Social Behavior Analysis of VoIP Users and its application to Malicious Users Detection (Extended Version - V1.0)

IP telephony has become very popular, and Session Initiation Protocol (SIP)-based telephony systems are almost replacing traditional PSTN systems. Because the protocol is so widespread and ubiquitous, its resilience and security in the presence of incorrect, malformed or malicious messages is fundamental for the correct management of a network. This is of particular importance for session-based applications, since they appear to be much more sensitive not only to malicious attacks, but also to errors and even to incorrect interpretation of the standard. In-depth knowledge of network behavior is a primary requirement for designing and tuning any attack or anomaly detection system. In the context of VoIP, traffic analysis plays a very significant role because, unlike traditional telephony, SIP-based VoIP traffic does not follow any generic model that describes its characteristics. To this end, we have performed a thorough analysis of SIP traces captured from the VoIP network of our institution. Here, we use social network analysis techniques to capture the relationship behavior of users and to explore distinct behavioral patterns of users inside the VoIP network. Knowledge about the normal behavior of the system and its users, gained from the traffic analysis, is helpful in detecting intrusions and anomalies. In this paper, we also present an anomaly detection architecture in which we train an automated machine with the normal behavioral pattern of the users. The machine, thus trained, is capable of identifying malicious users.
