Implementing relaxed matching for layer 2 and layer 3.
[pingpong.git] / Code / Projects / PacketLevelSignatureExtractor / src / main / java / edu / uci / iotproject / detection / layer2 / Layer2ClusterMatcher.java
index 3bb7207a022c0f4f24b79ae2244731ab5f0608db..9de3bd6f77499d2a25f547bad59cf3d5b0cc8d29 100644 (file)
@@ -8,10 +8,7 @@ import edu.uci.iotproject.detection.AbstractClusterMatcher;
 import edu.uci.iotproject.trafficreassembly.layer2.Layer2FlowObserver;
 import org.pcap4j.core.*;
 
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.function.Function;
 
 /**
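Review bot: The wildcard `import java.util.*;` replaces four explicit imports although, in the hunks shown here, `Set` is the only new `java.util` type the class needs. The file already has `import org.pcap4j.core.*;`, so a second wildcard makes it harder to see where a simple name comes from. It also allows a future name clash between the two packages. Keeping the four explicit lines and adding `import java.util.Set;` would avoid both.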
@@ -28,7 +25,6 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
      * of {@link #mCluster} and has so far matched {@code j} packets of that particular sequence.
      */
     private final Map<Layer2Flow, Layer2SequenceMatcher[][]> mPerFlowSeqMatchers = new HashMap<>();
-//    private final Map<Layer2Flow, Layer2RangeMatcher[]> mPerFlowRangeMatcher = new HashMap<>();
     private final Map<Layer2Flow, List<Layer2RangeMatcher>> mPerFlowRangeMatcher = new HashMap<>();
 
     private final Function<Layer2Flow, Boolean> mFlowFilter;
@@ -48,22 +44,39 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
     /**
      * Keeping track of maximum number of skipped packets
      */
-    //private int mMaxSkippedPackets;
-    private List<Integer> mMaxSkippedPackets;
+    private int mMaxSkippedPackets;
+    private List<Integer> mSkippedPackets;
+
+    private int mLimitSkippedPackets;
+
+    /**
+     * Router's WLAN MAC.
+     */
+    private String mTrainingRouterWlanMac;
+    private String mRouterWlanMac;
+
+    /**
+     * Relaxed matching
+     */
+    private int mDelta;
+    private Set<Integer> mPacketSet;
 
     /**
      * Create a new {@link Layer2ClusterMatcher} that attempts to find occurrences of {@code cluster}'s members.
      * @param cluster The sequence mutations that the new {@link Layer2ClusterMatcher} should search for.
      */
-    public Layer2ClusterMatcher(List<List<PcapPacket>> cluster, int inclusionTimeMillis,
-                                boolean isRangeBased, double eps) {
+    public Layer2ClusterMatcher(List<List<PcapPacket>> cluster, String trainingRouterWlanMac, String routerWlanMac, int inclusionTimeMillis,
+                                boolean isRangeBased, double eps, int limitSkippedPackets, int delta, Set<Integer> packetSet) {
         // Consider all flows if no flow filter specified.
-        this(cluster, flow -> true, inclusionTimeMillis, isRangeBased, eps);
+        this(cluster, trainingRouterWlanMac, routerWlanMac, flow -> true, inclusionTimeMillis, isRangeBased, eps,
+                limitSkippedPackets, delta, packetSet);
     }
 
     /**
      * Create a new {@link Layer2ClusterMatcher} that attempts to find occurrences of {@code cluster}'s members.
      * @param cluster The sequence mutations that the new {@link Layer2ClusterMatcher} should search for.
+     * @param trainingRouterWlanMac The training router's WLAN MAC (used for determining the direction of packets).
+     * @param routerWlanMac The target trace router's WLAN MAC (used for determining the direction of packets).
      * @param flowFilter A filter that defines what {@link Layer2Flow}s the new {@link Layer2ClusterMatcher} should
      *                   search for {@code cluster}'s members in. If {@code flowFilter} returns {@code true}, the flow
      *                   will be included (searched). Note that {@code flowFilter} is only queried once for each flow,
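Review bot: The new fields `mLimitSkippedPackets`, `mTrainingRouterWlanMac`, `mRouterWlanMac`, `mDelta` and `mPacketSet` are written only in the constructor as far as the visible hunks show, so they could be declared `private final` like `mPerFlowSeqMatchers`. The existing Javadoc "Keeping track of maximum number of skipped packets" now sits only on `mMaxSkippedPackets`, which leaves `mSkippedPackets` and `mLimitSkippedPackets` undocumented. The `Relaxed matching` comment does not say what `mDelta` measures or what the integers in `mPacketSet` index. The first constructor's Javadoc still documents only `cluster`; it needs `@param` lines for the seven added or existing parameters, or an `@see` pointing to the full constructor. The second constructor's Javadoc and body continue past this hunk.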
@@ -74,16 +87,23 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
      * @param isRangeBased The boolean that decides if it is range-based vs. strict matching.
      * @param eps The epsilon value used in the DBSCAN algorithm.
      */
-    public Layer2ClusterMatcher(List<List<PcapPacket>> cluster, Function<Layer2Flow, Boolean> flowFilter,
-                                int inclusionTimeMillis, boolean isRangeBased, double eps) {
+    public Layer2ClusterMatcher(List<List<PcapPacket>> cluster, String trainingRouterWlanMac, String routerWlanMac,
+                                Function<Layer2Flow, Boolean> flowFilter, int inclusionTimeMillis, boolean isRangeBased,
+                                double eps, int limitSkippedPackets, int delta, Set<Integer> packetSet) {
         super(cluster, isRangeBased);
         mFlowFilter = flowFilter;
+        mTrainingRouterWlanMac = trainingRouterWlanMac;
+        mRouterWlanMac = routerWlanMac;
         mRangeBased = isRangeBased;
         mEps = eps;
         mInclusionTimeMillis =
                 inclusionTimeMillis == 0 ? TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS : inclusionTimeMillis;
-        //mMaxSkippedPackets = 0;
-        mMaxSkippedPackets = new ArrayList<>();
+        mMaxSkippedPackets = 0;
+        mSkippedPackets = new ArrayList<>();
+        // Give integer's MAX_VALUE if -1
+        mLimitSkippedPackets = limitSkippedPackets == -1 ? Integer.MAX_VALUE : limitSkippedPackets;
+        mDelta = delta;
+        mPacketSet = packetSet;
     }
 
     @Override
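Review bot: `limitSkippedPackets == -1 ? Integer.MAX_VALUE : limitSkippedPackets` treats only -1 as "no limit", so any other negative value is stored as is. The check `mLimitSkippedPackets < skippedPackets` in `checkMaxSkippedPackets` would then reject every completed match, and the detector would silently report nothing. A guard before the assignment would catch this: `if (limitSkippedPackets < -1) throw new IllegalArgumentException("limitSkippedPackets must be -1 or >= 0");`. `mPacketSet = packetSet;` keeps the caller's set by reference, so later changes by the caller would alter matching; if `packetSet` is never null (not visible here), `new HashSet<>(packetSet)` would isolate the matcher. The Javadoc above, which starts outside this hunk, has no `@param` entries for `limitSkippedPackets`, `delta` or `packetSet`, and should state the -1 sentinel.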
@@ -95,6 +115,7 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
         }
     }
 
+    // TODO: Relaxed matching is applied in conservative matching
     private void conservativeMatching(Layer2Flow flow, PcapPacket newPacket) {
         if (mPerFlowSeqMatchers.get(flow) == null) {
             // If this is the first time we encounter this flow, we need to set up sequence matchers for it.
@@ -105,7 +126,8 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
             Layer2SequenceMatcher[][] matchers = new Layer2SequenceMatcher[mCluster.size()][mCluster.get(0).size()];
             // Prepare a "state 0" sequence matcher for each sequence variation in the cluster.
             for (int i = 0; i < matchers.length; i++) {
-                matchers[i][0] = new Layer2SequenceMatcher(mCluster.get(i), mInclusionTimeMillis);
+                matchers[i][0] = new Layer2SequenceMatcher(mCluster.get(i), mInclusionTimeMillis, mTrainingRouterWlanMac,
+                        mRouterWlanMac, mDelta, mPacketSet);
             }
             // Associate the new sequence matcher table with the new flow
             mPerFlowSeqMatchers.put(flow, matchers);
@@ -127,9 +149,11 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
                 if (matched) {
                     if (sm.getMatchedPacketsCount() == sm.getTargetSequencePacketCount()) {
                         // Update maximum skipped packets
-                        updateMaxSkippedPackets(flow.getPackets(), sm.getMatchedPackets());
-                        // Sequence matcher has a match. Report it to observers.
-                        mObservers.forEach(o -> o.onMatch(this, sm.getMatchedPackets()));
+                        boolean stillMatch = checkMaxSkippedPackets(flow.getPackets(), sm.getMatchedPackets());
+                        if (stillMatch) {
+                            // Sequence matcher has a match. Report it to observers.
+                            mObservers.forEach(o -> o.onMatch(this, sm.getMatchedPackets()));
+                        }
                         // Remove the now terminated sequence matcher.
                         matchers[i][j] = null;
                     } else {
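Review bot: When `checkMaxSkippedPackets` returns false, the completed match is dropped with no trace and the matcher is cleared by `matchers[i][j] = null`. Someone tuning `limitSkippedPackets` then cannot tell "no signature in the traffic" from "signature found but suppressed by the limit". An `else` branch that counts or logs the rejection would make suppressed detections visible, for example `} else { mRejectedBySkipLimit++; }` with a matching getter (the field name is only a suggestion). The same pattern appears in the `rangeBasedMatching` hunk further down. The enclosing loops of `conservativeMatching` start and end outside this hunk.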
@@ -147,26 +171,32 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
                     // We always want to have a sequence matcher in state 0, regardless of if the one that advanced
                     // from state zero completed its matching or if it replaced a different one in state 1 or not.
                     if (sm.getMatchedPacketsCount() == 1) {
-                        matchers[i][j] = new Layer2SequenceMatcher(sm.getTargetSequence(), mInclusionTimeMillis);
+                        matchers[i][j] = new Layer2SequenceMatcher(sm.getTargetSequence(), mInclusionTimeMillis,
+                                mTrainingRouterWlanMac, mRouterWlanMac, mDelta, mPacketSet);
                     }
                 }
             }
         }
     }
 
-    // Update the maximum number of skipped packets
-    private void updateMaxSkippedPackets(List<PcapPacket> flowPackets, List<PcapPacket> matchedPackets) {
+    // Update the maximum number of skipped packets.
+    private boolean checkMaxSkippedPackets(List<PcapPacket> flowPackets, List<PcapPacket> matchedPackets) {
         // Count number of skipped packets by looking into
-        // the difference of indices of two matched packets
+        // the difference of indices of two matched packets.
+        boolean stillMatch = true;
         for(int i = 1; i < matchedPackets.size(); ++i) {
             int currIndex = flowPackets.indexOf(matchedPackets.get(i-1));
             int nextIndex = flowPackets.indexOf(matchedPackets.get(i));
             int skippedPackets = nextIndex - currIndex;
-//            if (mMaxSkippedPackets < skippedPackets) {
-//                mMaxSkippedPackets = skippedPackets;
-//            }
-            mMaxSkippedPackets.add(skippedPackets);
+            if (mMaxSkippedPackets < skippedPackets) {
+                mMaxSkippedPackets = skippedPackets;
+            }
+            if (mLimitSkippedPackets < skippedPackets) {
+                stillMatch = false;
+            }
+            mSkippedPackets.add(skippedPackets);
         }
+        return stillMatch;
     }
 
     private void rangeBasedMatching(Layer2Flow flow, PcapPacket newPacket) {
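Review bot: In `checkMaxSkippedPackets`, `nextIndex - currIndex` is 1 for two adjacent packets, so the value compared against `mLimitSkippedPackets` is the index distance, not the number of packets skipped. A limit of 0 would therefore reject every multi-packet match. If the limit is meant to count packets in between, the line should read `int skippedPackets = nextIndex - currIndex - 1;`; otherwise the parameter documentation should say that 1 means "adjacent". `mMaxSkippedPackets` and `mSkippedPackets` are also updated before the verdict is known, so gaps from rejected candidates end up in the statistics returned by the getters. The header comment still reads "Update the maximum number of skipped packets." and could become `// Records the gaps between consecutive matched packets; returns false if any gap exceeds mLimitSkippedPackets.`.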
@@ -177,7 +207,7 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
             List<Layer2RangeMatcher> listMatchers = new ArrayList<>();
             // Prepare a "state 0" sequence matcher.
             Layer2RangeMatcher matcher = new Layer2RangeMatcher(mCluster.get(0), mCluster.get(1),
-                    mInclusionTimeMillis, mEps);
+                    mInclusionTimeMillis, mEps, mTrainingRouterWlanMac, mRouterWlanMac);
             listMatchers.add(matcher);
             // Associate the new sequence matcher table with the new flow.
             mPerFlowRangeMatcher.put(flow, listMatchers);
@@ -195,13 +225,14 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
         // Add the new matcher into the list
         if (addOneArray) {
             Layer2RangeMatcher newMatcher = new Layer2RangeMatcher(mCluster.get(0), mCluster.get(1),
-                    mInclusionTimeMillis, mEps);
+                    mInclusionTimeMillis, mEps, mTrainingRouterWlanMac, mRouterWlanMac);
             listMatchers.add(newMatcher);
         }
         // Present packet to the sequence matchers.
         // Make a shallow copy of the list so that we can clean up the actual list when a matcher is terminated.
         // Otherwise, we would get an exception for changing the list while iterating on it.
         List<Layer2RangeMatcher> listMatchersCopy = new ArrayList<>(listMatchers);
+        Layer2RangeMatcher previousMatcher = null;
         for(Layer2RangeMatcher matcher : listMatchersCopy) {
             Layer2RangeMatcher sm = matcher;
             // Check if no packets are matched yet or if there are matched packets, the next packet to be matched
@@ -214,14 +245,32 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
                     newPacket.getTimestamp().isAfter(sm.getLastPacket().getTimestamp())) {
                 boolean matched = sm.matchPacket(newPacket);
                 if (matched) {
+                    // BUG: found on May 29, 2019
+                    // We need to remove a previous match if the current match is later in time.
+                    // This is done only if we have matched at least 1 packet (we are about to match the second or
+                    // later packets) and we match for the same packet position in the signature (check the size!).
+                    if (previousMatcher != null && sm.getMatchedPacketsCount() > 1 &&
+                            previousMatcher.getMatchedPacketsCount() == sm.getMatchedPacketsCount()) {
+                        List<PcapPacket> previouslyMatchedPackets = previousMatcher.getMatchedPackets();
+                        List<PcapPacket> currentlyMatchedPackets = sm.getMatchedPackets();
+                        // We need to check 1 packet before the last matched packet from the previous matcher.
+                        int packetIndexToCheck = (sm.getMatchedPacketsCount() - 1) - 1;
+                        if (currentlyMatchedPackets.get(packetIndexToCheck).getTimestamp().
+                            isAfter(previouslyMatchedPackets.get(packetIndexToCheck).getTimestamp())) {
+                            listMatchers.remove(previousMatcher);
+                        }
+                    }
                     if (sm.getMatchedPacketsCount() == sm.getTargetSequencePacketCount()) {
                         // Update maximum skipped packets
-                        updateMaxSkippedPackets(flow.getPackets(), sm.getMatchedPackets());
-                        // Sequence matcher has a match. Report it to observers.
-                        mObservers.forEach(o -> o.onMatch(this, sm.getMatchedPackets()));
+                        boolean stillMatch = checkMaxSkippedPackets(flow.getPackets(), sm.getMatchedPackets());
+                        if (stillMatch) {
+                            // Sequence matcher has a match. Report it to observers.
+                            mObservers.forEach(o -> o.onMatch(this, sm.getMatchedPackets()));
+                        }
                         // Terminate sequence matcher since matching is complete.
                         listMatchers.remove(matcher);
                     }
+                    previousMatcher = sm;
                 }
             }
         }
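Review bot: The comment that opens the new block, `// BUG: found on May 29, 2019`, labels the fix itself as a bug and does not say what went wrong. Something like `// Fix (May 29, 2019): drop the earlier partial match when a later matcher reaches the same signature position.` reads better next to the explanation that follows. `(sm.getMatchedPacketsCount() - 1) - 1` could be written `sm.getMatchedPacketsCount() - 2`, with the existing comment explaining the offset. `previousMatcher` may also refer to a matcher that completed and was already removed from `listMatchers` in an earlier iteration, in which case `listMatchers.remove(previousMatcher)` does nothing; a short comment saying this is intended would help. The loop and the start of `rangeBasedMatching` are outside this hunk.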
@@ -268,10 +317,14 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
     /**
       * Return the maximum number of skipped packets.
       */
-//    public int getMaxSkippedPackets() {
-//       return mMaxSkippedPackets;
-//    }
-    public List<Integer> getMaxSkippedPackets() {
-        return mMaxSkippedPackets;
+    public int getMaxSkippedPackets() {
+       return mMaxSkippedPackets;
+    }
+
+    /**
+     * Return the numbers of skipped packets.
+     */
+    public List<Integer> getSkippedPackets() {
+        return mSkippedPackets;
     }
 }
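Review bot: `getSkippedPackets()` returns the internal `mSkippedPackets` list itself, so any caller can add to or clear the matcher's statistics. Since `java.util.*` is now imported, `return Collections.unmodifiableList(mSkippedPackets);` gives a read-only view at no extra cost. `getMaxSkippedPackets()` also changes its return type from `List<Integer>` to `int`, which is a source-incompatible change for existing callers that this page does not show being updated. Its Javadoc could note that the value is an index distance and that it includes candidates rejected by the limit.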