KR101089269B1 - Attack Detection Method And System with Secure SIP Protocol - Google Patents

Abstract

The present invention relates to an attack detection method and system using a secure SIP protocol providing a security function, wherein a plurality of clients are provided with a proxy (SIP: Session Initiation Protocol) protocol firewall through a wired / wireless communication network. (Proxy) In the SIP protocol-based attack detection system that provides a security function in connection with the server, the SIP firewall 24 is a SIP packet filtering module 242 for filtering the input communication packet, the filtered communication packet IP / MAC authentication module 244 for authenticating IP or MAC, session classification module 246 for classifying sessions of communication packets authenticated by the IP / MAC authentication module 244, and session classification module 246 SIP key identification and generation module 254 for extracting the communication packet passed through the) to check the SIP key and generate the session key, the central control unit 240 for controlling the overall device, the session Classify and analyze the communication packets passing through the flow module 246 in the SIP state table 264, create a SIP session, check the session state through the SIP formal model unit 256, and encrypt / decrypt when negotiated. The SIP analysis module 252 checks the state through the algorithm 258 and blacklists or outputs a packet to the blacklist storage unit 266, and includes various formal models. SIP formal model unit 256 that operates in conjunction with 252, and the encryption / decryption algorithm 258 that operates in conjunction with the SIP analysis module 252 to encrypt or decrypt communication packets in response to various types of attacks, Characterized in that made.

SIP, Session Key, Encryption, Decryption

Description

Attack Detection Method and System with Secure SIP Protocol that Provides Security Functions

The present invention relates to an attack detection method and system using a secure SIP protocol providing a security function, and more particularly, to detect a SIP packet flooding attack by monitoring the SIP status code to solve the SIP vulnerability The present invention relates to a method and system for detecting an attack using a secure SIP protocol that effectively provides a security function of an SIP protocol by presenting a protocol for which authentication and security functions are enhanced for SIP packets.

SIP protocol-based VoIP services are rapidly increasing in number due to convenience and low communication costs. However, because the SIP protocol transmits text header information in the form of UDP, it can be easily forged, and since it does not provide authentication function for the sender, it is very vulnerable to SIP packet flooding attack by malicious attacker.

SIP  Protocol analysis

Session Initiation Protocol (SIP) is a technology that can create, delete and change multimedia communication sessions such as video and text including voice, and is a technology adopted by the Internet Engineering Task Force (IETF). SIP has several advantages over H.323 protocol and is widely used at a high speed.

The SIP session establishment and communication process begins with the user registering with the proxy server. SIP Proxy Server (not shown) is a server that handles call connection and release requests from users.

1 is a general diagram of a packet flow of a SIP communication process according to the prior art.

SIP messages consist of text-based messages. In detail, the message structure of the existing HTTP language type is used. The categories and types of messages are shown in Table 1.

When the flow of these messages is expressed in order using a diagram, it can represent the session state flow of the SIP protocol as shown in FIG. 2.

SIP  Vulnerability analysis

The SIP protocol has many advantages, but at the same time, current SIP services have many vulnerabilities. As described above, the biggest vulnerability of the SIP protocol is that text-based packets using UDP or TCP protocols are used, and when an attacker freely modifies / deletes the packets and transmits them, various types of service malfunction and disconnection are performed. Such attacks occur.

3 is a tool that can typically attack by scanning SIP server and client and modifying / deleting packets accordingly (SiVus tool).

4 is a tool for testing vulnerabilities of target users and proxy servers. The tool also generates thousands or tens of thousands of messages and tests them for vulnerabilities.

In addition, the attacker can attack the SIP protocol by using existing attack tools such as Wireshark and get the information he / she wants. Also, the attacker can easily modify / delete the packet to interrupt the normal service. The resulting problem could be any attack, including DoS attacks such as SIP mass spamming, SIP packet forgery attacks, and bulk duplicate packet transmission. Therefore, additional security functions must be provided to ensure authentication and secure SIP communication, guarantee the QoS of service, and provide SIP service without service delay like other existing technologies.

