Application of Visual Analysis to Detect and Analyze Patterns in VoIP Attack Traffic

2018 
Voice over IP (VoIP) based on SIP is rapidly replacing classical telephony services as providers worldwide migrate their services to IP-based platforms. However, apart from the benefits for providers and customers, telephony is becoming "just another" Internet application that is vulnerable to multiple attack and misuse scenarios, both well known and novel. In this paper we focus on attempts to compromise SIP accounts in order to misuse them at the expense of the legitimate owner (toll fraud). Such misuse occurs globally and on a massive scale and has already caused significant damage. Our study is based on real SIP attack data collected over several years and on our long-standing expertise in analyzing this data using standard methods. We show that a visual analytics approach using a node-link visualization diagram tool can provide new insights into attacker behavior, particularly with respect to distributed and coordinated attacks from different sources and the specific properties of different popular attack tools. This analysis also revealed the use of SIP INVITE packets for previously unknown purposes in multi-stage attacks. The approach is therefore a valuable and useful addition to the approaches used so far, which are based on statistical analysis or rule-based clustering.