Security issues like service misuse and fraud are well-known problems of SIP-based networks. To develop effective countermeasures, it is important to know how these attacks are launched in reality. To gather the required data, a specialized SIP Honeynet System has been running since January 2009 and has recorded over 58 million SIP messages. The analyses have shown that SIP-based misuse is typically performed as a multistage attack and that the IP address of the attacker changes before the actual Toll Fraud calls. To be able to correlate all attack stages despite intermediate changes of the attacker's IP address, we developed the new Dynamic Honeynet System (DHS), which reacts to the attackers' behaviour and reconfigures the Honeypot dynamically in real time to significantly improve the detection efficiency. We present the architecture and new features such as dynamic reconfiguration, and demonstrate its attack correlation capabilities. To realize this system, we developed a Sensor component. The Sensor provides active, signature-based monitoring to detect attacks in real time and controls the dynamic Honeypot.