Communications English Literature and Translation.docx
- Document ID: 18476171
- Upload time: 2023-08-18
- Format: DOCX
- Pages: 10
- Size: 25.17KB
Communications English Literature and Translation
Name: 峻霖
Class: Communications Class 143
Student ID: 2014101108
Appendix
I. English original:
Detecting Anomaly Traffic using Flow Data in the real VoIP network
I. INTRODUCTION
Recently, many SIP[3]/RTP[4]-based VoIP applications and services have appeared and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and 50% of all the users joined in 2009 in Korea [1]. According to IDC, it is expected that the number of VoIP users in the US will increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5].
So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. In particular, most current SIP/RTP-based VoIP services supply only the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.
We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in a wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets, which are necessary to detect VoIP source spoofing attacks in WLANs.
II. RELATED WORK
[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept. In [8], they have presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration Δt. The testing data set collected traffic next to the training data set in the same period. If the HD is close to '1', this testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect other anomaly traffic except flooding.
On the other hand, [11] has proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] has suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] has presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, this paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.
We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection methods based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in a wireless LAN. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information from wireless LAN packets. Furthermore, we have shown the real experiment results in the commercial VoIP network.
III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD
A. CANCEL DoS Anomaly Traffic Detection
As the SIP INVITE message is not usually encrypted, attackers could extract fields necessary to reproduce the forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack at the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent the normal call establishment when a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail. We have generated a faked SIP CANCEL message using a sniffed SIP INVITE message. The fields in the SIP header of this CANCEL message are the same as those of a normal SIP CANCEL message, because the attacker can obtain the SIP header fields from an unencrypted normal SIP message in a wireless LAN environment.
Because it is therefore impossible to detect the CANCEL DoS anomaly traffic using SIP headers, we use the different values of the wireless LAN frame. That is, the sequence number in the 802.11 frame will tell the difference between a victim host and an attacker. We look into the source MAC address and sequence number in the 802.11 MAC frame including a SIP CANCEL message as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow is changed, it will be highly probable that the CANCEL packet is generated by an unknown user. However, the source MAC address could be spoofed. Regarding 802.11 source spoofing detection, we employ the method in [12] that uses sequence numbers of 802.11 frames. We calculate the gap between the n-th and (n-1)-th 802.11 frames. As the sequence number field in an 802.11 MAC header uses 12 bits, it varies from 0 to 4095. When we find that the sequence number gap between a single SIP flow is greater than the threshold value of N that will be set from the experiments, we determine that the SIP host address has been spoofed for the anomaly traffic.
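The two checks described above (source MAC comparison against the saved INVITE flow, then the 802.11 sequence number gap against a threshold N) can be sketched as follows. This is an added example, not the paper's Algorithm 1: the record layout, the field names, the modulo-4096 wrap handling and the value N = 50 are assumptions.

```python
from dataclasses import dataclass

SEQ_MODULUS = 4096  # the 802.11 sequence number field is 12 bits: 0..4095


@dataclass
class SipFlowRecord:
    """SIP flow record carrying the 802.11 fields (field names are assumed)."""
    call_id: str
    method: str     # "INVITE" or "CANCEL"
    src_mac: str    # source MAC address of the 802.11 frame
    dot11_seq: int  # sequence number of the 802.11 frame


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur, tolerating the wrap from 4095 to 0."""
    return (cur - prev) % SEQ_MODULUS


def detect_cancel_dos(records, threshold_n):
    """Return (call_id, reason) for every CANCEL that fails the two checks."""
    invites = {}  # call_id -> (source MAC, 802.11 sequence number of INVITE)
    alerts = []
    for r in records:
        if r.method == "INVITE":
            invites[r.call_id] = (r.src_mac, r.dot11_seq)
        elif r.method == "CANCEL" and r.call_id in invites:
            mac, last_seq = invites[r.call_id]
            if r.src_mac != mac:
                alerts.append((r.call_id, "src-mac-changed"))
            elif seq_gap(last_seq, r.dot11_seq) > threshold_n:
                alerts.append((r.call_id, "seq-gap"))
    return alerts


# Constructed sample records; the MAC addresses and N = 50 are made up.
CALLER, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [
    SipFlowRecord("call-a", "INVITE", CALLER, 100),
    SipFlowRecord("call-a", "CANCEL", CALLER, 104),   # same station, small gap
    SipFlowRecord("call-b", "INVITE", CALLER, 200),
    SipFlowRecord("call-b", "CANCEL", OTHER, 203),    # different source MAC
    SipFlowRecord("call-c", "INVITE", CALLER, 4090),
    SipFlowRecord("call-c", "CANCEL", CALLER, 3),     # counter wrapped, gap 9
    SipFlowRecord("call-d", "INVITE", CALLER, 300),
    SipFlowRecord("call-d", "CANCEL", CALLER, 2977),  # spoofed MAC, gap 2677
]

if __name__ == "__main__":
    for alert in detect_cancel_dos(SAMPLE, threshold_n=50):
        print(alert)
```

A retransmitted or reordered frame with a lower sequence number produces a very large forward gap under this arithmetic, so a deployment would need to account for that before alerting.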
B. BYE DoS Anomaly Traffic Detection
In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message for security and accounting purposes. However, attackers can reproduce BYE DoS packets through sniffing normal SIP INVITE packets in wireless LANs. The faked SIP BYE message is the same as the normal SIP BYE. Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP header information. After sniffing a SIP INVITE message, the attacker at the same or different subnets could terminate the normal in-progress call, because it could succeed in generating a BYE message to the SIP proxy server. In the SIP BYE attack, it is difficult to distinguish the attack from the normal call termination procedure. That is, we apply the timestamp of RTP traffic for detecting the SIP BYE attack. Generally, after normal call termination, the bi-directional RTP flow is terminated in a brief space of time. However, if the call termination procedure is anomalous, we can observe that a directional RTP media flow is still ongoing, whereas an attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we decide that we watch a directional RTP flow for a long time threshold of N sec after the SIP BYE message. The threshold of N is also set from the experiments.
Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients with INVITE and OK messages including the same Call-ID and 4-tuple (source/destination IP address and port number) of the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason why we use the captured timestamp is that a few RTP packets are observed under 0.5 second. If RTP traffic is observed after the time threshold, this will be considered as a BYE DoS attack, because the VoIP session will be terminated with normal BYE messages.
C. RTP Anomaly Traffic Detection
Algorithm 3 describes an RTP flooding detection method that uses SSRC and sequence numbers of the RTP header. During a single RTP session, typically, the same SSRC value is maintained. If the SSRC is changed, it is highly probable that an anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we determine that anomaly RTP traffic has happened. As inspecting every sequence number for a packet is difficult, we calculate the sequence number gap using the first, last, maximum and minimum sequence numbers. In the RTP header, the sequen
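The BYE DoS check from section B (flag any RTP direction of a terminated session whose captured timestamp is later than the BYE timestamp plus N seconds) can be sketched as follows. This is an added example, not the paper's Algorithm 2: the flow record layout, the way media endpoints are stored per Call-ID, and N = 1.0 s are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RtpFlow:
    """One direction of a media stream from a flow record (layout is assumed)."""
    src: tuple        # (ip, port) of the sender
    dst: tuple        # (ip, port) of the receiver
    last_seen: float  # capture timestamp of the last RTP packet, in seconds


def detect_bye_dos(sessions, byes, rtp_flows, threshold_n):
    """Flag RTP directions still active more than threshold_n seconds after a BYE.

    sessions: call_id -> frozenset of the two media endpoints of that call,
              recorded when the INVITE/OK exchange was seen.
    byes:     list of (call_id, capture timestamp of the BYE).
    Returns (call_id, (src, dst), seconds between BYE and last RTP packet).
    """
    alerts = []
    for call_id, bye_time in byes:
        endpoints = sessions.get(call_id)
        if endpoints is None:
            continue  # no saved session for this Call-ID, nothing to compare
        deadline = bye_time + threshold_n
        for flow in rtp_flows:
            if frozenset((flow.src, flow.dst)) != endpoints:
                continue  # RTP flow of a different call
            if flow.last_seen > deadline:
                alerts.append((call_id, (flow.src, flow.dst),
                               round(flow.last_seen - bye_time, 3)))
    return alerts


# Constructed sample data; addresses, ports, times and N = 1.0 s are made up.
A, B = ("192.0.2.10", 40000), ("192.0.2.20", 40002)
C, D = ("192.0.2.30", 41000), ("192.0.2.40", 41002)
SESSIONS = {"call-1": frozenset((A, B)), "call-2": frozenset((C, D))}
BYES = [("call-1", 100.0), ("call-2", 200.0)]
FLOWS = [
    RtpFlow(A, B, 100.2), RtpFlow(B, A, 100.3),  # both stop right after BYE
    RtpFlow(C, D, 200.1),                        # cut-off direction
    RtpFlow(D, C, 212.4),                        # still sending 12.4 s later
]

if __name__ == "__main__":
    for alert in detect_bye_dos(SESSIONS, BYES, FLOWS, threshold_n=1.0):
        print(alert)
```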