Research on Key Technologies of Intrusion Detection and Prevention Systems in SIP Networks
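Abstract
With the large-scale deployment and commercial use of the IP Multimedia Subsystem (IMS), the core position of IMS in the Next Generation Network (NGN) is firmly established, and the security of the Session Initiation Protocol (SIP) within IMS has become the first issue that major carriers at home and abroad must consider when offering value-added services. At present most carriers use a session border controller (SBC) as the secure, controllable network access device for fixed-network IP. However, the SBC mainly performs topology hiding, media stream shaping, NAT traversal, access control and media encryption; it cannot perform real-time detection and prevention on fixed-network IP. A SIP-based intrusion detection and prevention system is an intelligent, active solution: it uses efficient detection algorithms to detect SIP intrusions promptly and applies response measures to block or mitigate them in real time, protecting the SIP server/IMS system from substantive malicious attacks. This thesis studies several key technologies of intrusion detection and prevention systems in SIP networks. The main work and results are as follows:
     1. With reference to the RFC 3261 specification and the rule definitions of the SIP protocol, a secure rule-based method for detecting and defending against malformed SIP messages is proposed, and a defense system for fast detection of SIP malformed-message attacks is designed. Malformed SIP messages and the malformed-message attack process are analyzed; a general data model is abstracted from the characteristics of SIP; and, drawing on the Snort and Netfilter frameworks, an efficient detection and prevention system for malformed SIP messages is implemented at the Linux kernel layer.
     2. Based on an in-depth study of the principles, forms and characteristics of SIP DoS attacks and of the typical flooding attacks faced by SIP networks, a defense model for SIP single-source flooding attacks is designed that combines dynamic threshold adjustment with real-time dynamic defense. The traffic characteristics of SIP flooding attacks are analyzed. For real-time defense against SIP DoS attacks, a traffic anomaly detection algorithm based on a sliding time window and a dynamic threshold adjustment algorithm are proposed, and a time penalty algorithm is used to reduce the false positive rate. With the detection and defense provided by this model, the system can effectively prevent the SIP server/IMS system from being attacked when a SIP single-source flooding attack occurs, ensuring real-time network availability.
     3. An attack mitigation method based on security level settings is proposed. Based on the characteristics of the SIP protocol and the history of SIP messages, SIP messages are classified into security levels by their history and by the protocol itself, and traffic monitoring is used to detect flooding attacks. When a distributed flooding attack occurs, the impact of the attack is reduced by setting an appropriate security level, and the method is applied in the two-level DoS defense architecture.
     4. A two-level defense architecture against SIP distributed flooding attacks (TDASDFA) is proposed, consisting of a first-level defense subsystem (FDS) and a second-level defense subsystem (SDS). The FDS performs coarse-grained detection and defense on the SIP signaling stream, filtering non-VoIP messages and dropping SIP signaling from IP addresses that exceed a specified rate, to ensure service availability. The SDS performs fine-grained detection and defense on the SIP signaling stream, using the security-level-based mitigation method to detect and filter malicious attacks with obvious DoS characteristics and low-rate attacks. FDS and SDS work together to monitor network conditions in real time and weaken SIP distributed flooding attacks.
     5. To address the real-time requirements of SIP instant messaging, the behavioral characteristics of such messages in SIP networks and the efficiency of black/white list processing are studied, and a SPIM detection and defense model based on social networks and a black/white list mechanism is proposed. The model combines a social-network-based recognition model with an improved black/white list mechanism and uses an automatic update algorithm to update the social-network-based recognition model, improving detection performance and detection accuracy for SIP spam instant messages.
     Finally, a two-layer fusion classifier detection and defense mechanism is proposed; the research results are applied to each part of the fusion classifier, and experiments verify the feasibility and effectiveness of the designed mechanism.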
With the large-scale development and application of the IP Multimedia Subsystem (IMS), IMS has become a core control element in the Next Generation Network (NGN). Meanwhile, the security of the Session Initiation Protocol (SIP) in IMS has become a most important problem that major carriers at home and abroad must consider when they provide a wide range of value-added services. At present, most carriers mainly use a session border controller (SBC) as the secure network access equipment for the fixed-IP network. However, the SBC mainly performs topology hiding, media stream shaping, NAT traversal, access control and media encryption, and it cannot perform real-time detection and prevention in the fixed-IP network. A SIP-based intrusion detection and prevention system is an intelligent, active system that detects SIP intrusions with efficient detection algorithms and terminates or mitigates them in real time through some response; it is an intelligent solution that protects the SIP/IMS system in real time against substantive attacks in the SIP network. Some key technologies of intrusion detection and prevention systems in SIP networks are researched. The main work and contributions are as follows.
     1. Taking the technical specifications defined by RFC 3261 as reference and following the rule definitions for SIP, a safe rule-based detection and prevention method against SIP malformed messages is presented, and a defense system for rapid detection of SIP malformed message attacks, which uses this method, is designed. According to the characteristics of the SIP protocol, a common data model is abstracted. Drawing on the experience of the Snort and Netfilter architectures, an efficient detection and prevention system against SIP malformed message attacks is implemented in the Linux kernel layer.
     2. Through in-depth analysis of the principle, mode and characteristics of SIP DoS and of the flooding attacks in SIP networks, a prevention model that combines dynamic threshold adjustment with real-time dynamic prevention for SIP flooding attacks is proposed. By analyzing the flow characteristics of SIP flooding attacks, a traffic anomaly detection algorithm based on a sliding time window and a dynamic threshold adjustment algorithm are designed, while a time penalty algorithm is used to reduce false positives. A SIP/IMS system that deploys the detection and prevention model can effectively prevent the possibility of the SIP/IMS system being attacked by SIP single-source flooding messages, and the designed detection and prevention model can ensure real-time network availability.
     3. To reduce the impact of SIP distributed flooding attacks on the SIP/IMS system, a mitigation method based on security level for SIP distributed flooding attacks is proposed. According to the SIP characteristics and the historical record of SIP messages, SIP messages are classified in accordance with the SIP session history records and SIP itself, and attacks are alarmed by traffic monitoring. When a distributed flooding attack occurs, the mitigation method sets a suitable security level to weaken the impact of the attack, and this method is applied in the two-level DoS defense architecture.
     4. A two-level defense architecture against SIP distributed flooding attacks (TDASDFA) is presented. Two defensive components logically make up the TDASDFA: the first-level defense subsystem (FDS) and the second-level defense subsystem (SDS). The FDS performs coarse-grained detection and defense on the SIP signaling stream, filtering out non-VoIP messages and discarding SIP messages from IP addresses that exceed the specified rate, to ensure service availability. The SDS performs fine-grained detection and defense on the SIP messages, using the mitigation method based on security level to identify cunning attacks and low-flow attacks with obvious features of malicious DoS attacks. FDS and SDS detect and defend together, monitoring network status in real time, to weaken SIP distributed flooding attacks.
     5. To solve the real-time problem for SIP instant messaging (SPIM), the behavioral characteristics of SPIM in SIP networks and the detection efficiency of the black/white list mechanism are discussed, and a SPIM detection and prevention model based on social networks and a black/white list mechanism is proposed. The model combines the recognition model based on the social network with the improved black/white list mechanism, and it is automatically updated using an auto-update algorithm. As a result, the detection performance and detection accuracy for SIP SPIM are improved.
     Finally, a detection and prevention mechanism based on a two-layer convergence classifier is proposed. The previous research contributions are applied to the various parts of the convergence classifier, and the feasibility and effectiveness of the designed mechanism are verified.
