From 9f79237b795c928a55b435e12aa6ab47dda87bce Mon Sep 17 00:00:00 2001 From: Janus Varmarken Date: Sun, 13 Jan 2019 14:16:44 -0800 Subject: [PATCH] Layer2SequenceMatcher: check packet directions when matching sequence. --- .../layer2/Layer2SequenceMatcher.java | 102 +++++++++++++++--- 1 file changed, 89 insertions(+), 13 deletions(-) diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java index db7295d..10ae34e 100644 --- a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java +++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/detection/layer2/Layer2SequenceMatcher.java @@ -1,7 +1,9 @@ package edu.uci.iotproject.detection.layer2; import edu.uci.iotproject.analysis.TriggerTrafficExtractor; +import edu.uci.iotproject.util.PcapPacketUtils; import org.pcap4j.core.PcapPacket; +import org.pcap4j.util.MacAddress; import java.util.ArrayList; import java.util.List; @@ -26,12 +28,33 @@ public class Layer2SequenceMatcher { */ private final List mMatchedPackets = new ArrayList<>(); + /** + * Models the directions of packets in {@link #mSequence}. As the sequence matcher assumes that it is only presented + * with packet from a single flow (packets exchanged between two devices), we can model the packet directions with a + * single bit. We don't have any notion "phone to device" or "device to phone" as we don't know the MAC addresses + * of devices in advance during matching. + */ + private final boolean[] mPacketDirections; + /** * Create a {@code Layer2SequenceMatcher}. * @param sequence The sequence to match against (search for). */ public Layer2SequenceMatcher(List sequence) { mSequence = sequence; + // Compute packet directions for sequence. + mPacketDirections = new boolean[sequence.size()]; + for (int i = 0; i < sequence.size(); i++) { + if (i == 0) { + // No previous packet; boolean parameter is ignored in this special case. + mPacketDirections[i] = getPacketDirection(null, true, sequence.get(i)); + } else { + // Base direction marker on direction of previous packet. + PcapPacket prevPkt = mSequence.get(i-1); + boolean prevPktDirection = mPacketDirections[i-1]; + mPacketDirections[i] = getPacketDirection(prevPkt, prevPktDirection, sequence.get(i)); + } + } } /** @@ -42,29 +65,58 @@ public class Layer2SequenceMatcher { * matched packets, {@code false} otherwise. */ public boolean matchPacket(PcapPacket packet) { - // The packet we want to match next. + if (getMatchedPacketsCount() == getTargetSequencePacketCount()) { + // We already matched the entire sequence, so we can't match any more packets. + return false; + } + + // Verify that new packet pertains to same flow as previously matched packets, if any. + if (getMatchedPacketsCount() > 0) { + MacAddress pktSrc = PcapPacketUtils.getEthSrcAddr(packet); + MacAddress pktDst = PcapPacketUtils.getEthDstAddr(packet); + MacAddress earlierPktSrc = PcapPacketUtils.getEthSrcAddr(mMatchedPackets.get(0)); + MacAddress earlierPktDst = PcapPacketUtils.getEthDstAddr(mMatchedPackets.get(0)); + if (!(pktSrc.equals(earlierPktSrc) && pktDst.equals(earlierPktDst) || + pktSrc.equals(earlierPktDst) && pktDst.equals(earlierPktSrc))) { + return false; + } + } + + // Get representative of the packet we expect to match next. PcapPacket expected = mSequence.get(mMatchedPackets.size()); // First verify if the received packet has the length we're looking for. if (packet.getOriginalLength() == expected.getOriginalLength()) { + // If this is the first packet, we only need to verify that its length is correct. Time constraints are + // obviously satisfied as there are no previous packets. Furthermore, direction matches by definition as we + // don't know the MAC of the device (or phone) in advance, so we can't enforce a rule saying "first packet + // must originate from this particular MAC". + if (getMatchedPacketsCount() == 0) { + // Store packet as matched and advance. + mMatchedPackets.add(packet); + return true; + } + // Check if direction of packet matches expected direction. + boolean actualDirection = getPacketDirection(mMatchedPackets.get(getMatchedPacketsCount()-1), + mPacketDirections[getMatchedPacketsCount()-1], packet); + boolean expectedDirection = mPacketDirections[getMatchedPacketsCount()]; + if (actualDirection != expectedDirection) { + return false; + } // Next apply timing constraints: - // - to be a match, the packet must have a later timestamp than any other packet currently matched - // - does adding the packet cause the max allowed time between first packet and last packet to be exceeded? - if (mMatchedPackets.size() > 0 && - !packet.getTimestamp().isAfter(mMatchedPackets.get(mMatchedPackets.size()-1).getTimestamp())) { + // 1: to be a match, the packet must have a later timestamp than any other packet currently matched + // 2: does adding the packet cause the max allowed time between first packet and last packet to be exceeded? + if (!packet.getTimestamp().isAfter(mMatchedPackets.get(getMatchedPacketsCount()-1).getTimestamp())) { return false; } - if (mMatchedPackets.size() > 0 && - packet.getTimestamp(). - isAfter(mMatchedPackets.get(0).getTimestamp(). - plusMillis(TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS))) { - // Packet too + if (packet.getTimestamp().isAfter(mMatchedPackets.get(0).getTimestamp(). + plusMillis(TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS))) { return false; } - // TODO (how to) check directions? - // This packet has a length matching next packet of searched sequence, so we store it and advance. + // If we made it here, it means that this packet has the expected length, direction, and obeys the timing + // constraints, so we store it and advance. mMatchedPackets.add(packet); if (mMatchedPackets.size() == mSequence.size()) { - // TODO report (to observers?) that we are done. + // TODO report (to observers?) that we are done? } return true; } @@ -86,4 +138,28 @@ public class Layer2SequenceMatcher { public List getMatchedPackets() { return mMatchedPackets; } + + /** + * Compute the direction of a packet based on the previous packet. If no previous packet is provided, the direction + * of {@code currPkt} is {@code true} by definition. + * @param prevPkt The previous packet, if any. + * @param prevPktDirection The computed direction of the previous packet + * @param currPkt The current packet for which the direction is to be determined. + * @return The direction of {@code currPkt}. + */ + private boolean getPacketDirection(PcapPacket prevPkt, boolean prevPktDirection, PcapPacket currPkt) { + if (prevPkt == null) { + // By definition, use true as direction marker for first packet + return true; + } + if (PcapPacketUtils.getEthSrcAddr(prevPkt).equals(PcapPacketUtils.getEthSrcAddr(currPkt))) { + // Current packet goes in same direction as previous packet. + return prevPktDirection; + } else { + // Current packet goes in opposite direction of previous packet. + return !prevPktDirection; + } + } + + } -- 2.34.1