A Hybrid and Cross-Protocol Architecture with Semantics and Syntax Awareness to Improve Intrusion Detection Efficiency in Voice over IP Environments - PowerPoint PPT Presentation

1
A Hybrid and Cross-Protocol Architecture with
Semantics and Syntax Awareness to Improve
Intrusion Detection Efficiency in Voice over IP
Environments
Bazara Barry and H. Anthony Chan
Department of Electrical Engineering University
of Cape Town
2
Contents
  • Introduction
  • Threat model
  • Research Approach
  • Comparison with related work
  • System Design
  • Implementation and Experiment
  • Attacks and Performance Evaluation
  • Questions and Comments

3
Intrusion Detection Systems
  • An intrusion attempt is a deliberate, unauthorized
    attempt to
      • access information,
      • manipulate information, or
      • render a system unreliable or unusable.

4
Intrusion Detection Systems
  • Three main detection approaches
      • Signature-based (detects known attacks but is
        ineffective against previously unseen ones).
      • Anomaly-based (detects unknown attacks but with a
        high false-alarm rate).
      • Specification-based (detects any deviation from
        system specifications but is ineffective against
        DoS and network probing attacks).

5
Intrusion Detection Systems
  • Desirable features
      • Protocol-syntax and protocol-semantics anomaly
        detection.
      • Stateful detection.
      • Cross-protocol and cross-layer detection.

6
VoIP
  • Voice over IP (VoIP) is emerging as a standard
    that benefits from convergence and replaces older
    PSTN systems.
  • VoIP networks and applications are less expensive
    than two separate telecommunications
    infrastructures.

7
VoIP Security Challenges
  • Sharing the same physical infrastructure with
    data networks makes converged networks inherit all
    the security weaknesses of the IP protocol.
  • VoIP distributes applications and services
    throughout the network.
  • Standard VoIP protocols do not provide adequate
    or standardized call party authentication or
    end-to-end call confidentiality and integrity.

8
Threat Model
  • SIP is susceptible to denial of service,
    eavesdropping, session teardown, and session
    hijacking.
  • RTP is susceptible to voice injection and
    flooding.
  • Protocols at lower layers, such as IP and TCP, are
    vulnerable to spoofing and denial of service.

9
Research Approach
  • Hybrid intrusion detection that combines
    signature-based and specification-based
    approaches.
  • Cross-protocol and stateful detection.
  • Syntax- and semantics-awareness for the monitored
    protocols.
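The four ideas on this slide (and the detection approaches and desirable features on slides 4 and 5) can be seen working together in a small detector that layers a signature check, a protocol-syntax check, a stateful per-dialog extended finite state machine for SIP semantics, and a cross-protocol check that ties RTP media to the SIP dialog that negotiated its port. This is an added Python example, not code from the authors or from their OMNeT/MMSim implementation; the signature pattern, the state machine, the flood threshold and the SIP/RTP trace in `run_demo` are all constructed here for illustration.

```python
"""Layered SIP/RTP detector sketch (added illustration): signature, syntax, stateful
semantics and cross-protocol checks. All patterns, states and thresholds are constructed."""
import re
from collections import defaultdict

SIP_REQUEST_LINE = re.compile(r"^(INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER) sip:\S+ SIP/2\.0$")
REQUIRED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")   # mandatory in every SIP request
MEDIA_LINE = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)       # SDP audio port in the body
SIGNATURES = {"known-scanner-ua": re.compile(r"^User-Agent:\s*example-scanner", re.I | re.M)}
# Per-dialog EFSM, (state, method) -> next state; any unlisted pair is a semantic violation
TRANSITIONS = {("INIT", "INVITE"): "INVITED", ("INVITED", "ACK"): "ESTABLISHED",
               ("INVITED", "CANCEL"): "TERMINATED", ("ESTABLISHED", "BYE"): "TERMINATED"}
RTP_FLOOD_THRESHOLD = 50   # packets per media port per second (constructed)


class HybridVoipDetector:
    def __init__(self):
        self.dialogs = {}                    # Call-ID -> {"state", "cseq", "port"}
        self.media_ports = {}                # negotiated RTP port -> Call-ID
        self.rtp_counts = defaultdict(int)   # (port, whole second) -> packet count
        self.alerts = []                     # (layer, message)

    def _alert(self, layer, msg):
        self.alerts.append((layer, msg))

    def sip(self, raw):
        """Inspect one SIP request: 1. signature, 2. syntax, 3. stateful semantics."""
        head, _, body = raw.partition("\n\n")
        lines = head.split("\n")
        for name, pat in SIGNATURES.items():
            if pat.search(head):
                self._alert("signature", name)
        m = SIP_REQUEST_LINE.match(lines[0])
        if not m:
            self._alert("syntax", f"malformed request line: {lines[0]!r}")
            return
        headers = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        missing = [h for h in REQUIRED_HEADERS if h not in headers]
        if missing:
            self._alert("syntax", f"missing headers {missing}")
            return
        method, call_id = m.group(1), headers["Call-ID"]
        if method in ("OPTIONS", "REGISTER"):   # out-of-dialog requests: no state to track here
            return
        cseq = int(headers["CSeq"].split()[0])
        dialog = self.dialogs.get(call_id, {"state": "INIT", "cseq": 0, "port": None})
        nxt = TRANSITIONS.get((dialog["state"], method))
        if nxt is None:
            self._alert("semantic", f"{method} in state {dialog['state']} for {call_id}")
            return
        # The ACK for an INVITE reuses the INVITE's CSeq number; every other request must increase it
        if method != "ACK" and cseq <= dialog["cseq"]:
            self._alert("semantic", f"CSeq {cseq} not increasing for {call_id}")
            return
        dialog["state"], dialog["cseq"] = nxt, max(cseq, dialog["cseq"])
        self.dialogs[call_id] = dialog
        port = MEDIA_LINE.search(body)
        if method == "INVITE" and port:          # remember which RTP port this dialog negotiated
            dialog["port"] = int(port.group(1))
            self.media_ports[dialog["port"]] = call_id
        if nxt == "TERMINATED":
            self.media_ports.pop(dialog["port"], None)

    def rtp(self, dst_port, ts):
        """Inspect one RTP packet: 4. cross-protocol, media must belong to an established dialog."""
        call_id = self.media_ports.get(dst_port)
        if call_id is None or self.dialogs[call_id]["state"] != "ESTABLISHED":
            self._alert("cross-protocol", f"RTP to port {dst_port} without established SIP session")
            return
        key = (dst_port, int(ts))
        self.rtp_counts[key] += 1
        if self.rtp_counts[key] == RTP_FLOOD_THRESHOLD + 1:   # report each flood once
            self._alert("cross-protocol", f"RTP flood on port {dst_port}")


def sip_msg(method, call_id, cseq, extra=(), body=""):
    """Build a minimal constructed SIP request for the demo trace."""
    lines = [f"{method} sip:bob@example.net SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1",
             "From: <sip:alice@example.net>", "To: <sip:bob@example.net>",
             f"Call-ID: {call_id}", f"CSeq: {cseq} {method}", *extra]
    return "\n".join(lines) + "\n\n" + body


def run_demo():
    """Constructed trace: one clean call interleaved with attacks from the threat model."""
    det = HybridVoipDetector()
    det.sip(sip_msg("INVITE", "call-1", 1, body="v=0\nm=audio 49170 RTP/AVP 0\n"))
    det.sip(sip_msg("ACK", "call-1", 1))
    for i in range(3):
        det.rtp(49170, i * 0.02)                          # legitimate media
    det.sip(sip_msg("BYE", "call-666", 1))                # tearing down a dialog that never existed
    det.rtp(50000, 0.1)                                   # voice injection on an unnegotiated port
    det.sip("INVITE sip:bob@example.net SIP/9.9\nCall-ID: x\n\n")     # syntax anomaly
    det.sip(sip_msg("OPTIONS", "scan-1", 1, extra=["User-Agent: example-scanner/0.1"]))
    for _ in range(RTP_FLOOD_THRESHOLD + 5):
        det.rtp(49170, 1.0)                               # RTP flood on the legitimate port
    det.sip(sip_msg("BYE", "call-1", 2))                  # legitimate teardown
    det.rtp(49170, 2.0)                                   # media after the session ended
    return det.alerts
```

Running `run_demo()` yields six alerts, one per injected attack, while the legitimate INVITE/ACK/media/BYE sequence produces none. The layering matters: the signature check alone would catch only the scanner, the syntax check only the malformed request line, and only the stateful, cross-protocol layer can tell a BYE for an unknown dialog or RTP on an unnegotiated (or already torn-down) port from normal traffic, which is the gap that a signature-only or specification-only detector leaves open.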

10
Comparison With Related Work
11
State Transition Analysis
12
Extended Finite State Machines
13
System Design
14
Implementation & Simulation
  • The OMNeT++ simulator with the MMSim module is used
    to implement the design and the attacks.
  • The simulator generates background traffic, and
    attacks are injected into the traffic at random.
  • Attacks are chosen to be diverse and to have various
    targets.

15
Network Topology
16
(No Transcript)
17
Performance Evaluation
  • End-to-end delay.
  • Call setup delay.
  • Processing delay.
  • Packet loss.
  • Memory usage.

18
Performance Evaluation
19
Performance Evaluation
20
Performance Evaluation
21
Publications
  • Bazara Barry and H. Anthony Chan, "Intrusion
    Detection Systems Classifications, Implementation
    Approaches, Testing Methods, and Evaluation
    Techniques," book chapter in Handbook on
    Communications and Information Security, edited by
    Peter Stavroulakis, to be published by Springer in
    2009.
  • Bazara Barry and H. Anthony Chan, "A Signature
    Database for Intrusion Detection Systems Targeting
    Voice over Internet Protocol," accepted to appear in
    Proceedings of the 2008 IEEE Military Communications
    Conference (MILCOM08), San Diego, CA, November 2008.
  • Bazara Barry and H. Anthony Chan, "On the
    Performance of a Hybrid Intrusion Detection
    Architecture for Voice over IP Systems," in
    Proceedings of the 4th International Conference on
    Security and Privacy in Communication Networks
    (SecureComm08), Istanbul, Turkey, September 2008.
  • Bazara Barry and H. Anthony Chan, "A Hybrid,
    Stateful, and Cross-protocol Intrusion Detection
    System for Converged Applications," Springer LNCS,
    vol. 4804, OTM 2007, Part II, pp. 1616-1633,
    November 2007.
  • Bazara Barry and H. Anthony Chan, "A Cross-protocol
    Approach to Detect TCP Hijacking Attacks," in
    Proceedings of the 2007 IEEE International
    Conference on Signal Processing and Communications
    (ICSPC07), Dubai, United Arab Emirates (UAE), 24-27
    November 2007.
  • Bazara Barry and H. Anthony Chan, "Towards
    Intelligent Cross-Protocol Intrusion Detection in
    the Next Generation Networks Based on Protocol
    Anomaly Detection," in Proceedings of the 9th
    International Conference on Advanced Communication
    Technology (ICACT2007), Phoenix Park, Gangwon-Do,
    Korea, February 2007.

22
Questions & Comments