class Setup: """ This is the starting class of the Discoverer implementation It creates Message objects out of the sequences read from an inputfile performs type inference and and clusters them ("Initial clustering" step) """ def __init__(self, flowBasedSequences, performFullAnalysis=True): if flowBasedSequences == None: print "FATAL: No sequences loaded yet" return False self.cluster_collection = ClusterCollection() for directionTuple in flowBasedSequences: flowDirection = directionTuple[1] #print directionTuple[0]['zRF1otvQJQ5'] for seqs in directionTuple[0]: flowInfo = directionTuple[0][seqs] for seq in flowInfo.sequences: #=========================================================== # myseq = seq.sequence # if myseq[0] == 0xd: # if myseq[1] == 0xa: # print "Found 0D0A in seq ", myseq, " in flowInfo ", flowInfo #=========================================================== newMessage = Message(seq.sequence, seq.connIdent, seq.mNumber, seq.flowNumber, flowDirection, performFullAnalysis) self.cluster_collection.add_message_to_cluster(newMessage) #print newMessage.get_payload() #print "Tokenlist of ", seq.sequence, " = ", newMessage.get_tokenrepresentation_string() # Cluster message #=============================================================== # newrep = newMessage.get_tokenrepresentation() # if not cluster.has_key(newrep): # cluster.update({newrep: [newMessage]}) # else: # l = cluster.get(newrep) # l.append(newMessage) # cluster.update({newrep: l}) #=============================================================== def __repr__(self): return "%s" % self.cluster_collection def get_cluster_collection(self): return self.cluster_collection def debug(self): cluster = self.cluster_collection.get_all_cluster() # Print cluster for c in cluster: keys = c.keys() for key in keys: l = c.get(key) print "Key: {0} Elements: {1}".format(key, l)
def __init__(self, flowBasedSequences, performFullAnalysis=True): if flowBasedSequences == None: print "FATAL: No sequences loaded yet" return False self.cluster_collection = ClusterCollection() for directionTuple in flowBasedSequences: flowDirection = directionTuple[1] #print directionTuple[0]['zRF1otvQJQ5'] for seqs in directionTuple[0]: flowInfo = directionTuple[0][seqs] for seq in flowInfo.sequences: #=========================================================== # myseq = seq.sequence # if myseq[0] == 0xd: # if myseq[1] == 0xa: # print "Found 0D0A in seq ", myseq, " in flowInfo ", flowInfo #=========================================================== newMessage = Message(seq.sequence, seq.connIdent, seq.mNumber, seq.flowNumber, flowDirection, performFullAnalysis) self.cluster_collection.add_message_to_cluster(newMessage)
def __init__(self,flowBasedSequences, performFullAnalysis=True): if flowBasedSequences==None: print "FATAL: No sequences loaded yet" return False self.cluster_collection = ClusterCollection() for directionTuple in flowBasedSequences: flowDirection = directionTuple[1] #print directionTuple[0]['zRF1otvQJQ5'] for seqs in directionTuple[0]: flowInfo = directionTuple[0][seqs] for seq in flowInfo.sequences: #=========================================================== # myseq = seq.sequence # if myseq[0] == 0xd: # if myseq[1] == 0xa: # print "Found 0D0A in seq ", myseq, " in flowInfo ", flowInfo #=========================================================== newMessage = Message(seq.sequence, seq.connIdent, seq.mNumber, seq.flowNumber, flowDirection, performFullAnalysis) self.cluster_collection.add_message_to_cluster(newMessage)
class Setup: """ This is the starting class of the Discoverer implementation It creates Message objects out of the sequences read from an inputfile performs type inference and and clusters them ("Initial clustering" step) """ def __init__(self,flowBasedSequences, performFullAnalysis=True): if flowBasedSequences==None: print "FATAL: No sequences loaded yet" return False self.cluster_collection = ClusterCollection() for directionTuple in flowBasedSequences: flowDirection = directionTuple[1] #print directionTuple[0]['zRF1otvQJQ5'] for seqs in directionTuple[0]: flowInfo = directionTuple[0][seqs] for seq in flowInfo.sequences: #=========================================================== # myseq = seq.sequence # if myseq[0] == 0xd: # if myseq[1] == 0xa: # print "Found 0D0A in seq ", myseq, " in flowInfo ", flowInfo #=========================================================== newMessage = Message(seq.sequence, seq.connIdent, seq.mNumber, seq.flowNumber, flowDirection, performFullAnalysis) self.cluster_collection.add_message_to_cluster(newMessage) #print newMessage.get_payload() #print "Tokenlist of ", seq.sequence, " = ", newMessage.get_tokenrepresentation_string() # Cluster message #=============================================================== # newrep = newMessage.get_tokenrepresentation() # if not cluster.has_key(newrep): # cluster.update({newrep: [newMessage]}) # else: # l = cluster.get(newrep) # l.append(newMessage) # cluster.update({newrep: l}) #=============================================================== def __repr__(self): return "%s" % self.cluster_collection def get_cluster_collection(self): return self.cluster_collection def debug(self): cluster = self.cluster_collection.get_all_cluster() # Print cluster for c in cluster: keys = c.keys() for key in keys: l = c.get(key) print "Key: {0} Elements: {1}".format(key,l)
