Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Unwanted Traffic and Information Disclosure in VoIP Networks: Threats and Countermeasures
Karlstad University, Faculty of Economic Sciences, Communication and IT, Department of Computer Science.
2012 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The success of the Internet has brought significant changes to the telecommunication industry. One of the remarkable outcomes of this evolution is Voice over IP (VoIP), which enables realtime voice communications over packet switched networks for a lower cost than traditional public switched telephone networks (PSTN). Nevertheless, security and privacy vulnerabilities pose a significant challenge to hindering VoIP from being widely deployed. The main object of this thesis is to define and elaborate unexplored security and privacy risks on standardized VoIP protocols and their implementations as well as to develop suitable countermeasures. Three research questions are addressed to achieve this objective:

Question 1:  What are potential unexplored threats in a SIP VoIP network with regard to availability, confidentiality and privacy by means of unwanted traffic and information disclosure?

Question 2:  How far are existing security and privacy mechanisms sufficient to counteract these threats and what are their shortcomings?

Question 3:  How can new countermeasures be designed for minimizing or preventing the consequences caused by these threats efficiently in practice?

Part I of the thesis concentrates on the threats caused by "unwanted traffic", which includes Denial of Service (DoS) attacks and voice spam. They generate unwanted traffic to consume the resources and annoy users. Part II of this thesis explores unauthorized information disclosure in VoIP traffic. Confidential user data such as calling records, identity information, PIN code and data revealing a user's social networks might be disclosed or partially disclosed from VoIP traffic. We studied both threats and countermeasures by conducting experiments or using theoretical assessment. Part II also presents a survey research related to threats and countermeasures for anonymous VoIP communication.

Place, publisher, year, edition, pages
Karlstad: Karlstads universitet, 2012. , 32 p.
Series
Karlstad University Studies, ISSN 1403-8099 ; 2012:28
Keyword [en]
SIP, VoIP, security, Denial of Service, Vulnerability analysis, timing attacks, Spam, DTMF, SIP, RTP
National Category
Computer Systems
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-13408ISBN: 978-91-7063-432-1 (print)OAI: oai:DiVA.org:kau-13408DiVA: diva2:529268
Public defence
2012-09-14, 1 B 306, Universitetsgatan 2, Karlstad, 10:15 (English)
Opponent
Supervisors
Available from: 2012-08-28 Created: 2012-05-29 Last updated: 2012-08-28Bibliographically approved
List of papers
1. Analyzing Key-Click Patterns of PIN Input for Recognizing VoIP Users
Open this publication in new window or tab >>Analyzing Key-Click Patterns of PIN Input for Recognizing VoIP Users
2011 (English)In: Future Challenges in Security and Privacy for Academia and Industry / [ed] Camenisch, J.; Fischer-Hübner, S.; Murayama, Y.; Portmann, A.; Rieder, C., Springer-Verlag New York, 2011, 247-258 p.Conference paper, Published paper (Refereed)
Abstract [en]

Malicious intermediaries are able to detect the availability of VoIP conversation flows in a network and observe the IP addresses used by the conversation partners. However, it is insufficient to infer the calling records of a particular user in this way since the linkability between a user and a IP address is uncertain: users may regularly change or share IP addresses. Unfortunately, VoIP flows may contain human-specific features. For example, users sometimes are required to provide Personal identification numbers (PINs) to a voice server for authentication and thus the key-click patterns of entering a PIN can be extracted from VoIP flows for user recognition. We invited 31 subjects to enter 4-digital PINs on a virtual keypad of a popular VoIP user-agent with mouse clicking. Employing machine learning algorithms, we achieved average equal error rates of 10-29% for user verification and a hitting rate up to 65% with a false positive rate around 1% for user classification.

