一种基于SIP的VoIP通信安全框架

该文分析了基于SIP的VoIP安全问题,阐述了SIP基本网络模型和多层安全认证机制,提出了一种基于SIP的企业级VoIP安全框架,分析表明该框架可以消除VoIP通信存在的安全隐患。     

基于SIP的VoIP的移动性研究

SIP协议提供了一个全新的支持会话的移动性的概念.几个无线技术论坛,比如3GPP2,已经决定采用SIP作为移动因特网会话管理的基础,但其QoS、性能和故障率并没有达到最优.如今已经成熟的GSM/UMTS移动通信已经对终端移动性树立了一个典范.利用这个事实作为依据,本文对SIP的移动性技术做了新的研究,并且分析了性能负担、加密和故障恢复等.这必将是SIP移动性的一个更有效的运作方式.     

基于SIP协议的VoIP中的威胁、风险和控制

IP语音技术(VoIP)的来临和推动有极大改变电信面貌的潜力。然而,作为一个相对较新的技术,VoIP仍然面临着来自技术和社会的各种安全困扰。在本文中,提出了基于SIP协议的VoIP技术中存在的主要威胁和弱点。此外,将讨论一些应该在企业VoIP系统中实施的安全规定、政策和健全做法。     

Inexpensive high availability solutions for the SIP-based VoIP service

In the era of IP-based service, people expect a simple, cheap, and competent Voice over IP (VoIP) service as an alternative of the traditional voice over PSTN. The introduction of the SIP protocol realizes the expectation. Following the cost saving spirit of VoIP, we focus on studying inexpensive high availability solutions for the SIP-based VoIP Service. In this paper, Peer-to-Peer (P2P) based and DN-LB based schemes are mainly compared in the paper. A P2P-based scheme enables an inexpensive high availability solution to the VoIP service by the shared computation resources form P2P nodes. Such a P2P-based solution may be appropriate for an individual VoIP user. However, a caller may take a large volume of messages to find out a callee via the proxy nodes in the P2P network. This inherent property of a P2P network may induce the message overhead and long call setup delay. Based on above, another inexpensive scheme, which is a probing-based name resolution solution, is proposed to achieve high availability and load balancing for the VoIP service. We tag the probing mechanism onto the open source project Domain Name Relay Daemon (DNRD) to become a domain name resolution based load balancer (DN-LB). With DN-LB, all request messages from clients can be fairly distributed to all failure-proof proxy servers in the server farm without using any additional costly intermediate network device and changing the standard SIP architecture. Such a DN-LB based solution may be a good choice for a VoIP service provider.     

一种基于SIP的自适应端到端VoIP系统设计与实现

VoIP应用程序可以以相对低廉的价格,为用户提供优质的语音甚至是视频实时通信服务,然而,IETF提供的请求/应答机制在当前充满NAT的网络环境面前,经常无法正常工作.目前的解决方案都是基于STUN协议的,而该协议会周期性地发出心跳消息以维持公网和私网地址的映射关系;这些消息对VoIP服务器来说是一种极大的资源浪费,设计并实现了一种基于SIP的自适应端到端通信系统,支持NAT下的端到端VoIP通信.系统扩展了SDP请.求/应答模型,使其能够令一个会话中的各个端用户交换公网和私网地址/端口号.通过实现一个实际系统证明了该扩展方案的可行性.一系列实验证明了提出的系统相比其它基于超级结点转发机制的VoIP应用在效率和表现上的优越性.     

基于SIP的VoIP网络中DoS攻击的分析与研究

SIP协议是NGN中的重要协议之一,它在Internet环境下建立并管理会话,正以迅猛的速度改变当今企业及各种机构的沟通方式,因此对SIP协议安全性的研究也就显得格外重要.尽管多年来全球无数网络安全专家都在潜心研究DoS攻击的解决办法,但到目前为止收效不大,因为DoS攻击利用了协议本身的弱点.研究了针对VoIP环境下的DoS攻击,在简单介绍SIP协议和DoS攻击的基础上,详细地描述了基于SIP的VoIP网络环境中的DoS攻击的多种攻击类型,并给出针对这些攻击的网络安全维护对策.     

Securing SIP-based VoIP infrastructure against flooding attacks and Spam Over IP Telephony

Security of session initiation protocol (SIP) servers is a serious concern of Voice over Internet (VoIP) vendors. The important contribution of our paper is an accurate and real-time attack classification system that detects: (1) application layer SIP flood attacks that result in denial of service (DoS) and distributed DoS attacks, and (2) Spam over Internet Telephony (SPIT). The major advantage of our framework over existing schemes is that it performs packet-based analysis using a set of spatial and temporal features. As a result, we do not need to transform network packet streams into traffic flows and thus save significant processing and memory overheads associated with the flow-based analysis. We evaluate our framework on a real-world SIP traffic—collected from the SIP server of a VoIP vendor—by injecting a number of application layer anomalies in it. The results of our experiments show that our proposed framework achieves significantly greater detection accuracy compared with existing state-of-the-art flooding and SPIT detection schemes.     

