Architecture and performance evaluation of a hybrid intrusion detection system for IP telephony

Abstract

Convergence in networks and applications enables carrying voice, video, and other data on the same IP-based infrastructure, and provides various services related to these kinds of data in a unified way. Such a scheme benefits businesses substantially considering the lesser cost of building and managing a single network infrastructure instead of two separate ones. However, the same scheme poses serious threats to security solutions in general, and intrusion detection systems (IDSs) in particular. Inherited flaws and vulnerabilities in TCP/IP protocols at lower layers make voice susceptible to risks it has never been subjected to before in public switched telephone networks (PSTNs). Signaling and data delivery protocols at application layer have their weaknesses too which make breaching of confidentiality and integrity relatively easy. In this paper, we present the design and implementation of a hybrid, host-based intrusion detection system that is suitable for converged environments. Our design is unique in terms of providing an efficient combination of specification-based and signature-based detection techniques. Specification-based and signature-based detection modules provide solid awareness of the semantics as well as the syntax of the protocols involved. Our solution goes beyond addressing the issues of application layer protocols to address transport and network layer protocols as well in a unified way. The feasibility of our design is proven through the excellent detection accuracy and reasonable performance evaluation figures we get from our experiment.