Post on 03-Jul-2020


Miroslav Voznak, Jakub Safarik (voznak@ieee.org)

Campus network monitoring and security workshop

Prague, April 24-25, 2014

New Approach to Recognition of VoIP Attacks from Honeypots


Introduction

• honeypots and usability tests

• DoS attacks and anomalies detection in SIP infrastructure

• Honeypot network concept

• MLP Neural network

• Practical Implementation

• Conclusion


Artemisa

• Artemisa plays the role of a regular SIP phone

• The programme connects to the SIP proxy with the extensions defined in a configuration file.


Artemisa

• Once a call is established on one of the Artemisa extensions, the honeypot simply answers the call.

• At the same time, it starts to examine the incoming SIP messages. Artemisa then classifies the call and saves the result for further review by the security administrator.

• Artemisa looks for fingerprints of well-known attack tools.


Artemisa

• Then it checks domain names and SIP ports on the attacker side.

• There is also a similar check for media ports.

• Requested URIs are also checked.

• Finally, Artemisa checks the received RTP stream (the audio can be stored in WAV format).


Artemisa

• The result is then shown in a console and can be saved into a pre-defined folder or sent by e-mail.

• Once the call has been examined, a series of bash scripts is executed (with pre-defined arguments).

• Artemisa can launch some countermeasures against the incoming attacks.


Dionaea

• Dionaea is a multi-service oriented honeypot which can simulate many services at a time.

• It simply waits for any SIP message and tries to answer it.

• It supports all SIP requests from RFC 3261 (REGISTER, INVITE, ACK, CANCEL, BYE, OPTIONS), multiple SIP sessions and RTP audio streams (data from the stream can be recorded).

• Logs are saved in plain-text files and in an SQLite database.


DoS attacks on application level

• register and invite flood (silent killers, CPU depletion)

Impact of SSI (Snort, SnortSAM, IPtables)

• register and invite flood (silent killers, CPU depletion)


Detection of SIP infrastructure attack

• some methods rely on IDS systems such as Snort and their features (exceeding thresholds), fingerprints of attacks

• and statistical methods such as the Hellinger distance

p – distribution of data within the training period
q – distribution of data within a short period

Test of similarity of both distributions:


$$H^2(P,Q) = \frac{1}{2}\sum_{i=1}^{n}\left(\sqrt{p_i}-\sqrt{q_i}\right)^2$$
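The Hellinger test above, applied to the mix of SIP request methods seen by a honeypot, as an added example that is not part of the original slides. The training period and the two short windows are constructed request lines, and the 0.5 alert threshold is an assumed value, not one from the talk.

```python
from collections import Counter
from math import sqrt

# SIP request methods the detector tracks (the RFC 3261 requests Dionaea answers).
METHODS = ("REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS")

def method_of(request_line):
    """Method is the first token of a SIP request line, e.g. 'INVITE sip:... SIP/2.0'."""
    return request_line.split(" ", 1)[0]

def distribution(request_lines):
    """Relative frequency of each tracked method within a period (p or q on the slide)."""
    counts = Counter(method_of(line) for line in request_lines)
    total = sum(counts[m] for m in METHODS)
    return {m: (counts[m] / total if total else 0.0) for m in METHODS}

def hellinger(p, q):
    """H(P,Q) = sqrt(1/2 * sum_i (sqrt(p_i) - sqrt(q_i))^2): 0 = identical, 1 = disjoint."""
    return sqrt(sum((sqrt(p[m]) - sqrt(q[m])) ** 2 for m in METHODS) / 2.0)

def is_anomalous(training_lines, window_lines, threshold=0.5):
    """Flag the short window when its method mix drifts too far from the training period.
    The 0.5 threshold is an assumed value, not one from the slides."""
    return hellinger(distribution(training_lines), distribution(window_lines)) > threshold

# Constructed sample traffic (not real honeypot logs). Training period: a benign mix.
TRAINING = (["REGISTER sip:honeypot.example SIP/2.0"] * 20
            + ["INVITE sip:100@honeypot.example SIP/2.0"] * 20
            + ["ACK sip:100@honeypot.example SIP/2.0"] * 20
            + ["BYE sip:100@honeypot.example SIP/2.0"] * 20
            + ["OPTIONS sip:honeypot.example SIP/2.0"] * 10
            + ["CANCEL sip:100@honeypot.example SIP/2.0"] * 10)
# Short period with a mix close to training: Hellinger distance ~0.23.
NORMAL_WINDOW = (["REGISTER sip:honeypot.example SIP/2.0"] * 3
                 + ["INVITE sip:100@honeypot.example SIP/2.0"] * 2
                 + ["ACK sip:100@honeypot.example SIP/2.0"] * 2
                 + ["BYE sip:100@honeypot.example SIP/2.0"] * 2
                 + ["OPTIONS sip:honeypot.example SIP/2.0"])
# Short period that is a REGISTER flood: Hellinger distance ~0.74.
FLOOD_WINDOW = ["REGISTER sip:honeypot.example SIP/2.0"] * 50

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        h = hellinger(distribution(TRAINING), distribution(window))
        print(f"{name}: H={h:.3f} anomalous={is_anomalous(TRAINING, window)}")
```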


Anomalies Detection in SIP infrastructure

• or detection of anomalies using a predictive model such as the Holt-Winters model

L (level), P (trend) and S (seasonal) components

• or the Brutlag method (predicted deviation), and

• or a moving average, where k is the number of measurements in the time series


Holt-Winters prediction:

$$\hat{y}_t = L_{t-1} + P_{t-1} + S_{t-T}$$

Brutlag predicted deviation bounds: $\hat{y}_t^{\max}$, $\hat{y}_t^{\min}$

Moving average:

$$\hat{y}_t = \frac{1}{k}\sum_{i=t-k}^{t-1} y_i$$

Anomalies Detection in SIP traffic

• Snort.AD, preprocessor http://www.anomalydetection.info


Honeypot Network Concept

The proposed design of a distributed honeypot network:

• centralized server for data gathering, analysis and honeypot monitoring

• the main part of the distributed network concept is the honeypot image


MLP Neural Network

• An MLP neural network was used for VoIP attack classification.

• It consists of several layers, each containing a specific number of neurons called perceptrons.

• Perceptrons in one layer are interconnected with the perceptrons in the following layer (synapses).


MLP Neural Network

• Each neuron in the input layer has a value based on the input parameters; there are as many input neurons as there are parameters in the input set.

• The output layer has the same number of neurons as the number of attack classes, so each neuron represents a single class of learned attack.

• The number of neurons inside the hidden layers depends on the neural network configuration (typically higher than the number of neurons in the input or output layers).


MLP Neural Network

• a neuron output of 0 means inhibition and 1 means excitation

• activation function (sigmoid)

• z: the output x of each previous-layer neuron multiplied by the corresponding connection weight w, summed over the layer

• c represents the skewness of the function; higher values bring the skewness of the sigmoid closer to a step function

• the memory of the neural network is saved in the connection weights; the learning mechanism (backpropagation) is used to acquire these values


$$y = \frac{1}{1+e^{-cz}}$$

$$z = \sum_{i=1}^{n} w_i x_i$$


Practical Implementation

• 10 input layer neurons, two hidden layers containing 30 and 24 neurons, and the last (output) layer with 8 neurons

• All attack information is gathered through the multi-service oriented honeypot application Dionaea

• Events are stored in its internal SQLite database (SIP message, IP addresses, ports or specific SIP header values)

• All data for the final classification are aggregated from selected tables into an array with 10 attributes.


Practical Implementation

• The 10 attributes serve as the attack vector (NN input).

• Aggregation depends on the attack origin and also on the time of the last message occurrence (there is a 5 minute sliding window after the last message detection): attack time duration; connection count; REGISTER message count; INVITE msg. count; ACK msg. count; BYE msg. count; CANCEL msg. count; OPTIONS msg. count; SUBSCRIBE msg. count; connection rate.

• The connection count attribute holds the number of connections from a single source on the honeypot. The connection rate is the ratio of all received SIP messages to the connection count.
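The aggregation into the 10-attribute attack vector described on this slide, as an added example that is not the authors' code. It reads constructed SIP events rather than Dionaea's SQLite tables, treats each (source IP, source port) pair as one connection (an assumption; the slides do not say how a connection is identified), and closes an attack when a source stays silent for longer than the 5 minute window.

```python
from dataclasses import dataclass

WINDOW = 300.0   # seconds: 5-minute sliding window after the last message (slide 18)
# Message types counted one per attribute, in slide order.
COUNTED = ("REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "SUBSCRIBE")

@dataclass(frozen=True)
class SipEvent:
    ts: float     # epoch seconds of the message
    src: str      # source IP (attack origin)
    port: int     # source port; (src, port) is taken as one connection (assumption)
    method: str   # SIP request method

def vector(attack):
    """10 attributes for one attack (events from one source, sorted by time):
    duration, connection count, 7 message counts, connection rate."""
    connections = len({(e.src, e.port) for e in attack})
    counts = [sum(1 for e in attack if e.method == m) for m in COUNTED]
    duration = attack[-1].ts - attack[0].ts
    return [duration, connections, *counts, len(attack) / connections]

def aggregate(events):
    """Group events by source; a gap longer than WINDOW closes the current attack and
    opens a new one, so one source can yield several vectors."""
    by_src = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)
    result = []
    for src, evs in by_src.items():
        attack = [evs[0]]
        for e in evs[1:]:
            if e.ts - attack[-1].ts > WINDOW:
                result.append((src, vector(attack)))
                attack = []
            attack.append(e)
        result.append((src, vector(attack)))
    return result

# Constructed events (documentation IP ranges, not real attackers): a short REGISTER
# burst from 203.0.113.5 over two connections, a lone INVITE 10 minutes later from the
# same source, and a single OPTIONS probe from 198.51.100.7.
SAMPLE = [SipEvent(t, "203.0.113.5", 5060, "REGISTER") for t in (0.0, 1.0, 2.0, 3.0)] + [
    SipEvent(4.0, "203.0.113.5", 5061, "OPTIONS"),
    SipEvent(604.0, "203.0.113.5", 5062, "INVITE"),
    SipEvent(10.0, "198.51.100.7", 5060, "OPTIONS"),
]

def sample_vectors():
    return aggregate(SAMPLE)

if __name__ == "__main__":
    for src, vec in sample_vectors():
        print(src, vec)
```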


Practical Implementation

• The SIP attack classification MLP network is considered trained when it correctly identifies more than 95% of the items in the training set.

• After a specific number of iteration cycles (100), the classification success rate is checked automatically.

• Training is restarted after 2 500 000 backpropagation cycles.

• The analyses with MLP networks achieved the following success rates: 94.94%, 79.85% and 97.54%.

• The lowest classification precision, 79.85%, was caused by a new call attack which was not included in the training set.


Conclusion

• The proposed distributed honeypot network in combination with neural network classifiers serves as another security level.

• With the possibility to change firewall rules or network routing, the whole system can prepare precaution mechanisms against attacks.

• Classification by a human is very precise, but time consuming and expensive. An automatic classification mechanism brings a solution for VoIP attack classification and simplifies the analysis of attacks.


Thank you for your attention

Q&A
