securing ims against novel threats -...
TRANSCRIPT
Securing IMS against Novel Threats
Stefan Wahl1, Konrad Rieck2, Pavel Laskov2, Peter Domschitz1, Klaus-Robert Müller3
1 Bell-Labs Germany, Alcatel-Lucent Deutschland AG, Lorenzstrasse 10, 70435 Stuttgart, Germany2 Fraunhofer Institute FIRST, Intelligent Data Analysis, Kekulestrasse 7, 12489 Berlin, Germany3 Technical University of Berlin, Machine Learning Group, Franklinstr. 28/29, 10587 Berlin, Germany
This is a preprint of an article published in the Bell Labs Technical Journal, 14(1), p.243–257, 2009.http://www.interscience.wiley.com
Abstract
Fixed mobile convergence (FMC) based on the 3GPPIP Multimedia Subsystem (IMS) is considered one ofthe most important communication technologies ofthis decade. Yet this all-IP-based network technol-ogy brings about the growing danger of security vul-nerabilities in communication and data services. Pro-tecting IMS infrastructure servers against maliciousexploits poses a major challenge due to the hugenumber of systems that may be affected. We ap-proach this problem by proposing an architecturefor an autonomous and self-sufficient monitoringand protection system for devices and infrastructureinspired by network intrusion detection techniques.The crucial feature of our system is a signature-lessdetection of abnormal events and zero-day attacks.These attacks may be hidden in a single messageor spread across a sequence of messages. Anoma-lies identified at any of the network domain’s in-gresses can be further analyzed for discriminativepatterns that can be immediately distributed to alledge nodes in the network domain.
1 Introduction
The IP Multimedia Subsystem (IMS) “is a global,access-independent and standards-based InternetProtocol (IP) connectivity and service control archi-tecture that enables various types of multimedia ser-vices to end users using common Internet-based pro-tocols” [15]. It was originally standardized by the3rd Generation Partnership Project (3GPP1) and later
13GPP is a trademark of the European TelecommunicationsStandards Institute.
adopted and extended by the European Telecommu-nications Standards Institute (ETSI) Telecommuni-cations and Internet converged Services and Proto-cols for Advanced Networking (TISPAN). A convergedfixed mobile convergence (FMC) network [23] distin-guishes three planes, as shown in Figure 1. The IMSplane performs the control/signaling layer functions;it has open interfaces to the IP transport plane, andto the service and application plane. IMS technol-ogy relies on principles and protocols of the InternetEngineering Task Force (IETF). The Session InitiationProtocol (SIP) plays the key role in controlling diversemultimedia services. The SIP protocol enables oneto embed conversational services into numerous newapplications for end users across multiple mobile andfixed access networks.
From the security point of view, the FMC architec-ture must be protected against threats from multiplecommunication domains and protocols including SIP,Media Streaming Real Time Transport Protocol (RTP),and Internet Protocol (IP). The focus of this paperlies on SIP layer security. All of the three classic se-curity goals—authenticity, availability, and integrity—can be attacked by exploiting vulnerabilities in the SIPstack implementations running on IMS edge or corenodes. By compromising an IMS node, an attackermay carry out an array of further attacks on IMS ser-vices, ranging from the loss of confidentiality to grossmonetary abuse, e.g., by assuming a false identity andtampering with the call accounting information. Ma-jor damage to availability can be inflicted by crashingSIP stacks using irregular protocol requests.
The above mentioned risks inherent to a wide-scaledeployment of IMS technology require a careful andmulti-faceted consideration of security issues. These
2 Wahl et al.
Accessindependent
MGW
3G mobile
PSTN
IP transport
IMS platformWLANWiMAX
DSLFiber
Ethernet
Applications Other IMSoperator
Figure 1: IP-based FMC architecture. Abbreviations 3G–Third generation, DSL–Digital subscriver line, FMC–Fixedmobile convergence, IMS–IP Multimedia Subsystem, IP–Internet Protocol, MGW–Media gateway, PSTN–Publicswitched telephone network, WiMAX–Worldwide Interoperability for Microwave Access, WLAN–Wire local areanetwork.
issues necessarily encompass preventive as well asreactive instruments. Preventive tools, such as en-cryption, authentication, and integrity control, repre-sent fundamental building blocks without which se-cure operation of IMS is unthinkable. While they areimportant design factors, these methods alone, how-ever, cannot fully guarantee the security of IMS in-frastructures. Implementation errors, configurationproblems, and subtle semantic vulnerabilities are in-evitable in such infrastructures due to their complex-ity. To prevent malicious exploitation of IMS, preven-tive techniques should be complemented by reactivemechanisms whose goal is to provide an adequate re-sponse to security problems that cannot be solved bydesign alone.
Most of the previous work on SIP security hasfocused either on preventive measures or on theresponse to known threats. It is, however, clearthat in view of the exploding variability of cur-rently observed malicious software, IMS infrastruc-tures must be equipped with a capability to detectpreviously unknown attack variants. Such capabil-ity can only be provided by self-learning compo-nents which capture characteristics of observed nor-mal data to flag anomalies as malicious events. Suchmethods have been previously proposed for general-purpose intrusion detection systems for IP networks,e.g., [8,10,16,17,26]. The peculiarities of the networkprotocols used in IMS, for example the Session Initia-tion Protocol, necessitate the development of special-ized intrusion detection techniques tailored to theirsemantics.
