Transcript Spammer

Detection and Mitigation of Spam in IP Telephony Networks using Signaling Protocol Analysis
MacIntosh, R.; Vinokurov, D.
IEEE/Sarnoff Symposium on Advances in Wired and Wireless Communication, 2005
April 18-19, 2005

Outline
- Introduction
- Problem description
  - Voice Spam specifics
  - Anonymity
- SPIT scenarios and implications for signaling
- Statistics for signaling
- Conclusion
- Reference

Introduction
- The proposed approach is based on the simple analysis of the VoIP signaling messages (set-up and termination requests).
- Once implemented on the call server, the method enables service providers or enterprises to block external spam sources targeting their voice networks.

Problem description
Voice Spam specifics
- Spam over IP Telephony (SPIT)
- Unsolicited voice messages
- Combination of a telemarketing call and an email spam message
- Consists of two parts: signaling and media data
- Analyzing data content may be not only impractical but also not legal in many cases
- Detect the call as spam before the actual call happens
  - i.e., during the signaling exchange stage

Anonymity
- VoIP technology provides freedom for aliases and anonymity services.
- Incoming calls can be anonymous in the sense that the recipient is unable to determine the actual caller.

Anonymity (cont)
[Figure: diagram with the elements Spammer, B2BUA, Proxy1, Proxy2, SGW1, SGW2, SS7 and User, annotated with header values seen along the path. Labels: "Regular Header Field"; "From: random alias"; "No CallerID, Contact: B2BUA"; "Contact: Session counterpart"; "From: anonymized or non-displayed"; "No CallerID, From: GW2, Contact: GW2"; "No CIN"; "Via: ncnu.edu"; "Via: sell.com"; "Via: gw2.carrier.net".]

SPIT scenarios and implications for signaling
- The detection of spam is based on three main constituents:
  - Signaling routing data of the voice spam.
  - Spam calls are unidirectional.
  - Spam calls' termination behavior is statistically consistent.
- Each call's time and destination must be kept for further analysis.

SPIT scenarios and implications for signaling (cont)
- Five states:
- Persistent telemarketer
  - Call setup requests go from the spammer to recipients, whereas termination requests flow from recipients to the spammer.
  - i.e., telephone polls
- Timer-conscious spammer
  - The telemarketer tries to cover as many recipients as possible, and hangs up when he figures out that his offer is unlikely to be accepted.
  - Call setup and termination requests go in the same direction, from the spammer to recipients.
  - i.e., fax broadcasting falls into this category.

SPIT scenarios and implications for signaling (cont)
- Prerecorded message
  - SPIT is distributed by an automated calling engine as a played message.
  - Call setup and termination requests go in the same direction, from the spammer to recipients.
- Message deposited to the voice mailbox
  - Can either leave the message or terminate the session as soon as the presence of a voice mailbox is detected.
  - Setup and termination requests go from the spammer to the recipient's side.

SPIT scenarios and implications for signaling (cont)
- Calls set by third party

Statistics for signaling
- Every VoIP signaling protocol has its specific session setup and termination requests.
  - For SIP, these are INVITE and BYE respectively
- Detection statistics
- Reaction to detected SPIT
- Limitations of the identity-based statistics

Detection statistics
- Monitor the VoIP signaling traffic on the recipients' access domain Call Server (CS)
[Figure: diagram with the elements Spammer, Call server, Local monitoring module, Monitored network and users.]

Detection statistics (cont)
- Maintain four stateless counters for the number of times that set-up (SET) and termination (TER) requests passed out of and into the monitored network for the calls

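A sketch of the four-counter bookkeeping described above, run over a small signaling log; it is an added example, not code from the paper or the slides. Keying the counters by external identity, the `classify` thresholds and the `.example` SIP identities are assumptions, and the events are constructed.

```python
from collections import defaultdict

KIND = {"INVITE": "set", "BYE": "ter"}  # SIP set-up (SET) / termination (TER)

def tally(events):
    """Four counters per external identity; no per-call state is kept.

    events: (method, direction, peer) tuples, direction "in" = request entering
    the monitored network, "out" = request leaving it.
    """
    table = defaultdict(lambda: dict(set_in=0, set_out=0, ter_in=0, ter_out=0))
    for method, direction, peer in events:
        kind = KIND.get(method)
        if kind and direction in ("in", "out"):
            table[peer][f"{kind}_{direction}"] += 1
    return dict(table)

def classify(c, min_calls=20, max_return=0.05, consistency=0.9):
    """Assumed decision rule; thresholds are illustrative, not from the paper."""
    if c["set_in"] < min_calls:
        return "too-few-calls"
    if c["set_out"] > max_return * c["set_in"]:
        return "normal"  # set-up requests flow both ways
    ter = c["ter_in"] + c["ter_out"]
    if ter == 0 or max(c["ter_in"], c["ter_out"]) < consistency * ter:
        return "normal"  # termination side is not consistent
    if c["ter_in"] >= c["ter_out"]:
        return "spit-caller-terminates"    # SET and TER both inbound
    return "spit-recipient-terminates"     # SET inbound, TER outbound

def sample_events():
    """Constructed signaling log for four hypothetical external identities."""
    a, b = "sip:promo@bulk.example", "sip:poll@survey.example"
    c, d = "sip:office@partner.example", "sip:friend@home.example"
    return (
        [("INVITE", "in", a)] * 30 + [("BYE", "in", a)] * 30
        + [("INVITE", "in", b)] * 25 + [("BYE", "out", b)] * 24 + [("BYE", "in", b)]
        + [("INVITE", "in", c)] * 25 + [("INVITE", "out", c)] * 20
        + [("BYE", "in", c)] * 22 + [("BYE", "out", c)] * 23
        + [("INVITE", "in", d)] * 3 + [("ACK", "in", d)] * 3  # ACK is ignored
    )

def report(events):
    return {peer: classify(c) for peer, c in tally(events).items()}

if __name__ == "__main__":
    for peer, verdict in report(sample_events()).items():
        print(f"{verdict:26} {peer}")
```
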
Detection statistics (cont)
[Figure: plot of the series Sx and Tx; y-axis: count (hundred), x-axis: second.]

Reaction to detected SPIT
- Warning
  - display the text warning on the phone, use special ringing tone
- Call delay
  - switch the caller to the recipient's voice mail, reject the request and report the callerID and the call at a later time as a missed one
- Call cancellation
  - drop the call setup on behalf of the recipient

Limitations of the identity-based statistics
- The spammer can try to hide his real identity from the recipient.
- The spammer could be a temporarily assumed username.
- An assumption that could be made is that the spammer is constant for a reasonable time period; however, this is the most serious limitation for any approach based on statistics per user.

Conclusion
- The SPIT detection and blocking method presented in this paper has a number of technological advantages.
- It relies exclusively on the local policy of the service provider or enterprise protecting its voice network, and can be implemented as a stand-alone module in various elements of the voice network.

Reference
- Signaling system 7 (SS7): Encyclopedia of Technology Terms
- RFC 3515: The Session Initiation Protocol (SIP) Refer Method
- RFC 3398: Integrated Services Digital Network (ISDN) User Part (ISUP) to Session Initiation Protocol (SIP) Mapping
- B2BUA (draft-marjou-sipping-b2bua-00): Requirements for a Session Initiation Protocol (SIP) Transparent Back-To-Back User-Agent (B2BUA)