A survey on fraud and service misuse in voice over IP (VoIP) networks

The migration from circuit-switched networks to packet-switched networks necessitates the investigation of related issues such as service delivery, QoS, security, and service fraud and misuse. The latter can be seen as a combination of accounting and security aspects. In traditional telecommunication networks, fraud accounts for annual losses at an average of 3%–5% of the operators’ revenue and still increasing at a rate of more than 10% yearly. It is also expected that in VoIP networks, the situation will be worse due to the lack of strong built-in security mechanisms, and the use of open standards. This paper discusses the fraud problem in VoIP networks and evaluates the related available solutions.     

Challenges in securing voice over IP

Although VoIP offers lower cost and greater flexibility, it can also introduce significant risks and vulnerabilities. This article explains the challenges of VoIP security and outlines steps for helping to secure an organization's VoIP network.     

Intrusion detection in voice over IP environments

In this article, we present the design of an intrusion detection system for voice over IP (VoIP) networks. The first part of our work consists of a simple single- component intrusion detection system called Scidive. In the second part, we extend the design of Scidive and build a distributed and correlation-based intrusion detection system called Space Dive. We create several attack scenarios and evaluate the accuracy and efficiency of the system in the face of these attacks. To the best of our knowledge, this is the first comprehensive look at the problem of intrusion detection in VoIP systems. It includes treatment of the challenges faced due to the distributed nature of the system, the nature of the VoIP traffic, and the specific kinds of attacks at such systems. Y.-S. Wu and V. Apte contributed equally to the paper.     

Design and implementation of QoS-provisioning system for voice over IP

In this paper, we address issues in implementing voice over IP (VoIP) services in packet switching networks. VoIP has been identified as a critical real-time application in the network QoS research community and has been implemented in commercial products. To provide competent quality of service for VoIP systems comparable to traditional PSTN systems, a call admission control (CAC) mechanism has to be introduced to prevent packet loss and over-queuing. Several well-designed CAC mechanisms, such as the site-utilization-based CAC-and the link-utilization-based CAC mechanisms have been in place. However, the existing commercial VoIP systems have not been able to adequately apply and support these CAC mechanisms and, hence, have been unable to provide QoS guarantees to voice over IP networks. We have designed and implemented a QoS-provisioning system that can be seamlessly integrated with the existing VoIP systems to overcome their weakness in offering QoS guarantees. A practical implementation of our QoS-provisioning system has been realized.     

Load characterization and anomaly detection for voice over IP traffic

We consider the problem of traffic anomaly detection in IP networks. Traffic anomalies typically arise when there is focused overload or when a network element fails and it is desired to infer these purely from the measured traffic. We derive new general formulae for the variance of the cumulative traffic over a fixed time interval and show how the derived analytical expression simplifies for the case of voice over IP traffic, the focus of this paper. To detect load anomalies, we show it is sufficient to consider cumulative traffic over relatively long intervals such as 5 min. We also propose simple anomaly detection tests including detection of over/underload. This approach substantially extends the current practice in IP network management where only the first-order statistics and fixed thresholds are used to identify abnormal behavior. We conclude with the application of the scheme to field data from an operational network.     

Hidden Markov model-based packet loss concealment for voice over IP

As voice over IP proliferates, packet loss concealment (PLC) at the receiver has emerged as an important factor in determining voice quality of service. Through the use of heuristic variations of signal and parameter repetition and overlap-add interpolation to handle packet loss, conventional PLC systems largely ignore the dynamics of the statistical evolution of the speech signal, possibly leading to perceptually annoying artifacts. To address this problem, we propose the use of hidden Markov models for PLC. With a hidden Markov model (HMM) tracking the evolution of speech signal parameters, we demonstrate how PLC is performed within a statistical signal processing framework. Moreover, we show how the HMM is used to index a specially designed PLC module for the particular signal context, leading to signal-contingent PLC. Simulation examples, objective tests, and subjective listening tests are provided showing the ability of an HMM-based PLC built with a sinusoidal analysis/synthesis model to provide better loss concealment than a conventional PLC based on the same sinusoidal model for all types of speech signals, including onsets and signal transitions.     

