Unsolicited Communication / SPIT / multimedia-spam
overview of this topic in different SDOs
Thilo Ewald
NGN Group, NEC Laboratories Europe
NEC Europe Ltd., Heidelberg, Germany
ewald@nw.neclab.eu

Jan 08-2
Overview
- Problem statement
- Definition of Unsolicited communication
- Forecast of next generation SPAM?
- Classification on identifying UC
- Classification on reacting on UC
- Possible Deployment scenarios
- Ongoing work
  - IETF
  - ITU
  - 3GPP
  - TISPAN
  - Other..
- NEC's VoIP SEAL
  - Demonstrator of feasibility to identify and prevent UC for VoIP
- AOB

Problem statement
- SMS/MMS SPAM, SPIT, multimedia-spam, etc.
  - Similar wording for the same problem
  - Unsolicited communication
- Social threat
  - More stress at home and in office, reduced performance at work
  - More difficult to establish communication, e.g. phone switched off to prevent it from ringing
  - Voice mailbox filling with voice spam messages: no means to distinguish spam from good voice messages, information lost
- Business
  - Market will develop more slowly
  - Customers will be disappointed by new technology (NGN)
[Figure labels: Good call, Riiing... Riiing..., SPIT calls]

Forecast of next generation SPAM?
- NGN devices will become as ubiquitous as em@il accounts are nowadays
- Number of VoIP subscribers will increase dramatically within the NGN
  - Residential VoIP subscribers growing linearly already since year 2000
- Today em@il SPAM keeps on increasing
  - 3600 spam messages per day for a small enterprise
  - 100 SPAM messages per day for an end user
- Voice SPAM over PSTN in Germany
  - 2 calls per week per residential subscriber
- Conclusion
  - SPIT is ~ 1000 times cheaper than voice spam over PSTN
  - 2000 SPIT calls per week per residential subscriber!

Classification on identifying UC
- Stage 1: non-intrusive (Non-intrusive test)
  - Blacklisting / white listing
  - Message/Call rate analysis
  - Simultaneous call analysis
  - Call behavior analysis
  - Statistical analysis
  - ...
- Stage 2: caller interaction (Caller Interactions)
  - Turing test
  - ...
- Stage 3: feedback before call (FB before call)
  - buddy list integration
  - consent-based communications
  - ...
- Stage 4: feedback during call (FB during call)
  - SPIT hang-up button
- Stage 5: feedback after call (FB after call)
  - service center
[Figure labels: knowledge base, feedback, system, callee; General & Personalized, Personalized]

Classification on Reacting on UC
- Legal aspect
  - No operator is allowed to intercept communication attempts
  - Only with contractual power are operators allowed to react on behalf of the customer to communication attempts
- Technical means
  - Block
  - Re-route (i.e. mailbox)
  - Indicate

Possible Deployment scenarios
[Figure, two panels: "UC detection in the NGN network, Legacy device" and "UC detection in the NGN network, IMS device". Elements shown: Caller (SPITer), Access node, Access network, Core border, Core network, Border gateway, User profiles, Callee (Bob); functions placed along the path: (Optional) Identify, mark, prevent.]

Ongoing work in the SDOs
IETF, ITU, 3GPP, TISPAN, Other..

UC in the IETF (SPIT)
- draft-ietf-sipping-spam-03: The Session Initiation Protocol (SIP) and SPAM
- draft-niccolini-sipping-spitstop: Signalling TO Prevent SPIT (SPITSTOP) Reference Scenario
- draft-niccolini-sipping-feedback-spit: SIP Extensions for SPIT identification
- draft-jung-sipping-authentication-spit: Authentication between the Inbound Proxy and the UAS for Protecting SPIT in the Session Initiation Protocol (SIP)
- draft-schwartz-sipping-spit-saml: SPAM for Internet Telephony (SPIT) Prevention using the Security Assertion Markup Language (SAML)
- draft-froment-sipping-spit-authz-policies: Authorization Policies for Preventing SPIT

UC in the ITU (multimedia SPAM)
The ITU is working on the thread "Countering spam by technical means" in the ITU-T Study Group 17 - Question 17/17 (Study Period 2005-2008).
- X.ocsip: Overview of countering SPAM for IP multimedia application - TD 2499 Rev.1
  This Recommendation specifies basic concepts, characteristics, and effects of Spam in IP multimedia applications such as IP Telephony, instant messaging, multimedia conference, etc. It provides technical issues, requirements for technical solutions, and applicability of countering mechanisms of email spam to IP multimedia spam. It provides a basis and guideline for developing further technical solutions on countering Spam.
- X.fcsip: Technical Framework of Countering IP Multimedia SPAM - TD 2498
  This Recommendation will specify the general architecture of a countering spam system on IP multimedia applications such as IP Telephony, instant messaging, multimedia conference, etc. It will provide functional blocks of necessary network entities to counter spam and their functionalities, and describe interfaces among the entities. To build secure sessions against spam attack, User Terminals and Edge Service Entities such as proxy servers or application servers will be extended to have spam control functions. We will also show interfaces between these extended peer entities, and interfaces with other network entities which can be involved in countering spam.
- X.csreq: Requirement on countering SPAM - TD 2496
  Requirements on countering spam are clarified in this recommendation. There are many types of spam, such as email spam, mobile messaging spam and IP multimedia spam. Various types of spam may have both common and specific requirements on countering them. For one type of spam, the requirements in different entities should also be clarified.

UC in 3GPP (SMS/MMS SPAM)
- ETSI TR 141 031 V6.0.0 / ETSI TS 122 031 V6.0.0 / ETSI TS 123 031 V6.0.0: Fraud Information Gathering System (FIGS)
  FIGS provides the means for the HPLMN to monitor a defined set of subscriber activities. The aim is to enable service providers/network operators to limit their financial exposure to large unpaid bills produced on subscriber accounts whilst the subscriber is roaming.
- 3GPP TR XXX XXX: Protection against SMS, MMS and IMS SPAM; Study of Different SPAM Protection Mechanisms
  This TR studies existing and new mechanisms to limit the effects of SPAM. The following services are considered in the scope of this TR: SMS, MMS, IMS messaging/presence/call and also email messages. The scope is indeed large and ambitious, but as the trend is to converge all media, the anti-SPAM solution has to be adapted to this concept.
  - Investigations based on the 3GPP architecture regarding SMS/MMS/IM SPAM were done
  - Potential solutions to counter this threat were analyzed and defence mechanisms were proposed

UC in TISPAN (unsolicited communication)
- ETSI TS 183 016 - MCID (Malicious call identification)
  This service enables the callee to indicate that an incoming communication is considered to be malicious and that it should be identified and registered.
- ETSI TS 186 006-1 - OIR (Originating Identification Restriction)
  The OIR service enables the originating party to prevent presentation of any network-provided identity to the terminating party, and is applicable to all session-based services of the NGN. The OIR supplementary service is described in.
- ETSI EN 300 798 - ACR (Anonymous Communication Rejection)
  The ACR service allows a user to reject incoming communications when the caller is anonymous.
- ETSI TS 183 011 - ICB (Incoming Communication Barring)
  ICB allows a user to block incoming communications based on the identity of the caller.
- TR WI07025 UC (Feasibility study of preventing unsolicited communication in the NGN)
  The document WI07025 reports on the feasibility of counteracting the occurrence of Unsolicited Communications (UC) in the NGN. It also addresses the methodologies for preventing the terminating party from receiving UC. The report takes the form of a TVRA and quantifies the likelihood and impact of UC in the NGN where UC is initiated in a variety of forms. A definition of the term unsolicited communication and its context is given as used in NGN. Relevant objectives and requirements are extracted for the NGN architecture, signalling and security.

UC in other SDOs
- GSMA
  - Mobile Spam Code of Practice
  - Code of conduct within GSM network
- OMA
  - OMA has drafted a set of requirements and architecture for Categorization Based Content Screening (CBCS), suggesting among other things usage of the ICAP protocol to transfer content categorization information.
  - Content Screening is defined as the act of blocking, allowing or amending content; it thereby also includes malware.
  - It is suggested that the OMA requirements and architecture are considered for the unsolicited communication study as appropriate.
  - The current OMA work can be found in the following specifications:
    - Categorization Based Content Screening Framework Requirements, Candidate Version 1.0, 11 July 2006 (a newer one may already exist), Open Mobile Alliance OMA-RD-CBCS-V1_0-20060711-C
      The document describes Use Cases for categorization based content screening and high level requirements on the functionality of such a system.
    - Categorization-based Content Screening Framework Architecture, Draft Version 1.0, 28 Aug 2006, Open Mobile Alliance OMA-AD-CBCS-V1_0-20060828-D
      The document presents an architectural model for a two-tier solution of a CBCS Enabler. The CBCS Enabler evaluates and/or enforces Screening Rules.

VoIP SEAL (VoIP SEcure Application Layer Firewall)
NEC's demonstrator for identifying, analyzing and preventing UC in the environment of VoIP

NEC VoIP SEAL: Characteristics
- Covers multiple aspects of VoIP Security
- Provide protection against wide range of attacks
- Key issues
  - Flexible protection technology is required
  - Encryption and authentication will not be enough
  - No single method of protection
- Solution
  - VoIP SEcure Application Level firewall (VoIP SEAL)
  - Modular and extensible platform
  - prevention of SPIT and (D)DoS attacks
  - Multiple different VoIP protection modules cooperate
  - On-line plug-and-play integration of new modules
  - On-line configuration of modules
  - On-line update of modules
[Figure, two panels "now" and "with NEC solution". Labels: Good call, SPIT calls, SIP Proxy, SIP Proxy with additional modules, VoIP SEAL]

Building Blocks for SPIT Prevention (Classification)
- No Interactions With Call Participants
  - black/white-listing
  - call-rate analysis
- Caller-side Interactions
  - Turing test
- Feedback from callee before call
  - Import buddy-list
  - Specify personal black/whitelist
- Feedback from callee during call
  - Special hang-up button
- Feedback from callee After Call
  - IVM-system
  - Special number (i.e. #7748)
  - Web-frontend
[Figure labels: knowledge base, feedback, system, callee; Stage 1: non-intrusive, Stage 2: caller interaction, Stage 3: feedback before call, Stage 4: feedback during call, Stage 5: feedback after call]

VoIP SEAL: Characteristics
- Covers multiple aspects of VoIP Security
- Provide protection against wide range of attacks
- Standard-based
  - SIP-based for Next Generation Networks (NGN)
  - SIP extensions currently entering the standardization process
[Figure labels: (D)DoS attacker, SPIT caller, Good caller, Phone, Proxy Server, Application Server, VoIP SEAL Firewall, Peering Point (SBC)]

VoIP SEAL: Internal Architecture
- VoIP SEAL covers different stages with different modules
  - mix of open and closed loops
- Stage 1 modules are combined using a scoring system
- Stage 2 modules are combined based on the output of the previous stage
- Stage 3/4/5 use the information coming from feedbacks to work in collaboration with Stage 1 modules
[Figure labels: Stage 1: Module 1, Module 2, ... Module n, +, Scoring System, accept / reject; Stage 2: Dispatcher, Module 1, Module 2, ... Module n, accept / reject; Stage 3/4/5: Feedback Processing, Terminals; VoIP SEAL]

Advanced SPIT Prevention Mechanisms
- analyze signaling messages
- voice signal energy
- interact with caller
[Figure: timeline between caller (unknown@somewhere.com), VoIP SEAL and callee, with the phases calling bob@nec.de, ringing, greeting & question, answer; axes: time]
suspicious caller: additional tests
1. Energy level of conversation during greeting/question?
   - Too high: SPIT, block the call
   - Close to zero: process further or accept the call

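An added sketch, not NEC's VoIP SEAL code, of the staged decision described on the Internal Architecture and Advanced SPIT Prevention slides: Stage 1 module scores are summed, clear cases are accepted or rejected, and only suspicious callers get the Stage 2 greeting-energy test, while callee feedback updates the Stage 1 lists. Class names, weights, thresholds, window sizes and the energy floor are assumptions chosen for illustration.

```python
from collections import deque

class ListModule:
    """Stage 1 black/white-listing, fed by callee feedback (Stages 3/4/5)."""
    def __init__(self):
        self.black, self.white = set(), set()
    def score(self, caller, now):
        if caller in self.white:
            return -1.0
        return 1.0 if caller in self.black else 0.0
    def feedback(self, caller, is_spit):
        # e.g. the SPIT hang-up button (during call) or service center (after call)
        (self.black if is_spit else self.white).add(caller)
        (self.white if is_spit else self.black).discard(caller)

class CallRateModule:
    """Stage 1 call-rate analysis over a sliding window (sizes are assumptions)."""
    def __init__(self, window_s=60, max_calls=5):
        self.window_s, self.max_calls, self.calls = window_s, max_calls, {}
    def score(self, caller, now):
        q = self.calls.setdefault(caller, deque())
        q.append(now)
        while now - q[0] > self.window_s:
            q.popleft()
        return min(1.0, len(q) / self.max_calls)

class StagedFilter:
    ACCEPT_BELOW, REJECT_FROM = 0.3, 0.8   # assumed score thresholds
    SILENCE_FLOOR = 0.05                   # assumed "close to zero" energy level
    def __init__(self):
        self.lists, self.rate = ListModule(), CallRateModule()
    def stage1(self, caller, now):
        # Scoring system: module outputs are summed into one score.
        return self.lists.score(caller, now) + self.rate.score(caller, now)
    def stage2(self, probe):
        # Play greeting/question; energy from the caller meanwhile means SPIT.
        return "reject" if max(probe()) > self.SILENCE_FLOOR else "accept"
    def handle(self, caller, now, probe):
        score = self.stage1(caller, now)
        if score < self.ACCEPT_BELOW:
            return "accept"
        if score >= self.REJECT_FROM:
            return "reject"
        return self.stage2(probe)   # suspicious caller: additional test

# Constructed per-frame caller-side energy during the greeting (not measured data).
QUIET = lambda: [0.00, 0.01, 0.02]   # caller listens to the greeting
LOUD = lambda: [0.40, 0.60, 0.50]    # recording plays straight over it
```

The probe is passed as a callable so that the greeting is only played, and energy only measured, when Stage 1 leaves the call in the suspicious band.
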
Screenshot of Prototype GUI

AOB
Question & Answers