1,316 research outputs found

    Security Enhancements in Voice Over Ip Networks

    Voice delivery over IP networks including VoIP (Voice over IP) and VoLTE (Voice over LTE) are emerging as the alternatives to the conventional public telephony networks. With the growing number of subscribers and the global integration of 4/5G by operations, VoIP/VoLTE as the only option for voice delivery becomes an attractive target to be abused and exploited by malicious attackers. This dissertation aims to address some of the security challenges in VoIP/VoLTE. When we examine the past events to identify trends and changes in attacking strategies, we find that spam calls, caller-ID spoofing, and DoS attacks are the most imminent threats to VoIP deployments. Compared to email spam, voice spam will be much more obnoxious and time consuming nuisance for human subscribers to filter out. Since the threat of voice spam could become as serious as email spam, we first focus on spam detection and propose a content-based approach to protect telephone subscribers' voice mailboxes from voice spam. Caller-ID has long been used to enable the callee parties know who is calling, verify his identity for authentication and his physical location for emergency services. VoIP and other packet switched networks such as all-IP Long Term Evolution (LTE) network provide flexibility that helps subscribers to use arbitrary caller-ID. Moreover, interconnecting between IP telephony and other Circuit-Switched (CS) legacy telephone networks has also weakened the security of caller-ID systems. We observe that the determination of true identity of a calling device helps us in preventing many VoIP attacks, such as caller-ID spoofing, spamming and call flooding attacks. This motivates us to take a very different approach to the VoIP problems and attempt to answer a fundamental question: is it possible to know the type of a device a subscriber uses to originate a call?
By exploiting the impreciseness of the codec sampling rate in the caller's RTP streams, we propose a fuzzy rule-based system to remotely identify calling devices. Finally, we propose a caller-ID based public key infrastructure for VoIP and VoLTE that provides signature generation at the calling party side as well as signature verification at the callee party side. The proposed signature can be used as caller-ID trust to prevent caller-ID spoofing and unsolicited calls. Our approach is based on the identity-based cryptography, and it also leverages the Domain Name System (DNS) and proxy servers in the VoIP architecture, as well as the Home Subscriber Server (HSS) and Call Session Control Function (CSCF) in the IP Multimedia Subsystem (IMS) architecture. Using OPNET, we then develop a comprehensive simulation testbed for the evaluation of our proposed infrastructure. Our simulation results show that the average call setup delays induced by our infrastructure are hardly noticeable by telephony subscribers and the extra signaling overhead is negligible. Therefore, our proposed infrastructure can be adopted to widely verify caller-ID in telephony networks

    Making the Distribution Subsystem Secure

    This report presents how the Distribution Subsystem is made secure. A set of different security threats to a shared data programming system are identified. The report presents the extensions necessary to the DSS in order to cope with the identified security threats by maintaining reference security. A reference to a shared data structure cannot be forged or guessed; only by proper delegation can a thread acquire access to data originating at remote processes. Referential security is a requirement for secure distributed applications. By programmatically restricting access to distributed data to trusted nodes, a distributed application can be made secure. However, for this to be true, referential security must be supported on the level of the implementation

    The flask security architecture: system support for diverse security policies

    Technical report. Operating systems must be flexible in their support for security policies, i.e., the operating system must provide sufficient mechanisms for supporting the wide variety of real-world security policies. Systems claiming to provide this support have failed to do so in two ways: they either fail to provide sufficient control over the propagation of access rights, or they fail to provide enforcement mechanisms to support fine-grained control and dynamic security policies. In this paper we present an operating systems security architecture that solves both of these problems. The first problem is solved by ensuring that the security policy (through a consistent replica) is consulted for every security decision. The second problem is solved through mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernel-based OS, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture's performance impact is modest. Moreover, our architecture is applicable to many other types of operating systems and environments

    Enhancing User Authentication with Facial Recognition and Feature-Based Credentials

    This research proposes a novel and trustworthy user authentication method that creates individualized and trusted credentials based on distinctive facial traits using facial recognition technology. The ability to easily validate user identification across various login methods is provided by this feature. The fundamental elements of this system are face recognition, feature extraction, and the hashing of characteristics to produce usernames and passwords. This method makes use of the OpenCV library, which is free software for computer vision. Additionally, it employs Hashlib for secure hashing and Image-based Deep Learning for Identification (IDLI) technology to extract facial tags. For increased security and dependability, the system mandates a maximum of ten characters for users and passwords. By imposing this restriction, the system increases its resilience by reducing any possible weaknesses in its defense. The policy also generates certificates that are neatly arranged in an Excel file for easy access and management. To improve user data and provide reliable biometric authentication, this study intends to create and implement a recognition system that incorporates cutting-edge approaches such as face feature extraction, feature hashing, and password creation. Additionally, the system has robust security features using face recognition

    Heartland Payment Systems: lessons learned from a data breach

    On August 13, 2009, the Payment Cards Center hosted a workshop examining the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS or Heartland), Robert (Bob) Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event. The former director of the Payment Cards Center, Peter Burns, who is acting as a senior payments advisor to HPS, also joined the discussion to outline Heartland's post-breach efforts aimed at improving information sharing and data security within the consumer payments industry. In conclusion, Carr introduced several technology solutions that are under discussion in payment security circles as ways to better secure payment card data as they move among the different parties in the card payment systems: end-to-end encryption, tokenization, and chip technology. While HPS has been very supportive of end-to-end encryption, each of these alternatives offers its own set of advantages and disadvantages. Payment systems; Data protection; Electronic commerce

    A survey of distributed certificate authorities in MANETs

    A Certificate Authority (CA) provides the critical authentication and security services for Public Key Infrastructure (PKI) which are used for the Internet and wired networks. In MANETs (wireless and ad hoc) there is an inability to offer a centralized CA to provide these security services. Recent research has looked to facilitate the use of CAs within MANETs through the use of a Distributed Certificate Authority (DCA) for wireless and ad hoc networks. This paper presents a number of different types of DCA protocols and categorizes them into groups based on their factors and specifications. The paper concludes by proposing the best DCA security services in terms of performance and level of security

    Enhancements to the XNS authentication-by-proxy model

    Authentication is the secure network architecture mechanism by which a pair of suspicious principals communicating over presumably unsecure channels assure themselves that each is that whom it claims to be. The Xerox Network Systems architecture proposes one such authentication scheme. This thesis examines the system consequences of the XNS model's unique proxy variant, by which a principal may temporarily commission a second network entity to assume its identity as a means of authority transfer. Specific attendant system failure modes are highlighted. The student's associated original contributions include proposed model revisions which rectify authentication shortfalls yet facilitate the temporal authority transfer motivating the proxy model. Consistent with the acknowledgement that no single solution is defensible as best under circumstances of such technical and administrative complexity, three viable such architectures are specified. Finally, the demand for a disciplined agent management mechanism within a distributed system such as XNS is resoundingly affirmed in the course of these first-order pursuits