20 research outputs found

    New Approaches to Mitigation of Malicious Traffic in VoIP Networks

    Voice over IP (VoIP) telephony is becoming widespread in use, and is often integrated into computer networks. Because of this, malicious software threatens VoIP systems in the same way that traditional computer systems have been attacked by viruses, worms, and other automated agents. VoIP networks are a challenge to secure against such malware because much of the network intelligence is concentrated in the edge devices and the access environment. This paper describes the design and implementation of a novel VoIP security architecture in which the evaluation of, and mitigation against, malicious traffic is demonstrated by using virtual machines to emulate vulnerable clients and servers exposed to apparent attack vectors. This new architecture, which is part of an ongoing research project, establishes interaction between the VoIP back-end and the end users, thus providing users with information about ongoing and previously unknown attacks.

    Artemisa: an Open-Source Honeypot Back-end to Support Security in VoIP Domains

    Voice over IP (VoIP) and the Session Initiation Protocol (SIP) are establishing themselves as strong players in the field of multimedia communications over IP, driven by low-cost services and easy management. Nevertheless, the security aspects are not yet fully mastered. In this paper we present an open-source implementation of a SIP-specific VoIP honeypot named Artemisa. The honeypot is designed to connect to a VoIP enterprise domain as a back-end user agent in order to detect malicious activity at an early stage. Moreover, the honeypot can play a role in the real-time adjustment of the security policies of the enterprise domain where it is deployed. With this contribution we aim to encourage the large-scale deployment of such honeypots and the collection of attack traces. We test the capacity of the honeypot to handle a series of known SIP attacks and present results from diverse scenarios.

    Classifier Detecting Attacks in VoIP Infrastructure

    The bachelor's thesis deals with building a classifier that detects attacks in a VoIP infrastructure. The first part of the thesis gives a theoretical analysis of VoIP security, covering possible attacks and the defences against them. The second part focuses on honeypots: their types, the differences between them and their properties. The third part deals with recognising attacks using a decision tree designed in Matlab and also using the WEKA tool, both applied to data from real traffic.

    The bachelor's thesis aims to create a classifier for detecting attacks in the VoIP infrastructure. In the first part of the thesis, the security of VoIP and potential threats with their corresponding defences are discussed. The second part deals with honeypots, particularly with their attributes, types and the differences among them. The third part of the thesis discusses recognising threats using a decision tree that has been designed in Matlab and another tool called WEKA, both applied to real traffic data.

    Managing Risks at Runtime in VoIP Networks and Services

    IP telephony is less confined than traditional PSTN telephony. As a consequence, it is more exposed to security attacks. These attacks are either specific to VoIP protocols, such as SPIT, or inherited from the IP layer, such as ARP poisoning. Protection mechanisms are often available, but they may seriously impact the quality of service of such critical environments. We propose to exploit and automate risk management methods and techniques for VoIP infrastructures. Our objective is to dynamically adapt the exposure of a VoIP network with regard to the attack potential while minimising the impact on the service. This paper describes the challenges of risk management for VoIP, our runtime strategy for assessing and treating risks, preliminary results based on Monte Carlo simulations, and future work.

    ASAP: Automatic semantics-aware analysis of network payloads

    Automatic inspection of network payloads is a prerequisite for effective analysis of network communication. Security research has largely focused on network analysis using protocol specifications, for example for intrusion detection, fuzz testing and forensic analysis. The specification of a protocol alone, however, is often not sufficient for accurate analysis of communication, as it fails to reflect the individual semantics of network applications. We propose a framework for semantics-aware analysis of network payloads which automatically extracts semantic components from recorded network traffic. Our method proceeds by mapping network payloads to a vector space and identifying semantic templates corresponding to base directions in that vector space. We demonstrate the efficacy of semantics-aware analysis in different security applications: automatic discovery of patterns in honeypot data, analysis of malware communication, and network intrusion detection.

    Distributed System for Attack Classification in VoIP Infrastructure Based on SIP Protocol

    The dissertation focuses on machine learning methods for classifying SIP attacks. Data on VoIP attacks are gathered by a distributed network of detection probes running honeypot applications. The captured attacks are then processed by the centralised expert system Beekeeper. This system transforms the data and classifies them with machine learning algorithms. In the thesis I examine various types of these algorithms, using both unsupervised and supervised learning, with an MLP neural network achieving the best classification results. This neural network is described in more detail and tested in various configurations and settings. The final implementation also includes accuracy-improving techniques that existing implementations do not use. The thesis introduces the reader to the SIP protocol, VoIP attacks and the current state of the art in detecting such attacks. The proposed solution relies on deploying the Beekeeper expert system together with a distributed network of detection probes. The Beekeeper concept has a modular design, with modules for data aggregation and cleaning, attack analysis and evaluation, monitoring of the state of individual probes, a web interface for communicating with users, and so on. The diversity and wide range of available probes allow them to be deployed easily in the target network, while the evaluation of unwanted traffic is performed autonomously by Beekeeper. Thanks to the modular architecture, however, the system's function need not be limited to attack detection. The reliability and accuracy of attack classification by the neural network were verified by comparison with other machine learning algorithms, and the advantages of the model were described.

    The dissertation thesis focuses on machine learning methods for SIP attack classification. VoIP attacks are gathered with various types of detection nodes through a set of honeypot applications. The data uncovered by the different nodes are collected by the centralised expert system Beekeeper. The system transforms the attacks into a database and classifies them with machine learning algorithms. The thesis covers various supervised and unsupervised algorithms, but the best results and highest classification accuracy are achieved by an MLP neural network. The neural network model is closely described and tested under varying conditions and settings. The final neural network implementation contains the latest improvements for enhancing the MLP accuracy. The thesis familiarises the reader with the SIP protocol, VoIP attacks and the current state-of-the-art methods for attack detection and mitigation. I propose the concept of a centralised expert system with distributed detection nodes. This concept also provides techniques for attack aggregation, data cleaning, node state monitoring, an analysis module, a web interface and so on. The expert system Beekeeper is a modular system for attack classification and evaluation. Various detection nodes enable easy deployment in the target network by the administrator, while Beekeeper interprets the malicious traffic on the node. But the general nature and modularity of the expert system Beekeeper allow it to be used in other cases as well. The reliability and accuracy of the neural network model are verified and compared with other machine learning algorithms available nowadays. The benefits of the proposed model are highlighted.

    Towards a Forensic Analysis for Multimedia Communication Services

    No matter how robust the employed security mechanisms are, malicious users or attackers will always find a way to bypass them. In addition, the National Institute of Security and Technology mentions that "In conjunction with appropriate tools and procedures, audit trail can assist in detecting security violation and flaws in applications". Until now, in Multimedia Communication Services (MCS) such as Voice over IP, audit trails have not been utilised in security audits due to (a) the lack of appropriate analysis tools and (b) privacy restrictions. In this paper we report on the analysis of MCS audit trails by employing a novel method for identifying "uncommon" traffic indicating non-normal behaviour, without violating users' privacy. We rely on entropy theory and the notion of "itself information" to quantify the randomness of specific message segments, and we also introduce the term "actual itself information" for assessing the randomness of an entire message. To protect users' privacy we hash the audit trail's data. To evaluate the applicability of our proposed method we utilise an audit trail of a real MCS provider published by a honeypot project. Initial outcomes show the feasibility of employing such a method to recognise "uncommon" traffic recorded in an MCS audit trail.

    Risk Management in VoIP Infrastructures using Support Vector Machines

    Telephony over IP is exposed to multiple security threats. Conventional protection mechanisms do not fit the highly dynamic, open and large-scale settings of VoIP infrastructures, and may significantly impact the performance of such a critical service. In this paper we propose a runtime risk management strategy based on anomaly detection techniques for continuously adapting the exposure of the VoIP service. This solution relies on support vector machines (SVM) and exploits dynamic security safeguards to reduce risks in a progressive manner. We describe how SVM parameters can be integrated into a runtime risk model, and show how this framework can be deployed on an Asterisk VoIP server. We evaluate the benefits and limits of our solution through a prototype and an extensive set of experimental results.