1. Technical Field
The present disclosure relates to a method of detecting anomaly traffic for Voice over Internet Protocol (VoIP) applications using Session Initiation Protocol (SIP)/Real-time Transport Protocol (RTP) through traffic monitoring over a network.
2. Background Art
The term VoIP refers to a collection of transmission technologies for delivering voice traffic between users over IP-based networks using Internet Protocols (IPs), thereby enabling Internet telephony services. That is, VoIP enables transmission of voice data in digital form over the Internet. The VoIP technique, which has drawn attention since Internet phones were commercialized in 1995, is now in wide use: an increasing number of international telecommunications service operators use it to reduce call charges, and an increasing number of people use Internet phones based on it.
Since the VoIP service is a media service performed through the call connection between two parties, a protocol for establishing the call connection is needed. Also, the VoIP service must be operated cooperatively in an IP-based network, a Public Switched Telephone Network (PSTN), or a combined network thereof, and thus standardization of the technology and the protocol is very important.
Examples of the standard connection protocol include H.323, developed by the International Telecommunication Union (ITU-T), and the Session Initiation Protocol (SIP), developed by the Internet Engineering Task Force (IETF). Since its adoption as a de jure standard of the IETF in 1999, the SIP has been widely used as a protocol for delivering signaling messages to connect VoIP phones between users, and it is regarded as a next-generation VoIP signaling protocol. In addition, the SIP has the advantages that its process of establishing the call connection between users is simpler than that of H.323, and that it can be easily applied to the Internet environment because the header information of a packet is composed of plain text, as in HTTP. Moreover, the SIP has a reduced connection load.
The Real-time Transport Protocol (RTP) is an application layer protocol that can transport packetized audio and video streaming traffic over a network. That is, the SIP serves to establish and release the call connection between users, whereas the RTP serves to transmit multimedia data such as audio, video and the like. The RTP runs over a transport protocol called the “User Datagram Protocol (UDP)”, which delivers data without guaranteeing reliability, and provides in the RTP header the timestamp needed for real-time applications, together with a media synchronization function.
As such, since the VoIP service is carried out jointly by the SIP and the RTP, VoIP traffic refers to traffic that includes SIP messages and RTP traffic. Accordingly, VoIP anomaly traffic can be divided into SIP-based anomaly traffic and RTP-based anomaly traffic. SIP-based anomaly traffic is anomaly traffic related to the call connection. Examples include CANCEL Denial of Service (DoS) anomaly traffic, in which the call connection is forcibly cancelled when a user makes a phone call, and BYE DoS anomaly traffic, in which the call of one or both users is forcibly terminated during a phone call between the two users. The problem with such SIP-based anomaly traffic is that a single packet can deactivate the VoIP service between users. RTP-based anomaly traffic, on the other hand, is anomaly traffic based on RTP flooding attacks, in which the call connection is established normally but the actual phone call is impaired. In RTP-based anomaly traffic, ineffective RTP packets are sent in large quantities, so that voice call quality is lowered or an abnormal sound is reproduced due to the insertion of arbitrary data. In addition, since current VoIP services are supported even in a wireless Internet environment, a malicious attacker can generate the anomaly traffic by sniffing normal VoIP traffic in a wireless network.
Conventional traffic detection methods in current use provide only anomaly traffic detection functions for a general network, such as detection of DoS worm, virus and the like, and are not suited to anomaly traffic detection intended for the VoIP service.
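To make the RTP flooding case concrete from the monitoring side, the following added example (not part of the disclosure, and not the method it claims) parses the fixed RTP header and reports media flows whose per-second packet count exceeds what a voice call would produce. The flow labels, the 50 packets-per-second baseline (one packet per 20 ms), the alert factor and the sample packets are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

EXPECTED_PPS = 50   # assumption: one voice packet every 20 ms
ALERT_FACTOR = 2    # assumption: alert above twice the expected rate

def parse_rtp(payload):
    """Parse the 12-byte fixed RTP header; return None if it is not RTP version 2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

def find_flooded_flows(packets):
    """packets: iterable of (arrival_seconds, flow_id, udp_payload).
    Returns {flow_id: (peak_packets_per_second, invalid_rtp_count)} for flows
    whose peak rate exceeds EXPECTED_PPS * ALERT_FACTOR."""
    per_second = defaultdict(int)   # (flow, one-second bucket) -> datagram count
    invalid = defaultdict(int)      # flow -> datagrams that are not valid RTP
    for t, flow, payload in packets:
        per_second[(flow, int(t))] += 1
        if parse_rtp(payload) is None:
            invalid[flow] += 1
    peak = defaultdict(int)
    for (flow, _bucket), count in per_second.items():
        peak[flow] = max(peak[flow], count)
    limit = EXPECTED_PPS * ALERT_FACTOR
    return {f: (n, invalid[f]) for f, n in peak.items() if n > limit}

def make_rtp(seq, ts, ssrc, version=2, pt=0):
    """Build a constructed RTP packet: fixed header plus 160 bytes of dummy audio."""
    header = struct.pack("!BBHII", version << 6, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)
    return header + b"\x00" * 160

def sample_packets():
    """Constructed capture: flow-A is a normal call, flow-B receives a flood."""
    pkts = [(i * 0.02, "flow-A", make_rtp(i, i * 160, 0x1111)) for i in range(50)]
    for i in range(500):
        version = 0 if i % 5 == 0 else 2   # every fifth flood packet is malformed
        pkts.append((i * 0.002, "flow-B", make_rtp(i, i * 160, 0x2222, version)))
    return pkts

if __name__ == "__main__":
    print(find_flooded_flows(sample_packets()))
```
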
Therefore, there is a need for a method of detecting such anomaly traffic in a cost-effective way.
The above information disclosed in this Background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.