Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java

   1 package edu.uci.iotproject.detection.layer2;
   2
   3 import edu.uci.iotproject.analysis.TriggerTrafficExtractor;
   4 import edu.uci.iotproject.util.PcapPacketUtils;
   5 import org.pcap4j.core.PcapPacket;
   6 import org.pcap4j.util.MacAddress;
   7
   8 import java.util.ArrayList;
   9 import java.util.List;
  10
  11 /**
  12  * Attempts to detect the presence of a specific packet sequence in the set of packets provided through multiple calls
  13  * to {@link #matchPacket(PcapPacket)}, considering only layer 2 information.
  14  *
  15  * @author Janus Varmarken {@literal <jvarmark@uci.edu>}
  16  * @author Rahmadi Trimananda {@literal <rtrimana@uci.edu>}
  17  */
  18 public class Layer2SequenceMatcher extends Layer2AbstractMatcher {
  19
  20     /**
  21      * The sequence this {@link Layer2SequenceMatcher} is searching for.
  22      */
  23     private final List<PcapPacket> mSequence;
  24
  25     private int mInclusionTimeMillis;
  26
  27
  28     /**
  29      * Create a {@code Layer2SequenceMatcher}.
  30      * @param sequence The sequence to match against (search for).
  31      */
  32     public Layer2SequenceMatcher(List<PcapPacket> sequence, int inclusionTimeMillis) {
  33         super(sequence);
  34         mSequence = sequence;
  35         // Compute packet directions for sequence.
  36         for (int i = 0; i < sequence.size(); i++) {
  37             if (i == 0) {
  38                 // No previous packet; boolean parameter is ignored in this special case.
  39                 mPacketDirections[i] = getPacketDirection(null, true, sequence.get(i));
  40             } else {
  41                 // Base direction marker on direction of previous packet.
  42                 PcapPacket prevPkt = mSequence.get(i-1);
  43                 boolean prevPktDirection = mPacketDirections[i-1];
  44                 mPacketDirections[i] = getPacketDirection(prevPkt, prevPktDirection, sequence.get(i));
  45             }
  46         }
  47         mInclusionTimeMillis =
  48                 inclusionTimeMillis == 0 ? TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS : inclusionTimeMillis;
  49     }
  50
  51     /**
  52      * Attempt to advance this {@code Layer2SequenceMatcher} by matching {@code packet} against the packet that this
  53      * {@code Layer2SequenceMatcher} expects as the next packet of the sequence it is searching for.
  54      * @param packet
  55      * @return {@code true} if this {@code Layer2SequenceMatcher} could advance by adding {@code packet} to its set of
  56      *         matched packets, {@code false} otherwise.
  57      */
  58     public boolean matchPacket(PcapPacket packet) {
  59         if (getMatchedPacketsCount() == getTargetSequencePacketCount()) {
  60             // We already matched the entire sequence, so we can't match any more packets.
  61             return false;
  62         }
  63
  64         // Verify that new packet pertains to same flow as previously matched packets, if any.
  65         if (getMatchedPacketsCount() > 0) {
  66             MacAddress pktSrc = PcapPacketUtils.getEthSrcAddr(packet);
  67             MacAddress pktDst = PcapPacketUtils.getEthDstAddr(packet);
  68             MacAddress earlierPktSrc = PcapPacketUtils.getEthSrcAddr(mMatchedPackets.get(0));
  69             MacAddress earlierPktDst = PcapPacketUtils.getEthDstAddr(mMatchedPackets.get(0));
  70             if (!(pktSrc.equals(earlierPktSrc) && pktDst.equals(earlierPktDst) ||
  71                     pktSrc.equals(earlierPktDst) && pktDst.equals(earlierPktSrc))) {
  72                 return false;
  73             }
  74         }
  75
  76         // Get representative of the packet we expect to match next.
  77         PcapPacket expected = mSequence.get(mMatchedPackets.size());
  78         // First verify if the received packet has the length we're looking for.
  79         if (packet.getOriginalLength() == expected.getOriginalLength()) {
  80             // If this is the first packet, we only need to verify that its length is correct. Time constraints are
  81             // obviously satisfied as there are no previous packets. Furthermore, direction matches by definition as we
  82             // don't know the MAC of the device (or phone) in advance, so we can't enforce a rule saying "first packet
  83             // must originate from this particular MAC".
  84             if (getMatchedPacketsCount() == 0) {
  85                 // Store packet as matched and advance.
  86                 mMatchedPackets.add(packet);
  87                 return true;
  88             }
  89             // Check if direction of packet matches expected direction.
  90             boolean actualDirection = getPacketDirection(mMatchedPackets.get(getMatchedPacketsCount()-1),
  91                     mPacketDirections[getMatchedPacketsCount()-1], packet);
  92             boolean expectedDirection = mPacketDirections[getMatchedPacketsCount()];
  93             if (actualDirection != expectedDirection) {
  94                 mSkippedPackets++;
  95                 return false;
  96             }
  97             // Next apply timing constraints:
  98             // 1: to be a match, the packet must have a later timestamp than any other packet currently matched
  99             // 2: does adding the packet cause the max allowed time between first packet and last packet to be exceeded?
 100             if (!packet.getTimestamp().isAfter(mMatchedPackets.get(getMatchedPacketsCount()-1).getTimestamp())) {
 101                 mSkippedPackets++;
 102                 return false;
 103             }
 104 //            if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
 105 //                            plusMillis(TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS))) {
 106             if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
 107                 plusMillis(mInclusionTimeMillis))) {
 108                 mSkippedPackets++;
 109                 return false;
 110             }
 111             // If we made it here, it means that this packet has the expected length, direction, and obeys the timing
 112             // constraints, so we store it and advance.
 113             if (mMaxSkippedPackets < mSkippedPackets) {
 114                 mMaxSkippedPackets = mSkippedPackets;
 115                 mSkippedPackets = 0;
 116             }
 117             mMatchedPackets.add(packet);
 118             if (mMatchedPackets.size() == mSequence.size()) {
 119                 // TODO report (to observers?) that we are done?
 120             }
 121             return true;
 122         }
 123         return false;
 124     }
 125
 126     public int getTargetSequencePacketCount() {
 127         return mSequence.size();
 128     }
 129
 130     public List<PcapPacket> getTargetSequence() {
 131         return mSequence;
 132     }
 133
 134 }