From 862b0fda8609f46b594c3de4e091969dbda5951a Mon Sep 17 00:00:00 2001 From: Janus Varmarken Date: Sat, 28 Apr 2018 20:01:20 -0700 Subject: [PATCH] 1) Skip zero-payload packets when reassemlbing conversations from individual packets. 2) Hardcode TP-Link Local ON pattern. 3) Rushed implementation that finds complete matches of the pattern. --- .../java/edu/uci/iotproject/FlowPattern.java | 20 +++++++++++++ .../edu/uci/iotproject/FlowPatternFinder.java | 29 ++++++++++++++++++- .../main/java/edu/uci/iotproject/Main.java | 2 +- 3 files changed, 49 insertions(+), 2 deletions(-) diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPattern.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPattern.java index 4b5b8fe..7ec2a74 100644 --- a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPattern.java +++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPattern.java @@ -1,8 +1,11 @@ package edu.uci.iotproject; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.List; + /** * TODO add class documentation. * @@ -10,6 +13,18 @@ import java.util.List; */ public class FlowPattern { + static { + // TP-Link Local ON packet lengths (TCP payload only), extracted from ON event at Feb 13, 2018 13:38:04 + // of the 5 switch data collection: + // 517 1448 1448 1448 855 191 51 490 1027 31 + + ArrayList packetLengths = new ArrayList<>(); + packetLengths.addAll(Arrays.asList(new Integer[] {517, 1448, 1448, 1448, 855, 191, 51, 490, 1027, 31})); + TP_LINK_LOCAL_ON = new FlowPattern("TP_LINK_LOCAL_ON", "events.tplinkra.com", packetLengths); + } + + public static final FlowPattern TP_LINK_LOCAL_ON; + private final String patternId; /** @@ -19,6 +34,7 @@ public class FlowPattern { /** * The order of packet lengths that defines this {@link FlowPattern} + * TODO: this is a simplified representation, we should also include information about direction of each packet. */ private final List flowPacketOrder; @@ -28,6 +44,10 @@ public class FlowPattern { this.flowPacketOrder = Collections.unmodifiableList(flowPacketOrder); } + public String getPatternId() { + return patternId; + } + public String getHostname() { return hostname; } diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPatternFinder.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPatternFinder.java index 1732b99..df4d447 100644 --- a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPatternFinder.java +++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/FlowPatternFinder.java @@ -34,7 +34,6 @@ public class FlowPatternFinder { Packet packet; while ((packet = pcap.getNextPacketEx()) != null) { - // For now, we only work support pattern search in TCP over IPv4. IpV4Packet ipPacket = packet.get(IpV4Packet.class); TcpPacket tcpPacket = packet.get(TcpPacket.class); @@ -53,6 +52,12 @@ public class FlowPatternFinder { // Packet not related to pattern, skip it. continue; } + if (tcpPacket.getPayload() == null) { + // We skip non-payload control packets as these are less predictable and should therefore not be + // part of a signature (e.g. receiver can choose not to ACK immediately) + continue; + } + // Identify conversations (connections/sessions) by the four-tuple (clientIp, clientPort, serverIp, serverPort). // TODO: this is strictly not sufficient to differentiate one TCP session from another, but should suffice for now. Conversation conversation = fromClient ? new Conversation(srcAddress, srcPort, dstAddress, dstPort) : @@ -67,6 +72,28 @@ public class FlowPatternFinder { } } catch (EOFException eofe) { System.out.println("findFlowPattern: finished processing entire file"); + find(pattern); + } + } + + private void find(FlowPattern pattern) { + for (Conversation con : connections.keySet()) { + List packets = connections.get(con); + if (packets.size() != pattern.getPacketOrder().size()) { + // Not a complete match if different number of packets. + continue; + } + boolean completeMatch = true; + for (int i = 0; i < packets.size(); i++) { + TcpPacket tcpPacket = packets.get(i).get(TcpPacket.class); + if (tcpPacket.getPayload().length() != pattern.getPacketOrder().get(i)) { + completeMatch = false; + break; + } + } + if (completeMatch) { + System.out.println(String.format("found a complete match for %s", pattern.getPatternId())); + } } } diff --git a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java index 18bb582..b323d84 100644 --- a/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java +++ b/Code/Projects/SmartPlugDetector/src/main/java/edu/uci/iotproject/Main.java @@ -40,7 +40,7 @@ public class Main { handle = Pcaps.openOffline(fileName); } FlowPatternFinder fpf = new FlowPatternFinder(ipToHostnameMap); - fpf.findFlowPattern(handle, new FlowPattern("TP_LINK_LOCAL_ON", "events.tplinkra.com", new ArrayList<>())); + fpf.findFlowPattern(handle, FlowPattern.TP_LINK_LOCAL_ON); // ======================== } -- 2.34.1