Five Significant Publications

[1] Saurabh Bagchi, Yu-Sung Wu (Purdue U., USA), Sachin Garg, Navjot Singh, and Tim Tsai (Avaya Labs, USA) “SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments,” In Proceedings of the IEEE Dependable Systems and Networks Conference (DSN), pp. 401-410, June 28-July 1, 2004, Florence, Italy. (Acceptance rate: 58/276 = 21.0%)


Problem Statement: Many critical parts of our information infrastructure comprise distributed computer systems with myriad application-level and system-level components deployed on multiple platforms. These infrastructures are vulnerable to subtle attacks of a multi-step nature: the attacker gains elevated privileges on some front-facing computing service, then "hops" onto internal services, and ultimately reaches the attack goal, such as exfiltrating sensitive data. This attack model has spurred the development of collaborative intrusion detection systems (CIDS). The main advantages of collaboration for intrusion detection and prevention are the scalability of the solutions as well as robustness and availability, e.g., due to the absence of a single point of failure. CIDS can also compensate for the lack of central components, e.g., in embedded wireless networks where there are no centralized entities to rely on. The second main advantage is that collaboration can compensate for the shortcomings of individual detectors, both in terms of missed alarms and false alarms.

At the time of this work, Voice over IP (VoIP) systems were gaining in popularity as the technology for transmitting voice traffic over IP networks, and they are now ubiquitous. As the popularity of VoIP systems increased, they were being subjected to different kinds of intrusions, some of which are specific to such systems and some of which follow a general pattern. VoIP systems posed several new challenges to Intrusion Detection System (IDS) designers. First, these systems employ multiple protocols for call management (e.g., SIP) and data delivery (e.g., RTP). Second, the systems are distributed in nature and employ distributed clients, servers, and proxies. Third, the attacks on such systems span a large class, from denial of service to billing fraud. Finally, the systems are heterogeneous and typically under several different administrative domains.

Contribution of Paper: SCIDIVE proposed two abstractions for VoIP IDS – stateful detection and cross-protocol detection. Stateful detection denotes the functionality of assembling state from multiple packets and using the aggregated state in the rule-matching engine. Cross-protocol detection denotes the functionality of matching rules that span multiple protocols, e.g., detecting a pattern in a SIP packet, followed by one in a succeeding RTP packet, followed by one in an RTCP packet. The aggregation across protocols can be chained to arbitrary length and spread out in time. This abstraction turned out to be powerful for VoIP systems because they involve multiple protocols and several attacks are based on sequences that cross protocol boundaries.
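To make the two abstractions concrete, here is a small stateful, cross-protocol rule engine in Python. It is an added illustration written for this page, not code from the SCIDIVE paper or from Avaya, and the packet structure, the rule format, the two rules and the sample traffic are all assumptions constructed for the example. Per-call state is aggregated from SIP, RTP and RTCP packets (stateful detection), and a rule is an ordered chain of per-protocol predicates that must match within a time window (cross-protocol detection). One constructed rule flags media (RTP) that continues after the SIP dialog has been torn down with BYE; the other flags an RTP stream for which no SIP INVITE was ever observed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed, simplified packet representation: in a real deployment these fields
# would come from SIP/RTP/RTCP decoders; here they are constructed by hand.
@dataclass
class Packet:
    proto: str          # "SIP", "RTP" or "RTCP"
    call_id: str        # key tying packets of one call together (assumption)
    ts: float           # arrival time in seconds
    fields: dict        # protocol-specific decoded fields

@dataclass
class CallState:
    """Aggregated state for one call, built up across protocols."""
    last_seen: Dict[str, Packet] = field(default_factory=dict)   # proto -> last packet
    sip_methods: List[str] = field(default_factory=list)         # SIP methods in order
    progress: Dict[str, Tuple[int, Optional[float]]] = field(default_factory=dict)
    fired: set = field(default_factory=set)                      # rules already alerted

Predicate = Callable[[Packet, CallState], bool]

@dataclass
class Rule:
    name: str
    steps: List[Tuple[str, Predicate]]   # (protocol, predicate) matched in order
    max_span: float                      # seconds within which the chain must complete

class StatefulCrossProtocolIDS:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.calls: Dict[str, CallState] = {}
        self.alerts: List[dict] = []

    def feed(self, pkt: Packet) -> None:
        st = self.calls.setdefault(pkt.call_id, CallState())
        # Stateful part: fold this packet into the call's aggregated state.
        st.last_seen[pkt.proto] = pkt
        if pkt.proto == "SIP" and "method" in pkt.fields:
            st.sip_methods.append(pkt.fields["method"])
        # Cross-protocol part: advance every rule's chain against this packet.
        for rule in self.rules:
            if rule.name not in st.fired:
                self._advance(rule, pkt, st)

    def _advance(self, rule: Rule, pkt: Packet, st: CallState) -> None:
        idx, first_ts = st.progress.get(rule.name, (0, None))
        if first_ts is not None and pkt.ts - first_ts > rule.max_span:
            idx, first_ts = 0, None          # chain took too long; restart it
        proto, pred = rule.steps[idx]
        if pkt.proto == proto and pred(pkt, st):
            first_ts = pkt.ts if first_ts is None else first_ts
            idx += 1
            if idx == len(rule.steps):       # whole chain matched -> alert once per call
                self.alerts.append({"rule": rule.name, "call_id": pkt.call_id, "ts": pkt.ts})
                st.fired.add(rule.name)
                idx, first_ts = 0, None
        st.progress[rule.name] = (idx, first_ts)

# Constructed rules (assumptions for illustration, not the paper's rule language).
RULES = [
    # SIP BYE followed by RTP on the same call within 5 s: media after teardown.
    Rule("media-after-bye",
         steps=[("SIP", lambda p, st: p.fields.get("method") == "BYE"),
                ("RTP", lambda p, st: True)],
         max_span=5.0),
    # RTP arriving for a call whose aggregated state shows no SIP INVITE at all.
    Rule("rtp-without-dialog",
         steps=[("RTP", lambda p, st: "INVITE" not in st.sip_methods)],
         max_span=0.0),
]

# Constructed sample traffic: one normal call that keeps streaming after BYE,
# and one RTP stream that never had a SIP dialog.
SAMPLE_TRAFFIC = [
    Packet("SIP",  "call-A", 0.0, {"method": "INVITE"}),
    Packet("SIP",  "call-A", 0.2, {"status": 200}),
    Packet("RTP",  "call-A", 0.5, {"ssrc": 0x1111, "seq": 1}),
    Packet("RTCP", "call-A", 1.0, {"type": "SR"}),
    Packet("SIP",  "call-A", 2.0, {"method": "BYE"}),
    Packet("RTP",  "call-A", 2.4, {"ssrc": 0x1111, "seq": 40}),   # continues after BYE
    Packet("RTP",  "call-B", 3.0, {"ssrc": 0x2222, "seq": 1}),    # no SIP setup at all
]

def detect(packets: List[Packet], rules: List[Rule] = RULES) -> List[dict]:
    """Run the engine over a packet sequence and return the alerts raised."""
    ids = StatefulCrossProtocolIDS(rules)
    for pkt in packets:
        ids.feed(pkt)
    return ids.alerts

def run_demo() -> List[dict]:
    return detect(SAMPLE_TRAFFIC)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The design point to note is that neither rule could be expressed over a single packet in isolation: "RTP after BYE" needs the SIP-side state (the BYE) to be retained and then consulted when an RTP packet arrives, and "RTP without a dialog" needs the history of SIP methods for the call. The time window on each chain keeps stale partial matches from accumulating indefinitely.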

The work led to some patents filed jointly with Avaya and a feature designed for Avaya phones to detect and terminate spurious calls.