CN101459561A - Apparatus and method for detecting SIP message flooding attack based on CUSUM algorithm - Google Patents


Publication number: CN101459561A (granted as CN101459561B)
Authority: CN (China)
Application number: CNA2009100763100A
Original language: Chinese (zh)
Other versions: CN101459561B (en)
Inventors: 孙其博, 闫丹凤, 杨放春, 龙湘明, 王尚广
Original and current assignee: Beijing University of Posts and Telecommunications
Prior art keywords: invite, message, module, register, sip
Legal status: granted; Expired - Fee Related


Abstract

The invention relates to a device and a method for detecting SIP message flooding attacks based on the CUSUM algorithm. The device consists of functional modules arranged in four layers: an acquisition layer, a data layer, a detection layer and a response layer. A packet-capture module in the acquisition layer collects SIP packets from the network; a module in the data layer preprocesses the SIP packets received from the acquisition layer and separately stores the total numbers of captured INVITE and REGISTER messages; a CUSUM module in the detection layer applies the CUSUM algorithm to the stored INVITE and REGISTER counts and outputs a detection result. An alarm module in the response layer decides whether the detection result warrants an alarm: if the result exceeds a preset threshold, an SIP message flooding attack is considered to be under way and an alarm signal is issued; otherwise the network is considered to be operating normally. The device and method are simple, practical and easy to implement, and can effectively detect flooding attacks against SIP messages in an NGN network.

Description

Apparatus and method for detecting SIP message flooding attacks based on the CUSUM algorithm
Technical field
The present invention relates to a method for ensuring the secure transmission of network information; more precisely, it relates to an apparatus and method for detecting SIP message (INVITE and REGISTER message) flooding attacks based on the CUSUM algorithm, and belongs to the technical field of network information security.
Background technology
The Next Generation Network (NGN) uses the Session Initiation Protocol (SIP) to create, manage and terminate multimedia services carrying all kinds of messages through its session control mechanism. NGN is a milestone in the history of telecommunications and marks the arrival of a new generation of telecommunication networks. With the rapid spread of computer networks and the continuous emergence of new telecommunication services, network security problems have gradually penetrated every area of social life and are becoming increasingly severe. Because NGN is IP-based and has an open networking architecture, the telecommunication network will face the same challenges from all kinds of security threats that the Internet originally faced.
Among the many security problems, flooding attacks with SIP messages seriously threaten the safety of NGN networks; of these, INVITE message attacks and REGISTER message attacks are the most common. The two attacks work on a similar principle: the attacker sends a large number of the relevant messages to the target, so that the attacked server is busy handling this flood of messages and exhausts its resources, can no longer process normal, legitimate messages, and the whole communication network is paralysed. Flooding attacks with INVITE and REGISTER messages look simple, but they are quite difficult to defend against: on the one hand, the packets used in an SIP message flooding attack are all normal packets, which the network server cannot refuse or block during normal operation; on the other hand, the attacker does not need to receive any return information from the target host and can therefore spoof the source IP address of the IP packets, so the attacking host cannot be traced. The detection and blocking of these messages is therefore very difficult, which gives attackers or terrorists who want to undermine network security their opportunity. Network security problems therefore not only affect the normal operation of the telecommunication network but may also cause huge losses to national security and the national economy, losses whose impact is no less than that of a terrorist attack. For example, the flooding attack that occurred in 2003 caused large-scale blocking of the Internet in North America, Europe and Asia; according to estimates at least 22,000 network servers and 250,000 computers were attacked, and the national network of South Korea, the worst affected, was paralysed for a full 24 hours, causing huge losses that were difficult to recover. An effective detection method that finds such network-endangering flooding attacks in time is therefore urgently needed, so that corresponding measures can be taken promptly to contain the spread and development of flooding attacks.
Since 2002, H. Wang of the University of Michigan, Ann Arbor (USA), Tao Peng of the University of Melbourne (Australia), Moustakides of Sai Sali University (Greece) and others have successively proposed using the non-parametric CUSUM algorithm to detect SYN flooding attacks on the Internet. Yacine Rebahi and colleagues at the Institute for Open Communication Systems in Germany have used the same algorithm to detect SIP flooding attacks in IMS networks. In China, since 2005, researchers at the PLA Information Engineering University, Chen Wei of Nanjing University of Posts and Telecommunications, researchers at Nanjing University, Yu Ming of Dalian University of Technology and others have successively applied the algorithm to research on SYN flooding attacks on the Internet. So far, however, domestic use of the CUSUM method to detect flooding attacks has remained at the level of TCP messages, and research results on the detection of and defence against SIP message flooding attacks are almost non-existent; the main reason is that operators have not yet introduced NGN to the market.
Every telecom operator and administrative department is therefore eager to use the NGN network to provide carrier-class services, but the security problems described above have clearly slowed this trend. How to develop, as early as possible, an apparatus and method that can effectively detect SIP message flooding attacks as they occur, in order to contain the spread and development of this type of attack and provide good guarantees of secure transmission and quality of service for NGN communication services, has become an urgent and unavoidable task for scientific and technical personnel in the industry.
Summary of the invention
In view of this, the purpose of the present invention is to provide an apparatus and method for detecting SIP message flooding attacks based on the non-parametric cumulative sum (CUSUM) algorithm. The detection apparatus of the present invention, built around a CUSUM detection module, is deployed in the next-generation telecommunication network and can efficiently and accurately detect flooding attacks against SIP messages in the NGN network, providing a security guarantee for NGN communication services; the detection apparatus has a simple structure and high sensitivity and is easy to implement, and the detection method has low computational complexity, is convenient to operate, is easy to deploy and maintain, detects quickly and has a high detection rate.
To achieve the above object, the invention provides a device for detecting SIP message flooding attacks based on the non-parametric cumulative sum (CUSUM) algorithm, characterised in that the device is composed of the functional modules of a four-layer architecture consisting of an acquisition layer, a data layer, a detection layer and a response layer, wherein:
The acquisition layer is provided with a packet-capture module that calls UNIX/LINUX system functions and uses the SIP protocol stack to capture SIP packets transmitted in the network, thereby collecting the SIP packets in the network;
The data layer is responsible for preprocessing the SIP packets from the acquisition layer and separately storing the numerical values obtained for INVITE and REGISTER messages; it is provided with a data preprocessing module that separately accumulates the counts of INVITE and REGISTER messages in the SIP packets, and with an INVITE value storage module and a REGISTER value storage module that store the statistics for INVITE and REGISTER messages respectively, for the detection layer to call;
The detection layer is provided with functional modules that process the INVITE and REGISTER message values separately using the non-parametric cumulative sum (CUSUM) algorithm; it is responsible for calling the INVITE and REGISTER message values stored in the data layer and applying the CUSUM algorithm to those values, obtaining the detection result;
The response layer is provided with an alarm module that receives the detection result data from the detection layer and decides whether to raise an alarm: when the detection result data exceed the threshold preset in the response layer, the alarm module considers that an SIP message flooding attack is under way and sends an alarm signal; otherwise the network is operating normally and no SIP message flooding attack has occurred.
The accumulated INVITE message counts are of two kinds: the total number of INVITE messages captured in the set time period $n$, $T_{\mathrm{Invite}}(n)$, and the total number of INVITE messages whose interaction with their corresponding response messages has completed, $S_{\mathrm{Invite}}(n)$. The accumulated REGISTER message counts are likewise of two kinds: the total number of REGISTER messages captured in the set time period $n$, $T_{\mathrm{Register}}(n)$, and the total number of REGISTER messages whose interaction with their corresponding response messages has completed, $S_{\mathrm{Register}}(n)$.
The device is installed on a server that is connected to the layer-3 switch between the local NGN network (or a network that uses the SIP protocol) and the Internet, a public land mobile network (PLMN), another NGN network or another SIP-based network; alternatively it is connected to the proxy call session control function (P-CSCF) node of the local NGN.
To achieve the above object, the present invention also provides a method for detecting SIP message flooding attacks based on the non-parametric cumulative sum (CUSUM) algorithm, characterised in that it comprises the following operating steps:
(1) The packet-capture module of the acquisition layer collects SIP packets by calling the packet-capture function provided in it, which offers a user-level network packet capture interface on UNIX/LINUX systems, and obtains the local interface information;
(2) The data layer receives the SIP packets transmitted from the acquisition layer into the data preprocessing module, counts the INVITE and REGISTER messages in those packets separately, and sends the statistics to the INVITE value storage module and the REGISTER value storage module respectively for storage;
(3) The CUSUM module of the detection layer calls the data in the INVITE value storage module and the REGISTER value storage module of the data layer for detection, and judges whether an SIP message flooding attack has occurred;
(4) The alarm module in the response layer receives the detection result from the CUSUM module of the detection layer, and issues an alarm if it judges that an SIP message flooding attack is under way;
(5) Return to step (1) and continue the SIP message detection operations.
Step (1) further comprises the following operations:
(11) The packet-capture module searches for an available network interface in the system using the packet-capture function and starts a monitoring session;
(12) A filter condition is set for the filter by editing a filter string, and the attribute of the SIP protocol to be captured is specified as INVITE or REGISTER messages, so that IP packets of the set type can be captured effectively;
(13) A capture loop is executed: each time an IP packet is captured, the user's callback function is invoked to process it.
Step (2) further comprises the following operations:
(21) After the data preprocessing module receives an IP packet sent by the packet-capture module, it first judges whether it is an SIP packet; if so, it proceeds with the subsequent operations, and if not, it discards the IP packet;
(22) The data preprocessing module checks the method attribute of the SIP packet; if the attribute value is INVITE or REGISTER, it sends a count value to the INVITE value storage module or the REGISTER value storage module respectively, recorded as $T_{\mathrm{Invite}}(n) = T_{\mathrm{Invite}}(n) + 1$ or $T_{\mathrm{Register}}(n) = T_{\mathrm{Register}}(n) + 1$, indicating that one INVITE or REGISTER message was found in the set time interval; if the attribute value is neither INVITE nor REGISTER, it discards the SIP packet;
(23) The data preprocessing module continues to analyse the SIP packet; if it finds that the packet completes an interaction flow containing an INVITE or REGISTER message, it sends a further count value to the INVITE value storage module or the REGISTER value storage module respectively, recorded as $S_{\mathrm{Invite}}(n) = S_{\mathrm{Invite}}(n) + 1$ or $S_{\mathrm{Register}}(n) = S_{\mathrm{Register}}(n) + 1$, indicating that one INVITE or REGISTER message with a complete interaction flow was found in the set time interval; if the SIP packet does not complete an interaction flow containing an INVITE or REGISTER message, it is discarded.
Step (3) further comprises the following operations:
(31) After the CUSUM module is initialised and the sampling interval is set, it calls from the data layer the total number of INVITE messages observed in the network during the $n$-th sampling interval, $T_{\mathrm{Invite}}(n)$, and the total number of INVITE messages whose interaction with their corresponding response messages has completed, $S_{\mathrm{Invite}}(n)$, and subtracts the two to obtain their difference $X_n$: $X_n = T_{\mathrm{Invite}}(n) - S_{\mathrm{Invite}}(n)$, where the natural number $n$ is the sequence number of the sampling interval;
(32) The CUSUM module applies a normalisation transform to each difference $X_n$: $\tilde{X}_n = X_n / \bar{F}(n)$, where $\bar{F}(n)$ is the mean of the total number of INVITE messages with a complete interaction, $S_{\mathrm{Invite}}(n)$, estimated in real time and updated periodically; the recursive estimate of $\bar{F}(n)$ is $\bar{F}(n) = \lambda \bar{F}(n-1) + (1-\lambda) S_{\mathrm{Invite}}(n)$, $\bar{F}(0) = S_{\mathrm{Invite}}(1)$, where $\lambda$ is the exponentially weighted moving average (EWMA) coefficient with range $[0, 1]$. This yields the difference sequence $\{\tilde{X}_n\}$;
(33) The CUSUM module transforms each difference $\tilde{X}_n$ in the sequence $\{\tilde{X}_n\}$: let $Z_n = \tilde{X}_n - \beta$, where $\beta$ is the maximum of the sequence $\{\tilde{X}_n\}$ when the network is not under attack; the parameter $\beta$ is set according to the network conditions, with $\beta \le 1$. This forms the sequence of values $Z_n$;
(34) The CUSUM module accumulates the sequence of values $Z_n$ using the formula
$$y_n = (y_{n-1} + Z_n)^+ = \begin{cases} y_{n-1} + Z_n, & y_{n-1} + Z_n > 0 \\ y_{n-1}, & y_{n-1} + Z_n \le 0 \end{cases}$$
and then sends the resulting sequence of values $y_n$ to the alarm module as the detection result data. The meaning of this formula is: when the value of $Z_n$ is greater than zero, $y_n$ is the sum of $y_{n-1}$ and $Z_n$; when the value of $Z_n$ is less than or equal to zero, $y_n$ is simply $y_{n-1}$, i.e. no addition is performed.
When step (3) detects and processes REGISTER messages, the only difference is that, after the sampling interval is set at initialisation in step (31), the CUSUM module calls from the data layer the total number of REGISTER messages stored for the set time interval, $T_{\mathrm{Register}}(n)$, and the total number of REGISTER messages whose interaction sequence with their corresponding response messages has completed, $S_{\mathrm{Register}}(n)$; all other operations are identical to those for detecting and processing INVITE messages.
The alarm module in step (4) operates as follows: a decision threshold $N$ for judging that an attack has occurred is set first, and the detection result data $y_n$ received from the detection layer are compared with this threshold $N$; that is, the decision function for an SIP message flooding attack is
$$d_N(y_n) = \begin{cases} 1, & y_n \ge N \\ 0, & y_n < N \end{cases}$$
where $d_N(y_n)$ is the decision result for the $n$-th sampling interval: if $y_n$ is greater than or equal to $N$, the alarm value is "1", meaning an SIP message flooding attack has occurred, and the alarm module issues an alarm, with a larger $y_n$ indicating a stronger attack; otherwise the alarm value is "0", meaning the network is operating normally and no SIP message flooding attack has occurred.
The key technological innovation of the present invention is the CUSUM detection module in the detection device, which serves as the core module of the SIP message flooding attack detection device; for it, a detection method was developed that can effectively detect the occurrence of SIP message flooding attacks in the network, providing a reliable guarantee of secure transmission and quality of service for NGN communication services.
The innovative technical features of this CUSUM detection module are: so that the number of INVITE or REGISTER messages received by the detection module is independent of the network environment, the test data are first normalised using an exponentially weighted moving average (EWMA), giving a normalised sequence of values. The transformed test sequence is then accumulated: if a value in the sequence is greater than zero, it is added to the detection result obtained so far; if a value in the sequence is less than or equal to zero, no addition is performed. Finally, the accumulated sum of the sequence is compared directly with the set alarm threshold: if it is greater than or equal to the alarm threshold, an alarm is raised; otherwise the detection task continues.
The advantages of the present invention are as follows. The device has a simple structure, and the software function modules of every layer are simple and compact, so the device is simple, flexible, easy to manufacture, implement and deploy, and practical. The computational complexity of the detection method is low, its operating steps are simple, it is easy to maintain, detection is fast, sensitivity is high, the detection success rate is high and the false alarm rate is low. If the device is deployed in a network far from the attack source, it can effectively detect flooding attacks against that network; if it is deployed directly in the source network where the attack originates, it can quickly detect the flooding attack and locate the attack source. The invention therefore has strong detection performance and good practicality, with good prospects for wide application.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the apparatus of the present invention for detecting SIP message flooding attacks based on the CUSUM algorithm.
Fig. 2 is a schematic diagram of the position of the detection apparatus of the present invention in the network.
Fig. 3 is a flow chart of the operating steps of the method of the present invention for detecting SIP message flooding attacks based on the CUSUM algorithm.
Fig. 4 is a schematic diagram of the operating process of the data preprocessing module in the method of the present invention.
Fig. 5 is a schematic diagram of the workflow of the CUSUM module in the method of the present invention.
Embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the structure of the apparatus of the present invention for detecting SIP message flooding attacks based on the CUSUM algorithm is introduced.
The apparatus of the present invention is composed of a number of functional modules in a four-layer architecture of acquisition layer, data layer, detection layer and response layer. The acquisition layer is provided with a packet-capture module, which is responsible for collecting the SIP packets in the network by calling UNIX/LINUX system functions and using the SIP protocol stack to capture the SIP packets transmitted in the network. The data layer is provided with a data preprocessing module that separately accumulates the counts of INVITE and REGISTER messages in the SIP packets, and with an INVITE value storage module and a REGISTER value storage module, which store the collected statistics of INVITE and REGISTER messages respectively for the detection layer to call; this data layer is responsible for preprocessing the SIP packets from the acquisition layer and separately storing the numerical values obtained for INVITE and REGISTER messages. The CUSUM module provided in the detection layer is responsible for calling the INVITE and REGISTER message values stored in the data layer, applying the CUSUM algorithm to those values and, after obtaining the detection result, sending it on to the alarm module. The response layer is provided with an alarm module that receives the detection result data output by the detection layer and decides whether to raise an alarm: when the detection result data exceed the threshold preset in the response layer, the alarm module considers that an SIP flooding attack is under way and sends an alarm signal; otherwise the network is operating normally and no SIP flooding attack has occurred.
The data preprocessing module in the apparatus of the present invention accumulates two kinds of INVITE message counts: the total number of INVITE messages captured in the set time period $n$, $T_{\mathrm{Invite}}(n)$, and the total number of INVITE messages whose interaction with their corresponding response messages has completed, $S_{\mathrm{Invite}}(n)$; the accumulated REGISTER message counts are likewise of two kinds: the total number of REGISTER messages captured in the set time period $n$, $T_{\mathrm{Register}}(n)$, and the total number of REGISTER messages whose interaction with their corresponding response messages has completed, $S_{\mathrm{Register}}(n)$.
Referring to Fig. 2, the installation position of the apparatus of the present invention is introduced: the apparatus is installed on a server, which is connected to the layer-3 switch between the local NGN network (or a network that uses the SIP protocol) and the Internet, a public land mobile network (PLMN), another NGN network or another SIP-based network; alternatively the apparatus is connected to the proxy call session control function (P-CSCF) node of the local NGN.
The apparatus of the present invention can detect external or local SIP message flooding attacks at the very moment the attack occurs, improving the network's sensitivity in resisting flooding attacks and making early detection and prevention a reality; moreover, it provides a guarantee and saves time for the corresponding defensive measures that follow, and becomes an important barrier with which NGN resists flooding attacks.
Referring to Fig. 3, the concrete operating steps of the detection method of the present invention are described:
Step 1: the packet-capture module of the acquisition layer collects SIP packets by calling the packet-capture function of Libpcap, which provides a user-level network packet capture interface on UNIX/LINUX systems, and obtains the local interface information. This step further comprises the following operations:
(11) The packet-capture module searches for an available network interface in the system using the Libpcap packet-capture function, which returns a string identifying a network adapter; it then opens the interface and starts the monitoring session with the function pcap_open_live().
(12) A filter condition is set for the filter by editing a filter string, and the attribute of the SIP protocol to be captured is specified as INVITE or REGISTER messages (method="INVITE", method="REGISTER"), so that packets of the type specified for this module can be captured effectively;
(13) A capture loop is executed: each time a packet is captured, the user's callback function is invoked to process it.
Step 2: the data layer receives the SIP packets transmitted from the acquisition layer into the data preprocessing module, counts the INVITE and REGISTER messages in those packets separately, and sends the statistics to the INVITE value storage module and the REGISTER value storage module respectively for storage.
Referring to Fig. 4, the operating process of the data preprocessing module in the data layer is as follows:
(21) After receiving an IP packet sent by the packet-capture module, the data preprocessing module first judges whether it is an SIP packet; if so, it proceeds with the subsequent operations, and if not, it discards the IP packet.
(22) It checks the method attribute of the SIP packet; if the attribute value is INVITE or REGISTER, it sends a count value to the INVITE value storage module or the REGISTER value storage module respectively, recorded as $T_{\mathrm{Invite}}(n) = T_{\mathrm{Invite}}(n) + 1$ or $T_{\mathrm{Register}}(n) = T_{\mathrm{Register}}(n) + 1$, indicating that one INVITE or REGISTER message was found in the set time interval; if the attribute value is neither INVITE nor REGISTER, it discards the SIP packet.
(23) The data preprocessing module continues to analyse the SIP packet; if it finds that the packet completes an interaction flow containing an INVITE or REGISTER message, it sends a further count value to the INVITE value storage module or the REGISTER value storage module respectively, recorded as $S_{\mathrm{Invite}}(n) = S_{\mathrm{Invite}}(n) + 1$ or $S_{\mathrm{Register}}(n) = S_{\mathrm{Register}}(n) + 1$, indicating that one INVITE or REGISTER message with a complete interaction flow was found in the set time interval; if the SIP packet does not complete an interaction flow containing an INVITE or REGISTER message, it is discarded.
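The preprocessing of steps (21) to (23), worked as an added Python example rather than the patent's own code: a minimal SIP start-line and header parser feeds a transaction tracker that counts T (requests seen) and S (transactions completed) per 60-second sampling interval, keyed by Call-ID and CSeq number. The captured messages below are constructed, and crediting a completed transaction to the interval in which its final ACK or response arrives is an assumption of this example.

```python
"""Data-layer preprocessing, steps (21)-(23): count INVITE/REGISTER requests T(n) and
completed transactions S(n) per sampling interval from captured SIP messages.
Example code written for this page; it is not the patent's implementation."""
import re
from collections import defaultdict

SAMPLING_INTERVAL = 60.0  # seconds per interval n (the page's example value)
REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")


def parse_sip(raw):
    """Parse one captured payload. Returns a dict with kind ('request' or 'response'),
    method (the request method, or the CSeq method for a response), status (responses
    only), call_id and cseq; returns None when the payload is not a well-formed SIP
    message, which is the drop decision of step (21)."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    cseq = re.match(r"(\d+)\s+([A-Z]+)", headers.get("cseq", ""))
    call_id = headers.get("call-id")
    if call_id is None or cseq is None:
        return None
    msg = {"call_id": call_id, "cseq": int(cseq.group(1)), "method": cseq.group(2)}
    req = REQUEST_LINE.match(lines[0].strip())
    if req:
        msg["kind"], msg["method"] = "request", req.group(1)
        return msg
    status = STATUS_LINE.match(lines[0].strip())
    if status:
        msg["kind"], msg["status"] = "response", int(status.group(1))
        return msg
    return None


def count_intervals(packets, interval=SAMPLING_INTERVAL):
    """packets: iterable of (timestamp_seconds, payload_text) in capture order.
    Returns {n: {"T_invite", "S_invite", "T_register", "S_register"}} with n = 1, 2, ...
    counted from the first SIP packet. Assumption: a completed transaction is credited
    to the interval in which its completing message (ACK, or final response) arrives."""
    counts = defaultdict(lambda: {"T_invite": 0, "S_invite": 0,
                                  "T_register": 0, "S_register": 0})
    pending = {}      # (Call-ID, CSeq number) -> "INVITE" | "REGISTER", open transactions
    answered = set()  # INVITE transactions that got a final response and await the ACK
    t0 = None
    for ts, raw in packets:
        msg = parse_sip(raw)
        if msg is None:
            continue  # step (21): not an SIP packet, drop it
        if t0 is None:
            t0 = ts
        n = int((ts - t0) // interval) + 1
        key = (msg["call_id"], msg["cseq"])
        if msg["kind"] == "request" and msg["method"] in ("INVITE", "REGISTER"):
            counts[n]["T_" + msg["method"].lower()] += 1     # step (22): T(n) += 1
            pending[key] = msg["method"]
        elif msg["kind"] == "response" and key in pending and msg["status"] >= 200:
            if pending.pop(key) == "REGISTER":
                counts[n]["S_register"] += 1                # step (23): REGISTER + final RES
            else:
                answered.add(key)                           # INVITE still needs its ACK
        elif msg["kind"] == "request" and msg["method"] == "ACK" and key in answered:
            answered.discard(key)
            counts[n]["S_invite"] += 1                      # step (23): INVITE, RES, ACK done
        # anything else (provisional responses, BYE, OPTIONS, ...) is dropped, step (22)
    return dict(counts)


def _sip(start_line, call_id, cseq):
    """Build a minimal SIP message (constructed test data)."""
    return f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\nContent-Length: 0\r\n\r\n"


SAMPLE_CAPTURE = [  # constructed: one normal call and registration, then unanswered INVITEs
    (0.0, _sip("INVITE sip:bob@example.com SIP/2.0", "c1@10.0.0.1", "1 INVITE")),
    (0.2, _sip("SIP/2.0 100 Trying", "c1@10.0.0.1", "1 INVITE")),
    (1.0, _sip("SIP/2.0 200 OK", "c1@10.0.0.1", "1 INVITE")),
    (1.1, _sip("ACK sip:bob@example.com SIP/2.0", "c1@10.0.0.1", "1 ACK")),
    (2.0, _sip("REGISTER sip:example.com SIP/2.0", "r1@10.0.0.2", "1 REGISTER")),
    (2.3, _sip("SIP/2.0 200 OK", "r1@10.0.0.2", "1 REGISTER")),
    (5.0, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),          # not SIP, dropped
    (70.0, _sip("INVITE sip:bob@example.com SIP/2.0", "c2@10.0.0.9", "1 INVITE")),
    (71.0, _sip("INVITE sip:bob@example.com SIP/2.0", "c3@10.0.0.9", "1 INVITE")),
    (72.0, _sip("SIP/2.0 180 Ringing", "c2@10.0.0.9", "1 INVITE")),  # provisional only
]

if __name__ == "__main__":
    for n, c in sorted(count_intervals(SAMPLE_CAPTURE).items()):
        print(n, c)
```

On the constructed capture, interval 1 yields T = S = 1 for both message types, while interval 2 yields two INVITEs and no completed transaction, which is exactly the T(n) - S(n) gap the CUSUM module watches.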
Step 3: the CUSUM module of the detection layer calls the relevant data in the INVITE value storage module and the REGISTER value storage module of the data layer for detection, and judges whether an SIP message flooding attack has occurred.
Taking the detection of INVITE message attacks as an example, the concrete operations of step 3 when detecting INVITE messages are described below:
(31) After initialisation and setting of the sampling interval (for example 60 seconds), the CUSUM module calls from the data layer the total number of INVITE messages in the $n$-th sampling interval, $T_{\mathrm{Invite}}(n)$, and the total number of INVITE messages whose interaction with their corresponding response messages (INVITE, RES, ACK) has completed, $S_{\mathrm{Invite}}(n)$, and subtracts the two to obtain their difference $X_n$: $X_n = T_{\mathrm{Invite}}(n) - S_{\mathrm{Invite}}(n)$, where the natural number $n$ is the sequence number of the sampling interval. The function of the CUSUM module is to judge, by monitoring changes in the value of $X_n$, whether the network is receiving abnormal INVITE connections.
Normally, when an attack occurs, the value of $T_{\mathrm{Invite}}(n)$ is greater than that of $S_{\mathrm{Invite}}(n)$ and the difference between the two increases sharply. When the SIP network is operating normally, the total number of INVITE messages sent between terminals and network entities and the total number of INVITE messages whose interaction with their corresponding response messages (INVITE, RES, ACK) has completed show a very strong positive correlation, and the difference between the two counts is very small, i.e. $X_n$ tends to 0; this strict one-to-one correspondence is the normal behaviour of an SIP network. In an INVITE flooding attack scenario, the attacker sends a large number of INVITE messages to the SIP network entity but does not answer the 2XX/4XX/5XX/6XX RES responses from the SIP network entity with the corresponding ACK, so the statistical relationship between the two message sequences changes substantially: the difference between $T_{\mathrm{Invite}}(n)$ and $S_{\mathrm{Invite}}(n)$ increases rapidly, i.e. $X_n$ becomes far greater than 0 and undergoes an abrupt change.
(32) After measurement over $n$ sampling periods, a random sequence $\{X_n, n = 1, 2, 3, \ldots\}$ reflecting the change in the difference between $T_{\mathrm{Invite}}(n)$ and $S_{\mathrm{Invite}}(n)$ is obtained. As is well known, the mean of the sequence $\{X_n\}$ is usually closely related to the scale of the SIP network and to the sampling interval. To reduce the influence of these factors, so that the method of the present invention is applicable to all kinds of SIP networks and is general and universal, the CUSUM module applies a normalisation transform to each difference $X_n$ in the sequence: $\tilde{X}_n = X_n / \bar{F}(n)$, where $\bar{F}(n)$ is the mean of the total number of INVITE messages with a complete interaction, $S_{\mathrm{Invite}}(n)$, estimated in real time and updated periodically; the recursive estimate of $\bar{F}(n)$ is $\bar{F}(n) = \lambda \bar{F}(n-1) + (1-\lambda) S_{\mathrm{Invite}}(n)$, $\bar{F}(0) = S_{\mathrm{Invite}}(1)$, where $\lambda$ is the exponentially weighted moving average (EWMA) coefficient with range $[0, 1]$. This yields the difference sequence $\{\tilde{X}_n\}$.
After normalisation, $\tilde{X}_n$ represents the offset as a proportion of the legitimate traffic, and the random sequence $\{\tilde{X}_n, n = 1, 2, 3, \ldots\}$ is no longer related to the network size and sampling time but is a stable, independent random process. When the SIP network is operating normally, the mean of $\tilde{X}_n$ is $E(\tilde{X}_n) = c \ll 1$, i.e. under normal conditions the proportion of the offset is very small and close to 0. Once an INVITE flooding attack occurs, the difference between $T_{\mathrm{Invite}}(n)$ and $S_{\mathrm{Invite}}(n)$ increases rapidly and the mean of $\tilde{X}_n$ changes abruptly.
(33) The CUSUM module transforms each difference $\tilde{X}_n$ in the normalized sequence: let $Z_n = \tilde{X}_n - \beta$, where the parameter β is the maximum of the $\tilde{X}_n$ sequence when the network is not under attack; β is set according to network conditions, with β ≤ 1. This forms the sequence of values Z_n. In this way, without losing any statistical property, $\{\tilde{X}_n\}$ is converted into another random sequence Z_n whose mean is negative under normal conditions; when an attack occurs, Z_n suddenly becomes very large and positive (Z_n > 0).
(34) The CUSUM module accumulates the values of the sequence Z_n using the formula
$$y_n = (y_{n-1} + Z_n)^+ = \begin{cases} y_{n-1} + Z_n, & y_{n-1} + Z_n > 0 \\ y_{n-1}, & y_{n-1} + Z_n \le 0 \end{cases}$$
and then passes the resulting sequence y_n to the alarm module as the detection result data. The meaning of this formula is: when Z_n is greater than zero, y_n is the sum of y_{n-1} and Z_n; when Z_n is less than or equal to zero, y_n is simply y_{n-1}, i.e. no addition is performed.
Note: when step 3 detects REGISTER message attacks, after step (31) has initialized the sampling interval, the CUSUM module instead calls the total number of REGISTER messages T_Register(n) and the number of complete REGISTER exchanges S_Register(n) (the REGISTER message together with its corresponding response messages) stored in the data layer for the set time interval; all other operations are identical to those described above for detecting INVITE messages.
Step 4: the alarm module of the response layer receives the detection result from the CUSUM module of the detection layer; if it judges that a SIP message flood attack is under way, the alarm module raises an alarm.
The alarm module operates as follows in this step: a decision threshold N for detecting an attack is set first, and the received detection result y_n from the detection layer is compared with this threshold N, i.e. the decision function for a SIP message flood attack is $d_N(y_n) = \begin{cases} 1, & y_n \ge N \\ 0, & y_n < N \end{cases}$, where d_N(y_n) is the decision for the n-th sampling interval: if y_n is greater than or equal to N, the alarm value is "1", indicating that a flood attack has occurred and the alarm module raises an alarm, and the larger y_n is, the stronger the attack; otherwise the alarm value is "0", indicating that the network is operating normally and no flood attack has occurred.
Step 5: return to step (1) and continue the SIP message detection operations.
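The whole pipeline of steps (22)-(23), (31)-(34) and the alarm decision of step 4 (repeated in claims 6 to 9 below), as an added example that is not the patent's own code: the data-layer counting of T_Invite(n) and S_Invite(n) per sampling interval, the EWMA normalization, the β shift, the page's accumulation rule and the threshold decision d_N. The sample intervals are constructed, and the values of λ, β and N are assumptions.

```python
"""Normalized CUSUM detector for INVITE floods, following steps (22)-(23),
(31)-(34) and the alarm decision above. Added example, not the patent's code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Message kinds of one INVITE exchange as the page describes it: INVITE, RES, ACK.
INVITE, RES, ACK = "INVITE", "RES", "ACK"


def count_interval(events: Iterable[Tuple[str, str]]) -> Tuple[int, int]:
    """Data-layer counting for one sampling interval on (Call-ID, kind) events.
    T_Invite counts INVITE requests; S_Invite counts Call-IDs whose INVITE,
    final response and ACK were all seen, i.e. complete exchanges."""
    seen = {}
    t_invite = 0
    for call_id, kind in events:
        if kind == INVITE:
            t_invite += 1
        seen.setdefault(call_id, set()).add(kind)
    s_invite = sum(1 for kinds in seen.values() if kinds >= {INVITE, RES, ACK})
    return t_invite, s_invite


@dataclass
class CusumDetector:
    lam: float = 0.8        # EWMA coefficient lambda in [0, 1] (assumed value)
    beta: float = 0.1       # beta: max of X~_n on attack-free traffic, beta <= 1 (assumed)
    threshold: float = 1.0  # alarm threshold N (assumed value)
    f_bar: Optional[float] = None  # F~(n): EWMA estimate of the mean of S_Invite(n)
    y: float = 0.0                 # CUSUM statistic y_n, starting from y_0 = 0

    def step(self, t_invite: int, s_invite: int) -> Tuple[float, float, int]:
        """Process one sampling interval; returns (X~_n, y_n, d_N(y_n))."""
        x_n = t_invite - s_invite                          # X_n = T(n) - S(n)
        if self.f_bar is None:
            self.f_bar = float(s_invite)                   # F~(0) = S_Invite(1)
        self.f_bar = self.lam * self.f_bar + (1 - self.lam) * s_invite
        # Assumed floor of 1: avoids dividing by zero when no exchange completed.
        x_tilde = x_n / max(self.f_bar, 1.0)               # X~_n = X_n / F~(n)
        z_n = x_tilde - self.beta                          # Z_n = X~_n - beta
        if self.y + z_n > 0:                               # page's rule: add only if the sum
            self.y = self.y + z_n                          # is positive, else keep y_{n-1}
        d_n = 1 if self.y >= self.threshold else 0         # decision d_N(y_n)
        return x_tilde, self.y, d_n


def detect(intervals: List[List[Tuple[str, str]]], **params) -> List[int]:
    """Run counting and CUSUM over per-interval captures; returns d_N per interval."""
    det = CusumDetector(**params)
    return [det.step(*count_interval(events))[2] for events in intervals]


def completed_calls(prefix: str, k: int) -> List[Tuple[str, str]]:
    """Constructed legitimate traffic: k INVITE exchanges that run to the ACK."""
    return [(f"{prefix}-{i}", kind) for i in range(k) for kind in (INVITE, RES, ACK)]


def unacked_invites(prefix: str, k: int) -> List[Tuple[str, str]]:
    """Constructed flood pattern from the text: INVITEs whose RES is never ACKed."""
    return [(f"{prefix}-{i}", kind) for i in range(k) for kind in (INVITE, RES)]


# Four normal intervals, then three intervals with 15 extra half-open INVITEs each.
SAMPLE = [completed_calls(f"n{i}", 10) for i in range(4)] + \
         [completed_calls(f"a{i}", 10) + unacked_invites(f"f{i}", 15) for i in range(3)]

if __name__ == "__main__":
    print(detect(SAMPLE))   # [0, 0, 0, 0, 1, 1, 1]: alarm only in the flooded intervals
```

Standard non-parametric CUSUM resets the statistic to zero when the sum is non-positive; the page's rule keeps y_{n-1} instead, and the code follows the page, so y_n only ever grows or holds.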

Claims (9)

1. An apparatus for detecting SIP message flooding attacks based on the non-parametric cumulative sum (CUSUM) algorithm, characterized in that the apparatus consists of functional modules arranged in a four-layer architecture of acquisition layer, data layer, detection layer and response layer, wherein:
the acquisition layer is provided with a packet capture module that captures the SIP packets transmitted in the network by calling UNIX/LINUX system functions and using a SIP protocol stack, to perform the function of collecting SIP packets from the network;
the data layer is responsible for pre-processing the SIP packets from the acquisition layer and for storing the INVITE and REGISTER message counts obtained; it is provided with a data pre-processing module that separately accumulates the counts of INVITE and REGISTER messages in the SIP packets, and an INVITE value storage module and a REGISTER value storage module that store the INVITE and REGISTER statistics respectively, for the detection layer to call;
the detection layer is provided with functional modules that process the INVITE and REGISTER message values based on the non-parametric CUSUM algorithm, and is responsible for calling the INVITE and REGISTER message values stored in the data layer and applying the CUSUM algorithm to those values to obtain a detection result;
the response layer is provided with an alarm module that receives the detection result data from the detection layer and judges whether to alarm; when the detection result data exceeds a threshold preset in the response layer, the alarm module considers that a SIP message flooding attack is under way and issues an alarm signal; otherwise the network is operating normally and no SIP message flooding attack has occurred.
2. The apparatus of claim 1, characterized in that the accumulated INVITE counts comprise two kinds: the total number of INVITE messages T_Invite(n) captured in the set time period n, and the number of INVITE messages S_Invite(n) whose exchange, including the corresponding response messages, is complete; the accumulated REGISTER counts comprise two kinds: the total number of REGISTER messages T_Register(n) captured in the set time period n, and the number of REGISTER messages S_Register(n) whose exchange, including the corresponding response messages, is complete.
3. The apparatus of claim 1, characterized in that the apparatus is installed on a server and is connected to the layer-3 switch between the local NGN network, or a network using SIP, and the Internet, the public land mobile network (PLMN), other NGN networks or other networks using SIP; or it is connected to the Proxy Call Session Control Function (P-CSCF) node of the local NGN.
4. A method for detecting SIP message flooding attacks based on the non-parametric cumulative sum (CUSUM) algorithm, characterized in that it comprises the following operating steps:
(1) the packet capture module of the acquisition layer obtains local module information and collects SIP packets by calling a packet capture function provided therein, which offers a user-level network packet capture interface in the UNIX/LINUX system;
(2) the data layer passes the SIP packets received from the acquisition layer to the data pre-processing module, counts the INVITE and REGISTER messages in these packets separately, and sends the statistics to the INVITE value storage module and the REGISTER value storage module respectively for storage;
(3) the CUSUM module of the detection layer calls the data in the INVITE value storage module and the REGISTER value storage module of the data layer respectively for detection, and judges whether a SIP message flooding attack has occurred;
(4) the alarm module of the response layer receives the detection result from the CUSUM module of the detection layer; if it judges that a SIP message flooding attack is under way, the alarm module raises an alarm;
(5) return to step (1) and continue the SIP message detection operations.
5. The method of claim 4, characterized in that step (1) further comprises the following operations:
(11) the packet capture module uses the capture function to look up an available network interface in the system and starts a monitoring session;
(12) a filter is configured by editing a filter string, and the attribute of the SIP messages to be captured is set to INVITE or REGISTER, so that IP packets of the set type can be captured effectively;
(13) a capture loop is executed: each time an IP packet is captured, the user's callback function is invoked to process that IP packet.
6. The method of claim 4, characterized in that step (2) further comprises the following operations:
(21) after the data pre-processing module receives an IP packet from the packet capture module, it first judges whether the packet is a SIP packet; if so, it performs the subsequent operations; if not, it discards the IP packet;
(22) the data pre-processing module checks the method attribute of the SIP packet; if its value is INVITE or REGISTER, it sends a count to the INVITE value storage module or the REGISTER value storage module respectively, recorded as T_Invite(n) = T_Invite(n) + 1 or T_Register(n) = T_Register(n) + 1, indicating that one INVITE or REGISTER message was found in this time interval; if the value is neither INVITE nor REGISTER, it discards the SIP packet;
(23) the data pre-processing module continues to analyse the SIP packet; if it finds that the packet completes an exchange flow that includes an INVITE or REGISTER message, it sends a further count to the INVITE value storage module or the REGISTER value storage module respectively, recorded as S_Invite(n) = S_Invite(n) + 1 or S_Register(n) = S_Register(n) + 1, indicating that one INVITE or REGISTER message with a complete exchange flow was found in this time interval; if the packet does not complete such an exchange flow, it is discarded.
7. The method of claim 4, characterized in that step (3) further comprises the following operations:
(31) after the CUSUM module initializes the sampling interval, it calls from the data layer the total number of INVITE messages T_Invite(n) monitored in the network during the n-th sampling interval and the number of INVITE messages S_Invite(n) whose exchange, including the corresponding response messages, is complete, and subtracts them to obtain the difference X_n: X_n = T_Invite(n) - S_Invite(n), where the natural number n is the sequence number of the sampling interval;
(32) the CUSUM module normalizes each difference X_n: $\tilde{X}_n = X_n / \bar{F}(n)$, where $\bar{F}(n)$ is the mean of the number of complete INVITE exchanges S_Invite(n), estimated in real time and updated periodically, with the recursive estimate $\bar{F}(n) = \lambda \bar{F}(n-1) + (1-\lambda) S_{Invite}(n)$, $\bar{F}(0) = S_{Invite}(1)$, where λ is the exponentially weighted moving average (EWMA) coefficient with range [0, 1]; this yields the normalized difference sequence $\{\tilde{X}_n, n = 1, 2, 3, \ldots\}$;
(33) the CUSUM module transforms each difference $\tilde{X}_n$ in the normalized sequence: let $Z_n = \tilde{X}_n - \beta$, where β is the maximum of the $\tilde{X}_n$ sequence when the network is not under attack; β is set according to network conditions, with β ≤ 1, forming the sequence of values Z_n;
(34) the CUSUM module accumulates the values of the sequence Z_n using the formula
$$y_n = (y_{n-1} + Z_n)^+ = \begin{cases} y_{n-1} + Z_n, & y_{n-1} + Z_n > 0 \\ y_{n-1}, & y_{n-1} + Z_n \le 0 \end{cases}$$
and then passes the resulting sequence y_n to the alarm module as the detection result data; the meaning of this formula is: when Z_n is greater than zero, y_n is the sum of y_{n-1} and Z_n; when Z_n is less than or equal to zero, y_n is simply y_{n-1}, i.e. no addition is performed.
8. The method of claim 4 or 7, characterized in that, when step (3) detects REGISTER messages, after step (31) has initialized the sampling interval the CUSUM module instead calls the total number of REGISTER messages T_Register(n) and the number of complete REGISTER exchanges S_Register(n), including their corresponding response messages, stored in the data layer for the set time interval; all other operations are identical to those for detecting INVITE messages.
9. The method of claim 4, characterized in that the alarm module in step (4) operates as follows: a decision threshold N for detecting an attack is set first, and the received detection result data y_n from the detection layer is compared with this threshold N, i.e. the decision function for a SIP message flooding attack is $d_N(y_n) = \begin{cases} 1, & y_n \ge N \\ 0, & y_n < N \end{cases}$, where d_N(y_n) is the decision for the n-th sampling interval: if y_n is greater than or equal to N, the alarm value is "1", indicating that a SIP message flooding attack has occurred and the alarm module raises an alarm, and the larger y_n is, the stronger the attack; otherwise the alarm value is "0", indicating that the network is operating normally and no SIP message flooding attack has occurred.
CN2009100763100A 2009-01-09 2009-01-09 Apparatus and method for detecting SIP message flooding attack based on CUSUM algorithm Expired - Fee Related CN101459561B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100763100A CN101459561B (en) 2009-01-09 2009-01-09 Apparatus and method for detecting SIP message flooding attack based on CUSUM algorithm

Publications (2)

Publication Number Publication Date
CN101459561A true CN101459561A (en) 2009-06-17
CN101459561B CN101459561B (en) 2011-05-04

Family

ID=40770204

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137092A (en) * 2010-12-10 2011-07-27 华为技术有限公司 Method and system for supporting conference system media packet capturing in multimedia subsystem
CN102175266A (en) * 2011-02-18 2011-09-07 哈尔滨工业大学 Fault diagnosis method for mobile gyroscope inertia subassembly
CN106792712A (en) * 2017-02-26 2017-05-31 上海交通大学 For the automatic monitoring framework system of the Session Initiation Protocol of VoLTE equipment
CN107124427A (en) * 2017-05-31 2017-09-01 上海交通大学 The detection of SIP flood attacks and prevention method in a kind of VoLTE
CN109842525A (en) * 2019-03-08 2019-06-04 科讯嘉联信息技术有限公司 A kind of full link trace analysis system of voip and method
CN112311763A (en) * 2020-09-25 2021-02-02 厦门天聪智能软件有限公司 SIP service protection method, device and service system based on SIP protocol packet capturing and operating system firewall

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100550912C (en) * 2006-11-23 2009-10-14 华为技术有限公司 The system and method that invalid header field is detected and filters

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110504

Termination date: 20150109

EXPY Termination of patent right or utility model