SecMon: End-to-End Quality and Security Monitoring System

The Voice over Internet Protocol (VoIP) is becoming a more available and popular way of communicating for Internet users. This also applies to Peer-to-Peer (P2P) systems and merging these two have already proven to be successful (e.g. Skype). Even the existing standards of VoIP provide an assurance of security and Quality of Service (QoS), however, these features are usually optional and supported by limited number of implementations. As a result, the lack of mandatory and widely applicable QoS and security guaranties makes the contemporary VoIP systems vulnerable to attacks and network disturbances. In this paper we are facing these issues and propose the SecMon system, which simultaneously provides a lightweight security mechanism and improves quality parameters of the call. SecMon is intended specially for VoIP service over P2P networks and its main advantage is that it provides authentication, data integrity services, adaptive QoS and (D)DoS attack detection. Moreover, the SecMon approach represents a low-bandwidth consumption solution that is transparent to the users and possesses a self-organizing capability. The above-mentioned features are accomplished mainly by utilizing two information hiding techniques: digital audio watermarking and network steganography. These techniques are used to create covert channels that serve as transport channels for lightweight QoS measurement's results. Furthermore, these metrics are aggregated in a reputation system that enables best route path selection in the P2P network. The reputation system helps also to mitigate (D)DoS attacks, maximize performance and increase transmission efficiency in the network.Comment: Paper was presented at 7th international conference IBIZA 2008: On Computer Science - Research And Applications, Poland, Kazimierz Dolny 31.01-2.02 2008; 14 pages, 5 figure

A Comprehensive Survey of Voice over IP Security Research

We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significant more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems

Agent based infrastructure for real-time applications

In this paper we propose a new infrastructure for real-time applications. As a preliminary, we describe basic characteristics of the most popular real-time services like VoIP, videoconferencing, live media streaming, and network multiplayer games. We focus on the end-to-end latency, bandwidth and efficient transmission methods. Next, we present our project concepts, infrastructure model, details of implementation and our testing environment which was designed for testing many aspects of real-time services. The system combines mechanisms for ensuring best possible connection quality (QoS), load balance of servers in infrastructure and gives control over the packet routing decisions. Additionally, provided security mechanisms make it a good choice even in the environment where a high security level is required. The system is based on the Peer-to-Peer (P2P) model and data between users is routed over an overlay network, consisting of all participating peers as network nodes. This overlay can by used for application level multicast or live media stream. In the logging process each user is assigned to a specific node (based on his geographic location and nodes load). Because nodes are participating in data transmission, we have control over the data flow route. It is possible to specify the desired route, so, regardless of the external routing protocol, we can avoid paths that are susceptible to eavesdropping. Another feature of the presented system is usage of agents. Each agent acts within the single node. Its main task is to constantly control the quality of transmission. It analyzes such parameters like link bandwidth use, number of lost packets, time interval between each packet etc. The information collected by the agents from all nodes allows to build a dynamic routing table. Every node uses the Dijkstra's algorithm to find the best at the moment route to all other nodes. The routes are constantly modified as a consequence of changes found by agents or updates sent by other nodes. In VoD services agents also analyze popularity of streamed media, which helps build intelligent video cache. To ensure greater security and high reliability of the system, we have provided a reputation mechanism. It is used during bringing up to date the information about possible routes and their quality, given by other nodes. Owing to this solution nodes and routes which are more reliable get higher priority

Detecting and Mitigating Denial-of-Service Attacks on Voice over IP Networks

Voice over IP (VoIP) is more susceptible to Denial of Service attacks than traditional data traffic, due to the former's low tolerance to delay and jitter. We describe the design of our VoIP Vulnerability Assessment Tool (VVAT) with which we demonstrate vulnerabilities to DoS attacks inherent in many of the popular VoIP applications available today. In our threat model we assume an adversary who is not a network administrator, nor has direct control of the channel and key VoIP elements. His aim is to degrade his victim's QoS without giving away his presence by making his attack look like a normal network degradation. Even black-boxed, applications like Skype that use proprietary protocols show poor performance under specially crafted DoS attacks to its media stream. Finally we show how securing Skype relays not only preserves many of its useful features such as seamless traversal of firewalls but also protects its users from DoS attacks such as recording of conversations and disruption of voice quality. We also present our experiences using virtualization to protect VoIP applications from 'insider attacks'. Our contribution is two fold we: 1) Outline a threat model for VoIP, incorporating our attack models in an open-source network simulator/emulator allowing VoIP vendors to check their software for vulnerabilities in a controlled environment before releasing it. 2) We present two promising approaches for protecting the confidentiality, availability and authentication of VoIP Services

