English-Language Communications Literature with Translation


Appendix 1. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and 50% of all the users joined in 2009 in Korea [1]. According to IDC, it is expected that the number of VoIP users in the US will increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5]. So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. Particularly, most current SIP/RTP-based VoIP services supply the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method by the Hellinger Distance (HD) concept. In [8], they have presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration Δt. The testing data set collected the traffic following the training data set over the same period. If the HD is close to '1', this testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect other anomaly traffic except flooding. On the other hand, [11] has proposed a VoIP anomaly traffic detection method using Extended Finite State Machine (EFSM). [11] has suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] has presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of the SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, this paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.

We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates BYE DoS anomaly traffic and RTP flooding anomaly traffic detection method based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in wireless LAN. In this case, it is possible to generate the similar anomaly traffic with normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information of wireless LAN packets. Furthermore, we have shown the real experiment results at the commercial VoIP network.

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is not usually encrypted, attackers could extract fields necessary to reproduce the forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack at the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent the normal call establishment when a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail.
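
The Hellinger Distance check that the related-work section attributes to [8], sketched as an added example (not code from this paper or from [8]). The attribute set, the constructed window counts, the fixed threshold of 0.3 and the rule that flagged windows stay out of the training set are assumptions made for illustration.

```python
import math
from collections import Counter, deque

# Assumed attribute set: SIP message types counted per sampling period.
ATTRS = ("INVITE", "200_OK", "ACK", "BYE")

def distribution(counts):
    """Normalise per-type packet counts to probabilities; None if the window is empty."""
    total = sum(counts.get(a, 0) for a in ATTRS)
    return [counts.get(a, 0) / total for a in ATTRS] if total else None

def hellinger(p, q):
    """Hellinger distance: 0 for identical distributions, 1 for disjoint ones."""
    return math.sqrt(sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q)) / 2)

class HDDetector:
    def __init__(self, n=4, threshold=0.3):   # both values are assumptions
        self.training = deque(maxlen=n)       # last n windows believed to be clean
        self.threshold = threshold

    def observe(self, window):
        """Return (hd, is_anomaly) for one sampling period of duration delta-t."""
        if len(self.training) < self.training.maxlen:
            self.training.append(window)      # bootstrap: assumed free of anomalies
            return None, False
        trained = sum((Counter(w) for w in self.training), Counter())
        p, q = distribution(trained), distribution(window)
        if p is None or q is None:            # no traffic: nothing to compare
            return None, False
        hd = hellinger(p, q)
        anomalous = hd > self.threshold
        if not anomalous:                     # keep flagged windows out of training
            self.training.append(window)
        return hd, anomalous

# Constructed sample data: five normal periods, one INVITE flood, one normal period.
WINDOWS = [
    {"INVITE": 50, "200_OK": 48, "ACK": 48, "BYE": 47},
    {"INVITE": 52, "200_OK": 50, "ACK": 50, "BYE": 49},
    {"INVITE": 49, "200_OK": 47, "ACK": 47, "BYE": 46},
    {"INVITE": 51, "200_OK": 49, "ACK": 49, "BYE": 48},
    {"INVITE": 50, "200_OK": 49, "ACK": 48, "BYE": 48},
    {"INVITE": 900, "200_OK": 45, "ACK": 45, "BYE": 44},
    {"INVITE": 51, "200_OK": 50, "ACK": 49, "BYE": 49},
]

def run_demo():
    detector = HDDetector()
    return [detector.observe(w) for w in WINDOWS]
```

Because the distance is computed from packet counts alone, a single forged CANCEL or BYE barely moves the distribution, which is the limitation the text notes for this method outside of flooding.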
