439 research outputs found

    Preventing Distributed Denial-of-Service Attacks on the IMS Emergency Services Support through Adaptive Firewall Pinholing

    Emergency services are vital services that Next Generation Networks (NGNs) have to provide. As the IP Multimedia Subsystem (IMS) is at the heart of NGNs, 3GPP has carried the burden of specifying a standardized IMS-based emergency services framework. Unfortunately, like any other IP-based standard, the IMS-based emergency service framework is prone to Distributed Denial of Service (DDoS) attacks. In this work we propose a simple but efficient solution that can prevent certain types of such attacks by creating firewall pinholes that regular clients will surely be able to pass, in contrast to the attackers' clients. Our solution was implemented and tested in an appropriate testbed, and its efficiency was proven.
    Comment: 17 Pages, IJNGN Journa

    Resource optimisation for broadcast in next generation networks

    Doctorate in Electrotechnics. This thesis addresses the problem of optimizing network resource usage for the delivery of Group Services in Next Generation Networks featuring broadcast technologies. In this scope, proposals are made according to the expected evolution of 3G networks into Next Generation Heterogeneous Networks that include broadcast technologies such as DVB. Group Communication resource optimization is considered a vertical challenge that must cross several layers. The optimizations proposed here cover both Application to Service Platform interfaces for group communication services, and Core Network to Radio Access Network interface abstractions and mappings. The proposed optimizations are also presented taking into consideration the network evolution path towards an All-IP based Next Generation Network. First, the Application to Service Platform optimization is addressed, which can already be deployed over 3G networks. This optimization could foster the development of new and innovative applications that, through the use of broadcast/multicast service delivery mechanisms, make more efficient use of network resources. Next, proposals are made on the Core Network to Radio Access Network interfaces that address the heterogeneity of future networks and consider the need to support broadcast networks. The possibility of increasing the Quality of Service of broadcast/multicast services based on the dynamic mapping of IP multicast into unicast radio bearers is also considered. In order to validate these optimizations, several prototypes were built based on an advanced access router for next generation networks. The functionalities and software architecture of this access router are also presented here.

    Automated Anomaly Detection in Virtualized Services Using Deep Packet Inspection

    Virtualization technologies have proven to be important drivers for the fast and cost-efficient development and deployment of services. While the benefits are tremendous, there are many challenges to be faced when developing or porting services to virtualized infrastructure. Especially critical applications like Virtualized Network Functions must meet high requirements in terms of reliability and resilience. An important tool for meeting such requirements is detecting anomalous system components and resolving the anomaly before it turns into a fault and subsequently into a failure visible to the client. Anomaly detection for virtualized services relies on collecting system metrics that represent the normal operation state of every component and allow machine learning algorithms to automatically build models representing that state. This paper presents an approach for collecting service-layer metrics while treating services as black boxes. This allows service providers to implement anomaly detection on the application layer without the need to modify third-party software. Deep Packet Inspection is used to analyse the traffic of virtual machines on the hypervisor layer, producing both generic and protocol-specific communication metrics. An evaluation shows that the resulting metrics represent the normal operation state of an example Virtualized Network Function and are therefore a valuable contribution to automatic anomaly detection in virtualized services.

    Secure Service Provisioning (SSP) Framework for IP Multimedia Subsystem (IMS)

