CN102546524B - Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system - Google Patents

Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system

Info

Publication number: CN102546524B
Application number: CN201010581304.3A
Authority: CN (China)
Other versions: CN102546524A (en)
Original language: Chinese (zh)
Legal status: Active
Prior art keywords: sip, agent, source, message, attack
Inventors: 李鸿彬, 林浒, 侯辉超, 孙建伟, 李俊超
Current assignee: Shenyang Institute of Computing Technology of CAS
Original assignee: Shenyang Institute of Computing Technology of CAS

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a detection method for SIP (Session Initiation Protocol) single-source flooding attacks. The method comprises the following steps: building a SIP intrusion-detection system; extracting the feature data used to detect SIP flooding attacks; obtaining the stability of the SIP message distribution from the SIP session establishment process; measuring the stability of the SIP message distribution and establishing a chi-square flow monitor; activating a multi-agent detector if the traffic changes suddenly; dynamically adjusting the trust coefficient of each agent in the system according to the network condition to obtain the trust value of each agent; and voting on the decision using the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, reporting the SIP single-source flooding attack source if an attack occurs, and writing the features of the attack source into a SIP attack rule base. The method alarms on and detects SIP single-source flooding attacks quickly and accurately, only needs to maintain the number of SIP messages per IP address during detection, and places low demands on system resources.

Description

Detection method for SIP single-source flooding attacks and SIP intrusion-detection system
Technical field
The present invention relates to VoIP network security and the IP communications field, and specifically to a detection method for SIP single-source flooding attacks and a SIP intrusion-detection system.
Background technology
With the development of IP communication technology and the diversification of users' communication needs, the scope of IP communication has expanded greatly, evolving from simple VoIP (Voice over IP) systems towards unified communications. SIP (Session Initiation Protocol), an application-layer signalling control protocol, is the core protocol of VoIP, IMS and IPTV; it has become an important component of the IP Multimedia Subsystem (IMS) and is also adopted in the NGN architectures defined by ETSI and ITU-T. SIP shares many characteristics with HTTP, so SIP security has always been a problem of great concern in academia. With the issuance of 3G licences in China, domestic 3G construction and operation have made remarkable breakthroughs, and at the same time higher requirements are placed on SIP network security. The large-scale deployment of IMS experimental networks has accelerated the development of 3G services, the implementation steps of three-network convergence have been put into effect, and an all-IP network is required to serve users safely and reliably. The US National Institute of Standards and Technology (NIST) lists DoS attacks as a serious security threat in the VoIP network architecture. In the security threat analysis of converged networks, DoS attacks have become the primary security problem to be considered. The US telecom operator Sprint states that general DoS detection techniques cannot address SIP-based VoIP attacks, and recommends adopting an SBC as the first line of defence for DoS detection and defence. The German fixed-network operator Arcor, which is deploying a SIP-based NGN network at large scale, states that the detection of and defence against DoS attacks has become an urgent demand of service providers.
Flooding attacks are a common form of DoS attack. Since SIP operates at the application layer, a SIP entity may be subject to two types of flooding attack, from the transport layer and from the application layer; the present invention considers only application-layer flooding attacks. A SIP flooding attack exhausts the resources of the target system either by directly initiating a large number of SIP requests or by exploiting defects in the protocol itself. In a flooding attack the attacker achieves its goal by exhausting the resources of the target machine: for example, sending a large number of INVITE messages so that the request messages of normal users cannot be processed in time, or never sending ACK so that a stateful server exhausts its memory. In either case, however, the flooding attacker does not establish a SIP session.
Research on SIP flooding attacks is still at an early stage. Existing SIP flooding intrusion-detection systems fall roughly into four classes: simple thresholds, statistical methods, state-machine models and machine learning. Threshold-based methods have problems with threshold selection and with adapting to changes in the network environment. Among the statistical methods, detection based on the Hellinger distance can only detect that an intrusion has occurred and cannot provide specific information about the attacker for defence. Flooding detection based on the SIP protocol state machine can locate a flooding attack accurately, but the state machine has to maintain the state of SIP messages, which makes it equivalent to a stateful SIP server, so the system itself is open to attack. In machine-learning intrusion-detection systems the quality of the data set has a direct impact on the detection result; training is required, and processes such as classification consume a large amount of system resources, so processing is slow.
Summary of the invention
In view of the defects of existing intrusion-detection systems for SIP single-source flooding attacks, the technical problem solved by the present invention is to provide a detection method and a SIP intrusion-detection system for SIP single-source flooding attacks that achieve efficient detection, adaptivity to the network and extensibility of the system.
To solve the above technical problem, the technical solution adopted by the present invention is as follows:
The detection method of the present invention for SIP single-source flooding attacks comprises the following steps:
building a SIP intrusion-detection system comprising a SIP feature database, a chi-square flow monitor, a multi-agent detector and a SIP attack rule base;
extracting, from the known features of SIP flooding attacks, the feature data used to detect SIP flooding attacks;
obtaining the stability of the SIP message distribution from the SIP session establishment process;
measuring the stability of the SIP message distribution with the chi-square statistic, and establishing the chi-square flow monitor;
determining, from the chi-square statistic of the SIP messages under test, whether a sudden change in traffic has occurred, and if so activating the multi-agent detector;
dynamically adjusting the trust coefficient of each agent in the system according to the network condition by means of a trust evaluation algorithm, to obtain the trust value of each agent;
having the multi-agent detector vote, using the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, on whether an attack has occurred; if so, reporting the source of the SIP single-source flooding attack and writing the features of that source into the SIP attack rule base.
The feature data for detecting SIP flooding attacks are established as follows:
by analysing the behavioural features of flooding attacks, it is found that a SIP single-source flooding attack cannot establish a normal session, so the stability of the SIP message distribution is broken;
the three message classes INVITE, ACK and 200 OK, and the count of each class within a sliding time window, are extracted from the SIP message flow;
the SIP feature data obtained from the message counts in the sliding time window are stored in the SIP feature database.
The chi-square flow monitor is established as follows:
the SIP message features are obtained from the SIP feature database;
the chi-square statistic χ² is used to measure the stability of the SIP message distribution over the sequence of sliding time windows;
when the chi-square flow monitor raises an alarm on a sudden change in traffic, the multi-agent detector is activated and the SIP messages in the time window in which the attack occurred are processed further.
The step in which the multi-agent detector votes, using the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, to determine the source of the SIP single-source flooding attack is as follows:
the source IP address of each SIP INVITE message is used as the identifier of an agent;
a multi-agent detector model is established, and the three decision schemes (the trust value of the agent, its influence on the stability of the SIP message distribution and its proportion of request messages) are used to vote on confirming the flooding attacker, judging for each agent whether it is an attack source, so as to determine the source of the SIP single-source flooding attack.
The trust evaluation algorithm proceeds as follows:
let the number of agents in the current time window be N and the number of attackers be M, where M << N and M ≥ 0;
initialise the trust value of each agent to 1/N;
compute the trust value of each agent;
check whether the trust value of some agent has dropped very low, i.e. below a specific threshold, or whether the number of iterations has reached the set value; if either condition holds, the algorithm stops and outputs the trust value of each agent, otherwise it returns to the step of computing the trust value of each agent.
The multi-agent detector uses the three decision schemes (the trust value of the agent, its influence on the stability of the SIP message distribution and its proportion of request messages) to vote on confirming the flooding attacker, with a one-vote veto: an attacker is confirmed only if all three decision schemes consider it to be attacking.
The chi-square flow monitor uses the chi-square statistic to monitor SIP traffic and raises an alarm on abnormal traffic.
The present invention has the following beneficial effects and advantages:
1) Speed and accuracy: computing the chi-square statistic of the SIP messages and having the multi-agent detector vote is sufficient to judge a SIP single-source flooding attack quickly and accurately.
2) Adaptivity: each agent detector adjusts dynamically according to the network condition and can adapt to changes in network traffic.
3) Low resource usage: the detection process only needs to maintain the number of SIP messages per IP address, so its demands on system resources are very low.
4) Good concurrency: the multi-agent detection technique has inherent concurrent processing capability.
Brief description of the drawings
Fig. 1 is the flow chart of the method of the invention;
Fig. 2 is the structure diagram of the SIP intrusion-detection system of the invention;
Fig. 3 is the multi-agent detector model of the invention;
Fig. 4 is a schematic diagram of the trust evaluation results between agents;
Fig. 5 shows the SIP message distribution and the chi-square statistic;
Fig. 6 shows the relation between the number of agents in the agent detector and the detection time;
Fig. 7 is a comparison table of system detection rates.
Embodiment
The present invention is described in more detail below with reference to the drawings.
1) Workflow
As shown in Fig. 1, the detection method of the present invention for SIP single-source flooding attacks comprises the following steps:
building a SIP intrusion-detection system comprising a SIP feature database, a chi-square flow monitor, a multi-agent detector and a SIP attack rule base;
establishing, from the known features of SIP flooding attacks, the feature data used to detect SIP flooding attacks;
obtaining the stability of the SIP message distribution from the SIP session establishment process;
measuring the stability of the SIP message distribution with the chi-square statistic, and establishing the chi-square flow monitor;
determining, from the chi-square statistic of the SIP messages under test, whether a sudden change in traffic has occurred, and if so activating the multi-agent detector;
dynamically adjusting the trust coefficient of each agent in the system according to the network condition by means of a trust evaluation algorithm, to obtain the trust value of each agent;
having the multi-agent detector vote, using the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, to determine the source of the SIP single-source flooding attack, and writing the features of that source into the SIP attack rule base.
2) Structure of the SIP intrusion-detection system
The SIP intrusion-detection system consists of the SIP single-source flooding attack features and a multi-agent system; Fig. 2 shows its structure. The logical entities of the SIP intrusion-detection system that are relevant to the present invention comprise the SIP feature database, the chi-square flow monitor, the multi-agent detector and the SIP attack rule base; their logical relationships are described below:
The SIP intrusion-detection system uses out-of-path (bypass) detection: it collects SIP signalling traffic from the network and stores it as SIP feature data. The chi-square flow monitor extracts the data to be counted according to the SIP feature database and judges the SIP traffic using the chi-square statistic. If the traffic is found to be abnormal, it alerts the multi-agent detector, which examines the current SIP traffic data and judges whether the abnormal traffic is produced by a flooding attack. If so, it outputs the attacker's source IP address and a SIP feature description and writes them into the SIP attack rule base in the format of that rule base; otherwise the data are discarded.
The feature data for detecting SIP flooding attacks are established as follows:
(1) Careful analysis of the behavioural features of SIP flooding attacks shows that, following the SIP session establishment process, the SIP data distribution of normal SIP traffic is in a stable state. The aim of a SIP flooding attack is denial of service; it cannot establish a normal session, and as a result the stability of the SIP message distribution is broken.
(2) The three message classes INVITE, ACK and 200 OK, and the count of each class in the sliding time window, are extracted.
(3) The extracted SIP feature data are stored in the SIP feature database, classified by attack type.
Chi-square flow monitor. Analysis of the SIP session establishment process shows that under normal conditions the distribution of SIP message counts is stable. The messages concerned are INVITE, ACK and 200 OK. Under a SIP single-source flooding attack the attacker cannot complete session establishment, which makes the SIP message distribution abnormal. The present invention therefore detects flooding attacks through changes in the SIP message distribution. We use the chi-square statistic to measure the similarity of the SIP message distributions over the sequence of sliding time windows; it is computed as in formula (1), where k = 3, n_i is the proportion of message msg_i in the current time window and n_i' is the proportion of msg_i in the previous time window.
$$\chi^2 = \sum_{i=1}^{k} \frac{(n_i - n_i')^2}{n_i'} \qquad (1)$$
When the SIP message distribution becomes abnormal, the chi-square statistic changes suddenly, so it can be used to monitor SIP traffic. The method only needs to compute the chi-square statistic of the SIP message distributions in adjacent time windows and is therefore friendly to system resources. However, this decision model can only raise an alarm on abnormal traffic: it cannot provide information about what caused the anomaly, and it also produces false alarms when an excessive burst of SIP messages overloads the server. Accordingly, after an alarm we hand the SIP data to the multi-agent detector for further processing.
The chi-square flow monitor judges the traffic data with the chi-square statistic in the following steps:
(1) collect the SIP traffic in the network according to the measurement types in the SIP feature database;
(2) measure the stability of the SIP message distribution over the sequence of sliding time windows using the chi-square statistic χ²;
(3) when the flow monitor raises an alarm on a sudden change in traffic, activate the multi-agent detector and process further the SIP messages in the time window in which the attack occurred.
After the chi-square flow monitor raises an alarm, the multi-agent detector activates its agent detectors and examines the SIP messages in the time window in which the attack occurred. The detection steps are as follows:
(1) Generate the agents: each source IP address is used as the identifier of an agent, and the attributes of an agent include its SIP message count and its trust coefficient.
(2) The multi-agent detector votes on whether each agent is an attack source, as shown in Fig. 3. Based on the fact that a flooding attacker cannot establish a session, we use three decision schemes, namely the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, to vote on confirming the flooding attacker, with a one-vote veto: an attacker is confirmed only if all three decision schemes consider it to be attacking.
(3) If step (2) determines that an attack has occurred, the attacker's features are written into the attack rule base.
The three decision schemes of the multi-agent detector are described below:
(1) Influence on the stability of the message distribution: each agent computes the similarity between the distribution of the current time window with its own SIP messages removed and the distribution of the previous time window, and uses it as its influence on the message distribution. We again measure this change with formula (1); a larger value indicates that the agent contributes more to the anomaly of the message distribution.
(2) Proportion of request messages: a single-source flooding attack has to send a certain number of SIP request messages to achieve its aim, so the proportion of request messages of an agent can also serve as a detection scheme.
(3) Trust coefficient: in the multi-agent detection system, each agent learns its own trust coefficient from the evaluations that the other agents make of it.
The dynamic trust evaluation algorithm of decision scheme (3) is as follows:
Let the number of agents in the current time window be N and the number of attackers be M, where M << N and M ≥ 0;
(1) initialise the trust value of each agent to 1/N;
(2) compute the trust value of each agent:
$$r_j = \sum_{i=1}^{N} r_i \cdot e_{ij} \qquad (2)$$
$$e_{ij} = \begin{cases} 0, & Z_{ij} \ge Z_0 \\ 1, & Z_{ij} < Z_0 \end{cases} \qquad (3)$$
$$Z_{ij} = \exp\{-\chi_{ij}^2\} \qquad (4)$$
$$\chi_{ij}^2 = \sum_{i=1}^{k} \frac{(n_j - n_i)^2}{n_j} \qquad (5)$$
Formula (2) gives the computation of the trust value r_j: the trust value of an agent is the weighted sum of the evaluations that the other agents make of it, e_ij is the evaluation of agent_j by agent_i, and Z_ij is the quantised similarity between agent_i and agent_j. The similarity between agents is again computed with the chi-square statistic; when the difference between the two exceeds a certain threshold Z_0, each evaluates the other as an attacker.
(3) check whether the trust value of some agent has dropped very low, i.e. below a specific threshold, or whether the number of iterations has reached the set value; if either condition holds, the algorithm stops and outputs the trust value of each agent, otherwise return to step (2).
In the single-source flooding attack case the trust computation converges well; the iteration results are shown schematically in Fig. 4, and the proof is as follows:
After the k-th iteration the trust value of a non-attacking agent is given by formula (6) and that of the attack-source agent by formula (7). Since M << N, the attacker's trust value therefore converges exponentially.
$$r_i = \frac{(N-M)^{k-1}}{(N-M)^k + M^k} \qquad (6)$$
$$r_i = \frac{M^k}{(N-M)^k + M^k} \qquad (7)$$
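As an added worked example (not the patent's own code), the following Python implements the chi-square flow monitor of formula (1) over sliding time windows together with the multi-agent detector described above: the trust iteration of formulas (2) to (5), the influence and request-proportion schemes, and the one-vote-veto combination, run over constructed SIP traffic. It assumes a small ε in the denominators to avoid division by zero, renormalises the trust values after every round so that they match formulas (6) and (7), takes e_ij = 1 for pairs of agents judged similar (Z_ij ≥ Z_0), which is the reading under which an isolated attacker's trust decays, and uses illustrative thresholds throughout.

```python
"""Added example (not the patent's own code): chi-square flow monitor over
sliding time windows plus the multi-agent detector with its three decision
schemes and one-vote veto. The traffic below is constructed for the example."""
from collections import Counter, defaultdict
from math import exp

MSG_TYPES = ("INVITE", "ACK", "200OK")   # the k = 3 message classes
EPS = 1e-9                               # guard for empty classes (assumption)


def proportions(counts):
    """Share n_i of each message class; uniform if there are no messages."""
    total = sum(counts.get(t, 0) for t in MSG_TYPES)
    if total == 0:
        return {t: 1.0 / len(MSG_TYPES) for t in MSG_TYPES}
    return {t: counts.get(t, 0) / total for t in MSG_TYPES}


def chi_square(n, n_ref):
    """Formulas (1)/(5): sum_i (n_i - n_ref_i)^2 / n_ref_i."""
    return sum((n[t] - n_ref[t]) ** 2 / max(n_ref[t], EPS) for t in MSG_TYPES)


def window_counts(window, exclude=None):
    """Class counts of a window of (agent_ip, msg_type), minus one agent."""
    return Counter(t for ip, t in window if ip != exclude)


def flow_monitor(windows, alarm=0.1):
    """Chi-square of every window against the previous one (formula 1).
    Returns (score per window, indexes of windows that raise an alarm)."""
    scores, alarms = [0.0], []
    for idx in range(1, len(windows)):
        prev = proportions(window_counts(windows[idx - 1]))
        curr = proportions(window_counts(windows[idx]))
        scores.append(chi_square(curr, prev))
        if scores[-1] > alarm:
            alarms.append(idx)
    return scores, alarms


def trust_evaluation(agent_props, z0=0.5, low=0.01, max_iter=20):
    """Formulas (2)-(5), renormalised each round so the values match (6)/(7).
    e_ij = 1 when agents i and j have similar distributions (Z_ij >= z0);
    an attacker that resembles nobody but itself then loses trust fast."""
    ips = list(agent_props)
    e = {(i, j): int(exp(-chi_square(agent_props[i], agent_props[j])) >= z0)
         for i in ips for j in ips}
    trust = {ip: 1.0 / len(ips) for ip in ips}
    for rounds in range(1, max_iter + 1):
        raw = {j: sum(trust[i] * e[(i, j)] for i in ips) for j in ips}
        total = sum(raw.values())
        trust = {j: raw[j] / total for j in ips}
        if min(trust.values()) < low:          # stop: some agent is very low
            break
    return trust, rounds


def detect(windows, idx, z0=0.5, low=0.01, req_min=0.9, influence_min=0.5):
    """Multi-agent detector for an alarmed window: an agent is confirmed as
    the flooding source only if all three schemes vote for it (one-vote veto).
    The thresholds are illustrative assumptions."""
    prev = proportions(window_counts(windows[idx - 1]))
    curr = windows[idx]
    full = chi_square(proportions(window_counts(curr)), prev)
    per_agent = defaultdict(Counter)
    for ip, t in curr:
        per_agent[ip][t] += 1
    trust, _ = trust_evaluation(
        {ip: proportions(c) for ip, c in per_agent.items()}, z0, low)
    sources = []
    for ip, c in per_agent.items():
        # scheme 1: share of the anomaly that disappears without this agent
        without = chi_square(proportions(window_counts(curr, exclude=ip)), prev)
        influence = (full - without) / max(full, EPS)
        # scheme 2: requests (INVITE) as a share of the agent's own messages
        req_ratio = c["INVITE"] / sum(c.values())
        # scheme 3: trust value from the iteration above; all three must agree
        if influence >= influence_min and req_ratio >= req_min and trust[ip] < low:
            sources.append({"ip": ip, "messages": sum(c.values()),
                            "request_ratio": round(req_ratio, 3),
                            "trust": round(trust[ip], 4)})
    return sources


# Constructed sample: five callers complete INVITE / 200 OK / ACK in every
# window; in the third window 192.0.2.99 sends 30 INVITEs and nothing else.
# Each message is attributed to the source IP of the INVITE that opened its
# dialog (a simplification for this example).
CALLERS = [f"10.0.0.{i}" for i in range(1, 6)]
NORMAL = [(ip, t) for ip in CALLERS for t in MSG_TYPES]
ATTACK = NORMAL + [("192.0.2.99", "INVITE")] * 30
WINDOWS = [NORMAL, NORMAL, ATTACK]


def run():
    """Monitor the windows, then run the detector on each alarmed window."""
    scores, alarms = flow_monitor(WINDOWS)
    return {idx: detect(WINDOWS, idx) for idx in alarms}


if __name__ == "__main__":
    print(flow_monitor(WINDOWS))
    print(run())
```

With the sample traffic the third window scores χ² = 8/9 against the previous one, and the attacker's trust falls to 1/126 after two rounds, matching formula (7) with N = 6 and M = 1.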
3) Experiment and analysis
The SIP server is OpenSER, the background traffic is generated with the SIPp tool, and both the flooding attacks launched and the burst traffic are produced by SIPp scenario files.
In the experiment the background SIP traffic is set to 100 INVITE messages per second. Fig. 5 shows the distribution of SIP messages in the experimental setup; four attacks were launched in total. The first and second attacks use registered users that do not send ACK messages, at attack rates of 100 INVITE/s and 1000 INVITE/s; the third and fourth use unregistered users sending INVITE messages, at attack rates of 100 INVITE/s and 1000 INVITE/s. The other periods in Fig. 5 in which INVITE messages surge are burst traffic produced by the experiment; the last burst is 1000 INVITE/s and the others are 100 INVITE/s. The lower half of Fig. 5 shows the chi-square statistic, computed over a time interval of 2 seconds. Fig. 5 shows that an excessive burst of traffic also makes the SIP message distribution abnormal and the chi-square statistic jump, causing a false alarm; the same problem occurs with detection based on the Hellinger distance. In the multi-agent detection system, however, the multi-agent detector processes the data further using the multi-agent detector model and judges whether an attack has occurred; if so, it reports the attacker's IP address and the details of its SIP messages. The detection efficiency of this method was tested by launching several attacks and compared with the Hellinger-distance detection method; the results are shown in Fig. 7. When the detection threshold is low enough the accuracy of the system reaches 100%, but a threshold that is too low may keep the multi-agent detector permanently active and introduce some delay. Fig. 6 shows the relation between the number of agents when the multi-agent detector is activated and the detection time; when the chi-square monitor is not in the alarm state the multi-agent detector is not activated and the detection time is negligible. Fig. 6 shows that the system can locate the attacker promptly and provide sufficient information for defence.
In summary, the experimental data further demonstrate that the multi-agent detection method for SIP flooding attacks achieves efficient detection, adaptivity to the network and extensibility of the system.

Claims (5)

1. A detection method for SIP single-source flooding attacks, characterised in that it comprises the following steps:
building a SIP intrusion-detection system comprising a SIP feature database, a chi-square flow monitor, a multi-agent detector and a SIP attack rule base;
extracting, from the known features of SIP flooding attacks, the feature data used to detect SIP flooding attacks;
obtaining the stability of the SIP message distribution from the SIP session establishment process;
measuring the stability of the SIP message distribution with the chi-square statistic, and establishing the chi-square flow monitor;
determining, from the chi-square statistic of the SIP messages under test, whether a sudden change in traffic has occurred, and if so activating the multi-agent detector;
dynamically adjusting the trust coefficient of each agent in the system according to the network condition by means of a trust evaluation algorithm, to obtain the trust value of each agent;
having the multi-agent detector vote, using the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, on whether an attack has occurred; if so, reporting the source of the SIP single-source flooding attack and writing the features of that source into the SIP attack rule base;
wherein the step in which the multi-agent detector votes, using the trust value of each agent, its influence on the stability of the SIP message distribution and its proportion of request messages, to determine the source of the SIP single-source flooding attack is as follows:
the source IP address of each SIP INVITE message is used as the identifier of an agent;
a multi-agent detector model is established, and the three decision schemes (the trust value of the agent, its influence on the stability of the SIP message distribution and its proportion of request messages) are used to vote on confirming the flooding attacker, judging for each agent whether it is an attack source, so as to determine the source of the SIP single-source flooding attack;
the trust evaluation algorithm proceeds as follows:
let the number of agents in the current time window be N and the number of attackers be M, where M << N and M ≥ 0;
initialise the trust value of each agent to 1/N;
compute the trust value of each agent:
$$r_j = \sum_{i=1}^{N} r_i \cdot e_{ij} \qquad (2)$$
$$e_{ij} = \begin{cases} 0, & Z_{ij} \ge Z_0 \\ 1, & Z_{ij} < Z_0 \end{cases} \qquad (3)$$
$$Z_{ij} = \exp\{-\chi_{ij}^2\} \qquad (4)$$
$$\chi_{ij}^2 = \sum_{i=1}^{k} \frac{(n_j - n_i)^2}{n_j} \qquad (5)$$
where r_j is the trust value of agent_j, r_i is the trust value of agent_i, e_ij is the evaluation of agent_j by agent_i, Z_ij is the quantised similarity between agent_i and agent_j, and χ²_ij is the chi-square statistic of the similarity between agent_i and agent_j;
check whether the trust value of some agent has dropped very low, i.e. below a specific threshold, or whether the number of iterations has reached the set value; if either condition holds, the algorithm stops and outputs the trust value of each agent, otherwise it returns to the step of computing the trust value of each agent;
the influence on the stability of the SIP message distribution is: each agent computes the similarity between the distribution of the current time window with its own SIP messages removed and the distribution of the previous time window, measured with the chi-square statistic χ²:
$$\chi^2 = \sum_{i=1}^{k} \frac{(n_i - n_i')^2}{n_i'} \qquad (1)$$
where k = 3, n_i is the proportion of message msg_i in the current time window and n_i' is the proportion of msg_i in the previous time window.
2. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the feature data for detecting SIP flooding attacks are established as follows:
by analysing the behavioural features of flooding attacks, it is found that a SIP single-source flooding attack cannot establish a normal session, so the stability of the SIP message distribution is broken;
the three message classes INVITE, ACK and 200 OK, and the count of each class within a sliding time window, are extracted from the SIP message flow;
the SIP feature data obtained from the message counts in the sliding time window are stored in the SIP feature database.
3. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the chi-square flow monitor is established as follows:
the SIP message features are obtained from the SIP feature database;
the chi-square statistic χ² is used to measure the stability of the SIP message distribution over the sequence of sliding time windows;
when the chi-square flow monitor raises an alarm on a sudden change in traffic, the multi-agent detector is activated and the SIP messages in the time window in which the attack occurred are processed further.
4. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that:
the multi-agent detector uses the three decision schemes (the trust value of the agent, its influence on the stability of the SIP message distribution and its proportion of request messages) to vote on confirming the flooding attacker, with a one-vote veto: an attacker is confirmed only if all three decision schemes consider it to be attacking.
5. The detection method for SIP single-source flooding attacks according to claim 1, characterised in that the chi-square flow monitor uses the chi-square statistic to monitor SIP traffic and raises an alarm on abnormal traffic.
Application CN201010581304.3A, priority date 2010-12-09, filing date 2010-12-09: Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system. Status: Active. Granted as CN102546524B (en).

Publications (2)

Publication Number    Publication Date
CN102546524A (en)     2012-07-04
CN102546524B (en)     2014-09-03

Family ID: 46352498

Country Status (1)

Country   Link
CN (1)    CN102546524B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539590A (en) * 2014-12-10 2015-04-22 深圳市共进电子股份有限公司 Message processing method and device
EP3266178A4 (en) * 2015-03-06 2018-07-25 Nokia Technologies Oy Method and apparatus for mutual-aid collusive attack detection in online voting systems
CN107124427B (en) * 2017-05-31 2020-08-25 上海交通大学 SIP flood attack detection and prevention method in VoLTE
CN108206826B (en) * 2017-11-29 2020-07-14 华东师范大学 Lightweight intrusion detection method for integrated electronic system
CN110198476B (en) * 2018-02-27 2021-09-07 武汉斗鱼网络科技有限公司 Bullet screen behavior abnormity detection method, storage medium, electronic equipment and system
CN109194668B (en) * 2018-09-18 2021-04-20 中国人民解放军战略支援部队信息工程大学 Device and method for preventing SIP session of IMS network from being falsified
CN110311888A (en) * 2019-05-09 2019-10-08 深信服科技股份有限公司 A kind of Web anomalous traffic detection method, device, equipment and medium
CN110784460A (en) * 2019-10-23 2020-02-11 国家计算机网络与信息安全管理中心 Call attack detection method and device and readable storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101459677A (en) * 2009-01-09 2009-06-17 北京邮电大学 Detection apparatus and method for SIP message flooding attack
CN101557324A (en) * 2008-12-17 2009-10-14 天津大学 Real-time visual detection method for DDoS attack
EP2202938A1 (en) * 2008-12-24 2010-06-30 Mitsubishi Electric R&D Centre Europe B.V. Protection against flooding attacks in a network

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8447855B2 (en) * 2007-08-08 2013-05-21 Radware, Ltd. Method, system and computer program product for preventing SIP attacks

Non-Patent Citations (5)

Title
Tianlu Yang et al., "A Novel VoIP Flooding Detection Method Basing on Call Duration", 2010 First International Conference on Pervasive Computing, Signal Processing and Applications, 2010-09-19, full text *
Jun Bi et al., "A Trust and Reputation based Anti-SPIM Method", INFOCOM 2008. The 27th Conference on Computer Communications. IEEE, 2008-04-18, full text *
Sisalem, D. et al., "Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms", Network, IEEE, 2006-10-31, full text *
Joon Heo et al., "Statistical SIP traffic modeling and analysis system", Communications and Information Technologies (ISCIT), 2010 International Symposium on, 2010-10-29, full text *
Zhang Ran (张然) et al., "Research and Implementation of an Intrusion Detection Model Based on Multi-agent" (基于Multi-agent的入侵检测模型的研究与实现), Journal of Chinese Computer Systems (小型微型计算机系统), 2003-06-30, full text *

Also Published As

Publication number Publication date
CN102546524A (en) 2012-07-04

Similar Documents

Publication Publication Date Title
CN102546524B (en) Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system
Behal et al. Detection of DDoS attacks and flash events using novel information theory metrics
CN109302378B (en) SDN network DDoS attack detection method
Li An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition
CN103581186B (en) A kind of network security situational awareness method and system
Tang et al. SIP flooding attack detection with a multi-dimensional sketch design
CN106357673A (en) DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system
CN102271068A (en) Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN106330611A (en) Anonymous protocol classification method based on statistical feature classification
CN101150586A (en) CC attack prevention method and device
CN103957203A (en) Network security defense system
Zheng et al. Dynamic network security mechanism based on trust management in wireless sensor networks
CN103944887A (en) Intrusion event detection method based on hidden conditional random field
Wu et al. SEDP‐based detection of low‐rate DoS attacks
CN104158792A (en) Spam zombie detection method and system
Ambusaidi et al. Intrusion detection method based on nonlinear correlation measure
Bartos et al. IFS: Intelligent flow sampling for network security–an adaptive approach
Liu et al. Anomaly diagnosis based on regression and classification analysis of statistical traffic features
Yan et al. Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy
CN115802358A (en) Multi-step DDoS prediction poisoning attack based on reinforcement learning and defense method thereof
Zhan et al. Adaptive detection method for Packet-In message injection attack in SDN
Xue et al. Bound maxima as a traffic feature under DDOS flood attacks
Abdurohman et al. Improving distributed denial of service (DDOS) detection using entropy method in software defined network (SDN)
Shinde et al. Early dos attack detection using smoothened time-series andwavelet analysis
CN104239785A (en) Intrusion detection data classification method based on cloud model

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant