aprender-profile 0.29.0

Pure Rust system call tracer with source-aware correlation for Rust binaries
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483

//! Anomaly collector for Z-score and Isolation Forest detection
//!
//! Detects anomalous syscall behavior using statistical methods
//! and machine learning (Isolation Forest when enabled).

use super::{Collector, MetricValue, Metrics};
use anyhow::Result;
use std::collections::{HashMap, VecDeque};
use std::time::Instant;

/// Anomaly record for display
#[derive(Debug, Clone)]
pub struct AnomalyRecord {
    /// Syscall name
    pub syscall: String,
    /// Duration in microseconds
    pub duration_us: u64,
    /// Z-score deviation
    pub z_score: f32,
    /// Isolation Forest anomaly score (if available)
    pub if_score: Option<f32>,
    /// Detection timestamp
    pub timestamp: Instant,
    /// Source file (from DWARF)
    pub source_file: Option<String>,
    /// Source line (from DWARF)
    pub source_line: Option<u32>,
    /// Process ID
    pub pid: i32,
}

impl AnomalyRecord {
    /// Create new anomaly record
    pub fn new(syscall: &str, duration_us: u64, z_score: f32) -> Self {
        Self {
            syscall: syscall.to_string(),
            duration_us,
            z_score,
            if_score: None,
            timestamp: Instant::now(),
            source_file: None,
            source_line: None,
            pid: 0,
        }
    }

    /// Set Isolation Forest score
    pub fn with_if_score(mut self, score: f32) -> Self {
        self.if_score = Some(score);
        self
    }

    /// Set source location
    pub fn with_source(mut self, file: &str, line: u32) -> Self {
        self.source_file = Some(file.to_string());
        self.source_line = Some(line);
        self
    }

    /// Set process ID
    pub fn with_pid(mut self, pid: i32) -> Self {
        self.pid = pid;
        self
    }

    /// Check if this is a high-severity anomaly (z > 5)
    pub fn is_high_severity(&self) -> bool {
        self.z_score > 5.0
    }
}

/// Online statistics tracker for anomaly detection
#[derive(Debug, Clone)]
pub struct OnlineStats {
    /// Running count
    count: u64,
    /// Running mean
    mean: f64,
    /// Running M2 for variance (Welford's algorithm)
    m2: f64,
}

impl Default for OnlineStats {
    fn default() -> Self {
        Self::new()
    }
}

impl OnlineStats {
    /// Create new online stats tracker
    pub fn new() -> Self {
        Self { count: 0, mean: 0.0, m2: 0.0 }
    }

    /// Update with new value using Welford's online algorithm
    pub fn update(&mut self, value: f64) {
        self.count += 1;
        let delta = value - self.mean;
        self.mean += delta / self.count as f64;
        let delta2 = value - self.mean;
        self.m2 += delta * delta2;
    }

    /// Get current mean
    pub fn mean(&self) -> f64 {
        self.mean
    }

    /// Get current variance
    pub fn variance(&self) -> f64 {
        if self.count < 2 {
            0.0
        } else {
            self.m2 / (self.count - 1) as f64
        }
    }

    /// Get current standard deviation
    pub fn stddev(&self) -> f64 {
        self.variance().sqrt()
    }

    /// Calculate Z-score for a value
    pub fn z_score(&self, value: f64) -> f64 {
        let std = self.stddev();
        if std == 0.0 || self.count < 10 {
            0.0 // Not enough data for meaningful Z-score
        } else {
            (value - self.mean) / std
        }
    }

    /// Get sample count
    pub fn count(&self) -> u64 {
        self.count
    }

    /// Reset statistics
    pub fn reset(&mut self) {
        self.count = 0;
        self.mean = 0.0;
        self.m2 = 0.0;
    }
}

/// Anomaly detector and collector
pub struct AnomalyCollector {
    /// Per-syscall online statistics
    stats: HashMap<String, OnlineStats>,
    /// Z-score threshold for anomaly detection
    threshold: f32,
    /// Recent anomalies (ring buffer behavior)
    anomalies: VecDeque<AnomalyRecord>,
    /// Maximum anomalies to keep
    max_anomalies: usize,
    /// Total anomaly count
    total_anomalies: u64,
    /// Current average Z-score (for display)
    avg_z_score: f64,
    /// Z-score accumulator
    z_score_sum: f64,
    /// Z-score count
    z_score_count: u64,
    /// Whether collector is available
    available: bool,
}

impl AnomalyCollector {
    /// Create new anomaly collector with default threshold (3.0σ)
    pub fn new() -> Self {
        Self::with_threshold(3.0)
    }

