

Research on the Key Technologies of Intrusion and Prevention System in SIP Network

【Author】 李鸿彬 (Li Hongbin)

【Advisor】 林浒 (Lin Hu)

【Author information】 Graduate University of the Chinese Academy of Sciences (Shenyang Institute of Computing Technology), Computer Application Technology, 2012, PhD

【Abstract (translated from the Chinese)】 With the large-scale deployment and commercial use of the IP Multimedia Subsystem (IMS), the core position of IMS in the Next Generation Network (NGN) is now unshakable, and the security of the Session Initiation Protocol (SIP) used by IMS has become the foremost problem that major operators at home and abroad must consider when offering value-added services. At present most operators deploy a Session Border Controller (SBC) as the security-controllable network access device for fixed-line IP access to the IMS. The SBC, however, mainly performs topology hiding, media stream shaping, NAT traversal, access control and media encryption; it does not perform real-time detection and prevention in the fixed IP network. A SIP-based intrusion detection and prevention system, by contrast, is an intelligent, active solution: it uses efficient detection algorithms to detect SIP intrusions as they occur and applies a response that blocks or mitigates the intrusion in real time, so that the SIP server / IMS is protected from substantive malicious attacks. This dissertation studies several key technologies of intrusion detection and prevention in SIP networks. The main work and results are:

1. With reference to the RFC 3261 specification and the rule definitions of the SIP protocol, a secure rule-based method for detecting and preventing SIP malformed messages is proposed, and a system for rapid detection of SIP malformed-message attacks is designed. SIP malformed messages and the malformed-message attack process are analyzed, a generic data model is abstracted from the characteristics of SIP, and, drawing on the Snort and Netfilter frameworks, an efficient SIP malformed-message detection and prevention system is implemented in the Linux kernel.

2. Through an in-depth study of the principle, modes and characteristics of SIP DoS attacks and of the typical flooding attacks faced by SIP networks, a defense model for single-source SIP flooding attacks that combines dynamic threshold adjustment with real-time dynamic defense is designed. The traffic characteristics of SIP flooding attacks are analyzed; for real-time defense against SIP DoS, a traffic anomaly detection algorithm based on a sliding time window and a dynamic threshold adjustment algorithm are proposed, and a time-penalty algorithm is used to reduce the false-positive rate. With this model the system can effectively stop the SIP server / IMS from being overwhelmed when a single-source flooding attack occurs, preserving the real-time availability of the network.

3. An attack mitigation method based on security-level settings is proposed. Using the characteristics of SIP itself and the history of SIP messages, messages are classified into security levels according to their history and the protocol, and flooding attacks are detected by traffic monitoring. When a distributed flooding attack occurs, an appropriate security level is set to weaken its impact; the method is applied within the two-level DoS defense architecture.

4. A two-level defense architecture against SIP distributed flooding attacks (TDASDFA) is proposed, consisting of a first-level defense subsystem (FDS) and a second-level defense subsystem (SDS). The FDS performs coarse-grained detection and defense on the SIP signaling flow, filtering out non-VoIP messages and dropping SIP signaling from IP addresses that exceed a specified rate, so that the service stays available; the SDS performs fine-grained detection and defense, using the security-level-based mitigation method to detect and filter malicious attacks with obvious DoS features as well as low-rate attacks. FDS and SDS work together to monitor the network state in real time and mitigate distributed SIP flooding attacks.

5. For the real-time requirements of SIP instant messaging, the behavioral characteristics of SPIM (spam over SIP instant messaging) in SIP networks and the efficiency of black/white-list detection are studied, and a SPIM detection and prevention model based on social networks and a black/white-list mechanism is proposed. The model combines a social-network-based recognition model with an improved black/white-list mechanism and uses an automatic update algorithm to keep the recognition model current, improving the detection performance and accuracy for SIP spam instant messages. Finally, a two-layer fused-classifier detection and prevention mechanism is proposed; the above results are applied in the parts of the fused classifier, and the feasibility and effectiveness of the design are verified experimentally.

【Abstract】 With the large-scale deployment and commercial application of the IP Multimedia Subsystem (IMS), IMS has become the core control layer of the Next Generation Network (NGN), and the security of the Session Initiation Protocol (SIP) in IMS has become the most important problem that major carriers at home and abroad must consider when providing value-added services. At present most carriers deploy a Session Border Controller (SBC) as the secure network access device for the fixed-IP network. The SBC mainly performs topology hiding, media stream shaping, NAT traversal, access control and media encryption; it cannot perform real-time detection and prevention in the fixed-IP network. A SIP-based intrusion detection and prevention system is an intelligent, active system that detects SIP intrusions as they occur with efficient detection algorithms and terminates or mitigates them in real time through a response action, so that the SIP/IMS system is protected from substantive attacks. This dissertation studies several key technologies of intrusion detection and prevention in SIP networks. The main work and contributions are as follows.

1. Taking the technical specification of RFC 3261 as reference and following the rule definitions of SIP, a secure rule-based detection and prevention method against SIP malformed messages is presented, and a defense system for rapid detection of SIP malformed-message attacks that uses this method is designed. A common data model is abstracted from the characteristics of the SIP protocol and, drawing on the architecture of Snort and Netfilter, an efficient detection and prevention system against SIP malformed-message attacks is implemented in the Linux kernel.

2. Through in-depth analysis of the principle, modes and characteristics of SIP DoS and of flooding attacks in SIP networks, a prevention model for SIP flooding attacks that combines dynamic threshold adjustment with real-time dynamic prevention is proposed. From the flow characteristics of SIP flooding attacks, a traffic anomaly detection algorithm based on a sliding time window and a dynamic threshold adjustment algorithm are designed, and a time penalty algorithm is used to reduce false positives. A SIP/IMS system that deploys this model can effectively prevent single-source SIP flooding attacks and ensure real-time network availability.

3. To reduce the impact of SIP distributed flooding attacks on the SIP/IMS system, a mitigation method based on security levels is proposed. According to the characteristics of SIP and the history of SIP messages, messages are classified by their session history and by the protocol itself, and attacks are signalled by traffic monitoring. When a distributed flooding attack occurs, the method sets a suitable security level to weaken the impact of the attack; it is used within the two-level DoS defense architecture.

4. A two-level defense architecture against SIP distributed flooding attacks (TDASDFA) is presented, composed logically of a first-level defense subsystem (FDS) and a second-level defense subsystem (SDS). The FDS performs coarse-grained detection and defense on the SIP signaling stream, filtering out non-VoIP messages and discarding SIP messages from IP addresses that exceed the specified rate, to ensure service availability. The SDS performs fine-grained detection and defense, using the security-level-based mitigation method to identify stealthy attacks and low-rate attacks with clear features of malicious DoS. Together, FDS and SDS monitor the network state in real time and weaken SIP distributed flooding attacks.

5. To meet the real-time requirement of SIP instant messaging, the behavioral characteristics of SIP instant-messaging spam (SPIM) in SIP networks and the efficiency of black/white-list detection are discussed, and a SPIM detection and prevention model based on social networks and a black/white-list mechanism is proposed. The model combines a social-network-based recognition model with an improved black/white-list mechanism and is updated automatically by an auto-update algorithm. As a result, SPIM detection performance and accuracy are improved. Finally, a two-layer fused-classifier detection and prevention mechanism is proposed; the above contributions are applied to the parts of the fused classifier, and the feasibility and effectiveness of the designed mechanism are verified.
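A minimal rule checker of the kind contribution 1 describes, added here as an example; it is not the dissertation's kernel-level (Netfilter) implementation but a user-space illustration of the rule stage. It applies RFC 3261 requirements to one SIP request: the request-line syntax, the six header fields every request must carry (To, From, CSeq, Call-ID, Max-Forwards, Via), agreement between the CSeq method and the request method, and Content-Length against the actual body. The header-length limit, the allowed-method list and the sample messages are assumptions constructed for the example.

```python
"""Rule-based check for malformed SIP requests (added example, not the dissertation's code).

RFC 3261 requirements applied: the request line is "Method Request-URI SIP/2.0"
(section 7.1); every request carries To, From, CSeq, Call-ID, Max-Forwards and
Via (section 8.1.1); the CSeq method equals the request method; Content-Length,
when present, equals the body length (section 20.14). The header-length limit,
the method list and the sample messages below are assumptions for this example.
"""
from __future__ import annotations

import re

MANDATORY_REQUEST_HEADERS = ("to", "from", "cseq", "call-id", "max-forwards", "via")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}  # assumption: site policy
MAX_HEADER_VALUE_LEN = 1024  # assumption: rule aimed at overlong-header (buffer overflow) probes
# Compact header names (RFC 3261 section 7.3.3) that matter for these rules.
COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via", "l": "content-length"}
REQUEST_LINE = re.compile(r"^([A-Za-z]+) (sips?:\S+) SIP/2\.0$")


def check_request(raw: bytes) -> list[str]:
    """Return the rule violations found in one SIP request; an empty list means it passed."""
    violations: list[str] = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in message"]
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return ["missing CRLF CRLF terminator after headers"]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return [f"bad request line: {lines[0]!r}"]
    method = m.group(1)
    if method not in KNOWN_METHODS:
        violations.append(f"method {method} not allowed")

    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            violations.append(f"malformed header line: {line!r}")
            continue
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE_LEN:
            violations.append(f"{name} value exceeds {MAX_HEADER_VALUE_LEN} bytes")
        headers.setdefault(name, []).append(value)

    for h in MANDATORY_REQUEST_HEADERS:
        if h not in headers:
            violations.append(f"missing mandatory header {h}")

    if "cseq" in headers:
        parts = headers["cseq"][0].split()
        if len(parts) != 2 or not parts[0].isdigit():
            violations.append(f"malformed CSeq {headers['cseq'][0]!r}")
        elif parts[1] != method:
            violations.append(f"CSeq method {parts[1]} does not match request method {method}")

    if "max-forwards" in headers and not headers["max-forwards"][0].isdigit():
        violations.append("Max-Forwards is not an integer")

    if "content-length" in headers:
        cl = headers["content-length"][0]
        if not cl.isdigit():
            violations.append(f"Content-Length is not an integer: {cl!r}")
        elif int(cl) != len(body):
            violations.append(f"Content-Length {cl} does not match body length {len(body)}")
    return violations


# Constructed sample messages (not captured traffic).
GOOD_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Via dropped and CSeq method changed: the kind of inconsistency a fuzzer produces.
BAD_CSEQ = GOOD_INVITE.replace(
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n", b""
).replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE")
# Overlong To header: the classic buffer-overflow style malformed message.
OVERLONG = GOOD_INVITE.replace(
    b"To: Bob <sip:bob@example.com>", b"To: <sip:" + b"A" * 4000 + b"@example.com>"
)
# Content-Length larger than the body: can make a parser wait for data that never comes.
BAD_LENGTH = GOOD_INVITE.replace(b"Content-Length: 0", b"Content-Length: 512")

if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("bad_cseq", BAD_CSEQ),
                       ("overlong", OVERLONG), ("bad_length", BAD_LENGTH)):
        print(label, check_request(msg) or "ok")
```

The checker returns every violation rather than stopping at the first, which is what a prevention rule set needs for logging; a kernel-path implementation would drop the packet at the first hit. Note that the rules are deliberately stricter than RFC 3261 in one place (the header-length bound), because that rule targets a class of attack rather than a protocol error.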

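The single-source flood model of contribution 2 (sliding time window, dynamically adjusted threshold, time penalty), which is also what the FDS of contribution 4 applies per source IP, as an added example written for this page rather than taken from the dissertation. The concrete choices are assumptions: the threshold is a multiple of an exponentially weighted baseline learned once per window from sources that stayed under the threshold; the time penalty is the time a source has spent above the threshold, forgiven at a fixed rate while it behaves; a source is dropped only when that penalty reaches a limit, so a short legitimate burst is not blocked. The constants and the traffic are constructed.

```python
"""Sliding-window SIP flood detector with dynamic threshold and time penalty.

Added example written for this page; it is not the dissertation's code.
Assumptions: the per-source threshold is a multiple of an exponentially
weighted baseline learned, once per window, from sources that stayed under
the threshold; the "time penalty" is the time a source has spent above the
threshold, forgiven at a fixed rate while it behaves; a source is dropped only
when that penalty reaches a limit. Constants and traffic are constructed.
"""
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SourceState:
    arrivals: deque = field(default_factory=deque)  # timestamps inside the sliding window
    epoch_count: int = 0          # requests seen in the current learning epoch
    penalty: float = 0.0          # seconds spent above threshold, minus forgiveness
    last_seen: float | None = None
    blocked_until: float = 0.0


class FloodDetector:
    def __init__(self, window=1.0, floor=20, multiplier=4.0, alpha=0.1,
                 penalty_limit=2.0, penalty_decay=1.0, block_time=30.0):
        self.window = window                # sliding window and learning epoch, seconds
        self.floor = floor                  # threshold never drops below this count
        self.multiplier = multiplier        # threshold = multiplier * baseline
        self.alpha = alpha                  # EWMA smoothing factor
        self.baseline = floor / multiplier  # EWMA of normal requests per source per window
        self.penalty_limit = penalty_limit  # seconds above threshold before blocking
        self.penalty_decay = penalty_decay  # penalty seconds forgiven per quiet second
        self.block_time = block_time
        self.epoch_end: float | None = None
        self.sources: dict[str, SourceState] = defaultdict(SourceState)

    @property
    def threshold(self) -> int:
        return max(self.floor, round(self.multiplier * self.baseline))

    def _roll_epoch(self, now: float) -> None:
        """Once per window, learn the baseline from sources that were not over threshold."""
        if self.epoch_end is not None and now >= self.epoch_end:
            normal = [s.epoch_count for s in self.sources.values()
                      if 0 < s.epoch_count <= self.threshold and s.blocked_until <= now]
            if normal:
                self.baseline += self.alpha * (sum(normal) / len(normal) - self.baseline)
            for s in self.sources.values():
                s.epoch_count = 0
        if self.epoch_end is None or now >= self.epoch_end:
            self.epoch_end = (math.floor(now / self.window) + 1) * self.window

    def observe(self, src: str, now: float) -> str:
        """Record one SIP request from src at time now; return 'pass', 'alert' or 'drop'."""
        self._roll_epoch(now)
        st = self.sources[src]
        if now < st.blocked_until:
            return "drop"
        elapsed = 0.0 if st.last_seen is None else now - st.last_seen
        st.last_seen = now
        st.epoch_count += 1
        st.arrivals.append(now)
        while st.arrivals[0] <= now - self.window:  # slide the window forward
            st.arrivals.popleft()
        if len(st.arrivals) > self.threshold:
            st.penalty += elapsed                   # time above threshold accumulates
            if st.penalty >= self.penalty_limit:    # sustained excess, not a short burst
                st.blocked_until = now + self.block_time
                st.penalty = 0.0
                st.arrivals.clear()
                return "alert"
            return "pass"
        st.penalty = max(0.0, st.penalty - self.penalty_decay * elapsed)
        return "pass"


def run(events: list[tuple[float, str]]) -> dict[str, dict[str, int]]:
    """Feed (timestamp, source) events in time order; tally verdicts per source."""
    det = FloodDetector()
    tally: dict[str, dict[str, int]] = defaultdict(lambda: {"pass": 0, "alert": 0, "drop": 0})
    for now, src in sorted(events):
        tally[src][det.observe(src, now)] += 1
    return dict(tally)


def sample_traffic() -> list[tuple[float, str]]:
    """Constructed traffic: three phones at 2 requests/s for 40 s, and one
    source flooding at 500 requests/s from t=5 s to t=15 s."""
    events = [(i / 2 + 0.01 * k, src)
              for i in range(80)
              for k, src in enumerate(("10.0.0.11", "10.0.0.12", "10.0.0.13"))]
    events += [(5.0 + i / 500, "198.51.100.7") for i in range(5000)]
    return events


if __name__ == "__main__":
    for src, counts in run(sample_traffic()).items():
        print(src, counts)
```

With the constructed traffic the three phones are never touched, while the flooder crosses the threshold on its 21st request, accumulates the two-second penalty, is blocked after roughly 1,000 further requests and has the rest of its flood dropped. Two caveats a practitioner should keep in mind: the baseline learns only from sources that stayed under the current threshold, so a slow ramp-up by one source can sit just under the threshold without ever raising an alert, which is the low-rate case the dissertation hands to the fine-grained SDS; and the per-source state must be bounded (expired sources evicted) or a distributed flood turns the detector itself into a memory-exhaustion target.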