Managing vulnerabilities in networked systems

Most organizations recognize the importance of cyber security and are implementing various forms of protection. However, many are failing to find and fix known security problems in the software packages they use as the building blocks of their networks and systems, a vulnerability that a hacker can exploit to bypass all other efforts to secure the enterprise. The Common Vulnerabilities and Exposures (CVE) initiative seeks to avoid such disasters and transform this area from a liability to a key asset in the fight to build and maintain secure systems. Coordinating international, community-based efforts from industry, government and academia, CVE strives to find and fix software product vulnerabilities more rapidly, predictably, and efficiently. The initiative seeks the adoption of a common naming practice for describing software vulnerabilities. Once adopted, these names will be included within security tools and services and on the fix sites of commercial and open source software package providers. As vendors respond to more users requests for CVE-compatible fix sites, securing the enterprise will gradually include the complete cycle of finding, analyzing, and fixing vulnerabilities     

Signaling vulnerabilities in wiretapping systems

Many law enforcement wiretap systems are vulnerable to simple, unilateral countermeasures that exploit the unprotected in-band signals passed between the telephone network and the collection system. This article describes the problem as well as some remedies and workarounds.     

On the performance of secure user-centric VoIP communication

Motivated by the increased Wi-Fi coverage in metropolitan areas and the emergence of user-centric wireless access schemes, we focus on the provision of secure, user-centric voice services and explore their potential performance-wise, by designing a VoIP communications scheme tailored to open-access wireless environments, but also with wider applicability, and experimenting with it to estimate its upper bounds on VoIP capacity, under constraints posed by user-centrism; operation at low-cost and on user-controlled equipment, minimal dependence on centralized entities, and tackling specific security challenges. We identify quality degradation factors and quantify their importance by simple analysis and experimentation, showing that typical user Wi-Fi equipment can sustain a satisfactory number of concurrent secure VoIP sessions with acceptable Quality of Experience and, at the same time, protection from malicious user activity can be offered to access providers, while a level of roaming privacy can be guaranteed.     

On the capability of static code analysis to detect security vulnerabilities

Context: Static analysis of source code is a scalable method for discovery of software faults and security vulnerabilities. Techniques for static code analysis have matured in the last decade and many tools have been developed to support automatic detection.Objective: This research work is focused on empirical evaluation of the ability of static code analysis tools to detect security vulnerabilities with an objective to better understand their strengths and shortcomings.Method: We conducted an experiment which consisted of using the benchmarking test suite Juliet to evaluate three widely used commercial tools for static code analysis. Using design of experiments approach to conduct the analysis and evaluation and including statistical testing of the results are unique characteristics of this work. In addition to the controlled experiment, the empirical evaluation included case studies based on three open source programs.Results: Our experiment showed that 27% of C/C++ vulnerabilities and 11% of Java vulnerabilities were missed by all three tools. Some vulnerabilities were detected by only one or combination of two tools; 41% of C/C++ and 21% of Java vulnerabilities were detected by all three tools. More importantly, static code analysis tools did not show statistically significant difference in their ability to detect security vulnerabilities for both C/C++ and Java. Interestingly, all tools had median and mean of the per CWE recall values and overall recall across all CWEs close to or below 50%, which indicates comparable or worse performance than random guessing. While for C/C++ vulnerabilities one of the tools had better performance in terms of probability of false alarm than the other two tools, there was no statistically significant difference among tools’ probability of false alarm for Java test cases.Conclusions: Despite recent advances in methods for static code analysis, the state-of-the-art tools are not very effective in detecting security vulnerabilities.     

基于SIP协议的远程教学系统的实现

SIP协议(Session Initiation Protocol)作为一种应用层的信令控制协议具有灵活、方便、易扩展的特性。文章针对目前远程教学系统灵活度不够的问题，综合SIP协义的特性，提出了一种基于SIP协议的远程教学系统。     

基于SIP的事件通知模型设计

SOAP协议提供一种新的RPC手段,有助于实现事件通知,在一定范围内能改善CORBA／DCOM技术的不足。文章分析了CORBA／DCOM的局限性,在该基础上提出了一个新的事件通知模型,并结合实例深入分析了如何运用SIP和SOAP构造事件通知系统。     

基于SIP的网络家电安全解决方案

在分析网络家电现有安全问题的基础上,提出一种新的滑动窗口算法,深入分析算法的工作原理.在与公私钥安全方案对比的基础上,用实验论证此算法作为网络家电安全访问方案的高效性.     

基于SBC的SIP网络互通的研究

本文讨论了在Firewall和NAT环境下,部署大范围基于SIP的语音和多媒体业务的过程中引发的问题,并就如何在保证用户安全性不受影响的前提下为位于防火墙(Firewall)和网络地址转换(NAT,Network Address Translation)设备之后的终端用户提供业务接入问题进行了研究.然后引出并详细介绍基于会话边界控制(Session Border Control)的SIP多媒体网络安全互通的解决方案,具有较高的实用价值.     

IEEE 802.16中改进的VoIP服务调度算法设计

提出了一种应用于IEEE 802.16系统的改进的VoIP服务上行链路调度算法,此算法是一种基于语音活动检测的调度算法,BS根据SS的语音状态转换来分配上行链路资源。它可以弥补传统的调度算法中的一些不足,例如对上行链路资源的浪费、增大MAC负载和引入附加的接入时延等。就系统的吞吐量和接入时延两方面分别对传统的算法和提出的算法作了具体地分析和仿真,结果表明,提出的算法在吞吐量和系统容量方面具有更优的性能。