CN102546524A - Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system - Google Patents
- Publication number
- CN102546524A
- Authority
- CN
- China
- Prior art keywords
- sip
- agent
- attack
- message
- confidence level
- Prior art date
- Legal status
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks; the detection method comprises the following steps of: building a SIP intrusion-detection system; extracting characteristic data for detecting the SIP flooding attacks; obtaining the stability of SIP message distribution according to an establishing process of SIP sessions; measuring the stability of the SIP message distribution, and establishing a chi-square flow monitor; activating a multi-agent detector if flow suddenly changes; carrying out dynamic adjustment on the credibility coefficient of each agent in the system according to the network condition, and obtaining the credibility of each agent; and voting for decision-making by using the credibility of each agent, the influence degree of the stability of SIP message distribution and the percentage of request messages, providing a SIP single-source flooding attack source if the attacks occur, and writing the characteristics of the SIP single-source flooding attack source into an SIP attack rule base. The detection method has the advantages of rapidly and accurately alarming and detecting the SIP single-source flooding attacks, only needing to maintain the number of SIP messages in different IP addresses in the detection process and having low requirements on system resources.
Description
Technical field
The present invention relates to VoIP network security and the field of IP communications, and specifically to a detection method for SIP single-source flooding attacks and a SIP intrusion detection system.
Background technology
With the development of IP communication technology and the growing variety of communication needs, the scope of IP communication has expanded greatly and is evolving from simple VoIP (Voice over IP) systems towards unified communications. SIP (Session Initiation Protocol, an application-layer signalling control protocol) is the core protocol of VoIP, IMS and IPTV. It has become an important component of the IP Multimedia Subsystem (IMS), and it is also used in the NGN architectures defined by ETSI and ITU-T. SIP has characteristics similar to HTTP, so SIP security has long been a major concern in academia. With the issuing of 3G licences in China, domestic 3G construction and operation have made notable breakthroughs, which in turn places higher demands on SIP network security. Large-scale deployment of IMS trial networks has accelerated the development of 3G services, and implementation steps for triple-network convergence have been introduced, requiring that an all-IP network serve users safely and reliably. The US National Institute of Standards and Technology (NIST) regards DoS attacks as a serious security threat in the VoIP network architecture. In security threat analyses of converged networks, DoS attacks have become the primary security issue to be considered. The US telecom operator Sprint states that general DoS attack detection techniques cannot deal with SIP-based VoIP attacks, and recommends using an SBC as the first line of defence for DoS detection and defence. The German fixed-network operator Arcor is deploying a SIP-based NGN network on a large scale, and states that detecting and defending against DoS attacks has become an urgent need for service providers.
Flooding attacks are a common form of DoS attack. SIP operates at the application layer, and a SIP entity may be subject to two kinds of flooding attack: attacks from the transport layer and attacks from the application layer. The present invention considers only application-layer flooding attacks. A SIP flooding attack can exhaust the resources of the target system either by directly issuing a large number of SIP requests or by exploiting weaknesses in the protocol itself. In a flooding attack, the attacker achieves the goal by exhausting the resources of the target machine, for example by sending a large number of INVITE messages so that requests from normal users cannot be handled in time, or by not sending the ACK so that a stateful server exhausts its memory. A flooding attack, however, does not establish a SIP session.
Research on SIP flooding attacks is still at an early stage. Existing SIP flooding intrusion detection systems fall roughly into four categories: simple threshold setting, statistics-based, state-machine-model-based, and machine-learning intrusion detection systems. Threshold-setting approaches suffer from the problems of threshold selection and of adapting to changes in the network environment. Among statistics-based approaches, detection based on the Hellinger distance can only detect that an intrusion has occurred and cannot provide specific information about the attacker for use in defence. Approaches that detect flooding through a SIP protocol state-machine model can locate a flooding attack precisely, but the state machine has to maintain the state of SIP messages, which makes it equivalent to a stateful SIP server, so the system itself is vulnerable to attack. In machine-learning intrusion detection systems, the quality of the data set directly affects the detection result; training is also required, processes such as classification consume a large amount of system resources, and processing is slow.
Summary of the invention
In view of the shortcomings of existing intrusion detection systems for SIP single-source flooding attacks, the technical problem to be solved by the present invention is to provide a detection method for SIP single-source flooding attacks and a SIP intrusion detection system that achieve efficient detection, adaptivity to the network and extensibility of the system.
To solve the above technical problem, the technical scheme adopted by the present invention is as follows:
The detection method of the present invention for SIP single-source flooding attacks comprises the following steps:
Construct a SIP intrusion detection system comprising a SIP feature database, a chi-square traffic monitor, a multi-agent detector and a SIP attack rule base;
Extract the feature data used to detect SIP flooding attacks according to the characteristics of existing SIP flooding attacks;
Derive the stability of the SIP message distribution from the SIP session establishment process;
Using this stability, measure the SIP message distribution with the chi-square statistic and establish the chi-square traffic monitor;
Use the chi-square statistic of the SIP messages under inspection to judge whether a sudden change in traffic has occurred; if it has, activate the multi-agent detector;
Through the confidence-level evaluation algorithm, dynamically adjust the confidence coefficient of each agent in the system according to network conditions, and obtain the confidence level of each agent;
Based on the characteristics of SIP flooding attacks, the multi-agent detector makes a voting decision using the confidence level of each agent, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages, and judges whether an attack has occurred; if so, it reports the SIP single-source flooding attack source and writes the characteristics of that source into the SIP attack rule base.
The process of establishing the features used to detect SIP flooding attacks is as follows:
By analysing the behaviour of flooding attacks, it is learned that a SIP single-source flooding attack does not establish a normal session, so the stability of the SIP message distribution is broken;
From the SIP message traffic, extract the three message types INVITE, ACK and 200 OK and the number of messages of each type within a sliding time window;
Obtain the SIP features from the message counts in the sliding time window and store them in the SIP feature database.
The steps for establishing the chi-square traffic monitor are as follows:
Obtain the SIP message features from the SIP feature database;
Use the chi-square statistic $\chi^2$ to measure the stability of the SIP message distribution over a sequence of sliding time windows;
After the chi-square traffic monitor raises an alarm on a sudden change in traffic, the multi-agent detector is activated and the SIP messages in the time window in which the attack occurred are processed further.
The steps by which the multi-agent detector, based on the characteristics of SIP flooding attacks, makes a voting decision using the confidence level of each agent, its degree of influence on the stability of the SIP message distribution and its proportion of request messages, and confirms the SIP single-source flooding attack source, are as follows:
The source IP address of each SIP INVITE serves as the identifier of an agent;
Establish the multi-agent detector model. Three decision schemes (the agent's confidence level, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages) are used to vote on the identity of the flooding attacker; each agent is judged as to whether it is an attack source, and the SIP single-source flooding attack source is confirmed.
The steps of the confidence-level evaluation algorithm are as follows:
Suppose the number of agents in the current time window is N and the number of attackers is M, satisfying the condition (M<<N, M>=0);
Initialize the confidence level of each agent to 1/N;
Calculate the confidence level of each agent;
Check whether any agent's confidence level has dropped below a specific threshold, or whether the number of iterations has reached the set value. If either condition holds, the algorithm stops and outputs the confidence level of each agent; otherwise return to the step of calculating the confidence level of each agent.
The multi-agent detector uses three decision schemes (the agent's confidence level, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages) to vote on the identity of the flooding attacker, and applies a one-vote veto: an attacker is confirmed only when all three decision schemes judge it to be an attack.
The chi-square traffic monitor uses the chi-square statistic to monitor SIP traffic and raises an alarm on abnormal traffic.
The present invention has the following beneficial effects and advantages:
1) Fast and accurate: computing the chi-square statistic of SIP messages and voting in the multi-agent detector is enough to judge a SIP single-source flooding attack quickly and accurately.
2) Adaptive: each agent detector can adjust dynamically to network conditions and so adapt to changes in network traffic.
3) Resource-friendly: the detection process only needs to maintain SIP message counts for different IP addresses, so its demands on system resources are very low.
4) Good concurrency: the use of multi-agent detection gives the system inherent concurrent processing capability.
Description of drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a structural diagram of the SIP intrusion detection system of the invention;
Fig. 3 is a diagram of the multi-agent detector model of the invention;
Fig. 4 is a schematic diagram of the confidence-level evaluation results between agents;
Fig. 5 shows the SIP message distribution and the chi-square statistic;
Fig. 6 shows the relationship between the number of agents in the agent detector and detection time;
Fig. 7 is a comparison table of system detection rates.
Embodiment
The present invention is described in more detail below by way of example, with reference to the accompanying drawings.
1) workflow
As shown in Fig. 1, the detection method of the present invention for SIP single-source flooding attacks comprises the following steps:
Construct a SIP intrusion detection system comprising a SIP feature database, a chi-square traffic monitor, a multi-agent detector and a SIP attack rule base;
Extract the feature data used to establish detection of SIP flooding attacks according to the characteristics of existing SIP flooding attacks;
Derive the stability of the SIP message distribution from the SIP session establishment process;
Using this stability, measure the SIP message distribution with the chi-square statistic and establish the chi-square traffic monitor;
Use the chi-square statistic of the SIP messages under inspection to judge whether a sudden change in traffic has occurred; if it has, activate the multi-agent detector;
Through the confidence-level evaluation algorithm, dynamically adjust the confidence coefficient of each agent in the system according to network conditions, and obtain the confidence level of each agent;
Based on the characteristics of SIP flooding attacks, the multi-agent detector makes a voting decision using the confidence level of each agent, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages, confirms the SIP single-source flooding attack source, and writes the characteristics of that source into the SIP attack rule base.
2) structure of SIP intruding detection system is formed
The SIP intrusion detection system is designed around the characteristics of SIP single-source flooding attacks and a multi-agent system; Fig. 2 shows the structure of the intrusion detection system for SIP single-source flooding attacks. In the SIP intrusion detection system, the logical entities relevant to the present invention include the SIP feature database, the chi-square traffic monitor, the multi-agent detector and the SIP attack rule base. Their logical relationships are described below:
The SIP intrusion detection system uses bypass detection: it collects SIP signalling traffic from the network and stores it in the SIP feature database. The chi-square traffic monitor extracts the data it needs for its statistics from the SIP feature database and uses the chi-square statistic to judge the SIP traffic. If the traffic is found to be abnormal, it raises an alarm to the multi-agent detector. The multi-agent detector examines the current SIP traffic data and judges whether the abnormal traffic was produced by a flooding attack. If so, it reports the attacker's source IP address and SIP feature description and writes them into the SIP attack rule base in the rule base's format; otherwise the data is discarded.
The process of establishing the features used to detect SIP flooding attacks is as follows:
(1) Analyse the behaviour of SIP flooding attacks in detail. According to the SIP session establishment process, in normal SIP traffic the SIP data distribution is in a stable state. The purpose of a SIP flooding attack is DoS, and it does not establish a normal session, so the stability of the SIP message distribution is broken.
(2) Extract the three message types INVITE, ACK and 200 OK and the number of messages of each type within the sliding time window.
(3) Store the extracted SIP features in the SIP feature database, classified by attack type.
Chi-square traffic monitor: analysis of the SIP session establishment process shows that, under normal conditions, the numbers of SIP messages follow a stable distribution. These messages include INVITE, ACK and 200 OK. Under a SIP single-source flooding attack, the attacker does not complete session establishment, which makes the SIP message distribution abnormal. The present invention therefore detects flooding attacks through changes in the SIP message distribution. The chi-square statistic is used to measure the similarity of SIP message distributions over a sequence of sliding time windows; it is computed as in formula 1, where $k = 3$, $n_i$ is the proportion of message type $msg_i$ in the current time window, and $n_i'$ is the proportion of $msg_i$ in the previous time window.
When the SIP message distribution becomes abnormal, the chi-square statistic changes abruptly, so it can be used to monitor SIP traffic. The method only needs to compute the chi-square statistic of the SIP message distributions in adjacent time windows, so it is light on system resources. However, this decision model can only raise an alarm on abnormal traffic; it cannot provide information about what caused the anomaly, and false alarms can also occur when an excessive burst of SIP messages overloads the server. For this reason, after an alarm is raised the SIP data is passed to the multi-agent detector for further processing.
The steps by which the chi-square traffic monitor uses the chi-square statistic to judge the traffic data are as follows:
(1) Collect the SIP traffic in the network according to the measurement types in the SIP feature database;
(2) Use the chi-square statistic $\chi^2$ to measure the stability of the SIP message distribution over a sequence of sliding time windows;
(3) After the traffic monitor raises an alarm on a sudden change in traffic, the multi-agent detector is activated and the SIP messages in the time window in which the attack occurred are processed further.
Multi-agent detector: after the chi-square traffic monitor raises an alarm, the agent detector is activated and examines the SIP messages in the time window in which the attack occurred. The detection steps are as follows:
(1) Generate the agents. Each source IP address serves as the identifier of an agent, and the attributes of an agent include its SIP message count and its confidence coefficient.
(2) The multi-agent detector votes on whether each agent is an attack source, as shown in Fig. 3. Based on the fact that a flooding attacker does not establish a session, three decision schemes are used to vote on the identity of the flooding attacker: each agent's confidence level, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages. A one-vote veto is applied: an attacker is confirmed only when all three decision schemes judge it to be an attack.
(3) If step 2 determines that an attack has occurred, the attacker's characteristics are written into the intrusion feature database.
The three decision schemes used in the multi-agent detector are described below:
(1) Degree of influence on the stability of the message distribution: each agent computes the similarity between the SIP message distribution of the current time window with its own SIP messages removed and the SIP message distribution of the previous time window, and takes this as its degree of influence on the message distribution. Formula (1) is again used to measure this change; the larger the value, the greater the agent's contribution to the abnormal message distribution.
(2) Proportion of request messages: a single-source flooding attack has to issue a certain number of SIP request messages to achieve its goal, so an agent's share of request messages can also serve as a detection scheme.
(3) Confidence coefficient: in the multi-agent detection system, each agent learns its own confidence coefficient from the other agents' evaluations of it.
The dynamic confidence-level evaluation algorithm used in decision scheme 3 is as follows:
Suppose the number of agents in the current time window is N and the number of attackers is M, satisfying the condition (M<<N, M>=0);
(1) Initialize the confidence level of each agent to 1/N.
(2) Calculate the confidence level of each agent:
Formula 2 gives the calculation of the confidence level $r_j$: the confidence level is the weighted sum of the other agents' evaluations of the agent. $e_{ij}$ is the evaluation of $agent_j$ by $agent_i$, and $Z_{ij}$ is the quantized value used to compute the similarity between $agent_i$ and $agent_j$. The similarity between agents is again computed with the chi-square statistic; when the difference between the two exceeds a threshold $Z_0$, each evaluates the other as an attacker.
(3) Check whether any agent's confidence level has dropped below a specific threshold, or whether the number of iterations has reached the set value. If either condition holds, the algorithm stops and outputs the confidence level of each agent; otherwise return to step 2.
Under a single-source flooding attack, the confidence-level computation converges well. The iteration results are sketched in Fig. 4, and the proof is as follows:
After the k-th iteration, the confidence level of a non-attacking agent is given by formula 6 and the confidence level of an attack-source agent by formula 7. Because M<<N, the attacker's confidence level converges at an exponential rate.
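The chi-square monitor and the three-scheme vote described above, as an added Python example that is not code from the patent. Formulas 1 and 2 are not reproduced on this page, so the Pearson form of the chi-square statistic, the binary evaluation e_ij, the reading of the influence degree as the drop in chi-square when an agent's messages are removed, every threshold and the sample windows are assumptions; each record is attributed to the source IP of the INVITE that opened its dialog.

```python
from collections import Counter, defaultdict

TYPES = ("INVITE", "200 OK", "ACK")     # the k = 3 message types named on the page
EPS = 1e-9                              # guards against an empty reference category
# Assumed thresholds, chosen for the constructed sample windows below.
CHI_ALARM, Z0, INFLUENCE_MIN, REQUEST_SHARE_MIN = 0.1, 0.5, 0.1, 0.5

def proportions(msgs):
    """Share of each message type among (agent_ip, msg_type) records."""
    counts = Counter(t for _, t in msgs)
    total = sum(counts[t] for t in TYPES)
    return [counts[t] / total if total else 0.0 for t in TYPES]

def chi_square(cur, ref):
    """Assumed Pearson form: sum over i of (n_i - n_i')^2 / n_i'."""
    return sum((n - r) ** 2 / max(r, EPS) for n, r in zip(cur, ref))

def confidence(per_agent, max_iter=20):
    """Scheme 3 (assumed form): r_j = sum over i != j of r_i * e_ij, from r = 1/N."""
    ips = sorted(per_agent)
    n = len(ips)
    floor = 1 / (2 * n)                 # assumed "specific threshold" for low confidence
    dist = {ip: proportions(per_agent[ip]) for ip in ips}
    # e[i][j] is 0 when agent i finds agent j dissimilar (Z_ij > Z0), otherwise 1
    e = {i: {j: 0.0 if chi_square(dist[j], dist[i]) > Z0 else 1.0 for j in ips}
         for i in ips}
    r = {ip: 1 / n for ip in ips}
    for _ in range(max_iter):
        nxt = {j: sum(r[i] * e[i][j] for i in ips if i != j) for j in ips}
        total = sum(nxt.values()) or 1.0
        r = {j: v / total for j, v in nxt.items()}
        if min(r.values()) < floor:     # stop once some agent's confidence is very low
            break
    return r, floor

def detect(prev_msgs, cur_msgs):
    """Return (alarm, attackers) for the current window against the previous one."""
    ref = proportions(prev_msgs)
    chi_all = chi_square(proportions(cur_msgs), ref)
    if chi_all <= CHI_ALARM:
        return False, []                # monitor is quiet, detector is not activated
    per_agent = defaultdict(list)
    for ip, msg_type in cur_msgs:
        per_agent[ip].append((ip, msg_type))
    conf, floor = confidence(per_agent)
    invites = sum(1 for _, t in cur_msgs if t == "INVITE") or 1
    attackers = []
    for ip, own in per_agent.items():
        rest = [m for m in cur_msgs if m[0] != ip]
        # Scheme 1 (assumed reading): how much chi-square falls without this agent
        influence = chi_all - chi_square(proportions(rest), ref)
        # Scheme 2: this agent's share of all INVITE requests in the window
        share = sum(1 for _, t in own if t == "INVITE") / invites
        votes = (influence > INFLUENCE_MIN, share > REQUEST_SHARE_MIN, conf[ip] < floor)
        if all(votes):                  # one-vote veto: all three schemes must agree
            attackers.append(ip)
    return True, sorted(attackers)

def calls(ip, invite, ok, ack):
    """Build constructed sample records for one agent."""
    return [(ip, "INVITE")] * invite + [(ip, "200 OK")] * ok + [(ip, "ACK")] * ack

# Constructed sample windows (documentation address ranges, not captured traffic).
NORMAL = ["192.0.2.%d" % i for i in range(1, 5)]
PREV = [m for ip in NORMAL for m in calls(ip, 3, 3, 3)]    # completed sessions only
ATTACK = PREV + calls("198.51.100.7", 60, 0, 0)            # one source, INVITE only
BURST = [m for ip in NORMAL for m in calls(ip, 9, 3, 3)]   # overload burst, all sources

if __name__ == "__main__":
    for name, window in (("steady", PREV), ("attack", ATTACK), ("burst", BURST)):
        print(name, detect(PREV, window))
```

The burst window trips the monitor but no agent collects all three votes, which is the false-alarm case the multi-agent stage is meant to filter.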
3) experiment and analysis
The SIP server is an OpenSER server. Background traffic is generated with the SIPp tool, and both the flooding attacks and the burst traffic are generated through SIPp scenario control files.
In the experiment the background SIP traffic is set to 100 INVITE messages per second. Fig. 5 shows the distribution of SIP messages under the experimental settings; four attacks were launched in the experiment. The first and second attacks used registered users that do not send the ACK message, at attack rates of 100 INVITE/s and 1000 INVITE/s. The third and fourth attacks used unregistered users sending INVITE messages, at attack rates of 100 INVITE/s and 1000 INVITE/s. In Fig. 5, the other periods in which INVITE messages increase suddenly were all produced by burst traffic in the experiment; except for the last burst, which is 1000 INVITE/s, the others are all 100 INVITE/s. The lower half of Fig. 5 shows the chi-square statistic, with the interval for computing the chi-square value set to 2 seconds. As Fig. 5 shows, excessive burst traffic can make the SIP message distribution abnormal, and the chi-square value also rises suddenly, causing the system to raise false alarms; calculation based on the Hellinger distance has the same problem. In the multi-agent-based detection system, however, the multi-agent detector processes the data further with the multi-agent detector model and judges whether an attack has occurred. If an attack has occurred, it reports the attacker's IP address and the details of the SIP messages. The detection efficiency of this method was tested by launching multiple attacks in the experiment and compared with the detection method based on Hellinger distance calculation; the results are shown in Fig. 7. When the detection threshold is low enough, the accuracy of the system can reach 100%, but too low a threshold may keep the multi-agent detector activated all the time and cause some delay to the system. Fig. 6 shows the relationship between the number of agents and the detection time when the multi-agent detector is activated in the experiment; when the chi-square monitor raises no alarm, the multi-agent detector is not activated and the detection time is negligible. As Fig. 6 shows, the system can locate the attacker in a timely manner and provide enough information for defence.
In summary, the experimental data further show that the multi-agent-based method for detecting SIP flooding attacks offers efficient detection, adaptivity to the network and extensibility of the system.
Claims (7)
1. A detection method for SIP single-source flooding attacks, characterized by comprising the following steps:
Construct a SIP intrusion detection system comprising a SIP feature database, a chi-square traffic monitor, a multi-agent detector and a SIP attack rule base;
Extract the feature data used to detect SIP flooding attacks according to the characteristics of existing SIP flooding attacks;
Derive the stability of the SIP message distribution from the SIP session establishment process;
Using this stability, measure the SIP message distribution with the chi-square statistic and establish the chi-square traffic monitor;
Use the chi-square statistic of the SIP messages under inspection to judge whether a sudden change in traffic has occurred; if it has, activate the multi-agent detector;
Through the confidence-level evaluation algorithm, dynamically adjust the confidence coefficient of each agent in the system according to network conditions, and obtain the confidence level of each agent;
Based on the characteristics of SIP flooding attacks, the multi-agent detector makes a voting decision using the confidence level of each agent, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages, and judges whether an attack has occurred; if so, it reports the SIP single-source flooding attack source and writes the characteristics of that source into the SIP attack rule base.
2. The detection method for SIP single-source flooding attacks according to claim 1, characterized in that the process of establishing the features used to detect SIP flooding attacks is as follows:
By analysing the behaviour of flooding attacks, it is learned that a SIP single-source flooding attack does not establish a normal session, so the stability of the SIP message distribution is broken;
From the SIP message traffic, extract the three message types INVITE, ACK and 200 OK and the number of messages of each type within a sliding time window;
Obtain the SIP features from the message counts in the sliding time window and store them in the SIP feature database.
3. The detection method for SIP single-source flooding attacks according to claim 1, characterized in that the steps for establishing the chi-square traffic monitor are as follows:
Obtain the SIP message features from the SIP feature database;
Use the chi-square statistic $\chi^2$ to measure the stability of the SIP message distribution over a sequence of sliding time windows;
After the chi-square traffic monitor raises an alarm on a sudden change in traffic, the multi-agent detector is activated and the SIP messages in the time window in which the attack occurred are processed further.
4. The detection method for SIP single-source flooding attacks according to claim 1, characterized in that the steps by which the multi-agent detector, based on the characteristics of SIP flooding attacks, makes a voting decision using the confidence level of each agent, its degree of influence on the stability of the SIP message distribution and its proportion of request messages, and confirms the SIP single-source flooding attack source, are as follows:
The source IP address of each SIP INVITE serves as the identifier of an agent;
Establish the multi-agent detector model. Three decision schemes (the agent's confidence level, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages) are used to vote on the identity of the flooding attacker; each agent is judged as to whether it is an attack source, and the SIP single-source flooding attack source is confirmed.
5. The detection method for SIP single-source flooding attacks according to claim 4, characterized in that the steps of the confidence-level evaluation algorithm are as follows:
Suppose the number of agents in the current time window is N and the number of attackers is M, satisfying the condition (M<<N, M>=0);
Initialize the confidence level of each agent to 1/N;
Calculate the confidence level of each agent;
Check whether any agent's confidence level has dropped below a specific threshold, or whether the number of iterations has reached the set value. If either condition holds, the algorithm stops and outputs the confidence level of each agent; otherwise return to the step of calculating the confidence level of each agent.
6. The detection method for SIP single-source flooding attacks according to claim 1, characterized in that:
The multi-agent detector uses three decision schemes (the agent's confidence level, its degree of influence on the stability of the SIP message distribution, and its proportion of request messages) to vote on the identity of the flooding attacker, and applies a one-vote veto: an attacker is confirmed only when all three decision schemes judge it to be an attack.
7. The detection method for SIP single-source flooding attacks according to claim 1, characterized in that the chi-square traffic monitor uses the chi-square statistic to monitor SIP traffic and raises an alarm on abnormal traffic.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010581304.3A CN102546524B (en) | 2010-12-09 | 2010-12-09 | Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102546524A true CN102546524A (en) | 2012-07-04 |
CN102546524B CN102546524B (en) | 2014-09-03 |
Family
ID=46352498
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010581304.3A Active CN102546524B (en) | 2010-12-09 | 2010-12-09 | Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102546524B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104539590A (en) * | 2014-12-10 | 2015-04-22 | 深圳市共进电子股份有限公司 | Message processing method and device |
CN107124427A (en) * | 2017-05-31 | 2017-09-01 | 上海交通大学 | The detection of SIP flood attacks and prevention method in a kind of VoLTE |
CN107431695A (en) * | 2015-03-06 | 2017-12-01 | 诺基亚技术有限公司 | Method and apparatus for the mutual assistance collusion attack detection in online ballot system |
CN108206826A (en) * | 2017-11-29 | 2018-06-26 | 华东师范大学 | A kind of lightweight intrusion detection method towards Integrated Electronic System |
CN109194668A (en) * | 2018-09-18 | 2019-01-11 | 中国人民解放军战略支援部队信息工程大学 | The anti-device and method of distorting of IMS network SIP session |
CN110198476A (en) * | 2018-02-27 | 2019-09-03 | 武汉斗鱼网络科技有限公司 | Barrage abnormal behavior detection method, storage medium, electronic equipment and system |
CN110311888A (en) * | 2019-05-09 | 2019-10-08 | 深信服科技股份有限公司 | A kind of Web anomalous traffic detection method, device, equipment and medium |
CN110784460A (en) * | 2019-10-23 | 2020-02-11 | 国家计算机网络与信息安全管理中心 | Call attack detection method and device and readable storage medium |
CN114037172A (en) * | 2021-11-18 | 2022-02-11 | 国网江苏省电力有限公司电力科学研究院 | Push optimization method and device for conversation ability evaluation test questions |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090043724A1 (en) * | 2007-08-08 | 2009-02-12 | Radware, Ltd. | Method, System and Computer Program Product for Preventing SIP Attacks |
CN101459677A (en) * | 2009-01-09 | 2009-06-17 | 北京邮电大学 | Detection apparatus and method for SIP message flooding attack |
CN101557324A (en) * | 2008-12-17 | 2009-10-14 | 天津大学 | Real-time visual detection method for DDoS attack |
EP2202938A1 (en) * | 2008-12-24 | 2010-06-30 | Mitsubishi Electric R&D Centre Europe B.V. | Protection against flooding attacks in a network |
-
2010
- 2010-12-09 CN CN201010581304.3A patent/CN102546524B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090043724A1 (en) * | 2007-08-08 | 2009-02-12 | Radware, Ltd. | Method, System and Computer Program Product for Preventing SIP Attacks |
CN101557324A (en) * | 2008-12-17 | 2009-10-14 | 天津大学 | Real-time visual detection method for DDoS attack |
EP2202938A1 (en) * | 2008-12-24 | 2010-06-30 | Mitsubishi Electric R&D Centre Europe B.V. | Protection against flooding attacks in a network |
CN101459677A (en) * | 2009-01-09 | 2009-06-17 | 北京邮电大学 | Detection apparatus and method for SIP message flooding attack |
Non-Patent Citations (5)
Title |
---|
JOON HEO et al.: "《Statistical SIP traffic modeling and analysis system》", 《COMMUNICATIONS AND INFORMATION TECHNOLOGIES (ISCIT), 2010 INTERNATIONAL SYMPOSIUM ON》 * |
JUN BI et al.: "《A Trust and Reputation based Anti-SPIM Method》", 《INFOCOM 2008. THE 27TH CONFERENCE ON COMPUTER COMMUNICATIONS. IEEE》 * |
SISALEM, D. et al.: "《Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms》", 《NETWORK, IEEE》 * |
TIANLU YANG et al.: "《A Novel VoIP Flooding Detection Method Basing on Call Duration》", 《2010 FIRST INTERNATIONAL CONFERENCE ON PERVASIVE COMPUTING, SIGNAL PROCESSING AND APPLICATIONS》 * |
ZHANG RAN et al.: "《Research and Implementation of a Multi-agent-Based Intrusion Detection Model》", 《Journal of Chinese Computer Systems》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104539590A (en) * | 2014-12-10 | 2015-04-22 | 深圳市共进电子股份有限公司 | Message processing method and device |
CN107431695A (en) * | 2015-03-06 | 2017-12-01 | 诺基亚技术有限公司 | Method and apparatus for the mutual assistance collusion attack detection in online ballot system |
CN107124427B (en) * | 2017-05-31 | 2020-08-25 | 上海交通大学 | SIP flood attack detection and prevention method in VoLTE |
CN107124427A (en) * | 2017-05-31 | 2017-09-01 | 上海交通大学 | The detection of SIP flood attacks and prevention method in a kind of VoLTE |
CN108206826A (en) * | 2017-11-29 | 2018-06-26 | 华东师范大学 | A kind of lightweight intrusion detection method towards Integrated Electronic System |
CN108206826B (en) * | 2017-11-29 | 2020-07-14 | 华东师范大学 | Lightweight intrusion detection method for integrated electronic system |
CN110198476A (en) * | 2018-02-27 | 2019-09-03 | 武汉斗鱼网络科技有限公司 | Barrage abnormal behavior detection method, storage medium, electronic equipment and system |
CN110198476B (en) * | 2018-02-27 | 2021-09-07 | 武汉斗鱼网络科技有限公司 | Bullet screen behavior abnormity detection method, storage medium, electronic equipment and system |
CN109194668A (en) * | 2018-09-18 | 2019-01-11 | 中国人民解放军战略支援部队信息工程大学 | The anti-device and method of distorting of IMS network SIP session |
CN109194668B (en) * | 2018-09-18 | 2021-04-20 | 中国人民解放军战略支援部队信息工程大学 | Device and method for preventing SIP session of IMS network from being falsified |
CN110311888A (en) * | 2019-05-09 | 2019-10-08 | 深信服科技股份有限公司 | A kind of Web anomalous traffic detection method, device, equipment and medium |
CN110784460A (en) * | 2019-10-23 | 2020-02-11 | 国家计算机网络与信息安全管理中心 | Call attack detection method and device and readable storage medium |
CN114037172A (en) * | 2021-11-18 | 2022-02-11 | 国网江苏省电力有限公司电力科学研究院 | Push optimization method and device for conversation ability evaluation test questions |
Also Published As
Publication number | Publication date |
---|---|
CN102546524B (en) | 2014-09-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102546524B (en) | Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system | |
CN109302378B (en) | SDN network DDoS attack detection method | |
CN109600363B (en) | Internet of things terminal network portrait and abnormal network access behavior detection method | |
Li | An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition | |
CN105407103B (en) | A kind of Cyberthreat appraisal procedure based on more granularity abnormality detections | |
CN103581186B (en) | A kind of network security situational awareness method and system | |
Chen et al. | CBF: a packet filtering method for DDoS attack defense in cloud environment | |
Tang et al. | SIP flooding attack detection with a multi-dimensional sketch design | |
CN106357673A (en) | DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system | |
CN101635658B (en) | Method and system for detecting abnormality of network secret stealing behavior | |
CN106330611A (en) | Anonymous protocol classification method based on statistical feature classification | |
CN103957203A (en) | Network security defense system | |
CN107248996A (en) | A kind of detection of DNS amplification attacks and filter method | |
Bhuyan et al. | Information metrics for low-rate DDoS attack detection: A comparative evaluation | |
CN104852914A (en) | Watermark hopping communication method based on data packet interval | |
Yeom et al. | LSTM-based collaborative source-side DDoS attack detection | |
Şimşek et al. | Fast and lightweight detection and filtering method for low‐rate TCP targeted distributed denial of service (LDDoS) attacks | |
CN103501302B (en) | Method and system for automatically extracting worm features | |
Callegari et al. | Combining sketches and wavelet analysis for multi time-scale network anomaly detection | |
Cheng et al. | DDoS attack detection using IP address feature interaction | |
Yan et al. | Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy | |
Liu et al. | Anomaly diagnosis based on regression and classification analysis of statistical traffic features | |
Zhan et al. | Adaptive detection method for Packet-In message injection attack in SDN | |
Xue et al. | Bound maxima as a traffic feature under DDOS flood attacks | |
Li et al. | Detection of variations of local irregularity of traffic under DDOS flood attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |