MAIDS for VoIP: A Mobile Agents-based Intrusion Detection System for Voice over Internet Protocol

Compared to traditional (PSTN) voice networks, a Voice over Internet Protocol network is a convergence of a signaling network and a data network using Internet Protocol (IP). The use of shared media by VoIP systems opens the door to some uncertainty as to the source of a call. While in the traditional voice networks one has to tap into a specific circuit to eavesdrop, in an IP network any equipment connected to the target LAN can identify, store and playback the VoIP packets that traverse that LAN. Unlike traditional voice networks which have only “dumb” end nodes (i.e. simple telephone receivers), VoIP must, by its very nature, deploy intelligent end point devices such as computers and/or IP phones, which are connected to open public networks. An unprotected, unauthenticated IP network makes VoIP susceptible to hostile use, such as call hijacking, connection tear down, denial of service, or sending computer viruses over the network. In this thesis, we perform a series of attacks against a commercial VoIP application, and prove that they succeed with nothing more than a couple of identity tokens captured from the network traffic as prerequisites. We then leverage the mobile agent-based framework introduced by APHIDS to design an Intrusion Detection System implementing a gradual attack-response procedure, destined to inform and protect the End-Users of the Application Under Test when specific, internet telephony attacks do occur, and ultimately to block the capability of the attack perpetrator to induce further damage.