ABSTRACT
VoIP security is crucial for current and future networks and services. The rapid shift from closed and confined telephony towards an all-IP network supporting end-to-end VoIP services poses major challenges to the security plane. Faced with multiple attack vectors, new and comprehensive defensive security solutions for VoIP must emerge from the research community.
This paper describes a multilayer intrusion detection and prevention system architecture for VoIP infrastructures. The key components of the approach are based on a VoIP-specific honeypot and on an application layer event correlation engine. While each component alone can detect only a subset of VoIP-specific attacks, the two of them together can provide an effective defense against many classes of attacks. We show in this paper how different and complementary conceptual approaches can jointly provide an in-depth defense for VoIP architectures.
Index Terms
(auto-classified) Holistic VoIP intrusion detection and prevention system