Distributed Stateful Intrusion Detection for Voice Over IP
Abstract
An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs.
20 Claims
1. A method comprising generating a signal that indicates a potential intrusion when a protocol fails to enter a first state at a first node within δ seconds of said protocol entering a second state at a second node, wherein δ is a positive real number. (Dependent claims: 2, 3, 4, 5, 19, 20)
6. A method comprising generating a signal that indicates a potential intrusion when a protocol enters a first state at a first node within δ seconds of said protocol entering a second state at a second node, wherein δ is a positive real number. (Dependent claims: 7, 8, 9, 10)
11. A method comprising generating a signal that indicates a potential intrusion when a protocol is in a first state at a first node within δ seconds of said protocol being in a second state at a second node, wherein δ is a positive real number. (Dependent claims: 12, 13, 14, 15)
16. A method comprising:
- establishing a timeout when a protocol enters a first state at a first node; and
- generating a signal that indicates a potential intrusion when said timeout expires prior to an indication that said protocol enters a second state at a second node.
(Dependent claims: 17, 18)
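The cross-node timing checks of claims 1, 6 and 16, enforced by a session-wide monitor in the role of the abstract's "global" FSM, as an added Python example that is not code from the patent. The node labels, state names, δ values and class names are assumptions; so are reading "within δ seconds of" in claim 6 as "up to δ seconds after", and treating a required state entered up to δ seconds before the trigger as satisfying the constraint.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str      # "require" (claims 1 and 16) or "forbid" (claim 6)
    trig: tuple    # (node, state) whose entry opens the delta window
    target: tuple  # (node, state) that must / must not be entered in the window
    delta: float   # window length in seconds, > 0

class GlobalMonitor:
    """Session-wide monitor fed by per-node protocol FSMs (illustrative design)."""
    def __init__(self, rules):
        self.rules, self.timers = list(rules), []  # timers: (deadline, rule)
        self.entered, self.alerts = {}, []         # entered: (node, state) -> last entry time

    def tick(self, now):
        """Expire timers whose target state was not entered by the deadline."""
        for deadline, r in [x for x in self.timers if x[0] < now]:
            self.alerts.append((deadline, f"{r.target} not entered within {r.delta}s of {r.trig}"))
        self.timers = [x for x in self.timers if x[0] >= now]

    def observe(self, t, node, state):
        """Record that `node` entered `state` at time t; events arrive in time order."""
        self.tick(t)
        key = (node, state)
        self.entered[key] = t
        # Entering the target state in time cancels the matching timers.
        self.timers = [(d, r) for d, r in self.timers if r.target != key]
        for r in self.rules:
            seen = self.entered.get(r.trig if r.kind == "forbid" else r.target)
            recent = seen is not None and t - seen <= r.delta
            if r.kind == "require" and r.trig == key and not recent:
                self.timers.append((t + r.delta, r))  # target not seen yet: arm timeout
            elif r.kind == "forbid" and r.target == key and recent:
                self.alerts.append((t, f"{key} entered {t - seen:.1f}s after {r.trig}"))

def run(rules, events, end):
    """Replay (time, node, state) events, then advance the clock to `end`."""
    mon = GlobalMonitor(rules)
    for ev in events:
        mon.observe(*ev)
    mon.tick(end)
    return mon.alerts

# Constructed sample data: node labels and state names are assumptions.
RULES = [Rule("require", ("caller", "terminated"), ("callee", "terminated"), 2.0),
         Rule("forbid", ("caller", "terminated"), ("callee", "established"), 5.0)]
NORMAL = [(0.0, "caller", "established"), (0.1, "callee", "established"),
          (9.0, "caller", "terminated"), (9.3, "callee", "terminated")]
ONE_SIDED = NORMAL[:3]  # callee never leaves "established"
```

Each event in ONE_SIDED is a legal transition for the node that reports it, so neither per-node FSM objects; only the session-wide timer notices that the two nodes disagree about the call.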
Specification