69 research outputs found

    Preventing Distributed Denial-of-Service Attacks on the IMS Emergency Services Support through Adaptive Firewall Pinholing

    Emergency services are vital services that Next Generation Networks (NGNs) have to provide. As the IP Multimedia Subsystem (IMS) is at the heart of NGNs, 3GPP has carried the burden of specifying a standardized IMS-based emergency services framework. Unfortunately, like any other IP-based standard, the IMS-based emergency services framework is prone to Distributed Denial of Service (DDoS) attacks. In this work we propose a simple but efficient solution that can prevent certain types of such attacks by creating firewall pinholes that regular clients will surely be able to pass, in contrast to the attackers' clients. Our solution was implemented, tested in an appropriate testbed, and its efficiency was proven.
Comment: 17 Pages, IJNGN Journa

    Secure Service Provisioning (SSP) Framework for IP Multimedia Subsystem (IMS)

    With the emergence of mobile multimedia services such as unified messaging, click-to-dial applications, cross-network multimedia conferencing and seamless multimedia streaming services, the convergence of mobile communication networks and fixed networks began, accompanied by the integration of voice and data communication transmission technology. These developments form the prerequisite for the merger of the modern Internet on the one side with telecommunications in the classical sense on the other. The IP Multimedia Subsystem (IMS) may be regarded as the decisive next-generation service delivery platform in a unified communication world. Its architecture is based on a modular design with open interfaces and offers dedicated prerequisites for supporting multimedia services on the basis of the Internet protocols. Along with this emerging open technology come new security challenges in a multilayered communication infrastructure consisting essentially of the Internet Protocol (IP), the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning system (SSP) is to investigate possible attack scenarios and security gaps in connection with the IP Multimedia Subsystem and to evaluate security solutions as proposed by IETF, 3GPP and TISPAN. Within this research work, these solutions are considered as part of the SSP system, with the goal of guaranteeing sufficient protection for the IMS and the next-generation SDP.
This part, designated security protection level 1, includes among other things measures for user and network authentication, authorization of the use of multimedia services, and provisions to ensure the confidentiality and integrity of data in connection with protection against eavesdropping, session hijacking and man-in-the-middle attacks. In the next step, the limitations characteristic of security protection level 1 are investigated and measures to improve the security protection are developed. The corresponding extensions of security protection level 1 lead to an Intrusion Detection and Prevention (IDP) system that offers protection against Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS) attacks, misuse and fraud attempts in IMS-based networks. Neither 3GPP nor TISPAN has so far specified solutions for this area. In this context, the research and development work described here can contribute to the standardization of solutions for protection against DoS and DDoS attacks in IMS networks. The approach described here is based on the development of a (stateful / stateless) system for detecting and preventing intrusion attempts (Intrusion Detection and Prevention System). From a development perspective, the IDP was divided into two modules: the first module contains the basic functions of the IDP, which are directed at flooding attacks on the IMS and their compensation. Its goal is to protect the IMS core network and the IMS resources against DoS and DDoS attacks. This module is based on an online stateless detection methodology and becomes active as soon as the CPU load of the P-CSCF (Proxy-Call State Control Function) reaches or exceeds a predefined threshold. The second module (IDP-AS) has the task of intercepting attacks directed against IMS Application Servers (AS).
Here the measures concentrate on protecting the ISC interface between the IMS core and the application servers. This module implements a stateful detection methodology for recognizing misuse activities. While the user communicates with the application server, user-specific state data are recorded and used to check legitimacy. The IDP-AS checks all incoming requests and all outgoing responses that originate from or are directed to IMS Application Servers for their admissibility with respect to the defined attack rules. The performance of the IDP modules is evaluated using the criteria of accuracy and processing delay in identifying potential attacks. For the corresponding reference values, the normal-load and overload states are compared. If the performance of the IDP does not fall short of expectations, an IDP prototype is deployed for evaluation in the Open IMS Playground of the Fraunhofer FOKUS 3Gb testbed, so that it can be tested under real operating conditions, e.g. in VoIP, video conferencing, IPTV, presence and push-to-talk scenarios.
With the emergence of mobile multimedia services, such as unified messaging, click to dial, cross-network multiparty conferencing and seamless multimedia streaming services, fixed–mobile convergence and voice–data integration have started, leading to an overall Internet–Telecommunications merger. The IP Multimedia Subsystem (IMS) is considered the next-generation service delivery platform in the converged communication world. It consists of a modular design with open interfaces and provides the flexibility to offer multimedia services over IP technology.
In parallel, this open, emerging technology faces security challenges from multiple communication platforms and protocols like IP, the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) Framework is to study the potential attacks and security threats to the IP Multimedia Subsystem (IMS) and to explore the security solutions developed by IETF, 3GPP and TISPAN. This research work incorporates these solutions into the SSP Framework to secure IMS and the next-generation Service Delivery Platform (SDP). We define this part as level 1 security protection, which includes user and network authentication, authorization to access multimedia services, and confidentiality and integrity protection against eavesdropping, session hijacking, man-in-the-middle attacks etc. In the next step, we have investigated the limitations of and improvements to level 1 security and proposed the enhancement and extension as level 2 security by developing an Intrusion Detection and Prevention (IDP) system against Denial-of-Service (DoS)/Distributed DoS (DDoS) flooding attacks, misuse and fraud in IMS-based networks. These security threats have recently been identified by 3GPP and TISPAN, but no solution has been recommended or developed. Therefore our solution may be considered as a recommendation in the future. Our approach is based on developing both a stateless and a stateful intrusion detection and prevention system. From the development point of view, we have divided the work into two modules: the first module is IDP-Core, addressing and mitigating the flooding attacks in the IMS core. Its objective is to protect the IMS resources and IMS-core entities from DoS/DDoS flooding attacks. This module is based on an online stateless detection methodology and activates when the CPU processing load of the P-CSCF (Proxy-Call State Control Function) reaches or crosses the defined threshold.
The second module is IDP-AS, addressing and mitigating the misuse attacks facing IMS Application Servers (AS). Its focus is to secure the ISC interface between the IMS Core and the Application Servers. This module is based on a stateful misuse detection methodology: it creates and compares the user state (partner) while he/she is communicating with the application server, to check against the attack rules whether the user is performing a legitimate or illegitimate action. The IDP-AS also compares the incoming requests and outgoing responses to and from IMS Application Servers with the defined attack rules. In the performance analysis, the processing delay and attack detection accuracy of both Intrusion Detection and Prevention (IDP) modules have been measured at the Fraunhofer FOKUS IMS Testbed, which is developed for research purposes. The performance evaluation is based on normal-load and overload scenarios. The results showed that the processing delay introduced by both IDP modules satisfied the standard requirements and did not cause retransmission of SIP REGISTER and INVITE requests. The developed prototype is in the testing phase at the Fraunhofer FOKUS 3Gb Testbed for evaluation in real-world communication scenarios like VoIP, video conferencing, IPTV, presence, push-to-talk etc.

