Spacedive: a Distributed Intrusion Detection System for Voice-over-ip Environments Spacedive: a Distributed Intrusion Detection System for Voice-over-ip Environments

Voice over IP (VoIP) systems are gaining in popularity as the technology for transmitting voice traffic over IP networks. As the popularity of VoIP systems increases, they are being subjected to different kinds of intrusions some of which are specific to such systems and some which follow a general pattern of IP attacks. VoIP systems pose several new challenges to Intrusion Detection System (IDS) designers. First, these systems employ multiple protocols for call management (e.g., SIP) and data delivery (e.g., RTP). Second, the systems are distributed in nature and employ distributed clients, servers and proxies. Third, the attacks to such systems span a large class, from denial of service to billing fraud attacks. Finally, the systems are heterogeneous, have soft real time requirements, and are typically under several different administrative domains. In this paper, we propose the design of an intrusion detection system targeted to VoIP systems, called SPACEDIVE. SPACEDIVE is structured to detect different classes of intrusions, including, masquerading, denial of service, and media stream-based attacks. It can be installed at multiple points – clients, servers, or proxies, and can operate with both classes of protocols that compose VoIP systems – call management protocols, e.g., the Session Initiation Protocol (SIP), and media delivery protocols, e.g., the Real Time Transport Protocol (RTP). SPACEDIVE proposes the abstraction of correlation based IDS and provides a rule language to express correlated rules. The correlation may be of information gathered from peer entities or entities at different levels. SPACEDIVE is demonstrated on a sample VoIP system that comprises SIP clients and SIP servers spread over two domains. Several attack scenarios are created and the accuracy and the efficiency of the system evaluated with rules meant to catch these attacks. 1 Introduction Voice over IP (VoIP) systems are gaining in popularity as the technology for transmitting voice traffic over IP networks. Along with the anticipated widespread adoption of VoIP systems comes the possibility of security attacks targeted against such systems. VoIP systems use a multitude of protocols, primarily control protocols for signaling, establishing calls, negotiating call parameters, and monitoring health of the ongoing call and data protocols for carrying the voice data over the IP network. The attacks can be thought of as a combination of traditional kinds of security attacks against IP networks and novel attacks enabled by the architecture of VoIP systems. Let us first identify the key features of VoIP systems and …

[1]  Son T. Vuong,et al.  BLAZE: A Mobile Agent Paradigm for VoIP Intrusion Detection Systems , 2004, ICETE.

[2]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[3]  Dan Andersson,et al.  Heterogeneous Sensor Correlation: A Case Study of Live Traffic Analysis , 2001 .

[4]  Mats Näslund,et al.  The Secure Real-time Transport Protocol (SRTP) , 2004, RFC.

[5]  Alfonso Valdes,et al.  A Mission-Impact-Based Approach to INFOSEC Alarm Correlation , 2002, RAID.

[6]  Mark Handley,et al.  SDP: Session Description Protocol , 1998, RFC.

[7]  Henning Schulzrinne,et al.  RTP: A Transport Protocol for Real-Time Applications , 1996, RFC.

[8]  Christian Huitema,et al.  Megaco Protocol Version 1.0 , 2000, RFC.

[9]  Yan Bai,et al.  A survey of VoIP intrusions and intrusion detection systems , 2004, The 6th International Conference on Advanced Communication Technology, 2004..

[10]  Saurabh Bagchi,et al.  SCIDIVE: a stateful and cross protocol intrusion detection architecture for voice-over-IP environments , 2004, International Conference on Dependable Systems and Networks, 2004.

[11]  Flemming Andreasen,et al.  Media Gateway Control Protocol (MGCP) Version 1.0 , 2003, RFC.

[12]  Saurabh Bagchi,et al.  Collaborative intrusion detection system (CIDS): a framework for accurate and efficient IDS , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[13]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.