Formal analysis for robust anti-SPIT protection using model checking

Anti-SPIT policies counter the SPam over Internet Telephony (SPIT) by distinguishing bots launching unsolicited bulks of VoIP calls from human beings. We propose an Anti-SPIT Policy Management mechanism (aSPM) that detects spam calls and prevents VoIP session establishment by the Session Initiation Protocol (SIP). The SPIN model checker is used to formally model and analyze the robustness of the aSPM mechanism in execution scenarios with parallel SIP sessions. In case of a possible design flaw, the model checker provides a trace of the caught unexpected behavior (counterexample), that can be used for the revision of the mechanism’s design. Our SPIN model is parameterized, based on measurements from experiments with VoIP users. Non-determinism plays a key role in representing all possible anti-SPIT policy decisions, in terms of the SIP messages that may be exchanged. The model checking results provide evidence for the timeliness of the parallel SIP sessions, the absence of deadlocks or livelocks, and the fairness for the VoIP service users. These findings ensure robust anti-SPIT protection, meaning that the aSPM mechanism operates as expected, despite the occurrence of random SPIT calls and communication error messages. To the best of our knowledge, this is the first analysis for exhaustively searching security policy flaws, due to complex interactions between anti-SPIT measures and the SIP protocol services.     

Robust smart card secured authentication scheme on SIP using Elliptic Curve Cryptography

Recently, Voice over Internet Protocol (VoIP) has been one of the more popular applications in Internet technology. For VoIP and other IP applications, issues surrounding Session Initiation Protocol (SIP) have received significant attention. SIP is a widely used signaling protocol and is capable of operating on Internet Telephony, typically using Hyper Text Transport Protocol (HTTP) digest authentication protocol. Authentication is becoming increasingly crucial because it accesses the server when a user asks to use SIP services. In this paper, we concentrate on the security flaws in the current SIP authentication procedure. We propose a secure ECC-based authentication mechanism to conquer many forms of attacks in previous schemes. By a sophisticated analysis of the security of the ECC-based protocol, we show that it is suitable for applications with higher security requirements.     

基于相对熵的SIP DoS洪泛攻击检测算法和仿真

随着SIP协议的广泛应用,SIP网络的安全机制也逐渐成为研究热点.针对SIP DoS洪泛攻击,本文将相对熵引入SIP网络,提出了一种基于相对熵的检测算法,并与传统的信息熵检测算法进行比较.实验结果表明:正常网络流量下信息熵值和相对熵值都基本稳定,在发生DoS攻击时相对熵值波动明显,比信息熵检测算法检测率更高,检测结果更准确.     

Utilizing bloom filters for detecting flooding attacks against SIP based services

Any application or service utilizing the Internet is exposed to both general Internet attacks and other specific ones. Most of the times the latter are exploiting a vulnerability or misconfiguration in the provided service and/or in the utilized protocol itself. Consequently, the employment of critical services, like Voice over IP (VoIP) services, over the Internet is vulnerable to such attacks and, on top of that, they offer a field for new attacks or variations of existing ones. Among the various threats–attacks that a service provider should consider are the flooding attacks, at the signaling level, which are very similar to those against TCP servers but have emerged at the application level of the Internet architecture. This paper examines flooding attacks against VoIP architectures that employ the Session Initiation Protocol (SIP) as their signaling protocol. The focus is on the design and implementation of the appropriate detection method. Specifically, a bloom filter based monitor is presented and a new metric, named session distance, is introduced in order to provide an effective protection scheme against flooding attacks. The proposed scheme is evaluated through experimental test bed architecture under different scenarios. The results of the evaluation demonstrate that the required time to detect such an attack is negligible and also that the number of false alarms is close to zero.     

Detecting VoIP Floods Using the Hellinger Distance

Voice over IP (VoIP), also known as Internet telephony, is gaining market share rapidly and now competes favorably as one of the visible applications of the Internet. Nevertheless, being an application running over the TCP/IP suite, it is susceptible to flooding attacks. If flooded, as a time-sensitive service, VoIP may show noticeable service degradation and even encounter sudden service disruptions. Because multiple protocols are involved in a VoIP service and most of them are susceptible to flooding, an effective solution must be able to detect and overcome hybrid floods. As a solution, we offer the VoIP flooding detection system (vFDS)-an online statistical anomaly detection framework that generates alerts based on abnormal variations in a selected hybrid collection of traffic flows. It does so by viewing collections of related packet streams as evolving probability distributions and measuring abnormal variations in their relationships based on the Hellinger distance-a measure of variability between two probability distributions. Experimental results show that vFDS is fast and accurate in detecting flooding attacks, without noticeably increasing call setup times or introducing jitter into the voice streams.     

