English literature and translation (communications). Name: 刘峻霖. Class: Communications 143. Student ID: 2014101108.

Appendix I. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and 50% of all the users joined in 2009 in Korea [1]. According to IDC, it is expected that the number of VoIP users in the US will increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5].

So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. Particularly, most current SIP/RTP-based VoIP services supply the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in a wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets, which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method by the Hellinger Distance (HD) concept. In [8], they presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration t. The testing data set collected traffic next to the training data set in the same period. If the HD is close to 1, this testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect other anomaly traffic except flooding. On the other hand, [11] has proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered there. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, that paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.

We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection method based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in a wireless LAN. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information of wireless LAN packets. Furthermore, we have shown the real experiment results at the commercial VoIP network.

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is not usually encrypted, attackers could extract the fields necessary to reproduce a forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message.

The attacker will perform the SIP CANCEL DoS attack in the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent the normal call establishment when a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail. We have generated a faked SIP CANCEL message using a sniffed SIP INVITE message. The fields in the SIP header of this CANCEL message are the same as in a normal SIP CANCEL message, because the attacker can obtain the SIP header fields from unencrypted normal SIP messages in the wireless LAN environment. Therefore, since it is impossible to detect the CANCEL DoS anomaly traffic using SIP headers, we use the different values of the wireless LAN frame. That is, the sequence number in the 802.11 frame will tell the difference between a victim host and an attacker.

We look into the source MAC address and sequence number in the 802.11 MAC frame including a SIP CANCEL message, as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow is changed, it is highly probable that the CANCEL packet was generated by an unknown user. However, the source MAC address could be spoofed. Regarding 802.11 source spoofing detection, we employ the method in [12] that uses sequence numbers of 802.11 frames. We calculate the gap between the n-th and (n-1)-th 802.11 frames. As the sequence number field in an 802.11 MAC header uses 12 bits, it varies from 0 to 4095. When we find that the sequence number gap within a single SIP flow is greater than the threshold value N, which will be set from the experiments, we determine that the SIP host address has been spoofed for the anomaly traffic.

B. BYE DoS Anomaly Traffic Detection

In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message for security and accounting purposes. However, attackers can reproduce BYE DoS packets through sniffing normal SIP INVITE packets in wireless LANs. The faked SIP BYE message is the same as the normal SIP BYE. Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP header information.

After sniffing a SIP INVITE message, the attacker at the same or a different subnet could terminate the normal in-progress call, because it could succeed in generating a BYE message to the SIP proxy server. The SIP BYE attack is difficult to distinguish from the normal call termination procedure. Thus, we apply the timestamp of RTP traffic for detecting the SIP BYE attack. Generally, after normal call termination, the bi-directional RTP flow is terminated in a brief space of time. However, if the call termination procedure is anomalous, we can observe that one directional RTP media flow is still ongoing, whereas the attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we watch a directional RTP flow for a time threshold of N sec after the SIP BYE message. The threshold N is also set from the experiments.

Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients with INVITE and OK messages including the same Call-ID and 4-tuple (source/destination IP address and port number) of the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason why we use the captured timestamp is that a few RTP packets are still observed within 0.5 second. If RTP traffic is observed after the time threshold, this will be considered as a BYE DoS attack, because with normal BYE messages the VoIP session would have been terminated.

C. RTP Anomaly Traffic Detection

Algorithm 3 describes an RTP flooding detection method that uses the SSRC and sequence numbers of the RTP header. During a single RTP session, typically, the same SSRC value is maintained. If the SSRC is changed, it is highly probable that an anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we determine that anomaly RTP traffic has happened. As inspecting every sequence number for a packet is difficult, we calculate the sequence number gap using the first, last, maximum and mini
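The three checks in Section III (Algorithm 1: CANCEL source MAC and 802.11 sequence gap; Algorithm 2: RTP still observed N sec after a BYE; Algorithm 3: SSRC change or large RTP sequence gap) can all be run over exported flow records. The Python below is an added example written for this page, not the paper's code or its Algorithm listings; the record layouts, the keying of RTP records by Call-ID, the alert wording and every threshold value N are assumptions (the paper sets each N from experiments), and the replayed SIP and RTP records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds: the paper sets each N from experiments; these values are assumptions.
DOT11_SEQ_MODULO = 4096   # 802.11 sequence number field is 12 bits (0..4095)
DOT11_SEQ_GAP_N = 10      # assumed: allowed 802.11 sequence gap inside one SIP flow
BYE_GRACE_N_SEC = 1.0     # assumed: RTP later than BYE + N sec means the BYE was forged
RTP_SEQ_MODULO = 65536    # RTP sequence number is 16 bits
RTP_SEQ_GAP_N = 100       # assumed: allowed sequence gap between consecutive RTP records

@dataclass
class SipRecord:
    """One exported SIP message with the 802.11 fields the paper adds (assumed layout)."""
    method: str     # INVITE, OK, CANCEL or BYE
    call_id: str
    src_mac: str    # 802.11 source MAC address
    dot11_seq: int  # 802.11 MAC header sequence number
    ts: float       # capture timestamp in seconds

@dataclass
class RtpRecord:
    """One exported RTP flow record (assumed layout; keyed by Call-ID for brevity)."""
    call_id: str
    ssrc: int
    first_seq: int
    last_seq: int
    last_ts: float  # capture timestamp of the record's last RTP packet

def seq_gap(prev: int, cur: int, modulo: int) -> int:
    """Forward distance between two wrapping sequence numbers."""
    return (cur - prev) % modulo

class VoipAnomalyDetector:
    """CANCEL DoS (Alg. 1), BYE DoS (Alg. 2) and RTP flooding (Alg. 3) checks over flow records."""
    def __init__(self) -> None:
        self.invites: Dict[str, SipRecord] = {}   # Call-ID -> saved INVITE flow
        self.byes: Dict[str, SipRecord] = {}      # Call-ID -> BYE that ended the session
        self.last_rtp: Dict[str, RtpRecord] = {}  # Call-ID -> previous RTP record

    def observe_sip(self, msg: SipRecord) -> List[str]:
        alerts: List[str] = []
        if msg.method == "INVITE":
            self.invites[msg.call_id] = msg
        elif msg.method == "CANCEL" and msg.call_id in self.invites:
            inv = self.invites[msg.call_id]
            # Alg. 1: a CANCEL from another MAC, or with a jump in the 802.11 counter, is not from the INVITE host.
            if inv.src_mac != msg.src_mac:
                alerts.append(f"{msg.call_id}: CANCEL DoS (source MAC differs from INVITE)")
            elif seq_gap(inv.dot11_seq, msg.dot11_seq, DOT11_SEQ_MODULO) > DOT11_SEQ_GAP_N:
                alerts.append(f"{msg.call_id}: CANCEL DoS (802.11 sequence gap, spoofed MAC)")
        elif msg.method == "BYE" and msg.call_id in self.invites:
            self.byes[msg.call_id] = msg
        return alerts

    def observe_rtp(self, rec: RtpRecord) -> List[str]:
        alerts: List[str] = []
        bye = self.byes.get(rec.call_id)
        # Alg. 2: a genuine BYE stops RTP quickly; RTP seen after BYE + N sec means the endpoint never hung up.
        if bye is not None and rec.last_ts > bye.ts + BYE_GRACE_N_SEC:
            alerts.append(f"{rec.call_id}: BYE DoS (RTP seen {rec.last_ts - bye.ts:.1f}s after BYE)")
        prev = self.last_rtp.get(rec.call_id)
        if prev is not None:
            # Alg. 3: the SSRC stays fixed for a session and sequence numbers advance smoothly.
            if prev.ssrc != rec.ssrc:
                alerts.append(f"{rec.call_id}: RTP anomaly (SSRC changed)")
            elif seq_gap(prev.last_seq, rec.first_seq, RTP_SEQ_MODULO) > RTP_SEQ_GAP_N:
                alerts.append(f"{rec.call_id}: RTP anomaly (sequence gap)")
        self.last_rtp[rec.call_id] = rec
        return alerts

def run_demo() -> List[str]:
    """Replays constructed records (normal calls plus each anomaly) and returns the alerts."""
    det = VoipAnomalyDetector()
    sip = [
        SipRecord("INVITE", "c1", "aa:aa:aa:00:00:01", 100, 0.0),
        SipRecord("CANCEL", "c1", "aa:aa:aa:00:00:01", 103, 0.5),   # same MAC, small gap: normal
        SipRecord("INVITE", "c2", "aa:aa:aa:00:00:02", 4090, 1.0),
        SipRecord("CANCEL", "c2", "aa:aa:aa:00:00:02", 2200, 1.4),  # caller's MAC, foreign counter
        SipRecord("INVITE", "c6", "aa:aa:aa:00:00:06", 500, 3.0),
        SipRecord("CANCEL", "c6", "bb:bb:bb:00:00:99", 501, 3.2),   # different source MAC
        SipRecord("INVITE", "c3", "aa:aa:aa:00:00:03", 10, 2.0),
        SipRecord("BYE", "c3", "aa:aa:aa:00:00:03", 40, 30.0),
        SipRecord("INVITE", "c4", "aa:aa:aa:00:00:04", 20, 2.0),
        SipRecord("BYE", "c4", "aa:aa:aa:00:00:04", 60, 30.0),
    ]
    rtp = [
        RtpRecord("c3", 0x1111, 1, 1400, 30.3),      # stops 0.3 s after BYE: normal
        RtpRecord("c4", 0x2222, 1, 1400, 30.3),
        RtpRecord("c4", 0x2222, 1401, 1650, 35.0),   # one direction still flowing 5 s after BYE
        RtpRecord("c5", 0x3333, 1, 500, 10.0),
        RtpRecord("c5", 0x3333, 9000, 9500, 11.0),   # sequence number jumps by thousands
        RtpRecord("c5", 0x4444, 9501, 9600, 12.0),   # SSRC changes mid-session
    ]
    alerts = [a for m in sip for a in det.observe_sip(m)]
    alerts += [a for r in rtp for a in det.observe_rtp(r)]
    return alerts
```

The 802.11 and RTP sequence gaps are computed modulo the field width, so a counter that has wrapped from 4095 to 0 (or 65535 to 0) is not mistaken for a spoofed source, while a CANCEL carrying the caller's MAC but an unrelated counter value still produces a large forward distance and is flagged. Running run_demo() yields one alert for each constructed anomaly (c2, c6, c4 and two for c5) and none for the normal calls c1 and c3.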