A Hybrid and Cross-Protocol Architecture with Semantics and Syntax Awareness to Improve Intrusion Detection Efficiency in Voice over IP Environments Department of Electrical Engineering University of Cape Town Bazara Barry and H. Anthony Chan
Contents
1. Introduction
2. Threat model
3. Research approach
4. Comparison with related work
5. System design
6. Implementation and experiment
7. Attacks and performance evaluation
8. Questions and comments
Intrusion Detection Systems An intrusion attempt is a deliberate, unauthorized attempt to: 1. access information, 2. manipulate information, or 3. render a system unreliable or unusable.
Intrusion Detection Systems Three main detection approaches: 1. Signature-based (detects known attacks but is ineffective against previously unseen ones). 2. Anomaly-based (detects unknown attacks but with a high false alarm rate). 3. Specification-based (detects any deviation from system specifications but is ineffective against DoS and network probing attacks).
Intrusion Detection Systems Desirable features: 1. Protocol-syntax and protocol-semantics anomaly detection. 2. Stateful detection. 3. Cross-protocol and cross-layer detection.
VoIP Voice over IP (VoIP) is emerging as a standard that benefits from convergence and replaces older PSTN systems. VoIP networks and applications are less expensive than running two separate telecommunications infrastructures.
VoIP Security Challenges Sharing the same physical infrastructure with data networks means that convergence inherits all the security weaknesses of the IP protocol. VoIP distributes applications and services throughout the network. Standard VoIP protocols do not provide adequate or standardized call-party authentication, nor end-to-end call confidentiality and integrity.
Threat Model SIP is susceptible to denial of service, eavesdropping, session teardown and session hijacking. RTP is susceptible to voice injection and flooding. Protocols at lower layers, such as IP and TCP, are vulnerable to spoofing and denial of service.
Research Approach Hybrid intrusion detection that combines Signature-based and Specification-based approaches. Cross-protocol and Stateful detection. Syntax and Semantics-awareness for the monitored protocols.
Comparison With Related Work Criteria compared: Stateful; Cross-protocol; Signature-based; Semantics anomaly detection; Syntax anomaly detection. Systems compared: STAT, NetSTAT, WebSTAT, SCIDIVE, vIDS, and our proposed IDS.
State Transition Analysis
Extended Finite State Machines
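As an added example (not the authors' code or their OMNeT++ implementation), the stateful, cross-protocol approach from the Research Approach and EFSM slides in miniature: a per-Call-ID extended finite state machine for a SIP dialog, cross-checked against RTP media, with one signature rule for a malformed message. It assumes RTP flows have already been correlated to their SIP dialog upstream (for example via SDP), so RTP events arrive tagged with a Call-ID; the trace at the bottom is constructed.

```python
# Added example, not the authors' code; assumes RTP events are pre-correlated to a Call-ID (e.g. via SDP).

class VoipEfsm:
    """Per-Call-ID EFSM: INIT -> INVITED -> ESTABLISHED -> TERMINATED (ACK and
    provisional responses omitted). Violations and cross-protocol inconsistencies raise alerts."""

    def __init__(self):
        self.dialogs = {}   # call_id -> {"state": str, "parties": set of source IPs}
        self.alerts = []

    def sip(self, src, method, call_id):
        if not call_id:                       # signature rule: the Call-ID header is mandatory
            self.alerts.append(f"MALFORMED SIP {method} from {src}")
            return
        d = self.dialogs.setdefault(call_id, {"state": "INIT", "parties": set()})
        st = d["state"]
        if method == "INVITE" and st == "INIT":
            d["state"], d["parties"] = "INVITED", {src}
        elif method == "200" and st == "INVITED":
            d["state"] = "ESTABLISHED"
            d["parties"].add(src)
        elif method == "BYE" and st == "ESTABLISHED":
            if src not in d["parties"]:       # semantics: BYE from a host that is not a party (BYE attack)
                self.alerts.append(f"SPOOFED BYE {call_id} from {src}")
                return                        # a forged BYE must not advance the dialog state
            d["state"] = "TERMINATED"
        else:                                 # any other transition violates the protocol specification
            self.alerts.append(f"SPEC VIOLATION {method} in {st} ({call_id})")

    def rtp(self, src, call_id):
        d = self.dialogs.get(call_id)
        if d is None or d["state"] != "ESTABLISHED" or src not in d["parties"]:
            self.alerts.append(f"UNEXPECTED RTP {call_id} from {src}")  # injection or post-BYE media

def analyse(events):
    """events: list of ("SIP", src, method, call_id) or ("RTP", src, call_id); returns alerts."""
    m = VoipEfsm()
    for ev in events:
        (m.sip if ev[0] == "SIP" else m.rtp)(*ev[1:])
    return m.alerts

TRACE = [                                 # constructed trace exercising three of the slide's attacks
    ("SIP", "10.0.0.1", "INVITE", "c1"),
    ("SIP", "10.0.0.2", "200", "c1"),
    ("RTP", "10.0.0.1", "c1"),            # legitimate media inside an established dialog
    ("SIP", "10.0.0.9", "BYE", "c1"),     # BYE attack from a third host
    ("RTP", "10.0.0.9", "c1"),            # voice injection from the same third host
    ("SIP", "10.0.0.1", "BYE", "c1"),     # legitimate teardown
    ("RTP", "10.0.0.2", "c1"),            # media after BYE: session-state inconsistency
    ("SIP", "10.0.0.3", "INVITE", ""),    # malformed message: empty Call-ID
]
```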
Implementation & Simulation The OMNeT++ simulator with the MMSim module is used to implement the design and the attacks. The simulator generates background traffic, and attacks are injected into the traffic at random. The attacks are chosen to be diverse and to have a variety of targets.
Attack Name          | Protocols Involved | Effect
BYE Attack           | SIP, RTP           | Session teardown
Re-INVITE            | SIP, RTP           | Session hijacking
CANCEL               | SIP                | Denial of service
Malformed Messages   | All protocols      | Denial of service
REGISTER Flooding    | SIP                | Denial of service
Voice Injection      | RTP                | Playing artificial stream
UDP Storm            | UDP                | Denial of service
LAND                 | IP, TCP            | Denial of service
Blat                 | IP, TCP            | Denial of service
Smurf                | ICMP               | Denial of service
Stealthy Probing     | TCP                | Identifying OS
Ping of Death        | ICMP               | Denial of service
Neptune              | TCP                | Denial of service
Teardrop             | IP                 | Denial of service
TCP Session          | IP, TCP            | Session hijacking
Publications
1. Bazara Barry and H. Anthony Chan, "Intrusion Detection Systems: Classifications, Implementation Approaches, Testing Methods, and Evaluation Techniques," book chapter in Handbook on Communications and Information Security, edited by Peter Stavroulakis, to be published by Springer.
2. Bazara Barry and H. Anthony Chan, "A Signature Database for Intrusion Detection Systems Targeting Voice over Internet Protocol," accepted to appear in Proceedings of the 2008 IEEE Military Communications Conference (MILCOM'08), San Diego, CA, November.
3. Bazara Barry and H. Anthony Chan, "On the Performance of A Hybrid Intrusion Detection Architecture for Voice over IP Systems," in Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm'08), Istanbul, Turkey, September.
4. Bazara Barry and H. Anthony Chan, "A Hybrid, Stateful, and Cross-protocol Intrusion Detection System for Converged Applications," Springer LNCS, vol. 4804, OTM 2007, Part II, pp. , November.
5. Bazara Barry and H. Anthony Chan, "A Cross-protocol approach to detect TCP Hijacking attacks," in Proceedings of the 2007 IEEE International Conference on Signal Processing and Communications (ICSPC07), Dubai, United Arab Emirates (UAE), November.
6. Bazara Barry and H. Anthony Chan, "Towards Intelligent Cross-Protocol Intrusion Detection in the Next Generation Networks Based on Protocol Anomaly Detection," in Proceedings of the 9th International Conference on Advanced Communication Technology (ICACT2007), Phoenix Park, Gangwon-Do, Korea, February 2007.