Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/65965

Full metadata record

DC field: value (language)
dc.contributor.advisor: 孫雅麗 (Yeali Sun)
dc.contributor.author: Hsien-Ming Hsu (en)
dc.contributor.author: 徐賢明 (zh_TW)
dc.date.accessioned: 2021-06-17T00:16:55Z
dc.date.available: 2022-06-30
dc.date.copyright: 2012-07-16
dc.date.issued: 2012
dc.date.submitted: 2012-07-02
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/65965
dc.description.abstract (zh_TW): With the spread of the Internet, Voice over IP (VoIP), which is technically simple and cheap to deploy, has also become widely popular. Unfortunately, the characteristics of VoIP appeal not only to legitimate users but also to criminals, who use it as a communication tool for illegal activities (such as fraud and blackmail) while evading interception by law enforcement agencies (LEAs). How LEAs can perform forensics on VoIP services (including identifying the IP address used by the caller) has therefore become an important issue.
In this dissertation we develop a collaborative forensics mechanism (CFM) for VoIP services. The mechanism cooperates with network operators and service providers and can perform forensics on SIP-based VoIP calls (including attacking source IP identification) without assistance from the routers along the traceback path. For the typical attacks on SIP-based VoIP services, we also discuss which fields of the query message can be forged; by observing these forgeable fields, collaborative forensics can be initiated proactively (active forensics), which reduces the probability that the stored VoIP information is deleted because its retention period expires before collaborative forensics is started, and thus improves the success rate of LEAs' forensic investigations of crimes committed over VoIP services.
In recent research on collaborative network forensics, most researchers have only developed architectures for forensic work without also designing a common collaborative forensics protocol (CFP) for those architectures, so the proposed architectures cannot be widely deployed on the Internet. In view of this, in this dissertation we design, on the basis of the proposed collaborative forensics architecture and procedure, a dedicated application-layer collaborative forensics protocol that lets collaborative forensics centers in different regions exchange collaborative forensics query messages and response messages. We also discuss how the collaborative forensics mechanism cooperates with a public-key infrastructure to defend against different types of attacks on the network. Further, we build a prototype of the collaborative forensics mechanism to validate the collaborative forensics procedure and demonstrate forensic analysis with four examples. Finally, we evaluate the performance (time and memory) of the collaborative forensics procedure and analyze the characteristics of the designed collaborative forensics protocol (CFP).
dc.description.abstract (en): The simplicity and low cost of Voice over Internet Protocol (VoIP) services have made these services increasingly popular as the Internet has grown. Unfortunately, the advantages of VoIP are attractive to both legitimate and nefarious users, and VoIP is often used by criminals to communicate and conduct illegal activities (such as fraud or blackmail) without being intercepted by Law Enforcement Agencies (LEAs). Therefore, how to perform forensics (including attacking source IP identification) for VoIP services is one of the most important issues for LEAs.
In this doctoral dissertation, we propose a collaborative forensics mechanism (CFM) that cooperates with related network operators (NWO) and service providers (SvP) in forensics for VoIP calls without depending on routers throughout the full trace path. We discuss the various kinds of attacks on VoIP services and the characteristics of VoIP service requests as they pertain to those attacks. We propose a procedure for identifying forged header field values (HFVs) in SIP requests, and introduce the concept of active forensics, which could reduce the probability of important information having been deleted by the time collaborative forensics is initiated and could thus assist law enforcement agencies in intercepting criminals.
Currently, VoIP researchers have only proposed a framework for this type of partnership and have yet to provide a common protocol for forensic Internet collaboration. As a result, Internet-based collaboration between agencies is not widespread. Building on the collaborative forensics mechanism and the procedures of collaborative forensics work, this dissertation designs a novel application-layer collaborative forensics protocol (CFP) to exchange collaborative request and response messages between collaborative forensics region centers, in order to acquire collaborative forensics information. We present a procedure for collaborative forensics and discuss the details of the protocol design. In addition, we discuss how a public-key infrastructure (PKI) working with the CFM defends against various types of attacks; we set up a prototype of the collaborative forensics mechanism to validate the collaborative forensics procedure and demonstrate forensic analyses for four scenarios. Lastly, we evaluate the time consumption and memory of a collaborative forensics procedure and analyze the features of the CFP.
dc.description.provenance (en): Made available in DSpace on 2021-06-17T00:16:55Z (GMT). No. of bitstreams: 1. ntu-101-D94725002-1.pdf: 13034726 bytes, checksum: e3234a1838ed573b6b137f52f3ef7f43 (MD5). Previous issue date: 2012.
dc.description.tableofcontents:
Table of Contents
Oral Examination Committee Approval Form
Acknowledgements
Chinese Abstract
Abstract
Table of Contents
List of Figures
List of Tables
Glossary of Abbreviations and Acronyms
Glossary of Notations
Chapter 1 Introduction
1.1 Background and Motivation
1.2 Problem Definition and Objectives
1.3 Contributions
1.4 Dissertation Structure
Chapter 2 Related Work
2.1 Network Forensics Mechanisms
2.2 Traceback Mechanisms
Chapter 3 SIP Background, Signaling Attacks and the Characteristics of Various Requests
3.1 SIP-based Signaling
3.2 Weaknesses of SIP Services
3.3 The Typical SIP-based Signaling Attacks
3.4 The Required Information That NWO/SvP Collaboratively Logs
3.5 The Characteristics of Various Requests on SIP-based VoIP Services
3.6 Identifying the Forged Header Field Values
Chapter 4 Collaborative Forensics
4.1 The Collaborative Forensics Mechanism (CFM)
4.2 The Collaborative Forensics Work
4.3 Caller's and Callee's Locations in a Single or Multiple AS Network
4.4 A Scenario with Collaborative Forensics
4.5 Forensics Investigation for Distributed Denial of Service and Mobile Phones
Chapter 5 Protocol Design and Procedure of Generating Collaborative Forensics Messages
5.1 Protocol Design for VoIP SIP-based Collaborative Forensics
5.2 The PKI for Digital Signature and Cryptography Services
5.3 Collaborative Forensics Procedure
5.4 A Scenario with Collaborative Forensics Protocol
Chapter 6 Evaluation and Discussion
6.1 Prototype and Forensics Analyses
6.2 Performance Analyses
6.3 Discussion
Chapter 7 Conclusions and Future Work
References