    A Machine Learning Approach for Prediction of Signaling SIP Dialogs

    POCI-01-0145-FEDER-030433 LISBOA-01-0145-FEDER-0307095 UIDB/EEA/50008/2020
In this paper, we propose a machine learning methodology for the prediction of signaling sessions established with the Session Initiation Protocol (SIP). Given the increasing importance of predicting and detecting abnormal sequences of SIP messages to avoid SIP signaling-based attacks, we first propose a Bayesian inference method capable of representing the statistical relation between a SIP message, observed by a SIP user agent or a SIP server, and prior trustworthy SIP dialogs. The Bayesian inference method, a Hidden Markov Model (HMM) enriched with n-gram Markov observations, is updated over time, so the inference can be used in real time. The HMM is then used for predicting and detecting SIP dialogs through a lightweight implementation of the Viterbi algorithm for sparse state spaces. Experimental results are also reported, where a SIP dataset representing prior information collected by a SIP user agent and/or a SIP server is used to predict or detect whether a received sequence of SIP messages is legitimate according to similar SIP dialogs already observed. Finally, we discuss the results obtained for a dataset of abnormal SIP sequences, not observed during the inference stage, showing the effective utility of the proposed methodology to detect abnormal SIP sequences in a short period of time.

    Security Enhancements in Voice over IP Networks

    Voice delivery over IP networks, including VoIP (Voice over IP) and VoLTE (Voice over LTE), is emerging as the alternative to the conventional public telephony networks. With the growing number of subscribers and the global integration of 4/5G by operators, VoIP/VoLTE as the only option for voice delivery becomes an attractive target to be abused and exploited by malicious attackers. This dissertation aims to address some of the security challenges in VoIP/VoLTE. When we examine past events to identify trends and changes in attacking strategies, we find that spam calls, caller-ID spoofing, and DoS attacks are the most imminent threats to VoIP deployments. Compared to email spam, voice spam will be a much more obnoxious and time-consuming nuisance for human subscribers to filter out. Since the threat of voice spam could become as serious as email spam, we first focus on spam detection and propose a content-based approach to protect telephone subscribers' voice mailboxes from voice spam. Caller-ID has long been used to let the callee parties know who is calling, to verify the caller's identity for authentication and the caller's physical location for emergency services. VoIP and other packet-switched networks such as the all-IP Long Term Evolution (LTE) network provide flexibility that lets subscribers use an arbitrary caller-ID. Moreover, interconnection between IP telephony and other Circuit-Switched (CS) legacy telephone networks has also weakened the security of caller-ID systems. We observe that determining the true identity of a calling device helps us in preventing many VoIP attacks, such as caller-ID spoofing, spamming and call flooding attacks. This motivates us to take a very different approach to the VoIP problems and attempt to answer a fundamental question: is it possible to know the type of device a subscriber uses to originate a call?
By exploiting the impreciseness of the codec sampling rate in the caller's RTP streams, we propose a fuzzy rule-based system to remotely identify calling devices. Finally, we propose a caller-ID based public key infrastructure for VoIP and VoLTE that provides signature generation at the calling party side as well as signature verification at the callee party side. The proposed signature can be used as caller-ID trust to prevent caller-ID spoofing and unsolicited calls. Our approach is based on identity-based cryptography, and it also leverages the Domain Name System (DNS) and proxy servers in the VoIP architecture, as well as the Home Subscriber Server (HSS) and Call Session Control Function (CSCF) in the IP Multimedia Subsystem (IMS) architecture. Using OPNET, we then develop a comprehensive simulation testbed for the evaluation of our proposed infrastructure. Our simulation results show that the average call setup delays induced by our infrastructure are hardly noticeable by telephony subscribers and the extra signaling overhead is negligible. Therefore, our proposed infrastructure can be adopted to widely verify caller-ID in telephony networks.

