Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2RangeMatcher.java

   1 package edu.uci.iotproject.detection.layer2;
   2
   3 import edu.uci.iotproject.analysis.TriggerTrafficExtractor;
   4 import edu.uci.iotproject.util.PcapPacketUtils;
   5 import org.pcap4j.core.PcapPacket;
   6 import org.pcap4j.util.MacAddress;
   7
   8 import java.util.ArrayList;
   9 import java.util.List;
  10
  11 /**
  12  * Attempts to detect the presence of a specific packet sequence in the set of packets provided through multiple calls
  13  * to {@link #matchPacket(PcapPacket)}, considering only layer 2 information. This class has the same flavor as the
  14  * {@link Layer2SequenceMatcher} class.
  15  *
  16  * @author Janus Varmarken {@literal <jvarmark@uci.edu>}
  17  * @author Rahmadi Trimananda {@literal <rtrimana@uci.edu>}
  18  */
  19 public class Layer2RangeMatcher extends Layer2AbstractMatcher {
  20     /**
  21      * The range this {@link Layer2RangeMatcher} is searching for.
  22      */
  23     private final List<PcapPacket> mLowerBound;
  24     private final List<PcapPacket> mUpperBound;
  25     private final double mEps;
  26     private int mInclusionTimeMillis;
  27     private int mSkippedPackets;
  28
  29     /**
  30      * Create a {@code Layer2RangeMatcher}.
  31      * @param lowerBound The lower bound of the sequence to match against (search for).
  32      * @param upperBound The upper bound of the sequence to match against (search for).
  33      * @param eps The epsilon value used in the DBSCAN algorithm.
  34      */
  35     public Layer2RangeMatcher(List<PcapPacket> lowerBound, List<PcapPacket> upperBound,
  36                               int inclusionTimeMillis, double eps) {
  37         // TODO: Just use the lower bound since both lower and upper bounds' packets essentially have the same direction
  38         // TODO: for the same position in the array. Both arrays also have the same length.
  39         super(lowerBound);
  40         mLowerBound = lowerBound;
  41         mUpperBound = upperBound;
  42         mEps = eps;
  43         mInclusionTimeMillis =
  44                 inclusionTimeMillis == 0 ? TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS : inclusionTimeMillis;
  45         mSkippedPackets = 0;
  46     }
  47
  48     /**
  49      * Attempt to advance this {@code Layer2RangeMatcher} by matching {@code packet} against the packet that this
  50      * {@code Layer2RangeMatcher} expects as the next packet of the sequence it is searching for.
  51      * @param packet
  52      * @return {@code true} if this {@code Layer2SequenceMatcher} could advance by adding {@code packet} to its set of
  53      *         matched packets, {@code false} otherwise.
  54      */
  55     public boolean matchPacket(PcapPacket packet) {
  56         if (getMatchedPacketsCount() == getTargetSequencePacketCount()) {
  57             // We already matched the entire sequence, so we can't match any more packets.
  58             return false;
  59         }
  60
  61         // Verify that new packet pertains to same flow as previously matched packets, if any.
  62         if (getMatchedPacketsCount() > 0) {
  63             MacAddress pktSrc = PcapPacketUtils.getEthSrcAddr(packet);
  64             MacAddress pktDst = PcapPacketUtils.getEthDstAddr(packet);
  65             MacAddress earlierPktSrc = PcapPacketUtils.getEthSrcAddr(mMatchedPackets.get(0));
  66             MacAddress earlierPktDst = PcapPacketUtils.getEthDstAddr(mMatchedPackets.get(0));
  67             if (!(pktSrc.equals(earlierPktSrc) && pktDst.equals(earlierPktDst) ||
  68                     pktSrc.equals(earlierPktDst) && pktDst.equals(earlierPktSrc))) {
  69                 return false;
  70             }
  71         }
  72
  73         // Get representative of the packet we expect to match next.
  74         PcapPacket expectedLowerBound = mLowerBound.get(mMatchedPackets.size());
  75         PcapPacket expectedUpperBound = mUpperBound.get(mMatchedPackets.size());
  76         int lowerBound = expectedLowerBound.getOriginalLength();
  77         int upperBound = expectedUpperBound.getOriginalLength();
  78         // Do strict matching if the lower and upper bounds are the same length
  79         // Do range matching with eps otherwise
  80         if (lowerBound != upperBound) {
  81             lowerBound = lowerBound - (int) mEps;
  82             upperBound = upperBound + (int) mEps;
  83         }
  84         // First verify if the received packet has the length we're looking for (the length should be within the range).
  85         if (lowerBound <= packet.getOriginalLength() && packet.getOriginalLength() <= upperBound){
  86             // If this is the first packet, we only need to verify that its length is correct. Time constraints are
  87             // obviously satisfied as there are no previous packets. Furthermore, direction matches by definition as we
  88             // don't know the MAC of the device (or phone) in advance, so we can't enforce a rule saying "first packet
  89             // must originate from this particular MAC".
  90             if (getMatchedPacketsCount() == 0) {
  91                 // Store packet as matched and advance.
  92                 mMatchedPackets.add(packet);
  93                 return true;
  94             }
  95             // Check if direction of packet matches expected direction.
  96             boolean actualDirection = getPacketDirection(mMatchedPackets.get(getMatchedPacketsCount()-1),
  97                     mPacketDirections[getMatchedPacketsCount()-1], packet);
  98             boolean expectedDirection = mPacketDirections[getMatchedPacketsCount()];
  99             if (actualDirection != expectedDirection) {
 100                 return false;
 101             }
 102             // Next apply timing constraints:
 103             // 1) to be a match, the packet must have a later timestamp than any other packet currently matched
 104             // 2) does adding the packet cause the max allowed time between first packet and last packet to be exceeded?
 105             if (!packet.getTimestamp().isAfter(mMatchedPackets.get(getMatchedPacketsCount()-1).getTimestamp())) {
 106                 return false;
 107             }
 108             if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
 109                     plusMillis(mInclusionTimeMillis))) {
 110                 return false;
 111             }
 112             // If we made it here, it means that this packet has the expected length, direction, and obeys the timing
 113             // constraints, so we store it and advance.zzzz
 114             mMatchedPackets.add(packet);
 115             if (mMatchedPackets.size() == mLowerBound.size()) {
 116                 // TODO report (to observers?) that we are done?
 117             }
 118             return true;
 119         }
 120         return false;
 121     }
 122
 123     public int getTargetSequencePacketCount() {
 124         return mLowerBound.size();
 125     }
 126
 127     public List<PcapPacket> getTargetLowerBound() {
 128         return mLowerBound;
 129     }
 130
 131     public List<PcapPacket> getTargetUpperBound() {
 132         return mUpperBound;
 133     }
 134 }