1 / 17

Holistic VoIP Intrusion Detection and Prevention System

Holistic VoIP Intrusion Detection and Prevention System. Mohamed Nassar, Saverio Niccolini , Radu State, Thilo Ewald joint work of Loria-Inria and NEC Laboratories Europe. VoIP Security. We are experiencing the migration from circuit switched (PSTN) to packet switched (VoIP) telephony

emery
Download Presentation

Holistic VoIP Intrusion Detection and Prevention System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Holistic VoIP Intrusion Detection and Prevention System Mohamed Nassar, Saverio Niccolini,Radu State, Thilo Ewald joint work of Loria-Inria and NEC Laboratories Europe

  2. VoIP Security • We are experiencing the migration from circuit switched (PSTN) to packet switched (VoIP) telephony • Next Generation Networks (NGN) • Today’s VoIP is an insecure technology • Not sufficiently prepared for defense against attacks • New threat models and attacks • Security is very important when VoIP gets deployed massively like in Next Generation Networks (NGN) • Lack of secure solutions threatens to significantly reduce VoIP business • Providing secure solutions is required for continuing strong growth • there will not be THE solution

  3. SIP signaling Media Stream Media Stream Accounting data Sniffing VoIP Security Threats (D)DoS attack • VoIP protocols are vulnerable to attacks • Interruption of Service attacks (Denial of Service, DoS) • Attacks against infrastructures and terminals • Social attacks (SPam over Internet Telephony, SPIT) • Disturbances and interruptions of work by ringing phone for unsolicited calls • Interception and Modification • Conversations may be intercepted (lack of confidentiality) • Private information can be learnt (caller ID, DTMF password/accounts, etc.) • Conversations/signaling may be modified (lack of integrity) • Abuse of Service (Fraud) • Unauthorized or unaccountable resource utilization, fake identity, impersonation, session replay (bank session), etc. SIP server Accounting & Charging server Media proxy Wire tapping SIP server Fraud SPIT

  4. Intrusion detection and prevention: Architecture • Divide and conquer: distributed approach for countering different threats • Honey-pot to detect sources of malicious attacks and unsolicited calls • Network-based Intrusion Detection System (NIDS) to detect attack patterns • Event correlation framework to detect distributed signatures • Anomaly detection based on user profiles to detect abuse of services • Assembling complementary solutions in one holistic in depth approach

  5. Honey-pot • A Honey-pot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems • Generally consists of a computer, data or a network site • appears to be part of a network • but is actually isolated and protected • seems to contain information or a resource that would be of value to attackers • Honey-pots are used as surveillance and early-warning tools • Honey-pots masquerade as systems of the types abused by spammers to send spam. • for example, using domain names that attract interest (www.nec-bank.com) or covering all unused IP addresses of a range owned by an enterprise. • Ordinary e-mail never comes to a Honey-pot • They can categorize the material they trap 100% accurately: it is all illicit, no further checking required • Honey-pots are used • as attack detection systems and for attack analysis

  6. VoIP Honey-pot

  7. How to use Honey-pot • Step 1: make Honey-pot users a target • publish virtual SIP URLs and phone numbers at public places that are scanned by address search engines • easy to be detected by engines, but invisible for regular users (e.g. white font on white background of a web page) • host these published addresses at one or more Honey-pots • properly route calls to Honey-pot users • Step 2: store all callers using these addresses by calling the Honey-pot • Step 3: analyze the received calls/messages to gather more information • voice recognition, speaker recognition • match caller ID and source IP address (spoofing detection) • statistical analysis • identification of individual machines or entire bot networks • Step 4: use gathered information as input for prevention systems • add frequent callers (URL or IP address) to black list • increase malicious rating for calls/messages that have properties similar to calls observed at Honeypot

  8. VoIP: the need for Event Correlation • Example: Malicious Gateway MGCP Call Agent SIP SS7 SIP phone PSTN Internet PCM RTP-RTCP Gateway

  9. VoIP: the need for Event Correlation • Example: Malicious Gateway MGCP Call Agent SIP phone PSTN DLCX Internet 200 OK RTP flow still received !! Gateway

  10. VoIP: the need for Event Correlation • Example: Malicious Gateway MGCP Call Agent SIP phone PSTN t: “OK is received“ Internet Gateway > t: “RTP is still received“ ALARM

  11. Event Correlation in two layers

  12. Events : examples • Log files (e.g. Asterisk) • Call log (CDR’s) • Message log Oct 13 17:41:46 NOTICE[15410]: Registration from ‘”mohamed” <sip:mohamed@1.2.3.4>’ failed for ‘1.2.3.4’ • Protocol Messages • e.g. RTP

  13. Events modeling and generation • Threading • Example 1 : threading signaling messages in one call record • Example 2 : threading repeated events in one dense event • Temporal restrictions • Scheduling restrictions • Event A has to occur at time t • Inter-arrival time • Event B has to occur after Event A in a time window of T • VoIP Event correlation done using SEC (Security Event Correlation): • Open source and platform independent • Lightweight online monitoring tool • Middle-way between homegrown and commercial event correlation • Proven efficiency in several application domains (network management, intrusion detection, system monitoring, fraud detection) • Written in Perl and based on Perl regular expressions thanks to Risto Vaarandi • Powerful and extensible with medium effort

  14. Event correlation: Misuse detection Call-ID, From + To tags Call-ID, From + To tags PairWithWindow PairWithWindow INVITE INVITE 200 OK 200 OK event INVITE-200OK event INVITE-200OK Single Cond = INVITE PairWithWindow Window = 2s BYE ACK event INVITE-200OK-BYE event broken handshaking PairWithWindow Window = 5s SingleWithThreshold Threshold = 10 RTP Shellcmd notify.sh “broken handshaking DoS” Shellcmd notify.sh “broken handshaking DoS” Rule set to detect broken handshaking flooding Rule set to detect BYE-CANCEL Attack Diagram of SEC Rule sets

  15. Anomaly detection (using events) • User behavior, Group of users behavior, Software behavior, Traffic model • User behavior : • Stationary : • Bin = one hour (different level of aggregation) • Event = call • Metric = number of calls, number of different recipients, duration of a call • Defining long and short terms • Long term profile = one month • Short term profile = one day • Distance = Euclidean, Quadratic, etc. • Non stationary : • Comparing changing of a distribution to detect sudden bursts of changes= Distribution of calls over callees, shape of the callee list size over all dialed calls

  16. Implementation • “tosec” module in OpenSER server acting as a FIFO queue towards the SEC engine • Graphical interfacewith a round robin database to update traffic shape • Implementing misuse detection rule setsof well known signatures Detection of a DoS pitch

  17. Conclusion and Future works • Holistic security monitoring approach • VoIP honey pot (supposed to be effective mainly against SPIT, Vishing) • Two layers event correlation framework (for misuse detection) • SEC extensions different from other work in literature • not only based on the network traffic • covers a large set of events (log messages, CDRs). • events can be treated differently based on the priority of the related agent • (e.g. : SIP server against phone) • VoIP IDS / SEC prototype successfully tested in lab environment • ready to go to production environment • Future work: • Real life tests and performance evaluation • Investigating network anomaly detection and machine learning inspired paradigms • A dynamic threshold adjustment model to resolve the adversary adaptation and enhance defense against “tester attackers”

More Related