The main contribution of this paper is a new se-curity architecture for IMS containing mechanisms
for detection and response to unknown attacks. Theheart of this architecture is an anomaly detectioncomponent, which is deployed alongside the typicalcomponents of a SIP stack. The anomaly detectioncomponent assesses the irregularity of incoming SIPmessages, the rationale being that unusual events re-quire more careful treatment in the remaining pro-cessing chain than normal ones. Anomaly scores gen-erated in our architecture can be used for intelligentscheduling of SIP messages as well as for generationof signatures for anomalous events. Such signaturescan be further deployed on a domain scale in or-der to share information between various edge nodes.Experimental evaluation of SIP traffic obtained fromseveral real next-generation network (NGN) labora-tories, and synthetic attacks generated by a popu-lar fuzzer developed by Codenomicon, has demon-strated that the proposed architecture can reliably de-tect (with up to 99 percent accuracy) previously un-known attacks at IMS infrastructures.
2 Attack Categories andState-of-the-Art Solutions
A large variety of potential attacks are threateningIMS core networks. This section concentrates mainlyon threats that are addressing the IMS control layer,specifically different types of call session controlfunction (CSCF), as well as the application servers(AS) above the control layer. When categorizing thedifferent types of attacks and threats, it is useful todistinguish between time dependent and time inde-pendent attacks [22].
Time dependent attacks aim to exhaust resources
Securing IMS against Novel Threats 3
at different layers, from link bandwidth up to thecomputational resources at IMS control and AS.Flooding attacks are specialized time dependent at-tacks and can occur on different layers. TCP/SYNflooding, Smurf attacks, and SIP message flooding areexamples of flooding attacks. The SIP message flood-ing attacks detailed below aim to overwhelm IMS con-trol layer functions in the following ways:
– REGISTER flooding attacks generate a hugenumber of REGISTER messages with differentspoofed and faked source addresses which canoverwhelm the IMS control layer functions.
– INVITE flooding attacks are similar to REGISTERflooding, but these attacks try to break the IMSauthentication process.
– INVITE and REGISTER response flooding attacksattempt to obtain valid authentication or autho-rization credentials.
Time independent attacks belong to the secondcategory of attacks. These attacks insert their threatswith each message, thus affecting their victim in-stantly. Structured query language (SQL) injectionand time independent SIP message flow attacks areassigned to this category.
– SQL attacks try to perform data modificationsand may even disturb database services.
– Time independent SIP message flow attacks try toeither tear down sessions (BYE attack), terminatepending sessions (CANCEL attacks), modify ses-sions (Re-INVITE attacks), or eavesdrop on ses-sions (REFER attacks).
In the future, time independent attacks may be en-visioned which are only visible if multiple messagesare taken into account. Besides the IMS threats listedabove, the following attacks must also be taken intoaccount:
– Eavesdropping and password guessing. This ap-proach tries to obtain session information togenerate hijacking-style attacks
– Registration and session hijacking. Here, an at-tacker tries to register on another user’s behalfand forward a session via the attacker’s device.
– Man-in-the-middle. These attacks involve inter-ception and modification of message flows.
3GPP standard has specified security solutions forIMS which consist of authentication and key agree-ment as well as integrity and confidentiality mecha-nisms to secure SIP messages. Still, these function-alities do not completely secure the IMS core and/orapplication servers against SIP message flooding, SIPmessage flow, fuzzing, and SQL injection. To furtherimprove the protection against application layer at-tacks, intrusion detection/prevention solutions havebeen introduced. These intrusion detection and pre-vention solutions perform anomaly detection or mis-use detection. In the case of anomaly detection, theyare applying algorithms that investigate the normalbehavior of computer systems. This method has theadvantage of detecting unknown attacks but suffersfrom high false-positive results. In the case of the mis-use detection mechanism, the detection algorithmis supplied with all known attack descriptions. Thismethod therefore has a very low false positive rate,but it can only detect previously described attacks.
3 IMS Network Environment andBasic Architecture
A typical deployment scenario of an NGN foresees theplacement of session border controllers (SBCs) at theborder of the core network towards the access net-works as well as to peering networks, as shown in Fig-ure 2. With the advancement towards IMS/TISPANnetworks, SBCs are available on the market which of-fer selected IMS functionality, for example, a proxycall session control function [14].
To fulfill enhanced security, availability, and in-tegrity requirements, it is desirable that a major partof the security functionality is located at the ingressports of the domain, and herewith at the ingress portsof the border nodes (SBC). The goal is to shield thecore IMS functions from any signaling threats comingfrom the outside. The detailed security architecturesdiscussed in the following sections are located at theingress ports of these SBCs.
The basic SIP reactive security subsystem consistsof multiple processing stages, each performing dedi-cated functions at different layers. A combination ofstateless and stateful functionalities performs identi-fication for different kinds of misuse. Figure 3 showsthe four-step pipeline processing of this basic secu-rity architecture whereby the processing layer stepsup from left—the layer 3 and layer 4 (L3/L4) firewall
