A method for forensic artifact collection, analysis and incident response in environments running Session Initiation Protocol (SIP) and Session Description protocol

In this paper, we perform an analysis of SIP, a popular voice over IP (VoIP) protocol and propose a framework for capturing and analysing volatile VoIP data in order to determine forensic readiness requirements for effectively identifying an attacker. The analysis was performed on real attack data and the findings were encouraging. It seems that if appropriate forensic readiness processes and controls are in place, a wealth of evidence can be obtained. The type of the end user equipment of the internal users, the private IP, the software that is used can help build a reliable baseline information database. On the other hand the private IP addresses of the potential attacker even during the presence of NAT services, as well as and the attack tools employed by the malicious parties are logged for further analysis

Sending multiple RTP streams in a single RTP session

This memo expands and clarifies the behavior of Real-time Transport Protocol (RTP) endpoints that use multiple synchronization sources (SSRCs). This occurs, for example, when an endpoint sends multiple RTP streams in a single RTP session. This memo updates RFC 3550 with regard to handling multiple SSRCs per endpoint in RTP sessions, with a particular focus on RTP Control Protocol (RTCP) behavior. It also updates RFC 4585 to change and clarify the calculation of the timeout of SSRCs and the inclusion of feedback messages

Serviços multimédia multicast de próxima geração

Mestrado em Engenharia Electrónica e TelecomunicaçõesUma das mais recentes conquistas na evolução móvel foi o 3G, permitindo o acesso a serviços multimédia com qualidade de serviço assegurada. No entanto, a tecnologia UMTS, tal como definida na sua Release ’99, é apenas capaz de transmitir em modo unicast, sendo manifestamente ineficiente para comunicações multimédia almejando grupos de utilizadores. A tecnologia IMS surge na Release 5 do 3GPP que começou a responder já a algumas necessidades, permitindo comunicações sobre IP oferecendo serviços Internet a qualquer momento e em qualquer lugar sobre tecnologias de comunicação móveis fornecendo pela primeira vez sessões multimédia satisfatórias. A Release 6 por sua vez trouxe a tecnologia MBMS que permite transmissões em broadcast e multicast para redes móveis. O MBMS fornece os serviços de aplicações multimédia que todos estavam à espera, tanto para os utilizadores como para os prestadores de serviços. O operador pode agora fazer uso da tecnologia existente aumentando todo o tipo de benefícios no serviço prestado ao cliente. Com a possível integração destas duas tecnologias passa a ser possível desenvolver serviços assentes em redes convergentes em que os conteúdos são entregues usando tecnologias unicast, multicast ou broadcast. Neste contexto, o principal motivo deste trabalho consiste essencialmente em fazer uso dos recursos da rede terminando com o desperdício dos mesmos e aumentando a eficiência dos serviços através da integração das tecnologias IMS e MBMS. O trabalho realizado começa com o estudo do estado da arte das telecomunicações móveis com referência às tecnologias referidas, seguindo-se a apresentação da possível integração IMS-MBMS e terminando com o projecto de uma plataforma de demonstração que no futuro possa ser uma implementação de serviço multimédia multicast. O objectivo principal é mostrar os benefícios de um serviço que era normalmente executado em unicast relativamente ao modo multicast, fazendo uso da nova convergência de tecnologias IMS e MBMS. Na conclusão do trabalho são referidas as vantagens do uso de portadoras multicast e broadcast, tendo como perspectiva de que este trabalho possa ser um ponto de partida para um novo conjunto de serviços poupando recursos de rede e permitindo uma eficiência considerável em serviços inovadores.3G is bang up to date in the mobile phone industry. It allows access to multimedia services and gives a guarantee of quality of service. The UMTS technology, defined in 3GPP Release ’99, provides an unicast transmission, but it is completely inefficient when it comes to multimedia group communications. The IMS technology first appeared in Release 5 that has already started to consider the interests of the clients. It provides communications over IP, offering Internet services anytime, anywhere on mobile communication technologies. Also, it offers for the first time satisfactory multimedia sessions. On the other hand, Release 6 gave rise to the MBMS technology that provides broadcast and multicast transmissions for mobile networks. The MBMS provides multimedia applications services that everyone was waiting, including users and service providers. Now the operator makes use of existing technology in order to provide better costumer services. The possible integration of these two technologies will contribute to develop services based on converged networks in which contents are delivered through the unicast, multicast or broadcast technologies. Therefore, the objective of this work is basically to make use of network resources avoiding wastes and improving customer services through the integration of the IMS and the MBMS technologies. The executed work starts with the mobile telecommunications state of the art with reference to the referred technologies, followed by the IMS-MBMS convergence presentation and finishing with the proposal for implementation of a service platform that can be used for a multimedia multicast service. The main point is to show the benefits of a service that has been normally executed in unicast mode over the multicast mode, making use of the new IMS and MBMS technologies integration. To closure the work it is referred the advantages to use multicast and broadcast bearers, with the perspective that this work could be a starting point to a new set of services, saving network resources and allowing for innovate services a considerable efficency

Unified Description for Network Information Hiding Methods

Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future.Comment: 24 pages, 7 figures, 1 table; currently under revie

An Exploration of covert channels within voice over IP

In the following thesis, an overview of covert channels within Voice over IP is given and then expanded upon by presenting an experiment which proves the ability to hide messages within the Session Initiation Protocol (SIP) and Session Description Protocol (SDP) of a Voice over IP packet. The plain text nature of the SIP and SDP packets allow for an easily embedded message to be encoded into the expected data, while also being hidden in plain sight due to the packet only being sent once per VoIP session. While previous papers [15] have proposed the ability to hide covert messages within the plain text SIP and SDP packets of a VoIP call stream, this thesis is the first to carefully analyze and test the ability to embed data in these packets and send a covert message, based on an agreement between the sending and receiving parties. Results include the success for covert messages to be hidden within the Max-Forwards field, a field used for the total number of hops between sender and receiver, the V field, a field used for the version of SIP being used, the T field, usually used for the time a session becomes active on the sending and receiving ends, and finally the O field which designates the owner the call was originally sent from. This success was met with equal failure of previously proposed abilities to hide messages [15] in the Branch statement, tag field, and Call-ID field. A method for systems administrators or network administrators to detect covert channels coming in over a VoIP enabled network using a simple, modified java based packet capture tool is then presented with the ability to check the Max-Forwards, V, T and O fields, due to their low entropy and easy detectability. Using this method, a discussion is given regarding the detectability of covert channels as compared to previous research papers

Linking session based services with transport plane resources in IP multimedia subsystems.

The massive success and proliferation of Internet technologies has forced network operators to recognise the benefits of an IP-based communications framework. The IP Multimedia Subsystem (IMS) has been proposed as a candidate technology to provide a non-disruptive strategy in the move to all-IP and to facilitate the true convergence of data and real-time multimedia services. Despite the obvious advantages of creating a controlled environment for deploying IP services, and hence increasing the value of the telco bundle, there are several challenges that face IMS deployment. The most critical is that posed by the widespread proliferation ofWeb 2.0 services. This environment is not seen as robust enough to be used by network operators for revenue generating services. However IMS operators will need to justify charging for services that are typically available free of charge in the Internet space. Reliability and guaranteed transport of multimedia services by the efficient management of resources will be critical to differentiate IMS services. This thesis investigates resource management within the IMS framework. The standardisation of NGN/IMS resource management frameworks has been fragmented, resulting in weak functional and interface specifications. To facilitate more coherent, focused research and address interoperability concerns that could hamper deployment, a Common Policy and Charging Control (PCC) architecture is presented that defines a set of generic terms and functional elements. A review of related literature and standardisation reveals severe shortcomings regarding vertical and horizontal coordination of resources in the IMS framework. The deployment of new services should not require QoS standardisation or network upgrade, though in the current architecture advanced multimedia services are not catered for. It has been found that end-to-end QoS mechanisms in the Common PCC framework are elementary. To address these challenges and assist network operators when formulating their iii NGN strategies, this thesis proposes an application driven policy control architecture that incorporates end-user and service requirements into the QoS negotiation procedure. This architecture facilitates full interaction between service control and resource control planes, and between application developers and the policies that govern resource control. Furthermore, a novel, session based end-to-end policy control architecture is proposed to support inter-domain coordination across IMS domains. This architecture uses SIP inherent routing information to discover the routes traversed by the signalling and the associated routes traversed by the media. This mechanism effectively allows applications to issue resource requests from their home domain and enable end-to-end QoS connectivity across all traversed transport segments. Standard interfaces are used and transport plane overhaul is not necessary for this functionality. The Common PCC, application driven and session based end-to-end architectures are implemented in a standards compliant and entirely open source practical testbed. This demonstrates proof of concept and provides a platform for performance evaluations. It has been found that while there is a cost in delay and traffic overhead when implementing the complete architecture, this cost falls within established criteria and will have an acceptable effect on end-user experience. The open nature of the practical testbed ensures that all evaluations are fully reproducible and provides a convenient point of departure for future work. While it is important to leave room for flexibility and vendor innovation, it is critical that the harmonisation of NGN/IMS resource management frameworks takes place and that the architectures proposed in this thesis be further developed and integrated into the single set of specifications. The alternative is general interoperability issues that could render end-to-end QoS provisioning for advanced multimedia services almost impossible