
Abstract

VoIP has become a major application of multimedia communications over IP. Many initiatives around the world focus on the detection of attacks against VoIP services and infrastructures. Because there is no common labeled data-set comparable to what is available for TCP/IP network-based intrusion detection, their results cannot be compared. VoIP providers are not able to contribute their data because of user privacy agreements. In this paper, we propose a framework for customizing and generating VoIP traffic within controlled environments. We provide a labeled data-set generated in two types of SIP networks. Our data-set is composed of signaling and other protocol traces, call detail records and server logs. With this contribution we aim to make work on VoIP anomaly and intrusion detection comparable through its application to common data-sets.

Keywords

Intrusion Detection; Session Initiation Protocol; Intrusion Detection System; Attack Scenario; Internet Relay Chat
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Mohamed Nassar (1)
  • Radu State (1)
  • Olivier Festor (1)

  1. INRIA Research Center, Nancy - Grand Est, Villers-Lès-Nancy, France
