Research On Key Technology Of Attacking Call Detection Based On SIP

Posted on: 2012-09-28
Degree: Master
Type: Thesis
Country: China
Candidate: T He
GTID: 2218330371462537
Subject: Communication and Information System
Abstract/Summary:
Attacking call detection based on SIP comprises detecting the offensive action itself (SIP DoS attack detection) and distinguishing normal sessions from attack sessions. In a large-scale softswitch network, real-time detection of attacking calls faces two main problems. First, attacking calls are submerged in a large volume of normal traffic, and most attack actions do not produce an obvious change in the softswitch's network flow model. Second, once an attack has been discovered, the flows of all calls must be reconstructed in order to locate the attacking call; because of the Call-ID characteristic of the SIP protocol, session relevancy for a large number of concurrent calls runs into a processing-capacity bottleneck.

This dissertation was carried out under the "Secure System of Telecommunication Network" project of the information and technology industry of the National High Technology Research and Development Program 863. Its objective is to analyze the system architecture of the softswitch and the security characteristics of SIP, and to research SIP DoS detection and session relevancy algorithms, in order to provide technical support for the information security of the softswitch. The main contributions and innovations of this dissertation are as follows:

Firstly, a statistical series suited to SIP DoS attack detection is constructed from the characteristics of SIP message interaction, and an adaptive non-parametric cumulative sum algorithm for detecting attacks is proposed. After analyzing the advantages and disadvantages of existing detection algorithms, this dissertation uses the non-parametric cumulative sum algorithm to detect SIP DoS and points out three deficiencies of that detection algorithm: the influence of significant random anomalies, an offset variable set by experience, and the cumulative domino effect. The proposed algorithm adds three adaptive mechanisms. A cumulative abnormal alarm mechanism handles significant anomalies; it gives the detector tolerance to normal random mutations and reduces false positives. The Chebyshev inequality is used to construct an adaptive offset variable that follows changes in SIP service, which improves the detection rate. A cumulative alarm monitoring mechanism eliminates the cumulative domino effect in a timely manner. The simulation results show that the adaptive algorithm improves the probability of true detection and reduces that of false detection.

Secondly, a session relevancy algorithm based on a two-level hash architecture is proposed. It reduces the frequency of memory operations by establishing a vacancy list in advance, in keeping with the characteristics of a real-time concurrent system; a two-level hash table structure is then constructed to associate sessions using two levels of hash operations. The simulation results show that method 1 improves the speed of session relevancy and is generally applicable to concurrent processing in engineering applications; method 2 further improves the speed of session relevancy and reduces the memory space occupied.
Keywords/Search Tags: Session Initiation Protocol, SIP DoS, Adaptive Non-parametric Cumulative Sum Algorithm, Session Relevancy, Hash Algorithm
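As an added illustration that is not code from the thesis, the Python example below runs a non-parametric cumulative sum detector over per-interval SIP INVITE counts and shows how the three deficiencies named in the abstract appear and how adaptive mechanisms of that kind suppress them. The abstract does not give the thesis's statistical series or formulas, so the input series, the way the Chebyshev bound sets the offset, the `confirm` and `quiet` rules, the function names and every parameter value are assumptions made for this example.

```python
import math

# Constructed sample: SIP INVITE requests seen per one-second interval.
COUNTS = [100, 104, 97, 101, 98,      # warm-up baseline
          102, 99, 180, 100, 103,     # one isolated burst (index 7)
          320, 340, 330, 310,         # sustained flood (indices 10-13)
          101, 99, 100, 102]          # traffic back to normal

def chebyshev_k(p):
    """k with 1/k^2 = p, so Chebyshev bounds P(|X - mean| >= k*sigma) by p."""
    return 1.0 / math.sqrt(p)

def detect_flood(counts, warmup=5, p=0.05, threshold=10.0,
                 confirm=2, quiet=2, alpha=0.2):
    """Return the interval indices at which an alarm is raised (assumed design)."""
    k = chebyshev_k(p)
    base = counts[:warmup]
    mean = sum(base) / warmup
    var = sum((c - mean) ** 2 for c in base) / warmup
    cusum, streak, calm, alarms = 0.0, 0, 0, []
    for i in range(warmup, len(counts)):
        x = counts[i]
        sigma = math.sqrt(var) or 1.0
        offset = mean + k * sigma              # adaptive offset, not a hand-set constant
        cusum = max(0.0, cusum + (x - offset) / sigma)   # non-parametric CUSUM step
        if x > offset:
            streak, calm = streak + 1, 0
        else:
            streak, calm = 0, calm + 1
            diff = x - mean                    # learn the baseline from calm samples only
            mean += alpha * diff
            var = (1 - alpha) * (var + alpha * diff * diff)
        if cusum > threshold and streak >= confirm:
            alarms.append(i)                   # needs `confirm` anomalous intervals in a row
        if calm >= quiet:
            cusum = 0.0                        # clear the sum once traffic has stayed calm
    return alarms

if __name__ == "__main__":
    # confirm=0 and a huge quiet value disable both alarm mechanisms.
    print("plain CUSUM    :", detect_flood(COUNTS, confirm=0, quiet=10**9))
    print("with mechanisms:", detect_flood(COUNTS))
```

With both alarm mechanisms disabled, the single burst at index 7 raises an alarm and the sum stays above the threshold long after the flood ends; with them enabled, only the sustained flood is reported.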