Nemea-Detectors/voip_fraud_detection at master · CESNET/Nemea-Detectors

History

Name		Name	Last commit message	Last commit date
parent directory ..
AUTHORS		AUTHORS
ChangeLog		ChangeLog
Makefile.am		Makefile.am
NEWS		NEWS
README		README
bootstrap.sh		bootstrap.sh
cache_node_no_attack.c		cache_node_no_attack.c
cache_node_no_attack.h		cache_node_no_attack.h
configuration.h		configuration.h
country.c		country.c
country.h		country.h
data_structure.c		data_structure.c
data_structure.h		data_structure.h
doxygen.conf		doxygen.conf
mainpage.dox		mainpage.dox
output.c		output.c
output.h		output.h
prefix_examination.c		prefix_examination.c
prefix_examination.h		prefix_examination.h
voip_fraud_detection.c		voip_fraud_detection.c
voip_fraud_detection.h		voip_fraud_detection.h

README

voip_fraud_detection module
============================================================================
Author: Lukas Truxa <truxaluk@fit.cvut.cz>, 2014

Module detecting fraud in VoIP telephony - in SIP communication.

Firstly, it detects testing prefix enumeration in telephone numbers.
Secondly, it stores information about countries to which individual IP
address calling. Module warnings, if is detected calling to different
country.

Optional parameters:
--------------------
   -l  : path to log file
   -e  : event_id file (it can be "disabled")
   -c  : countries file (it can be "disabled")
   -m  : maximum prefix length
   -d  : minimum length of called number
   -s  : detection interval in seconds
   -t  : prefix examination detection threshold
   -o  : disable detection of calling to different country
   -a  : set learning mode for detection of calling to different
         country for defined period in seconds
   -w  : disable saving new country after calling to different
         country (every new calling will be reported repeatedly)
   -p  : detection pause after attack in seconds
   -q  : limit of maximum item in prefix tree for one IP address
   -x  : time in seconds after it will be clear data without
         communication
   -n  : path to prefix examination statistic file

Interfaces:
-----------
   Inputs: 1 (UniRec template: <COLLECTOR_FLOW>,<VOIP>)
   Outputs: 1 (UniRec template: <VOIP_FRAUD_ALERT>)

A) When prefix enumeration attack is detected, module sends message to output
   interface with fields:

   EVENT_ID, EVENT_TYPE (=EVT_T_VOIP_PREFIX_GUESS), SRC_IP, DETECTION_TIME,
   TIME_FIRST, VOIP_FRAUD_SIP_TO, VOIP_FRAUD_USER_AGENT,
   VOIP_FRAUD_PREFIX_LENGTH, VOIP_FRAUD_INVITE_COUNT,
   VOIP_FRAUD_PREFIX_EXAMINATION_COUNT, VOIP_FRAUD_SUCCESSFUL_CALL_COUNT

B) Warning message about calling to different country contains fields:

   EVENT_ID, EVENT_TYPE (=EVT_T_VOIP_CALL_DIFFERENT_COUNTRY), SRC_IP, DST_IP,
   DETECTION_TIME, VOIP_FRAUD_SIP_TO, VOIP_FRAUD_SIP_FROM,
   VOIP_FRAUD_USER_AGENT, VOIP_FRAUD_COUNTRY_CODE

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

voip_fraud_detection

voip_fraud_detection

README

Files

voip_fraud_detection

Directory actions

More options

Directory actions

More options

Latest commit

History

voip_fraud_detection

Folders and files

parent directory

README