Abstract
Telephony over IP has been widely deployed, supported by the standardization of VoIP signalling and media transfer protocols. This deployment has also led to the emergence of several security threats, including attacks inherited from the IP layer and attacks specific to the application layer. A large variety of security mechanisms has been proposed for addressing them, but these mechanisms may seriously degrade such a critical service. We propose in this paper an online risk management strategy for protecting VoIP infrastructures. The objective is to minimize the network exposure to security attacks while maintaining the quality of service, through the dynamic application of countermeasures. We describe our approach from the formalization of a dedicated risk model to its proof-of-concept implementation into an Asterisk VoIP server. We detail a portfolio of countermeasures and evaluate the performance of our solution with respect to different criteria, including the number of countermeasures, the risk threshold and the size of attack signatures.
Similar content being viewed by others
Notes
Voice over IP.
Session initiation protocol.
Packet switched telephone network.
Internet private branch exchange.
Receiver operating characteristic.
Asterisk gateway interface.
Dual tone multi-frequency.
voipbot.gforge.inria.fr.
Spam over IP telephony.
Open vulnerability and assessment language.
References
Voice over IP Security Alliance: VoIP Security and Privacy Threat Taxonomy. http://www.voipsa.org/Activities/taxonomy.php (2005)
Thermos, P., Takanen, A.: Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures. Addison-Wesley Professional, Reading (2007)
Gehani, A., Kedem, G.: RheoStat: real time risk management. In: Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID’04). Springer, Berlin (2004)
Dabbebi, O., Badonnel, R., Festor, O.: A broad-spectrum strategy for runtime risk management in VoIP entreprise architectures. In: Proceedings of the 12th IFIP/IEEE international Symposium on Integrated network Management (IM 2011) (2011)
Nassar, M., Dabbebi, O., Badonnel, R., Festor, O.: Risk management in VoIP architectures using support vector machines. In: Proceedings of the 6th IFIP/IEEE International Conference on Network and Service Management (CNSM’10) (2010)
Dantu, R., Kolan, P., Cangussu, J.W.: Network risk management using attacker profiling. Secur. Commun. Netw. 2(1), 83–96 (2009)
Shin, D., Shim, C.: Progressive multi gray-leveling: a voice spam protection algorithm. IEEE Netw. Mag. 20, 18–24 (2006)
Bunini, M., Sicari, S.: Assessing the risk of intercepting VoIP calls. Comput. Netw. 52, 2432–2446 (2008)
Bedford, T., Cooke, R.: Probabilistic Risk Analysis: Foundations and Methods. Cambridge University Press, Cambridge (2001)
d’Heureuse, N., Seedorf, J., Niccolini, S., Ewald, T.: Protecting SIP-based networks and services from unwanted communications. In: Proceedings of the IEEE Global Telecommunications Conference (IEEE GLOBECOM’08) (2008)
ISO/IEC 27005: Information Security Risk Management. http://www.iso.org
Dabbebi, O., Badonnel, R., Festor, O.: Automated runtime risk management for voice over IP networks and services. In: Proceedings of the 12th IEEE/IFIP network operations and management symposium (NOMS 2010) (2010)
Rosenberg, J., Schulzrinne, H.: Registration Hijacking, Section 26.1.1, IETF Request for Comments 3261 (2002)
Dabbebi, O., Badonnel, R., Festor, O.: Econometric feedback for runtime risk management in VoIP architectures. In: Proceedings of the IFIP Conference on Autonomous Infrastructure, Management and Security (IFIP AIMS11) (2011)
Laskov, P., Rieck, K., Schafer, C., mller, K.-R.: Visualization of Anomaly Detection Using Prediction Sensitivity. Sicherheit, Germany (2005)
Chang, C., Lin, C.: LIBSVM: A Library for Support Vector Machines. Software available http://www.csie.ntu.edu.tw/cjlin/libsvm (2001)
Kuhn, D.R., Walsh, T.J., Fries, S.: Security Considerations for Voice Over IP Systems. National Institute of Standards and Technology. http://csrc.nist.gov/publications/ (2005)
Wickboldt, J.A., Bianchin, L.A., Lunardi, R.C., Granville, L.Z., Gaspary, L.P., Bartolini, C.: A framework for risk assessment based on analysis of historical information of workflow execution in IT systems. Comput. Netw. 55(13), 2954–2975 (2011)
Keller, A., Hellerstein, J.L., Wolf, J.L., Wu, K.L., Krishnan, V.: The CHAMPS system: change management with planning and scheduling. In: Proceedings of the IEEE/IFIP network operations and management symposium (NOMS’04) (2004)
Hagen, S., da Costa Cordeiro, W.L., Gaspary, L.P., Granville, L.Z., Seibold, M., Kemper, A.: Planning in the large: efficient generation of IT change plans on large infrastructures. In: Proceedings of the 8th IEEE International Conference on Network and Service Management (IEEE CNSM’12) (2012)
Becker, S., State, R., Engel, T.: Using game theory to configure P2P SIP. In: Proceedings of the 3rd International Conference on Principles, Systems and Applications of IP Telecommunications (IPTComm09) (2009)
Olsson, T.: Assessing security risk to a network using a statistical model of attacker community competence. In: Proceedings of the Eleventh International Conference on Information and Communications Security (ICICS 2009), p. 17. Beijing, China, (2009)
Dabbebi, O., Badonnel, R., Festor, O.: Dynamic exposure control in P2PSIP networks. In: Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS’12) (2012)
Quittek, J., Niccolini, S., Tartarelli, S., Stiemerling, M., Brunner, M., Ewald, T.: Detecting SPIT Calls by checking human communication patterns. In: IEEE International Conference on Communications (ICC 2007) (2007)
Schlegel, R., Niccolini, S., Tartarelli, S., Brunner, M.: Spam over internet telephony (SPIT) prevention framework. In: Proceedings of the IEEE Global Communications Conference (IEEE GLOBECOM’06), San Francisco, USA (2006)
Quinten, V.M., van de Meent, R., Pras, A.: Analysis of techniques for protection against spam over internet telephony . In: Proceedings of 13th Open European Summer School EUNICE 2007 (2007)
Chapelle, O., Vapnik, V., Bousquet, O., Mukherjee, S.: Choosing multiple parameters for support vector machines. J. Mach. Learn. 46(1), 131–159 (2002)
Hellerstein, J., Diao, Y., Parekh, S., Tilbury, D.: Feedback Control of Computing Systems. Wiley, New York (2004)
Grossman, L.: Computer Literacy Tests: Are You Human? Times Magazine, New York (2008)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Dabbebi, O., Badonnel, R. & Festor, O. An Online Risk Management Strategy for VoIP Enterprise Infrastructures. J Netw Syst Manage 23, 137–162 (2015). https://doi.org/10.1007/s10922-013-9282-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10922-013-9282-4