Preventing Distributed Denial-of-Service Attacks on the IMS Emergency Services Support through Adaptive Firewall Pinholing
Emergency services are vital services that Next Generation Networks (NGNs) have to provide. As the IP Multimedia Subsystem (IMS) is at the heart of NGNs, 3GPP has carried the burden of specifying a standardized IMS-based emergency services framework. Unfortunately, like any other IP-based standard, the IMS-based emergency service framework is prone to Distributed Denial of Service (DDoS) attacks. In this work we propose a simple but efficient solution that can prevent certain types of such attacks by creating firewall pinholes that regular clients will surely be able to pass, in contrast to the attackers' clients. Our solution was implemented, tested in an appropriate testbed, and its efficiency was proven.
Comment: 17 Pages, IJNGN Journa
Empirical assessment of VoIP overload detection tests
The control of communication networks critically relies on procedures capable of detecting unanticipated load changes. In this paper we explore such techniques, in a setting in which each connection consumes roughly the same amount of bandwidth (with VoIP as a leading example). We focus on large-deviations based techniques developed earlier in that monitor the number of connections present, and that issue an alarm when this number abruptly changes. The procedures proposed in are demonstrated by using real traces from an operational environment. Our experiments show that our detection procedure is capable of adequately identifying load changes
Anomaly Detection in Network Streams Through a Distributional Lens
Anomaly detection in computer networks yields valuable information on events relating to the components of a network, their states, the users in a network and their activities. This thesis provides a unified distribution-based methodology for online detection of anomalies in network traffic streams. The methodology is distribution-based in that it regards the traffic stream as a time series of distributions (histograms), and monitors metrics of distributions in the time series. The effectiveness of the methodology is demonstrated in three application scenarios. First, in 802.11 wireless traffic, we show the ability to detect certain classes of attacks using the methodology. Second, in information network update streams (specifically in Wikipedia) we show the ability to detect the activity of bots, flash events, and outages, as they occur. Third, in Voice over IP traffic streams, we show the ability to detect covert channels that exfiltrate confidential information out of the network. Our experiments show the high detection rate of the methodology when compared to other existing methods, while maintaining a low rate of false positives. Furthermore, we provide algorithmic results that enable efficient and scalable implementation of the above methodology, to accommodate the massive data rates observed in modern information streams on the Internet. Through these applications, we present an extensive study of several aspects of the methodology. We analyze the behavior of the metrics we consider, providing justification for our choice of those metrics and showing how they can be used to diagnose anomalies. We provide insight into the choice of parameters, like window length and threshold, used in anomaly detection
A Comprehensive Survey of Voice over IP Security Research
We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significantly more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems
Detecting Anomalies in VoIP traffic using Principal Components Analysis
The idea of using a method based on Principal Components Analysis (PCA) to detect anomalies in network traffic was first introduced by A. Lakhina, M. Crovella and C. Diot in an article published in 2004 called "Diagnosing Network-Wide Traffic Anomalies" [1].
They proposed a general method to diagnose traffic anomalies, using PCA to effectively separate the high-dimensional space occupied by a set of network traffic measurements into disjoint subspaces corresponding to normal and anomalous network conditions.
This algorithm was tested in subsequent works, taking into consideration different characteristics of IP traffic over a network (such as byte counts, packet counts, IP-flow counts, etc.) [2].
The proposal of using entropy as a summarization tool inside the algorithm led to significant advances in terms of the possibility of analyzing massive data sources [3]; but this type of AD method still lacked the possibility of recognizing the users responsible for the anomalies detected.
This last step was obtained using random aggregations of the IP flows, by means of sketches [4], leading to better performance in the detection of anomalies and to the possibility of identifying the responsible IP flows.
This version of the algorithm was implemented by C. Callegari and L. Gazzarini, at the Università di Pisa, in an AD software tool, described in [5], for analyzing IP traffic traces and detecting anomalies in them.
Our work consisted in adapting this software (designed to work with IP traffic traces) to use it with VoIP Call Data Records, in order to test its applicability as an Anomaly Detection system for voice traffic.
We then used our modified version of the software to scan a real VoIP traffic trace, obtained from a telephone operator, in order to analyze the software's performance in a real environment. We applied two different types of analysis to the same traffic trace, in order to understand the software's features and limits, as well as its applicability to AD problems.
As we discovered that the software's performance depends heavily on the input parameters used in the analysis, we concluded with several tests performed using artificially created anomalies, in order to understand the relationship between each input parameter's value and the software's capability of detecting different types of anomalies.
