Academy of Computer Education
VoIP Cloud Emerging Threats and Countermeasures Analysis
Review and summarize the attached journal article within 5 pages (does not include title page, abstract, conclusion and reference page). Do not use outside sources, “only this article”. You may use the article review template to guide you; however, your submission must be in full APA format.
Requirements
Article to review, attached: 81980-160599-1-PB.pdf (838.102 KB)
Article review template, to summarize: Article Review Template.docx (15.677 KB)
APA Format, 7th edition
No plagiarism
Page length 5 (not including Abstract, Title page, Conclusion and References)
Indian Journal of Science and Technology, Vol 9(6), DOI: 10.17485/ijst/2016/v9i6/81980, February 2016
ISSN (Print) : 0974-6846
ISSN (Online) : 0974-5645
A Comprehensive Survey of Security Issues and
Defense Framework for VoIP Cloud
Ashutosh Satapathy* and L. M. Jenila Livingston
School of Computing Science and Engineering, VIT University, Chennai – 600127, Tamil Nadu, India;
ashutosh.satapathy2013@vit.ac.in, jenila.lm@vit.ac.in
Abstract
Voice over Internet Protocol (VoIP) is an advanced telecommunication technology that transfers voice/video over a high-speed network and provides the advantages of flexibility, reliability and cost-efficient advanced telecommunication features. Still, security-related issues such as threats, holes and vulnerabilities are deterring many organizations from adopting the VoIP cloud environment. A novel secured framework is therefore necessary to prevent all kinds of VoIP security issues. This paper points out the existing VoIP cloud architecture and the various security attacks and issues in the existing framework. It also presents the defense mechanisms to prevent the attacks and proposes a new security framework called Intrusion Prevention System (IPS) using a video watermarking and extraction technique and a Liveness Voice Detection (LVD) technique with biometric features such as face and voice. IPSs updated with new LVD features protect VoIP services not only from attacks but also from misuse.
Keywords: Defense Mechanisms, Liveness Voice Detection, VoIP Cloud, Voice over Internet Protocol, VoIP Security Issues
1. Introduction
The rapid progress of VoIP over traditional services has led to a situation that is common to many innovations and new technologies, such as VoIP cloud and peer-to-peer services like Skype, Google Hangout etc. VoIP is the technology that supports sending voice (and video) over an Internet Protocol-based network [1,2]. This is completely different from the public circuit-switched telephone network. A circuit-switching network allocates resources to each individual call, and the path is permanent throughout the call from start to end. Traditional telephony services are provided by protocols/components such as SS7, T carriers, Plain Old Telephone Service (POTS), the Public Switch Telephone Network (PSTN), dial-up, local loops and anything under the International Telecommunication Union. IP networks are based on packet switching: each packet can follow a different path, has its own header and is forwarded separately by routers. A VoIP network can be constructed in various ways by using both proprietary protocols and protocols based on open standards.
*Author for correspondence
1.1 VoIP Layer Architecture
A VoIP communication system typically consists of a front-end platform (soft-phone, PBX, gateway, call manager), a back-end platform (server, CPU, storage, memory, network) and intermediate platforms such as VoIP protocols, database, authentication server, web server, operating systems etc. It is mainly divided into five layers, as shown in Figure 1.
1.2 VoIP Cloud Architecture
VoIP cloud is the framework for delivering telephony services in which resources are retrieved from the cloud data center through web applications and software, instead of a direct link to a server [3]. Information and applications are stored on cloud servers in a distributed fashion. Apart from cloud computing characteristics such as on-demand service, resource pooling, optimized resource allocation, pay-as-you-go, elasticity and scalability [4,5], VoIP cloud contains mainly six components, as shown in Figure 2.
Figure 1. VoIP layer architecture.
Figure 2. VoIP cloud architecture.
1.2.1 Call Server
Phones are registered with this component. It handles security and admission control while connecting the phones. The voice data of a call carried by the transport protocol may or may not flow through the call server.
1.2.2 DHCP Server
It is used for dynamically distributing network configuration parameters such as the Internet Protocol (IP) address, the address of the TFTP server etc.
1.2.3 Application Server
These servers are designed to install, host and operate applications and provide services to end users, IT industries and organizations.
1.2.4 Time Server
The main principle of the time server is to maintain synchronization over the network. The actual time from the server clock is distributed to its clients using a computer network.
1.2.5 TFTP Server
It helps to update the network configuration used by the phones, routers and firewalls, and may provide a settings file containing operational parameters for the VoIP network, e.g., software updates or the codec used in a particular region.
1.2.6 Intrusion Prevention System (IPS)
It monitors network and system behavior for malicious instances. The major roles of intrusion prevention systems are to find suspicious instances and their log information, try to block/stop them and report them to the concerned admin.
2. Literature Review
VoIP technology was started in February 1995 by Vocaltec, Inc. in Israel. It transfers voice over a high-speed network, is cheaper compared to PSTN and is reachable everywhere through the internet by Loon, developed by Google, with 4G LTE speed [6].
Vol 9 (6) | February 2016 | www.indjst.org
2.1 VoIP Security Issues
VoIP transfers voice over the data network through different network elements such as switches and routers. When PSTN is connected to the internet, i.e. VoIP acts as a carrier for voice/video traffic, the security problems include not only those common in circuit-switched networks (PSTN, POTS), such as eavesdropping (tapping) and toll fraud attacks, but also problems related to IP networks. Security issues in VoIP are broadly classified into three categories.
2.1.1 Real Time Issues
From the last decade onwards, VoIP has been used for several illegal activities such as hacking, terrorism, match fixing etc. Recently, in October 2014, phone hackers broke into the phone network of the company Foreman Seeley Fountain Architecture and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill.
2.1.2 Network Related Issues
Attacks that aim to destroy, block, expose, alter, disable, steal or gain unauthorized access to information in a VoIP network (e.g. threats include social, denial of service, service abuse, physical access, interruption of service etc.) are listed in Table 1, followed by the different types of attacks [7,8].
2.1.3 Voice Related Issues
Because a VoIP system carries voice traffic, a victim's voice can be mimicked by an attacker/intruder. A talking and singing robot that mimics human vocalization, developed by M. Kitani of Kagawa University, is vulnerable to VoIP communication [9].
2.2 VoIP Attacks
This section deals with different types of VoIP attacks.
2.2.1 Physical Attacks
The attacker performs this attack by stealing or breaking network equipment, or by taking direct control over equipment after gaining unauthorized access to a prohibited area in search of information. Some of the physical attacks are dumpster diving, shoulder surfing, hardware key loggers and overt access etc. They can be prevented by keeping documents and records safely inside lockers, and electronic equipment must be password protected. Finally, outer-layer security can be provided by deploying security guards at entry and exit points.
2.2.2 MAC Spoofing
The technique of masking the actual MAC address with another MAC address through software emulation is known as MAC spoofing. Here the hacker's system takes over the MAC address of one of the nodes that is already configured and permitted as a VoIP end device, by disconnecting that node or turning it off from the rest of the network. It can be prevented in a number of ways [10]. When an ARP packet arrives, extract the MAC address directly from the LAN card and from the OS registry, and compare the MAC address of the LAN card with that of the OS. If they don't match, delete the entry from the OS registry. Lock down the system by registering its MAC address with a DHCP IP address. Finally, secure the communication channel by encrypting it.

Table 1. VoIP network threats classification
Threat Type: Description
Social threats: These threats are aimed directly at individuals, through misconfigurations, security holes or defective protocol implementation in the VoIP system. (e.g., Phishing, Theft of identity or Service, Social engineering, Spam etc.)
Eavesdropping, interception and modification threats: These threats include illegal/unauthorized access to and modification of signaling and transport messages. (e.g., Call rerouting, interception of RTP sessions etc.)
Denial of service threats: DoS threats deny an individual access to VoIP services. DDoS attacks strike all users or business transmission capabilities. (e.g., SYN/UDP floods, ICMP floods, etc.)
Service abuse threats: These threats cause inappropriate utilization of VoIP services when those facilities are provided for business purposes. (e.g., toll fraud and billing avoidance etc.)
Physical access threats: These threats are illegal physical access to VoIP devices or the physical layer of the VoIP network. (e.g., Hardware key logger, theft of media, retrieval of discarded stuff etc.)
Interruption of services threats: These threats cause VoIP services/facilities to become unviable and unavailable. (e.g., power loss due to bad climate, resource consumption due to over purchase/extra subscription, issues that degrade call quality etc.)
2.2.3 ARP Spoofing
The hacker spreads forged Address Resolution Protocol (ARP) packets inside the VoIP network, modifying the ARP buffer. Here, the attacker binds the MAC address of their own system to the IP address of a genuine server, which causes the traffic meant for the server to be diverted to the attacker. It enables the hacker not only to listen to VoIP calls but also to reply to and terminate VoIP calls intended for others. ARP poisoning is followed by denial of service threats or eavesdropping, interception or modification threats, which cause severe damage to the victim. So, Enhanced ARP can be implemented to prevent ARP spoofing [11].
2.2.4 IP Spoofing
The attacker gets into the VoIP network by spoofing the IP address of an authorized machine, which helps him to spread malicious messages inside the network. IP spoofing helps the attacker to launch further attacks such as DoS attacks, theft of services, toll fraud etc. by impersonating an authorized host inside the VoIP network. IP spoofing can be prevented with high probability by configuring the border gateway router. First, the router disallows incoming packets that claim a source address within the local network. Second, the router disallows sending packets from the local network to another network if they don't have source addresses within the local address range. Y. Ma developed an effective trace route based method as a countermeasure against IP spoofing; it works with information from trusted adjacent nodes, i.e. acceptance of packets for a node depends completely on the trace route result from its adjacent nodes [12].
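The two border-router rules above, written out as a filter decision. This is an added example, not code from the article; the address ranges (including the IPv6 range), the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Constructed address plan: ranges that belong to the local VoIP site (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "2001:db8:20::/48")]


def is_local(addr):
    """True if addr lies inside one of the site's own ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)


def border_decision(direction, src, dst):
    """Apply the two anti-spoofing rules; returns (allowed, reason)."""
    try:
        src_local = is_local(src)
    except ValueError:
        return False, "unparseable source address"
    # Rule 1: nothing arriving from outside may claim to come from inside.
    if direction == "inbound" and src_local:
        return False, "outside packet claims a local source"
    # Rule 2: nothing leaving the site may carry a source we do not own.
    if direction == "outbound" and not src_local:
        return False, "local packet carries a non-local source"
    return True, "ok"


def audit(packets):
    """Return the packets the border router would drop, with the reason."""
    dropped = []
    for direction, src, dst in packets:
        allowed, reason = border_decision(direction, src, dst)
        if not allowed:
            dropped.append((direction, src, dst, reason))
    return dropped


# Constructed sample traffic as seen on the border router's interfaces.
PACKETS = [
    ("inbound", "198.51.100.7", "10.20.0.5"),         # normal external caller
    ("inbound", "10.20.0.9", "10.20.0.5"),            # local source arriving from outside
    ("outbound", "10.20.3.4", "198.51.100.7"),        # normal local phone
    ("outbound", "203.0.113.50", "198.51.100.7"),     # foreign source leaving the site
    ("inbound", "2001:db8:20::1", "2001:db8:20::5"),  # same as rule 1, over IPv6
]

if __name__ == "__main__":
    for row in audit(PACKETS):
        print(row)
```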
2.2.5 ICMP Flood
Internet Control Message Protocol (ICMP) is one of the network layer protocols; it carries error and query messages sent by either intermediate nodes or end nodes. The attacker tries to overflow the receiver's cache by flooding the respective node with ICMP packets. This forces the node to drop successive ICMP packets until free space is available in the node's cache, even if the request packets come from a genuine node. Routers are configured to set optimum points for traffic coming from different networks. This helps the routers not only to block unnecessary ICMP packets by matching ICMP requests and responses but also to prevent cache overflow. The VoIP system must be configured with a separate VLAN for packets originating within a single network, which are monitored by a firewall. Barbhuiya et al. have developed an error detection framework to identify different types of ICMP attack [13]. It consists of two modules: the verification module verifies the origin of ICMP packets, and the congestion check module extracts bandwidth utilization information using Simple Network Management Protocol (SNMP).
2.2.6 TCP/ UDP Floods
In a TCP flooding attack, the hacker creates a huge number of SYN packets with abnormal source IP addresses and sends them to the receiver. The receiver node allocates space in its Transmission Control Buffer (TCB) for each SYN request. In response to the SYN packets, the receiver sends SYN+ACK packets and waits for ACK packets. Because the SYN+ACK packets are addressed to abnormal IP addresses, the ACK packets never arrive, which prevents the receiver node from clearing the TCP SYN requests from the buffer and later causes the buffer to overflow. An attacker can use the TCP flood attack against VoIP signaling protocols such as H.323 and SIP, as both are connection-oriented protocols. Haris et al. have succeeded in detecting TCP flood attacks in communication by analyzing the payload and unusable area of the HTTP protocol (e.g., port, flags, source IP, header length) [14].
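The buffer behaviour described above, modelled from the receiver's side so that the effect of backlog size and timeout can be measured. This is an added example, not code from the article or from Haris et al.; the event tuples, the backlog limit and the timeout are constructed assumptions.

```python
def track_half_open(events, backlog_limit=5, syn_timeout=3.0):
    """Replay (time, src_ip, src_port, flag) events seen by a signaling server.

    flag is "SYN" (new request) or "ACK" (handshake completed). Returns the
    peak number of half-open entries, the SYNs refused because the buffer
    was full, and the entries still pending at the end.
    """
    pending = {}   # (src_ip, src_port) -> time the SYN+ACK was sent
    refused = []
    peak = 0
    for t, src, port, flag in events:
        # Entries whose final ACK never arrived are only freed by the timeout.
        while pending:
            oldest = next(iter(pending))  # dicts keep insertion (time) order
            if t - pending[oldest] < syn_timeout:
                break
            del pending[oldest]
        key = (src, port)
        if flag == "SYN":
            if key in pending:
                continue                  # retransmitted SYN, slot already held
            if len(pending) >= backlog_limit:
                refused.append(key)       # buffer full: genuine callers lose too
            else:
                pending[key] = t
        elif flag == "ACK":
            pending.pop(key, None)        # handshake done, slot released
        peak = max(peak, len(pending))
    return {"peak": peak, "refused": refused, "pending": list(pending)}


# Constructed trace: one normal handshake, six SYNs from unreachable sources,
# a genuine phone that connects during the flood and again after the timeout.
EVENTS = [(0.00, "10.20.1.5", 40000, "SYN"), (0.05, "10.20.1.5", 40000, "ACK")]
EVENTS += [(0.1 * i, "203.0.113.%d" % i, 1024 + i, "SYN") for i in range(1, 7)]
EVENTS += [(0.70, "10.20.1.9", 40001, "SYN"),
           (4.00, "10.20.1.9", 40002, "SYN"), (4.05, "10.20.1.9", 40002, "ACK")]

if __name__ == "__main__":
    print(track_half_open(EVENTS))
    print(track_half_open(EVENTS, backlog_limit=10))
```

With the small backlog the genuine phone at 10.20.1.9 is refused during the flood and only gets through once the stale entries time out; alerting on the peak value or on the refused list gives an early signal before the buffer is exhausted.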
In a UDP flood attack, a large number of UDP packets are created with arbitrary source addresses and port numbers and then sent to the victim node. The receiver node checks whether any processes are running on those ports and finds that most of the ports are closed. In reply, the receiver node creates a large number of destination unreachable packets. The increase in the number of ICMP packets causes the victim node and the network to overflow. The UDP flood attack prevents genuine nodes from communicating with the victim node for a particular span of time. An attacker can use the UDP flood attack against VoIP transport protocols such as RTP and RTCP, as both are connectionless protocols. Bardas et al. proposed a proportional packet rate assumption technique to differentiate UDP traffic for detecting forged IP addresses responsible for UDP flood attacks [15].
2.2.7 TCP/ UDP Replay
First, the attacker tries to obtain sensitive network information such as session cookies, passwords, voice data and signaling data. The information captured by sniffing tools can be used by the attacker to take over the ongoing session. Sometimes the victim's voice can be impersonated by directly playing back recorded voice data, or by slightly modifying the voice data and sending it to the destination, which helps the hacker to retrieve more information between caller and callee. Encrypting the sessions is the best way to stop penetration. Ali et al. proposed an enhanced port knocking technique to block TCP replay and port scanning attacks [16]. It works on source port sequence authentication instead of destination port sequence numbers.
2.2.8 SIP Registration Hijacking
VoIP phones use SIP or other signaling protocols to register their own MAC and IP addresses with the call server. In reply, each phone gets a unique call ID, which allows it to make or receive VoIP calls. The attacker tries to capture registration packets and replaces the MAC address in the packets with his own MAC address. This helps the rogue node to register with the victim's IP address, which causes calls intended for the victim node to be forwarded to the attacker. SIP registration hijacking allows intruders to track, block and manipulate voice traffic. As end node registration is based on a TCP connection, the attack can be prevented by implementing SSL/TLS security policies [17].
2.2.9 Malformed Packets
The hacker creates malicious packets and forwards them to nodes inside VoIP networks with the help of networking protocols. The target node processes those packets, which causes unnecessary ports and processes to open and degrades the performance of the node in handling VoIP traffic. New patches and software should be installed to keep the node up to date and close the security holes that are vulnerable to attack. New-generation firewalls must be installed to provide protection against vulnerable packets by filtering packets based on inbound rules, outbound rules and connection security rules. Geneiatakis et al. have succeeded in developing a framework that provides defense against malformed packets for VoIP infrastructure [18]. The detection mechanism is based on signature detection, which consists of two parts. The first is general signature detection (e.g., SIP METHOD, SIP URI, HEADERS), applicable to all packets; the second is method specific (e.g., CALL-ID, Content-Type, INVITE_METHOD) and differs from packet to packet.
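A two-part check of the kind described above, with general rules applied to every SIP request and then method-specific rules. This is an added example, not the signatures of Geneiatakis et al. or code from the article; the rule set, the line-length limit and both sample messages are constructed assumptions, and compact header names are not handled.

```python
import re

# Constructed rule set for illustration (assumption, not the cited framework's signatures).
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
URI_RE = re.compile(r"^sips?:(?:[\w.!~*'()%&=+$,;?/-]+@)?[A-Za-z0-9.-]+(?::\d{1,5})?(?:;[\w=.-]+)*$")
MAX_LINE = 512  # assumed upper bound for one start line or header line


def check_sip_request(raw):
    """Return a list of findings; an empty list means the request passed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return ["bad request line"]
    method, uri = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    findings = []
    # Part 1: general checks applied to every request.
    if method not in METHODS:
        findings.append("unknown method")
    if not URI_RE.match(uri):
        findings.append("malformed request URI")
    if any(len(line) > MAX_LINE for line in lines):
        findings.append("oversized line")
    findings += ["missing header " + h for h in REQUIRED if h not in headers]

    # Part 2: method-specific checks.
    if "cseq" in headers:
        cseq = headers["cseq"].split()
        if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
            findings.append("CSeq does not match request method")
    if method == "INVITE" and "contact" not in headers:
        findings.append("INVITE without Contact")
    if body and "content-type" not in headers:
        findings.append("body without Content-Type")
    length = headers.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body.encode())):
        findings.append("Content-Length mismatch")
    return findings


def build(request_line, headers, body=""):
    return "\r\n".join([request_line] + headers + ["", body])


# Constructed sample messages (hosts use the reserved .invalid domain).
SDP = "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
COMMON = ["Via: SIP/2.0/TCP phone1.example.invalid;branch=z9hG4bK776asdhds", "Max-Forwards: 70",
          "From: <sip:alice@voip.example.invalid>;tag=1928301774", "To: <sip:bob@voip.example.invalid>"]
GOOD = build("INVITE sip:bob@voip.example.invalid SIP/2.0", COMMON + [
    "Call-ID: a84b4c76e66710@phone1.example.invalid", "CSeq: 314159 INVITE",
    "Contact: <sip:alice@phone1.example.invalid>", "Content-Type: application/sdp",
    "Content-Length: %d" % len(SDP)], SDP)
BAD = build("INVITE sip:bob@@voip.example.invalid SIP/2.0",
            COMMON + ["CSeq: 1 BYE", "Content-Length: 9999"], "x")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_sip_request(msg))
```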
2.2.10 SIP Message Modification
In a message modification attack, the attacker runs network sniffing tools (e.g., Wireshark), penetrates the traffic and tries to modify signaling messages for better control over the VoIP network. Suppose a user initiates a call to the victim's phone by sending a SIP message to the call server. Modification of the SIP messages confuses the server and forces it to connect a rogue phone. The user believes that he is connected to one user, but the traffic is actually routed to the attacker. SIP message modification is carried out by performing a MITM attack such as MAC spoofing, IP spoofing or ARP poisoning. As SIP and RTP packet transmission takes place over TCP and UDP connections, VoIP traffic must be encrypted by implementing SSL/TLS to prevent this attack [17].
2.2.11 SIP Cancel/ Bye Attack
A host (zombie) must be configured in promiscuous mode to launch an attack into the VoIP network by sending SIP Cancel or Bye packets. Abnormal packets are created and sent to an IP phone, spoofing the IP address of the IP phone it is connected to, which terminates the ongoing call. The attacker can perform this attack continuously for a certain period of time by spoofing more than one IP address, which causes a denial of service attack. As both signaling and transport protocols use no authentication prior to data transmission, this attack can be prevented, first, by encrypting the communication channels; second, by providing authentication between end device and call server; and last, by having end devices verify the authenticity of signaling messages before processing [19].
2.2.12 SIP Malformed Command
In web-based VoIP communication (e.g. Facebook, Google Hangout), Hyper Text Markup Language (HTML) plays a major role, as it carries all the signaling information/commands in its body. Parsing SIP commands within HTML code for all possible inputs is difficult. The attacker tries to inject a malformed SIP command in an input field and send it to the server for processing, as in SQL injection. In response, it either breaks the server authentication or degrades the performance of the server and end devices. As a countermeasure, the call server confirms whether packets are coming from a genuine user by verifying the authenticity of the SIP message before processing. Dictionary and fuzzy tests must be performed on the HTML code to filter tricky malformed SIP packets used to exploit the server. M. Su and C. Tsai propose two functions to resist malformed SIP packets and flooding attacks on call servers [20]. The first function filters malformed packets and the second uses a Chi-square test to measure flooding attacks on the SIP server.
2.2.13 SIP Redirect
The call server cache maintains a data structure of each phone's caller ID and the corresponding MAC and IP addresses. The attacker manipulates the call server cache to confuse the call server for call redirection. So, SIP packets coming for the receiver are redirected to an attacker-specified number. Attacker can
perform DoS and DDo…