DocumentCode :
2075689
Title :
Improved detection and correlation of multi-stage VoIP attack patterns by using a Dynamic Honeynet System
Author :
Hoffstadt, Dirk ; Wolff, Niels ; Monhof, Stefan ; Rathgeb, Erwin
Author_Institution :
Comput. Networking Technol. Group, Univ. of Duisburg-Essen, Essen, Germany
fYear :
2013
fDate :
9-13 June 2013
Firstpage :
1968
Lastpage :
1973
Abstract :
Security issues like service misuse and fraud are well-known problems of SIP-based networks. To develop effective countermeasures, it is important to know how these attacks are launched in reality. For gathering the required data, a specialized SIP Honeynet System has been running since January 2009 and has recorded over 58 million SIP messages. The analyses have shown that SIP-based misuse is typically performed as a multistage attack and the IP address of the attacker changes before the actual Toll Fraud calls. To be able to correlate all attack stages despite intermediate changes of the attacker's IP address we developed the new Dynamic Honeynet System (DHS), which reacts according to the attackers' behaviour and uses a dynamic Honeypot configuration in real-time to significantly improve the detection efficiency. We present the architecture and new features such as dynamic reconfiguration and demonstrate its attack correlation capabilities. We developed a Sensor component to realize this system. The Sensor provides active monitoring based on signatures to detect attacks in real-time and controls the dynamic Honeypot.
Keywords :
Internet telephony; computer network security; fraud; signalling protocols; DHS; IP address; SIP honeynet system; SIP messages; SIP-based misuse; SIP-based networks; active monitoring; attack correlation; attackers behaviour; dynamic honeynet system; dynamic honeypot configuration; dynamic reconfiguration; multistage VoIP attack patterns; sensor component; session initiation protocol; toll fraud calls; Authentication; Correlation; IP networks; Monitoring; Real-time systems; Registers; Servers; SIP; VoIP; attacks; fraud; honeynet; misuse; security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications (ICC), 2013 IEEE International Conference on
Conference_Location :
Budapest
ISSN :
1550-3607
Type :
conf
DOI :
10.1109/ICC.2013.6654812
Filename :
6654812