
An intrusion detection and prevention system for IMS and VoIP services

  • Regular Contribution
International Journal of Information Security

Abstract

Voice over IP (VoIP) environments, and the most contemporary ones such as the IP Multimedia Subsystem (IMS), are deployed to provide inexpensive and at the same time high-quality services to their users. Video calls, conferences, and applications can be provided to mobile devices with the lowest possible delay, while Quality of Service (QoS) remains the top priority for users and providers. Toward this objective, these infrastructures use the Session Initiation Protocol (SIP) for signaling handshakes, since it is the most flexible and lightweight protocol available. However, according to many studies, SIP is vulnerable to many attacks that threaten the system's security and availability. In this paper, we introduce a cross-layer mechanism that is able to mitigate, in real time, spoofing attacks such as SIP signaling, identity theft, masquerading, and man-in-the-middle, as well as single- and distributed-source flooding. It consists of three components: the policy enforcer, which acts as a blacklist, and the spoofing and flooding modules. We also introduce a classification of SIP flooding attacks to better represent the detection coverage. To the best of our knowledge, the proposed detection system is the most complete and accurate in terms of the range of attacks it is able to deter. Concerning its performance, it requires neither computationally expensive calculations nor resource-demanding security protocols, and is thus a lightweight mechanism. The experimental results have demonstrated high detection rates with false alarm rates approaching zero. Finally, it is platform independent and transparent to the networks' operations and thus can be deployed in both VoIP and IMS environments.

Corresponding author

Correspondence to Costas Lambrinoudakis.

Cite this article

Vrakas, N., Lambrinoudakis, C. An intrusion detection and prevention system for IMS and VoIP services. Int. J. Inf. Secur. 12, 201–217 (2013). https://doi.org/10.1007/s10207-012-0187-0


  • DOI: https://doi.org/10.1007/s10207-012-0187-0
