Title

Collaborative Forensics for Voice over IP Services

Parallel title

Collaborative Forensics for Voice over IP Services

DOI

10.6342/NTU.2012.01623

Author

徐賢明

Keywords

Voice over IP ; Collaborative forensics ; Security ; Protocol design ; Attacking source IP identification ; VoIP ; Collaborative forensics ; Security ; Collaborative Forensics Protocol Design ; Attacking source IP identification

Series

Dissertations of the Department of Information Management, National Taiwan University

Volume/Issue (publication date)

2012

Degree

Doctoral

Advisor

孫雅麗

Language

English

Chinese abstract (translated)

With the spread of the Internet, Voice over IP (VoIP), which is technically simple and cheap to deploy, has become widely popular. Unfortunately, the characteristics of VoIP appeal not only to legitimate users but also to criminals, who use it as a communication tool for illegal activities (such as fraud and extortion) while evading interception by law enforcement agencies (LEAs). How LEAs can perform forensics on VoIP services (including identifying the IP address used by the caller) has therefore become an important issue.

In this dissertation we propose a collaborative forensics mechanism (CFM) for VoIP services. The mechanism cooperates with network operators and service providers and can perform forensics on SIP-based VoIP calls (including attacking source IP identification) without the assistance of the routers along the trace-back path. For the typical attacks on SIP-based VoIP services, we also discuss the fields of the query message that can be forged. By monitoring these forgeable fields, collaborative forensics can be started proactively (active forensics), which lowers the probability that the stored VoIP records are deleted, because their retention period has expired, before collaborative forensics is initiated, and thus improves the success rate of LEA forensics on crimes committed over VoIP services.

In recent research on collaborative network forensics, most authors have only proposed frameworks for forensic work without also designing a common collaborative forensics protocol (CFP) for those frameworks, so the proposed frameworks cannot be widely deployed on the Internet. In view of this, this dissertation designs, on the basis of the proposed collaborative forensics framework and procedure, a dedicated application-layer collaborative forensics protocol that lets forensics centers in different regions exchange collaborative forensics query messages and response messages. The dissertation also discusses how the collaborative forensics mechanism is built on a public key infrastructure to defend against different kinds of attacks on the network. We further build a prototype of the mechanism to validate the collaborative forensics procedure and demonstrate forensic analysis with four examples. Finally, we evaluate the performance (time and memory) of the collaborative forensics procedure and analyze the characteristics of the designed collaborative forensics protocol (CFP).

English abstract

The simplicity and low cost of Voice over Internet Protocol (VoIP) services have made these services increasingly popular as the Internet has grown. Unfortunately, the advantages of VoIP are attractive to both legitimate and nefarious users, and VoIP is often used by criminals to communicate and conduct illegal activities (such as fraud or blackmail) without being intercepted by Law Enforcement Agencies (LEAs). Therefore, how to perform forensics (including attacking source IP identification) for VoIP services is one of the most important issues for LEAs. In this doctoral dissertation, we propose a collaborative forensics mechanism (CFM) that cooperates with the related network operators (NWO) and service providers (SvP) to perform forensics for VoIP calls without depending on the routers along the full trace path. We discuss the various kinds of attacks on VoIP services and the characteristics of VoIP service requests as they pertain to those attacks. We propose a procedure for identifying forged header field values (HFVs) in SIP requests, and introduce the concept of active forensics, which can reduce the probability that important information has been deleted by the time collaborative forensics is initiated and can thus assist law enforcement agencies in intercepting criminals. Currently, VoIP researchers have only proposed a framework for this type of partnership and have yet to provide a common protocol for forensic collaboration over the Internet. As a result, Internet-based collaboration between agencies is not widespread. Building on the collaborative forensics mechanism and the procedures of collaborative forensics work, this dissertation designs a novel application-layer collaborative forensics protocol (CFP) to exchange collaborative request and response messages between collaborative forensics region centers, in order to acquire collaborative forensics information. We present a procedure for collaborative forensics and discuss the details of the protocol design. In addition, we discuss how a public-key infrastructure (PKI) working with the CFM defends against various types of attacks; we set up a prototype of the collaborative forensics mechanism to validate the collaborative forensics procedure and demonstrate forensic analyses for four scenarios. Lastly, we evaluate the time and memory consumption of a collaborative forensics procedure and analyze the features of the CFP.

Subject classification

Basic and Applied Sciences > Information Science
College of Management > Department of Information Management
Social Sciences > Management