Merge branch 'tg-36-ip-prefix-clf' into 'main'

IP Prefix Classifier

See merge request feta/wif-group/libwif!40

Author: plnyrich

include/wif/classifiers/ipPrefixClassifier.hpp

@@ -0,0 +1,73 @@
+/**
+ * @file
+ * @author Richard Plny <plnyrich@fit.cvut.cz>
+ * @brief IP prefix classifier interface
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#pragma once
+
+#include "wif/classifiers/classifier.hpp"
+#include "wif/utils/ipPrefix.hpp"
+
+#include <algorithm>
+#include <memory>
+#include <vector>
+
+namespace WIF {
+
+/**
+ * @brief Classifier performing blocklist detection
+ */
+class IpPrefixClassifier : public Classifier {
+public:
+	/**
+	 * @brief Construct an IP Prefix Classifier object with empty blocklist
+	 */
+	IpPrefixClassifier() = default;
+
+	/**
+	 * @brief Construct a new IP Prefix Classifier object
+	 * @param blocklist std::vector of blocklisted IP prefixes
+	 */
+	IpPrefixClassifier(const std::vector<IpPrefix>& blocklist);
+
+	/**
+	 * @brief Getter for current IP prefix blocklist
+	 * @return const std::vector<IpPrefix>& current blocklist
+	 */
+	const std::vector<IpPrefix>& getBlocklist() const noexcept { return m_blocklist; }
+
+	/**
+	 * @brief Update blocklist
+	 * Old blocklist is destructed and replaced by new one
+	 * @param blocklist std::vector of new IP prefixes on blocklist
+	 */
+	void updateBlocklist(const std::vector<IpPrefix>& blocklist);
+
+	/**
+	 * @brief Classify single flowFeature object
+	 * ClfResult contains non-zero double value if flowFeatures contained a field with IP from
+	 * blocklist, otherwise the double value is set to zero
+	 *
+	 * @param flowFeatures flow features to classify
+	 * @return ClfResult result of the classification
+	 */
+	ClfResult classify(const FlowFeatures& flowFeatures) override;
+
+	/**
+	 * @brief Classify a burst of flow features
+	 *
+	 * @param burstOfFlowsFeatures the burst of flow features to classify
+	 * @return std::vector<ClfResult> std::vector<ClfResult> the results of the classification
+	 */
+	std::vector<ClfResult> classify(const std::vector<FlowFeatures>& burstOfFlowsFeatures) override;
+
+private:
+	bool findIpAddress(const IpAddress& ipAddress);
+
+	std::vector<IpPrefix> m_blocklist;
+};
+
+} // namespace WIF

include/wif/storage/ipAddress.hpp

@@ -70,6 +70,12 @@ class IpAddress {
 	 */
 	bool empty() const noexcept;
 
+	/**
+	 * Getter for version of the IP address.
+	 * @return IpVersion version of the held IP address
+	 */
+	IpVersion getVersion() const noexcept;
+
 	/**
 	 * @brief Checks if the IP address is version 4
 	 * @return bool
@@ -136,13 +142,22 @@ class IpAddress {
 	 */
 	friend IpAddress operator&(const IpAddress& l, const IpAddress& r);
 
+	/**
+	 * @brief Bitwise NOT operator
+	 *
+	 * @param address IP address whose bits will be flipped
+	 * @return IpAddress IP address with flipped bits
+	 */
+	friend IpAddress operator~(const IpAddress& address);
+
 	/**
 	 * @brief Comparison operator <
 	 *
-	 * @param other IP address object to print
-	 * @return bool
+	 * @param l left operand
+	 * @param r right operand
+	 * @return bool true if l is less than r
 	 */
-	bool operator<(const IpAddress& other) const;
+	friend bool operator<(const IpAddress& l, const IpAddress& r);
 
 private:
 	constexpr static size_t SIZE_IN_UINT8 = 16;
@@ -159,6 +174,9 @@ class IpAddress {
 
 	constexpr static uint32_t IPV4_FILLING_CONSTANT = 0xFFFFFFFF;
 