Place, publisher, year, edition, pages
Springer-Verlag New York, 2011
Series
IFIP Advances in Information and Communication Technology, 354
National Category
Computer Systems
Identifiers
urn:nbn:se:kau:diva-11962 (URN)10.1007/978-3-642-21424-0_20 (DOI)000302988300020 ()978-3-642-21423-3 (ISBN)978-3-642-21424-0 (ISBN)
Conference
26th IFIP TC 11 International Information Security Conference, SEC 2011, Lucerne, Switzerland, June 7-9, 2011
Available from: 2012-03-02 Created: 2012-03-02 Last updated: 2013-10-10Bibliographically approved
2. Detecting Near-Duplicate SPITs in Voice Mailboxes Using Hashes
Open this publication in new window or tab >>Detecting Near-Duplicate SPITs in Voice Mailboxes Using Hashes
2011 (English)In: Proceedings of the 14th international conference on Information security ISC'11, Berlin: Springer Berlin/Heidelberg, 2011, 152-167 p.Conference paper, Published paper (Refereed)
Abstract [en]

Spam over Internet Telephony (SPIT) is a threat to the use of Voice of IP (VoIP) systems. One kind of SPIT can make unsolicited bulk calls to victims' voice mailboxes and then send them a prepared audio message. We detect this threat within a collaborative detection framework by comparing unknown VoIP flows with known SPIT samples since the same audio message generates VoIP flows with the same flow patterns (e.g., the sequence of packet sizes). In practice, however, these patterns are not exactly identical: (1) a VoIP flow may be unexpectedly altered by network impairments (e.g., delay jitter and packet loss); and (2) a sophisticated SPITer may dynamically generate each flow. For example, the SPITer employs a Text-To-Speech (TTS) synthesis engine to generate a speech audio instead of using a pre-recorded one. Thus, we measure the similarity among flows using local-sensitive hash algorithms. A close distance between the hash digest of flow x and a known SPIT suggests that flow x probably belongs the same bulk of the known SPIT. Finally, we also experimentally study the detection performance of the hash algorithms

Place, publisher, year, edition, pages
Berlin: Springer Berlin/Heidelberg, 2011
Series
Lecture Notes in Computer Science, ISSN 1611-3349 ; 7001
National Category
Computer Systems
Identifiers
urn:nbn:se:kau:diva-11964 (URN)10.1007/978-3-642-24861-0_11 (DOI)000306719400011 ()978-3-642-24860-3 (ISBN)
Conference
14th international conference on Information security (ISC'11), 26-29 October, Xi’an, China
Available from: 2012-03-02 Created: 2012-03-02 Last updated: 2012-08-28Bibliographically approved
3. Peer-to-Peer VoIP Communications Using Anonymisation Overlay Networks
Open this publication in new window or tab >>Peer-to-Peer VoIP Communications Using Anonymisation Overlay Networks
2010 (English)In: Communications and Multimedia Security: Proceedings of the 11th IFIP TC 6/TC 11, CMS2010, international conference on Communications and Multimedia Security / [ed] De Decker, Bart; Schaumüller-Bichl, Ingrid, Berlin: Springer , 2010, 130-141 p.Conference paper, Published paper (Refereed)
Abstract [en]

Nowadays, Voice over Internet Protocol (VoIP) which enables voice conversation remotely over packet switched networks gains much attentions for its low costs and flexible services. However, VoIP calling anonymity, particularly to withhold who called whom, is difficult to achieve since VoIP infrastructures are usually deployed in an open networking environment (e.g., the Internet). Our work studies an anonymisation overlay network (AON) based solution to prevent surveillance from external attackers, who are able to wiretap the communication channels as well as to manipulate voice packets in the channels. However, it has been demonstrated that the VoIP combined with traditional AONs are vulnerable to two attacks, namely watermark attack and complementary matching attack. Taking these two attacks into account, we investigate the defensive dropping method in VoIP: A VoIP user-agent sends packets to an AON in a constant rate, but packets during periods of silence are marked. Then, the AON drops some silence packets and forwards the remaining ones to their destinations. The result of our experiments shows that the dropping rate must be carefully selected to counteract both of the two attacks. Finally, we discuss further threats in terms of this solution

