
Fast Detection of Denial-of-Service Attacks on IP Telephony

Hemant Sengar, Duminda Wijesekera and Sushil Jajodia, Center for Secure Information Systems, George Mason University; Haining Wang, Department of Computer Science, College of William and Mary.


Presentation Transcript


  1. Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems, George Mason University And Haining Wang Department of Computer Science, College of William and Mary

  2. Outline
     • IP Telephony and Security Threats
     • Flooding DoS Attacks
     • Observation of Protocol Behaviors
     • Design of vFDS
     • Performance Evaluation
     • Conclusion

  3. IP Telephony
     • Marriage of IP with traditional Telephony
     • VoIP uses multiple protocols for call control and data delivery

  4. SIP-based IP Telephony

  5. Threats
     VoIP telephony is plagued by known Internet vulnerabilities (e.g., worms, viruses, etc.) as well as threats specific to VoIP.
     • Device mis-configuration
     • Improper usage of signaling messages
     • DoS attacks (towards SIP Proxy server or SIP UAs)
     • SIP UA may issue multiple simultaneous requests

  6. Our Focus
     • Denial of Service attacks due to flooding
     • TCP-based SIP entities are prone to SYN flooding attacks
     • At the application layer:
       • INVITE flooding (SIP Proxy or SIP UA)
       • RTP flooding to SIP UA

  7. TCP Protocol Behavior (I) Front Range GigaPoP, November 1, 2005

  8. TCP Protocol Behavior (II) Digital Equipment Corporation, March 8, 1995

  9. SIP Protocol Behavior

  10. RTP Traffic Behavior G.711 Codec (50 packets per second)

  11. Observations
     In spite of traffic diversity, at any instant of time there is strong correlation among protocol attributes.
     • In RTP:
     • Derived attributes: gaps between attributes remain relatively stable

  12. Challenges
     • Is it possible to compare and quantify the gap between a number of attributes (taken at a time), observed at two different instants of time?
     • Determine whether two instants of time are similar (or dissimilar) with respect to protocol attribute behavior

  13. Detection Scheme: Hellinger Distance
     P and Q (each with N attributes) are two probability measures with and Distance satisfies the inequality of
     The distance is 0 when P = Q. Disjoint P and Q show a maximum distance of 1.

  14. Distance Measurement :

  15. Hellinger Distance of TCP Attributes
     • P is an array of normalized frequencies over the training data set
     • Q is an array of normalized frequencies over the testing data set
     • Distance between P and Q at the end of the (n+1)th time period

  16. Hellinger Distance of TCP Attributes :

  17. Hellinger Distance of SIP Attributes INVITE, 200 OK, ACK and BYE

  18. Hellinger distance of RTP Attributes

  19. Detection Threshold Setup
     • Estimation of the threshold distance is an instance of Jacobson's fast algorithm for RTT mean and variation
     • Gives a dynamic threshold
     Threshold Hellinger Distance
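The detection scheme of slides 13 to 19 (normalized attribute frequencies for P and Q, the Hellinger distance between them, and a Jacobson-style dynamic threshold) as an added, self-contained example; this is not the authors' vFDS code. The estimator gains (1/8, 1/4), the multiplier k=4, the choice not to update the estimator during an alarm, and the sample SIP periods are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# SIP attributes tracked in the slides; in normal traffic their frequencies
# stay close to each other from one observation period to the next.
ATTRIBUTES = ("INVITE", "200 OK", "ACK", "BYE")

def normalized_frequencies(messages):
    """One observation period of SIP message names -> probability array."""
    counts = Counter(m for m in messages if m in ATTRIBUTES)
    total = sum(counts.values())
    return [counts[a] / total if total else 0.0 for a in ATTRIBUTES]

def hellinger_distance(p, q):
    """Hellinger distance: 0 when p == q, 1 when p and q are disjoint."""
    return math.sqrt(0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2
                               for a, b in zip(p, q)))

class HellingerFloodDetector:
    """Compare each period (Q) with the training profile (P); alarm when the
    distance exceeds mean + k * deviation (assumed gains 1/8, 1/4 and k=4)."""

    def __init__(self, training_messages, alpha=1 / 8, beta=1 / 4, k=4):
        self.p = normalized_frequencies(training_messages)
        self.alpha, self.beta, self.k = alpha, beta, k
        self.mean = None  # smoothed distance, like SRTT
        self.dev = 0.0    # smoothed mean deviation, like RTTVAR

    def observe(self, period_messages):
        """Return (distance, threshold, alarm) for one observation period."""
        d = hellinger_distance(self.p, normalized_frequencies(period_messages))
        if self.mean is None:           # first period only seeds the estimator
            self.mean, self.dev = d, d / 2
            return d, None, False
        threshold = self.mean + self.k * self.dev
        alarm = d > threshold
        if not alarm:                   # assumption: never learn from a flood
            err = d - self.mean
            self.mean += self.alpha * err
            self.dev += self.beta * (abs(err) - self.dev)
        return d, threshold, alarm

# Constructed sample periods (not captured traffic): balanced call setups for
# training, two normal periods, then an INVITE flood against the same profile.
TRAINING = ["INVITE", "200 OK", "ACK", "BYE"] * 10
NORMAL = ["INVITE"] * 12 + ["200 OK"] * 11 + ["ACK"] * 11 + ["BYE"] * 10
FLOOD = ["INVITE"] * 100 + ["200 OK"] * 10 + ["ACK"] * 10 + ["BYE"] * 10

if __name__ == "__main__":
    det = HellingerFloodDetector(TRAINING)
    for period in (NORMAL, NORMAL, FLOOD):
        print(det.observe(period))      # alarm flags: False, False, True
```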

  20. Detection of SYN Flooding Attack

  21. Detection of INVITE Flooding

  22. Detection of RTP Flooding Attack

  23. Detection Accuracy and Time
     • High detection probability (> 80%)
     • Detection time varies between 1-2 observation periods
     • Detection resolution and sensitivity depend upon the value of the observation time period
       • A low value is better, but at the cost of computational resources

  24. Conclusion
     • vFDS utilizes Hellinger distance for online statistical flooding detection
     • Holistic view of protocol behaviors
     • Simple and efficient
     • High accuracy with short detection time

  25. Questions
