SIP DDoS分布式入侵防御系统及其负载均衡策略

对SIP DDoS攻击的原理和检测算法进行研究,结合SIP协议本身的特点和一般网络中的分布式入侵防御系统,提出一种在高效防御SIP DDoS攻击的同时使用检测算法检测攻击的分布式防御系统,并为该系统设计了负载交互流程和防火墙模块.根据SIP负载均衡算法和检测算法的要求,为分布式防御系统设计了两级负载均衡策略并给出了实现方法,其中一级负载均衡模块根据SIP消息的头域进行转发,保证对话的完整性和检测算法的要求;二级负载均衡模块根据防御检测节点负载进行转发,保证防御检测节点的负载均衡特性.仿真实验结果表明系统的两级负载均衡算法能够在保证检测算法要求的前提下表现出良好的负载均衡特性.     

一种基于P2P的IP网络分层移动性管理方法

针对传统网络技术不适合移动通信且移动IP和SIP有单失效点固有缺陷的问题,文章提出了一种基于对等网络的IP网络分层移动性管理方法.该方法首先将问题结构定义为本地接入域网络和Internet全局网络两层模型,使用本地和全局两级覆盖网来处理该模型中接入网内的水平切换和跨接入网的垂直切换,并使用HIP协议来解耦静态主机标识和实际的网络位置.文章通过仿真实验指明将对等网络与移动性管理相结合的方法可以有效改善网络的可扩展性,并且信令开销和时延增加较少,此外HIP协议还为应用提供了透明的移动性和安全性的支持.     

基于SIP协议的VOIP用户代理研究

为了解决传统的VOIP系统组网复杂、灵活性不佳的问题,对目前的SIP技术和STUN技术进行了研究。利用STUN技术解决了内网IP端口到公网IP端口转换问题。以开源Lumisoft SIP为核心,结合RTP/RTCP相关技术,设计了一种基于SIP协议的VOIP UA用户代理系统模型。实现了通过访问网络上的SIP用户代理或者SIP音乐服务器,为网络用户提供便捷的网络语音、音乐点播等服务。实验表明,基于SIP的VOIP网络结构更简单,更灵活。     

对等网络(Peer-to-Peer,P2P)综览

与PUSH技术一样,P2P会使我们应用网络的方式发生革命性的变化;与PUSH技术一样,P2P会改变网络的内容传输模式;与PUSH技术一样,P2P将掀起一股投资热潮……然而,与PUSH技术类似,P2P也面临着巨大的困境;象PUSH技术一样,P2P提供了一个出售网络内容的新方法,但这也是人们完全不愿为之付出代价的服务。 1999年以来,Intel制定了旨在推动P2P技术发展的庞大计划;风险投资商们对这一领域的态度却莫衷一是。Napster的知识产权问题,Gnutella的迅速成功……P2P到底是不是最新的PUSH技术?     

分布式容错SIP协议栈的设计

SIP从20世纪90年起一经使用,就彻底改进了人们使用融合服务彼此进行通信的方式。会话初始协议提供了在网络上无缝透明传递声音、视频、数据和无线服务的框架结构。但SIP应用的可靠性的研究还处于初级阶段。文章阐述一种分布式容错SIP协议栈的实现方式,以方便可靠的SIP网络的设计和构建,从而使得SIP服务的用户得到更好的服务体验。     

下一代网络多媒体会话中H.248与SIP之间协议协作的研究

H.248和SIP是下一代电信网络的两个核心协议,通过H.248和SIP之间的协作来完成多媒体会话的建立、调整和删除是在下一代网络中实现多媒体业务需面临的重要问题。文章在深入研究H.248和SIP协议的基础上针对协议协作的应用环境抽象了一个协作模型。依据此模型,对两方多媒体会话和多方多媒体会话中各信令交互阶段H.248和SIP之间的协作进行了详细阐述。对H.248和SIP协议之间协作的研究可以应用到下一代电信网络的工程技术领域。     

基于SIP的域间网络会议系统

在会话初始协议（SIP）和一般网络会议模型的基础上,设计了一种用于域间会议的双层SIP网络会议管理系统,并给出了其功能实现。还提出了一个新的SIP协议扩展方案。     

基于SIP的嵌入式网络可视电话的研究与实现

SIP(Session Initiation Protocol)是下一代网络(NGN)的核心控制协议之一.文章介绍了以SIP作为基础的嵌入式网络可视电话的结构设计,并提出了实验模型.     

基于SIP B2BUA的媒体服务器的集成

媒体服务器的集成,不仅要提升服务性能,还需要解决不同媒体服务模块之间的通信问题.提出两种基于应用层负载调度的模式,SIP Server分发模式和服务代理模式,SIP Server分发模式通过SIP Server服务器作为信令转发器,负责多台媒体服务器的信令分发,提升了服务器的性能,服务代理模式通过在媒体服务器中添加代理模块,解决了两个服务模块之间的通信问题.     

SIP多媒体网络模型在Windows平台上的实现

SIP多媒体网络模型包括各种类型的SIP服务器及SIP终端。文章分析了SIP协议的特点和优势，描述了Windows平台SIP多媒体网络的构架，提出了多用途SIP服务器的实现以及SIP终端的实现过程。     

A SIP servlets-based framework for service provisioning in stand-alone MANETs

Mobile Ad hoc Networks (MANETs) are transient networks formed dynamically by a collection of arbitrarily located wireless mobile nodes without relying on any existing network infrastructure or centralized administration. They are either stand alone or connected to a fixed infrastructure such as 3G. They are useful in situations such as natural disasters, and their use is gaining more and more momentum. This paper proposes a framework for service provisioning in stand-alone MANETs. It focuses on the invocation and execution phases of the service life cycle. The framework is based on SIP servlets and comprises a novel business model and an overlay network. The business model enables service invocation and execution. The overlay network is used for service execution and is based on a distributed SIP servlets engine. Validation aspects are also discussed.     

A framework for identity privacy in SIP

Secure multimedia delivery in modern and future networks is one of the most challenging problems towards the system integration of fourth generation (4G) networks. This integration means that different service and network providers will have to interoperate in order to offer their services to end users. This multidomain environment poses serious threats to the end user who has contract with, and trusts only a limited number of operators and service providers. One such threat is end users’ privacy on which we will focus in this paper. Probably the most promising protocol for multimedia session management is the Session Initiation Protocol (SIP), which is an application layer protocol and thus can operate on top of different lower layer technologies. SIP is quite popular and a lot of research has been conducted; however, it still has some security issues, one of which is related to privacy and more particularly the protection of user identities (IDs). In this paper we comment on the ID privacy issue of SIP and propose a framework called PrivaSIP that can protect either the caller's ID or both the caller's and the callee's IDs in multidomain environments. We present different implementations of our framework based on asymmetric and symmetric cryptography analyzing the pros and cons of each one of them. Furthermore, we provide performance measurements in order to estimate the performance penalty of our framework over standard SIP. The most significant advantage of our method is that it can assure user ID protection even when SIP messages are transmitted through untrusted SIP domains, while our results show that this can be achieved with no perceived delay by the end user.     

PrivaSIP: Ad-hoc identity privacy in SIP

In modern and future networks that belong to different providers, multimedia protocols will have to operate through multiple domains. In such an environment security is considered a crucial parameter; this is true especially for privacy since not all domains can be considered trusted beforehand in terms of personal data protection. Probably the most promising protocol for multimedia session management is SIP. While SIP is popular and a lot of research has been conducted, it still has some security issues, one of which is related to privacy and more particularly the protection of user identities (IDs). In the general case everybody can reveal the communicating parties IDs by simply eavesdropping on the exchanged SIP messages. In this paper we analyze the lack of user ID protection in SIP and propose two solutions; in the first the ID of the caller is protected while in the second both IDs of the caller and the callee are protected. Our work also includes performance results and extensive comparison with similar methods. The most significant advantage of our method is that it can assure user ID protection even when SIP messages are transmitted through untrusted SIP domains before reaching the Home Domain of the user or another trusted domain. Moreover, it does not require from the SIP Proxy server to maintain state information for exchanged SIP requests and respective responses.     

A study of performance and scalability metrics of a SIP proxy server – a practical approach

In recent years, Internet Protocol (IP) telephony has been a real alternative to the traditional Public Switched Telephone Networks (PSTN). IP telephony offers more flexibility in the implementation of new features and services. The Session Initiation Protocol (SIP) is becoming a popular signalling protocol for Voice over IP (VoIP) based applications. The SIP proxy server is a software application that provides call routing services by parsing and forwarding all the incoming SIP packets in an IP telephony network. The efficiency of this process can create large scale, highly reliable packet voice networks for service providers and enterprises. We established that the efficient design and implementation of the SIP proxy server architecture can enhance the performance characteristics of a SIP proxy server significantly. Since SIP proxy server performance can be characterised by its transaction states of each SIP session, we emulated the $M/M/1$ performance model of the SIP proxy server and studied some of the key performance benchmarks such as average response time to process the SIP calls, and mean number of SIP calls in the system. We showed its limitations, and then studied an alternative $M/M/c$ based SIP proxy server performance model with enhanced performance model and studied additional key performance characteristics such as server utilisation, queue size and memory utilisation. Provided the comparative results between the predicted results with the experimental results conducted in a lab environment.     

基于SIP的集中式会议控制模型及实现

在前人研究的基础上提出了一种独立于应用的、适用于集中式会议的会议控制模型。模型包括会议配置、用户管理、Floor control、应用会话管理和网络管理各组件,采用了SIP协议作为会话控制协议。会议控制消息分为命令和通知两种。会议命令使用SOAP协议实现,会议消息采用了SIP事件通知机制。该会议控制模型被成功地应用于基于SIP的实时多媒体视频会议系统。实践表明,该会议控制模型是合理的、有效的。     

基于JXTA的SIP终端设计与实现

JXTA是Sun公司为构建P2P网络而制定的一个平台，与操作系统和语言无关，为P2P应用提供服务和基础。P2P网络中的对等机可直接通信，无需依赖集中式服务器或资源。将P2P技术引入到SIP中可大大降低通信成本，并将VOIP通信扩展到更低端的消费市场，比之SkyPe也更加容易与其他标准设备互通。本文介绍了一种基于JXTA平台的SIP终端设计方案，主要描述了JXTASIP的原理，以及JXTASIP终端的启动注册，发起呼叫和退出流程。     

一个NGN中骨干网的域内QoS估算和域间QoS通告模型

NGN是一个面向服务的网络, 整个网络被划分为不同的管理域（也可称之为自治系统）. 以前对网络QoS的研究的目标主要是网络内部报文流的处理及其相应的网络资源分配, 如分类/整形/调度, QoS路由选择, 带宽分配等, 但在NGN环境中, 有更多的因素需要考虑. 本文主要提出并分析了三个问题： （1）如何在网络内部计算最大的带宽瓶颈路径;（2） 如何至少在一定程度上将QoS的三个基本参数（带宽,时延,丢包率）划归为一个单一单数（带宽）, 从而简化域内QoS的估算; （3）如何进行域间的QoS协商和通告.本文分析上述问题更多的是按＂每服务＂而不是＂每流＂或＂每报文＂, 因为按＂每服务＂的QoS粒度符合下一代网络面向服务的思想; 其次,在＂域间＂这个层面上,按＂每服务＂的视角能够建立一个较宏观的QoS模型.     

无线传感器网络数据分发方案研究综述

无线传感器网络是一种新型的自组织网络，有着广泛的应用前景。本文分析了无线传感器网络的特性、结构及应用领域，给出了传感器网络数据分发的定义和依赖的一些底层路由通讯机制。对于已有的一些传感器网络数据分发算法进行了分类，并具体给出了几种重要的数据分发算法的关键思想。最后，总结了今后能量高效的数据分发算法的设计
计研究思路。     

Emerging research areas in SIP-based converged services for extended Web clients

The convergence of Next Generation Networks and Internet-based rich applications are generating relevant industrial opportunities in the market of mobility-enabled services. Even if this trend is widely recognized, there are still a few industrial-level solutions that effectively support session mobility in a transparent way and with the capability of openly integrating with existing and legacy applications. In this paper we propose a SIP-based hybrid architecture for Web session mobility that offers content sharing and session handoff between Web browsers. In addition, its technical originality includes integrating a SIP stack into a Web browser, thus offering the advantage of extending a Web browser to act as a SIP client. Lastly, a rich set of control services that prevent abuse of content sharing and session handoff are introduced into the proposed system. The implemented solution uses SIP in a standard way to migrate Web sessions between Web browsers; it is made up of a SIP integrated Web client and a converged (SIP and HTTP) Application Server that can be easily used to enable session mobility in any kind of Web-based application. In addition, the implemented system has recently evolved to a framework for developing different kinds of converged services over the Internet, analogously to what is possible with Google Wave and the existing telephony APIs. Finally, the paper reports the evaluation of the proposed framework and of the employed technologies, together with directions of future work, in terms of both extension to other application domains and exploration of research areas/models that can benefit form the adoption of SIP and Web-related solutions.     

Collaborative Detection of DDoS Attacks over Multiple Network Domains

This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic-flow level The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the floe cling damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.