Place, publisher, year, edition, pages
Berlin: Springer, 2010
Series
Lecture Notes on Computer Science, 6109
National Category
Computer Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-9971 (URN)10.1007/978-3-642-13241-4_13 (DOI)9783642132407 (ISBN)
Conference
11th Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security (CMS2010), Linz, Austria
Available from: 2012-02-08 Created: 2012-02-08 Last updated: 2012-08-28Bibliographically approved
4. Timing Attacks on PIN Input in VoIP Networks: Short paper
Open this publication in new window or tab >>Timing Attacks on PIN Input in VoIP Networks: Short paper
2011 (English)In: Detection of Intrusions and Malware, and Vulnerability Assessment: 8th International Conference, DIMVA 2011 / [ed] Holz, Thorsten; Bos, Herbert, Berlin: Springer Berlin/Heidelberg, 2011, 75-84 p.Conference paper, Published paper (Refereed)
Abstract [en]

To access automated voice services, Voice over IP (VoIP) users sometimes are required to provide their Personal Identification Numbers (PIN) for authentication. Therefore when they enter PINs, their user-agents generate packets for each key pressed and send them immediately over the networks. This paper shows that a malicious intermediary can recover the inter-keystroke time delay for each PIN input even if the standard encryption mechanism has been applied. The inter-keystroke delay can leak information of what has been typed: Our experiments show that the average search space of a brute force attack on PIN can be reduced by around 80%.

Place, publisher, year, edition, pages
Berlin: Springer Berlin/Heidelberg, 2011
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 6739
Keyword
authorisation - cryptography - delays - Internet telephony
National Category
Computer Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-11963 (URN)10.1007/978-3-642-22424-9_5 (DOI)000303367200005 ()978-3-642-22423-2 (ISBN)
Conference
DIMVA 2011, The 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
Note

Ingår i projekt1?

Ingår i projekt

Om publikationen ingår i ett projekt, ange projektets namn. För att ange flera projekt, klicka på Ytterligare projekt.

x

Available from: 2012-03-02 Created: 2012-03-02 Last updated: 2016-02-22Bibliographically approved
5. Timing Attacks on a Centralized Presence Model
Open this publication in new window or tab >>Timing Attacks on a Centralized Presence Model
2011 (English)In: IEEE International Conference on Communications 2011, IEEE Press, 2011, 1-5 p.Conference paper, Published paper (Refereed)
Abstract [en]

Presence information (PI) represents the updated status, context and willingness of communication partners in Voice over IP systems. For instance, the action that Alice switches her status (e.g., from "idle" to "busy") will trigger PI messages to notify her buddies this change. In a centralized presence service system, presence communications are managed by a presence server based on users' buddylists. The privacy concern in this paper is that networking intermediaries, as adversaries, might be able to profile the buddy-relationship among the users by utilizing message arrival time. We found that the threat cannot be totally eliminated even if the server processes messages in batches. Attackers might observe the traffic in several rounds and thus profile the results. In this paper, we introduce the attacks and discuss potential countermeasures.

Place, publisher, year, edition, pages
IEEE Press, 2011
Keyword
Electronic mail, IEEE Communications Society, Privacy, Protocols, Security, Servers, Timing
National Category
Computer Systems
Identifiers
urn:nbn:se:kau:diva-11961 (URN)10.1109/icc.2011.5962453 (DOI)000296057100044 ()978-1-61284-231-8 (ISBN)
Conference
ICC 2011
Available from: 2012-03-02 Created: 2012-03-02 Last updated: 2016-10-15Bibliographically approved
6. Hidden VoIP Calling Records from Networking Intermediaries
Open this publication in new window or tab >>Hidden VoIP Calling Records from Networking Intermediaries
2010 (English)Conference paper, Published paper (Refereed)
Abstract

While confidentiality of telephone conversation contents has recently received considerable attention in Internet telephony (VoIP), the protection of the caller--callee relation is largely unexplored. From the privacy research community we learn that this relation can be protected by Chaum's mixes. In early proposals of mix networks, however, it was reasonable to assume that high latency is acceptable. While the general idea has been deployed for low latency networks as well, important security measures had to be dropped for achieving performance. The result is protection against a considerably weaker adversary model in exchange for usability. In this paper, we show that it is unjustified to conclude that low latency network applications imply weak protection. On the contrary, we argue that current Internet telephony protocols provide a range of promising preconditions for adopting anonymity services with security properties similar to those of high latency anonymity networks. We expect that implementing anonymity services becomes a major challenge as customer privacy becomes one of the most important secondary goals in any (commercial) Internet application.

