CN101459677A - Detection apparatus and method for SIP message flooding attack - Google Patents


Info

Publication number
CN101459677A
Authority
CN
China
Legal status
Granted
Application number
CNA2009100763115A
Other languages
Chinese (zh)
Other versions
CN101459677B (en)
Inventor
闫丹凤
孙其博
杨放春
李静林
王尚广
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN2009100763115A
Publication of CN101459677A
Application granted
Publication of CN101459677B
Expired - Fee Related
Anticipated expiration

Abstract

The invention relates to a detection apparatus for SIP message flooding and a detection method using it. The apparatus is composed of cooperating functional modules arranged in a four-layer structure: a collection layer, a data layer, a detection layer and a response layer. The collection layer contains a packet-capture module that collects SIP packets from the network. The data layer pre-processes the SIP packets received from the collection layer and stores separately the total numbers of captured INVITE messages and REGISTER messages. The detection layer reads the stored INVITE and REGISTER message values, applies the DW-CUSUM algorithm to them and outputs the detection results. An alarm module in the response layer evaluates the detection results and decides whether to raise an alarm: if the results exceed the configured threshold, SIP message flooding is taken to be under way and an alarm signal is sent; otherwise the network is considered to be operating normally. The apparatus and method can effectively detect flooding aimed at SIP messages in NGN networks, offer excellent detection performance, and provide a security guarantee for NGN communication services.

Description

Detection apparatus and method for SIP message flooding attacks
Technical field
The present invention relates to apparatus and methods for ensuring the secure transmission of network information, and more precisely to a detection apparatus and detection method for SIP message (INVITE and REGISTER message) flooding attacks, belonging to the technical field of network information security.
Background technology
The Next Generation Network (NGN) uses the Session Initiation Protocol (SIP) to create, manage and terminate multimedia services carrying all kinds of messages through a session control mechanism. NGN is a milestone in the history of telecommunications and marks the arrival of a new generation of telecommunication networks. With the rapid spread of computer networks and the continuous rise of new communication services, network security problems have gradually penetrated every field of social life and are becoming more and more serious. Because NGN is IP-based and open in its networking, telecommunication networks will face the same security threats that the Internet has faced.
Among the many security problems, flooding attacks using SIP messages seriously threaten the security of NGN networks; attacks with invitation (INVITE) messages and registration (REGISTER) messages are the most common. The principle of the INVITE and REGISTER attacks is the same: the attacker sends a large number of such messages to the target, so that the attacked server is kept busy processing the flood of messages and exhausts its resources; as a result normal, legitimate messages cannot be processed and the whole communication network is paralysed. These INVITE and REGISTER attacks appear simple, but they are quite difficult to defend against. On the one hand, the packets used in such SIP attacks are all normal packets, which a network server cannot refuse or prohibit during normal operation; on the other hand, the attacker does not need any return information from the target host and can therefore forge the source IP address of the packets, so that the attacking host cannot be traced. Detecting and blocking these messages is therefore very difficult, which gives attackers, saboteurs and terrorists targeting network security their opportunity. Network security problems thus not only affect the normal operation of telecommunication networks but may also cause enormous losses to national security and the national economy, with losses and consequences comparable to a terrorist attack. For example, the flooding attack that took place in 2003 caused large-scale Internet outages in North America, Europe and Asia; according to estimates at least 22,000 web servers and 250,000 computers were attacked, and the South Korean national network, the worst hit, was paralysed for a full 24 hours, causing enormous and irretrievable losses. Effective detection means are therefore urgently needed to discover attacks that damage network security in time, so that corresponding measures can be taken promptly to contain the spread and development of such attacks.
Since 2002, H. Wang of the University of Michigan, Ann Arbor, USA, Tao Peng of the University of Melbourne, Australia, Moustakides of the University of Thessaly, Greece, and others have successively proposed using the non-parametric CUSUM algorithm to detect SYN flooding attacks on the Internet. Yacine Rebahi and others of the Institute for Open Communication Systems in Germany have used the same algorithm to detect SIP flooding attacks in IMS networks. In China, since 2005, Lin Bai of the PLA Information Engineering University, Chen Wei of Nanjing University of Posts and Telecommunications, Yan Fen of Nanjing University, Yu Ming of Dalian University of Technology and others have successively applied the algorithm to research on SYN flooding attacks on the Internet. Up to now, however, the domestic use of the non-parametric cumulative sum (CUSUM) algorithm, hereafter simply the CUSUM method, to detect flooding attacks has remained at the level of TCP messages, and research on detecting and defending against SIP message flooding attacks is almost blank. The main reason is that operators have not yet brought NGN to market.
Moreover, if the existing methods for detecting SYN flooding attacks are applied to the detection of SIP flooding attacks, they have the following shortcomings: (1) the detection time is long, that is, the delay between the moment an attack actually starts and the moment it is detected is long; (2) the recovery time of the detection apparatus is too long, that is, after the network attack stops the apparatus takes too long to return to its normal operating state; (3) the detection rate is low.
At present, telecom operators and administrative departments are all eager to use NGN networks to provide communication services, but the latent network security problems described above have significantly slowed this trend.
Therefore, developing a detection apparatus and method that can effectively stop SIP message flooding attacks as early as possible, contain their spread and development, and give the communication services of NGN networks a good guarantee of secure transmission and quality of service has become an urgent and unavoidable task for technical personnel in the industry.
Summary of the invention
In view of this, the purpose of the present invention is to provide a detection apparatus and detection method for SIP message flooding attacks. Both are built around a DW-CUSUM module, are deployed in next-generation telecommunication networks, can effectively detect flooding attacks aimed at SIP messages in NGN networks, and so provide a security guarantee for NGN communication services and a contribution to the national communications industry.
To achieve the above purpose, the invention provides a detection apparatus for SIP message flooding attacks, characterised in that the apparatus is composed of cooperating functional modules in a four-layer architecture of a collection layer, a data layer, a detection layer and a response layer, wherein:
the collection layer contains a packet-capture module that captures the SIP packets transmitted in the network by calling UNIX/LINUX system functions and using a SIP protocol stack, so as to collect the SIP packets in the network;
the data layer is responsible for pre-processing the SIP packets from the collection layer and for storing the resulting INVITE and REGISTER message values separately; it contains a data pre-processing module that separately accumulates counts of the INVITE and REGISTER messages in the SIP packets, together with an INVITE value storage module and a REGISTER value storage module that store the INVITE and REGISTER statistics respectively for the detection layer to read;
the detection layer contains functional modules based on the double-window non-parametric cumulative sum (DW-CUSUM) algorithm that process the INVITE values and the REGISTER message values respectively; it reads the INVITE and REGISTER message values stored in the data layer, processes them with the DW-CUSUM algorithm and obtains the detection results;
the response layer contains an alarm module that receives the detection result data output by the detection layer and decides whether to raise an alarm: when the detection result data exceed the threshold preset in the response layer, the module concludes that a SIP flooding attack is under way and sends an alarm signal; otherwise the network is considered to be operating normally and no SIP flooding attack is taking place.
The accumulated INVITE counts are of two kinds: the total number of INVITE messages $T_{Invite}(n)$ captured in the configured time period $n$, and the total number of INVITE messages $S_{Invite}(n)$ whose exchange with the corresponding response messages has completed. Likewise the accumulated REGISTER counts are of two kinds: the total number of REGISTER messages $T_{Register}(n)$ captured in the configured time period $n$, and the total number of REGISTER messages $S_{Register}(n)$ whose exchange with the corresponding response messages has completed.
The apparatus is installed on a server that is connected to the layer-3 switch between the local NGN network (or other network using SIP) and the Internet, a mobile network (PLMN), another NGN network or another network using SIP, or alternatively connected to the Proxy Call Session Control Function (P-CSCF) node of the local NGN.
To achieve the above purpose, the invention also provides a detection method for SIP message flooding attacks, characterised by the following operating steps:
(1) the packet-capture module of the collection layer obtains local module information and collects SIP packets by calling the packet-capture function provided in UNIX/LINUX systems as a user-level network packet capture interface;
(2) the data layer passes the SIP packets received from the collection layer to the data pre-processing module, which counts the INVITE and REGISTER messages in the packets separately and sends the counts to the INVITE value storage module and the REGISTER value storage module respectively for storage;
(3) the DW-CUSUM modules of the detection layer read the relevant data from the INVITE value storage module and the REGISTER value storage module in the data layer, run the detection and judge whether a SIP message flooding attack is taking place;
(4) the alarm module of the response layer receives the detection results of the DW-CUSUM modules and, if it judges that a SIP flooding attack is under way, raises an alarm;
(5) return to step (1) and continue the SIP message detection operations.
Step (1) further comprises the following operations:
(11) the packet-capture module searches the system for an available network interface through the packet-capture function and starts a monitoring session;
(12) a filter string is edited to set the filter condition, specifying that the SIP attribute to capture is an INVITE or REGISTER message, so that packets of the type specified by this module are captured efficiently;
(13) a capture loop is executed: each time a packet is captured, the user's callback function is invoked to process it.
When detecting and processing INVITE messages, step (3) further comprises the following operations:
(31) after initialisation sets the sampling interval, the DW-CUSUM module reads from the data layer the total number of INVITE messages $T_{Invite}(n)$ in the $n$-th sampling interval and the total number of INVITE messages $S_{Invite}(n)$ whose exchange with the corresponding response messages has completed, and subtracts the two to obtain the difference $X_n$: $X_n = T_{Invite}(n) - S_{Invite}(n)$, where the natural number $n$ is the sequence number of the sampling interval;
(32) the DW-CUSUM module applies a normalisation transform to each difference $X_n$: $\tilde{X}_n = X_n / \bar{F}(n)$, where $\bar{F}(n)$ is the mean of the number $S_{Invite}(n)$ of completed INVITE exchanges, estimated in real time and updated periodically; the recursive estimate of $\bar{F}(n)$ is $\bar{F}(n) = \lambda \bar{F}(n-1) + (1-\lambda) S_{Invite}(n)$ with $\bar{F}(0) = S_{Invite}(1)$, where $\lambda$ is the exponentially weighted moving average (EWMA) coefficient with range $[0, 1]$; this yields the difference sequence $\{\tilde{X}_n\}$;
(33) the DW-CUSUM module then transforms each difference $\tilde{X}_n$ of the sequence $\{\tilde{X}_n\}$: let $Z_n = \tilde{X}_n - \beta$, where $\beta$ is the maximum of the sequence $\{\tilde{X}_n\}$ when the network is not under attack; this parameter $\beta$ is set according to the network conditions, and the result is the value sequence $\{Z_n\}$;
(34) to improve detection efficiency and shorten the detection time, the DW-CUSUM module uses a first sliding window to take successive segments of the value sequence $Z_n$ and reassign values: the window length is $K$, so that each window holds $K$ values of $Z_n$; the $K$ values of $Z_n$ in the window are each compared with a threshold, and if every $Z_n$ in the window is greater than the threshold, the maximum among them replaces the first value in the window and the window then slides forward along the sequence; otherwise no value in the window is changed and the window slides forward. After this sequential sliding-window operation a new value sequence $Z'_n$ is obtained;
(35) to shorten the time the apparatus takes to return to the normal state after an attack ends, the DW-CUSUM module uses a second sliding window of length $K'$ to take successive segments of the value sequence $Z'_n$ and reassign values, each window holding $K'$ values of $Z'_n$; the $K'$ values of $Z'_n$ in the second window are accumulated with the formula
$$y_n = (y_{n-1} + Z'_n)^+ = \begin{cases} y_{n-1} + Z'_n, & y_{n-1} + Z'_n > 0 \\ y_{n-1}, & y_{n-1} + Z'_n \le 0 \end{cases}$$
to obtain a value $y_n$. The meaning of this formula is: when $Z'_n$ is greater than zero, $y_n$ is the sum of $y_{n-1}$ and $Z'_n$; when $Z'_n$ is less than or equal to zero, $y_n$ is simply $y_{n-1}$, that is, no addition is performed. If the resulting $y_n$ is greater than or equal to the product $L \times N$ of the configured threshold $N$ and a threshold coefficient $L$ greater than 1, then $y_n$ is reassigned the product of $N$ and a new threshold coefficient $L'$, that is $y_n = L' \times N$, where $1 < L' \le L$ and the values of both coefficients $L$ and $L'$ are set according to the specific network conditions; otherwise $y_n$ is left unchanged. This lets $y_n$ return to the normal operating state within a short time. The second window then continues to slide forward along the sequence, the $K'$ values of $Z'_n$ in the next window are computed in the same way to obtain the second $y_n$, and so on with successive windows; the resulting value sequence $y_n$ is output as the detection result data.
In the operating steps of step (3) for detecting and processing REGISTER messages, the only difference is that, after the sampling interval is set in step (31), the DW-CUSUM module reads from the data layer the total number of REGISTER messages $T_{Register}(n)$ stored for the configured time interval and the total number of REGISTER messages $S_{Register}(n)$ whose exchange with the corresponding response messages has completed; all other operations are identical to those for detecting and processing INVITE messages.
The operating steps of the alarm module in step (4) are as follows: a decision threshold $N$ for detecting attacks is set first, and the detection result $y_n$ received from the detection layer is compared with this threshold, that is, the decision function for the INVITE flooding attack is
$$d_N(y_n) = \begin{cases} 1, & y_n \ge N \\ 0, & y_n < N \end{cases}$$
where $d_N(y_n)$ is the decision result at time $n$: if $y_n$ is greater than or equal to $N$, the alarm message value is "1", indicating that a flooding attack has occurred, the alarm module raises an alarm, and the larger $y_n$ is, the stronger the attack; otherwise the alarm message value is "0", indicating that no attack has occurred and the network is operating normally.
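The detection chain of steps (31) to (35) and the decision function of step (4), worked through on constructed per-interval counts as an added example (not the patent's own code). It assumes, where the text is silent, that the comparison threshold inside the first sliding window is 0 (Z_n above the normal bound β), that the second window advances in non-overlapping blocks of K' values reporting one y_n per block, and that y_n follows the formula of step (35) literally; all parameter values are illustrative.

```python
"""DW-CUSUM detector for SIP INVITE flooding, an added illustration of claim
steps (31)-(35) and the decision function of step (4); not the patent's code.
Assumptions: first-window threshold 0, second window in non-overlapping
blocks of K' values (one y_n per block), y_n per the step (35) formula."""
from typing import List, Tuple


def normalize(t_seq: List[float], s_seq: List[float], lam: float) -> List[float]:
    """Steps (31)-(32): X_n = T_Invite(n) - S_Invite(n) and X~_n = X_n / F(n),
    where F(n) = lam*F(n-1) + (1-lam)*S_Invite(n) is the EWMA of S with
    F(0) = S_Invite(1)."""
    if not 0.0 <= lam <= 1.0:
        raise ValueError("lambda must lie in [0, 1]")
    if not s_seq or len(t_seq) != len(s_seq):
        raise ValueError("T and S sequences must be non-empty and equally long")
    f_bar = float(s_seq[0])                       # F(0) = S_Invite(1)
    x_tilde: List[float] = []
    for t, s in zip(t_seq, s_seq):
        x_n = t - s                               # X_n
        f_bar = lam * f_bar + (1.0 - lam) * s     # EWMA update
        # Assumption: if no completed exchanges have been seen yet (F(n) == 0)
        # the ratio is undefined, so the raw difference is used instead.
        x_tilde.append(x_n / f_bar if f_bar > 0 else float(x_n))
    return x_tilde


def first_window(z_seq: List[float], k: int, thresh: float = 0.0) -> List[float]:
    """Step (34): slide a window of length K over Z_n; when every value in the
    window exceeds thresh, overwrite the window's first value with the window
    maximum, so a sustained excursion is reported sooner. Returns Z'_n."""
    if k < 1:
        raise ValueError("K must be at least 1")
    z_prime = list(z_seq)
    for i in range(len(z_prime) - k + 1):
        window = z_prime[i:i + k]
        if all(v > thresh for v in window):
            z_prime[i] = max(window)
    return z_prime


def second_window(zp_seq: List[float], k2: int, n_thresh: float,
                  big_l: float, small_l: float) -> List[float]:
    """Step (35): accumulate each block of K' values of Z'_n with
    y_n = y_{n-1} + Z'_n if y_{n-1} + Z'_n > 0 else y_{n-1}; then, if
    y_n >= L*N, reset it to L'*N (1 < L' <= L) so that recovery after the
    attack stops is short. Returns one y_n per block."""
    if not 1.0 < small_l <= big_l:
        raise ValueError("need 1 < L' <= L")
    y = 0.0
    y_seq: List[float] = []
    for start in range(0, len(zp_seq) - k2 + 1, k2):
        for z in zp_seq[start:start + k2]:
            if y + z > 0:
                y += z
        if y >= big_l * n_thresh:
            y = small_l * n_thresh
        y_seq.append(y)
    return y_seq


def decide(y_seq: List[float], n_thresh: float) -> List[int]:
    """Step (4): d_N(y_n) = 1 if y_n >= N else 0."""
    return [1 if y >= n_thresh else 0 for y in y_seq]


def detect(t_seq: List[float], s_seq: List[float], lam: float = 0.5,
           beta: float = 0.5, k: int = 2, k2: int = 2, n_thresh: float = 2.0,
           big_l: float = 3.0, small_l: float = 1.5) -> Tuple[List[float], List[int]]:
    """Run the whole DW-CUSUM chain; returns (y_n per block, alarm flags)."""
    x_tilde = normalize(t_seq, s_seq, lam)
    z_seq = [x - beta for x in x_tilde]           # Step (33): Z_n = X~_n - beta
    z_prime = first_window(z_seq, k)
    y_seq = second_window(z_prime, k2, n_thresh, big_l, small_l)
    return y_seq, decide(y_seq, n_thresh)


# Constructed per-interval counts (not measured data): four normal intervals,
# four intervals of INVITE flooding in which captured INVITEs T_Invite grow
# while completed exchanges S_Invite stay flat, then four intervals after the
# flood stops.
T_INVITE = [100, 100, 100, 100, 500, 1000, 1500, 1500, 100, 100, 100, 100]
S_INVITE = [100, 100, 100, 100, 100, 100, 100, 100, 100, 100, 100, 100]

if __name__ == "__main__":
    for i, (y, d) in enumerate(zip(*detect(T_INVITE, S_INVITE)), start=1):
        print(f"window {i}: y_n={y:.2f} alarm={d}")
```

With these values the alarm is raised in the first block of the flood, capped at L'·N = 3.0 instead of climbing past 20, and clears two blocks after the flood stops, which is the recovery behaviour step (35) is designed for.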
The key technological innovation of the present invention is the development of a DW-CUSUM detection module, which serves as the core of the detection apparatus for SIP message flooding attacks, and with it a method that can effectively detect flooding attacks aimed at SIP messages in NGN networks, providing a reliable guarantee for the secure transmission and service quality of NGN communication services.
The innovative features of this DW-CUSUM detection module are as follows. Regardless of the network environment, the numbers of INVITE or REGISTER messages received by the module are first normalised using an exponentially weighted moving average (EWMA), producing a normalised value sequence. The upper bound of this sequence is then subtracted from it, so that under normal conditions the sampled values of the sequence are usually all less than zero; only when a flooding attack is under way do the sampled values become greater than zero, which helps to make a correct decision. In addition, to improve detection efficiency and shorten the detection time, the transformed value sequence is accumulated: if a value in the sequence is greater than zero it is added to the detection result; if it is less than or equal to zero it is not added. Next, the accumulated value is compared with a threshold configured in the module; if it is greater than or equal to this threshold it is reassigned, otherwise it is left unchanged. Finally, the accumulated value is compared with the configured alarm threshold; if it is greater than or equal to the alarm threshold an alarm is output, otherwise the detection task continues.
The advantages of the present invention are as follows: (1) the detection performance of the apparatus and method is outstanding, with a detection rate close to 100%, a false alarm rate close to 0, and a short detection time and a short recovery time after detection ends; (2) the architecture of the apparatus is simple, with only four layers, and the functional modules of each layer are also simple and compact, so the apparatus is structurally simple, small, easy to manufacture, flexible, easy to deploy and practical; (3) if the invention is deployed in a network away from the attack source it can effectively detect flooding attacks on that network, and if it is deployed directly in the source network where the attack originates it can detect the attack and locate the attack source in the shortest possible time. The invention therefore has strong detection performance, good practicality and good prospects for widespread application.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the detection apparatus for SIP message flooding attacks of the present invention.
Fig. 2 is a diagram of the position of the apparatus of the present invention in the network.
Fig. 3 is a flow chart of the operating steps of the detection method for SIP message flooding attacks of the present invention.
Fig. 4 is a schematic diagram of the operating process of the data pre-processing module in the detection method of the present invention.
Fig. 5 is a schematic diagram of the workflow of the DW-CUSUM module in the detection method of the present invention.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the structure and composition of the detection apparatus for SIP message flooding attacks of the present invention are introduced.
The detection apparatus of the present invention is composed of cooperating functional modules in a four-layer architecture of a collection layer, a data layer, a detection layer and a response layer. The collection layer contains a packet-capture module, which collects the SIP packets in the network by calling UNIX/LINUX system functions and using a SIP protocol stack to capture the SIP packets transmitted in the network. The data layer contains a data pre-processing module that separately accumulates counts of the INVITE and REGISTER messages in the SIP packets, together with an INVITE value storage module and a REGISTER value storage module, which store respectively the collected INVITE and REGISTER message statistics for the detection layer to read; this data layer is responsible for pre-processing the SIP packets from the collection layer and storing the resulting INVITE and REGISTER message values separately. The detection layer contains two DW-CUSUM modules, which read respectively the INVITE message values and the REGISTER message values stored in the data layer, process them with the DW-CUSUM algorithm, obtain the detection results and send them on to the alarm module. The response layer contains the alarm module, which receives the detection result data output by the detection layer and decides whether to raise an alarm: when the detection result data exceed the threshold preset in the response layer, the alarm module concludes that a SIP flooding attack is under way and sends an alarm signal; otherwise the network is considered to be operating normally and no SIP flooding attack is taking place.
The data pre-processing module of the apparatus accumulates two kinds of INVITE counts: the total number of INVITE messages $T_{Invite}(n)$ captured in the configured time period $n$, and the total number of INVITE messages $S_{Invite}(n)$ whose exchange with the corresponding response messages has completed. The accumulated REGISTER counts are also of two kinds: the total number of REGISTER messages $T_{Register}(n)$ captured in the configured time period $n$, and the total number of REGISTER messages $S_{Register}(n)$ whose exchange with the corresponding response messages has completed.
Referring to Fig. 2, the installation position of the apparatus is introduced: the apparatus is installed on a server that is connected to the layer-3 switch between the local NGN network (or other network using SIP) and the Internet, a PLMN (mobile network), another NGN network or another network using SIP, or alternatively the apparatus is connected to the Proxy Call Session Control Function (P-CSCF) node of the local NGN.
Once deployed, the apparatus can detect external or local flooding attacks at the moment they occur, which improves the network's sensitivity to flooding attacks and makes early detection and prevention a reality; it also provides a safeguard and saves time for the subsequent defensive measures, and becomes an important barrier for NGN against flooding attacks.
Referring to Fig. 3, the concrete operating steps of the detection method of the present invention are described:
Step 1: the packet-capture module of the collection layer obtains local module information and collects SIP packets by calling the Libpcap packet-capture function, which provides a user-level network packet capture interface in UNIX/LINUX systems. This step further comprises the following operations:
(11) the packet-capture module searches the system for an available network interface through the Libpcap packet-capture function, which returns a string naming a network adapter; it then opens the interface and starts the monitoring session with the function pcap_open_live();
(12) a filter string is edited to set the filter condition, specifying that the SIP attribute to capture is an INVITE or REGISTER message (method="INVITE", method="REGISTER"), so that packets of the type specified by this module are captured efficiently;
(13) a capture loop is executed: each time a packet is captured, the user's callback function is invoked to process it.
Step 2: the data layer passes the SIP packets received from the collection layer to the data pre-processing module, which counts the INVITE and REGISTER messages in the packets separately and sends the counts to the INVITE value storage module and the REGISTER value storage module respectively for storage.
Referring to Fig. 4, the operating process of the data pre-processing module in the data layer is described: after it receives a packet from the packet-capture module, it first judges whether the packet is SIP; if not, the packet is discarded. If it is, the module checks the method attribute of the SIP packet: if the attribute value is INVITE, a mark value is sent to the INVITE value storage module, indicating that one INVITE message was found in the configured time period; if the value is REGISTER, a mark value is sent to the REGISTER value storage module, indicating that one REGISTER message was found in the configured time period; if it is neither of these, the packet is discarded.
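A data-layer pre-processor in the spirit of Fig. 4 and step (31), as an added example that is not the patent's code: it discards non-SIP input, counts T_Invite(n) and T_Register(n) per sampling interval, and also produces the completed-exchange counts S_Invite(n) (final response plus ACK) and S_Register(n) (final response) that the DW-CUSUM module subtracts. It assumes, where the page is silent, that exchanges are matched by Call-ID plus CSeq number, that a completion is counted in the interval in which it completes, and that each packet arrives with a capture timestamp; the sample messages are constructed.

```python
"""Pre-processing of captured SIP messages into T(n)/S(n) counts per sampling
interval: an added illustration, not the patent's code. Assumes Call-ID+CSeq
matching, completion counted in the interval it completes, and timestamps."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SipMsg:
    method: Optional[str]   # request method, None for a response
    status: Optional[int]   # status code, None for a request
    call_id: str
    cseq_num: int


def parse_sip(raw: str) -> Optional[SipMsg]:
    """Extract the fields needed for counting, or None if the text is not SIP."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start = lines[0].split(" ", 2)
    if len(start) == 3 and start[0] == "SIP/2.0" and start[1].isdigit():
        method, status = None, int(start[1])               # status line
    elif len(start) == 3 and start[2] == "SIP/2.0":
        method, status = start[0].upper(), None            # request line
    else:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                                          # end of headers
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    call_id = headers.get("call-id") or headers.get("i")   # "i" is the compact form
    cseq = headers.get("cseq", "").split()
    if not call_id or len(cseq) != 2 or not cseq[0].isdigit():
        return None
    return SipMsg(method, status, call_id, int(cseq[0]))


class IntervalCounter:
    """Accumulates T(n) and S(n) for INVITE and REGISTER per sampling interval."""

    def __init__(self, interval_s: float) -> None:
        self.interval_s = interval_s
        self.t = {m: defaultdict(int) for m in ("INVITE", "REGISTER")}  # T_*(n)
        self.s = {m: defaultdict(int) for m in ("INVITE", "REGISTER")}  # S_*(n)
        self._pending: Dict[Tuple[str, int], Dict[str, object]] = {}

    def observe(self, ts: float, raw: str) -> None:
        msg = parse_sip(raw)
        if msg is None:
            return                                         # not SIP: discard
        n = int(ts // self.interval_s)                     # sampling interval index
        key = (msg.call_id, msg.cseq_num)
        if msg.method in ("INVITE", "REGISTER"):
            self.t[msg.method][n] += 1                     # T_Invite(n) / T_Register(n)
            self._pending[key] = {"method": msg.method, "final": False}
        elif msg.status is not None and msg.status >= 200 and key in self._pending:
            st = self._pending[key]
            if st["method"] == "REGISTER":                 # final response completes it
                self.s["REGISTER"][n] += 1
                del self._pending[key]
            else:
                st["final"] = True                         # INVITE still needs its ACK
        elif msg.method == "ACK" and self._pending.get(key, {}).get("final"):
            self.s["INVITE"][n] += 1                       # S_Invite(n)
            del self._pending[key]

    def series(self, method: str, n_intervals: int) -> Tuple[List[int], List[int]]:
        return ([self.t[method][i] for i in range(n_intervals)],
                [self.s[method][i] for i in range(n_intervals)])


def _req(method: str, call_id: str, cseq: int) -> str:
    return (f"{method} sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n\r\n")


def _resp(code: int, reason: str, call_id: str, cseq: int, method: str) -> str:
    return f"SIP/2.0 {code} {reason}\r\nCall-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n\r\n"


# Constructed capture: (timestamp in seconds, message); a 60 s interval is assumed.
SAMPLE = [
    (1.0, _req("INVITE", "c1", 1)),
    (1.2, _resp(100, "Trying", "c1", 1, "INVITE")),        # provisional: ignored
    (2.0, _resp(200, "OK", "c1", 1, "INVITE")),
    (2.1, _req("ACK", "c1", 1)),                           # c1 completes in interval 0
    (5.0, _req("REGISTER", "r1", 1)),
    (5.3, _resp(200, "OK", "r1", 1, "REGISTER")),          # r1 completes in interval 0
    (30.0, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # not SIP: discarded
    (61.0, _req("INVITE", "c2", 1)),                       # interval 1, never answered
    (62.0, _req("INVITE", "c3", 1)),                       # interval 1, never answered
    (63.0, _req("INVITE", "c4", 1)),
    (64.0, _resp(486, "Busy Here", "c4", 1, "INVITE")),
    (64.1, _req("ACK", "c4", 1)),                          # c4 completes (4XX + ACK)
]


def count_sample(interval_s: float = 60.0, n_intervals: int = 2):
    """Feed SAMPLE through the counter; returns ((T_inv, S_inv), (T_reg, S_reg))."""
    counter = IntervalCounter(interval_s)
    for ts, raw in SAMPLE:
        counter.observe(ts, raw)
    return counter.series("INVITE", n_intervals), counter.series("REGISTER", n_intervals)
```

For the constructed capture the second interval yields T_Invite = 3 against S_Invite = 1, the growing gap X_n = T_Invite(n) - S_Invite(n) that the DW-CUSUM module monitors.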
Step 3: the two DW-CUSUM modules of the detection layer read the relevant data from the INVITE value storage module and the REGISTER value storage module in the data layer respectively, run the detection and judge whether a SIP message flooding attack is taking place.
Taking the detection of an INVITE attack as the example, the concrete operations of step 3 when detecting INVITE messages are described below:
(31) after initialisation sets the sampling interval (for example 60 seconds), the DW-CUSUM module reads from the data layer the total number of INVITE messages $T_{Invite}(n)$ in the $n$-th sampling interval and the total number of INVITE messages $S_{Invite}(n)$ whose exchange with the corresponding response messages (INVITE, RES, ACK) has completed, and subtracts the two to obtain the difference $X_n$: $X_n = T_{Invite}(n) - S_{Invite}(n)$, where the natural number $n$ is the sequence number of the sampling interval. The function of the DW-CUSUM module is to judge, by monitoring the changes in $X_n$, whether the network is receiving abnormal INVITE connection attempts.
Usually, when an attack occurs, the value of $T_{Invite}(n)$ exceeds the value of $S_{Invite}(n)$ and the difference between the two grows sharply. When the SIP network is operating normally, the total number of INVITE messages sent between terminals and network entities and the total number of INVITE messages whose exchange with the corresponding response messages (INVITE, RES, ACK) has completed are strongly positively correlated, and the difference between the two counts is very small, that is, $X_n$ tends to 0; this strict one-to-one correspondence is the normal behaviour of a SIP network. In an INVITE flooding scenario, the attacker sends a large number of INVITE messages to a SIP network entity but does not answer the 2XX/4XX/5XX/6XX RES responses from the entity with the corresponding ACK, so the statistical relationship between the two message sequences changes substantially: the difference between $T_{Invite}(n)$ and $S_{Invite}(n)$ grows rapidly, that is, $X_n$ becomes far greater than 0 and jumps abruptly.
(32) After measurement over n sampling intervals, a random sequence $\{X_n, n = 1, 2, 3, \ldots\}$ reflecting how the difference between $T_{Invite}(n)$ and $S_{Invite}(n)$ changes is obtained. As is well known, the mean of the sequence $\{X_n\}$ is usually closely related to the scale of the SIP network and to the sampling interval. To reduce the influence of these factors, so that the detection method of the invention is applicable to various SIP networks and has generality, the DW-CUSUM module applies a normalization transformation to each difference $X_n$ in the sequence: $\tilde{X}_n = X_n / \bar{F}(n)$, where $\bar{F}(n)$ is the mean of the total number of complete INVITE transactions $S_{Invite}(n)$; it is estimated in real time and updated periodically, its recursive estimate being $\bar{F}(n) = \lambda \bar{F}(n-1) + (1-\lambda) S_{Invite}(n)$, $\bar{F}(0) = S_{Invite}(1)$, where $\lambda$ is the exponentially weighted moving average (EWMA) coefficient with value range $[0, 1]$. A normalized difference sequence $\{\tilde{X}_n, n = 1, 2, 3, \ldots\}$ is thus obtained.
After normalization, $\tilde{X}_n$ represents the proportion of the offset relative to the legitimate traffic flow; the random sequence $\{\tilde{X}_n, n = 1, 2, 3, \ldots\}$ is no longer related to network size and sampling time, but is an independent and stationary random process. When the SIP network works normally, the mean $E(\tilde{X}_n) = c \ll 1$, i.e. the proportion of the offset under normal conditions is very small and approaches 0. Once an INVITE flood attack occurs, the difference between $T_{Invite}(n)$ and $S_{Invite}(n)$ increases rapidly and the mean of $\tilde{X}_n$ undergoes an abrupt change.
(33) One assumed condition of the DW-CUSUM algorithm is: under normal circumstances the mean of the random sequence is negative, and after an abnormal condition appears it becomes positive. For this reason, the DW-CUSUM module applies a further transformation to each difference $\tilde{X}_n$ in the sequence $\{\tilde{X}_n\}$: let $Z_n = \tilde{X}_n - \beta$, where the parameter $\beta$ is the maximum of the sequence $\{\tilde{X}_n\}$ when the network is not under attack; this $\beta$ is set according to network conditions. The sequence of values $Z_n$ is thus formed. In this way, without losing any statistical property, $\{\tilde{X}_n\}$ is converted into another random sequence whose mean is negative. Under normal circumstances the mean of $Z_n$ is negative; when an attack occurs, $Z_n$ suddenly becomes very large and positive, i.e. $Z_n \gg 0$.
(34) To improve detection efficiency and shorten detection time, the DW-CUSUM module uses a first sliding window to intercept and reassign the random sequence $Z_n$ in order. The length of the first sliding window is $K$, i.e. the sequence in the window has $K$ values $Z_n$. The $K$ values $Z_n$ in the window are each compared with a threshold; if every $Z_n$ is greater than its threshold, the largest of them is chosen and substituted for the first value in the window, after which the window continues sliding forward along the sequence; otherwise no change is made to any $Z_n$ in the window and the window continues sliding forward. After this sequential sliding-window operation a new random sequence $Z'_n$ is obtained. For example, with a first sliding window of size 3: if $Z_i > h_1$, $Z_{i+1} > h_2$ and $Z_{i+2} > h_3$, then $Z_i = \max(Z_i, Z_{i+1}, Z_{i+2})$, where $h_1, h_2, h_3$ are thresholds (adjustable parameters). After reassignment through the first sliding window in this way, the new random sequence $Z'_n$ is obtained.
(35) So that the time this detection apparatus takes to return to the normal operating state after an attack detection ends is shortened, the DW-CUSUM module uses a second sliding window to intercept the random sequence $Z'_n$ in order and perform accumulation. The length of the second sliding window is $K'$, i.e. the sequence in the window has $K'$ values $Z'_n$. The formula $y_n = (y_{n-1} + Z'_n)^+ = \begin{cases} y_{n-1} + Z'_n, & y_{n-1} + Z'_n > 0 \\ y_{n-1}, & y_{n-1} + Z'_n \le 0 \end{cases}$ is then applied to the $K'$ values $Z'_n$ in the second sliding window together to obtain one value $y_n$. The meaning of this formula is: when the value of $Z'_n$ is greater than zero, the value of $y_n$ is the sum of $y_{n-1}$ and $Z'_n$; when the value of $Z'_n$ is less than or equal to zero, the value of $y_n$ is just $y_{n-1}$, i.e. no addition is performed. If the $y_n$ obtained is greater than or equal to the product $L \times N$ of the set threshold $N$ and a threshold coefficient $L$ greater than 1, then $y_n$ is reassigned the product $L' \cdot N$ of the threshold $N$ and a new threshold coefficient $L'$, i.e. $y_n = L' \times N$, where $1 < L' \le L$; the values of the two threshold coefficients $L$ and $L'$ are both set according to the concrete network conditions. Otherwise $y_n$ remains unchanged, so that $y_n$ can return to the normal operating state within a short time. The second window then continues sliding forward along the sequence, and the $K'$ values $Z'_n$ in the next window are calculated together to obtain the second value $y_n$. The sliding-window operation and calculation proceed in this order, and the resulting sequence of values $y_n$ is output as the detection result data. The window length of this second sliding window can be set to different values.
It should be noted that when this step 3 detects a REGISTER message attack, the only difference is that after step (31) initialization sets the sampling interval, the DW-CUSUM module calls the total number of REGISTER messages stored in the data layer for the set time interval, $T_{Register}(n)$, and the total number of complete interaction sequences that include the corresponding response to the REGISTER message, $S_{Register}(n)$; all other operations are identical to the operating steps for detecting and processing INVITE messages described above.
Step 4: the alarm module in the response layer receives the detection results of the two DW-CUSUM modules of the detection layer, and if it judges that a SIP message flood attack is being suffered, the alarm module issues a warning.
The operating procedure of the alarm module in this step is as follows: first set the decision threshold $N$ for detecting an attack, and compare the received detection result information $y_n$ from the detection layer with this threshold $N$; i.e. the decision function for a SIP message flood attack is $d_N(y_n) = \begin{cases} 1, & y_n \ge N \\ 0, & y_n < N \end{cases}$, where $d_N(y_n)$ is the decision result for the n-th sampling interval: if $y_n$ is greater than or equal to $N$, the warning message value is "1", indicating that a flood attack has occurred, and the alarm module issues a warning; the larger $y_n$ is, the stronger the attack. Otherwise the warning message value is "0", indicating that the network is operating normally and no flood attack has occurred.
Step 5: return to step (1) and continue performing the related operations of detecting SIP messages.

Claims (8)

1. A detection apparatus for SIP message flood attacks, characterized in that: the apparatus is composed of the related functional modules of a four-layer architecture comprising an acquisition layer, a data layer, a detection layer and a response layer, wherein:
the acquisition layer is provided with a packet capture module that captures the SIP packets transmitted in the network by calling UNIX/LINUX system functions and using the SIP protocol stack, in order to perform the function of collecting SIP packets in the network;
the data layer is responsible for preprocessing the SIP packets from the acquisition layer and for separately storing the obtained INVITE and REGISTER message counts; it is provided with a data preprocessing module that counts and accumulates the INVITE and REGISTER messages in the SIP packets respectively, and with an INVITE value storage module and a REGISTER value storage module that store the INVITE and REGISTER message statistics respectively for the detection layer to call;
the detection layer is provided with functional modules, based on the double-window nonparametric cumulative sum (DW-CUSUM) algorithm, that process the INVITE message values and the REGISTER message values respectively; it is responsible for calling the stored INVITE message values and REGISTER message values in the data layer, and for detecting and processing those message values with the DW-CUSUM algorithm to obtain the detection results;
the response layer is provided with an alarm module that receives the detection result data output by the detection layer and decides whether to alarm; when the detection result data exceed the threshold preset in the response layer, this module considers that a SIP flood attack is being suffered and issues an alarm signal; otherwise it indicates that the network is operating normally and no SIP flood attack has occurred.
2. The detection apparatus according to claim 1, characterized in that: the INVITE messages whose quantity is counted and accumulated comprise two kinds: the total number of INVITE messages captured in the set time period n, $T_{Invite}(n)$, and the total number of INVITE messages whose transaction, including the corresponding response message, is complete, $S_{Invite}(n)$; the REGISTER messages whose quantity is counted and accumulated comprise two kinds: the total number of REGISTER messages captured in the set time period n, $T_{Register}(n)$, and the total number of REGISTER messages whose transaction, including the corresponding response message, is complete, $S_{Register}(n)$.
3. The detection apparatus according to claim 1, characterized in that: the apparatus is installed on a server and is connected to a local NGN network or a network using the SIP protocol and to the layer-3 switch between that network and the Internet, a mobile network PLMN, another NGN network or another network using the SIP protocol; or it is connected to the Proxy Call Session Control Function (P-CSCF) node in the local NGN.
4. A detection method for SIP message flood attacks, characterized in that it comprises the following operating steps:
(1) the packet capture module of the acquisition layer obtains local module information and collects SIP packets by calling the packet capture function provided in it, which offers a user-level network packet capture interface in the UNIX/LINUX system;
(2) the data layer receives the SIP packets transmitted from the acquisition layer into the data preprocessing module, counts the numbers of INVITE and REGISTER messages in these packets respectively, and sends the statistics to the INVITE value storage module and the REGISTER value storage module respectively for storage;
(3) the DW-CUSUM module of the detection layer calls the related data in the INVITE value storage module and the REGISTER value storage module of the data layer respectively for detection, and judges whether a SIP message flood attack is taking place;
(4) the alarm module in the response layer receives the detection results of the DW-CUSUM module of the detection layer, and if it judges that a SIP message flood attack is being suffered, the alarm module issues a warning;
(5) return to step (1) and continue performing the related operations of detecting SIP messages.
5. The detection method according to claim 4, characterized in that step (1) further comprises the following operations:
(11) the packet capture module starts a monitoring session by looking up an available network interface in the system through the packet capture function;
(12) the filter condition of the filter is set by editing a filter string, and the attribute of the SIP protocol to be captured is set to INVITE or REGISTER messages, so that packets of the type specified by this module can be captured efficiently;
(13) a capture loop is executed: whenever a packet is captured, the user's callback function is invoked to process the packet.
6. The detection method according to claim 4, characterized in that step (3), when detecting and processing INVITE messages, further comprises the following operations:
(31) after initialization sets the sampling interval, the DW-CUSUM module calls from the data layer the total number of INVITE messages within the n-th sampling interval, $T_{Invite}(n)$, and the total number of INVITE messages whose transaction, including the corresponding response message, is complete, $S_{Invite}(n)$, and subtracts the two to obtain their difference $X_n$: $X_n = T_{Invite}(n) - S_{Invite}(n)$, where the natural number $n$ is the sequence number of the sampling interval;
(32) the DW-CUSUM module applies a normalization transformation to each difference $X_n$: $\tilde{X}_n = X_n / \bar{F}(n)$, where $\bar{F}(n)$ is the mean of the total number of complete INVITE transactions $S_{Invite}(n)$, updated periodically by real-time estimation, its recursive estimate being $\bar{F}(n) = \lambda \bar{F}(n-1) + (1-\lambda) S_{Invite}(n)$, $\bar{F}(0) = S_{Invite}(1)$, where $\lambda$ is the exponentially weighted moving average (EWMA) coefficient with value range $[0, 1]$; a difference sequence $\{\tilde{X}_n\}$ is thus obtained;
(33) the DW-CUSUM module applies a further transformation to each difference $\tilde{X}_n$ in the sequence $\{\tilde{X}_n\}$: let $Z_n = \tilde{X}_n - \beta$, where $\beta$ is the maximum of the sequence $\{\tilde{X}_n\}$ when the network is not under attack; this parameter $\beta$ is set according to network conditions, and the sequence of values $Z_n$ is thus formed;
(34) to improve detection efficiency and shorten detection time, the DW-CUSUM module uses a first sliding window of length $K$ to intercept and reassign the sequence of values $Z_n$ in order, i.e. the sequence in the window has $K$ values $Z_n$; the $K$ values $Z_n$ in the window are each compared with a threshold, and if every $Z_n$ is greater than its threshold, the largest of them is chosen and substituted for the first value in the window, after which the window continues sliding forward along the sequence; otherwise no change is made to any $Z_n$ in the window and the window continues sliding forward; after this sequential sliding-window operation a new sequence of values $Z'_n$ is obtained;
(35) to shorten the time the apparatus takes to return to the normal state after attack detection ends, the DW-CUSUM module uses a second sliding window of length $K'$ to accumulate the sequence of values $Z'_n$ in order, i.e. the sequence in the window has $K'$ values $Z'_n$; the formula $y_n = (y_{n-1} + Z'_n)^+ = \begin{cases} y_{n-1} + Z'_n, & y_{n-1} + Z'_n > 0 \\ y_{n-1}, & y_{n-1} + Z'_n \le 0 \end{cases}$ is then applied to the $K'$ values $Z'_n$ in this second sliding window together to obtain one value $y_n$; the meaning of this formula is: when the value of $Z'_n$ is greater than zero, the value of $y_n$ is the sum of $y_{n-1}$ and $Z'_n$; when the value of $Z'_n$ is less than or equal to zero, the value of $y_n$ is just $y_{n-1}$, i.e. no addition is performed; if the $y_n$ obtained is greater than or equal to the product $L \times N$ of the set threshold $N$ and a threshold coefficient $L$ greater than 1, then $y_n$ is reassigned the product $L' \cdot N$ of the threshold $N$ and a new threshold coefficient $L'$, i.e. $y_n = L' \times N$, where $1 < L' \le L$ and the values of the threshold coefficients $L$ and $L'$ are set according to the concrete network conditions; otherwise $y_n$ remains unchanged, so that $y_n$ can return to the normal operating state within a short time; this second window then continues sliding forward along the sequence, and the $K'$ values $Z'_n$ in the next window are calculated together to obtain the second value $y_n$; the sliding-window operation and calculation proceed in this order, and the resulting sequence of values $y_n$ is output as the detection result data.
7. The detection method according to claim 4 or 6, characterized in that: in the operating steps of step (3) for detecting and processing REGISTER messages, the only difference is that after step (31) initialization sets the sampling interval, the DW-CUSUM module calls the total number of REGISTER messages stored in the data layer for the set time interval, $T_{Register}(n)$, and the total number of complete interaction sequences that include the corresponding response to the REGISTER message, $S_{Register}(n)$; all other operations are identical to the operating steps for detecting and processing INVITE messages.
8. The detection method according to claim 4, characterized in that the operating procedure of the alarm module in step (4) is as follows: first set the decision threshold $N$ for detecting an attack, and compare the received detection result information $y_n$ from the detection layer with this threshold $N$; i.e. the decision function for an INVITE flood attack is $d_N(y_n) = \begin{cases} 1, & y_n \ge N \\ 0, & y_n < N \end{cases}$, where $d_N(y_n)$ is the decision result at time n: if $y_n$ is greater than or equal to $N$, the warning message value is "1", indicating that a flood attack has occurred, and the alarm module issues a warning; the larger $y_n$ is, the stronger the attack. Otherwise the warning message value is "0", indicating that no attack has occurred and the network is operating normally.
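The DW-CUSUM pipeline of steps (31)-(35) in the description and claim 6, together with the alarm decision of step 4 and claim 8, as an added Python example (not code from the patent or its authors), run over constructed INVITE counts. All parameter values ($\lambda$, $\beta$, the window thresholds $h_k$, $K$, $K'$, $N$, $L$, $L'$) and the traffic counts are constructed; restarting the accumulation at each position of the second window, and the guard for an interval with $\bar{F}(n) = 0$, are assumptions where the text is silent.

```python
"""DW-CUSUM detector for SIP INVITE flooding, following steps (31)-(35) and
the step-4 decision function of the patent text.  Per sampling interval n the
data layer supplies T(n), the INVITE messages captured, and S(n), the INVITE
transactions that completed (INVITE, response, ACK).  Traffic counts and all
parameter values here are constructed; the patent only says they are "set
according to network conditions".
"""
from __future__ import annotations


def normalize(T: list[int], S: list[int], lam: float = 0.5) -> list[float]:
    """Steps (31)-(32): X_n = T(n) - S(n), scaled by the EWMA estimate F(n) of S."""
    assert len(T) == len(S) and S, "need at least one sampling interval"
    F = float(S[0])                       # F(0) = S(1): seed of the estimate
    xt = []
    for t, s in zip(T, S):
        F = lam * F + (1.0 - lam) * s     # F(n) = λ·F(n-1) + (1-λ)·S(n)
        # Guard against an interval with no completed transactions (assumption:
        # the patent does not say what F(n) = 0 should mean).
        xt.append((t - s) / (F if F > 0 else 1.0))
    return xt


def shift(xt: list[float], beta: float) -> list[float]:
    """Step (33): Z_n = X~_n - β, β the largest X~_n seen under attack-free traffic."""
    return [x - beta for x in xt]


def first_window(Z: list[float], h: list[float]) -> list[float]:
    """Step (34): window of K = len(h) values sliding one interval at a time.
    If every value exceeds its threshold h_k, the first value in the window is
    replaced by the window maximum, which sharpens the onset of a flood."""
    Zp, K = list(Z), len(h)
    for i in range(len(Zp) - K + 1):
        win = Zp[i:i + K]
        if all(z > hk for z, hk in zip(win, h)):
            Zp[i] = max(win)
    return Zp


def second_window(Zp: list[float], Kp: int, N: float,
                  L: float, Lp: float) -> list[float]:
    """Step (35): y_n = (y_{n-1} + Z'_n)^+ accumulated over the K' values of a
    sliding window, then clamped: a y_n >= L·N is reset to L'·N (1 < L' <= L)
    so the detector recovers quickly once the flood stops.
    Assumption (the text is silent): the accumulation restarts at 0 for each
    window position, and y_n is aligned with the interval that closes the
    window, so the first K'-1 positions are padded with 0."""
    assert 1 < Lp <= L, "the patent requires 1 < L' <= L"
    ys = [0.0] * (Kp - 1)
    for i in range(len(Zp) - Kp + 1):
        y = 0.0
        for z in Zp[i:i + Kp]:
            if y + z > 0:                 # (y_{n-1} + Z'_n)^+ as the text defines it:
                y = y + z                 # otherwise y keeps its previous value
        ys.append(Lp * N if y >= L * N else y)
    return ys


def decide(ys: list[float], N: float) -> list[int]:
    """Step 4: d_N(y_n) = 1 (alarm) if y_n >= N, else 0."""
    return [1 if y >= N else 0 for y in ys]


# Constructed traffic: six normal intervals, a five-interval flood in which
# INVITEs arrive without completing transactions, then six normal intervals.
T_INVITE = [100, 101, 100, 100, 102, 100, 200, 300, 400, 400, 400] + [100] * 6
S_INVITE = [100] * len(T_INVITE)


def run_demo() -> tuple[list[float], list[int]]:
    """Run the whole pipeline on the constructed traffic; returns (y_n, d_N)."""
    Z = shift(normalize(T_INVITE, S_INVITE, lam=0.5), beta=0.05)
    Zp = first_window(Z, h=[0.5, 0.5, 0.5])              # K = 3
    ys = second_window(Zp, Kp=4, N=2.0, L=3.0, Lp=2.0)   # K' = 4
    return ys, decide(ys, N=2.0)


if __name__ == "__main__":
    for n, (y, d) in enumerate(zip(*run_demo())):
        print(f"n={n:2d}  y_n={y:6.2f}  alarm={d}")
```

With these constructed values the alarm is raised from the first flood interval (n = 6) and clears two intervals after the flood ends, which is the quick-recovery effect the second window and the L'·N reset are meant to give.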
CN2009100763115A 2009-01-09 2009-01-09 Detection method for SIP message flooding attack Expired - Fee Related CN101459677B (en)


Publications (2)

Publication Number Publication Date
CN101459677A true CN101459677A (en) 2009-06-17
CN101459677B CN101459677B (en) 2012-02-29



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120229

Termination date: 20150109

EXPY Termination of patent right or utility model