entication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim to propose a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies in this paper, called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks, because we found that malicious users in wireless LANs could easily perform these attacks in a real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard, which is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe packets, which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept, presenting INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration Δ. The testing data set collected the traffic following the training data set in the same period.
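The training/testing comparison attributed to [8] in this section, sketched as an added Python example (not code from [8] or from this paper). It uses the standard Hellinger distance formula; the SIP message types counted, the fixed threshold of 0.3 and the sample counts are constructed assumptions.

```python
import math
from collections import deque

MESSAGE_TYPES = ("INVITE", "200 OK", "ACK", "BYE")  # attributes counted per period (assumed)
THRESHOLD = 0.3  # constructed cut-off, not a value taken from [8]

def distribution(counts):
    """Turn per-type packet counts into a probability distribution (needs >0 packets)."""
    total = sum(counts.get(t, 0) for t in MESSAGE_TYPES)
    return [counts.get(t, 0) / total for t in MESSAGE_TYPES]

def hellinger(p, q):
    """Standard Hellinger distance: 0 for identical distributions, 1 for disjoint ones."""
    s = sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))
    return math.sqrt(s / 2.0)

def detect(periods, n=3, threshold=THRESHOLD):
    """Compare each period with the n periods before it; return (index, HD, anomalous)."""
    training = deque(periods[:n], maxlen=n)  # assumed to contain no anomaly traffic
    results = []
    for i, test in enumerate(periods[n:], start=n):
        if not any(test.get(t, 0) for t in MESSAGE_TYPES):
            continue  # silent period: no distribution to compare
        summed = {t: sum(p.get(t, 0) for p in training) for t in MESSAGE_TYPES}
        hd = hellinger(distribution(summed), distribution(test))
        anomalous = hd > threshold
        results.append((i, round(hd, 3), anomalous))
        if not anomalous:
            training.append(test)  # slide the window over normal traffic only
    return results

# Constructed sample: packet counts per sampling period of duration delta.
SAMPLE = [
    {"INVITE": 50, "200 OK": 48, "ACK": 49, "BYE": 47},
    {"INVITE": 52, "200 OK": 50, "ACK": 51, "BYE": 49},
    {"INVITE": 49, "200 OK": 47, "ACK": 48, "BYE": 46},
    {"INVITE": 51, "200 OK": 50, "ACK": 50, "BYE": 48},   # normal
    {"INVITE": 900, "200 OK": 45, "ACK": 44, "BYE": 46},  # INVITE flood
    {"INVITE": 50, "200 OK": 49, "ACK": 49, "BYE": 47},   # normal again
]

if __name__ == "__main__":
    for index, hd, anomalous in detect(SAMPLE):
        print(index, hd, "ANOMALY" if anomalous else "ok")
```

Keeping flagged periods out of the training window is what lets the period after the flood score as normal again; because the input is only packet counts, the same comparison says nothing about non-flooding anomalies.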
If the HD is close to '1', this testing data set is regarded as anomaly traffic. To use this method, they assumed that the initial training data set did not contain any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect anomaly traffic other than flooding. On the other hand, [11] proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM), suggesting detection methods for INVITE flooding, BYE DoS anomaly traffic and media spamming. However, the state machine required more memory because it had to maintain each flow. [13] presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER and RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered there. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, [10] presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.

We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection methods based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in wireless LANs. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea wit