Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,"— Presentation transcript:

1 Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems, George Mason University And Haining Wang Department of Computer Science, College of William and Mary

2 Outline IP Telephony and Security Threats Flooding DoS Attacks Observation of Protocol Behaviors Design of vFDS Performance Evaluation Conclusion

3 IP Telephony Marriage of IP with traditional Telephony VoIP uses multiple protocol for call control and data delivery

4 SIP-based IP Telephony

5 Threats Device mis-configuration Improper usage of signaling messages DoS attacks (towards SIP Proxy server or SIP UAs) SIP UA may issue multiple simultaneous requests VoIP telephony is plagued by known Internet Vulnerabilities (e.g., worms, Viruses, etc.) as well as threats specific to VoIP.

6 Our Focus Denial of Service Attacks due to Flooding TCP-based SIP entities are prone to SYN flooding attack At the application layer :  INVITE Flooding (SIP Proxy or SIP UA)  RTP Flooding to SIP UA

7 TCP Protocol Behavior (I) Front Range GigaPoP, November 1, 2005

8 TCP Protocol Behavior (II) Digital Equipment Corporation, March 8, 1995

9 SIP Protocol Behavior

10 RTP Traffic Behavior G.711 Codec (50 packets per second)

11 Observations In spite of traffic diversity, at any instant of time, there is strong correlation among protocol attributes Gaps between Attributes remain relatively stable In RTP:  Derived Attributes :

12 Challenges Is it possible to compare and quantify the gap between a number of attributes (taken at a time), observed at two different instants of time ? Determine whether two instants of time are similar (or dissimilar) with respect to protocol attributes behavior

13 Detection Scheme Hellinger Distance Distance satisfies the inequality of The distance is 0 when P = Q. Disjoint P and Q shows a maximum distance of 1. P and Q (each with N attributes) are two probability measures with and

14 Distance Measurement :

15 Hellinger Distance of TCP Attributes P is an array of normalized frequencies over the training data set Q is an array of normalized frequencies over the testing data set Distance between P and Q at the end of (n+1)th time period

16 Hellinger Distance of TCP Attributes :

17 Hellinger Distance of SIP Attributes INVITE, 200 OK, ACK and BYE

18 Hellinger distance of RTP Attributes

19 Estimation of the threshold distance is an instance of Jacobson’s Fast algorithm for RTT mean and variation Gives a dynamic threshold Detection Threshold Setup Threshold Hellinger Distance

20 Detection of SYN Flooding Attack

21 Detection of INVITE Flooding

22 Detection of RTP Flooding Attack

23 Detection Accuracy and Time High Detection Probability (> 80%) Varies between 1-2 observation periods Detection resolution and sensitivity depends upon Value of observation time period Low value is better but at the cost of computational resources

24 Conclusion vFDS utilizes Hellinger distance for online statistical flooding detection Holistic view of protocol behaviors Simple and efficient High accuracy with short detection time

25 Questions

Download ppt "Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,"

Similar presentations

Internet Measurement Conference 2003 Source-Level IP Packet Bursts: Causes and Effects Hao Jiang Constantinos Dovrolis (hjiang,

Internet Measurement Conference 2003 Source-Level IP Packet Bursts: Causes and Effects Hao Jiang Constantinos Dovrolis (hjiang,
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Michele Pagano – A Survey on TCP Performance Evaluation and Modeling 1 Department of Information Engineering University of Pisa Network Telecomunication.

Michele Pagano – A Survey on TCP Performance Evaluation and Modeling 1 Department of Information Engineering University of Pisa Network Telecomunication.
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.
Packet Anomaly Intrusion Detection PAID Constantine Manikopoulos and Zheng Zhang New Jersey Center for Wireless Networking and Security (NJWINS) at NJIT.

Packet Anomaly Intrusion Detection PAID Constantine Manikopoulos and Zheng Zhang New Jersey Center for Wireless Networking and Security (NJWINS) at NJIT.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
SIP Security Matt Hsu.

SIP Security Matt Hsu.
 3G is the third generation of tele standards and technology for mobile networking, superseding 2.5G. It is based on the International Telecommunication.

 3G is the third generation of tele standards and technology for mobile networking, superseding 2.5G. It is based on the International Telecommunication.
Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.

Detecting SYN Flooding Attacks Haining Wang, Dandle Zhang, Kang G. Shin Presented By Hareesh Pattipati.
Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,

Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,
SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)

SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
An Effective Defense Against Email Spam Laundering Paper by: Mengjun Xie, Heng Yin, Haining Wang Presented at:CCS'06 Presentation by: Devendra Salvi.

An Effective Defense Against Spam Laundering Paper by: Mengjun Xie, Heng Yin, Haining Wang Presented at:CCS'06 Presentation by: Devendra Salvi.
By: Christopher Henderson.  What is VoIP?  How is it being used?  VoIP’s main Security Threats.  Availability of Service  Integrity of Service 

By: Christopher Henderson.  What is VoIP?  How is it being used?  VoIP’s main Security Threats.  Availability of Service  Integrity of Service 

Similar presentations

Ads by Google