def perform_recursive_clustering(cluster_collection, startAt): """ Performs a recursive clustering on a list of clusters given via cluster_collection. The recursion is performed according to the Discoverer paper by Cui et al. At first new number of distinct values for each token are calculated in each cluster and if this number is lower than a configurable number, the token is considered a FD. Then the number of subclusters that would be generated is calculated. If these subclusters contain at least one cluster containing more than a configurable amount of messages, the clustering is performed and the token is considered a FD. Then the recursion is performed on each of the new clusters with the next token. """ # Scan for FD token, Phase 1 clusters = cluster_collection.get_all_cluster()[:] # <-- "[:]" Very very important... otherwise our iterated list will change because of deletions... # Save startAt information over cluster iteration __startAt = startAt for cluster in clusters: if Globals.getConfig().debug: print "Starting processing for next cluster ({0} messages)".format(len(cluster.get_messages())) startAt = __startAt #tokenValue = token.get_token() # Check distinct number of values of token foundFD = False maxTokenIdx = len(cluster.get_messages()[0].get_tokenlist()) while not foundFD and startAt<maxTokenIdx: l = [] #print "Analyzing token %s" % startAt # Check whether this might be a length token if "lengthfield" in set(cluster.get_semantics_for_token(startAt)): # Current token is a length token. Do not treat as FD startAt += 1 continue if not Globals.getConfig().allowAdjacentFDs: if startAt>0: if "FD"in set(cluster.get_semantics_for_token(startAt-1)): # We have an adjacent FD print "Two adjacent FDs forbidden by configuration, skipping to next token" continue for message in cluster.get_messages(): l.append(message.get_tokenAt(startAt).get_token()) numOfDistinctValuesForToken = len(set(l)) if Globals.getConfig().minDistinctFDValues < numOfDistinctValuesForToken <= Globals.getConfig().maxDistinctFDValues: # FD candidate found # Check number of potential clusters sumUp = Counter(l) wouldCluster = False for key in sumUp.keys(): if sumUp.get(key)>Globals.getConfig().minimumClusterSize: # Minimum cluster size of at least one cluster wouldCluster = True break if wouldCluster: # Check if adjacent text/text FDs are allowed in text protocols if Globals.getProtocolClassification()==Globals.protocolText: if not Globals.getConfig().allowAdjacentTextFDs: if startAt>0: # Check whether the previous one is a text FD (type text and no semantic numeric) if "FD" in set(cluster.get_semantics_for_token(startAt-1)): if cluster.get_format(startAt-1)==Message.typeText and ( cluster.get_format(startAt)==Message.typeText and ("numeric" not in cluster.get_semantics_for_token(startAt-1))): print "Two adjacent text FDs forbidden by configuration, skipping to next token" continue # Create new cluster if Globals.getConfig().debug: print "Subcluster prerequisites fulfilled. Adding FD semantic, splitting cluster and entering recursion" # Senseless here: message.get_tokenAt(startAt).add_semantic("FD") cluster.add_semantic_for_token(startAt,"FD") newCollection = ClusterCollection() for key in sumUp.keys(): messagesWithValue = cluster.get_messages_with_value_at(startAt,key) newCluster = Cluster(messagesWithValue[0].get_tokenrepresentation(), "recursion") newCluster.setSplitpoint("{0}".format(startAt)) newCluster.add_messages(messagesWithValue) newCluster.add_semantic_for_token(startAt, "FD") newCollection.add_cluster(newCluster) if Globals.getConfig().debug: print "{0} sub clusters generated".format(len(sumUp.keys())) # Perform format inference on new cluster collection formatinference.perform_format_inference_for_cluster_collection(newCollection) semanticinference.perform_semantic_inference(newCollection) # Merge clusters with same format while newCollection.mergeClustersWithSameFormat(): pass # Perform needle wunsch # Edit 20120120 - not here #=========================================================== # cluster1 = newCollection.get_random_cluster() # cluster2 = newCollection.get_random_cluster() # format1 = cluster1.get_formats() # format2 = cluster2.get_formats() # needlewunsch.needlewunsch(format1, format2) # #=========================================================== # Perform recursive step perform_recursive_clustering(newCollection, startAt+1) # Remove old parent cluster cluster_collection.remove_cluster(cluster) cluster_collection.add_clusters(newCollection.get_all_cluster()) foundFD = True else: pass #print "Subclustering prerequisites not fulfilled. Will not sub-cluster" startAt+=1 if Globals.getConfig().debug: print "Recursive clustering analysis for cluster finished"