Currently, there are many security mechanisms for solving the above problems, but it is still insufficient to respond immediately to new attacks. In addition, there is a problem that does not solve the problem of delay and overload of the system. Therefore, in order to solve the weaknesses of the SIP protocol, it is necessary to improve the security function through a method and system that provides encryption and authentication functions for packets to SIP protocol.

An object of the present invention is to detect a SIP packet flooding attack by monitoring the SIP status code in order to solve the SIP vulnerability as described above, and to provide a protocol with enhanced authentication and security for SIP packets.

It is another object of the present invention to analyze a state information and quickly classify an attack causing a security breach, and to perform a technique for efficiently detecting abnormal behavior and a stateful information based analysis technique between each user and the Proxy Server. It is to provide a secure SIP environment through authentication of.

Another object of the present invention is to analyze the status information to solve this existing problem, to ensure the communication of the secure SIP protocol, to ensure the individual authentication and data integrity of each user, and a security function to ensure a secure session An object of the present invention is to provide an attack detection method and system using a secure SIP protocol.

According to a preferred embodiment of the present invention for achieving the above object, the attack detection method using a secure SIP protocol providing a security function is the SIP (Session Initiation Protocol) protocol through a plurality of clients through a wired or wireless communication network In the attack detection method using a secure SIP protocol that provides a secure security function that communicates with a proxy server having a firewall,

A first step of filtering an input packet to check SIP packets and authenticating users using a black list and session keys for each user;

After classifying each user's session, the user authenticates the user through the verification step with the key table by separating the actual SIP packet and the user's key, and at the same time, the SIP state table is passed through the SIP analysis step. ) To update the current status information in

A third step of checking whether or not normal status information comes by comparing / analyzing real-time status information based on SIP formal model, and a third step of verifying whether a packet has passed; and

A fourth step of outputting a packet by checking a negotiation state step and negotiating a necessary algorithm by referring to a public algorithm table in a SIP firewall if applicable;

Including,
During call setup for client-to-client communication, and SIP firewall repeats the user authentication step by verifying each user's unique session key, and delivers a new session key that combines the session keys of the two users who requested the call connection. Characterized in that.

According to still another aspect of the present invention, a plurality of clients communicate with a proxy server having a proxy server having a SIP (Session Initiation Protocol) protocol firewall through a wired or wireless network. In the attack detection system using a secure SIP protocol providing a function,

The SIP firewall

SIP packet filtering module for filtering the input communication packet,

IP / MAC authentication module for authenticating the IP or MAC of the filtered communication packet,

A session classification module for classifying sessions of the communication packet authenticated by the IP / MAC authentication module;

SIP key identification and generation module for extracting the communication packet passed through the session classification module to verify the SIP key and generate a session key,

Central control unit for controlling the overall device,

Classify and analyze the communication packets that have passed through the session classification module, store them in a SIP state table, create a SIP session, check the state of the session through the SIP formal model unit, and check the state through encryption / decryption algorithms when negotiated. SIP analysis module for blacklisting or outputting packets to list storage,

SIP formal model unit having a variety of formal (formal) model operating in conjunction with the SIP analysis module,

It works with the SIP analysis module and includes an encryption / decryption algorithm for encrypting or decrypting a communication packet in response to various encryption algorithms,
During call setup for client-to-client communication, and SIP firewall repeats the user authentication step by verifying each user's unique session key, and delivers a new session key that combines the session keys of the two users who requested the call connection. An attack detection system using a secure SIP protocol is provided.

As described above, according to the attack detection method using the secure SIP protocol that provides the security function according to the present invention, a SIP attack detection system is established to actively manage SIP sessions, and user authentication is applied to enhance security functions. This solves the vulnerability of SIP protocol.

The technique proposed in the present invention solves the security vulnerabilities in the existing SIP protocol and enables the secure packet transmission and reception with minimal traffic transmission delay and minimizes the problems such as service delay and overload of the server in the SIP proxy server. It works.

The SIP Firewall proposed in the present invention also solves the problem of overloading the existing SIP server and has the effect of quickly solving the message and user authentication problem by managing the key for each user by applying Kerberos.

Hereinafter, a method and system for detecting an attack using a secure SIP protocol providing a security function according to the present invention will be described in detail with reference to the accompanying drawings.

6 is a view showing the flow of the SIP protocol according to the present invention, Figure 7 is a view showing a user key registration process before communication in the SIP protocol according to the present invention, Figure 8 is a SIP protocol in accordance with the present invention 9 is a view showing a flow of registration using a user key, Figure 9 is a view showing a user authentication and registration process using a user key in the SIP protocol according to the present invention, Figure 10 is a call in the SIP protocol according to the present invention 11 is a diagram illustrating an authentication step when a setup request is made, and FIG. 11 is a diagram illustrating a call setup process of a user authenticated in an SIP protocol according to the present invention, and FIG. 13 is a view showing the authentication packet structure of the SIP protocol according to the present invention 14 is a diagram schematically showing the overall system structure to which the SIP protocol according to the present invention is applied, and FIG. 15 is a diagram showing an SPI formal state model in the SIP protocol according to the present invention. 16 is a block diagram showing the entire module configuration of the secure IP-based SIP firewall in the SIP protocol according to the present invention, Figure 17 is a comparative analysis process of the SIP packet encryption / decryption in the SIP protocol according to the present invention 18 is a block diagram illustrating a SIP firewall structure of an attack detection system using an SIP protocol according to the present invention.

Full protocol structure

The system structure proposed by the present invention adds a SIP Firewall to an existing SIP communication environment as shown in FIG. 6, and can check status information in real time and negotiate an encryption / decryption algorithm with an authentication module to provide secure SIP communication. A secure SIP protocol was designed by applying the steps. As a result, we propose a secure SIP protocol that can communicate while guaranteeing the integrity of data through the negotiation process of real-time status information, authentication information, and encryption algorithm that did not exist in the existing SIP, and also works through the SIP firewall with minimal changes to the existing SIP protocol. We solved the problem of service delay while distributed processing.

Stateful / Secure SIP protocol proposed in the present invention, in order to solve the fundamental problem of the SIP protocol as described above, the preparation step, authentication verification, negotiation step is required in detail for each step.

The Kerberos protocol is an authentication service developed as part of MIT's Athena project. It is used for user authentication in a distributed network environment when using workstations. It is a technique used to cope with packet spoofing, forgery, and retransmission attacks by using a previously used algorithm such as symmetric key algorithm. Kerberos uses an authentication medium called a ticket and supports all types of cryptography. The Kerberos protocol performs authentication as a third party authentication service as shown in FIG. The assumption that Kerberos does not rely on the authentication of the host operating system, is not based on trust in host addresses, does not require the actual security of all hosts on the network, and can read, modify, and insert packets that traverse the network at any time. Provides a means to verify identity under

Term definition ( Notation Definition )

Table 2 shows the terminology for understanding the protocol proposed by the present invention.

Key registration and SIP Registry  step

The technique proposed in the present invention is a technique applied to the SIP protocol by applying the Kerberos protocol and simplifying it. The first step in getting started with fast and secure communications is the preparation phase for user authentication and secure call setup. As shown in FIG. 7, a process of registering private keys of offline users.

As shown in FIG. 7, each of Client A (10-1N) and B (10-2N) can register key {Ka, Kb} securely with SIP Firewall in advance without going through network environment. do. Also, by using the key registered through this process, each user can exchange the pre-authentication step and secure connection through the SIP Firewall before requesting the server for various registration and call requests between himself and the server. After the above steps, the user can perform a secure call setup and register step as shown in FIG. 8 through a real-time authentication process. In addition, if the authentication key of each user does not match, it is possible to solve the overload problem of the SIP Proxy Server 22 by blocking the actual registration in the SIP Firewall.

