Distributed intrusion detection scheme for next generation networks

https://doi.org/10.1016/j.jnca.2019.102422

Abstract

IP Multimedia Subsystem (IMS) is a next generation network that provides multimedia services such as data, voice and video to users. Because of the high-level requirements of IMS services, new kinds of network attacks are constantly emerging, so protecting these networks from attacks is of paramount importance. Consequently, Intrusion Detection Systems (IDS) are quickly becoming a standard requirement when building a network security infrastructure. Securing services and signaling is a vital feature of the IMS network. Signaling is generally based on the Session Initiation Protocol (SIP), which poses numerous security challenges that in turn cause issues in the IMS network. This work presents a study of the SIP protocol and identifies the critical security vulnerabilities of the registration phase. We focus on DDoS attacks on the IMS server using SIP, particularly the REGISTER message, and propose an intrusion detection scheme based on multi-agent systems that takes advantage of the distributed paradigm to implement an efficient distributed system, as well as of the integration of existing techniques, i.e., the well-known IDS Snort.

Introduction

IP Multimedia Subsystem (IMS) is one of the most recent themes in the telecommunications industry for the provision of distinct network services such as voice, data and video over a single platform. It is one of the converged visions of the 3rd Generation Partnership Project (3GPP) (Garcia-Martin et al., 2002), combining the Internet and cellular architectures, and is also an attractive choice for service providers who want to update their infrastructure. These days, using IMS as part of the core telecommunication network for the provision of continuous multimedia services is becoming prevalent.

The idea of IMS (Rahnema, 2008) is to merge voice communication and Internet technologies. It is the set of core network functional entities and interfaces used by service providers to provide services based on the Session Initiation Protocol (SIP) (Rosenberg et al., 2002). Basically, IMS is built on IETF protocols, enhanced to provide a complete and robust multimedia system. It supports IP interoperability for real-time services between different types of networks. The key feature that accelerates end user adoption is the integration and transparency of services. IMS promises to provide multiple services, diverse access networks and an IP based secure and reliable network (Zhuang et al., 2003).

A brief architecture of the IMS network is shown in Fig. 1. It is divided into three core areas: (1) the IP backbone, (2) the IMS service framework and (3) the IMS core network. The IP backbone contains the all-IP networks responsible for the overall connectivity of the system. It is a combination of distributed and open architectures used for accessing services, information and all the available resources inside the network (De Sousa et al., 2018). Apart from these functions, this open architecture also serves as a gateway for malicious users who can launch various sorts of attacks on the IMS network.

The IMS service framework comprises the application server (AS) and the home subscriber server (HSS) (Bellavista et al., 2009). The AS is responsible for the service execution and control environment of IMS. It is also used for obtaining client profile information in coordination with the HSS. Apart from this, telephony services such as number translation and call forwarding are supported by the AS. The HSS basically functions as a database handling calls, user profiles and their authorization- and authentication-related information.

Inside the IMS core there are several entities. The Call Session Control Function (CSCF) is the main functionality of IMS and is further divided into proxy, interrogating and serving functions. These work together with other network components to control resource sharing, channeling and session features (Lee and Urrutia-Valdés, 2008). The Serving CSCF (S-CSCF) handles the session state in the network and is connected to the media server gateways and the application servers. It is the main session control point of the network, where end users create and terminate sessions. The S-CSCF acts as the SIP registrar that accepts SIP registration requests from users, carries out SIP session control for registered users and monitors the session description protocol to make sure that the session stays within the boundaries of the user profile.

The Interrogating CSCF (I-CSCF) is the first point of contact from other networks into the IMS home network and is directly associated with the HSS. The I-CSCF allocates an S-CSCF to a user equipment (UE) at registration time and conceals it from the external network. The Proxy CSCF (P-CSCF) is the initial point of contact of the user equipment to the IMS network; it forwards SIP messages between the user equipment and the network. It performs the SIP stateful proxy function of forwarding SIP registration requests from the user equipment to the I-CSCF in the home network.

The Subscription Locator Function (SLF) is an IMS entity that acts as a front-end for distributed HSSs and provides the information about which HSS is linked with a specific subscriber profile. The Breakout Gateway Control Function (BGCF) is a logical unit in IMS responsible for routing the telephony sessions initiated from IMS and for determining where the breakout into the circuit switched networks occurs. When the breakout occurs in the BGCF's home network, it selects the media gateway function providing reliable inter-networking with the PSTN; when the breakout occurs in a network other than the home network, the signaling session is forwarded to the corresponding BGCF or MGCF, depending on the configuration.

Media servers are also an important part of the IMS core network. The Multimedia Resource Function (MRF) is responsible for processing media streams for network services such as video conferencing, speech recognition, playback and audio recording, broadcasting, etc. Interpretation of application server or SIP endpoint information is performed by the MRF controller. The IMS Media Gateway Function (IMS-MGW) provides the connection between user planes in circuit switched networks such as the PSTN and GSM; to terminate a connection, the IMS-MGW releases the bearer channels on the circuit switched side and ends the media streams from the IMS network. The Media Gateway Control Function (MGCF) and the IMS-MGW act as the controlling bridge between IMS and the circuit switched domain, supporting inter-networking between the users of IMS and circuit switched networks.

IMS exhibits an open, distributed and overlay architecture on top of the existing TCP/IP suite, as described in section 1.1, which makes it vulnerable to distinct types of attacks. Circuit switching environments are closed in nature, which makes them less prone to security threats. IMS is actually a service delivery entity for IP networks whose main aim is to control and manage multimedia traffic. Besides the many advantages of IMS, it is important to mention that, being an overlay architecture on top of IP, it may also inherit almost all the security vulnerabilities of IP systems, such as the malicious activities, spam messaging and protocol attacks that SIP and RTP (Perkins, 2003) face due to the openness of IMS. In this work, we consider the issues related to SIP; RTP is out of the scope of this work.

Apart from these, denial of service (DoS) and distributed DoS (DDoS) attacks can very conveniently be launched by flooding the IMS with calls and by stealth attacks. The primary aim of such activities is to consume critical network resources such as bandwidth, system memory and CPU, which ultimately affects the computational capacity and performance available to genuine IMS users (Geneiatakis et al., 2006; Sisalem et al., 2006). This happens by exploiting the less secure parts of SIP during Voice over IP (VoIP) communication sessions. This communication takes place over standard network servers that use the Internet and are, in most cases, based on open-source technologies. Attackers can launch an attack by sending several voice calls over the Internet that overburden the network. Thus, authentic users may either have to wait for their communication or be denied the service. The scenario worsens when attackers generate such attacks from multiple sites, which is called DDoS (Bullot et al., 2008) and overloads the servers at an even higher rate.

In this work, we present a thorough investigation of the SIP protocol with respect to IMS and try to identify the crucial security aspects, such as flooding during the call registration phase. SIP is designed to establish or terminate sessions between two parties and has established itself as the de-facto standard mechanism for voice communication in all-IP and future generation systems. We mainly focus on flooding-based DDoS attacks on the IMS server using SIP, particularly the REGISTER message, and propose a multi-agent based scheme for intrusion detection that takes advantage of the distributed paradigm to implement an efficient distributed system, as well as of the integration of existing techniques, i.e., the well-known IDS Snort. This work is organized as follows. In the next section, we discuss some of the existing solutions that tackle DoS and/or DDoS attacks in order to highlight the gap in existing solutions. Section 3 presents our multi-agent oriented scheme using Snort. We have devised several agent types that perform various tasks to optimize the performance of the IDS. In section 4, we evaluate the performance of our proposed scheme using a testbed and finally, we conclude this work with some perspectives.


Related work

SIP is a transactional protocol (Rosenberg et al., 2002) and it has a specific mechanism of sending control messages using its attributes. This is the key reason that makes it vulnerable to some extremely rigorous types of attacks, out of which SIP flooding is one of the most common and harsh attacks. This sort of attack not only disrupts the expected quality of service (QoS) but also leads to denial of service (DoS) which can be hazardous for running services in the network (Li and Batten, 2009

Multi-agent based IDS protocol

The main contribution of this work is a hybrid distributed intrusion detection system based on multi-agent technology (Ahmed et al., 2011). The proposed intrusion detection system is based on passive Snort, on which we have deployed our agents. It not only works as an IDS but also performs packet filtering for the incoming network traffic. Apart from this, our proposed agent-based scheme is generic and does not require any specific architecture to be deployed on. It consists of
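The REGISTER flooding described in the introduction and the sensor-plus-filter split of the multi-agent scheme above, as an added example that is not the paper's code: a minimal SIP request parser, a per-source sliding-window REGISTER counter standing in for one sensor agent, and a coordinator that keeps the block list a packet filter would consult. The window length, threshold, IP addresses, user names and the class names `RegisterFloodSensor` and `Coordinator` are assumptions of this example, not values from the paper; the SIP messages replayed through it are constructed.

```python
import re
from collections import defaultdict, deque

# Matches the SIP request line, e.g. "REGISTER sip:ims.example.net SIP/2.0".
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip_request(raw):
    """Parse a raw SIP request into (method, request_uri, headers).

    Returns None for anything that is not a SIP request (responses, garbage).
    Header names are lower-cased; only the first occurrence of each is kept.
    """
    head = raw.split("\r\n\r\n", 1)[0]          # ignore any message body
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if match is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return match.group(1), match.group(2), headers


class RegisterFloodSensor:
    """One sensor agent: counts REGISTER requests per source over a sliding window."""

    def __init__(self, window_seconds=10.0, threshold=20):
        self.window = window_seconds          # assumed window length
        self.threshold = threshold            # alert once more than this many REGISTERs
        self.seen = defaultdict(deque)        # src ip -> timestamps of recent REGISTERs
        self.alerted = set()                  # sources already reported (alert once)

    def observe(self, ts, src_ip, raw):
        """Feed one packet; return an alert dict when src_ip crosses the threshold."""
        parsed = parse_sip_request(raw)
        if parsed is None or parsed[0] != "REGISTER":
            return None                       # INVITE, OPTIONS, responses: not counted
        _method, uri, headers = parsed
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold and src_ip not in self.alerted:
            self.alerted.add(src_ip)
            return {"src": src_ip, "count": len(q), "window": self.window,
                    "from": headers.get("from", "?"), "uri": uri}
        return None


class Coordinator:
    """Collects alerts from sensor agents and keeps the block list the filter consults."""

    def __init__(self):
        self.blocked = {}                     # src ip -> [(sensor name, count), ...]

    def report(self, sensor_name, alert):
        self.blocked.setdefault(alert["src"], []).append((sensor_name, alert["count"]))

    def is_blocked(self, src_ip):
        return src_ip in self.blocked


def register(user, from_ip, cseq):
    """Build a constructed SIP REGISTER request for the demo (not captured traffic)."""
    return ("REGISTER sip:ims.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {from_ip}:5060;branch=z9hG4bK{cseq}\r\n"
            f"From: <sip:{user}@ims.example.net>;tag=t{cseq}\r\n"
            f"To: <sip:{user}@ims.example.net>\r\n"
            f"Call-ID: c{cseq}@{from_ip}\r\n"
            f"CSeq: {cseq} REGISTER\r\n"
            "Content-Length: 0\r\n\r\n")


def run_demo():
    """Replay constructed traffic through one sensor; return (alerts, coordinator)."""
    sensor = RegisterFloodSensor(window_seconds=10.0, threshold=20)
    coord = Coordinator()
    alerts = []
    # Legitimate UE: an initial REGISTER and one refresh inside the window.
    traffic = [(0.0, "192.0.2.10", register("alice", "192.0.2.10", 1)),
               (8.0, "192.0.2.10", register("alice", "192.0.2.10", 2))]
    # An INVITE from the same UE must not count towards its REGISTER total.
    traffic.append((9.0, "192.0.2.10",
                    "INVITE sip:bob@ims.example.net SIP/2.0\r\nCSeq: 3 INVITE\r\n\r\n"))
    # Flooding source: 50 REGISTERs within 5 seconds.
    traffic += [(1.0 + i * 0.1, "198.51.100.7", register("mallory", "198.51.100.7", i))
                for i in range(50)]
    for ts, src, raw in sorted(traffic, key=lambda t: t[0]):
        alert = sensor.observe(ts, src, raw)
        if alert:
            alerts.append(alert)
            coord.report("sensor-1", alert)
    return alerts, coord


if __name__ == "__main__":
    found, coordinator = run_demo()
    for a in found:
        print(f"REGISTER flood from {a['src']}: {a['count']} in {a['window']}s ({a['from']})")
    print("blocked:", sorted(coordinator.blocked))
```

The sensor raises a single alert for the flooding source on its 21st REGISTER and never for the legitimate UE, whose refresh and INVITE stay below the threshold. The same per-source count-over-seconds condition is what a Snort rule would express with its `detection_filter` option on a signature matching `REGISTER` at the start of the payload; the coordinator is the place where a distributed deployment would merge the alerts of several such sensors into one block list.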

Testbed and performance evaluation

In order to evaluate our proposed algorithm and measure its performance, we used an LTE client, an IDS server and, for the IMS core, the FOKUS testbed (Magedanz et al., 2005). The LTE client is connected to the EPS and has the conventional bearer, which is set up for the VoLTE access point. Registration is an important process because, without being registered, a user cannot interact with other users and may not be able to use the IMS services.

FOKUS open IMS framework is deployed and

Conclusive remarks and perspectives

This work is focused on DDoS attacks on the IMS server using SIP, predominantly the REGISTER message. Registration flooding occurs when SIP REGISTER messages alone are employed. Such an attack is of great concern because it leads to extra CPU processing overhead. The proposed mechanism places an intermediary IDS server within the IMS core that is used to filter out attacks. A novel distributed intrusion detection system is introduced that integrates the necessary features of

Jamila Manan completed her BS and MS in computer science from SBK Women’s University Pakistan. Currently, she is serving as a lecturer in the same institution. Her research interests include intrusion detection systems, internet of things, NGN and quality of service.

References (31)

  • P.R. De Sousa et al., Future internet and scalability techniques in mobile crowdsourcing
  • M. Garcia-Martin et al., RFC 3455: Private Header (P-Header) Extensions to the Session Initiation Protocol (SIP) for the 3rd-Generation Partnership Project (3GPP) (2002)
  • D. Geneiatakis et al., Survey of security vulnerabilities in session initiation protocol, IEEE Commun. Surv. Tutor. (2006)
  • Y. Huang et al., Real-time detection of false data injection in smart grid networks: an adaptive CUSUM method and analysis, IEEE Syst. J. (2016)
  • I. Hussain et al., Strategy based proxy to secure user agent from flooding attack in SIP


Pr. Atiq Ahmed completed his MS and PhD at the University of Technology of Troyes, France, in 2007 and 2010, respectively. Currently, he is working as an associate professor at the Department of Computer Science and IT, University of Balochistan (Pakistan). He also served as the Director of the Office of Research, Innovation and Commercialization (ORIC) of the same institution from 2012 to 2014. He has published his research in several well renowned conferences and journals such as IEEE LCN, AICT, IEEE Communication Surveys & Tutorials, Annals of Telecommunications, etc. He has participated in several projects funded by the Agence Nationale de la Recherche, the European Union, the British Council, ICT R&D and HEC. He has served as a reviewer for various journals and conferences such as Computer Networks, IEEE Globecom, ICC, VTC, Journal of Information Technology, IEEE AICT, IEEE AICSAA, IEEE MASS, SRJ, AMRJ... His research interests include the Internet of Things, service continuity in wireless networks, autonomic networks, SDN and 5G networks, wireless sensor networks, network intelligence with multi-agent systems, intrusion detection, quality of service, TMN and cloud computing.

Pr. Ihsan Ullah received his PhD degree from the University of Technology of Troyes, France, in 2011. He received his MS degree from the same university in 2008. Currently, he is working as an Assistant Professor in the Department of Computer Science & IT, University of Balochistan. He has published his research in several well renowned conferences and journals such as IFIP/IEEE IM, CNSM, AIMS, IEEE Communication Surveys & Tutorials, Signal Processing: Image Communication, etc. His research interests include autonomic management, Quality of Service issues in video streaming networks and security.

Pr. Leïla Merghem-Boulahia received an engineering degree in computer science from the University of Sétif, Algeria, in 1998, an M.S. degree in artificial intelligence and a Ph.D. in computer science from the University of Paris 6, France, in 2000 and 2003, respectively. She received the "Habilitation à diriger des recherches" degree in Computer Science from the University of Compiègne in 2010. She is a full professor at the University of Technology of Troyes (UTT) in France. Her main research topics include multi-agent systems, quality of service management, autonomic networks, cognitive and sensor networks, smart grids and IoT. Pr. Merghem-Boulahia authored or co-authored more than 90 international journal and conference papers. She received the best paper award of IFIP WMNC'2009 and GIIS'2013. She also acted as a TPC member of many conferences and workshops (IEEE Globecom, IEEE ICC, IEEE WCNC...) and has served as a reviewer for internationally well-known journals (IEEE Communications Letters, IEEE Transactions on Industrial Informatics, Communication Networks, Computer and Communications Networks, International Journal of Network Management).

Pr. Dominique Gaïti received the Ph.D. and the "Habilitation à diriger des recherches" degrees in Computer Science from the University of Paris VI and Paris IX in 1991 and 1995, respectively. She is currently a professor at the University of Technology of Troyes (France) and a member of the Institut Charles Delaunay (ICD). Before this, she was a research scientist at Columbia University (New York, USA) from 1992 to 1994 and a researcher at the University of Paris 6, member of the LIP6 laboratory (Paris, France), from 1996 to 1997. She leads the "autonomic networking" team in this institute. She was the chairperson of the IFIP WG 6.7 on "smart networks" for 6 years. Her research interests include smart networks, intelligence in networks, and the control and management (through intelligent agents) of all types of networks. Her research has led to one book, several proceedings and over 100 publications. She is the co-founder of a start-up company on autonomy in networks.
