Abstract
Flow monitoring helps to discover many network security threats targeted to various applications or network protocols. In this paper, we show usage of the flow data for analysis of a Voice over IP (VoIP) traffic and a threat detection. A traditionally used flow record is insufficient for this purpose and therefore it was extended by application-layer information. In particular, we focus on the Session Initiation Protocol (SIP) and the type of a toll-fraud in which an attacker tries to exploit poor configuration of a private branch exchange (PBX). The attacker’s motivation is to make unauthorized calls to PSTN numbers that are usually charged at high rates and owned by the attacker. As a result, a successful attack can cause a significant financial loss to the owner of PBX. We propose a method for stream-wise and near real-time analysis of the SIP traffic and detection of the described threat. The method was implemented as a module of the Nemea system and deployed on a backbone network. It was evaluated using simulated as well as real attacks.
Chapter PDF
Similar content being viewed by others
Keywords
- Session Initiation Protocol
- Session Initiation Protocol Server
- Monitoring Probe
- Session Initiation Protocol Message
- Real Attack
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Bartos, V., Zadnik, M., Cejka, T.: Nemea: Framework for stream-wise analysis of network traffic. Tech. rep., CESNET (2013)
CESNET: Nemea, https://www.liberouter.org/nemea/
Claise, B., et al.: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information. RFC 7011 (September 2013)
Communications Fraud Control Association: 2013 CFCA Global Fraud Loss Survey. Press release (October 2013), http://www.cfca.org/pdf/survey/CFCA2013GlobalFraudLossSurvey-pressrelease.pdf
El-moussa, F., Mudhar, P., Jones, A.: Overview of SIP attacks and countermeasures. In: Weerasinghe, D. (ed.) ISDF 2009. LNICST, vol. 41, pp. 82–91. Springer, Heidelberg (2010)
Gauci, S.: SIPVicious. Tools for auditing sip based voip systems (2012), https://code.google.com/p/sipvicious/
Hellemons, L., Hendriks, L., Hofstede, R., Sperotto, A., Sadre, R., Pras, A.: SSHCure: A Flow-Based SSH Intrusion Detection System. In: Sadre, R., Novotný, J., Čeleda, P., Waldburger, M., Stiller, B. (eds.) AIMS 2012. LNCS, vol. 7279, pp. 86–97. Springer, Heidelberg (2012)
Hoffstadt, D., Marold, A., Rathgeb, E.: Analysis of SIP-Based Threats Using a VoIP Honeynet System. In: Proccedings of the 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 541–548 (June 2012)
Hofstede, R., Celeda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A., Pras, A.: Flow monitoring explained: From packet capture to data analysis with netflow and ipfix. IEEE Communications Surveys Tutorials 16(4), 2037–2064 (2014)
INVEA-TECH a.s.: FlowMon Probe – High-performance NetFlow Probe up to 10 Gbps, http://www.invea-tech.com/products-and-services/flowmon/flowmon-probes
KaplanSoft: SipCLI, http://www.kaplansoft.com/sipcli/
Keromytis, A.D.: A comprehensive survey of voice over ip security research. IEEE Communications Surveys & Tutorials 14(2), 514–537 (2012)
Ohlmeier, N.: SIP Swiss Army Knife (Sipsak), http://sourceforge.net/projects/sipsak.berlios/
Velan, P., Čeleda, P.: Next generation application-aware flow monitoring. In: Sperotto, A., Doyen, G., Latré, S., Charalambides, M., Stiller, B. (eds.) AIMS 2014. LNCS, vol. 8508, pp. 173–178. Springer, Heidelberg (2014)
VoP Security: SiVuS (SiP Vulnerability Scanner) – User Guide v1.07, http://www.voip-security.net/pdfs/SiVuS-User-Doc1.7.pdf
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 IFIP International Federation for Information Processing
About this paper
Cite this paper
Cejka, T., Bartos, V., Truxa, L., Kubatova, H. (2015). Using Application-Aware Flow Monitoring for SIP Fraud Detection. In: Latré, S., Charalambides, M., François, J., Schmitt, C., Stiller, B. (eds) Intelligent Mechanisms for Network Configuration and Security. AIMS 2015. Lecture Notes in Computer Science(), vol 9122. Springer, Cham. https://doi.org/10.1007/978-3-319-20034-7_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-20034-7_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20033-0
Online ISBN: 978-3-319-20034-7
eBook Packages: Computer ScienceComputer Science (R0)