

Performance analysis of VoIP spoofing attacks using classification algorithms

G. Vennila, N. Supriya Shalini, MSK. Manikandan
Department of Electronics and Communication Engineering, Thiagarajar College of Engg., Madurai, India
vennilatg@tce.edu, nsupriyashalini@gmail.com, manimsk@tce.edu

Abstract - Voice over Internet Protocol (VoIP) is an emerging trend of applications on the internet today. As with any recent technology, VoIP also introduces both fortuity and problems. Existing VoIP honeypot experimental set ups based on SIP (Session Initiation Protocol) deal with the basic attacks like DoS (Denial of Service), enumeration detection, signature collection and SPIT (Spam over Internet Telephony). These VoIP service abuse attacks cause discrepancy between the services offered to the VoIP users and service providers. We executed successive attempts with different sets of attributes and sample subsets to collect exact traffic records used for detecting and categorizing the attack packets using honeypot. Finally, a comparison of both the algorithms with their true and false positive rates is evaluated. For result analysis, we propose a test-bed using Zoiper (SIP clients), Asterisk server, Artemisa honeypot and Wireshark as network analyzer. The test-bed demonstrates how the honeypot effectively works in improving the robustness of the VoIP security system from billing attacks and toll frauds.

Keywords - VoIP Honeypot, VoIP Service abuse attack, Registration hijacking, Invite replay attack, Bye Delay Attack, Fake Busy attack

The tremendous growth of VoIP is driven by its several fundamental benefits over traditional Public Switched Telephone Network (PSTN). Even if VoIP offers lesser expenditure and superior flexibility, it also introduces major risks and vulnerabilities [1]. There remains a great deal of research, which still needs to be carried out into the particular problems which need to be solved for VoIP networks to be a technical and commercial success. The non-deterministic nature of the Internet, and the impact, which this specifically has on voice traffic, is one major area of concern. Inherent problems with security due to the open standard of public IP networks are also of equal importance. Current VoIP applications tackle this problem by introducing new algorithm and tool.

This paper focuses on the challenges and impact of employing security services into VoIP networks by using honeypot. The honeypot detects the incoming packets and categorizes them after the feature extraction phase. In this paper we compare two decision algorithms, Naive Bayes’ and C4.5 Decision tree classifier, and evaluate the performance with their true/false positive rates. In the remainder of this paper, section II gives a related work. Section III gives brief overview of VoIP architecture. Section IV summarizes the VoIP threat model. Section V deals with the experimental setup and section VI with performance analysis of the classifier algorithms. Section VII concludes the paper.

II. RELATED WORK

A number of credulous susceptibilities in SIP can influence invoice records in various ways, illustrating their relevancy against genuine mercantile VoIP providers. The main focus is primarily on attacks that create invoice inconsistencies. Four kinds of billing attacks are focused by Ruishan Zhang that may perhaps result in charges for the calls that the users have not made. They may also result in overcharges for the calls that the user has made. The paper concludes with a set of subscribers that are susceptible to these kinds of billing attacks [1]. S. Niccolini proposed a prototype using Snort - an Intrusion Detection and Prevention System (IDPS). The proposed architecture extends the functionality of Snort by introducing pre-processing features to analyze protocols over TCP/UDP. This proposed prototype increases QoS by forwarding the voice traffic without delay of service [2]. The use of SIP specific honeypots to catch attacks targeting the internet telephony system, protocols and applications is presented in [3].

The design and implementation of such honeypot system explore the use of a statistical engine for identifying attacks and other misbehavior based on training on legitimate traces of SIP traffic. The working model depends on Bayesian inference and motivates the need for a VoIP honeypot by introducing functional scenarios to bring realistic benefits. A honeyphone which controls a rich set of network tools with an application programming interface is used. The AVISPA Tool is a push-button tool used to identify a protocol level vulnerability in the way SIP handles authentication [4] [5]. AVISPA is a model checker for validating security protocol and applications using high level protocol specification and language that gets compiled into an intermediate format that can be consumed by a number of lower level checkers. Attacks are possible with the SIP digest authentication, whereby an adversary can reuse another party credential to obtain unauthorized access to SIP or PSTN services. This attack is possible since authentication may be demanded in response to an INVITE message at any time during a call, and
the responder may issue an INVITE message during a call either automatically or all the way through a user action. While the solution is simple, it requires changes possibly to all end device SIP implementation.

Decision under uncertainty is made using probability theory. It is a great issue to classify raw data logically to reduce the expected hazard with the help of Bayes’ rule. It is based on the past and future data. In K-nearest neighbor the result of new instance query is handled. Review of Naive Bayes’ and K-nearest neighbor classifier is done and its performance is observed [6]. Intrusion detection speed and computational cost is another major vital role, because datasets are huge and impact of the attacker varies day to day. Bayes’ and KNN classifier is a simple and fast feature selection method. It eradicates features with no helpful information on them which results in faster learning process of redundant feature omission [7]. Information regarding possible confidentiality violating rules can consequently be used to alter the IDS rule sets to reduce the estimated amount of data confidentiality destructions at some point in normal operation is discussed in [8]. Data mining algorithms are being applied in building IDS to protect computing resources against unauthorized access. Most of the solution is used to detect and further classify into four categories such as Denial of Service (DoS), U2R (User to Root), R2L (Remote to Local), probe and to reduce the false alarm rate of IDS [9]. The experimental results using the KDD99 data set show that while Naive Bayes' is one of the most efficient classifiers, decision trees are more attractive as far as the detection of new attacks [10].

In general, the normal way of detecting the attacks is by using different types of tools that provide alert to the administrators. But most of the attackers normally escape from those tools because they are mostly rule-based [11]. Nowadays the need of enhanced attack detection techniques became a vital role for the VoIP network. SIP based VoIP system has many security problems and effects relate to confidentiality, integrity and availability. The attacks on the SIP system, such as registration hijacking, impersonating a proxy, DoS and spam are conferred in [12]. Authentication mechanisms are established for hop-by-hop and end to end security to protect the attacks from registration hijacking. This attack allows the performing toll fraud and calling hijacking [13]. The proposed system uses the labeled data set from honeypot and not any pre-defined data set as in existing IDS. Thus the honeypot data are more valuable than that of the signature based collection algorithms.

The VoIP architecture is composed of Zoiper clients, SIP proxy server (Asterisk), gateways, and VoIP honeypots as shown in Fig.1. VoIP has been employed with a variety of protocols such as SIP, Real time Transport Protocol (RTP), and Session Description Protocol (SDP) etc. VoIP systems make use of session control and signaling protocols to have power over the signaling, set-up and tear-down of calls. The fundamental operation of VoIP is to transmit the voice signal into digital form in packets rather than that of signals in PSTN. To transfer audio, video streams over IP networks RTP protocol is used.

Fig.1 Proposed VoIP architecture with honeypot

When the voice packets of VoIP calls are distributed and interpreted to the unsecured public network, the VoIP packets are easier to be endangered by the attacker. Therefore, the aim of this paper is to detect and classify the occurrence of service abuse attacks using honeypot. Honeypots are traps set to the attacker. In a honeypot system the first entity to communicate with the attacker is the honeypot rather than the server itself. The honeypot gathers all the useful credentials from the attacker and the attack patterns or methodologies. The proposed architecture consists of ten clients with a server and a honeypot connected to the internet. In this paper the honeypot uses two kinds of algorithms to classify the attack packets and compares the performance of two algorithms based on attributes collected by it.

IV. VOIP THREATS

The most significant defenselessness in the VoIP network is service abuse attack that makes calls with no permission or put off the length of call, resulting in either charge on the calls the VoIP users not made or overprices on the VoIP calls the users have made. The following sub sections summarize how VoIP service abuse threats are generated in the proposed VoIP system architecture.

A SIP registration hijack is implemented by an attacker by hindering a legitimate SIP client registration and replacing it with the attacker IP address instead. This allows the attacker to interrupt incoming calls and reroute, replay or terminate calls as they desire. In the proposed method, the SIP registration method permits a User agent to identify itself to the registrar server at which the user is sited. The registrar assesses the identity in the FROM header field of a REGISTER message to determine whether this request will be capable of modifying the contact addresses associated with the address in the TO
header field. The FROM field of a SIP request is customized by chance by the real User Agent, and this opens the door to malicious registrations. This results in attackers gaining the ability to place calls over the VoIP system or redirecting legitimate calls to a malicious user’s device.

Invite Replay billing attacks endeavor to construct unregistered calls by replaying the interrupted INVITE method. This kind of billing attacks takes benefit of the execution errors of the default functionality (no SIP acknowledgement is sent in return) of SIP authentication. Even if the INVITE methods are shielded by SIP authentication it could be successful.

B. Fake Busy Attack
Fake Busy billing attack purposely seizes VoIP calls of intended VoIP subscribers and controls the call length (duration). The call attempted by the VoIP subscriber may fall short, and yet the VoIP subscriber will be charged for a duration determined by the attacker. According to Fig.2 the MITM sends fake BUSY method to the actual user and takes in charge of the transaction and starts communicating with the server as if it is the actual user.

Fig. 2 Service abuse attack

C. Bye Delay Attack
Bye Delay billing attack hunts for evidently extended duration of established calls linking targeted VoIP subscribers by interrupting the BYE messages. Here, MITM intercepts the BYE message when a caller or callee communicates its SIP server and sends back a 200 OK message. This may give the caller or callee an impression of successfully ended call. But actually the call is in the hands of the man in the middle. Thereby the user will be charged for the call that the attacker has planned for.

D. BYE Drop attack
Bye Drop billing attack lengthens the duration of established calls by introducing anonymous BYE messages in the communication among user agents. Its mechanism is analogous with the previously discussed Bye delay spoofing attack. The attacker drops fake BYE messages in the transaction thereby deceiving the server as if the transaction has ended.

In our experimental test bed Artemisa and Zoiper are used as honeypot and SIP clients who are registered with Asterisk server as shown in Fig.3. To showcase the accurate voice traffic result we have been analyzing them on basis of call volume, call transfer and call hold time. To get in depth about the attack analysis of our experiment, Wireshark is used which pinpoints the packet flow in VoIP networks. It also lays emphasis on the SIP packet flow.

Fig. 3 Experimental Test Bed

As a result we have at last taken into account about 10 nodes and monitor their whole transaction and that of the SIP server using Wireshark.

A. Data Collection
Collecting an accurate dataset for performing decision tree analysis is a tedious task. Data collection and pre-processing often consume majority of the time in our research. For the experiment, the honeypot is monitored for a period of one week which assists in detailed performance analysis to classify the attributes.

B. Feature Extraction
The data captured from honeypot is extracted for labeling as shown in table I. Feature extraction depends on the data source and category of attack to be detected. Artemisa is bait that performs tricks on system or service without being part of the production itself. The fundamental aim of honeypot is to study the behavior of intruders who interact with the SIP servers. The honeypot analyses the data originated in the SIP logs. According to the proposed scripting rules in Artemisa, features
are extracted and labeled. Features are classified into three

• Fundamental features related to connection
    • Type of protocol used, call duration, via, From IP, To IP, etc.,
• Traffic features related to conflicts from normal secure setup
    • No. of calls from same IP, no. of unregistered calls, no. of failed packets,
• Misconception features related to SIP session status codes
    • 4xx Client error, 5xx Server error, 3xx redirection, etc.,

These attributes are used in detecting any discrepancies in the VoIP environment.

TABLE I. COLLECTION OF LABELED ATTRIBUTES

Duration of the call | Time of call answered/ended | Failed_for packets
Request/Response method | Timeout packets | BUSY methods
Source/Destination IP packet count | Status of the call (COMPLETED / ANSWERED / REJECTED / CANCELLED / BUSY) | INVITE methods
Timestamp between the packets | Protocol used | BYE methods
Packets per day | Registered users | Registration request per day
Registration_Failed packets | Not Matching peer found packets | Via
unauthorized IP's | Bytes per seconds | Caller ID
Packet rate | Average packet size | Contact
Packet inter arrival time | Forwarded calls | Forbidden messages

C. Proposed algorithm
This paper considers two classifier algorithms namely Naive Bayes’ and C4.5 Decision tree algorithm for performance analysis of VoIP service abuse attacks.

1) Naive Bayes’ classifier
A Naive Bayesian classifier is a simple and powerful classifier with independent assumptions. The incoming packets from Artemisa classify and assume a set of monitored attributes for instance. The proposed algorithm estimates the posterior probability that an attack packet is classified under  with each class A1 - Registration Hijacking, A2 - Invite Replay, A3 - Fake Busy and A4 - Bye Delay as stated in

(1)

Where,
 = probability of instance B being in class Aj,
 = probability of generating instance B given class Aj,
 = probability of occurrence of class Aj,
 = probability of instance B occurring

Our experimental results for Service abuse attack are computed from Eq.2. Naive Bayes’ classifiers assume attributes have independent distributions, and thereby estimate

 =  *..….*  (2)

Where,
 = probability of class Aj generating attack instance B
 = probability of class Aj generating the observed value for attribute B1, B2….Bn.

When the honeypot receives the voice packets, it decides the incoming packets are of a Fake_BUSY attack when the probabilities of attributes like no. of unregistered calls, no. of fake BUSY methods, no. of unauthorized IPs, packet inter arrival time and no. of forwarded calls are HIGH as mentioned in Eq.3.

p(Fake_BUSY_attack /Aj) =
    p(no_of_Fake_BUSY_packets = HIGH /Aj) *
    p(no_of_Unauthorized_IPs = HIGH /Aj) *
    p(no_of_fwd_calls = HIGH /Aj) *
    p(packet_inter_arrival_time = HIGH /Aj)    (3)

2) C4.5 Decision Tree algorithm
The C4.5 model divides samples or training data on basis of the collected features as listed in table I. The procedure will prolong until the sample subset cannot be split. At last, examine the least possible level split and those samples that don’t comprise noteworthy input to the model will be discarded. C4.5 algorithm makes decision from Artemisa result which consists of a set of labelled data.

The training data is a set T = t1, t2, ..., tn of previously classified samples. Every sample ti consists of a p-dimensional vector (V1,i, V2,i, ..., Vp,i), where Vi stands for attributes or features of the sample over and above the class in which ti falls. The algorithm chooses the attribute that most efficiently splits the set of samples into small subsets supplementing in one class or the other at each node of the proposed VoIP set-up. The feature with the highest normalized information gain is preferred to formulate the decision. The C4.5 algorithm then recurses on the minor subsets [14].

VI. PERFORMANCE ANALYSIS OF THE PROPOSED CLASSIFIER

In this section, we recapitulate our experimental results to identify the VoIP service abuse threats for intrusion detection. Experimental results are presented in terms of the true positive, false positive, true negative and false negative for incoming packets. This accomplishes the good level of
inequity from normal data in the honeypot. The proposed classification increases the accuracy of true positive rates.

The flow graph shown in Fig.4 represents the working model of the proposed technique and the corresponding procedure is illustrated as follows,

1. The Artemisa honeypot setup will be the initial unit of our proposed test bed that communicates with all the inward bound voice packets and identifies the malicious incomes.
2. Feature extraction phase proposed in the honeypot which includes,
    a. Creating labelled data set from the received packets like call_duration, registration_failed_packets, unauthorized_ip,
    b. Discovering attribute subsets for analogous instances.
    c. Identify and analyze relevant attributes for classification of VoIP threats mentioned in section IV.
3. The infected packets are then sent to the proposed classifier algorithm. Our proposed methodology will now identify and trap the attacker and also classifies the attack
4. Then performance analyses with the two classifiers are done and the results are charted.

Fig.4 Flow graph for proposed system

Fig. 5 Detection rates of classification algorithm

Figure.5 emphasizes the detection rates of the two classification algorithms. The classification algorithm works with the help of received packets on Registration hijacking, INVITE replay frames, fake BUSY attacks and fake BYE

Fig. 6 Packet classification of service abuse attack

Figure.6 shows the number of packets identified under service abuse attacks. Out of 19,821 packets received at the SIP server for a period of one week, 2,161 packets were categorized under the number of unregistered calls protruding the SIP server. 12,038 packets were categorized under fake BUSY/BYE/CANCEL methods, 2,680 packets under failed category and remaining 2,942 packets include other factors for service abuse attacks.
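The procedure above (labelled HIGH/LOW attributes, Naive Bayes' classification, true/false positive rates) as an added example; it is not code from the paper. It scores each class as p(Aj) times the product of the per-attribute likelihoods p(Bi/Aj), with Laplace smoothing added here; the records, the HIGH/LOW discretisation, the attribute-to-class associations and the extra Normal class are constructed assumptions.

```python
from collections import Counter, defaultdict
from math import log

# Flag order of the H/L strings below (attribute names follow Eq.3 and Table I).
ATTRS = ("fake_busy_packets", "unauthorized_ips", "fwd_calls",
         "packet_inter_arrival_time", "registration_failed_packets",
         "unregistered_calls")
# Constructed labelled records: one HIGH/LOW flag per attribute, then the class.
TRAIN = [
    ("HHHHLL", "Fake_BUSY"), ("HHHLLL", "Fake_BUSY"), ("HHLHLL", "Fake_BUSY"),
    ("LHLLHL", "Registration_Hijacking"), ("LHLLHH", "Registration_Hijacking"),
    ("LLLLHL", "Registration_Hijacking"),
    ("LLLLLH", "Invite_Replay"), ("LHLLLH", "Invite_Replay"),
    ("LLHLLH", "Invite_Replay"),
    ("LLLHLL", "Bye_Delay"), ("LLHHLL", "Bye_Delay"), ("LLLHLL", "Bye_Delay"),
    ("LLLLLL", "Normal"), ("LLLLLL", "Normal"), ("LLHLLL", "Normal"),
    ("LLLLLL", "Normal"),
]
# Constructed held-out records; the last is a legitimate call with a high
# packet inter-arrival time, which the model confuses with Bye_Delay.
TEST = [
    ("HHHHLL", "Fake_BUSY"), ("HHLLLL", "Fake_BUSY"),
    ("LHLLHL", "Registration_Hijacking"), ("LLLLLH", "Invite_Replay"),
    ("LLLHLL", "Bye_Delay"), ("LLLLLL", "Normal"), ("LLHLLL", "Normal"),
    ("LLLHLL", "Normal"),
]

def train(records):
    """Count class priors and, per class and attribute, how often H and L occur."""
    prior = Counter(label for _, label in records)
    cond = defaultdict(Counter)          # (label, attribute index) -> value counts
    for flags, label in records:
        for i, value in enumerate(flags):
            cond[(label, i)][value] += 1
    return prior, cond

def log_posteriors(model, flags):
    """log p(Aj) + sum_i log p(Bi/Aj) per class, Laplace-smoothed over {H, L}."""
    prior, cond = model
    total = sum(prior.values())
    scores = {}
    for label, n in prior.items():
        s = log(n / total)
        for i, value in enumerate(flags):
            s += log((cond[(label, i)][value] + 1) / (n + 2))
        scores[label] = s
    return scores

def classify(model, flags):
    scores = log_posteriors(model, flags)
    return max(scores, key=scores.get)

def rates(model, records, positive):
    """(true positive rate, false positive rate) with one class as 'positive'."""
    tp = fp = pos = neg = 0
    for flags, label in records:
        hit = classify(model, flags) == positive
        if label == positive:
            pos += 1
            tp += hit
        else:
            neg += 1
            fp += hit
    return tp / pos, fp / neg

if __name__ == "__main__":
    model = train(TRAIN)
    for cls in sorted({label for _, label in TEST}):
        print(cls, "TPR=%.3f FPR=%.3f" % rates(model, TEST, cls))
```

The jittery legitimate call in the held-out set is what produces a non-zero false positive rate for Bye_Delay, the kind of error the per-class rates in a comparison table are meant to expose.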
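The split rule from the C4.5 description in 2) above (prefer the feature with the highest normalized information gain, then recurse on the subsets) as an added example; it is not the paper's code. The labelled records and their HIGH/LOW discretisation are constructed, pruning and continuous-valued attributes are left out, and breaking ties by attribute order is an assumption of this sketch.

```python
from collections import Counter, defaultdict
from math import log2

# Flag order of the H/L strings below (attribute names follow Eq.3 and Table I).
ATTRS = ("fake_busy_packets", "unauthorized_ips", "fwd_calls",
         "packet_inter_arrival_time", "registration_failed_packets",
         "unregistered_calls")
# Constructed labelled records: one HIGH/LOW flag per attribute, then the class.
TRAIN = [
    ("HHHHLL", "Fake_BUSY"), ("HHHLLL", "Fake_BUSY"), ("HHLHLL", "Fake_BUSY"),
    ("LHLLHL", "Registration_Hijacking"), ("LHLLHH", "Registration_Hijacking"),
    ("LHLLHL", "Registration_Hijacking"),
    ("LLLLLH", "Invite_Replay"), ("LHLLLH", "Invite_Replay"),
    ("LLHLLH", "Invite_Replay"),
    ("LLLHLL", "Bye_Delay"), ("LLHHLL", "Bye_Delay"), ("LLLHLL", "Bye_Delay"),
    ("LLLLLL", "Normal"), ("LLLLLL", "Normal"), ("LLHLLL", "Normal"),
    ("LLLLHL", "Normal"), ("LLLLLL", "Normal"),
]

def entropy(items):
    n = len(items)
    return -sum(c / n * log2(c / n) for c in Counter(items).values())

def gain_ratio(records, i):
    """Information gain of attribute i divided by its split information."""
    split_info = entropy([flags[i] for flags, _ in records])
    if split_info == 0:                  # attribute takes a single value here
        return 0.0
    branches = defaultdict(list)
    for flags, label in records:
        branches[flags[i]].append(label)
    remainder = sum(len(b) / len(records) * entropy(b) for b in branches.values())
    gain = entropy([label for _, label in records]) - remainder
    return gain / split_info

def build(records):
    """Return a class label (leaf) or (attribute index, {flag: subtree})."""
    labels = [label for _, label in records]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1:
        return majority
    # Round away float noise; on equal ratios the lower attribute index wins.
    ratio, neg_i = max((round(gain_ratio(records, i), 9), -i)
                       for i in range(len(ATTRS)))
    if ratio <= 0:                       # the subset cannot be split any further
        return majority
    i = -neg_i
    return (i, {v: build([r for r in records if r[0][i] == v]) for v in "HL"})

def predict(tree, flags):
    while not isinstance(tree, str):
        i, branches = tree
        tree = branches[flags[i]]
    return tree

if __name__ == "__main__":
    tree = build(TRAIN)
    print("root split:", ATTRS[tree[0]])
    for sample in ("HHHHLL", "LHLLHL", "LLLHLL", "LLLLHL"):
        print(sample, "->", predict(tree, sample))
```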

TABLE II. DETECTION RATES OF CLASSIFIER ALGORITHM

Algorithm | True Positive (Normal) | True Positive (Attack) | False Positive (Normal) | False Positive (Attack)
Naive Bayes’ | 0.983 | 0.978 | 0.134 | 0.083
C4.5 Decision Tree | 0.994 | 0.962 | 0.006 | 0.056

The data identified as attack packets make sure that it results in enhanced security of the SIP server to the maximum level. Table II depicts the performance comparison of the observed results for the two classification algorithm.

VII. CONCLUSION

From the classified results, Asterisk server takes action over the packets either to accept or drop using the suspicion algorithm. The suspicion technique proposed here is more predictive towards attacks. This paper analyzes and categorizes a large volume of honeypot data and compares the true and false positive rates of the two classification algorithms. Thus the proposed technique augments the robustness of the VoIP network with Artemisa by preventing service abuse attacks to a greater extent.

REFERENCES

[1] R. Zhang, X. Wang, X. Yang, and X. Jiang. Billing Attacks on SIP-based VoIP Systems. In Proceedings of the 1st USENIX workshop on Offensive Technologies, pages 1–8, August 2007.
[2] S. Niccolini, R. G. Garroppo, S. Giordano, G. Risi, and S. Ventura. SIP Intrusion Detection and Prevention: Recommendations and Prototype Implementation. In Proceedings of the 1st IEEE Workshop on VoIP Management and Security (VoIP MaSe), pages 47–52, April 2006.
[3] M. Nassar, R. State, O. Festor. VoIP Honeypot Architecture. In Proceedings of the 10th IFIP/IEEE International Symposium on Integrated Network Management, pages 109–118, May 2007.
[4] H. Abdelnur, T. Avanesov, M. Rusinowitch, Abusing SIP Authentication, Fourth International Conference on Information Assurance and Security (ISIAS '08), pp. 237-242, 2008.
[5] R. State, O. Festor, H. Abdelanur, V. Pascual, J. Kuthan, R. Coeffic, J. Janak, and J. Floroiu. SIP digest authentication relay attack. draft-state-sip-relay-attack-00, March 2009.
[6] M. J. Islam, Q. M. J. Wu, M. Ahmadi, M. A. Sid-Ahmed, "Investigating the Performance of Naive-Bayes Classifiers and K-Nearest Neighbor Classifiers", International Conference on Convergence Information Technology, pp. 1541-1546, 2007.
[7] S. Parsazad, E. Saboori, A. Allahyar, "Fast Feature Reduction in intrusion detection datasets", MIPRO, 2012 Proceedings of the 35th International Convention, pp. 1023-1029, 2012.
[8] M. Ulltveit, V. Oleshchuk, Privacy Violation Classification of Snort Ruleset, 2010 18th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp. 654-658, 2010.
[9] H. Om, A. Kundu, "A hybrid system for reducing the false alarm rate of anomaly intrusion detection system", 2012 1st International Conference on Recent Advances in Information Technology (RAIT), pp. 131-136, March
[10] M. Panda, M. R. Patra, A Comparative Study of Data Mining Algorithms for Network Intrusion Detection, ICETET '08 First International Conference on Emerging Trends in Engineering and Technology, pp. 504-507, July 2008.
[11] T. Subbulakshmi, A. F. Afroze, Multiple learning based classifiers using layered approach and Feature Selection for attack detection, International Conference on Emerging Trends in Computing, Communication and Nanotechnology (ICE-CCN), pp. 308-314, March 2013.
[12] S. Liancheng, J. Ning, Research on Security Mechanisms of SIP-Based VoIP System, Ninth International Conference on Hybrid Intelligent Systems, pp. 408-410, Aug. 2009.
[13] Si Duanfeng, Q. Long, Han Xinhui, Zou Wei, Security mechanisms for SIP-based multimedia communication infrastructure, International Conference on Communications, Circuits and Systems (ICCCAS 2004), pp. 575-578, June 2004.
[14] R. Quinlan, “C4.5: Programs for Machine Learning,” Morgan Kaufmann Publishers, San Mateo, CA, 1993.