
Research On Key Technologies Of VoIP Network Defense

Posted on: 2011-07-10; Degree: Doctor; Type: Dissertation
Country: China; Candidate: W Huang
GTID: 1118330335492323; Subject: Information security
Abstract/Summary:
VoIP applications have existed for less than 20 years and are growing fast, while research on VoIP network defense technology is still in its infancy. Existing research on VoIP threat modeling still focuses on threat classification. Detection of spam over Internet telephony (SPIT) is designed for specialized application contexts. Research on detecting denial of service attacks against VoIP networks is not commensurate with the fact that denial of service holds the first position among all VoIP threats. Disclosed VoIP network defense systems share common weaknesses in scalability and throughput.

This dissertation tries to improve the defense techniques against VoIP network attacks in several respects: threat modeling theory and risk assessment methodology, the SPIT detection algorithm, detection of denial of service attacks on VoIP, and the distributed computing architecture for a VoIP defense system. The main contributions of this dissertation are as follows:

1) We proposed the S2TRIDP threat model and applied it to VoIP network threat modeling, which helps to find the origin, cause and impact of threats in a VoIP network. The proposed model classifies VoIP network threats into 7 categories: spoofing, SPIT, tampering, repudiation, information disclosure, denial of service and privacy disclosure. After threat classification, a systematic threat modeling theory was proposed as a series of procedures: setting the security goals, analyzing the VoIP network architecture, decomposing the VoIP network devices and entities, applying the S2TRIDP-based threat identification and classification methods, and summarizing the vulnerability identification and assessment methods. Based on the S2TRIDP threat model, a VoIP-network-oriented risk assessment methodology was also proposed. With this methodology, a qualitative evaluation can be made of the risk level that a VoIP network faces.

2) We proposed a SPIT detection method designed specifically to recognize the widespread, automatically generated bulk spam calls in VoIP networks. The method is based on RTP payload pattern matching and is characterized by a high detection rate, a low false positive rate, efficient computation and easy implementation. Its core is a binary voice payload pattern matching algorithm proposed in this dissertation, called the BF-BM algorithm, which is built on a Bloom filter and the BM algorithm. The payload pattern signatures used by the BF-BM algorithm are obtained from another, offline SPIT detection technique proposed in this dissertation, which is based on the call pattern of human conversation extracted from VoIP speech content. A Naive Bayes learning algorithm computes a score for each call that indicates how likely it is to be a SPIT call, and it can recognize SPIT calls without prior knowledge of the speech content. Lab tests indicate that the proposed human conversation classification algorithm, which is based on VoIP speech content, reaches a SPIT detection rate of nearly 90 percent while keeping the false positive rate under about 2 percent.

3) We proposed a two-stage, multiple-pattern DoS attack detection algorithm that is primarily designed to detect denial of service attacks against SIP servers and user agents. The proposed algorithm uses complex, computation-intensive detection algorithms in the offline processing stage and prefers more implementable, computationally efficient algorithms in the on-the-fly detection stage. Whitelist-related pattern matching approaches are applied in the stateless detection stage to decrease the overhead of pattern matching and reduce the possibility of false positives, while CUSUM and decision tree induction algorithms are used in the stateful detection stage to prevent repeated and redundant alerts. The detection workflow can also be customized and ported to other standard VoIP protocols, as long as the protocols include a signaling protocol, a media stream protocol and a protocol defining the interaction between signaling and media streaming.

4) In this dissertation, we set a new flow distribution optimization goal for the collaborative VoIP attack defense system architecture: to avoid choosing overloaded hosts as stream forwarding targets, on the precondition that session stream integrity is kept intact. We point out that the load balance distribution indicator is not suitable as the flow distribution goal of an attack defense system. We proposed a new flow distribution optimization algorithm based on the publish-subscribe model that improves the computational resource scalability of the VoIP network defense system. Moreover, the two attack detection algorithms proposed in this dissertation, the "two stage and multiple patterns based DoS attack detection algorithm" and the "SPIT detection algorithm against widespread automatically generated bulk spam calls", are both implemented, integrated and verified in the proposed collaborative VoIP attack defense system architecture. This application suggests that the proposed collaborative VoIP network defense architecture is able to support existing single-host attack detection algorithms running in parallel.
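
As an illustration of the stateless whitelist stage followed by a stateful CUSUM stage described in contribution 3, the following is an added sketch and not the dissertation's code. The per-interval INVITE counts, the whitelist, the CUSUM parameters, the cap and the start/end alert logic are all assumptions, and the decision tree stage is omitted.

```python
# Constructed sample: (interval index, source IP, SIP INVITE count in that interval).
SAMPLES = (
    [(t, "198.51.100.7", 4) for t in range(10)]          # normal baseline
    + [(t, "198.51.100.7", 20) for t in range(10, 16)]   # INVITE flood
    + [(t, "198.51.100.7", 4) for t in range(16, 30)]    # back to baseline
    + [(t, "192.0.2.10", 60) for t in range(30)]         # busy but trusted trunk
)
WHITELIST = {"192.0.2.10"}  # assumed trusted SIP peers


class Cusum:
    """One-sided CUSUM: S = min(cap, max(0, S + x - (mean + slack)))."""

    def __init__(self, mean, slack, threshold):
        self.k = mean + slack          # counts above this accumulate
        self.threshold = threshold
        self.cap = 2 * threshold       # bound S so recovery is detected promptly
        self.s = 0.0
        self.alarmed = False

    def update(self, x):
        self.s = min(self.cap, max(0.0, self.s + x - self.k))
        if self.s > self.threshold and not self.alarmed:
            self.alarmed = True        # first crossing: raise exactly one alert
            return "start"
        if self.s == 0.0 and self.alarmed:
            self.alarmed = False       # statistic drained: close the alert
            return "end"
        return None                    # still in the same state: stay silent


def detect(samples, whitelist=WHITELIST, mean=5.0, slack=3.0, threshold=20.0):
    """Return (interval, source, event) alerts for the given samples."""
    detectors, alerts = {}, []
    for t, src, count in sorted(samples):
        if src in whitelist:           # stage 1: stateless whitelist match
            continue
        det = detectors.setdefault(src, Cusum(mean, slack, threshold))
        event = det.update(count)      # stage 2: stateful per-source CUSUM
        if event:
            alerts.append((t, src, event))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLES):
        print(alert)
```

The flood produces a single "start" alert rather than one per interval, which is the alert de-duplication role the abstract assigns to the stateful stage.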
Keywords/Search Tags: VoIP, denial of service attack detection, SPIT detection, collaborative attack defense, SIP