Place, publisher, year, edition, pages
Munich, Germany: ACM, 2010
Keyword
anonymity, voip, mix networks
National Category
Computer Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-11443 (URN)
Conference
Principles, System and Applications of IP Telecommunications (IPTCOMM2010)
Available from: 2012-02-08 Created: 2012-02-08 Last updated: 2014-11-25Bibliographically approved
7. SIP Proxies: New Reflectors? Attacks and Defenses
Open this publication in new window or tab >>SIP Proxies: New Reflectors? Attacks and Defenses
2010 (English)Conference paper, Published paper (Refereed)
Abstract

To mitigate identity theft in SIP networks, an inter-domain authentication mechanism based on certificates is proposed in RFC 4474 [10]. Unfortunately, the design of the certificate distribution in this mechanism yields some vulnerabilities. In this paper, we investigate an attack which exploits SIP infrastructures as reflectors to bring down a web server. Our experiments demonstrate that the attacks can be easily mounted. Finally, we discuss some potential methods to prevent this vulnerability

Place, publisher, year, edition, pages
Linz, Austria: Springer, 2010
National Category
Computer Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-9972 (URN)9783642132407 (ISBN)
Conference
11th Joint IFIP TC6 and TC11 Conference on Communications and Multimedia Security (CMS'2010)
Available from: 2012-02-08 Created: 2012-02-08 Last updated: 2013-06-12Bibliographically approved
8. Blocking attacks on SIP VoIP proxies caused by external processing
Open this publication in new window or tab >>Blocking attacks on SIP VoIP proxies caused by external processing
2010 (English)In: Telecommunications Systems, ISSN 1018-4864, E-ISSN 1572-9451, Vol. 45, no 1, 61-76 p.Article in journal (Refereed) Published
National Category
Computer Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-4076 (URN)10.1007/s11235-009-9234-1 (DOI)
Available from: 2009-05-20 Created: 2009-05-20 Last updated: 2017-12-13Bibliographically approved
9. Revealing the calling history on SIP VoIP systems by timing attacks
Open this publication in new window or tab >>Revealing the calling history on SIP VoIP systems by timing attacks
2009 (English)In: Proceedings of the 4th International Conference on Availability, Reliability and Security (ARES 2009), IEEE Press, IEEE Computer Society, 2009, 135-142 p.Conference paper, Published paper (Refereed)
Abstract [en]

Many emergent security threats which did not exist in the traditional telephony network are introduced in SIP VoIP services. To provide high-level security assurance to SIP VoIP services, an inter-domain authentication mechanism is defined in RFC 4474. However, this mechanism introduces another vulnerability: a timing attack which can be used for effectively revealing the calling history of a group of VoIP users. The idea here is to exploit the certificate cache mechanisms supported by SIP VoIP infrastructures, in which the certificate from a caller's domain will be cached by the callee's proxy to accelerate subsequent requests. Therefore, SIP processing time varies depending whether the two domains had been into contact beforehand or not. The attacker can thus profile the calling history of a SIP domain by sending probing requests and observing the time required for processing. The result of our experiments demonstrates that this attack can be easily launched. We also discuss countermeasures to prevent such attacks

Place, publisher, year, edition, pages
IEEE Computer Society, 2009
Keyword
VoIP services, security
National Category
Information Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-4079 (URN)10.1109/ARES.2009.129 (DOI)978-1-4244-3572-2 (ISBN)
Conference
International Conference on Availability, Reliability and Security (ARES)
Available from: 2009-05-22 Created: 2009-05-22 Last updated: 2017-12-06Bibliographically approved

Open Access in DiVA

fulltext(368 kB)3247 downloads
File information
File name FULLTEXT01.pdfFile size 368 kBChecksum SHA-512
f4c543c3ee20a53a48c6fd6751bf46b5c0779e96e3f82e5758c280052e045e10cf388221d16f07f2f39a8ea59c3a2b0f5ad8b3416f443a1becb585d1cdae84e5
Type fulltextMimetype application/pdf

Search in DiVA

By author/editor
Zhang, Ge
By organisation
Department of Computer Science
Computer Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 3247 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 441 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf