Communications English-Language Literature and Translation

Uploaded by: 笛音 | Document ID: 37173367 | Upload date: 2018-04-08 | Format: DOC | Pages: 9 | Size: 64KB

Appendix

I. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and 50% of all the users joined in 2009 in Korea [1]. According to IDC, it is expected that the number of VoIP users in the US will increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5]. So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. Particularly, most current SIP/RTP-based VoIP services supply the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in wireless LANs could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets, which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept. In [8], they have presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration t. The testing data set collected the traffic following the training data set over the same period. If the HD is close to 1, this testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect anomaly traffic other than flooding. On the other hand, [11] has proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] has suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] has presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of the SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, this paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.

We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection method based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in wireless LANs. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea
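The Hellinger Distance check that the Related Work section attributes to [8], sketched as an added example; it is not code from this paper or from [8]. The tracked message types, the 0.3 threshold and the per-window counts are assumptions constructed for illustration, and the distance is the standard normalised definition with range 0 to 1.

```python
import math
from collections import Counter

# Assumed feature set: SIP message types counted per sampling period.
FEATURES = ("INVITE", "200_OK", "ACK", "BYE")

def distribution(counts):
    """Turn raw per-type packet counts into a probability vector.
    Returns None for an idle window (nothing to compare)."""
    total = sum(counts.get(f, 0) for f in FEATURES)
    if total == 0:
        return None
    return [counts.get(f, 0) / total for f in FEATURES]

def hellinger(p, q):
    """Hellinger distance between two discrete distributions, in [0, 1]."""
    s = sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))
    return math.sqrt(s / 2.0)

def train(windows):
    """Pool n training windows, assumed anomaly-free, into one baseline."""
    pooled = Counter()
    for w in windows:
        pooled.update(w)
    return distribution(pooled)

def score_windows(baseline, windows, threshold=0.3):
    """Return (index, distance, flagged) per testing window."""
    results = []
    for i, w in enumerate(windows):
        q = distribution(w)
        if q is None:
            results.append((i, None, False))  # idle period: skip scoring
            continue
        d = hellinger(baseline, q)
        results.append((i, d, d > threshold))
    return results

# Constructed sample counts, one dict per sampling period of duration t.
TRAINING = [
    {"INVITE": 50, "200_OK": 48, "ACK": 48, "BYE": 46},
    {"INVITE": 55, "200_OK": 54, "ACK": 53, "BYE": 50},
]
TESTING = [
    {"INVITE": 52, "200_OK": 50, "ACK": 50, "BYE": 47},    # normal mix
    {"INVITE": 5000, "200_OK": 50, "ACK": 50, "BYE": 45},  # INVITE flood
    {},                                                    # idle period
]

if __name__ == "__main__":
    for idx, dist, flagged in score_windows(train(TRAINING), TESTING):
        print(idx, dist, "ANOMALY" if flagged else "ok")
```

Because the score depends only on the mix of packet counts, a forged BYE or CANCEL that leaves the mix unchanged does not move it, which is the limitation the text notes for count-based detection.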