Call admission control and load balancing for voice over IP

IP networks are traditionally designed to support a best-effort service, with no guarantees on the reliable and timely delivery of packets. With the migration of real-time applications such as voice onto IP-based platforms, the existing IP network capabilities become inadequate to provide the quality-of-service (QoS) levels that the end-users are accustomed to. While new protocols such as DiffServ and MPLS allow some amount of traffic prioritization, guaranteed QoS requires call admission control. This paper reviews several possible implementations and shows simulation results for one promising method that makes efficient use of the network and is scalable to large networks.     

EVoIP: Energy efficient voice over IP privacy

Due to the convergence of telecommunication technologies and pervasive computing, voice is increasingly being transmitted over IP networks, in what is commonly known as Voice over IP (VoIP). Despite many advantages offered by this technology, VoIP applications inherit many challenging characteristics from the underlying IP network related to quality of service and security concerns. Traditional ways to secure data over IP networks have negative effects on real-time applications and on power consumption, which is scarce in power-constrained handheld devices. In this work, a new codec-independent Energy Efficient Voice over IP Privacy (E²VoIP²) algorithm is devised to limit the overhead of the encryption process, without compromising the end-to-end confidentiality of the conversation. The design takes advantage of VoIP stream characteristics to encrypt selected packets using a secure algorithm, while relaxing the encryption procedure in-between these packets. We evaluated experimentally the difficulty of conducting known plaintext attacks on VoIP by demonstrating that a sound recorded simultaneously by different sources results in apparently random encoded files. Regarding E²VoIP², experimental and simulation results show a substantial improvement in terms of the number of CPU cycles which results in a reduction of latency and a reduction in consumed power with respect to that of the SRTP. In addition, the proposed method is flexible in terms of the balance between security and power consumption.     

The IP multimedia domain: service architecture for the delivery of voice, data, and next generation multimedia applications

The IP Multimedia Subsystem (IMS) is defined by the 3^rd Generation Partnership Project (3GPP) as a new core network domain. IMS provides a service control platform that allows creation of new multimedia and multi-session applications utilizing wireless and wireline transport capabilities. In this paper we will cover the concepts and standards defining IMS and review the network architecture from a mobile perspective. We will see how IMS interacts with the Packet Switched Domain (e.g. Wireless LAN, GPRS, and UMTS networks), the Internet, and application services. Then we will examine the key IMS capabilities and show how they can be combined to create new mobile IP services. Finally, we present a software architecture, which is enabled by IMS and allows development of unique applications (with multimedia/multi-session functionality, single/multi-user, service to user). The software architecture is illustrated by an example of a prototype application. This work was done when the author was with Siemens Communications Inc., Boca Raton, FL     

The IP multimedia domain: service architecture for the delivery of voice, data, and next generation multimedia applications

The IP Multimedia Subsystem (IMS) is defined by the 3 ^rd Generation Partnership Project (3GPP) as a new core network domain. IMS provides a service control platform that allows creation of new multimedia and multi-session applications utilizing wireless and wireline transport capabilities. In this paper we will cover the concepts and standards defining IMS and review the network architecture from a mobile perspective. We will see how IMS interacts with the Packet Switched Domain (e.g. Wireless LAN, GPRS, and UMTS networks), the Internet, and application services. Then we will examine the key IMS capabilities and show how they can be combined to create new mobile IP services. Finally, we present a software architecture, which is enabled by IMS and allows development of unique applications (with multimedia/multi-session functionality, single/multi-user, service to user). The software architecture is illustrated by an example of a prototype application. This work was done when the author was with Siemens Communications Inc., Boca Raton, FL     

Audio steganography with AES for real-time covert voice over internet protocol communications

As a popular real-time service on the Internet, Voice over Internet Protocol （VoIP） communication attracts more and more attention from the researchers in the information security field. In this study, we proposed a VoIP steganographic algorithm with variable embedding capacities, incorporating AES and key distribution, to realize a real-time covert VoIP communication. The covert communication system was implemented by embedding a secret message encrypted with symmetric cryptography AES-128 into audio signals encoded by PCM codec. At the beginning of each VoIP call, a symmetric session key （SK） was assigned to the receiver with a session initiation protocol-based authentication method. The secret message was encrypted and then embedded into audio packets with different embedding algorithms before sending them, so as to meet the real- time requirements of VolP communications. For each audio packet, the embedding capacity was calculated according to the specific embedding algorithm used. The encryption and embedding processes were almost synchronized. The time cost of encryption was so short that it could be ignored. As a result of AES-based steganography, observers could not detect the hidden message using simple statistical analysis. At the receiving end, the corresponding algorithm along with the SK was employed to retrieve the original secret message from the audio signals. Performance evaluation with state-of-the-art network equipment and security tests conducted using the Mann-Whitney-Wilcoxon method indicated that the proposed steganographic algorithm is secure, effective, and robust.     

Adaptive playout scheduling and loss concealment for voice communication over IP networks

The quality of service limitation of today's Internet is a major challenge for real-time voice communications. Excessive delay, packet loss, and high delay jitter all impair the communication quality. A new receiver-based playout scheduling scheme is proposed to improve the tradeoff between buffering delay and late loss for real-time voice communication over IP networks. In this scheme the network delay is estimated from past statistics and the playout time of the voice packets is adaptively adjusted. In contrast to previous work, the adjustment is not only performed between talkspurts, but also within talkspurts in a highly dynamic way. Proper reconstruction of continuous playout speech is achieved by scaling individual voice packets using a time-scale modification technique based on the Waveform Similarity Overlap-Add (WSOLA) algorithm. Results of subjective listening tests show that this operation does not impair audio quality, since the adaptation process requires infrequent scaling of the voice packets and low playout jitter is perceptually tolerable. The same time-scale modification technique is also used to conceal packet loss at very low delay, i.e., one packet time. Simulation results based on Internet measurements show that the tradeoff between buffering delay and late loss can be improved significantly. The overall audio quality is investigated based on subjective listening tests, showing typical gains of 1 on a 5-point scale of the Mean Opinion Score.     

Providing true end-to-end security in converged voice over IP infrastructures

Voice over Internet Protocol (VoIP) is the future for voice communication and, by using a unique IP infrastructure as the common transport platform, it brings invaluable benefits such as deployment cost reduction, ease of management, ubiquitous coverage and convergence of data and voice together. On the other side, VoIP introduces new security vulnerabilities, since it comes with completely different operational and security settings than the old telephone network: the physical location of clients is not fixed and great flexibility is required to provide enhanced mobile services. Furthermore, the integration with wireless LANs, with their inherent security weaknesses, introduces the need of new security features: the payloads of voice packets should be protected during conversations and no-replay as well as user authentication must be ensured on and end-to-end basis. The above concerns are actually the major barrier that may prevent the wide deployment of VoIP technologies, and coping with them is a truly challenging task. Consequently, we developed a novel hybrid framework for enhanced end-to-end security in the new generation SIP-empowered VoIP environments, based on the introduction of proven technologies such as digital signatures and efficient streamline encryption to enforce calling party identification, privacy, no-replay and non-repudiation throughout the whole IP Telephony system. All the security mechanisms used have been carefully chosen so that no systematic method is known to break the framework in realistic times and the overall voice quality will not be affected.     

Admission control by implicit signaling in support of voice over IP over ADSL

Voice over DSL (VoDSL) is a technology that enables the transport of data and multiple voice calls over a single copper-pair. Voice over ATM (VoATM) and Voice over IP (VoIP) are the two main alternatives for carrying voice over DSL. ATM is currently the preferred technology, since it offers the advantage of ATM’s built-in Quality of Service (QoS) mechanisms. IP QoS mechanisms have been maturing only in recent years. However, if VoIP can achieve comparable performance to that of VoATM in the access networks, it would facilitate end-to-end IP telephony and could result in major cost savings. In this paper, we propose a VoIP-based VoDSL architecture that provides QoS guarantees comparable to those offered by ATM in the DSL access network. Our QoS architecture supports Premium and Regular service categories for voice traffic and the Best-Effort service category for data traffic. The Weighted Fair Queuing algorithm is used to schedule voice and data packets for transmission over the bottleneck link. Fragmentation of large data packets reduces the waiting time for voice packets in the link. We also propose a new admission control mechanism called Admission Control by Implicit Signaling. This mechanism takes advantage of application layer signaling by mapping it to the IP header. We evaluate the performance of our QoS architecture by means of a simulation study. Our results show that our VoIP architecture can provide QoS comparable to that provided by the VoATM architecture.     

A PCS based architecture for tactical mobile communications

In this paper, we propose a novel resource management technique, namely virtual cell layout (VCL), for rapidly deployable wireless networks that can be operated in hostile environments. In VCL, the area of communications is tessellated with regularly shaped fixed size virtual cells. The radio resources such as frequency carriers and scrambling codes are assigned to the fixed cells of this layout. The real cells, which do not have to be identical in size to the virtual cells, are mobile over VCL. Mobile base stations that make up the real cells use the radio resources assigned to the virtual cell in which they are located. The terminals of the system access to the network, as they are the terminals of an ordinary cellular network. When the terminals are not in the coverage of any mobile base station, VCL helps them to be organized into clusters. The performance evaluation of the proposed system shows that the VCL based architecture satisfies the rapid deployment requirement and gives an acceptable grade of service.     

Adaptive partial-matching steganography for voice over IP using triple M sequences

Although steganographic transparency and steganographic bandwidth are believed to be two conflicting objectives in the design of steganographic systems, it is possible and necessary to strike an optimal balance between them. This paper presents an adaptive partial-matching steganography for voice over IP (VoIP). We introduce the notion of partial similarity value (PSV) to evaluate the partial matching between covers and secret messages. By properly setting a low threshold of PSV and a high threshold of PSV, we can adaptively balance steganographic transparency and bandwidth. Moreover, we employ triple m sequences to eliminate the correlation among secret messages, guide the adaptive embedding process, and encrypt synchronization signaling patterns. In addition, we introduce an improved strategy that takes into account the similarity between not only covers and encrypted messages but also covers and original messages. We evaluate the proposed approach and its improved strategy with ITU-T G.729a as the codec of the cover speech in StegVoIP that is a prototypical covert communication system based on VoIP and compare them with some existing approaches. The experimental results demonstrate that the proposed approaches can provide a better balance between steganographic transparency and bandwidth. Furthermore, the results of delay tests show that they adequately meet the real-time requirement of VoIP.     

A secure architecture for TCP/UDP-based cloud communications

International Journal of Information Security - Cloud communication is an intrinsic aspect of cloud architecture. It is an internet-based communication that enables access to millions of cloud...     

A pluggable service platform architecture for e-commerce

In the beginning of the e-commerce era, retailers mostly adopted vertically integrated solutions to control the entire e-commerce value chain. However, they began to realize that to achieve agility, a better approach would be to focus on certain core capabilities and then create a partner ecosystem around them. From a technical point of view, this means it is advised to have a lightweight platform architecture with small core e-commerce functionality which can be extended by additional services from third party providers. In a typical e-commerce ecosystem with diverse information systems of network partners, integration and interoperability become critical factors to enable seamless coordination among the partners. Furthermore an increasing adoption of cloud computing technology could be observed resulting in more challenging integration scenarios involving cloud services. Thus, an e-commerce platform is required that suites the advanced needs for flexible and agile service integration. Therefore, this paper aims to present a reference architecture of a novel pluggable service platform for e-commerce. We investigate on currently available online shop platform solutions and integration platforms in the market. Based on the findings and motivated by literature on service-oriented design, we develop an architecture of a service-based pluggable platform for online retailers. This design is then instantiated by means of a prototype for an e-commerce returns handling scenario to demonstrate the feasibility of our architecture design.