SIP Firewall

Self-Learning SIP Anomaly Detection
Algorithm and Architecture (SIP Firewall)
Protecting SIP Networks From Attack
BELL LABS Research Project
Context
Deployment of network and application services based
on the IP Multimedia Subsystem (3GPP IMS) is a key
networking trend. Yet the SIP-based control protocols of
IMS IP core networks have left communication and
data services vulnerable to growing security dangers.
There is thus a critical need for guarantees of SIP-level
integrity. Providing such guarantees, i.e. protecting
IMS servers against malicious SIP attacks, poses major
technical challenges.
Challenge
First appearances of previously unknown ('zero day')
SIP attacks can have severe impact on service
availability. Zero day attack protection, while more
powerful, is more challenging to create than typical
Internet firewalls, which recognize attacks by matching
signature patterns of known attacks via deep packet
inspection of incoming messages. Zero day threats
dictate immediate detection and elimination of harmful
messages without pre-knowledge of the attack design.
An additional challenge arises from the fact that
attacks may be hidden in single messages or across
message sequences, with both needing rapid analysis.
The proposed solution is the first available protection
for NGN/IMS providers against such attacks.
SIP Anomaly Detection Algorithm
Anomaly detection methods identify abnormal events
based on a learned model of normality. The majority
of anomaly detection methods are defined for
vectorial data and thus are not directly suitable for
application to SIP protection.
To address this, a technique was derived to embed
SIP messages in a vector space. A SIP message is
characterized by the frequencies of the feature
strings it contains, whereby the frequency of a string
acts as a measure of its importance. This feature set
cannot be defined a priori, however, because the
patterns of unknown and novel attacks are impossible
to determine in advance. The feature strings are
therefore defined implicitly, using the definitions of
tokens and n-grams. A so-called kernel function maps
SIP messages into a linear vector space, where
theory-based machine-learning methods are applied
for anomaly detection.
The simplest geometric model of normality uses a
single hypersphere for anomaly detection. It places a
hypersphere around a training set of feature vectors,
which represent SIP messages transformed into the
linear vector space (see Figure 2); a message whose
vector falls outside the hypersphere is reported as an
anomaly.
Figure 2: Geometric Anomaly Detection.
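The embedding and hypersphere model described above, as an added example (this is illustrative code written for this page, not Bell Labs' implementation). It characterizes a message by n-gram or token frequencies, L2-normalises them so that the frequencies measure relative importance, fits a hypersphere (centre = mean of the training vectors, radius = largest training distance, enlarged by a tolerance factor that plays the role of the detection threshold) and scores unseen messages by their distance from the centre. All SIP messages, the `sip_request` template and the tolerance factor are constructed assumptions for the demonstration.

```python
# Added example (not Bell Labs code): embedding SIP messages as token or
# n-gram frequency vectors and fitting a single-hypersphere model of
# normality. All SIP messages below are constructed samples.
import math
import re
from collections import Counter


def features(message: str, n: int = 4) -> Counter:
    """Implicit feature set: byte n-grams for n > 0, or whitespace/delimiter
    tokens for n == 0. The count of each string is its frequency."""
    if n == 0:
        return Counter(t for t in re.split(r"[\s:;<>@=,]+", message) if t)
    return Counter(message[i:i + n] for i in range(len(message) - n + 1))


def embed(message: str, n: int = 4) -> dict:
    """Map into the vector space: L2-normalised frequencies, so a long
    message is not 'far away' merely because of its length."""
    freq = features(message, n)
    norm = math.sqrt(sum(v * v for v in freq.values())) or 1.0
    return {k: v / norm for k, v in freq.items()}


def distance(a: dict, b: dict) -> float:
    """Euclidean distance between two sparse vectors."""
    return math.sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in set(a) | set(b)))


class Hypersphere:
    """Geometric model of normality: centre = mean of the training vectors,
    radius = largest training distance, enlarged by a tolerance factor
    (the detection threshold that a ROC curve sweeps)."""

    def __init__(self, n: int = 4, tolerance: float = 1.5):
        self.n, self.tolerance = n, tolerance
        self.center: dict = {}
        self.radius = 0.0

    def fit(self, messages):
        vecs = [embed(m, self.n) for m in messages]
        keys = set().union(*vecs)
        self.center = {k: sum(v.get(k, 0.0) for v in vecs) / len(vecs) for k in keys}
        self.radius = max(distance(v, self.center) for v in vecs)
        return self

    def score(self, message: str) -> float:
        """Anomaly score: distance of the message from the centre."""
        return distance(embed(message, self.n), self.center)

    def is_anomalous(self, message: str) -> bool:
        return self.score(message) > self.radius * self.tolerance


def sip_request(method: str, user: str, host_id: int) -> str:
    """Constructed, well-formed SIP request used as sample traffic."""
    return (f"{method} sip:{user}@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 10.0.0.{host_id}:5060;branch=z9hG4bK{host_id}\r\n"
            f"From: <sip:{user}@example.com>;tag={host_id}\r\n"
            f"To: <sip:{user}@example.com>\r\n"
            f"Call-ID: {host_id}@10.0.0.{host_id}\r\n"
            f"CSeq: 1 {method}\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n")


TRAINING = [sip_request("REGISTER", "alice", 11), sip_request("INVITE", "bob", 12),
            sip_request("INVITE", "carol", 13), sip_request("REGISTER", "dave", 14),
            sip_request("OPTIONS", "erin", 15), sip_request("INVITE", "frank", 16)]
NORMAL_UNSEEN = sip_request("INVITE", "grace", 21)
# Constructed malformed message: a request-URI user part of 300 repeated bytes.
MALFORMED = sip_request("INVITE", "A" * 300, 22)


def build_model(n: int = 4) -> Hypersphere:
    """Train the hypersphere on the constructed normal traffic."""
    return Hypersphere(n).fit(TRAINING)


if __name__ == "__main__":
    for n in (0, 2, 4):  # tokens, 2-grams and 4-grams, the feature types of Figure 3
        model = build_model(n)
        print(f"n={n}: radius={model.radius:.3f} unseen={model.score(NORMAL_UNSEEN):.3f} "
              f"malformed={model.score(MALFORMED):.3f}")
```

With 4-grams the unseen well-formed request lands inside the enlarged sphere while the malformed one, whose vector is dominated by a single repeated n-gram, lands far outside it; the tolerance factor is the knob that trades false positives against missed detections.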
Innovation
The Alcatel-Lucent Bell Labs solution (patent pending)
combines novel self-learning algorithms with SIP
message processing and overlay protection to create
zero day protection. Figure 1 shows a SIP/IMS-based
core network with security border nodes. Each node
has typical security functions and uses a self-learning
algorithm for zero day anomaly detection, with the
detection module embedded in the node's security
processing pipeline. An additional protection overlay
among border nodes creates new attack signatures
from detected anomalies and provides increased
security for all border nodes.
Figure 1: Network view. [Figure: a SIP/IMS based core network (AN, AS, I-CSCF, S-CSCF, HSS, MRFC, MRFP, MGCF, BGCF) surrounded by Border Nodes, with a Protection Overlay (across Border Nodes). The numbered steps 1-4 in the figure are labelled "zero day anomaly detected", "SIP anomaly report" and "new signature", with step 4 marked at each Border Node.]
Experiments were conducted on realistic SIP message
traffic and on traffic generated by testing tools.
Figure 3 shows the detection performance averaged
over independent samples of evaluation data, using
2-grams, 4-grams and tokens as string features. The
receiver operating characteristic (ROC) curves show
true-positive vs. false-positive rates for different
thresholds. High detection accuracy corresponds to
the top left of a ROC curve and can be seen for the
4-gram features: about 99% of attacks are detected
with no false positives, although all attacks were
previously unknown.
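How the ROC curve of Figure 3 is obtained from detector output, as an added example (illustrative code written for this page, not the poster's evaluation code): each distinct anomaly score is used as a threshold, the true-positive and false-positive rates at that threshold form one point of the curve, and the operating point "no false positives" is the threshold just above the highest score any normal message received. The two score lists are constructed sample outputs of a distance-based detector, not measured values.

```python
# Added example (not Bell Labs code): building a ROC curve from anomaly
# scores, the evaluation shown in the poster's Figure 3. The two score lists
# are constructed sample outputs of a hypersphere model (distance from the
# centre), not measured values.
NORMAL_SCORES = [0.30, 0.34, 0.38, 0.41, 0.43, 0.46, 0.48, 0.51]
ATTACK_SCORES = [0.49, 0.88, 0.93, 1.05, 1.12, 1.20, 1.27, 1.31, 1.34, 1.40]


def roc_points(normal, attacks):
    """ROC curve: (false-positive rate, true-positive rate) for every
    threshold at which 'score >= threshold' is flagged. Starts at (0, 0)
    (flag nothing) and ends at (1, 1) (flag everything)."""
    points = [(0.0, 0.0)]
    for t in sorted(set(normal) | set(attacks), reverse=True):
        tpr = sum(s >= t for s in attacks) / len(attacks)
        fpr = sum(s >= t for s in normal) / len(normal)
        points.append((fpr, tpr))
    return points


def auc(points):
    """Area under the ROC curve by the trapezoid rule (1.0 = perfect)."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def detection_rate_at_zero_false_positives(normal, attacks):
    """Threshold just above the highest normal score: the operating point the
    poster quotes ('about 99% detected with no false positives')."""
    threshold = max(normal)
    return sum(s > threshold for s in attacks) / len(attacks)


def operating_points(normal, attacks):
    """ROC points plus the scalar summaries used to compare feature types
    (tokens, 2-grams, 4-grams) with one another."""
    pts = roc_points(normal, attacks)
    return {"roc": pts, "auc": auc(pts),
            "tpr_at_zero_fpr": detection_rate_at_zero_false_positives(normal, attacks)}


if __name__ == "__main__":
    result = operating_points(NORMAL_SCORES, ATTACK_SCORES)
    for fpr, tpr in result["roc"]:
        print(f"fpr={fpr:.3f} tpr={tpr:.3f}")
    print(f"AUC={result['auc']:.4f}  TPR at zero FPR: {result['tpr_at_zero_fpr']:.2f}")
```

Feeding the scores of one feature type at a time through `operating_points` and plotting the `roc` lists side by side reproduces the comparison in Figure 3; the curve that hugs the top-left corner (highest `tpr_at_zero_fpr`) is the feature type to deploy.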
Alcatel-Lucent Innovation Days – December 2008
Figure 3: ROC curve. [Figure: true-positive rate vs. false-positive rate for 2-grams, 4-grams and tokens as string features.]
Advanced Security Architecture
The advanced security architecture is mainly
characterized by two new major components (see
Figure 4). The SIP anomaly detection module is the
central component. If it identifies a message
anomaly, the message is not processed in the
business SIP stack but is executed in a sandboxed,
secured SIP stack.
In parallel, the SIP message is forwarded on a slow
path to the protection overlay, where offline
processing is performed. Within the protection
overlay a new signature is deduced from a set of
abnormal SIP messages. After signature validation,
the signature is distributed to the second new
component (SIP signature analysis), located in all
border nodes, improving the hardening of all nodes.
Figure 4: Advanced security architecture. [Figure: component labels recovered from the flattened diagram: SIP ABNF Checker, pre-processing, SIP Anomaly Detection Module, SIP Signature Analysis, Execution of Anomaly Detection Decision - Sandbox, SIP stack process, Secured SIP stack process, drop, Protection Overlay (across Border Nodes), SIP anomaly report, new SIP signature.]
Decisions are made on each SIP message without
awareness of any sessions, clients or history. But
application layer attacks may not be found by
verifying stateless SIP messages in isolation from
other valid SIP context information. In addition, the
module should be trained with complemented SIP
message information, where additional proprietary
information fields for session context are appended
as in Figure 5.
Figure 5: State aware SIP anomaly detection. [Figure: labels recovered from the flattened diagram: original SIP message, getting session context, client/session context database, session addressing, Insertion of Additional Session Context, extended Anomaly Detection Module trained for SIP message, Queuing, decision feedback. The assignment of labels between Figures 4 and 5 is approximate.]
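The protection overlay's offline step and the second component, as an added example (illustrative code written for this page, not Bell Labs' implementation): border nodes report anomalous messages to the overlay, the overlay deduces a signature as the longest substring shared by every reported message, validates it by requiring that it never occurs in known-good traffic, and distributes it to all border nodes, whose signature analysis then drops matching messages. The messages, the `BorderNode`/`ProtectionOverlay` classes and the malformed `Route` header are constructed placeholders, not a real attack pattern.

```python
# Added example (not Bell Labs code): signature deduction in the protection
# overlay, validation against known-good traffic, and signature analysis at
# the border nodes. All messages are constructed; the malformed 'Route'
# header is an invented placeholder, not a real attack pattern.


def _msg(method, user, host, extra=""):
    """Constructed SIP request; 'extra' is inserted before Content-Length."""
    return (f"{method} sip:{user}@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 10.0.0.{host}:5060\r\n"
            f"From: <sip:{user}@example.com>\r\n"
            f"Max-Forwards: 70\r\n{extra}Content-Length: 0\r\n\r\n")


NORMAL_TRAFFIC = [_msg("INVITE", "alice", 1), _msg("REGISTER", "bob", 2),
                  _msg("OPTIONS", "carol", 3), _msg("INVITE", "dave", 4)]
BAD_HEADER = "Route: <sip:" + "%" * 24 + ">\r\n"  # constructed malformed header
ANOMALOUS = [_msg("INVITE", "heidi", 7, BAD_HEADER), _msg("REGISTER", "ivan", 8, BAD_HEADER),
             _msg("INVITE", "judy", 9, BAD_HEADER)]


def derive_signature(anomalous, normal, min_len=8):
    """Longest substring present in every anomalous message and in no normal
    message. Scanning lengths downwards yields the most specific signature;
    the check against normal traffic is the validation step."""
    base = min(anomalous, key=len)
    for length in range(len(base), min_len - 1, -1):
        for i in range(len(base) - length + 1):
            cand = base[i:i + length]
            if all(cand in m for m in anomalous) and not any(cand in m for m in normal):
                return cand
    return None


class BorderNode:
    """SIP signature analysis: holds distributed signatures and drops
    matching messages before they reach the anomaly detector."""

    def __init__(self, name):
        self.name = name
        self.signatures = []

    def receive_signature(self, sig):
        if sig and sig not in self.signatures:
            self.signatures.append(sig)

    def inspect(self, message):
        return "drop" if any(sig in message for sig in self.signatures) else "pass"


class ProtectionOverlay:
    """Collects anomaly reports from the border nodes (slow path) and
    distributes one validated signature back to every node."""

    def __init__(self, nodes, baseline):
        self.nodes, self.baseline, self.reports = nodes, baseline, []

    def report_anomaly(self, message):
        self.reports.append(message)

    def update_signatures(self):
        sig = derive_signature(self.reports, self.baseline)
        for node in self.nodes:
            node.receive_signature(sig)
        return sig


def run_scenario():
    """Anomalies seen at one node harden all nodes: returns the derived
    signature and the verdicts of a node that never saw the anomalies."""
    nodes = [BorderNode(f"border-{i}") for i in range(3)]
    overlay = ProtectionOverlay(nodes, NORMAL_TRAFFIC)
    for msg in ANOMALOUS:
        overlay.report_anomaly(msg)  # reported by border-0 in this story
    sig = overlay.update_signatures()
    other = nodes[2]
    return sig, [other.inspect(m) for m in ANOMALOUS], [other.inspect(m) for m in NORMAL_TRAFFIC]


if __name__ == "__main__":
    signature, bad, good = run_scenario()
    print(repr(signature))
    print("anomalous:", bad, "normal:", good)
```

The derived signature stretches into the well-formed headers on either side of the malformed one because those bytes are also common to all reports; what keeps it from matching normal traffic is the validation against the baseline, which is why the poster places signature validation before distribution.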
Scenario
The demo scenario shows the ‘zero day’ SIP attack
detection capability of the self-learning algorithm.
Benefit: This Bell Labs innovation is the first
available protection of NGN and IMS networks from
unknown SIP-based message attacks.
Contact:
[email protected]
Bell Labs, Germany - SIRD Domain
Summary:
The ability to detect attacks is essential to the security
of NGN and IMS infrastructures. The architecture proposed
for increasing the protection of IMS border nodes against
unknown attacks integrates an anomaly detection component
capable of efficiently identifying malicious attacks carried
out via SIP traffic. This component is reinforced by an
automatic signature generation function, which can be
deployed for an entire site or domain. Experimental
evaluations of this architecture, carried out under real
SIP traffic conditions, confirmed the reliability of the
system's detection capabilities (up to 99%).
The underlying principles of this proposal, which consist
of embedding SIP messages in a high-dimensional feature
space and performing similarity-based operations, can be
used for many other IMS applications. Future work will
focus on using, in the learning algorithms, semantic
information generated at each stage of SIP processing, to
offer even greater performance and reliability.