Towards a Forensic Analysis for Multimedia Communication Services

No matter how robust the employed security mechanisms are, malicious users or attackers will always find a way to bypass them. In addition, the National Institute of Standards and Technology notes that "in conjunction with appropriate tools & procedures, audit trail can assist in detecting security violation and flaws in applications". Until now, in Multimedia Communication Services (MCS) such as Voice over IP, audit trails have not been utilized in security audits, due to (a) the lack of appropriate analysis tools and (b) privacy restrictions. In this paper we report on the analysis of MCS audit trails by employing a novel method that identifies "uncommon" traffic indicating abnormal behaviour without violating users' privacy. We rely on entropy theory and the notion of "itself information" (self-information) to quantify the randomness of specific message segments, and we introduce the term "actual itself information" for assessing the randomness of an entire message. To protect users' privacy, we hash the audit trail's data. To evaluate the applicability of the proposed method we utilize an audit trail of a real MCS provider published by a honeypot project. Initial outcomes show the feasibility of employing such a method to recognize "uncommon" traffic recorded in MCS audit trails.
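The following Python example is added here to make the abstract's idea concrete; it is not the paper's own code or data. It pseudonymises each field of a constructed SIP audit trail with a keyed hash, builds per-field frequency tables over the hashed values, computes the Shannon self-information of each field value in bits, and sums the per-field values into a whole-message score (the fields are treated as independent, which is an assumption of this example, not a claim of the paper). Messages whose score lies far above the trail mean are reported as "uncommon". The audit trail, the field names, the key and the threshold rule are all constructed for illustration.

```python
"""Entropy-based screening of a pseudonymised SIP audit trail (added example)."""
import hashlib
import hmac
import math
import statistics
from collections import Counter

# Constructed sample audit trail: one tuple per logged SIP request,
# (method, request_uri, user_agent). Not a real provider's data.
AUDIT_TRAIL = (
    [("INVITE", "sip:1001@pbx.example", "Softphone/1.0")] * 5
    + [("REGISTER", "sip:pbx.example", "Softphone/1.0")] * 3
    + [("BYE", "sip:1001@pbx.example", "Softphone/1.0"),
       ("OPTIONS", "sip:100@pbx.example", "friendly-scanner")]  # the odd one out
)
FIELDS = ("method", "request_uri", "user_agent")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of one field value, so the analyst works on
    pseudonyms rather than user identifiers. The key stays with the provider."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def hash_trail(trail, key):
    """Replace every field of every message by its pseudonym."""
    return [dict(zip(FIELDS, (pseudonymise(v, key) for v in msg))) for msg in trail]


def field_distributions(hashed):
    """Per-field frequency tables over the whole (hashed) trail."""
    return {f: Counter(msg[f] for msg in hashed) for f in FIELDS}


def self_information(probability: float) -> float:
    """Shannon self-information in bits: rare values carry more bits."""
    return -math.log2(probability)


def message_information(msg, dists, n):
    """Whole-message randomness score: sum of per-field self-information,
    treating the fields as independent (an assumption of this example)."""
    return sum(self_information(dists[f][msg[f]] / n) for f in FIELDS)


def score_trail(trail, key=b"constructed-demo-key"):
    """Score every message in the trail; hashing does not change the
    frequency tables, so the scores do not depend on the key."""
    hashed = hash_trail(trail, key)
    dists = field_distributions(hashed)
    n = len(hashed)
    return [message_information(m, dists, n) for m in hashed]


def uncommon_messages(trail, key=b"constructed-demo-key", sigmas=2.0):
    """Indices of messages scoring more than `sigmas` population standard
    deviations above the trail mean (a simple constructed threshold rule)."""
    scores = score_trail(trail, key)
    mean = statistics.fmean(scores)
    sd = statistics.pstdev(scores)
    return [i for i, s in enumerate(scores) if s > mean + sigmas * sd]


if __name__ == "__main__":
    for i, s in enumerate(score_trail(AUDIT_TRAIL)):
        print(f"msg {i}: {s:.2f} bits")
    print("uncommon:", uncommon_messages(AUDIT_TRAIL))
```

In the constructed trail the five INVITEs score about 1.89 bits each, while the lone OPTIONS from an unknown user agent scores about 9.97 bits and is the only message flagged. Because the scores depend only on how often each pseudonym occurs, the same result is obtained for any hashing key, which is the property that lets the analysis run on hashed data without seeing the underlying identities.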
