Research On The Technology Of CSCF Defending In IMS Network

With the development of the communication technology, in order to meet users’increasingly improving demands,3GPP introduced IP Multimedia Subsystem (IMS) based on IPframework in R5version. As the core control entity of IMS, Call Session Control Function(CSCF) faces a lot of security threats because of the security vulnerability of its operating systemand the realization vulnerability of Session Initialization Protocol (SIP). At present, IMS networkhas not provided mature specification and security mechanisms for the security threats faced byCSCF, and the relevant defending technologies also have some limitations:1) Aiming at theintrusion of malicious code, the malformed behavior that CSCF hijacked by attackers may makeexception handling to signaling messages couldn’t be defended effectively.2) Aiming at the SIPflooding attack, recent researches on detection of SIP flooding attacks could not adapt thenetwork environment.3) Aiming at the malformed SIP messages attack, existing methodscouldn’t effectively defend the malformed SIP messages extremely similar with the normal ones.Relying on an863key project, this paper thoroughly analyses the attacks facing by CSCF inIMS network, and research on the appropriate defending technologies of the attacks.In order to solve the problem that CSCF hijacked by attackers may make exceptionhandling to signaling messages, a real-time monitoring system for malformed behavior of CSCFwas proposed. In order to solve the problem that recent researches on detection of SIP floodingattack could not adapt to the network environment, a self-adaptive detection method for SIPflooding attack was proposed. In order to solve the problem that the existing methods couldn’teffectively defend the threat of malformed SIP messages that extremely similar with the normalones, a defending mechanism for malformed SIP messages attack was proposed. The concretecontent is as follows:1) A real-time monitoring system for malformed behavior of CSCF based on signalinghandling rules was proposed. First, according to the signaling handling rules of CSCF, a databaseof signaling handling rules was built by defining the functions of signaling handling rules. Thenthis method simulated the normal handling of CSCF to signaling messages and generated apre-processing message based on the database. At last, matching detection was made betweenthe pre-processing message and the message handled by CSCF using the detection priority levelof the SIP message header. The simulation results prove that this system could effectively detectthe exception handling of CSCF to signaling messages in a short time and about100%detectionrate is achieved, which shows that it could monitor the malformed behavior of CSCF inreal-time.2) A self-adaptive detection method for SIP flooding attack based on SIP state machine wasproposed. First, for the different characteristics of two kinds of SIP flooding attack, thecorresponding SIP state machine with different detection parameters was built. Then an adaptivealgorithm based on Kalman filter was proposed to adjust the detection threshold adaptively,which realized the adaptive detection of SIP flooding attack. The simulation results prove thatthis method could effectively detect SIP flooding attack facing by CSCF and has better detection performance than detection methods using fixed threshold, which is more effective in the realnetwork.3) A defending mechanism for malformed SIP messages attack based on C4.5DecisionTree was proposed. First, the SIP messages were mapped to a high dimension space using then-gram technique, and features were distilled based on the information gain of the sampleattribute. Second, a decision tree model was built using the information gain ratio of the features,and malformed SIP messages were detected and prevented through seeking in the decision treemodel. At last, with the definition of the construction functions of such kinds of SIP messagesand the corresponding sample messages set, the method was demonstrated by simulations. Thesimulation results prove that the mechanism could detect the malformed messages extremelysimilar with the normal ones with94.8%detection rate. This mechanism could effectivelydefend the malformed SIP messages attack with different deformity, and it’s still useful indefending the malformed SIP messages attack facing by the other entities.