4 Wahl et al.
Border node
SIP/IMS basedcore network
AN
Peering
S-CSCFAS
HSS
MRFC
I-CSCF
MRFP
MGCF
BGCF
Border node
Border node Border
node
Border node
Border node
Protectedarea
RACS
AF
SPDF
BGFRCEF
BTF
x-RACF
NASSe4
RqRr
Rd‘,Ri‘
IaRe
Gq‘
Transport
processing functions
AF: P- CSCF
C-BGF
IP-Edge
ETSI/TISPAN
Figure 2: Core network with border nodes at the edges. Abbreviations: AF–Application function, AN–Accessnetwork, BGCF–Border gateway control function, BGF–Border gateway function, C-BGF–Core-BGF, CSCF–Callsession control function, ETSI–European Telecommunications Standard Institute, HSS–Home subscriber server,I-CSCF–Interrogative CSCF, IMS–IP Multimedia Subsystem, IP–Internet Protocol, MGCF–Media gateway controlfunction, MRFC–Media resource function controller, MRFP–Media resource function processor, NASS–Network at-tachement subsystem, P-CSCF–Proxy CSCF, RACF–Resource and admission control function, RACS–Resource andadmission control subsystem, RCEF–Resource control enforcement function, S-CSCF–Serving CSCF, SIP–SessionInitiation Protocol, SPDF–Service-based polidy decision function, TISPAN–Telecommunications and Interner con-verged Services and Protocols for Advanced Networking.
function—to right—the SIP stack at the applicationlayer. The computational effort spent per SIP mes-sage increases in line with the degree of semanticmessage comprehension from left to right. Feedbacklinks from higher layer to lower layer processing stepshave been introduced to empower higher layer func-tional blocks, which are capable of identifying moresubtle attacks, to control the behavior of the preced-ing functions. In the case of identified misuse, one ofthe higher layer processing steps can initiate an earlyand selective blocking or dropping on a per message,session, client, or IP address/port basis. As a result,the offered SIP message load can be controlled beforereaching the SIP stacks and thus fulfilling stringent re-quirements on computational performance.
The first functional block of the architecture afterthe ingress port is a firewall. On one hand, its majortask is to protect the subsequent functional modulesof the border node from any kind of well-known layer3 and layer 4 attacks, such as IP packet fragmentation,time dependent layer 3 and layer 4 attacks, e.g., In-ternet ICMP/TCP/UDP floods, smurf attacks, or de-nial of service (DoS) attacks. On the other hand, the
SIP stack and/or the session queue unit can controlthe firewall to open or close dedicated firewall portsfor a specific time period. Herewith massive SIP mes-sage attacks can be discriminated compared to well-behaving clients.
The firewall forwards a signaling message to a SIPpre-processing unit, which performs first SIP con-formance validation, applying, for example, an aug-mented Backus-Naur form (ABNF) checker. Afterprotocol conformance is verified, the sorting of theheader fields is performed. The sorting order is de-termined by a typical usage frequency by the differ-ent CSCFs and application servers, so that none ofthe CSCF and AS have to scan the entire SIP mes-sage to gather all the relevant information [3,27]. An-other important pre-processing function normalizesvariations of allowed header field names into a con-sistent name (e.g., “FrOm” or “F” or “FRoM” or oth-ers into “FROM”). A complementary design of the SIPpre-processing, session queuing, and parsing sub-function of the SIP stack leads to a further increasein throughput. Hereby, the components make useof a shared memory with a clearly specified mes-
Securing IMS against Novel Threats 5
Firewall(5-tuple)
SIP pre-processing- Conformance validation- Message normalization
Session queuing- Rate limiting- Priority processing (credential based) - Session state controlled
SIP stack/P-CSCF- SIP protocol processing- Identification of misbehavior- Control of- Session queues- Firewall- Lean stack due to SIP pre-processing
Session/client based overflow protection- Next allowed SIP methods indication- Priority credentials
Layer 3/4 protection(controlled whiteand black list)
Ingressport
Media pathDrop
DropDrop
Border node
Figure 3: Basic SIP reactive security system. Abbreviations: CSCF–Call session control function, P-CSCF–ProxyCSCF, SIP–Session Initiation Protocol.
sage map of the messages. The SIP pre-processingunit stores the major headers of the SIP message ata specified location in a message memory map. Assoon as the SIP pre-processing has extracted charac-teristic message headers, it indicates this to the ses-sion state management and message rate supervisionwithin the session queuing unit. The session queuingunit provides early feedback on whether the sessionqueue will drop the current message. In that case,the SIP pre-processing unit would receive a drop indi-cation, and would immediately stop any further pre-processing activity and release the allocated memory.
The tasks of session queuing are manifold. The firstpriority is to manage all the sessions for this ingressport within logical queues. This includes instantia-tions, releases of session queues, and the supervisionof the instantiation rate, but it also includes the mes-sage rate supervision per individual queue, wherebythe message rate depends on several aspects. Theseaspects are determined by the session activity of theclients and the overall system load.
After the SIP stack has processed a SIP message, itprovides feedback information to the session queu-ing module indicating whether the message was com-pliant (through compliance certificates) according tothe session state; additionally, it indicates the set ofsubsequent message types allowed. The compliancecertificates are used by the session queues to priori-tize all correctly-behaving clients in high load situa-tions. A message-selective gatekeeper function at theentrance of the session queues ensures that the onlymessage types accepted are those allowed access ac-
cording to the feedback information. The above de-scribed functionalities guarantee that only syntacti-cally correct, rate supervised, and session state con-forming SIP messages can allocate the valuable appli-cation layer processing of the SIP stack(s).
The session queuing module and multiple paral-lel running SIP stack processes create a single queuemultiple server system. The next free SIP stack pro-cess will receive the next waiting message. This isachieved by providing the SIP stack at task start withmemory pointers into the message record as well asinto the session state memory. During SIP messageprocessing, the SIP stack modifies the session statememory and can change the message record.
