
[IEEE 2014 Applications and Innovations in Mobile Computing (AIMoC) - Kolkata, India (2014.02.27-2014.03.1)] 2014 Applications and Innovations in Mobile Computing (AIMoC) - Performance


Performance analysis of VoIP spoofing attacks using classification algorithms

G. Vennila, N. Supriya Shalini, Department of Electronics and Communication Engineering, Thiagarajar College of Engg., Madurai, India

MSK. Manikandan, Department of Electronics and Communication Engineering, Thiagarajar College of Engg., Madurai, India

Abstract - Voice over Internet Protocol (VoIP) is an emerging trend of applications on the internet today. As with any recent technology, VoIP also introduces both fortuity and problems. Existing VoIP honeypot experimental set-ups based on SIP (Session Initiation Protocol) deal with basic attacks like DoS (Denial of Service), enumeration detection, signature collection and SPIT (Spam over Internet Telephony). These VoIP service abuse attacks cause discrepancy between the services offered to the VoIP users and service providers. We executed successive attempts with different sets of attributes and sample subsets to collect exact traffic records used for detecting and categorizing the attack packets using a honeypot. Finally, the two algorithms are compared by their true and false positive rates. For result analysis, we propose a test-bed using Zoiper (SIP clients), Asterisk server, Artemisa honeypot and Wireshark as network analyzer. The test-bed demonstrates how the honeypot effectively works in improving the robustness of the VoIP security system against billing attacks and toll frauds.

Keywords -VoIP Honeypot, VoIP Service abuse attack, Registration hijacking, Invite replay attack, Bye Delay Attack, Fake Busy attack

I. INTRODUCTION

The tremendous growth of VoIP is driven by its several fundamental benefits over the traditional Public Switched Telephone Network (PSTN). Even if VoIP offers lesser expenditure and superior flexibility, it also introduces major risks and vulnerabilities [1]. There remains a great deal of research which still needs to be carried out into the particular problems that need to be solved for VoIP networks to be a technical and commercial success. The non-deterministic nature of the Internet, and the impact which this specifically has on voice traffic, is one major area of concern. Inherent problems with security due to the open standard of public IP networks are also of equal importance. Current VoIP applications tackle this problem by introducing new algorithms and tools.

This paper focuses on the challenges and impact of employing security services in VoIP networks by using a honeypot. The honeypot detects the incoming packets and categorizes them after a feature extraction phase. In this paper we compare two decision algorithms, Naive Bayes’ and the C4.5 Decision tree classifier, and evaluate their performance by their true/false positive rates. In the remainder of this paper, section II gives the related work. Section III gives a brief overview of the VoIP architecture. Section IV summarizes the VoIP threat model. Section V deals with the experimental setup and section VI with performance analysis of the classifier algorithms. Section VII concludes the paper.

II. RELATED WORK

A number of vulnerabilities in SIP can influence billing records in various ways, which illustrates their relevance to real commercial VoIP providers. The main focus is primarily on attacks that create invoice inconsistencies. Ruishan Zhang focuses on four kinds of billing attacks that may result in charges for calls that the users have not made, or in overcharges on calls that the users have made. The paper concludes with a set of subscribers that are susceptible to these kinds of billing attacks [1]. S. Niccolini proposed a prototype using Snort, an Intrusion Detection and Prevention System (IDPS). The proposed architecture extends the functionality of Snort by introducing pre-processing features to analyze protocols over TCP/UDP. This proposed prototype increases QoS by forwarding the voice traffic without delay of service [2]. The use of SIP-specific honeypots to catch attacks targeting internet telephony systems, protocols and applications is presented in [3].

The design and implementation of such a honeypot system explore the use of a statistical engine for identifying attacks and other misbehavior, based on training on legitimate traces of SIP traffic. The working model depends on Bayesian inference and motivates the need for a VoIP honeypot by introducing functional scenarios to bring realistic benefits. A honeyphone which controls a rich set of network tools with an application programming interface is used. The AVISPA Tool is a push-button tool used to identify a protocol level vulnerability in the way SIP handles authentication [4] [5]. AVISPA is a model checker for validating security protocols and applications using a high level protocol specification language that gets compiled into an intermediate format that can be consumed by a number of lower level checkers. Attacks are possible with the SIP digest authentication, whereby an adversary can reuse another party's credentials to obtain unauthorized access to SIP or PSTN services. This attack is possible since authentication may be demanded in response to an INVITE message at any time during a call, and the responder may issue an INVITE message during a call either automatically or through a user action. While the solution is simple, it requires changes possibly to all end device SIP implementations.

Decision under uncertainty is made using probability theory. It is a great issue to classify raw data logically to reduce the expected hazard with the help of Bayes’ rule. It is based on the past and future data. In K-nearest neighbor the result of a new instance query is handled. A review of Naive Bayes’ and K-nearest neighbor classifiers is done and their performance is observed [6]. Intrusion detection speed and computational cost also play a vital role, because datasets are huge and the impact of the attacker varies day to day. The Bayes’ and KNN classifier is a simple and fast feature selection method. It eradicates features with no helpful information in them, and omitting these redundant features results in a faster learning process [7]. How information regarding possible confidentiality violating rules can be used to alter the IDS rule sets, to reduce the estimated amount of data confidentiality destruction during normal operation, is discussed in [8]. Data mining algorithms are being applied in building IDS to protect computing resources against unauthorized access. Most of the solutions are used to detect and further classify attacks into four categories, Denial of Service (DoS), U2R (User to Root), R2L (Remote to Local) and probe, and to reduce the false alarm rate of IDS [9]. The experimental results using the KDD99 data set show that while Naive Bayes' is one of the most efficient classifiers, decision trees are more attractive as far as the detection of new attacks is concerned [10].

In general, attacks are detected by using different types of tools that provide alerts to the administrators. But most attackers escape from those tools because they are mostly rule-based [11]. Nowadays enhanced attack detection techniques have become vital for the VoIP network. SIP based VoIP systems have many security problems and effects related to confidentiality, integrity and availability. The attacks on the SIP system, such as registration hijacking, impersonating a proxy, DoS and spam, are discussed in [12]. Authentication mechanisms are established for hop-to-hop and end-to-end security to protect against registration hijacking. This attack allows performing toll fraud and call hijacking [13]. The proposed system uses the labeled data set from the honeypot and not any pre-defined data set as in existing IDS. Thus the honeypot data are more valuable than that of the signature based collection algorithms.

III. PROPOSED VOIP SYSTEM ARCHITECTURE

The VoIP architecture is composed of Zoiper clients, SIP proxy server (Asterisk), gateways, and VoIP honeypots as shown in Fig.1. VoIP has been employed with a variety of protocols such as SIP, Real time Transport Protocol (RTP), and Session Description Protocol (SDP) etc. VoIP systems make use of session control and signaling protocols to have power over the signaling, set-up and tear-down of calls. The fundamental operation of VoIP is to transmit the voice signal in digital form in packets rather than as signals in PSTN. The RTP protocol is used to transfer audio and video streams over IP networks.

Fig.1 Proposed VoIP architecture with honeypot

When the voice packets of VoIP calls are distributed and interpreted over the unsecured public network, the VoIP packets are more easily endangered by the attacker. Therefore, the aim of this paper is to detect and classify the occurrence of service abuse attacks using a honeypot. Honeypots are traps set for the attacker. In a honeypot system the first entity to communicate with the attacker is the honeypot rather than the server itself. The honeypot gathers all the useful credentials from the attacker and the attack patterns or methodologies. The proposed architecture consists of ten clients with a server and a honeypot connected to the internet. In this paper the honeypot uses two kinds of algorithms to classify the attack packets and compares the performance of the two algorithms based on attributes collected by it.

IV. VOIP THREATS

The most significant weakness in the VoIP network is the service abuse attack, which makes calls with no permission or extends the length of a call. This results in either charges for calls the VoIP users have not made or overcharges on the VoIP calls the users have made. The following subsections summarize how VoIP service abuse threats are generated in the proposed VoIP system architecture.

A. Registration Hijacking

A SIP registration hijack is implemented by an attacker by hindering a legitimate SIP client registration and replacing it with the attacker IP address instead. This allows the attacker to interrupt incoming calls and reroute, replay or terminate calls as they desire. In the proposed method, the SIP registration method permits a user agent to make itself known to the registrar server at which the user is sited. The registrar assesses the identity in the FROM header field of a REGISTER message to determine whether this request will be capable of modifying the contact addresses associated with the address in the TO header field. The FROM field of a SIP request is customized by chance by the real User Agent, and this opens the door to malicious registrations. This results in attackers gaining the ability to place calls over the VoIP system or redirecting legitimate calls to a malicious user’s device.

B. INVITE Replay attack

Invite Replay billing attacks endeavor to construct unregistered calls by replaying the interrupted INVITE method. This kind of billing attack takes benefit of the execution errors of the default functionality (no acknowledgement is sent in return) of SIP authentication. Even if the INVITE methods are shielded by SIP authentication it could be successful.

B. Fake Busy Attack

Fake Busy billing attack purposely seizes VoIP calls of intended VoIP subscribers and controls the call length (duration). The call attempted by the VoIP subscriber may fall short, and yet the VoIP subscriber will be charged for a duration determined by the attacker. According to Fig.2 the MITM sends a fake BUSY method to the actual user, takes charge of the transaction and starts communicating with the server as if it is the actual user.

Fig. 2 Service abuse attack

C. Bye Delay Attack

Bye Delay billing attack hunts for evidently extended duration of established calls linking targeted VoIP subscribers by interrupting the BYE messages. Here, the MITM intercepts the BYE message when a caller or callee communicates with its SIP server and sends back a 200 OK message. This may give the caller or callee an impression of a successfully ended call. But actually the call is in the hands of the man in the middle. Thereby the user will be charged for the call that the attacker has planned for.

D. BYE Drop attack

Bye Drop billing attack lengthens the duration of established calls by introducing anonymous BYE messages in the communication among user agents. Its mechanism is analogous with the previously discussed Bye delay spoofing attack. The attacker drops fake BYE messages in the transaction thereby deceiving the server as if the transaction has ended.

V. EXPERIMENTAL SET-UP

In our experimental test bed Artemisa and Zoiper are used as honeypot and SIP clients who are registered with the Asterisk SIP server as shown in Fig.3. To showcase the accurate voice traffic result we have been analyzing them on the basis of call volume, call transfer and call hold time. To get in depth about the attack analysis of our experiment, Wireshark is used, which pinpoints the packet flow in VoIP networks. It also lays emphasis on the SIP packet flow.

Fig. 3 Experimental Test Bed

As a result we have at last taken into account about 10 nodes and monitor their whole transaction and that of the SIP server using Wireshark.

A. Data Collection

Collecting an accurate dataset for performing decision tree analysis is a tedious task. Data collection and pre-processing often consume the majority of the time in our research. For the experiment, the honeypot is monitored for a period of one week, which assists in detailed performance analysis to classify the attributes.

B. Feature Extraction

The data captured from the honeypot is extracted for labeling as shown in table I. Feature extraction depends on the data source and category of attack to be detected. Artemisa is bait that performs tricks on a system or service without being part of the production itself. The fundamental aim of a honeypot is to study the behavior of intruders who interact with the SIP servers. The honeypot analyses the data originated in the SIP logs. According to the proposed scripting rules in Artemisa, features are extracted and labeled. Features are classified into three types,

• Fundamental features related to connection
  • Type of protocol used, call duration, via, From IP, To IP, etc.,
• Traffic features related to conflicts from normal secure setup
  • No. of calls from same IP, no. of unregistered calls, no. of failed packets, etc.,
• Misconception features related to SIP session status codes
  • 4xx Client error, 5xx Server error, 3xx redirection, etc.,

These attributes are used in detecting any discrepancies in the VoIP environment.
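The three feature groups above, computed per client IP from raw SIP messages, as an added example that is not the paper's or Artemisa's code. The capture, the addresses, the registered-user set and the feature names are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

SERVER = "192.0.2.10"  # assumed SIP server address (documentation range)
REGISTERED = {"sip:alice@example.test", "sip:bob@example.test"}  # assumed registrar state

REQUEST = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
RESPONSE = re.compile(r"^SIP/2\.0 (\d{3})\b")
AOR = re.compile(r"<([^>;]+)")


def msg(start, frm, call_id):
    """Build a minimal constructed SIP message for the sample capture."""
    return f"{start}\r\nFrom: <{frm}>;tag=1\r\nCall-ID: {call_id}\r\n\r\n"


# Constructed capture: (source IP, destination IP, raw message).
CAPTURE = [
    ("198.51.100.7", SERVER, msg("INVITE sip:bob@example.test SIP/2.0", "sip:alice@example.test", "c1")),
    (SERVER, "198.51.100.7", msg("SIP/2.0 200 OK", "sip:alice@example.test", "c1")),
    ("198.51.100.7", SERVER, msg("BYE sip:bob@example.test SIP/2.0", "sip:alice@example.test", "c1")),
    ("203.0.113.9", SERVER, msg("INVITE sip:bob@example.test SIP/2.0", "sip:mallory@example.test", "c2")),
    (SERVER, "203.0.113.9", msg("SIP/2.0 403 Forbidden", "sip:mallory@example.test", "c2")),
    ("203.0.113.9", SERVER, msg("INVITE sip:alice@example.test SIP/2.0", "sip:mallory@example.test", "c3")),
    (SERVER, "203.0.113.9", msg("SIP/2.0 404 Not Found", "sip:mallory@example.test", "c3")),
    ("203.0.113.9", SERVER, msg("REGISTER sip:example.test SIP/2.0", "sip:bob@example.test", "c4")),
    (SERVER, "203.0.113.9", msg("SIP/2.0 401 Unauthorized", "sip:bob@example.test", "c4")),
    ("203.0.113.9", SERVER, "NOT SIP\r\n\r\n"),
]


def parse_sip(raw):
    """Return method or status plus headers, or None if the start line is not SIP."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    m = REQUEST.match(lines[0])
    if m:
        return {"method": m.group(1), "status": None, "headers": headers}
    m = RESPONSE.match(lines[0])
    if m:
        return {"method": None, "status": int(m.group(1)), "headers": headers}
    return None


def extract_features(capture, server=SERVER, registered=REGISTERED):
    """Count per-client features; responses are charged to the client they answer."""
    feats = defaultdict(Counter)
    for src, dst, raw in capture:
        client = dst if src == server else src
        parsed = parse_sip(raw)
        if parsed is None:
            feats[client]["malformed"] += 1          # traffic feature: failed packets
            continue
        if parsed["method"]:
            feats[client][parsed["method"].lower()] += 1   # fundamental: request method
            m = AOR.search(parsed["headers"].get("from", ""))
            caller = m.group(1) if m else None
            if parsed["method"] == "INVITE" and caller not in registered:
                feats[client]["unregistered_calls"] += 1   # traffic feature
        else:
            feats[client][f"{parsed['status'] // 100}xx"] += 1  # status-code feature
    return feats


if __name__ == "__main__":
    for ip, counts in extract_features(CAPTURE).items():
        print(ip, dict(counts))
```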

TABLE I. COLLECTION OF LABELED ATTRIBUTES

Duration of the call | Time of call answered/ended | Failed_for packets
Request/Response method | Timeout packets | BUSY methods
Source/Destination IP packet count | Status of the call (COMPLETED / ANSWERED / REJECTED / CANCELLED / BUSY) | INVITE methods
Timestamp between the packets | Protocol used | BYE methods
Packets per day | Registered users | Registration request per day
Registration_Failed packets | Not Matching peer found packets | Via
Unauthorized IPs | Bytes per second | Caller ID
Packet rate | Average packet size | Contact
Packet inter arrival time | Forwarded calls | Forbidden messages

C. Proposed algorithm

This paper considers two classifier algorithms namely Naive Bayes’ and C4.5 Decision tree algorithm for performance analysis of VoIP service abuse attacks.

1) Naive Bayes’ classifier

A Naive Bayesian classifier is a simple and powerful classifier with independent assumptions. The incoming packets from Artemisa classify and assume a set of monitored attributes for instance $B$. The proposed algorithm estimates the posterior probability that an attack packet is classified under $A_j$ with each class A1 - Registration Hijacking, A2 - Invite Replay, A3 - Fake Busy and A4 - Bye Delay as stated in Eq.1.

$$p(A_j/B) = \frac{p(B/A_j)\,p(A_j)}{p(B)} \qquad (1)$$

Where,

$p(A_j/B)$ = probability of instance B being in class Aj,

$p(B/A_j)$ = probability of generating instance B given class Aj,

$p(A_j)$ = probability of occurrence of class Aj,

$p(B)$ = probability of instance B occurring

Our experimental results for Service abuse attack are computed from Eq.2. Naive Bayes’ classifiers assume attributes have independent distributions, and thereby estimate

$$p(B/A_j) = p(B_1/A_j) * p(B_2/A_j) * \ldots * p(B_n/A_j) \qquad (2)$$

Where,

$p(B/A_j)$ = probability of class Aj generating attack instance B

$p(B_i/A_j)$ = probability of class Aj generating the observed value for attribute B1, B2….Bn.

When the honeypot receives the voice packets, it decides the incoming packets are of a Fake_BUSY attack when the probabilities of attributes like no. of unregistered calls, no. of fake BUSY methods, no. of unauthorized IPs, packet inter arrival time and no. of forwarded calls are HIGH as mentioned in Eq.3.

p(Fake_BUSY_attack/Aj) = p(no_of_Fake_BUSY_packets = HIGH/Aj) * p(no_of_Unauthorized_IPs = HIGH/Aj) * p(no_of_fwd_calls = HIGH/Aj) * p(packet_inter_arrival_time = HIGH/Aj) (3)
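Eq.1 to Eq.3 carried through in code, as an added example that is not the paper's implementation. The training samples are constructed, the attribute order follows Eq.3, and the add-one (Laplace) smoothing of the per-attribute probabilities is an assumption that the paper does not describe.

```python
from collections import Counter, defaultdict
from math import prod

# Attributes of Eq.3, each discretised to HIGH or LOW.
ATTRS = ("fake_busy_packets", "unauthorized_ips", "fwd_calls", "packet_inter_arrival_time")
LEVELS = ("HIGH", "LOW")
CLASSES = {
    "A1": "Registration Hijacking",
    "A2": "Invite Replay",
    "A3": "Fake Busy",
    "A4": "Bye Delay",
}

# Constructed labelled samples: (levels in ATTRS order, class).
TRAIN = [
    (("LOW", "HIGH", "LOW", "LOW"), "A1"),
    (("LOW", "HIGH", "LOW", "HIGH"), "A1"),
    (("LOW", "LOW", "LOW", "LOW"), "A2"),
    (("LOW", "HIGH", "LOW", "LOW"), "A2"),
    (("HIGH", "HIGH", "HIGH", "HIGH"), "A3"),
    (("HIGH", "HIGH", "HIGH", "LOW"), "A3"),
    (("LOW", "LOW", "LOW", "HIGH"), "A4"),
    (("LOW", "LOW", "HIGH", "HIGH"), "A4"),
]


def train(samples):
    """Estimate p(Aj) and a function returning p(Bi = v / Aj)."""
    class_counts = Counter(label for _, label in samples)
    value_counts = defaultdict(Counter)  # (class, attribute index) -> level counts
    for values, label in samples:
        for i, v in enumerate(values):
            value_counts[(label, i)][v] += 1
    priors = {c: n / len(samples) for c, n in class_counts.items()}

    def likelihood(c, i, v):
        # Add-one smoothing so an unseen level never zeroes the product in Eq.2.
        return (value_counts[(c, i)][v] + 1) / (class_counts[c] + len(LEVELS))

    return priors, likelihood


def posterior(model, values):
    """Return p(Aj / B) for every class, following Eq.1 with Eq.2 for p(B / Aj)."""
    priors, likelihood = model
    joint = {
        c: priors[c] * prod(likelihood(c, i, v) for i, v in enumerate(values))
        for c in priors
    }
    p_b = sum(joint.values())  # p(B): total probability over all classes
    return {c: j / p_b for c, j in joint.items()}


def classify(model, values):
    """Pick the class with the highest posterior probability."""
    post = posterior(model, values)
    return max(post, key=post.get)


MODEL = train(TRAIN)

if __name__ == "__main__":
    sample = ("HIGH", "HIGH", "HIGH", "HIGH")
    for c, p in sorted(posterior(MODEL, sample).items()):
        print(f"{c} {CLASSES[c]:<24} {p:.3f}")
    print("decision:", classify(MODEL, sample))
```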

2) C4.5 Decision Tree algorithm

The C4.5 model divides samples or training data on the basis of the collected features as listed in table I. The procedure will continue until the sample subset cannot be split. At last, the lowest level splits are examined and those samples that don’t contribute noteworthy input to the model are discarded. The C4.5 algorithm makes its decision from the Artemisa result, which consists of a set of labelled data.

The training data is a set $t_1, t_2, t_3, \ldots, t_n$ of previously classified samples. Every sample $t_i$ consists of a p-dimensional vector $(V_{1,n}, V_{2,n}, V_{3,n})$ where $V_i$ stands for attributes or features of the sample over and above the class in which $t_i$ falls. The algorithm chooses the attribute that most efficiently splits the set of samples into small subsets supplementing in one class or the other at each node of the proposed VoIP set-up. The feature with the highest normalized information gain is preferred to formulate the decision. The C4.5 algorithm then recurses on the minor subsets [14].
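The split rule described above (highest normalized information gain, then recursion on the subsets), as an added example that is not the paper's code. The samples, attribute names and class labels are constructed assumptions, attributes are categorical only, and C4.5's pruning step is left out.

```python
from collections import Counter
from math import log2

ATTRS = ["unauthorized_ip", "busy_methods", "bye_methods"]


def row(unauth, busy, bye, label):
    """One constructed labelled sample t_i: attribute values plus its class."""
    return ({"unauthorized_ip": unauth, "busy_methods": busy, "bye_methods": bye}, label)


DATA = [
    row("no", "LOW", "LOW", "normal"),
    row("no", "LOW", "LOW", "normal"),
    row("no", "HIGH", "LOW", "normal"),
    row("no", "LOW", "HIGH", "normal"),
    row("yes", "HIGH", "LOW", "fake_busy"),
    row("yes", "HIGH", "LOW", "fake_busy"),
    row("yes", "LOW", "HIGH", "bye_delay"),
    row("yes", "LOW", "HIGH", "bye_delay"),
]


def entropy(values):
    """Shannon entropy in bits of a list of labels or attribute values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def partition(samples, attr):
    """Group samples by the value they take for attr."""
    parts = {}
    for feats, label in samples:
        parts.setdefault(feats[attr], []).append((feats, label))
    return parts


def gain_ratio(samples, attr):
    """Information gain of splitting on attr, normalized by the split information."""
    n = len(samples)
    remainder = sum(
        len(part) / n * entropy([label for _, label in part])
        for part in partition(samples, attr).values()
    )
    gain = entropy([label for _, label in samples]) - remainder
    split_info = entropy([feats[attr] for feats, _ in samples])
    return gain / split_info if split_info > 0 else 0.0


def build(samples, attrs):
    """Return a class label (leaf) or a node dict splitting on the best attribute."""
    labels = [label for _, label in samples]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority
    best = max(attrs, key=lambda a: gain_ratio(samples, a))
    if gain_ratio(samples, best) <= 0:
        return majority  # no attribute separates the classes any further
    rest = [a for a in attrs if a != best]
    children = {v: build(part, rest) for v, part in partition(samples, best).items()}
    return {"attr": best, "default": majority, "children": children}


def classify(tree, feats):
    """Walk the tree; an unseen attribute value falls back to the node's majority class."""
    while isinstance(tree, dict):
        tree = tree["children"].get(feats.get(tree["attr"]), tree["default"])
    return tree


TREE = build(DATA, ATTRS)

if __name__ == "__main__":
    for a in ATTRS:
        print(f"{a:<16} gain ratio = {gain_ratio(DATA, a):.3f}")
    print(TREE)
```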

VI. PERFORMANCE ANALYSIS OF THE PROPOSED CLASSIFIER ALGORITHM

In this section, we recapitulate our experimental results to identify the VoIP service abuse threats for intrusion detection. Experimental results are presented in terms of the true positive, false positive, true negative and false negative for incoming packets. This accomplishes the good level of inequity from normal data in the honeypot. The proposed classification increases the accuracy of true positive rates.

The flow graph shown in Fig.4 represents the working model of the proposed technique and the corresponding procedure is illustrated as follows,

1. The Artemisa honeypot setup will be the initial unit of our proposed test bed that communicates with all the inward bound voice packets and identifies the malicious incomes.

2. Feature extraction phase proposed in the honeypot which includes,

a. Creating labelled data set from the received packets like call_duration, registration_failed_packets, unauthorized_ip, etc.,

b. Discovering attribute subsets for analogous instances.

c. Identify and analyze relevant attributes for classification of VoIP threats mentioned in section IV.

3. The infected packets are then sent to the proposed classifier algorithm. Our proposed methodology will now identify and trap the attacker and also classifies the attack packets.

4. Then performance analyses with the two classifiers are done and the results are charted.

Fig.4 Flow graph for proposed system

Fig. 5 Detection rates of classification algorithm

Figure.5 emphasis the detection rates of the two classification algorithms. The classification algorithm works with the help of received packets on Registration hijacking, INVITE replay frames, fake BUSY attacks and fake BYE messages.

Fig. 6 Packet classification of service abuse attack

Figure.6 shows the number of packets identified under service abuse attacks. Out of 19,821 packets received at the SIP server for a period of one week, 2,161 packets were categorized under the number of unregistered calls protruding the SIP server. 12,038 packets were categorized under fake BUSY/BYE/CANCEL methods, 2,680 packets under failed category, and the remaining 2,942 packets include other factors for service abuse attacks.

���

Page 6: [IEEE 2014 Applications and Innovations in Mobile Computing (AIMoC) - Kolkata, India (2014.02.27-2014.03.1)] 2014 Applications and Innovations in Mobile Computing (AIMoC) - Performance

TABLE II. DETECTION RATES OF CLASSIFIER ALGORITHM

Algorithm | True Positive (Normal) | True Positive (Attack) | False Positive (Normal) | False Positive (Attack)
Naive Bayes’ | 0.983 | 0.978 | 0.134 | 0.083
C4.5 Decision Tree | 0.994 | 0.962 | 0.006 | 0.056

The data identified as attack packets make sure that it results in enhanced security of the SIP server to the maximum level. Table II depicts the performance comparison of the observed results for the two classification algorithm.

VII. CONCLUSION

From the classified results, Asterisk server takes action over the packets either to accept or drop using the suspicion algorithm. The suspicion technique proposed here is more predictive towards attacks. This paper analyzes and categorizes a large volume of honeypot data and compares the true and false positive rates of the two classification algorithms. Thus the proposed technique augments the robustness of the VoIP network with Artemisa by preventing service abuse attacks to a greater extent.

REFERENCES

[1] R. Zhang, X. Wang, X. Yang, and X. Jiang. Billing Attacks on SIP-based VoIP Systems. In Proceedings of the 1st USENIX workshop on Offensive Technologies, pages 1–8, August 2007.

[2] S. Niccolini, R. G. Garroppo, S. Giordano, G. Risi, and S. Ventura. SIP Intrusion Detection and Prevention: Recommendations and Prototype Implementation. In Proceedings of the 1st IEEE Workshop on VoIP Management and Security (VoIP MaSe), pages 47–52, April 2006.

[3] M. Nassar, R. State, O. Festor. VoIP Honeypot Architecture. In Proceedings of the 10th IFIP/IEEE International Symposium on Integrated Network Management, pages 109–118, May 2007.

[4] H Abdelnur, T Avanesov, M Rusinowitch, Abusing SIP Authentication, Fourth International Conference on Information Assurance and Security (ISIAS '08), pp. 237 - 242, 2008.

[5] R. State, O. Festor, H. Abdelanur, V. Pascual, J. Kuthan, R. Coeffic, J. Janak, and J. Floroiu SIP digest authentication relay attack. draft-state-sip-relay-attack-00, March 2009

[6] M.J Islam, Q.M. J Wu, M Ahmadi, M. A Sid-Ahmed, "Investigating the Performance of Naive- Bayes Classifiers and K- Nearest Neighbor Classifiers", International Conference on Convergence Information Technology, pp.1541 - 1546, 2007

[7] S. Parsazad,E. Saboori, A. Allahyar " Fast Feature Reduction in intrusion detection datasets", MIPRO, 2012 Proceedings of the 35th International Convention, pp.1023 - 1029, 2012

[8] M Ulltveit , V. Oleshchuk, Privacy Violation Classification of Snort Ruleset , 2010 18th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp.654 - 658, 2010

[9] H Om, A. Kundu, "A hybrid system for reducing the false alarm rate of anomaly intrusion detection system", 2012 1st International Conference on Recent Advances in Information Technology (RAIT), pp.131 - 136, March 2012.

[10] M. Panda, M.R Patra, M.R, A Comparative Study of Data Mining Algorithms for Network Intrusion Detection , ICETET '08 First International Conference on Emerging Trends in Engineering and Technology, pp. 504 - 507, July 2008.

[11] T Subbulakshmi, A.F Afroze, Multiple learning based classifiers using layered approach and Feature Selection for attack detection, International Conference on Emerging Trends in Computing, Communication and Nanotechnology (ICE-CCN), pp.308 - 314, March 2013.

[12] S Liancheng , J Ning, Research on Security Mechanisms of SIP-Based VoIP System, Ninth International Conference on Hybrid Intelligent Systems, pp. 408 - 410, Aug. 2009

[13] Si Duanfeng, Q Long , Han Xinhui, Zou Wei, Security mechanisms for SIP-based multimedia communication infrastructure, International Conference on Communications, Circuits and Systems (ICCCAS 2004), pp.575 - 578, June 2004

[14] R. Quinlan, “C4.5: Programs for Machine Learning,” Morgan Kaufmann Publishers, San Mateo, CA, 1993.