




Name: Liu Junlin    Class: Communication 143    Student ID: 2014101108

Appendix

I. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared and their penetration ratio is gradually increasing due to the free or cheap call charge and the easy subscription method. Thus, some of the subscribers to the PSTN service tend to change their home telephone services to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to the commercial VoIP services and 50% of all the users joined in 2009 in Korea [1]. According to IDC, it is expected that the number of VoIP users in the US will increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5]. So, most commercial services such as VoIP services should provide essential security functions regarding privacy, authentication, integrity and non-repudiation for preventing malicious traffic. Particularly, most of the current SIP/RTP-based VoIP services supply the minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] or Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the overheads of implementation and performance. Thus, unencrypted VoIP packets could be easily sniffed and forged, especially in wireless LANs. In spite of authentication, the authentication keys such as MD5 in the SIP header could be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP.

We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture. We consider three representative VoIP anomalies called CANCEL, BYE Denial of Service (DoS) and RTP flooding attacks in this paper, because we found that malicious users in a wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard that is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe 802.11 packets, which are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method by the Hellinger Distance (HD) concept. In [8], they have presented INVITE, SYN and RTP flooding detection methods. The HD is the difference value between a training data set and a testing data set. The training data set collected traffic over n sampling periods of duration t. The testing data set collected traffic following the training data set in the same period. If the HD is close to 1, this testing data set is regarded as anomaly traffic. For using this method, they assumed that the initial training data set did not have any anomaly traffic. Since this method was based on packet counts, it might not be easily extended to detect anomaly traffic other than flooding. On the other hand, [11] has proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM). [11] has suggested INVITE flooding, BYE DoS anomaly traffic and media spamming detection methods. However, the state machine required more memory because it had to maintain each flow. [13] has presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER, RTP flooding, and REGISTER/INVITE scan. However, the VoIP DoS attacks considered in this paper were not considered. In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results are presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, that paper presents only the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention. We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection method based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in a wireless LAN. In this case, it is possible to generate anomaly traffic similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods using information from wireless LAN packets. Furthermore, we have shown the real experiment results in the commercial VoIP network.

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is not usually encrypted, attackers could extract the fields necessary to reproduce a forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between the normal SIP CANCEL message and the replicated one, because the faked CANCEL packet includes the normal fields inferred from the SIP INVITE message. The attacker will perform the SIP CANCEL DoS attack in the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent the normal call establishment when a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it will send a SIP CANCEL message, which makes the call establishment fail. We have generated a faked SIP CANCEL message using a sniffed SIP INVITE message. The fields in the SIP header of this CANCEL message are the same as those of a normal SIP CANCEL message, because the attacker can obtain the SIP header fields from unencrypted normal SIP messages in the wireless LAN environment. Since it is therefore impossible to detect the CANCEL DoS anomaly traffic using SIP headers, we use the differing values of the wireless LAN frame. That is, the sequence number in the 802.11 frame will tell the difference between a victim host and an attacker. We look into the source MAC address and sequence number in the 802.11 MAC frame carrying a SIP CANCEL message, as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow is changed, it is highly probable that the CANCEL packet was generated by an unknown user. However, the source MAC address could be spoofed. Regarding 802.11 source spoofing detection, we employ the method in [12] that uses sequence numbers of 802.11 frames. We calculate the gap between the n-th and (n-1)-th 802.11 frames. As the sequence number field in an 802.11 MAC header uses 12 bits, it varies from 0 to 4095. When we find that the sequence number gap within a single SIP flow is greater than the threshold value N that will be set from the experiments, we determine that the SIP host address has been spoofed for the anomaly traffic.

B. BYE DoS Anomaly Traffic Detection

In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message for security and accounting purposes. However, attackers can reproduce BYE DoS packets by sniffing normal SIP INVITE packets in wireless LANs. The faked SIP BYE message is the same as the normal SIP BYE. Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP header information. After sniffing a SIP INVITE message, an attacker in the same or a different subnet could terminate the normal in-progress call, because it could succeed in generating a BYE message to the SIP proxy server. The SIP BYE attack is difficult to distinguish from the normal call termination procedure. Thus, we apply the timestamp of RTP traffic for detecting the SIP BYE attack. Generally, after normal call termination, the bi-directional RTP flow is terminated within a brief space of time. However, if the call termination procedure is anomalous, we can observe that one directional RTP media flow is still ongoing, whereas the attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we decide to watch a directional RTP flow for a time threshold of N sec after the SIP BYE message. The threshold N is also set from the experiments. Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients with INVITE and OK messages including the same Call-ID and 4-tuple (source/destination IP address and port number) of the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason why we use the captured timestamp is that a few RTP packets are observed within 0.5 second. If RTP traffic is observed after the time threshold, this will be considered as a BYE DoS attack, because the VoIP session would have been terminated by normal BYE messages.

C. RTP Anomaly Traffic Detection

Algorithm 3 describes an RTP flooding detection method that uses the SSRC and sequence numbers of the RTP header. During a single RTP session, typically, the same SSRC value is maintained. If the SSRC is changed, it is highly probable that an anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we determine that anomaly RTP traffic has happened. As inspecting every sequence number for each packet is difficult, we calculate the sequence number gap using the first, last, maximum and minimum sequence numbers. In the RTP header, the sequence number field uses 16 bits, from 0 to 65535. When we observe a wide sequence number gap in our algorithm, we consider it as an RTP flooding attack.

IV. PERFORMANCE EVALUATION

A. Experiment Environment

In order to detect VoIP anomaly traffic, we established an experimental environment as in Figure 1. In this environment, we employed two VoIP phones with wireless LANs, one attacker, a wireless access router and an IPFIX flow collector. For a realistic performance evaluation, we directly used one of the working VoIP networks deployed in Korea where an 11-digit telephone number (070-XXXX-XXXX) has been assigned to a SIP phone. With wireless SIP phones supporting 802.11, we could make calls to/from the PSTN or cellular phones. In the wireless access router, we used two wireless LAN cards: one to support the AP service, and the other to monitor 802.11 packets. Moreover, in order to observe VoIP packets in the wireless access router, we modified nProbe [16], which is an open IPFIX flow generator, to create and export IPFIX flows related to SIP, RTP, and 802.11 information. As the IPFIX collector, we have modified libipfix so that it could provide the IPFIX flow decoding function for the SIP, RTP, and 802.11 templates. We used MySQL for the flow DB.

B. Experimental Results

In order to evaluate our proposed algorithms, we generated 1,946 VoIP calls with two commercial SIP phones and a VoIP anomaly traffic generator. Table I shows our experimental results with precision, recall, and F-score, which is the harmonic mean of precision and recall. In CANCEL DoS anomaly traffic detection, our algorithm showed a few false negative cases, which were related to the gap threshold of the sequence number in the 802.11 MAC header. The average F-score for detecting the SIP CANCEL anomaly is 97.69%. For the BYE anomaly tests, we generated 755 BYE messages including 118 BYE DoS anomalies in the experiment. The proposed BYE DoS anomaly traffic detection algorithm found 112 anomalies with an F-score of 96.13%. If an RTP flow is terminated before the threshold, we regard the anomaly flow as a normal one. In this algorithm, we extract RTP session information from INVITE and OK or session description messages using the same Call-ID as the BYE message. It is possible not to capture those packets, resulting in a few false-negative cases. The RTP flooding anomaly traffic detection experiment for 810 RTP sessions resulted in an F-score of 98%. The reason for the false-positive cases was related to the sequence number in the RTP header. If the sequence numbers of anomaly traffic overlap with the range of the normal traffic, our algorithm will consider it as normal traffic.

V. CONCLUSIONS

We have proposed a flow-based anomaly traffic detection method against SIP- and RTP-based anomaly traffic in this paper. We presented VoIP anomaly traffic detection methods with flow data on the wireless access router. We used the IETF IPFIX standard to monitor SIP/RTP flows passing through wireless access routers, because its template architecture is easily extensible to several protocols. For this purpose, we defined two new IPFIX templates for SIP and RTP traffic and four new IPFIX fields for 802.11 traffic. Using these IPFIX flow templates, we proposed CANCEL/BYE DoS and RTP flooding traffic detection algorithms. From experimental results on the working VoIP network in Korea, we showed that our method is able to detect three representative VoIP attacks on SIP phones. In the CANCEL/BYE DoS anomaly traffic detection method, we employed threshold values for time and sequence number gap for the classification of normal and abnormal VoIP packets. This paper has not mentioned the test results about suitable threshold values. For future work, we will show the experimental results of the evaluation of the threshold values for our detection method.
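The CANCEL DoS check of Section III.A, written out as an added Python example that is not the paper's code (its Algorithm 1 is not reproduced on this page). The frame records, the keying of flows by Call-ID and the threshold N are assumptions.

```python
# Added example, not the paper's code: the CANCEL DoS check of Section III.A.
# Each SIP message is tagged with the 802.11 source MAC and sequence number
# of the frame that carried it (the paper's extra IPFIX fields). A CANCEL is
# compared with the stored INVITE flow of the same Call-ID: a changed MAC, or
# a frame sequence gap above N, marks it as anomalous. N is an assumed value.
from dataclasses import dataclass
from typing import Dict, Optional

SEQ_MOD = 4096            # the 802.11 sequence number field is 12 bits (0..4095)
SEQ_GAP_THRESHOLD = 200   # assumed N; the paper sets N from experiments


@dataclass
class SipFrame:
    call_id: str
    method: str      # "INVITE" or "CANCEL"
    src_mac: str     # 802.11 source MAC of the frame carrying the message
    seq: int         # 802.11 sequence number of that frame


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance between two 12-bit sequence numbers, so a legitimate
    wrap from 4095 to 0 counts as a gap of 1 rather than 4095."""
    return (cur - prev) % SEQ_MOD


class CancelDosDetector:
    def __init__(self, n: int = SEQ_GAP_THRESHOLD) -> None:
        self.n = n
        self.flows: Dict[str, SipFrame] = {}   # Call-ID -> last frame of the flow

    def observe(self, f: SipFrame) -> Optional[str]:
        """Return an alert string for an anomalous CANCEL, otherwise None."""
        if f.method == "INVITE":
            self.flows[f.call_id] = f          # start (or refresh) the SIP flow
            return None
        if f.method != "CANCEL":
            return None
        prev = self.flows.get(f.call_id)
        if prev is None:
            return "CANCEL with no matching INVITE flow"
        if f.src_mac != prev.src_mac:
            return f"CANCEL source MAC {f.src_mac} differs from INVITE flow {prev.src_mac}"
        gap = seq_gap(prev.seq, f.seq)         # n-th vs (n-1)-th frame of the flow
        if gap > self.n:
            return f"802.11 sequence gap {gap} exceeds N={self.n}: likely spoofed MAC"
        self.flows[f.call_id] = f              # legitimate CANCEL: advance the flow
        return None
```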
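The BYE DoS check of Section III.B, as an added Python example that is not the paper's code (its Algorithm 2 is not reproduced on this page). The session records, the assumption that the RTP 4-tuple has already been taken from SDP, and the threshold N are assumptions.

```python
# Added example, not the paper's code: the BYE DoS check of Section III.B.
# A session is recorded from INVITE/200 OK (Call-ID plus the RTP 4-tuple,
# which we assume was already taken from SDP upstream). A BYE starts a watch
# window of N seconds from its captured timestamp; any RTP packet of that
# session seen after the window is reported. N and all records are assumed.
from typing import Dict, Optional, Tuple

BYE_THRESHOLD_SEC = 2.0   # assumed N; the paper sets N from experiments

FourTuple = Tuple[str, int, str, int]   # src ip, src port, dst ip, dst port


def reverse(t: FourTuple) -> FourTuple:
    """The same flow seen from the other direction."""
    return (t[2], t[3], t[0], t[1])


class ByeDosDetector:
    def __init__(self, n_sec: float = BYE_THRESHOLD_SEC) -> None:
        self.n_sec = n_sec
        self.by_tuple: Dict[FourTuple, str] = {}   # RTP 4-tuple -> Call-ID
        self.deadline: Dict[str, float] = {}       # Call-ID -> BYE ts + N

    def session_established(self, call_id: str, rtp: FourTuple) -> None:
        """INVITE and OK with the same Call-ID: index both RTP directions."""
        self.by_tuple[rtp] = call_id
        self.by_tuple[reverse(rtp)] = call_id

    def bye_seen(self, call_id: str, ts: float) -> None:
        """Captured BYE: the session should be silent N sec after this time."""
        self.deadline.setdefault(call_id, ts + self.n_sec)  # keep the first BYE

    def rtp_seen(self, rtp: FourTuple, ts: float) -> Optional[str]:
        """Return an alert if RTP for a session continues past its deadline."""
        call_id = self.by_tuple.get(rtp)
        if call_id is None or call_id not in self.deadline:
            return None          # no BYE pending for this flow
        late = ts - self.deadline[call_id]
        if late > 0:
            return f"BYE DoS suspected for Call-ID {call_id}: RTP {late:.1f}s past the N={self.n_sec}s window"
        return None              # a few trailing RTP packets right after BYE are normal
```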
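The RTP flooding check of Section III.C, as an added Python example that is not the paper's code (its Algorithm 3 is not reproduced on this page). The paper does not give its gap formula, so this example measures the width of the observed sequence-number range against the packet count and unwraps 16-bit sequence numbers first, both of which are assumptions, as are the packet records and the threshold G.

```python
# Added example, not the paper's code: the RTP flooding check of Section III.C.
# Per RTP flow we keep the SSRC plus the minimum and maximum sequence number
# seen, and compare the width of that range with the packet count: a flood
# from a second sender stretches the range far beyond what the packets seen
# account for. Sequence numbers are unwrapped first (RFC 3550 style) so a
# legitimate 65535 -> 0 wrap is not a gap; the threshold G is assumed.
from typing import Dict, Optional, Tuple

SEQ_MOD = 65536          # the RTP sequence number field is 16 bits
GAP_THRESHOLD = 1000     # assumed G; the paper sets thresholds from experiments

FlowKey = Tuple[str, int, str, int]   # src ip, src port, dst ip, dst port


class RtpFlowState:
    def __init__(self, ssrc: int, seq: int) -> None:
        self.ssrc = ssrc
        self.last_raw = seq                  # last 16-bit value, for unwrapping
        self.last = self.lo = self.hi = seq  # unwrapped (unbounded) values
        self.count = 1

    def update(self, seq: int) -> None:
        delta = (seq - self.last_raw) % SEQ_MOD
        if delta >= SEQ_MOD // 2:
            delta -= SEQ_MOD                 # backward step: reorder or injected packet
        self.last += delta
        self.last_raw = seq
        self.lo = min(self.lo, self.last)
        self.hi = max(self.hi, self.last)
        self.count += 1

    def seq_gap(self) -> int:
        """Range width beyond what the observed packet count explains
        (0 for a clean in-order flow; small for ordinary loss)."""
        return (self.hi - self.lo) - (self.count - 1)


class RtpFloodDetector:
    def __init__(self, gap_threshold: int = GAP_THRESHOLD) -> None:
        self.flows: Dict[FlowKey, RtpFlowState] = {}
        self.gap_threshold = gap_threshold

    def observe(self, key: FlowKey, ssrc: int, seq: int) -> Optional[str]:
        """Feed one RTP packet of a flow; return an alert string or None."""
        st = self.flows.get(key)
        if st is None:
            self.flows[key] = RtpFlowState(ssrc, seq)
            return None
        if ssrc != st.ssrc:                  # SSRC must stay constant in a session
            return f"SSRC changed {st.ssrc:#010x} -> {ssrc:#010x} within one RTP session"
        st.update(seq)
        gap = st.seq_gap()
        if gap > self.gap_threshold:
            return f"RTP sequence gap {gap} exceeds G={self.gap_threshold}: flooding suspected"
        return None
```

A flood whose sequence numbers fall inside the normal range widens nothing and is not reported, which is the false-negative case the paper's results section describes.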