Framework\Waf\MachineLearning\MachineLearningResult;
/**