This application claims priority from Korean Patent Application No. 10-2010-0085782 filed on Sep. 2, 2010 in the Korean Intellectual Property Office, the disclosure of which is incorporated herein by reference in its entirety.
1. Field of the Invention
The present invention relates to a system and method for blocking session initiation protocol (SIP)-based abnormal traffic.
2. Description of the Related Art
Session initiation protocol (SIP) is an application-level protocol that is used for creating, modifying, and terminating multimedia sessions. Examples of services based on the SIP include voice over Internet protocol (VoIP), instant messaging, and video conferencing services. These SIP-based services are becoming more closely related to the lives of people today.
However, as the SIP-based services become more common, various malicious attacks using the SIP-based services are increasing day by day. Major examples of such malicious attacks include denial-of-service (DoS) attacks and spam over Internet telephony (SPIT) attacks using SIP request and response messages. Also, toll fraud attacks and call hijacking attacks occur frequently.
Therefore, for smooth service provision, there is a need for a technology that can selectively provide normal SIP traffic while blocking abnormal traffic generated for the purpose of malicious attacks.
Aspects of the present invention provide a system for blocking session initiation protocol (SIP)-based abnormal traffic, which selectively provides normal SIP traffic while blocking abnormal traffic generated for the purpose of malicious attacks.
Aspects of the present invention also provide a method of blocking SIP-based abnormal traffic, in which normal SIP traffic is selectively provided, while abnormal traffic generated for the purpose of malicious attacks is blocked.
However, aspects of the present invention are not restricted to the one set forth herein. The above and other aspects of the present invention will become more apparent to one of ordinary skill in the art to which the present invention pertains by referencing the detailed description of the present invention given below.
According to an aspect of the present invention, there is provided a system for blocking SIP-based abnormal traffic. The system includes: a policy database (DB) in which allowed traffic is stored according to transmission priority; an abnormal traffic response module which receives traffic from a first network and transmits only portions of the received traffic, which match the allowed traffic stored in the policy DB, to a second network in order of transmission priority; and an abnormal traffic detection module which analyzes the traffic received from the first network and provides an activation signal to the abnormal traffic response module when detecting that the received traffic is abnormal traffic, wherein the abnormal traffic response module transmits the portions of the received traffic, which match the allowed traffic stored in the policy DB, to the second network such that the sum of the portions transmitted to the second network does not exceed a maximum allowed traffic limit.
According to another aspect of the present invention, there is provided a method of blocking SIP-based abnormal traffic. The method includes: receiving traffic from a first network; detecting whether the received traffic is abnormal traffic; and, when the received traffic is the abnormal traffic, transmitting only allowed portions of the received traffic to a second network in order of transmission priority such that the sum of the allowed portions transmitted to the second network does not exceed a maximum allowed traffic limit.
The above and other aspects and features of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, in which:
Advantages and features of the present invention and methods of accomplishing the same may be understood more readily by reference to the following detailed description of exemplary embodiments and the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the present invention will only be defined by the appended claims. In the drawings, sizes and relative sizes of elements may be exaggerated for clarity.
Like reference numerals refer to like elements throughout the specification. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “made of,” when used in this specification, specify the presence of stated components, steps, operations, and/or elements, but do not preclude the presence or addition of one or more other components, steps, operations, elements, and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Hereinafter, a system for blocking session initiation protocol (SIP)-based abnormal traffic according to an exemplary embodiment of the present invention will be described with reference to
Referring to
The abnormal traffic detection module 200 may analyze traffic received from a first network NETWORK A. When it detects that the received traffic is abnormal traffic, it provides an activation signal ACT to the abnormal traffic response module 300; when it detects that the received traffic is normal traffic, it provides a deactivation signal INACT to the abnormal traffic response module 300. The abnormal traffic response module 300 is enabled by the activation signal ACT transmitted from the abnormal traffic detection module 200. When it receives the deactivation signal INACT from the abnormal traffic detection module 200, the abnormal traffic response module 300 provides the traffic received from the first network NETWORK A to a second network NETWORK B without processing the traffic.
The first network NETWORK A may be an SIP-based network that provides voice over Internet protocol (VoIP) services, instant messaging services, video conferencing services, and the like. The second network NETWORK B may also be an SIP-based network.
The abnormal traffic detection module 200 may include a threshold-based determination module 210 and a distributed denial-of-service (DDoS) attack determination module 220 to determine whether input traffic is normal or abnormal.
The threshold-based determination module 210 may transmit the activation signal ACT to the abnormal traffic response module 300 when the sum of traffic received from the first network NETWORK A exceeds a threshold.
More specifically, referring to
As for the threshold THRESHOLD, an administrator may calculate a threshold value in view of network traffic conditions and then input the calculated threshold value to the threshold-based determination module 210. Alternatively, the threshold-based determination module 210 may calculate a threshold value in real time according to input traffic and based on traffic information stored in the policy DB 400.
The DDoS attack determination module 220 may provide the activation signal ACT to the abnormal traffic response module 300 when detecting that input traffic is DDoS attack traffic.
Specifically, the DDoS attack determination module 220 may analyze, for example, the SIP traffic volume, method rate, and uniform resource identifier (URI) rate of input traffic and provide the activation signal ACT to the abnormal traffic response module 300 when determining that the input traffic includes malicious DDoS attack traffic.
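The threshold-based determination module 210 and the DDoS attack determination module 220 described in the preceding paragraphs, as an added Python illustration that is not part of the patent: the record format, the sample traffic windows (documentation address ranges and `.invalid` domains), the threshold value and the method/URI share limits are all constructed here, and the "share of the window" reading of the method rate and URI rate is an assumption.

```python
"""Toy SIP abnormal-traffic detection module in the style of the threshold-based
determination module 210 and the DDoS attack determination module 220.

Added illustration, not code from the patent. The request-line format, the
sample windows, the threshold and the share limits are all constructed here.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

ACT = "ACT"      # activation signal: enable the response module
INACT = "INACT"  # deactivation signal: pass traffic through unprocessed


@dataclass(frozen=True)
class SipRequest:
    source: str   # sending host (constructed documentation addresses)
    method: str   # SIP method, e.g. INVITE or REGISTER
    uri: str      # Request-URI


def parse_request(line: str) -> Optional[SipRequest]:
    """Parse one constructed record '<source> <METHOD> <Request-URI> SIP/2.0'.

    Returns None for records that are not well-formed requests, so a malformed
    line is counted by neither module instead of crashing the detector.
    """
    parts = line.split()
    if len(parts) != 4 or parts[3] != "SIP/2.0":
        return None
    return SipRequest(source=parts[0], method=parts[1].upper(), uri=parts[2])


def threshold_decision(window: list[SipRequest], threshold: int) -> str:
    """Module 210: ACT when the request count in the window exceeds the threshold."""
    return ACT if len(window) > threshold else INACT


def ddos_decision(window: list[SipRequest], max_method_share: float,
                  max_uri_share: float) -> str:
    """Module 220: ACT when a single method or a single Request-URI accounts for
    more than the allowed share of the window (method rate / URI rate check).

    The share limits are assumptions for this example; a deployment would derive
    them from baseline traffic, as the text says an administrator or the policy
    DB would for the threshold.
    """
    if not window:
        return INACT
    n = len(window)
    top_method = Counter(r.method for r in window).most_common(1)[0][1]
    top_uri = Counter(r.uri for r in window).most_common(1)[0][1]
    if top_method / n > max_method_share or top_uri / n > max_uri_share:
        return ACT
    return INACT


def detect(lines: list[str], threshold: int = 10,
           max_method_share: float = 0.8, max_uri_share: float = 0.8) -> str:
    """Combine both modules: either one raising ACT activates the response module."""
    window = [r for r in (parse_request(line) for line in lines) if r is not None]
    if threshold_decision(window, threshold) == ACT:
        return ACT
    return ddos_decision(window, max_method_share, max_uri_share)


# Constructed sample windows (documentation address ranges, .invalid domains).
NORMAL_WINDOW = [
    "192.0.2.11 REGISTER sip:192.0.2.1 SIP/2.0",
    "192.0.2.12 INVITE sip:alice@example.invalid SIP/2.0",
    "192.0.2.13 OPTIONS sip:192.0.2.1 SIP/2.0",
    "192.0.2.12 BYE sip:alice@example.invalid SIP/2.0",
    "192.0.2.14 INVITE sip:bob@example.invalid SIP/2.0",
    "192.0.2.15 REGISTER sip:192.0.2.1 SIP/2.0",
]
# Volume flood: more requests in the window than the threshold allows.
FLOOD_WINDOW = [f"198.51.100.{i} INVITE sip:alice@example.invalid SIP/2.0"
                for i in range(1, 13)]
# Below the volume threshold, but one method and one URI dominate the window,
# so only the DDoS determination module raises ACT.
SKEWED_WINDOW = [f"203.0.113.{i} INVITE sip:alice@example.invalid SIP/2.0"
                 for i in range(1, 9)]

if __name__ == "__main__":
    for name, window in [("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW),
                         ("skewed", SKEWED_WINDOW)]:
        print(f"{name}: {detect(window)}")
```

The two modules are deliberately complementary: the skewed window stays under the volume threshold and would pass module 210 alone, while module 220 catches it because a single method and a single URI make up the whole window.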
Referring back to
The abnormal traffic response module 300 may receive traffic from the first network NETWORK A and transmit only portions of the received traffic, which match the allowed traffic stored in the policy DB 400, to the second network NETWORK B in order of transmission priority. Here, the abnormal traffic response module 300 may transmit the above portions of the received traffic to the second network NETWORK B such that the sum of the portions transmitted to the second network NETWORK B does not exceed a maximum allowed traffic limit. This will be described in more detail with reference to
The abnormal traffic response module 300 enabled by the activation signal ACT analyzes traffic received from the first network NETWORK A and transmits portions of the received traffic, which match traffic stored in the policy DB 400 as the first- through third-priority allowed traffic, to the second network NETWORK B. On the other hand, the abnormal traffic response module 300 drops (that is, blocks the transmission to the second network NETWORK B of) portions of the received traffic that do not match the allowed traffic stored in the policy DB 400, because these portions are highly likely to be malicious attack traffic.
Here, when the sum of the portions of the received traffic, which match the traffic stored in the policy DB 400 as the first- through third-priority allowed traffic, does not exceed a maximum allowed traffic limit MAX, all of the portions are transmitted to the second network NETWORK B. However, when the sum of the portions of the received traffic, which match the traffic stored in the policy DB 400 as the first- through third-priority allowed traffic, exceeds the maximum allowed traffic limit MAX, the portions are blocked from being transmitted to the second network NETWORK B in order of lowest to highest priority until the sum no longer exceeds the limit.
For example, referring to
The above-described priority order of the allowed traffic stored in the policy DB 400 is only an example, and the present invention is not limited to this example. That is, the priority order and content of the allowed traffic can be changed as desired at any time.
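The priority-ordered forwarding of the abnormal traffic response module 300 under the maximum allowed traffic limit MAX, as an added Python illustration that is not part of the patent: the three policy entries, the received traffic portions, their volumes (a constructed "requests per second" unit) and the value of MAX are all assumptions; matching a portion against the policy DB by SIP method and Request-URI host is likewise an assumed matching rule, since the text leaves the content of the allowed traffic open.

```python
"""Toy abnormal-traffic response module in the style of module 300: forward only
traffic matching the policy DB, in priority order, without exceeding the maximum
allowed traffic limit MAX; drop everything else.

Added illustration, not code from the patent. The policy entries, the traffic
portions, their volumes and the value of MAX are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ACT = "ACT"      # activation signal from the detection module
INACT = "INACT"  # deactivation signal: pass traffic through unprocessed


@dataclass(frozen=True)
class PolicyEntry:
    priority: int    # 1 = highest transmission priority
    method: str
    uri_host: str    # host part of the Request-URI that this entry allows


@dataclass(frozen=True)
class Portion:
    method: str
    uri: str
    volume: int      # constructed unit: requests per second in this portion


# Constructed policy DB (assumed content; the patent leaves the entries open).
POLICY_DB = [
    PolicyEntry(1, "REGISTER", "example.invalid"),  # keep subscribers registered
    PolicyEntry(2, "INVITE", "example.invalid"),    # calls inside the served domain
    PolicyEntry(3, "OPTIONS", "example.invalid"),   # keep-alives: lowest priority
]


def uri_host(uri: str) -> str:
    """Extract the host from 'sip:user@host:port;params' (user, port, params optional)."""
    rest = uri.split(":", 1)[1] if ":" in uri else uri   # strip the scheme
    return rest.split("@")[-1].split(";")[0].split(":")[0]


def match_priority(portion: Portion, policy_db: list[PolicyEntry]) -> Optional[int]:
    """Return the priority of the best (lowest-numbered) matching entry, or None."""
    hits = [e.priority for e in policy_db
            if e.method == portion.method and e.uri_host == uri_host(portion.uri)]
    return min(hits) if hits else None


def respond(signal: str, portions: list[Portion], policy_db: list[PolicyEntry],
            max_limit: int) -> tuple[list[Portion], list[Portion]]:
    """Return (forwarded, dropped).

    INACT: everything is passed through unprocessed.
    ACT:   unmatched portions are dropped; matched portions are kept in priority
           order, and while their total volume exceeds max_limit the lowest-priority
           portion still in the list is dropped.
    """
    if signal != ACT:
        return list(portions), []
    dropped: list[Portion] = []
    matched: list[tuple[int, Portion]] = []
    for p in portions:
        prio = match_priority(p, policy_db)
        if prio is None:
            dropped.append(p)          # not allowed traffic: block it
        else:
            matched.append((prio, p))
    matched.sort(key=lambda t: t[0])   # stable sort: highest priority first
    total = sum(p.volume for _, p in matched)
    while matched and total > max_limit:
        _, victim = matched.pop()      # lowest priority is blocked first
        total -= victim.volume
        dropped.append(victim)
    return [p for _, p in matched], dropped


# Constructed received traffic: three allowed classes plus an unmatched flood.
PORTIONS = [
    Portion("OPTIONS", "sip:example.invalid", 40),
    Portion("INVITE", "sip:alice@example.invalid:5060;transport=udp", 50),
    Portion("REGISTER", "sip:example.invalid", 30),
    Portion("INVITE", "sip:100@other.invalid", 500),  # matches no policy entry
]

if __name__ == "__main__":
    fwd, drop = respond(ACT, PORTIONS, POLICY_DB, max_limit=100)
    print("forwarded:", [(p.method, p.volume) for p in fwd])
    print("dropped:  ", [(p.method, p.volume) for p in drop])
```

With MAX set to 100 the three matched portions sum to 120, so the third-priority OPTIONS traffic is blocked and the REGISTER and INVITE traffic (80) is forwarded; the unmatched 500-unit portion is dropped regardless of the limit. Raising MAX to 200 lets all three allowed classes through, and an INACT signal passes every portion unprocessed, as the text describes for normal traffic.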
Hereinafter, a system for blocking SIP-based abnormal traffic according to another exemplary embodiment of the present invention will be described with reference to
Referring to
Hereinafter, a method of blocking SIP-based abnormal traffic according to an exemplary embodiment of the present invention will be described with reference to
First, traffic is input from the first network NETWORK A. Then, it is detected whether the input traffic is abnormal traffic.
Specifically, referring to
When detecting that the input traffic is abnormal traffic, the abnormal traffic detection module 200 transmits the activation signal ACT to the abnormal traffic response module 300. The abnormal traffic response module 300 is enabled by the activation signal ACT. Then, the enabled abnormal traffic response module 300 transmits only allowed portions of the input traffic to the second network NETWORK B as illustrated in
On the contrary, when detecting that the input traffic is normal traffic, the abnormal traffic detection module 200 transmits the deactivation signal INACT to the abnormal traffic response module 300. The abnormal traffic response module 300 is disabled by the deactivation signal INACT. Then, the disabled abnormal traffic response module 300 transmits the traffic received from the first network NETWORK A to the second network NETWORK B without processing the input traffic.
A system for blocking SIP-based abnormal traffic according to an exemplary embodiment of the present invention, which operates as described above, can provide SIP-based services despite an explosive increase in the amount of input traffic due to abnormal traffic by selectively transmitting normal SIP traffic in order of priority. In addition, the system can efficiently utilize the entire network resources by blocking the abnormal traffic generated for the purpose of malicious attacks. Furthermore, the system can prevent network overload resulting from malicious attacks by using a maximum allowed traffic limit.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present invention as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.
Number | Date | Country | Kind |
---|---|---|---|
10-2010-0085782 | Sep 2010 | KR | national |