A Privacy-Preserving Entropy-Driven Framework for Tracing DoS Attacks in VoIP

Zisis Tsiatsikas, Dimitris Geneiatakis, Georgios Kambourakis and Angelos D. Keromytis

Dept. of Inform. and Comm. Systems Engineering, University of the Aegean, Karlovassi, Greece. Email: {tzisis,gkamb}@aegean.gr
Institute of the Protection and Security Citizen, Joint Research Center, Ispra, Italy. Email: dimitrios.geneiatakis@jrc.ec.europa.eu
Department of Computer Science, Columbia University, New York, USA. Email: angelos@cs.columbia.edu

Abstract: Network audit trails, especially those composed of application layer data, can be a valuable source of information regarding the investigation of attack incidents. Nevertheless, the analysis of log files of large volume is usually both complex (slow) and privacy-neglecting. Especially when it comes to VoIP, the literature on how audit trails can be exploited to identify attacks remains scarce. This paper provides an entropy-driven, privacy-preserving, and practical framework for detecting resource consumption attacks in VoIP ecosystems. We extensively evaluate our framework under various attack scenarios involving single and multiple assailants. The results obtained show that the proposed scheme is capable of identifying malicious traffic with a false positive alarm rate of up to 3.5%.

Keywords: Session Initiation Protocol, Entropy, Abnormal Traffic, DoS, Anonymity.

I. INTRODUCTION

Session Initiation Protocol (SIP) [1] is considered the predominant signaling protocol in Voice over IP (VoIP) ecosystems. In fact, SIP follows the request/response model used in HTTP, thus making it easy to construct and decode its messages. This high degree of freedom makes SIP services prone to a variety of attacks already covered in the literature in great detail [2]–[6]. In this context, various mechanisms have been proposed to shield the provided multimedia services from attacks and misuses.
Nevertheless, in most cases, security evaluation approaches do not take into account the existing audit trails, mainly due to the lack of appropriate tools for examining them. Consequently, it might be mistakenly assumed that the underlying services are secure, while in fact they are prone to several security attacks, e.g., resource consumption or other types of Denial of Service (DoS). These attacks may remain hidden, due to their low impact for example, but they do lurk in the provided service. Note that vulnerability assessment tools such as Nessus (www.nessus.org) and Retina (www.eeye.com) can be used to evaluate system security. However, these tools cannot be used in cases where it is required to prove that the systems are free from attacks.

From time to time, various researchers, organizations, and expert groups have highlighted the merit of using audit trails in security analysis. For instance, the National Institute of Standards and Technology (NIST) in [7] mentions that, in conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations and flaws in applications. On the other hand, personal data contained in audit trails are subject to various legal restrictions and regulations. This is because the exposure of sensitive personal information contained in audit trails to unauthorized entities facilitates several malicious acts that clearly violate the users' private sphere [8]–[11]. The most obvious is that an ill-motivated actor is able to obtain access to the user's real identity and to observe which services are being accessed by them, thus violating the principle of user anonymity [12], [13]. In the long term, when this kind of information is systematically collected, the user can be profiled and sensitive information (e.g., preferred services) can be inferred.
Various research works [14]–[18] have been dedicated to the identification of resource consumption attacks as a part of network Intrusion Detection Systems (IDS). However, very few focus on the analysis of VoIP audit trails to identify and distinguish uncommon or suspicious traffic. In this context, the potential of using entropy towards detecting attack incidents has not been totally neglected by the research community. For instance, an entropy-based solution has been proposed in [19] to detect IP spoofing DoS attacks by monitoring the distribution of destination/source IP addresses. Similar methods can also be utilized in VoIP services to analyse audit trails (or real data traffic), but their scope is narrowed down to the IP level only. Nevertheless, data coming from the application layer is usually rich in information that can be processed towards identifying security incidents. As further explained in Section V, the only published work that touches upon this subject is presented in [20].

In a nutshell, audit trails, especially those of large volume as in the case of multimedia services, are rarely utilized properly so as to prove service abuse. As already pointed out, this is mainly due to privacy restrictions. Therefore, as a general rule, any solution focusing on digital forensic analysis should deduce the security level of services with respect to audit trails (as well), but it is important to do so without violating the privacy of the end-user.

In this paper, we capitalize on the idea proposed in [21] and introduce an entropy-driven algorithm for audit trail analysis
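As an added illustration of the entropy idea from [19] carried up to the SIP application layer (example code written for this page, not the paper's own algorithm or data): the sender identity of each request in a window of audit-trail lines is replaced by a keyed-hash pseudonym, and the normalized Shannon entropy of the resulting distribution is compared against a threshold. The one-line-per-request trace format, the HMAC key and the threshold are assumptions; the log lines are constructed.

```python
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed SIP audit-trail format (an assumption, not the paper's trace layout):
# one INVITE per line followed by its From header.
LINE_RE = re.compile(r"^INVITE\s+\S+\s+SIP/2\.0\s+From:\s*<([^>]+)>")


def normal_window():
    # Eight calls from eight different users: maximal sender diversity.
    return ["INVITE sip:callee%d@example.org SIP/2.0 From: <sip:user%d@example.org>"
            % (i, i) for i in range(8)]


def flood_window():
    # Seven requests from a single sender plus one legitimate call.
    return (["INVITE sip:callee%d@example.org SIP/2.0 From: <sip:flooder@example.org>"
             % i for i in range(7)]
            + ["INVITE sip:callee9@example.org SIP/2.0 From: <sip:user9@example.org>"])


def pseudonymize(uri, key):
    # Keyed hash: the analyst works with a stable token, never the real SIP identity.
    return hmac.new(key, uri.encode(), hashlib.sha256).hexdigest()[:16]


def sender_entropy(lines, key):
    """Normalized Shannon entropy in [0, 1] of the pseudonymized sender distribution.
    1.0 means every request came from a distinct sender, 0.0 means a single sender."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[pseudonymize(m.group(1), key)] += 1
    total = sum(counts.values())
    if total < 2:
        return 1.0  # too few requests to measure diversity
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(total)


def flag_window(lines, key, threshold=0.5):
    """True when sender diversity in the window collapses below the threshold."""
    return sender_entropy(lines, key) < threshold


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("normal window entropy:", round(sender_entropy(normal_window(), key), 3))
    print("flood window entropy: ", round(sender_entropy(flood_window(), key), 3))
```

Because the pseudonym is a keyed hash, the same sender maps to the same token within a window, so the entropy computed over tokens equals the entropy over real identities without those identities ever leaving the log store.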