通信类英文文献与翻译.docx

通信类英文文献与翻译.docx

《通信类英文文献与翻译.docx》由会员分享，可在线阅读，更多相关《通信类英文文献与翻译.docx（15页珍藏版）》请在冰豆网上搜索。

通信类英文文献与翻译

姓名：

刘峻霖班级：

通信143班学号：

2014101108

附录

一、英文原文：

DetectingAnomalyTraf?

cusingFlowDataintherealVoIPnetwork

I.INTRODUCTION

Recently,manySIP[3]/RTP[4]-basedVoIPapplicationsandserviceshaveappearedandtheirpenetrationratioisgraduallyincreasingduetothefreeorcheapcallchargeandtheeasysubscriptionmethod.Thus,someofthesubscriberstothePSTNservicetendtochangetheirhometelephoneservicestoVoIPproducts.Forexample,companiesinKoreasuchasLGDacom,SamsungNet-works,andKThavebeguntodeploySIP/RTP-basedVoIPservices.Itisreportedthatmorethan?

vemillionusershavesubscribedthecommercialVoIPservicesand50%ofalltheusersarejoinedin2009inKorea[1].AccordingtoIDC,itisexpectedthatthenumberofVoIPusersinUSwillincreaseto27millionsin2009[2].Hence,astheVoIPservicebecomespopular,itisnotsurprisingthatalotofVoIPanomalytraf?

chasbeenalreadyknown[5].So,MostcommercialservicesuchasVoIPservicesshouldprovideessentialsecurityfunctionsregardingprivacy,authentication,integrityandnon-repudiationforpreventingmalicioustraf?

c.Particu-larly,mostofcurrentSIP/RTP-basedVoIPservicessupplytheminimalsecurityfunctionrelatedwithauthentication.Thoughsecuretransport-layerprotocolssuchasTransportLayerSecurity（TLS）[6]orSecureRTP（SRTP）

[7]havebeenstandardized,theyhavenotbeenfullyimplementedanddeployedincurrentVoIPapplicationsbecauseoftheoverheadsofimplementationandperformance.Thus,un-encryptedVoIPpacketscouldbeeasilysniffedandforged,especiallyinwirelessLANs.Inspiteofauthentication,theauthenticationkeyssuchasMD5intheSIPheadercouldbe

maliciouslyexploited,becauseSIPisatext-basedprotocolandunencryptedSIPpacketsareeasilydecoded.Therefore,VoIPservicesareveryvulnerabletoattacksexploitingSIPandRTP.WeaimatproposingaVoIPanomalytraf?

cdetectionmethodusingthe?

ow-basedtraf?

cmeasurementarchi-tecture.WeconsiderthreerepresentativeVoIPanomaliescalledCANCEL,BYEDenialofService（DoS）andRTP?

oodingattacksinthispaper,becausewefoundthatmalicioususersinwirelessLANcouldeasilyperformtheseattacksintherealVoIPnetwork.FormonitoringVoIPpackets,weemploytheIETFIPFlowInformationeXport（IPFIX）[9]standardthatisbasedonNetFlowv9.Thistraf?

cmeasurementmethod

providesa?

exibleandextensibletemplatestructureforvariousprotocols,whichisusefulforobservingSIP/RTP?

ows[10].InordertocaptureandexportVoIPpacketsintoIPFIX?

ows,wede?

netwoadditionalIPFIXtemplatesforSIPandRTP?

ows.Furthermore,weaddfourIPFIX?

eldstoobserve802.11packetswhicharenecessarytodetectVoIPsourcespoo?

ngattacksinWLANs.

