
Research On Key Technology Of VoIP Network Defense

Posted on: 2011-08-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Huang
Full Text: PDF
GTID: 1118330371460280
Subject: Information security

Abstract/Summary:
VoIP has been in use for less than 20 years and is growing fast, while research on VoIP network defense technology is still in its infancy. This shows in several respects. Existing research on VoIP threat modeling still concentrates on threat classification. Detection of spam over Internet telephony (SPIT) is customized to the specific application and context. Research on detecting denial of service attacks against VoIP networks is not commensurate with the fact that denial of service holds the first position among all VoIP threats. Disclosed VoIP network defense systems share common shortcomings in scalability and throughput.

This dissertation tries to enhance and improve the overall ability to defend against VoIP network attacks from several aspects: threat modeling theory and risk assessment methodology, the SPIT detection algorithm, detection of denial of service attacks against VoIP, and the distributed computing architecture. The main contents, innovative achievements and contributions of this dissertation are as follows:

1) We proposed the S2TRIDP threat model and applied it to VoIP network threat modeling, where it is useful for finding the origin, cause and impact of threats in a general, abstract VoIP network. The proposed model classifies VoIP network threats into 7 categories: spoofing, SPIT, tampering, repudiation, information disclosure, denial of service and privacy disclosure. After classifying the threats, we proposed a systematic and complete threat modeling theory by setting down the security goals, analyzing the VoIP network architecture, decomposing the VoIP network devices and entities, using S2TRIDP-based threat identification and classification methods, and summarizing the vulnerability identification and assessment methods. Based on the S2TRIDP threat model, we proposed a VoIP-network-oriented risk assessment methodology. The proposed methodology gives a qualitative evaluation of the risk level that a VoIP network faces.

2) We proposed a SPIT detection method that is specially designed to recognize the widespread, automatically generated bulk spam calls in VoIP networks. This method is based on RTP payload pattern matching and is characterized by a high detection rate, a low false positive rate, efficient computation and easy implementation. The core of this method is a binary voice payload pattern matching algorithm proposed in this dissertation, called the BF-BM algorithm, which is developed from the bloom filter and the BM algorithm. The payload pattern signature used in the BF-BM algorithm is obtained from another, offline SPIT detection technology proposed in this dissertation, which is built on the call pattern of human conversation extracted from VoIP speech content. A naive Bayes learning algorithm is used to compute a score for each call that indicates how likely it is to be a SPIT call, and it can recognize SPIT calls without prior knowledge of the speech content. Lab tests indicate that the proposed human conversation classification algorithm, which is based on VoIP speech content, achieves a high SPIT call detection rate of nearly 90 percent while keeping the false positive rate under about 2 percent.

3) We proposed a two-stage, multiple-pattern DoS attack detection algorithm that is primarily designed to detect denial of service attacks against SIP servers and user agents. The proposed algorithm uses the complex and computation-intensive detection algorithm in the offline processing stage, while preferring the more implementable and computationally efficient algorithm. Whitelist-like pattern matching approaches are applied in the stateless detection stage to decrease the overhead of pattern matching and avoid false positives, while CUSUM and decision tree induction algorithms are used in the stateful detection stage to avoid repeated and redundant alerts. The detection workflow can also be customized and ported to other standard VoIP protocols, as long as the protocols include a signaling protocol, a media stream protocol and a protocol defining the interaction between signaling and media streaming.

4) We proposed not to take the load balance distribution indicator as the flow distribution goal of the attack defense system. In this dissertation, we adopt another flow distribution optimization goal for the collaborative VoIP attack defense system architecture: to avoid choosing overloaded hosts as the stream forwarding target, provided that session stream integrity is kept intact. We proposed a new flow distribution optimization algorithm based on the publish-subscribe model that improves the computational resource scalability of the VoIP network defense system. Moreover, the two innovative attack detection algorithms proposed in this dissertation, the "two stage and multiple patterns based DoS attack detection algorithm" and the "widespread automatically generated bulk spam calls oriented SPIT detection algorithm", are both implemented, integrated and verified in the proposed collaborative VoIP attack defense system architecture. This application suggests that the proposed collaborative VoIP network defense architecture has the capability and functionality to support the existing attack detection algorithms running in parallel.

Through the research on the above four aspects, this dissertation provides a VoIP-network-oriented threat modeling theory and risk assessment methodology. It also proposes a complete solution to improve the performance of VoIP network defense systems.
Keywords/Search Tags: VoIP, denial of service attack detection, SPIT detection, collaborative attack defense, SIP