CN101047509B - Session attack detection system and method - Google Patents

Info

Publication number: CN101047509B
Authority: CN (China)
Prior art keywords: session, rule, packet, module, incident
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN200610084973A
Other languages: Chinese (zh)
Other versions: CN101047509A (en)
Inventors: 刘利锋, 郑志彬, 欧静, 赵凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Huawei Technologies Co Ltd; priority to CN200610084973A; publication of CN101047509A; application granted; publication of CN101047509B; legal status Expired - Fee Related; anticipated expiration.

Abstract

A method for detecting attacks on a session includes: performing deep-layer filtering on input data packets according to preset filtering rules; establishing and storing an association record between each data packet and a session; analyzing the updated records in a session association database according to preset event generation rules; and handling the generated events according to preset event handling rules. A system for implementing the method is also disclosed.

Description

Session attack detection system and detection method
Technical field
The present invention relates to a session attack detection system and detection method, and in particular to a session attack detection system and detection method that can perform deep-layer detection of data packets, session-based packet reassembly and session-based multi-protocol joint detection.
Background technology
Under the new telecommunications market conditions, the relaxation of market regulation, the increasingly open competition among operators, the explosive growth of data traffic, and users' ever-growing demand for multimedia services and mobility are all key factors driving the evolution of legacy networks toward the next-generation converged network. The service requirements of the next-generation network are: to provide voice, data, video, streaming media, Internet access, digital television broadcasting, mobile, wired and wireless services and applications of various bandwidths, and to provide open service interfaces that allow multiple service providers to build and offer services. To satisfy users' communication demands, the next-generation network should allow multimedia sessions of different media types and allow users to perform session control and media control flexibly.
In the prior art, the protocols for establishing and controlling multimedia sessions include the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP) and the H.323 protocol.
SIP is the call control protocol in the next-generation network between softswitches, between a softswitch and an application server, and between a softswitch and an intelligent terminal; it is also the multimedia call control protocol between the call control servers in the IP Multimedia Subsystem (IMS). SIP therefore has a wide range of applications: basic voice and various value-added communication services in IP networks; the signaling protocol of softswitch-based communication core networks (including next-generation networks, IMS networks and fixed-mobile convergence (FMC) networks); service logic control on service platforms; and intelligent terminals and future digital home gateway equipment.
H.323 is a multimedia communication system standard formulated by the International Telecommunication Union (ITU) for packet-based networks (PBN) without guaranteed quality of service (QoS). Such packet networks dominate today's desktop networking and include TCP/IP-based Ethernet, IPX packet switching, Fast Ethernet, Token Ring and Fiber Distributed Data Interface (FDDI). H.323 therefore provides the technical foundation and guarantees for multimedia communication over local area networks, wide area networks and the Internet.
MGCP is a media gateway control protocol formulated by the Internet Engineering Task Force (IETF) for the control interface that arises once media handling and signaling control are separated in the next-generation network. Its purpose is to let an external call control element, such as a Call Agent or Media Gateway Controller (MGC), control a Media Gateway (MG), which provides conversion between the audio signals carried on telephone circuits and the packets carried on the Internet or other packet-based networks.
In practice, the above protocols for multimedia session establishment and control must cooperate with many other protocols, for example the Real-time Transport Protocol (RTP), the Real-time Transport Control Protocol (RTCP), the Session Description Protocol (SDP), the Real Time Streaming Protocol (RTSP), Remote Authentication Dial In User Service (RADIUS), the Address Resolution Protocol (ARP) and the Internet Control Message Protocol (ICMP), in order to complete the establishment and media negotiation of a multimedia session.
Because of defects in software implementation and the use of the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) for transport, the above protocols for multimedia session establishment and control have security problems in practice, and are particularly susceptible to session attacks during a multimedia session. A session attack means that, during a multimedia session, an attacker uses intercepted key session messages to disrupt a normal call; typical session attacks include CANCEL attacks, BYE attacks and registration hijacking. Since the above protocols must cooperate with many other protocols to complete session establishment and media negotiation, detecting a session attack requires joint detection across the protocols involved in the session.
Attack detection methods in the prior art mainly use state detection: based on a set of rules, they determine whether an observed behaviour is an attack or intrusion by comparing it with predefined rules.
The shortcomings of this method are:
1. It cannot detect session-based attacks. The method works on a fixed protocol, independent of the session, so it cannot perform joint detection across the protocols used in a session and therefore cannot detect session attacks.
2. It cannot reassemble packets on a session basis. Although the method can reassemble packets based on the Transmission Control Protocol (TCP), it does not provide session-based packet reassembly, so an attack carried in dispersed packets cannot be detected effectively.
Summary of the invention
The object of the invention is to overcome the above deficiencies of the prior art by realizing deep-layer detection of packets, session-based packet reassembly and session-based multi-protocol joint detection, so that session attacks can be detected effectively.
To achieve the above object, the invention provides a session attack detection system comprising:
a deep packet detection module, for performing deep-layer detection on input packets according to predefined filtering rules and discarding packets that do not meet the filtering rules;
a session association database, for storing detected session records and the packet features associated with each session;
a session mapping module, connected to the deep packet detection module and the session association database, for receiving the packets sent by the deep packet detection module and, according to the feature information of each packet and predefined session association rules, establishing an association record between the packet and a session and saving it in the session association database;
an event processing module, connected to the session mapping module and the session association database, for: after receiving a session association database update message sent by the session mapping module, analyzing the updated records in the session association database according to predefined event generation rules, and handling the generated events according to predefined event handling rules.
Further, the session mapping module may comprise: a session feature rule library, for storing predefined session feature rules related to the session attacks to be detected; a session feature extraction module, connected to the deep packet detection module and the session feature rule library, for receiving the packets sent by the deep packet detection module and extracting the session features of each packet according to the predefined session feature rules stored in the session feature rule library; a session association rule library, for storing predefined association rules between packet features and sessions; and a session association module, connected to the session feature extraction module, the session association rule library, the session association database and the processing module, for establishing an association record between a packet and a session according to the packet features extracted by the session feature extraction module and the predefined session association rules stored in the session association rule library, saving the record in the session association database, and notifying the processing module after the session association database has been updated.
Further, the event processing module may comprise: an event generation rule library, for storing predefined correspondence rules between session features and events; an analysis module, connected to the session mapping module, the session association database and the event generation rule library, for receiving the update notification sent by the session mapping module, querying the corresponding records in the session association database according to the notification, and analyzing the query result and generating corresponding events according to the rules stored in the event generation rule library; an event handling rule library, for storing predefined rules for handling the generated events; a processing module, connected to the analysis module and the event handling rule library, for handling the events generated by the analysis module according to the rules stored in the event handling rule library; an attack matching rule library, for storing predefined matching rules between events and session attacks; and an event combination module, connected to the processing module and the attack matching rule library, for combining the events handled by the processing module, analyzing the combined events according to the rules stored in the attack matching rule library, and carrying out the corresponding processing.
To achieve the object of the invention, the invention also provides a session attack detection method comprising the following steps:
Step 1: perform deep-layer detection on input packets according to predefined filtering rules, and discard packets that do not meet the filtering rules;
Step 2: according to the feature information of each packet and predefined session association rules, establish an association record between the packet and a session, save it in a session association database, and notify an event processing module after the session association database has been updated;
Step 3: after receiving the notification of the session association database update, the event processing module analyzes the updated records in the session association database according to predefined event generation rules, and handles the generated events according to predefined event handling rules.
Further, step 1 may specifically comprise: in step 10, performing deep-layer detection and filtering on received packets according to the rules stored in an overlong signaling message recognition rule library, and discarding packets that do not meet the rules; in step 11, performing deep-layer detection and filtering on received packets according to the rules stored in a feature abnormal character library, and discarding packets that do not meet the rules. Step 2 may specifically comprise: in step 20, the session feature extraction module receives the packets sent by the deep packet detection module and extracts the session features of each packet according to predefined session feature rules; then, in step 21, the session association module establishes an association record between the packet and a session according to the packet features extracted by the session feature extraction module and the predefined session association rules, saves it in the session association database, and notifies the event processing module after the session association database has been updated.
Further, step 3 may specifically comprise: in step 31, the analysis module receives the session association database update notification sent by the session mapping module, queries the corresponding records in the session association database according to the notification, and analyzes the query result and generates corresponding events according to the rules stored in the event generation rule library; in step 32, the processing module handles the events generated by the analysis module according to the rules stored in the event handling rule library; then, in step 33, the event combination module takes the events handled by the processing module
In the above technical solution, the detection mechanism of deep packet detection, session association and event processing extracts session feature information from each packet and judges, according to preset rules, whether the packet belongs to a session. The protocols involved in the session (including signaling protocols, media stream protocols and network protocols) are thereby correlated and session attacks are detected. As described above, the invention achieves deep-layer detection of packets, session-based packet reassembly and session-based multi-protocol joint detection, and thus the beneficial technical effect of detecting session attacks effectively.
Description of drawings
Fig. 1 is a schematic diagram of embodiment one of the invention;
Fig. 2 is a schematic diagram of embodiment two of the invention;
Fig. 3 is a schematic diagram of embodiment three of the invention;
Fig. 4 is a schematic diagram of embodiment four of the invention;
Fig. 5 is a schematic diagram of embodiment five of the invention;
Fig. 6 is a schematic diagram of embodiment six of the invention;
Fig. 7 is a schematic diagram of the interaction between the event combination module and the processing module of the invention;
Fig. 8 is a schematic diagram of embodiment seven of the invention;
Fig. 9 is a schematic diagram of embodiment eight of the invention;
Fig. 10 is a schematic diagram of embodiment nine of the invention;
Fig. 11 is a schematic diagram of embodiment ten of the invention;
Fig. 12 is a flow chart of embodiment eleven of the invention.
Embodiment
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a schematic diagram of embodiment one of the invention, a session attack detection system A comprising:
a deep packet detection module a, for performing deep-layer detection on input packets according to predefined filtering rules and discarding packets that do not meet the filtering rules; a session association database d, for storing detected session records and the packet features associated with each session; a session mapping module b, connected to the deep packet detection module a and the session association database d, for receiving the packets sent by the deep packet detection module a and, according to the feature information of each packet and predefined session association rules, establishing an association record between the packet and a session and saving it in the session association database d; and an event processing module c, connected to the session mapping module b and the session association database d, for: after receiving a session association database update message sent by the session mapping module b, analyzing the updated records in the session association database d according to predefined event generation rules, and handling the generated events according to predefined event handling rules. In embodiment one, the received packets are first subjected to deep-layer detection; then the key information of each packet is extracted and the packets are reassembled by session, and session attacks are detected by joint detection of the protocols used in the session.
Fig. 2 is a schematic diagram of embodiment two of the invention. A session attack detection system B differs from embodiment one in that it further comprises a packet filtering rule library e, connected to a deep packet detection module a1, for storing predefined packet filtering rules; correspondingly, the deep packet detection module a1 performs deep-layer detection on input packets according to the predefined filtering rules stored in the packet filtering rule library e and discards packets that do not meet the filtering rules. This embodiment further details the functional module of the deep packet detection module: it performs reassembly analysis on fragmented packets to prevent fragment attacks, and mainly performs deep inspection of input packets according to the predefined filtering rules; a packet that does not meet the rules is filtered out, and a packet that meets the rules is passed on to the next processing module, the session mapping module b.
Referring to the schematic diagram of embodiment three shown in Fig. 3, a session attack detection system C differs from embodiment two in that the deep packet detection module a2 comprises an interconnected overlong signaling message detection module 301 and abnormal character detection module 302, and the packet filtering rule library e1 comprises an interconnected overlong signaling message recognition rule library 101 and feature abnormal character library 102. The overlong signaling message recognition rule library 101 stores predefined rules for recognizing and filtering overlong signaling messages; the overlong signaling message detection module 301 is connected to the rule library 101 and performs deep-layer detection and filtering of received packets according to the rules stored there. The feature abnormal character library 102 stores predefined rules for recognizing and filtering packets that contain feature abnormal characters; the abnormal character detection module 302 is connected to the library 102 and performs deep-layer detection and filtering of received packets according to the rules stored there. The order in which the overlong signaling message detection module 301 and the abnormal character detection module 302 process a packet can be changed.
Embodiment three further details the functional modules of the deep packet detection module and the packet filtering rule library, providing separate modules for detecting overlong signaling messages and abnormal characters. The detection of overlong signaling messages and the detection of abnormal characters are explained in detail below:
In the next-generation network, signaling protocols such as the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP) and the Session Description Protocol (SDP) are all text-coded and are easily attacked with abnormal packets. Among abnormal-packet attacks, overlong packets are the most common method and the most notable feature. The attacker sends a large number of overlong packets to the target server, aiming to cause a parsing error or buffer overflow on the server so that the server suffers a fatal error, crashes or restarts unexpectedly.
Below is a sample of an overlong malformed message:
INVITE sip:bob@biloxi.com
SIP/2. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Via:SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards:70
To:Bob<sip:bob@biloxi.com>
From:Alice<sip:alice@atlanta.com>;tag=1928301774
Call-ID:a84b4c76e66710@pc33.atlanta.com
CSeq:314159 INVITE
Contact:<sip:alice@pc33.atlanta.com>
Content-Type:application/sdp
Content-Length:142
The underlined part is the overlong portion of this signaling. Such overlong signaling messages may reduce network efficiency or even cause the system to malfunction once they enter it; effective detection of arriving signaling messages is a good remedy for stopping this kind of malformed message intrusion.
The overlong signaling message recognition rule library 101 provided in embodiment three constructs and stores, in advance, an overlong message recognition function based on the feature separators of the text-coded signaling protocol. For each received signaling message, the overlong signaling message detection module 301 uses the overlong message recognition function stored in the rule library 101 to identify whether it is an overlong message and, if so, filters it out.
In the next-generation network, signaling protocols such as SIP, MGCP and SDP are all text-coded and are easily attacked with abnormal packets. Among abnormal-packet attacks, constructing packets that contain abnormal characters is one of the common methods. The attacker sends a large number of abnormal packets to the target server, aiming to cause a parsing error or buffer overflow so that the server suffers a fatal error, crashes or restarts unexpectedly.
Below is a signaling message that contains abnormal characters:
INVITE sip:bob@biloxi.example.com SIP/2.0
Via:SIP/2.0/TCP client.atlanta.example.com:5060;branch=z9hG4bK74bf9
Max-Forwards:70
From:Alice<sip:alice@atlanta.example.com>;tag=9fxced76s1
To:Bob<sip:bob@biloxi.example.com>
Call-ID:3848276298220188511@atlanta.example.com
CSeq:1 INVITE
Contact:<sip:alice@client.atlanta.example.com;transport=tcp>
Content-Type:0xE50xE40xF60xE50xE40xF60xE50xE40xF6/sdp
Content-Length:151
Here the characters 0xE5 0xE4 0xF6 0xE5 0xE4 0xF6 0xE5 0xE4 0xF6 (in hexadecimal) are abnormal characters. Such a message may cause a syntax parsing error once it enters the system, so that the server malfunctions. Effective detection of arriving signaling messages is a good remedy for stopping the intrusion of messages containing abnormal characters; existing technology cannot detect and prevent such malicious abnormal characters, which brings many hidden dangers to the border security of the next-generation network.
The feature abnormal character library 102 provided in embodiment three stores predefined feature abnormal characters. The abnormal character detection module 302 extracts and inspects the bytes of each packet and judges whether the inspected bytes match a feature abnormal character in the library 102; if they do, the packet is judged to contain abnormal characters and is discarded.
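As an added illustration (not code from the patent), the following Python applies the two deep packet detection rules of embodiment three, an overlong-token check based on the protocol's feature separators and a feature abnormal character table, to constructed messages modelled on the two samples above. The token limit and the byte table are assumptions chosen for the example.

```python
import re

# Constructed limit: a separator-delimited token longer than this is treated as
# part of an overlong (malformed) signaling message. Real deployments tune it.
MAX_TOKEN = 256

# Constructed feature abnormal character table, modelled on the 0xE5 0xE4 0xF6
# bytes of the sample above: byte values that never occur in well-formed SIP
# header text.
ABNORMAL_BYTES = frozenset(b"\xe5\xe4\xf6")

# Feature separators of the text-coded protocol: line ends, spaces and the
# header-name / parameter delimiters.
SEPARATORS = re.compile(rb"[\r\n :;=]+")

def is_overlong(msg: bytes, max_token: int = MAX_TOKEN) -> bool:
    """Overlong-message rule: split the message on its separators and flag any
    token longer than the limit (True means the packet should be dropped)."""
    return any(len(tok) > max_token for tok in SEPARATORS.split(msg))

def has_abnormal_chars(msg: bytes) -> bool:
    """Abnormal-character rule: flag any header byte found in the table.
    Only the header part is inspected; a body may legitimately carry UTF-8."""
    head = msg.partition(b"\r\n\r\n")[0]
    return any(b in ABNORMAL_BYTES for b in head)

def deep_filter(msg: bytes):
    """Deep packet detection stage: returns (passed, reason). Packets failing
    either rule are dropped; passing ones go on to session association."""
    if is_overlong(msg):
        return False, "overlong signaling message"
    if has_abnormal_chars(msg):
        return False, "abnormal character in header"
    return True, "ok"

# Constructed samples modelled on the two messages shown in the description.
OVERLONG = (b"INVITE sip:bob@biloxi.com SIP/2." + b"0" * 400 + b"\r\n"
            + b"Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds\r\n"
            + b"Call-ID: a84b4c76e66710@pc33.atlanta.com\r\n"
            + b"CSeq: 314159 INVITE\r\n\r\n")
ABNORMAL = (b"INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
            + b"Call-ID: 3848276298220188511@atlanta.example.com\r\n"
            + b"Content-Type: " + b"\xe5\xe4\xf6" * 3 + b"/sdp\r\n"
            + b"Content-Length: 151\r\n\r\n")
NORMAL = (b"INVITE sip:bob@biloxi.com SIP/2.0\r\n"
          + b"Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds\r\n"
          + b"From: Alice<sip:alice@atlanta.com>;tag=1928301774\r\n"
          + b"To: Bob<sip:bob@biloxi.com>\r\n"
          + b"Call-ID: a84b4c76e66710@pc33.atlanta.com\r\n"
          + b"CSeq: 314159 INVITE\r\n\r\n")

if __name__ == "__main__":
    for name, msg in (("overlong", OVERLONG), ("abnormal", ABNORMAL), ("normal", NORMAL)):
        print(name, deep_filter(msg))
```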
Fig. 4 is a schematic diagram of embodiment four of the invention. A session attack detection system D differs from embodiment three in that the session mapping module b1 comprises: a session feature rule library 401a, for storing predefined session feature rules related to the session attacks to be detected; a session feature extraction module 401, connected to the deep packet detection module a2 and the session feature rule library 401a, for receiving the packets sent by the deep packet detection module a2 and extracting the session features of each packet according to the predefined session feature rules stored in the session feature rule library 401a; a session association rule library 402b, for storing predefined association rules between packet features and sessions; and a session association module 402, connected to the session feature extraction module 401, the session association rule library 402b, the session association database d and the event processing module c, for establishing an association record between a packet and a session according to the packet features extracted by the session feature extraction module 401 and the predefined session association rules stored in the session association rule library 402b, saving the record in the session association database d, and notifying the event processing module c after the session association database d has been updated. This embodiment further details the functional modules of the session mapping module b1, which is mainly responsible for extracting the feature information of individual packets and associating those features by session.
The session feature extraction module 401 extracts the corresponding key information according to the protocol type of the packet: for a SIP message it extracts session features such as the SIP method, Call-ID, session initiator and session recipient; for an RTP message it extracts session features such as the sequence number and timestamp. The session association module 402 then associates the packet with the corresponding session in the session association database d according to its session features and updates that session's record: if the packet starts a new session, a new corresponding session association record is created; otherwise the packet is associated with the existing session association record. After updating the session association database d, the session association module 402 notifies the event processing module c to analyze and process the session association record.
The application of this embodiment to detecting SIP session attacks, H.323 session attacks and MGCP session attacks is explained in detail below:
1. Detecting SIP session attacks:
The session feature rule library 401a stores the predefined session features of each protocol in a SIP session that are relevant to judging attacks, as shown in Table 1.
Table 1 SIP session feature table
The session association rule library 402b stores the predefined SIP session association rules used to associate packets with a SIP session, as shown in Table 2; the table lists the criteria by which each protocol is judged to belong to a given SIP session.
Table 2 SIP session association rule table
The structure of the session association database d is shown in Table 3 and Table 4. Table 3, the session identification table, records the sessions currently active; the items it contains are the minimum information needed to identify a session. Table 4, the session correlated feature table, records the feature information of all packets in each session, including SIP signaling messages, RTP messages, RTCP messages, ICMP messages and ARP messages. When the session ends, all information related to it is deleted.
Table 3 Session identification table
Table 4 Session correlated feature table
2, detect H.323 session attack:
Preserve among the session characteristics rule base 401a in the predefined packet and judge the relevant session characteristics of attack of each agreement of session H.323, as shown in table 5.
Table 5 is the session characteristics table H.323
[Table image on the original page (Figure G06184973320060622D000133), not reproduced in this text; only its last row survives:]
ICMP: record whether an ICMP unreachable message is present
Session association rule base 402b holds the predefined H.323 session association rules used to associate a packet with an H.323 session, as shown in Table 6; for an H.323 session the table lists the criterion by which a packet of each protocol is judged to belong to that session.
Table 6 H.323 session association rule list
[Table image on the original page (Figure G06184973320060622D000141), not reproduced in this text]
The structure of session association database d is again as shown in Tables 3 and 4.
3. Detecting MGCP session attacks:
Session characteristics rule base 401a holds, for each protocol used in an MGCP session, the predefined session characteristics of its packets that are relevant to judging an attack, as shown in Table 7.
Table 7 MGCP session characteristics table
[Table image on the original page (Figure G06184973320060622D000151), not reproduced in this text]
Session association rule base 402b holds the predefined MGCP session association rules used to associate a packet with an MGCP session, as shown in Table 8; for an MGCP session the table lists the criterion by which a packet of each protocol is judged to belong to that session.
Table 8 MGCP session association rule list
[Table image on the original page (Figure G06184973320060622D000152), not reproduced in this text; only its last rows survive:]
ARP: record whether there is a response to an ARP request; destination address: compare with the session identification of the MGCP message
ICMP: source address: determine whether it is between the session subscriber and another user; compare with the session identification of the MGCP message
The structure of session association database d is again as shown in Tables 3 and 4.
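The session association step described for all three protocols above, shown as an added Python example that is not the patent's own code: it models session characteristics extraction module 401 (SIP method, Call-ID, initiator, recipient; RTP sequence number, timestamp, SSRC), session association module 402, and the two tables of session association database d (a session identification table keyed by Call-ID, and per session the session correlated characteristic rows). The concrete association rules (only an INVITE opens a session; RTP belongs to the session whose SDP announced its endpoints), the field names and the sample packets are constructed assumptions, not the contents of rule bases 401a and 402b.

```python
"""Session association for SIP signalling and RTP media (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str      # "SIP" or "RTP"
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    payload: bytes


@dataclass
class SessionRecord:
    """One row of the session identification table plus that session's feature rows."""
    call_id: str
    initiator: Optional[str]
    recipient: Optional[str]
    media_endpoints: set = field(default_factory=set)  # "ip:port" announced in SDP
    features: list = field(default_factory=list)       # session correlated characteristic rows


def extract_features(pkt: Packet) -> Optional[dict]:
    """Session characteristics extraction (module 401): key fields per protocol."""
    if pkt.proto == "SIP":
        head, _, body = pkt.payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        first = lines[0].split(" ")
        method = "RESPONSE" if first[0].startswith("SIP/") else first[0]
        headers = {}
        for line in lines[1:]:
            name, colon, value = line.partition(":")
            if colon:
                headers[name.strip().lower()] = value.strip()
        # The SDP c= and m= lines announce where this party will receive RTP.
        media, c_line, m_line = None, None, None
        for line in body.decode("ascii", "replace").split("\r\n"):
            if line.startswith("c="):
                c_line = line.split()
            elif line.startswith("m="):
                m_line = line.split()
        if c_line and m_line and len(c_line) >= 3 and len(m_line) >= 2:
            media = f"{c_line[2]}:{m_line[1]}"
        return {"proto": "SIP", "method": method, "call_id": headers.get("call-id"),
                "from": headers.get("from"), "to": headers.get("to"), "media": media}
    if pkt.proto == "RTP" and len(pkt.payload) >= 12:
        # RFC 3550 fixed header: sequence number, timestamp and SSRC.
        return {"proto": "RTP",
                "seq": int.from_bytes(pkt.payload[2:4], "big"),
                "timestamp": int.from_bytes(pkt.payload[4:8], "big"),
                "ssrc": int.from_bytes(pkt.payload[8:12], "big"),
                "src": pkt.src, "dst": pkt.dst}
    return None


class SessionAssociationDB:
    """Session association database d with the association logic of module 402."""

    def __init__(self):
        self.sessions: dict = {}   # session identification table: Call-ID -> SessionRecord

    def associate(self, feat: Optional[dict]) -> Optional[str]:
        """Return the Call-ID the feature was associated with, or None if no rule matched."""
        if feat is None:
            return None
        if feat["proto"] == "SIP":
            cid = feat["call_id"]
            if not cid:
                return None
            rec = self.sessions.get(cid)
            if rec is None:
                if feat["method"] != "INVITE":     # assumed rule: only an INVITE opens a session
                    return None
                rec = SessionRecord(cid, feat["from"], feat["to"])
                self.sessions[cid] = rec
            if feat["media"]:
                rec.media_endpoints.add(feat["media"])
            rec.features.append(feat)
            return cid
        if feat["proto"] == "RTP":
            # assumed rule: RTP belongs to the session whose SDP announced its endpoints
            for cid, rec in self.sessions.items():
                if feat["src"] in rec.media_endpoints or feat["dst"] in rec.media_endpoints:
                    rec.features.append(feat)
                    return cid
        return None

    def end_session(self, call_id: str) -> None:
        """Session end: delete all information of the session."""
        self.sessions.pop(call_id, None)


def run_example():
    """Constructed traffic: INVITE with SDP, 200 OK with SDP, in-session RTP, stray RTP."""
    invite = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
              b"From: <sip:alice@example.net>;tag=1\r\nTo: <sip:bob@example.net>\r\n"
              b"Call-ID: abc123@10.0.0.1\r\nCSeq: 1 INVITE\r\n\r\n"
              b"v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 4000 RTP/AVP 0\r\n")
    ok = (b"SIP/2.0 200 OK\r\nFrom: <sip:alice@example.net>;tag=1\r\n"
          b"To: <sip:bob@example.net>;tag=2\r\nCall-ID: abc123@10.0.0.1\r\n\r\n"
          b"v=0\r\nc=IN IP4 10.0.0.2\r\nm=audio 5000 RTP/AVP 0\r\n")
    rtp_hdr = (bytes([0x80, 0x00]) + (7).to_bytes(2, "big")
               + (1120).to_bytes(4, "big") + (0xDEADBEEF).to_bytes(4, "big"))
    db = SessionAssociationDB()
    results = [db.associate(extract_features(p)) for p in (
        Packet("SIP", "10.0.0.1:5060", "10.0.0.2:5060", invite),
        Packet("SIP", "10.0.0.2:5060", "10.0.0.1:5060", ok),
        Packet("RTP", "10.0.0.1:4000", "10.0.0.2:5000", rtp_hdr),
        Packet("RTP", "10.0.0.9:4000", "10.0.0.2:6000", rtp_hdr),  # announced by no SDP
    )]
    return db, results
```

The stray RTP packet in the last line of run_example() is associated with no session, which is the behaviour a detector wants: a media stream that no signalling announced is exactly the kind of feature that later event generation can flag.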
Fig. 5 is a schematic diagram of Embodiment five of the invention, a session attack detection system E. It differs from Embodiment four in that event processing module c1 comprises: event generation rule base 501a, which holds the predefined correspondence rules between session characteristics and events; analysis module 501, connected to session mapping block b1, session association database d and event generation rule base 501a, which receives the update notification sent by session mapping block b1, queries the corresponding record in session association database d according to that notification, analyzes the query result according to the rules held in event generation rule base 501a and generates the corresponding event; event handling rule base 502a, which holds the predefined rules for handling the generated events; processing module 502, connected to analysis module 501 and event handling rule base 502a, which handles the events generated by analysis module 501 according to the rules held in event handling rule base 502a; attack matching rule base 503a, which holds the predefined matching rules between events and session attacks; and event combination module 503, connected to processing module 502 and attack matching rule base 503a, which combines the events handled by processing module 502, analyzes the combined events according to the rules held in attack matching rule base 503a and carries out the corresponding processing.
Embodiment five further specifies the functional modules of the event processing module: the event processing module handles events according to the event handling rules and, once handled, sends the events to the event combination module. The event handling rule base mainly comprises: packet processing rules, i.e. rules for handling the packet that produced the event, such as forward, discard or cache; rules that enable a timer or counter, etc.; and rules that update the session association database, for example deleting all information of a session when a session-end event is received.
Fig. 6 is a schematic diagram of Embodiment six of the invention, a session attack detection system F. It differs from Embodiment five in that it further comprises a timer module f, connected to processing module 502, with which processing module 502, according to the rules held in advance in event handling rule base 502a, starts a timer corresponding to an event generated by analysis module 501 and performs timing; and a counter module g, connected to processing module 502, with which processing module 502, according to the rules held in advance in event handling rule base 502a, starts a counter corresponding to an event generated by analysis module 501 and performs counting.
Embodiments five and six further detail the functional modules of the event processing module; an attack is made up of one event or a series of events. The interaction between the event combination module and the processing module is shown in Fig. 7. The event combination module combines the events generated within a session and analyzes the combined events according to the attack matching rules; if they constitute an attack, it notifies the system to raise an alarm. The event combination module can also access the session association database directly to extract useful information, for example obtaining the attacker's IP address and other information from the current session identification table.
Fig. 8 is a schematic diagram of Embodiment seven of the invention, a session attack detection method comprising the following steps. First, in step 1, the input packet is subjected to deep packet inspection according to predefined filtering rules, and packets that do not meet the filtering rules are discarded. Then, in step 2, according to the packet's characteristic information and the predefined session association rules, an association record between the packet and a session is established and saved in the session association database, and the event processing module is notified after the session association database has been updated. Finally, in step 3, the event processing module, on receiving the notification that the session association database has been updated, analyzes the updated record in the session association database according to the predefined event generation rules and handles the generated events according to the predefined event handling rules.
Fig. 9 is a schematic diagram of Embodiment eight of the invention, a session attack detection method comprising the following steps. First, in step 10, the received packet is subjected to deep inspection and filtering according to the rules held in the over-long signaling message recognition rule base, and packets that do not meet the rules are discarded. Then, in step 11, the received packet is subjected to deep inspection and filtering according to the rules held in the abnormal character feature library, and packets that do not meet the rules are discarded. Then, in step 2, according to the packet's characteristic information and the predefined session association rules, an association record between the packet and a session is established and saved in the session association database, and the event processing module is notified after the session association database has been updated. Finally, in step 3, the event processing module, on receiving the notification that the session association database has been updated, analyzes the updated record in the session association database according to the predefined event generation rules and handles the generated events according to the predefined event handling rules.
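Steps 10 and 11 above, deep packet inspection against an over-long signaling message rule and an abnormal character rule, shown as an added Python example for SIP that is not the patent's own code. The size thresholds, the character classes (header names restricted to RFC 3261 token characters, no control bytes in header values) and the sample messages are constructed assumptions standing in for the contents of the two rule bases.

```python
"""Deep packet inspection of SIP messages: over-long and abnormal-character rules (added example)."""
import re

MAX_MESSAGE_LEN = 4096      # assumed over-long signaling message threshold
MAX_HEADER_LINE_LEN = 1024  # assumed per-header-line threshold
# Header names must consist of RFC 3261 "token" characters; anything else is abnormal.
TOKEN = re.compile(rb"^[A-Za-z0-9\-.!%*_+`'~]+$")
REQUEST_LINE = re.compile(rb"^[A-Z]{1,16} [\x21-\x7e]+ SIP/2\.0$")
STATUS_LINE = re.compile(rb"^SIP/2\.0 [1-6][0-9]{2} [\x20-\x7e]*$")


def has_control_chars(value: bytes) -> bool:
    """Control bytes other than TAB have no place in a header value."""
    return any((c < 0x20 and c != 0x09) or c == 0x7f for c in value)


def inspect_sip(message: bytes) -> tuple:
    """Return (True, 'ok') to forward the message, or (False, reason) to discard it."""
    # Step 10: over-long signaling message recognition rule.
    if len(message) > MAX_MESSAGE_LEN:
        return False, "over-long signaling message"
    head, sep, _body = message.partition(b"\r\n\r\n")
    if not sep:
        return False, "missing header/body separator"
    lines = head.split(b"\r\n")
    if not (REQUEST_LINE.match(lines[0]) or STATUS_LINE.match(lines[0])):
        return False, "malformed start line"
    # Step 11: abnormal character rule, applied header by header.
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE_LEN:
            return False, "over-long header line"
        if line[:1] in (b" ", b"\t"):          # folded continuation of the previous header
            if has_control_chars(line.lstrip()):
                return False, "control character in header value"
            continue
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name.strip()):
            return False, "abnormal character in header name"
        if has_control_chars(value):
            return False, "control character in header value"
    return True, "ok"


def filter_messages(messages) -> list:
    """Run both rules over a batch; one (accept, reason) result per message."""
    return [inspect_sip(m) for m in messages]


SAMPLES = {  # constructed inputs
    "good": b"INVITE sip:bob@example.net SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n"
            b"Call-ID: abc@10.0.0.1\r\nContent-Length: 0\r\n\r\n",
    "too_long": b"INVITE sip:bob@example.net SIP/2.0\r\nX-Pad: " + b"A" * 5000 + b"\r\n\r\n",
    "bad_name": b"INVITE sip:bob@example.net SIP/2.0\r\nVi\x01a: SIP/2.0/UDP 10.0.0.1\r\n\r\n",
    "bad_value": b"INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: abc\x00def\r\n\r\n",
    "bad_start": b"INVITE\x00 sip:bob@example.net SIP/2.0\r\n\r\n",
}
```

Bytes above 0x7f are deliberately left alone in header values, since UTF-8 display names are legitimate there; the rule targets what a parser downstream should never see, not everything unusual.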
Fig. 10 is a schematic diagram of Embodiment nine of the invention, a session attack detection method comprising the following steps. First, in step 10, the received packet is subjected to deep inspection and filtering according to the rules held in the over-long signaling message recognition rule base, and packets that do not meet the rules are discarded. Then, in step 11, the received packet is subjected to deep inspection and filtering according to the rules held in the abnormal character feature library, and packets that do not meet the rules are discarded. Then, in step 20, the session characteristics extraction module receives the packet sent by the deep packet inspection module and extracts the session characteristics of the packet according to the predefined session characteristics rules. Subsequently, in step 21, the session association module, according to the packet feature extracted by the session characteristics extraction module and the predefined session association rules, establishes an association record between the packet and a session, saves it in the session association database, and notifies the event processing module after updating the session association database. Finally, in step 3, the event processing module, on receiving the notification that the session association database has been updated, analyzes the updated record in the session association database according to the predefined event generation rules and handles the generated events according to the predefined event handling rules.
Further, in Embodiment nine, step 20 may specifically comprise: the session characteristics extraction module receives the packet sent by the deep packet inspection module and extracts the session characteristics of the packet according to the rules held in advance in the session characteristics rule base. Step 21 may specifically comprise: the session association module, according to the packet feature extracted by the session characteristics extraction module and the session association rules held in advance in the session association rule base, establishes an association record between the packet and a session, saves it in the session association database, and notifies the event processing module after updating the session association database.
Fig. 11 is a schematic diagram of Embodiment ten of the invention, a session attack detection method comprising the following steps. First, in step 10, the received packet is subjected to deep inspection and filtering according to the rules held in the over-long signaling message recognition rule base, and packets that do not meet the rules are discarded. Then, in step 11, the received packet is subjected to deep inspection and filtering according to the rules held in the abnormal character feature library, and packets that do not meet the rules are discarded. Then, in step 20, the session characteristics extraction module receives the packet sent by the deep packet inspection module and extracts the session characteristics of the packet according to the predefined session characteristics rules. Subsequently, in step 21, the session association module, according to the packet feature extracted by the session characteristics extraction module and the predefined session association rules, establishes an association record between the packet and a session, saves it in the session association database, and notifies the event processing module after updating the session association database. Afterwards, in step 31, the analysis module receives the notification sent by the session mapping block that the session association database has been updated, queries the corresponding record in the session association database according to that notification, and analyzes the query result according to the rules held in the event generation rule base to generate the corresponding event. In step 32, the processing module then handles the events generated by the analysis module according to the rules held in the event handling rule base. Then, in step 33, the event combination module combines the events handled by the processing module, analyzes the combined events according to the rules held in the attack matching rule base and carries out the corresponding processing.
Further, in Embodiment ten, step 32 may specifically comprise: the processing module, according to the rules held in advance in the event handling rule base, starts a timer corresponding to an event generated by the analysis module and performs timing. Step 32 may also specifically comprise: the processing module, according to the rules held in advance in the event handling rule base, starts a counter corresponding to an event generated by the analysis module and performs counting. Step 32 may also specifically comprise: the processing module, according to the rules held in advance in the event handling rule base, updates the corresponding record in the session association database with the event generated by the analysis module.
Further, in Embodiment eleven, step 33 may specifically comprise: the event combination module, according to the rules held in the attack matching rule base, accesses the corresponding record in the session association database for the combined events and obtains the corresponding information.
Fig. 12 is the detailed flowchart of Embodiment eleven of the invention. After a data message enters the system, it is first subjected to deep packet inspection. If it passes the inspection, the message is forwarded to the next processing module; a malformed data message is discarded. After the packet has passed deep packet inspection, its key information is extracted and it is judged whether the data message is a characteristic message. If not, the message is forwarded directly to the next hop and feature extraction proceeds with the next packet. If it is a characteristic message, the original content of the packet is retained, its packet feature is grouped by session, and the session association database is updated. When the packet feature is grouped, it is judged whether the feature belongs to an already existing session: if so, the packet feature is recorded in that session; if not, a new session record is opened and the packet feature is recorded in it. The update of the session association database triggers the event analysis module, which analyzes the newly recorded feature together with the previously existing features belonging to the same session and checks whether they constitute a certain event. If not, the data message is forwarded to the next hop and the retained content of the packet is removed. If so, the event is recorded, given further handling, and added to the event combination of this session. The event combination module updates the event combination of the session and performs attack matching to judge whether the events in the session match a certain attack; if so, an alarm is raised.
For example, in detecting a SIP session attack: after deep packet inspection, receiving a packet with a characteristic, such as a BYE message that terminates the session, can be classified as a "one-sided session termination" event. To handle this event, the packet is cached and a timer is started to wait on "whether a corresponding RTP stream arrives within T seconds", which decides how the packet is handled. If an RTP stream arrives within T seconds, a "media stream transmission" event is extracted and added to the session's event combination; attack matching is performed at the same time and a match with "SIP Session Hijack" is found, at which point the system is notified to raise an alarm and the BYE signaling message is discarded.
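The event generation, timer-based event handling and event combination with attack matching of the SIP session hijack flow just described, shown as an added Python example that is not the patent's own code. The event and attack names follow the description; the value of the T-second window, the contents of the event generation and attack matching rule tables, the handling when the timer expires without media (forward the held BYE and delete the session), and the pre-extracted feature records fed in are constructed assumptions.

```python
"""Event generation, timer handling and attack matching for a SIP BYE hijack (added example)."""
from dataclasses import dataclass, field

T_SECONDS = 5.0   # assumed value of the "T seconds" wait window


@dataclass
class SessionState:
    call_id: str
    events: list = field(default_factory=list)   # event combination of this session
    cached: list = field(default_factory=list)   # packets held back while a timer runs
    timers: dict = field(default_factory=dict)   # event name -> expiry time
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    alarms: list = field(default_factory=list)


def generate_event(feat: dict):
    """Event generation rules (session feature -> event); assumed contents."""
    if feat["proto"] == "SIP" and feat["method"] == "BYE":
        return "one-sided session termination"
    if feat["proto"] == "RTP":
        return "media stream transmission"
    return None


# Attack matching rules: ordered event combination -> attack name; assumed contents.
ATTACK_RULES = {
    ("one-sided session termination", "media stream transmission"): "SIP Session Hijack",
}


class EventProcessor:
    def __init__(self):
        self.sessions = {}   # live sessions
        self.closed = {}     # sessions whose records were deleted on session end

    def tick(self, now: float) -> None:
        """Timer module: a BYE whose T-second window passed without media was genuine,
        so forward the held BYE and delete the session (assumed expiry handling)."""
        for cid, s in list(self.sessions.items()):
            expiry = s.timers.get("one-sided session termination")
            if expiry is not None and now > expiry:
                s.forwarded.extend(s.cached)
                s.cached.clear()
                s.timers.clear()
                self.closed[cid] = self.sessions.pop(cid)

    def on_feature(self, feat: dict, now: float):
        """Analysis module (event generation), processing module (event handling rules)
        and event combination module (attack matching) for one new feature record.
        Returns the matched attack name, or None."""
        self.tick(now)
        s = self.sessions.setdefault(feat["call_id"], SessionState(feat["call_id"]))
        event = generate_event(feat)
        if event is None:
            s.forwarded.append(feat)
            return None
        s.events.append(event)
        if event == "one-sided session termination":
            s.cached.append(feat)                 # rule: cache the BYE instead of forwarding it
            s.timers[event] = now + T_SECONDS     # rule: start a timer, wait T seconds for RTP
        else:
            s.forwarded.append(feat)
        return self.match_attacks(s)

    def match_attacks(self, s: SessionState):
        """Compare the tail of the session's event combination with each attack rule."""
        for combo, attack in ATTACK_RULES.items():
            if tuple(s.events[-len(combo):]) == combo and "one-sided session termination" in s.timers:
                s.alarms.append(attack)           # notify the system to raise an alarm
                s.dropped.extend(s.cached)        # discard the cached BYE
                s.cached.clear()
                s.timers.clear()
                return attack
        return None


def hijack_scenario():
    """Constructed: BYE at t=100, then RTP in the same session at t=102 (within T)."""
    ep = EventProcessor()
    bye = {"proto": "SIP", "method": "BYE", "call_id": "c1"}
    rtp = {"proto": "RTP", "call_id": "c1", "seq": 1}
    first = ep.on_feature(bye, now=100.0)
    second = ep.on_feature(rtp, now=102.0)
    return first, second, ep.sessions["c1"]


def genuine_bye_scenario():
    """Constructed: BYE at t=100 and no media before the window closes at t=106."""
    ep = EventProcessor()
    bye = {"proto": "SIP", "method": "BYE", "call_id": "c1"}
    ep.on_feature(bye, now=100.0)
    ep.tick(now=106.0)
    return ep.closed["c1"]
```

The point the example makes explicit is that the BYE is never forwarded until the timer decides: holding it costs at most T seconds of teardown latency for a legitimate call, while forwarding it immediately would let a forged BYE tear the call down before the media evidence arrives.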
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the preferred embodiments above, those of ordinary skill in the art should understand that the technical solution of the invention may still be modified or equivalently replaced, and that such modification or equivalent replacement does not depart from the spirit and scope of the technical solution of the invention.

Claims (20)

1. A session attack detection system, characterized in that it comprises:
a deep packet inspection module, for performing deep inspection on input packets according to predefined filtering rules and discarding packets that do not meet the filtering rules;
a session association database, for storing the detected session records and the packet features associated with the sessions;
a session mapping block, connected to the deep packet inspection module and the session association database, for receiving the packets sent by the deep packet inspection module and, according to the characteristic information of each packet and the predefined session association rules, establishing an association record between the packet and a session and saving it in the session association database;
an event processing module, connected to the session mapping block and the session association database, for: after receiving the session association database update message sent by the session mapping block, analyzing the updated record in the session association database according to predefined event generation rules, and handling the generated events according to predefined event handling rules.
2. The session attack detection system according to claim 1, characterized in that it further comprises a packet filtering rule base, connected to the deep packet inspection module, for storing the predefined packet filtering rules.
3. The session attack detection system according to claim 2, characterized in that the packet filtering rule base comprises an over-long signaling message recognition rule base, connected to the deep packet inspection module, for storing the predefined rules for recognizing and filtering over-long signaling messages.
4. The session attack detection system according to claim 3, characterized in that the deep packet inspection module comprises an over-long signaling message detection module, connected to the over-long signaling message recognition rule base, for performing deep inspection and filtering on received packets according to the rules held in the over-long signaling message recognition rule base.
5. The session attack detection system according to claim 2, characterized in that the packet filtering rule base comprises an abnormal character feature library, connected to the deep packet inspection module, for storing the predefined rules for recognizing and filtering packets that contain abnormal characters.
6. The session attack detection system according to claim 5, characterized in that the deep packet inspection module comprises an abnormal character detection module, connected to the abnormal character feature library, for performing deep inspection and filtering on received packets according to the rules held in the abnormal character feature library.
7. The session attack detection system according to claim 1, characterized in that the session mapping block comprises:
a session characteristics rule base, for storing the predefined session characteristics rules relevant to the session attacks to be detected;
a session characteristics extraction module, connected to the session characteristics rule base and the deep packet inspection module, for receiving the packets sent by the deep packet inspection module and extracting the session characteristics of each packet according to the predefined session characteristics rules held in the session characteristics rule base;
a session association rule base, for storing the predefined association rules between packet features and sessions;
a session association module, connected to the session characteristics extraction module, the session association rule base, the session association database and the event processing module respectively, for establishing an association record between a packet and a session according to the packet feature extracted by the session characteristics extraction module and the predefined session association rules held in the session association rule base, saving it in the session association database, and notifying the event processing module after updating the session association database.
8. The session attack detection system according to claim 1, characterized in that the event processing module comprises:
an event generation rule base, for storing the predefined correspondence rules between session characteristics and events;
an analysis module, connected to the session mapping block, the session association database and the event generation rule base, for receiving the update notification sent by the session mapping block, querying the corresponding record in the session association database according to that notification, and analyzing the query result according to the rules held in the event generation rule base to generate the corresponding event;
an event handling rule base, for storing the predefined rules for handling the generated events;
a processing module, connected to the analysis module and the event handling rule base, for handling the events generated by the analysis module according to the rules held in the event handling rule base;
an attack matching rule base, for storing the predefined matching rules between events and session attacks;
an event combination module, connected to the processing module and the attack matching rule base, for combining the events handled by the processing module, analyzing the combined events according to the rules held in the attack matching rule base and carrying out the corresponding processing.
9. The session attack detection system according to claim 8, characterized in that it further comprises a timer module, connected to the processing module, with which the processing module, according to the rules held in advance in the event handling rule base, starts a timer corresponding to an event generated by the analysis module and performs timing.
10. The session attack detection system according to claim 8, characterized in that it further comprises a counter module, connected to the processing module, with which the processing module, according to the rules held in advance in the event handling rule base, starts a counter corresponding to an event generated by the analysis module and performs counting.
11. A session attack detection method, characterized in that it comprises the following steps:
step 1, performing deep inspection on the input packet according to predefined filtering rules and discarding packets that do not meet the filtering rules;
step 2, according to the characteristic information of the packet and the predefined session association rules, establishing an association record between the packet and a session, saving it in a session association database, and notifying an event processing module after updating the session association database;
step 3, the event processing module, after receiving the notification that the session association database has been updated, analyzing the updated record in the session association database according to predefined event generation rules and handling the generated events according to predefined event handling rules.
12. The method according to claim 11, characterized in that step 1 specifically comprises:
step 10, performing deep inspection and filtering on the received packet according to the rules held in an over-long signaling message recognition rule base, and discarding packets that do not meet the rules;
step 11, performing deep inspection and filtering on the received packet according to the rules held in an abnormal character feature library, and discarding packets that do not meet the rules.
13. The method according to claim 11, characterized in that step 2 specifically comprises:
step 20, a session characteristics extraction module receiving the packet sent by a deep packet inspection module and extracting the session characteristics of the packet according to predefined session characteristics rules;
step 21, a session association module, according to the packet feature extracted by the session characteristics extraction module and the predefined session association rules, establishing an association record between the packet and a session, saving it in the session association database, and notifying the event processing module after updating the session association database.
14. The method according to claim 13, characterized in that step 20 specifically comprises: the session characteristics extraction module receiving the packet sent by the deep packet inspection module and extracting the session characteristics of the packet according to the rules held in advance in a session characteristics rule base.
15. The method according to claim 13, characterized in that step 21 specifically comprises: the session association module, according to the packet feature extracted by the session characteristics extraction module and the session association rules held in advance in a session association rule base, establishing an association record between the packet and a session, saving it in the session association database, and notifying the event processing module after updating the session association database.
16. The method according to claim 11, characterized in that step 3 specifically comprises:
step 31, an analysis module receiving the notification, sent by the session mapping block, that the session association database has been updated, querying the corresponding record in the session association database according to that notification, and analyzing the query result according to the rules held in an event generation rule base to generate the corresponding event;
step 32, a processing module handling the events generated by the analysis module according to the rules held in an event handling rule base;
step 33, an event combination module combining the events handled by the processing module, analyzing the combined events according to the rules held in an attack matching rule base and carrying out the corresponding processing.
17. The method according to claim 16, characterized in that step 32 specifically comprises: the processing module, according to the rules held in advance in the event handling rule base, starting a timer corresponding to an event generated by the analysis module and performing timing.
18. The method according to claim 16, characterized in that step 32 specifically comprises: the processing module, according to the rules held in advance in the event handling rule base, starting a counter corresponding to an event generated by the analysis module and performing counting.
19. The method according to claim 16, characterized in that step 32 specifically comprises: the processing module, according to the rules held in advance in the event handling rule base, updating the corresponding record in the session association database with the event generated by the analysis module.
20. The method according to claim 16, characterized in that step 33 specifically comprises: the event combination module, according to the rules held in the attack matching rule base, accessing the corresponding record in the session association database for the combined events and obtaining the corresponding information.
CN200610084973A 2006-05-31 2006-05-31 Session attack detection system and method Expired - Fee Related CN101047509B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200610084973A CN101047509B (en) 2006-05-31 2006-05-31 Session attack detection system and method

Publications (2)

Publication Number Publication Date
CN101047509A CN101047509A (en) 2007-10-03
CN101047509B true CN101047509B (en) 2010-05-12

Family

ID=38771767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610084973A Expired - Fee Related CN101047509B (en) 2006-05-31 2006-05-31 Session attack detection system and method

Country Status (1)

Country Link
CN (1) CN101047509B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686180A (en) 2008-09-28 2010-03-31 华为技术有限公司 Data transmission method, network node and data transmission system
CN106416171B (en) * 2014-12-30 2020-06-16 华为技术有限公司 Characteristic information analysis method and device
CN107612646B (en) * 2017-10-31 2019-05-31 携程计算机技术(上海)有限公司 The emergency broadcase system and method for online customer service
CN110798427A (en) * 2018-08-01 2020-02-14 深信服科技股份有限公司 Anomaly detection method, device and equipment in network security defense
CN109067782B (en) * 2018-09-18 2021-09-03 中国人民解放军战略支援部队信息工程大学 IMS network session abnormal interruption attack detection device and method
CN112995099B (en) * 2019-12-16 2022-07-12 中国电信股份有限公司 Method and border access controller for voice communication attack protection
CN111371774A (en) * 2020-02-28 2020-07-03 深信服科技股份有限公司 Information processing method and device, equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1578227A (en) * 2003-07-29 2005-02-09 上海聚友宽频网络投资有限公司 Dynamic IP data packet filtering method
CN1642107A (en) * 2004-01-15 2005-07-20 中兴通讯股份有限公司 Method for preventing address-depletion attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JP特开2006-23934A 2006.01.26

Also Published As

Publication number Publication date
CN101047509A (en) 2007-10-03

Similar Documents

Publication Publication Date Title
CN101047509B (en) Session attack detection system and method
US11778091B2 (en) Utilizing sip messages to determine the status of a remote terminal in VOIP communication systems
US7570743B2 (en) Method and apparatus for surveillance of voice over internet protocol communications
CN101171809B (en) Method and system for transmitting a multicast stream in data exchange network
CN100558081C (en) The keepalive method of address repeat listing and system
KR101218253B1 (en) Fraud security detection system and method
US20090265456A1 (en) Method and system to manage multimedia sessions, allowing control over the set-up of communication channels
KR20100120823A (en) Voip anomaly traffic detection method with flow-level data
CN102075737A (en) Video monitoring conversation method
KR100849888B1 (en) Device, system and method for dropping attack multimedia packets
US8027841B2 (en) Centralized server obtaining security intelligence knowledge by analyzing VoIP bit-stream
CN101321173A (en) Method, system and device for preventing network attack
US20070002829A1 (en) Internet protocol voice logger
US20110194460A1 (en) Monitoring in an internet protocol (IP) domain
US8537996B2 (en) Selective response unit
CN101631174B (en) Network telephone real-time identification and filtering method based on session initiation protocol
CN102739458B (en) Method and system for detecting RTP threat aimed at IP multimedia subsystem
Park et al. Security threats and countermeasure frame using a session control mechanism on volte
KR20110043373A (en) Sip dos attack detection and prevention system and method using hidden markov model
KR101586626B1 (en) SIP Detection System and SIP Attack and Abnormal Detection Method Thereby In 4G Mobile Communication Network
US8917639B2 (en) Eliminating false audio associated with VoIP communications
CN102148720B (en) Method and system for detecting distributed denial of service (DDoS) vulnerability of internet protocol (IP) multimedia subsystem
CN102480488B (en) Device and method for independently capturing session media data
KR101074538B1 (en) System for schematizing flow of protocol message in Internet call service
JP2023117556A (en) Packet loss detection system and packet loss detection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100512

Termination date: 20170531