In the present invention, each user (10-1N, 10-2N) as shown in Figure 9 through the previously exchanged key as shown in FIG. 7 proposed to securely set up and connect through their keys. In addition, in order not to interfere with the SIP communication environment and speed as much as possible, as shown in FIG. 9, by eliminating unnecessary parts of the entire packet, only the necessary information for authentication is encrypted through each user's key. The time of decryption is also saved.

SIP  Call setup step

There is a step of requesting through the Invite step to make a call (RTP / RTCP) with the counterpart user during the SIP communication process. Among the existing SIP vulnerabilities, the attacker (10-3N) is one of the most intrusive steps to modify / delete the message. Therefore, in the present invention, in order to prevent such attacks in advance, an authentication step is added to the existing protocol by using the user-specific key described in the previous step. Referring to FIG. 10 showing the SIP protocol flow proposed in the present invention, the SIP firewall 24 and the user can be assured of reliable communication with each other by adding a user authentication step to an existing protocol.

As in the registration step and in FIG. 10, a reliable SIP communication environment is proposed by encrypting a part of a packet for a secure connection between each user and a SIP firewall when making an Invite call setup request and other call setup. Call setup also saves time by encrypting / decrypting only a portion of the packet in order to minimize delay of SIP service (see FIG. 11).

RTP Of RTCP  Communication phase

In the present invention, in order to prepare for secure RTP communication, as shown in FIG. 12, a special session key of only two users can be delivered through a SIP firewall in a call setup step (Ringing) of RTP / RTCP communication. This is a preliminary countermeasure against packet delay in consideration of the precondition that SIP communication is UDP communication. As shown in FIG. 12, each call is repeated when the user establishes each session by verifying the unique session key of each user at the SIP firewall, and each Kab, which is a new session key combining the session keys of the two users who requested the call connection, is repeated. To the user.

When each user checks the key for communication, the two users can send the encrypted part of the packet as shown in Figure 12, and each decryption step can check whether the packet is from an abnormal user or a normal user.

Equation 1 above is a process of generating a new Kab by combining each user's private keys Ka and Kb and receiving each other through a SIP firewall. α includes TS (current time) and TD (valid time of key).

SIP Firewall helps authenticated users to share by encrypting separately so that each user can decrypt Kab's session key.

In addition, if it is confirmed that the key exchange is securely exchanged for a more secure SIP communication environment, the negotiation step for the selection of the proposed symmetric key algorithm and the length of the key through the negotiation stage (Negotiation) before the call starts Based on this, RTP communication is performed. In addition to the two information currently included in α, additional information can also be added.

Equation 3 above is a process in negotiation after exchanging session key Kab. In this step, the encryption algorithm and the length of the plaintext to be encrypted / decrypted are selected using random values. When the encryption algorithm and length to be used in the RTP / RTCP communication stage are determined, communication is performed using this.

Session key  Switch-based user authentication and data integrity guarantee

The key used in the present invention is a key which has a key for each user and a session key generated for communication when two users request a call connection. Through these two keys, a part of the packet is encrypted and compared, and through this, a scheme is proposed to ensure normal user authentication and data integrity at the same time. 13 is an authentication packet structure proposed in the present invention. As in the description, part of SIP Header, SDP packet is copied and encrypted by user key and added to the back of packet to check whether it is the correct user in SIP Firewall and authenticate. In addition, through the generated session key and the encryption algorithm determined in the negotiation step, the RTP / RTCP communication packet is partially encrypted to verify the authentication step and the integrity of the data.

The above-mentioned parts are also shown in FIG. 13. By encrypting only a part of the packet, which is a method different from the existing SIP encryption / decryption protocols, and comparing / analyzing the existing packet, it is possible to ensure more secure communication through whether the packet has been tampered with and authenticated to a normal user.

Attack detection and response mechanism

The system structure proposed by the present invention proposed a method of minimizing changes in the existing SIP communication environment and maintaining the existing method as much as possible, as shown in FIG. (1) SIP user who applied the existing SIP communication equipment and authentication module of SIP communication packet. (2) SIP Firewall which manages, checks and delivers user keys. Therefore, through this structure, it is possible to check the status information between each user and the server from time to time, check the key for each user, and verify the authenticity of each call request and the integrity of each message.