The different analyses performed led us, in the end, to some considerations on the possibility of applying this PCA-based software as an Anomaly Detector in VoIP environments.
To the best of our knowledge this is the first time a technique based on Principal Components Analysis has been used to detect anomalous users in VoIP traffic; in more detail, our contribution consisted in:
• Creating a version of an AD software based on PCA that could be used on VoIP traffic traces
• Testing the software's performance on a real traffic trace, obtained from a telephone operator
• From the first tests, analyzing the appropriate parameter values that permitted us to obtain results useful for detecting anomalous users in a VoIP environment
• Observing the types of users detected using the software on this trace and classifying them according to their behavior during the whole duration of the trace
• Analyzing how the choice of parameters impacts the type of detections obtained from the analysis, and testing which are the best choices for detecting each type of anomalous user
• Proposing a new kind of application of the software that avoids the biggest limitation of the first type of analysis (which, as we will see, is the impossibility of detecting more than one anomalous user per time-bin)
• Testing the software's performance with this new type of analysis, observing also how this different type of application impacts the dependence of the results on the input parameters
• Comparing the software's ability to detect anomalous users with another type of AD software that works on the same type of trace (VoIP SEAL)
• Modifying the trace in order to obtain, from the real trace, a version cleaned of all the detectable anomalies, so that artificial anomalies can be added to that trace
• Testing the software's performance in detecting different types of artificial anomalies
• Analyzing in more detail the software's sensitivity to the input parameters, when used for detecting artificially created anomalies
• Comparing the results and observations obtained from these different types of analysis to derive a global analysis of the characteristics of an Anomaly Detector based on Principal Components Analysis, its strengths and its weaknesses when applied to a VoIP trace
The structure of our work is the following:
1. We will start by analyzing the PCA theory, describing the structure of the algorithm used in our software, its features and the type of data it needs in order to be used as an Anomaly Detection system for VoIP traffic.
2. Then, after briefly describing the type of trace we used to test our software, we will introduce the first type of analysis performed, the single round analysis, pointing out the results obtained and their dependence on the parameter values.
3. In the following section we will focus on a different type of analysis, the multiple round analysis, which we introduced to test the software's performance after removing its biggest limitation (the impossibility of detecting more than one user per time-bin); we will describe the results obtained, comparing them with the ones obtained with the single round analysis, check their dependence on the parameters and compare the performance with that obtained using another type of AD software (VoIP SEAL) on the same trace.
4. We will then consider the results and observations obtained by testing our software using artificial anomalies added to a "cleaned" version of our original trace (in which we removed all the anomalous users detectable with our software), comparing the software's performance in detecting different types of anomalies and analyzing in detail their dependence on the parameter values.
5. Finally we will describe our conclusions, derived from all the observations obtained with the different types of analysis, about the applicability of PCA-based software as an Anomaly Detector in a VoIP environment
SecMon: End-to-End Quality and Security Monitoring System
The Voice over Internet Protocol (VoIP) is becoming a more available and popular way of communicating for Internet users. This also applies to Peer-to-Peer (P2P) systems, and merging these two has already proven to be successful (e.g. Skype). Although the existing VoIP standards provide an assurance of security and Quality of Service (QoS), these features are usually optional and supported by a limited number of implementations. As a result, the lack of mandatory and widely applicable QoS and security guarantees makes contemporary VoIP systems vulnerable to attacks and network disturbances. In this paper we address these issues and propose the SecMon system, which simultaneously provides a lightweight security mechanism and improves the quality parameters of the call. SecMon is intended especially for VoIP service over P2P networks, and its main advantage is that it provides authentication, data integrity services, adaptive QoS and (D)DoS attack detection. Moreover, the SecMon approach represents a low-bandwidth solution that is transparent to the users and possesses a self-organizing capability. The above-mentioned features are accomplished mainly by utilizing two information hiding techniques: digital audio watermarking and network steganography. These techniques are used to create covert channels that serve as transport channels for lightweight QoS measurement results. Furthermore, these metrics are aggregated in a reputation system that enables best route path selection in the P2P network. The reputation system also helps to mitigate (D)DoS attacks, maximize performance and increase transmission efficiency in the network.
Comment: Paper was presented at 7th international conference IBIZA 2008: On Computer Science - Research And Applications, Poland, Kazimierz Dolny 31.01-2.02 2008; 14 pages, 5 figure