Monitoring SIP Traffic Using Support Vector Machines

Monitoring SIP Traffic Using Support Vector Machines
Mohamed Nassar, Radu State, Olivier Festor ((nassar, state, festor)@loria.fr)
MADYNES Team, INRIA Nancy - Grand Est
17 September 2008

[2/25] Outline
- Introduction to SIP
- Threats
- Monitoring system
- Experiments
- Future works and Conclusion

[3/25] SIP
SIP (Session Initiation Protocol, RFC 3261)
- Text-based like HTTP
- Request + response = transaction
- URI = sip:user@host:port;parameters
Figure: call between a hard phone (bob@192.168.1.10) and a soft phone (1000@192.168.1.12). Signaling on port 5060: INVITE (SDP, U-Law) -> 100 Trying -> 180 Ringing -> 200 OK (SDP, A-Law) -> ACK; media as RTP (A-Law) in both directions on the negotiated ports (10502 and 34154); BYE -> 200 OK ends the call.

[4/25] SIP Trapezoid
Figure: Bob's INVITE goes to his proxy server, which asks the DNS server for the IP address of the SIP service at berlin.org and forwards the INVITE to Alice's proxy server; that proxy asks its database server where Alice is registered and delivers the INVITE to Alice.

    INVITE sip:alice@berlin.org SIP/2.0
    Via: SIP/2.0/UDP loria.nancy.org:5060;branch=z9hg4bkfw19b
    Max-Forwards: 70
    To: Alice <sip:alice@berlin.org>
    From: Bob <sip:bob@nancy.org>;tag=76341
    Call-ID: 123456789@loria.nancy.org
    CSeq: 1 INVITE
    Contact: <sip:bob@nancy.org>
    Content-Type: application/sdp

    <SDP body not shown>

[5/25] Threats in the VoIP domain
- Unwanted calls for telemarketing and advertising
- Misrepresenting identity to obtain personal information
- Displaying a number different from the originating one
- Discovering the users' extensions in a VoIP domain
- Brute-force voice-mail and register-account password cracking
- Messages not compliant with protocol specifications
- Resulting in resource exhaustion of the target
- Resulting in premature session tear-down or service abuse

[6/25] DoS
- Flooding attacks target the signaling plane elements (e.g. proxy, gateway, etc.) with the objective of taking them down or of limiting their quality, reliability and availability
- Strategy: legitimate SIP messages; malformed SIP messages; invalid SIP messages; spoofed SIP messages; CPU-based attacks targeting the authentication process
- Destination: a valid URI in the target domain; a non-existent URI in the target domain; a URI with an invalid domain or IP address; an invalid URI in another domain; a valid URI in another domain
Figure: using invalid destination domains with 100 INVITE/second.

[7/25] SPIT, or SPam over Internet Telephony
- Like SPAM (cost-free) but more annoying (phone ringing all day, interruption of work)
- Expected to become a severe issue with the large deployment of VoIP services
- SPIT transactions are technically correct: we don't know the content until the phone rings, and we need to be reachable
- SPAM filtering solutions are not directly applicable
- Current approaches: multi-level grey list, Turing tests, trust management, VoIP SEAL from NEC, VoIP SPAM detector from University of North Texas
*Image from winnipeg.ca

[8/25] Monitoring Approach
Figure: the SIP flow fills a queue; when the queue is full, a processor turns it into a vector of features that goes to the classifier; classifier events feed an event correlator/decider that raises alarms. Learning uses couples (vector, class id) to update the classifier. On the timeline (normal, attack period, normal) the windows straddling the transitions give a border effect that produces false positives.

[9/25] Monitoring System
Figure: the SIP flow is analysed over a short-term window and a long-term window; each analyser produces a vector of features for its own classifier, and the classifier events go to a shared event correlator/decider that raises alarms. Each classifier is updated from learning couples (vector, class id). The figure also labels a flood detection / recovery algorithm, an adjustment input to the short-term analyser and a start/stop input to the long-term classifier.
- Short-term/long-term monitoring
- Count-related/chronological windows
- Different classification and anomaly detection techniques
- Learning-updating/testing
- Defense against manipulation attacks (poisoning)
- Feature selection and extraction
- Event correlation
- Prevention

[10/25] Why SVM?
- Kernel function (radial basis, linear, polynomial, sigmoid)
- Known to process high-dimensional data
- Classification, regression and exploration of data
- High performance in many domains (bioinformatics, pattern recognition) and in network-based intrusion detection as well
- Unsupervised learning

[11/25] Feature Selection
- We have 38 features characterizing the SIP traffic, distributed over 5 groups:
  1. General statistics
  2. Call-ID based statistics
  3. Dialog final state distribution
  4. Request distribution
  5. Response distribution
- We take into account inbound and outbound messages
- Other features can be investigated as well
- Features must be characterized by a small extraction complexity
- Our feature extraction tool is written in Java using the Jain SIP parser
Figure: a sample exchange (INVITE (SDP), 100, OPTIONS, 200 OK (SDP), 200 OK, ACK) annotated with inter-request, inter-response and inter-SDP arrival times, from which the features are derived: average inter-request arrival, average inter-response arrival, average inter-SDP arrival, number of requests / total number of messages, number of responses / total number of messages, number of SDP / total number of messages, number of messages having the same Call-ID.

[12/25] Traces and testbed
Figure: real-world VoIP service provider.

[13/25] VoIP specific bots
Available from www.loria.fr/~nassar
Figure: a malicious user uploads exploit code to a web server (with dynamic DNS) and issues commands through an IRC server/channel (the manager); each VoIP bot (VoIP agent) retrieves the exploit over HTTP and launches DoS or SPIT attacks over SIP/RTP against victims (Asterisk, Cisco, Linksys, Thomson, Grandstream).

[14/25] Experiments
Trace           Normal   DoS    KIF    Unknown
SIP pkts        57960    6076   2305   7033
Duration (min)  8.6      3.1    50.9   83.7
Classification time < 1 s

[15/25] Normal Data Coherence Test
Figure: panels labelled Day 1, Day 1, Day 1, Day 2.

[16/25] Monitoring Window Size
The overall trace is about 8.6 minutes long and the message arrival rate is about 147 msg/s.

[17/25] Feature selection

[18/25] Feature Selection
- A greater number of features doesn't mean higher accuracy
- Feature selection increases the accuracy and the performance of the system
- The selected features are highly dependent on the underlying traffic and on the attacks to be detected
- A preliminary approach combines F-score and SVM

[19/25] Flooding Detection
Background traffic ~ 147 msg/s, window = 30 messages.
Figure: classifier output (A = attack, N = normal) over time t, with the attack period marked.

[20/25] Selected Features for Flooding / Short-Term Monitoring
(Number, Name; the F-score column appears only in the original figure)
11 NbReceivers
14 NbCALLSET
20 NbInv
4 NbSdp
2 NbReq
3 NbResp
13 NbNOTACALL
12 AvMsg

[21/25] SPIT Detection
Background traffic ~ 147 msg/s, window = 30 messages. False positives = 0 %.
Figure: classifier output (A = attack, N = normal) over time t, with the attack period marked.

[22/25] Selected Features for SPIT / Long-Term Monitoring
(Number, Name; the F-score column appears only in the original figure)
16 NbRejected
4 NbSdp
20 NbInv
23 NbAck
36 Nb4xx
34 Nb2xx
7 AvInterSdp
35 Nb3xx
13 NbNOTACALL

[23/25] Event Correlation
Predicate                                      SPIT intensity
10 distributed positives in a 2-minute period  Low (Stealthy)
Multiple series of 5 successive positives      Medium
Multiple series of 10 successive positives     High
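The predicate table above, as an added example that is not the authors' code: a correlator run over the per-window classifier output (1 = window classified as SPIT). "Multiple series" is read here as at least two disjoint series of k successive positives, which the slide does not state, and the timestamps and scenarios are constructed.

```python
from bisect import bisect_right
from itertools import groupby

def positive_runs(labels):
    """Lengths of all maximal runs of consecutive positive (1) window classifications."""
    return [sum(1 for _ in grp) for positive, grp in groupby(labels) if positive]

def count_series(runs, k):
    """Disjoint series of k successive positives contained in the runs (a run of 12 holds 2 series of 5)."""
    return sum(r // k for r in runs)

def spit_intensity(events, period_s=120, distributed_min=10, medium_run=5, high_run=10, min_series=2):
    """events: time-ordered (timestamp_s, label) pairs, label 1 = window classified as SPIT.
    Returns the slide's intensity level, or None when no predicate fires. Assumption (not on
    the slide): 'multiple series' means at least min_series series."""
    runs = positive_runs([label for _, label in events])
    if count_series(runs, high_run) >= min_series:
        return "High"
    if count_series(runs, medium_run) >= min_series:
        return "Medium"
    # Low (Stealthy): distributed_min positives inside some sliding period of period_s seconds.
    times = [t for t, label in events if label]
    for i, t0 in enumerate(times):
        if bisect_right(times, t0 + period_s) - i >= distributed_min:
            return "Low (Stealthy)"
    return None

def make_events(labels, spacing_s=1.0):
    """Constructed classifier output: one label per monitoring window, windows spacing_s apart."""
    return [(i * spacing_s, label) for i, label in enumerate(labels)]

# Constructed scenarios (not the paper's data), one label per one-second window.
BURSTS_OF_10 = make_events([1] * 10 + [0] * 5 + [1] * 10)                   # two series of 10 -> High
BURSTS_OF_5 = make_events([1] * 5 + [0] * 3 + [1] * 5 + [0] * 3 + [1] * 3)  # two series of 5 -> Medium
STEALTHY = make_events(([1] + [0] * 9) * 10)    # one positive every 10 s: 10 positives in 100 s -> Low
SPARSE = make_events(([1] + [0] * 19) * 9)      # one positive every 20 s: never 10 within 120 s -> None
```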

[24/25] Conclusion and Future works
- An online monitoring methodology is proposed, based on SVM learning machines
- Offline experiments show real-time performance and high detection accuracy
- Anomaly detection and an unsupervised learning approach are future works
- Studying traces of other VoIP attacks
- More investigation of the set of features and the selection algorithms
- Extending the event correlation framework in order to reveal attack strategies and recognize attacker plans

[25/25] Annex

[26/25] Features Group 1 - General Statistics
1 Duration: total time of the slice
2 NbReq: # of requests / total # of messages
3 NbResp: # of responses / total # of messages
4 NbSdp: # of messages carrying SDP / total # of messages
5 AvInterReq: average inter-arrival of requests
6 AvInterResp: average inter-arrival of responses
7 AvInterSdp: average inter-arrival of messages carrying SDP bodies

[27/25] Features Group 2 - Call-ID based statistics
8 NbSess: # of different Call-IDs
9 AvDuration: average duration of a Call-ID
10 NbSenders: # of different senders / total # of Call-IDs
11 NbReceivers: # of different receivers / total # of Call-IDs
12 AvMsg: average # of messages per Call-ID

[28/25] Features Group 3 - Dialogs Final State Distribution
13 NbNOTACALL: # of NOTACALL / total # of Call-IDs
14 NbCALLSET: # of CALLSET / total # of Call-IDs
15 NbCANCELED: # of CANCELED / total # of Call-IDs
16 NbREJECTED: # of REJECTED / total # of Call-IDs
17 NbINCALL: # of INCALL / total # of Call-IDs
18 NbCOMPLETED: # of COMPLETED / total # of Call-IDs
19 NbRESIDUE: # of RESIDUE / total # of Call-IDs

[29/25] Features Group 4 - Request Distribution
20 NbInv: # of INVITE / total # of requests
21 NbReg: # of REGISTER / total # of requests
22 NbBye: # of BYE / total # of requests
23 NbAck: # of ACK / total # of requests
24 NbCan: # of CANCEL / total # of requests
25 NbOpt: # of OPTIONS / total # of requests
26 NbRef: # of REFER / total # of requests
27 NbSub: # of SUBSCRIBE / total # of requests
28 NbNot: # of NOTIFY / total # of requests
29 NbMes: # of MESSAGE / total # of requests
30 NbInf: # of INFO / total # of requests
31 NbPra: # of PRACK / total # of requests
32 NbUpd: # of UPDATE / total # of requests

[30/25] Features Group 5 - Response Distribution
33 Nb1xx: # of Informational responses / total # of responses
34 Nb2xx: # of Success responses / total # of responses
35 Nb3xx: # of Redirection responses / total # of responses
36 Nb4xx: # of Client error responses / total # of responses
37 Nb5xx: # of Server error responses / total # of responses
38 Nb6xx: # of Global error responses / total # of responses
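The feature groups defined on slide 11 and in this annex, as an added example that is not the authors' Java/Jain SIP extraction tool: a Python extractor that computes the group 1, 2, 4 and 5 features over one monitoring window of SIP messages (group 4 limited to five methods, group 3 dialog states omitted). The hosts, Call-IDs, timestamps and messages of the sample window are constructed.

```python
from collections import Counter
from statistics import mean

def parse(raw):
    """Minimal SIP parser: start line plus the headers the features need (body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in head[1:])}
    msg = {"call_id": hdrs.get("call-id"), "from": hdrs.get("from"), "to": hdrs.get("to"),
           "sdp": hdrs.get("content-type", "").startswith("application/sdp")}
    if head[0].startswith("SIP/2.0 "):  # status line: keep only the class (1xx..6xx), as group 5 does
        msg.update(kind="resp", status=head[0].split()[1][0] + "xx")
    else:                               # request line: "METHOD sip:uri SIP/2.0"
        msg.update(kind="req", method=head[0].split()[0])
    return msg

def avg_inter(times):  # average inter-arrival of a time-ordered list; 0.0 when fewer than two events
    return mean(b - a for a, b in zip(times, times[1:])) if len(times) > 1 else 0.0

def extract_features(window):
    """window: time-ordered list of (timestamp_s, raw_message). Returns features named as in the paper."""
    msgs = [(t, parse(raw)) for t, raw in window]
    reqs = [(t, m) for t, m in msgs if m["kind"] == "req"]
    resps = [(t, m) for t, m in msgs if m["kind"] == "resp"]
    sdps = [t for t, m in msgs if m["sdp"]]
    sessions = {m["call_id"] for _, m in msgs}
    n, methods = len(msgs), Counter(m["method"] for _, m in reqs)
    classes = Counter(m["status"] for _, m in resps)
    f = {"Duration": msgs[-1][0] - msgs[0][0], "NbReq": len(reqs) / n, "NbResp": len(resps) / n,
         "NbSdp": len(sdps) / n, "AvInterReq": avg_inter([t for t, _ in reqs]),
         "AvInterResp": avg_inter([t for t, _ in resps]), "AvInterSdp": avg_inter(sdps),
         "NbSess": len(sessions), "NbSenders": len({m["from"] for _, m in msgs}) / len(sessions),
         "NbReceivers": len({m["to"] for _, m in msgs}) / len(sessions), "AvMsg": n / len(sessions)}
    for meth in ("INVITE", "REGISTER", "BYE", "ACK", "OPTIONS"):  # group 4 subset: NbInv, NbReg, ...
        f["Nb" + meth.title()[:3]] = methods[meth] / len(reqs) if reqs else 0.0
    for cls in ("1xx", "2xx", "3xx", "4xx", "5xx", "6xx"):  # group 5: Nb1xx .. Nb6xx
        f["Nb" + cls] = classes[cls] / len(resps) if resps else 0.0
    return f

def sip(start_line, call_id, frm, to, sdp=False):  # constructed message with just the headers parse() reads
    body = "Content-Type: application/sdp\r\n\r\nv=0\r\n" if sdp else "\r\n"
    return f"{start_line}\r\nCall-ID: {call_id}\r\nFrom: <sip:{frm}>\r\nTo: <sip:{to}>\r\n{body}"
# Constructed window (not a real trace): one complete call (Call-ID c1) and one OPTIONS keep-alive (c2).
PARTIES = {"c1": ("bob@example.org", "alice@example.org"), "c2": ("ping@example.org", "proxy@example.org")}
EVENTS = [(0.00, "INVITE sip:alice@example.org SIP/2.0", "c1", True), (0.02, "SIP/2.0 100 Trying", "c1", False),
          (0.50, "SIP/2.0 180 Ringing", "c1", False), (2.00, "SIP/2.0 200 OK", "c1", True),
          (2.05, "ACK sip:alice@example.org SIP/2.0", "c1", False),
          (3.00, "OPTIONS sip:proxy.example.org SIP/2.0", "c2", False), (3.01, "SIP/2.0 200 OK", "c2", False),
          (9.00, "BYE sip:alice@example.org SIP/2.0", "c1", False), (9.02, "SIP/2.0 200 OK", "c1", False)]
SAMPLE_WINDOW = [(t, sip(line, cid, *PARTIES[cid], sdp)) for t, line, cid, sdp in EVENTS]
```

In the paper's setting the window would be the 30-message short-term slice fed to the classifier; the resulting dict is the (vector) half of a (vector, class id) learning couple.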

[31/25] Phreaking by social engineering scheme
Figure: Trudy (IP network) -> Bob -> SIP/PSTN gateway -> PSTN network. Bob has a contract to make phone calls towards the PSTN. Trudy's message to Bob: "I am a technician doing a test, please transfer me to that operator by dialing 9 0 # and hang up".

[32/25] Machine Learning
Pros:
- Better accuracy, small false alarm rate
- Compact representation
- Detecting novelty
Cons:
- Embedding of network data in metric spaces
- Difficulty of getting labels
- Vulnerable to malicious noise
- Huge data volumes

[33/25] *Figure from Wikipedia

[34/25] Traces
- Call setup is a small fraction of the signaling traffic
- Some empty messages are used as Ping or KeepAlive for device management
- Some messages throw parsing exceptions

[35/25] Traces
- OPTIONS and REGISTER messages are the most numerous
- MESSAGE, PRACK and UPDATE are absent
- The number of NOTIFY is constant over time (messages automatically generated at a fixed rate)
- #INVITE/#BYE = 2.15 (not every INVITE results in a BYE, e.g. callee is busy, retransmission, re-INVITE)
- #INVITE/#ACK = 0.92 (some INVITEs are acknowledged twice)

[36/25] Traces
- The most numerous is the 2xx family (in response to REGISTER and OPTIONS messages)
- #INVITE/#1xx = 0.59 (probably a 100 Trying and a 180 Ringing for each INVITE)

[37/25] Traces
- Average inter-request = average inter-response = 20 ms
- The average inter-arrival of requests with SDP bodies is inversely proportional to the number of INVITE, BYE, ACK and 1xx messages (which are only used in call setup)
- The average inter-arrival of requests carrying SDP reaches 3 s in quiet hours and 0.5 s in rush hours, which reveals a high call-setup traffic

[38/25] LibSVM