A Novel Protocol Design and Collaborative Forensics Mechanism for VoIP Services

Hsien-Ming Hsu, Feng-Yu Lin, Yeali S. Sun
Dept. of Information Management, National Taiwan University, Taipei, Taiwan
Email: {d94002, d95003, sunny}@im.ntu.edu.tw

Meng Chang Chen
Institute of Information Science, Academia Sinica, Taipei, Taiwan
Email: mcc@iis.sinica.edu.tw

Abstract—The simplicity and low cost of Voice over Internet Protocol (VoIP) services have made these services increasingly popular as the Internet has grown. Unfortunately, these advantages of VoIP are attractive to both legitimate and nefarious users, and VoIP is often used by criminals to communicate and conduct illegal activities (such as fraud or blackmail) without being intercepted by Law Enforcement Agencies (LEAs). However, VoIP can also increase the efficiency of law enforcement and forensic collaboration. Currently, VoIP researchers have proposed only a framework for this type of partnership and have yet to provide a common protocol for forensic Internet collaboration. As a result, Internet-based collaboration between agencies is not widespread. Building on the Collaborative Forensics Mechanism (CFM) and the procedures of collaborative forensics work, this paper designs a novel application-layer Collaborative Forensics Protocol (CFP) to close the current framework-protocol gap. CFP exchanges collaborative request and response messages between collaborative forensics region centers (CFRCs) to acquire collaborative forensics information. We present a procedure for collaborative forensics and discuss the details of the protocol design. In addition, we discuss how a PKI working with CFM defends against various types of attacks, and we analyze the features of CFP.

Index Terms—SIP, VoIP, Security, Collaborative Forensics, Mechanism, Protocol Design, Traceback

I. INTRODUCTION

Over the last several decades, the Public Switched Telephone Network (PSTN) has dominated voice communications.
Due to their simplicity and low cost, network telephony systems, especially VoIP services, have become popular as the Internet has grown and may one day even replace the PSTN. While VoIP services have brought many desirable communication features to the general public, they have also become a medium through which criminals communicate and conduct illegal activities (fraud and blackmail) without being intercepted by law enforcement agencies (LEAs). As a telephony system based on the Session Initiation Protocol (SIP) [1] over packet-switched technology, VoIP shares the major drawbacks of other services that use the Internet Protocol (IP) [2], particularly their vulnerability to security threats.

In an effort to offer convenient and secure networking services, researchers have proposed various defensive mechanisms over the past few years, such as intrusion detection systems (IDSs) [3], [4], [5], [6] and prevention mechanisms (PMs) [7], [8], [9], [10]. These mechanisms, however, are inadequate for today’s Internet. While they prevent illegal activity before or during criminal acts, both types of mechanisms require prior indications of the kind of attack taking place in order to provide proper security. Unfortunately, attacks are often conducted without any forewarning, so these defense mechanisms do not completely secure networks.

In light of these shortcomings, our previous work [11] proposed a collaborative forensics framework, named SKYEYE, that can automatically collect, associate, manage, and link information in order to reconstruct criminal acts. By correlating related events, we can determine how a network incident (i.e., a crime or attack) occurred, including its origin, the method used, and the people responsible. In [12], we extended SKYEYE into a collaborative forensics mechanism (CFM) to enhance the detection and defensive ability of IPs for preventing attacks.
CFMs serve as complements to IDSs, PMs, and traceback mechanisms. While PMs prevent attacks, IDSs detect attacks, and traceback mechanisms trace the identities and geo-locations of the perpetrators, CFMs determine how the attacks were conducted and recover the indications of the attacks. These attack indications may then be used by IDSs and PMs to enhance the detection and defensive ability of the network. In addition, CFMs produce local events (LEvs) for potential forensic investigations without forging header field values (HFVs). Required cross layers are recorded using the components

Manuscript received October 31, 2010; revised June 3, 2011; accepted August 9, 2011. This research was partly supported by NSC Taiwan under grant NSC98-2221-E-001-005-MY3.

132 JOURNAL OF COMMUNICATIONS, VOL. 7, NO. 2, FEBRUARY 2012
© 2012 ACADEMY PUBLISHER doi:10.4304/jcm.7.2.132-142