The module proposed in the present invention stores and manages SIP protocol state information between the client and the server in order to detect more secure and efficient attacks. After performing the user authentication process, as shown in FIG. 15, the SIP Formal State is compared / analyzed in consideration of the user authentication step added in the present invention, and the normal state information is maintained and analyzed in real time.

In addition, as shown in Figure 15 by inserting the authentication step for each step that did not exist in the existing more stable SIP communication is possible.

16 is a diagram illustrating the entire module configuration of the SeureSIP-based SIP Firewall proposed in the present invention. A step of referring to the authentication for each user, the inspection of the normal status information packet, and the encryption / decryption algorithm table for RTP communication is performed.

-Step 1: Checking whether there is a SIP packet through the filtering step and authenticating a user using a black list and session keys for each user.

Step 2: After performing the Session Classification step of each user, the user authenticates the user through Verification step with the key table by separating the actual SIP packet and the user's key. At the same time, it updates the current state information in the SIP State Table through the SIP Analysis step.

-Step 3: comparing / analyzing real time status information based on SIP Formal Model to check whether normal status information is coming and verifying whether the packet has passed.

Step 4: Check the Negotiation state step and negotiate the necessary algorithm by referring to the open algorithm table in the SIP Firewall, if applicable.

Through the above module, it is possible to proactively defend / respond to existing attacks by examining whether the user is normally authenticated and whether the packet contains normal status information.

In addition, it is determined that a packet that disturbs or does not match such a flow is an attack, and updates information so that it can be blocked in advance in the next case through a real-time BlackList registration process.

18 is a block diagram illustrating a SIP firewall structure of an attack detection system using an SIP protocol according to the present invention.

Referring to FIG. 18, the SIP firewall 24 is

SIP packet filtering module 242 for filtering the input communication packet,

IP / MAC authentication module 244 for authenticating the IP or MAC of the filtered communication packet,

A session classification module 246 for classifying sessions of the communication packet authenticated by the IP / MAC authentication module 244,

SIP key identification and generation module 254 for extracting the communication packet passed through the session classification module 246 to verify the SIP key and generate a session key,

Central control unit 240 for controlling the overall device,

Classify and analyze the communication packets that have passed through the session classification module 246 and store them in the SIP state table 264, create a SIP session, and check the session state through the SIP formal model unit 256 to encrypt when negotiated. SIP analysis module 252 for checking the status through the decoding / decryption algorithm 258 and blacklisting or outputting packets to the blacklist storage unit 266,

SIP formal model unit 256 having a variety of formal (formal) model to operate in conjunction with the SIP analysis module 252,

It operates in conjunction with the SIP analysis module 252 and includes an encryption / decryption algorithm 258 for encrypting or decrypting a communication packet in response to various types of references.

Guaranteed stability

Stateful / Secure SIP protocol proposed through the present invention is a countermeasure mechanism proposed to solve the existing problems and to supplement the SIP authentication vulnerability.

Detection and response to tampering attacks in SIP messages

As explained earlier, the packets of the existing SIP protocol are in text format. This is the biggest advantage and the disadvantage is that it is easy to modify and delete the attack. In the present invention, a method for detecting and responding to an underlying tampering attack of a SIP message is presented. There are a few major variations of SIP messages. The attacker modifies the information needed to direct the packet to his IP, or modifies and inserts the status information (Cancel, Bye) that is interrupted in the middle of communication to interrupt normal service. In the present invention, as shown in FIG. 16, a part of the SIP communication packet is encrypted and compared / analyzed by the SIP firewall to check whether the packet has been tampered with. Therefore, as a result of contrasting important parts, an abnormal user can detect an attack by checking whether it has been modified / modulated and update it on a blacklist to proactively respond to the next attack.

