Unsolicited Communication / SPIT / multimedia-SPAM

ETSI Security Workshop. Unsolicited Communication / SPIT / multimedia-SPAM: overview of this topic in different SDOs. Thilo Ewald, NGN Group, NEC Laboratories Europe, NEC Europe Ltd., Heidelberg, Germany. [email protected]

Transcript of Unsolicited Communication / SPIT / multimedia-SPAM

Page 1: Unsolicited Communication / SPIT / multimedia-SPAM

ETSI Security Workshop

Unsolicited Communication / SPIT / multimedia-SPAM

overview of this topic in different SDOs

Thilo Ewald

NGN Group, NEC Laboratories Europe

NEC Europe Ltd., Heidelberg, Germany

[email protected]

Page 2: Unsolicited Communication / SPIT / multimedia-SPAM

© NEC Corporation 2006 (200604) ETSI Security Workshop Jan 08 - 2

Overview

• Problem statement
  – Definition of “Unsolicited communication”
  – Forecast of next generation SPAM?
  – Classification on identifying UC
  – Classification on reacting on UC
  – Possible Deployment scenarios
• Ongoing work
  – IETF
  – ITU
  – 3GPP
  – TISPAN
  – Other..
• NEC’s VoIP SEAL
  – Demonstrator of feasibility to identify and prevent UC for VoIP
• AOB

Page 3: Unsolicited Communication / SPIT / multimedia-SPAM


Problem statement

• SMS/MMS SPAM, SPIT, multimedia-SPAM, etc …
  – Similar wording for the same problem: Unsolicited communication
• Social threat
  – More stress at home and in office
  – Reduced performance at work
  – More difficult to establish communication, e.g. phone switched off to prevent it from ringing
  – Voice mailbox filling with voice spam messages
  – No means to distinguish spam from good voice messages, information lost
• Business
  – Market will develop more slowly
  – Customers will be disappointed by new technology (NGN)

[Figure: ringing phone ("Riiing...Riiing..."); labels: Good call, SPIT calls]

Page 4: Unsolicited Communication / SPIT / multimedia-SPAM


Forecast of next generation SPAM?

• NGN devices will become ubiquitous as em@il accounts nowadays are
  – Number of VoIP subscribers will increase dramatically within the NGN
  – Residential VoIP subscribers growing linearly already since year 2000
• Today em@il SPAM keeps on increasing
  – 3600 spam messages per day for a small enterprise
  – 100 SPAM messages per day for an end user
• Voice SPAM over PSTN in Germany
  – 2 calls per week per residential subscriber
• Conclusion
  – SPIT is ~1000 times cheaper than voice spam over PSTN
  – 2000 SPIT calls per week per residential subscriber!

Page 5: Unsolicited Communication / SPIT / multimedia-SPAM


Classification on identifying UC

• Non-intrusive test
  – Blacklisting / whitelisting
  – Message/Call rate analysis
  – Simultaneous call analysis
  – Call behavior analysis
  – Statistical analysis
  – ...
• Caller interactions
  – Turing test
  – ...
• FB (feedback) before call
  – buddy list integration
  – consent-based communications
  – ...
• FB during call
  – SPIT hang-up button
  – …
• FB after call
  – service center
  – …

[Figure: Stage 1: non-intrusive; Stage 2: caller interaction; Stage 3: feedback before call; Stage 4: feedback during call; Stage 5: feedback after call; labels: knowledge base, callee, system, feedback, General & Personalized, Personalized]

Page 6: Unsolicited Communication / SPIT / multimedia-SPAM


Classification on Reacting on UC

• Legal aspect
  – No operator is allowed to intercept communication attempts
  – Only with contractual power are operators allowed to react on behalf of the customer to communication attempts
• Technical means
  – Block
  – Re-route (i.e. mailbox)
  – Indicate

Page 7: Unsolicited Communication / SPIT / multimedia-SPAM


Possible Deployment scenarios

• UC detection in the NGN network
  – Legacy device
• UC detection in the NGN network
  – IMS device

[Figure, two deployment diagrams; elements: Caller (SPITer), Access network, Access node, Core border, Border gateway, Core network, User profiles, Callee (Bob); functions marked at the elements: Identify, mark, prevent; some marked (Optional)]

Page 8: Unsolicited Communication / SPIT / multimedia-SPAM


Ongoing work in the SDOs

IETF, ITU, 3GPP, TISPAN, Other..

Page 9: Unsolicited Communication / SPIT / multimedia-SPAM


UC in the IETF (SPIT)

• draft-ietf-sipping-spam-03
  – “The Session Initiation Protocol (SIP) and SPAM”
• draft-niccolini-sipping-spitstop
  – Signalling TO Prevent SPIT (SPITSTOP) Reference Scenario
• draft-niccolini-sipping-feedback-spit
  – SIP Extensions for SPIT identification
• draft-jung-sipping-authentication-spit
  – Authentication between the Inbound Proxy and the UAS for Protecting SPIT in the Session Initiation Protocol (SIP)
• draft-schwartz-sipping-spit-saml
  – SPAM for Internet Telephony (SPIT) Prevention using the Security Assertion Markup Language (SAML)
• draft-froment-sipping-spit-authz-policies
  – Authorization Policies for Preventing SPIT

Page 10: Unsolicited Communication / SPIT / multimedia-SPAM


UC in the ITU (multimedia SPAM)

• The ITU is working on the topic "Countering spam by technical means" in ITU-T Study Group 17 - Question 17/17 (Study Period 2005-2008).
• X.ocsip
  – Overview of countering SPAM for IP multimedia application - TD 2499 Rev.1
    This Recommendation specifies basic concepts, characteristics, and effects of spam in IP multimedia applications such as IP telephony, instant messaging, multimedia conference, etc. It provides technical issues, requirements for technical solutions, and the applicability of email spam countering mechanisms to IP multimedia spam. It provides a basis and guideline for developing further technical solutions on countering spam.
• X.fcsip
  – Technical Framework of Countering IP Multimedia SPAM – TD 2498
    This Recommendation will specify the general architecture of a spam countering system for IP multimedia applications such as IP telephony, instant messaging, multimedia conference, etc. It will provide functional blocks of the network entities necessary to counter spam and their functionalities, and describe interfaces among the entities. To build secure sessions against spam attacks, User Terminals and Edge Service Entities such as proxy servers or application servers will be extended to have spam control functions. We will also show interfaces between these extended peer entities, and interfaces with other network entities which can be involved in countering spam.
• X.csreq
  – Requirement on countering SPAM – TD 2496
    Requirements on countering spam are clarified in this Recommendation. There are many types of spam, such as email spam, mobile messaging spam and IP multimedia spam. Various types of spam may have both common and specific requirements on countering them. For one type of spam, the requirements in different entities should also be clarified.

Page 11: Unsolicited Communication / SPIT / multimedia-SPAM


UC in 3GPP (SMS/MMS SPAM)

• ETSI TR 141 031 V6.0.0 / ETSI TS 122 031 V6.0.0 / ETSI TS 123 031 V6.0.0: Fraud Information Gathering System (FIGS)
  – FIGS provides the means for the HPLMN to monitor a defined set of subscriber activities. The aim is to enable service providers/network operators to limit their financial exposure to large unpaid bills produced on subscriber accounts whilst the subscriber is roaming.
• 3GPP TR – XXX XXX: Protection against SMS, MMS and IMS SPAM; Study of Different SPAM Protection Mechanisms
  – This TR studies existing and new mechanisms to limit the effects of SPAM. The following services are considered within the scope of this TR: SMS, MMS, IMS messaging/presence/call and also email messages. The scope is indeed large and ambitious, but as the trend is to converge all media, the anti-SPAM solution has to be adapted to this concept.
  – Investigations based on the 3GPP architecture regarding SMS/MMS/IM SPAM were done.
  – Potential solutions to counter this threat were analyzed and defence mechanisms were proposed.

Page 12: Unsolicited Communication / SPIT / multimedia-SPAM


UC in TISPAN (unsolicited communication)

• ETSI TS 183 016 - MCID (Malicious call identification)
  – This service enables the callee to indicate that an incoming communication is considered to be malicious and it should be identified and registered.
• ETSI TS 186 006-1 - OIR (Originating Identification Restriction)
  – The OIR service enables the originating party to prevent presentation of any network-provided identity to the terminating party, and is applicable to all session-based services of the NGN. The OIR supplementary service is described in.
• ETSI EN 300 798 - ACR (Anonymous Communication Rejection)
  – This service ACR allows a user to reject incoming communications when the caller is anonymous.
• ETSI TS 183 011 - ICB (Incoming Communication Barring)
  – ICB allows a user to block incoming communications based on the identity of the caller.
• TR WI07025 – UC (Feasibility study of preventing unsolicited communication in the NGN)
  – The document WI07025 reports on the feasibility of counteracting the occurrence of Unsolicited Communications (UC) in the NGN. It also addresses the methodologies on preventing the terminating party from receiving UC. The report takes the form of a TVRA and quantifies the likelihood and impact of UC in the NGN where UC is initiated in a variety of forms.
  – A definition of the term unsolicited communication and its context is given as used in NGN.
  – Relevant objectives and requirements are extracted for the NGN architecture, signalling and security.

Page 13: Unsolicited Communication / SPIT / multimedia-SPAM


UC in other SDOs

• GSMA
  – “Mobile Spam Code of Practice”: code of conduct within GSM networks
• OMA
  – OMA has drafted a set of requirements and architecture for Categorization Based Content Screening (CBCS), suggesting among other things usage of the ICAP protocol to transfer content categorization information. Content Screening is defined as the act of blocking, allowing or amending content; thereby, it also includes malware. It is suggested that the OMA requirements and architecture are considered for the unsolicited communication study as appropriate.
  – The current OMA work can be found in the following specifications:
    Categorization Based Content Screening Framework Requirements, Candidate Version 1.0 – 11 July 2006 (a newer one may already exist), Open Mobile Alliance OMA-RD-CBCS-V1_0-20060711-C. The document describes Use Cases for categorization based content screening and high level requirements on the functionality of such a system.
    Categorization-based Content Screening Framework Architecture, Draft Version 1.0 – 28 Aug 2006, Open Mobile Alliance OMA-AD-CBCS-V1_0-20060828-D. The document presents an architectural model for a two-tier solution of a CBCS Enabler. The CBCS Enabler evaluates and/or enforces Screening Rules.

Page 14: Unsolicited Communication / SPIT / multimedia-SPAM


VoIP SEAL (VoIP SEcure Application Layer Firewall)

VoIP SEAL

NEC’s demonstrator for identifying, analyzing and preventing UC in the environment of VoIP

Page 15: Unsolicited Communication / SPIT / multimedia-SPAM


NEC VoIP SEAL™: Characteristics

• Covers multiple aspects of VoIP Security
  – Provide protection against wide range of attacks
• Key issues
  – Flexible protection technology is required
  – Encryption and authentication will not be enough
  – No single method of protection
• Solution
  – VoIP SEcure Application Level firewall (VoIP SEAL)
    – Modular and extensible platform
    – Prevention of SPIT and (D)DoS attacks
    – Multiple different VoIP protection modules cooperate
    – On-line plug-and-play integration of new modules
    – On-line configuration of modules
    – On-line update of modules

[Figure: "now": SIP Proxy; "with NEC solution": SIP Proxy with additional modules (VoIP SEAL); labels: Good call, SPIT calls]

Page 16: Unsolicited Communication / SPIT / multimedia-SPAM


Building Blocks for SPIT Prevention (Classification)

• No interactions with call participants
  – black/white-listing
  – call-rate analysis
  – …
• Caller-side interactions
  – Turing test
  – …
• Feedback from callee before call
  – Import buddy-list
  – Specify personal black/whitelist
  – …
• Feedback from callee during call
  – Special hang-up button
  – …
• Feedback from callee after call
  – IVM-system
  – Special number (i.e. #7748)
  – Web-frontend
  – …

[Figure: Stage 1: non-intrusive; Stage 2: caller interaction; Stage 3: feedback before call; Stage 4: feedback during call; Stage 5: feedback after call; labels: knowledge base, callee, system, feedback]

Page 17: Unsolicited Communication / SPIT / multimedia-SPAM


VoIP SEAL: Characteristics

• Covers multiple aspects of VoIP Security
  – Provide protection against wide range of attacks
• Standard-based
  – SIP-based for Next Generation Networks (NGN)
  – SIP extensions currently entering the standardization process

[Figure: network diagram; elements: VoIP SEAL, Proxy Server, Firewall, Phone, Application Server, Peering Point (SBC); parties: SPIT caller, (D)DoS attacker, Good caller]

Page 18: Unsolicited Communication / SPIT / multimedia-SPAM


VoIP SEAL: Internal Architecture

• VoIP SEAL covers different stages with different modules
  – mix of open and closed loops
• Stage 1 modules are combined using a scoring system
• Stage 2 modules are combined based on the output of the previous stage
• Stage 3/4/5 use the information coming from feedbacks to work in collaboration with Stage 1 modules

[Figure: Stage 1: Module 1, Module 2, ... Module n, Scoring System (+ + +); Stage 2: Dispatcher, Module 1, Module 2, ... Module n; accept / reject; Feedback Processing (Stage 3/4/5); Terminals; VoIP SEAL]
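
An added sketch of the staged decision flow on this slide (not NEC's VoIP SEAL code, whose internals the slides do not show): two stage 1 modules feed a weighted score, a middle score band is dispatched to a stage 2 caller test, and callee feedback updates the blacklist. Class names, weights, thresholds and the example.net address are assumptions.

```python
from collections import defaultdict, deque

class ListModule:
    """Stage 1 module: black/white-listing. Feedback (stage 3/4/5) edits the lists."""
    def __init__(self):
        self.black, self.white = set(), set()

    def score(self, caller, now):
        if caller in self.white:
            return -1.0
        return 1.0 if caller in self.black else 0.0

class CallRateModule:
    """Stage 1 module: call-rate analysis over a sliding time window."""
    def __init__(self, window=60.0, limit=5):
        self.window, self.limit = window, limit
        self.history = defaultdict(deque)

    def score(self, caller, now):
        calls = self.history[caller]
        calls.append(now)
        while now - calls[0] > self.window:   # forget attempts outside the window
            calls.popleft()
        return min(1.0, len(calls) / self.limit)

class SpitFilter:
    """Adds up weighted stage 1 scores, then accepts, rejects or dispatches to stage 2."""
    def __init__(self, reject_at=1.0, test_at=0.5):            # assumed thresholds
        self.lists, self.rate = ListModule(), CallRateModule()
        self.modules = [(self.lists, 1.0), (self.rate, 1.0)]   # assumed weights
        self.reject_at, self.test_at = reject_at, test_at

    def classify(self, caller, now):
        total = sum(w * m.score(caller, now) for m, w in self.modules)
        if total >= self.reject_at:
            return "reject"
        if total >= self.test_at:
            return "stage2"   # suspicious: run a caller-interaction test
        return "accept"

    def report_spit(self, caller):
        """Stage 4/5 feedback, e.g. the callee pressed the SPIT hang-up button."""
        self.lists.black.add(caller)

def demo():
    f = SpitFilter()
    # Constructed call attempts: one caller dialling once per second.
    return [f.classify("sip:bulk@example.net", float(t)) for t in range(5)]
```

With these weights a whitelisted caller can never reach the stage 2 band, and a caller reported once is rejected on the next attempt regardless of call rate.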

Page 19: Unsolicited Communication / SPIT / multimedia-SPAM


Advanced SPIT Prevention Mechanisms

• interact with caller
• analyze signaling messages
• suspicious caller: additional tests

1. Energy level of conversation during greeting/question?
  – Too high: SPIT, block the call
  – Close to zero: process further or accept the call

[Figure: VoIP SEAL between two parties ([email protected], [email protected]); voice signal energy over time for caller and callee across the phases ringing, greeting & question, answer]
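
An added example of the energy check on this slide (not NEC's implementation): it assumes the test measures how much the caller talks while the greeting/question is being played, on 8 kHz PCM split into 20 ms frames. The thresholds and the synthetic audio are constructed for illustration.

```python
import math
import random

RATE = 8000    # samples per second, narrowband telephony (assumed)
FRAME = 160    # 20 ms analysis frame at 8 kHz (assumed)

def frame_rms(frame):
    """Root-mean-square amplitude, used as the frame's energy level."""
    return math.sqrt(sum(s * s for s in frame) / len(frame))

def talk_ratio(pcm, start_s, end_s, rms_threshold=500.0):
    """Share of 20 ms frames in [start_s, end_s) in which the caller is audible."""
    window = pcm[round(start_s * RATE):round(end_s * RATE)]
    frames = [window[i:i + FRAME] for i in range(0, len(window) - FRAME + 1, FRAME)]
    if not frames:
        return 0.0          # no audio captured: nothing speaks against the caller
    active = sum(1 for f in frames if frame_rms(f) > rms_threshold)
    return active / len(frames)

def greeting_test(caller_pcm, greeting_end_s, max_ratio=0.3):
    """Block callers who talk over the greeting/question; pass quiet ones on."""
    if talk_ratio(caller_pcm, 0.0, greeting_end_s) > max_ratio:
        return "block"
    return "process further"

# --- constructed audio, not recordings ---
def tone(seconds, amplitude=6000):
    """Stand-in for speech: a 440 Hz sine at the given amplitude."""
    return [int(amplitude * math.sin(2 * math.pi * 440 * i / RATE))
            for i in range(round(seconds * RATE))]

def line_noise(seconds, seed=1):
    """Stand-in for an open but silent line: low-level random noise."""
    rng = random.Random(seed)
    return [rng.randint(-40, 40) for _ in range(round(seconds * RATE))]

def constructed_callers():
    human = line_noise(2.0) + tone(1.0)   # listens for 2 s, then answers
    bot = tone(3.0)                       # plays its message straight away
    cough = tone(0.2) + line_noise(1.8)   # brief noise, then listens
    return human, bot, cough
```

Using a ratio of active frames rather than total energy keeps a short cough or line click during the greeting from blocking a legitimate caller.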

Page 20: Unsolicited Communication / SPIT / multimedia-SPAM


Screenshot of Prototype GUI

Page 21: Unsolicited Communication / SPIT / multimedia-SPAM


AOB

Question & Answers