Detecting Anomaly Traffic using Flow Data in the real VoIP network

Abstract

As wireless LANs as well as the high-speed broadband Internet service are widely deployed, the VoIP service has become popular. Generally, a lot of commercial VoIP services use SIP and RTP for signaling and voice transport protocols. Most commercial VoIP service providers employ only simple security functions such as basic authentication without packet encryption because of fast implementation and deployment. Therefore, the VoIP service is highly vulnerable to several threats and attacks, because secure protocols for carrying VoIP packets are not fully utilized. For instance, unencrypted SIP packets including authentication messages could be easily forged to be exploited for generating anomaly traffic by malicious users. In this paper, we propose a flow-based VoIP anomaly traffic detection method that could find three representative VoIP anomaly attacks of SIP CANCEL, BYE DoS and RTP flooding that could be easily exploited in the real VoIP network. Our scheme uses the IETF IPFIX standard for monitoring VoIP calls in flow units. From the experiments with the commercial SIP phones in the real VoIP network, we show that SIP CANCEL, BYE DoS and RTP flooding attacks are easily generated and that they could be detected effectively by our proposed method.