Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems, George Mason University And Haining Wang Department of Computer Science, College of William and Mary

Outline IP Telephony and Security Threats Flooding DoS Attacks Observation of Protocol Behaviors Design of vFDS Performance Evaluation Conclusion

IP Telephony Marriage of IP with traditional telephony. VoIP uses multiple protocols for call control and data delivery.

SIP-based IP Telephony

Threats Device mis-configuration. Improper usage of signaling messages. DoS attacks (towards the SIP proxy server or SIP UAs). A SIP UA may issue multiple simultaneous requests. VoIP telephony is plagued by known Internet vulnerabilities (e.g., worms, viruses) as well as threats specific to VoIP.

Our Focus Denial of Service attacks due to flooding. TCP-based SIP entities are prone to SYN flooding attacks. At the application layer: INVITE flooding (against a SIP proxy or SIP UA) and RTP flooding to a SIP UA.

TCP Protocol Behavior (I) Front Range GigaPoP, November 1, 2005

TCP Protocol Behavior (II) Digital Equipment Corporation, March 8, 1995

SIP Protocol Behavior

RTP Traffic Behavior G.711 Codec (50 packets per second)

Observations In spite of traffic diversity, at any instant of time there is strong correlation among protocol attributes. Gaps between attributes remain relatively stable. In RTP: Derived attributes:

Challenges Is it possible to compare and quantify the gap between a number of attributes (taken together), observed at two different instants of time? Determine whether two instants of time are similar (or dissimilar) with respect to protocol attribute behavior.

Detection Scheme Hellinger Distance Distance satisfies the inequality of The distance is 0 when P = Q. Disjoint P and Q show a maximum distance of 1. P and Q (each with N attributes) are two probability measures with and

Distance Measurement :

Hellinger Distance of TCP Attributes P is an array of normalized frequencies over the training data set. Q is an array of normalized frequencies over the testing data set. Distance between P and Q at the end of the (n+1)th time period

Hellinger Distance of TCP Attributes :

Hellinger Distance of SIP Attributes INVITE, 200 OK, ACK and BYE

Hellinger distance of RTP Attributes

Detection Threshold Setup Estimation of the threshold distance is an instance of Jacobson's fast algorithm for RTT mean and variation. Gives a dynamic threshold. [Figure: Hellinger distance against the threshold]
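The Hellinger-distance comparison from the detection scheme slides and the Jacobson-style dynamic threshold from this slide, combined in one added Python example (not code from the talk or from vFDS). It assumes the standard 1/2-normalized Hellinger distance, since that form gives the 0..1 range quoted on the slide, and uses the classic Jacobson RTO estimator constants (g = 1/8, h = 1/4, k = 4) as stand-ins for whatever the authors tuned; the detector takes the attribute set as a parameter, so the same code works for the TCP attributes (SYN, SYN-ACK, FIN, RST) as for the SIP ones shown here.

```python
import math

def normalize(counts, attrs):
    """Raw per-period counts -> probability measure over attrs."""
    total = sum(counts.get(a, 0) for a in attrs)
    return {a: (counts.get(a, 0) / total if total else 0.0) for a in attrs}

def hellinger(p, q, attrs):
    """Standard 1/2-normalized Hellinger distance (assumed: it yields the
    0..1 range on the slide): 0 when p == q, 1 when p, q are disjoint."""
    s = sum((math.sqrt(p[a]) - math.sqrt(q[a])) ** 2 for a in attrs)
    return math.sqrt(s / 2.0)

class FloodDetector:
    """vFDS-style online detector: P = normalized attribute frequencies of
    the training window, Q = those of each new observation period. The
    threshold is a Jacobson-style smoothed mean + k * smoothed deviation;
    g, h, k are assumed (classic RTO constants), not taken from the talk."""
    def __init__(self, attrs, training_counts, g=1 / 8, h=1 / 4, k=4):
        self.attrs, self.p = attrs, normalize(training_counts, attrs)
        self.g, self.h, self.k = g, h, k
        self.mean, self.dev = None, 0.0   # seeded by the first period

    def observe(self, period_counts):
        """Return (distance, threshold, alarm) for one observation period."""
        d = hellinger(self.p, normalize(period_counts, self.attrs), self.attrs)
        if self.mean is None:             # warm-up: no threshold yet
            self.mean, self.dev = d, d / 2
            return d, None, False
        threshold = self.mean + self.k * self.dev
        alarm = d > threshold
        if not alarm:                     # a flood must not raise the bar
            err = d - self.mean
            self.mean += self.g * err
            self.dev += self.h * (abs(err) - self.dev)
        return d, threshold, alarm

SIP_ATTRS = ("INVITE", "200 OK", "ACK", "BYE")

def run_sip_demo():
    """Constructed sample: three normal periods (about one INVITE, 200 OK,
    ACK and BYE per call), then an INVITE flood at the proxy."""
    training = {"INVITE": 50, "200 OK": 48, "ACK": 48, "BYE": 47}
    periods = [{"INVITE": 52, "200 OK": 49, "ACK": 50, "BYE": 48},
               {"INVITE": 47, "200 OK": 47, "ACK": 46, "BYE": 46},
               {"INVITE": 55, "200 OK": 52, "ACK": 53, "BYE": 51},
               {"INVITE": 500, "200 OK": 48, "ACK": 48, "BYE": 47}]  # flood
    det = FloodDetector(SIP_ATTRS, training)
    return [det.observe(c) for c in periods]
```

On the constructed sample the three normal periods stay around a distance of 0.003 to 0.006 against a threshold near 0.01, while the flood period jumps to about 0.38, which is why one observation period is enough to raise the alarm.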

Detection of SYN Flooding Attack

Detection of INVITE Flooding

Detection of RTP Flooding Attack

Detection Accuracy and Time High detection probability (> 80%). Detection time varies between 1-2 observation periods. Detection resolution and sensitivity depend upon the value of the observation time period: a low value is better, but at the cost of computational resources.

Conclusion vFDS utilizes the Hellinger distance for online statistical flooding detection. Holistic view of protocol behaviors. Simple and efficient. High accuracy with short detection time.

Questions