II.RELATEDWORK

[8]proposeda?

oodingdetectionmethodbytheHellingerDistance（HD）concept.In[8],they

havepre-sentedINVITE,SYNandRTP?

oodingdetectionmeth-ods.TheHDisthedifferencevaluebetweenatrainingdatasetandatestingdataset.Thetrainingdataset

collectedtraf?

covernsamplingperiodofdurationt.Thetestingdatasetcollectedtranextthetrainingdatasetinthesameperiod.IftheHDiscloseto‘1’,thistes

regardedasanomalytraf?

c.Forusingthismethod,theyassumedthatinitialtrainingdataset

didnothaveanyanomalytraf?

c.Sincethismethodwasbasedonpacketcounts,itmightnoteasilyextendedtodetectotheranomalytraf?

cexcept?

ooding.Ontheotherhand,[11]hasproposedaVoIPanomalytraf?

cdetectionmethodusingExtendedFiniteStateMachine（EFSM）.[11]hassuggestedINVITE?

ooding,BYEDoSanomalytraf?

candmediaspammingdetectionmethods.However,thestatemachinerequiredmorememorybecauseithadtomaintaineach?

ow.[13]haspresentedNetFlow-basedVoIPanomalydetectionmethodsforINVITE,REGIS-TER,RTP?

ooding,andREGISTER/INVITEscan.How-ever,theVoIPDoSattacksconsideredinthispaperwerenotconsidered.In[14],anIDSapproachtodetectSIPanomalieswasdeveloped,butonlysimulationresultsarepresented.FormonitoringVoIPtraf?

c,SIPFIX[10]hasbeenproposedasanIPFIXextension.ThekeyideasoftheSIPFIXareapplication-layerinspectionandSDPanalysisforcarryingmediasessioninformation.Yet,thispaperpresentsonlythepossibilityofapplyingSIPFIXtoDoSanomalytraf?

cdetectionandprevention.WedescribedthepreliminaryideaofdetectingVoIPanomalytraf?

cin[15].ThispaperelaboratesBYEDoSanomalytraf?

candRTP?

oodinganomalytraf?

cdetec-tionmethodbasedonIPFIX.Basedon[15],wehaveconsideredSIPandRTPanomalytraf?

cgeneratedinwirelessLAN.Inthiscase,itispossibletogeneratethesimiliaranomalytraf?

cwithnormalVoIPtraf?

c,becauseattackerscaneasilyextractnormaluserinformationfromunencryptedVoIPpackets.Inthispaper,wehaveextendedtheideawithadditionalSIPdetectionmethodsusinginformationofwirelessLANpackets.Furthermore,wehaveshowntherealexperimentresultsatthecommercialVoIPnetwork.

III.THEVOIPANOMALYTRAFFICDETECTION

METHOD

A.CANCELDoSAnomalyTraf?

cDetection

AstheSIPINVITEmessageisnotusuallyencrypted,attackerscouldextract?

eldsnecessarytoreproducetheforgedSIPCANCELmessagebysnif?

ngSIPINVITEpackets,especiallyinwirelessLANs.Thus,wecannottellthedifferencebetweenthenormalSIPCANCELmessageandthereplicatedone,becausethefakedCANCELpacketincludesthenormal?

eldsinferredfromtheSIPINVITEmessage.TheattackerwillperformtheSIPCANCELDoSattackatthesamewirelessLAN,becausethepurposeoftheSIPCANCEL

attackistopreventthenormalcallestab-lishmentwhenavictimiswaitingforcalls.Therefore,assoonastheattackercatchesacallinvitationmessageforavictim,itwillsendaSIPCANCELmessage,whichmakesthecallestablishmentfailed.WehavegeneratedfakedSIPCANCELmessageusingsniffedaSIPINVITEmessage.FieldsinSIPheaderofthisCANCELmessageisthesameasnormalSIPCANCELmessage,becausetheattackercanobtaintheSIPheader?

eldfromunencryptednormalSIPmessageinwirelessLANenvironment.ThereforeitisimpossibletodetecttheCANCELDoSanomalytraf?

