CN102546524A - Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system - Google Patents


Info

Publication number
CN102546524A
Authority
CN
China
Prior art keywords
sip
agent
attack
message
confidence level
Prior art date
Legal status
Granted
Application number
CN2010105813043A
Other languages
Chinese (zh)
Other versions
CN102546524B (en)
Inventor
李鸿彬
林浒
侯辉超
孙建伟
李俊超
Current Assignee
Shenyang Institute of Computing Technology of CAS
Original Assignee
Shenyang Institute of Computing Technology of CAS
Priority date
Filing date
Publication date
Events
Application filed by Shenyang Institute of Computing Technology of CAS
Priority to CN201010581304.3A
Publication of CN102546524A
Application granted
Publication of CN102546524B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a detection method for SIP (Session Initiation Protocol) single-source flooding attacks. The method comprises the following steps: building a SIP intrusion-detection system; extracting characteristic data for detecting SIP flooding attacks; deriving the stability of the SIP message distribution from the SIP session establishment process; measuring that stability with a chi-square statistic and establishing a chi-square flow monitor; activating a multi-agent detector when the flow changes suddenly; dynamically adjusting the credibility coefficient of each agent in the system according to the network condition to obtain the credibility of each agent; voting on the decision using the credibility of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages; reporting the SIP single-source flooding attack source if an attack occurs, and writing the characteristics of that source into the SIP attack rule base. The method alarms on and detects SIP single-source flooding attacks rapidly and accurately, only needs to maintain the number of SIP messages per IP address during detection, and places low demands on system resources.

Description

Detection method for SIP single-source flooding attacks and SIP intrusion-detection system
Technical field
The present invention relates to VoIP network security and the IP communications field, specifically to a detection method for SIP single-source flooding attacks and a SIP intrusion-detection system.
Background technology
With the development of IP communication technology and the diversification of users' communication requirements, the scope of IP communication has expanded greatly, evolving from simple VoIP (Voice over IP) systems towards unified communications. SIP (Session Initiation Protocol, an application-layer signalling control protocol) is the core protocol of VoIP, IMS and IPTV, has become an important component of the IP Multimedia Subsystem (IMS), and is also adopted in the NGN frameworks defined by ETSI and ITU-T. SIP shares many characteristics with HTTP, so SIP security has always been a problem of great concern in academia. With the issuing of 3G licences in China, domestic 3G construction and operation have made remarkable breakthroughs and at the same time place higher requirements on SIP network security. Large-scale deployment of IMS trial networks has accelerated the development of 3G services, and the implementation of three-network convergence requires that an all-IP network serve users safely and reliably. The US National Institute of Standards and Technology (NIST) regards DoS attacks as a serious security threat in the VoIP network architecture, and in security-threat analyses of converged networks DoS has become the primary security problem to be considered. The US telecom operator Sprint states that general DoS detection techniques cannot handle SIP-based VoIP attacks and recommends a Session Border Controller (SBC) as the first line of DoS detection and defence. The German fixed-network operator Arcor is deploying a SIP-based NGN network on a large scale and states that detection of and defence against DoS attacks has become an urgent demand of service providers.
Flooding attacks are a common form of DoS attack. Session Initiation Protocol operates at the application layer, and a SIP entity may be subjected to two kinds of flooding attack, from the transport layer and from the application layer; the present invention considers only application-layer flooding. A SIP flooding attack exhausts the resources of the target system either by directly initiating a large number of SIP requests or by exploiting defects of the protocol itself. For example, sending a large number of INVITE requests prevents the requests of normal users from being handled in time, and withholding the ACK makes a stateful server exhaust its memory. In either case a flooding attack does not establish a SIP session, and this is the property the detection below relies on.
Research on SIP flooding attacks is still at an early stage. Existing SIP flooding intrusion-detection systems fall roughly into four categories: simple threshold setting, statistics-based, state-machine-based and machine-learning systems. Threshold-based schemes have the problems of choosing the threshold and adapting to changes in the network environment. Among statistics-based schemes, detection based on the Hellinger distance can only detect that an intrusion is taking place and cannot provide specific information about the attacker for use in defence. Flooding detection based on the SIP protocol state machine can locate a flooding attack accurately, but the state machine must keep the state of SIP messages, which makes it equivalent to a stateful SIP server, so the detection system itself is vulnerable to the same attack. For machine-learning intrusion-detection systems, the quality of the data set directly influences the detection result, training is required, classification and other processing consume a large amount of system resources, and processing speed is slow.
Summary of the invention
To address the defects of existing intrusion-detection systems for SIP single-source flooding attacks, the technical problem solved by the present invention is to provide a detection method for SIP single-source flooding attacks and a SIP intrusion-detection system that achieve efficient detection, adaptivity to the network and extensibility of the system.
To solve the above technical problem, the technical scheme adopted by the present invention is as follows.
The detection method of the present invention for SIP single-source flooding attacks comprises the following steps:
constructing a SIP intrusion-detection system comprising a SIP characteristic database, a chi-square flow monitor, a multi-agent detector and a SIP attack rule base;
extracting, from the characteristics of known SIP flooding attacks, the characteristics used to detect SIP flooding attacks;
deriving the stability of the SIP message distribution from the SIP session establishment process;
measuring the SIP message distribution stability with a chi-square statistic and establishing the chi-square flow monitor;
judging from the chi-square statistic of the SIP messages under inspection whether a sudden change of flow has occurred, and activating the multi-agent detector if so;
dynamically adjusting, by the confidence evaluation algorithm, the confidence coefficient of each agent in the system according to network conditions, to obtain the confidence of each agent;
voting in the multi-agent detector on the confidence of each agent, its influence on the SIP message distribution stability and its proportion of request messages, as the characteristics of a SIP flooding attack; judging whether an attack has occurred; if so, reporting the SIP single-source flooding attack source and writing its characteristics into the SIP attack rule base.
The process of establishing the characteristics for detecting SIP flooding attacks is as follows:
by analysing the behavioural characteristics of flooding attacks, it is known that a SIP single-source flooding attack cannot establish a normal session, so the stability of the SIP message distribution is broken;
from the SIP message flow, extracting the three message types INVITE, ACK and 200 OK and the counts of these three types within a sliding time window;
obtaining the SIP characteristics from the message counts in the sliding time window and storing them in the SIP characteristic database.
The steps of establishing the chi-square flow monitor are as follows:
obtaining the SIP message characteristics from the SIP characteristic database;
measuring the SIP message distribution stability over the sequence of sliding time windows with the chi-square statistic χ²;
after the chi-square flow monitor raises an alarm on a sudden change of flow, activating the multi-agent detector to process further the SIP messages in the time window in which the attack occurred.
The step of voting in the multi-agent detector on the confidence of each agent, its influence on the SIP message distribution stability and its request message proportion, as the characteristics of a SIP flooding attack, to confirm the SIP single-source flooding attack source is as follows:
the source IP address of each SIP INVITE serves as the identifier of an agent;
establishing the multi-agent detector model; voting to confirm the flooding attacker with three decision schemes, namely the confidence of the agent, its influence on the SIP message distribution stability and its request message proportion; judging for each agent whether it is the attack source, and thereby confirming the SIP single-source flooding attack source.
The steps of the confidence evaluation algorithm are as follows:
assume that the number of agents in the current time window is N and the number of attackers is M, satisfying M ≪ N and M ≥ 0;
initialise the confidence of each agent to 1/N;
calculate the confidence of each agent;
judge whether the confidence of some agent has dropped very low (below a specific threshold) or the number of iterations has reached a set value; if so, the algorithm stops and outputs the confidence of each agent, otherwise return to the step of calculating the confidence of each agent.
The multi-agent detector votes to confirm the flooding attacker with the three decision schemes (confidence of the agent, influence on the SIP message distribution stability and request message proportion) under a one-vote veto: an attacker is confirmed only when all three decision schemes consider it an attack.
The chi-square flow monitor monitors SIP traffic with the chi-square statistic and alarms on abnormal traffic.
The present invention has the following beneficial effects and advantages:
1) Rapid and accurate: computing the chi-square statistic of the SIP messages and voting in the multi-agent detector is enough to decide quickly and accurately on a SIP single-source flooding attack.
2) Adaptive: each agent detector can be adjusted dynamically according to network conditions and so adapts to changes in network traffic.
3) Resource-friendly: the detection process only needs to maintain the number of SIP messages per IP address, so the demand on system resources is very low.
4) Good concurrency: the multi-agent detection technique has inherent concurrent processing capability.
Description of drawings
Fig. 1 is the flow chart of the method of the invention;
Fig. 2 is the structure diagram of the SIP intrusion-detection system of the invention;
Fig. 3 is the multi-agent detector model of the invention;
Fig. 4 is a sketch of the confidence evaluation results between agents;
Fig. 5 shows the SIP message distribution and the chi-square statistic;
Fig. 6 is the relation between the number of agents in the agent detector and the detection time;
Fig. 7 is the comparison table of system detection rates.
Embodiment
The present invention is described in more detail below with reference to the drawings and examples.
1) Workflow
As shown in Fig. 1, the detection method of the present invention for SIP single-source flooding attacks comprises the following steps:
constructing a SIP intrusion-detection system comprising a SIP characteristic database, a chi-square flow monitor, a multi-agent detector and a SIP attack rule base;
extracting, from the characteristics of known SIP flooding attacks, the characteristics used to detect SIP flooding attacks;
deriving the stability of the SIP message distribution from the SIP session establishment process;
measuring the SIP message distribution stability with a chi-square statistic and establishing the chi-square flow monitor;
judging from the chi-square statistic of the SIP messages under inspection whether a sudden change of flow has occurred, and activating the multi-agent detector if so;
dynamically adjusting, by the confidence evaluation algorithm, the confidence coefficient of each agent in the system according to network conditions, to obtain the confidence of each agent;
voting in the multi-agent detector on the confidence of each agent, its influence on the SIP message distribution stability and its proportion of request messages, as the characteristics of a SIP flooding attack; confirming the SIP single-source flooding attack source and writing its characteristics into the SIP attack rule base.
2) Structure of the SIP intrusion-detection system
The SIP intrusion-detection system comprises the characteristics of SIP single-source flooding attacks and a multi-agent system; Fig. 2 gives the structure of the SIP single-source flooding attack intrusion-detection system. Within it, the logical entities relevant to the present invention comprise the SIP characteristic database, the chi-square flow monitor, the multi-agent detector and the SIP attack rule base, whose logical relations are described as follows.
The SIP intrusion-detection system uses out-of-band (bypass) detection: it collects the SIP signalling traffic from the network and stores it in the SIP characteristic database, and the chi-square flow monitor extracts the statistics it needs from the SIP characteristic database and judges the SIP flow with the chi-square statistic. Because the system only observes traffic from a tap, it holds no SIP transaction state and is not itself a target of the flood, unlike a state-machine detector. If the flow is found to be abnormal, the monitor alarms the multi-agent detector; the multi-agent detector inspects the current SIP flow data and judges whether the abnormal flow is produced by a flooding attack. If so, it reports the attacker's source IP address and SIP characteristic description and writes them into the SIP attack rule base in the rule base's format; otherwise it discards the data.
The process of establishing the characteristics for detecting SIP flooding attacks is as follows:
(1) Analyse in detail the behavioural characteristics of SIP flooding attacks. According to the SIP session establishment process, in normal SIP traffic the distribution of SIP data is in a stable state; the purpose of a SIP flooding attack is DoS, it cannot establish normal sessions, and so the stability of the SIP message distribution is broken.
(2) Extract the three message types INVITE, ACK and 200 OK and the counts of these three types in a sliding time window.
(3) Store the extracted SIP characteristics in the SIP characteristic database, classified by attack type.
Chi-square flow monitor. Analysis of the SIP session establishment process shows that under normal circumstances the distribution of SIP message counts is stable. These messages comprise INVITE, ACK and 200 OK. Under a SIP single-source flooding attack the attacker does not complete session establishment, which makes the SIP message distribution abnormal. The present invention therefore detects flooding attacks through changes in the SIP message distribution. The chi-square statistic is used to measure the similarity of the SIP message distributions over a sequence of sliding time windows; it is computed as in formula (1), where k = 3, n_i is the proportion of message type msg_i in the current time window and n_i' is the proportion of msg_i in the previous time window.

$$\chi^2 = \sum_{i=1}^{k} \frac{(n_i - n_i')^2}{n_i'} \qquad (1)$$

When the SIP message distribution becomes abnormal the chi-square statistic changes suddenly, so it can be used to monitor SIP traffic; the method only needs to compute the chi-square statistic of the SIP message distributions in adjacent time windows and is friendly to system resources. However, this decision model can only alarm on abnormal traffic: it cannot provide information about what caused the anomaly, and when a burst of SIP messages is large enough to overload the server it also produces false alarms. Therefore, after the alarm is raised the SIP data is handed to the multi-agent detector for further processing.
The steps by which the chi-square flow monitor judges the flow data with the chi-square statistic are as follows:
(1) collect the SIP flow from the network according to the measurement types in the SIP characteristic database;
(2) measure the SIP message distribution stability over the sequence of sliding time windows with the chi-square statistic χ²;
(3) after the flow monitor raises an alarm on a sudden change of flow, activate the multi-agent detector to process further the SIP messages in the time window in which the attack occurred.
After the chi-square flow monitor raises an alarm, the multi-agent detector activates the agent detectors to inspect the SIP messages in the time window in which the attack occurred. The detection steps are as follows:
(1) Generate the agents: each source IP address serves as the identifier of an agent, and the attributes of an agent comprise its SIP message count and its confidence coefficient.
(2) The multi-agent detector votes on whether each agent is the attack source, as shown in Fig. 3. Based on the fact that a flooding attacker cannot establish a session, the flooding attacker is confirmed by a vote of three decision schemes, namely the confidence of each agent, its influence on the SIP message distribution stability and its request message proportion, under a one-vote veto: an attacker is confirmed only when all three decision schemes consider it an attack.
(3) If step 2 determines that an attack has occurred, the attacker's characteristics are written into the intrusion characteristic database.
The three decision schemes of the multi-agent detector are described as follows:
(1) Influence on the message distribution stability: each agent computes the similarity between the distribution of SIP messages in this time window with its own messages removed and the distribution of the previous time window, as its influence on the message distribution; this change is again measured with formula (1), and the larger the value, the larger the agent's contribution to the anomaly of the message distribution.
(2) Request message proportion: for single-source flooding, a certain number of SIP request messages must be initiated to achieve the attack, so an agent's proportion of request messages can also serve as a detection scheme.
(3) Confidence coefficient: in the multi-agent detection system each agent learns its own confidence coefficient through the evaluations of it by the other agents.
The dynamic confidence evaluation algorithm of decision scheme 3 is as follows:
assume that the number of agents in the current time window is N and the number of attackers is M, satisfying M ≪ N and M ≥ 0;
(1) initialise the confidence of each agent to 1/N;
(2) calculate the confidence of each agent:
$$r_j = \sum_{i=1}^{N} r_i \, e_{ij} \qquad (2)$$

$$e_{ij} = \begin{cases} 0, & Z_{ij} \ge Z_0 \\ 1, & Z_{ij} < Z_0 \end{cases} \qquad (3)$$

$$Z_{ij} = \exp\{-\chi^2_{ij}\} \qquad (4)$$

$$\chi^2_{ij} = \sum_{l=1}^{k} \frac{(n_{j,l} - n_{i,l})^2}{n_{j,l}} \qquad (5)$$

Formula (2) gives the calculation of the confidence r_j: the confidence of an agent is the weighted sum of the other agents' evaluations of it. e_ij is agent i's evaluation of agent j, and Z_ij is the quantised similarity between agent i and agent j, again computed from the chi-square statistic; in (5) the sum runs over the k = 3 message types and n_{i,l} is the proportion of type l among agent i's messages. When the difference between the two distributions exceeds the threshold Z_0, each evaluates the other as an attacker. Note that as printed (3) assigns e_ij = 1 to pairs with Z_ij < Z_0, i.e. to dissimilar agents; for the confidence of flooding agents to decay as in (6) and (7) below, the evaluation must be 1 between agents whose distributions are similar (χ²_ij small, Z_ij close to 1) and 0 otherwise, so the two branches of (3) are to be read with that intent.
(3) judge whether the confidence of some agent has dropped very low (below a specific threshold) or the number of iterations has reached a set value; if so, the algorithm stops and outputs the confidence of each agent, otherwise return to step 2.
Under a single-source flooding attack the confidence computation converges well; a sketch of the iteration result is shown in Fig. 4, and the proof is as follows. After the k-th iteration the confidence of a non-attack agent is given by formula (6) and the confidence of an attack-source agent by formula (7); since M ≪ N, the attacker's confidence converges to zero at an exponential rate.

$$r_i = \frac{(N-M)^{k-1}}{(N-M)^k + M^k} \qquad (6)$$

$$r_i = \frac{M^k}{(N-M)^k + M^k} \qquad (7)$$
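The multi-agent detector of steps (1) to (3) and the confidence iteration of formulas (2) to (5), as an added example that is not the patent's code. Its input is the alarm window expressed as per-agent message counts (agent = source IP of the INVITE, with the 200 OK and ACK of that agent's dialogs credited to it) together with the previous window's type proportions. Assumptions beyond the page: the thresholds of the three schemes and Z_0, the floor applied to zero divisors, normalising the confidences to sum to 1 after each round (which is what makes them match the form of (6) and (7)), reading e_ij = 1 as "distributions similar" as discussed above, and measuring scheme 1 as the drop in the chi-square statistic (1) when the agent's messages are removed from the window.

```python
"""Multi-agent detector with one-vote veto and the dynamic confidence
evaluation of formulas (2)-(5), with a numeric check of the decay in (6)-(7).

Added example, not the patent's code; thresholds, the divisor floor, the
per-round normalisation and the reading of e_ij are assumptions.
"""
import math

TYPES = ("INVITE", "ACK", "200 OK")

# Thresholds: assumed for the demonstration, the patent fixes no values.
Z0 = 0.5              # similarity threshold in (3); Z_ij = exp(-chi2_ij)
CONF_STOP = 1e-3      # stop iterating once some confidence drops below this
MAX_ITER = 20         # ... or after this many rounds
INFLUENCE_MIN = 0.1   # scheme 1: removing the agent must restore this much stability
REQUEST_MIN = 0.5     # scheme 2: the agent's share of the window's INVITEs
CONF_MAX = 0.01       # scheme 3: the agent's confidence must be below this


def proportions(counts):
    """Share of each tracked type in a count dict (all zero if empty)."""
    total = sum(counts.get(t, 0) for t in TYPES)
    return {t: (counts.get(t, 0) / total if total else 0.0) for t in TYPES}


def chi_square(cur, ref, floor=1e-3):
    """Formulas (1) and (5): sum_l (cur_l - ref_l)^2 / ref_l, divisor floored."""
    return sum((cur[t] - ref[t]) ** 2 / max(ref[t], floor) for t in TYPES)


def influence(agents, prev_props):
    """Scheme 1 (as interpreted here): how much the chi-square (1) of the window
    against the previous window drops when the agent's messages are removed."""
    total = {t: sum(c.get(t, 0) for c in agents.values()) for t in TYPES}
    full = chi_square(proportions(total), prev_props)
    out = {}
    for ip, c in agents.items():
        rest = {t: total[t] - c.get(t, 0) for t in TYPES}
        out[ip] = full - chi_square(proportions(rest), prev_props)
    return out


def request_share(agents):
    """Scheme 2: each agent's proportion of the window's INVITE requests."""
    total = sum(c.get("INVITE", 0) for c in agents.values())
    return {ip: (c.get("INVITE", 0) / total if total else 0.0)
            for ip, c in agents.items()}


def confidences(agents, z0=Z0, stop=CONF_STOP, max_iter=MAX_ITER):
    """Scheme 3: iterate r_j = sum_i r_i e_ij, normalising each round so the
    confidences sum to 1. Returns (confidence per agent, rounds run)."""
    ips = list(agents)
    props = {ip: proportions(agents[ip]) for ip in ips}
    # e[i][j] = 1 when agent i finds agent j's distribution similar: (3)-(5)
    # with chi2_ij = sum_l (n_jl - n_il)^2 / n_jl, and the sum in (2) taken
    # over all i, including i = j.
    e = {i: {j: 1 if math.exp(-chi_square(props[i], props[j])) >= z0 else 0
             for j in ips} for i in ips}
    r = {ip: 1.0 / len(ips) for ip in ips}            # step (1): 1/N each
    rounds = 0
    while rounds < max_iter:
        new = {j: sum(r[i] * e[i][j] for i in ips) for j in ips}   # (2)
        s = sum(new.values())
        r = {j: v / s for j, v in new.items()}
        rounds += 1
        if min(r.values()) < stop:                    # step (3)
            break
    return r, rounds


def detect(agents, prev_props):
    """One-vote veto: an agent is the attack source only if all three agree."""
    inf = influence(agents, prev_props)
    req = request_share(agents)
    conf, _rounds = confidences(agents)
    return sorted(ip for ip in agents
                  if inf[ip] > INFLUENCE_MIN and req[ip] > REQUEST_MIN
                  and conf[ip] < CONF_MAX)


def sample_window():
    """Constructed alarm window (not captured traffic): ten callers with two
    complete calls each, and one source that sent 200 INVITEs never answered."""
    agents = {f"192.0.2.{10 + n}": {"INVITE": 2, "200 OK": 2, "ACK": 2}
              for n in range(10)}
    agents["198.51.100.7"] = {"INVITE": 200}
    prev = {t: 1 / 3 for t in TYPES}   # previous window: balanced, as in normal traffic
    return agents, prev


if __name__ == "__main__":
    agents, prev = sample_window()
    conf, rounds = confidences(agents)
    print("rounds:", rounds, "attacker confidence:", conf["198.51.100.7"])
    print("attack sources:", detect(agents, prev))
```

With N = 11 agents and M = 1 flooder the ten callers evaluate each other as similar and the flooder as not, so the flooder's normalised confidence goes 1/11, 1/101, 1/1001 round by round, the 1/(10^k + 1) decay of (7), while the callers' confidence stays near 1/10. Only the flooder also clears the influence and request-share tests, so the veto names exactly one address; a caller removed from the window makes the distribution less like the previous one, not more, so its influence is negative.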
3) Experiments and analysis
The SIP server is an OpenSER server, the background traffic is generated with the SIPp tool, and both the flooding attacks and the burst traffic are generated through SIPp scenario control files.
In the experiment the background SIP traffic is set to 100 INVITE messages per second. Fig. 5 shows the distribution of SIP messages under the experimental settings; four attacks were launched in total. The first and second attacks use registered users that do not send ACK messages, at rates of 100 INVITE/s and 1000 INVITE/s; the third and fourth use unregistered users sending INVITE messages, at 100 INVITE/s and 1000 INVITE/s. The other periods in Fig. 5 in which INVITE messages increase suddenly are all produced by burst traffic in the experiment; except for the last burst, which is 1000 INVITE/s, they are all 100 INVITE/s. The lower half of Fig. 5 gives the chi-square statistic, computed over a time interval of 2 seconds. Fig. 5 shows that an excessively large burst of traffic also makes the SIP message distribution abnormal and the chi-square statistic rise suddenly, causing a false alarm; the same problem occurs with detection based on the Hellinger distance. In the multi-agent-based detection system, however, the data is processed further with the multi-agent detector model to judge whether an attack has occurred; if so, the attacker's IP address and the details of its SIP messages are reported. The detection efficiency of the method was tested by launching attacks repeatedly in the experiment and compared with the Hellinger-distance detection method; the results are shown in Fig. 7. With a sufficiently low detection threshold the accuracy of the system reaches 100%, but too low a threshold may keep the multi-agent detector activated continuously and introduce some delay. Fig. 6 gives the relation between the number of agents and the detection time when the multi-agent detector is activated; when the chi-square monitor raises no alarm the multi-agent detector is not activated and the detection time is negligible. Fig. 6 shows that the system can locate the attacker in time and provide sufficient information for defence.
In summary, the experimental data further prove that the multi-agent detection method for SIP flooding attacks has high detection efficiency, adaptivity to the network and system extensibility.

Claims (7)

1. A detection method for SIP single-source flooding attacks, characterised in that it comprises the following steps:
constructing a SIP intrusion-detection system comprising a SIP characteristic database, a chi-square flow monitor, a multi-agent detector and a SIP attack rule base;
extracting, from the characteristics of known SIP flooding attacks, the characteristics used to detect SIP flooding attacks;
deriving the stability of the SIP message distribution from the SIP session establishment process;
measuring the SIP message distribution stability with a chi-square statistic and establishing the chi-square flow monitor;
judging from the chi-square statistic of the SIP messages under inspection whether a sudden change of flow has occurred, and activating the multi-agent detector if so;
dynamically adjusting, by the confidence evaluation algorithm, the confidence coefficient of each agent in the system according to network conditions, to obtain the confidence of each agent;
voting in the multi-agent detector on the confidence of each agent, its influence on the SIP message distribution stability and its proportion of request messages, as the characteristics of a SIP flooding attack; judging whether an attack has occurred; if so, reporting the SIP single-source flooding attack source and writing its characteristics into the SIP attack rule base.
2. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the process of establishing the characteristics for detecting SIP flooding attacks is as follows:
by analysing the behavioural characteristics of flooding attacks, it is known that a SIP single-source flooding attack cannot establish a normal session, so the stability of the SIP message distribution is broken;
from the SIP message flow, extracting the three message types INVITE, ACK and 200 OK and the counts of these three types within a sliding time window;
obtaining the SIP characteristics from the message counts in the sliding time window and storing them in the SIP characteristic database.
3. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the steps of establishing the chi-square flow monitor are as follows:
obtaining the SIP message characteristics from the SIP characteristic database;
measuring the SIP message distribution stability over the sequence of sliding time windows with the chi-square statistic χ²;
after the chi-square flow monitor raises an alarm on a sudden change of flow, activating the multi-agent detector to process further the SIP messages in the time window in which the attack occurred.
4. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the step of voting in the multi-agent detector on the confidence of each agent, its influence on the SIP message distribution stability and its request message proportion, as the characteristics of a SIP flooding attack, to confirm the SIP single-source flooding attack source is as follows:
the source IP address of each SIP INVITE serves as the identifier of an agent;
establishing the multi-agent detector model; voting to confirm the flooding attacker with three decision schemes, namely the confidence of the agent, its influence on the SIP message distribution stability and its request message proportion; judging for each agent whether it is the attack source, and thereby confirming the SIP single-source flooding attack source.
5. The detection method for SIP single-source flooding attacks according to claim 4, characterised in that the steps of the confidence evaluation algorithm are as follows:
assume that the number of agents in the current time window is N and the number of attackers is M, satisfying M ≪ N and M ≥ 0;
initialise the confidence of each agent to 1/N;
calculate the confidence of each agent;
judge whether the confidence of some agent has dropped very low (below a specific threshold) or the number of iterations has reached a set value; if so, the algorithm stops and outputs the confidence of each agent, otherwise return to the step of calculating the confidence of each agent.
6. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that:
the multi-agent detector votes to confirm the flooding attacker with the three decision schemes (confidence of the agent, influence on the SIP message distribution stability and request message proportion) under a one-vote veto: an attacker is confirmed only when all three decision schemes consider it an attack.
7. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the chi-square flow monitor monitors SIP traffic with the chi-square statistic and alarms on abnormal traffic.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010581304.3A CN102546524B (en) 2010-12-09 2010-12-09 Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system

Publications (2)

Publication Number Publication Date
CN102546524A true CN102546524A (en) 2012-07-04
CN102546524B CN102546524B (en) 2014-09-03

Family

ID=46352498

Country Status (1)

Country Link
CN (1) CN102546524B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090043724A1 (en) * 2007-08-08 2009-02-12 Radware, Ltd. Method, System and Computer Program Product for Preventing SIP Attacks
CN101459677A (en) * 2009-01-09 2009-06-17 北京邮电大学 Detection apparatus and method for SIP message flooding attack
CN101557324A (en) * 2008-12-17 2009-10-14 天津大学 Real-time visual detection method for DDoS attack
EP2202938A1 (en) * 2008-12-24 2010-06-30 Mitsubishi Electric R&D Centre Europe B.V. Protection against flooding attacks in a network

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Joon Heo et al.: "Statistical SIP traffic modeling and analysis system", Communications and Information Technologies (ISCIT), 2010 International Symposium on *
Jun Bi et al.: "A Trust and Reputation based Anti-SPIM Method", INFOCOM 2008. The 27th Conference on Computer Communications. IEEE *
Sisalem, D. et al.: "Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms", Network, IEEE *
Tianlu Yang et al.: "A Novel VoIP Flooding Detection Method Basing on Call Duration", 2010 First International Conference on Pervasive Computing, Signal Processing and Applications *
张然 et al.: "Research and Implementation of an Intrusion Detection Model Based on Multi-agent", Journal of Chinese Computer Systems (小型微型计算机系统) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539590A (en) * 2014-12-10 2015-04-22 深圳市共进电子股份有限公司 Message processing method and device
CN107431695A (en) * 2015-03-06 2017-12-01 诺基亚技术有限公司 Method and apparatus for the mutual assistance collusion attack detection in online ballot system
CN107124427B (en) * 2017-05-31 2020-08-25 上海交通大学 SIP flood attack detection and prevention method in VoLTE
CN107124427A (en) * 2017-05-31 2017-09-01 上海交通大学 The detection of SIP flood attacks and prevention method in a kind of VoLTE
CN108206826A (en) * 2017-11-29 2018-06-26 华东师范大学 A kind of lightweight intrusion detection method towards Integrated Electronic System
CN108206826B (en) * 2017-11-29 2020-07-14 华东师范大学 Lightweight intrusion detection method for integrated electronic system
CN110198476A (en) * 2018-02-27 2019-09-03 武汉斗鱼网络科技有限公司 Barrage abnormal behavior detection method, storage medium, electronic equipment and system
CN110198476B (en) * 2018-02-27 2021-09-07 武汉斗鱼网络科技有限公司 Bullet screen behavior abnormity detection method, storage medium, electronic equipment and system
CN109194668A (en) * 2018-09-18 2019-01-11 中国人民解放军战略支援部队信息工程大学 The anti-device and method of distorting of IMS network SIP session
CN109194668B (en) * 2018-09-18 2021-04-20 中国人民解放军战略支援部队信息工程大学 Device and method for preventing SIP session of IMS network from being falsified
CN110311888A (en) * 2019-05-09 2019-10-08 深信服科技股份有限公司 A kind of Web anomalous traffic detection method, device, equipment and medium
CN110784460A (en) * 2019-10-23 2020-02-11 国家计算机网络与信息安全管理中心 Call attack detection method and device and readable storage medium
CN114037172A (en) * 2021-11-18 2022-02-11 国网江苏省电力有限公司电力科学研究院 Push optimization method and device for conversation ability evaluation test questions

Also Published As

Publication number Publication date
CN102546524B (en) 2014-09-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant