%0 Conference Proceedings
%T Using Application-Aware Flow Monitoring for SIP Fraud Detection
%+ CESNET [Prague]
%+ Brno University of Technology [Brno] (BUT)
%+ Faculty of Information Technology [Prague] (FIT CTU)
%A Cejka, Tomas
%A Bartos, Vaclav
%A Truxa, Lukas
%A Kubatova, Hana
%Z Part 3: Security, Privacy, and Measurements
%< peer-reviewed
%( Lecture Notes in Computer Science
%B 9th Autonomous Infrastructure, Management, and Security (AIMS)
%C Ghent, Belgium
%Y Steven Latré
%Y Marinos Charalambides
%Y Jérôme François
%Y Corinna Schmitt
%Y Burkhard Stiller
%I Springer
%3 Intelligent Mechanisms for Network Configuration and Security
%V LNCS-9122
%P 87-99
%8 2015-06-22
%D 2015
%R 10.1007/978-3-319-20034-7_10
%Z Computer Science [cs]
%Z Computer Science [cs]/Networking and Internet Architecture [cs.NI]
%Z Conference papers
%X Flow monitoring helps to discover many network security threats targeted at various applications or network protocols. In this paper, we show the use of flow data for analysis of Voice over IP (VoIP) traffic and threat detection. A traditionally used flow record is insufficient for this purpose and was therefore extended with application-layer information. In particular, we focus on the Session Initiation Protocol (SIP) and a type of toll fraud in which an attacker tries to exploit poor configuration of a private branch exchange (PBX). The attacker’s motivation is to make unauthorized calls to PSTN numbers that are usually charged at high rates and owned by the attacker. As a result, a successful attack can cause a significant financial loss to the owner of the PBX. We propose a method for stream-wise and near real-time analysis of SIP traffic and detection of the described threat. The method was implemented as a module of the Nemea system and deployed on a backbone network. It was evaluated using simulated as well as real attacks.
%G English
%Z TC 6
%Z WG 6.6
%2 https://hal.science/hal-01410154/document
%2 https://hal.science/hal-01410154/file/978-3-319-20034-7_10_Chapter.pdf
%L hal-01410154
%U https://hal.science/hal-01410154
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC6
%~ IFIP-AIMS
%~ IFIP-WG6-6
%~ IFIP-LNCS-9122