SecMon: end-to-end quality and security monitoring system

The Voice over Internet Protocol (VoIP) is becoming a more available and popular way of communication for the Internet users. This also applies to the Peer-to-Peer (P2P) systems and merging these two have already proven to be successful (e.g. Skype). Even the existing standards of VoIP provide an assurance of security and Quality of Service (QoS), however, these features are usually optional and supported by a limited number of implementations. As a result, the lack of mandatory and widely applicable QoS and security guarantee makes the contemporary VoIP systems vulnerable to attacks and network disturbances. In this paper we are facing these issues and propose the SecMon system, which simultaneously provides a lightweight security mechanism and improves quality parameters of the call. SecMon is intended specially for VoIP service over P2P networks and its main advantage is that it provides authentication, data integrity services, adaptive QoS and (D)DoS attack detection. Moreover, the SecMon approach represents a lowbandwidth consumption solution that is transparent to the users and possesses a self-organizing capability. The above-mentioned features are accomplished mainly by utilizing two information hiding techniques: digital audio watermarking and network steganography. These techniques are used to create covert channels that serve as transport channels for lightweight QoS measurement results. Furthermore, these metrics are aggregated in a reputation system that enables best route path selection in the P2P network. The reputation system helps also to mitigate (D)DoS attacks, maximize performance and increase transmission efficiency in the network

Extending AES with DH Key-Exchange to Enhance VoIP Encryption in Mobile Networks

Recently,the evolution and progress have become significant in the field of information technology and mobile technology, especially inSmartphone applications that are currently widely spreading. Due to the huge developments in mobile and smartphone technologies in recent years, more attention is given to voice data transmission such as VoIP (Voice overIP) technologies– e.g. (WhatsApp, Skype, and Face Book Messenger). When using VoIP services over smartphones, there are always security and privacy concerns like the eavesdropping of calls between the communicating parties. Therefore, there is a pressing need to address these risks by enhancing the security level and encryption methods. In this work, we use scheme to encrypt VoIP channels using (128, 192 & 256-bit) enhanced encryption based on the Advanced Encryption Standard (AES) algorithm, by extending it with the well-known Diffie-Hellman (DH) key exchange method. We have performed a series of real tests on the enhanced (AES-DH) algorithm and compared its performance with the generic AES algorithm. The results have shown that we can get a significant increase in the encryption strength at a very small overhead between 4% and 7% of execution timebetween AES and AEScombine withDH for all scenario which was incurred by added time of encryption and decryption. Our approach uses high security and speed and reduces the voice delay.In dealing with sound transfer process via the internet, we use the SIP server to authenticate the communication process between the two parties. The implementation is done on a mobile device (Which is operated by (Android) system) because it has recently been widely used among different people around the world.اصبحت الثورة والتطور كبيرة حديثاً في حقول تكنولوجيا االتصاالت واليواتف النقالة، وخصوصا في تطبيقات اليواتف الذكية التي تنتشر حاليا بشكل واسع. وتم اعطاء المزيد من االىتمام لنقل البيانات الصوتية مثل تكنولوجيا االتصال عبر بروتكول االنترنت، عمى سبيل المثال: )الواتساب، السكايب، الفيس بوك، والماسنجر(. ويعزى ذلك لمتطور الكبير في تكنولوجيا اليواتف النقالة والذكية في السنوات االخيرة. عند استخدام خدمات االتصال عبر بروتكول االنترنت VoIP ،ىناك مخاوف دائمة حول الحماية والخصوصية كالتجسس عمى المكالمات بين جيات االتصال. ولذلك ىنالك حاجة ماسة لمعالجة ىذه المخاطر عن طريق تحسين مستوى الحماية وطرق التشفير. في ىذا العمل، نستخدم/ نجمع بين اثنتين من الخوارزميات لتشفير قنوات االتصال عبر بروتوكول االنترنت )128 ، 192 ،و 256 بت( عبر خوارزمية AESوتمديدىا عبر طريقة تبادل ديفي ىيممان الرئيسية المعروفة. وقمنا باداء العديد من التجارب الحقيقية عمى DH-AES ، وقمنا بمقارنة ادائيا مع اداء خوارزمية معيار التشفير المتقدم العامة. اظيرت النتائج انو بامكاننا الحصول عمى زيادة كبيرة في قوة التشفير بنسبة صغيرة جدا بين 4 %و7 %من وقت التنفيذ بين AESو DH/AES لجميع السيناريو والتي تم تكبدىا من قبل الوقت المضاف لمتشفير وفك التشفير. يستخدم نيجنا درجة عالية من الحماية والسرعة ويقمل من تأخير الصوت، ونستخدم في التعامل مع عممية نقل الصوت عبر االنترنت Server SIPلتوثيق عممية االتصال بين الجيتين. وتم التنفيذ عمى ىاتف نقال يعمل عمى نظام اندرويد؛ النو استخدم بشكل واسع مؤخرا بين مختمف الناس حول العالم

Security in peer-to-peer communication systems

P2PSIP (Peer-to-Peer Session Initiation Protocol) is a protocol developed by the IETF (Internet Engineering Task Force) for the establishment, completion and modi¿cation of communication sessions that emerges as a complement to SIP (Session Initiation Protocol) in environments where the original SIP protocol may fail for technical, ¿nancial, security, or social reasons. In order to do so, P2PSIP systems replace all the architecture of servers of the original SIP systems used for the registration and location of users, by a structured P2P network that distributes these functions among all the user agents that are part of the system. This new architecture, as with any emerging system, presents a completely new security problematic which analysis, subject of this thesis, is of crucial importance for its secure development and future standardization. Starting with a study of the state of the art in network security and continuing with more speci¿c systems such as SIP and P2P, we identify the most important security services within the architecture of a P2PSIP communication system: access control, bootstrap, routing, storage and communication. Once the security services have been identi¿ed, we conduct an analysis of the attacks that can a¿ect each of them, as well as a study of the existing countermeasures that can be used to prevent or mitigate these attacks. Based on the presented attacks and the weaknesses found in the existing measures to prevent them, we design speci¿c solutions to improve the security of P2PSIP communication systems. To this end, we focus on the service that stands as the cornerstone of P2PSIP communication systems¿ security: access control. Among the new designed solutions stand out: a certi¿cation model based on the segregation of the identity of users and nodes, a model for secure access control for on-the-¿y P2PSIP systems and an authorization framework for P2PSIP systems built on the recently published Internet Attribute Certi¿cate Pro¿le for Authorization. Finally, based on the existing measures and the new solutions designed, we de¿ne a set of security recommendations that should be considered for the design, implementation and maintenance of P2PSIP communication systems.Postprint (published version

Security for Decentralised Service Location - Exemplified with Real-Time Communication Session Establishment

Decentralised Service Location, i.e. finding an application communication endpoint based on a Distributed Hash Table (DHT), is a fairly new concept. The precise security implications of this approach have not been studied in detail. More importantly, a detailed analysis regarding the applicability of existing security solutions to this concept has not been conducted. In many cases existing client-server approaches to security may not be feasible. In addition, to understand the necessity for such an analysis, it is key to acknowledge that Decentralised Service Location has some unique security requirements compared to other P2P applications such as filesharing or live streaming. This thesis concerns the security challenges for Decentralised Service Location. The goals of our work are on the one hand to precisely understand the security requirements and research challenges for Decentralised Service Location, and on the other hand to develop and evaluate corresponding security mechanisms. The thesis is organised as follows. First, fundamentals are explained and the scope of the thesis is defined. Decentralised Service Location is defined and P2PSIP is explained technically as a prototypical example. Then, a security analysis for P2PSIP is presented. Based on this security analysis, security requirements for Decentralised Service Location and the corresponding research challenges -- i.e. security concerns not suitably mitigated by existing solutions -- are derived. Second, several decentralised solutions are presented and evaluated to tackle the security challenges for Decentralised Service Location. We present decentralised algorithms to enable availability of the DHTs lookup service in the presence of adversary nodes. These algorithms are evaluated via simulation and compared to analytical bounds. Further, a cryptographic approach based on self-certifying identities is illustrated and discussed. This approach enables decentralised integrity protection of location-bindings. Finally, a decentralised approach to assess unknown identities is introduced. The approach is based on a Web-of-Trust model. It is evaluated via prototypical implementation. Finally, the thesis closes with a summary of the main contributions and a discussion of open issues