Monitoring SIP traffic using Support Vector Machines
In this paper, we propose a novel online monitoring approach able to distinguish between attacks and normal activity in SIP-based Voice over IP environments. We demonstrate the efficiency of the approach even in the presence of very limited data sets for the learning phase. The solution builds on the monitoring of a set of 38 features in VoIP flows and on Support Vector Machines for the classification part. We validate our proposal through large offline experiments performed over a mix of real-world traces from a large VoIP provider and attacks locally generated on our own testbed. Results show high accuracy in detecting SPIT and flooding attacks, and promising performance for an online deployment is measured.
MAGDA: A Mobile Agent based Grid Architecture
Mobile agents mean both a technology and a programming paradigm. They allow for a flexible approach which can alleviate a number of issues present in distributed and Grid-based systems, by means of features such as migration, cloning, messaging and other provided mechanisms. In this paper we describe an architecture (MAGDA – Mobile Agent based Grid Architecture) we have designed and are currently developing to support the programming and execution of mobile agent based applications upon Grid systems.
A Two-stage Flow-based Intrusion Detection Model For Next-generation Networks
The next-generation network provides state-of-the-art access-independent services over converged mobile and fixed networks. Security in the converged network environment is a major challenge. Traditional packet and protocol-based intrusion detection techniques cannot be used in next-generation networks due to slow throughput, low accuracy and their inability to inspect encrypted payload. An alternative solution for protection of next-generation networks is to use network flow records for detection of malicious activity in the network traffic. The network flow records are independent of access networks and user applications. In this paper, we propose a two-stage flow-based intrusion detection system for next-generation networks. The first stage uses an enhanced unsupervised one-class support vector machine which separates malicious flows from normal network traffic. The second stage uses a self-organizing map which automatically groups malicious flows into different alert clusters. We validated the proposed approach on two flow-based datasets and obtained promising results.
Novel Approach for IP-PBX Denial of Service Intrusion Detection Using Support Vector Machine Algorithm.
Recent trends have revealed that SIP-based IP-PBX DoS attacks contribute to most overall IP-PBX attacks, which results in loss of revenues and quality of service for telecommunication providers. IP-PBXs face challenges in detecting and mitigating malicious traffic. In this research, a Support Vector Machine (SVM) machine learning detection and prevention algorithm was developed to detect this type of attack. Two other techniques were benchmarked: decision tree and Naïve Bayes. The training phase of the machine learning algorithm used a proposed real-time training dataset, benchmarked against two training datasets from CICIDS and NSL-KDD. With the proposed real-time training dataset, the SVM algorithm achieved the highest detection rate of 99.13%, while decision tree and Naïve Bayes had attack detection rates of 93.28% and 86.41%, respectively. For the CICIDS dataset, the SVM algorithm achieved the highest detection rate of 76.47%, while decision tree and Naïve Bayes had detection rates of 63.71% and 41.58%, respectively. Using the NSL-KDD training dataset, SVM achieved 65.17%, while decision tree and Naïve Bayes had detection rates of 51.96% and 38.26%, respectively. The time taken by the algorithms to classify the attack is very important. SVM takes less time (2.9 minutes) to detect attacks, while decision tree and Naïve Bayes take 13.6 minutes and 26.2 minutes, respectively. The proposed SVM algorithm achieved the lowest false negative value (87 messages), while decision table and Naïve Bayes produced 672 and 1359 false negative messages, respectively.
An Event System Architecture for Scaling Scale-Resistant Services
Large organizations are deploying ever-increasing numbers of networked compute devices, from utilities installing smart controllers on electricity distribution cables, to the military giving PDAs to soldiers, to corporations putting PCs on the desks of employees. These computers are often far more capable than is needed to accomplish their primary task, whether it be guarding a circuit breaker, displaying a map, or running a word processor. These devices would be far more useful if they had some awareness of the world around them: a controller that resists tripping a switch, knowing that it would set off a cascade failure; a PDA that warns its owner of imminent danger; a PC that exchanges reports of suspicious network activity with its peers to identify stealthy computer crackers. In order to provide these higher-level services, the devices need a model of their environment. The controller needs a model of the distribution grid, the PDA needs a model of the battlespace, and the PC needs a model of the network and of normal network and user behavior. Unfortunately, not only might models such as these require substantial computational resources, but generating and updating them is even more demanding. Model-building algorithms tend to be bad in three ways: requiring large amounts of CPU and memory to run, needing large amounts of data from the outside to stay up to date, and running so slowly that they can't keep up with any fast changes in the environment that might occur. We can solve these problems by reducing the scope of the model to the immediate locale of the device, since reducing the size of the model makes the problem of model generation much more tractable. But such models are also much less useful, having no knowledge of the wider system. This thesis proposes a better solution to this problem called Level of Detail, after the computer graphics technique of the same name.
Instead of simplifying the representation of distant objects, however, we simplify less-important data. Compute devices in the system receive streams of data that are a mixture of detailed data from devices that directly affect them and data summaries (aggregated data) from less directly influential devices. The degree to which the data is aggregated (i.e., how much it is reduced) is determined by calculating an influence metric between the target device and the remote device. The smart controller thus receives a continuous stream of raw data from the adjacent transformer, but only an occasional small status report summarizing all the equipment in a neighborhood in another part of the city. This thesis describes the data distribution system, the aggregation functions, and the influence metrics that can be used to implement such a system. I also describe my current work towards establishing a test environment and validating the concepts, and describe the next steps in the research plan.