In addition, even when sending a large amount of messages, such as SIP Message Flooding attacks to interfere with the normal service, it is determined by mapping with the normal state information patterns of Figs. 16 and 14 above to determine and respond to the attack. The problem of the SIP Register Message Flooding attack, which was a problem of the prior art, was also easily solved by guaranteeing each user and session.

Message and user authentication

In order to analyze whether the message is tampered with, the user's authentication is essential. In the present invention, the problem for high speed and secure key delivery. As a result, secure key delivery has delivered the key in offline through out-of-band. Also, to solve the delay problem of SIP service and to guarantee the normal speed, only the necessary part of the packet was copied and encrypted and compared and analyzed in the SIP firewall.

In the message and user authentication, msg represents the SIP original message, and Pmsg represents the portion of the SIP message to encrypt. Ka is also the private key of the key set user. When authenticating a user, the user selects an important part of the msg packet, generates a Pmsg, encrypts the Pmsg with a key Ka, and authenticates the user and message through the SIP firewall before passing it to another user. In this step, the encrypted Pmsg is decrypted and compared / conformed with the actual Pmsg to confirm whether the key and the message of each user are tampered with.

Therefore, through this process, it checks whether the normal user and the normal key and whether the message has been tampered with to verify the authentication process of the message at the same time to efficiently authenticate it.

1) Confidentiality

Confidentiality means that unauthorized users or objects cannot know the content of the information. It is closely related to privacy protection in the sense of preventing unwanted disclosure of information. In the present invention, the confidentiality of the SIP communication is guaranteed through the encryption / decryption process of necessary important information and a more secure SIP communication environment is secured.

2) ensure integrity

This is to prevent unauthorized users or objects from tampering with the information. Therefore, it is necessary to guarantee that an attacker cannot arbitrarily modify / delete SIP communication packets, that is, messages. In the present invention, to ensure the integrity of the SIP communication to determine whether the attack by copying a part of the packet and examining whether or not the original packet has been tampered through the encryption process. Thus, the integrity of SIP communication can also be guaranteed.

3) Guaranteed availability

When an authorized user or object attempts to access information, it is not disturbed. Representative attacks that impair availability in SIP environments include SIP Message Flooding and Parser attacks. This ensures availability by detecting and responding to a case of non-normal packets through a formal state diagram proposed in the present invention.

4) Certification

The authentication process is performed through the user's private key proposed by the present invention and the session key of only two users used under RTP / RTCP communication. Each user's individual key is verified by SIP Firewall during call setup process and examines normal user's packet. Before RTP / RTCP communication, SIP Firewall delivers newly combined session key of two users and randomly. Negotiate the ciphertext length with the selected symmetric key algorithm to provide more secure communication.

Therefore, the present invention provides all four security elements above. In addition, it is possible to ensure the secure and fast SIP communication by providing the necessary functions to solve the problems of server overload and service delay, which were previously existing problems.

1 is a view showing a registration process of the SIP protocol according to the prior art.

2 is a diagram showing a SIP state diagram according to the prior art.

3 is a diagram showing an SIP and a client attack tool according to the prior art.

4 is a diagram illustrating a tool for testing a vulnerability of a target user and a proxy server according to the related art.

5 is a view showing a user authentication service process in the protocol according to the prior art.

6 is a view showing the flow of the SIP protocol according to the present invention.

7 is a diagram illustrating a user key registration process before communication in the SIP protocol according to the present invention.

8 is a diagram showing the flow of registration using the user key in the SIP protocol according to the present invention.

9 is a view showing a user authentication and registration process using a user key in the SIP protocol according to the present invention.

10 is a view showing an authentication step when each call setup request in the SIP protocol according to the present invention.

11 is a diagram illustrating a call setup process of an authenticated user in the SIP protocol according to the present invention.

12 is a diagram illustrating a session key delivery process in an SIP protocol according to the present invention.

13 is a view showing the authentication packet structure of the SIP protocol according to the present invention.

