Layer2SequenceMatcher: check packet directions when matching sequence.
authorJanus Varmarken <varmarken@gmail.com>
Sun, 13 Jan 2019 22:16:44 +0000 (14:16 -0800)
committerJanus Varmarken <varmarken@gmail.com>
Sun, 13 Jan 2019 22:16:44 +0000 (14:16 -0800)
Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java

index db7295d..10ae34e 100644 (file)
@@ -1,7 +1,9 @@
 package edu.uci.iotproject.detection.layer2;
 
 import edu.uci.iotproject.analysis.TriggerTrafficExtractor;
+import edu.uci.iotproject.util.PcapPacketUtils;
 import org.pcap4j.core.PcapPacket;
+import org.pcap4j.util.MacAddress;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -26,12 +28,33 @@ public class Layer2SequenceMatcher {
      */
     private final List<PcapPacket> mMatchedPackets = new ArrayList<>();
 
+    /**
+     * Models the directions of packets in {@link #mSequence}. As the sequence matcher assumes that it is only presented
+     * with packet from a single flow (packets exchanged between two devices), we can model the packet directions with a
+     * single bit. We don't have any notion "phone to device" or "device to phone" as we don't know the MAC addresses
+     * of devices in advance during matching.
+     */
+    private final boolean[] mPacketDirections;
+
     /**
      * Create a {@code Layer2SequenceMatcher}.
      * @param sequence The sequence to match against (search for).
      */
     public Layer2SequenceMatcher(List<PcapPacket> sequence) {
         mSequence = sequence;
+        // Compute packet directions for sequence.
+        mPacketDirections = new boolean[sequence.size()];
+        for (int i = 0; i < sequence.size(); i++) {
+            if (i == 0) {
+                // No previous packet; boolean parameter is ignored in this special case.
+                mPacketDirections[i] = getPacketDirection(null, true, sequence.get(i));
+            } else {
+                // Base direction marker on direction of previous packet.
+                PcapPacket prevPkt = mSequence.get(i-1);
+                boolean prevPktDirection = mPacketDirections[i-1];
+                mPacketDirections[i] = getPacketDirection(prevPkt, prevPktDirection, sequence.get(i));
+            }
+        }
     }
 
     /**
@@ -42,29 +65,58 @@ public class Layer2SequenceMatcher {
      *         matched packets, {@code false} otherwise.
      */
     public boolean matchPacket(PcapPacket packet) {
-        // The packet we want to match next.
+        if (getMatchedPacketsCount() == getTargetSequencePacketCount()) {
+            // We already matched the entire sequence, so we can't match any more packets.
+            return false;
+        }
+
+        // Verify that new packet pertains to same flow as previously matched packets, if any.
+        if (getMatchedPacketsCount() > 0) {
+            MacAddress pktSrc = PcapPacketUtils.getEthSrcAddr(packet);
+            MacAddress pktDst = PcapPacketUtils.getEthDstAddr(packet);
+            MacAddress earlierPktSrc = PcapPacketUtils.getEthSrcAddr(mMatchedPackets.get(0));
+            MacAddress earlierPktDst = PcapPacketUtils.getEthDstAddr(mMatchedPackets.get(0));
+            if (!(pktSrc.equals(earlierPktSrc) && pktDst.equals(earlierPktDst) ||
+                    pktSrc.equals(earlierPktDst) && pktDst.equals(earlierPktSrc))) {
+                return false;
+            }
+        }
+
+        // Get representative of the packet we expect to match next.
         PcapPacket expected = mSequence.get(mMatchedPackets.size());
         // First verify if the received packet has the length we're looking for.
         if (packet.getOriginalLength() == expected.getOriginalLength()) {
+            // If this is the first packet, we only need to verify that its length is correct. Time constraints are
+            // obviously satisfied as there are no previous packets. Furthermore, direction matches by definition as we
+            // don't know the MAC of the device (or phone) in advance, so we can't enforce a rule saying "first packet
+            // must originate from this particular MAC".
+            if (getMatchedPacketsCount() == 0) {
+                // Store packet as matched and advance.
+                mMatchedPackets.add(packet);
+                return true;
+            }
+            // Check if direction of packet matches expected direction.
+            boolean actualDirection = getPacketDirection(mMatchedPackets.get(getMatchedPacketsCount()-1),
+                    mPacketDirections[getMatchedPacketsCount()-1], packet);
+            boolean expectedDirection = mPacketDirections[getMatchedPacketsCount()];
+            if (actualDirection != expectedDirection) {
+                return false;
+            }
             // Next apply timing constraints:
-            // - to be a match, the packet must have a later timestamp than any other packet currently matched
-            // - does adding the packet cause the max allowed time between first packet and last packet to be exceeded?
-            if (mMatchedPackets.size() > 0 &&
-                    !packet.getTimestamp().isAfter(mMatchedPackets.get(mMatchedPackets.size()-1).getTimestamp())) {
+            // 1: to be a match, the packet must have a later timestamp than any other packet currently matched
+            // 2: does adding the packet cause the max allowed time between first packet and last packet to be exceeded?
+            if (!packet.getTimestamp().isAfter(mMatchedPackets.get(getMatchedPacketsCount()-1).getTimestamp())) {
                 return false;
             }
-            if (mMatchedPackets.size() > 0 &&
-                    packet.getTimestamp().
-                            isAfter(mMatchedPackets.get(0).getTimestamp().
-                                    plusMillis(TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS))) {
-                // Packet too
+            if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp().
+                            plusMillis(TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS))) {
                 return false;
             }
-            // TODO (how to) check directions?
-            // This packet has a length matching next packet of searched sequence, so we store it and advance.
+            // If we made it here, it means that this packet has the expected length, direction, and obeys the timing
+            // constraints, so we store it and advance.
             mMatchedPackets.add(packet);
             if (mMatchedPackets.size() == mSequence.size()) {
-                // TODO report (to observers?) that we are done.
+                // TODO report (to observers?) that we are done?
             }
             return true;
         }
@@ -86,4 +138,28 @@ public class Layer2SequenceMatcher {
     public List<PcapPacket> getMatchedPackets() {
         return mMatchedPackets;
     }
+
+    /**
+     * Compute the direction of a packet based on the previous packet. If no previous packet is provided, the direction
+     * of {@code currPkt} is {@code true} by definition.
+     * @param prevPkt The previous packet, if any.
+     * @param prevPktDirection The computed direction of the previous packet
+     * @param currPkt The current packet for which the direction is to be determined.
+     * @return The direction of {@code currPkt}.
+     */
+    private boolean getPacketDirection(PcapPacket prevPkt, boolean prevPktDirection, PcapPacket currPkt) {
+        if (prevPkt == null) {
+            // By definition, use true as direction marker for first packet
+            return true;
+        }
+        if (PcapPacketUtils.getEthSrcAddr(prevPkt).equals(PcapPacketUtils.getEthSrcAddr(currPkt))) {
+            // Current packet goes in same direction as previous packet.
+            return prevPktDirection;
+        } else {
+            // Current packet goes in opposite direction of previous packet.
+            return !prevPktDirection;
+        }
+    }
+
+
 }