    Detection of Abnormal SIP Signaling Patterns: A Deep Learning Comparison

    UIDB/50008/2020
This paper investigates the detection of abnormal sequences of signaling packets purposely generated to perpetuate signaling-based attacks in computer networks. The problem is studied for the Session Initiation Protocol (SIP) using a dataset of signaling packets exchanged by multiple end-users. A sequence of SIP messages never observed before can indicate possible exploitation of a vulnerability, and its detection or prediction is of high importance to avoid security attacks due to unknown abnormal SIP dialogs. The paper starts by briefly characterizing the adopted dataset and introduces multiple definitions to detail how the deep learning-based approach is adopted to detect possible attacks. The proposed solution is based on a convolutional neural network capable of exploring the definition of an orthogonal space representing the SIP dialogs. The space is then used to train the neural network model to classify the type of SIP dialog according to a sequence of previously observed SIP packets. The classifier of unknown SIP dialogs relies on the statistical properties of the supervised learning of known SIP dialogs. Experimental results are presented to assess the solution in terms of SIP dialog prediction, unknown SIP dialog detection, and computational performance, demonstrating the usefulness of the proposed methodology to rapidly detect signaling-based attacks.

    Abnormal Signaling SIP Dialogs Detection based on Deep Learning

    Funding Information:
V. CONCLUSIONS: This work proposed four classification models based on LSTM RNNs to classify SIP dialogs. The detection probability was evaluated based on experimental data. To detect abnormal SIP dialogs, we have adopted classification features computed from the output of the LSTM RNN model, and two different classification schemes were proposed. A semi-supervised scheme is shown to reach higher performance, achieving a detection probability of 99.45%, thus confirming the effective utility of the proposed methodology to detect abnormal SIP sequences in a short period of time.
ACKNOWLEDGEMENTS: This work was funded by Fundação para a Ciência e Tecnologia, under the projects InfoCent-IoT (PTDC/EEI-TEL/30433/2017), CoSHARE (PTDC/EEI-TEL/30709/2017), and RFSense (UIDB/50008/2020).
The detection of abnormal sequences of SIP messages in real time is crucial to avoid SIP signaling-based attacks. In this paper, we propose a deep learning approach to detect signaling patterns of multimedia sessions established with the Session Initiation Protocol (SIP). The approach is based on a recurrent neural network (RNN). We study the performance of different Long Short-Term Memory (LSTM) RNN architectures, which are trained using a SIP signaling dataset of trustworthy SIP dialogs captured by a SIP server. The trained RNNs are then used to detect the SIP dialogs in real time. After characterizing the dataset adopted for training, validation, and testing, we present the experimental results obtained for the different RNN architectures, showing that the classification probability of trustworthy SIP dialogs exceeds 93% in the test stage. Finally, we present two methodologies to detect abnormal SIP dialogs, i.e., dialogs not contained in the trustworthy training dataset. After a detailed analysis of the skewness and kurtosis computed from the numerical RNN outputs, we show that they can be used as classification features.
The first method is based on a K-means unsupervised classifier, while the second one is based on a semi-supervised threshold-based classifier. Experimental results show that the threshold-based classifier achieves a detection probability of 99.45%, showing the effective utility of the proposed methodology to detect abnormal SIP sequences in a short period of time.

