Post on 03-Jan-2016
TEL500-Voice Communications
SIP-based VoIP Traffic Behavior Profiling and Its Application
Devesh Mendiratta & Sameer Deshmukh
MS-Telecommunication
State University of New York Institute of Technology
Introduction to Paper
SIP-based VoIP traffic behavior at levels like:
SIP server entity
SIP server host
Individual user levels
Security of VoIP – attacks & vulnerability
Paper claims: little research as of now
1st attempt to understand SIP traffic behavior for attack detection
Outline
SIP Overview
Identifying SIP servers
Profiling SIP server & User Behaviors
Characteristics of Behavior
Applications
Conclusion
SIP Based VoIP Service
SIP servers and clients
SIP REGISTER
Call Proxy
Request-Response
Method field
FROM and TO fields
Identifying IP Address
Observation of SIP servers
Large No. of SIP messages
Large No. of distinct FROM and TO fields
Profiling SIP Server Behaviors
Multilevel Profiling
Three Levels:
Server host level: maintain only aggregate features and metrics by examining only the message types into and out of a SIP server
Server entity level: separate the role of a SIP server into registrar and call proxy
User level: attribute the SIP messages to individual users and maintain statistics and features to characterize individual user behaviors
Server Host Level Characterization
Count the number of request and response messages received and sent by each SIP server over a given period of time T
Count the number of unique users seen in the FROM and TO fields of SIP request messages, and compute an aggregate user activity diversity from the distribution of data over T
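The server host level counting described above, as added example code that is not from the slides or the paper. The normalized-entropy formula for the diversity metric is an assumption (the slides name the metric but give no formula), and the `example.test` users and 192.0.2.x addresses are constructed sample data.

```python
import math
import re
from collections import Counter

# From/To header (long or compact form) -> user part of the SIP URI
USER_RE = {h: re.compile(rf"^(?:{h}|{h[0]})\s*:.*?sips?:([^@>;\s]+)@", re.I | re.M)
           for h in ("From", "To")}

def parse(raw):  # -> (is_request, from_user, to_user)
    is_request = not raw.startswith("SIP/2.0 ")  # responses start with the version
    frm, to = (m.group(1) if (m := USER_RE[h].search(raw)) else None
               for h in ("From", "To"))
    return is_request, frm, to

def diversity(counts):
    """Normalized entropy in [0, 1] (assumed metric; the slides give no formula)."""
    total, n = sum(counts.values()), len(counts)
    h = -sum(c / total * math.log(c / total) for c in counts.values())
    return h / math.log(n) if n > 1 else 0.0  # zero or one user: no diversity

def profile_server(packets, server, start, T):  # window is [start, start + T)
    msgs, frm_users, to_users = Counter(), Counter(), Counter()
    for ts, src, dst, raw in packets:
        if start <= ts < start + T and server in (src, dst):
            is_req, frm, to = parse(raw)
            kind = "request" if is_req else "response"
            msgs[(kind, "in" if dst == server else "out")] += 1
            if is_req:  # users are counted on request messages only
                frm_users.update([frm] if frm else [])
                to_users.update([to] if to else [])
    return {"messages": dict(msgs), "unique_from": len(frm_users),
            "unique_to": len(to_users),
            "div_from": diversity(frm_users), "div_to": diversity(to_users)}

def msg(start_line, frm, to):  # builds a constructed SIP message head
    return (f"{start_line}\r\nFrom: <sip:{frm}@example.test>;tag=1\r\n"
            f"To: <sip:{to}@example.test>\r\n\r\n")

SERVER = "192.0.2.10"  # constructed address
REG, INV = "REGISTER sip:example.test SIP/2.0", "INVITE sip:carol@example.test SIP/2.0"
SAMPLE = [  # constructed capture: (time in s, source IP, destination IP, message)
    (1, "192.0.2.21", SERVER, msg(REG, "alice", "alice")),
    (2, SERVER, "192.0.2.21", msg("SIP/2.0 200 OK", "alice", "alice")),
    (5, "192.0.2.22", SERVER, msg(INV, "bob", "carol")),
    (6, SERVER, "192.0.2.23", msg(INV, "bob", "carol")),
    (7, "192.0.2.23", SERVER, msg("SIP/2.0 180 Ringing", "bob", "carol")),
    (9, "192.0.2.24", SERVER, msg(INV, "dave", "carol")),
    (70, "192.0.2.21", SERVER, msg(REG, "alice", "alice")),  # outside T = 60
]
print(profile_server(SAMPLE, SERVER, start=0, T=60))
```

Under this assumed metric, a window in which every request carries the same FROM user scores 0, and one in which users are evenly spread scores 1.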
Overall Server Level Characteristics
No. of message types
User activities diversity (metric)
Registrar Behavior Characteristics
Period of registration updates
Requests inter-arrival times
Call Proxy/User Call Behavior Characteristics
Calls made vs. received
Call types
Applications
Conclusion
VoIP traffic has stable characteristics
Well captured by the statistics & features of the profiles we use
Profiling – to help with attack detection
Thank You
Any Questions Undergrad ???