Method for protecting SIP-based applications

Abstract
A method for protecting SIP (Session Initiation Protocol)-based applications, wherein SIP messages are analyzed and malicious SIP messages that potentially constitute a security risk for the SIP-based application are identified, is disclosed. To achieve a particularly high security level with means that are easy to implement, a pre-definable number N of pre-configurable parameters (identities) is extracted from the SIP messages, and for each SIP message the identities are compared with the identities extracted from previous SIP messages; on the basis of this comparison a maliciousness level ML is assessed for every SIP message.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing a scheme of an example of an embodiment of a method according to the invention to protect SIP-based applications;

FIG. 2 is a diagram showing a scheme of storing identities in hash tables with doubled entries;

FIG. 3 is a diagram showing a scheme of storing identities in hash tables with shared entries;

FIG. 4 is a diagram showing a scheme of extracting different identities from a SIP message;

FIG. 5 is a diagram showing an example of an embodiment of a hyperspace of the dimension N=2; and

FIG. 6 is a diagram showing the hyperspace referred to in FIG. 5, wherein additionally distances are depicted.

Claims
  • 1. A method for protecting SIP (Session Initiation Protocol)-based applications wherein SIP messages are analyzed and malicious SIP messages that potentially constitute a security risk for the SIP-based application are identified, the method comprising: extracting a pre-definable number N of pre-configurable parameters (identities) from the SIP messages; comparing said identities with identities extracted from previous SIP messages for each SIP message; and assessing a maliciousness level ML on the basis of the comparison results for every SIP message.
  • 2. The method according to claim 1, wherein the analysis and identification are performed by a Session Border Controller (SBC), an application layer firewall, a proxy server, a back-to-back user agent, a client or the like.
  • 3. The method according to claim 1, wherein the extracted identities are user-specific and/or device-specific parameters.
  • 4. The method according to claim 3, wherein the extracted identities are the SIP URI of the party sending the message, the MAC address, the Host Identity Protocol (HIP) identifier, the SIP Via header field value, the SIP Contact header field value, the SDP header field values including the IP address, as well as the ports of the sending party, or the like.
  • 5. The method according to claim 4, wherein the result of a transformation, preferably a hash function, applied to one of the values is used as the identity.
  • 6. The method according to claim 1, wherein an N-dimensional hyperspace is formed, which is spanned by the pre-defined identities, and wherein for each SIP message one point is entered in the hyperspace.
  • 7. The method according to claim 6, wherein the maliciousness level ML for an n-th message is a function f of points of previous messages entered in the hyperspace.
  • 8. The method according to claim 6, wherein the points are erased from the hyperspace after a configurable duration according to their entry order.
  • 9. The method according to claim 6, wherein the maliciousness level ML for an n-th message is different from zero, if the comparison results in that at least one identity of the point of the n-th message matches with an identity of at least one of the entered points.
  • 10. The method according to claim 6, wherein the maliciousness level ML for an n-th message is higher the higher the number of entered points is for which at least one identity matches the corresponding identity of the point of the n-th message.
  • 11. The method according to claim 6, wherein the maliciousness level ML for an n-th message is higher the higher the number of matching identities between one of the entered points and the point of the n-th message is.
  • 12. The method according to claim 6, wherein the maliciousness level ML is computed as the sum of pre-configurable distances between the points in the N-dimensional hyperspace.
  • 13. The method according to claim 12, wherein the values of the individual distances are fixed values.
  • 14. The method according to claim 12, wherein the values of the individual distances are adjusted dynamically.
  • 15. The method according to claim 1, wherein hash tables are used for storing the N-dimensional identities.
  • 16. The method according to claim 15, wherein a hash table is used for each identity.
  • 17. The method according to claim 15, wherein in the key columns of the hash tables the corresponding hash value of the respective identity is stored, and as entries respectively the set of identities are stored.
  • 18. The method according to claim 15, wherein shared entries are used in such a way that pointers to shared sets of identities are stored as entries.
  • 19. The method according to claim 1, wherein only those SIP messages are analyzed that have previously passed a syntax analysis without detection of anomalies.
  • 20. The method according to claim 1, wherein a threshold for the maliciousness level is pre-set, and a SIP message is classified as malicious when exceeding it.
  • 21. The method according to claim 1, wherein a SIP message that has been identified as malicious generates an alarm and/or is blocked.
  • 22. The method according to claim 20, wherein two or more thresholds are pre-set and different consequences are connected to exceeding each of the respective thresholds.
  • 23. The method according to claim 20, wherein the thresholds are updated dynamically.
  • 24. The method according to claim 1, wherein the SIP messages that have been identified as malicious are further analyzed.
  • 25. A system for protecting SIP (Session Initiation Protocol)-based applications in a network including at least one client device and at least one node involved in communication of said at least one client, wherein said at least one node comprises: an analyzer for analyzing SIP messages transmitted and/or received by said at least one client device; an extractor for extracting a pre-definable number N of pre-configurable parameters (identities) from the SIP messages; a comparator for comparing said identities with identities extracted from previous SIP messages for each SIP message; and an assessing section for assessing a maliciousness level ML on the basis of the comparison results for every SIP message.
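The following is an added worked example, not code from the patent or its applicant, of the scheme the claims describe: N identities are extracted from each SIP message (here the From URI, the Via sent-by, the Contact, and the SDP address and port of claim 4), each identity is stored in its own hash table keyed by a hash of the value (claims 5, 16 and 17) with entries pointing at a shared point record (claim 18), points are aged out after a window (claim 8), and the maliciousness level ML of a new message is the sum of pre-configured distances for every earlier point that shares an identity with it (claims 10 to 13) and is compared with a threshold (claim 20). The per-identity weights, the 60 second window, the threshold of 5, the stripping of Via/Contact parameters, and the sample INVITE messages are all assumptions introduced for the illustration; the patent fixes none of these values.

```python
import hashlib
import re
from collections import defaultdict

# The N identities and their per-dimension distances (claims 12/13). Weights, window
# and threshold below are illustrative assumptions, not values taken from the patent.
IDENTITIES = ("from_uri", "via", "contact", "sdp_ip", "sdp_port")
WEIGHTS = {"from_uri": 1.0, "via": 2.0, "contact": 2.0, "sdp_ip": 3.0, "sdp_port": 1.0}

_HDR = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")


def parse_sip(raw: str) -> dict:
    """Minimal split of a SIP request into headers and SDP fields (not a full RFC 3261 parser)."""
    head, _, body = raw.strip().replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: dict = {}
    for line in lines[1:]:
        m = _HDR.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), m.group(2).strip())
    sdp: dict = {}
    for line in body.split("\n"):
        if len(line) > 2 and line[1] == "=":
            sdp.setdefault(line[0], line[2:].strip())
    return {"request_line": lines[0], "headers": headers, "sdp": sdp}


def extract_identities(msg: dict) -> dict:
    """Pull the N identities out of a parsed message; a missing field becomes ''."""
    h, sdp = msg["headers"], msg["sdp"]
    uri = re.search(r"<([^>]+)>", h.get("from", ""))
    conn = sdp.get("c", "").split()    # e.g. "IN IP4 10.0.0.5"
    media = sdp.get("m", "").split()   # e.g. "audio 49170 RTP/AVP 0"
    return {
        "from_uri": uri.group(1) if uri else h.get("from", "").split(";")[0],
        # sent-by part only: the branch parameter changes per transaction (assumption)
        "via": h.get("via", "").split(";")[0],
        "contact": h.get("contact", "").split(";")[0],
        "sdp_ip": conn[2] if len(conn) >= 3 else "",
        "sdp_port": media[1] if len(media) >= 2 else "",
    }


def identity_key(value: str) -> str:
    """Hash-table key: a hash of the identity value rather than the value itself (claims 5, 17)."""
    return hashlib.sha256(value.encode()).hexdigest()


class MaliciousnessDetector:
    def __init__(self, threshold: float, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        # one hash table per identity (claim 16); entries reference the shared point
        # record instead of duplicating the identity set (claim 18, FIG. 3)
        self.tables = {name: defaultdict(list) for name in IDENTITIES}
        self.points: list = []  # points in entry order, for aging (claim 8)

    def _expire(self, now: float) -> None:
        """Erase points older than the window, oldest first."""
        while self.points and now - self.points[0]["t"] > self.window:
            old = self.points.pop(0)
            for name in IDENTITIES:
                key = identity_key(old["ids"][name])
                self.tables[name][key] = [p for p in self.tables[name][key] if p is not old]

    def score(self, raw: str, now: float) -> tuple:
        """Return (ML, malicious) for one message and enter its point into the hyperspace."""
        self._expire(now)
        ids = extract_identities(parse_sip(raw))
        ml = 0.0
        for name in IDENTITIES:
            if ids[name]:
                # each earlier point sharing this identity contributes that dimension's
                # distance, so more matching points or more matching identities raise ML
                ml += WEIGHTS[name] * len(self.tables[name][identity_key(ids[name])])
        point = {"t": now, "ids": ids}
        self.points.append(point)
        for name in IDENTITIES:
            if ids[name]:
                self.tables[name][identity_key(ids[name])].append(point)
        return ml, ml > self.threshold


def _sip(display: str, user: str, host: str, port: int) -> str:
    """Constructed sample INVITE for the demonstration (not captured traffic)."""
    return f"""INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK{user}
From: {display} <sip:{user}@example.com>;tag=1928301774
To: Bob <sip:bob@example.com>
Call-ID: {user}-call@{host}
CSeq: 1 INVITE
Contact: <sip:{user}@{host}>
Content-Type: application/sdp

v=0
o={user} 2890844526 2890844526 IN IP4 {host}
s=-
c=IN IP4 {host}
t=0 0
m=audio {port} RTP/AVP 0
"""


def run_sample() -> list:
    """Score four constructed messages; returns [(ML, malicious), ...] in order."""
    det = MaliciousnessDetector(threshold=5.0, window=60.0)
    traffic = [
        (0.0, _sip("Alice", "alice", "10.0.0.5", 49170)),
        (1.0, _sip("Bob", "bob", "10.0.0.6", 51000)),
        # forged From URI and Contact, but Via, SDP address and port copied from Alice
        (2.0, _sip("Mallory", "mallory", "10.0.0.5", 49170)),
        # Alice again after the window: every earlier point has been aged out
        (200.0, _sip("Alice", "alice", "10.0.0.5", 49170)),
    ]
    return [det.score(raw, t) for t, raw in traffic]
```

Running `run_sample()` gives ML 0 for the first two messages, ML 6 (Via 2 + SDP address 3 + SDP port 1) for the third, which exceeds the threshold and is flagged, and ML 0 again for the late retransmission because the window has emptied the tables. Note that a legitimate re-INVITE or retransmission within the window also scores against its own earlier points, so in a deployment the weights, window and thresholds (claims 14, 22 and 23) have to be tuned to the expected signalling rate, and claim 19's syntax check should run first so that a malformed message never reaches the extractor.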
Priority Claims (1)
Number Date Country Kind
102006004202.6 Jan 2006 DE national