![Page 1: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/1.jpg)
Miroslav Voznak, Jakub [email protected]
Campus network monitoring and security workshop
Prague, April 24-25, 2014
New Approach to Recognition of VoIP
Attacks from Honeypots
![Page 2: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/2.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Introduction
• honeypots and usability tests
• DoS attacks and anomalies detection in SIP infrastructure
• Honeypot network concept
• MLP Neural network
• Practical Implementation
• Conclusion
2
![Page 3: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/3.jpg)
Artemisa
• Artemisa plays a role of a regular SIP phone
•The programme connects to SIP proxy with the extensionsdefined in a configuration file.
3
![Page 4: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/4.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Artemisa
• Once the call is established on one of Artemisaextensions, the honeypot simply answers the call.
• At the same time, it starts to examine the incoming SIPmessages. Artemisa then classifies the call and saves theresult for a further review by the security administrator
• Artemisa looks for fingerprints of well-known attack tools
4
![Page 5: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/5.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Artemisa
• Then it checks domain names and SIP ports on theattacker side.
• There is also a similar check for media ports.
• Requested URI are also checked.
• Finally, Artemisa checks the received RTP stream –(audio can be stored in a WAV format).
5
![Page 6: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/6.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Artemisa• The result is then shownin a console and can besaved into a pre-definedfolder or sent by e-mail.
• Once the call has beenexamined, a series of bashscripts is executed (withpre-defined arguments.
• Artemisa can launchsome countermeasures against the incoming attacks.
6
![Page 7: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/7.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Dianoea
• Dionaea belongs to a multi-service oriented honeypotwhich can simulate many services at a time
• simply waits for any SIP message and tries to answer it.
• all SIP requests from RFC 3261 (REGISTER, INVITE,ACK, CANCEL, BYE, OPTIONS), multiple SIP sessions andRTP audio streams (data from stream can be recorded).
• logs are saved in plain-text files and in sqlite database.
7
![Page 8: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/8.jpg)
DoS attacks on application level• register and invite flood (silent killers, CPU depletion)
![Page 9: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/9.jpg)
Impact of SSI (Snort, SnortSAM, IPtables)• register and invite flood (silent killers, CPU depletion)
![Page 10: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/10.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Detection of SIP infrastructure attack
• some methods rely on IDS systems as SNORT and itsfeatures (exceeding thresholds), fingerprints of attacks
• and statistical methods such as Hellinger-Distance
p – distribution of data within training periodq - distribution of data within short period
Test on similarity of both distributions
10
( )22
1
1( , )
2
n
i ii
H P Q p q=
= −∑
![Page 11: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/11.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Anomalies Detection in SIP infrastructure
• or detection of anomaly using predictive model such asHolt-Winters model
L (level), P (trend) and S (seasonal) components
• or Brutlag method (predicted deviation) and
• or Moving avarage, where k is numberof measurements in time series
11
Ttttt SPLy −−− ++= 11
⌢
maxty⌢
minty⌢
k
yy
t
i
t
∑−
==
1
k-ti⌢
![Page 12: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/12.jpg)
Anomalies Detection in SIP traffic• Snort.AD, preprocessor http://www.anomalydetection.info
12
![Page 13: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/13.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Honeypot Network Concept
The proposed design of a distributed honeypot network
centralized server for datagathering, analysis andhoneypot monitoring
the main part of distributednetwork concept is honeypotimage
13
![Page 14: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/14.jpg)
MLP Neural Network
• MLP neural network was used for VoIP attackclassifications.
• It consists of several layers, each containing the specificnumber of neurons called perceptron.
• perceptrons in one layer areInterconnected to each otherin the following layer (synapse)
14
![Page 15: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/15.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
MLP Neural Network
• each neuron in the input layer has a value based on inputparameters, the same number of neurons as there areparameters in the input set.
• output layer has the same number of neurons as thenumber of attack classes, so each neuron is then a singleclass of learned attack
• Number of neurons inside hidden layers depends onneural network configuration (typically higher than thenumber of neurons in input or output layers).
15
![Page 16: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/16.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
MLP Neural Network
• output of neuron 0 means inhibition and 1 excitation• activation function (sigmoid)• z : output from previous layerneuron x and multiplies bycorresponding connectionweight wc represents a skewness of the function, higher values bringthe skewness of a sigmoid closer to a step function
memory of neural network is saved in connection weights.learning mechanism – backpropagation is used to acquirethese values.
16
1
1 czy
e−=+
1
n
i ii
z w x=
=∑
![Page 17: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/17.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Practical Implementation• 10 input layer neurons, two hidden layers contain 30 and24 neurons, the last and output layer 8 neurons
• All attack information is gathered through multi-serviceoriented honeypot application Dionaea
• events are stored in sqlite internal database (SIPmessage, IP addresses, ports or specific SIP headervalues)
• All data for final classification are aggregated fromselected tables to an array with 10 attributes.
17
![Page 18: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/18.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Practical Implementation• 10 attributes serve as an attack vector (NN input).• aggregation depends on attack origin and also time of lastmessage occurrence (there is 5 minute sliding window afterlast message detection): attack time duration; connectioncount; REGISTER message count; INVITE msg. count;ACK msg. count; BYE msg. count; CANCEL msg.count; OPTIONS msg. count; SUBSCRIBE msg. count;connection rate.• The connection count attribute holds the number of
connection from a single source on honeypot. Theconnection rate is the ratio of all received SIP messagesto connection count.
18
![Page 19: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/19.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Practical Implementation• SIP attack classification MLP network is evaluated aslearned, if there correctly identify more than 95% of items inthe training set• After specific number of iteration cycles (100) isautomatically checked successfulness of classification.• restart after 2 500 000 backpropagation cycles.
• Result of analyses with MLP networks has followingsuccessfulness: 94.94%; 79.85% and 97.54%.
• The lowest classification precision 79.85% was caused bynew call attack, which was not included in the training set.
19
![Page 20: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/20.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Conclusion• The proposal distributed honeypot network in combinationwith neural network classifiers serves as another securitylevel.
• With the possibility to change firewall rules or networkrouting., whole system can prepare precaution mechanismsagainst attacks.
• Classification by human is very precise, but timeconsuming and expensive. Automatic classificationmechanism brings a solution for VoIP classification andsimplifies the analysis of attacks.
20
![Page 21: New Approach to Recognition of VoIP Attacks from Honeypots · • DoS attacks and anomalies detection in SIP infrastructure • Honeypot network concept ... result for a further review](https://reader033.vdocuments.site/reader033/viewer/2022060421/5f17dbeec024d116153ed837/html5/thumbnails/21.jpg)
Campus network monitoring and security workshop
Prague, April 24-25, 2014
Thank you for your attention
Q&A
21