RTP-miner: a real-time security framework for RTP fuzzing attacks

The Real-time Transport Protocol (RTP) is the widely adopted standard for carrying multimedia traffic in Internet telephony (commonly known as VoIP). This makes it an attractive target for attackers, who can launch different types of Denial of Service (DoS) attacks to disrupt communication, resulting not only in substantial revenue loss for VoIP operators but also in undermining the reliability of VoIP infrastructure. The major contribution of this paper is an online framework, RTP-Miner, that detects RTP fuzzing attacks in real time, so that such attacks cannot deny service to legitimate users. RTP-Miner detects both header and payload fuzzing attacks. Fuzzing of the RTP header is detected by combining well-known distance measures with a decision-tree classifier, whereas payload fuzzing is detected through a novel Markov state-space model at the receiver. We evaluate RTP-Miner on a real-world RTP traffic dataset. The results show that RTP-Miner detects fuzzing in the RTP header with more than 98% accuracy and less than 0.1% false alarm rate even when only 3% fuzzing is introduced. For the same fuzzing rate, it detects payload fuzzing, a significantly more challenging problem, with more than 80% accuracy and less than 2% false alarm rate. RTP-Miner has low memory and processing overheads, which make it well suited for deployment in real-world VoIP infrastructure.
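As an added illustration (not the paper's own code), the following shows the shape of a receiver-side detector of the kind the abstract describes: an RFC 3550 fixed-header parser with a coarse header sanity check, and a first-order byte-level Markov model that scores a payload by how surprising its byte transitions are under a model trained on benign traffic, with the alarm threshold calibrated on benign payloads. The smoothing, the threshold rule, `classify`, `make_packet` and the synthetic sine-tone payloads are assumptions chosen for the example; the abstract does not specify the paper's model, features or thresholds.

```python
import math
import struct
from collections import defaultdict

def parse_rtp_header(pkt: bytes) -> dict:
    """Split a packet into its RFC 3550 fixed-header fields and the payload."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    hdr = {"version": b0 >> 6, "padding": (b0 >> 5) & 1, "extension": (b0 >> 4) & 1,
           "cc": b0 & 0x0F, "marker": b1 >> 7, "pt": b1 & 0x7F, "seq": seq,
           "timestamp": ts, "ssrc": ssrc}
    hdr["payload"] = pkt[12 + 4 * hdr["cc"]:]  # skip the CSRC list, if any
    return hdr

class PayloadMarkovModel:
    """First-order Markov chain over payload byte values (256 states); assumed design."""
    def __init__(self, alpha: float = 0.1):
        self.alpha = alpha  # additive smoothing keeps unseen transitions non-zero
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)
        self.threshold = math.inf  # nothing is flagged until calibrate() runs
    def train(self, payload: bytes) -> None:
        for a, b in zip(payload, payload[1:]):
            self.counts[a][b] += 1
            self.totals[a] += 1
    def surprise(self, payload: bytes) -> float:
        """Mean negative log-probability per transition; high = unlike the codec."""
        nll = sum(-math.log((self.counts[a][b] + self.alpha)
                            / (self.totals[a] + 256 * self.alpha))
                  for a, b in zip(payload, payload[1:]))
        return nll / max(len(payload) - 1, 1)
    def calibrate(self, benign: list, margin: float = 0.5) -> float:
        """Alarm threshold: worst benign calibration score plus a safety margin."""
        self.threshold = max(self.surprise(p) for p in benign) * (1 + margin)
        return self.threshold

def classify(model: PayloadMarkovModel, pkt: bytes, expected_pt: int) -> str:
    """Coarse header sanity check first, then the payload Markov score."""
    hdr = parse_rtp_header(pkt)
    if hdr["version"] != 2 or hdr["pt"] != expected_pt:
        return "header-anomaly"
    return "payload-fuzzed" if model.surprise(hdr["payload"]) > model.threshold else "ok"

def make_packet(seq: int, payload: bytes, pt: int = 0) -> bytes:
    """Constructed packet: V=2, no padding/extension/CSRC, marker=0, fixed SSRC."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, 0x1234ABCD) + payload

def synthetic_tone(phase: int, n: int = 160) -> bytes:
    """Constructed stand-in for a 20 ms frame of 8-bit audio: a smooth sine."""
    return bytes(128 + int(40 * math.sin((i + phase) / 5)) for i in range(n))
```

Train on a few frames of codec-like traffic, calibrate, and a payload whose byte transitions never occur in benign traffic scores far above the threshold while benign frames stay below it.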
