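Title: Honeypot-based VoIP Protection System
Author: Tsai, Wei-Ting (蔡威廷)
Keywords: VoIP; Internet voice; SIP; IDS; FSM; Honeypot; Session Initiation Protocol; Intrusion Detection System; Finite State Machine
Publisher: Department of Computer Science and Engineering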
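As networks become ubiquitous and computing equipment becomes inexpensive, talking over the network (Voice over Internet Protocol, VoIP) has become a new communication trend; communication is more convenient and faster, and its cost is lower. The Session Initiation Protocol (SIP) is currently the most widely used signaling protocol for controlling VoIP call setup, and the great majority of attacks target it. Because SIP is an application-layer protocol, it carries many of the weaknesses and threats found in network protocols. To protect the interests of legitimate users, security measures are increasingly important. At present most deployments rely on existing methods such as HTTP digest, TLS (Transport Layer Security), secure SIP (SIPS), IP security (IPsec) and S/MIME (Secure MIME) to maintain system security.
Beyond these existing techniques, an intrusion detection system (IDS) lets administrators detect an attack and raise an alert before the attack unfolds, so that they can prepare in advance. A major problem with intrusion detection systems, however, is the enormous volume of alerts: tens of thousands may accumulate within a single day, and they must be filtered or analyzed by software. This thesis surveys the VoIP attack techniques commonly seen today and classifies them using an attack tree structure, in an attempt to represent the full range of attacks against VoIP. In addition, we use the honeypot concept to design SIP service user agents that collect information about attackers: SIP communication services are deliberately deployed to interact with attackers, and the attackers' behavior is recorded to compensate for the IDS's shortcomings in information collection. On the IDS, the alerts from the collected attacker sources are then analyzed, raising the probability of discovering real attacks and improving the efficiency of the IDS, with the aim of effectively reducing the extent of damage.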

As the Internet becomes universal, communicating with others through Voice over Internet Protocol (VoIP) has become a new trend, and such communication is increasingly popular. The Session Initiation Protocol (SIP) is in charge of controlling the signaling for communication establishment. Because SIP is an application-layer protocol, many weaknesses and threats are possible. At present, de facto standard protocols such as HTTP digest, Transport Layer Security (TLS), secure SIP (SIPS), IP security (IPsec) and Secure MIME (S/MIME) are most commonly employed to meet system security requirements.
In addition to these standardized techniques, an IDS can provide system managers with an alert before an attack takes place. The critical challenge for an IDS is the large number of alerts that occur within a short period of time. In this paper, we classify VoIP-related attacks using an attack tree, and we use a honeypot to stage communications between users and attackers in order to collect information about malicious attackers. The honeypot-based user agent not only compensates for the deficiency in information collection by intrusion detection systems, but also increases the probability of capturing real intruders. We expect to effectively protect SIP services from damage caused by malicious attacks.
Other identifier: U0005-1801200823375800
Appears in Collections: Department of Computer Science and Engineering