The basic architecture described provides a keyfunctionality to ensure reliable operation of an IMSedge node under various load conditions. This func-tionality allows detection of many forms of knownmisuse, e.g., flooding or other well-known attacks.But with the increasing dissemination of VoIP andIMS systems, the number of security threats and theoccurrence of new and unknown threats will greatlyincrease. Therefore, an additional functionality is re-quired to handle new and unknown attacks. The fol-lowing section presents an anomaly detection com-ponent for IMS edge nodes that is capable of detect-ing novel attacks with convincingly low false-positiverates. After presenting the basic anomaly detectioncomponent and the results of its experimental evalu-ation, additional features of the component, such asautomatic signature generation, are described.
6 Wahl et al.
4 Anomaly Detection
Anomaly detection methods aim at identifying abnor-mal events based on a learned model of normality.The majority of anomaly detection methods are de-fined for vectorial data, and thus are not directly suit-able for application to IMS protection. To address thisissue, we derive a technique for embedding SIP mes-sages in a vector space, which reflects typical charac-teristics of observed traffic patterns.
4.1 Feature Extraction
The anomaly detection approach builds on the vec-tor space model, a generic method for feature em-bedding commonly used in the domain of informa-tion retrieval [6,20]. A document—in this case a SIPmessage—is characterized by occurrence frequenciesof contained feature strings, S. Given a string s ∈ Sand a SIP message x , one determines the number ofoccurrences of s in x and thus obtains a frequencyvalue f (x , s ). The frequency of s acts as a measure ofits importance in x , e.g., f (x , s ) = 0) indicates no im-portance, while f (x , s )> 0 reflects the specific contri-bution of s to x . An embedding function m is derivedby mapping SIP messages to an |S|-dimensional vec-tor space spanned by the frequencies of all strings inS. The function m is defined as
m : X →R|S| with m (x ) 7→�
f (x , s )�
s∈S
where X denotes the set of all possible SIP messagesand R|S| a vector space over the real numbers. In con-trast to textual documents, however, we cannot definea feature set S a priori, as patterns of unknown andnovel attacks are impossible to determine in advance.To solve this problem the set of feature strings S is de-fined implicitly using the definitions of “tokens” and“n-grams”.
In an implicit view, tokens correspond to all possi-ble strings separated by specific delimiter symbols. Ifwe denote all byte values by B and define D as delim-iter symbols, a set S referred to as tokens is given byS := (B\D)∗, where * is the Kleene closure correspond-ing to all possible concatenations. The granularity ofthis feature extraction can be controlled using the de-limiter set D. The fewer delimiters are defined, themore specific are the extracted tokens. The followingexample illustrates how a SIP message is mapped to avector space using the notion of tokens, where the setof delimiters is D = {�,@,:,/}.
m ( BYE�SIP:JOHN@DOE�SIP/2.0 ) 7→
12111
BYE
SIP
JOHN
DOE
2.0
Tokens are intuitive and expressive to the hu-man analyst, yet they may not always identify novelthreats, due to the definition of delimiter symbols inadvance. An alternative technique for implicit defini-tion of feature strings S is the extraction of n-grams.Feature strings are extracted by moving a sliding win-dow of length n over the SIP message. At each po-sition, a substring of length n is considered and itsoccurrences are counted. Formally, the set of featurestrings S referred to as n-grams is defined as S := B n ,where B n corresponds to all possible strings of lengthn from the set B . For example, if n = 4 we obtain 4-grams, which for a simplified SIP message yields thefollowing feature vector
m ( BYE�SIP:JOHN@DOE�SIP/2.0 ) 7→
1122...
BYE�YE�SE�SI�SIP
...
The vector space induced by tokens and n-grams ishigh-dimensional, e.g., for n = 4 there exist 2564 dif-ferent dimensions. Computing and comparing vec-tors in such high-dimensional spaces seems infeasi-ble at a first glance. However, for both types of fea-tures, the number of feature strings contained in asingle SIP message is linear in its length. This sparserepresentation of the embedding can be exploited toderive linear-time methods for extraction and com-parison of feature vectors [18], which ultimately en-ables efficient anomaly detection over embedded SIPmessages.
4.2 Anomaly Detection
The proposed embedding function m maps SIP mes-sages into a vector space in which various learning al-gorithms can be applied for anomaly detection. Weherein concentrate on two simple methods based ongeometric models of normality: a global and a lo-cal anomaly detection. The basis for such geometric
Securing IMS against Novel Threats 7
Figure 4.Geometric anomaly detection.
(a) Global model (b) Local model
Figure 4: Global and local anomaly detection.
learning models is a distance function d , which as-sesses the dissimilarity of two messages x and z byd (x , z ) = ||m (x ) −m (z )|| and corresponds to a Eu-clidean distance in the vector space. Messages orig-inating from a similar context yield small distancesand lie close to each other, while messages from dif-ferent contexts result in greater distances.
