A hybrid, stateful and cross-protocol intrusion detection system for converged applications

Authors:
Bazara I. A. Barry;H. Anthony Chan
Affiliations:
Departmernt of Electrical Engineering, Univesity of Cape Town;Departmernt of Electrical Engineering, Univesity of Cape Town
Venue:
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
Year:
2007

Citing 10
Cited 0

Specification-based anomaly detection: a new approach for detecting network intrusions

Proceedings of the 9th ACM conference on Computer and communications security
Reachability and Recurrence in Extended Finite State Machines: Modular Vector Addition Systems

CAV '93 Proceedings of the 5th International Conference on Computer Aided Verification
NetSTAT: A Network-Based Intrusion Detection Approach

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
STAT -- A State Transition Analysis Tool For Intrusion Detection

STAT -- A State Transition Analysis Tool For Intrusion Detection
A Stateful Intrusion Detection System for World-Wide Web Servers

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Confirming Configurations in EFSM Testing

IEEE Transactions on Software Engineering
SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments

DSN '04 Proceedings of the 2004 International Conference on Dependable Systems and Networks
VoIP Intrusion Detection Through Interacting Protocol State Machines

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
Practical VoIP Security

Practical VoIP Security
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Quantified Score

Hi-index	0.00

Visualization

Abstract

Although sharing the same physical infrastructure with data networks makes convergence attractive, it also makes Voice over Internet Protocol (VoIP) networks and applications inherit all the security weaknesses of IP protocol. In addition, VoIP converged networks come with their own set of security concerns. Voice traffic on converged networks is packet switched and vulnerable to interception with the same techniques used to sniff other traffic on a LAN or WAN. Denial of Service (DoS) attacks are one of the most critical threats to VoIP due to the disruption of service and loss of revenue they cause. VoIP systems are supposed to provide the same level of security provided by traditional PSTN networks, although more functionality and intelligence are distributed to the endpoints, and more protocols are involved to provide better service. All these factors make a new design and techniques in Intrusion Detection highly needed. In this paper we propose a novel host based intrusion detection architecture for converged VoIP applications. Our architecture uses the Communicating Extended Finite State Machines formal model to provide both stateful and cross-protocol detection. In addition, it combines signaturebased and specification-based detection techniques alongside combining protocol syntax and semantics anomaly detection. A variety of attacks are implemented on our test bed, and the intrusion detection prototype shows promising efficiency. The accuracy of the prototype detection is discussed and analyzed.