Social Behavior Analysis of VoIP Users and its application to Malicious Users Detection (Extended Version – V1.0)
Ferdous, Raihana;
2014-01-01
Abstract
IP telephony has become very popular, and Session Initiation Protocol (SIP)-based telephony systems are close to replacing traditional PSTN systems. Because the protocol is so widespread and ubiquitous, its resilience and security in the presence of incorrect, malformed or malicious messages is fundamental for the correct management of a network. This is of particular importance for session-based applications, since they appear to be very sensitive not only to malicious attacks, but also to errors and even to incorrect interpretation of the standard. In-depth knowledge of network behavior is a primary requirement for designing and tuning any attack or anomaly detection system. In the context of VoIP, traffic analysis plays a very significant role because, unlike traditional telephony, SIP-based VoIP traffic does not follow any generic model that describes its characteristics. To this end, we have performed a thorough analysis of SIP traces captured from the VoIP network of our institution. Here, we use social network analysis techniques to capture the relationship behavior of users and to explore distinct behavioral patterns of users inside the VoIP network. Knowledge about the normal behavior of the system and its users, gained from the traffic analysis, is helpful in detecting intrusions and anomalies. In this paper, we also present an anomaly detection architecture in which we train an automated machine with the normal behavioral pattern of the users. The machine, thus trained, is capable of identifying malicious users.

File | Size | Format |
---|---|---|
TR-DISI-14-001.pdf (access: archive managers; license: DRM not defined) | 1.68 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.