Recently Voice over IP (VoIP) is experiencing a phenomenal growth. Being a time sensitive service, VoIP is even more susceptible to malicious attacks than regular Internet services. Moreover, VoIP uses multiple protocols for call control and data delivery, making it vulnerable to various attacks at different protocol layers. The already-known security solutions for data networks fall short of defending VoIP applications because of the differences of cross protocol interactions and the way in which the different handshakes effect the distributed service elements and consequently the end user quality of service (QoS) of VoIP. This project seeks to develop a series of intrusion detection techniques suitable for VoIP and experimentally verify their commercial viability. Overall objective is to detect known and unknown attacks in an accurate and timely manner, without incurring a noticeable delay in call setup times.
The research plan consists of two major components: Protocol-state-machine (PSM) based mechanism for detecting known attacks, and Hellinger-distance based (HD) mechanism for detecting unknown attacks. The incorporation of the communication between protocol state machines is particularly suited for intrusion detection in VoIP, because call control and media delivery protocols are synchronized by exchanging synchronization messages for critical events throughout the established sessions. The core of HD detection scheme is based on using the Hellinger distance to measure the deviation from normal network protocol behaviors. To have the detection mechanism insensitive to site and traffic pattern, a dynamic self-regulating threshold is used, thus making the detection mechanism robust, widely applicable, and easier to deploy. Research results of the project will be broadly disseminated through publication, web pages, and technology transfer to industry.
