Detection and Mitigation of Spam in IP Telephony Networks using Signaling Protocol Analysis
MacIntosh, R; Vinokurov, D
Advances in Wired and Wireless Communication, 2005 IEEE/Sarnoff Symposium on, April 18-19, 2005

Outline

- Introduction
- Problem description
  - Voice Spam specifics
  - Anonymity
- SPIT scenarios and implications for signaling
- Statistics for signaling
- Conclusion
- Reference

Introduction

The proposed approach is based on the simple analysis of the VoIP signaling messages (set-up and termination requests).

Once implemented on the call server, the method enables service providers or enterprises to block external spam sources targeting their voice networks.

Problem description: Voice Spam specifics

- Spam over IP Telephony (SPIT)
  - Unsolicited voice messages
  - Combination of a telemarketing call and an email spam message
- Consists of two parts: signaling and media data
- Analyzing data content may be not only impractical but also illegal in many cases
- Detect the call as spam before the actual call happens, i.e. during the signaling exchange stage.

Anonymity

VoIP technology provides freedom for aliases and anonymity services.

Incoming calls can be anonymous in the sense that the recipient is unable to determine the actual caller.

Anonymity (cont)

[Figure: signaling paths from the spammer to the user through Proxy1 and Proxy2, through SGW1, SS7 and SGW2, and through a B2BUA, each annotated with the CallerID, From, Contact and Via values that reach the recipient.]

SPIT scenarios and implications for signaling

The detection of spam is based on three main constituents:
- Signaling routing data of the voice spam.
- Spam calls are unidirectional.
- Spam call termination behavior is statistically consistent.

Each call’s time and destination must be kept for further analysis.

SPIT scenarios and implications for signaling (cont)

Five states:
- Persistent telemarketer
  - Call setup requests go from the spammer to recipients, whereas termination requests flow from recipients to the spammer.
  - i.e.: Telephone polls
- Timer-conscious spammer
  - The telemarketer tries to cover as many recipients as possible, and hangs up when he figures out that his offer is unlikely to be accepted.
  - Call setup and termination requests go the same direction, from the spammer to recipients.
  - i.e.: Fax broadcasting falls into this category.

SPIT scenarios and implications for signaling (cont)

- Prerecorded message
  - SPIT is being distributed by an automated calling engine as a played message.
  - Call setup and termination requests go the same direction, from the spammer to recipients.
- Message deposited to the voice mailbox
  - Can either leave the message or terminate the session as soon as presence of voice mailbox is detected.
  - Setup and termination requests go from the spammer to the recipient’s side.

SPIT scenarios and implications for signaling (cont)

Calls set by third party

Statistics for signaling

- Every VoIP signaling protocol has its specific session setup and termination requests. For SIP, these are INVITE and BYE respectively.
- Detection statistics
- Reaction to detected SPIT
- Limitations of the identity-based statistics

Detection statistics

Monitor the VoIP signaling traffic on the recipients’ access domain Call Server (CS)

[Figure: the spammer, the call server with its local monitoring module, and the users inside the monitored network.]

Detection statistics (cont)

Maintain four stateless counters for the number of times that set-up (SET) and termination (TER) requests passed out and into the monitored network for the calls
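
A sketch of the four-counter statistic described above, added here as an example and not taken from the paper or the slides. It assumes the counters are kept per external identity, that SIP is the protocol (INVITE as SET, BYE as TER), and that the event list, the .example addresses and all thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (direction relative to the monitored network, SIP method, external party).
# "in" = request entered the monitored network, "out" = request left it.
SAMPLE_EVENTS = (
    [("in", "INVITE", "sip:promo@sell.example")] * 40       # bulk caller sets up every call
    + [("in", "BYE", "sip:promo@sell.example")] * 38        # and terminates most of them itself
    + [("out", "BYE", "sip:promo@sell.example")] * 2
    + [("in", "INVITE", "sip:alice@partner.example")] * 25  # ordinary two-way contact
    + [("out", "INVITE", "sip:alice@partner.example")] * 22
    + [("in", "BYE", "sip:alice@partner.example")] * 20
    + [("out", "BYE", "sip:alice@partner.example")] * 27
)

def count_requests(events):
    """Four counters per external identity: SET/TER requests into and out of the network."""
    counters = defaultdict(lambda: {"set_in": 0, "set_out": 0, "ter_in": 0, "ter_out": 0})
    for direction, method, party in events:
        kind = {"INVITE": "set", "BYE": "ter"}.get(method)
        if kind and direction in ("in", "out"):
            counters[party][f"{kind}_{direction}"] += 1
    return dict(counters)

def classify(c, min_calls=20, one_way=0.95, consistent=0.9):
    """Flag an identity whose set-ups are one-way and whose terminations are consistent.

    The thresholds are assumptions made for this example; the slides give no values.
    """
    setups = c["set_in"] + c["set_out"]
    terms = c["ter_in"] + c["ter_out"]
    if c["set_in"] < min_calls or terms == 0:
        return "insufficient data"
    if c["set_in"] / setups < one_way:
        return "bidirectional"
    ter_in_share = c["ter_in"] / terms
    if ter_in_share >= consistent:
        return "suspect: caller terminates"       # SET and TER flow the same direction
    if ter_in_share <= 1 - consistent:
        return "suspect: recipient terminates"    # persistent-telemarketer pattern
    return "one-way, mixed termination"

def report(events):
    """Classify every external identity seen in the event stream."""
    return {party: classify(c) for party, c in count_requests(events).items()}
```

Because the counters are keyed on the claimed identity, a caller that rotates aliases spreads its calls across many keys and stays under min_calls, which is the limitation the later slide describes.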

Detection statistics (cont)

[Figure: plot of the Sx and Tx counts (in hundreds) against time in seconds.]

Reaction to detected SPIT

- Warning: display the text warning on the phone, use special ringing tone
- Call delay: switch the caller to the recipient’s voice mail, reject the request and report the callerID and the call at a later time as a missed one
- Call cancellation: drop the call setup on behalf of recipient

Limitations of the identity-based statistics

The spammer can try to hide his real identity from the recipient.

The spammer's identity could be a temporarily assumed username.

One assumption that could be made is that the spammer's identity is constant for a reasonable time period; however, this is the most serious limitation for any approach based on per-user statistics.

Conclusion

The SPIT detection and blocking method presented in this paper has a number of technological advantages.

It relies exclusively on the local policy of the service provider or enterprise protecting its voice network, and can be implemented as a stand-alone module in various elements of the voice network.

Reference

- Signaling System 7 (SS7), Encyclopedia of Technology Terms
- RFC 3515, The Session Initiation Protocol (SIP) Refer Method
- RFC 3398, Integrated Services Digital Network (ISDN) User Part (ISUP) to Session Initiation Protocol (SIP) Mapping
- B2BUA (draft-marjou-sipping-b2bua-00), Requirements for a Session Initiation Protocol (SIP) Transparent Back-To-Back User-Agent (B2BUA)