An intrusion detection and prevention system for IMS and VoIP services

Voice over IP (VoIP) environments, and more recent ones such as the IP Multimedia Subsystem (IMS), are deployed to provide inexpensive yet high-quality services to their users. Video calls, conferences, and applications can be provided to mobile devices with the lowest possible delay, while Quality of Service (QoS) remains the top priority for users and providers. To this end, these infrastructures use the Session Initiation Protocol (SIP) for signaling handshakes, since it is the most flexible and lightweight protocol available. However, according to many studies, it is vulnerable to many attacks that threaten the system's security and availability. In this paper, we introduce a cross-layer mechanism that is able to mitigate, in real time, spoofing attacks such as SIP signaling, identity theft, masquerading, and man-in-the-middle, as well as single- and distributed-source flooding. It consists of three components: the policy enforcer, which acts as a blacklist, and the spoofing and flooding modules. We also introduce a classification of SIP flooding attacks to better represent the detection coverage. To the best of our knowledge, the proposed detection system is the most complete and accurate in terms of the range of attacks it is able to deter. Concerning its performance, it requires neither computationally expensive calculations nor resource-demanding security protocols, and is thus a lightweight mechanism. The experimental results have demonstrated high detection rates with false alarm rates approaching zero. Finally, it is platform independent and transparent to network operations, and can thus be deployed in both VoIP and IMS environments.