Based on this notion of a distance for SIP messagesX = {x1, . . . ,xn }, a global model for anomaly detec-tion is defined by placing a hypersphere around a setof given SIP messages embedded into a vector space.In particular, one seeks the smallest representation ofX corresponding to the hypersphere with minimumvolume, which can be determined by solving the fol-lowing optimization problem:
µ∗ = argminµ
max1≤i≤n||m (x i )−µ||,
where µ∗ is the center of the optimal hypersphere.Figure 4 depicts global anomaly detection. As anexample, Figure 4(a) shows a set of points enclosedby a two-dimensional sphere with minimum volume.Anomalies lie outside the sphere due to their largedistance from the center. Unfortunately, unknown at-tacks in X may spoil this process and lead to hyper-spheres with larger volume. This problem is alleviatedby the technique of regularization, which âAIJsoften-sâAI the margin of the hypersphere, such that outliersand unknown attacks can be compensated. An intro-duction to this regularized learning model is providedin [9] and [25], which cover the respective theory aswell as the efficient computation.
Once the center µ∗ of the smallest hypersphere hasbeen found, the deviation g from this global modelof normality is determined by computing the distance
of an incoming SIP message z from µ∗. Formally, thisdistance is defined using the vectors µ∗ and m (z ) inthe feature space spanned by frequencies of n-gramsor tokens as follows
g (z ) = ||m (z )−µ∗||.
Application of the learned model requires comput-ing only a single distance value for each incomingmessage, as µ∗ is fully determined from X during theprior learning phase.
If the SIP traffic monitored at a network node isinherently heterogeneous, e.g., at a large gateway, aglobal model of normality might not suffice for detec-tion of unknown and novel attacks. To detect anoma-lies in such settings, we introduce a local anomalydetection scheme which assesses deviation of a mes-sage by considering only a fraction of messages in thetraining data. The model is derived using the notionof k -nearest neighbors. We define the neighbors of avector M (z ) using a permutation p of X , such that theembedded message m (xp [i ]) is the i -th nearest neigh-bor to z in terms of distance. The local deviation l isthen computed by
l (z ) =1
k
k∑
i=1
||m (z )−m (xp [i ])||
−1
k 2
k∑
i=1
k∑
j=1
||m (xp [j ])−m (xp [i ])||.
Messages strongly deviating from their k -nearestneighbors yield a large average distance, while mes-sages close to their neighbors get a low deviationscore. In particular, the first term emphasizes points
8 Wahl et al.
that lie far away from its neighbors, whereas the sec-ond term discounts abnormality of points in wideneighborhood regions. Figure 4(b) illustrates localanomaly detection, where the anomalies are identi-fied by a large distance to neighboring points. Incontrast to the global model, local anomaly detec-tion requires determining several distance values. Foreach incoming message O(nk 2) distance computa-tions need to be performed for finding the k -nearestneighbors and calculating l .
To demonstrate the capabilities of the proposed de-tection methods, we conducted experiments on real-istic SIP traffic and attacks. For our experiments wegenerated an evaluation data set comprising 4,428 SIPmessages and 10,000 attacks. These SIP traces con-tain contiguous and interleaved SIP dialogs recordedat a network edge ingress. The messages originatedfrom several NGN test labs and research setups wheremultiple services and inter-working tests are per-formed. In the absence of a large collection of SIPattacks, we conducted our experiments using artifi-cially generated attacks. A VoIP version of the secu-rity and syntax testing tool, Codenomicon Defensics2
was applied to produce several thousand anomalousSIP messages—covering syntactical anomalies as wellas security probes for boundary condition, formatstring, and input validation vulnerabilities. The gen-erated attacks are post-processed to eliminate any re-maining redundancy by permuting the sequence ofthe header fields and randomizing certain header andparameter values.
Figure 5 depicts the detection performance ofthe anomaly detection methods averaged over in-dependent samples of the evaluation data using 2-grams, 4-grams, and tokens as string features. Fig-ure 5(a) shows results for the global anomaly detec-tion method and Figure 5(b) for the local anomalydetection method. The performance is presented asreceiver operating characteristic (ROC) curves, whichshow the false positive rate of a method on the x-axis,and the true positive rate on the y-axis for differentthresholds. High detection accuracy is reflected in thetop left of a ROC curve, while random detection cor-responds to a diagonal line.
The local anomaly detection method yields signif-icantly higher detection accuracy in comparison tothe global detection method. In particular, for alltypes of feature strings a true-positive rate over 97
2Defensics is a trademark of Codenomicon, Inc.
percent is achieved with no false positives. More-over, for the 4-grams features, over 99 percent of theattacks are detected—even though all attacks wereunknown to the system during application. For theglobal anomaly detection method only the 4-gramfeatures enable similar accuracy and in contrast, thetoken features provide a very poor performance. Theembedding to a vector space using 4-grams hence en-ables a very effective discrimination of normal trafficand attacks by capturing particular substrings relatedto normal or anomalous messages.
4.3 Signature Generation
An additional step towards integration of anomalydetection methods into practice is inter-linkage withexisting signature-based detection systems. Once anovel attack has been identified by anomaly detec-tion, a further step is to automatically generate acorresponding attack signature and distribute it tosignature-based detection systems in the IMS do-main. However, deriving a signature from a sin-gle anomaly is cumbersome and thus, as a pre-processing step, detected anomalous messages aregrouped into attack clusters using algorithms suchas linkage clustering or k-means [5]. By averagingthe vectors of all anomalies in a cluster and prun-ing dimensions that occur in single or few instancesonly, we can construct a general vectorial model A foreach attack cluster. The vector A comprises the av-erage frequencies of prevalent feature strings in theconsidered attack cluster. We refer to the set of fea-ture strings associated with A as a unilateral signa-ture. Similarly, we can average and prune vectors ofnormal SIP messages to a vectorial model N . By com-puting B = A −N we obtain a bilateral signature, B ,that indicates malicious strings through large positivevalues and normal patterns by negative values [17].Both types of signatures—unilateral and bilateral—can be represented as sets of strings and thus dis-tributed to the majority of available signature-basedsystems. While unilateral signatures correspond toregular signatures as deployed in most systems, bilat-eral signatures improve attack detection by also incor-porating traffic patterns characteristic for the partic-ular IMS domain, such as typical SIP headers, whoseabsence also indicates anomalous activity.
