Section: New Results
Voice over IP monitoring
Participants: Rémi Badonnel, Mohamed Nassar, Olivier Festor [contact].
We focus on designing solutions for the protection, detection and prevention of attacks against IP multimedia communications (often referred to as VoIP). The security risks are numerous; in particular we address SPIT (Spam over Internet Telephony), flooding and fraud. We have proposed to monitor inbound/outbound traffic and have developed a package for feature extraction from traces and mixed traces. We have also proposed to monitor the VoIP service infrastructure. Our approach reveals the state of a server (basically: normal vs. alert status) from a number of probes or statistics, which in several cases are provided by the server command interface or its management interface. The mathematical foundation of our approach is the theory of Support Vector Machines (SVM). We have also compared it with other machine learning techniques such as Naive Bayesian Trees (Chapter 8, http://tel.archives-ouvertes.fr/tel-00376831/fr/). A script to monitor OpenSIPS using a one-class SVM has been developed (http://www.loria.fr/~nassar/opensips_monitoring_scripts/monitoring_script_1.bash). We have implemented this approach in several exemplary VoIP enterprise networks (e.g. based on Asterisk, or on the triple OpenSIPS + MediaProxy + RADIUS). The normal traffic is generated by a number of VoIP bots that send and receive calls while respecting a statistical distribution (Poisson) and a social model. The malicious traffic is produced by hacking tools (http://www.hackingvoip.com/sec_tools.html) or by unexpected behaviour of the bots (Chapter 7, http://tel.archives-ouvertes.fr/tel-00376831/fr/). The experiments show that effective, real-time monitoring of servers is entirely possible. The selection and visualization of the statistics that contribute most to the detection is necessary to reveal the real sources of an attack and to remove them. We tested several feature selection techniques.
Experiments demonstrate that feature selection is important to increase detection accuracy and performance; at the same time it is useful for attack characterization and classification. A manageable framework (tools and deployment models) is useful for researchers in this field to implement, test and compare their approaches, especially since VoIP enterprises do not give access to their data and network traces for privacy reasons.
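The server-state classification described above (a one-class SVM over per-window server statistics, with the most deviating statistics ranked to point at the source of an alert), as an added example that is not the project's monitoring script: the statistic names, the window values and the small dependency-free one-class SVM solver are all constructed for illustration, not OpenSIPS counters or the script's own code.

```python
import math
import random

# Assumed per-window statistics (not real OpenSIPS counters): INVITE rate, REGISTER rate,
# share of 4xx/5xx responses, calls in progress.
FEATURES = ("invite_rate", "register_rate", "error_ratio", "active_calls")

def rbf(a, b, gamma):
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))

def project_capped_simplex(v, cap):
    """Nearest point to v with 0 <= a_i <= cap and sum a_i = 1 (bisection on a threshold)."""
    lo, hi = min(v) - cap, max(v)
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if sum(min(max(x - mid, 0.0), cap) for x in v) > 1.0 else (lo, mid)
    return [min(max(x - hi, 0.0), cap) for x in v]

class OneClassSVM:
    """One-class SVM trained on its dual by projected gradient descent (stand-in for a library solver)."""
    def __init__(self, nu=0.1, gamma=0.5, iters=500):
        self.nu, self.gamma, self.iters = nu, gamma, iters

    def _scale(self, row):  # standardise so the large call counters do not dominate the kernel
        return [(v - m) / s for v, m, s in zip(row, self.mean, self.std)]

    def fit(self, rows):
        n, d = len(rows), len(FEATURES)
        self.mean = [sum(r[j] for r in rows) / n for j in range(d)]
        self.std = [max(math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in rows) / n), 1e-9) for j in range(d)]
        self.x = [self._scale(r) for r in rows]
        K = [[rbf(a, b, self.gamma) for b in self.x] for a in self.x]
        cap, alpha = 1.0 / (self.nu * n), [1.0 / n] * n
        for _ in range(self.iters):  # step 1/n is safe: the kernel matrix has eigenvalues <= n
            grad = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
            alpha = project_capped_simplex([a - g / n for a, g in zip(alpha, grad)], cap)
        self.alpha = alpha
        # rho comes from a support vector on the margin (0 < alpha < cap), if there is one
        on_margin = [i for i, a in enumerate(alpha) if 1e-6 < a < cap - 1e-6]
        i = on_margin[0] if on_margin else max(range(n), key=alpha.__getitem__)
        self.rho = sum(alpha[j] * K[i][j] for j in range(n))
        return self

    def score(self, row):
        """Positive: normal status; negative: alert status."""
        return sum(a * rbf(xi, self._scale(row), self.gamma) for a, xi in zip(self.alpha, self.x)) - self.rho

    def explain(self, row):  # statistics ranked by deviation from the normal profile, in std units
        return sorted(zip(FEATURES, map(abs, self._scale(row))), key=lambda t: -t[1])

def constructed_windows():
    """Constructed 30 s windows: 24 of normal traffic, then one INVITE flood (not real traces)."""
    rng = random.Random(7)
    normal = [[rng.gauss(10, 1.5), rng.gauss(5, 1), abs(rng.gauss(0.02, 0.01)), rng.gauss(8, 2)] for _ in range(24)]
    return normal, [400.0, 5.0, 0.6, 90.0]
```

Training on the 24 normal windows and scoring the flood window yields a negative score, and `explain` ranks `invite_rate` first, which is the kind of per-statistic view the text relies on to locate the source of an alert.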