SIP Firewall
Self-Learning SIP Anomaly Detection Algorithm and Architecture (SIP Firewall)
Protecting SIP Networks From Attack
BELL LABS Research Project

Context

Deployment of network and application services based on the IP Multimedia Subsystem (3GPP IMS) is a key networking trend. Yet the SIP-based control protocols of IMS IP core networks have left communication and data services exposed to growing security dangers, so there is a critical need for guarantees of SIP-level integrity. Providing such guarantees, that is, protecting IMS servers against malicious SIP attacks, poses major technical challenges.

Challenge

First appearances of previously unknown ('zero day') SIP attacks can have a severe impact on service availability. Zero day attack protection, while more powerful, is harder to build than a typical Internet firewall, which recognizes attacks by matching the signature patterns of known attacks through deep packet inspection of incoming messages. Zero day threats demand immediate detection and elimination of harmful messages without prior knowledge of the attack design. A further challenge is that attacks may be hidden in single messages or spread across message sequences, and both need rapid analysis. The proposed solution is the first available protection for NGN/IMS providers against such attacks.

SIP Anomaly Detection Algorithm

Anomaly detection methods identify abnormal events based on a learned model of normality. Most anomaly detection methods are defined for vectorial data and are therefore not directly applicable to SIP protection. To address this, a technique was derived to embed SIP messages in a vector space. A SIP message is characterized by the frequencies of the feature strings it contains, where the frequency acts as a measure of a feature's importance. This feature set cannot be defined a priori, however, because the patterns of unknown and novel attacks are impossible to determine in advance.
Instead, the feature strings are defined implicitly through the definitions of tokens and n-grams. A so-called kernel function maps SIP messages into a linear vector space, where theory-based machine-learning methods are applied for anomaly detection. The simplest geometric model of normality uses a single hypersphere: it places a hypersphere around a training set of feature vectors, which are the SIP messages transformed into the linear vector space (see Figure 2).

Figure 2: Geometric Anomaly Detection.

Innovation

The Alcatel-Lucent Bell Labs solution (patent pending) combines novel self-learning algorithms with SIP message processing and a protection overlay to create zero day protection. Figure 1 shows a SIP/IMS-based core network with security border nodes. It has typical security functions and uses a self-learning algorithm for zero day anomaly detection, with the detection module embedded in the node's security processing pipeline. An additional protection overlay among the border nodes creates new attack signatures from detected anomalies and provides increased security for all border nodes.

Figure 1: Network view. A SIP/IMS based core network (AS, S-CSCF, I-CSCF, HSS, MRFP, MRFC, MGCF, BGCF) surrounded by border nodes and an access network (AN), with a protection overlay across the border nodes. Labels recovered from the diagram: zero day anomaly detected; SIP anomaly report; new signature; numbered steps 1 to 4.

Experiments were conducted on realistic SIP message traffic and on traffic generated by a testing tool. Figure 3 shows the detection performance averaged over independent samples of evaluation data using 2-grams, 4-grams and tokens as string features. The receiver operating characteristic (ROC) curves show the true-positive rate against the false-positive rate for different thresholds. High detection accuracy lies in the top left of a ROC curve and is reached with the 4-gram features: about 99% of attacks are detected with no false positives, although all attacks were previously unknown.
Figure 3: ROC curve.

Advanced Security Architecture

The advanced security architecture is characterized mainly by two new major components (see Figure 4). The SIP anomaly detection module is the central component. If it identifies any message anomaly, the message is not processed in the business SIP stack but is executed in a sandboxed, secured SIP stack. In parallel, the SIP message is forwarded on a slow path to the protection overlay, where offline processing is performed. Within the protection overlay a new signature is deduced from a batch of abnormal SIP messages. After signature validation, the signature is distributed to the second new component (SIP signature analysis), located in all border nodes, which improves the hardening of all nodes.

Figure 4: Advanced security architecture.

Decisions are made on each SIP message without awareness of any session, client or history. Application layer attacks, however, may not be found by verifying stateless SIP messages in isolation from other valid SIP context information. The module should therefore be trained with complemented SIP message information, where additional proprietary information fields for session context are appended as in Figure 5.

Figure 5: State aware SIP anomaly detection.

Labels recovered from the diagrams of Figures 4 and 5: SIP ABNF checker; pre-processing; session addressing; client/session context; anomaly database; getting session context; insertion of additional session context; original SIP message; SIP signature analysis; SIP anomaly detection module (extended decision, feedback, drop); queuing; execution in a sandbox SIP stack process versus the secured SIP stack process; anomaly report to, and new SIP signature from, the protection overlay (across border nodes).

Scenario

The demo scenario shows the 'zero day' SIP attack detection capability of the self-learning algorithm.
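To make the algorithm section concrete, the following is an added Python example (not the poster's or Bell Labs' code): it embeds SIP messages as n-gram or token frequency vectors, fits a single-hypersphere model of normality on benign messages, scores unseen messages by their distance from the centre, and computes the true-positive and false-positive rates at a threshold, as in the ROC curves of Figure 3. The poster does not specify the kernel or how the radius is chosen; the Euclidean distance on relative-frequency vectors and the radius set to the largest training distance are this example's assumptions. All SIP messages, host names and addresses below are constructed for the example.

```python
# Added example (not from the poster): n-gram embedding of SIP messages,
# single-hypersphere model of normality, and ROC-style evaluation.
# All SIP samples are constructed; example.net / 192.0.2.10 are documentation values.
from collections import Counter
from math import sqrt


def ngram_features(message: str, n: int = 4) -> dict:
    """Relative frequency of every character n-gram in the message.
    The feature set is implicit: whichever n-grams occur define the dimensions."""
    if len(message) < n:
        return {}
    counts = Counter(message[i:i + n] for i in range(len(message) - n + 1))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}


def token_features(message: str) -> dict:
    """Alternative embedding: relative frequency of whitespace-delimited tokens."""
    tokens = message.replace("\r\n", " ").split()
    counts = Counter(tokens)
    return {t: c / len(tokens) for t, c in counts.items()}


def distance(a: dict, b: dict) -> float:
    """Euclidean distance between two sparse feature vectors (assumed metric)."""
    keys = set(a) | set(b)
    return sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in keys))


class HypersphereModel:
    """Centre = mean of the training vectors; radius = largest training distance."""

    def __init__(self, features=ngram_features):
        self.features = features
        self.centre = {}
        self.radius = 0.0

    def fit(self, normal_messages):
        vecs = [self.features(m) for m in normal_messages]
        centre = Counter()
        for v in vecs:
            for k, val in v.items():
                centre[k] += val / len(vecs)
        self.centre = dict(centre)
        self.radius = max(distance(v, self.centre) for v in vecs)
        return self

    def score(self, message: str) -> float:
        """Distance of the message from the centre of normality."""
        return distance(self.features(message), self.centre)

    def is_anomaly(self, message: str, threshold=None) -> bool:
        """Flag messages outside the hypersphere (or beyond a chosen threshold)."""
        t = self.radius if threshold is None else threshold
        return self.score(message) > t


def roc_points(model, normal, attacks, thresholds):
    """(false-positive rate, true-positive rate) per threshold, one point of a ROC curve."""
    points = []
    for t in thresholds:
        tpr = sum(model.score(m) > t for m in attacks) / len(attacks)
        fpr = sum(model.score(m) > t for m in normal) / len(normal)
        points.append((fpr, tpr))
    return points


def sip_invite(user: str, call_id: str) -> str:
    """Constructed benign INVITE used as training/evaluation traffic."""
    return (
        f"INVITE sip:{user}@example.net SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        "From: <sip:caller@example.net>;tag=1928\r\n"
        f"To: <sip:{user}@example.net>\r\n"
        f"Call-ID: {call_id}@192.0.2.10\r\n"
        "CSeq: 1 INVITE\r\n"
        "Contact: <sip:caller@192.0.2.10>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


TRAINING = [sip_invite(u, f"c{i}") for i, u in
            enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
HELD_OUT_NORMAL = sip_invite("grace", "c7")
# Constructed malformed messages unlike anything in the training set: an
# oversized Contact user part and a run of duplicated Via headers.
ATTACKS = [
    sip_invite("alice", "c8").replace("sip:caller@192.0.2.10>",
                                      "sip:" + "A" * 400 + "@192.0.2.10>"),
    "INVITE sip:alice@example.net SIP/2.0\r\n"
    + "Via: SIP/2.0/UDP 192.0.2.10\r\n" * 40 + "\r\n",
]


def evaluate(n: int = 4) -> dict:
    """Train on the benign samples and report scores and the ROC point at the radius."""
    model = HypersphereModel(lambda m: ngram_features(m, n)).fit(TRAINING)
    return {"radius": model.radius,
            "held_out_normal": model.score(HELD_OUT_NORMAL),
            "attacks": [model.score(a) for a in ATTACKS],
            "roc_at_radius": roc_points(model, TRAINING, ATTACKS, [model.radius])}


if __name__ == "__main__":
    for n in (2, 4):
        print(f"{n}-grams:", evaluate(n))
```

Sweeping the threshold in `roc_points` over a range of values traces the whole ROC curve; the radius itself is the operating point at which no training message is flagged, and the gap between the held-out benign score and the malformed-message scores is what gives the detector its margin for previously unseen input.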
Benefit: This Bell Labs innovation is the first available protection of NGN and IMS networks from unknown SIP-based message attacks.

Contact: [email protected]
Bell Labs, Germany - SIRD Domain

Summary: The ability to detect attacks is essential to the security of NGN and IMS infrastructures. The architecture proposed to increase the protection of IMS border nodes against unknown attacks integrates an anomaly detection component capable of efficiently identifying malicious attacks carried in SIP traffic. This component is reinforced by an automatic signature generation function, which can be deployed for an entire site or domain. Experimental evaluations of this architecture, carried out under real SIP traffic conditions, confirmed the reliability of the system's detection capabilities (up to 99%). The underlying principles of this proposal, which consist of embedding SIP messages in a high-dimensional feature space and performing similarity-based operations, can be used for many other IMS applications. Future work will address the use, in the learning algorithms, of semantic information generated at each stage of SIP processing, to deliver even higher performance and reliability.

Alcatel-Lucent Innovation Days – December 2008