Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,


1 Fast Detection of Denial-of-Service Attacks on IP Telephony
Hemant Sengar, Duminda Wijesekera and Sushil Jajodia, Center for Secure Information Systems, George Mason University
and Haining Wang, Department of Computer Science, College of William and Mary

2 Outline
- IP Telephony and Security Threats
- Flooding DoS Attacks
- Related Work
- Observation of Protocol Behaviors
- Design of vFDS
- Performance Evaluation
- Conclusion

3 IP Telephony
- Marriage of IP with traditional telephony
- VoIP uses multiple protocols for call control and data delivery

4 SIP-based IP Telephony

5 Threats
- Device mis-configuration
- Improper usage of signaling messages
- DoS attacks (towards SIP proxy server or SIP UAs)
- SIP UA may issue multiple simultaneous requests
- VoIP telephony is plagued by known Internet vulnerabilities (e.g., worms, viruses, DoS attacks) as well as threats specific to VoIP.

6 Our Focus
- Denial of Service attacks due to flooding
- TCP-based SIP entities are prone to SYN flooding attacks
- At the application layer:
  - INVITE flooding (SIP proxy or SIP UA)
  - RTP flooding to SIP UA

7 Previous Work
- Based on the sequential change point detection scheme: SYN-Dog, ALAS (Application Layer Attack Sensor), TLAS (Transport Layer Attack Sensor)
- Observes the difference between two attributes: {SYN, SYN-ACK} or {SYN, FIN}; {INVITE, 200 OK}
- Shortcomings:
  1) Does not present a holistic view of protocol behavior
  2) RTP stream does not have any attribute pair

8 TCP Protocol Behavior (I)
(Figure: trace from Front Range GigaPoP, November 1, 2005)

9 TCP Protocol Behavior (II)
(Figure: trace from Digital Equipment Corporation, March 8, 1995)

10 SIP Protocol Behavior

11 RTP Traffic Behavior
- G.711 codec (50 packets per second)

12 Observations
- In spite of traffic diversity, at any instant of time there is strong correlation among protocol attributes
- Gaps between attributes remain relatively stable
- In RTP: derived attributes:

13 Challenges
- Is it possible to compare and quantify the gap between a number of attributes (taken at a time), observed at two different instants of time?
- Determine whether two instants of time are similar (or dissimilar) with respect to protocol attribute behavior

14 Detection Scheme: Hellinger Distance
- P and Q (each with N attributes) are two probability measures with and
- Distance satisfies the inequality of
- The distance is 0 when P = Q
- Disjoint P and Q show a maximum distance of 1

15 Distance Measurement :

16 Hellinger Distance of TCP Attributes
- P is an array of normalized frequencies over the training data set
- Q is an array of normalized frequencies over the testing data set
- Distance between P and Q at the end of the (n+1)th time period

17 Hellinger Distance of TCP Attributes :

18 Hellinger Distance of SIP Attributes
- Attributes: INVITE, 200 OK, ACK and BYE

19 Hellinger distance of RTP Attributes

20 Detection Threshold Setup
- Estimation of the threshold distance is an instance of Jacobson's fast algorithm for RTT mean and variation
- Gives a dynamic threshold
(Figure: Threshold vs. Hellinger Distance over time)
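The following is an added worked example, not the authors' vFDS code, that puts slides 14, 16, 18 and 20 together: it computes the Hellinger distance between the normalized attribute frequencies of a training window (P) and each testing window (Q), and derives a dynamic threshold from the distance series using Jacobson's smoothed mean and mean deviation (the slides say the threshold is an instance of Jacobson's RTT algorithm; the exact form, mean + 4 * deviation with gains 1/8 and 1/4, is an assumption here). The attribute set is the SIP one named on slide 18; passing a different tuple applies the same code to the TCP attributes. All message counts are constructed sample data, and the final window is a constructed INVITE flood.

```python
"""Hellinger-distance flooding detector over SIP signalling attributes.

Added example, not the paper's vFDS implementation. Assumptions: per-window
attribute counts arrive as dicts, and the threshold is Jacobson-style
mean + k * mean-deviation (assumed form; the slides give no formula).
"""
import math

# SIP attributes named on slide 18. The TCP attribute set from the slides
# can be passed instead, e.g. ("SYN", "SYN-ACK", "FIN").
SIP_ATTRIBUTES = ("INVITE", "200 OK", "ACK", "BYE")


def normalized_frequencies(counts, attributes=SIP_ATTRIBUTES):
    """Turn raw per-window message counts into a probability vector over
    the attribute set: this is P (training) or Q (testing) on slide 16."""
    total = sum(counts.get(a, 0) for a in attributes)
    if total == 0:
        raise ValueError("empty observation window: no probability measure")
    return [counts.get(a, 0) / total for a in attributes]


def hellinger_distance(p, q):
    """H(P,Q) = sqrt(1/2 * sum_i (sqrt(p_i) - sqrt(q_i))^2).
    0 when P == Q, 1 when the supports of P and Q are disjoint (slide 14)."""
    if len(p) != len(q):
        raise ValueError("P and Q must have the same number of attributes")
    s = sum((math.sqrt(pi) - math.sqrt(qi)) ** 2 for pi, qi in zip(p, q))
    return math.sqrt(0.5 * s)


class DynamicThreshold:
    """Smoothed mean and mean deviation of the distance series, updated
    the way Jacobson's RTT estimator updates SRTT and RTTVAR; the detection
    threshold is mean + k * deviation (assumed form)."""

    def __init__(self, alpha=1 / 8, beta=1 / 4, k=4):
        self.alpha, self.beta, self.k = alpha, beta, k
        self.mean = None
        self.dev = None

    @property
    def threshold(self):
        if self.mean is None:
            return None  # nothing learned yet
        return self.mean + self.k * self.dev

    def update(self, distance):
        if self.mean is None:          # first sample: mean = d, dev = d/2
            self.mean = distance
            self.dev = distance / 2
        else:
            err = distance - self.mean
            self.mean += self.alpha * err
            self.dev += self.beta * (abs(err) - self.dev)
        return self.threshold


def run_detection(training_counts, test_windows, attributes=SIP_ATTRIBUTES):
    """Compare every test window against the training distribution and flag
    a window when its distance exceeds the threshold learned from the
    previous (normal) windows. Returns (distances, flags)."""
    p = normalized_frequencies(training_counts, attributes)
    thr = DynamicThreshold()
    distances, flags = [], []
    for counts in test_windows:
        q = normalized_frequencies(counts, attributes)
        d = hellinger_distance(p, q)
        current = thr.threshold
        flagged = current is not None and d > current
        distances.append(d)
        flags.append(flagged)
        if not flagged:
            thr.update(d)  # an attack window must not inflate the threshold
    return distances, flags


# Constructed sample windows (not measured data): about 100 balanced calls
# per observation window, then one window carrying an INVITE flood.
TRAINING = {"INVITE": 100, "200 OK": 100, "ACK": 100, "BYE": 100}
TEST_WINDOWS = [
    {"INVITE": 102, "200 OK": 100, "ACK": 99, "BYE": 101},
    {"INVITE": 98, "200 OK": 101, "ACK": 100, "BYE": 100},
    {"INVITE": 103, "200 OK": 100, "ACK": 100, "BYE": 99},
    {"INVITE": 101, "200 OK": 101, "ACK": 100, "BYE": 100},
    {"INVITE": 1100, "200 OK": 100, "ACK": 100, "BYE": 100},  # INVITE flood
]

if __name__ == "__main__":
    dists, flags = run_detection(TRAINING, TEST_WINDOWS)
    for i, (d, f) in enumerate(zip(dists, flags)):
        print(f"window {i}: H = {d:.4f} {'ALERT' if f else 'ok'}")
```

The normal windows keep the distance near zero because the four attributes stay correlated (one INVITE is followed by one 200 OK, one ACK and one BYE), so the threshold settles around 0.01; the flood window skews the distribution towards INVITE and its distance jumps to roughly 0.39, well above the threshold, in a single observation period. Shorter observation windows sharpen the resolution at the cost of more frequent recomputation, which is the trade-off slide 24 describes.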

21 Detection of SYN Flooding Attack

22 Detection of INVITE Flooding

23 Detection of RTP Flooding Attack

24 Detection Accuracy and Time
- High detection probability (> 80%)
- Detection time varies between 1-2 observation periods
- Detection resolution and sensitivity depend upon the value of the observation time period
- A low value is better, but at the cost of computational resources

25 Conclusion
- vFDS utilizes Hellinger distance for online statistical flooding detection
- Holistic view of protocol behaviors
- Simple and efficient
- High accuracy with short detection time

26 Questions