    With the emergence of mobile multimedia services, such as unified messaging, click to dial, cross-network multiparty conferencing and seamless multimedia streaming services, fixed–mobile convergence and voice–data integration have started, leading to an overall Internet–Telecommunications merger. The IP Multimedia Subsystem (IMS) is considered the next generation service delivery platform in the converged communication world. It consists of a modular design with open interfaces and provides the flexibility for delivering multimedia services over IP technology. In parallel, this open emerging technology faces security challenges from multiple communication platforms and protocols such as IP, the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) Framework is to investigate the potential attacks and security threats to the IP Multimedia Subsystem (IMS) and to explore the security solutions developed by IETF, 3GPP and TISPAN. This research work incorporates these solutions into the SSP Framework to secure IMS and the next generation Service Delivery Platform (SDP). We define this part as level 1 security protection, which includes user and network authentication, authorization to access multimedia services, and confidentiality and integrity protection against eavesdropping, session hijacking and man-in-the-middle attacks. In the next step, we investigated the limitations of and improvements to level 1 security and proposed an enhancement and extension, level 2 security, by developing an Intrusion Detection and Prevention (IDP) system against Denial-of-Service (DoS)/Distributed DoS (DDoS) flooding attacks, misuses and frauds in IMS-based networks. These security threats have recently been identified by 3GPP and TISPAN, but no solution has been recommended or developed; our solution may therefore be considered as a recommendation in the future. Our approach is based on developing both a stateless and a stateful intrusion detection and prevention system. From a development point of view, we have divided the work into two modules. The first module is IDP-Core, which addresses and mitigates flooding attacks in the IMS core. Its objective is to protect the IMS resources and IMS-core entities from DoS/DDoS flooding attacks. This module is based on an online stateless detection methodology and activates when the CPU processing load of the P-CSCF (Proxy-Call State Control Function) reaches or crosses the defined threshold limit.
    The second module is IDP-AS, which addresses and mitigates the misuse attacks facing IMS Application Servers (AS). Its focus is to secure the ISC interface between the IMS Core and the Application Servers. This module is based on a stateful misuse detection methodology: it creates and compares the user's state while he/she is communicating with the application server, checking against the attack rules whether the user is performing a legitimate or an illegitimate action. The IDP-AS also compares the incoming requests and outgoing responses to and from IMS Application Servers with the defined attack rules. In the performance analysis, the processing delay and attack detection accuracy of both Intrusion Detection and Prevention (IDP) modules were measured at the Fraunhofer FOKUS IMS Testbed, which was developed for research purposes. The performance evaluation is based on normal and overload condition scenarios. The results showed that the processing delay introduced by both IDP modules satisfied the standard requirements and did not cause retransmission of SIP REGISTER and INVITE requests. The developed prototype is in the testing phase at the Fraunhofer FOKUS 3Gb Testbed for evaluation in real-world communication scenarios such as VoIP, video conferencing, IPTV, presence, push-to-talk etc.

    Design and implementation of a distributed file directory for mobile peer-to-peer

    Peer-to-peer (P2P) networking has proven extremely popular on fixed networks, yet there is still no P2P network designed specifically for mobile phones, which makes this a very attractive topic from an academic research standpoint. This thesis begins by exploring the work done by the scientific community thus far in the field of mobile Peer-to-Peer. It then describes a novel approach [1] that utilizes the Session Initiation Protocol (SIP) to carry P2P control messages. This approach is called P2P-Over-SIP, and has several advantages over other non-standard protocols. We then describe a software implementation using P2P-Over-SIP. In particular, we describe our implementation of a super-peer node, used to build a mobile P2P network with an unstructured semi-centralized architecture. We detail the results obtained from testing our implementation with realistic usage scenarios. Our results are analysed and conclusions are drawn on the properties of our network. Lastly, we comment on possible future work in this area.

    Traffic Model of IMS/NGN Architecture with Transport Stratum Based on MPLS Technology

    Growing expectations for fast access to information create strong demands for a universal telecommunication network architecture which provides various services with strictly determined quality. Currently it is assumed that these requirements will be satisfied by the Next Generation Network (NGN), which consists of two strata and includes IP Multimedia Subsystem (IMS) elements. To guarantee Quality of Service (QoS), all NGN strata have to be correctly designed and dimensioned. For this reason, appropriate traffic models must be developed and applied, which should be efficient and simple enough for practical applications. In this paper, such a traffic model of a single NGN domain with a transport stratum based on Multiprotocol Label Switching (MPLS) technology is presented. The model allows evaluation of the mean transport stratum response time and can be useful for calculating the time of processing requests in the entire NGN architecture. Results obtained using the presented model are described and discussed. As a result of the discussion, elementary relationships between network parameters and transport stratum response time are indicated.

    Charging in IP multimedia networks

    IMS charging can be performed at various planes of the IMS architecture. Different charging schemes may be utilized. The optimal charging scheme would be service dependent, but may also be influenced by user expectations. The 3GPP has standardized charging mechanisms, protocols and interfaces for IMS charging control; online and offline charging have been standardized. However, the design and development of charging systems is operator dependent. This paper presents an IMS charging prototype developed and implemented in C, in line with Open IMS research. The testbed supports flow level, subsystem level and content level charging for IPTV and VoIP. The testbed supports online and offline charging; it has been tested with the UCT IMS client and the Fokus Open IMS system. Testbed proof of concept and performance results are presented.