A Hybrid, Stateful, and Cross-Protocol Intrusion Detection System for Converged Applications
Bazara Barry and H. Anthony Chan
Department of Electrical Engineering, University of Cape Town
UCT-COE Seminar 000, October 3, 2015

Contents
- Introduction
- Formal model
- System Architecture
- Related Work
- Implementation and Experiment
- Future Work
Intrusion Detection Systems
An intrusion detection system (IDS) is a set of techniques and methods for detecting suspicious activity at the network or host level. Two main categories of IDS exist:
- Knowledge-based (misuse) detection
- Behavior-based (anomaly) detection
A relatively new approach within behavior-based detection is specification-based anomaly detection.
Intrusion Detection Systems (continued)
Specification-based detection falls into two categories:
- Syntax anomaly detection: checks whether each message is well-formed.
- Semantics anomaly detection: monitors whether the sequence of commands is one the protocol allows.
The specifications are derived from standards approved by bodies such as the IETF, so a deviation from the specification is flagged whether or not the attack has been seen before.
Convergence
Convergence in networks refers to the structures and processes that result from the design and implementation of a common networking infrastructure that accommodates data, voice, and multimedia communications [1].
Convergence in applications refers to building applications that span different protocols and specifications [2].
Convergence (continued)
- Because converged services share the physical infrastructure of the data network, they inherit all the security weaknesses of the IP protocol suite.
- VoIP standards carry signaling and media on separate channels, so each channel is a separate attack surface.
- VoIP is standardized on open technologies (SIP, H.323); the protocols are fully documented, so attackers can study them as easily as implementers can, and the systems are correspondingly exposed to attack.
Session Initiation Protocol (SIP)
SIP is an application-layer protocol used for establishing, modifying and terminating multimedia sessions in an IP network [3].
SIP is susceptible to:
- Denial of Service
- Eavesdropping
- Tearing down sessions
- Registration hijacking
- Session hijacking
Communicating Extended Finite State Machines Model
A Finite State Machine (FSM) is a model of behavior composed of a finite number of states, transitions between those states, and actions.
An FSM extended with parameters, variables, predicates, and operations is an Extended FSM (EFSM).
Communicating Extended Finite State Machines Model (continued)
[Figure: two communicating EFSMs, "Network protocol 1" and "Network protocol 2", each with states 0, 1 and 2 and transitions labelled In_Packet() 0 / Out_packet() 0 and In_Packet() 1 / Out_packet() 1; one transition is labelled "attack".]
System Architecture
[Figure: system architecture diagram]
Advantages of the System Architecture
- Stateful detection
- Cross-protocol detection
- Knowledge-based and behavior-based detection
- Syntax and semantics anomaly detection
Related Work
The proposed IDS is compared with STAT [4], NetSTAT [5], WebSTAT [6], SCIDIVE [7] and vIDS [8] along five properties:
- Stateful
- Cross-protocol
- Knowledge-based
- Semantics anomaly detection
- Syntax anomaly detection
(The per-system marks of the comparison table are not recoverable from this copy; the proposed IDS is the only system for which all five properties are claimed.)
Implementation and Experiment
The system is developed on the SIP servlet programming model and the SIP servlet API. The SIP servlet specification lets an application perform a fairly complete set of SIP signaling operations as defined by the SIP standards (e.g. RFC 3261). The API gives the developer full control over SIP messages: full access to headers and body, the ability to respond to or reject requests, and the ability to initiate requests.
Implementation and Experiment (continued)
Five attacks are implemented to test the system:
- BYE attack
- Re-INVITE attack
- REGISTER flooding attack
- CANCEL attack
- Buffer overflow attack
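The following is an added example, not the authors' code: a small Python monitor that shows how the two specification-based layers from the Introduction (syntax and semantics anomaly detection) and the EFSM model from the formal-model slides combine to catch the five test attacks. The syntax layer checks the request line and the headers RFC 3261 section 8.1.1 makes mandatory, plus an oversized-header bound that stands in for the buffer-overflow case; the semantics layer keeps one dialog EFSM per Call-ID (states IDLE, TRYING, CONFIRMED, TERMINATED) and accepts BYE, CANCEL and re-INVITE only from the From/To tags already seen in that dialog; REGISTER flooding is a per-source sliding-window count. The state names, the header-length limit, the rate limit and all SIP messages are assumptions constructed for the demo; only requests are observed and responses are ignored.

```python
"""Toy specification-based SIP monitor (added example, not the authors' code)."""
from collections import defaultdict, deque

MANDATORY = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")
MAX_HEADER_LEN = 1024   # assumed bound; an oversized header models the overflow test


def parse(raw):
    """Return (method, headers) for a SIP request, or None if malformed."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip()] = value.strip()
    return start[0], headers


def tag(header_value):
    """Extract the tag= parameter of a From/To header value (None if absent)."""
    for param in header_value.split(";")[1:]:
        key, _, val = param.partition("=")
        if key.strip() == "tag":
            return val.strip()
    return None


class Dialog:
    """EFSM per Call-ID: IDLE -> TRYING -> CONFIRMED -> TERMINATED.
    `parties` holds the tags of the two legitimate endpoints."""
    def __init__(self):
        self.state = "IDLE"
        self.parties = set()


class Monitor:
    def __init__(self, register_limit=5, window=10.0):
        self.dialogs = defaultdict(Dialog)
        self.register_limit = register_limit   # REGISTERs allowed per window
        self.window = window                   # seconds
        self.registers = defaultdict(deque)    # source -> timestamps

    def observe(self, raw, source, now):
        """Return None when the request conforms, otherwise an alert string."""
        parsed = parse(raw)
        if parsed is None:
            return "syntax: malformed request"
        method, h = parsed
        missing = [name for name in MANDATORY if name not in h]
        if missing:
            return "syntax: missing header " + ",".join(missing)
        if any(len(v) > MAX_HEADER_LEN for v in h.values()):
            return "syntax: oversized header (buffer overflow attempt)"
        if method == "REGISTER":
            return self._register(source, now)
        return self._step(self.dialogs[h["Call-ID"]], method,
                          tag(h["From"]), tag(h["To"]))

    def _register(self, source, now):
        stamps = self.registers[source]
        stamps.append(now)
        while now - stamps[0] > self.window:   # drop timestamps outside the window
            stamps.popleft()
        if len(stamps) > self.register_limit:
            return "REGISTER flooding from %s" % source
        return None

    def _step(self, d, method, from_tag, to_tag):
        if method == "INVITE":
            if d.state == "IDLE":
                d.state, d.parties = "TRYING", {from_tag}
                return None
            if d.state == "CONFIRMED" and from_tag in d.parties:
                return None                     # legitimate re-INVITE
            return "re-INVITE attack: tag %r not in dialog (%s)" % (from_tag, d.state)
        if method == "ACK" and d.state == "TRYING" and from_tag in d.parties:
            d.state = "CONFIRMED"
            d.parties.add(to_tag)               # callee's tag is now known
            return None
        if method == "CANCEL":
            if d.state == "TRYING" and from_tag in d.parties:
                d.state = "TERMINATED"
                return None
            return "CANCEL attack: state %s, tag %r" % (d.state, from_tag)
        if method == "BYE":
            if d.state == "CONFIRMED" and from_tag in d.parties:
                d.state = "TERMINATED"
                return None
            return "BYE attack: state %s, tag %r" % (d.state, from_tag)
        return "unexpected %s in state %s" % (method, d.state)


def request(method, call_id, from_tag, to_tag=None):
    """Build a constructed SIP request; only the tags matter to the monitor."""
    to = "<sip:bob@example.com>" + (";tag=" + to_tag if to_tag else "")
    return ("%s sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1;branch=z9hG4bK776\r\n"
            "Max-Forwards: 70\r\nFrom: <sip:alice@example.com>;tag=%s\r\nTo: %s\r\n"
            "Call-ID: %s\r\nCSeq: 1 %s\r\n\r\n" % (method, from_tag, to, call_id, method))


def run_demo():
    """Replay one legitimate dialog and the five attacks; return the alerts."""
    m, ua, atk, out = Monitor(), "10.0.0.1", "10.0.0.9", {}
    out["legit"] = [m.observe(request("INVITE", "c1", "a1"), ua, 0.0),        # caller
                    m.observe(request("ACK", "c1", "a1", "b1"), ua, 0.1),     # learns b1
                    m.observe(request("BYE", "c1", "b1", "a1"), ua, 5.0)]     # callee hangs up
    m.observe(request("INVITE", "c2", "a2"), ua, 1.0)
    m.observe(request("ACK", "c2", "a2", "b2"), ua, 1.1)
    out["bye"] = m.observe(request("BYE", "c2", "x9", "b2"), atk, 1.2)       # foreign tag
    out["reinvite"] = m.observe(request("INVITE", "c2", "x9", "b2"), atk, 1.3)
    m.observe(request("INVITE", "c3", "a3"), ua, 2.0)
    out["cancel"] = m.observe(request("CANCEL", "c3", "x9"), atk, 2.1)
    out["flood"] = [m.observe(request("REGISTER", "r%d" % i, "a%d" % i), atk, 3.0 + i)
                    for i in range(6)][-1]
    out["overflow"] = m.observe(request("INVITE", "c5", "A" * 2000), atk, 9.0)
    out["malformed"] = m.observe("garbage\r\n\r\n", atk, 9.1)
    out["missing"] = m.observe(request("INVITE", "c6", "a6").replace("Max-Forwards: 70\r\n", ""), atk, 9.2)
    return out


if __name__ == "__main__":
    for name, alert in run_demo().items():
        print(name, "->", alert)
```

Binding a BYE or CANCEL to the tags of the dialog it claims to end is what makes the check stateful: the same BYE message is legitimate in one Call-ID and an attack in another, so a stateless signature cannot express it. A production monitor would also track responses (to learn the callee tag from the 200 OK rather than the ACK) and the CSeq sequence, which this example omits.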
Future Work
- We are currently investigating the runtime impact of the system on VoIP applications.
- The efficiency of the system will be improved by developing more abstract modules in the packet verifier and the behavior observer, which should reduce the number of false positives.
- A possible extension is to adopt the message exchange standard of the IETF Intrusion Detection Working Group (IDWG) so that the system can be turned into a distributed one.
References
1. T. Porter, Practical VoIP Security (Syngress Press, 2006), p. 6.
2. N. Khan, "The SIP Servlet Programming Model," technology white paper, 31 January 2007. Available at http://dec2dev.bea.com [accessed April 2007].
3. J. Rosenberg et al., "SIP: Session Initiation Protocol," RFC 3261.
4. P. Porras, "STAT -- A State Transition Analysis Tool for Intrusion Detection," Technical Report TRCS93-25, University of California at Santa Barbara, 1993.
5. G. Vigna and R. Kemmerer, "NetSTAT: A Network-based Intrusion Detection Approach," in Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC 1998), Scottsdale, Arizona, December 1998.
6. G. Vigna, W. Robertson, V. Kher, and R. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers," in Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), pp. 34-43, Las Vegas, NV, December 2003.
7. Y. Wu, S. Bagchi, S. Garg, N. Singh, and T. Tsai, "SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments," in Proceedings of the 2004 International Conference on Dependable Systems and Networks (DSN 2004).
8. H. Sengar, D. Wijesekera, H. Wang, and S. Jajodia, "VoIP Intrusion Detection Through Interacting Protocol State Machines," in Proceedings of the International Conference on Dependable Systems and Networks (DSN 2006), Philadelphia, PA, USA, 2006.
Questions