VoIP Intrusion Detection Through Interacting Protocol State Machines

Being a fast-growing Internet application, voice over Internet protocol (VoIP) shares network resources with regular Internet traffic and is susceptible to the existing security holes of the Internet. Moreover, given that voice communication is time sensitive and uses a suite of interacting protocols, VoIP exposes new forms of vulnerabilities to malicious attacks. In this paper, we propose a highly needed VoIP intrusion detection system. Our approach is novel in that it utilizes not only the state machines of network protocols but also the interaction among them for intrusion detection. This detection approach is particularly suited for protecting VoIP applications, in which a melange of protocols is involved to provide IP telephony services. Based on tracking deviations from interacting protocol state machines, our solution shows promising detection characteristics and low runtime impact on the perceived quality of voice streams.
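A minimal sketch of the idea, added here as an illustration and not taken from the paper: a SIP signalling machine and an RTP media machine are tracked per call, and SIP transitions drive synchronization events into the RTP machine so that media seen outside an established session is flagged. The state names, the reduced transition table, and the assumption that events are already correlated to a call ID are all hypothetical simplifications.

```python
from dataclasses import dataclass, field

# Simplified SIP call states (assumed; the paper's actual machines are not on this page).
SIP_TRANSITIONS = {
    ("IDLE", "INVITE"): "INVITED",
    ("INVITED", "200_OK"): "ANSWERED",
    ("ANSWERED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "BYE"): "CLOSED",
}

@dataclass
class CallMonitor:
    """Tracks one call: a SIP machine plus an RTP machine gated by the SIP state."""
    sip_state: str = "IDLE"
    rtp_state: str = "CLOSED"  # RTP machine has two states: CLOSED and OPEN
    alerts: list = field(default_factory=list)

    def on_sip(self, msg):
        nxt = SIP_TRANSITIONS.get((self.sip_state, msg))
        if nxt is None:
            self.alerts.append(f"SIP deviation: {msg} in state {self.sip_state}")
            return
        self.sip_state = nxt
        # Interaction: SIP transitions send synchronization events to the RTP machine.
        if nxt == "ESTABLISHED":
            self.rtp_state = "OPEN"
        elif nxt == "CLOSED":
            self.rtp_state = "CLOSED"

    def on_rtp(self):
        # Valid RTP in isolation, but a deviation when signalling forbids media.
        if self.rtp_state != "OPEN":
            self.alerts.append(f"cross-protocol deviation: RTP while SIP is {self.sip_state}")

def analyze(events):
    """events: list of (call_id, protocol, message). Returns {call_id: [alerts]}."""
    calls = {}
    for call_id, proto, msg in events:
        mon = calls.setdefault(call_id, CallMonitor())
        if proto == "SIP":
            mon.on_sip(msg)
        else:
            mon.on_rtp()
    return {cid: m.alerts for cid, m in calls.items()}

# Constructed sample trace, not captured traffic.
SAMPLE = [
    ("c1", "SIP", "INVITE"), ("c1", "SIP", "200_OK"), ("c1", "SIP", "ACK"),
    ("c1", "RTP", "pkt"), ("c1", "SIP", "BYE"), ("c1", "RTP", "pkt"),
    ("c2", "SIP", "INVITE"), ("c2", "SIP", "ACK"),
]
```

Neither machine alone would flag the last RTP packet of call c1; it is only the SIP machine's CLOSED state, propagated to the RTP machine, that makes it a deviation.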
