通信类英文文献及翻译.docx

通信类英文文献及翻译.docx

《通信类英文文献及翻译.docx》由会员分享，可在线阅读，更多相关《通信类英文文献及翻译.docx（10页珍藏版）》请在冰点文库上搜索。

通信类英文文献及翻译

附录

一、英文原文：

DetectingAnomalyTrafficusingFlowDataintherealVoIPnetwork

I.INTRODUCTION

Recently,manySIP[3]/RTP[4]-basedVoIPapplicationsandserviceshaveappearedandtheirpenetrationratioisgraduallyincreasingduetothefreeorcheapcallchargeandtheeasysubscriptionmethod.Thus,someofthesubscriberstothePSTNservicetendtochangetheirhometelephoneservicestoVoIPproducts.Forexample,companiesinKoreasuchasLGDacom,SamsungNet-works,andKThavebeguntodeploySIP/RTP-basedVoIPservices.ItisreportedthatmorethanfivemillionusershavesubscribedthecommercialVoIPservicesand50%ofalltheusersarejoinedin2009inKorea[1].AccordingtoIDC,itisexpectedthatthenumberofVoIPusersinUSwillincreaseto27millionsin2009[2].Hence,astheVoIPservicebecomespopular,itisnotsurprisingthatalotofVoIPanomalytraffichasbeenalreadyknown[5].So,MostcommercialservicesuchasVoIPservicesshouldprovideessentialsecurityfunctionsregardingprivacy,authentication,integrityandnon-repudiationforpreventingmalicioustraffic.Particu-larly,mostofcurrentSIP/RTP-basedVoIPservicessupplytheminimalsecurityfunctionrelatedwithauthentication.Thoughsecuretransport-layerprotocolssuchasTransportLayerSecurity（TLS）[6]orSecureRTP（SRTP）[7]havebeenstandardized,theyhavenotbeenfullyimplementedanddeployedincurrentVoIPapplicationsbecauseoftheoverheadsofimplementationandperformance.Thus,un-encryptedVoIPpacketscouldbeeasilysniffedandforged,especiallyinwirelessLANs.Inspiteofauthentication,theauthenticationkeyssuchasMD5intheSIPheadercouldbemaliciouslyexploited,becauseSIPisatext-basedprotocolandunencryptedSIPpacketsareeasilydecoded.Therefore,VoIPservicesareveryvulnerabletoattacksexploitingSIPandRTP.WeaimatproposingaVoIPanomalytrafficdetectionmethodusingtheflow-basedtrafficmeasurementarchi-tecture.WeconsiderthreerepresentativeVoIPanomaliescalledCANCEL,BYEDenialofService（DoS）andRTPfloodingattacksinthispaper,becausewefoundthatmalicioususersinwirelessLANcouldeasilyperformtheseattacksintherealVoIPnetwork.FormonitoringVoIPpackets,weemploytheIETFIPFlowInformationeXport（IPFIX）[9]standardthatisbasedonNetFlowv9.Thistrafficmeasurementmethodprovidesaflexibleandextensibletemplatestructureforvariousprotocols,whichisusefulforobservingSIP/RTPflows[10].InordertocaptureandexportVoIPpacketsintoIPFIXflows,wedefinetwoadditionalIPFIXtemplatesforSIPandRTPflows.Furthermore,weaddfourIPFIXfieldstoobservepacketswhicharenecessarytodetectVoIPsourcespoofingattacksinWLANs.

II.RELATEDWORK

[8]proposedafloodingdetectionmethodbytheHellingerDistance（HD）concept.In[8],theyhavepre-sentedINVITE,SYNandRTPfloodingdetectionmeth-ods.TheHDisthedifferencevaluebetweenatrainingdatasetandatestingdataset.ThetrainingdatasetcollectedtrafficovernsamplingperiodofdurationΔtestingdatasetcollectedtrafficnextthetrainingdatasetinthesameperiod.IftheHDiscloseto‘1’,thistestingdatasetisregardedasanomalytraffic.Forusingthismethod,theyassumedthatinitialtrainingdatasetdidnothaveanyanomalytraffic.Sincethismethodwasbasedonpacketcounts,itmightnoteasilyextendedtodetectotheranomalytrafficexceptflooding.Ontheotherhand,[11]hasproposedaVoIPanomalytrafficdetectionmethodusingExtendedFiniteStateMachine（EFSM）.[11]hassuggestedINVITEflooding,BYEDoSanomalytrafficandmediaspammingdetectionmethods.However,thestatemachinerequiredmorememorybecauseithadtomaintaineachflow.[13]haspresentedNetFlow-basedVoIPanomalydetectionmethodsforINVITE,REGIS-TER,RTPflooding,andREGISTER/INVITEscan.How-ever,theVoIPDoSattacksconsideredinthispaperwerenotconsidered.In[14],anIDSapproachtodetectSIPanomalieswasdeveloped,butonlysimulationresultsarepresented.FormonitoringVoIPtraffic,SIPFIX[10]hasbeenproposedasanIPFIXextension.ThekeyideasoftheSIPFIXareapplication-layerinspectionandSDPanalysisforcarryingmediasessioninformation.Yet,thispaperpresentsonlythepossibilityofapplyingSIPFIXtoDoSanomalytrafficdetectionandprevention.WedescribedthepreliminaryideaofdetectingVoIPanomalytrafficin[15].ThispaperelaboratesBYEDoSanomalytrafficandRTPfloodinganomalytrafficdetec-tionmethodbasedonIPFIX.Basedon[15],wehaveconsideredSIPandRTPanomalytrafficgeneratedinwirelessLAN.Inthiscase,itispossibletogeneratethesimiliaranomalytrafficwithnormalVoIPtraffic,becauseattackerscaneasilyextractnormaluserinformationfromunencryptedVoIPpackets.Inthispaper,wehaveextendedtheideawithadditionalSIPdetectionmethodsusinginformationofwirelessLANpackets.Furthermore,wehaveshowntherealexperimentresultsatthecommercialVoIPnetwork.

