
Detection of Denial-of-Service and Call Disruption Attacks in SIP-Based VoIP Systems

Detection of Flooding and Call Disruption Attacks on SIP based VoIP Systems

Abstract / Summary

This dissertation provides an in-depth analysis of the existing security threats, namely call disruption attacks and flooding attacks, in SIP (Session Initiation Protocol) based VoIP (Voice over IP) systems. It also discusses the goals and requirements of detection schemes for reliable SIP based VoIP systems. This dissertation presents various enhanced detection schemes against such attacks, as they degrade the QoS (Quality of Service) of the systems. The first scheme is the detection of SIP flooding attacks based on the upper bound of the possible number of SIP messages, which is an effective detection method for SIP flooding attacks that deals with the problems of conventional schemes. We derive the upper bound of the possible number of SIP messages, considering not only the network congestion status but also the different properties of individual SIP messages such as INVITE, BYE and CANCEL. This method can be easily extended to detect flooding attacks by other SIP messages. However, the attack signatures of such attacks cannot be easily classified, since they may be frequently modified and newly created. This makes it difficult to provide an additional countermeasure scheme after detecting the attacks. Therefore, we also propose a Bloom filter based SIP flooding attack detection scheme. This scheme uses a Bloom filter to classify SIP flooding attacks whose attack signatures are defined according to the modulated message pattern. For call disruption attacks, we propose an effective detection method for those attacks (CANCEL, BYE or REGISTER attacks) without authentication or encryption schemes. To achieve that, an extended INFO method is used to deal with the security threats; it can be applied in both pre-call and mid-call VoIP mobility environments without additional functions or systems.
The performance of our proposed schemes is evaluated in terms of attack detection time, system resource cost (memory, CPU consumption and so on) and effectiveness of the schemes, both in simulation and analytically.


Table of Contents

ACKNOWLEDGEMENTS
ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES
CHAPTER 1
INTRODUCTION
1.1 Motivation
1.2 Thesis Objectives
1.3 Thesis Contribution
1.4 Thesis Contribution
CHAPTER 2
BACKGROUND
2.1 SIP Overview
2.2 Session Establishment
2.2.1 Session Cancellation
2.2.2 Session Termination
2.2.3 Session Registration
2.3 SIP Security Threat Issues
2.3.1 SIP Flooding Attack Overview
2.3.2 SIP Call Disruption Attack Overview
2.4 Security Threats Issues on SIP based Mobility Environment
2.4.1 Pre-call Mobility
2.4.2 Mid-call Mobility
2.4.3 REGISTER Attack related to Pre-call Mobility
2.4.4 re-INVITE Attack in Mid-call Mobility
2.5 Bloom Filter Overview
CHAPTER 3
DETECTION OF SIP FLOODING ATTACKS BASED ON THE UPPER BOUND OF THE POSSIBLE NUMBER OF SIP MESSAGES
3.1 SIP Retransmission Mechanism
3.1.1 Retransmission of INVITE Request Messages
3.1.2 Retransmission of non-INVITE Request Messages
3.2 Upper Bound of the Possible Number of SIP Messages
3.3 Detection of SIP Flooding Attacks
3.3.1 Algorithm 1: Detection of INVITE Flooding Attacks
3.3.2 Algorithm 2: Detection of BYE Flooding Attacks
3.3.3 Algorithm 3: Detection of CANCEL Flooding Attacks
3.4 Experimental Results
3.4.1 Effect of Retransmission Rate
3.4.2 Effectiveness of Algorithm 1
3.4.3 Effectiveness of Algorithm 2
3.4.4 Effectiveness of Algorithm 3
3.5 Discussion
3.6 Summary
CHAPTER 4
DETECTION OF SIP FLOODING ATTACK BASED ON BLOOM FILTER
4.1 Classification of SIP Flooding Attacks
4.1.1 Bloom Filter based SIP Flooding Attack Classification
4.1.2 SIP Flooding Attack Detection Algorithm based on Bloom filter
4.2 Performance Evaluation
4.3 Summary
CHAPTER 5
DETECTION OF SIP CALL-DISRUPTION ATTACK ON SIP BASED VOIP SYSTEMS
5.1 Extension of the INFO Method for Detection of Call Disruption Attacks
5.1.1 INFO Method
5.1.2 Extension of the INFO Method
5.1.3 Example Usage of an INFO Method against a CANCEL Attack
5.1.4 Example Usage of an INFO Method against and a BYE Message Attack Detection
5.1.5 Example Usage of an INFO Method against a REGISTER Attack in Pre-call Mobility
5.1.6 Example of the Use of the INFO Method against a re-INVITE Attack in Mid-call Mobility
5.2 A Weakness of Proposed scheme
5.3 Hybrid Detection Scheme for Call disruption attacks
5.4 Performance Evaluation
5.5 Summary
CHAPTER 6
CONCLUSION AND FUTURE WORK
REFERENCES
List of Publications