The technique for embedding SIP messages toa vector space and measuring similarity of objectsintroduced in this section provides a generic in-
Securing IMS against Novel Threats 9
0 0.002 0.004 0.006 0.008 0.010
0.2
0.4
0.6
0.8
1
Tru
e p
osi
tive r
ate
False positive rate
2!grams4!gramsTokens
0 0.002 0.004 0.006 0.008 0.010
0.2
0.4
0.6
0.8
1
Tru
e p
osi
tive r
ate
False positive rate
2!grams4!gramsTokens
Figure 5.Global and local ROC curves.
(a) Global anomaly detection method (b) Local anomaly detection method
ROC—Receiver operating characteristicFigure 5: Global and local detection performance.
strument for learning with SIP traffic, even beyondanomaly detection and signature generation [12]. Forinstance, embedded messages can also be processedusing classification methods (e.g., for identificationand categorization of unsolicited content such asspam over Internet telephony (SPIT)) and clusteringalgorithms (e.g., for identification of common groupsof regular messages). Moreover, analysis of embed-ded messages may also help in identifying trends anddeviations in SIP traffic as induced by temporal or lo-cal events, e.g., through learning methods for identi-fication of principle and independent components indata [21].
5 Advanced Architecture
We are now ready to present the advanced archi-tecture of the SIP reactive security subsystem, il-lustrated in Figure 6. Two new and major compo-nents are introduced into the architecture: SIP sig-nature analysis and SIP anomaly detection. Here,the SIP pre-processing module initially shown in Fig-ure 3 is separated into two sub-modules. The SIPABNF checker sub-module remains in its original po-sition, whereas the SIP normalization sub-functionprocesses the SIP messages after the SIP signatureanalysis and the anomaly detection have been per-formed. The SIP ABNF checker can be designed withvery high throughput and is therefore inserted di-rectly into the SIP message path. A SIP ABNF checkerimplementation by Bell Labs’ Alan Jeffrey proofed this
high efficiency (high throughput by low processing ef-fort used). The theoretical background of the appliedalgorithm is explained in [2].
The SIP signature analysis module uses signaturesto identify known anomalies within SIP messagestreams. This module also can be inserted into thedata stream as it does not hinder the throughput. Thekey difference from previous approaches to SIP secu-rity is that the set of signatures can be updated withnew signatures which are derived from the loop con-sisting of SIP anomaly detection and the protectionoverlay.
The SIP anomaly detection as explained in the pre-vious section is not inserted directly into the SIP mes-sage data path due to a relatively high computationaleffort per SIP message, especially for local anomalydetection techniques. The session queue module de-cides for current session and/or client states whichSIP message has to be analyzed by the anomaly detec-tion module. Based on the results from this module,the session queue module can forward the messageeither to one of the SIP stacks, or to a secure SIP stackrunning in a sandbox, so that a malicious messagedoes not disturb the operating throughput of the bor-der node. If the SIP anomaly detection module iden-tifies any message anomaly, it reports this anomalytowards the protection overlay where further offlineprocessing can be performed.
The current SIP anomaly detection module pro-cesses single SIP messages and makes a decision oneach individual SIP message without being aware of
10 Wahl et al.
SIPstack
processFirewalllayer 3/4
SIPsignatureanalysis
SIPmessage
andsessionqueuing
SIPanomalydetection
SIP
normalizationpre-processing
Priority
-schedule
r
SIPstack
process
SecuredSIP
stackprocess
-Sandbox
SIPABNF
checkerpre-processing
Drop Drop
SIP message
SIP message records/session state memory/queuing state memory
Result
Newsignature
SIP anomalyreport
Normalized SIP message
HighLow
IP/transport(flooding, DoS)
HighLow
SIP(SIP syntax)
HighLow
SIP(SIP anomalies)
LowHigh
SIP(SIP zero dayattacks; on
request)
HighMedium
SIP
HighLow
Messageand sessionrate control
Medium, variablehigh
SIP applicationlayer
Throughput
Processing effort
Layer task
Legend
Protection overlay (across border nodes)
Drop
Start
Drop
Figure 6: Advanced SIP security architecture. Abbreviations: ABNF–Augmented Backus-Naur form, DoS–Denialof service, IP–Internet Protocol, SIP–Session Initiation Protcol.
any sessions, clients, or history in general. But it mayhappen that application layer attacks may not be visi-ble by investigating single SIP messages or a sequenceof SIP messages without being aware of any states orhistory. The applied machine learning algorithm usedby the SIP anomaly detection module allows the mod-ule to be “trained” by using enhanced SIP messageswhere additional proprietary header fields for sessioncontext are appended, as shown in Figure 7. Thesefields may contain supplementary session state in-formation or more generic and higher layer informa-tion on client, node, or domain states. The anomalydetection inserts the additional header fields gener-ated using a context database referenced by a client orsession identifier (ID) from the original SIP message.The resulting extended SIP message is not standards-compliant, but the anomaly detection module wastrained with these extended messages. The succes-sive module receives the decision of the anomaly de-tection module and adds these results to the contextdatabase, which may in turn effect the decisions ofthe messages to come.
