CN111556013A - Method for discovering VoIP malicious behavior under complex large flow - Google Patents


Info

Publication number
CN111556013A
Authority
CN
China
Prior art keywords
account
called
calling
call
voip
Prior art date
Legal status
Pending
Application number
CN202010213472.0A
Other languages
Chinese (zh)
Inventor
孙旭东
张成伟
黄远
李舒
孙晓晨
杜梅婕
刘发强
李钊
Current Assignee
Institute of Information Engineering of CAS
National Computer Network and Information Security Management Center
Original Assignee
Institute of Information Engineering of CAS
National Computer Network and Information Security Management Center
Application filed by Institute of Information Engineering of CAS and National Computer Network and Information Security Management Center

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention discloses a method for discovering malicious VoIP behaviors under complex large flow, which comprises the following steps: 1) screening out VoIP call signaling from network flow; 2) screening VoIP call signaling by using a set filtering threshold to find out suspicious network flow; 3) extracting historical call signaling data of each called account in suspicious network traffic, comparing the call behavior characteristics of the called account obtained through statistical analysis with corresponding threshold values, and determining whether the called account is attacked maliciously. The method can comprehensively and finely detect the complex real-time data stream, fully excavate historical data, effectively detect the VoIP malicious behavior, and better cope with the VoIP malicious behavior with high complexity and high imperceptibility.

Description

Method for discovering VoIP malicious behavior under complex large flow
Technical Field
The invention relates to a method for discovering malicious VoIP behaviors under complex large flow, belonging to the technical field of computer networks.
Background
With the development of network convergence and the popularization of IP telephones, people have more and more means of communication, and this increase also brings many new security threats to IP telephony. Malicious occupation of the VoIP speech path has become a new attack means. The attack is a meaningless, continuous, forced VoIP malicious behavior initiated by an attacker against a called user in order to occupy the called user's line and interfere with the called user's normal conversations. Once a called user is attacked, the user's voice channel is completely blocked, which seriously affects the user's freedom of communication and peace of life.
At present, much research exists on finding VoIP malicious behaviors, but the discovery and detection methods are mostly based on specific data sets, have weak generalization capability, and cannot be applied well to real-time detection under complex large flow.
VoIP stands for Voice over Internet Protocol. It has the notable advantages of low cost and low deployment difficulty and is widely used in voice communication services today; although it brings good development opportunities, it also faces many security problems, such as call hijacking and spoofed messages. With the convergence of networks, these security problems begin to extend into circuit-switched networks, so that voice sessions of the originally closed Public Switched Telephone Network (PSTN) can also be maliciously occupied by illegal users.
The malicious behavior of VoIP differs from a DoS (denial of service) attack in the traditional sense. Firstly, the main attack targets differ: a traditional DoS attack mainly aims at transmission bandwidth or the available resources of a server, while VoIP malicious behavior mainly aims at damaging a user's call completion rate, which shows in two ways: either a session cannot be established normally (the user cannot make or receive calls normally), or an established session cannot sustain a normal conversation. Secondly, the mechanisms differ: a traditional DoS attack sends a large number of attack messages by exploiting protocol flaws, or uses a large number of hosts against the same target (transmission bandwidth or a server), whereas VoIP malicious behavior is reflected in continuous calling behavior along the time axis, and a single host can completely block one telephone end user, which undoubtedly gives attackers richer means and opportunities. Network convergence reduces the cost of VoIP malicious behavior; an attacker basically need not consider attack cost and can repeatedly try various attack means. Once the called side of a VoIP system lacks protection against such behavior, the user's telephone line is blocked for a long time, the user cannot answer legitimate calls normally, and the user's freedom of communication and peace of life are seriously affected, so VoIP malicious behavior causes more obvious harm.
The behavior characteristics of an attacker carrying out VoIP malicious behavior have some similarity to those of an attacker making spam calls (SPIT): both show a high calling frequency and short calling intervals. The difference is that in VoIP malicious behavior the attacker generally does not hang up actively, in order to occupy the called speech path for as long as possible, and may initiate continuous calls against only one called party; a spam caller generally hangs up after delivering the spam message and moves on to another called party, in order to reach as many called parties as possible. Because the attacker's purpose differs between the two attack forms, the called user's call behavior characteristics also differ. Under VoIP malicious behavior a called user is generally attacked continuously, and the called user's call rejection rate is high within a given period; under spam calls the rejection rate of a single called user is not necessarily high within a given period. Thus, spam call detection methods can serve as inspiration but cannot be adopted without modification.
The existing detection methods for spam calls mainly comprise list-based discrimination, reputation-based filtering, Turing tests and computational puzzles, and behavior analysis based on statistical information; the advantages and disadvantages of these mainstream detection methods are analyzed and summarized below.
1) List-based discrimination
Lists fall into three categories: blacklist, whitelist and greylist. When the list is checked, if the calling account is on the blacklist the call is rejected directly; if it is on the whitelist the call is accepted; if it is on the greylist further discrimination is needed.
List-based discrimination requires the type of an account to be determined in advance: if an attacker is not on the blacklist, the attacker can still attack the called user until added to the blacklist; the whitelist has the opposite problem, since legitimate calls not on the whitelist may be blocked; the greylist is a dynamic process of learning and discrimination. The advantages of list-based discrimination include:
a) the method is simple to implement, can quickly judge and consumes less system resources;
b) the whole VoIP system architecture does not need to be changed, and only the list needs to be placed on the proxy server;
c) the protocol need not be changed.
2) Reputation based filtering
The filtering based on the reputation requires a system similar to a community network, users communicating with each other in the community give reputation values to each other, and the satisfaction degree of one-time communication is judged. In each call, the called user decides whether to answer the call according to the reputation value of the calling user.
Compared with other detection methods, reputation-based filtering is more complex to implement, and its quality depends on users' judgment of each call, so attackers can register several accounts and call each other to raise their own reputation values. This method can only mitigate the harm of spam calls to some extent.
3) Turing test and computational puzzle
The Turing test is essentially the same as the computational puzzle, and the system provides some tests to the call originator, who needs to answer correctly to prove the validity of his identity.
The Turing test and computational puzzle method requires, on the one hand, some change in the protocol and, on the other hand, is very unfriendly to the caller. The method has the advantages that the whole VoIP system architecture does not need to be changed, the test can be implemented on the proxy server, and the participation of a called user is not needed.
4) Behavioral analysis from statistical information
Behavior analysis based on statistical information mainly collects users' signaling messages, restores call data records through signaling analysis, and stores the call records as historical data for later analysis. This method requires a period of historical call accumulation, and detection accuracy depends entirely on the analysis of the call data. Its advantages are that analysis is carried out on the server side, no user participation is needed, and neither the protocol nor the VoIP system architecture is changed.
With the further deepening of network convergence and the popularization of IP phones, the number of VoIP malicious behaviors increases and the attack forms become more diversified. It is therefore important to research VoIP malicious behaviors under complex large flow and the corresponding detection and discovery methods, so as to prevent large numbers of VoIP malicious behaviors, reduce their damage to legitimate users, keep legitimate users' voice channels unobstructed, and detect and intercept VoIP malicious behaviors in time by appropriate means.
The existing detection methods are not suited to accurately detecting the source of VoIP malicious behavior in time. They cannot balance real-time performance and accuracy: online detection is generally list- or reputation-based, depends heavily on background data and generalizes poorly, while offline detection may achieve higher accuracy but has poor real-time performance and in particular cannot meet the need for real-time detection under TB-level flow.
Disclosure of Invention
The invention aims to provide a method for discovering malicious VoIP behaviors under complex large flow. The invention provides a method for discovering VoIP malicious behaviors from large-scale, distributed and asymmetric passive flow, the complex large flow exists in a national or regional large gateway, the gateway has the characteristics of TB-level flow, cross-domain deployment, asymmetric routing, complex flow and the like, and massive distributed communication data brings huge challenges to fine-grained malicious behavior discovery.
The method comprises the steps of firstly screening original VoIP call signaling in online flow, carrying out primary screening on the call signaling by utilizing a filtering threshold, and quickly finding out suspicious flow from a large amount of call flow; and then starting fine analysis, extracting historical call signaling data of the called account in the suspicious flow, performing detailed statistical analysis to obtain call behavior characteristic parameters, and finally analyzing whether the called account is attacked maliciously to realize real-time discovery of the VoIP maliciousness.
The technical scheme of the invention is as follows:
a method for discovering VoIP malicious behaviors under complex large flow comprises the following steps:
1) screening out VoIP call signaling from network flow;
2) screening VoIP call signaling by using a set filtering threshold to find out suspicious network flow;
3) extracting historical call signaling data of each called account in suspicious network traffic, comparing the call behavior characteristics of the called account obtained through statistical analysis with corresponding threshold values, and determining whether the called account is attacked maliciously.
Further, step 3) is carried out when the call data of a called account has accumulated to the called-times threshold or an integer multiple of it; or if one call meets the filtering threshold, step 3) is performed; and if the same called account has received the i-th call and the (i + 1)-th call meets the filtering threshold condition, the called account is judged not to be attacked maliciously.
Further, the method for screening out suspicious network traffic comprises the following steps. First, the VoIP call signaling is analyzed: if the call ending mode is busy, the VoIP call signaling is non-suspicious network flow; if the call ending mode is normal ending, timeout or rejection, it is further judged whether the called account in the VoIP call signaling is a new called account, namely whether the called account already exists in a hash table. If the called account is new, a new hash table item is initialized recording the relevant information of the called account, including the called account, call start time, call end time and called times, and the called-call record identifier is set to true. If the called account already exists in the hash table, the difference between the call ending time and the call initiating time of the called account is calculated, and it is judged whether this time difference meets the preset filtering threshold condition; if so, the VoIP call signaling is suspicious network flow, and the called-call record identifier of the called account is examined: if the identifier is false, step 3) is performed and the hash table is updated, with the called times of the called account set to 1, the first call time of the called account set to the initiation request time in the VoIP call signaling, the session ending time set to the current system time, and the called-call record identifier set to true; if the identifier is true, the hash table is updated, with the first call start time of the called account set to the initiation request time in the VoIP signaling data and the call ending time set to the current system time. If the interval between the two adjacent calls of the called account does not meet the filtering threshold condition, the hash table is updated, with the called times of the called account set to the current called times plus 1, the call ending time set to the current system time, and the called-call record identifier set to false.
Further, the method for judging whether the called account is attacked maliciously comprises the following steps:
31) acquiring a called history record of the called account in a time window of the first call starting time and the current called call ending time in the hash table, then calculating according to the acquired call history record to obtain the number of calling accounts calling the called account, judging whether the number is smaller than a threshold value of the number of call sources, and if the number is smaller than the threshold value of the number of call sources, performing step 32); if the number of calling sources of the called account is greater than or equal to the threshold value of the number of calling sources and the voice channel occupancy rate of the called account is less than the threshold value of the called voice channel occupancy rate, counting the calling times and the calling voice channel occupancy rate of all calling sources, namely calling accounts, in the time window respectively, and if the calling times of the calling accounts are not greater than the threshold value of the calling times, judging the calling accounts as suspicious accounts; if the calling times of the calling account are larger than the calling time threshold and the calling session occupancy rate of the calling account is not larger than the calling session occupancy rate threshold, the calling account is judged as a suspicious account; otherwise, the calling account is judged as a malicious calling initiating account;
32) calculating the average observation duration of each calling account and the called account, and if the average observation duration of the calling account and the called account is less than a set average observation duration threshold value, performing step 33); otherwise, judging whether the number of times that the calling account calls the called account is larger than a set calling number threshold value, if so, judging the calling account as a suspicious account, otherwise, judging the calling account as a normal account;
33) judging whether the number of times the calling account has called the called account is greater than the set calling-times threshold; if so, go to step 34); otherwise, judging whether the rejection ratio of the calling account is greater than the rejection ratio threshold, and if so, judging the calling account to be a suspicious account, otherwise a normal account;
34) judging whether the rejection ratio of the calling account is greater than the rejection ratio threshold; if so, judging the calling account to be a malicious call initiating account, otherwise a suspicious account.
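The decision procedure of steps 31) to 34), together with the blacklist/grey list assignment the claims describe afterwards, as an added worked example in Python. This is not code from the patent or its applicants. The patent names the thresholds but gives no values, so the values in `Thresholds` are constructed; it also does not define the rejection ratio or the occupancy rate in the text shown here, so this example assumes a rejection is a call ending in reject or timeout, and an occupancy rate is the time the speech path was held divided by the window length. The case of many call sources with a high called-channel occupancy is not covered by the steps and is assumed to be normal traffic. The call history and account names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MALICIOUS, SUSPICIOUS, NORMAL = "malicious", "suspicious", "normal"


@dataclass(frozen=True)
class CallHistory:
    """One historical call record of a called account (constructed format)."""
    calling: str
    called: str
    ring_start: int   # seconds; the observation duration runs from ringing to the end
    end: int
    end_mode: str     # "normal", "timeout" or "reject"


@dataclass(frozen=True)
class Thresholds:
    """Constructed threshold values; the patent names the thresholds, not their values."""
    call_sources: int = 10          # number of distinct calling accounts
    called_occupancy: float = 0.5   # called voice channel occupancy rate
    calling_count: int = 5          # calling-times threshold
    calling_occupancy: float = 0.3  # calling session occupancy rate
    avg_observation: float = 30.0   # average observation duration, seconds
    rejection_ratio: float = 0.6


def observation(rec: CallHistory) -> int:
    return rec.end - rec.ring_start


def is_rejection(rec: CallHistory) -> bool:
    # Assumption: an explicit reject and ringing out to timeout both count as rejections.
    return rec.end_mode in ("reject", "timeout")


def fine_analysis(history, window_start, window_end, th=Thresholds()):
    """Steps 31-34: classify every calling account that called within the window."""
    window_len = max(window_end - window_start, 1)
    recs = [r for r in history if r.ring_start >= window_start and r.end <= window_end]
    per_caller = defaultdict(list)
    for r in recs:
        per_caller[r.calling].append(r)

    def occupancy(calls):
        # Assumption: occupancy rate = time the speech path was held / window length
        return sum(observation(r) for r in calls) / window_len

    verdicts = {}
    # Step 31: many call sources while the called channel is mostly free
    if len(per_caller) >= th.call_sources:
        if occupancy(recs) < th.called_occupancy:
            for caller, calls in per_caller.items():
                if len(calls) <= th.calling_count or occupancy(calls) <= th.calling_occupancy:
                    verdicts[caller] = SUSPICIOUS
                else:
                    verdicts[caller] = MALICIOUS
        else:
            # not covered by the steps; assumed to be ordinary busy traffic
            verdicts = {caller: NORMAL for caller in per_caller}
        return verdicts

    # Steps 32-34: few call sources, judge each caller on its own behaviour
    for caller, calls in per_caller.items():
        n = len(calls)
        avg_obs = sum(observation(r) for r in calls) / n
        rej_ratio = sum(is_rejection(r) for r in calls) / n
        if avg_obs >= th.avg_observation:                  # step 32: long calls
            verdicts[caller] = SUSPICIOUS if n > th.calling_count else NORMAL
        elif n <= th.calling_count:                        # step 33: short but few
            verdicts[caller] = SUSPICIOUS if rej_ratio > th.rejection_ratio else NORMAL
        else:                                              # step 34: short and frequent
            verdicts[caller] = MALICIOUS if rej_ratio > th.rejection_ratio else SUSPICIOUS
    return verdicts


def build_lists(verdicts):
    """Malicious initiators go to the blacklist, suspicious accounts to the grey list."""
    black = sorted(c for c, v in verdicts.items() if v == MALICIOUS)
    grey = sorted(c for c, v in verdicts.items() if v == SUSPICIOUS)
    return black, grey


# Constructed history for one called account inside a one-hour window.
VICTIM = "sip:victim@example.net"
ATTACKER = "sip:atk@example.org"
SAMPLE_HISTORY = (
    [CallHistory(ATTACKER, VICTIM, 100 + 40 * i, 108 + 40 * i, "reject") for i in range(7)]
    + [CallHistory(ATTACKER, VICTIM, 380, 400, "timeout"),
       CallHistory("sip:friend@example.net", VICTIM, 600, 720, "normal"),
       CallHistory("sip:friend@example.net", VICTIM, 2000, 2100, "normal"),
       CallHistory("sip:colleague@example.net", VICTIM, 900, 1000, "normal"),
       CallHistory("sip:colleague@example.net", VICTIM, 1500, 1510, "reject")]
)
# Ten distinct callers each placing one short rejected call: exercises the step 31 path.
MANY_SOURCES = [CallHistory(f"sip:c{i}@example.org", VICTIM, 100 + 100 * i, 120 + 100 * i, "reject")
                for i in range(10)]

if __name__ == "__main__":
    verdicts = fine_analysis(SAMPLE_HISTORY, 0, 3600)
    print(verdicts, build_lists(verdicts))
    print(fine_analysis(MANY_SOURCES, 0, 3600))
```

Running it classifies the attacker (eight short calls, all rejected or timed out) as a malicious call initiating account via step 34), leaves the two occasional callers normal via step 32), and marks all ten single-call sources in the second history as suspicious via step 31).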
Further, the call behavior characteristics include average observation duration, call times, rejection ratio and speech path occupancy rate.
Further, the calling account with the average observation duration smaller than the set average observation duration threshold value, the calling times larger than the set calling times threshold value and the rejection ratio higher than the rejection ratio threshold value is determined as the account initiated by the VoIP malicious behavior.
Further, the calling account with the calling times larger than the set threshold value of the calling times and the calling session occupancy rate larger than the threshold value of the calling session occupancy rate is determined as the initiating account of the VoIP malicious behavior.
Further, adding the account number for initiating the VoIP malicious behavior into a blacklist, adding the suspected account number into a grey list, and transmitting the blacklist and the grey list to a corresponding defense interception system to intercept or limit the VoIP malicious behavior.
Further, determining the value of the filtering threshold according to the maximum historical idle time and the maximum historical speech channel occupation time; and if one idle time or one speech path occupation time of the calling account is less than or equal to the filtering threshold, judging that the calling account is the VoIP malicious behavior initiating account.
A server, comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for carrying out the steps of the above method.
Compared with the prior art, the invention has the following positive effects:
aiming at the problem that the VoIP malicious behavior is difficult to find in real time and analyze in fine granularity due to mass communication data in a complex high-speed network environment, the invention develops the VoIP malicious behavior finding method based on VoIP user call behavior characteristic analysis under complex large flow, can carry out comprehensive and detailed detection on complex real-time data flow, fully excavates historical data, effectively detects the VoIP malicious behavior, and better deals with the VoIP malicious behavior with high complexity and high concealment.
Drawings
FIG. 1 is a schematic diagram of a filtering threshold selection method;
FIG. 2 is a flow chart of a screening process;
FIG. 3 is a process flow diagram of a method of fine analysis.
Detailed Description
The technical solution of the present invention is further described in detail below with reference to the accompanying drawings.
The invention relates to a VoIP malicious behavior discovery method based on VoIP user call behavior characteristic analysis under complex large flow. For a VoIP malicious behavior process, the user call behavior has the following characteristics:
1) each call is actively initiated by an attacker, but almost all session end requests are made by the called user;
2) the voice channel of an attacker is usually unidirectional: the attacker generally only places calls and rarely receives them;
3) because the called user can hang up the phone soon after being attacked, the single call time of one-time VoIP malicious behavior is very short;
4) in order to continuously occupy the called speech channel, once the called user hangs up, the attacker immediately makes the next call, which results in high frequency of calls and short interval between calls. Correspondingly, the called user shows high ringing frequency;
5) after the called user is continuously attacked, the called user can directly refuse to receive the call or simply ignore the call until the ringing is overtime. Therefore, the attacked called user will appear to refuse to accept the call for a large number of times.
The discovery method based on VoIP calling behavior characteristic analysis provided by the invention is an efficient method of screening first and then fine analysis, can be combined with list judgment and detection, and has higher real-time performance of detection and discovery.
The general idea of the detection method based on the call behavior characteristic analysis is as follows: firstly, original VoIP call signaling in online received flow is screened, preliminary screening is carried out on the call signaling by utilizing a filtering threshold, and suspicious flow is quickly found out from a large amount of call flow; and then starting fine analysis, extracting historical call signaling data of the called account in the suspicious flow, carrying out detailed statistical analysis to obtain call behavior characteristic parameters, and finally determining whether the called account is attacked or not. The following describes a detection method based on call behavior feature analysis in detail.
First, screening
The main screening function comprises two aspects, namely filtering or accumulating the call data according to a filtering threshold; and secondly, triggering the fine analysis, namely starting the fine analysis when the call data reaches a certain amount. To better describe the screening method, this section first gives two definitions of terms.
Definition 1: the speech path occupation duration refers to a time period from the beginning of a call to the end of the call;
Definition 2: the idle duration refers herein to the period between the end of the last call and the beginning of the present call.
1. Filter threshold selection
The relationship between a calling party and a called party is related to the conversation time and the conversation frequency of the calling party and the called party, the longer the conversation time between the calling party and the called party is, the more important the matters are explained to a certain extent, and the more closely the two people are related; the higher the call connection frequency between the two is, the more closely the two people are related to a certain extent.
Therefore, for a certain called party, if the situation that the idle time is long for a plurality of times continuously occurs, it indicates that the called party's telephone channel is in an idle state for most of the time, and is not disturbed, and there is no malicious behavior of VoIP for the called account; if the continuous multiple speech path occupation time is long, the call answered by the user is a normal call, and no abnormity exists, because for the malicious behavior of the VoIP, the user cannot answer for a long time, and the speech path occupation time is short.
The following assumptions are made about what does not constitute VoIP malicious behavior:
Assumption 1: multiple idle durations greater than a maximum idle duration (e.g., 15 minutes) are not considered VoIP malicious behavior;
Assumption 2: multiple speech path occupation durations greater than the maximum speech path occupation duration (e.g., 6 minutes) are not considered VoIP malicious behavior.
The behavior of each called subscriber consists of alternating idle durations and speech path occupation durations, as shown in FIG. 1.
The minimum filtering threshold is the sum of the maximum idle duration and the maximum session occupancy duration (e.g., 21 minutes). Further obtaining: if an idle duration or a session occupancy duration is greater than a filtering threshold, then it is not considered a VoIP malicious activity.
It is also easy to see that the larger the filtering threshold, the less data is filtered out and the more data is left for analysis; conversely, the smaller the filtering threshold, the more data is filtered out and the less data is left for analysis. After a filtering threshold is selected, the call data is either filtered or accumulated: call data exceeding the filtering threshold is filtered out, and call data within the filtering threshold is accumulated.
2. Fine analysis trigger condition
The screening method has two modes for triggering the fine analysis: one triggers when the accumulated call data reaches the called-times threshold, and the other triggers the fine analysis when the call data has not reached a multiple of the called-times threshold (for example, 5 times) but a certain call already meets the filtering threshold condition, namely a possible VoIP malicious behavior has finished. "Multiple" means the fine analysis can be triggered repeatedly: for example, at 5 calls one fine analysis is triggered, the count is not cleared, and when it reaches 10 another fine analysis is triggered.
In the second triggering mode, there is a special case that a called party receives a call, and the second call meets the filtering threshold condition, which is common in reality and is not considered as a malicious behavior of VoIP, so for the special case, the detailed analysis is not triggered.
3. Screening process flow
In order to rapidly process call data, a hash table data structure is introduced to match a called account, and entries of the hash table include: the starting time of the first call, the called account number, the called times in the set time of the called party, the record mark of the called party and the ending time of the current called party. The called record flag is initially true to resolve the special case that occurred in the previous section. The specific processing flow of the screening method is shown in FIG. 2.
The screening method first receives VoIP signaling call data in real time and parses it, then judges the call ending mode. If the call ending mode is busy, processing of this call signaling data is finished and the screening goes on to receive the next call signaling data. If the call ending mode is normal ending, timeout or rejection, it is further judged from the parsed call signaling data whether the called account is a new called account, namely whether the called account is in the hash table of the screening method. If the called account is newly received, a new hash table item is initialized, that is, the relevant information of the called account is added to the screening hash table: the called account is set to the called account in the signaling data, the first call start time is set to the initiation request time in the signaling data (namely the start time of the current session of this called account in the current VoIP call signaling), the current call end time is set to the current system time, the called times is set to 1, and the called-call record identifier is set to true. Otherwise, if the called account already exists in the hash table, the difference between the end time of the current call and the initiation time of the first call of the called account is calculated, namely the sum of the called account's speech path occupation time and the adjacent idle time, and it is judged whether this time meets the preset filtering threshold condition. If the filtering threshold condition is met, the called-call record identifier is examined: if the identifier is false, the called account is not currently receiving a call, a trigger message is sent to the fine analysis module to start fine analysis for accurate detection, and the screening hash table is updated, with the called times set to 1 again, the first call time set to the initiation request time in the signaling data of the current call, the session end time set to the current system time and the called-call record identifier set to true, after which the screening goes on to receive the next call signaling data; if the identifier is still true, that is, the special case described above, the screening hash table is updated by setting the first call start time to the initiation request time in the signaling data and the current call end time to the current system time, and the screening goes on to receive the next signaling data. If the interval between the two call endings does not meet the filtering threshold condition, the screening hash table is updated by setting the called times to the current called times plus 1, the end time of this call to the current system time and the called-call record identifier to false; it is then judged whether the accumulated called times has reached a multiple of the called-times threshold (for example, 5 times), and if so a trigger message is sent to the fine analysis module to start fine analysis for accurate detection; otherwise processing of this call signaling data ends and the screening goes on to receive the next call signaling data.
From this processing flow it can be seen that the sliding time window of the screening method is adjusted dynamically and that the called count threshold is multi-level. This greatly reduces the processing load of the fine analysis method and, at the same time, lets fine analysis start sooner, so that accounts exhibiting VoIP malicious behavior are found as early as possible. After fine analysis is triggered for the first time by the called count threshold, two outcomes are possible. If fine analysis finds an account with VoIP malicious behavior, the interception system can intercept that account; the next call to the called party then exceeds the filtering threshold, the start of the time window moves later and the window becomes smaller. If fine analysis does not find a VoIP malicious behavior account, the called count keeps accumulating and the end of the time window moves later; when the called count reaches the threshold for the second time, the enlarged window contains more data to analyse, which makes it easier to find the VoIP malicious behavior account.
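The screening flow described above, implemented in Python over a constructed signaling stream as an added illustration (this is not code from the patent). The filtering threshold value of 300 s, the use of each record's end time as the "current system time", and the reading of "meets the filtering threshold condition" as "the span from the first call start to the end of this call exceeds the threshold" are assumptions; the called count threshold of 5 is the page's own example value.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Trigger = Tuple[str, float, float]  # (called account, window start, window end)


@dataclass
class CalledEntry:
    """One screening hash table entry, keyed by the called account."""
    first_call_start: float  # initiation request time of the first call in the window
    last_call_end: float     # end time of the most recent call ("current system time")
    called_count: int
    record_flag: bool        # true right after the entry is created or the window is reset


class Screener:
    def __init__(self, filter_threshold: float, count_threshold: int = 5) -> None:
        self.filter_threshold = filter_threshold  # seconds; assumed value, see lead-in
        self.count_threshold = count_threshold    # the page's example value is 5
        self.table: Dict[str, CalledEntry] = {}
        self.triggers: List[Trigger] = []

    def process(self, called: str, request_time: float, end_mode: str, now: float) -> Optional[Trigger]:
        """Handle one parsed signaling record; return a fine analysis trigger or None."""
        if end_mode == "busy":  # busy endings are dropped without touching the table
            return None
        entry = self.table.get(called)
        if entry is None:  # new called account: initialise its entry
            self.table[called] = CalledEntry(request_time, now, 1, True)
            return None
        # Span from the first call start to this call's end (occupied plus idle time).
        # Assumption: "meets the filtering threshold condition" means the span exceeds it.
        if now - entry.first_call_start > self.filter_threshold:
            trigger = None
            if not entry.record_flag:  # calls accumulated since the last reset: analyse them
                trigger = (called, entry.first_call_start, now)
                self.triggers.append(trigger)
                entry.called_count = 1
            # Either way the window restarts at this call; a lone call after a long gap
            # is not treated as an attack (claim 2).
            entry.first_call_start = request_time
            entry.last_call_end = now
            entry.record_flag = True
            return trigger
        # Inside the window: accumulate and test multiples of the called count threshold.
        entry.called_count += 1
        entry.last_call_end = now
        entry.record_flag = False
        if entry.called_count % self.count_threshold == 0:
            trigger = (called, entry.first_call_start, now)
            self.triggers.append(trigger)
            return trigger
        return None


# Constructed signaling stream: (called, initiation request time, end mode, end time), seconds.
SIGNALING = [
    ("B", 0, "normal", 5), ("B", 10, "reject", 12), ("B", 20, "busy", 21),
    ("B", 30, "timeout", 60), ("B", 70, "normal", 75), ("B", 80, "reject", 82),
    ("B", 90, "normal", 95), ("C", 100, "normal", 105),
    ("B", 1000, "normal", 1005), ("B", 2000, "normal", 2005),
]


def run_demo() -> Screener:
    """Replay the constructed stream; each record's end time stands in for the system clock."""
    screener = Screener(filter_threshold=300.0)
    for called, request_time, end_mode, end_time in SIGNALING:
        screener.process(called, request_time, end_mode, now=end_time)
    return screener
```

The replay produces two triggers for "B": one when the fifth call reaches the count threshold and one when the call at t=1000 arrives after the 300 s span has been exceeded; the final call at t=2000 only restarts the window.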
Second, fine analysis
The fine analysis mainly uses the collected call records to compute call-related statistics and from them produces a judgment on each calling account. These statistics include the average observation duration, the number of calls, the rejection ratio and the speech path occupancy rate. To describe the fine analysis method more precisely, this section first defines these statistics.
Definition 1: The observation duration is the time from the start of ringing to the end of the call (timeout, rejection or normal hang-up);
Definition 2: The average observation duration is the ratio of the sum of all observation durations of calls from calling subscriber A to called subscriber B within a given time window to the number of calls from A to B in that window;
Definition 3: The rejection ratio is the ratio of the number of calls from calling subscriber A to called subscriber B whose observation duration is shorter than a set value (15 seconds), plus the number of timed-out calls and the number of rejected calls, to the total number of calls from A to B;
Definition 4: The speech path occupancy rate is the ratio of the total duration for which the speech paths of a given calling or called party are occupied to the size of the time window.
It is not hard to see that, over many calls between a calling and a called party, the shorter the average observation duration, the worse the relationship between the two; the higher the rejection ratio, the worse the relationship; the higher the called party's speech path occupancy rate, the more congested the called speech path; and the higher the calling party's speech path occupancy rate, the more frequently the calling party calls. The detailed processing flow of the fine analysis method is shown in Fig. 3.
After receiving a trigger message from the screening module, the fine analysis method takes the time window spanning the first call start time and the current called call end time from the hash table entry and extracts from the database the called call history matching the called account named in the trigger message. From this history it calculates the number of calling accounts that called the called account and judges whether this number is smaller than the calling source count threshold. If it is, the method goes on to calculate, for each calling account, the average observation duration with the called account, the number of times the calling account called the called account and the rejection ratio of that calling account, and compares them with the preset average observation duration threshold, call count threshold and rejection ratio threshold to obtain a judgment for each calling account. Otherwise, if the number of calling sources of the called account is greater than or equal to the calling source count threshold and the speech path occupancy rate of the called account is below the called speech path occupancy threshold, the method counts, within the time window, the call count and the calling speech path occupancy rate of every calling source (calling account) and compares them with the preset call count threshold and calling speech path occupancy threshold to obtain a judgment for each calling account. Once the judgments for the accounts are obtained, a corresponding list is generated.
In the fine analysis method, accounts judged to initiate VoIP malicious behavior can be placed on a blacklist and suspected accounts on a grey list; the lists are passed to the corresponding defense interception system so that the VoIP malicious behavior can be intercepted and limited.
From the detailed processing flow of the fine analysis method it can be seen that when the number of calling sources is large, calls whose called speech path is congested are handled preferentially, which relieves the load on the system.
In addition, two types of calls are relatively easy to distinguish:
A. calls with a short average observation duration, a high call count and a high rejection ratio, whose calling account can be judged to be a VoIP malicious behavior initiating account;
B. calls with a high call count and frequent calling (a high calling speech path occupancy rate), whose calling account can likewise be judged to be a VoIP malicious behavior initiating account.
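The statistics of Definitions 1 to 4 and the per-caller judgment rules of the fine analysis described above (the same rules that claim 4 spells out as steps 31 to 34), implemented in Python over a constructed call history as an added example; this is not code from the patent. All threshold values other than the 15 s short-call limit, the dictionary-based result format, and the reading of the rejection ratio as the share of calls that were short, timed out or rejected (each call counted once) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed call history for called account "B" inside the window [0, 600] seconds.
# Record layout: (calling account, called account, ring start, call end, end mode).
WINDOW = (0, 600)
CALL_HISTORY: List[Tuple[str, str, float, float, str]] = (
    [("spammer", "B", 10 * i, 10 * i + 3, m)
     for i, m in enumerate(["reject", "reject", "timeout", "normal", "normal"])]
    + [("friend", "B", 100, 160, "normal"), ("friend", "B", 300, 360, "normal")]
    + [("persistent", "B", 50 + 120 * i, 140 + 120 * i, "normal") for i in range(4)]
    + [("shy", "B", 400, 405, "normal"), ("shy", "B", 500, 505, "normal")]
)

@dataclass(frozen=True)
class Thresholds:
    """Assumed threshold values; the page fixes only the 15 s short-call limit."""
    short_call: float = 15.0       # definition 3: calls shorter than this count as failed
    avg_duration: float = 15.0
    call_count: int = 3
    rejection_ratio: float = 0.5
    source_count: int = 10         # distinct calling accounts at which the branch switches
    called_occupancy: float = 0.5
    calling_occupancy: float = 0.5

def caller_statistics(records, window, short_call=15.0) -> Dict[str, Dict[str, float]]:
    """Definitions 1 to 4 per calling account, over the calls that fall inside the window."""
    w_start, w_end = window
    per_caller = defaultdict(list)
    for caller, _called, start, end, mode in records:
        if w_start <= start and end <= w_end:
            per_caller[caller].append((end - start, mode))  # def. 1: observation duration
    stats = {}
    for caller, calls in per_caller.items():
        n, total = len(calls), sum(d for d, _ in calls)
        # Assumption: a call that is short AND rejected/timed out is counted once, not twice.
        failed = sum(1 for d, m in calls if d < short_call or m in ("timeout", "reject"))
        stats[caller] = {"count": n, "avg": total / n,        # def. 2: average observation duration
                         "rej": failed / n,                   # def. 3: rejection ratio
                         "occ": total / (w_end - w_start)}    # def. 4: calling speech path occupancy
    return stats

def fine_analysis(records, window, th: Thresholds = Thresholds()) -> Dict[str, str]:
    """Judge each calling account as normal, suspicious or malicious (claim 4, steps 31 to 34)."""
    stats = caller_statistics(records, window, th.short_call)
    called_occ = sum(s["occ"] for s in stats.values())       # def. 4: called speech path occupancy
    verdict: Dict[str, str] = {}
    if len(stats) < th.source_count:                         # few calling sources: steps 32 to 34
        for caller, s in stats.items():
            many = s["count"] > th.call_count
            rejected = s["rej"] > th.rejection_ratio
            if s["avg"] < th.avg_duration:
                if many:
                    verdict[caller] = "malicious" if rejected else "suspicious"
                else:
                    verdict[caller] = "suspicious" if rejected else "normal"
            else:
                verdict[caller] = "suspicious" if many else "normal"
    elif called_occ < th.called_occupancy:                   # many sources, called path not congested: step 31
        for caller, s in stats.items():
            busy_caller = s["count"] > th.call_count and s["occ"] > th.calling_occupancy
            verdict[caller] = "malicious" if busy_caller else "suspicious"
    # Many sources and a congested called path: the page gives no rule, so nothing is judged.
    return verdict
```

With the default thresholds the four callers fall into the few-sources branch ("spammer" malicious, "persistent" and "shy" suspicious, "friend" normal); lowering `source_count` switches the same history to the occupancy-based branch of step 31.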
Although specific details of the invention, algorithms and figures are disclosed for illustrative purposes, these are intended to aid in the understanding of the contents of the invention and the implementation in accordance therewith, as will be appreciated by those skilled in the art: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed herein, but rather should be defined only by the scope of the appended claims.

Claims (10)

1. A method for discovering VoIP malicious behaviors under complex large flow comprises the following steps:
1) screening out VoIP call signaling from network flow;
2) screening VoIP call signaling by using a set filtering threshold to find out suspicious network flow;
3) extracting historical call signaling data of each called account in suspicious network traffic, comparing the call behavior characteristics of the called account obtained through statistical analysis with corresponding threshold values, and determining whether the called account is attacked maliciously.
2. The method of claim 1, wherein step 3) is performed when the accumulated call data of a called account reaches the called count threshold or an integer multiple of the called count threshold, or when one call meets the filtering threshold condition; and if the same called account has received an i-th call and the (i+1)-th call meets the filtering threshold condition, the called account is judged not to be under malicious attack.
3. The method of claim 1, wherein suspicious network traffic is screened out as follows: the VoIP call signaling is first parsed; if the call ending mode is busy, the VoIP call signaling is non-suspicious network traffic; if the call ending mode is normal ending, timeout or rejection, it is further judged whether the called account in the VoIP call signaling is a new called account, that is, whether the called account already exists in a hash table; if the called account is a new called account, a new hash table entry is initialised, recording the relevant information of the called account, including the called account, the call start time, the call end time and the called count, and the called call record identifier is set to true; if the called account already exists in the hash table, the difference between the call end time and the call initiation time of the called account is calculated, and if the time difference meets the preset filtering threshold condition, the VoIP call signaling is suspicious network traffic; the called call record identifier of the called account is then judged: if the identifier is false, step 3) is performed and the hash table is updated, setting the called count of the called account to 1, the first call time of the called account to the initiation request time in the VoIP call signaling, the session end time to the current system time and the called call record identifier to true; if the called call record identifier of the called account is true, the hash table is updated, setting the first call start time of the called account to the initiation request time in the VoIP signaling data and the call end time to the current system time; and if the interval between two adjacent calls of the called account does not meet the filtering threshold condition, the hash table is updated, setting the called count of the called account to the current called count plus 1, the call end time to the current system time and the called call record identifier to false.
4. The method of claim 3, wherein the method for determining whether the called account is attacked by malicious attacks comprises:
31) acquiring the called history record of the called account within the time window from the first call start time to the current called call end time in the hash table, then calculating from the acquired call history record the number of calling accounts that called the called account, and judging whether the number is smaller than the calling source count threshold; if it is smaller than the calling source count threshold, performing step 32); if the number of calling sources of the called account is greater than or equal to the calling source count threshold and the speech path occupancy rate of the called account is less than the called speech path occupancy threshold, counting, within the time window, the call count and the calling speech path occupancy rate of every calling source, namely every calling account; if the call count of a calling account is not greater than the call count threshold, judging the calling account to be a suspicious account; if the call count of the calling account is greater than the call count threshold and its calling speech path occupancy rate is not greater than the calling speech path occupancy threshold, judging the calling account to be a suspicious account; otherwise, judging the calling account to be a malicious call initiating account;
32) calculating the average observation duration of each calling account and the called account, and if the average observation duration of the calling account and the called account is less than a set average observation duration threshold value, performing step 33); otherwise, judging whether the number of times that the calling account calls the called account is larger than a set calling number threshold value, if so, judging the calling account as a suspicious account, otherwise, judging the calling account as a normal account;
33) judging whether the number of times that the calling account calls the called account is greater than a set calling number threshold value or not; if yes, go to step 34), otherwise, judge whether the rejection ratio of the caller is greater than the rejection ratio threshold value, if yes, judge the caller account number as suspicious account number, otherwise, judge the caller account number as normal account number;
34) and judging whether the rejection ratio of the calling is greater than the rejection ratio threshold value, if so, judging the calling account as a malicious call initiating account, and otherwise, judging the calling account as a suspicious account.
5. The method of claim 1, wherein the call behavior characteristics include average observed duration, number of calls, rejection ratio, and occupancy of a speech path.
6. The method of claim 5, wherein a calling account with an average observed duration less than a set average observed duration threshold, a calling number greater than a set calling number threshold and a rejection ratio greater than the rejection ratio threshold is determined as a VoIP malicious behavior originating account.
7. The method of claim 1, wherein a calling account with a call count greater than a set call count threshold and a calling speech path occupancy rate greater than a calling speech path occupancy threshold is determined to be a VoIP malicious behavior originating account.
8. The method of claim 4, 6 or 7, wherein the accounts that initiate VoIP malicious behavior are added to a blacklist, the suspected accounts are added to a grey list, and the blacklist and the grey list are transmitted to a corresponding defense interception system to intercept or limit the VoIP malicious behavior.
9. The method of claim 1, wherein the filtering threshold value is determined according to a maximum historical idle duration and a maximum historical speech path occupancy duration; and if one idle time or one speech path occupation time of the calling account is less than or equal to the filtering threshold, judging that the calling account is the VoIP malicious behavior initiating account.
10. A server, comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for carrying out the steps of the method of any one of claims 1 to 9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010213472.0A CN111556013A (en) 2020-03-24 2020-03-24 Method for discovering VoIP malicious behavior under complex large flow

Publications (1)

Publication Number Publication Date
CN111556013A true CN111556013A (en) 2020-08-18

Family

ID=72003718

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826735A (en) * 2022-04-25 2022-07-29 National Computer Network and Information Security Management Center VoIP malicious behavior detection method and system based on heterogeneous neural network technology
CN114826735B (en) * 2022-04-25 2023-11-03 National Computer Network and Information Security Management Center VoIP malicious behavior detection method and system based on heterogeneous neural network technology

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945006A (en) * 2010-09-03 2011-01-12 University of Electronic Science and Technology of China Detection method of abnormal call
CN108540634A (en) * 2017-03-06 2018-09-14 China Mobile Group Beijing Co., Ltd. A kind of malicious call detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200818