III.THEVOIPANOMALYTRAFFICDETECTIONMETHOD

A.CANCELDoSAnomalyTrafficDetection

AstheSIPINVITEmessageisnotusuallyencrypted,attackerscouldextractfieldsnecessarytoreproducetheforgedSIPCANCELmessagebysniffingSIPINVITEpackets,especiallyinwirelessLANs.Thus,wecannottellthedifferencebetweenthenormalSIPCANCELmessageandthereplicatedone,becausethefakedCANCELpacketincludesthenormalfieldsinferredfromtheSIPINVITEmessage.TheattackerwillperformtheSIPCANCELDoSattackatthesamewirelessLAN,becausethepurposeoftheSIPCANCELattackistopreventthenormalcallestab-lishmentwhenavictimiswaitingforcalls.Therefore,assoonastheattackercatchesacallinvitationmessageforavictim,itwillsendaSIPCANCELmessage,whichmakesthecallestablishmentfailed.WehavegeneratedfakedSIPCANCELmessageusingsniffedaSIPINVITEinSIPheaderofthisCANCELmessageisthesameasnormalSIPCANCELmessage,becausetheattackercanobtaintheSIPheaderfieldfromunencryptednormalSIPmessageinwirelessLANenvironment.ThereforeitisimpossibletodetecttheCANCELDoSanomalytrafficusingSIPheaders,weusethedifferentvaluesofthewirelessLANframe.Thatis,thesequencenumberintheframewilltellthedifferencebetweenavictimhostandanattacker.WelookintosourceMACaddressandsequencenumberintheMACframeincludingaSIPCANCELmessageasshowninAlgorithm1.WecomparethesourceMACaddressofSIPCANCELpacketswiththatofthepreviouslysavedSIPINVITEflow.IfthesourceMACaddressofaSIPCANCELflowischanged,itwillbehighlyprobablethattheCANCELpacketisgeneratedbyaunknownuser.However,thesourceMACaddresscouldbespoofed.Regardingsourcespoofingdetection,weemploythemethodin[12]thatusessequencenumbersofframes.Wecalculatethegapbetweenn-thand（n-1）-thframes.AsthesequencenumberfieldinaMACheaderuses12bits,itvariesfrom0to4095.WhenwefindthatthesequencenumbergapbetweenasingleSIPflowisgreaterthanthethresholdvalueofNthatwillbesetfromtheexperiments,wedeterminethattheSIPhostaddressasbeenspoofedfortheanomalytraffic.

B.BYEDoSAnomalyTrafficDetection

IncommercialVoIPapplications,SIPBYEmessagesusethesameauthenticationfieldisincludedintheSIPIN-VITEmessageforsecurityandaccountingpurposes.How-ever,attackerscanreproduceBYEDoSpacketsthroughsniffingnormalSIPINVITEpacketsinwirelessfakedSIPBYEmessageissamewiththenormalSIPBYE.Therefore,itisdifficulttodetecttheBYEDoSanomalytrafficusingonlySIPheadersniffingSIPINVITEmessage,theattackeratthesameordifferentsubnetscouldterminatethenormalin-progresscall,becauseitcouldsucceedingeneratingaBYEmessagetotheSIPproxyserver.IntheSIPBYEattack,itisdifficulttodistinguishfromthenormalcallterminationprocedure.Thatis,weapplythetimestampofRTPtrafficfordetectingtheSIPBYEattack.Generally,afternormalcalltermination,thebi-directionalRTPflowisterminatedinabrefspaceoftime.However,ifthecallterminationprocedureisanomaly,wecanobservethatadirectionalRTPmediaflowisstillongoing,whereasanattackeddirectionalRTPflowisbroken.Therefore,inordertodetecttheSIPBYEattack,wedecidethatwewatchadirectionalRTPflowforalongtimethresholdofNsecafterSIPBYEmessage.ThethresholdofNisalsosetfromthe2explainstheproceduretodetectBYEDoSanomaltrafficusingcapturedtimestampoftheRTPpacket.WemaintainSIPsessioninformationbetweenclientswithINVITEandOKmessagesincludingthesameCall-IDand4-tuple（source/destinationIPAddressandportnumber）oftheBYEpacket.WesetatimethresholdvaluebyaddingNsectothetimestampvalueoftheBYEmessage.ThereasonwhyweusethecapturedtimestampisthatafewRTPpacketsareobservedundersecond.IfRTPtrafficisobservedafterthetimethreshold,thiswillbeconsideredasaBYEDoSattack,becausetheVoIPsessionwillbeterminatedwithnormalBYEmessages.C.RTPAnomalyTrafficDetectionAlgorithm3describesanRTPfloodingdetectionmethodthatusesSSRCandsequencenumbersoftheRTPheader.DuringasingleRTPsession,typically,thesameSSRCvalueismaintained.IfSSRCischanged,itishighlyprobablethatanomalyhasoccurred.Inaddition,ifthereisabigsequencenumbergapbetweenRTPpackets,wedeterminethatanomalyRTPtraffichashappened.Asinspectingeverysequencenumberforapacketisdifficult,wecalculatethesequencenumbergapusingthefirst,last,maximumandminimumsequencenumbers.IntheRTPheader,thesequencenumberfielduses16bitsfrom0to65535.Whenweobserveawidesequencenumbergapinouralgorithm,weconsideritasa