Secure Service Provisioning (SSP) framework for IP Multimedia Subsystem (IMS)

Abstract

With the emergence of mobile multimedia services such as unified messaging, click-to-dial, cross-network multiparty conferencing and seamless multimedia streaming, fixed–mobile convergence and voice–data integration have begun, leading to an overall merger of the Internet and telecommunications. The IP Multimedia Subsystem (IMS) is considered the next-generation service delivery platform in this converged communication world. It has a modular design with open interfaces and gives the flexibility to provide multimedia services over IP technology. At the same time, this open, emerging technology inherits the security challenges of the several communication platforms and protocols it is built on, such as IP, the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) Framework is to survey the potential attacks and security threats to IMS and to examine the security solutions developed by the IETF, 3GPP and TISPAN. This research work incorporates these solutions into the SSP Framework to secure IMS and the next-generation Service Delivery Platform (SDP). We define this part as level 1 security protection: user and network authentication, authorization to access multimedia services, and confidentiality and integrity protection against eavesdropping, session hijacking and man-in-the-middle attacks. In the next step we investigated the limitations of level 1 security and the improvements it needs, and proposed an enhancement and extension as level 2 security by developing an Intrusion Detection and Prevention (IDP) system against Denial-of-Service (DoS) and Distributed DoS (DDoS) flooding attacks, misuse and fraud in IMS-based networks. These security threats have recently been identified by 3GPP and TISPAN, but no solution has been recommended or developed, so our solution may be considered as a recommendation for future work.
Our approach is based on developing both a stateless and a stateful intrusion detection and prevention system. From the development point of view, we have divided the work into two modules. The first module is IDP-Core, which addresses and mitigates flooding attacks in the IMS core; its objective is to protect IMS resources and the IMS core entities from DoS/DDoS flooding attacks. This module is based on an online stateless detection methodology and is activated when the CPU processing load of the P-CSCF (Proxy-Call Session Control Function) reaches or crosses a defined threshold. The second module is IDP-AS, which addresses and mitigates misuse attacks against the IMS Application Servers (AS); its focus is to secure the ISC interface between the IMS core and the application servers. This module is based on a stateful misuse detection methodology: it creates and compares the state of the user (partner) as he/she is communicating with …
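To make the two detection styles concrete, here is an added illustration in Python. It is not code from the thesis or from the FOKUS testbed; it assumes a P-CSCF CPU-load activation threshold of 80%, a flood limit of five requests per source inside a one-second window, and a small SIP dialog state machine keyed on Call-ID. The SIP messages are constructed for the example, not captured traffic. The stateless module (IDP-Core in the text) keeps only a per-source request counter and does nothing while the CPU load is below the threshold; the stateful module (IDP-AS) keeps a record per dialog and compares every later request against it, so a BYE for a dialog that was never set up, or a request from a party outside the dialog, is reported as misuse.

```python
from collections import defaultdict, deque


def parse_sip(raw):
    """Parse a SIP request into the fields the two detectors need.
    Only the request line and a few headers are read; tags and parameters
    are stripped from From/To so both parties compare by bare URI."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split(" ", 2)
    hdrs = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()

    def party(h):
        return hdrs.get(h, "").split(";")[0].strip("<> ")

    return {"method": method, "uri": uri, "call_id": hdrs.get("call-id", ""),
            "from": party("from"), "to": party("to")}


class FloodDetector:
    """IDP-Core (stateless): counts requests per source inside a sliding
    window. No dialog state is kept, so it is cheap enough to run inline;
    it is consulted only once the P-CSCF CPU load reaches cpu_threshold
    (assumed 80% here)."""

    def __init__(self, cpu_threshold=0.80, window=1.0, max_per_window=5):
        self.cpu_threshold, self.window = cpu_threshold, window
        self.max_per_window = max_per_window
        self.recent = defaultdict(deque)   # src -> timestamps inside window

    def check(self, cpu_load, t, src, msg):
        if cpu_load < self.cpu_threshold:
            return None                    # dormant below the load threshold
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()                    # drop timestamps outside the window
        if len(q) > self.max_per_window:
            return f"FLOOD src={src} {msg['method']} {len(q)} req/{self.window}s"
        return None


class DialogTracker:
    """IDP-AS (stateful): every dialog seen on the ISC interface gets a record
    keyed by Call-ID; each later request is compared against it. The allowed
    transitions below are an assumed, simplified subset of SIP dialog states."""
    NEXT = {("new", "INVITE"): "calling", ("calling", "ACK"): "established",
            ("calling", "CANCEL"): "terminated", ("calling", "BYE"): "terminated",
            ("established", "INVITE"): "established",   # re-INVITE
            ("established", "BYE"): "terminated"}

    def __init__(self):
        self.dialogs = {}                  # call_id -> {"state", "parties"}

    def check(self, msg):
        cid = msg["call_id"]
        d = self.dialogs.get(cid, {"state": "new", "parties": None})
        parties = frozenset((msg["from"], msg["to"]))   # order-free: BYE may come from either side
        if d["parties"] is not None and parties != d["parties"]:
            return f"MISUSE {cid}: {msg['method']} from outside the dialog"
        nxt = self.NEXT.get((d["state"], msg["method"]))
        if nxt is None:
            return f"MISUSE {cid}: {msg['method']} in state {d['state']}"
        self.dialogs[cid] = {"state": nxt, "parties": parties}
        return None


def run(events, cpu_load, flood=None, tracker=None):
    """Feed (time, src_ip, raw_sip) events through both modules; return alerts."""
    flood = flood or FloodDetector()
    tracker = tracker or DialogTracker()
    alerts = []
    for t, src, raw in events:
        msg = parse_sip(raw)
        for a in (flood.check(cpu_load, t, src, msg), tracker.check(msg)):
            if a:
                alerts.append(a)
    return alerts


def sip(method, call_id, frm, to):
    """Build a constructed SIP request (not a capture) for the examples."""
    return (f"{method} sip:{to} SIP/2.0\r\nCall-ID: {call_id}\r\n"
            f"From: <sip:{frm}>;tag=1\r\nTo: <sip:{to}>\r\nCSeq: 1 {method}\r\n")


# Constructed traffic: one legitimate call (INVITE, ACK, BYE from the callee),
# with two BYEs injected by a third party in between.
EVENTS = [(0.0, "10.0.0.2", sip("INVITE", "c1", "alice@ims.example", "bob@ims.example")),
          (0.2, "10.0.0.2", sip("ACK", "c1", "alice@ims.example", "bob@ims.example")),
          (4.0, "10.0.0.9", sip("BYE", "c1", "mallory@ims.example", "alice@ims.example")),
          (4.1, "10.0.0.9", sip("BYE", "zzz", "mallory@ims.example", "bob@ims.example")),
          (9.0, "10.0.0.3", sip("BYE", "c1", "bob@ims.example", "alice@ims.example"))]
# Constructed flood: one source sending six INVITEs inside one second.
FLOOD = [(20.0 + i * 0.1, "10.0.0.9",
          sip("INVITE", f"f{i}", "mallory@ims.example", "bob@ims.example")) for i in range(6)]

if __name__ == "__main__":
    print(run(EVENTS, cpu_load=0.95))   # two MISUSE alerts from the tracker
    print(run(FLOOD, cpu_load=0.95))    # FLOOD alert on the sixth INVITE
    print(run(FLOOD, cpu_load=0.30))    # same traffic, flood detector dormant
```

The split mirrors the cost argument in the text: the per-source counter needs no memory of sessions and can be switched on only under load, while the dialog tracker must hold a record for every open dialog on the ISC interface, which is affordable there because application-server traffic is far smaller than what the P-CSCF sees from the access network. A counter keyed on source address is of course blind to a flood spread across spoofed sources; that is the gap the stateful module and the thesis's per-user state are meant to cover.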