    Analysis of the effectiveness of IMS-AKA authentication and access control as a mechanism for protecting the integrity and confidentiality of information in IP-based services

    Next generation networks (NGN) are currently regarded as secure and reliable networks with integration and multi-service capability. The NGN architecture is described by a set of specifications over the Internet Protocol (IP) known as the IP Multimedia Subsystem (IMS). Nevertheless, this protocol has had security difficulties, which reduces the reliability of NGNs; among the protocols most used to reduce security problems is the authentication and initial key agreement (AKA), which has become a protocol in constant evolution to reduce emerging or inherent security problems in the IMS. This monograph analyzes the effectiveness of IMS-AKA authentication and access control as a mechanism for protecting the integrity and confidentiality of information in IP-based services. To this end, the IMS-AKA architecture and its security features for secure access were identified. Second, the different security mechanisms used by IMS-AKA for authentication and access control in IP-based services were examined; third, the authentication and access control errors or failures related to the IMS-AKA security configuration were established; and finally, the security association configuration procedures that influence its effectiveness as a mechanism for protecting the integrity and confidentiality of information in IP-based services were determined.
It is concluded that most aspects of the information security of next generation networks are in constant evolution and change and that these networks are more vulnerable to attacks; it is recommended to apply configuration procedures that take corporate prevention aspects into account.
New generation networks (NGN) are currently considered safe and reliable networks with integration and multi-service capacity. The NGN architecture is described under a set of specifications through the Internet Protocol (IP) known as the IP Multimedia Subsystem (IMS). However, this protocol has had security difficulties, which reduces the reliability of the NGN; among the most used protocols to reduce security problems is the initial key and authentication agreement (AKA), which is configured as a protocol in constant evolution to reduce emerging or inherent security problems in the IMS. This monograph aims to analyze the effectiveness of IMS-AKA authentication and access control as a protection mechanism for the integrity and confidentiality of information in IP-based services. To accomplish this, the IMS-AKA architecture and its security features for secure access were identified. Second, the different security mechanisms used by IMS-AKA for authentication and access control in IP-based services were examined; third, the authentication and access control errors or failures related to the IMS-AKA security configuration were established; and finally, the security association configuration procedures that influence its effectiveness as a mechanism for protecting the integrity and confidentiality of information in IP-based services were determined. It is concluded that most of the aspects within the computer security of the new generation networks are in constant evolution and change and that these are more vulnerable to attacks; it is recommended to exercise configuration procedures that take into account corporate aspects of prevention.

    Classification of Abnormal Signaling SIP Dialogs through Deep Learning

    POCI-01-0145-FEDER-030433 UIDB/50008/2020 PRT/BD/152200/2021
Due to the high utilization of the Session Initiation Protocol (SIP) in the signaling of cellular networks and voice over IP multimedia systems, the avoidance of security vulnerabilities in SIP systems is a major aspect in assuring that operators can reach satisfactory readiness levels of service. This work is focused on the detection and prediction of abnormal signaling SIP dialogs as they evolve. Abnormal dialogs include two classes: the ones observed so far and thus labeled as abnormal and already known, but also the unknown ones, i.e., specific sequences of SIP messages never observed before. Taking advantage of recent advances in deep learning, we use Long Short-Term Memory (LSTM) recurrent neural networks (RNNs) to detect and predict dialogs already observed. Additionally, and based on the outputs of the LSTM neural network, we propose two different classifiers capable of identifying unknown SIP dialogs, given the high level of vulnerability they may represent for the SIP operation. The proposed approaches achieve higher SIP dialog detection scores in a shorter time when compared to a reference probabilistic approach. Moreover, the proposed detectors of unknown SIP dialogs achieve a detection probability above 94%, indicating their capability to detect a significant number of unknown SIP dialogs in a short amount of time.

    INSTANT MESSAGING SPAM DETECTION IN LONG TERM EVOLUTION NETWORKS

    The lack of efficient spam detection modules for packet data communication is resulting in increased threat exposure for telecommunication network users and service providers. In this thesis, we propose a novel approach to classify spam at the server side by intercepting packet-data communication among instant messaging applications. Spam detection is performed using machine learning techniques on packet headers and contents (if unencrypted) in two different phases: offline training and online classification. The contribution of this study is threefold. First, it identifies the scope of deploying a spam detection module in a state-of-the-art telecommunication architecture. Second, it compares the usefulness of various existing machine learning algorithms in order to intercept and classify data packets in the near real-time communication of instant messengers. Finally, it evaluates the accuracy and classification time of spam detection using our approach in a simulated environment of continuous packet data communication. Our research results are mainly generated by executing instances of a peer-to-peer instant messaging application prototype within a simulated Long Term Evolution (LTE) telecommunication network environment. This prototype is modeled and executed using OPNET network modeling and simulation tools. The research produces considerable knowledge on addressing unsolicited packet monitoring in instant messaging and similar applications.