• DocumentCode
    3147878
  • Title

    SCIDIVE: a stateful and cross protocol intrusion detection architecture for voice-over-IP environments

  • Author

    Yu-Sung Wu ; Bagchi, Saurabh ; Garg, Shelly ; Singh, Navab

  • Author_Institution
    Sch. of Electr. & Comput. Eng., Purdue Univ., West Lafayette, IN, USA
  • fYear
    2004
  • fDate
    28 June-1 July 2004
  • Firstpage
    433
  • Lastpage
    442
  • Abstract
    Voice-over-IP (VoIP) systems are gaining in popularity as the technology for transmitting voice traffic over IP networks. As the popularity of VoIP systems increases, they are being subjected to different kinds of intrusions some of which are specific to such systems and some of which follow a general pattern. VoIP systems pose several new challenges to intrusion detection system (IDS) designers. First, these systems employ multiple protocols for call management (e.g., SIP) and data delivery (e.g., RTP). Second, the systems are distributed in nature and employ distributed clients, servers and proxies. Third, the attacks to such systems span a large class, from denial of service to billing fraud attacks. Finally, the systems are heterogeneous and typically under several different administrative domains. In this paper, we propose the design of an intrusion detection system targeted to VoIP systems, called SCIDIVE (pronounced "Skydive"). SCIDIVE is structured to detect different classes of intrusions, including, masquerading, denial of service, and media stream-based attacks. It can operate with both classes of protocols that compose VoIP systems - call management protocols (CMP), e.g., SIP, and media delivery protocols (MDP), e.g., RTP. SCIDIVE proposes two abstractions for VoIP IDS - stateful detection and cross-protocol detection. Stateful detection denotes assembling state from multiple packets and using the aggregated state in the rule-matching engine. Cross protocol detection denotes matching rules that span multiple protocols. SCIDIVE is demonstrated on a sample VoIP system that comprises SIP clients and SIP proxy servers with RTP as the data delivery protocol. Four attack scenarios are created and the accuracy and the efficiency of the system evaluated with rules meant to catch these attacks.
  • Keywords
    IP networks; Internet telephony; client-server systems; data communication; protocols; security of data; IP networks; SCIDIVE; SIP proxy servers; VoIP systems; billing fraud attacks; call management protocols; cross-protocol detection; data delivery; denial-of-service intrusion; intrusion detection; masquerading intrusion; media delivery protocols; media stream-based attacks; rule-matching engine; stateful detection; voice traffic transmition; voice-over-IP; Computer architecture; Computer crime; Computer networks; IP networks; Internet telephony; Intrusion detection; Protocols; Streaming media; Sun; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependable Systems and Networks, 2004 International Conference on
  • Print_ISBN
    0-7695-2052-9
  • Type

    conf

  • DOI
    10.1109/DSN.2004.1311913
  • Filename
    1311913