This application claims priority from Korean Patent Application No. 10-2010-0074934 filed on Aug. 3, 2010, the disclosure of which is incorporated herein by reference in its entirety.
1. Field of the Invention
The present invention relates to a system and method for detecting abnormal traffic on a network.
2. Description of the Related Art
Conventional technologies related to a system for detecting abnormal traffic on a network analyze characteristics of Internet protocol (IP) traffic based only on 5-tuple information (i.e., source IP, source port, destination IP, destination port, and protocol (transmission control protocol (TCP), user datagram protocol (UDP), or Internet control message protocol (ICMP)) of the IP traffic and detect abnormal traffic based on the analysis result. However, in the case of session initiation protocol (SIP) application services which have explosively grown in popularity with the development of Internet telephony, conventional IP traffic monitoring technology and abnormal IP traffic detection technology are unable to effectively monitor SIP traffic or detect abnormal SIP traffic.
This is first because of universal resource identifiers (URIs) that are used to provide application services. That is, SIP traffic uses URIs in addition to the IP and port information, but the conventional technologies cannot properly monitor the URIs. Furthermore, although SIP traffic for call setup and real-time transport protocol (RTP) traffic for media transmission are actually in the same application service session, they may be delivered through different paths. However, conventional IP traffic monitoring equipment or IP-based security equipment cannot recognize that.
Accordingly, this has led to a demand for a system that can detect abnormal SIP traffic (e.g., distributed denial-of-service (DDoS) attack traffic, SCAN attack traffic, etc.) on a network.
Aspects of the present invention provide an abnormal traffic detection system which can detect abnormal session initiation protocol (SIP) traffic on a network.
Aspects of the present invention also provide an abnormal traffic detection method used to detect abnormal SIP traffic on a network.
However, aspects of the present invention are not restricted to the one set forth herein. The above and other aspects of the present invention will become more apparent to one of ordinary skill in the art to which the present invention pertains by referencing the detailed description of the present invention given below.
According to an aspect of the present invention, there is provided an abnormal traffic detection system including: a receiving module which receives SIP traffic information from a network; a decoding module which receives the SIP traffic information from the receiving module and decodes the received SIP traffic information; a traffic information database (DB) which receives the decoded SIP traffic information from the decoding module and stores the received SIP traffic information; an analysis traffic information DB which collects information from the traffic information DB for a predetermined period and stores the collected information as analysis traffic information; a reference traffic information DB which stores reference traffic information; and an attack detection module which compares the analysis traffic information with the reference traffic information and detects whether analysis traffic is attack traffic.
According to another aspect of the present invention, there is provided an abnormal traffic detection method including: receiving SIP traffic information from a network; decoding the received SIP traffic information; collecting the decoded SIP traffic information for a predetermined period and generating analysis traffic information; comparing the analysis traffic information with reference traffic information and detecting whether analysis traffic is at least one of SIP distributed denial-of-service (DDoS) attack traffic, SIP SCAN attack traffic, and real-time transport protocol (RTP) DDoS attack traffic; and alerting a user when it is detected that the analysis traffic is at least one of the SIP DDoS attack traffic, the SIP SCAN attack traffic, and the RTP DDoS attack traffic.
The above and other aspects and features of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings, in which:
Advantages and features of the present invention and methods of accomplishing the same may be understood more readily by reference to the following detailed description of exemplary embodiments and the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the present invention will only be defined by the appended claims. In the drawings, sizes and relative sizes of elements may be exaggerated for clarity.
Like reference numerals refer to like elements throughout the specification. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.
As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “made of,” when used in this specification, specify the presence of stated components, steps, operations, and/or elements, but do not preclude the presence or addition of one or more other components, steps, operations, elements, and/or groups thereof.
It will be understood that, although the terms first, second, third, etc., may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. Thus, a first element discussed below could be termed a second element without departing from the teachings of the present invention.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Hereinafter, an abnormal traffic detection system according to an exemplary embodiment of the present invention will be described with reference to
Referring to
The receiving module 10 may receive SIP traffic information from a network. Specifically, the receiving module 10 may receive the SIP traffic information from the network by using a plurality of collection sensors (not shown). Here, the SIP traffic information may be a NetFlow-based SIP traffic flow. Specifically, the SIP traffic information may be an SIP traffic flow that follows, e.g., a NetFlow V9 format. The SIP traffic information may include information about SIP traffic and information about real-time transport protocol (RTP), as illustrated in
The decoding module 20 may receive the SIP traffic information from the receiving module 10 and decode the received SIP traffic information. Here, the term “decode” denotes classifying the received SIP traffic (e.g., an SIP traffic flow that follows the NetFlow V9 (Version 9) format) according to item, thereby converting the SIP traffic information into a data structure. The received SIP traffic may be stored, in the form of the data structure, in the traffic information DB 30.
The traffic information DB 30 may be a storage unit that receives the decoded SIP traffic information from the decoding module 20 and stores the received SIP traffic information. The traffic information DB 30 may generate an information storage table at intervals of, e.g., one hour and store the decoded SIP traffic information in the generated information storage table.
The analysis traffic information DB 40 may be a storage unit that collects information from the traffic information DB 30 for a predetermined period T and stores the collected information as analysis traffic information which is used to detect whether SIP traffic is abnormal traffic (e.g., attack traffic). Here, the predetermined period T may be, e.g., one minute.
The reference traffic information DB 45 may be a storage unit that stores reference traffic information. The reference traffic information will be described in more detail when the attack detection module 50 is described.
The attack detection module 50 may compare the analysis traffic information of the analysis traffic information DB 40 with the reference traffic information of the reference traffic information DB 45 and detect whether analysis traffic is abnormal traffic (e.g., attack traffic). Specifically, referring to
The SIP DDoS detection module 52 may detect whether the analysis traffic is SIP DDoS attack traffic. Specifically, the SIP DDoS detection module 52 may detect the analysis traffic as potential SIP DDoS attack traffic when at least one of the SIP traffic volume, method ratio, and universal resource identifier (URI) ratio of the analysis traffic is greater than a corresponding threshold value of reference traffic.
More specifically, the SIP DDoS detection module 52 may detect the analysis traffic as the potential SIP DDoS attack traffic as follows. First, the SIP DDoS detection module 52 analyzes the SIP traffic volume, method ratio, and URI ratio information of the analysis traffic. The SIP traffic volume, method ratio and URI ratio information of the analysis traffic may be as shown in Table 1 below (see also
Then, the SIP DDoS detection module 52 compares the SIP traffic volume, method ratio and URI ratio information of the analysis traffic with corresponding threshold values of the reference traffic which are stored in the reference traffic information DB 45. When at least one of the SIP traffic volume, method ratio and URI ratio of the analysis traffic is greater than a corresponding threshold value of the reference traffic, the SIP DDoS detection module 52 detects the analysis traffic as the potential SIP DDoS attack traffic. The threshold value of the reference traffic for each item may be as shown in Table 2 below.
For example, when the ‘amount (bytes) of SIP traffic on current day of the week, at current time’ of analysis traffic is greater than the ‘average amount (bytes) of SIP traffic for three weeks on same day of the week, at same time+a’ of reference traffic, the SIP DDoS detection module 52 detects the analysis traffic as the potential SIP DDoS attack traffic. Here, ‘a’ is an offset value and can be arbitrarily adjusted by a user as desired.
Even when the ‘SIP bps’ of the analysis traffic is less than a corresponding threshold value of the reference traffic, if the ‘INVITE ratio’ of the analysis traffic is greater than a corresponding threshold value of the reference traffic, the analysis traffic is detected as the potential SIP DDoS attack traffic. That is, the SIP DDoS detection module 52 detects the analysis traffic as the potential SIP DDoS attack traffic when at least one of the SIP traffic volume, method ratio and URI ratio of the analysis traffic is greater than a corresponding threshold value of the reference traffic.
Once it has detected the analysis traffic as the potential SIP DDoS attack traffic, the SIP DDoS detection module 52 analyzes an acknowledgement (ACK) method count of the analysis traffic and a ratio of a response method to a request method of the analysis traffic. This is because if the analysis traffic is the SIP DDoS attack traffic, the ACK method may not exist in the analysis traffic as illustrated in (b) of
The SIP SCAN detection module 54 may likewise be a module that detects the analysis traffic as SIP SCAN attack traffic when at least one of the SIP traffic volume, method ratio and URI ratio of the analysis traffic is greater than a corresponding threshold value of the reference traffic.
More specifically, the SIP SCAN detection module 54 may detect the analysis traffic as the SIP SCAN attack traffic as follows. First, the SIP SCAN detection module 54 analyzes the SIP traffic volume, method ratio, and URI ratio information of the analysis traffic. The SIP traffic volume, method ratio and URI ratio information of the analysis traffic may be as shown in Table 3 below (see also
Then, the SIP SCAN detection module 54 compares the SIP traffic volume, method ratio and URI ratio information of the analysis traffic with corresponding threshold values of the reference traffic which are stored in the reference traffic information DB 45. When at least one of the SIP traffic volume, method ratio and URI ratio of the analysis traffic is greater than a corresponding threshold value of the reference traffic, the SIP SCAN detection module 54 detects the analysis traffic as the SIP SCAN attack traffic. The threshold value of the reference traffic for each item may be as shown in Table 4 below.
The process in which the SIP SCAN detection module 54 detects the analysis traffic as the SIP SCAN attack traffic is similar to the above-described detection process of the SIP DDoS detection module 52, and thus a redundant description thereof is omitted.
Lastly, the RTP DDoS detection module 56 may detect the analysis traffic as RTP DDoS attack traffic in a similar process. The RTP DDoS detection module 56 may detect the analysis traffic as the RTP DDoS attack traffic when at least one of the RTP traffic volume and RTP traffic mean opinion score (MOS) of the analysis traffic is greater than a corresponding threshold value of the reference traffic which is stored in the reference traffic information DB 45. Here, analysis items and threshold values may be as shown in Tables 5 and 6.
Referring back to
The abnormal traffic detection system 1 according to the current exemplary embodiment can detect abnormal SIP traffic on the network (e.g., a voice over Internet protocol (VoIP) network). Specifically, referring to
However, the abnormal traffic detection system 1 according to the current exemplary embodiment detects DDoS attack traffic at the application level based on various information, as described above. Thus, SIP DDoS attack traffic such as the one illustrated in
Hereinafter, an abnormal traffic detection system according to another exemplary embodiment of the present invention will be described with reference to
For the sake of simplicity, a redundant description of elements and features identical to those of the previous exemplary embodiment will be omitted. That is, the following description will focus on differences from the previous exemplary embodiment.
Referring to
When an attack detection module 50 detects analysis traffic as non-attack traffic, the reference traffic information generation module 70 may update reference traffic information stored in a reference traffic information DB 45 to SIP traffic information stored in a traffic information DB 30. That is, the reference traffic information generation module 70 may update the reference traffic information stored in the reference traffic information DB 45 to the normal traffic information, thereby updating a threshold value for each analysis item.
When the reference traffic information generation module 70 is further installed, each threshold value of the reference traffic can be adjusted in real time according to network conditions. This enables more reliable detection of attack traffic.
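The following Python example is added here as an illustration and is not code from the patent. It models the two-stage check of the SIP DDoS detection module 52 (threshold comparison against a same-day, same-time average plus offset 'a', then the ACK count and response/request ratio check) together with the reference traffic update of the generation module 70 described above. The item names, the per-item offsets, the three-sample reference window and the concrete confirmation rule (ACK absent or responses far fewer than requests) are assumptions, since the text names these items without fixing their exact definitions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-period (T = one minute) analysis items. Names follow the
# description (traffic volume, method ratio, URI ratio, ACK count,
# response/request ratio); the patent's table columns are not reproduced.
@dataclass
class SipStats:
    weekday: int            # 0 = Monday; "same day of the week" lookups use this
    slot: int               # minute of day; "same time" lookups use this
    sip_bytes: int          # amount (bytes) of SIP traffic in the period
    invite_ratio: float     # INVITE / all SIP requests (a method ratio)
    uri_ratio: float        # share of requests to the top URI (assumed definition)
    ack_count: int          # number of ACK requests in the period
    resp_req_ratio: float   # SIP responses / SIP requests

ITEMS = ("sip_bytes", "invite_ratio", "uri_ratio")

class ReferenceTrafficDB:
    """Reference traffic information: the last `weeks` normal samples per (weekday, slot)."""
    def __init__(self, offsets, weeks=3):
        self.offsets = offsets          # per-item offset 'a', user adjustable (assumed per item)
        self.weeks = weeks
        self.history = defaultdict(list)

    def add_normal(self, s):
        key = (s.weekday, s.slot)
        self.history[key] = (self.history[key] + [s])[-self.weeks:]

    def threshold(self, s, item):
        """Average of the same day/time over the stored weeks, plus offset a."""
        hist = self.history.get((s.weekday, s.slot), [])
        if len(hist) < self.weeks:
            return None                 # not enough reference history yet
        avg = sum(getattr(h, item) for h in hist) / len(hist)
        return avg + self.offsets[item]

def detect_sip_ddos(s, ref, min_resp_req_ratio=0.5):
    """Stage 1: any of volume / method ratio / URI ratio above its reference threshold.
    Stage 2 (assumed concrete rule): ACKs are absent, or responses are far fewer than
    requests, i.e. the flooded requests never complete as calls."""
    exceeded = []
    for item in ITEMS:
        t = ref.threshold(s, item)
        if t is not None and getattr(s, item) > t:
            exceeded.append(item)
    if not exceeded:
        return {"potential": False, "attack": False, "exceeded": []}
    attack = s.ack_count == 0 or s.resp_req_ratio < min_resp_req_ratio
    return {"potential": True, "attack": attack, "exceeded": exceeded}

def process_period(s, ref):
    """Detect, then feed non-attack periods back as new reference traffic (module 70)."""
    result = detect_sip_ddos(s, ref)
    if not result["attack"]:
        ref.add_normal(s)
    return result
```

A period whose byte volume is under its threshold but whose INVITE ratio is over it is still flagged, matching the case the description gives; a slot with fewer than three reference samples yields no threshold and is never flagged.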
Hereinafter, an abnormal traffic detection method according to an exemplary embodiment of the present invention will be described with reference to
Referring to
Here, the network may include a VoIP network, and the SIP traffic information received from the network may include NetFlow-based SIP traffic flow information.
Next, the decoded SIP traffic information is collected for a predetermined period to generate analysis traffic information (operation S120). As described above, the predetermined period may be, e.g., one minute.
Next, the analysis traffic information is compared with reference traffic information to detect whether analysis traffic is at least one of SIP DDoS attack traffic, SIP SCAN attack traffic, and RTP DDoS attack traffic (operation S130). When it is detected that the analysis traffic is attack traffic, a user is alerted (operation S140).
The process of detecting whether the analysis traffic is at least one of the SIP DDoS attack traffic, the SIP SCAN attack traffic, and the RTP DDoS attack traffic has been described above when describing the abnormal traffic detection system 1 of
Hereinafter, an abnormal traffic detection method according to another exemplary embodiment of the present invention will be described with reference to
Referring to
As described above, an abnormal traffic detection system according to exemplary embodiments of the present invention detects abnormal traffic (e.g., SIP DDoS attack traffic, SIP SCAN attack traffic, RTP DDoS attack traffic, etc.) on a network based on NetFlow-based SIP traffic flow information which includes various application layer information as well as 5-tuple information. Therefore, the abnormal traffic detection system can detect abnormal traffic more accurately than conventional detection systems.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present invention as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.
Number | Date | Country | Kind |
---|---|---|---|
10-2010-0074934 | Aug 2010 | KR | national |