BytePairsReocurringCountIn32FirstBytesMeter
From spid
BytePairsReocurringCountIn32FirstBytesMeter is an attribute meter used in the SPID algorithm.
Description
This attribute meter counts the byte pairs (two consecutive bytes, taken at even offsets within the first 32 bytes of the packet, i.e. at most 16 non-overlapping pairs) that occur in both the current packet and the preceding packet of the same session. Each distinct pair is counted once per packet. The attribute meter also takes into account the direction in which the packet was sent, as well as the direction of the preceding packet, so the same reoccurrence count yields a different measurement value depending on the direction combination.
Background
I got the idea for this attribute meter while reading the paper Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots by Corrado Leita, Marc Dacier, and Frederic Massicotte. The idea is that commonly reoccurring 16-bit fields (or longer) will be detected. This will probably work best in binary protocols, such as SMB (where each packet starts with the SMB header FF 53 4D 42, i.e. 0xFF followed by the ASCII letters "SMB") and NetBIOS (which is often what carries SMB over TCP, by the way), but it should also work for protocols like Telnet, where the server echoes back the commands from the client.
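To make the description concrete, here is an added example (not SPID's own code, and not taken from the paper above) that re-implements the meter's logic in Python and runs it over constructed SMB and Telnet-style packets so the measurements can be inspected. The bin layout, i.e. the value of DIRECTION_PAIR_LENGTH and the direction_pair_offset function, is an assumption, since the page does not show those parts of the C# class; the sample payloads are constructed by hand, not captured traffic.

```python
# Added example (not SPID's own code): Python re-implementation of the
# BytePairsReocurringCountIn32FirstBytesMeter logic over constructed packets.
# DIRECTION_PAIR_LENGTH and direction_pair_offset are assumptions; the page does
# not show how SPID lays out the measurement bins.
from enum import Enum


class PacketDirection(Enum):
    CLIENT_TO_SERVER = 0
    SERVER_TO_CLIENT = 1


MAX_PAIRS = 16                          # 32 first bytes -> 16 non-overlapping pairs
DIRECTION_PAIR_LENGTH = MAX_PAIRS + 1   # assumed: bins for counts 0..16 per direction pair


def byte_pairs(payload: bytes) -> set:
    """Distinct 16-bit values formed by the non-overlapping byte pairs
    (offsets 0-1, 2-3, ...) within the first 32 bytes of the payload.
    A trailing odd byte is ignored, matching the C# loop condition."""
    return {(payload[2 * i] << 8) | payload[2 * i + 1]
            for i in range(min(MAX_PAIRS, len(payload) // 2))}


def direction_pair_offset(prev: PacketDirection, cur: PacketDirection) -> int:
    """Assumed layout: one contiguous block of DIRECTION_PAIR_LENGTH bins for
    each of the four (previous, current) direction combinations."""
    return (2 * prev.value + cur.value) * DIRECTION_PAIR_LENGTH


class BytePairsReoccurringMeter:
    """Stateful meter: remembers the previous packet's pairs and direction."""

    def __init__(self):
        self.prev_pairs = set()
        # Assumed initial state (a C# enum field defaults to its first value).
        self.prev_direction = PacketDirection.CLIENT_TO_SERVER

    def measure(self, payload: bytes, direction: PacketDirection):
        pairs = byte_pairs(payload)
        reoccurring = len(pairs & self.prev_pairs)
        value = (direction_pair_offset(self.prev_direction, direction)
                 + min(reoccurring, DIRECTION_PAIR_LENGTH - 1))
        self.prev_pairs, self.prev_direction = pairs, direction
        return value, reoccurring


def run_session(packets):
    """Feed (direction, payload) tuples through one meter instance and return
    (measurement, reoccurring_count) for each packet, in order."""
    meter = BytePairsReoccurringMeter()
    return [meter.measure(payload, direction) for direction, payload in packets]


# Constructed sample data (not captured traffic). Each SMB payload starts with a
# 4-byte NetBIOS session header followed by the SMB header FF 53 4D 42; the
# request and response differ only in length field and flags byte.
SMB_REQUEST = (bytes.fromhex("00000020") + b"\xffSMB"
               + bytes.fromhex("7200000000180128") + bytes(14)
               + bytes.fromhex("fffe") + bytes(4))
SMB_RESPONSE = (bytes.fromhex("00000022") + b"\xffSMB"
                + bytes.fromhex("7200000000980128") + bytes(14)
                + bytes.fromhex("fffe") + bytes(4))
SMB_SESSION = [(PacketDirection.CLIENT_TO_SERVER, SMB_REQUEST),
               (PacketDirection.SERVER_TO_CLIENT, SMB_RESPONSE)]

# Telnet-style exchange in which the server echoes the client's command line
# before its output, so the first four pairs reoccur.
TELNET_SESSION = [(PacketDirection.CLIENT_TO_SERVER, b"ls -la\r\n"),
                  (PacketDirection.SERVER_TO_CLIENT, b"ls -la\r\ntotal 8\r\n")]

if __name__ == "__main__":
    for name, session in (("SMB", SMB_SESSION), ("Telnet", TELNET_SESSION)):
        for (value, count), (direction, _) in zip(run_session(session), session):
            print(f"{name:6} {direction.name:16} reoccurring={count:2} measurement={value}")
```

Running it shows the SMB response sharing six of its eight distinct leading pairs with the request (the NetBIOS zero bytes, FF53, 4D42, the command word, and the fixed fields), while the Telnet echo shares all four pairs of the command line; because the direction offset is added, the same count on a client-to-server packet would land in a different bin than on a server-to-client one.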
Code
// Fields and helper the snippet relies on but the page does not show (added here; the value of directionPairLength
// is an assumption: one bin per reoccurrence count 0..16 per direction pair). GetDirectionPairOffset is defined elsewhere in the class.
private List<ushort> bytePairsFromPreviousPacket = new List<ushort>();
private AttributeFingerprintHandler.PacketDirection previousPacketDirection;
private const int directionPairLength = 17;
// Packs two consecutive bytes into one 16-bit key (first byte assumed to be the high byte).
private static ushort ConvertToUshort(byte first, byte second) {
    return (ushort)((first << 8) | second);
}

public IEnumerable<int> GetMeasurements(byte[] frameData, int packetStartIndex, int packetLength, DateTime packetTimestamp, AttributeFingerprintHandler.PacketDirection packetDirection, int packetOrderNumberInSession) {
    // Collect the distinct non-overlapping byte pairs among the first 32 bytes (at most 16 pairs) of this packet.
    List<ushort> bytePairsInCurrentPacket = new List<ushort>();
    for (int i = 0; packetStartIndex + 2*i + 1 < frameData.Length && 2*i + 1 < packetLength && i < 16; i++) {
        ushort key = ConvertToUshort(frameData[packetStartIndex + i*2], frameData[packetStartIndex + i*2 + 1]);
        if (!bytePairsInCurrentPacket.Contains(key))
            bytePairsInCurrentPacket.Add(key);
    }
    // Count how many of those pairs were also present in the previous packet of the session.
    int reoccurringCount = 0;
    foreach (ushort key in bytePairsInCurrentPacket)
        if (this.bytePairsFromPreviousPacket.Contains(key))
            reoccurringCount++;
    // The measurement is the offset for the (previous, current) direction combination plus the clamped count.
    int returnValue = this.GetDirectionPairOffset(this.previousPacketDirection, packetDirection) + Math.Min(reoccurringCount, directionPairLength - 1);
    this.bytePairsFromPreviousPacket = bytePairsInCurrentPacket;
    this.previousPacketDirection = packetDirection;
    yield return returnValue;
}
