Voice over IP SDRS: A Voice-over-IP Spam Detection and Reaction System An expected surge in spam over Internet telephony (SPIT) requires a solution that incorporates multiple detection methods and reaction mechanisms, enabling greater flexibility and customization. BERTRAND n general, “spam” describes information, often (For more on ex- MATHIEU dubious in nature, sent to numerous recipients isting detection Orange Labs without their prior consent. Although the term schemes, see the “Related Work in Fighting VoIP typically refers to emails about hot stocks, revo- Spam” sidebar on p. 57.) The SPIT Detection and Re- SAVERIO Ilutionary medicine, or adult content, spam can apply action System (SDRS) also takes into account users’ NICCOLINI to all kinds of messages. Examples range from tele- and operators’ preferences. NEC Europe marketing calls and short message service texts to bulk mail and faxes. Email vs. VoIP Spam DORGHAM Since the first incident in the early ’90s, Internet Why the expected surge in SPIT? Compared with SISALEM spam has increased significantly. Of all exchanged email, using voice calls offers spammers a wider range Tekelec mail, spam’s portion has risen from less than 10 per- of use scenarios: cent in 2001 to more than 80 percent today, accord- ing to statistics from antispam organizations such as • Passive marketing. Most spam email offers fall into Spam-O-Meter.com. this category. With SPIT, a prerecorded voice or Session Initiation Protocol (SIP)1 has established voice/video message presents the sales pitch. Once a itself as the de facto standard for voice-over IP (VoIP) recipient accepts a call, the system delivers the con- services in fixed and mobile environments. From a tent as a media stream. technological viewpoint, SIP-based VoIP services • Interactive marketing. These are the standard telemar- show a greater resemblance to email than to tradi- keting calls in which a live caller tries to sell goods tional telephony systems. Hence, with SIP services or services, such as insurance or financial services, gaining in popularity, spammers likely will misuse to a callee. services as they do email—a practice known as spam • Call back. In this method of fraud common to mobile over Internet telephony (SPIT). networks, the fraudster calls a mobile phone number This probable exponential increase in spam re- but hangs up just before the callee answers. Out of quires mitigating SPIT in its early stages. Solutions curiosity, the callee returns the call, unaware that it’s a are even more critical because of SPIT’s threat to us- premium phone number, and incurs a hefty charge. ers’ trust in VoIP in general. Lack of confidence in secure and trusted infrastructures would slow down Although spammers can conduct these types of un- VoIP adoption. solicited calls using traditional public switched telephone Our solution framework combines well-known network (PSTN) telephony services, SIP offers advan- detection schemes, such as blacklists and white lists, tages in cost, scope, identity hiding, and regulation. with methods based on statistical traffic analysis, such The difference between per-minute costs for VoIP as the number and duration of calls a user conducts. and PSTN is vanishing in some countries, such as Ger- 52 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/08/$25.00 © 2008 IEEE ■ IEEE SECURITY & PRIVACY Voice over IP many and the US, but the cost gap in many regions is 1 still significant. That said, even with equal per-minute prices, a spammer using a flat-rate DSL line with 2 0.9 Mbits can conduct about 30 calls in parallel using 0.8 VoIP. For PSTN, this level of efficiency would gener- 0.7 ally require more expensive PSTN lines. Furthermore, SPIT can use software running on off-the-shelf PCs, ) 0.6 whereas PSTN requires special hardware. 0.5 Cost benefits also affect scope. Launching an in- ternational spam campaign using PSTN can be rather People (% 0.4 expensive. With VoIP, however, a spammer can sub- 0.3 scribe to a flat-rate service abroad at costs similar to a national campaign. A spammer in Germany, for ex- 0.2 ample, can use a US VoIP service. 0.1 SIP-based services also make it easier to conceal a spammer’s identity. Using open-relay servers and 0 100 101 102 103 104 forging headers makes identity hiding in email rather simple. High bandwidth usage when sending mil- Number of calls per month lions of messages over the same Internet access would probably alert the ISP to possible misuse. However, Figure 1. Number of calls during a one-month period. An excessive number to avoid arousing suspicion, a spammer can distrib- of calls from one user can indicate a possible spitter. ute the load by using a botnet comprising thousands of bots.2 With spam over PSTN, disguising this high call volume is more difficult. Although the spammer The average number of calls per user was about can anonymize calls, the operator can trace the calls’ two and