14 is a diagram schematically showing the overall system structure to which the SIP protocol according to the present invention is applied.

FIG. 15 is a diagram illustrating an SPI formal state model in an SPI protocol according to the present invention.

Figure 16 shows the overall module configuration of the secure IP-based SPI firewall in the SIP protocol according to the present invention.

FIG. 17 is a diagram illustrating a process of comparing and analyzing SIP packet encryption / decryption in the SIP protocol according to the present invention.

18 is a block diagram illustrating a SIP firewall structure of an attack detection system using an SIP protocol according to the present invention.

Explanation of symbols on the main parts of the drawings

10-1N, 10-2N, 10-3N: Client (User)

20: proxy server

24: SIP firewall

242: SIP packet filtering module

244: IP / MAC authentication module

246: session classification module

254: SIP key identification and generation module

240: central control unit

252 SIP analysis module

256: SIP formal model unit

258: encryption / decryption algorithm

Claims (8)

Attack detection using secure SIP protocol that provides security function where multiple clients communicate with proxy server equipped with SIP (Session Initiation Protocol) protocol firewall through wired / wireless communication network In the method, A first step of filtering an input packet to check SIP packets and authenticating users using a black list and session keys for each user; After classifying each user's session, the user authenticates the user through the verification step with the key table by separating the actual SIP packet and the user's key, and at the same time, the SIP state table is passed through the SIP analysis step. ) To update the current status information in A third step of checking whether or not normal status information comes by comparing / analyzing real-time status information based on SIP formal model, and a third step of verifying whether a packet has passed; and A fourth step of outputting a packet by checking a negotiation state step and negotiating a necessary algorithm by referring to a public algorithm table in a SIP firewall if applicable; Including, During call setup for client-to-client communication, and SIP firewall repeats the user authentication step by verifying each user's unique session key, and delivers a new session key that combines the session keys of the two users who requested the call connection. Attack detection method using a secure SIP protocol, characterized in that. The method of claim 1, A method for detecting an attack using a secure SPI protocol, characterized in that a part of a packet is encrypted / decrypted for a secure connection between each client and a SIP firewall when a call is set up for communication between clients and other call setup requests. delete The method of claim 1, Each client for communication has its own unique key, and the process of checking the tampering of each user's key and message is as follows.

Attack detection method using a secure SIP protocol, characterized in that made through. A secure SIP protocol is provided that provides multiple SPI protocols for communicating with a proxy server equipped with a SIP (Session Initiation Protocol) protocol firewall through a wired or wireless network. In the attack detection system used, The SIP firewall SIP packet filtering module for filtering the input communication packet, IP / MAC authentication module for authenticating the IP or MAC of the filtered communication packet, A session classification module for classifying sessions of a communication packet authenticated by the IP / MAC authentication module; SIP key identification and generation module for extracting the communication packet passed through the session classification module to verify the SIP key and generate a session key, Central control unit for controlling the overall device, Classify and analyze the communication packets that have passed through the session classification module, store them in a SIP state table, create a SIP session, check the state of the session through the SIP formal model unit, and check the state through encryption / decryption algorithms when negotiated. SIP analysis module for blacklisting or outputting packets to list storage, SIP formal model unit having a variety of formal (formal) model operating in conjunction with the SIP analysis module, It works with the SIP analysis module and includes an encryption / decryption algorithm for encrypting or decrypting a communication packet in response to various encryption algorithms, During call setup for client-to-client communication, and SIP firewall repeats the user authentication step by verifying each user's unique session key, and delivers a new session key that combines the session keys of the two users who requested the call connection. Attack detection system using a secure SIP protocol, characterized in that. The method of claim 5, An attack detection system using a secure SPI protocol, characterized in that a part of a packet is encrypted / decrypted for a secure connection between each client and a SIP firewall when a call is set up for communication between clients and other call setup requests. delete The method of claim 5, Each client for communication has its own unique key, and the process of checking the tampering of each user's key and message is as follows.

Attack detection system using a secure SIP protocol, characterized in that made through.

Images