Research On Detection Algorithms Of SIP Malformed Messages And Flooding Attacks In Video Surveillance System

Economic is developing and social is progressing, but public security issues has continued to stand out. In the security field, the application of Video Surveillance Systems(VSS) have become more widely used. More and more monitoring equipment have been built and the scale of system is increasing. Now VSS protect the safety of public areas just like a huge net cover the whole society. However, with the construction and application of large-scale VSS, problems have gradually emerged. As lack of a standardized common protocol between different systems, the data are difficult to share. The interoperability has become an important issue restricting the VSS’s further development.To solve this problem, GB/T28181requires all enterprises and institutions to use SIP protocol as a standard protocol when they build VSS.Session Initiation Protocol (SIP) is a signaling control protocol proposed by Internet Engineering Task Force(IETF) in1999. It is Text-based. The main consideration in the design of SIP is the convenience and flexibility but not the safety. There are a variety of attacks on the Internet, DoS flood attack and malformed SIP message attack are two of biggest threats for SIP applications.This paper analyzes the feature of VSS and SIP, studies the principles of SIP DoS flood attack and malformed SIP message attack deeply, investigates the related research at home and abroad, then proposes the improved detection algorithm and defense mechanisms.For DoS attack, we analyzes its impact on the distribution of network traffic and finds traditional entropy algorithm does not consider the dynamic characteristics of network traffic. Based on this, we proposed relative entropy detection algorithm. By comparing the relative entropy of detection phase with training phase to determine whether DoS attack occurs.For malformed message attack, anomaly bias model is used. At first N-gram technique is used to map SIP messages and feature vectors are extracted to build a model of usual messages. Then utilize Euclidean distance to calculates the distance between the usual messages and test messages.when establishing the usual message model, global model and local model are combined in order to increase the detection rate meanwhile does not affect the performance of the algorithm.Combined with the detection of above two attacks, anomaly detection and defense model is presented. This model can protect the security of VSS’s SIP domain to some extent.