A hybrid and cross-protocol architecture with semantics and syntax awareness to improve intrusion detection efficiency in Voice over IP environments
Voice and data have traditionally been carried on different types of networks based on different technologies, namely circuit switching and packet switching respectively. Convergence in networks enables carrying voice, video, and other data on the same packet-switched infrastructure, and provides various services related to these kinds of data in a unified way. Voice over Internet Protocol (VoIP) stands out as the standard that benefits from convergence by carrying voice calls over the packet-switched infrastructure of the Internet. Although sharing the same physical infrastructure with data networks makes convergence attractive in terms of cost and management, it also makes VoIP environments inherit all the security weaknesses of the Internet Protocol (IP). In addition, VoIP networks come with their own set of security concerns. Voice traffic on converged networks is packet-switched and vulnerable to interception with the same techniques used to sniff other traffic on a Local Area Network (LAN) or Wide Area Network (WAN). Denial of Service (DoS) attacks are among the most critical threats to VoIP because of the disruption of service and loss of revenue they cause. VoIP systems are expected to provide the same level of security as traditional Public Switched Telephone Networks (PSTNs), although more functionality and intelligence are distributed to the endpoints, and more protocols are involved to provide better service. A new design that takes all the above factors into consideration, with better intrusion detection techniques, is therefore needed. This thesis describes the design and implementation of a host-based Intrusion Detection System (IDS) that targets VoIP environments. Our intrusion detection system combines two types of modules for better detection capabilities, namely a specification-based and a signature-based module.
Our specification-based module takes the specifications of VoIP applications and protocols as the detection baseline. Any deviation from the protocol's proper behavior as described by its specifications is considered an anomaly. The Communicating Extended Finite State Machines (CEFSMs) model is used to trace the behavior of the protocols involved in VoIP, and to help exchange detection results among protocols in a stateful and cross-protocol manner. The signature-based module is built in part upon State Transition Analysis Techniques, which are used to model and detect computer penetrations. Both detection modules allow for protocol-syntax and protocol-semantics awareness. Our intrusion detection system uses the aforementioned techniques to cover the threats propagated via low-level protocols such as IP, ICMP, UDP, and TCP.
A Machine Learning Approach for Prediction of Signaling SIP Dialogs
In this paper, we propose a machine learning methodology for prediction of signaling sessions established with the Session Initiation Protocol (SIP). Given the increasing importance of predicting and detecting abnormal sequences of SIP messages to avoid SIP signaling-based attacks, we first propose a Bayesian inference method capable of representing the statistical relation between a SIP message, observed by a SIP user agent or a SIP server, and prior trustworthy SIP dialogs. The Bayesian inference method, a Hidden Markov Model (HMM) enriched with gram Markov observations, is updated over time, so the inference can be used in real time. The HMM is then used for predicting and detecting SIP dialogs through a lightweight implementation of the Viterbi algorithm for sparse state spaces. Experimental results are also reported, where a SIP dataset representing prior information collected by a SIP user agent and/or a SIP server is used to predict or detect whether a received sequence of SIP messages is legitimate according to similar SIP dialogs already observed. Finally, we discuss the results obtained for a dataset of abnormal SIP sequences, not observed during the inference stage, showing the effective utility of the proposed methodology to detect abnormal SIP sequences in a short period of time.
Security in transnational interoperable PPDR communications: threats and requirements
The relevance of cross-border security operations has long been identified as a priority at the European level. A European network where Public Protection and Disaster Relief (PPDR) forces share communications processes and a legal framework would greatly strengthen disaster recovery response and security against crime. Nevertheless, uncertainty about costs, timescale and functionalities has so far slowed down the interconnection of PPDR networks across countries and limited the transnational cooperation of their PPDR forces. In this context, the European research project ISITEP aims to develop the legal, operational and technical framework to achieve a cost-effective solution for PPDR interoperability across European countries. Among other things, the ISITEP project is specifying a new Inter-System Interface (ISI) for the interconnection of current TETRA and TETRAPOL networks that can be deployed over Internet Protocol (IP) connectivity. This approach makes communications security a central aspect to consider when deploying the new IP ISI protocol between PPDR national networks. Ensuring that threats to the interconnected communications systems and terminals are sufficiently and appropriately reduced by technical, procedural and environmental countermeasures is vital to realise the trusted and secure communication system needed for the pursued PPDR transnational cooperation activities. In this context, this paper describes the framework and methodology defined to carry out the development of the security requirements and provides a discussion of the security risk and vulnerability analysis undertaken.
Risk Management in VoIP Infrastructures using Support Vector Machines
Telephony over IP is exposed to multiple security threats. Conventional protection mechanisms do not fit the highly dynamic, open and large-scale settings of VoIP infrastructures, and may significantly impact the performance of such a critical service. We propose in this paper a runtime risk management strategy based on anomaly detection techniques for continuously adapting the VoIP service exposure. This solution relies on support vector machines (SVM) and exploits dynamic security safeguards to reduce risks in a progressive manner. We describe how SVM parameters can be integrated into a runtime risk model, and show how this framework can be deployed on an Asterisk VoIP server. We evaluate the benefits and limits of our solution through a prototype and an extensive set of experimental results.
- …