Communications English Literature and Translation


Name: Liu Junlin; Class: Communications 143; Student ID: 2014101108

Appendix

I. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared, and their penetration ratio is gradually increasing due to free or cheap call charges and easy subscription. Thus, some subscribers to the PSTN service tend to switch their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to commercial VoIP services and that 50% of all users joined in 2009 in Korea [1]. According to IDC, the number of VoIP users in the US is expected to increase to 27 million in 2009 [2]. Hence, as VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5]. So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. In particular, most current SIP/RTP-based VoIP services supply only a minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP. We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture.
We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept, and presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set is traffic collected over n sampling periods of duration Δt. The testing data set is traffic collected next after the training data set, over the same period. If the HD is close to '1', the testing data set is regarded as anomaly traffic. To use this method, they assumed that the initial training data set did not contain any anomaly traffic. Since this method is based on packet counts, it might not be easily extended to detect anomaly traffic other than flooding. On the other hand, [11] has proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] has suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] has presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, this paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention. We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection methods based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in wireless LAN. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information from wireless LAN packets. Furthermore, we have shown real experiment results from the commercial VoIP network.
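
The Hellinger-distance comparison of a training window against the following testing period, as summarized for [8] above, can be sketched as follows; this is an added example, not code from the paper or from [8]. It uses the standard normalised Hellinger distance, and the attribute set, window size n = 3, fixed threshold of 0.3 and per-period packet counts are constructed assumptions.

```python
import math
from collections import Counter

# Assumed attribute set: SIP message types counted per sampling period.
ATTRS = ("INVITE", "200 OK", "ACK", "BYE")

def distribution(counts):
    """Turn per-attribute packet counts into a probability distribution."""
    total = sum(counts.get(a, 0) for a in ATTRS)
    if total == 0:
        return [0.0] * len(ATTRS)  # empty period: no traffic observed
    return [counts.get(a, 0) / total for a in ATTRS]

def hellinger(p, q):
    """Normalised Hellinger distance: 0 = identical, 1 = disjoint support."""
    return math.sqrt(0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2
                               for a, b in zip(p, q)))

def detect(periods, n=3, threshold=0.3):
    """Compare each period with the pooled counts of the n periods before it.

    Returns (index, hd, flagged) tuples. A flagged period is not added to the
    training window, because the method assumes anomaly-free training data.
    """
    training = list(periods[:n])
    results = []
    for i, test in enumerate(periods[n:], start=n):
        pooled = Counter()
        for c in training:
            pooled.update(c)
        hd = hellinger(distribution(pooled), distribution(test))
        flagged = hd > threshold  # threshold is an assumed, fixed value
        results.append((i, round(hd, 3), flagged))
        if not flagged:
            training = training[1:] + [test]  # slide the training window
    return results

# Constructed sample: packet counts per sampling period of duration Δt.
SAMPLE = [
    {"INVITE": 100, "200 OK": 98, "ACK": 97, "BYE": 95},
    {"INVITE": 110, "200 OK": 105, "ACK": 104, "BYE": 100},
    {"INVITE": 90, "200 OK": 88, "ACK": 88, "BYE": 85},
    {"INVITE": 105, "200 OK": 100, "ACK": 99, "BYE": 97},   # normal
    {"INVITE": 2000, "200 OK": 100, "ACK": 98, "BYE": 96},  # INVITE flood
    {"INVITE": 95, "200 OK": 93, "ACK": 92, "BYE": 90},     # normal again
]

if __name__ == "__main__":
    for index, hd, flagged in detect(SAMPLE):
        print(index, hd, "ANOMALY" if flagged else "ok")
```

Because the input is only per-period packet counts, a forged message that looks like a normal one shifts the distribution only when it arrives in volume, which is the limitation the paragraph above notes for non-flooding anomalies.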

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is not usually encrypted, attackers could extract the fields necessary to reproduce a forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack on the same wireless LAN, because the purpose of the SIP CANCEL
