1. Field
The present invention relates to computers and computer networks. More particularly, the present invention relates to SIP-based VoIP traffic behavior profiling method.
2. Description of Related Art
Voice over IP (VoIP) allows users to make phone calls over the Internet, or any other IP network, using the packet switched network as a transmission medium rather than the traditional circuit transmissions of the Public Switched Telephone Network (PSTN). VoIP has come a long way since its first rudimentary applications provided erratic yet free phone calls over the unmanaged Internet. VoIP technology has reached a point of being comparable in terms of grade voice quality with traditional PSTN yet consuming only a fraction of the bandwidth required by TDM networks. The maturity of VoIP standards and quality of service (QoS) on IP networks opens up new possibilities for carrier applications. Consolidation of voice and data on one network maximizes network efficiency, streamlines the network architecture, reduce capital and operational costs, and opens up new service opportunities. At the same time, VoIP enables new multimedia service opportunities, such as Web-enabled multimedia conferencing, unified messaging, etc, while being much cheaper.
The session initiation protocol (SIP) is the Internet standard signaling protocol for setting up, controlling, and terminating VoIP sessions. In addition to IP telephony, it can also be used for teleconferencing, presence, event notification, instant messaging, and other multimedia applications. SIP-based VoIP services require infrastructure support from entities such as SIP registrars, call proxies, and so forth which are collectively referred to as SIP servers. A SIP registrar associates SIP users, e.g., names or identities called SIP user resource indicators (URIs) with their current locations, e.g., IP addresses. A SIP call proxy assists users in establishing calls, called dialogs in the SIP jargon, by handling and forwarding signaling messages among users, and other SIP servers. In practice, a physical host (SIP server) may assume multiple logical roles, e.g., functioning both as registrars and call proxies.
SIP is a text-based request-response protocol, with a syntax very similar to HTTP, operating on the well-known ports such as tcp/udp 5060 (for the standard SIP) and 5061 (for the secure SIP, SIPs). Hence SIP messages are either of type request or response. The method field is used to distinguish between different SIP operations. The most common methods include REGISTER (for user registration), INVITE, ACK, BYE, CANCEL (these four used for call set-up or tear-down), SUBSCRIBE and NOTIFY (for event notification). Response messages contain a response code informing the results of the requested operations, e.g., 200 OK. The FROM and TO fields in an SIP message contains respectively the SIP URIs of the user where a request message is originated from (e.g., the caller of a call) or destined to (e.g., the callee of a call). In the case of a REGISTER message, both FROM and TO typically contains the SIP URI of the user where the request is originated. Other important fields include VIA and various identifiers and tags to string together various transactions and dialogs. More details can be found in Rosenberg et al., RFC 3261, June 2002 which is incorporated herein by reference.
VoIP offers compelling advantages but it also presents a security paradox. The very openness and ubiquity that make IP networks such powerful infrastructures also make them a liability. Risks include Denial of Service (DoS), Service Theft, Unauthorized Call Monitoring, Call Routing Manipulation, Identity Theft and Impersonation, among others. Not only does VoIP inherit all data security risks, but it introduces new vehicles for threats related to the plethora of new emerging VoIP protocols that have yet to undergo detailed security analysis and scrutiny. But just how serious are the threats posed to VoIP? Recently, there have been a string of attacks against either the VoIP infrastructure or end users. In one such incident, early June of 2006, two men were arrested for fraudulently routing approximately $500,000 worth of calls illegally over the VoIP network belonging to Net2Phone, a Newark, N.J., VoIP provider. Fifteen Internet phone companies were reported as the victims of this attack. More recently, ISS posted a report about a Denial-of-Service vulnerability in the IAX2 implementation of Asterisk, an open source software PBX. This vulnerability relates to the amount of time that a pending (but not yet authenticated) call is allowed to exist in memory on the server. New terms start to be coined over time just for VoIP attacks; “Vishing”, is now used for phishing attacks using VoIP technology, or “Spit”, now used for spam over VoIP. Hence it is imperative for Service Providers to widely deploy scalable monitoring systems with powerful tools across their entire infrastructures such as to robustly shield their VoIP infrastructure and protect their service. Passive packet monitoring and capturing devices may be deployed in the underlying network hosting VoIP services. In addition to capturing the standard layer-3 (IP) and layer-4 (TCP/UDP) header information, it may be desirable to also capture a portion of layer-7 payload containing appropriate application protocol (SIP) fields. The captured packet header and payload information is then processed and parsed for analysis and profiling. Unlike the layer 3/4 header fields which generally have well-defined and limited semantics, the layer-7 application protocol such as SIP has a variety of fields, with rich semantics that are often context-sensitive and sometimes even implementation-specific. For example, with the SIP protocol itself, the meaning of the same fields may depend on the method used. Hence a major challenge in performing layer-7 protocol analysis and behavior profiling is to determine how to judiciously incorporate application-specific semantics or “domain knowledge” to select appropriate set of key features to capture the essential behavior characteristics of the application in question.
Accordingly, there is a need for a general methodology for characterizing and profiling SIP-based VoIP traffic behavior.