Name: 劉峻霖   Class: Communications 143   Student ID: 2014101108

Appendix

Part I. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared, and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users in Korea have subscribed to commercial VoIP services and that 50% of all those users joined in 2009 [1]. According to IDC, the number of VoIP users in the US is expected to increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5]. So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation to prevent malicious traffic. Particularly, most current SIP/RTP-based VoIP services supply only the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets can easily be sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication values such as the MD5 digest in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies, called CANCEL and BYE Denial of Service (DoS) and RTP flooding attacks, in this paper, because we found that malicious users in a wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard, which is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets, which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept. In [8], they presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration t. The testing data set collected traffic over the same period immediately after the training data set. If the HD is close to 1, the testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not contain any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect anomaly traffic other than flooding. On the other hand, [11] proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER and RTP flooding, and for REGISTER/INVITE scans. However, the VoIP DoS attacks considered in this paper were not considered there. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, that paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention. We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection methods based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in a wireless LAN. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information from wireless LAN packets. Furthermore, we have shown real experiment results on a commercial VoIP network.

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is not usually encrypted, attackers could extract the fields necessary to reproduce a forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack on the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent normal call establishment while a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail. We generated a faked SIP CANCEL message using a sniffed SIP INVITE message. The fields in the SIP header of this CANCEL message are the same as those of a normal SIP CANCEL message, because the attacker can obtain the SIP header fields from unencrypted normal SIP messages in the wireless LAN environment. Since it is therefore impossible to detect the CANCEL DoS anomaly traffic using SIP headers, we use the differing values in the wireless LAN frame. That is, the sequence number in the 802.11 frame will tell the difference between a victim host and an attacker. We look into the source MAC address and sequence number of the 802.11 MAC frame carrying a SIP CANCEL message, as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow has changed, it is highly probable that the CANCEL packet was generated by an unknown user. However, the source MAC address could be spoofed. Regarding 802.11 source spoofing detection, we employ the method in [12], which uses the sequence numbers of 802.11 frames. We calculate the gap between the n-th and (n-1)-th 802.11 frames. As the sequence number field in an 802.11 MAC header uses 12 bits, it varies from 0 to 4095. When we find that the sequence number gap within a single SIP flow is greater than the threshold value N, which will be set from the experiments, we determine that the SIP host address has been spoofed for the anomaly traffic.

B. BYE DoS Anomaly Traffic Detection

In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message for security and accounting purposes. However, attackers can reproduce BYE DoS packets by sniffing normal SIP INVITE packets in wireless LANs. The faked SIP BYE message is the same as the normal SIP BYE. Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP header information. After sniffing a SIP INVITE message, an attacker on the same or a different subnet could terminate the normal in-progress call, because it could succeed in generating a BYE message to the SIP proxy server. The SIP BYE attack is difficult to distinguish from the normal call termination procedure. Thus, we apply the timestamp of RTP traffic for detecting the SIP BYE attack. Generally, after normal call termination, the bi-directional RTP flow is terminated within a brief space of time. However, if the call termination procedure is anomalous, we can observe that one directional RTP media flow is still ongoing, whereas the attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we decided to watch a directional RTP flow for a time threshold of N sec after the SIP BYE message. The threshold N is also set from the experiments.

Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients from the INVITE and OK messages having the same Call-ID and 4-tuple (source/destination IP address and port number) as the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason why we use the captured timestamp is that a few RTP packets are still observed within 0.5 second. If RTP traffic is observed after the time threshold, this will be considered a BYE DoS attack, because the VoIP session would have been terminated by a normal BYE message.

C. RTP Anomaly Traffic Detection

Algorithm 3 describes an RTP flooding detection method that uses the SSRC and sequence numbers of the RTP header. During a single RTP session, typically, the same SSRC value is maintained. If the SSRC changes, it is highly probable that an anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we determine that anomaly RTP traffic has happened. As inspecting the sequence number of every packet is difficult, we calculate the sequence number gap using the first, last, maximum and minimum sequence numbers. In the RTP header, the sequence number field uses 16 bits, from 0 to 65535. When we observe a wide sequence number gap in our algorithm, we consider it an RTP flooding attack.

IV. PERFORMANCE EVALUATION

A. Experiment Environment

In order to detect VoIP anomaly traffic, we established an experimental environment as shown in Figure 1. In this environment, we employed two VoIP phones with wireless LANs, one attacker, a wireless access router and an IPFIX flow collector. For a realistic performance evaluation, we directly used one of the working VoIP networks deployed in Korea, where an 11-digit telephone number (070-XXXX-XXXX) has been assigned to a SIP phone. With wireless SIP phones supporting 802.11, we could make calls to/from the PSTN or cellular phones. In the wireless access router, we used two wireless LAN cards: one to support the AP service, and the other to monitor 802.11 packets. Moreover, in order to observe VoIP packets in the wireless access router, we modified nProbe [16], an open IPFIX flow generator, to create and export IPFIX flows related to SIP, RTP, and 802.11 information. As the IPFIX collector, we modified libipfix so that it could provide the IPFIX flow decoding function for the SIP, RTP, and 802.11 templates. We used MySQL for the flow DB.

B. Experimental Results

In order to evaluate our proposed algorithms, we generated 1,946 VoIP calls with two commercial SIP phones and a VoIP anomaly traffic generator. Table I shows our experimental results with precision, recall, and F-score, which is the harmonic mean of precision and recall. In CANCEL DoS anomaly traffic detection, our algorithm produced a few false negative cases, which were related to the gap threshold of the sequence number in the 802.11 MAC header. The average F-score value for detecting the SIP CANCEL anomaly is 97.69%. For the BYE anomaly tests, we generated 755 BYE messages including 118 BYE DoS anomalies in the experiment. The proposed BYE DoS anomaly traffic detection algorithm found 112 anomalies with an F-score of 96.13%. If an RTP flow is terminated before the threshold, we regard the anomaly flow as a normal one. In this algorithm, we extract RTP session information from INVITE and OK or session description messages using the same Call-ID as the BYE message. It is possible not to capture those packets, resulting in a few false-negative cases. The RTP flooding anomaly traffic detection experiment for 810 RTP sessions resulted in an F-score of 98%. The reason for the false-positive cases was related to the sequence number in the RTP header. If the sequence numbers of anomaly traffic overlap with the range of the normal traffic, our algorithm will consider it as normal traffic.

V. CONCLUSIONS

We have proposed a flow-based anomaly traffic detection method against SIP- and RTP-based anomaly traffic in this paper. We presented VoIP anomaly traffic detection methods with flow data on the wireless access router. We used the IETF IPFIX standard to monitor SIP/RTP flows passing through wireless access routers, because its template architecture is easily extensible to several protocols. For this purpose, we defined two new IPFIX templates for SIP and RTP traffic and four new IPFIX fields for 802.11 traffic. Using these IPFIX flow templates, we proposed CANCEL/BYE DoS and RTP flooding traffic detection algorithms. From experimental results on the working VoIP network in Korea, we showed that our method is able to detect three representative VoIP attacks on SIP phones. In the CANCEL/BYE DoS anomaly traffic detection method, we employed threshold values for time and sequence number gap to classify normal and abnormal VoIP packets. This paper has not presented test results about suitable threshold values. For future work, we will show experimental results on the evaluation of the threshold values for our detection method.

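As an added example (not code from the paper or from the student's translation), the three detection rules of Section III written in Python over flow records that are assumed to be already decoded from the SIP/RTP/802.11 IPFIX templates; the class names, the Call-ID to RTP 4-tuple bookkeeping, the result strings and the RTP gap formula are my own reading of the text, since Algorithms 1 to 3 themselves are not reproduced on this page, and all sample values in the checks are constructed.

```python
# Added example: the three flow-based detectors of Section III, run over flow
# records assumed to be decoded already from the SIP/RTP/802.11 IPFIX templates.
from typing import Dict, List, Tuple

SEQ_80211_MOD = 4096   # 12-bit 802.11 sequence number field (0..4095)
SEQ_RTP_MOD = 65536    # 16-bit RTP sequence number field (0..65535)


def fwd_gap(prev: int, cur: int, mod: int) -> int:
    """Forward distance from prev to cur on a wrapping counter."""
    return (cur - prev) % mod


class CancelDosDetector:
    """Algorithm 1: CANCEL vs. saved INVITE flow by 802.11 MAC and seq gap ([12])."""
    def __init__(self, seq_gap_threshold: int) -> None:
        self.threshold = seq_gap_threshold              # N from the experiments
        self.invites: Dict[str, Tuple[str, int]] = {}   # Call-ID -> (MAC, seq)
    def on_invite(self, call_id: str, src_mac: str, seq: int) -> None:
        self.invites[call_id] = (src_mac, seq)
    def on_cancel(self, call_id: str, src_mac: str, seq: int) -> str:
        if call_id not in self.invites:
            return "unknown-call"
        inv_mac, inv_seq = self.invites[call_id]
        if src_mac != inv_mac:
            return "cancel-dos:mac-changed"
        if fwd_gap(inv_seq, seq, SEQ_80211_MOD) > self.threshold:
            return "cancel-dos:seq-gap"                 # MAC kept, seq jumped
        return "normal"


class ByeDosDetector:
    """Algorithm 2: RTP still flowing more than N sec after a BYE means a forged BYE."""
    def __init__(self, n_sec: float) -> None:
        self.n_sec = n_sec
        self.rtp_to_call: Dict[Tuple, str] = {}   # RTP 4-tuple -> Call-ID
        self.deadline: Dict[str, float] = {}      # Call-ID -> BYE ts + N
    def on_session(self, call_id: str, rtp_4tuple: Tuple) -> None:
        self.rtp_to_call[rtp_4tuple] = call_id    # learned from INVITE/OK SDP
    def on_bye(self, call_id: str, ts: float) -> None:
        self.deadline[call_id] = ts + self.n_sec
    def on_rtp(self, rtp_4tuple: Tuple, ts: float) -> str:
        call_id = self.rtp_to_call.get(rtp_4tuple)
        if call_id in self.deadline and ts > self.deadline[call_id]:
            return "bye-dos"
        return "normal"


def rtp_flooding(ssrcs: List[int], first: int, last: int,
                 seq_min: int, seq_max: int, threshold: int) -> str:
    """Algorithm 3 as I read it: changed SSRC, or a seq range far wider than
    the flow's own first-to-last progression (wrap taken the short way)."""
    if len(set(ssrcs)) > 1:
        return "rtp-flood:ssrc-changed"
    span = seq_max - seq_min
    width = min(span, SEQ_RTP_MOD - span)     # shorter way round the 16-bit ring
    if width - fwd_gap(first, last, SEQ_RTP_MOD) > threshold:
        return "rtp-flood:seq-gap"
    return "normal"
```

The wrap handling is what keeps a legitimate 802.11 counter rolling over from 4095 to 0, or an RTP flow crossing 65535, from being counted as a gap; the overlap case the paper names as a source of misclassification (injected sequence numbers inside the normal range) is still reported as normal here.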
