Towards a Scalable and Secure VoIP Infrastructure
Lab for Advanced Networking Systems
Director: David K. Y. Yau

1. Security Challenges
• Traditional telephone network: highly reliable, voice-specific, closed and physically secure system.
• VoIP network: unpredictable/open transport, data/voice convergent, publicly connected (intelligent but untrusted/malicious end systems).
• Security should not be an afterthought.
• Media, signaling and infrastructure attacks.

2. VoIP Network Architecture
Protocol stack: SIP signaling over TLS/TCP; media over RTP/RTCP/UDP; both on the IP network.
Session Initiation Protocol (SIP): a call between VoIP phones (wired, mobile, or a legacy POTS phone behind a media gateway) is set up through a proxy/redirect server, with user registration and DNS lookup. Signaling exchange in the figure: INVITE sip:john.lui@cuhk.edu.hk, 180 Ringing, 200 OK, ACK, then the media stream, then BYE and 200 OK.
Threats by component (from the architecture figure):
• Phone: virus, misconfiguration, compromise.
• Proxy: TLS flood, authentication / encryption attacks.
• Media gateway: RTP port starvation.
• Signaling path: SIP flood and spoofing, theft-of-service, authentication attack.
• Media path: media eavesdropping, UDP / RTP flood, encryption attack, faked ToS (theft-of-service).
• Wireless access: jamming, RTS / CTS attack.

3. SIP: Security Issues
• SIP requires: proxy server, redirection server, firewall, etc.
• These servers can be subjected to (1) DDoS attack, (2) low-rate TCP attack, (3) jamming attack.
• If not handled carefully, VoIP won't fly.

Case 1. Flooding Attack
• Attack flows vs. legitimate flows: expect a separation between them; the attack flow is the aggressive one.
• Solution: router throttle. Throttles are securely installed by the server S (and S') at the deployment routers, which limit the rate forwarded toward it. The figure shows the resulting max-min rates for L = 18, H = 22.

Case 2. Low-rate DoS Attack on TCP Flow
• A sufficiently large attack burst causes packet loss at the congested router.
• TCP times out and retransmits after RTO.
• If the attack period equals the RTO of the TCP flow, TCP continually incurs loss and achieves zero or very low throughput.

Algorithm of Detection: sample the traffic, filter the noise, extract the signature, pattern match.
• Sample recent instantaneous throughput at a constant rate; each detection run works on a sequence of instantaneous throughput samples. Normalization is necessary: Avg BW = lR/T.
• The background noise in the samples needs to be filtered: UDP flows and other TCP flows that are less sensitive to the attack. For simplicity, a threshold filter can be used.
• Autocorrelation is adopted to extract the periodic signature of the input signal: a periodic input gives a special pattern in its autocorrelation. (Autocorrelation also masks a time shift S of the input.) Unbiased normalization is used, with M the length of the input sequence and m the index of the autocorrelation.
• The similarity between the template and the input is then calculated. We use Dynamic Time Warping (DTW); the detailed DTW algorithm is provided in our research work. The smaller the DTW value, the more similar they are.
• Robustness of detection: DTW values cluster (the figure shows the probability distribution of DTW values), so a threshold can be set to distinguish attack input from legitimate input.

Case 3. Wi-Fi Jamming
• Wireless VoIP using 802.11.
• Wi-Fi security problems: common jamming; low-rate attack on the control plane; exploiting the protocol: RTS-CTS.
• RTS-CTS jamming example (figure): station A sends RTS(A) to the AP, the AP answers CTS(A), and station B defers for the reserved time.

4. Conclusion
• Security solutions: initial focus on denial-of-service, considering security protocols like SRTP, TLS, S/MIME, SSL, etc.
• Protocol design and analysis (solutions must be scalable despite encryption, authentication, etc.).
• Seek experimental evaluation: realistic testbed network; hope to evolve into international scope: Bell Labs (NJ), Purdue (IN), Chinese University (Hong Kong), ...
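The router throttle of Case 1 above, as an added example that is not the lab's code: a server S with target aggregate window [L, H] = [18, 22] (the bounds printed in the poster's max-min figure) searches for a per-router throttle rate r, and every deployment router then forwards at most r toward S. Low-rate routers pass untouched while the aggressive source is cut down to r, which is the separation between legitimate and attack flows the poster expects. The offered loads, the halve/additive-step control rule and the step size (H - L)/n are my assumptions; the poster gives only the solution name and the L, H values.

```python
"""Router throttle for Case 1: server-centric max-min fair rate search.
Added example with constructed offered loads; not the lab's code."""


def throttled_load(offered, r):
    """Aggregate rate reaching S when each deployment router forwards at
    most r toward S: min(f_i, r) is the max-min fair share under cap r."""
    return sum(min(f, r) for f in offered)


def per_router_rates(offered, r):
    """What each deployment router actually forwards after throttling."""
    return [min(f, r) for f in offered]


def fair_throttle(offered, low, high, r0=None, max_rounds=200):
    """Search for a throttle rate r such that the aggregate arriving at S
    lies in [low, high].  S only sees its own aggregate arrival rate, so
    it adjusts r iteratively and re-installs it at the deployment routers.
    Assumed control rule (not from the poster): halve r when overloaded,
    add delta when underloaded, with delta = (high - low) / n so that a
    single increase cannot jump over the target window.
    Returns (r, rounds) where rounds lists (r, load) per iteration, or
    (None, []) when no throttling is needed at all."""
    if sum(offered) <= high:
        return None, []
    delta = (high - low) / len(offered)
    r = max(offered) if r0 is None else r0
    rounds = []
    for _ in range(max_rounds):
        load = throttled_load(offered, r)
        rounds.append((round(r, 3), round(load, 2)))
        if load > high:
            r /= 2.0          # multiplicative decrease: S still overloaded
        elif load < low:
            r += delta        # additive increase: capacity left unused
        else:
            return r, rounds
    raise RuntimeError("throttle rate did not converge")


# Constructed offered loads at 13 deployment routers (arbitrary units):
# a few aggressive sources dominate, most routers carry little traffic.
OFFERED = [6.65, 24.88, 18.23, 0.22, 14.1, 15.51, 0.01,
           59.9, 17.73, 1.40, 20.53, 0.61, 0.95]
L, H = 18.0, 22.0   # target window for the aggregate at S, as in the poster

if __name__ == "__main__":
    r, rounds = fair_throttle(OFFERED, L, H)
    for step, (rate, load) in enumerate(rounds):
        print(f"round {step}: r={rate:8.3f}  load at S={load:7.2f}")
    for f, g in zip(OFFERED, per_router_rates(OFFERED, r)):
        print(f"offered {f:6.2f} -> forwarded {g:5.2f}")
```

Starting from r = max(offered) the loop only halves until the aggregate drops into the window; starting from a small r0 it climbs additively. Either way the 0.22 and 0.95 routers are never touched, which is the max-min fairness property: the throttle only binds on sources above the common rate.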
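The Case 2 detection pipeline above (sample, filter, extract the signature, match), as an added example that is not the lab's code. It runs on a constructed 80-sample throughput window (assumed 50 ms sampling, so a 1 s RTO is 20 samples and a 150 ms burst is 3 samples), applies a threshold filter that zeroes samples below an assumed noise floor, computes the unbiased autocorrelation R(m) = 1/(M - m) * sum_{n} x[n] x[n+m] (the standard estimator; the poster names it but does not print it), normalizes by R(0), and takes the DTW distance to the autocorrelation of an ideal square-wave template. The decision threshold of 1.0 stands in for the one the poster derives from clustering DTW values. The attack trace is shifted by 5 samples to show that autocorrelation masks the time shift, and the all-zero case (nothing above the floor) is handled explicitly rather than dividing by R(0) = 0.

```python
"""Low-rate TCP DoS detection: sample -> filter -> autocorrelate -> DTW match.
Added example on constructed traces; not the lab's code."""
import random

RTO_SAMPLES = 20        # assumed attack period = TCP RTO (1 s at 50 ms sampling)
BURST_SAMPLES = 3       # assumed burst length (150 ms)
NOISE_FLOOR = 5.0       # assumed threshold filter: below this is background
DTW_THRESHOLD = 1.0     # assumed decision threshold on DTW values


def threshold_filter(samples, floor=NOISE_FLOOR):
    """Drop background noise (UDP flows, insensitive TCP flows): samples
    below the floor are set to zero, the rest are kept as-is."""
    return [v if v >= floor else 0.0 for v in samples]


def unbiased_autocorr(x, lags):
    """Unbiased autocorrelation for m = 0..lags-1, M = len(x):
    R(m) = 1/(M-m) * sum_{n=0}^{M-m-1} x[n] x[n+m]."""
    M = len(x)
    return [sum(x[n] * x[n + m] for n in range(M - m)) / (M - m)
            for m in range(lags)]


def normalize(r):
    """Scale so R(0) = 1, making the signature independent of absolute
    throughput; an all-zero input (nothing above the floor) stays zero."""
    return [v / r[0] for v in r] if r[0] else [0.0] * len(r)


def periodic_template(n, period, burst):
    """Ideal square wave: `burst` samples on, then off, every `period`."""
    return [1.0 if i % period < burst else 0.0 for i in range(n)]


def dtw(a, b):
    """Dynamic time warping distance with |a_i - b_j| as the local cost."""
    n, m = len(a), len(b)
    inf = float("inf")
    D = [[inf] * (m + 1) for _ in range(n + 1)]
    D[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            D[i][j] = cost + min(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1])
    return D[n][m]


def detect(samples, period=RTO_SAMPLES, burst=BURST_SAMPLES,
           floor=NOISE_FLOOR, threshold=DTW_THRESHOLD):
    """One detection run: returns (dtw_value, is_attack)."""
    lags = len(samples) // 2   # two attack periods of lags are enough
    signature = normalize(unbiased_autocorr(threshold_filter(samples, floor), lags))
    template = normalize(unbiased_autocorr(
        periodic_template(len(samples), period, burst), lags))
    value = dtw(signature, template)
    return value, value < threshold


def constructed_trace(kind, n=80, seed=7):
    """Constructed throughput windows (arbitrary units), deterministic."""
    rng = random.Random(seed)
    trace = [rng.uniform(0.0, 1.0) for _ in range(n)]   # background flows
    if kind == "attack":
        # square-wave bursts every RTO, shifted by 5 samples: the
        # autocorrelation signature is the same as for an unshifted attack
        for i in range(n):
            if (i - 5) % RTO_SAMPLES < BURST_SAMPLES:
                trace[i] += 10.0
    elif kind == "bursty":
        # legitimate bursts at irregular spacing: no periodic signature
        for i in (3, 4, 11, 30, 31, 32, 47, 52, 53, 74, 75, 76):
            trace[i] += 10.0
    return trace   # "smooth": background only, nothing above the floor


if __name__ == "__main__":
    for kind in ("attack", "bursty", "smooth"):
        value, flagged = detect(constructed_trace(kind))
        print(f"{kind:7s} DTW={value:6.3f} attack={flagged}")
```

The attack window lands well below the threshold while the irregular-burst and smooth windows sit several units above it, which is the clustering the poster relies on when it picks a threshold. If the background amplitude in constructed_trace is raised above NOISE_FLOOR, legitimate traffic leaks into the signature, which is why the filter step precedes the autocorrelation.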