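English Literature on Communications with Translation
Name: 刘峻霖
Class: Communications Class 143
Student ID: 2014101108
Appendix
I. Original English Text: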
Detecting Anomaly Traffic using Flow Data in the real VoIP network
I. INTRODUCTION
Recently, many SIP[3]/RTP[4]-based VoIP applications and services have appeared and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and 50% of all the users joined in 2009 in Korea [1]. According to IDC, it is expected that the number of VoIP users in US will increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic has been already known [5]. So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. Particularly, most of current SIP/RTP-based VoIP services supply the minimal security function related with authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets which are necessary to detect VoIP source spoofing attacks in WLANs.
II. RELATED WORK
[8] proposed a flooding detection method by the Hellinger Distance (HD) concept. In [8], they have presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling period of duration t. The testing data set collected traffic next to the training data set in the same period. If the HD is close to '1', this testing data set is regarded as anomaly traffic. For using this method, they assumed that initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect other anomaly traffic except flooding. On the other hand, [11] has proposed a VoIP anomaly traffic detection method using Extended Finite State Machine (EFSM). [11] has suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] has presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of the SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, this paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention.

We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates BYE DoS anomaly traffic and RTP flooding anomaly traffic detection method based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in wireless LAN. In this case, it is possible to generate the similar anomaly traffic with normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information of wireless LAN packets. Furthermore, we have shown the real experiment results at the commercial VoIP network.
III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD
A. CANCEL DoS Anomaly Traffic Detection
As the SIP INVITE message is not usually encrypted, attackers could extract fields necessary to reproduce the forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack at the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent the normal call establishment when a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail. We have generated a faked SIP CANCEL message using a sniffed SIP INVITE message. Fields in the SIP header of this CANCEL message are the same as in a normal SIP CANCEL message, because the attacker can obtain the SIP header field from an unencrypted normal SIP message in the wireless LAN environment.

Therefore, as it is impossible to detect the CANCEL DoS anomaly traffic using SIP headers, we use the different values of the wireless LAN frame. That is, the sequence number in the 802.11 frame will tell the difference between a victim host and an attacker. We look into the source MAC address and sequence number in the 802.11 MAC frame including a SIP CANCEL message as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow is changed, it will be highly probable that the CANCEL packet is generated by an unknown user. However, the source MAC address could be spoofed. Regarding 802.11 source spoofing detection, we employ the method in [12] that uses sequence numbers of 802.11 frames. We calculate the gap between n-th and (n-1)-th 802.11 frames. As the sequence number field in a 802.11 MAC header uses 12 bits, it varies from 0 to 4095. When we find that the sequence number gap within a single SIP flow is greater than the threshold value of N that will be set from the experiments, we determine that the SIP host address has been spoofed for the anomaly traffic.
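The MAC and sequence-number check of section III.A, as an added example (written for this page, not the paper's Algorithm 1 or the authors' code). Assumptions: flows are keyed by SIP Call-ID, the gap is computed modulo 4096 so the 4095-to-0 wrap is not mistaken for a jump, N = 5 is a placeholder for the experimentally set threshold, and the frames are constructed sample data.

```python
from dataclasses import dataclass

SEQ_MODULUS = 4096   # 12-bit 802.11 sequence number: 0..4095
THRESHOLD_N = 5      # placeholder; the paper sets N from experiments


@dataclass
class SipFrame:
    call_id: str   # SIP Call-ID, used here as the flow key (assumption)
    method: str    # "INVITE" or "CANCEL"
    src_mac: str   # source MAC of the carrying 802.11 frame
    seq: int       # 802.11 sequence number of that frame


def seq_gap(prev, cur):
    """Forward distance from prev to cur, wrapping 4095 -> 0."""
    return (cur - prev) % SEQ_MODULUS


def check_cancels(frames, threshold_n=THRESHOLD_N):
    """Return (call_id, reason) for each CANCEL failing the MAC or gap check."""
    invites = {}   # call_id -> (source MAC, last sequence number seen)
    alerts = []
    for f in frames:
        if f.method == "INVITE":
            invites[f.call_id] = (f.src_mac, f.seq)
        elif f.method == "CANCEL" and f.call_id in invites:
            mac, last_seq = invites[f.call_id]
            if f.src_mac != mac:
                alerts.append((f.call_id, "source MAC changed"))
            elif seq_gap(last_seq, f.seq) > threshold_n:
                # Same MAC but a counter that does not continue the sender's
                # sequence: the MAC is treated as spoofed.
                alerts.append((f.call_id, "sequence gap over threshold"))
            else:
                invites[f.call_id] = (mac, f.seq)
    return alerts


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = [
    SipFrame("a1", "INVITE", "02:00:00:00:00:aa", 100),
    SipFrame("a1", "CANCEL", "02:00:00:00:00:aa", 103),   # genuine cancel
    SipFrame("b2", "INVITE", "02:00:00:00:00:aa", 4094),
    SipFrame("b2", "CANCEL", "02:00:00:00:00:aa", 2),     # genuine, wraps
    SipFrame("c3", "INVITE", "02:00:00:00:00:aa", 200),
    SipFrame("c3", "CANCEL", "02:00:00:00:00:bb", 201),   # different MAC
    SipFrame("d4", "INVITE", "02:00:00:00:00:aa", 300),
    SipFrame("d4", "CANCEL", "02:00:00:00:00:aa", 2911),  # spoofed MAC
]

if __name__ == "__main__":
    print(check_cancels(SAMPLE_FRAMES))
```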
B. BYE DoS Anomaly Traffic Detection
In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message for security and accounting purposes. However, attackers can reproduce BYE DoS packets through sniffing normal SIP INVITE packets in wireless LANs. The faked SIP BYE message is the same as the normal SIP BYE. Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP header information. After sniffing a SIP INVITE message, the attacker at the same or different subnets could terminate the normal in-progress call, because it could succeed in generating a BYE message to the SIP proxy server. In the SIP BYE attack, it is difficult to distinguish from the normal call termination procedure. That is, we apply the timestamp of RTP traffic for detecting the SIP BYE attack. Generally, after normal call termination, the bi-directional RTP flow is terminated in a brief space of time. However, if the call termination procedure is anomaly, we can observe that a directional RTP media flow is still ongoing, whereas an attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we decide that we watch a directional RTP flow for a long time threshold of N sec after the SIP BYE message. The threshold of N is also set from the experiments.

Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients with INVITE and OK messages including the same Call-ID and 4-tuple (source/destination IP address and port number) of the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason why we use the captured timestamp is that a few RTP packets are observed under 0.5 second. If RTP traffic is observed after the time threshold, this will be considered as a BYE DoS attack, because the VoIP session will be terminated with normal BYE messages.

C. RTP Anomaly Traffic Detection
Algorithm 3 describes an RTP flooding detection method that uses SSRC and sequence numbers of the RTP header. During a single RTP session, typically, the same SSRC value is maintained. If SSRC is changed, it is highly probable that anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we determine that anomaly RTP traffic has happened. As inspecting every sequence number for a packet is difficult, we calculate the sequence number gap using the first, last, maximum and mini
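The BYE DoS check of section III.B (RTP still observed after the BYE timestamp plus N seconds), as an added example written for this page, not the paper's Algorithm 2 or the authors' code. Assumptions: each RTP record has already been matched to its session's Call-ID upstream, N = 2.0 s is a placeholder for the experimentally set threshold, and the events and addresses are constructed sample data.

```python
from dataclasses import dataclass

THRESHOLD_N = 2.0   # seconds; placeholder, the paper sets N from experiments


@dataclass
class Event:
    ts: float       # capture timestamp in seconds
    kind: str       # "INVITE", "OK", "BYE" or "RTP"
    call_id: str    # for RTP: the session this media flow belongs to (assumed)
    src: str        # "ip:port" of the sender


def detect_bye_dos(events, threshold_n=THRESHOLD_N):
    """Return sorted (call_id, src) pairs still sending RTP after BYE + N."""
    sessions = {}   # call_id -> SIP message kinds seen (INVITE / OK)
    deadline = {}   # call_id -> BYE capture time + threshold_n
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("INVITE", "OK"):
            sessions.setdefault(ev.call_id, set()).add(ev.kind)
        elif ev.kind == "BYE":
            # Arm the timer only for sessions set up with INVITE and OK, and
            # keep the first BYE so a repeat cannot push the deadline out.
            if sessions.get(ev.call_id) == {"INVITE", "OK"}:
                deadline.setdefault(ev.call_id, ev.ts + threshold_n)
        elif ev.kind == "RTP":
            limit = deadline.get(ev.call_id)
            if limit is not None and ev.ts > limit:
                flagged.add((ev.call_id, ev.src))
    return sorted(flagged)


# Constructed sample events (documentation addresses, not captured traffic).
SAMPLE_EVENTS = [
    # Call n1: normal termination, one in-flight RTP packet after the BYE.
    Event(0.0, "INVITE", "n1", "192.0.2.10:5060"),
    Event(0.2, "OK", "n1", "192.0.2.20:5060"),
    Event(9.9, "RTP", "n1", "192.0.2.10:4000"),
    Event(10.0, "BYE", "n1", "192.0.2.10:5060"),
    Event(10.3, "RTP", "n1", "192.0.2.20:4002"),
    # Call x9: forged BYE; one direction keeps sending media.
    Event(0.0, "INVITE", "x9", "192.0.2.30:5060"),
    Event(0.3, "OK", "x9", "192.0.2.40:5060"),
    Event(20.0, "BYE", "x9", "192.0.2.30:5060"),
    Event(20.4, "RTP", "x9", "192.0.2.30:4000"),
    Event(23.0, "RTP", "x9", "192.0.2.30:4000"),
    Event(25.0, "RTP", "x9", "192.0.2.30:4000"),
]

if __name__ == "__main__":
    print(detect_bye_dos(SAMPLE_EVENTS))
```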