+	bool compareV4(const IpAddress& other) const;
+	bool compareV6(const IpAddress& other) const;
+
 	void createV4FromBytes(const uint8_t* bytes, bool isLittleEndian);
 	void createV6FromBytes(const uint8_t* bytes, bool isLittleEndian);
 	void createV4FromBytesLittleEndian(const uint8_t* bytes);

include/wif/utils/ipPrefix.hpp

@@ -0,0 +1,117 @@
+/**
+ * @file
+ * @author Richard Plny <plnyrich@fit.cvut.cz>
+ * @brief IP prefix interface
+ * Based on:
+ * https://github.com/CESNET/nemea-modules-ng/blob/main/modules/whitelist/src/ipAddressPrefix.hpp
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#pragma once
+
+#include "wif/storage/ipAddress.hpp"
+
+namespace WIF {
+
+/**
+ * @brief Class representing an IP prefix (or an IP subnet)
+ */
+class IpPrefix {
+public:
+	/**
+	 * @brief Max bit lenth of IPv4 prefix
+	 */
+	static constexpr size_t IPV4_MAX_PREFIX_LENGTH = 32;
+
+	/**
+	 * @brief Max bit lenth of IPv6 prefix
+	 */
+	static constexpr size_t IPV6_MAX_PREFIX_LENGTH = 128;
+
+	/**
+	 * @brief Construct a new IP Prefix object representing just 1 IP address
+	 *
+	 * @param address single IP address
+	 */
+	IpPrefix(const IpAddress& address);
+
+	/**
+	 * @brief Construct a new IP Prefix object
+	 * @param addressStr string representation of IP prefix
+	 * @param prefixLength number of bits of the prefix
+	 */
+	IpPrefix(const std::string& addressStr, size_t prefixLength);
+
+	/**
+	 * @brief Construct a new IP Prefix object
+	 * @param address IP prefix
+	 * @param prefixLength number of bits of the prefix
+	 */
+	IpPrefix(const IpAddress& address, size_t prefixLength);
+
+	/**
+	 * @brief Getter for the number of bits used by prefix
+	 * @return size_t number of bits of the prefix
+	 */
+	size_t prefixLength() const noexcept { return m_prefixLength; }
+
+	/**
+	 * @brief Getter for number of IP addresses in the prefix
+	 * @return size_t number of IP addresses in the prefix
+	 */
+	size_t size() const noexcept;
+
+	/**
+	 * @brief Getter for the prefix address
+	 * @return const IpAddress& prefix address
+	 */
+	const IpAddress& getPrefix() const noexcept { return m_prefixAddress; }
+
+	/**
+	 * @brief Getter for the prefix mask
+	 * @return const IpAddress& prefix mask
+	 */
+	const IpAddress& getMask() const noexcept { return m_prefixMask; }
+
+	/**
+	 * @brief Match IP prefix and check if IP address in part of the prefix
+	 * @param ipAddress to be matched
+	 * @return true if ipAddress is in this prefix
+	 * @return false otherwise
+	 */
+	bool match(const IpAddress& ipAddress) const noexcept;
+
+	/**
+	 * @brief Comparison operator <
+	 * @param l left operand
+	 * @param r right operand
+	 * @return bool true if l is less than r
+	 */
+	friend bool operator<(const IpPrefix& l, const IpPrefix& r);
+
+	/**
+	 * @brief Comparison operator <
+	 * Used for binary search of IP address in a vector of IP prefixes
+	 * @param l left operand
+	 * @param r right operand
+	 * @return bool true if l is less than r
+	 */
+	friend bool operator<(const IpAddress& l, const IpPrefix& r);
+
+	/**
+	 * @brief Comparison operator <
+	 * Used for binary search of IP address in a vector of IP prefixes
+	 * @param l left operand
+	 * @param r right operand
+	 * @return bool true if l is less than r
+	 */
+	friend bool operator<(const IpPrefix& l, const IpAddress& r);
+
+private:
+	IpAddress m_prefixAddress;
+	IpAddress m_prefixMask;
+	size_t m_prefixLength;
+};
+
+} // namespace WIF

src/wif/CMakeLists.txt

@@ -1,5 +1,6 @@
 set(LIBWIF_SOURCES
 	classifiers/classifier.cpp
+	classifiers/ipPrefixClassifier.cpp
 	classifiers/regexClassifier.cpp
 	classifiers/scikitMlClassifier.cpp
 	combinators/averageCombinator.cpp
@@ -10,6 +11,7 @@ set(LIBWIF_SOURCES
 	regex/regexPattern.cpp
 	storage/flowFeatures.cpp
 	storage/ipAddress.cpp
+	utils/ipPrefix.cpp
 )
 
