2019年3月1日
By 迈克尔•史密斯安全CTO，媒体 & 载体,Akamai, 亚历克斯Balford Sr. Akamai产品营销经理
专题文章

Best Practices for Premium Video Streaming, Part 6: 内容保护

Best practices for security in commercial video streaming are becoming increasingly complicated. 分销商必须应对内容保护的复杂性，以及对运营中断的新级别防御的需求.

当涉及到内容保护, 发行商必须能够适应许多直接影响数字版权管理(数字版权管理)平台使用的因素, 是否需要法医水印, and which other advanced protection mechanisms might be required. 但是，水印和其他新要求的出现给利用超高清技术的经销商带来了额外的不确定性, 早期的窗口发布, 和虚拟现实. 在网络安全层面, media and entertainment companies have entered a new era in which the risks of disruption, 入侵, 个人身份盗窃需要进一步的保护.

本文探讨了要求新的安全级别的条件，并就内容保护和网络安全领域的最佳实践提出了建议.

影响内容保护策略的趋势和问题

Many of the procedures content suppliers set for OTT consumption have become fairly routine for distributors. But, 在规划商业策略方面, 对于分销商来说，重要的是要了解授权方在授予他们特定类别或内容使用的权利时的保护政策是什么，而不是做出假设.

Accommodating Protection Requirements in the SD and HD Domains

最低级别的内容保护为授权用户使用身份验证令牌，以防止链接共享. 在某些情况下, distributors use a basic level of encryption with Advanced Encryption Standard (AES) 128, delivering decryption keys only to token-authorized recipients. 这种保护模式通常用于没有与复制或再分发相关的策略条款的较旧的SVOD内容.

许可证持有人通常需要更严格的保护或对新的或实时高清的地理限制，例如提供检测来自vpn和DNS代理的用户请求的服务, as well as 数字版权管理 systems that set policy restrictions for on-demand distribution. Industry consolidation on specific 数字版权管理 has made providing this level of protection much easier for distributors, 但行业标准仍在不断发展.

Distributors must take policies for different formats into account when setting up 数字版权管理. On-demand content typically uses a single key from the 数字版权管理 server for as long as the session is active. But live streaming now requires key refreshment at regular intervals. 及时提供保护和身份验证机制对于可能导致收视率飙升的直播节目也至关重要, 比如体育或特殊赛事. Without backup capacity, user session requests can linger on 数字版权管理 servers, resulting in delays.

Meeting Protection Requirements for UHD 4K and Other High-End Services

MovieLabs, the research and development joint venture started by the six major motion picture studios, 最近发布了加强内容保护(ECP)建议，以解决在线隐私和新视频格式问题. 虽然尚未被广泛要求, they may spell additional operations costs for distributors as new requirements emerge.

最显著, these include the insertion of forensic watermarks into content streams, 这一需求通常与超高清内容的出现有关，但也可以附加到高清内容上，以便提前发布窗口或高调的直播内容流. They are also forming as streaming VR content becomes more common.

Beyond watermarking, advanced protection requirements recommended by MovieLabs include:

“Factory burned” hardware roots of trust to provide a secure mechanism for locally storing encryption keys
硬件支持数字版权管理的软件可再生性
端到端安全媒体路径, 包括从外部网络到内部网络的过渡，以及其他不属于典型流媒体许可范例的措施

There is still much to be worked out when it comes to watermarking. 根据工作室的标准，水印必须在播放时由设备注入到内容中，或者在每个会话的基础上从服务器注入. 无论哪种方式, 分销商需要能够提供全面支持自动化内容预处理的供应商，以便对实时内容进行动态水印. 水印供应商和cdn应该以一种健壮的方式集成，在边缘上使用每会话唯一的水印ID (a /B模式)进行大规模的a /B切换.

此外, 要有效率, 水印必须得到广泛合作的支持，使用这些看不见的代码来跟踪和关闭非法运营商. CDN服务应利用与取证水印解决方案和执法服务的关系，帮助分销商实时关闭非法直播流或未经授权的会话. 这种关系要求CDN运营商承诺验证警报的可信度，以避免关闭合法的流. CDN services can also help facilitate server-side watermarking, 使提供商能够直接与单个会话流交互，以插入带有水印的流段.

应对日益增长的网络安全威胁

随着诸如凭证填充之类的全球攻击激增，对网络安全保护的需求变得更加迫切, 分布式拒绝服务(DDoS), 自动机器人, 黑客入侵, and others signal the threat to providers of video streaming services can no longer be ignored.

凭证填充攻击

恶意活动迅速增加的一个领域是“凭证填充攻击”的兴起，这需要流媒体提供商的关注,，这是一种针对登录字段的自动试错攻击，以发现可用的用户名和密码组合. A variation of this attack involves the attackers creating a large amount of trial accounts.

根据… Akamai的报告, more than 40% of global login attempts are attributable to malicious bot-driven credential stuffing attacks. Akamai在2017年第四季度的一个月内就发现了近4亿次针对媒体和娱乐客户的此类攻击.

通过向流媒体服务妥协多个帐户, attackers are able to evade 数字版权管理 by pivoting between user accounts as they are blocked by the streaming service, 下载一个服务的全部视频点播百家乐软件, 并建立了自己的营利性盗版直播服务，当一个流令牌被禁用时，该服务仍能正常运行. They then steal users’ payment and other personal data and generate spam reviews and ratings. 类似的“用户账户切换”攻击可以用来下载所有服务的视频点播内容.

污损和水坑攻击

有时, the websites hosting streaming content are attacked simply because they have a large viewership. 在污损中, the attacker alters the site content to display their message, usually around geopolitical issues associated with a live streaming event location. 在水坑袭击事件中, the site is compromised and used to distribute 恶意软件 to the end user.

分布式拒绝服务

In 2017, 根据Akamai对其CDN流量的分析，第四季度全球范围内的DDoS攻击与去年同期相比增长了14%. Akamai和其他人的研究表明，对于使用互联网的企业来说，DDoS和网站攻击的成本比任何其他由外部指使的攻击模式都要高, 与内部人士犯下的网络犯罪相当.

内部数据泄露

Most enterprises have a large variety of internal data that is targeted by attackers: finance and payments, 内部IT, 合同, 人力百家乐软件. 以流媒体服务为例, they also have high-quality versions of content (mezzanine files), 数据查看器, 内容许可. This allows traditional enterprise attacks such as phishing, 恶意软件, ransomware, and more to impact the streaming service in the form of lost assets, 调查成本, 失去服务.

与此相关的一类攻击与抵御外部承包商和其他第三方滥用授权访问(或过度特权)网络访问的薄弱防御有关. 一旦访问凭证被泄露, attackers have access to roam through the victim’s network until target data is identified.

Protection against such threats is especially challenging in video distribution. Content producers regularly outsource preparation functions, including mezzanine-level encoding and transcoding for OTT streaming. Simply granting network-level access through traditional approaches like VPNs to all these parties, and trusting that they are not coming into the internal environment with infected devices, 构成不可接受的风险.

毫无疑问，OTT提供商在安全漏洞和内容保护方面面临的风险将继续增加. 每家公司在评估采取何种预防措施时，都应该考虑到随着时间的推移，它们可能需要额外的保护层. 当他们在网络安全和内容保护方面采取初步措施时，至关重要的是，他们的措施具有覆盖范围, 分析情报, 以及足以满足未来需求的解决方案.

这是一篇来自Akamai的供应商贡献的文章. 流媒体 accepts 文章 from vendors based solely on their value to our readers.]