nexus-shield 0.4.1

Adaptive zero-trust security gateway with real-time endpoint protection — SQL firewall, SSRF guard, malware detection, process monitoring, network analysis, rootkit detection
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

// ============================================================================
// File: threat_score.rs
// Description: Multi-signal threat scoring engine combining all Shield defense signals
// Author: Andrew Jewell Sr. - AutomataNexus
// Updated: March 24, 2026
//
// DISCLAIMER: This software is provided "as is", without warranty of any kind,
// express or implied. Use at your own risk. AutomataNexus and the author assume
// no liability for any damages arising from the use of this software.
// ============================================================================
//! Threat Scoring Engine — Adaptive multi-signal threat assessment.
//!
//! Combines signals from the SQL firewall, SSRF guard, rate governor,
//! request fingerprinter, and behavioral history into a single threat
//! score (0.0–1.0). The score determines whether a request is allowed,
//! warned, or blocked.

use crate::fingerprint::RequestFingerprint;
use crate::rate_governor::RateCheckResult;

/// Weighted signals contributing to the overall threat score.
#[derive(Debug, Clone)]
pub struct ThreatSignals {
    /// Anomaly score from request fingerprinting (0.0–1.0).
    pub fingerprint_anomaly: f64,
    /// Rate limiting escalation severity (0.0–1.0).
    pub rate_pressure: f64,
    /// Behavioral anomaly from request history (0.0–1.0).
    pub behavioral_anomaly: f64,
    /// Whether this IP has recent security violations.
    pub recent_violations: bool,
}

/// Final threat assessment for a request.
#[derive(Debug, Clone)]
pub struct ThreatAssessment {
    /// Overall threat score (0.0 = safe, 1.0 = definitely malicious).
    pub score: f64,
    /// Individual signal contributions.
    pub signals: ThreatSignals,
    /// Recommended action based on the score.
    pub action: ThreatAction,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ThreatAction {
    /// Allow the request to proceed normally.
    Allow,
    /// Allow but log a warning for review.
    Warn,
    /// Block the request with 403 Forbidden.
    Block,
}

/// Signal weights for the scoring algorithm.
const WEIGHT_FINGERPRINT: f64 = 0.30;
const WEIGHT_RATE: f64 = 0.25;
const WEIGHT_BEHAVIORAL: f64 = 0.30;
const WEIGHT_VIOLATIONS: f64 = 0.15;

/// Compute a threat assessment from available signals.
pub fn assess(
    fingerprint: &RequestFingerprint,
    rate_result: &RateCheckResult,
    behavioral_score: f64,
    has_recent_violations: bool,
    warn_threshold: f64,
    block_threshold: f64,
) -> ThreatAssessment {
    let rate_pressure = escalation_to_score(rate_result);

    let signals = ThreatSignals {
        fingerprint_anomaly: fingerprint.anomaly_score,
        rate_pressure,
        behavioral_anomaly: behavioral_score,
        recent_violations: has_recent_violations,
    };

    let violation_score = if has_recent_violations { 1.0 } else { 0.0 };

    let score = (signals.fingerprint_anomaly * WEIGHT_FINGERPRINT
        + signals.rate_pressure * WEIGHT_RATE
        + signals.behavioral_anomaly * WEIGHT_BEHAVIORAL
        + violation_score * WEIGHT_VIOLATIONS)
        .min(1.0);

    let action = if score >= block_threshold {
        ThreatAction::Block
    } else if score >= warn_threshold {
        ThreatAction::Warn
    } else {
        ThreatAction::Allow
    };

    ThreatAssessment {
        score,
        signals,
        action,
    }
}

fn escalation_to_score(rate_result: &RateCheckResult) -> f64 {
    use crate::rate_governor::EscalationLevel;
    match rate_result.escalation {
        EscalationLevel::None => 0.0,
        EscalationLevel::Warn => 0.3,
        EscalationLevel::Throttle => 0.6,
        EscalationLevel::Block => 0.9,
        EscalationLevel::Ban => 1.0,
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::fingerprint::{FingerprintSignals, RequestFingerprint};
    use crate::rate_governor::{EscalationLevel, RateCheckResult};

    fn clean_fingerprint() -> RequestFingerprint {
        RequestFingerprint {
            hash: "abc".into(),
            signals: FingerprintSignals {
                has_user_agent: true,
                has_accept: true,
                has_accept_language: true,
                has_accept_encoding: true,
                has_referer: false,
                header_count: 5,
                header_order_hash: "def".into(),
                user_agent: "Mozilla/5.0".into(),
            },
            anomaly_score: 0.0,
        }
    }

    fn clean_rate() -> RateCheckResult {
        RateCheckResult {
            allowed: true,
            escalation: EscalationLevel::None,
            remaining: 100.0,
            retry_after: None,
            violations: 0,
        }
    }

    #[test]
    fn clean_request_allowed() {
        let result = assess(&clean_fingerprint(), &clean_rate(), 0.0, false, 0.4, 0.7);
        assert_eq!(result.action, ThreatAction::Allow);
        assert!(result.score < 0.1);
    }

    #[test]
    fn suspicious_fingerprint_warns() {
        let mut fp = clean_fingerprint();
        fp.anomaly_score = 0.9;
        // anomaly 0.9 * 0.30 + behavioral 0.8 * 0.30 = 0.27 + 0.24 = 0.51 > 0.4
        let result = assess(&fp, &clean_rate(), 0.8, false, 0.4, 0.7);
        assert!(
            matches!(result.action, ThreatAction::Warn | ThreatAction::Block),
            "High anomaly should trigger warn or block: {:?}",
            result
        );
    }

    #[test]
    fn multiple_bad_signals_block() {
        let mut fp = clean_fingerprint();
        fp.anomaly_score = 0.8;
        let rate = RateCheckResult {
            allowed: false,
            escalation: EscalationLevel::Block,
            remaining: 0.0,
            retry_after: None,
            violations: 20,
        };
        let result = assess(&fp, &rate, 0.7, true, 0.4, 0.7);
        assert_eq!(result.action, ThreatAction::Block);
    }
}