
Communications English literature and translation.doc

Appendix 1. English original:

Detecting Anomaly Traffic using Flow Data in the real VoIP network

I. INTRODUCTION

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared, and their penetration ratio is gradually increasing because of the free or cheap call charges and the easy subscription method. Thus, some subscribers to the PSTN service tend to change their home telephone service to VoIP products. For example, companies in Korea such as LG Dacom, Samsung Networks, and KT have begun to deploy SIP/RTP-based VoIP services. It is reported that more than five million users have subscribed to commercial VoIP services in Korea, and 50% of all users joined in 2009 [1]. According to IDC, the number of VoIP users in the US is expected to increase to 27 million in 2009 [2]. Hence, as the VoIP service becomes popular, it is not surprising that a lot of VoIP anomaly traffic is already known [5]. Commercial services such as VoIP should therefore provide the essential security functions regarding privacy, authentication, integrity and non-repudiation to prevent malicious traffic. In practice, however, most current SIP/RTP-based VoIP services supply only a minimal security function related to authentication. Though secure transport-layer protocols such as Transport Layer Security (TLS) [6] and Secure RTP (SRTP) [7] have been standardized, they have not been fully implemented and deployed in current VoIP applications because of the implementation and performance overheads. Thus, unencrypted VoIP packets can easily be sniffed and forged, especially in wireless LANs. Even with authentication, the authentication credentials carried in the SIP header (such as the MD5 digest) can be maliciously exploited, because SIP is a text-based protocol and unencrypted SIP packets are easily decoded. Therefore, VoIP services are very vulnerable to attacks exploiting SIP and RTP. We aim at proposing a VoIP anomaly traffic detection method using the flow-based traffic measurement architecture.
We consider three representative VoIP anomalies, called the CANCEL and BYE Denial of Service (DoS) attacks and the RTP flooding attack, because we found that malicious users in a wireless LAN could easily perform these attacks in the real VoIP network. For monitoring VoIP packets, we employ the IETF IP Flow Information eXport (IPFIX) [9] standard, which is based on NetFlow v9. This traffic measurement method provides a flexible and extensible template structure for various protocols, which is useful for observing SIP/RTP flows [10]. In order to capture and export VoIP packets into IPFIX flows, we define two additional IPFIX templates for SIP and RTP flows. Furthermore, we add four IPFIX fields to observe the wireless LAN frames that are necessary to detect VoIP source spoofing attacks in WLANs.

II. RELATED WORK

[8] proposed a flooding detection method based on the Hellinger Distance (HD) concept, presenting INVITE, SYN and RTP flooding detection methods. The HD is the difference between a training data set and a testing data set. The training data set collects traffic over n sampling periods, and the testing data set collects the traffic of the period that follows the training data set, with the same duration. If the HD is close to 1, the testing data set is regarded as anomaly traffic. To use this method, they assumed that the initial training data set did not contain any anomaly traffic. Since the method is based on packet counts, it cannot easily be extended to detect anomaly traffic other than flooding. On the other hand, [11] proposed a VoIP anomaly traffic detection method using an Extended Finite State Machine (EFSM), covering INVITE flooding, BYE DoS anomaly traffic and media spamming. However, the state machine requires more memory because it has to maintain state for each flow. [13] presented NetFlow-based VoIP anomaly detection methods for INVITE, REGISTER and RTP flooding and for REGISTER/INVITE scans. However, the VoIP DoS attacks considered in this paper were not considered there.
In [14], an IDS approach to detect SIP anomalies was developed, but only simulation results were presented. For monitoring VoIP traffic, SIPFIX [10] has been proposed as an IPFIX extension. The key ideas of SIPFIX are application-layer inspection and SDP analysis for carrying media session information. Yet, that paper only presents the possibility of applying SIPFIX to DoS anomaly traffic detection and prevention. We described the preliminary idea of detecting VoIP anomaly traffic in [15]. This paper elaborates the BYE DoS anomaly traffic and RTP flooding anomaly traffic detection methods based on IPFIX. Based on [15], we have considered SIP and RTP anomaly traffic generated in a wireless LAN. In this case, it is possible to generate anomaly traffic that looks similar to normal VoIP traffic, because attackers can easily extract normal user information from unencrypted VoIP packets. In this paper, we have extended the idea with additional SIP detection methods that use information from wireless LAN frames. Furthermore, we show real experimental results from the commercial VoIP network.

III. THE VOIP ANOMALY TRAFFIC DETECTION METHOD

A. CANCEL DoS Anomaly Traffic Detection

As the SIP INVITE message is usually not encrypted, attackers can extract the fields necessary to reproduce a forged SIP CANCEL message by sniffing SIP INVITE packets, especially in wireless LANs. Thus, we cannot tell the difference between a normal SIP CANCEL message and the replicated one, because the faked CANCEL packet contains the normal fields inferred from the SIP INVITE message. The attacker performs the SIP CANCEL DoS attack in the same wireless LAN, because the purpose of the SIP CANCEL attack is to prevent normal call establishment while a victim is waiting for calls. Therefore, as soon as the attacker catches a call invitation message for a victim, it sends a SIP CANCEL message, which makes the call establishment fail.
We have generated faked SIP CANCEL messages using a sniffed SIP INVITE message. The SIP header of this CANCEL message is the same as that of a normal SIP CANCEL message, because the attacker can obtain the SIP header fields from unencrypted normal SIP messages in the wireless LAN environment. It is therefore impossible to detect the CANCEL DoS anomaly traffic using SIP headers alone, so we use the fields of the wireless LAN frame that do differ. That is, the sequence number in the frame tells the difference between the victim host and the attacker. We look at the source MAC address and the sequence number of the MAC frame carrying a SIP CANCEL message, as shown in Algorithm 1. We compare the source MAC address of SIP CANCEL packets with that of the previously saved SIP INVITE flow. If the source MAC address of a SIP CANCEL flow has changed, it is highly probable that the CANCEL packet was generated by an unknown user. However, the source MAC address can be spoofed. For source spoofing detection, we employ the method in [12], which uses the sequence numbers of frames. We calculate the gap between the n-th and (n-1)-th frames. As the sequence number field in the MAC header uses 12 bits, it ranges from 0 to 4095. When we find that the sequence number gap within a single SIP flow is greater than a threshold value N, which is set from the experiments, we decide that the SIP host address has been spoofed for the anomaly traffic.

B. BYE DoS Anomaly Traffic Detection

In commercial VoIP applications, SIP BYE messages use the same authentication field that is included in the SIP INVITE message, for security and accounting purposes. However, attackers can reproduce BYE DoS packets by sniffing normal SIP INVITE packets in wireless LANs, and the faked SIP BYE message is the same as the normal SIP BYE.
Therefore, it is difficult to detect the BYE DoS anomaly traffic using only SIP headers. By sniffing the SIP INVITE message, an attacker on the same or a different subnet can terminate a normal in-progress call, because it can succeed in generating a BYE message to the SIP proxy server. The SIP BYE attack is difficult to distinguish from the normal call termination procedure. Hence, we apply the timestamps of RTP traffic to detect the SIP BYE attack. Generally, after a normal call termination, the bi-directional RTP flow is terminated within a brief space of time. However, if the call termination procedure is anomalous, we observe that one directional RTP media flow is still ongoing, whereas the attacked directional RTP flow is broken. Therefore, in order to detect the SIP BYE attack, we watch the directional RTP flows for a time threshold of N sec after the SIP BYE message. The threshold N is also set from the experiments. Algorithm 2 explains the procedure to detect BYE DoS anomaly traffic using the captured timestamp of the RTP packet. We maintain SIP session information between clients from the INVITE and OK messages with the same Call-ID and 4-tuple (source/destination IP address and port number) as the BYE packet. We set a time threshold value by adding N sec to the timestamp value of the BYE message. The reason we use the captured timestamp is that a few RTP packets are still observed within a second after the BYE. If RTP traffic is observed after the time threshold, this is considered a BYE DoS attack, because the VoIP session would have been terminated by a normal BYE message.

C. RTP Anomaly Traffic Detection

Algorithm 3 describes an RTP flooding detection method that uses the SSRC and sequence numbers of the RTP header. During a single RTP session, the same SSRC value is typically maintained. If the SSRC changes, it is highly probable that an anomaly has occurred. In addition, if there is a big sequence number gap between RTP packets, we decide that anomaly RTP traffic has happened.
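The CANCEL and BYE checks of Sections III.A and III.B above, written out as an added example that is not the paper's implementation. The record layout (a SIP flow record carrying the 802.11 source MAC and sequence number, an RTP record keyed by its 4-tuple), the threshold values for N, the SDP media ports and the replayed trace are all assumptions standing in for the paper's IPFIX templates and experiments.

```python
"""SIP CANCEL DoS (Algorithm 1) and SIP BYE DoS (Algorithm 2) checks over exported
flow records.  Added illustration, not the paper's code: record layout, thresholds
and the sample trace are assumptions standing in for its IPFIX templates."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAC_SEQ_MOD = 4096     # 802.11 sequence number field is 12 bits (0..4095)
MAC_SEQ_GAP_N = 50     # hypothetical threshold; the paper sets N from experiments
BYE_TIMEOUT_N = 3.0    # hypothetical seconds after BYE; the paper sets N from experiments

@dataclass(frozen=True)
class SipRecord:           # SIP flow record plus the 802.11 fields the paper adds (assumed layout)
    ts: float
    method: str            # "INVITE", "OK", "CANCEL" or "BYE"
    call_id: str
    src_ip: str
    src_mac: str           # source MAC of the 802.11 frame carrying the message
    mac_seq: int           # 12-bit sequence number of that frame
    media_port: int = 0    # RTP port announced in the SDP body (INVITE/OK only)

@dataclass(frozen=True)
class RtpRecord:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def mac_seq_gap(prev: int, cur: int) -> int:
    """Forward distance between two 12-bit sequence numbers, tolerating wrap-around."""
    return (cur - prev) % MAC_SEQ_MOD

class CancelDosDetector:
    """Algorithm 1: a CANCEL is suspect if its frame's source MAC differs from the saved
    INVITE of the same Call-ID, or if the 802.11 sequence counter jumps by more than N
    (a host spoofing the victim's MAC cannot continue the victim's counter)."""

    def __init__(self, gap_threshold: int = MAC_SEQ_GAP_N) -> None:
        self.gap_threshold = gap_threshold
        self._last: Dict[str, Tuple[str, int]] = {}   # call_id -> (src_mac, mac_seq)

    def observe(self, rec: SipRecord) -> Optional[str]:
        if rec.method == "INVITE":
            self._last[rec.call_id] = (rec.src_mac, rec.mac_seq)
            return None
        if rec.method != "CANCEL" or rec.call_id not in self._last:
            return None                                # no INVITE flow to compare against
        mac, seq = self._last[rec.call_id]
        if rec.src_mac != mac:
            return f"CANCEL DoS {rec.call_id}: source MAC {rec.src_mac} differs from INVITE ({mac})"
        gap = mac_seq_gap(seq, rec.mac_seq)
        if gap > self.gap_threshold:
            return f"CANCEL DoS {rec.call_id}: 802.11 seq gap {gap} > {self.gap_threshold}, MAC spoofed"
        self._last[rec.call_id] = (mac, rec.mac_seq)   # genuine frame: advance the counter
        return None

class ByeDosDetector:
    """Algorithm 2: RTP of a call seen later than BYE timestamp + N seconds means the
    call did not really end, so the BYE was forged."""

    def __init__(self, timeout: float = BYE_TIMEOUT_N) -> None:
        self.timeout = timeout
        self._caller: Dict[str, Tuple[str, int]] = {}            # call_id -> caller media endpoint
        self._deadline: Dict[str, float] = {}                    # call_id -> BYE ts + N
        self._calls: Dict[Tuple[str, int, str, int], str] = {}   # RTP 4-tuple -> call_id

    def observe_sip(self, rec: SipRecord) -> None:
        if rec.method == "INVITE":
            self._caller[rec.call_id] = (rec.src_ip, rec.media_port)
        elif rec.method == "OK" and rec.call_id in self._caller:
            c_ip, c_port = self._caller[rec.call_id]
            # index both RTP directions of the session under its Call-ID
            self._calls[(c_ip, c_port, rec.src_ip, rec.media_port)] = rec.call_id
            self._calls[(rec.src_ip, rec.media_port, c_ip, c_port)] = rec.call_id
        elif rec.method == "BYE" and rec.call_id in self._caller:
            self._deadline[rec.call_id] = rec.ts + self.timeout

    def observe_rtp(self, pkt: RtpRecord) -> Optional[str]:
        call_id = self._calls.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if call_id is None or call_id not in self._deadline:
            return None
        late = pkt.ts - self._deadline[call_id]
        if late <= 0:
            return None                                # trailing packets inside the grace window
        return (f"BYE DoS {call_id}: RTP {pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port}"
                f" still flowing {late:.1f}s after BYE+N")

def run_sample() -> List[str]:
    """Constructed trace (not captured data): forged CANCELs from a foreign and a spoofed
    MAC, a genuine CANCEL, and a forged BYE that leaves the caller's RTP running."""
    cancel, bye = CancelDosDetector(), ByeDosDetector()
    phone_a, phone_b, attacker = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "bb:bb:bb:bb:bb:02"
    sip = [
        SipRecord(0.0, "INVITE", "c1", "10.0.0.11", phone_a, 100, 20000),
        SipRecord(0.1, "CANCEL", "c1", "10.0.0.11", attacker, 7),       # attacker's own MAC
        SipRecord(0.0, "INVITE", "c2", "10.0.0.11", phone_a, 200, 20000),
        SipRecord(0.1, "CANCEL", "c2", "10.0.0.11", phone_a, 3100),     # spoofed MAC, counter jumps
        SipRecord(0.0, "INVITE", "c3", "10.0.0.11", phone_a, 300, 20000),
        SipRecord(0.5, "CANCEL", "c3", "10.0.0.11", phone_a, 304),      # genuine: same MAC, seq +4
        SipRecord(10.0, "INVITE", "c4", "10.0.0.11", phone_a, 400, 20000),
        SipRecord(10.2, "OK", "c4", "10.0.0.12", phone_b, 900, 30000),
        SipRecord(15.0, "BYE", "c4", "10.0.0.12", attacker, 901),       # forged; SIP header looks genuine
    ]
    a_to_b = [RtpRecord(t, "10.0.0.11", 20000, "10.0.0.12", 30000) for t in (11.0, 12.0, 16.0, 17.5, 19.0)]
    b_to_a = [RtpRecord(t, "10.0.0.12", 30000, "10.0.0.11", 20000) for t in (11.0, 12.0)]  # stops after BYE
    alerts: List[str] = []
    for ev in sorted(sip + a_to_b + b_to_a, key=lambda e: e.ts):  # replay in timestamp order
        hit = cancel.observe(ev) if isinstance(ev, SipRecord) else bye.observe_rtp(ev)
        if isinstance(ev, SipRecord):
            bye.observe_sip(ev)
        if hit:
            alerts.append(hit)
    return alerts
```

Running both detectors over one timestamp-ordered stream, as run_sample does, is how a collector would consume records from the access router. The grace window N in ByeDosDetector absorbs the few RTP packets that trail a genuine BYE, and the MAC gap threshold N has to be large enough to absorb frames the monitoring card misses (which widen the gap for genuine hosts) yet small enough that a spoofed frame cannot land inside it; the paper attributes its CANCEL false negatives to this threshold.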
As inspecting the sequence number of every packet is difficult, we calculate the sequence number gap using the first, last, maximum and minimum sequence numbers. In the RTP header, the sequence number field uses 16 bits, from 0 to 65535. When we observe a wide sequence number gap in our algorithm, we consider it an RTP flooding attack.

IV. PERFORMANCE EVALUATION

A. Experiment Environment

In order to detect VoIP anomaly traffic, we established the experimental environment shown in Figure 1. In this environment, we employed two VoIP phones with wireless LAN interfaces, one attacker, a wireless access router and an IPFIX flow collector. For a realistic performance evaluation, we directly used one of the working VoIP networks deployed in Korea, where an 11-digit telephone number (070-XXXX-XXXX) has been assigned to a SIP phone. With the wireless SIP phones, we could make calls to/from the PSTN or cellular phones. In the wireless access router, we used two wireless LAN cards: one to provide the AP service, and the other to monitor packets. Moreover, in order to observe VoIP packets in the wireless access router, we modified nProbe [16], an open-source IPFIX flow generator, to create and export IPFIX flows carrying SIP, RTP and wireless LAN information. As the IPFIX collector, we modified libipfix so that it could decode IPFIX flows for the SIP, RTP and wireless LAN templates. We used MySQL for the flow DB.

B. Experimental Results

In order to evaluate our proposed algorithms, we generated 1,946 VoIP calls with two commercial SIP phones and a VoIP anomaly traffic generator. Table I shows our experimental results with precision, recall, and F-score, which is the harmonic mean of precision and recall. In CANCEL DoS anomaly traffic detection, our algorithm produced a few false negative cases, which were related to the gap threshold of the sequence number in the MAC header.
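The RTP flooding check of Section III.C above, as an added example rather than the paper's code. It works from the per-flow summary fields the text names (SSRC, first, last, minimum and maximum sequence number) plus a packet count, which is an assumption about what the exporter carries; the gap threshold, the wrap-around heuristic in seq_gap and the sample flows are likewise assumptions. The constructed flows include the case the paper reports as missed, where injected packets reuse sequence numbers inside the normal range.

```python
"""RTP flooding check of Algorithm 3, computed from per-flow summary fields
(SSRC set, first/last/min/max sequence number, packet count) rather than from
every packet.  Added illustration, not the paper's code: the summary layout,
the threshold and the sample flows are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

RTP_SEQ_MOD = 1 << 16   # RTP sequence number is 16 bits (0..65535)
RTP_GAP_N = 200         # hypothetical gap threshold; the paper sets it from experiments

FlowKey = Tuple[str, int, str, int]   # src_ip, src_port, dst_ip, dst_port

@dataclass
class RtpFlowSummary:
    """Fields an exporter can keep per flow without storing every sequence number
    (assumed layout, not the paper's IPFIX template)."""
    key: FlowKey
    ssrcs: Set[int]
    first_seq: int
    last_seq: int
    min_seq: int
    max_seq: int
    packets: int

def summarize(key: FlowKey, packets: Iterable[Tuple[int, int]]) -> RtpFlowSummary:
    """Fold (ssrc, seq) pairs in arrival order into the summary fields."""
    it = iter(packets)
    ssrc, seq = next(it)
    s = RtpFlowSummary(key, {ssrc}, seq, seq, seq, seq, 1)
    for ssrc, seq in it:
        s.ssrcs.add(ssrc)
        s.last_seq = seq
        s.min_seq = min(s.min_seq, seq)
        s.max_seq = max(s.max_seq, seq)
        s.packets += 1
    return s

def seq_gap(s: RtpFlowSummary) -> int:
    """Sequence-number span of the flow beyond what its packet count explains.
    A sane sender advances by one per packet, so a normal flow gives about 0
    (plus lost packets); injected packets with unrelated numbers widen it."""
    if s.first_seq <= s.last_seq:
        span = s.max_seq - s.min_seq
    else:
        # first > last only happens when the 16-bit counter wrapped during the
        # flow, so measure first->last modulo 2^16 instead of max-min (heuristic)
        span = (s.last_seq - s.first_seq) % RTP_SEQ_MOD
    return span - (s.packets - 1)

def classify(s: RtpFlowSummary, gap_threshold: int = RTP_GAP_N) -> Optional[str]:
    """Algorithm 3: an SSRC change or a wide sequence gap marks the flow as flooding."""
    if len(s.ssrcs) > 1:
        return f"RTP flooding {s.key}: SSRC changed within one session {sorted(s.ssrcs)}"
    gap = seq_gap(s)
    if gap > gap_threshold:
        return f"RTP flooding {s.key}: sequence gap {gap} > {gap_threshold}"
    return None

def run_sample() -> Dict[str, Optional[str]]:
    """Constructed flows (not captured data): a normal flow, a normal flow that
    wraps 65535 -> 0, and three flows with ten injected packets in the middle."""
    key: FlowKey = ("10.0.0.11", 20000, "10.0.0.12", 30000)
    normal = [(0x1234, seq) for seq in range(1000, 1250)]
    wrapped = [(0x1234, seq % RTP_SEQ_MOD) for seq in range(65400, 65636)]  # 65400..65535, 0..99
    far = [(0x1234, 40000 + i) for i in range(10)]       # same SSRC, numbers far outside the range
    foreign = [(0x9999, 40000 + i) for i in range(10)]   # attacker's own SSRC
    overlap = [(0x1234, 1100 + i) for i in range(10)]    # same SSRC, numbers inside the normal range
    flows = {
        "normal": normal,
        "wrapped": wrapped,
        "flood_far": normal[:125] + far + normal[125:],
        "flood_ssrc": normal[:125] + foreign + normal[125:],
        "flood_overlap": normal[:125] + overlap + normal[125:],  # the paper's missed case
    }
    return {name: classify(summarize(key, pkts)) for name, pkts in flows.items()}
```

Subtracting the packet count from the span is what lets a threshold separate a 250-packet flow covering 250 numbers from one covering 39,000; packet loss still inflates the gap, so the threshold has to sit above the loss a wireless link normally shows. The flood_overlap flow returns None: ten injected packets whose numbers fall inside the genuine range change neither the SSRC set nor the min/max, which is exactly the limitation the paper reports for its RTP experiment.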
The average F-score for detecting the SIP CANCEL anomaly is %. For the BYE anomaly tests, we generated 755 BYE messages, including 118 BYE DoS anomalies, in the experiment. The proposed BYE DoS anomaly traffic detection algorithm found 112 anomalies, with an F-score of %. If an RTP flow is terminated before the threshold, we regard the anomalous flow as a normal one. In this algorithm, we extract the RTP session information from the INVITE and OK or session description messages with the same Call-ID as the BYE message. It is possible not to capture those packets, resulting in a few false-negative cases. The RTP flooding anomaly traffic detection experiment on 810 RTP sessions resulted in an F-score of 98%. The missed (false-negative) cases were related to the sequence number in the RTP header: if the sequence numbers of the anomaly traffic overlap with the range of the normal traffic, our algorithm considers it normal traffic.

V. CONCLUSIONS

We have proposed a flow-based anomaly traffic detection method against SIP- and RTP-based anomaly traffic. We presented VoIP anomaly traffic detection methods that use flow data on the wireless access router. We used the IETF IPFIX standard to monitor SIP/RTP flows passing through wireless access routers, because its template architecture is easily extensible to several protocols. For this purpose, we defined two new IPFIX templates for SIP and RTP traffic and four new IPFIX fields for wireless LAN traffic. Using these IPFIX flow templates, we proposed CANCEL/BYE DoS and RTP flooding traffic detection algorithms. From experimental results on a working VoIP network in Korea, we showed that our method is able to detect three representative VoIP attacks on SIP phones. In the CANCEL/BYE DoS anomaly traffic detection methods, we employed threshold values on time and on sequence number gaps to classify VoIP packets as normal or abnormal. This paper has not presented test results about suitable threshold values.
For future work, we will show experimental results on the evaluation of the threshold values for our detection method.

Part 2. Translation (of the English original):

Detecting anomaly traffic using flow data in the real VoIP network

I. Introduction

Recently, many SIP [3]/RTP [4]-based VoIP applications and services have appeared, and their penetration ratio is gradually increasing because of the free or cheap call charges and the easy subscription method.
