complete network analyzer auto-blacklist logic and DAO queries

Author: Hamna928

app/src/main/java/com/droid/cybershield/data/local/dao/NetworkTrafficDao.kt

@@ -38,6 +38,18 @@ interface NetworkTrafficDao {
     @Query("SELECT COUNT(*) FROM network_traffic WHERE blocked = 1")
     fun getBlockedCount(): Flow<Long>
 
+    /**
+     * Count how many MALICIOUS hits exist for a specific domain since [sinceMs].
+     * Used by the auto-blacklist rule: 3+ hits in 24 h → permanent block.
+     */
+    @Query("""
+        SELECT COUNT(*) FROM network_traffic
+        WHERE (destination_domain = :domain OR destination_ip = :domain)
+          AND threat_level = 'MALICIOUS'
+          AND timestamp >= :sinceMs
+    """)
+    suspend fun countMaliciousForDomainSince(domain: String, sinceMs: Long): Int
+
     /** Delete traffic logs older than [cutoffMs] (7-day retention). */
     @Query("DELETE FROM network_traffic WHERE timestamp < :cutoffMs")
     suspend fun deleteOlderThan(cutoffMs: Long)

app/src/main/java/com/droid/cybershield/data/local/dao/NetworkWhitelistDao.kt

@@ -39,6 +39,10 @@ interface NetworkBlacklistDao {
     """)
     suspend fun deleteExpired(cutoffMs: Long)
 
+    /** Returns the blacklist entry for [domain], or null if not blacklisted. */
+    @Query("SELECT * FROM network_blacklist WHERE domain = :domain LIMIT 1")
+    suspend fun getByDomain(domain: String): NetworkBlacklistEntity?
+
     @Query("SELECT COUNT(*) FROM network_blacklist")
     suspend fun getCount(): Long
 }

app/src/main/java/com/droid/cybershield/data/repository/NetworkAnalyzerRepositoryImpl.kt

@@ -27,9 +27,12 @@ class NetworkAnalyzerRepositoryImpl @Inject constructor(
 
     companion object {
         private const val TAG = "NetworkAnalyzerRepo"
-        // 7-day and 30-day retention in milliseconds
+        // Retention windows
         private const val TRAFFIC_RETENTION_MS   = 7L  * 24 * 60 * 60 * 1000
         private const val BLACKLIST_RETENTION_MS  = 30L * 24 * 60 * 60 * 1000
+        // Auto-blacklist rule: MALICIOUS_THRESHOLD hits within WINDOW_MS → permanent block
+        private const val AUTO_BLACKLIST_THRESHOLD = 3
+        private const val AUTO_BLACKLIST_WINDOW_MS = 24L * 60 * 60 * 1000  // 24 hours
     }
 
     // ── Traffic Logging ────────────────────────────────────────────────────────
@@ -49,6 +52,36 @@ class NetworkAnalyzerRepositoryImpl @Inject constructor(
                 blocked           = result.shouldBlock
             )
         )
+
+        // Auto-blacklist: if this domain has been MALICIOUS 3+ times in 24h, block permanently
+        if (result.threatLevel == ThreatLevel.MALICIOUS) {
+            val target = packet.destinationDomain ?: packet.destinationIp
+            checkAutoBlacklist(target)
+        }
+    }
+
+    /**
+     * Checks if [domain] has been flagged MALICIOUS [AUTO_BLACKLIST_THRESHOLD]+ times
+     * within the last [AUTO_BLACKLIST_WINDOW_MS]. If so, permanently blacklists it.
+     * This enforces the plan's "3× MALICIOUS in 24h → auto-blacklist" rule.
+     */
+    private suspend fun checkAutoBlacklist(domain: String) {
+        val since = System.currentTimeMillis() - AUTO_BLACKLIST_WINDOW_MS
+        val hitCount = trafficDao.countMaliciousForDomainSince(domain, since)
+
+        if (hitCount >= AUTO_BLACKLIST_THRESHOLD) {
+            val alreadyBlocked = blacklistDao.getByDomain(domain) != null
+            if (!alreadyBlocked) {
+                blacklistDao.insert(
+                    NetworkBlacklistEntity(
+                        domain           = domain,
+                        reason           = "Auto-blacklisted: flagged MALICIOUS $hitCount times in 24h",
+                        blockPermanently = true
+                    )
+                )
+                Log.w(TAG, "🚫 AUTO-BLACKLISTED: $domain ($hitCount MALICIOUS hits in 24h)")
+            }
+        }
     }
 
     override fun getRecentTraffic(limit: Int): Flow<List<NetworkTrafficEntity>> =