DOI: 10.1145/1806565.1806587
Research article

RTP-miner: a real-time security framework for RTP fuzzing attacks

Published: 02 June 2010

Abstract

The Real-time Transport Protocol (RTP) is a widely adopted standard for the transmission of multimedia traffic in Internet telephony (commonly known as VoIP). It is therefore an attractive target for attackers, who can launch different types of Denial of Service (DoS) attacks to disrupt communication, resulting not only in substantial revenue loss for VoIP operators but also in undermining the reliability of VoIP infrastructure. The major contribution of this paper is an online framework, RTP-Miner, that detects RTP fuzzing attacks in real time, so that such attacks cannot deny service to legitimate users. RTP-Miner can detect both header and payload fuzzing attacks. Fuzzing in the header of RTP packets is detected by combining well-known distance measures with a decision-tree-based classifier. Payload fuzzing, in comparison, is detected through a novel Markov state space model at the receiver. We evaluate RTP-Miner on a real-world RTP traffic dataset. The results show that RTP-Miner detects fuzzing in the RTP header with more than 98% accuracy and less than 0.1% false alarm rate even when only 3% fuzzing is introduced. For the same fuzzing rate, it detects payload fuzzing, a significantly more challenging problem, with more than 80% accuracy and less than 2% false alarm rate. RTP-Miner has low memory and processing overheads, which make it well suited for deployment in real-world VoIP infrastructure.
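As an added illustration of the header-fuzzing side of the abstract (this is not the paper's code, and the paper does not specify its features, distance measures or thresholds), the Python below parses the RTP fixed header of RFC 1889, builds per-field value histograms for a window of packets, and compares them with a clean baseline using the Hellinger distance, one of the well-known distance measures used in VoIP anomaly detection. The fixed 0.1 threshold, the choice of fields, and the constructed sample stream (including the roughly 3% of packets whose version, CSRC count and payload type are mutated) are assumptions standing in for the paper's trained decision tree and real-world dataset.

```python
"""Added example (not the paper's code): parse RTP fixed headers (RFC 1889 /
RFC 3550 layout) and score a window of packets against a clean baseline with
per-field Hellinger distances, flagging fields whose value distribution drifts."""
import math
import struct
from collections import Counter

RTP_FIXED_HEADER_LEN = 12          # bytes: V/P/X/CC, M/PT, seq, timestamp, SSRC
DISTRIBUTION_FIELDS = ("version", "padding", "extension", "cc", "marker", "payload_type")


def parse_rtp_header(pkt: bytes) -> dict:
    """Decode the 12-byte RTP fixed header; reject packets too short to hold it."""
    if len(pkt) < RTP_FIXED_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_FIXED_HEADER_LEN])
    return {
        "version": b0 >> 6,            # must be 2 for RFC 1889/3550 RTP
        "padding": (b0 >> 5) & 1,
        "extension": (b0 >> 4) & 1,
        "cc": b0 & 0x0F,               # CSRC count
        "marker": b1 >> 7,
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def build_rtp_packet(seq, ts, ssrc=0x11223344, pt=0, version=2, cc=0,
                     marker=0, padding=0, extension=0, payload=b"\x00" * 160):
    """Construct a packet for the samples below (PCMU-sized 20 ms payload)."""
    b0 = (version << 6) | (padding << 5) | (extension << 4) | cc
    b1 = (marker << 7) | pt
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def field_distributions(headers: list) -> dict:
    """Value histograms per header field, plus a bucketed sequence-number gap."""
    dists = {f: Counter(h[f] for h in headers) for f in DISTRIBUTION_FIELDS}
    # Gap between consecutive packets, modulo 16 bits; bucket 3 means 3 or more.
    dists["seq_gap"] = Counter(
        min((b["seq"] - a["seq"]) & 0xFFFF, 3) for a, b in zip(headers, headers[1:]))
    return dists


def hellinger(p: Counter, q: Counter) -> float:
    """Hellinger distance between two histograms, in [0, 1]; 0 means identical."""
    tot_p, tot_q = sum(p.values()), sum(q.values())
    if tot_p == 0 or tot_q == 0:
        raise ValueError("empty distribution")
    acc = sum((math.sqrt(p[k] / tot_p) - math.sqrt(q[k] / tot_q)) ** 2
              for k in set(p) | set(q))
    return math.sqrt(acc / 2.0)


def score_window(baseline_pkts: list, window_pkts: list, threshold: float = 0.1):
    """Per-field distances of a window from the baseline, and the fields over threshold.
    The fixed threshold is an assumption standing in for the paper's trained decision tree."""
    base = field_distributions([parse_rtp_header(p) for p in baseline_pkts])
    win = field_distributions([parse_rtp_header(p) for p in window_pkts])
    distances = {f: hellinger(base[f], win[f]) for f in base}
    flagged = sorted(f for f, d in distances.items() if d > threshold)
    return distances, flagged


def make_stream(n: int, first_seq: int, fuzz_every: int = 0) -> list:
    """Constructed sample stream of 20 ms PCMU packets; when fuzz_every is set,
    one packet in every fuzz_every gets an illegal version, max CSRC count and
    a dynamic payload type (a simple stand-in for header fuzzing)."""
    pkts = []
    for i in range(n):
        mutated = bool(fuzz_every) and i % fuzz_every == 1
        kw = dict(version=3, cc=15, pt=127) if mutated else {}
        pkts.append(build_rtp_packet(first_seq + i, (first_seq + i) * 160, **kw))
    return pkts


if __name__ == "__main__":
    baseline = make_stream(100, 1000)
    for label, window in (("clean", make_stream(100, 1100)),
                          ("3% fuzzed", make_stream(100, 1100, fuzz_every=33))):
        distances, flagged = score_window(baseline, window)
        print(label, {f: round(d, 3) for f, d in distances.items()}, "flagged:", flagged)
```

With 3 mutated packets in a 100-packet window, each mutated field moves about 0.12 away from the baseline on the Hellinger scale while untouched fields (marker, padding, sequence gap) stay at exactly 0, which is why a per-field distance vector is a more informative classifier input than a single pooled distance.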

Published In

NOSSDAV '10: Proceedings of the 20th international workshop on Network and operating systems support for digital audio and video
June 2010, 138 pages
ISBN: 9781450300438
DOI: 10.1145/1806565
Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. denial of service
2. fuzzing attacks
3. machine learning
4. real-time transport protocol
5. stochastic models
6. voip