Project Title: Intrusion Detection for Voice-over-IP Systems

Description

Voice over IP (VoIP) systems are gaining in popularity as the technology for transmitting voice traffic over IP networks. As the popularity of VoIP systems increases and VoIP services become commercial, the systems are likely to be subjected to different kinds of intrusions, some of which are specific to such systems and some of which are shared with general-purpose data networks. Enormous strides have been made in the field of intrusion detection systems (IDS) for general-purpose data networks. However, intrusion detection systems and intrusion prevention systems (IPS) for VoIP systems have lagged far behind. VoIP systems pose several new challenges to IDS and IPS designers. First, these systems employ separate classes of protocols for call management (signalling) and data (media) delivery, and within each class there may be multiple protocols co-existing in the same system. Second, the systems are distributed in nature and employ distributed clients, servers, and proxies, thereby increasing the number of access points available to an adversary. Third, VoIP traffic is delay sensitive, so a denial of service is easier to launch than in conventional networks: an attacker need only increase the latency or the jitter of the packets rather than stop them altogether. Finally, the systems are heterogeneous and typically span several administrative domains, e.g., the proxy server may be provided by the service provider while the client is managed by the home organization.

We have been developing a system for intrusion detection and intrusion prevention customized to VoIP systems, called SpaceDive. The system comprises multiple components distributed among the end clients and the servers. SpaceDive provides fast matching of network packets at a host against a rulebase specified in a novel language, coordination among multiple components to detect attacks that manifest themselves at multiple points of the network, and a mechanism for aborting an attack based on its initial symptoms. At the next level of sophistication, SpaceDive is extended to learn to detect previously unknown attacks: it uses machine-learning clustering to build profiles of legitimate behavior and to detect spam VoIP calls.
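The following is an added example written for this page, not SpaceDive's own code or rule language, of the kind of lightweight host-side rule matching over call-management traffic described above. It assumes SIP as the signalling protocol (the page does not name one) and runs three constructed rules over constructed SIP requests: a malformed-message check, an INVITE-rate rule for the flood/delay symptom, and a caller fan-out rule as a crude spam-call indicator. Thresholds, time windows, addresses and messages are all assumptions chosen for the demonstration; the windows are deliberately small so the sample trace triggers every rule.

```python
"""Host-side SIP rule matcher: an added illustration, not SpaceDive code.
All thresholds, addresses and sample messages are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Headers every SIP request must carry (RFC 3261); Contact/Max-Forwards omitted to keep it short.
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")


@dataclass
class SipEvent:
    t: float       # arrival time in seconds (constructed clock)
    src: str       # source IP of the packet
    method: str    # SIP request method, e.g. INVITE
    headers: dict  # header name -> value


def parse_sip(t, src, raw):
    """Parse the request line and headers of one SIP request into a SipEvent."""
    lines = raw.strip().splitlines()
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return SipEvent(t, src, method, headers)


class Detector:
    """Stateful rule matcher. Every rule costs a dict lookup plus a deque trim,
    the kind of per-packet budget a constrained client phone can afford."""

    def __init__(self, flood_threshold=5, flood_window=2.0,
                 spit_threshold=4, spit_window=60.0):
        self.flood_threshold, self.flood_window = flood_threshold, flood_window
        self.spit_threshold, self.spit_window = spit_threshold, spit_window
        self.invites_by_src = defaultdict(deque)     # src -> INVITE timestamps
        self.callees_by_caller = defaultdict(deque)  # From -> (t, To) pairs

    @staticmethod
    def _trim(dq, now, window, key=lambda x: x):
        """Drop entries older than the sliding window."""
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def process(self, ev):
        """Apply all rules to one event; return a list of (rule, detail) alerts."""
        alerts = []
        missing = [h for h in REQUIRED_HEADERS if h not in ev.headers]
        if missing:
            alerts.append(("malformed", f"{ev.src} missing {missing}"))
            return alerts  # do not feed malformed requests into the rate rules
        if ev.method == "INVITE":
            # Rule 1: INVITE flood from one source within flood_window seconds.
            dq = self.invites_by_src[ev.src]
            dq.append(ev.t)
            self._trim(dq, ev.t, self.flood_window)
            if len(dq) >= self.flood_threshold:
                alerts.append(("invite_flood",
                               f"{ev.src} sent {len(dq)} INVITEs in {self.flood_window}s"))
            # Rule 2: one caller dialling many distinct callees (spam-call fan-out).
            caller = ev.headers["From"]
            cq = self.callees_by_caller[caller]
            cq.append((ev.t, ev.headers["To"]))
            self._trim(cq, ev.t, self.spit_window, key=lambda x: x[0])
            distinct = {to for _, to in cq}
            if len(distinct) >= self.spit_threshold:
                alerts.append(("spit_fanout",
                               f"{caller} called {len(distinct)} distinct callees in {self.spit_window}s"))
        return alerts


def invite(call_id, frm, to):
    """Build a minimal, well-formed INVITE (constructed sample, example.test domain)."""
    return (f"INVITE sip:{to} SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:{frm}>;tag=1\r\nTo: <sip:{to}>\r\nCall-ID: {call_id}@example.test\r\nCSeq: 1 INVITE\r\n")


def run_demo():
    """Constructed trace: one normal call, an INVITE flood, a spam-like sweep, one malformed request."""
    det = Detector()
    events = [parse_sip(0.0, "10.0.0.5", invite("c1", "alice@example.test", "bob@example.test"))]
    events += [parse_sip(10.0 + i * 0.25, "10.0.0.9",           # 6 INVITEs in 1.25 s
                         invite(f"f{i}", "mallory@example.test", "bob@example.test")) for i in range(6)]
    events += [parse_sip(100.0 + i * 8.0, "10.0.0.7",           # 5 callees in 32 s, below flood rate
                         invite(f"s{i}", "spam@example.test", f"user{i}@example.test")) for i in range(5)]
    events.append(parse_sip(200.0, "10.0.0.3",                   # no Call-ID, no CSeq
                            "INVITE sip:bob@example.test SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.3\r\n"
                            "From: <sip:x@example.test>\r\nTo: <sip:bob@example.test>\r\n"))
    alerts = []
    for ev in events:
        alerts.extend(det.process(ev))
    return alerts


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(rule, detail)
```

The fan-out rule is only a stand-in for the clustering-based profiling the page mentions; it shows the kind of per-caller state a behaviour profile has to maintain, not how legitimate profiles would be learned.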

The requirements driving the design of SpaceDive are outlined below.

  1. The mechanisms should be light-weight in terms of the computational load on the hosts as well as the consumption of memory resources. This makes the system suitable for client phones of different form factors and keeps it from interfering with the real-time nature of the traffic.
  2. The mechanisms should be extendible to the different protocols within each class, call management (CMP) or media delivery (MDP), that co-exist in the same VoIP application. The system should also be able to handle translation between VoIP and PSTN traffic.
  3. The system should sacrifice generality for efficiency in detecting and preventing VoIP attacks. This entails design decisions such as removing support for matching some classes of patterns in the detector and changing the priority of rule matching.

Our current work is focusing on the following directions.

  1. Detection of SPIT (Spam over Internet Telephony) calls.
  2. Development of a testbed and a rigorous evaluation tool for VoIP systems.

Current Students: Yu-Sung Wu (PhD), Ratsameetip Wita (Exchange student)
Collaborators: Navjot Singh (Avaya)

Past Students: Vinita Apte (MS)

Papers: See here.