a half per working day (Monday through Fri- origin and block them. In this regard, SIP-based ser- day) and about two per weekend day. The maximum vices are more like email services. The spammer can number of calls for a single user was about 20 per use botnets for distributing the load and relay the SIP day, a figure still small enough to fall into the normal request over SIP proxies, which relay requests without range for users such as teenagers. For a telemarketing authenticating them first. service, the number of calls would be higher. System If a spammer’s identity is discovered, VoIP offers administrators could therefore specify a maximum ac- a way around government regulations and steep pen- ceptable value for the number of calls (for example, alties. Although the number of telemarketing calls more than 30) before classifying the caller as a spit- that can be classified as spam is still relatively small ter. Furthermore, the average call duration is roughly compared with email spam, most countries have some six minutes per call. So, administrators could classify regulations outlawing unsolicited marketing calls. frequent calls that are, for example, only one minute Spammers would be subject to such regulations and long as SPIT. risk heavy penalties. Due to the high costs of interna- Figure 1 shows a distribution of the number of tional calls, telemarketers usually restrict their activi- calls per user over one month. Although the maxi- ties to their domestic markets. By reducing the costs mum number of calls by one user during the entire for conducting spam abroad, VoIP lets spammers work month is about 500, half of the users initiate fewer across borders, thus falling outside the jurisdiction of than 40 calls per month (or just over one a day). Figure such regulations. 2 shows the distribution of the total duration of user The advantages that VoIP has over email for spam- calls during the same month. Half of the users called mers could result in an alarming increase in SPIT lev- for about three hours (or 10,000 seconds) per month. els, hence the need for our solution. The maximum was roughly 30 hours per month. Finally, checking call destination, we observed VoIP Traffic Characteristics that more than 90 percent of the calls that French us- One of the approaches our SDRS solution uses to ers initiated stayed within France, as Figure 3 shows. detect SPIT is based on identifying anomalies in the Numerous calls from a single user to a foreign country number or duration of calls a user conducts and the could indicate a spitter. percentage of failed calls. We first classified normal Although these results are valuable in fine-tuning user behavior, such as that of nonspammers. To do so, a detection system, they’re most likely only of limited we monitored and analyzed the VoIP traffic of 8,700 scope. Traffic characteristics for different networks France Telecom VoIP users, capturing usage in nine will depend on customer type (such as enterprise or locations in France over a one-month period. private), age, habits, and nationality, as well as the www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 53 Voice over IP 1 mitigating SPIT with only one of these methodolo- gies would be impossible. Considering SPIT’s various 0.9 forms, different user preferences, and spam’s ever- 0.8 changing characteristics, an efficient anti-SPIT solu- tion should incorporate several detection methods 0.7 weighted according to user preferences and adapted to ) 0.6 traffic characteristics. As Figure 4 illustrates, SDRS comprises three main 0.5 parts: user classification, SPIT detection, and reaction. People (% 0.4 By monitoring users’ sending behavior, SDRS classifies users as malicious (such as spitters) or normal. SDRS 0.3 also collects recipient preferences. The system then uses 0.2 this data as input for the detection and reaction compo- nents. Next, SDRS combines detection methods that 0.1 enable the system to classify a call as SPIT both during 0 session establishment and after the call has been estab- 10–2 100 102 104 106 108 lished. Finally, SDRS implements various reactions to Calls duration per month SPIT calls, such as rejecting suspicious calls and limit- ing suspected spitters’ call-generation rate. Figure 2. Call duration during a one-month period. Frequent but brief calls To align SDRS’s capacity with increased VoIP and can indicate a possible spitter. SPIT volume, we developed SDRS as a distributed system. The detection and reaction components can be either collocated or implemented on different hosts. 1% The SPIT reaction system then can be collocated with 2% France the detection systems. Alternatively, it can be located US remotely in a centralized server serving other mul- Unknown 5% tiple detection systems (for example, for investment Other reduction) or in a peripheral part of the network to accommodate user-specific preferences (for example, the user terminal).