A Flow-based Detection Method for VoIP Anomaly Traffic  

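Son, Hyeon-Gu (Department of Computer Engineering, Chungnam National University)
Lee, Young-Seok (Department of Computer Engineering, Chungnam National University)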
Abstract
SIP/RTP-based VoIP services are becoming popular. Recently, however, VoIP anomaly traffic causing delay, interference with and termination of call establishment, and degradation of voice quality has been reported. Because most Korean VoIP applications do not use standard security protocols, an attacker could intercept a packet and obtain user and header information in order to generate anomaly traffic. In this paper, we propose three VoIP anomaly traffic generation methods, for CANCEL DoS, BYE DoS and RTP flooding, and a detection method based on flow-based traffic measurement. Our experiments showed that 97% of anomaly traffic could be detected in real commercial VoIP networks in Korea.
Keywords
VoIP; Flow; Anomaly traffic; IPFIX; detection;