CN110784460A - Call attack detection method and device and readable storage medium - Google Patents


Info

Publication number
CN110784460A
Application number
CN201911011321.0A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Prior art keywords
uri, request, requests, terminal, abnormal
Inventors
邹学强, 张震, 杜梅婕, 金鑫, 郑超, 刘洋
Assignee (current and original)
National Computer Network and Information Security Management Center

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04M TELEPHONIC COMMUNICATION
    • H04M7/00 Arrangements for interconnection between switching centres
    • H04M7/006 Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
    • H04M7/0078 Security; Fraud detection; Fraud prevention

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a call attack detection method, a device and a readable storage medium, belonging to the technical field of communication, wherein the method comprises the steps of obtaining the number of requests sent to each terminal, and determining Uniform Resource Identifiers (URIs) of abnormal requests according to the number of the requests; and extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to judge the attacker. The method determines Uniform Resource Identifiers (URIs) of abnormal requests according to the number of the requests; the URI of the high call frequency establishment session request is extracted from the URI of the abnormal request to judge the attacker, so that the problems of false alarm, missing report and low detection rate in the prior art are solved, and the positive technical effect is achieved.

Description

Call attack detection method and device and readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for detecting a call attack, and a readable storage medium.
Background
The Session Initiation Protocol (SIP) is used together with the Session Description Protocol (SDP), which describes the initialization parameters of streaming media sessions. SIP, like H.323, is one of the most prominent signaling protocols for VoIP. SIP was originally standardized and is managed by the IETF. One of the design goals of SIP was to provide an expanded set of call processing functions like those of the Public Switched Telephone Network (PSTN), where everyday telephone operations such as dialing, ringback tone or busy tone are achieved.
SIP message flooding attacks (also called SIP DDoS attacks) mainly comprise INVITE message flooding and REGISTER message flooding. An attacker sends a large number of SIP INVITE messages with spoofed source IP addresses to the attack target; the attacked server is kept busy processing the flood of INVITE messages, so its resources are exhausted and normal, legitimate messages cannot be processed. REGISTER message flooding works in the same way as INVITE message flooding.
A SIP DDoS attack is easy to launch, difficult to defend against and highly damaging, and therefore poses a serious threat to SIP. The technical problem the invention aims to solve is to identify SIP DDoS attack traffic efficiently, quickly and accurately from complex traffic that contains a large amount of incomplete traffic.
Traditional SIP DDoS intrusion detection systems fall roughly into four categories: simple threshold setting, statistics based, state machine model based, and machine learning based. Simple threshold setting raises the problems of choosing the threshold and adapting to changes in the network environment. Among the statistics-based methods, the hailing-distance-based method can only detect that an intrusion is taking place; it cannot provide specific information about the attacker for use in defense. Detecting flooding through a SIP protocol state machine model can locate a flooding attack accurately, but the state machine must maintain the state of SIP messages, which makes it equivalent to a stateful SIP server, and the system itself is then easily attacked. For machine learning intrusion detection systems, the quality of the data set directly affects the detection result, the training and classification processes consume a large amount of system resources, and the processing speed is relatively low.
In addition, deeper SIP DDoS attack detection methods include the following.
Taking detection of INVITE message flooding as an example, the ratio of the number of INVITE messages in a sampling interval to the average number of INVITE messages before that interval is first calculated, a set threshold is subtracted, and the result is accumulated with a cumulative sum (CUSUM) algorithm. CUSUM rests on the fact that if a change occurs, the probability distribution of the random sequence also changes. CUSUM typically requires a parametric model of the random sequence so that the sequence can be monitored through a probability density function. Unfortunately, the internet is a very dynamic and complex entity whose traffic model has a very complex theoretical structure, so a major challenge is how to model the random sequence $\{X_n\}$. Moreover, whether an attack occurs is decided only from the number of INVITEs; normal call surges in the network are not considered, normal traffic and attack traffic cannot be distinguished, and the false alarm rate is therefore high.
Another method takes the CPU utilization of a session function entity in an IMS network as the detection feature and reports an attack when the utilization exceeds a set threshold. The method is simple but has two defects: first, an attacker can hand-craft attack packets and start the attack while keeping CPU utilization below the set threshold, which defeats the detection; second, the method cannot distinguish momentary congestion from a flooding attack, which leads to false alarms.
Disclosure of Invention
The embodiment of the invention provides a call attack detection method, a call attack detection device and a readable storage medium, which are used for solving the problems of false alarm, missed report and low detection rate in the prior art.
In a first aspect, an embodiment of the present invention provides a method for detecting a call attack, where the method includes:
acquiring the number of requests sent to each terminal, and determining Uniform Resource Identifiers (URIs) of abnormal requests according to the number of the requests;
and extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to judge the attacker.
Optionally, the obtaining the number of requests sent to each terminal includes:
and acquiring the quantity of the requests sent to each terminal in the current sampling period.
Optionally, determining uniform resource identifiers URI of the abnormal requests according to the number of the requests includes:
according to the head mark of the session initiation protocol SIP of the request sent to each terminal, obtaining the URI of the terminal;
performing hash operation based on the URI of the terminal and recording the hash value of the URI of the obtained terminal;
and after the current sampling period is finished, comparing the hash value of the terminal URI with the predicted value in the current sampling period to determine the URI of the abnormal request.
Optionally, comparing the hash value of the URI of the terminal with the predicted value in the current sampling period to determine the URI of the abnormal request, includes:
and comparing the predicted value, the predicted offset and the threshold value in the current sampling period with the hash value of the terminal URI to determine the URI of the abnormal request.
Optionally, after determining the uniform resource identifier URI of the abnormal request according to the number of requests, the method further includes,
under the condition that the URI of the abnormal request is not detected, calculating the predicted value, the predicted offset and the threshold of the next sampling period according to the predicted value, the predicted offset and the threshold in the current sampling period;
and under the condition that the URI of the abnormal request is detected, keeping the predicted value, the prediction offset and the threshold value in the current sampling period unchanged.
Optionally, after determining Uniform Resource Identifiers (URIs) of the abnormal requests according to the number of the requests, the method further includes:
and determining a predicted value of the next period according to the historical sampling data and the current sampling data.
Optionally, extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to determine the attacker includes:
acquiring a source URI of the abnormal request according to an SIP source message header;
and filtering the source URI to obtain the URI of the high call frequency establishment session request so as to judge the attacker.
Optionally, after extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to determine the attacker, the method further includes:
acquiring a CANCEL request sent to a URI of an attacked terminal, and recording a source URI corresponding to the CANCEL request;
counting the CANCEL request times of the source URI corresponding to the CANCEL request;
and determining an attacker according to the URI of the high call frequency session establishment request and the CANCEL request times.
In a second aspect, an embodiment of the present invention provides a device for detecting a call attack, where the device includes:
the acquisition module is used for acquiring the number of requests sent to each terminal;
the identification module is used for determining Uniform Resource Identifiers (URIs) of the abnormal requests according to the request quantity, and for extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to judge the attacker.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium on which an implementation program for information transfer is stored; when the program is executed by a processor, it implements the steps of the method described above.
The embodiment of the invention determines the uniform resource identifier URI of the abnormal request according to the request quantity; the URI of the high call frequency establishment session request is extracted from the URI of the abnormal request to judge the attacker, so that the problems of false alarm, missing report and low detection rate in the prior art are solved, and the positive technical effect is achieved.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a first embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In a VoIP environment, when an attacker continuously sends INVITE requests to an attacked terminal, session connections are established with that terminal, so the terminal rings continuously and is always busy. The attacked terminal is therefore unable to communicate with other, normal users.
Such attacks are very easy to launch and very difficult to defend. Compared with the flooding attack initiated aiming at the server, the attack needs small flow, follows the normal session establishment flow, basically does not affect the server, and can avoid the firewall or the intrusion detection system. The flooding attack aiming at the server can cause that the server can not provide service for all terminals connected with the server, the loss and the influence range are large, and the attack only destroys a plurality of attacked terminals and has small influence range.
First, once the attack occurs, the victim user has almost no way to cope: the terminal rings continuously, and no other call can be answered unless the user goes off-hook or logs out of the account. Second, the attacked objects may be relatively important terminals, or even all terminals, of a company or government department, and the attack can be expected to seriously disrupt the daily business of that company or department. It is therefore of practical significance to study such attacks more intensively and to find suitable detection methods.
The SIP DDoS attack is simple to launch and its effect is obvious, yet the attack is difficult to detect. From the signaling perspective, the session establishment procedure initiated by the attacker is a normal procedure, and the SIP signaling sent is legitimate signaling. Although the request frequency is higher than normal, the signaling traffic is very small compared with a flooding attack on a server, and neither the server nor the attacked end sees abnormal traffic at all. The traditional attack detection methods designed for servers are therefore not suitable, and the characteristics of the attack must be analysed further in order to design a targeted countermeasure.
Firstly, when an attack occurs, the terminal rings continuously, which can bring annoying harassment to users, and the terminal cannot be used when the user is in a hurry to communicate with other users. This requires that the attack defense module be able to detect and eliminate attacks as quickly as possible, minimizing the duration of the terminal ringing. This requires that the attack detection method be as fast and real-time as possible. Secondly, in order to achieve a good attack effect, an attacker needs to send a high frequency of requests, and an attacked terminal can receive a large number of requests in a short time. From a signaling point of view these requests are all perfectly normal, whereas from a user behavior point of view this is an abnormal behavior.
At the same time, the time interval between the sending of the request and the interruption of the connection is very short, i.e. the duration of the session is much shorter than normal. From the point of view of signaling, it is also normal behavior that an attacker sends a request to interrupt a session, while from the point of view of user behavior, a large number of sessions last for a short time, which is also an abnormal behavior.
According to the characteristics, through research on various intrusion detection methods, the embodiment of the invention provides a sketch-based attacked terminal detection method and a user behavior-based attacker detection method, so that attack can be quickly and accurately detected.
Specifically, a first embodiment of the present invention provides a method for detecting a call attack, where the method includes:
acquiring the number of requests sent to each terminal, and determining Uniform Resource Identifiers (URIs) of abnormal requests according to the number of the requests;
and extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to judge the attacker.
The embodiment of the invention determines the uniform resource identifier URI of the abnormal request according to the request quantity; the URI of the high call frequency establishment session request is extracted from the URI of the abnormal request to judge the attacker, so that the problems of false alarm, missing report and low detection rate in the prior art are solved.
Optionally, in an optional embodiment of the present invention, acquiring the number of requests sent to each terminal includes:
and acquiring the quantity of the requests sent to each terminal in the current sampling period.
Specifically, since the number of requests for each URI is a value that fluctuates with time, it is difficult to compare the requests with a fixed predicted value, and therefore, in this embodiment, the number of requests to each terminal is obtained in the current sampling period by a scheme of dividing the period.
Optionally, in an optional embodiment of the present invention, determining a uniform resource identifier URI of an abnormal request according to the number of requests includes:
according to the head mark of the session initiation protocol SIP of the request sent to each terminal, obtaining the URI of the terminal;
performing hash operation based on the URI of the terminal and recording the hash value of the URI of the obtained terminal;
and after the current sampling period is finished, comparing the hash value of the terminal URI with the predicted value in the current sampling period to determine the URI of the abnormal request.
In this embodiment, the sketch consists of $H$ mutually independent hash functions, each applied to a key $k_i$ to obtain $w_h(k_i) = \mathrm{hash}_h(k_i)$, where $\mathrm{hash}_h$ denotes one of the $H$ hash functions. A table $a$ with $H$ rows and $L$ columns is used for storage: the $h$-th hash function corresponds to the $h$-th row of table $a$, the hash value of $k_i$ selects the $w_h(k_i)$-th bit of that row, and the value associated with $k_i$ is accumulated into that bit. Because $H$ independent hash functions are used, the collisions produced by any single hash function are eliminated: the values of all $H$ hash functions must match simultaneously to locate one IP address, so all possible IP addresses can be counted within a storage space of only $H$ rows and $L$ columns, and the counting result can be retrieved quickly through the hash functions.
Specifically, in this embodiment the number of INVITE requests sent to each terminal is counted first. The SIP URI of the terminal is defined as the key so as to facilitate the subsequent hash operation; this URI can be taken from the value of the "To:" header field of the INVITE request. Within one sampling period $\Delta t$, each time an INVITE packet is collected the terminal URI is extracted, the key required for the calculation is derived from that URI, the $H$ hash operations are performed on the target URI using that key, and 1 is added to the value of the corresponding bit of table $a$. This continues until the sampling period ends; then the value of each bit is compared with the predicted value for that bit, and the abnormal target URIs are obtained.
Optionally, after determining Uniform Resource Identifiers (URIs) of the abnormal requests according to the number of the requests, the method further includes:
and determining a predicted value of the next period according to the historical sampling data and the current sampling data.
Specifically, after the current sampling period ends, since the number of requests for each URI is a value that fluctuates with time, it is difficult to make a comparison with a fixed predicted value. In this embodiment, in order to obtain a more accurate detection result, a method of performing dynamic adaptive adjustment according to historical data is adopted, that is, a predicted value of a next period is calculated according to historical sampling data and current sampling data.
Six candidate prediction methods were considered: the moving average model (MA), the S-shaped moving average model (SMA), the exponentially weighted moving average model (EWMA), the non-seasonal Holt-Winters model (NSHW), and two variants, ARIMA0 and ARIMA1, of the autoregressive integrated moving average model (ARIMA). The EWMA model only needs the sampled value of the current period and the predicted value of the previous period to compute the next predicted value; it requires no statistics over all historical data and its computational cost is small.
In particular, the EWMA model weights the historical observations to predict the next value: the more recent the observation, the larger its weight, and the weights decrease exponentially with time. The calculation formula is:
$U_{i+1} = \alpha u_i + (1-\alpha) U_i$
where $u_i$ is the sampled value of the current period, $U_i$ the predicted value of the current period, $U_{i+1}$ the predicted value of the next period, and $\alpha$ a coefficient weighting the current value against the historical value. Because the sampled value will practically never match the predicted value exactly, comparing the two directly cannot decide whether an attack exists; a threshold must be derived from the predicted value. In this embodiment, therefore, an attack is detected by comparing the sampled value with a threshold, which is calculated as follows:
$D_{i+1} = \beta \lvert U_i - u_i \rvert + (1-\beta) D_i$
$N_{i+1} = \theta U_{i+1} + \delta D_{i+1}$
where $D_i$ is the prediction offset, i.e. the deviation of the predicted value from the actual value in the current cycle, and $N_{i+1}$ is the threshold for the next cycle. In this embodiment the prediction offset for the next cycle is calculated from the current prediction offset and the actual offset, and the prediction offset and predicted value for the next cycle are then used to compute the threshold for the next cycle. $\beta$ and $\alpha$ are weight factors; the two multiplier factors $\theta$ and $\delta$ give the threshold a safety margin to reduce false positives.
Optionally, comparing the hash value of the URI of the terminal with the predicted value in the current sampling period to determine the URI of the abnormal request, includes:
and comparing the predicted value, the predicted offset and the threshold value in the current sampling period with the hash value of the terminal URI to determine the URI of the abnormal request.
Specifically, in this embodiment, after one cycle is finished, the value of each bit in the table is compared with the threshold corresponding to the bit, if the value exceeds the threshold, it is determined that there is an attack on the bit, and the URI information of the bit is recorded.
Optionally, after determining the uniform resource identifier URI of the abnormal request according to the number of requests, the method further includes,
under the condition that the URI of the abnormal request is not detected, calculating the predicted value, the predicted offset and the threshold of the next sampling period according to the predicted value, the predicted offset and the threshold in the current sampling period;
and under the condition that the URI of the abnormal request is detected, keeping the predicted value, the prediction offset and the threshold value in the current sampling period unchanged.
Specifically, in this embodiment, after the detection is completed, for the bit in the table where no abnormality is detected, the prediction value, the prediction deviation, and the threshold value of the corresponding next cycle are calculated according to the equation. For the bit where an anomaly is detected, its prediction value, prediction bias, and threshold remain unchanged.
Through the above scheme, the embodiment proposes sketch-based attack target detection, and summarizes a process of detecting an attacked target as follows: in a sampling period, each time a data packet is collected, H hash operations are carried out on the target URI of the data packet, and the result is accumulated into corresponding bits. After one period is finished, comparing the value of each bit in the table with the threshold corresponding to the bit, if the value exceeds the threshold, judging that the bit is possible to have attack, and recording the URI information of the bit. After the detection is finished, for the bit without abnormality detection in the table, the corresponding predicted value, the predicted deviation and the threshold value of the next period are calculated according to the formula. For the bit where an anomaly is detected, its prediction value, prediction bias, and threshold remain unchanged. And finally, outputting the recorded abnormal URI information to a next detection module for further malicious user detection.
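The sketch-based target detection summarised above, as an added worked example (illustrative code written for this page, not an implementation from the patent): it keys the sketch on the "To:" URI of each INVITE, accumulates into an H-row, L-column table, compares each bit with its threshold when the period ends, reports a URI only when all H of its bits exceed their thresholds, and applies the EWMA update to U, D and N for bits without an anomaly while freezing the bits where one was found. The dimensions H and L, the weights α, β, θ and δ, the SHA-256-derived hash family, the warm-up period that seeds the predictor, and the sample INVITE messages are all assumptions made here.

```python
import hashlib
import re
from collections import defaultdict

# Sketch dimensions and predictor weights. These are assumed values chosen for
# the example; the patent leaves H, L, alpha, beta, theta and delta unspecified.
H = 3          # number of independent hash functions (rows of table a)
L = 1024       # number of bits (counters) per row
ALPHA = 0.5    # EWMA weight of the current sample u_i
BETA = 0.5     # weight of the current offset |U_i - u_i|
THETA = 1.5    # multiplier on the predicted value U_{i+1}
DELTA = 3.0    # multiplier on the predicted offset D_{i+1}


def hash_h(h: int, key: str) -> int:
    """Return w_h(key): the column of row h that the key maps to.

    Assumption: H independent functions are derived from SHA-256 salted with h.
    """
    digest = hashlib.sha256(f"{h}:{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % L


def to_uri(invite: str) -> str:
    """Extract the terminal URI from the To: header of an INVITE (the key k_i)."""
    for line in invite.splitlines():
        if line.lower().startswith("to:"):
            value = line.split(":", 1)[1]
            m = re.search(r"<([^>]+)>", value)
            return m.group(1) if m else value.strip()
    raise ValueError("INVITE without To: header")


class TargetDetector:
    """Sketch-based attacked-terminal detector with per-bit EWMA thresholds."""

    def __init__(self) -> None:
        self.U = [[0.0] * L for _ in range(H)]   # predicted value per bit
        self.D = [[0.0] * L for _ in range(H)]   # predicted offset per bit
        self.N = [[0.0] * L for _ in range(H)]   # threshold per bit
        self.primed = False

    def run_period(self, invites: list) -> set:
        """Process one sampling period and return the URIs judged attacked."""
        table = [[0] * L for _ in range(H)]      # table a, reset every period
        seen = defaultdict(set)                  # (h, w) -> URIs hashed there
        for msg in invites:
            key = to_uri(msg)
            for h in range(H):
                w = hash_h(h, key)
                table[h][w] += 1
                seen[(h, w)].add(key)

        if not self.primed:
            # Assumed warm-up: the first period seeds U_i (D_i stays 0).
            for h in range(H):
                for w in range(L):
                    self.U[h][w] = float(table[h][w])
                    self.N[h][w] = THETA * self.U[h][w]
            self.primed = True
            return set()

        # Compare every bit with its threshold N_i for this period.
        abnormal = {(h, w) for h in range(H) for w in range(L)
                    if table[h][w] > self.N[h][w]}
        # A URI is reported only when all H of its bits are abnormal, which
        # removes the collisions of any single hash function.
        candidates = set().union(*seen.values())
        attacked = {k for k in candidates
                    if all((h, hash_h(h, k)) in abnormal for h in range(H))}

        # Update U, D and N for bits without anomaly; freeze abnormal bits.
        for h in range(H):
            for w in range(L):
                if (h, w) in abnormal:
                    continue
                u = table[h][w]
                u_next = ALPHA * u + (1 - ALPHA) * self.U[h][w]
                d_next = BETA * abs(self.U[h][w] - u) + (1 - BETA) * self.D[h][w]
                self.U[h][w], self.D[h][w] = u_next, d_next
                self.N[h][w] = THETA * u_next + DELTA * d_next
        return attacked


def make_invites(counts: dict) -> list:
    """Constructed INVITE requests: {terminal URI: number of INVITEs}."""
    msgs = []
    for uri, n in counts.items():
        for i in range(n):
            msgs.append(f"INVITE {uri} SIP/2.0\r\n"
                        f"From: <sip:caller{i}@example.net>\r\n"
                        f"To: <{uri}>\r\n")
    return msgs


def demo() -> list:
    """Two normal periods followed by a call attack on bob's terminal."""
    normal = {"sip:alice@example.com": 2, "sip:bob@example.com": 3, "sip:carol@example.com": 1}
    busier = {"sip:alice@example.com": 2, "sip:bob@example.com": 4, "sip:carol@example.com": 1}
    attack = {"sip:alice@example.com": 2, "sip:bob@example.com": 60, "sip:carol@example.com": 1}
    det = TargetDetector()
    return [det.run_period(make_invites(p)) for p in (normal, busier, attack)]


if __name__ == "__main__":
    print(demo())   # [set(), set(), {'sip:bob@example.com'}]
```

In the attack period bob's bits hold 60 against a threshold of 6.75 (U = 3.5, D = 0.5 after the second period), so only bob's URI is reported; alice and carol stay under their thresholds and their predictors keep adapting. One property worth checking before deploying such a scheme: a bit that has never been seen has a predicted value of zero and therefore a zero threshold, so a single INVITE to a brand-new terminal would already count as abnormal; a minimum threshold or a longer warm-up is needed in practice, which the patent does not specify.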
After the attacked target is detected, a malicious attacking user is further detected to eliminate the attack. The next subsection will present a detection method based on user behavior to locate malicious users and add them to the blacklist to eliminate attacks.
Optionally, in another optional embodiment of the present invention, extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to determine the attacker includes:
acquiring a source URI of the abnormal request according to an SIP source message header;
and filtering the source URI to obtain the URI of the high call frequency establishment session request so as to judge the attacker.
Specifically, based on the detection of the sketch-based module, the URI of the attacked terminal is already available. In this embodiment, further attention is paid to INVITE requests to these victim URIs.
More specifically, for the obtained URIs of the attacked terminals, that is, the URIs of the abnormal requests, a statistical analysis is performed on how many requests each source URI sends to them; the source URI of a request is taken from the value of the "From:" header field of the SIP message. After a period of statistics, it is known which URIs are sending session establishment requests at a high call frequency, and in this embodiment those URIs are treated as malicious users.
Optionally, after extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to determine the attacker, the method further includes:
acquiring a CANCEL request sent to a URI of an attacked terminal, and recording a source URI corresponding to the CANCEL request;
counting the CANCEL request times of the source URI corresponding to the CANCEL request;
and determining an attacker according to the URI of the high call frequency session establishment request and the CANCEL request times.
Specifically, in this embodiment, on the basis of the obtained malicious user, in consideration of that a normal user may continuously try to call again in a short time after a call failure, the normal user may also have a high frequency call at this time. Therefore, in this embodiment, the attacker is finally determined according to the duration of the call.
Specifically, while sending a large number of INVITE requests, an attacker also sends a large number of CANCEL requests to tear down the sessions that have just been established. Therefore, in this embodiment, CANCEL requests sent to the attacked URI are collected at the same time, their source URIs are recorded, and the same statistics are kept on their number.
Comparing the two statistics of INVITE request and CANCEL request, a suspicious URI sends a large number of INVITE requests in a short time, which indicates that the call frequency is high, and if a large number of CANCEL requests are sent at the same time, which indicates that most connections are cancelled in a short time after the URI establishes a connection, the call duration is short, so that the two characteristics just conform to the call behavior pattern of an attacker. Therefore, in this embodiment, a blacklist can be formed by extracting the common suspicious URI of the two statistical results.
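The user-behaviour stage described in the preceding paragraphs, as an added worked example (illustrative code written for this page, not an implementation from the patent): it takes the victim URIs produced by the sketch stage, counts INVITE and CANCEL requests towards those victims per "From:" URI, and blacklists the source URIs that appear in both the high-INVITE and the high-CANCEL sets, so that a legitimate caller who retries often but never cancels is not blacklisted. The numeric limits INVITE_MIN and CANCEL_MIN, the minimal SIP parser and the sample request messages are assumptions made here.

```python
import re
from collections import Counter

# Assumed per-period limits; the patent speaks of "a large number" of INVITE
# and CANCEL requests without fixing numeric values.
INVITE_MIN = 5    # INVITEs to attacked terminals that count as high call frequency
CANCEL_MIN = 5    # CANCELs to attacked terminals that count as short call duration


def parse_request(msg: str):
    """Return (method, from_uri, to_uri) of a SIP request (minimal parser)."""
    lines = msg.splitlines()
    method = lines[0].split()[0].upper()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        m = re.search(r"<([^>]+)>", value)          # prefer the URI in <...>
        headers[name.strip().lower()] = m.group(1) if m else value.strip()
    return method, headers.get("from"), headers.get("to")


def detect_attackers(messages: list, attacked_uris: set):
    """Count INVITE and CANCEL per source URI towards attacked terminals.

    Returns (blacklist, invite_counts, cancel_counts); the blacklist is the
    set of source URIs present in both the high-INVITE and high-CANCEL sets.
    """
    invites, cancels = Counter(), Counter()
    for msg in messages:
        method, src, dst = parse_request(msg)
        if dst not in attacked_uris:
            continue            # only traffic to victims found by the sketch stage
        if method == "INVITE":
            invites[src] += 1
        elif method == "CANCEL":
            cancels[src] += 1
    high_invite = {u for u, n in invites.items() if n >= INVITE_MIN}
    high_cancel = {u for u, n in cancels.items() if n >= CANCEL_MIN}
    return high_invite & high_cancel, invites, cancels


def make_requests(method: str, src: str, dst: str, n: int) -> list:
    """Constructed SIP requests of one method from src to dst."""
    return [f"{method} {dst} SIP/2.0\r\nFrom: <{src}>\r\nTo: <{dst}>\r\n"
            f"CSeq: {i} {method}\r\n" for i in range(n)]


def demo():
    """Traffic to a victim found by the sketch stage, plus unrelated traffic."""
    victim = "sip:bob@example.com"
    msgs = []
    # attacker: many INVITEs, each cancelled right after the session is set up
    msgs += make_requests("INVITE", "sip:mallory@evil.example", victim, 30)
    msgs += make_requests("CANCEL", "sip:mallory@evil.example", victim, 30)
    # legitimate caller retrying after failed calls: high frequency, no CANCELs
    msgs += make_requests("INVITE", "sip:dave@example.net", victim, 8)
    # one ordinary call
    msgs += make_requests("INVITE", "sip:erin@example.net", victim, 1)
    # busy traffic to a terminal that was not flagged as attacked: ignored
    msgs += make_requests("INVITE", "sip:pbx@example.org", "sip:carol@example.com", 20)
    msgs += make_requests("CANCEL", "sip:pbx@example.org", "sip:carol@example.com", 20)
    return detect_attackers(msgs, {victim})


if __name__ == "__main__":
    blacklist, invites, cancels = demo()
    print(sorted(blacklist))    # ['sip:mallory@evil.example']
```

Only mallory ends up on the blacklist: dave's eight INVITEs place him in the high-INVITE set, but with no CANCELs he is not in the high-CANCEL set, which is exactly the retry case the text singles out. Traffic to carol is ignored because carol was not reported by the sketch stage, which keeps the per-source counting confined to the victims.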
In summary, SIP DDoS attacks are varied in type and means, and a single defence method that covers all of them is practically impossible. Even among DDoS attacks based on SIP, the detection methods differ because the signalling flows differ. The attack strategy against a server differs from that against a terminal, so detection techniques designed for the server side are not applicable to the terminal. At present, however, most research on SIP DDoS attacks concentrates on the server side, and research oriented to the terminal is comparatively scarce. In this embodiment, for a distributed SIP DDoS attack on a terminal, SIP DDoS attack traffic can be identified quickly and accurately within complex traffic by combining a sketch-based attacked-terminal detection method with a user-behaviour-based attacker detection method.
In a second aspect, an embodiment of the present invention provides a device for detecting a call attack, where the device includes:
the acquisition module is used for acquiring the number of requests sent to each terminal;
the identification module is used for determining Uniform Resource Identifiers (URIs) of the abnormal requests according to the request quantity; and
for extracting the URI of the high call frequency session establishment request from the URIs of the abnormal requests in order to determine the attacker.
This embodiment determines the URIs of the abnormal requests according to the number of requests, and extracts the URIs of the high call frequency session establishment requests from the URIs of the abnormal requests in order to determine the attacker, thereby addressing the false positives, missed detections and low detection rate of the prior art and achieving a positive technical effect.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium on which a program for implementing information transfer is stored; when the program is executed by a processor, the steps of the method described above are carried out.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A call attack detection method is characterized by comprising the following steps:
acquiring the number of requests sent to each terminal, and determining Uniform Resource Identifiers (URIs) of abnormal requests according to the number of the requests;
and extracting the URI of the high call frequency establishment session request from the URI of the abnormal request to judge the attacker.
2. The method of claim 1, wherein obtaining the number of requests directed to each terminal comprises:
and acquiring the quantity of the requests sent to each terminal in the current sampling period.
3. The method of claim 2, wherein determining uniform resource identifiers, URIs, for anomalous requests based on the number of requests comprises:
obtaining the URI of the terminal from the header field of the session initiation protocol (SIP) message of each request sent to the terminal;
performing hash operation based on the URI of the terminal and recording the hash value of the URI of the obtained terminal;
and after the current sampling period is finished, comparing the hash value of the terminal URI with the predicted value in the current sampling period to determine the URI of the abnormal request.
4. The method of claim 3, wherein comparing the hash value of the terminal URI with the predicted value in the current sampling period to determine the URI of the abnormal request comprises:
and comparing the predicted value, the predicted offset and the threshold value in the current sampling period with the hash value of the terminal URI to determine the URI of the abnormal request.
5. The method of claim 3, wherein after determining uniform resource identifiers, URIs, for anomalous requests based on the number of requests, the method further comprises:
under the condition that the URI of the abnormal request is not detected, calculating the predicted value, the predicted offset and the threshold of the next sampling period according to the predicted value, the predicted offset and the threshold in the current sampling period;
and under the condition that the URI of the abnormal request is detected, keeping the predicted value, the prediction offset and the threshold value in the current sampling period unchanged.
6. The method of claim 2, wherein after determining uniform resource identifiers, URIs, of anomalous requests based on the number of requests, the method further comprises:
and determining a predicted value of the next period according to the historical sampling data and the current sampling data.
7. The method of claim 3, wherein extracting the URI of the high call frequency setup session request from the URI of the exception request to determine the attacker comprises:
acquiring a source URI of the abnormal request according to an SIP source message header;
and filtering the source URI to obtain the URI of the high call frequency establishment session request so as to judge the attacker.
8. The method of claim 1, wherein after extracting the URI of the high call frequency setup session request from the URI of the exception request to determine the attacker, the method further comprises:
acquiring a CANCEL request sent to a URI of an attacked terminal, and recording a source URI corresponding to the CANCEL request;
counting the CANCEL request times of the source URI corresponding to the CANCEL request;
and determining an attacker according to the URI of the high call frequency session establishment request and the CANCEL request times.
9. A call attack detection apparatus, the apparatus comprising:
the acquisition module is used for acquiring the number of requests sent to each terminal;
the identification module is used for determining Uniform Resource Identifiers (URIs) of the abnormal requests according to the request quantity; and
for extracting the URI of the high call frequency session establishment request from the URIs of the abnormal requests in order to determine the attacker.
10. A computer-readable storage medium, characterized in that it has stored thereon a program for implementing the transfer of information, which program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 8.
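The attacked-terminal stage of claims 2 to 6 (per-period counting under a hash of the terminal URI, comparison with a predicted value, predicted offset and threshold, and updating the forecast only in periods without detections) can be implemented as follows. This is an added example rather than the patent's own code: the claims do not specify the sketch dimensions, the forecasting formula or the threshold rule, so the example assumes a count-min style sketch of D rows by W buckets with a seeded hash per row, exponential smoothing for the predicted value and the predicted offset, and a threshold of forecast + K * offset + MIN_MARGIN; the traffic in simulate() is constructed.

```python
"""Sketch-based detection of attacked terminals (attacked-terminal stage).

Added example, not the patent's code. Assumed, because the claims leave them open:
a count-min style sketch of D rows x W buckets with a seeded hash per row;
exponential smoothing for the predicted value and the predicted offset;
threshold = forecast + K * offset + MIN_MARGIN. The traffic in simulate() is constructed.
"""
import hashlib

D, W = 3, 64                  # sketch rows and buckets per row (assumed)
ALPHA, BETA = 0.3, 0.3        # smoothing factors for forecast and offset (assumed)
K, MIN_MARGIN = 3.0, 5        # threshold rule parameters (assumed)


def bucket(uri: str, row: int) -> int:
    """Row-specific hash of the terminal URI into one of W buckets."""
    digest = hashlib.blake2b(uri.encode(), digest_size=8, salt=bytes([row])).digest()
    return int.from_bytes(digest, "big") % W


class SketchDetector:
    def __init__(self):
        self.forecast = [[None] * W for _ in range(D)]   # predicted value per bucket
        self.offset = [[0.0] * W for _ in range(D)]      # predicted offset per bucket
        self._new_period()

    def _new_period(self):
        self.counts = [[0] * W for _ in range(D)]        # requests per bucket this period
        self.seen = set()                                # terminal URIs seen this period

    def observe(self, terminal_uri: str) -> None:
        """Record one request sent to terminal_uri in the current sampling period."""
        self.seen.add(terminal_uri)
        for r in range(D):
            self.counts[r][bucket(terminal_uri, r)] += 1

    def threshold(self, r: int, b: int):
        """Per-bucket threshold for this period; None until the bucket has history."""
        f = self.forecast[r][b]
        return None if f is None else f + K * self.offset[r][b] + MIN_MARGIN

    def _is_abnormal(self, uri: str) -> bool:
        # count-min logic: the URI's true count is at most the minimum over its rows,
        # so it is flagged only if every row it hashes to exceeds that row's threshold
        for r in range(D):
            b = bucket(uri, r)
            thr = self.threshold(r, b)
            if thr is None or self.counts[r][b] <= thr:
                return False
        return True

    def end_period(self) -> set:
        """Close the sampling period: return the abnormal terminal URIs, then either
        roll the forecast forward (no detection) or keep it frozen (detection)."""
        abnormal = {uri for uri in self.seen if self._is_abnormal(uri)}
        if not abnormal:
            for r in range(D):
                for b in range(W):
                    c, f = self.counts[r][b], self.forecast[r][b]
                    if f is None:
                        self.forecast[r][b] = float(c)       # first observation seeds the forecast
                    else:
                        self.offset[r][b] = BETA * abs(c - f) + (1 - BETA) * self.offset[r][b]
                        self.forecast[r][b] = ALPHA * c + (1 - ALPHA) * f
        # with a detection the forecast and offset are left unchanged, so the flood
        # is not absorbed into the baseline for the next period
        self._new_period()
        return abnormal


def simulate():
    """Constructed traffic: five baseline periods, then two periods in which
    sip:alice@example.com is flooded. Returns the abnormal set of each period."""
    det = SketchDetector()
    results = []
    for p in range(1, 8):
        load = {"sip:alice@example.com": 20 + p % 3,
                "sip:bob@example.com": 18 + p % 2,
                "sip:carol@example.com": 22 - p % 2}
        if p >= 6:
            load["sip:alice@example.com"] = 200          # flood toward alice
        for uri, n in load.items():
            for _ in range(n):
                det.observe(uri)
        results.append(det.end_period())
    return results


if __name__ == "__main__":
    for period, abnormal in enumerate(simulate(), start=1):
        print(f"period {period}: abnormal={sorted(abnormal)}")
```

The sketch keeps memory proportional to D * W rather than to the number of terminals, which is what makes the per-period comparison cheap on a busy proxy; the price is that hash collisions can only inflate a bucket, so a flooded bucket may drag a colliding legitimate terminal into the abnormal set and the behaviour stage described in the description has to clear it. Freezing the forecast during a detection (claim 5) is the important defensive detail: without it a sustained flood becomes the expected value after a few periods and the detector goes quiet.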
CN201911011321.0A 2019-10-23 2019-10-23 Call attack detection method and device and readable storage medium Pending CN110784460A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911011321.0A CN110784460A (en) 2019-10-23 2019-10-23 Call attack detection method and device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911011321.0A CN110784460A (en) 2019-10-23 2019-10-23 Call attack detection method and device and readable storage medium

Publications (1)

Publication Number Publication Date
CN110784460A true CN110784460A (en) 2020-02-11

Family

ID=69386518

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911011321.0A Pending CN110784460A (en) 2019-10-23 2019-10-23 Call attack detection method and device and readable storage medium

Country Status (1)

Country Link
CN (1) CN110784460A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546524A (en) * 2010-12-09 2012-07-04 Shenyang Institute of Computing Technology, Chinese Academy of Sciences Co., Ltd. Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system
CN103314562A (en) * 2011-01-10 2013-09-18 Alcatel Lucent Session initiation protocol (SIP) firewall for IP multimedia subsystem (IMS) core to defend against SIP registration-based DOS/DDOS attacks
CN105791215A (en) * 2014-12-22 2016-07-20 Shanghai Liangjiang Communication Systems Co., Ltd. Communication network attack detection method based on SIP protocol
CN107124427A (en) * 2017-05-31 2017-09-01 Shanghai Jiao Tong University Detection and prevention method for SIP flood attacks in VoLTE

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Zhiqiang: "SIP-based DDoS attack detection in IMS" (IMS中基于SIP的DDoS攻击检测), China Masters' Theses Full-text Database, Information Science and Technology series *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111586124A (en) * 2020-04-28 2020-08-25 Guangzhou Jinxing Network Technology Co., Ltd. Method for obtaining remote connection credentials
CN114499917A (en) * 2021-10-25 2022-05-13 China UnionPay Co., Ltd. CC attack detection method and CC attack detection device
CN114499917B (en) * 2021-10-25 2024-01-09 China UnionPay Co., Ltd. CC attack detection method and CC attack detection device
CN117527369A (en) * 2023-11-13 2024-02-06 Wuxi Vocational Institute of Commerce Hash function-based Android malicious attack monitoring method and system
CN117527369B (en) * 2023-11-13 2024-06-04 Wuxi Vocational Institute of Commerce Hash function-based Android malicious attack monitoring method and system

Similar Documents

Publication Publication Date Title
US11797671B2 (en) Cyberanalysis workflow acceleration
CN110784460A (en) Call attack detection method and device and readable storage medium
US8973150B2 (en) Methods and apparatus to mitigate a denial-of-service attack in a voice over internet protocol network
CN101635658B (en) Method and system for detecting abnormality of network secret stealing behavior
JP2008306706A (en) Method and apparatus for detecting anomaly in signaling flows
Tang et al. Detection and prevention of SIP flooding attacks in voice over IP networks
CA2622821A1 (en) Method and system to prevent spam over internet telephony
JP4692776B2 (en) Method for protecting SIP-based applications
Golait et al. Detecting anomalous behavior in VoIP systems: A discrete event system modeling
Sengar et al. Call Behavioral analysis to Thwart SPIT attacks on VoIP networks
CN112055956A (en) Network security
CN106487790B (en) Cleaning method and system for ACK FLOOD attacks
Lee et al. VoIP-aware network attack detection based on statistics and behavior of SIP traffic
CN113242260A (en) Attack detection method and device, electronic equipment and storage medium
Golait et al. Voipfd: Voice over ip flooding detection
Son et al. Detecting anomaly traffic using flow data in the real voip network
Asgharian et al. Feature engineering for detection of Denial of Service attacks in session initiation protocol
CN114726607B (en) Network security monitoring system based on switch monitoring network data
Akbar et al. Leveraging the sip load balancer to detect and mitigate ddos attacks
Safoine et al. Comparative study on DOS attacks Detection Techniques in SIP-based VOIP networks
KR101095878B1 (en) SIP DoS Attack Detection and Prevention System and Method using Hidden Markov Model
Batthalla et al. VoIP profiler: profiling voice over IP user communication behavior
Amanian et al. New method for evaluating anti-SPIT in VoIP networks
Hosseinpour et al. Modeling SIP normal traffic to detect and prevent SIP-VoIP flooding attacks using fuzzy logic
Hosseinpour et al. An anomaly based VoIP DoS attack detection and prevention method using fuzzy logic

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200211