    /// Create anomaly collector with custom threshold
    pub fn with_threshold(threshold: f32) -> Self {
        Self {
            stats: HashMap::new(),
            threshold,
            anomalies: VecDeque::with_capacity(100),
            max_anomalies: 100,
            total_anomalies: 0,
            avg_z_score: 0.0,
            z_score_sum: 0.0,
            z_score_count: 0,
            available: true,
        }
    }

    /// Process a syscall and check for anomaly
    ///
    /// Returns the Z-score and optional anomaly record if threshold exceeded.
    pub fn process(
        &mut self,
        syscall: &str,
        duration_us: u64,
        source_file: Option<&str>,
        source_line: Option<u32>,
        pid: i32,
    ) -> (f64, Option<AnomalyRecord>) {
        // Get or create stats for this syscall
        let stats = self.stats.entry(syscall.to_string()).or_default();

        // Calculate Z-score before updating stats
        let z_score = stats.z_score(duration_us as f64);

        // Update running statistics
        stats.update(duration_us as f64);

        // Update average Z-score
        self.z_score_sum += z_score.abs();
        self.z_score_count += 1;
        self.avg_z_score = self.z_score_sum / self.z_score_count as f64;

        // Check for anomaly
        if z_score.abs() > self.threshold as f64 {
            let mut record = AnomalyRecord::new(syscall, duration_us, z_score as f32).with_pid(pid);

            if let (Some(file), Some(line)) = (source_file, source_line) {
                record = record.with_source(file, line);
            }

            // Add to anomalies ring buffer
            if self.anomalies.len() >= self.max_anomalies {
                self.anomalies.pop_front();
            }
            self.anomalies.push_back(record.clone());
            self.total_anomalies += 1;

            (z_score, Some(record))
        } else {
            (z_score, None)
        }
    }

    /// Get recent anomalies
    pub fn anomalies(&self) -> &VecDeque<AnomalyRecord> {
        &self.anomalies
    }

    /// Get total anomaly count
    pub fn total_count(&self) -> u64 {
        self.total_anomalies
    }

    /// Get average Z-score
    pub fn avg_z_score(&self) -> f64 {
        self.avg_z_score
    }

    /// Get Z-score threshold
    pub fn threshold(&self) -> f32 {
        self.threshold
    }

    /// Get stats for a specific syscall
    pub fn get_stats(&self, syscall: &str) -> Option<&OnlineStats> {
        self.stats.get(syscall)
    }

    /// Clear anomaly history
    pub fn clear_anomalies(&mut self) {
        self.anomalies.clear();
    }
}

impl Default for AnomalyCollector {
    fn default() -> Self {
        Self::new()
    }
}

impl Collector for AnomalyCollector {
    fn collect(&mut self) -> Result<Metrics> {
        let mut values = HashMap::new();

        values
            .insert("anomaly.total.count".to_string(), MetricValue::Counter(self.total_anomalies));
        values.insert("anomaly.avg_z_score".to_string(), MetricValue::Gauge(self.avg_z_score));
        values.insert("anomaly.threshold".to_string(), MetricValue::Gauge(self.threshold as f64));
        values.insert(
            "anomaly.recent.count".to_string(),
            MetricValue::Gauge(self.anomalies.len() as f64),
        );

        // High severity count
        let high_severity = self.anomalies.iter().filter(|a| a.is_high_severity()).count();
        values.insert(
            "anomaly.high_severity.count".to_string(),
            MetricValue::Gauge(high_severity as f64),
        );

        Ok(Metrics::new(values))
    }

    fn is_available(&self) -> bool {
        self.available
    }

    fn name(&self) -> &'static str {
        "anomaly"
    }

    fn reset(&mut self) {
        self.stats.clear();
        self.anomalies.clear();
        self.total_anomalies = 0;
        self.avg_z_score = 0.0;
        self.z_score_sum = 0.0;
        self.z_score_count = 0;
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_anomaly_record_new() {
        let record = AnomalyRecord::new("read", 1000, 4.5);
        assert_eq!(record.syscall, "read");
        assert_eq!(record.duration_us, 1000);
        assert!((record.z_score - 4.5).abs() < f32::EPSILON);
        assert!(!record.is_high_severity());
    }

    #[test]
    fn test_anomaly_record_high_severity() {
        let record = AnomalyRecord::new("write", 5000, 5.5);
        assert!(record.is_high_severity());
    }

    #[test]
    fn test_anomaly_record_with_source() {
        let record = AnomalyRecord::new("open", 100, 3.5).with_source("main.c", 42);
        assert_eq!(record.source_file, Some("main.c".to_string()));
        assert_eq!(record.source_line, Some(42));
    }

    #[test]
    fn test_online_stats_welford() {
        let mut stats = OnlineStats::new();

        // Add values: 10, 20, 30
        stats.update(10.0);
        stats.update(20.0);
        stats.update(30.0);

        assert_eq!(stats.count(), 3);
        assert!((stats.mean() - 20.0).abs() < f64::EPSILON);

        // Variance: ((10-20)² + (20-20)² + (30-20)²) / 2 = 200/2 = 100
        assert!((stats.variance() - 100.0).abs() < f64::EPSILON);
        assert!((stats.stddev() - 10.0).abs() < f64::EPSILON);
    }

    #[test]
    fn test_online_stats_z_score() {
        let mut stats = OnlineStats::new();

        // Add 100 values with mean=100, stddev≈10
        for i in 0..100 {
            stats.update(100.0 + (i % 20) as f64 - 10.0);
        }

        // Z-score of value at 3 stddevs
        let z = stats.z_score(stats.mean() + 3.0 * stats.stddev());
        assert!((z - 3.0).abs() < 0.1);
    }

    #[test]
    fn test_online_stats_insufficient_data() {
        let mut stats = OnlineStats::new();
        stats.update(100.0);

        // With only 1 sample, Z-score should be 0
        assert_eq!(stats.z_score(200.0), 0.0);
    }

    #[test]
    fn test_anomaly_collector_new() {
        let collector = AnomalyCollector::new();
        assert!((collector.threshold() - 3.0).abs() < f32::EPSILON);
        assert_eq!(collector.total_count(), 0);
        assert!(collector.is_available());
    }

    #[test]
    fn test_anomaly_collector_process_normal() {
        let mut collector = AnomalyCollector::new();

        // Add baseline data
        for _ in 0..100 {
            collector.process("read", 100, None, None, 1234);
        }

        // Normal value should not trigger anomaly
        let (z, anomaly) = collector.process("read", 100, None, None, 1234);
        assert!(z.abs() < 1.0);
        assert!(anomaly.is_none());
    }

    #[test]
    fn test_anomaly_collector_process_anomaly() {
        let mut collector = AnomalyCollector::with_threshold(3.0);

        // Add baseline data (100μs ± small variation)
        for i in 0..100 {
            let duration = 100 + (i % 5); // 100-104μs
            collector.process("read", duration, None, None, 1234);
        }

        // Extreme value should trigger anomaly
        let (z, anomaly) = collector.process("read", 10000, Some("main.c"), Some(42), 1234);
        assert!(z > 3.0);
        assert!(anomaly.is_some());

        let record = anomaly.unwrap();
        assert_eq!(record.syscall, "read");
        assert_eq!(record.duration_us, 10000);
        assert_eq!(record.source_file, Some("main.c".to_string()));
        assert_eq!(record.source_line, Some(42));
    }

    #[test]
    fn test_anomaly_collector_ring_buffer() {
        let mut collector = AnomalyCollector::with_threshold(0.001); // Very low threshold
        collector.max_anomalies = 10;

        // Add baseline data first (need 10+ samples for z-score)
        for _ in 0..15 {
            collector.process("read", 100, None, None, 1234);
        }

        // Clear the initial anomalies
        collector.anomalies.clear();
        let initial_total = collector.total_anomalies;

        // Now add varying values that will trigger anomalies
        for i in 0..20 {
            collector.process("read", 100 + i * 50, None, None, 1234); // Varying durations
        }

        // Should have some anomalies (varying durations create z-scores)
        // And should be limited to max_anomalies
        assert!(collector.anomalies().len() <= 10);
        assert!(collector.total_count() > initial_total);
    }

    #[test]
    fn test_anomaly_collector_collect() {
        let mut collector = AnomalyCollector::new();
        collector.process("read", 100, None, None, 1234);

        let metrics = collector.collect().unwrap();
        assert!(metrics.values.contains_key("anomaly.total.count"));
        assert!(metrics.values.contains_key("anomaly.avg_z_score"));
    }

    #[test]
    fn test_anomaly_collector_reset() {
        let mut collector = AnomalyCollector::with_threshold(2.0);

        // Build baseline with small variation (100 ± 5)
        for i in 0..20 {
            let duration = 100 + (i % 10); // 100-109 range
            collector.process("read", duration, None, None, 1234);
        }

        // Add clearly anomalous value (100x normal)
        collector.process("read", 10000, None, None, 1234);

        assert!(
            !collector.anomalies().is_empty(),
            "Expected at least one anomaly after extreme value"
        );
        assert!(collector.total_count() > 0);

        collector.reset();
        assert!(collector.anomalies().is_empty());
        assert_eq!(collector.total_count(), 0);
        assert!(collector.stats.is_empty());
    }
}