A Flow-based Detection Method for VoIP Anomaly Traffic

(Korean title) A Flow-based Detection Method for VoIP Anomaly Traffic

  • 손현구 (Department of Computer Engineering, Chungnam National University)
  • 이영석 (Department of Computer Engineering, Chungnam National University)
  • Received : 2010.02.09
  • Accepted : 2010.04.13
  • Published : 2010.08.15

Abstract

SIP/RTP-based VoIP services are becoming popular. Recently, however, VoIP anomaly traffic that causes delay, interference and termination of call establishment, and degradation of voice quality has been reported. Because most Korean VoIP applications do not use the standard security protocols, an attacker could intercept packets and obtain user and header information in order to generate anomaly traffic. In this paper, we propose three VoIP anomaly traffic generation methods, for CANCEL DoS, BYE DoS and RTP flooding, and a detection method based on flow-based traffic measurement. In our experiments on real commercial VoIP networks in Korea, 97% of the anomaly traffic was detected.

VoIP telephony services based on SIP and RTP are widely deployed. At the same time, VoIP anomaly traffic that causes damage such as call setup delay, interference, call termination and degraded voice quality has begun to appear. Because most domestic VoIP applications do not use the security protocols that are currently defined as standards, an attacker can easily sniff packets and obtain user and header information, and can also easily generate anomaly traffic. In this paper, we present methods of generating CANCEL DoS, BYE DoS and RTP flooding anomaly traffic through SIP/RTP packet sniffing on a wireless LAN, and a method of detecting VoIP application anomaly traffic through flow-based traffic monitoring. In experiments on a real commercial VoIP network, 97% of this anomaly traffic was detected.
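The abstract describes flow-based detection of RTP flooding and CANCEL/BYE DoS traffic but gives no detail of the rules. The following is an added illustration written for this page, not the paper's implementation: it runs two simple flow-level rules over constructed NetFlow/IPFIX-style records and scores them with precision and recall. The record fields (`kind`, `method`, `packets`, `duration`), the expected RTP packet rate, the rate factor and the per-source CANCEL/BYE limit are all assumptions chosen for the example.

```python
"""Flow-based detection of VoIP anomaly traffic (added example, not the paper's code).

Rule 1: an RTP flow whose packet rate far exceeds the codec's expected rate is an RTP flood.
Rule 2: a source that sends many CANCEL/BYE requests in one measurement interval is
        tearing down calls it did not set up (CANCEL/BYE DoS).
All thresholds and sample records below are assumptions constructed for illustration.
"""
from collections import defaultdict

EXPECTED_RTP_PPS = 50.0   # assumed: G.711 with 20 ms packetization = 50 packets/s per direction
RTP_RATE_FACTOR = 2.0     # assumed: flag a media flow above 2x the expected packet rate
SIP_TEARDOWN_LIMIT = 10   # assumed: CANCEL+BYE requests per source per interval before alerting


def _rtp(fid, src, packets, duration, label="normal"):
    """Constructed media flow record; a real monitor would learn the RTP port from the SDP offer/answer."""
    return {"id": fid, "kind": "rtp", "src": src, "dst": "10.0.0.9", "dport": 20000,
            "packets": packets, "duration": duration, "label": label}


def _sip(fid, src, method, label="normal"):
    """Constructed SIP signalling record; one request per flow record for simplicity."""
    return {"id": fid, "kind": "sip", "src": src, "dst": "10.0.0.1", "dport": 5060,
            "packets": 1, "duration": 0.0, "method": method, "label": label}


# Constructed sample: 'label' is ground truth used only to evaluate the detector.
FLOWS = (
    [
        _rtp(1, "10.0.0.5", 2500, 50.0),                  # 50 pps, legitimate G.711 stream
        _rtp(2, "10.0.0.7", 2480, 49.6),                  # 50 pps
        _rtp(3, "10.0.0.66", 60000, 30.0, "rtp_flood"),   # 2000 pps aimed at a phone
        _rtp(4, "10.0.0.8", 2600, 50.0),                  # 52 pps, jitter but still legitimate
        _sip(5, "10.0.0.5", "INVITE"),
        _sip(6, "10.0.0.5", "BYE"),                       # normal call teardown
    ]
    + [_sip(i, "10.0.0.66", "CANCEL", "cancel_dos") for i in range(7, 19)]   # 12 CANCELs
    + [_sip(i, "10.0.0.77", "BYE", "bye_dos") for i in range(19, 21)]        # 2 BYEs, below limit
)


def packet_rate(flow):
    """Packets per second for a flow record; very short flows are clamped to avoid division by zero."""
    return flow["packets"] / max(flow["duration"], 1e-3)


def detect_rtp_flooding(flows, expected_pps=EXPECTED_RTP_PPS, factor=RTP_RATE_FACTOR):
    """Return ids of media flows whose packet rate exceeds factor * expected_pps."""
    limit = expected_pps * factor
    return sorted(f["id"] for f in flows if f["kind"] == "rtp" and packet_rate(f) > limit)


def detect_sip_teardown_dos(flows, limit=SIP_TEARDOWN_LIMIT):
    """Return ids of CANCEL/BYE flows from sources that sent more than `limit` of them."""
    counts = defaultdict(int)
    for f in flows:
        if f["kind"] == "sip" and f["method"] in ("CANCEL", "BYE"):
            counts[f["src"]] += 1
    offenders = {src for src, n in counts.items() if n > limit}
    return sorted(f["id"] for f in flows
                  if f["kind"] == "sip" and f["method"] in ("CANCEL", "BYE") and f["src"] in offenders)


def evaluate(flows, flagged):
    """Precision and recall of a flagged-id list against the ground-truth labels."""
    anomalous = {f["id"] for f in flows if f["label"] != "normal"}
    flagged = set(flagged)
    tp = len(flagged & anomalous)
    fp = len(flagged - anomalous)
    fn = len(anomalous - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def run(flows=FLOWS):
    """Apply both rules and score the combined result."""
    flagged = detect_rtp_flooding(flows) + detect_sip_teardown_dos(flows)
    return evaluate(flows, flagged)


if __name__ == "__main__":
    print(run())
```

The low-volume BYE source in the sample stays under the per-source limit and is missed, which is the usual trade-off for a rate rule: lowering the limit catches it but risks flagging busy legitimate proxies, so a deployment would tune the threshold per interval against measured baseline traffic.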
