
Research On The Key Technologies Of Intrusion And Prevention System In SIP Network

Posted on: 2013-02-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H B Li
GTID: 1118330362465163
Subject: Computer application technology
Abstract/Summary:
With the large-scale development and application of the IP Multimedia Subsystem (IMS), IMS has become the core control layer of the NGN (Next Generation Network). At the same time, the security of the Session Initiation Protocol (SIP) in IMS has become one of the most important problems that major carriers at home and abroad must consider when they provide a wide range of value-added services. At present, most carriers mainly use a session border controller (SBC) as the security network access equipment for the fixed-IP network. However, an SBC mainly performs topology hiding, media stream shaping, NAT traversal, access control and media encryption, and it cannot perform real-time detection and prevention in the fixed-IP network. A SIP-based intrusion detection and prevention system is an intelligent, active system that detects SIP intrusions as they occur using efficient detection algorithms and terminates or mitigates the intrusion in real time through appropriate responses; it is an intelligent solution that protects the SIP/IMS system in real time from substantive attacks in the SIP network. This dissertation researches several key technologies of intrusion detection and prevention in SIP networks. The main work and contributions are as follows.

1. Taking the technical specifications defined by RFC 3261 as reference and following the rule definitions for SIP, a safe rule-based detection and prevention method against SIP malformed messages is presented, and a defense system for rapid detection of SIP malformed message attacks that uses this method is designed. According to the characteristics of the SIP protocol, a common data model is abstracted. Drawing on the experience of the snort and netfilter architectures, an efficient detection and prevention system against SIP malformed message attacks is implemented in the Linux kernel layer.

2. Through deep analysis of the principle, mode and characteristics of SIP DoS and flooding attacks in SIP networks, a prevention model that combines dynamic threshold adjustment with real-time dynamic prevention of SIP flooding attacks is proposed. By analyzing the flow characteristics of SIP flooding attacks, a traffic anomaly detection algorithm based on a sliding time window and a dynamic threshold adjustment algorithm are designed, while a time penalty algorithm is used to reduce false positives. A SIP/IMS system that deploys this detection and prevention model can effectively prevent the SIP/IMS system from being attacked by single-source SIP flooding messages, and the designed detection and prevention model ensures real-time network availability.

3. To reduce the impact of SIP distributed flooding attacks on the SIP/IMS system, a mitigation method based on security levels for SIP distributed flooding attacks is proposed. According to the characteristics of SIP and the historical record of SIP messages, SIP messages are classified in accordance with the SIP session history records and SIP itself, and attacks are alarmed by traffic monitoring. When a distributed flooding attack occurs, the mitigation method sets a suitable security level to weaken the impact of the attack; this method is incorporated into the two-level defense architecture against DoS attacks.

4. A two-level defense architecture against SIP distributed flooding attacks (TDASDFA) is presented. Logically, TDASDFA consists of two defensive components: the first-level defense subsystem (FDS) and the second-level defense subsystem (SDS). The FDS performs coarse-grained detection and defense on the SIP signaling stream, filtering out non-VoIP messages and discarding SIP messages from IP addresses that exceed the specified rate, in order to ensure service availability; the SDS performs fine-grained detection and defense on the SIP messages using the security-level-based mitigation method to identify cunning attacks and low-rate attacks that have obvious features of malicious DoS attacks. Together, FDS and SDS detect and defend the network status in real time to weaken SIP distributed flooding attacks.

5. To solve the real-time problem of SIP spam over instant messaging (SPIM), the behavioral characteristics of SPIM in SIP networks and a black/white list mechanism for improving detection efficiency are discussed, and a SPIM detection and prevention model based on social networks and a black/white list mechanism is proposed. The model combines a recognition model based on the social network with an improved black/white list mechanism, and it is updated automatically using an auto-update algorithm. As a result, the detection performance and detection accuracy for SIP SPIM are improved.

Finally, a detection and prevention mechanism based on a two-layer convergence classifier is proposed. The previous research contributions are applied to the various parts of the convergence classifier, and the feasibility and effectiveness of the designed mechanism are verified.
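The sliding-window flooding detector of contribution 2 and the per-source rate discard performed by the FDS in contribution 4, as an added illustration in Python that is not code from the dissertation: each source's SIP requests are counted in a sliding time window, the threshold is a multiple of that source's learned normal rate (with a floor and a cap so a slowly ramping sender cannot raise it indefinitely), and a decaying time penalty means one transient burst only marks a source as suspect while a sustained flood gets it blocked. All parameters, the class and function names and the traffic trace are constructed assumptions.

```python
from collections import Counter, deque

# Constructed parameters (added illustration, not the dissertation's own code).
WINDOW = 10.0         # seconds of request history kept per source
BASE_THRESHOLD = 20   # floor of the dynamic threshold (requests per window)
MAX_THRESHOLD = 200   # cap, so a slowly ramping sender cannot learn its way past detection
FACTOR = 3.0          # threshold = FACTOR x the source's learned normal count per window
PENALTY_DECAY = 1.0   # penalty points forgotten per second of quiet
PENALTY_LIMIT = 3.0   # points a source must accumulate before it is blocked
BLOCK_TIME = 30.0     # seconds a blocked source stays blocked

class SipFloodDetector:
    def __init__(self):
        self.hist = {}           # src -> deque of request timestamps inside the window
        self.ewma = {}           # src -> smoothed per-window request count (normal rate)
        self.last_learn = {}     # src -> time the normal rate was last updated
        self.penalty = {}        # src -> (points, time of last update)
        self.blocked_until = {}  # src -> time at which the block expires
    def threshold(self, src):
        return min(MAX_THRESHOLD, max(BASE_THRESHOLD, FACTOR * self.ewma.get(src, 0.0)))
    def observe(self, src, ts):  # returns 'drop', 'suspect', 'flood' or 'pass' for one request
        if self.blocked_until.get(src, 0.0) > ts:
            return "drop"        # still inside the block period: discard without counting
        q = self.hist.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) > self.threshold(src):
            pts, last = self.penalty.get(src, (0.0, ts))
            pts = max(0.0, pts - PENALTY_DECAY * (ts - last)) + 1.0  # decay old points, add one
            self.penalty[src] = (pts, ts)
            if pts < PENALTY_LIMIT:
                return "suspect"  # a transient burst alone is not treated as a flood
            self.blocked_until[src] = ts + BLOCK_TIME
            q.clear()
            return "flood"
        if ts - self.last_learn.get(src, -WINDOW) >= WINDOW:  # learn normal rate once per window
            self.ewma[src] = 0.9 * self.ewma.get(src, len(q)) + 0.1 * len(q)
            self.last_learn[src] = ts
        return "pass"

def run_trace(trace):  # feed (ts, src) pairs in time order; return {src: Counter of verdicts}
    det, summary = SipFloodDetector(), {}
    for ts, src in sorted(trace):
        summary.setdefault(src, Counter())[det.observe(src, ts)] += 1
    return summary

# Constructed traffic: a phone sending 1 request/s for 30 s plus a flooder sending 100 in 1 s.
TRACE = [(float(t), "10.0.0.5") for t in range(30)] + [(5.0 + i * 0.01, "10.0.0.99") for i in range(100)]
```

The flooder passes the first 20 requests of its window, is marked suspect for the next three, is blocked on the fourth over-threshold request and has the rest dropped, while the phone never exceeds the floor.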
Keywords: Session Initiation Protocol, SIP Malformed Message, Spam over Instant Messaging, Chi-square statistics, Flooding Attacks