Thilo Ewald ppt


Published on September 13, 2007

Author: Belly

Source: authorstream.com


Holistic VoIP Intrusion Detection and Prevention System
Mohamed Nassar, Saverio Niccolini, Radu State, Thilo Ewald
Joint work of Loria-Inria and NEC Laboratories Europe

VoIP Security
- We are experiencing the migration from circuit-switched (PSTN) to packet-switched (VoIP) telephony: Next Generation Networks (NGN)
- Today's VoIP is an insecure technology
  - not sufficiently prepared for defense against attacks
  - new threat models and attacks
- Security is very important when VoIP gets deployed massively, as in Next Generation Networks
  - lack of secure solutions threatens to significantly reduce VoIP business
  - providing secure solutions is required for continuing strong growth
  - there will not be THE solution

VoIP Security Threats
- VoIP protocols are vulnerable to attacks
- Interruption of service (Denial of Service, DoS): attacks against infrastructures and terminals
- Social attacks (SPam over Internet Telephony, SPIT): disturbance and interruption of work by phones ringing for unsolicited calls
- Interception and modification
  - conversations may be intercepted (lack of confidentiality)
  - private information can be learnt (caller ID, DTMF passwords/accounts, etc.)
  - conversations/signaling may be modified (lack of integrity)
- Abuse of service (fraud): unauthorized or unaccountable resource utilization, fake identity, impersonation, session replay (e.g. of a bank session), etc.
[Figure: the threats mapped onto a VoIP deployment: SIP servers, media proxy, accounting & charging server; (D)DoS attack, wiretapping, fraud, SPIT]

Intrusion Detection and Prevention: Architecture
- Divide and conquer: a distributed approach for countering the different threats
  - honeypot to detect the sources of malicious attacks and unsolicited calls
  - Network-based Intrusion Detection System (NIDS) to detect attack patterns
  - event correlation framework to detect distributed signatures
  - anomaly detection based on user profiles to detect abuse of services
- Assembling complementary solutions into one holistic, defense-in-depth approach

Honeypot
- A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems
- Generally consists of a computer, data or a network site that
  - appears to be part of a network but is actually isolated and protected
  - seems to contain information or a resource that would be of value to attackers
- Honeypots are used as surveillance and early-warning tools
- Honeypots masquerade as systems of the types abused by spammers to send spam, for example by using domain names that attract interest (www.nec-bank.com) or by covering all unused IP addresses of a range owned by an enterprise
  - ordinary e-mail never arrives at a honeypot
  - they can therefore categorize the material they trap 100% accurately: it is all illicit, no further checking required
- Honeypots are used as attack detection systems and for attack analysis

VoIP Honeypot
[Figure: diagram slide without text]

How to Use the Honeypot
- Step 1: make the honeypot users a target
  - publish virtual SIP URIs and phone numbers in public places that are scanned by address search engines: easy for the engines to detect, but invisible to regular users (e.g. white text on the white background of a web page)
  - host these published addresses at one or more honeypots
  - route calls to the honeypot users properly
- Step 2: store all callers that use these addresses by calling the honeypot
- Step 3: analyze the received calls/messages to gather more information
  - voice recognition, speaker recognition
  - match caller ID against source IP address (spoofing detection)
  - statistical analysis
  - identification of individual machines or entire bot networks
- Step 4: use the gathered information as input for prevention systems
  - add frequent callers (URI or IP address) to a blacklist
  - increase the malicious rating of calls/messages whose properties resemble the calls observed at the honeypot

VoIP: The Need for Event Correlation
Example: malicious gateway (three diagram slides)
- Topology: an MGCP call agent controls a gateway between the Internet and the PSTN; the SIP phone speaks SIP to the call agent and RTP/RTCP to the gateway, which speaks PCM and SS7 towards the PSTN
- The call agent sends DLCX (delete connection) to the gateway and receives 200 OK, yet the RTP flow is still received!
- Correlation rule: 'OK is received' at time t, and 'RTP is still received' after t: ALARM

Event Correlation in Two Layers
[Figure: diagram slide without text]

Events: Examples
- Log files (e.g. Asterisk)
  - call log (CDRs)
  - message log, e.g.: Oct 13 17:41:46 NOTICE[15410]: Registration from '"mohamed" <sip:[email protected]>' failed for '1.2.3.4'
- Protocol messages, e.g.
RTP

Events Modeling and Generation
- Threading
  - example 1: threading the signaling messages of one call into one call record
  - example 2: threading repeated events into one dense event
- Temporal restrictions
  - scheduling restrictions: event A has to occur at time t
  - inter-arrival time: event B has to occur after event A within a time window of T

VoIP Event Correlation with SEC
- Event correlation is done using SEC (Simple Event Correlator)
  - open source and platform independent
  - lightweight online monitoring tool
  - a middle way between homegrown and commercial event correlation
  - proven efficiency in several application domains (network management, intrusion detection, system monitoring, fraud detection)
  - written in Perl and based on Perl regular expressions (thanks to Risto Vaarandi)
  - powerful and extensible with medium effort

Event Correlation: Misuse Detection
[Diagrams of the SEC rule sets]
- Rule set to detect broken-handshaking flooding
  - PairWithWindow: INVITE followed by 200 OK -> event INVITE-200OK
  - PairWithWindow, window = 2 s: INVITE-200OK not followed by ACK -> event "broken handshaking"
  - SingleWithThreshold, threshold = 10 -> shellcmd notify.sh 'broken handshaking DoS'
- Rule set to detect the BYE-CANCEL attack (diagram elements): Single with cond = INVITE; PairWithWindow for INVITE followed by 200 OK -> event INVITE-200OK; PairWithWindow with window = 5 s for INVITE-200OK followed by BYE -> event INVITE-200OK-BYE; RTP; shellcmd notify.sh

Anomaly Detection (using events)
- Profiles: user behavior, group-of-users behavior, software behavior, traffic model
- User behavior, stationary
  - bin = one hour (different levels of aggregation are possible)
  - event = call
  - metrics = number of calls, number of distinct recipients, duration of a call
  - defining long and short terms: long-term profile = one month, short-term profile = one day
  - distance = Euclidean, quadratic, etc.
- User behavior, non-stationary: compare changes of a distribution to detect sudden bursts of change, e.g. the distribution of calls over callees, or the shape of the callee-list size over all dialed calls

Implementation
- 'tosec' module in the OpenSER server acting as a FIFO queue towards the SEC engine
- graphical interface with a round-robin database to update the traffic shape
- implementing misuse-detection rule sets for well-known signatures
- detection of a DoS pitch

Conclusion and Future Work
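The four honeypot steps above ("How to Use the Honeypot"), as an added example that is not code from the deck: a Python script over constructed honeypot call records (step 2) that performs the caller-ID versus source-IP spoofing check (step 3), derives a blacklist of frequent callers and rates a call to a production user by its similarity to honeypot traffic (step 4). The KNOWN_ORIGINS table standing in for DNS/operator data, the records, addresses and User-Agent strings are all assumptions.

```python
"""Honeypot call-record analysis (steps 2-4 of the deck's procedure).

Added example, not code from the original deck.  The records, addresses,
User-Agent strings and the KNOWN_ORIGINS table are all constructed; in a
deployment the table would be filled from DNS SRV/A lookups or an
operator-maintained list of each domain's SIP server addresses.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Step 2: everything that reached a honeypot user, one record per call:
# (timestamp, From URI, source IP, User-Agent, dialed honeypot URI)
HONEYPOT_CALLS = [
    ("2007-09-13T10:00:01", "sip:bob@example.com", "203.0.113.5", "Asterisk PBX", "sip:hp-1001@voip.example.net"),
    ("2007-09-13T10:00:02", "sip:bob@example.com", "203.0.113.5", "Asterisk PBX", "sip:hp-1002@voip.example.net"),
    ("2007-09-13T10:00:03", "sip:bob@example.com", "203.0.113.5", "Asterisk PBX", "sip:hp-1003@voip.example.net"),
    ("2007-09-13T10:05:00", "sip:carol@bank.example", "198.51.100.9", "spitbot/0.1", "sip:hp-1001@voip.example.net"),
    ("2007-09-13T10:05:10", "sip:dave@bank.example", "198.51.100.9", "spitbot/0.1", "sip:hp-1004@voip.example.net"),
    ("2007-09-13T11:00:00", "sip:erin@example.org", "192.0.2.77", "X-Lite", "sip:hp-1002@voip.example.net"),
]

# Assumed: address blocks from which each caller-ID domain's SIP servers send.
KNOWN_ORIGINS = {
    "example.com": [ip_network("203.0.113.0/24")],
    "bank.example": [ip_network("203.0.113.128/25")],
    "example.org": [ip_network("192.0.2.0/24")],
}


def uri_domain(uri):
    """'sip:user@host[:port][;params]' -> 'host'."""
    return uri.split("@", 1)[1].split(";", 1)[0].split(":", 1)[0]


def frequent_callers(calls, min_calls=3):
    """Step 4: From URIs and source IPs seen at least min_calls times become
    blacklist candidates.  Honeypot traffic is illicit by construction, so
    frequency alone is the criterion."""
    by_uri = Counter(c[1] for c in calls)
    by_ip = Counter(c[2] for c in calls)
    return {"uris": sorted(u for u, n in by_uri.items() if n >= min_calls),
            "ips": sorted(i for i, n in by_ip.items() if n >= min_calls)}


def spoofing_suspects(calls, origins=KNOWN_ORIGINS):
    """Step 3: match caller ID against source IP.  A From domain whose known
    servers never send from the observed source IP is a spoofing suspect."""
    suspects = []
    for _ts, from_uri, src_ip, _ua, _callee in calls:
        nets = origins.get(uri_domain(from_uri))
        if nets is None:
            continue  # unknown domain: nothing to compare against
        if not any(ip_address(src_ip) in n for n in nets):
            suspects.append((from_uri, src_ip))
    return suspects


def honeypot_profile(calls):
    """Properties shared by honeypot traffic: the basis for rating other calls."""
    return {"from_uris": {c[1] for c in calls},
            "user_agents": {c[3] for c in calls},
            "source_nets": {ip_network(c[2] + "/24", strict=False) for c in calls}}


def malicious_rating(call, profile):
    """Step 4: rate a call to a production user by how many properties it
    shares with calls seen at the honeypot (0..3); a proxy can reject or
    challenge calls above a chosen rating."""
    _ts, from_uri, src_ip, ua, _callee = call
    return (int(from_uri in profile["from_uris"])
            + int(ua in profile["user_agents"])
            + int(any(ip_address(src_ip) in n for n in profile["source_nets"])))
```

The spoofing check deliberately says nothing about domains it has no origin data for: an unknown From domain is left to the statistical step rather than being flagged, so the blacklist is fed only by evidence the honeypot can actually support. Rating by /24 of the source address is a coarse heuristic; the same bot network is often spread across a provider's block, but so are innocent customers, which is why the rating is a score to be combined with other properties rather than a verdict.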
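The malicious-gateway correlation ("VoIP: The Need for Event Correlation") and the broken-handshaking rule set ("Event Correlation: Misuse Detection"), as one added example that is not the authors' SEC configuration: a small Python correlator with the semantics of SEC's PairWithWindow and SingleWithThreshold rules, run over a constructed stream of SIP, MGCP and RTP events. The timestamps, Call-IDs and endpoint names are constructed; the 10 s, 60 s, 5 s and 30 s windows that the slides do not state are assumed, as is the mapping of RTP packets to the gateway endpoint they belong to.

```python
"""SEC-style correlation of the two rule sets drawn in the deck: the
broken-handshaking flood and the malicious gateway.  Added example in
Python mirroring SEC's PairWithWindow / SingleWithThreshold semantics; it is
not the authors' SEC configuration.  All timestamps, Call-IDs and endpoint
names are constructed; the 10 s, 60 s, 5 s and 30 s windows that the slides
do not state are assumed."""
from collections import deque


class Engine:
    """Feeds every event (time, name, key) to every rule and collects alerts."""

    def __init__(self):
        self.rules, self.alerts = [], []

    def add(self, rule):
        rule.engine = self
        self.rules.append(rule)

    def feed(self, t, name, key):
        for rule in list(self.rules):
            rule.feed(t, name, key)

    def flush(self, t):
        """Expire all open windows at end of input (a later event would do it)."""
        self.feed(t, None, None)

    def alert(self, t, text):
        self.alerts.append((round(t, 2), text))


def emit(name):
    """Action: generate a synthetic second-layer event with the same key."""
    return lambda eng, t, key: eng.feed(t, name, key)


def alert(text):
    """Action: raise an alert (stands in for SEC's shellcmd notify.sh)."""
    return lambda eng, t, key: eng.alert(t, f"{text} [{key}]")


class PairWithWindow:
    """After event1(key), wait `window` s for event2(key).  on_match runs if it
    arrives in time, on_timeout when the window expires first (SEC: action2 / action)."""

    def __init__(self, event1, event2, window, on_match=None, on_timeout=None):
        self.event1, self.event2, self.window = event1, event2, window
        self.on_match, self.on_timeout = on_match, on_timeout
        self.pending = {}  # key -> deadline

    def feed(self, t, name, key):
        for k, deadline in list(self.pending.items()):  # expire stale windows first
            if t > deadline and k in self.pending:
                del self.pending[k]
                if self.on_timeout:
                    self.on_timeout(self.engine, deadline, k)
        if name == self.event1 and key not in self.pending:
            self.pending[key] = t + self.window
        elif name == self.event2 and key in self.pending:
            del self.pending[key]
            if self.on_match:
                self.on_match(self.engine, t, key)


class SingleWithThreshold:
    """Run `action` once when `threshold` events named `name` fall within
    `window` s, then stay quiet for one window (SEC's suppression)."""

    def __init__(self, name, threshold, window, action):
        self.name, self.threshold, self.window, self.action = name, threshold, window, action
        self.times, self.quiet_until = deque(), float("-inf")

    def feed(self, t, name, key):
        if name != self.name:
            return
        self.times.append(t)
        while self.times[0] < t - self.window:
            self.times.popleft()
        if len(self.times) >= self.threshold and t >= self.quiet_until:
            self.action(self.engine, t, key)
            self.times.clear()
            self.quiet_until = t + self.window


def build_engine():
    eng = Engine()
    # Rule set 1: INVITE -> 200 OK, then no ACK within 2 s = broken handshaking;
    # ten of those within a minute -> DoS notification.
    eng.add(PairWithWindow("INVITE", "200 OK", 10.0, on_match=emit("INVITE-200OK")))
    eng.add(PairWithWindow("INVITE-200OK", "ACK", 2.0, on_timeout=emit("broken handshaking")))
    eng.add(SingleWithThreshold("broken handshaking", 10, 60.0,
                                alert("notify.sh 'broken handshaking DoS'")))
    # Rule set 2: DLCX acknowledged with 200, yet RTP for that endpoint keeps arriving.
    eng.add(PairWithWindow("DLCX", "MGCP 200", 5.0, on_match=emit("CONN-DELETED")))
    eng.add(PairWithWindow("CONN-DELETED", "RTP", 30.0,
                           on_match=alert("ALARM: RTP after DLCX 200 OK")))
    return eng


def sample_events():
    """Constructed stream: 12 handshakes never completed with ACK, one normal
    call, and a gateway still sending RTP after deleting its connection."""
    ev = []
    for i in range(12):
        ev += [(i, "INVITE", f"flood-{i}"), (i + 0.1, "200 OK", f"flood-{i}")]
    ev += [(5.5, "INVITE", "legit"), (5.6, "200 OK", "legit"), (5.7, "ACK", "legit")]
    ev += [(100.0, "DLCX", "ds/e1-1@gw"), (100.05, "MGCP 200", "ds/e1-1@gw"),
           (101.0, "RTP", "ds/e1-1@gw")]
    return sorted(ev)


def correlate(events):
    """Run the rule sets over a time-ordered (t, name, key) stream; return alerts."""
    eng = build_engine()
    for t, name, key in events:
        eng.feed(t, name, key)
    eng.flush(events[-1][0] + 60.0)
    return eng.alerts
```

Two layers are visible here: the first PairWithWindow turns raw SIP messages into the synthetic INVITE-200OK event, and later rules consume only synthetic events, which is what the "two layers" slide describes. The legitimate call (INVITE, 200 OK, ACK) never produces a broken-handshaking event, while the tenth unanswered handshake trips the threshold. For the gateway case the key is the MGCP endpoint, so the RTP observer has to resolve each packet's 5-tuple to the endpoint negotiated in CRCX/MDCX before feeding it; a real deployment would also thread RTP packets into one dense event per flow rather than feed every packet, as the "Events Modeling" slide suggests. Keying the threshold by source IP instead of globally is the obvious refinement for a production rule.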
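The stationary user-behaviour profile of the "Anomaly Detection (using events)" slide, as an added example that is not the authors' implementation: hourly bins with the slide's three metrics, a 30-day long-term profile against a one-day short-term profile, and both Euclidean and quadratic distances over constructed CDRs. The diagonal inverse-variance weighting used for the quadratic distance, its floor on the standard deviation, and the mean plus three sigma alarm threshold are this example's assumptions.

```python
"""Stationary user-behaviour profile as on the anomaly-detection slide:
bin = one hour, event = call, metrics = number of calls, number of distinct
callees, mean call duration; long-term profile = 30 days, short-term
profile = one day; Euclidean and quadratic distance.

Added example, not the authors' implementation.  The CDRs are constructed;
the diagonal inverse-variance weighting used for the "quadratic" distance,
its 1.0 floor on the standard deviation, and the mean + 3 sigma threshold
are this example's assumptions.
"""
import math

HOURS = 24


def hourly_profile(cdrs):
    """One day of CDRs (start_hour, callee, duration_s) -> 72-element vector:
    per hour bin [calls, distinct callees, mean duration]."""
    calls, callees, dur = [0] * HOURS, [set() for _ in range(HOURS)], [0.0] * HOURS
    for hour, callee, duration in cdrs:
        calls[hour] += 1
        callees[hour].add(callee)
        dur[hour] += duration
    vec = []
    for h in range(HOURS):
        vec += [calls[h], len(callees[h]), dur[h] / calls[h] if calls[h] else 0.0]
    return vec


def long_term_profile(days):
    """Per-feature mean and standard deviation over the long-term window."""
    vecs = [hourly_profile(d) for d in days]
    n = len(vecs)
    mean = [sum(v[i] for v in vecs) / n for i in range(len(vecs[0]))]
    std = [math.sqrt(sum((v[i] - m) ** 2 for v in vecs) / n) for i, m in enumerate(mean)]
    return mean, std


def euclidean(x, mean):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, mean)))


def quadratic(x, mean, std, floor=1.0):
    """Quadratic form with diagonal weights 1/var; the floor keeps features
    that never vary in the long term from dominating (assumption)."""
    return math.sqrt(sum(((a - b) / max(s, floor)) ** 2 for a, b, s in zip(x, mean, std)))


class UserProfile:
    def __init__(self, long_term_days, k=3.0):
        self.mean, self.std = long_term_profile(long_term_days)
        dists = [quadratic(hourly_profile(d), self.mean, self.std) for d in long_term_days]
        m = sum(dists) / len(dists)
        s = math.sqrt(sum((d - m) ** 2 for d in dists) / len(dists))
        self.threshold = m + k * s  # how far a normal day strays from the profile

    def score(self, day_cdrs):
        """Short-term profile (one day) against the long-term profile."""
        return quadratic(hourly_profile(day_cdrs), self.mean, self.std)

    def is_anomalous(self, day_cdrs):
        return self.score(day_cdrs) > self.threshold


# Constructed CDRs.  A normal day: two calls per business hour to two
# colleagues, lasting 120/130/140 s depending on the day.
def office_day(day_index):
    dur = 120 + 10 * (day_index % 3)
    return [(h, c, dur) for h in range(9, 17)
            for c in ("sip:bob@corp.example", "sip:carol@corp.example")]


# Abuse of service: 40 short calls per hour, round the clock, each to a new
# number, as a hijacked account dialling premium numbers would look.
def abuse_day():
    return [(h, f"sip:+4470{h:02d}{i:04d}@corp.example", 15.0)
            for h in range(HOURS) for i in range(40)]
```

Raw Euclidean distance is dominated by the duration metric, which is measured in seconds while the other two are small counts; that is why the weighted quadratic form is the one used for the decision. The threshold is derived from how far the long-term days themselves stray from their own mean, so it adapts per user instead of being a fixed constant; with real CDRs the long-term window should be rebuilt daily and weekdays and weekends profiled separately, since a Saturday scored against a weekday profile would otherwise look anomalous.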