def perform_recursive_clustering(cluster_collection, startAt): """ Performs a recursive clustering on a list of clusters given via cluster_collection. The recursion is performed according to the Discoverer paper by Cui et al. At first new number of distinct values for each token are calculated in each cluster and if this number is lower than a configurable number, the token is considered a FD. Then the number of subclusters that would be generated is calculated. If these subclusters contain at least one cluster containing more than a configurable amount of messages, the clustering is performed and the token is considered a FD. Then the recursion is performed on each of the new clusters with the next token. """ # Scan for FD token, Phase 1 clusters = cluster_collection.get_all_cluster( )[:] # <-- "[:]" Very very important... otherwise our iterated list will change because of deletions... # Save startAt information over cluster iteration __startAt = startAt for cluster in clusters: if Globals.getConfig().debug: print "Starting processing for next cluster ({0} messages)".format( len(cluster.get_messages())) startAt = __startAt #tokenValue = token.get_token() # Check distinct number of values of token foundFD = False maxTokenIdx = len(cluster.get_messages()[0].get_tokenlist()) while not foundFD and startAt < maxTokenIdx: l = [] #print "Analyzing token %s" % startAt # Check whether this might be a length token if "lengthfield" in set(cluster.get_semantics_for_token(startAt)): # Current token is a length token. Do not treat as FD startAt += 1 continue if not Globals.getConfig().allowAdjacentFDs: if startAt > 0: if "FD" in set(cluster.get_semantics_for_token( startAt - 1)): # We have an adjacent FD print "Two adjacent FDs forbidden by configuration, skipping to next token" continue for message in cluster.get_messages(): l.append(message.get_tokenAt(startAt).get_token()) numOfDistinctValuesForToken = len(set(l)) if Globals.getConfig( ).minDistinctFDValues < numOfDistinctValuesForToken <= Globals.getConfig( ).maxDistinctFDValues: # FD candidate found # Check number of potential clusters sumUp = Counter(l) wouldCluster = False for key in sumUp.keys(): if sumUp.get(key) > Globals.getConfig( ).minimumClusterSize: # Minimum cluster size of at least one cluster wouldCluster = True break if wouldCluster: # Check if adjacent text/text FDs are allowed in text protocols if Globals.getProtocolClassification( ) == Globals.protocolText: if not Globals.getConfig().allowAdjacentTextFDs: if startAt > 0: # Check whether the previous one is a text FD (type text and no semantic numeric) if "FD" in set( cluster.get_semantics_for_token( startAt - 1)): if cluster.get_format( startAt - 1) == Message.typeText and ( cluster.get_format(startAt) == Message.typeText and ("numeric" not in cluster. get_semantics_for_token( startAt - 1))): print "Two adjacent text FDs forbidden by configuration, skipping to next token" continue # Create new cluster if Globals.getConfig().debug: print "Subcluster prerequisites fulfilled. Adding FD semantic, splitting cluster and entering recursion" # Senseless here: message.get_tokenAt(startAt).add_semantic("FD") cluster.add_semantic_for_token(startAt, "FD") newCollection = ClusterCollection() for key in sumUp.keys(): messagesWithValue = cluster.get_messages_with_value_at( startAt, key) newCluster = Cluster( messagesWithValue[0].get_tokenrepresentation(), "recursion") newCluster.setSplitpoint("{0}".format(startAt)) newCluster.add_messages(messagesWithValue) newCluster.add_semantic_for_token(startAt, "FD") newCollection.add_cluster(newCluster) if Globals.getConfig().debug: print "{0} sub clusters generated".format( len(sumUp.keys())) # Perform format inference on new cluster collection formatinference.perform_format_inference_for_cluster_collection( newCollection) semanticinference.perform_semantic_inference(newCollection) # Merge clusters with same format while newCollection.mergeClustersWithSameFormat(): pass # Perform needle wunsch # Edit 20120120 - not here #=========================================================== # cluster1 = newCollection.get_random_cluster() # cluster2 = newCollection.get_random_cluster() # format1 = cluster1.get_formats() # format2 = cluster2.get_formats() # needlewunsch.needlewunsch(format1, format2) # #=========================================================== # Perform recursive step perform_recursive_clustering(newCollection, startAt + 1) # Remove old parent cluster cluster_collection.remove_cluster(cluster) cluster_collection.add_clusters( newCollection.get_all_cluster()) foundFD = True else: pass #print "Subclustering prerequisites not fulfilled. Will not sub-cluster" startAt += 1 if Globals.getConfig().debug: print "Recursive clustering analysis for cluster finished"