cusingSIPheaders,weusethedifferentvaluesofthewirelessLANframe.Thatis,thesequencenumberinthe802.11framewilltellthedifferencebetweenavictimhostandanattacker.WelookintosourceMACaddressandsequencenumberinthe802.11MACframeincludingaSIPCANCELmessageasshowninAlgorithm1.WecomparethesourceMACaddressofSIPCANCELpacketswiththatofthepreviouslysavedSIPINVITE?

ow.IfthesourceMACaddressofaSIPCANCEL?

owischanged,itwillbehighlyprobablethattheCANCEL

packetisgeneratedbyaunknownuser.However,thesourceMACaddresscouldbespoofed.Regarding802.11sourcespoo?

ngdetection,weemploythemethodin[12]thatuses

sequencenumbersof802.11frames.Wecalculatethegapbetweenn-thand（n-1）-th802.11frames.Asthesequencenumber?

eldina802.11MACheaderuses12bits,itvariesfrom0to4095.Whenwe?

ndthatthesequencenumbergapbetweenasingleSIP?

owisgreaterthanthethresholdvalueofNthatwillbesetfromtheexperiments,wedeterminethattheSIPhostaddressasbeenspoofedfortheanomalytraf?

c.

B.BYEDoSAnomalyTraf?

cDetection

IncommercialVoIPapplications,SIPBYEmessagesusethesameauthentication?

eldisincludedintheSIPIN-VITEmessageforsecurityandaccountingpurposes.How-ever,attackerscanreproduceBYEDoSpacketsthroughsnif?

ngnormalSIPINVITEpacketsinwirelessLANs.ThefakedSIPBYEmessageissamewiththenormalSIPBYE.Therefore,itisdif?

culttodetecttheBYEDoSanomalytraf?

cusingonlySIPheaderinformation.Aftersnif?

ngSIPINVITEmessage,theattackeratthesameordifferentsubnetscouldterminatethenormalin-progresscall,becauseitcouldsucceedingeneratingaBYEmessagetotheSIPproxyserver.IntheSIPBYEattack,itisdif?

culttodistinguishfromthenormalcallterminationprocedure.Thatis,weapplythetimestampofRTPtraf?

cfordetectingtheSIPBYEattack.Generally,afternormalcalltermination,thebi-directionalRTP?

owisterminatedinabrefspaceoftime.However,ifthecallterminationprocedureisanomaly,wecanobservethatadirectionalRTPmedia?

owisstillongoing,whereasanattackeddirectionalRTP?

owisbroken.Therefore,inordertodetecttheSIPBYEattack,wedecidethatwewatchadirectionalRTP?

owforalongtimethresholdofNsecafterSIPBYEmessage.ThethresholdofNisalsosetfromtheexperiments.Algorithm2explainstheproceduretodetectBYEDoSanomaltraf?

cusingcapturedtimestampoftheRTPpacket.WemaintainSIPsessioninformationbetweenclientswithINVITEandOKmessagesincludingthesameCall-IDand4-tuple（source/destinationIPAddressandportnumber）oftheBYEpacket.WesetatimethresholdvaluebyaddingNsectothetimestampvalueoftheBYEmessage.ThereasonwhyweusethecapturedtimestampisthatafewRTPpacketsareobservedunder0.5second.IfRTPtraf?

cisobservedafterthetimethreshold,thiswillbeconsideredasaBYEDoSattack,becausetheVoIPsessionwillbeterminatedwithnormalBYEmessages.C.RTPAnomalyTraf?

cDetectionAlgorithm3describesanRTP?

oodingdetectionmethodthatuses

SSRCandsequencenumbersoftheRTPheader.DuringasingleRTPsession,typically,thesameSSRCvalueismaintained.IfSSRCischanged,itishighlyprobablethatanomalyhasoccurred.Inaddition,ifthereisabigsequencenumbergapbetweenRTPpackets,wedeterminethatanomalyRTPtraf?

chashappened.Asinspectingeverysequencenumberfora

packetisdif?

cult,wecalculatethesequencenumbergapusingthe?

rst,last,maximumandmini