DocumentCode
3147878
Title
SCIDIVE: a stateful and cross protocol intrusion detection architecture for voice-over-IP environments
Author
Yu-Sung Wu ; Bagchi, Saurabh ; Garg, Shelly ; Singh, Navab
Author_Institution
Sch. of Electr. & Comput. Eng., Purdue Univ., West Lafayette, IN, USA
fYear
2004
fDate
28 June-1 July 2004
Firstpage
433
Lastpage
442
Abstract
Voice-over-IP (VoIP) systems are gaining in popularity as the technology for transmitting voice traffic over IP networks. As the popularity of VoIP systems increases, they are being subjected to different kinds of intrusions some of which are specific to such systems and some of which follow a general pattern. VoIP systems pose several new challenges to intrusion detection system (IDS) designers. First, these systems employ multiple protocols for call management (e.g., SIP) and data delivery (e.g., RTP). Second, the systems are distributed in nature and employ distributed clients, servers and proxies. Third, the attacks to such systems span a large class, from denial of service to billing fraud attacks. Finally, the systems are heterogeneous and typically under several different administrative domains. In this paper, we propose the design of an intrusion detection system targeted to VoIP systems, called SCIDIVE (pronounced "Skydive"). SCIDIVE is structured to detect different classes of intrusions, including, masquerading, denial of service, and media stream-based attacks. It can operate with both classes of protocols that compose VoIP systems - call management protocols (CMP), e.g., SIP, and media delivery protocols (MDP), e.g., RTP. SCIDIVE proposes two abstractions for VoIP IDS - stateful detection and cross-protocol detection. Stateful detection denotes assembling state from multiple packets and using the aggregated state in the rule-matching engine. Cross protocol detection denotes matching rules that span multiple protocols. SCIDIVE is demonstrated on a sample VoIP system that comprises SIP clients and SIP proxy servers with RTP as the data delivery protocol. Four attack scenarios are created and the accuracy and the efficiency of the system evaluated with rules meant to catch these attacks.
Keywords
IP networks; Internet telephony; client-server systems; data communication; protocols; security of data; IP networks; SCIDIVE; SIP proxy servers; VoIP systems; billing fraud attacks; call management protocols; cross-protocol detection; data delivery; denial-of-service intrusion; intrusion detection; masquerading intrusion; media delivery protocols; media stream-based attacks; rule-matching engine; stateful detection; voice traffic transmition; voice-over-IP; Computer architecture; Computer crime; Computer networks; IP networks; Internet telephony; Intrusion detection; Protocols; Streaming media; Sun; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Dependable Systems and Networks, 2004 International Conference on
Print_ISBN
0-7695-2052-9
Type
conf
DOI
10.1109/DSN.2004.1311913
Filename
1311913
Link To Document