Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java

   1 package edu.uci.iotproject.detection.layer2;
   2
   3 import edu.uci.iotproject.analysis.TriggerTrafficExtractor;
   4 import edu.uci.iotproject.util.PcapPacketUtils;
   5 import org.pcap4j.core.PcapPacket;
   6 import org.pcap4j.util.MacAddress;
   7
   8 import java.util.ArrayList;
   9 import java.util.List;
  10 import java.util.Set;
  11
  12 /**
  13  * Attempts to detect the presence of a specific packet sequence in the set of packets provided through multiple calls
  14  * to {@link #matchPacket(PcapPacket)}, considering only layer 2 information.
  15  *
  16  * @author Janus Varmarken {@literal <jvarmark@uci.edu>}
  17  * @author Rahmadi Trimananda {@literal <rtrimana@uci.edu>}
  18  */
  19 public class Layer2SequenceMatcher extends Layer2AbstractMatcher {
  20
  21     /**
  22      * The sequence this {@link Layer2SequenceMatcher} is searching for.
  23      */
  24     private final List<PcapPacket> mSequence;
  25
  26     private int mInclusionTimeMillis;
  27
  28     /**
  29      * Relaxed matching
  30      */
  31     private int mDelta;
  32     private Set<Integer> mPacketSet;
  33
  34     /**
  35      * Create a {@code Layer2SequenceMatcher}.
  36      * @param sequence The sequence to match against (search for).
  37      * @param trainingRouterWlanMac The training router's WLAN MAC (used for determining the direction of packets).
  38      * @param routerWlanMac The target trace router's WLAN MAC (used for determining the direction of packets).
  39      */
  40     public Layer2SequenceMatcher(List<PcapPacket> sequence, int inclusionTimeMillis, String trainingRouterWlanMac,
  41                                  String routerWlanMac, int delta, Set<Integer> packetSet) {
  42         super(sequence, trainingRouterWlanMac, routerWlanMac);
  43         mSequence = sequence;
  44         // Compute packet directions for sequence.
  45         for (int i = 0; i < sequence.size(); i++) {
  46             if (i == 0) {
  47                 // No previous packet; boolean parameter is ignored in this special case.
  48                 mPacketDirections[i] = getPacketDirection(null, true, sequence.get(i));
  49             } else {
  50                 // Base direction marker on direction of previous packet.
  51                 PcapPacket prevPkt = mSequence.get(i-1);
  52                 boolean prevPktDirection = mPacketDirections[i-1];
  53                 mPacketDirections[i] = getPacketDirection(prevPkt, prevPktDirection, sequence.get(i));
  54             }
  55         }
  56         mInclusionTimeMillis =
  57                 inclusionTimeMillis == 0 ? TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS : inclusionTimeMillis;
  58         mDelta = delta;
  59         mPacketSet = packetSet;
  60     }
  61
  62     /**
  63      * Attempt to advance this {@code Layer2SequenceMatcher} by matching {@code packet} against the packet that this
  64      * {@code Layer2SequenceMatcher} expects as the next packet of the sequence it is searching for.
  65      * @param packet
  66      * @return {@code true} if this {@code Layer2SequenceMatcher} could advance by adding {@code packet} to its set of
  67      *         matched packets, {@code false} otherwise.
  68      */
  69     public boolean matchPacket(PcapPacket packet) {
  70         if (getMatchedPacketsCount() == getTargetSequencePacketCount()) {
  71             // We already matched the entire sequence, so we can't match any more packets.
  72             return false;
  73         }
  74
  75         // Verify that new packet pertains to same flow as previously matched packets, if any.
  76         if (getMatchedPacketsCount() > 0) {
  77             MacAddress pktSrc = PcapPacketUtils.getEthSrcAddr(packet);
  78             MacAddress pktDst = PcapPacketUtils.getEthDstAddr(packet);
  79             MacAddress earlierPktSrc = PcapPacketUtils.getEthSrcAddr(mMatchedPackets.get(0));
  80             MacAddress earlierPktDst = PcapPacketUtils.getEthDstAddr(mMatchedPackets.get(0));
  81             if (!(pktSrc.equals(earlierPktSrc) && pktDst.equals(earlierPktDst) ||
  82                     pktSrc.equals(earlierPktDst) && pktDst.equals(earlierPktSrc))) {
  83                 return false;
  84             }
  85         }
  86
  87         // Get representative of the packet we expect to match next.
  88         PcapPacket expected = mSequence.get(mMatchedPackets.size());
  89         // First verify if the received packet has the length we're looking for.
  90         if ((mDelta > 0 && mPacketSet.contains(expected.getOriginalLength()) &&
  91                 expected.getOriginalLength() - mDelta <= packet.getOriginalLength() &&
  92                 packet.getOriginalLength() <= expected.getOriginalLength() + mDelta) ||
  93                 packet.getOriginalLength() == expected.getOriginalLength()) {
  94             // If this is the first packet, we only need to verify that its length is correct. Time constraints are
  95             // obviously satisfied as there are no previous packets. Furthermore, direction matches by definition as we
  96             // don't know the MAC of the device (or phone) in advance, so we can't enforce a rule saying "first packet
  97             // must originate from this particular MAC".
  98             if (getMatchedPacketsCount() == 0) {
  99                 // Store packet as matched and advance.
 100                 mMatchedPackets.add(packet);
 101                 return true;
 102             }
 103             // Check if direction of packet matches expected direction.
 104             boolean actualDirection = getPacketDirection(mMatchedPackets.get(getMatchedPacketsCount()-1),
 105                     mPacketDirections[getMatchedPacketsCount()-1], packet);
 106             boolean expectedDirection = mPacketDirections[getMatchedPacketsCount()];
 107             if (actualDirection != expectedDirection) {
 108                 return false;
 109             }
 110             // Next apply timing constraints:
 111             // 1: to be a match, the packet must have a later timestamp than any other packet currently matched
 112             // 2: does adding the packet cause the max allowed time between first packet and last packet to be exceeded?
 113             if (!packet.getTimestamp().isAfter(mMatchedPackets.get(getMatchedPacketsCount()-1).getTimestamp())) {
 114                 return false;
 115             }
 116 //            if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
 117 //                            plusMillis(TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS))) {
 118             if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
 119                 plusMillis(mInclusionTimeMillis))) {
 120                 return false;
 121             }
 122             // If we made it here, it means that this packet has the expected length, direction, and obeys the timing
 123             // constraints, so we store it and advance.
 124             mMatchedPackets.add(packet);
 125             if (mMatchedPackets.size() == mSequence.size()) {
 126                 // TODO report (to observers?) that we are done?
 127             }
 128             return true;
 129         }
 130         return false;
 131     }
 132
 133     public int getTargetSequencePacketCount() {
 134         return mSequence.size();
 135     }
 136
 137     public List<PcapPacket> getTargetSequence() {
 138         return mSequence;
 139     }
 140
 141 }