3rd International Conference on Computer and Knowledge Engineering (ICCKE 2013), October 31 & November 1, 2013, Ferdowsi University of Mashhad
New method for evaluating anti-SPIT in VoIP networks Mina Amanian Dept. of Computer engineering Imam Reza International University of Mashhad, Iran
[email protected]
Dept. of Engineering Ferdowsi University of Mashhad Mashhad, Iran
[email protected]
Abstract— Unsolicited bulk email, or Spam, is a menace to the usability of Internet email. The possibility of cheap Voice over IP (VoIP) services has introduced the threat of Spam over Internet Telephony (SPIT). In order to detect SPIT efficiently we need to extract some features which help us in categorizing the incoming calls. In recent research various features have been introduced, but some of these features have less effect in detecting SPIT. In this paper we propose an approach that assigns a weight to each feature and determines which feature is more important than the others in the classification of suspicious incoming calls. Once we select the best features, we can detect SPIT efficiently in less time.
Keywords: PSTN; SPIT; SIP; VoIP; Caller; Callee
Hossein Khosravi Roshkhari IP-PBX Laboratory, Dept. of Engineering Ferdowsi University of Mashhad Mashhad, Iran
[email protected]
Mohammad Hossein Yaghmaee Moghaddam
978-1-4799-2093-8/13/$31.00 ©2013 IEEE
I. INTRODUCTION
VoIP is a promising technique which uses existing data networks to establish voice sessions by transferring voice streams placed into data packets. Nowadays voice transmission via the internet has become an essential tool for the business market, which drives its development and growth. VoIP is a transformation of traditional networks, or PSTNs (Public Switched Telephone Networks), into the data network environment. The main reason for VoIP development is that it reduces telephony costs, produces higher availability and provides easy convergence to the PSTN. Mechanisms are needed to support real-time delivery of voice packets, along with signaling protocols for handling the negotiation between different VoIP devices. Threats and vulnerabilities of internet protocols make VoIP potentially insecure; for example, an attacker can send numerous simultaneous advertisement calls or messages to other users at low cost. SIP (Session Initiation Protocol) is the most widely applied protocol in current VoIP implementations. SIP is a signaling protocol for initiating, managing and terminating voice and video sessions across packet networks. SIP sessions involve one or more participants and can be used for unicast or multicast communication [3]. Attackers attempt to establish bulk unsolicited multimedia sessions, which are called Spam calls [4]. This type of Spam call in the VoIP environment is named SPIT (Spam over Internet Telephony). Although SPIT is essentially similar to Spam, we expect that SPIT has a more destructive effect on users [4, 13]. Due to the expensive and end-to-end nature of the PSTN, generating Spam calls is less attractive to attackers in such networks [1]. Attackers basically use specific software named a bot (which is assumed to be a soft phone client). The attacker may set up a virus or Trojan on various computers to distribute the Caller identity. The first report came in 2006, when many advertisement calls with marketing purposes showed up in Skype. Spam detection approaches are not extendable to SPIT due to its real-time nature. Moreover, email content plays a big role in the detection mechanism, which is not applicable to VoIP content [1]. The similarity of SPIT and Spam is that both of them use the internet to achieve their purposes. Due to the wide deployment of VoIP networks, we assume that SPIT will be a serious problem in the near future.
This paper is organized as follows. In section II we survey the related works on anti-SPIT methods in detail. Section III describes the background, section IV discusses the proposed scheme, section V contains the evaluation and finally the conclusion is presented.
II. RELATED WORKS
Black lists and white lists are ordinarily lists of addresses of suspicious and safe users respectively. These lists are maintained by certain organizations and can be queried by the servers. There are a few hundred black lists that differ in their scope, and providers of black lists can collect addresses of suspected Spammers in various ways. The gray list is a complementary mechanism to the black and white lists. When a server receives a call from a sender that is listed on neither a white nor a black list, the call is temporarily rejected. Gray listing is based on the supposition that SPIT software is rather simple and is optimized to send a lot of calls but does not care about retransmission [3]. One of the approaches uses DNS black lists for detecting SPIT and shows that 80% of all Spam messages come from IP addresses which were blocked by at least one DNSBL (DNS black list); therefore DNSBL might be a survivable solution for Spam from botnets [5], but this approach is not suitable for SPITTERS that change their IP and escape from the lists. As the SPIT threat became a research area, some researchers tried to use techniques similar to email Spam detection, such as content filtering. These sorts of approaches analyze the content of calls or messages, although they appear to be inefficient for SPIT calls due to their processing requirements [20].
Some other approaches are based on challenge and response; these approaches are specifically designed to distinguish a human from a computer [1, 8]. Since a SPITTER is always computer software, the server attempts to challenge the Caller with human-intelligible questions and treats an unanswered call as SPIT [9]. Using the Turing test and analyzing human behavioral patterns has been shown to be useful in some other methods.
To decrease the number of calls received by users, an instant call system asks the user to give her consent before forwarding a call from an unknown sender. If a sender is on neither the white nor the black list of the receiver, the call will not be forwarded to the receiver unless the receiver explicitly agrees [3].
Using community signals is another mechanism, which shares SPIT information between networks; each user in the network is responsible for the SPIT problem and fights it by reporting SPIT once received [6]. Some other techniques have implemented different modules [7, 11] and, by a so-called voting process, determine whether the call must be rejected or allowed. A scoring system that uses Naive Bayes and call patterns [15] has been proposed for detecting unwanted communication Callers. User-behavior-aware filtering [16] that uses adaptive training decides whether to detect or block SPIT. A trust-based mechanism is another approach to detect SPIT [10, 21]. It considers the trust of the Caller and compares it with a threshold, and if it is below the threshold, the call can pass. Some other approaches use anomaly and ontology for detecting SPIT [12, 13]. The SIP Spam labeling system [17] does not use a SIP extension and uses the SIP INVITE message that establishes the SIP session for the insertion of a Spam indicator. Another study collects features of internet telephony [18], then executes k-nearest neighbor classification and analyzes whether the user is suspicious or not; this approach immediately updates the black list.
III. BACKGROUND
A. SIP
SIP is a peer-to-peer protocol with the following entities: User Agents (UA), Proxy Servers, Redirect Servers, Location Servers and Redirect Servers. In a sample session establishment between two UAs, after registration of the two users, UA A sends an INVITE request to the Proxy Server. The Proxy Server looks up A's IP address and passes the message to UA B. After UA B has confirmed the request by picking up the phone, UA A requests a media session. The established call can be terminated if either of the UAs sends a BYE request to the other UA [3]. SIP is being developed by the SIP Working Group within the Internet Engineering Task Force (IETF). The protocol is published as IETF RFC 2543 and currently has the status of a proposed standard.
Signaling in SIP is based on (ASCII compatible) text messages. A message is composed of a message header and an optional message body. Messages are either requests or responses. Request messages are sent from the client to the server and response messages are sent from the server to the client [2].

TABLE I. Request Methods
Method     Description
INVITE     Initiates a call, changes call parameters.
ACK        Confirms a final response for INVITE.
BYE        Terminates a call.
CANCEL     Cancels searches and "ringing".
OPTIONS    Queries the capabilities of the other side.

TABLE II. Response Methods
Method     Description
Register   Registers with the Location Service.
ACK        Sends mid-session information that does not modify the state.

Response messages contain numeric response codes. The SIP response code set is partly based on HTTP response codes [19].
B. SPIT
The term Spam, which is usually used to describe unwanted email, can be expanded to describe any unsolicited message (with positive appearance) in a sample communication. In VoIP networks this term, which we name SPIT, denotes any unsolicited call or message, which usually contains commercial data. The different types of Spam in VoIP networks can be categorized as follows [3]:
Spam over Internet Telephony (SPIT)
Spam over Instant Messaging (SPIM)
Spam over Presence Protocol (SPPP)
SPIT, as is generally known, refers to unsolicited calls which usually play pre-recorded audio files to the target Callee.
C. PCA and LDA
There are many possible techniques for the classification of data. Principal Component Analysis (PCA) and Linear Discriminant Analysis (LDA) are two commonly used techniques for data classification and dimension reduction. Linear Discriminant Analysis easily handles the case where the within-class frequencies are unequal, and its performance has been examined on randomly generated test data. This method maximizes the ratio of between-class variance to within-class variance in any particular data set, thereby guaranteeing maximal separability. The main difference between LDA and PCA is that PCA does more of feature classification and LDA does data classification. In PCA, the shape and location of the original data sets change when transformed to a different space, whereas LDA doesn't change the location but only tries to provide more class separability and draw a decision region between the given classes. This method also helps to better understand the distribution of the feature data. In LDA, data sets can be transformed and test vectors can be classified in the transformed space by two different approaches.
Class-dependent transformation: This type of approach involves maximizing the ratio of between-class variance to within-class variance. The main objective is to maximize this ratio so that adequate class separability is obtained. The class-specific type approach involves using two optimizing criteria for transforming the data sets independently.
Class-independent transformation: This approach involves maximizing the ratio of overall variance to within-class variance. This approach uses only one optimizing criterion to transform the data sets, and hence all data points, irrespective of their class identity, are transformed using this transform. In this type of LDA, each class is considered as a separate class against all other classes.
Principal component analysis (PCA) is a well-known feature extraction method, in which the principal components of the input vector relative to the mean vector are extracted by orthogonal transformation. Similarly, kernel PCA extracts principal components in the feature space [14]. We call them kernel principal components.
D. SVDD
The original SVDD classification technique is a powerful one-class classifier inspired by the SVM (Support Vector Machine), which is able to form a decision boundary around the training data without any particular knowledge about other data outside the boundary. SVDD tries to obtain a description of a set of training data which should reject all other possible objects [22].
IV. PROPOSED SCHEME
Many features that help us in SPIT detection can be extracted from VoIP packets. In our proposed scheme we selected six important features of the call that are easy to implement and fast to extract; they can be extracted directly from the SIP header and are presented as follows:
Call Rate: Most SPITTERS spend their maximum effort on using time and bandwidth effectively, thus their call rate is generally high.
Call Interval: The intertime distance for the calls generated by a SPITTER usually follows a regular scheme. Hence, their calls have a low variance to mean ratio of previous intertimes.
Simultaneous Calls: The occurrence of simultaneous calls precisely determines the suspicious behavior of a Caller.
Diversity of Callees: A SPITTER attempts to cover a large number of different Callees in a short time, while normal users generally call repetitive contacts, and it is very rare that SPITTERS call repetitive contacts.
Call Duration: The duration of SPIT calls (the distance between the INVITE and BYE packets) is usually short, whereas normal users have long durations.
Error Rate: SPITTERS encounter a high volume of SIP errors, including CANCEL packets and 404 errors.
In figures 1 to 4 some data samples are presented for both normal and SPIT calls.
Figure 1. Call Rate
Figure 1 shows the Call Rate for normal and SPIT users. It is obvious that SPITTERS have a higher Call Rate than normal users, since SPITTERS try to generate more calls in less time.
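The six features of the proposed scheme, computed per Caller from call records, as an added example that is not code from the paper. The record layout, the one-hour window, the exact feature formulas and the sample calls are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed sample records (not the paper's data set), one per call:
# (caller, callee, INVITE time in s, end time in s, outcome).
# outcome is "BYE" for a completed call, "CANCEL" or "404" for a SIP error.
CALLS = [
    ("alice", "bob", 0, 180, "BYE"),
    ("alice", "carol", 900, 1020, "BYE"),
    ("alice", "bob", 2500, 2800, "BYE"),
    ("bot", "u1", 0, 8, "BYE"),
    ("bot", "u2", 5, 5, "404"),
    ("bot", "u3", 10, 16, "BYE"),
    ("bot", "u4", 15, 18, "CANCEL"),
    ("bot", "u5", 20, 27, "BYE"),
    ("bot", "u6", 25, 31, "BYE"),
]
WINDOW_S = 3600  # assumed observation window


def max_overlap(intervals):
    """Largest number of calls in progress at the same instant."""
    events = []
    for start, end in intervals:
        if end > start:  # a call rejected at once never overlaps anything
            events += [(start, 1), (end, -1)]
    events.sort()  # at equal times (t, -1) sorts before (t, 1)
    current = best = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best


def interval_vmr(starts):
    """Variance-to-mean ratio of the gaps between consecutive INVITEs."""
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # not enough history to judge regularity
    return pvariance(gaps) / mean(gaps)


def extract_features(calls, window_s=WINDOW_S):
    """Return {caller: {feature name: value}} for the six features."""
    by_caller = defaultdict(list)
    for rec in calls:
        by_caller[rec[0]].append(rec)
    features = {}
    for caller, recs in by_caller.items():
        recs.sort(key=lambda r: r[2])
        completed = [end - start for _, _, start, end, out in recs if out == "BYE"]
        features[caller] = {
            "call_rate": len(recs) / (window_s / 60),  # calls per minute
            "call_interval": interval_vmr([r[2] for r in recs]),
            "simultaneous_calls": max_overlap([(r[2], r[3]) for r in recs]),
            "diversity_of_callees": len({r[1] for r in recs}) / len(recs),
            "call_duration": mean(completed) if completed else 0.0,
            "error_rate": sum(r[4] != "BYE" for r in recs) / len(recs),
        }
    return features


if __name__ == "__main__":
    for caller, feats in extract_features(CALLS).items():
        print(caller, feats)
```

The constructed bot places a call every 5 seconds, so its interval ratio is 0, while the irregular normal Caller scores 98.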
Figure 2. Call Duration
The Call Duration of SPIT and normal users is shown in figure 2. When users answer a suspicious call, they immediately hang up, since they find out that it is not a normal call; on the other hand, normal calls have a longer duration.
Figure 3. Diversity of Callees
The Diversity of Callees for normal and abnormal users is compared in figure 3. SPITTERS randomly create a list of users and commonly tend to call a huge number of different users, while normal users tend to call specific users; hence SPITTERS have more diversity of Callees than normal users.
Figure 4. Call Interval
Call interval is another feature for SPIT detection, exactly inherited from [22]. The intertime distance for the calls generated by a SPITTER usually follows a regular scheme (especially for beginner SPITTERS). Hence, their calls have a low variance to mean ratio of previous intertimes. In figure 4 we consider the call interval for normal and SPIT users. SPITTERS usually call a variety of users in a short time, so they have a very short, regular distance between their calls, while normal users show a more irregular pattern between their calls. In SPIT detection some features have more effect on recognizing SPIT, hence we will try to allocate a weight to each of them. This weight represents the importance of that feature compared to the others. As discussed, we apply the PCA and LDA techniques for this analysis. Initially we may think all features have the same weight; however, we will show that some features become more valuable for us.
V. EVALUATION
We select six features of the call and apply two classification algorithms to evaluate the weight of each feature. We aim to decrease False Negative and increase True Positive. The number of normal users that are truly detected to be normal is called True Positive; the number of normal users incorrectly detected to be SPIT is called False Negative. In order to simulate the proposed framework we have evaluated PCA and LDA on a pseudo-real database, which is originally a combination of real call detail records from a VoIP company and six simulated SPITTERS with different complexity. As shown in table 3, PCA and LDA have both changed the feature weights within an almost wide range. Both algorithms are deployed in MATLAB.
TABLE III.
Features               PCA weights   LDA weights
Call Interval          0.0511        0.4483
Simultaneous Calls     0.0189        1.4892
Diversity of Callees   0.4186        12.0658
Error Rate             0.2741        11.1254
Call Duration          0.4599        6.6659
Call Rate              0.7316        1.086
The results show that Call Rate and Diversity of Callees have the highest weight compared to the other features when applying PCA and LDA respectively. We apply the calculated weights to the original data and then apply SVDD classification to determine which weighting scheme has the best effect on SPIT detection. The False Negative and True Positive values obtained for PCA, LDA and the original data are shown in table 4.

TABLE IV.
                 Original data   PCA            LDA
False Negative   1.5343562374    0.1000667111   0.7338225483
True Positive    99.969905923    99.998037342   99.9856071807
The results of table 4 show that PCA has less False Negative and higher True Positive compared to LDA, hence PCA is more effective than LDA. Also, Call Rate is a more important feature than the others. Our framework considers the weaknesses of other techniques and efficiently improves them. Using access lists plays an important role in SPIT detection, since they are faster than other approaches and are easy to implement. In our framework, we first check the incoming call against the lists. This increases the detection speed by bypassing the feature extraction module, which takes more time. We consider the decision made by the lists as deterministic, so updating them has to be performed with extra accuracy.
After checking the lists we extract the features of the incoming call, then we multiply the features by the weights gained from the PCA or LDA approach and calculate a total value. This value is compared with a threshold. If it is greater than the threshold, the call is suspicious and needs more analysis, hence we play the CAPTCHA to the Caller, who has to answer a question. If the answer is wrong, the black list is updated and the call is dropped. On the other hand, if the value is below the threshold or the Caller answers the CAPTCHA correctly, the call is sent to the Callee. Figure 5 shows the framework.
Figure 5. Proposed Framework (flowchart; nodes: Incoming call, Check black list, Check white list, Check gray list, Feature extraction, Multiply the weights and features then calculate them, If is bigger than the threshold?, CAPTCHA, If SPITTER?, Drop, Send call)
After performing PCA and LDA we calculate the total value for the Caller. It is calculated according to the following formula:
Total = weight(1)*feature(1) + weight(2)*feature(2) + … + weight(n)*feature(n)
After obtaining the total value for every Caller we compare this value to the threshold value. We show the values obtained from different users in figures 6 and 7. The result shows that the classification approach properly separates SPITTERS from normal users. Figure 6 shows the total values for different users after applying the PCA approach.
Figure 6. PCA
In figure 7 we applied LDA and obtained these total values. The result shows that SPITTERS have a higher total value than normal users and LDA correctly separates them.
Figure 7. LDA
VI. CONCLUSION
SPIT (Spam over Internet Telephony) is one of the major concerns in VoIP networks. Different detection solutions have been widely discussed in previous research. Many of them categorized the incoming calls based on the features extractable from SIP headers, but none of them has focused on the effective evaluation of these features. In this paper, we have tried to perform a deeper survey of the different SPIT detection mechanisms. This has been illustrated by evaluating the features which help the detection frameworks in classification techniques. Two weighting approaches (PCA and LDA) are applied and the results show that some features are less effective in the detection procedure. Results show that Call Rate is the most important feature. Moreover, a comprehensive framework is proposed which applies lists, classification and the CAPTCHA.
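The decision flow of the proposed framework (Figure 5) combined with the weighted total value, as an added example that is not code from the paper. The weights are those of Table III; the threshold, the scaling of every feature to [0, 1] with 1 meaning most SPIT-like, the sample Callers and the function names are assumptions, and the gray list is left out because the framework text does not say what it does in this flow.

```python
# Weights copied from Table III of the paper.
PCA_WEIGHTS = {
    "call_interval": 0.0511, "simultaneous_calls": 0.0189,
    "diversity_of_callees": 0.4186, "error_rate": 0.2741,
    "call_duration": 0.4599, "call_rate": 0.7316,
}
LDA_WEIGHTS = {
    "call_interval": 0.4483, "simultaneous_calls": 1.4892,
    "diversity_of_callees": 12.0658, "error_rate": 11.1254,
    "call_duration": 6.6659, "call_rate": 1.086,
}
THRESHOLD = 1.0  # assumed value for the PCA weights; the paper states none


def total_value(features, weights):
    """Total = weight(1)*feature(1) + ... + weight(n)*feature(n)."""
    return sum(weights[name] * features[name] for name in weights)


def screen_call(caller, extract, black_list, white_list, captcha_ok,
                weights=PCA_WEIGHTS, threshold=THRESHOLD):
    """Return "drop" or "send", checking the lists before anything else.

    extract and captcha_ok are callables, so a list hit skips the slower
    feature extraction and the CAPTCHA only runs for suspicious calls.
    """
    if caller in black_list:
        return "drop"
    if caller in white_list:
        return "send"
    if total_value(extract(caller), weights) <= threshold:
        return "send"
    if captcha_ok(caller):
        return "send"
    black_list.add(caller)  # wrong CAPTCHA answer: update the black list
    return "drop"


# Constructed feature vectors, assumed scaled to [0, 1] (1 = most SPIT-like).
SAMPLE = {
    "sip:alice@example.org": {
        "call_interval": 0.1, "simultaneous_calls": 0.0,
        "diversity_of_callees": 0.3, "error_rate": 0.0,
        "call_duration": 0.2, "call_rate": 0.1,
    },
    "sip:bot@example.net": {
        "call_interval": 0.9, "simultaneous_calls": 0.5,
        "diversity_of_callees": 1.0, "error_rate": 0.4,
        "call_duration": 0.9, "call_rate": 0.9,
    },
}


def demo():
    """Screen four constructed calls and record which ones needed extraction."""
    black, white, extracted = set(), {"sip:carol@example.org"}, []

    def extract(caller):
        extracted.append(caller)
        return SAMPLE[caller]

    def captcha_ok(caller):
        return False  # constructed: the suspicious Caller never answers

    callers = ["sip:carol@example.org", "sip:alice@example.org",
               "sip:bot@example.net", "sip:bot@example.net"]
    results = [screen_call(c, extract, black, white, captcha_ok) for c in callers]
    return results, extracted, black


if __name__ == "__main__":
    print(demo())
```

The LDA weights are an order of magnitude larger, so a threshold chosen for one weight set cannot be reused for the other: the normal Caller above already totals more than 5 under LDA.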
REFERENCES
[1] J. Quittek, S. Niccolini, S. Tartarelli, M. Stiemerling, M. Brunner, and T. Ewald, "Detecting SPIT calls by checking human communication patterns," in Communications, 2007. ICC'07. IEEE International Conference on, 2007, pp. 1979-1984.
[2] J. Seedorf, "Security challenges for peer-to-peer SIP," Network, IEEE, vol. 20, pp. 38-45, 2006.
[3] D. Sisalem, J. Floroiu, J. Kuthan, U. Abend, and H. Schulzrinne, SIP security: Wiley, 2009.
[4] D. Gritzalis and Y. Mallios, "A sip-oriented spit management framework," computers & security, vol. 27, pp. 136-153, 2008.
[5] M. Hirschbichler, C. Egger, O. Pasteka, and A. Berger, "Using E-Mail SPAM DNS Blacklists for Qualifying the SPAM-over-Internet-Telephony Probability of a SIP Call," in Digital Society, 2009. ICDS'09. Third International Conference on, 2009, pp. 254-259.
[6] S. Phithakkitnukoon and R. Dantu, "Defense against SPIT using community signals," in Intelligence and Security Informatics, 2009. ISI'09. IEEE International Conference on, 2009, pp. 232-232.
[7] B. Mathieu, S. Niccolini, and D. Sisalem, "SDRS: A Voice-over-IP Spam Detection and Reaction System," Security & Privacy, IEEE, vol. 6, pp. 52-59, 2008.
[8] H. Hai, Y. Hong-Tao, and F. Xiao-Lei, "A SPIT Detection Method Using Voice Activity Analysis," in Multimedia Information Networking and Security, 2009. MINES'09. International Conference on, 2009, pp. 370-373.
[9] Y. Soupionis and D. Gritzalis, "Audio CAPTCHA: Existing solutions assessment and a new implementation for VoIP telephony," computers & security, vol. 29, pp. 603-618, 2010.
[10] M. A. Azad and R. Morla, "Multistage spit detection in transit voip," in Software, Telecommunications and Computer Networks (SoftCOM), 2011 19th International Conference on, 2011, pp. 1-9.
[11] J. Quittek, S. Niccolini, S. Tartarelli, and R. Schlegel, "On spam over internet telephony (SPIT) prevention," Communications Magazine, IEEE, vol. 46, pp. 80-86, 2008.
[12] H. Sengar, X. Wang, and A. Nichols, "Call Behavioral Analysis to Thwart SPIT Attacks on VoIP Networks," in Security and Privacy in Communication Networks, ed: Springer, 2012, pp. 501-510.
[13] S. Dritsas, V. Dritsou, B. Tsoumas, P. Constantopoulos, and D. Gritzalis, "OntoSPIT: SPIT management through ontologies," Computer Communications, vol. 32, pp. 203-212, 2009.
[14] S. Abe, Support vector machines for pattern classification: Springer, 2010.
[15] T. Kusumoto, E. Y. Chen, and M. Itoh, "Using call patterns to detect unwanted communication callers," in Applications and the Internet, 2009. SAINT'09. Ninth Annual International Symposium on, 2009, pp. 64-70.
[16] Y. Bai, X. Su, and B. Bhargava, "Adaptive voice spam control with user behavior analysis," in High Performance Computing and Communications, 2009. HPCC'09. 11th IEEE International Conference on, 2009, pp. 354-361.
[17] S. Y. Park and S. G. Kang, "Labeling System for Countering SIP spam," in Advanced Communication Technology, 2008. ICACT 2008. 10th International Conference on, 2008, pp. 1644-1646.
[18] M.-Y. Su and C.-H. Tsai, "A Prevention System for Spam over Internet Telephony," Appl. Math, vol. 6, pp. 579S-585S, 2012.
[19] M. Stiemerling, "SIP: Protocol Overview," ed: Radvision, 2001.
[20] A. Shahroudi, R. Khosravi, H. Mashhadi, and M. Ghorbanian, "Full survey on SPIT and prediction of how VoIP providers compete in presence of SPITTERS using game-theory," in Computer Applications and Industrial Electronics (ICCAIE), 2011 IEEE International Conference on, 2011, pp. 402-406.
[21] N. Chaisamran, T. Okuda, G. Blanc, and S. Yamaguchi, "Trust-based voip spam detection based on call duration and human relationships," in Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on, 2011, pp. 451-456.
[22] H. Khosravi, H. Yaghmaee, "SIP Header Based Feature Extraction for SPIT Attacks and its application in a comprehensive Anti-SPIT framework," in IASTED Conference, Calgary, Canada, July 2011.