6 Domain-Wide Protection Solution
One of the important features of the advanced secu-rity architecture of a border node is the interface to
the protection overlay. The protection overlay pro-vides additional non-real time functionality for hard-ening the security of border nodes. This functionalityalso contributes to acceleration of processing on a SIPpath because any occurrence of a zero-day attack(s)at any border node can immediately be taken into ac-count without a need to resort to a relatively complexanomaly detection unit. The main functionality of theprotection overlay is to derive an appropriate signa-ture from the anomaly reports (as explained earlier)and to distribute it as soon as possible to all bordernodes connected to the protection overlay. Hereby,the protection overlay may span all border nodes be-longing to the same domain, but in principle couldeven be expanded across border nodes of the samemanufacturer deployed in different domains.
In order to ensure a high quality of generated signa-tures, various verification functions are carried out bythe protection overlay, such as testing for false pos-itives on clean data and incorporation of advanceddiagnostic information from hardened SIP stacks. Ageneral architecture of the domain-wide protectionfunctionality is shown in Figure 8.
Securing IMS against Novel Threats 11
FWL3/L4
Anomalydetectionmodule
ABNFcheck
Insertionof
additionalsessioncontext
Executionof
anomalydetectiondecision
Sessionaddressing
Client/session context database
Gettingsessioncontext
Decisionfeedback
Signaturecheck
SIPstack
OriginalSIP
message
OriginalSIP
message
ExtendedSIP
message:adding session
context
Session context
Trained fordetectinganomalies
in extended SIP messages
SIPanomaly
detection
Figure 7: Extended anomaly detection by taking session context into account. Abbreviations: ABNF–AugmentedBackus-Naur form, FW–Firewall, L3/L4–Layer 3/Layer 4, SIP–Session Initiation Protocol.
Border node
SIP/IMS basedcore network
AN
S-CSCF
AS
HSS
MRFC
I-CSCF
MRFP
MGCF
BGCF
Border node
Border node Border
node
Border node
Border node
Protection overlay (across border nodes)Zero-dayanomalydetected
Newsignature
SIPanomaly
report
1 2
3
4 4 4
4
Figure 8: Protection Domain. Abbreviations: AN–Access network, AS–Application server, BGCF–Border gatewaycontrol function, HSS–Home subscriber server, I-CSCF–Interrogative CSCF, IMS–IP Mulimedia Subsystem, MGCF–Media gateway control function, MRFC–Media resource function controller, Media resource function processor,S-CSCF–Serving CSCF, SIP–Session Initiation Protocol.
12 Wahl et al.
7 Conclusion
The capability to detect previously unknown attacksis essential for the security of IMS infrastructures,especially in view of the long deployment horizonof such systems. The proposed architecture for en-hanced protection of IMS edge nodes against novelattacks introduces an anomaly detection componentthat can effectively identify malicious anomalies inSIP traffic. The advanced architecture further extendsthis component with automatic signature generationthat can be used for site-wide or domain-wide deploy-ment. Experimental evaluation of the proposed archi-tecture on real SIP traffic has verified excellent (up to99 percent) detection accuracy for the system.
The principles underlying the proposed anomalydetection system—embedding of SIP messages ina high-dimensional features space and similarity-based operations—can be used for a number of otherpotential applications in the context of the IMS sys-tem. With the help of advanced machine-learningtechniques, the proposed technology can be used foridentifying clusters of related signaling patterns, find-ing unsolicited messages (SPIT), or performing ad-vanced load balancing in the SIP stack. Future workwill address the fine-grain incorporation of semanticinformation from all stages of SIP processing into thelearning algorithms for further performance and ac-curacy improvements.
8 References
[1] H. Abdelnur, R. State, I. Chrisment, and C. Popi, “As-sessing the Security of VoIP Services”, Proc. 10th IFIP/IEEEInternat. Symposium on Integrated Network Management(IM ’07) (Munich, Ger., 2007), pp. 373–382.
[2] M. Benedikt, A. Jeffrey, and R. Ley-Wild, “Stream Fire-walling of XML Constraints”, Proc. ACM SIGMOD Internat.Conf. on Management of Data (SIGMOD ’08) (Vancouver,BC, Can., 2008), pp. 487–498.
[3]M. Cortes, J. R. Ensor, and J. O. Esteban, “On SIP Perfor-mance”, Bell Labs Tech. J., 9:3 (2004), 155–172.
[4]T. Dagiuklas, D. Geneiatakis, G. Kambourakis, D. Sisalem,S. Ehlert, J. Fiedler, J. Markl, M. Rokos, O. Botron, J. Ro-driguez, and J. Liu, General Reliability and Security Frame-work for VoIP Infrastructures, SNOCER Tech. Report D2.2,2005, <http://www.snocer.org/>.
[5] R. O. Duda, P. E. Hart, and D. G. Stork, Pattern Classifica-tion, 2nd ed., John Wiley & Sons, New York, 2001.
[6] T. Joachims, Learning to Classify Text Using Support Vec-tor Machines, Kluwer Academic Pub., Boston, MA, 2002.
[7] H. Kaplan and D. Wing, “The SIP IdentityBaiting Attack”, IETF Internet Draft, Feb. 2008,<http://tools.ietf.org/id/draft-kaplan-sip-baiting-attack-02.txt>.
[8] C. Krügel, T. Toth, and E. Kirda, “Service SpecificAnomaly Detection for Network Intrusion Detection”, Proc.ACM Symposium on Applied Comput. (SAC ’02) (Madrid,Sp., 2002), pp. 201–208.
[9] P. Laskov, C. Gehl, S. Krüger, and K.-R. Müller, “Incre-mental Support Vector Learning: Analysis, Implementationand Applications”, J. Mach. Learn. Res., 7 (Sept. 2006),1909–1936.
[10] W. Lee, S. J. Stolfo, and K. W. Mok, “A Data Min-ing Framework for Building Intrusion Detection Models”,Proc. IEEE Symposium on Security and Privacy (S&P âAZ99)(Oakland, CA, 1999), pp. 120–132.
[11] M. V. Mahoney, “Network Traffic Anomaly DetectionBased on Packet Bytes”, Proc. ACM Symposium on AppliedComput. (SAC ’03) (Melbourne, FL, 2003), pp. 346–350.
[12] K.-R. Müller, S. Mika, G. Rätsch, K. Tsuda, and B.Schölkopf, “An Introduction to Kernel-Based Learning Algo-rithms”, IEEE Trans. Neural Networks, 12:2 (2001), 181–201.
[13]M. Nassar, R. State, and O. Festor, “Intrusion DetectionMechanisms for VoIP Applications”, Proc. 3rd Annual VoIPSecurity Workshop (VSW ’06) (Berlin, Ger., 2006).
[14] K. Oberle, S. Wahl, T. Strauss, S. Braun, and C. Pena,Flexible Multi-Service Edge Router, MUSE Report D B1.10v01, Dec. 21, 2006,
[15]M. Poikselkä, G. Mayer, H. Khartabil, and A. Niemi, TheIMS: IP Multimedia Concepts and Services, John Wiley &Sons, Chichester, Eng., Hoboken, NJ, 2006.
[16] K. Rieck and P. Laskov, “Detecting Unknown NetworkAttacks Using Language Models”, Proc. 3rd Conf. on Detec-tion of Intrusions and Malware & Vulnerability Assessment(DIMVA ’06) (Berlin, Ger., 2006), pp. 74–90.
[17] K. Rieck and P. Laskov, “Language Models for Detectionof Unknown Attacks in Network Traffic”, J. Comput. Virol-ogy, 2:4 (2007), 243–256.
[18] K. Rieck and P. Laskov, “Linear-Time Computation ofSimilarity Measures for Sequential Data”, J. Mach. Learn.Res., 9 (Jan. 2008), 23–48.
[19] J. Rosenberg and C. Jennings, “The Session Initia-tion Protocol (SIP) and Spam”, IETF RFC 5039, Jan. 2008,<http://www.ietf.org/rfc/rfc5039.txt>.
[20] G. Salton, A. Wong, and C. S. Yang: “A Vector SpaceModel for Automatic Indexing”, Commun. ACM, 18:11(1975), 613–620.
Securing IMS against Novel Threats 13
[21] B. Schölkopf, A. Smola, and K.-R. Müller, “NonlinearComponent Analysis as a Kernel Eigenvalue Problem”, Neu-ral Computation, 10:5 (1998), 1299–1319.
[22] M. Sher, Secure Service Provisioning (SSP) Frameworkfor IP Multimedia Subsystem (IMS), Ph.D. Dissertation,Technical University Berlin, Dec. 2007.
[23] M. Siebert, B. Xu, M. Grigat, E. Weiss, N. Bayer, D.Sivchenko, T. R. Banniza, K. Wünstel, S. Wahl, R. Sigle, R.Keller, A. Dekorsy, M. Bauer, M. Söllner, J. Eichinger, C. Fan,F. Pittmann, R. Kühne, M. Schläger, I. Baumgart, R. Bless,and S. Stefanov, “ScaleNet – Converged Networks of the Fu-ture”, IT – Inform. Technol., 48:5 (2006), 253–263.
[24] D. Sisalem, S. Ehlert, D. Geneiatakis, G. Kambourakis,T. Dagiuklas, J. Markl, M. Rolos, O. Botron, J. Rodriguez,and J. Liu, Towards a Secure and Reliable VoIP In-frastructure, SNOCER Tech. Report D2.1, May 2005,<http://www.snocer.org/>.
[25] D. M. J. Tax and R. P. W. Duin, “Support Vector DomainDescription”, Pattern Recognition Lett., 20:11-13 (1999),1191–1199.
[26] K. Wang, J. Parekh, and S. Stolfo, “Anagram: A ContentAnomaly Detector Resistant to Mimicry Attack”, Proc. 9thInternat. Symposium on Recent Advances in Intrusion De-tection (RAID ’06) (Hamburg, Ger., 2006), pp. 226–248.
[27] S. Wanke, M. Scharf, S. Kiesel, and S. Wahl, "Mea-surement of the SIP Parsing Performance in the SIP Ex-press Router," Proc. 13th Open Eur. Summer School andIFIP TC6.6 Workshop (EUNICE ’07) (Enschede, Neth., 2007),published in Dependable and Adaptable Networks and Ser-vices, Lecture Notes in Comput. Sci. (LNCS 4606) (A. Prasand M. van Sinderen, eds.), Springer, Berlin, Heidelberg,New York, 2007, pp. 103–110.