OntoSPIT: SPIT management through ontologies

VoIP enables new ways for communication. At the same time, it provides new means, in terms of transmitting bulk unsolicited messages and calls, namely SPam over Internet telephony (SPIT). In this paper, we propose a conceptual model, based on an underlying ontology, which describes the SPIT domain. The ontology provides capabilities, such as modeling the SPIT phenomenon in a SIP-based VoIP environment, a common understanding of SPIT domain, as well as reusable SPIT-related knowledge interoperability, aggregation and reasoning. We demonstrate that the proposed ontology, combined with a set of SPIT identification criteria, as its underlying axioms and rules, could enhance the correlation and management of SPIT incidents. It could also support SPIT detection, thus facilitating the better protection of VoIP environments in a holistic, cooperative, and effective way.     

A VoIP Traffic Identification Scheme Based on Host and Flow Behavior Analysis

With the development of network and multimedia coding techniques, more and more Voice over Internet Protocol (VoIP) applications have emerged. The traffic identification on VoIP applications becomes an important issue in network management and traffic analysis. In this paper, a new traffic identification scheme, which combines traffic flow statistic analysis with host behavior estimation, is proposed to identify the VoIP traffic at the transport layer of the Internet. The host IP addresses and the port numbers are examined as the host behavior to distinguish the VoIP traffic from traditional traffic flows. The packet size has been modeled by a function of entropy while the inter-packet time has been modeled by the self-adaptive estimation. The experiment results show that our scheme could obtain a stable performance. At the same time, the proposed scheme could maintain its validity when existing VoIP applications are updated or the new ones admitted. Both accuracy and flexibility can be improved.     

VoIP业务入侵检测模型

提出一种SIP信令协议的入侵检测方法,用以加强VoIP业务环境的安全。重点对基于SIP的VoIP业务环境的安全威胁和业务流量分析,利用数据挖掘算法和改进的贝叶斯算法构建针对SIP下的入侵检测模型。实验结果表明,该方法可以对VoIP业务环境下的网络攻击进行有效检测。     

基于流量行为特征的DoS&DDoS攻击检测与异常流识别

针对现有方法仅分析粗粒度的网络流量特征参数,无法在保证检测实时性的前提下识别出拒绝服务(DoS)和分布式拒绝服务(DDoS)的攻击流这一问题,提出一种骨干网络DoS&DDoS攻击检测与异常流识别方法。首先,通过粗粒度的流量行为特征参数确定流量异常行为发生的时间点;然后,在每个流量异常行为发生的时间点对细粒度的流量行为特征参数进行分析,以找出异常行为对应的目的IP地址;最后,提取出与异常行为相关的流量进行综合分析,以判断异常行为是否为DoS攻击或者DDoS攻击。仿真实验的结果表明,基于流量行为特征的DoS&DDoS攻击检测与异常流识别方法能有效检测出骨干网络中的DoS攻击和DDoS攻击,并且在保证检测实时性的同时,准确地识别出与攻击相关的网络流量     

Design and realization of ad-hoc VoIP with embedded p-SIP server

In this paper we design and implement the pseudo session initiation protocol (p-SIP) server embedded in each mobile node to provide the ad-hoc voice over Internet protocol (VoIP) services. The implemented p-SIP server, being compatible with common VoIP user agents, integrates the standard SIP protocol with SIP presence to handle SIP signaling and discovery mechanism in the ad-hoc VoIP networks. The ad-hoc VoIP signaling and voice traffic performances are analyzed using E-model R rating value for up to six hops in the implemented test-bed. We also conduct the interference experiments to imitate the practical ad-hoc VoIP environment. The analyzed results demonstrate the realization of ad-hoc VoIP services by using p-SIP server.     

A framework for protecting a SIP-based infrastructure against malformed message attacks

This paper presents a framework that can be utilized for the protection of session initiation protocol (SIP)-based infrastructures from malformed message attacks. Its main characteristic is that it is lightweight and that it can be easily adapted to heterogeneous SIP implementations. The paper analyzes several real-life attacks on VoIP services and proposes a novel detection and protection mechanism that is validated through an experimental test-bed under different test scenarios. Furthermore, it is demonstrated that the employment of such a mechanism for the detection of malformed messages imposes negligible overheads in terms of the overall SIP system performance.     

Robust and efficient detection of DDoS attacks for large-scale internet

In recent years, distributed denial of service (DDoS) attacks have become a major security threat to Internet services. How to detect and defend against DDoS attacks is currently a hot topic in both industry and academia. In this paper, we propose a novel framework to robustly and efficiently detect DDoS attacks and identify attack packets. The key idea of our framework is to exploit spatial and temporal correlation of DDoS attack traffic. In this framework, we design a perimeter-based anti-DDoS system, in which traffic is analyzed only at the edge routers of an internet service provider (ISP) network. Our framework is able to detect any source-address-spoofed DDoS attack, no matter whether it is a low-volume attack or a high-volume attack. The novelties of our framework are (1) temporal-correlation based feature extraction and (2) spatial-correlation based detection. With these techniques, our scheme can accurately detect DDoS attacks and identify attack packets without modifying existing IP forwarding mechanisms at routers. Our simulation results show that the proposed framework can detect DDoS attacks even if the volume of attack traffic on each link is extremely small. Especially, for the same false alarm probability, our scheme has a detection probability of 0.97, while the existing scheme has a detection probability of 0.17, which demonstrates the superior performance of our scheme.     

DEVS-Based modeling of VoIP spam callers’ behavior for SPIT level calculation

At the present time the VoIP (Voice over Internet Protocol) service is generally accepted as an alternative for people seeking cheaper means to make a phone call. Users of VoIP service may fall anywhere along a spectrum between types at two extremes: one of which is an ordinary caller who doesn’t use the telephone for commercial purposes, while the other is a person who generates spam calls for commercial purposes. The focus of this paper concerns modeling of spam callers’ behavior to calculate the SPIT (Spam over Internet Telephony) level for management of the quality of service. From the perspective of a VoIP service provider’s view, spam callers are also a type of customer and sometimes they are valuable for increasing revenue. However, if a service provider does not manage spam calls, it can harm their business, because ordinary users might not receive phone calls using the phone numbers of the VoIP service. Thus, there is a trade-off between revenues and usability in managing spam calls in the VoIP service. This work presents a model of spam caller’s behavior using the DEVS (Discrete Event System Specification) formalism. The DEVS formalism is applicable as a model of behavior, by defining the state and state transition of the target of the model. In our model, we use six main parameters to define the states and state transitions. Each state is represented by a number which indicates the SPIT level of a caller. If the value is 1.0 then the caller is more similar to a spam caller. Based on the model definition, we constructed a SPIT level Calculation UI (User Interface) that is used to manage spam calls to improve VoIP service quality.     

一种高效抵御SIP洪泛攻击的防御模型

根据会话初始协议(SIP)拒绝服务攻击的原理和方式,将阈值动态调整和实时动态防御相结合,提出一种抵御SIP洪泛攻击的防御模型,利用卡方流量判定模型与累计和统计模型动态调整阈值,并检测SIP洪泛攻击,通过IP防御模型动态抵御基于IP的SIP洪泛攻击。实验结果表明,该模型可以实时、高效地检测SIP洪泛攻击,在异常发生时有效防止SIP/ IMS服务器被攻击。     

实现非对称型NAT穿越的VoIP系统设计方案

基于SIP的VoIP系统在Internet上已经取得广泛应用,但在企业网环境中,由于大量NAT设备的存在,端到端的SIP呼叫难以实现。分析了四类NAT的映射规则及其对SIP消息造成的影响,介绍了现有的NAT穿越方法,最后在STUN方式基础上提出了一种实现非对称型NAT穿越的VoIP系统设计方案。该方案在用户认证服务器和VoIP软终端上各开设一个端口侦听穿越请求,并对收到的包进行相应处理。经过校园网到企业网环境的测试证明该方案能达到很好的接通率。     

Dynamic entropy based DoS attack detection method

Denial of Service (DoS) attack poses a severe threat to the Internet. Entropy-based methods have been successfully used to detect specific types of malicious traffic. This paper presents a novel dynamic entropy-based model for the detection of DoS attack. Based on the theory of alive communication, the dynamic entropy model is constructed by combining the information entropy as well as the feature of netflow conversation correlation. This is the first application of the theory of alive communication in the network anomalies detection. To evaluate the performance of the dynamic entropy model, we compare it with the traditional information entropy model. The experiment results demonstrate the presence of traffic’s dynamic entropy and show that the dynamic entropy keeps stable under normal traffic. By contrast, it fluctuates significantly when the network subjects to DoS attacks. Moreover, the detection rate of dynamic entropy-based model is higher and can detect unknown DoS attacks effectively.     

Traffic analysis attacks on Skype VoIP calls

Skype is one of the most popular voice-over-IP (VoIP) service providers. One of the main reasons for the popularity of Skype VoIP services is its unique set of features to protect privacy of VoIP calls such as strong encryption, proprietary protocols, unknown codecs, dynamic path selection, and the constant packet rate. In this paper, we propose a class of passive traffic analysis attacks to compromise privacy of Skype VoIP calls. The proposed attacks are based on application-level features extracted from VoIP call traces. The proposed attacks are evaluated by extensive experiments over different types of networks including commercialized anonymity networks and our campus network. The experiment results show that the proposed traffic analysis attacks can greatly compromise the privacy of Skype calls. Possible countermeasure to mitigate the proposed traffic analysis attacks are analyzed in this paper.     

Cryptanalysis and improvement of a robust smart card secured authentication scheme on SIP using elliptic curve cryptography

The session initiation protocol (SIP) has been receiving a lot of attention to provide security in the Voice over IP (VoIP) in Internet and mobility management. Recently, Yeh et al. proposed a smart card-based authentication scheme for SIP using elliptic curve cryptography (ECC). They claimed that their scheme is secure against known security attacks. However, in this paper, we indicate that Yeh et al.’s scheme is vulnerable to off-line password guessing attack, user impersonation attack and server impersonation attack, in the case that the smart card is stolen and the information stored in the smart card is disclosed. As a remedy, we also propose an improved smart card-based authentication scheme which not only conquers the security weaknesses of the related schemes but also provides a reduction in computational cost. The proposed scheme also provides the user anonymity and untraceability, and allows a user to change his/her password without informing the remote server. To show the security of our protocol, we prove its security the random oracle model.     

A queueing analysis for the denial of service (DoS) attacks in computer networks

In most network security analysis, researchers mainly focus on qualitative studies on security schemes and possible attacks, and there are few papers on quantitative analysis in the current literature. In this paper, we propose one queueing model for the evaluation of the denial of service (DoS) attacks in computer networks. The network under DoS attacks is characterized by a two-dimensional embedded Markov chain model. With this model, we can develop a memory-efficient algorithm for finding the stationary probability distribution which can be used to find other interesting performance metrics such as the connection loss probability and buffer occupancy percentages of half-open connections for regular traffic and attack traffic. Different from previous works in the literature, this paper gives a more general analytical approach to the study of security measures of a computer network under DoS attacks. We hope that our approach opens a new avenue to the quantitative evaluation of more complicated security schemes in computer networks.     

Secure seamless peer-to-peer (P2P) UDP communication using IPv4 LSRR option and IPv4+4 addresses

The current structure of the Internet, with hosts behind network address translation (NAT) boxes, causes well-known problems for P2P applications. There are several proposals, e.g., STUN, UPnP, MIDCOM, TURN among others, to enable P2P UDP communication for nodes behind NAT boxes, but each technique offers a partial solution that works in special limited cases and fails in others. In this paper, we present a framework based on the use of IPv4+4 addresses and the standard IPv4 Loose Source Record Route (LSRR) option that offers a complete solution to the secure seamless P2P UDP communication problem. Our proposal requires no changes whatsoever to end-host protocol stacks and Internet routers. The only requirement is a simple upgrade of border routers with a new LSRR-based packet forwarding algorithm for the P2P UDP traffic. We detail our implementation of a Linux-based border router that runs the proposed forwarding algorithm, and describe how applications requiring P2P UDP communication such as Voice over IP (VoIP) using SIP can benefit from our framework.