 set(LIBWIF_LIBS

src/wif/classifiers/ipPrefixClassifier.cpp

@@ -0,0 +1,51 @@
+/**
+ * @file
+ * @author Richard Plny <plnyrich@fit.cvut.cz>
+ * @brief IP prefix classifier implementation
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "wif/classifiers/ipPrefixClassifier.hpp"
+
+namespace WIF {
+
+IpPrefixClassifier::IpPrefixClassifier(const std::vector<IpPrefix>& blocklist)
+{
+	updateBlocklist(blocklist);
+}
+
+void IpPrefixClassifier::updateBlocklist(const std::vector<IpPrefix>& blocklist)
+{
+	m_blocklist = blocklist;
+	std::sort(m_blocklist.begin(), m_blocklist.end());
+}
+
+ClfResult IpPrefixClassifier::classify(const FlowFeatures& flowFeatures)
+{
+	for (FeatureID featureID : getSourceFeatureIDs()) {
+		auto ipAddress = flowFeatures.get<IpAddress>(featureID);
+		if (findIpAddress(ipAddress)) {
+			return ClfResult(1.0);
+		}
+	}
+	return ClfResult(0.0);
+}
+
+std::vector<ClfResult>
+IpPrefixClassifier::classify(const std::vector<FlowFeatures>& burstOfFlowsFeatures)
+{
+	std::vector<ClfResult> burstResults;
+	burstResults.reserve(burstOfFlowsFeatures.size());
+	for (const auto& flowFeatures : burstOfFlowsFeatures) {
+		burstResults.emplace_back(classify(flowFeatures));
+	}
+	return burstResults;
+}
+
+bool IpPrefixClassifier::findIpAddress(const IpAddress& ipAddress)
+{
+	return std::binary_search(m_blocklist.begin(), m_blocklist.end(), ipAddress);
+}
+
+} // namespace WIF

src/wif/storage/ipAddress.cpp

@@ -64,6 +64,11 @@ bool IpAddress::empty() const noexcept
 	return false;
 }
 
+IpAddress::IpVersion IpAddress::getVersion() const noexcept
+{
+	return isIPv4() ? IpVersion::V4 : IpVersion::V6;
+}
+
 bool IpAddress::isIPv4() const noexcept
 {
 	return (m_ipData.ui64[0] == 0 && m_ipData.ui32[3] == IPV4_FILLING_CONSTANT);
@@ -124,6 +129,46 @@ IpAddress operator&(const IpAddress& l, const IpAddress& r)
 	return result;
 }
 
+IpAddress operator~(const IpAddress& address)
+{
+	IpAddress result;
+	for (unsigned ui64Idx = 0; ui64Idx < IpAddress::SIZE_IN_UINT64; ++ui64Idx) {
+		result.m_ipData.ui64[ui64Idx] = ~(address.m_ipData.ui64[ui64Idx]);
+	}
+	return result;
+}
+
+bool operator<(const IpAddress& l, const IpAddress& r)
+{
+	// All IPv4 are before IPv6
+	if (l.isIPv4() && r.isIPv6()) {
+		return true;
+	} else if (l.isIPv6() && r.isIPv4()) {
+		return false;
+	}
+
+	if (l.isIPv4()) {
+		return l.compareV4(r);
+	} else {
+		return l.compareV6(r);
+	}
+}
+
+bool IpAddress::compareV4(const IpAddress& other) const
+{
+	return v4AsInt() < other.v4AsInt();
+}
+
+bool IpAddress::compareV6(const IpAddress& other) const
+{
+	for (unsigned byteIdx = 0; byteIdx < SIZE_IN_UINT8; ++byteIdx) {
+		if (m_ipData.ui8[byteIdx] != other.m_ipData.ui8[byteIdx]) {
+			return m_ipData.ui8[byteIdx] < other.m_ipData.ui8[byteIdx];
+		}
+	}
+	return false;
+}
+
 void IpAddress::createV4FromBytes(const uint8_t* bytes, bool isLittleEndian)
 {
 	if (isLittleEndian) {