List of Figures
Figure 3.1 The SIP-based IP telephony.
Figure 3.2 SIP signaling flow.
Figure 3.3 The characteristics of requests on SIP-based VoIP services.
Figure 3.4 Identifying forged field values on the characteristics of REGISTER requests.
Figure 3.5 Identifying forged field values on the characteristics of INVITE/OK/BYE requests.
Figure 3.6 Identifying forged field values on the characteristics of CANCEL/BYE requests.
Figure 3.7 The algorithm for merging data and identifying the forged header field values.
Figure 4.1 The architecture and work procedure of SKYEYE.
Figure 4.2 The collaborative forensics mechanism (CFM): the primary CFRC (pCFRC), located near the caller, needs to communicate with the secondary CFRC (sCFRC) and request the LEv from the callee's AS to perform VoIP attacking source IP identification.
Figure 4.3 Procedure for collaborative forensics with cooperating units and other collaborative forensics region centers.
Figure 4.4 The necessary information recorded by the components of SIP-based telephony to perform collaborative forensics within single and multiple operators.
Figure 4.5 The caller and attacker are located at the same service provider (SvP) in the BYE session teardown attack scenario.
Figure 4.6 The signaling flow for the BYE session teardown attack.
Figure 4.7 An example of interpretation for fraud local events: A (attacker) attacks V (victim) using the forged account and public IP/port of B.
Figure 5.1 The CFP data formed as SEAL protocol.
Figure 5.2 Collaborative forensics protocol (CFP): header and data values.
Figure 6.1 Prototype of the collaborative forensics mechanism (CFM) working with the collaborative forensics protocol (CFP).
Figure 6.2 GUIs of LEA and SKYEYE.
Figure 6.3 Required information of the SIP proxy, SIP registrar and NAT/DHCP router, keyed in by hand according to the scenarios.
Figure 6.4 The forensics analysis for a normal SIP-based call.
Figure 6.5 The forensics analysis for the fraud and blackmail attack.
Figure 6.6 The forensics analysis for the de-register attack.
Figure 6.7 The forensics analysis for the BYE session teardown attack.
Figure 6.8 The time consumption for collaborative forensics.

List of Tables
Table 3.1 The typical SIP-based signaling attacks.
Table 3.2 The information recorded by the SIP registrar server.
Table 3.3 The information recorded by the NWO (NAT/DHCP).
Table 3.4 The information recorded by the SIP proxy server.
Table 3.5 Identifying forged header field values using the required information.
Table 5.1 The fields and values description within the collaborative forensics protocol header.
dc.language.iso: en
dc.subject: 攻擊源網址識別 (Attacking source IP identification) (zh_TW)
dc.subject: 協定設計 (Protocol design) (zh_TW)
dc.subject: 安全 (Security) (zh_TW)
dc.subject: 協同鑑識 (Collaborative forensics) (zh_TW)
dc.subject: 網路電話 (VoIP) (zh_TW)
dc.subject: VoIP (en)
dc.subject: Collaborative forensics (en)
dc.subject: Security (en)
dc.subject: Collaborative Forensics Protocol Design (en)
dc.subject: Attacking source IP identification (en)
dc.title: 網路電話服務之協同鑑識 (Collaborative Forensics for VoIP Services) (zh_TW)
dc.title: Collaborative Forensics for Voice over IP Services (en)
dc.type: Thesis
dc.date.schoolyear: 100-2
dc.description.degree: Doctoral (博士)
dc.contributor.oralexamcommittee: 陳孟彰 (Meng Chang Chen), 廖有祿 (Yeou-Luh Liaw), 林盈? (Ying-Dar Lin), 陳建錦 (Chien Chin Chen)
dc.subject.keyword: 網路電話, 協同鑑識, 安全, 協定設計, 攻擊源網址識別 (VoIP, collaborative forensics, security, protocol design, attacking source IP identification) (zh_TW)
dc.subject.keyword: VoIP, Collaborative forensics, Security, Collaborative Forensics Protocol Design, Attacking source IP identification (en)
dc.relation.page: 101
dc.rights.note: Licensed for a fee (有償授權)
dc.date.accepted: 2012-07-02
dc.contributor.author-college: 管理學院 (College of Management) (zh_TW)
dc.contributor.author-dept: 資訊管理學研究所 (Graduate Institute of Information Management) (zh_TW)
Appears in collections: Department of Information Management

Files in this item:
ntu-101-1.pdf, 12.73 MB, Adobe PDF (not authorized for public access)