EP1949647A1 - Method, detection device and server device for interpreting a communication received at a communication device - Google Patents


Info

Publication number
EP1949647A1
Authority
EP
European Patent Office
Legal status
Withdrawn
Application number
EP06807286A
Other languages
German (de)
English (en)
Inventor
Jorge Daetz
Holger Lankes
Stephan Schaade
Current Assignee
Unify GmbH and Co KG
Original Assignee
Siemens Enterprise Communications GmbH and Co KG

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • IP: IP-based data network
  • The adoption of IP-based principles brings problems to voice communication systems that were previously known only from computer networks.
  • An IP phone can be attacked by means of a so-called computer virus, a so-called computer worm or a denial-of-service attack and thereby be caused to malfunction. Protection against such attacks is usually provided by a firewall in the data network, which can block unwanted traffic.
  • A firewall, however, is often not optimized to defend against attacks on IP phones.
  • A firewall must also not be configured too restrictively, since the desired exchange of communication should not be hindered.
  • The user is often unaware that his phone uses IP-based methods. He is therefore not at all sensitized to attacks on the phone, since such attacks are largely unknown in traditional telephones based on time-slot-oriented procedures. Consequently, the user usually does not attribute a malfunction of the phone to an attack on the phone.
  • With IP telephones that communicate according to a communication standard subject to a dynamic expansion process, such as the SIP standard (SIP: Session Initiation Protocol), it often happens that the IP telephones acting as communication partners of a connection have not implemented the same protocol scope.
  • SIP: Session Initiation Protocol
  • Protocol elements can then be sent out by a sending IP telephone that are not expected by the receiving IP telephone and that it cannot handle. Again, for a user in such a situation, it is usually not apparent why a feature or function of his IP phone is not performed as desired.
  • Such misconduct is based in particular either on a missing implementation of protocol elements of a communication standard in the IP phone or on an incorrect implementation of those protocol elements.
  • The present invention is therefore based on the object malfunction of a communication
  • detection device with the features of claim 18, and by a server device with the features of claim 19.
  • Communication information that can be read out from or determined from the incoming communication is detected by a detection device that is coupled between the connecting line and the communication device and is assigned one-to-one to the communication device.
  • "One-to-one" here means that exactly one detection device is assigned to each communication device and that a respective detection device provides a service for exactly one communication device. The detection device checks whether the detected communication information matches predetermined data pattern information and/or whether a response message that the incoming communication should trigger from the communication device via the connecting line fails to appear. If the result of the check is positive, the detected communication information is stored. This storage is preferably carried out in the communication device or in a server device.
  • The stored communication information is further read out in the context of a central evaluation performed by a server device, preferably one different from the communication device and preferably central.
  • The connection line is the coupling of the communication device to a communication system, a data network and/or a
  • This coupling can be performed via cable and via radio, for example when coupled via WLAN (Wireless Local Area Network), as a transmission medium.
  • The incoming communication is in particular a packet-switched signaling connection or a packet-switched user data connection, for example according to the SIP protocol (SIP: Session Initiation Protocol) or according to a protocol according to ITU-T Recommendation H.323 (ITU-T: International Telecommunication Union - Telecommunications Standardization Sector).
  • SIP: Session Initiation Protocol
  • ITU-T: International Telecommunication Union - Telecommunications Standardization Sector
  • The incoming communication may be an undesirable attack on the communication device, such as a so-called computer virus, a so-called computer worm, a so-called denial-of-service attack or an attack that generates a buffer overflow in the communication device.
  • The communication device is in particular a packet-oriented communication terminal such as an IP phone or a telephone application running on a workstation (a so-called soft client), a gateway and/or a gatekeeper for packet-oriented voice, video and/or multimedia communication.
  • The communication information is read out or determined from the incoming communication and includes information about which type of data packet the incoming communication is, from which sender it is sent, via which path it reaches the communication device, on which date or at which time it is transmitted and/or which protocol element of a connection it represents. Furthermore, the communication information can be a sequence of binary data of the incoming communication. Rules for determining the communication information can be stored in the detection device in an updatable manner.
  • The data pattern information can likewise be stored in the detection device in an updatable manner and includes comparison values against which the detected communication information can be compared for conformity.
  • The data pattern information is in particular a pattern of a computer virus or worm and/or the sender address of an incoming communication.
  • By checking for conformity, that is, by comparing the communication information with the data pattern information, it can be recognized whether the incoming communication involves a computer virus, a computer worm, an unwanted so-called spam attack, or any other attack.
  • An undesired incoming communication, or a communication that initiates a malfunction, can thus preferably be detected in the detection device.
  • The acquired communication information is stored and provided to a server device for central evaluation.
  • In this way the incoming communication can be analyzed and recorded in a manner specific to the communication device.
  • The communication devices in a communication system can be provided with individual data pattern information and/or rules for acquiring the communication information. Furthermore, due to the central evaluation in the server device, an analysis method spanning the whole communication system can be used for the evaluation.
  • The inventive method can also be used to detect erroneous or missing implementations of protocol elements of a transmission protocol.
  • The absence of a response message is here an indication that the communication device cannot respond appropriately or correctly to a protocol element of the sender, in particular because the communication device does not support a feature that is to be activated by the protocol element.
  • In the case of a missing response message, the incoming communication is therefore logged by the communication device in such a way that the detected communication information is stored if the expected response message fails to appear.
  • It can thus be recognized which communication devices in a communication system do not harmonize with one another and which communication devices require a new software version. This is advantageous in particular when using the SIP protocol, in which a communication device usually reacts to features or protocol elements it does not recognize by not sending an associated acknowledgment message.
  • The evaluation in a server device is particularly advantageous in that both communication-system-wide evaluations and communication-device-specific evaluations can be performed for a plurality of detection devices of a plurality of communication devices.
  • The server device can send a query message to the relevant communication device at regular or irregular intervals; the communication device then transmits the communication information accumulated and stored up to that time. Alternatively, the affected communication devices communicate the stored communication information to the server device independently, at intervals or each time after storing the respective communication information.
  • The server device can analyze misbehavior of communication devices or, alternatively, compile usage statistics of the features of the communication device.
  • The method according to the invention is particularly advantageous in that only communication traffic that has already passed through a firewall in the communication system is analyzed, so that a multi-level security concept can be implemented. Furthermore, the rules for acquiring the communication information and the data pattern information can be distributed and activated electronically in a communication-device-specific manner. In addition, the detection device only analyzes the incoming communication and forwards it unchanged or largely unchanged, so that, in contrast to a firewall, the communication traffic is not altered.
  • Since a central evaluation is carried out by the server device, a malfunction of a plurality of communication devices can be detected and possibly attributed to the same cause.
  • A service employee can easily recognize, by electronically polling the server device, whether a plurality of terminals require a new software level.
  • The server device can automatically send a notification to a computer of the manufacturer of the communication device upon detecting a malfunction of a communication device. In this way, a manufacturer can react quickly to attacks against the communication device or to a faulty implementation of the communication device and then provide corrections.
  • The server device can in particular also be used to distribute new software versions to the communication devices.
  • The server device can be connected to the communication device and to other communication devices and, based on the evaluation, direct the communication devices to block specific ports or to communicate over another port. This makes it easy to respond to an attack on a particular port.
  • The server device can perform the query to the communication device via the connecting line of the communication device, in the same way as the incoming communication arrives.
  • The query is based on IP-based principles.
  • The server device can therefore be integrated with little effort into an existing IP data network, for example a LAN (Local Area Network) of a company or organization.
  • The server device can thus be integrated into an already existing network infrastructure, for example into a gatekeeper, into a registration unit for the communication devices and/or into a gateway.
  • Figure 1 shows the integration of an inventive
  • FIG. 1 is a message flow diagram with the essential
  • Figure 3 is a flowchart with the essential procedural steps in the
  • Figure 1 shows a schematic representation of a communication system for carrying out the inventive method.
  • In this communication system there are a first IP telephone EG1 as a communication device according to the invention, a second IP telephone EG2 and an attack computer AR.
  • The first IP telephone EG1 and the second IP telephone EG2 are IP telephones based on the SIP protocol standard.
  • These two IP telephones EG1, EG2 are connected via an IP network IPN.
  • The connection of the first IP telephone EG1 to the IP network IPN runs via the connection line AL and can be wired or wireless, for example configured via wireless LAN.
  • A connection V between the first IP telephone EG1 and the second IP telephone EG2 takes place via the connection line AL and the IP network IPN and comprises packet-oriented signaling and user data messages, in particular for voice communication.
  • The attack computer AR is also coupled to the IP network IPN, possibly located outside a LAN and coupled to the LAN via an access computer (not shown), and can send attack data packets ADP via this network to the first IP telephone EG1 in order to influence the first IP telephone EG1.
  • The attack data packets ADP and the connection V can in particular represent the inbound communication according to the invention.
  • A server S as a server device according to the invention is coupled to the IP network IPN. Via this coupling, the server S can query, as part of a central evaluation, the communication information stored in the first IP telephone EG1. This polling is performed by the readout unit AE of the server S.
  • The server S includes an evaluation console AK for triggering the central evaluation and a notification service BD for informing other data processing devices (not shown) in the communication system about the central evaluation.
  • The first IP telephone EG1 includes a telephone function device TF and a detection device DE according to the invention coupled to the telephone function device TF.
  • The detection device DE is also coupled directly to the connection line AL and, in addition, to a terminal memory EGDB which can store communication information, rules for the communication information, data pattern information and protocols (logs) generated by the method according to the invention.
  • IP telephones which are queried together with the first IP telephone EG1 by the server S for stored communication information. The data queried from the different IP telephones are stored by the server S in the server database SDB coupled to the server S for further evaluation.
  • A connection V is established between the first IP telephone EG1 and the second IP telephone EG2.
  • The connection V, illustrated as a double arrow, proceeds starting from the second IP telephone EG2 via the IP network IPN, via the connection line AL and through the detection device DE of the first IP telephone EG1 to the telephone function device TF of the first IP telephone EG1.
  • Routers or switches located on the connection path are not shown.
  • The data packets arriving via the connection line AL in the context of the connection V, as incoming communication according to the invention, are analyzed in the detection device DE according to predetermined rules stored in the terminal memory EGDB.
  • The respective protocol elements of the SIP standard are extracted and stored as communication information in a local memory (not shown) or in the terminal memory EGDB.
  • The protocol elements represent features such as call setup, conference call or call forwarding.
  • For a received protocol element, the telephone function device TF sends a respective acknowledgment message back to the second IP telephone EG2 via the detection device DE. If this does not happen and the telephone function device TF sends no response, this is an indication that the corresponding feature or protocol element is not implemented, or not correctly implemented, in the first IP telephone EG1 and was therefore discarded.
  • After receipt and storage of a protocol element from the second IP telephone EG2, the detection device DE analyzes the returning data traffic for a certain period of time after receiving the incoming communication from the second IP telephone EG2 and checks whether a suitable response message to the stored protocol element is sent from the telephone function device TF to the second IP telephone EG2. If an associated response message is still missing after a predefinable period of time, the detection device DE stores the protocol element in the terminal memory EGDB in a local protocol. This local log represents a list of all protocol elements that are not supported by the first IP telephone EG1.
  • The detection device DE directs the user data and signaling traffic in both
  • Further local protocols are stored in respective terminal memories by further IP telephones in the communication system, the protocols being determined by the respective detection devices uniquely assigned to those IP telephones.
  • Thus each IP telephone locally stores which protocol elements the respective IP telephone does not support.
  • The readout unit AE of the server S cyclically and at regular intervals sends a query message A to the respective IP telephones, shown in Figure 1 as a double arrow between the readout unit AE and
  • A detection device DE receiving the query message A transmits its stored local protocol to the readout unit AE.
  • The readout unit AE stores the transmitted local protocols and the communication information contained therein in a common protocol or a common database table in the server database SDB.
  • The stored communication information is thus available for a communication-system-wide evaluation in a central server device, the server S.
  • The evaluation console AK can now be used to perform a manual, central evaluation based on the data stored in the server database SDB. Furthermore, an automatic evaluation by the notification service BD based on the collected data of the server database SDB can be performed at cyclic intervals. As part of the evaluation it can be determined, for example per communication device type, which protocol elements are not supported by a specific device type. These evaluated or filtered data can then be transmitted, for example by the notification service BD, to a computer of the manufacturer of the respective IP telephone. The manufacturer may then correct the firmware or software for the particular IP telephone and provide the correction to the server S for redistribution.
  • The procedure is not restricted to use with IP end devices, but can also be extended to server devices such as gatekeepers or gateways.
  • The server S has the ability to query various information from the respective IP telephones, such as the current software release, the time at which a transmission arrived and the date of the last readout of the terminal memory EGDB.
  • The integration of the detection device DE into the first IP telephone EG1 according to FIG. 1 is advantageous insofar as a negative effect on the signaling or user data traffic can be avoided. In particular, a delay of the connection setup or of the transmission of user data can be prevented.
  • The integration of the detection device DE in the first IP telephone EG1 is further particularly advantageous in that the detection device DE can fall back on hardware and software components of the first IP telephone EG1, such as a receiving unit.
  • A processor of the first IP telephone EG1 can also execute the functions of the detection device DE.
  • Alternatively, the detection device DE could also be coupled outside the first IP telephone EG1 to its communication input.
  • In this way the invention can also be applied to existing, commercial IP phones not adapted to the invention.
  • The detection device DE is further used to detect attacks or obstructions from other computers and to develop coordinated defense strategies within the scope of a central evaluation.
  • For this purpose, patterns are stored in the terminal memory EGDB as data pattern information, against which the incoming communication traffic is compared.
  • A pattern is a byte string representing, for example, the code of a computer virus.
  • An attack computer AR transmits a computer virus packaged in attack data packets ADP to an address specified by an IP address and a port, a so-called socket, of the first IP telephone EG1.
  • The attack data packets ADP are illustrated in FIG. 1 as a directed arrow from the attack computer AR to the detection device DE.
  • The detection device DE of the first IP telephone EG1 receives the incoming attack data packets ADP and determines from them, according to predetermined and/or predefinable rules, one or more items of communication information.
  • This communication information is, for example, IP header content of the attack data packets ADP or a data pattern within the payload area of the attack data packets ADP. In parallel with, or after, reading and/or determining the communication information, the attack data packets ADP are passed on largely immediately to the telephone function device TF. This ensures that no data that may be important to the telephone function device TF is lost.
  • The detection device DE now compares the determined communication information with the predetermined data pattern information and in this way tries to detect a computer virus, a computer worm, spam messages or other unwanted incoming data packets. If there is no match, the detection device DE discards the communication information. If there is a match, the detection device DE creates a local protocol that includes information about this event: in particular which data pattern was detected (for example the name of a computer virus), at which time the data pattern was detected and from which attack computer the incoming attack data packets ADP were transmitted. Thus it can be determined, specific to the communication device, which attacks are carried out on a respective IP telephone, how frequently these attacks occur and from which sources they are carried out.
  • The server S can cyclically and periodically query this stored communication information from the respective IP telephones, in particular the first IP telephone EG1, by means of the readout unit AE and store it in the server database SDB. After being stored in the server database SDB, the communication information of all IP telephones queried in this way in the communication system is available for evaluation by the evaluation console AK or by the notification service BD.
  • Via the evaluation console AK it can in particular be determined statistically over all IP telephones in the communication system which types of attack are performed on the communication system, on which terminals attacks are performed and through which communication paths these attacks are routed. It is particularly relevant via which firewall an attack has passed.
  • The evaluation can be carried out taking predetermined frequency threshold values into consideration. If an increase in the number of attacks is detected, for example, an alarm to an operator of the communication system can be triggered by the notification service BD. In this way, for example, a denial-of-service attack can be recognized, which usually in a short
  • Furthermore, the notification service BD can create a security report and/or initiate a software update from the manufacturer of the IP telephone or of the firewall in the communication system. Furthermore, in the case of repeated attacks on a specific IP telephone, the server S can carry out a new registration of this IP telephone, so that a new communication address, in particular IP address and/or port number, is assigned to it. Furthermore, as a measure against attacks, the server S can instruct the IP telephone by means of a configuration message to perform the communication on another port and to disable the existing port.
  • The data pattern information can also take all permitted protocol elements of a protocol standard into consideration.
  • With this information, for example to determine the frequency of use of features, error analysis for malfunctions of the respective IP telephones can also be facilitated.
  • Preferably, the server S is integrated into existing infrastructure.
  • For example, this is a license server for the IP telephones or a gatekeeper.
  • The integration of the server device according to the invention into an existing server computer advantageously makes it possible to avoid a change in the network infrastructure.
  • The acquisition, detection, checking and storage steps in the detection device can be performed by an independent process or by a stand-alone processor, independently of the processing of the incoming communication in the communication device. This is advantageous in that it can be guaranteed that the analysis of the incoming data stream has no effect on the functionality of the communication device. A blocking of the communication device by the
  • The detection device DE can access several or all protocol layers of an incoming communication as part of the determination of the communication information and the
  • This information can greatly facilitate service personnel in finding and correcting an error in an existing IP telephone.
  • Alternatively, the server S can also remain passive, and the respective IP telephones independently send the communication information to the server S according to a predetermined time or procedure pattern.
  • For this, the address of the server S should be known to the respective IP telephones, so that these messages can be sent to the server S.
  • The transmission of the communication information by the respective communication device is in this case advantageous in that it can respond more quickly to critical actions in the communication system than with regular queries by the server S.
  • FIG. 2 illustrates in a message flow diagram an exchange of messages and/or data to and from the first IP telephone EG1.
  • A time axis runs from top to bottom.
  • Messages are displayed as directed arrows with the arrowhead at the receiver of the respective message.
  • The telephone function device TF and the detection device DE of the first IP telephone EG1, the second IP telephone EG2 and the attack computer AR are arranged horizontally next to each other, each shown as a vertical line for the purpose of illustrating the message traffic.
  • Messages according to the SIP protocol are designated in FIG. 2 by the letter M and a consecutive number.
  • In addition, a possible message number, specified partly by analogy with the SIP protocol, and a name of the message are given.
  • FIG. 2 illustrates a connection setup according to the SIP protocol, initiated by the telephone function device TF of the first IP telephone EG1 by means of a so-called Invite message M1 to the second IP telephone EG2.
  • The second IP telephone EG2 signals the incoming call visually and/or acoustically to a user and confirms it to the telephone function device TF by sending a so-called ringing message M2 with the SIP message number 180.
  • A so-called OK message M3 with the SIP message number 200 is then transmitted to the telephone function device TF.
  • The receipt of the OK message M3 is signaled by the telephone function device TF to the second IP telephone EG2 by means of a confirmation message M4, also called ACK. Subsequently, the payload connection between the telephone function device TF and the second IP telephone EG2 is established.
  • Upon entry or passage of a message, the detection device DE leaves its idle state (state 1 in Figure 3) and analyzes which type of data traffic it is (query 2 in Figure 3).
  • These are SIP protocol elements; in the present exemplary embodiment it is assumed that the detection device DE has no monitoring rules defined for the messages M1 to M4, so these messages are not considered further. In Figure 3, starting from query 2, the path "incoming communication is another SIP data packet" is therefore taken, which leads back to idle state 1.
  • A feature is, for example, the initiation of a conference call between a plurality of communication terminals or a forwarding of the connection to another communication terminal; the features are referred to abstractly as the first feature LM1 and the second feature LM2.
  • Activation of the first feature LM1 is initiated by the second IP telephone EG2 by means of a message M5 transmitted to the telephone function device TF.
  • Message M5 is assigned the designation ACT_LM1 in FIG. 2, as well as the SIP message number 743.
  • When the message M5 passes through the detection device DE at time T1, the detection device leaves its idle state 1, recognizes in query 2 that the incoming communication is a SIP data packet to be monitored and stores the SIP message number 743 in a temporary memory (action 3 in FIG. 3).
  • Furthermore, a timer is started (action 4) and, until the timer expires, the returning message traffic from the telephone function device TF to the second IP telephone EG2 is analyzed (query 5).
  • The first IP telephone EG1 supports the first feature LM1 and responds to the message M5 with an acknowledgment message M6, ACK_LM1, with the SIP message number 744.
  • At this point the time difference Δt1 has elapsed, this time difference Δt1 being shorter than the timer duration.
  • The detection device DE recognizes the received acknowledgment message M6 as an acknowledgment for the message M5 and also recognizes that the timer duration has not yet expired (query 5). It then clears the temporary memory (action 7) and returns to idle state 1.
  • Upon activation of a further feature, the second feature LM2, it is assumed that the first IP telephone EG1 has a software version that does not know this second feature LM2 and cannot implement it. Analogously to message M5, the second IP telephone EG2 now transmits a message M7 for activating the second feature LM2 to the telephone function device TF.
  • In FIG. 2, message M7 is assigned the designation ACT_LM2 and the SIP message number 789.
  • When the message M7 passes through the detection device DE at time T3, the detection device leaves its idle state 1, recognizes in query 2 that the incoming communication is a SIP data packet to be monitored, and stores the SIP message number 789 in the temporary memory (action 3 in FIG. 3).
  • A timer is started (action 4) and, until the timer expires, the returning message traffic from the telephone function device TF to the second IP telephone EG2 is analyzed (query 5).
  • The telephone function device TF receives the message M7 at time T4, but does not know this message M7 and cannot respond to it. No receipt is sent, neither a positive nor a negative one. After expiration of the timer, i.e. after the period Δt2, at time T5 the detection device DE changes from query state 5 to action 6, in which it permanently stores the unacknowledged, temporarily stored protocol element in the terminal memory EGDB and makes it available for evaluation by the server S. Following action 6, the detection device DE can clear the temporary memory (action 7) and return to idle state 1.
  • Finally, an attack data packet ADP from the attacking computer AR is considered. The attack data packet ADP arrives at the detection device DE at time T6 and is forwarded to the telephone function device TF, where it arrives at time T7.
  • Upon receipt of the attack data packet ADP, the detection device DE leaves its idle state 1, analyzes the attack data packet ADP (query 2) and categorizes it as a non-SIP data packet. It then changes to query state 8, in which it checks whether the data packet is standard IP traffic that need not be considered separately, for example a so-called ping request or a configuration message to the first IP telephone EG1. If this is the case, the detection device DE returns to its idle state 1 without further action.
  • Otherwise, a pattern comparison is carried out in query 9, which compares the incoming data packet with known virus patterns and other known attack patterns from the terminal memory EGDB. If no match is found, the detection device DE returns to idle state 1, since the incoming data packet is either not an attack on the first IP telephone EG1 or represents an attack for which no comparison pattern is available as data pattern information. If, on the other hand, a match is found in the pattern comparison, information about the incoming pattern, or the pattern itself, is stored together with further information such as the current time and date in a log file in the terminal memory EGDB (action 10). The detection device DE then returns to idle state 1.
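The state machine of FIG. 3 walked through above (idle state 1, query 2, actions 3 and 4, query 5, actions 6 and 7, queries 8 and 9, action 10), replayed on the FIG. 2 message sequence, as an added Python model that is not part of the patent or of any product of the applicant. The packet model, the `ack_of` field used to tie an acknowledgment to the request it answers, the timer value, the direction convention ("in" = from the connection line towards the terminal side, "out" = back towards the line) and the attack marker byte string are all constructed assumptions; the patent does not say how DE pairs M6 with M5.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed timer duration in the scenario's time units; the patent fixes no value.
TIMER_DURATION = 2.0


@dataclass
class Packet:
    """A data packet as seen by the detection device DE (constructed model)."""
    t: float                      # time at which the packet passes DE
    kind: str                     # "sip" or "ip" (non-SIP)
    direction: str                # "in": line -> terminal side, "out": terminal side -> line
    seq: Optional[int] = None     # SIP message number, e.g. 743
    name: str = ""                # ACT_LM1 / ACK_LM1 for SIP, "ping" / "config" for IP
    ack_of: Optional[int] = None  # assumed field: message number this packet acknowledges
    payload: bytes = b""


@dataclass
class DetectionDevice:
    """State machine of FIG. 3; DE only observes the traffic, it never blocks it."""
    attack_patterns: List[bytes]                                     # pattern information from EGDB
    standard_names: FrozenSet[str] = frozenset({"ping", "config"})  # query 8: plain IP traffic
    pending: Optional[Packet] = None                                 # temporary memory (action 3)
    deadline: Optional[float] = None                                 # timer (action 4)
    egdb: List[Dict] = field(default_factory=list)                   # permanent terminal memory EGDB

    @property
    def state(self) -> str:
        return "idle" if self.pending is None else "waiting"

    def observe(self, pkt: Packet) -> None:
        self.tick(pkt.t)  # query 5, first part: did the timer run out before this packet?
        if pkt.direction == "out":
            # Returning traffic from the terminal side (query 5, second part):
            # is it the acknowledgment for the temporarily stored request?
            if (self.pending is not None and pkt.kind == "sip"
                    and pkt.ack_of == self.pending.seq):
                self._clear()  # action 7: acknowledged in time, nothing to log
            return
        if pkt.kind == "sip":  # query 2: SIP packet to be monitored
            # Only one temporary memory: a second request arriving while DE is
            # still waiting is passed through unmonitored (limitation of this model).
            if self.pending is None:
                self.pending = pkt                       # action 3
                self.deadline = pkt.t + TIMER_DURATION   # action 4
            return
        if pkt.name in self.standard_names:  # query 8: standard IP traffic, ignore
            return
        for pattern in self.attack_patterns:  # query 9: pattern comparison
            if pattern in pkt.payload:
                self.egdb.append({"t": pkt.t, "reason": "pattern_match",
                                  "pattern": pattern})   # action 10: log file entry
                return
        # no match: either harmless or an attack without a known pattern; back to idle

    def tick(self, now: float) -> None:
        """Advance the clock; on timer expiry store the unacknowledged element (action 6)."""
        if self.pending is not None and now >= self.deadline:
            p = self.pending
            self.egdb.append({"t": p.t, "reason": "unacknowledged",
                              "seq": p.seq, "name": p.name})
            self._clear()  # action 7

    def _clear(self) -> None:
        self.pending = None
        self.deadline = None


def replay_fig2_scenario() -> List[Dict]:
    """Replay M5/M6, M7 (never acknowledged) and ADP; return what ended up in EGDB."""
    de = DetectionDevice(attack_patterns=[b"CONSTRUCTED-ATTACK-MARKER"])
    # M5 (ACT_LM1, 743) passes DE at T1; DE goes to waiting.
    de.observe(Packet(t=0.0, kind="sip", direction="in", seq=743, name="ACT_LM1"))
    # M6 (ACK_LM1, 744) returns after delta t1, shorter than the timer: nothing logged.
    de.observe(Packet(t=0.5, kind="sip", direction="out", seq=744, name="ACK_LM1", ack_of=743))
    # M7 (ACT_LM2, 789) passes DE at T3; EG1 does not know LM2 and sends no receipt.
    de.observe(Packet(t=10.0, kind="sip", direction="in", seq=789, name="ACT_LM2"))
    de.tick(13.0)                                      # T5: delta t2 exceeded, action 6
    de.observe(Packet(t=15.0, kind="ip", direction="in", name="ping"))   # query 8: ignored
    # ADP from AR at T6: non-SIP, not standard, matches a stored pattern (action 10).
    de.observe(Packet(t=20.0, kind="ip", direction="in",
                      payload=b"GET /cgi CONSTRUCTED-ATTACK-MARKER"))
    return de.egdb
```

The returned EGDB list contains exactly the two events the description says are worth the server's attention: the unacknowledged message number 789 and the pattern match for ADP. A practitioner extending this would replace the single `pending` slot with a dictionary keyed by message number, since in a real SIP dialog several requests can be outstanding at once.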
  • FIGS. 2 and 3 illustrate how, according to the invention, incoming traffic at a communication terminal can be monitored and logged and made available to a central server device for further evaluation.
  • The invention thus allows the evaluation of whether specific traffic, which type of traffic, and how often such traffic is detected at the communication terminals, without manual involvement of the users of the communication terminals. Furthermore, a missing implementation of features or protocol elements in the communication terminal can be disclosed and recognized. Missing implementations or errors in the security rules can be evaluated in such a way that, based on the evaluation, software corrections for the communication terminal or for a firewall in the communication system are triggered automatically and can possibly also be installed automatically.
  • In this way, the invention allows in particular an analysis of communication problems between communication devices in real operation. This is advantageous because in typical communication systems a variety of different communication devices, or a variety of identical communication devices with different software levels and different protocol support, may be present. Problems of communication devices in real installations can thus be quickly located and corrected.
  • The invention is particularly advantageous for SIP features, since SIP communication devices that do not recognize or do not support an incoming SIP protocol element usually return no receipt to the communication partner, so that protocol elements and/or requests remain unconfirmed. This can be detected by means of the invention as part of the evaluation.
  • Preferably, the data pattern information is regularly recorded or updated, so that the detection device can access an up-to-date set of comparison patterns.
  • Preferably, when importing data pattern information, when querying and/or when transmitting stored communication information, secure mechanisms such as encryption or protection by means of electronic certificates are used, in order to prevent unauthorized monitoring or querying of the communication device by unauthorized persons.
  • The data pattern information may preferably be defined in a description language such as XML (Extensible Markup Language), advantageously using wildcards, so that the data pattern information can be limited to a few concise comparison patterns and a bytewise comparison of long byte sequences can be avoided. Furthermore, the data pattern information can also define the set of permitted or known protocol elements, so that recognition of an unknown protocol element is evaluated as a positive check result in the sense of the invention.
  • In a further development, incoming communication originating from an address outside a predetermined address range can be evaluated separately. This is advantageous in that the data pattern information may then be, for example, simply the so-called netmask of an IP address range.
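The three kinds of data pattern information named in the two points above (wildcard comparison patterns in XML, a set of known protocol elements, and an address range given by its netmask), applied to one incoming packet, as an added Python example that is not part of the patent or of any product of the applicant. The XML element and attribute names (`attack`, `match`, `known-elements`, `local-range`), the sample patterns, the SIP payloads and the addresses are all constructed for this example; wildcards are interpreted with shell-style `*` via `fnmatch`, which is one possible reading of "wildcards" and not something the patent specifies.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed data pattern information. The element and attribute names are
# assumptions made for this example; the patent only states that the information
# may be written in XML, may use wildcards, may list the known protocol elements
# and may name an address range by its netmask.
PATTERN_INFO_XML = """
<pattern-info>
  <attack name="scanner-fingerprint" match="OPTIONS sip:*@*SIP/2.0*User-Agent: constructed-scanner*"/>
  <attack name="bogus-content-length" match="*Content-Length: 999999*"/>
  <known-elements>INVITE ACK BYE CANCEL OPTIONS REGISTER</known-elements>
  <local-range>192.0.2.0/24</local-range>
</pattern-info>
"""


def load_pattern_info(xml_text: str) -> Dict:
    """Parse the XML into the three checks the detection device performs."""
    root = ET.fromstring(xml_text)
    return {
        "attacks": [(a.get("name"), a.get("match")) for a in root.findall("attack")],
        "known": frozenset(root.findtext("known-elements", "").split()),
        "local": ipaddress.ip_network(root.findtext("local-range").strip()),
    }


def sip_method(payload: bytes) -> str:
    """Return the method of a SIP request line, or '' for responses and non-SIP data."""
    first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ")
    # A request line is "METHOD Request-URI SIP/2.0"; responses start with "SIP/2.0".
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return ""
    return parts[0]


def check(info: Dict, src_ip: str, payload: bytes) -> List[str]:
    """Positive check results for one incoming packet; an empty list means nothing to log."""
    findings: List[str] = []
    # latin-1 maps every byte to exactly one character, so the wildcard match
    # works on arbitrary binary payloads without a bytewise comparison loop.
    text = payload.decode("latin-1")
    for name, glob in info["attacks"]:          # wildcard comparison patterns
        if fnmatch.fnmatchcase(text, glob):
            findings.append("pattern:" + name)
    method = sip_method(payload)
    if method and method not in info["known"]:  # unknown protocol element
        findings.append("unknown-element:" + method)
    if ipaddress.ip_address(src_ip) not in info["local"]:  # outside the netmask range
        findings.append("foreign-source:" + src_ip)
    return findings
```

Each finding string is what the detection device would write into the EGDB log file for the server to read out; the address check is deliberately last so that a packet from an unexpected source is still matched against the patterns and not just flagged for its origin.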

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a method, a detection device and a server device for evaluating a communication (V, ADP, M5, M7) received via a connection line (AL) at a communication device (EG1). For this purpose, communication information that can be read from, or defined on the basis of, the received communication (V, ADP, M5, M7) is acquired by the detection device (DE), which is uniquely assigned to the communication device and is arranged between the connection line (AL) and the communication device (EG1). In addition, the detection device (DE) checks whether the acquired communication information matches predetermined data pattern information and/or whether a response message (M6) prompted by the received communication (V, ADP, M5, M7) fails to appear from the communication device (EG1) over the connection line (AL). In the case of a positive check result, the acquired communication information is stored and read out as part of a central evaluation carried out at the server device (S).
EP06807286A 2005-11-18 2006-10-16 Procédé, dispositif de détection et dispositif serveur permettant l interprétation d une communication recue au niveau d'un dispositif de communication Withdrawn EP1949647A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102005055148A DE102005055148B4 (de) 2005-11-18 2005-11-18 Verfahren, Detektionseinrichtung und Servereinrichtung zur Auswertung einer eingehenden Kommunikation an einer Kommunikationseinrichtung
PCT/EP2006/067427 WO2007057267A1 (fr) 2005-11-18 2006-10-16 Procédé, dispositif de détection et dispositif serveur permettant l’interprétation d’une communication recue au niveau d'un dispositif de communication

Publications (1)

Publication Number Publication Date
EP1949647A1 true EP1949647A1 (fr) 2008-07-30

Family

ID=37654906

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06807286A Withdrawn EP1949647A1 (fr) 2005-11-18 2006-10-16 Procédé, dispositif de détection et dispositif serveur permettant l interprétation d une communication recue au niveau d'un dispositif de communication

Country Status (5)

Country Link
US (1) US7746792B2 (fr)
EP (1) EP1949647A1 (fr)
CN (1) CN101326786A (fr)
DE (1) DE102005055148B4 (fr)
WO (1) WO2007057267A1 (fr)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070300304A1 (en) * 2006-06-26 2007-12-27 Nokia Corporation SIP washing machine
EP2112803B1 (fr) * 2008-04-22 2013-12-18 Alcatel Lucent Protection contre des attaques pour un réseau basé sur paquets
US8321926B1 (en) * 2008-12-02 2012-11-27 Lockheed Martin Corporation System and method of protecting a system that includes unprotected computer devices
US8526306B2 (en) * 2008-12-05 2013-09-03 Cloudshield Technologies, Inc. Identification of patterns in stateful transactions
JP2011199847A (ja) * 2010-02-25 2011-10-06 Ricoh Co Ltd 会議システムの端末装置、会議システム
US20110307541A1 (en) * 2010-06-10 2011-12-15 Microsoft Corporation Server load balancing and draining in enhanced communication systems
KR101107739B1 (ko) * 2010-08-03 2012-01-20 한국인터넷진흥원 VoIP 네트워크의 비정상 SIP 트래픽 탐지 시스템 및 그 탐지 방법
US8953471B2 (en) * 2012-01-05 2015-02-10 International Business Machines Corporation Counteracting spam in voice over internet protocol telephony systems
CN105722226A (zh) * 2012-06-26 2016-06-29 电信科学技术研究院 一种数据处理方法、装置及系统
US11196611B1 (en) * 2017-08-24 2021-12-07 National Technology & Engineering Solutions Of Sandia, Llc Systems and methods for electronic communication with a device using an unknown communications protocol

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6499107B1 (en) 1998-12-29 2002-12-24 Cisco Technology, Inc. Method and system for adaptive network security using intelligent packet analysis
IL152502A0 (en) 2000-04-28 2003-05-29 Internet Security Systems Inc Method and system for managing computer security information
US7254832B1 (en) * 2000-08-28 2007-08-07 Nortel Networks Limited Firewall control for secure private networks with public VoIP access
JP3593039B2 (ja) * 2001-01-22 2004-11-24 松下電器産業株式会社 誤り及び同期検出装置並びに方法
CA2465127A1 (fr) * 2001-11-16 2003-05-30 Cetacea Networks Corporation Procede et systeme de detection et de mise hors fonction de sources d'inondation de paquets du reseau
US20040111632A1 (en) 2002-05-06 2004-06-10 Avner Halperin System and method of virus containment in computer networks
DE10226744B4 (de) * 2002-06-14 2005-05-04 T-Mobile Deutschland Gmbh Content- und Security Proxy in einem Mobilkommunikationssystem
US7716725B2 (en) 2002-09-20 2010-05-11 Fortinet, Inc. Firewall interface configuration and processes to enable bi-directional VoIP traversal communications
US7228564B2 (en) * 2003-07-24 2007-06-05 Hewlett-Packard Development Company, L.P. Method for configuring a network intrusion detection system
BRPI0417358B1 (pt) * 2003-12-05 2018-12-11 Blackberry Ltd aparelho e método para controlar tráfego não-solicitado destinado a um dispositivo de comunicação sem fio
JP4616020B2 (ja) * 2005-01-27 2011-01-19 富士通株式会社 ネットワーク監視プログラム及びネットワークシステム
JP4454516B2 (ja) * 2005-02-16 2010-04-21 富士通株式会社 障害検出装置
US7486625B2 (en) * 2005-07-01 2009-02-03 Net Optics, Inc. Communications network tap with link fault detector

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2007057267A1 *

Also Published As

Publication number Publication date
WO2007057267A1 (fr) 2007-05-24
US20090252029A1 (en) 2009-10-08
US7746792B2 (en) 2010-06-29
CN101326786A (zh) 2008-12-17
DE102005055148A1 (de) 2007-05-24
DE102005055148B4 (de) 2008-04-10

Similar Documents

Publication Publication Date Title
DE102005055148B4 (de) Verfahren, Detektionseinrichtung und Servereinrichtung zur Auswertung einer eingehenden Kommunikation an einer Kommunikationseinrichtung
EP2005699B1 (fr) Procédé pour l'interception légale en cas de transfert d'appels dans un réseau de communication orienté par paquets
DE102005020098B4 (de) Verfahren und System zum Zuweisen von Teilnehmeridentifizierungsdaten zu Netzwerkübertragungsereignissen und Computerprogrammprodukt
DE102019210229A1 (de) Verfahren und Vorrichtung zur Analyse dienste-orientierter Kommunikation
EP3799379B1 (fr) Procédé et système de communication à base d'ip permettant de changer les instances de commande de connexion sans nouvel enregistrement des abonnés finaux
DE102019210224A1 (de) Vorrichtung und Verfahren für Angriffserkennung in einem Rechnernetzwerk
DE102006012439A1 (de) Verfahren und Vorrichtungen zur Vermeidung einer fehlerhaften Klassifizierung von erwünschten Nachrichten als Spam over Internet Telephony-Nachrichten, abgekürzt SPIT-Nachrichten, in einem Kommunikationsnetzwerk
EP1430693B1 (fr) Procede et dispositif de mise en oeuvre d'une application de pare-feu pour des donnees de communication
EP1400063B1 (fr) Test de communication tolerant aux erreurs
DE102006014594A1 (de) Verfahren zum Wiederherstellen einer mit IPsec kryptographisch gesicherten Verbindung
EP1771993B1 (fr) Procede pour surveiller un echange de messages, ainsi qu'une premiere et qu'une seconde unite de reseau pour mettre ledit procede en oeuvre
DE102019210225A1 (de) Verfahren und Vorrichtung zur Analyse dienste-orientierter Kommunikation
EP1618704B1 (fr) Procede et programme de commande permettant de faire fonctionner un terminal de communication pour la transmission de donnees orientee paquets
EP2681890B1 (fr) Procédé de communication et composants dans un réseau de communication
EP1560393B1 (fr) Dispositifs and méthode pour la vérification de l'authenticité et de l'autorisation d'un message de demande
DE102019210223A1 (de) Vorrichtung und Verfahren für Angriffserkennung in einem Rechnernetzwerk
EP2649751B1 (fr) Procédé et système de surveillance d'un système de communication
EP3439259B1 (fr) Durcissement d'un appareil de communication
WO2007107473A1 (fr) Procédé et dispositif de détection d'abonnés expéditeurs de messages indésirables par telephonie internet (spam over internet telephony ou spit) dans un réseau de communication ip
EP1981293B1 (fr) Procédé pour détecter des appels et équipements associés
DE102008045790B4 (de) Verfahren und Kommunikationsnetz zum mehrfachen Umleiten einer Kommunikationsverbindung
DE10152010B4 (de) Erkennung und Abwehr von unbefugtem Eindringen in ein Kommunikationsnetz
DE60319859T2 (de) Sicherheitsverwaltungsverfahren für eine integrierte einrichtung eines netzwerks
DE60225875T2 (de) Zugangskontrollegateway zu einem Aktiven Netzwerk
DE102006035834A1 (de) Analyseeinheit für ein paketvermittelndes Kommunikationsnetz

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20080411

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): DE FR GB IT SE

DAX Request for extension of the european patent (deleted)
RBV Designated contracting states (corrected)

Designated state(s): DE FR GB IT SE

17Q First examination report despatched

Effective date: 20090917

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20100330