Five Significant Publications
[1] Saurabh Bagchi, Yu-Sung Wu (Purdue U., USA), Sachin Garg, Navjot Singh, and Tim Tsai (Avaya Labs, USA), "SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments," in Proceedings of the IEEE Dependable Systems and Networks Conference (DSN), pp. 401-410, June 28-July 1, 2004, Florence, Italy. (Acceptance rate: 58/276 = 21.0%)
Problem Statement: Many critical parts of our information infrastructure comprise distributed computer systems with myriad application-level and system-level components deployed on multiple platforms. These infrastructures are vulnerable to subtle, multi-step attacks: the attacker gains elevated privileges on some front-facing computing service, then "hops" onto internal services, and ultimately reaches the attack goal, such as exfiltrating sensitive data. This attack model has spurred the development of collaborative intrusion detection systems (CIDS). The main advantages of collaboration for intrusion detection and prevention are the scalability of the solutions as well as their robustness and availability, e.g., because there is no single point of failure. CIDS can also compensate for the lack of central components, e.g., in embedded wireless networks where there are no centralized entities to rely on. A further advantage is that collaboration can compensate for the shortcomings of individual detectors, both in terms of missed alarms and false alarms.
At the time of this work, Voice over IP (VoIP) systems were gaining in popularity as the technology for transmitting voice traffic over IP networks, and now they are ubiquitous. As the popularity of VoIP systems increased, they were being subjected to different kinds of intrusions, some of which are specific to such systems and some of which follow a general pattern. VoIP systems posed several new challenges to Intrusion Detection System (IDS) designers. First, these systems employ multiple protocols for call management (e.g., SIP) and data delivery (e.g., RTP). Second, the systems are distributed in nature and employ distributed clients, servers, and proxies. Third, the attacks on such systems span a large class, from denial of service to billing fraud. Finally, the systems are heterogeneous and typically fall under several different administrative domains.
Contribution of Paper: SCIDIVE proposed two abstractions for VoIP IDS: stateful detection and cross-protocol detection. Stateful detection denotes the functionality of assembling state from multiple packets and using the aggregated state in the rule-matching engine. Cross-protocol detection denotes the functionality of matching rules that span multiple protocols, e.g., detecting a pattern in a SIP packet followed by one in a succeeding RTP packet followed by one in an RTCP packet. The aggregation across protocols can be chained in an arbitrarily long manner and spread out in time. This abstraction turned out to be powerful for VoIP systems because they involve multiple protocols and several attacks are based on sequences that cross protocol boundaries.
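To make the two abstractions concrete, here is an added illustration (not code from the SCIDIVE paper or from Avaya) of a minimal stateful, cross-protocol rule engine: SIP packets build per-call state, and each RTP packet is then checked against that state, so a single rule spans both protocols. The packet records and the SIP-to-RTP binding via the SDP media port are constructed, simplified assumptions.

```python
# Constructed, simplified packet records (assumption: a parser front-end has already
# extracted these fields). 'media_port' is the RTP port announced in the SIP body.
PACKETS = [
    {"proto": "SIP", "method": "INVITE", "call_id": "c1", "media_port": 5004},
    {"proto": "SIP", "method": "200", "call_id": "c1"},    # call answered
    {"proto": "RTP", "dst_port": 5004, "seq": 1},          # legitimate media
    {"proto": "RTP", "dst_port": 5004, "seq": 2},
    {"proto": "SIP", "method": "BYE", "call_id": "c1"},    # call torn down
    {"proto": "RTP", "dst_port": 5004, "seq": 3},          # media after teardown
    {"proto": "RTP", "dst_port": 6000, "seq": 1},          # media with no signaling
]


class CrossProtocolDetector:
    """Stateful engine: SIP packets advance a per-call state machine; RTP packets
    are matched against that aggregated state (the cross-protocol rule)."""

    def __init__(self):
        self.calls = {}         # call_id -> {"state": ..., "media_port": ...}
        self.port_to_call = {}  # media_port -> call_id (the SIP/RTP binding)
        self.alerts = []

    def feed(self, pkt):
        if pkt["proto"] == "SIP":
            self._on_sip(pkt)
        elif pkt["proto"] == "RTP":
            self._on_rtp(pkt)

    def _on_sip(self, pkt):
        cid = pkt["call_id"]
        if pkt["method"] == "INVITE":
            self.calls[cid] = {"state": "SETUP", "media_port": pkt["media_port"]}
            self.port_to_call[pkt["media_port"]] = cid
        elif pkt["method"] == "200" and cid in self.calls:
            self.calls[cid]["state"] = "ACTIVE"
        elif pkt["method"] == "BYE" and cid in self.calls:
            self.calls[cid]["state"] = "TORN_DOWN"

    def _on_rtp(self, pkt):
        cid = self.port_to_call.get(pkt["dst_port"])
        if cid is None:
            self.alerts.append(("RTP_WITHOUT_SIGNALING", pkt["dst_port"]))
        elif self.calls[cid]["state"] != "ACTIVE":
            self.alerts.append(("RTP_OUTSIDE_ACTIVE_CALL", cid))


def run(packets):
    """Feed a packet stream through the detector and return the alerts raised."""
    det = CrossProtocolDetector()
    for pkt in packets:
        det.feed(pkt)
    return det.alerts
```

Running `run(PACKETS)` flags the RTP packet that continues after the BYE and the RTP stream that no SIP dialog ever set up; neither would be visible to a single-packet, single-protocol matcher.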
The work led to some patents filed jointly with Avaya and a feature designed for Avaya phones to detect and terminate spurious calls.