11.1 Introduction
Voice over Internet Protocol (VoIP) allows users to make phone calls over the Internet, or any other IP network, using a packet-switched network as the transmission medium rather than the circuit-switched connections of the Public Switched Telephone Network (PSTN). The maturity of VoIP standards such as SIP [1], together with quality of service (QoS) support on IP networks, opens up new possibilities for carriers as well as enterprises. Consolidating voice and data on one network maximizes network efficiency, streamlines the network architecture, reduces capital and operational costs, and opens up new service opportunities. At the same time, VoIP enables new multimedia services, such as Web-enabled multimedia conferencing and unified messaging, at much lower cost.
VoIP offers compelling advantages, but it also presents a security paradox: the very openness and ubiquity that make IP networks such powerful infrastructures also make them a liability. Risks include denial of service (DoS), service theft, unauthorized call monitoring, call routing manipulation, identity theft, and impersonation, among others. Not only does VoIP inherit all the security risks of data networks, it also introduces new attack vehicles through the plethora of emerging VoIP protocols that have yet to undergo detailed security analysis and scrutiny. There have been several reported incidents and many alerts regarding VoIP attacks and vulnerabilities (e.g., [2,3]). It is therefore imperative for VoIP service operators to deploy scalable monitoring and defense systems that shield their VoIP infrastructure and protect their services and users against potential attacks. Problem diagnosis is equally essential to ensure the robustness of VoIP services.
Despite the importance of VoIP problem diagnosis and security, relatively little research has analyzed the behavior characteristics of SIP traffic, the critical control flow of VoIP services, to help design effective problem diagnosis tools and attack detection mechanisms. This chapter is the first attempt at understanding SIP traffic behavior based on traces from an operational VoIP service. In particular, we develop a novel multilevel profiling methodology for characterizing SIP traffic behavior, with the objective of identifying behavior anomalies for problem diagnosis and attack detection. Our methodology characterizes VoIP service activities by extracting and profiling a large variety of traffic features and metrics at three different levels in a progressively refined manner: (i) SIP server host characterization, which provides a broad view of server behavior by monitoring and keeping statistics related only to message types (request vs. response) and user activity diversity; (ii) server entity characterization, which provides a functional analysis of server activities by separating their logical roles into registrar, call proxy, and so forth; and (iii) individual user characterization, which maintains more detailed profiles of individual user activities. Depending on their needs and requirements, VoIP service operators may choose to profile server and user activities at different levels. In other words, our methodology allows us to balance the speed of profiling, the resource consumption, the desired sophistication of behavior characteristics, and finally the level of security to be offered, based on the specific objectives and needs of the VoIP service operator. Using real-network SIP traffic traces, we illustrate the characteristics of SIP-based VoIP traffic behavior in an operational network and demonstrate the effectiveness of our general profiling methodology. Moreover, we show through a case study how our profiling methodology can help identify performance anomalies. We also develop a profiling-based anomaly detection algorithm and demonstrate its efficacy in detecting potential VoIP attacks in real time through testbed experimentation.
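The three profiling levels sketched above, as an added example that is not the chapter's own code: a small Python profiler run over a constructed SIP trace. The server at 10.0.0.1, the users alice, bob and mallory, the method-to-role map, the failure-ratio metric and the server-discovery rule used here (a host that receives requests from at least two distinct users) are all illustrative assumptions; the chapter's own server-discovery heuristic is presented in Section 11.3 and is not reproduced here.

```python
# Three-level SIP profiler over a constructed trace: an added example, not the chapter's
# code. Trace, addresses, role map and discovery threshold are illustrative assumptions.
import re
from collections import Counter, defaultdict
from itertools import takewhile

S, ALICE, BOB, MALLORY = "10.0.0.1", "10.0.0.11", "10.0.0.12", "10.0.0.13"
A, B, M, D = "alice@example.net", "bob@example.net", "mallory@example.net", "example.net"

def req(method, ruri, frm, to, cseq):  # minimal SIP request (constructed)
    return (f"{method} sip:{ruri} SIP/2.0\r\nFrom: <sip:{frm}>\r\n"
            f"To: <sip:{to}>\r\nCSeq: {cseq} {method}\r\n\r\n")

def resp(code, reason, method, frm, to, cseq):  # CSeq names the answered method
    return (f"SIP/2.0 {code} {reason}\r\nFrom: <sip:{frm}>\r\n"
            f"To: <sip:{to}>\r\nCSeq: {cseq} {method}\r\n\r\n")

# Constructed trace of (src_ip, dst_ip, raw message): two registrations, one
# alice->bob call torn down by bob, then three registrations rejected for mallory.
TRACE = [
    (ALICE, S, req("REGISTER", D, A, A, 1)),
    (S, ALICE, resp(200, "OK", "REGISTER", A, A, 1)),
    (BOB, S, req("REGISTER", D, B, B, 1)),
    (S, BOB, resp(200, "OK", "REGISTER", B, B, 1)),
    (ALICE, S, req("INVITE", B, A, B, 2)),
    (S, ALICE, resp(100, "Trying", "INVITE", A, B, 2)),
    (S, BOB, req("INVITE", B, A, B, 2)),
    (BOB, S, resp(200, "OK", "INVITE", A, B, 2)),
    (S, ALICE, resp(200, "OK", "INVITE", A, B, 2)),
    (ALICE, S, req("ACK", B, A, B, 2)),
    (S, BOB, req("ACK", B, A, B, 2)),
    (BOB, S, req("BYE", A, B, A, 1)),
    (S, ALICE, req("BYE", A, B, A, 1)),
    (ALICE, S, resp(200, "OK", "BYE", B, A, 1)),
    (S, BOB, resp(200, "OK", "BYE", B, A, 1)),
] + 3 * [(MALLORY, S, req("REGISTER", D, M, M, 1)),
         (S, MALLORY, resp(403, "Forbidden", "REGISTER", M, M, 1))]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")
USER_RE = re.compile(r"sip:([^@>;]+)@")
ROLE_OF_METHOD = {"REGISTER": "registrar", **dict.fromkeys(("INVITE", "ACK", "BYE", "CANCEL"), "call_proxy")}

def parse(raw):
    """Return kind (request/response), method, status code and From user."""
    start, *rest = raw.split("\r\n")
    headers = {k.strip().lower(): v.strip()  # header block ends at the blank line
               for k, _, v in (l.partition(":") for l in takewhile(bool, rest))}
    user = USER_RE.search(headers.get("from", ""))
    msg = {"user": user.group(1) if user else None, "code": None}
    if m := REQUEST_LINE.match(start):
        msg.update(kind="request", method=m.group(1))
    elif m := STATUS_LINE.match(start):  # a response's method comes from CSeq
        cseq = headers.get("cseq", "").split()
        msg.update(kind="response", code=int(m.group(1)), method=cseq[-1] if cseq else "?")
    else:
        raise ValueError(f"not a SIP start line: {start!r}")
    return msg

def profile_hosts(trace):
    """Level 1: per-host request/response counts by direction and user diversity."""
    hosts, users = defaultdict(Counter), defaultdict(set)
    for src, dst, raw in trace:
        msg = parse(raw)
        kind = "req" if msg["kind"] == "request" else "resp"
        hosts[src][f"{kind}_out"] += 1
        hosts[dst][f"{kind}_in"] += 1
        if kind == "req":  # diversity = distinct users whose requests reach the host
            users[dst].add(msg["user"])
    for h in hosts:
        hosts[h]["distinct_users"] = len(users[h])
    return hosts

def discover_servers(hosts, min_users=2):  # assumed heuristic, not the chapter's
    return sorted(h for h, c in hosts.items() if c["distinct_users"] >= min_users)

def profile_server_roles(trace, server):
    """Level 2: split one server's traffic by logical role (registrar, call proxy)."""
    roles = defaultdict(Counter)
    for src, dst, raw in trace:
        if server in (src, dst):
            msg = parse(raw)
            direction = "in" if dst == server else "out"
            roles[ROLE_OF_METHOD.get(msg["method"], "other")][f"{msg['kind']}_{direction}"] += 1
    return roles

def profile_users(trace, server):
    """Level 3: per user, methods sent to the server and response classes it returns."""
    users = defaultdict(Counter)
    for src, dst, raw in trace:
        msg = parse(raw)
        if msg["kind"] == "request" and dst == server:
            users[msg["user"]][msg["method"]] += 1
        elif msg["kind"] == "response" and src == server:  # From = the requester
            users[msg["user"]][f"{msg['code'] // 100}xx"] += 1
    return users

def failure_ratio(profile):  # share of a user's requests answered 4xx/5xx/6xx
    sent = sum(v for k, v in profile.items() if not k.endswith("xx"))
    failed = sum(v for k, v in profile.items() if k.endswith("xx") and k[0] in "456")
    return failed / sent if sent else 0.0
```

On this trace `profile_hosts(TRACE)` followed by `discover_servers` singles out 10.0.0.1 as the only host that sees requests from more than one user; `profile_server_roles` then splits its activity into registrar traffic (five REGISTER requests in, five final responses out) and call-proxy traffic (the INVITE/ACK/BYE exchange it forwards in both directions); and `profile_users` gives alice and bob ordinary profiles with a failure ratio of 0.0 while mallory shows three REGISTER requests all answered 4xx, a failure ratio of 1.0. That per-user deviation from the population is the kind of signal a profiling-based detector works from, and the level at which it appears (host, role, or user) determines how cheap the check is.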
Related Work While there is a considerable volume of white papers and surveys regarding the various vulnerabilities and security threats to VoIP services (see, e.g., [4]), there are relatively few research studies on these topics. Most focus on defense against specific attacks, for example, malformed SIP message attacks [5,6], DoS and other call disruption attacks [7,8,9], and voice spam [10], although none of these studies is based on real-network SIP traces. To the best of our knowledge, our study is the first analysis of SIP traffic from an operational VoIP service and the first attempt at profiling SIP-based VoIP traffic behavior based on real-network traces.
Chapter Organization Section 11.2 provides some background on SIP and briefly describes the problem setting and data sets. In Section 11.3, we first introduce a heuristic for discovering SIP servers from passively monitored SIP traffic, and then present our general multilevel profiling methodology for characterizing SIP traffic behavior. Section 11.4 applies our methodology to analyze SIP traffic behavior using the real-network SIP traces. In Section 11.5, we first use a case study to illustrate how our methodology can help detect performance anomalies; we then present a profiling-based anomaly detection algorithm and demonstrate its efficacy through testbed experimentation. The chapter is concluded in Section 11.6.

