A Lightweight Privacy Preserving Approach for Analyzing Communication Records to Prevent VoIP Attacks Using Toll Fraud as an Example

Voice-over-IP systems are quite frequently attacked with the intent of service theft. While VoIP security has been intensively researched in the past, devised solutions often demand significant changes to the VoIP systems. In addition, several solutions propose the filtering of telephone calls, but these solutions only have a limited focus on the privacy rights of the call participants. We propose a method for analyzing communication records with the primary purpose to prevent VoIP attacks. Moreover, our approach integrates with little effort into common VoIP usage scenarios. As an example we use the prevention of toll-fraud attacks as a running example. The analysis of the communication records, however, requires investigating personal information in the communication records, e.g., call habits and phone numbers. Consequently we give an overview of major US and EU laws and regulations to elicit privacy requirements. We also demonstrate how these requirements can be implemented using Comercial-Off-The-Shelf VoIP systems.

[1]  Alfred Kobsa,et al.  Privacy Considerations in Awareness Systems: Designing with Privacy in Mind , 2009, Awareness Systems.

[2]  Dogan Kesdogan,et al.  Privacy enhancing identity management: protection against re-identification and profiling , 2005, DIM '05.

[3]  Ying Chen,et al.  Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes , 2007, IEEE Transactions on Dependable and Secure Computing.

[4]  Gerald Quirchmayr,et al.  Transaction pseudonyms in mobile environments , 2007, Journal in Computer Virology.

[5]  American National Standard for Information Technology – Role Based Access Control , 2004 .

[6]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[7]  H. P Gassmann,et al.  OECD guidelines governing the protection of privacy and transborder flows of personal data , 1981 .

[8]  Andreas L. Opdahl,et al.  Experimental comparison of attack trees and misuse cases for security threat identification , 2009, Inf. Softw. Technol..

[9]  Eduardo B. Fernández,et al.  Security Patterns for Voice over IP Networks , 2007, 2007 International Multi-Conference on Computing in the Global Information Technology (ICCGI'07).

[10]  Gerald Quirchmayr,et al.  CDRAS: An Approach to Dealing with Man-in-the-Middle Attacks in the Context of Voice over IP , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[11]  Joseph Gray Jackson,et al.  Privacy and Freedom , 1968 .

[12]  Christoph Sorge,et al.  The Legal Ramifications of Call-Filtering Solutions , 2010, IEEE Security & Privacy.

[13]  H. Nissenbaum Privacy as contextual integrity , 2004 .

[14]  Herbert Burkert,et al.  Some Preliminary Comments on the DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. , 1996 .

[15]  Dongwook Shin,et al.  Progressive multi gray-leveling: a voice spam protection algorithm , 2006, IEEE Network.

[16]  Marit Hansen,et al.  Privacy and Identity Management , 2008, IEEE Security & Privacy.

[17]  염흥렬,et al.  [서평]「Applied Cryptography」 , 1997 .

[18]  Wouter Joosen,et al.  A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements , 2011, Requirements Engineering.