An intrusion is when an unauthorized user (e.g., a “hacker,” etc.) attempts to break into or misuse (e.g., steal confidential data, etc.) a computer system. An intrusion-detection system (IDS) monitors messages (e.g., packets, etc.) incoming to a computer system and outgoing from the computer system, and based on these messages tries to determine whether an intrusion is being attempted. An intrusion-detection system might conclude that an intrusion attempt is in progress when an atypical or suspicious sequence of messages occurs, or when a sequence of messages matches a known “intrusion signature.”
FIG. 1 depicts a schematic diagram of telecommunications system 100 in accordance with the prior art. As shown in FIG. 1, telecommunications system 100 comprises internal network 101 (e.g., a corporate metropolitan-area network, a residential local-area network, etc.), which receives messages via an external network (e.g., the Internet, etc.) and sends messages via the external network to external data-processing systems.
FIG. 2 depicts a schematic diagram of the elements of internal network 101, in accordance with the prior art. As shown in FIG. 2, internal network 101 comprises: intrusion-detection system 202, firewall 203, and computer systems 204-1 through 204-N, where N is a positive integer, interconnected as shown.
Each computer system 204-n, where nε1, 2, . . . , N, might be a personal computer, a server, a laptop computer, a personal digital assistant (PDA) with wireless local-area network communication capability, etc.
An incoming message that is directed to computer system 204-n, where nε1, 2, . . . , N, first passes through firewall 203, which inspects the message and decides whether to block the message from reaching its destination or to let the message through based on rules in a rule set. Examples of rules include: block all messages from domain badguys.com; block all messages except those of a certain protocol type; etc.
If firewall 203 lets the incoming message through, then intrusion-detection system 202 subsequently receives the message and inspects it. Intrusion-detection system 202 provides an additional layer of security by detecting intrusion attempts that comprise one or more messages that are allowed through firewall 203. For example, firewall 203 might restrict external access to a web server in internal network 101 to port 80, but without an intrusion-detection system, it might be possible to attack the web server itself via legitimate traffic through port 80 due to bugs in the web server software (e.g., ColdFusion, Apache, etc.). As an analogy, firewall 203 acts as a “fence” around internal network 101. A fence provides security but does not have the ability to detect when someone is trying to break in (e.g., by digging an underground tunnel, etc.). Intrusion-detection system 202, however, is able to recognize some break-in attempts that firewall 203 cannot detect.
Voice over Internet Protocol (VoIP) systems transmit voice traffic over packet-switched Internet Protocol (IP) data networks in lieu of circuit-switched telephony networks (e.g., the Public Switched Telephone Network, etc.). Typically, Voice over Internet Protocol systems are based one of two main protocols: H323 and Session Initiation Protocol (SIP). In both types of systems, VoIP user agents at the calling and called telecommunications terminals (e.g., hardphones, softphones, etc.) send and receive packets that contain encoded voice signals in accordance with the Real-time Transport Protocol (RTP). In addition, a VoIP gateway might employ a media management protocol such as the Media Gateway Control Protocol (MGCP) or MEGACO/H.248 in order to translate traffic transparently between an IP-based network and a non-IP-based network (e.g., between a PSTN phone and an IP phone, etc.).
A major advantage of VoIP is that it enables the convergence of voice and data networks. By migrating voice traffic to data networks, however, the voice network becomes vulnerable to intrusions and other attacks (e.g., denial-of-service attacks, authentication attacks, etc.) that compromise privacy, quality of service, and accurate billing. Furthermore, due to characteristics of Voice over Internet Protocol systems, some intrusion-detection systems of the prior art provide inadequate security against intrusions that employ VoIP packets (i.e., VoIP-based intrusions).
What is needed is an intrusion-detection system that is able to detect VoIP-based intrusion attempts, as well as some other kinds of intrusion attempts that exhibit some of the same characteristics as VoIP-based intrusions.