1. Field of the Invention
The present invention relates to a method for protecting SIP (Session Initiation Protocol)-based applications wherein SIP messages are analyzed and malicious SIP messages that potentially constitute a security risk for the SIP-based application are identified.
2. Description of the Related Art
The Session Initiation Protocol (SIP) is a standardized network protocol for establishing a session between two or more participants. SIP is supported by devices from many manufacturers and has developed into a widely used protocol for Voice over IP (VoIP) over recent years. The application of SIP is not restricted to Internet telephony; communication sessions can be established for a multitude of different data streams. SIP serves only the establishment of a communication session, whereas the exchange of the actual communication data is performed over other protocols, such as the Session Description Protocol (SDP) and the Real-time Transport Protocol (RTP).
Whereas SIP is advantageous in terms of easy implementability, scalability, extensibility and flexibility, it is rather poor regarding application security and identity management. The security risk consists in the possibility that malicious users retrieve unsecured information in order to launch security attacks on the SIP-based system. Currently, there are efforts at the IETF to standardize a complete set of security protocols and applications in order to add security-relevant features to SIP-based applications. But even if these efforts succeed, such standards will not result in 100% security that cannot be broken by a malicious user with appropriate knowledge.
Regarding secure identity management, there will certainly always be some SIP service providers willing to disclose SIP identities, even once such standards are available. With such insufficient identity management there is the security threat that malicious users collect a multitude of SIP identities in order to launch security attacks against SIP-based systems on that basis.
In the following, two different kinds of security attacks of essential importance are looked at in detail. The first are attacks that aim at disturbing or interrupting services and are known as DoS (Denial of Service) attacks. The others are social attacks that are known in the context of Internet telephony as SPIT (Spam over Internet Telephony). The threat of SPIT is comparable to the threat known from spam in e-mail traffic; the only difference is that the unwanted messages are distributed in the form of phone calls. In practice this can mean that one person receives hundreds of phone calls that contain only advertising messages, or that the phone rings all the time. Against the background of the rapid development and spread of Internet telephony it has to be feared that DoS attacks and SPIT will also become dominant in the telephony world.
Technologies to prevent DoS attacks that are available nowadays are mainly based on a strict syntax analysis (parsing) of the SIP protocol of dialogues and transactions in order to find inconsistencies in the protocol that may result in an interruption of services. Those messages in which a deviation from the SIP syntax is detected are discarded.
Other methods to protect SIP-based applications against DoS attacks take advantage of the fact that a system overload can result in an interruption of service, and therefore aim at limiting the SIP traffic to a maximum allowed rate of SIP messages in order to prevent an overload of the SIP system.
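The two prior-art DoS defences just described (strict syntax checking with discard on deviation, and a per-source rate limit) combined in a small filter. This is an added illustration, not code from the patent; the request-line grammar and the mandatory-header set are a deliberate simplification of RFC 3261, the sample INVITE is constructed, and the token-bucket parameters are arbitrary.

```python
import re
from collections import defaultdict

# Simplified RFC 3261 request line and mandatory headers (illustration, not a full grammar).
REQUEST_LINE = re.compile(r"^(INVITE|ACK|BYE|CANCEL|REGISTER|OPTIONS) (\S+) SIP/2\.0$")
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}

# Constructed sample INVITE (not taken from the page); addresses are documentation ranges.
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK1\r\n"
        "From: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\n"
        "Call-ID: c1@192.0.2.1\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\n\r\n")
def parse_sip_request(raw):
    """Return (method, headers); raise ValueError on any deviation from the syntax."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    missing = REQUIRED - headers.keys()
    if missing:
        raise ValueError("missing headers: " + ", ".join(sorted(missing)))
    return m.group(1), headers

class RateLimiter:
    """Token bucket per source: sustained `rate` msg/s with burst `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = defaultdict(lambda: [float(burst), None])  # [tokens, last seen]
    def allow(self, source, now):
        tokens, last = self.buckets[source]
        if last is not None:
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[source] = [tokens - 1.0 if ok else tokens, now]
        return ok

def filter_message(raw, source, limiter, now):
    """Combine both defences: drop on rate excess first, then on syntax deviation."""
    if not limiter.allow(source, now):
        return "discard: rate limit"
    try:
        parse_sip_request(raw)
    except ValueError as e:
        return "discard: " + str(e)
    return "accept"
```

The rate check runs before parsing so that a flood is rejected without spending parser time on each message; `now` is passed explicitly to keep the behaviour deterministic.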
Technologies to prevent SPIT attacks available nowadays are mainly based on whitelisting and blacklisting and on content filtering. The content filtering of a voice call is performed by some kind of Turing test which aims at finding out whether the caller is a human being or a machine. Other recently proposed methods also consider social networks between users, as well as friendship relationships derived from buddy lists.
Regarding the identity management mentioned above, the known methods also have some disadvantages. For example, e-mail systems try to identify the sender by the originating IP address of the sender in the header of the e-mail message. Based on this information, the e-mail systems perform DNS checks. The problem is that malicious senders do not insert their real IP address or domain name, so the known systems do not match correctly. In any case, such analyses are not applicable to real-time communications as addressed here, because they run on different time scales. For example, e-mail applications are not real-time applications, whereas VoIP, as a real-time application, cannot wait until a DNS name has been checked. In addition, the traffic characteristics are completely different, because the simultaneous sending of a multitude of e-mail messages cannot be regarded as a malicious action but is common usage. In contrast, this traffic characteristic would most probably have to be regarded as malicious in the case of a SIP-based application. Consequently, the methods for security and identity management known from the e-mail world cannot be transferred to SIP-based applications.