Research On Cross-Protocol Anomaly Detection For VoIP Network

Posted on: 2020-01-30; Degree: Master; Type: Thesis
Country: China; Candidate: C T Wu
GTID: 2428330596485803; Subject: Computer Science and Technology
Abstract/Summary:
With the increasing demand for social and personal security, intrusion detection technology has been widely used and rapidly developed over the past decade. Protocol anomaly detection is a new type of intrusion detection technology. It uses data packets of normal protocol behavior as sample data to train a model, and detects intrusions by calculating the deviation between an observation sequence and the normal model. Because protocols are highly regular and universal, protocol anomaly detection has high reliability and versatility. However, with the increasing diversification of network attacks, existing protocol anomaly detection work faces new challenges in terms of accuracy and detection efficiency.

Existing protocol anomaly detection methods can usually detect malicious attacks involving only a single protocol, which limits their applicability in network environments where multiple protocols interact. For example, in a common VoIP network, one session contains two types of protocol data streams: call management over SIP and real-time data transmission over RTP. In addition, RTCP and ICMP jointly monitor the connection status. Cross-protocol attacks are often found in such networks, such as the use of SIP protocol vulnerabilities to spoof packets in order to hijack or interrupt sessions, and guessing attacks that involve both the SIP and RTP protocols. Detection methods that cover only a single protocol and a single malicious attack therefore have low applicability in many real-world network environments. Current protocol anomaly detection technology often trains the protocol models separately and detects intrusions for each type of protocol on its own, ignoring the correlation between protocols and the threat of multi-protocol attacks, which results in poor accuracy and a limited detection range.

In view of these problems, this paper takes anomaly detection in VoIP networks as its research object, determines the detection requirements by summarizing the security threat model of the VoIP network, and proposes an HMM-based cross-protocol anomaly detection method for VoIP networks, which mainly comprises a cross-protocol HMM model training method and the implementation of cross-protocol anomaly detection. The framework not only detects multiple malicious attacks accurately, but also has a certain versatility. The main contributions of this paper are as follows:

1. Proposed an HMM-based anomaly detection architecture for VoIP networks that implements data capture and filtering, data pre-processing, cross-protocol model training, and anomaly detection.

2. Proposed a cross-protocol HMM modeling method. It uses semantic keywords and timestamps to find the association between different protocols, and a message sequence merge algorithm is proposed to generate a multi-protocol message sequence as the observation state set for the cross-protocol HMM. The model is then trained with an optimized Baum-Welch algorithm; because the trained model involves multiple types of protocol behavior, it helps to detect multi-protocol attacks.

3. To detect VoIP network traffic with Cp-HMM, we proposed a multi-level anomaly detection algorithm. It uses a hierarchical anomaly judgment mechanism, assisted by the sub-sequence repetition number feature, to reduce the false negative rate, and deals with abnormalities through hierarchical processing to avoid over-control problems.

4. Constructed a VoIP experimental network and captured normal traffic interactions as training samples to train the SIP & RTP protocol model. Test samples obtained from simulated attack experiments were then used to evaluate the performance of the anomaly detection method. The method not only detects malicious attacks in the VoIP network more accurately, but also has better robustness.
Keywords/Search Tags:HMM, Anomaly detection, Protocol behavior modeling, Cross-protocol detection
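The sketch below is an added example, not code from the thesis: it merges SIP and RTP events of one call into a single timestamp-ordered observation sequence and scores that sequence against an HMM of normal behavior with the scaled forward algorithm. The SDP-port join, the three hidden states, the hand-set probabilities (standing in for Baum-Welch training), the emission floor and the single threshold are all assumptions; the sample events are constructed.

```python
import math

# Constructed sample events, not captured traffic.
SIP = [(0.00, "c1", "INVITE", 4000), (0.12, "c1", "200", 4000),   # (time, call_id,
       (0.15, "c1", "ACK", 4000), (5.00, "c1", "BYE", 4000)]      #  method, sdp_port)
RTP_OK = [(0.20, 4000), (2.00, 4000), (4.50, 4000)]               # (time, dst_port)
RTP_LATE = RTP_OK + [(6.00, 4000), (7.00, 4000)]                  # media after teardown

def merge(sip, rtp, call_id):
    """Join RTP to a SIP call via the SDP media port (assumed keyword),
    then interleave both protocols by timestamp into one symbol sequence."""
    ports = {p for _, c, _, p in sip if c == call_id}
    events = [(t, m) for t, c, m, _ in sip if c == call_id]
    events += [(t, "RTP") for t, p in rtp if p in ports]
    return [sym for _, sym in sorted(events)]

# Hand-set model of a normal call (assumed values, not trained parameters).
STATES = ["SETUP", "MEDIA", "TEARDOWN"]
START = {"SETUP": 1.0, "MEDIA": 0.0, "TEARDOWN": 0.0}
TRANS = {"SETUP": {"SETUP": 0.6, "MEDIA": 0.4, "TEARDOWN": 0.0},
         "MEDIA": {"SETUP": 0.0, "MEDIA": 0.8, "TEARDOWN": 0.2},
         "TEARDOWN": {"SETUP": 0.0, "MEDIA": 0.0, "TEARDOWN": 1.0}}
EMIT = {"SETUP": {"INVITE": 0.4, "200": 0.3, "ACK": 0.3},
        "MEDIA": {"RTP": 1.0},
        "TEARDOWN": {"BYE": 0.9, "200": 0.1}}
FLOOR = 1e-6       # emission probability for symbols a state never produced
THRESHOLD = -1.5   # assumed cut-off on mean log-likelihood per symbol

def avg_loglik(obs):
    """Scaled forward algorithm; returns mean log-likelihood per symbol."""
    alpha = {s: START[s] * EMIT[s].get(obs[0], FLOOR) for s in STATES}
    total = 0.0
    for t, o in enumerate(obs):
        if t > 0:
            alpha = {j: sum(alpha[i] * TRANS[i][j] for i in STATES)
                        * EMIT[j].get(o, FLOOR) for j in STATES}
        norm = sum(alpha.values())          # P(o_t | o_1..o_{t-1})
        total += math.log(norm)
        alpha = {s: a / norm for s, a in alpha.items()}
    return total / len(obs)

def is_anomalous(obs):
    return avg_loglik(obs) < THRESHOLD
```

Neither protocol stream is unusual on its own in the second sample; only the merged sequence shows media following teardown, which is what drives its score below the threshold.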