From da522d853c482a182fb7032251fd936caee6f317 Mon Sep 17 00:00:00 2001
From: rtrimana 
Date: Fri, 15 Mar 2019 14:40:12 -0700
Subject: [PATCH] Trying to be more strict by applying the signature duration constraint at packet level.

---
 .../layer2/Layer2ClusterMatcher.java | 2 +-
 .../layer3/Layer3ClusterMatcher.java | 32 +++++++++++++++----
 .../layer3/Layer3SignatureDetector.java | 3 +-
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2ClusterMatcher.java b/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2ClusterMatcher.java
index 7fb571a..a3f4d0e 100644
--- a/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2ClusterMatcher.java
+++ b/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer2/Layer2ClusterMatcher.java
@@ -63,7 +63,7 @@ public class Layer2ClusterMatcher extends AbstractClusterMatcher implements Laye
 * namely when the {@link Layer2FlowReassembler} notifies the {@link Layer2ClusterMatcher} about
 * the new flow. This functionality may for example come in handy when one only wants to search
 * for matches in the subset of flows that involves a specific (range of) MAC(s).
- * @param inclusionTimeMillis Packet inclusion limit for matching.
+ * @param inclusionTimeMillis Packet inclusion time limit for matching.
 * @param isRangeBased The boolean that decides if it is range-based vs. strict matching.
 * @param eps The epsilon value used in the DBSCAN algorithm.
 */
diff --git a/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3ClusterMatcher.java b/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3ClusterMatcher.java
index 53fab96..e314deb 100644
--- a/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3ClusterMatcher.java
+++ b/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3ClusterMatcher.java
@@ -1,5 +1,6 @@
 package edu.uci.iotproject.detection.layer3;
 
+import edu.uci.iotproject.analysis.TriggerTrafficExtractor;
 import edu.uci.iotproject.detection.AbstractClusterMatcher;
 import edu.uci.iotproject.detection.ClusterMatcherObserver;
 import edu.uci.iotproject.trafficreassembly.layer3.Conversation;
@@ -44,19 +45,26 @@ public class Layer3ClusterMatcher extends AbstractClusterMatcher implements Pack */ private final double mEps; + /** + * The packet inclusion time for signature. + */ + private int mInclusionTimeMillis; + /** * Create a {@link Layer3ClusterMatcher}. * @param cluster The cluster that traffic is matched against. * @param routerWanIp The router's WAN IP if examining traffic captured at the ISP's point of view (used for * determining the direction of packets). - * @param eps The epsilon value used in the DBSCAN algorithm. + * @param inclusionTimeMillis The packet inclusion time for signature. * @param isRangeBased The boolean that decides if it is range-based vs. strict matching. + * @param eps The epsilon value used in the DBSCAN algorithm. * @param detectionObservers Client code that wants to get notified whenever the {@link Layer3ClusterMatcher} detects that * (a subset of) the examined traffic is similar to the traffic that makes up * {@code cluster}, i.e., when the examined traffic is classified as pertaining to * {@code cluster}. */ - public Layer3ClusterMatcher(List> cluster, String routerWanIp, boolean isRangeBased, double eps, + public Layer3ClusterMatcher(List> cluster, String routerWanIp, int inclusionTimeMillis, + boolean isRangeBased, double eps, ClusterMatcherObserver... detectionObservers) { super(cluster, isRangeBased); Objects.requireNonNull(detectionObservers, "detectionObservers cannot be null"); @@ -83,6 +91,8 @@ public class Layer3ClusterMatcher extends AbstractClusterMatcher implements Pack } mEps = eps; mRouterWanIp = routerWanIp; + mInclusionTimeMillis = + inclusionTimeMillis == 0 ? TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS : inclusionTimeMillis; } @Override 
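Review bot: The new field `mInclusionTimeMillis` is declared `private int` rather than `private final int`, although, like `mEps` two lines above it, it is assigned only in the constructor; making it final matches the class's existing fields and documents that the window is fixed for the matcher's lifetime. The constructor in the @@ -83 hunk special-cases only `0` (substituting `TriggerTrafficExtractor.INCLUSION_WINDOW_MILLIS`), so a negative value passes straight through, and because the matcher later rejects any match whose last packet lies after `first.plusMillis(mInclusionTimeMillis)`, a negative window silently suppresses every match without any error. I would reject it up front, `if (inclusionTimeMillis < 0) throw new IllegalArgumentException("inclusionTimeMillis must be non-negative: " + inclusionTimeMillis);`, and extend the `@param inclusionTimeMillis` Javadoc to state that 0 selects the default window. The constructor body between the two hunks is outside this view.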
@@ -121,8 +131,13 @@ public class Layer3ClusterMatcher extends AbstractClusterMatcher implements Pack
 while ((match = findSubsequenceInSequence(lowerBound, upperBound, cPkts, mClusterMemberDirections, null)).
 isPresent()) {
 List matchSeq = match.get();
- // Notify observers about the match.
- mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
+// // Notify observers about the match.
+// mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
+ if (!matchSeq.get(matchSeq.size()-1).getTimestamp().isAfter(matchSeq.get(0).getTimestamp().
+ plusMillis(mInclusionTimeMillis))) {
+ // Notify observers about the match.
+ mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
+ }
 /*
 * Get the index in cPkts of the last packet in the sequence of packets that matches the searched
 * signature sequence.
@@ -163,8 +178,13 @@ public class Layer3ClusterMatcher extends AbstractClusterMatcher implements Pack
 while ((match = findSubsequenceInSequence(signatureSequence, cPkts, mClusterMemberDirections, null)).
 isPresent()) {
 List matchSeq = match.get();
- // Notify observers about the match.
- mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
+// // Notify observers about the match.
+// mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
+ if (!matchSeq.get(matchSeq.size()-1).getTimestamp().isAfter(matchSeq.get(0).getTimestamp().
+ plusMillis(mInclusionTimeMillis))) {
+ // Notify observers about the match.
+ mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
+ }
 /*
 * Get the index in cPkts of the last packet in the sequence of packets that matches the searched
 * signature sequence.
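Review bot: The inclusion-window condition added in this loop and again in the @@ -163 hunk is the same two-line expression written twice, and each copy sits below a commented-out duplicate of the old notification (`+// // Notify observers about the match.`, `+// mObservers.forEach(...)`); the dead lines should be deleted and the condition moved into one private helper so the two loops cannot drift apart. A rejected match is also dropped silently, and the index bookkeeping that follows (outside the hunk) appears to advance past the rejected sequence either way, so it is worth confirming that this cannot skip packets belonging to a later, shorter match; a trace-level log line in an `else` branch would make the filter's effect visible when tuning the window. Both loop bodies continue beyond the hunk.
```java
List<PcapPacket> matchSeq = match.get();
if (isWithinInclusionWindow(matchSeq)) {
    // Notify observers about the match.
    mObservers.forEach(o -> o.onMatch(Layer3ClusterMatcher.this, matchSeq));
}
// … unchanged: index bookkeeping for the next search …

/**
 * Returns true when the last packet of {@code matchSeq} is no later than
 * {@code mInclusionTimeMillis} after its first packet, i.e. the whole match
 * fits inside the signature's inclusion window.
 */
private boolean isWithinInclusionWindow(List<PcapPacket> matchSeq) {
    return !matchSeq.get(matchSeq.size() - 1).getTimestamp()
            .isAfter(matchSeq.get(0).getTimestamp().plusMillis(mInclusionTimeMillis));
}
```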
diff --git a/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3SignatureDetector.java b/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3SignatureDetector.java
index 3c6d331..b11fef8 100644
--- a/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3SignatureDetector.java
+++ b/Code/Projects/PacketLevelSignatureExtractor/src/main/java/edu/uci/iotproject/detection/layer3/Layer3SignatureDetector.java
@@ -248,7 +248,8 @@ public class Layer3SignatureDetector implements PacketListener, ClusterMatcherOb
 // Generate corresponding/appropriate ClusterMatchers based on the provided signature
 List clusterMatchers = new ArrayList<>();
 for (List> cluster : mSignature) {
- clusterMatchers.add(new Layer3ClusterMatcher(cluster, routerWanIp, isRangeBased, eps, this));
+ clusterMatchers.add(new Layer3ClusterMatcher(cluster, routerWanIp, inclusionTimeMillis,
+ isRangeBased, eps, this));
 }
 mClusterMatchers = Collections.unmodifiableList(clusterMatchers);
-- 
2.34.1