Removing Ambiguities of IP Telephony Traffic Using Protocol Scrubbers

Network intrusion detection systems (NIDSs) face the serious challenge of attacks such as insertion and evasion attacks that are caused by ambiguous network traffic. Such ambiguity comes as a result of the nature of network traffic which includes protocol implementation variations and errors alongsi...

Bibliographic Details
Main Author: Bazara I. A. Barry
Format: Article
Language: English
Published: International Institute of Informatics and Cybernetics 2012-10-01
Series: Journal of Systemics, Cybernetics and Informatics
Subjects: IP Telephony, Protocol Scrubbers, protocols, security, Intrusion Detection Systems
Online Access: http://www.iiisci.org/Journal/CV$/sci/pdfs/HZA344BP.pdf
author Bazara I. A. Barry
collection DOAJ
description Network intrusion detection systems (NIDSs) face the serious challenge of attacks such as insertion and evasion attacks that are caused by ambiguous network traffic. Such ambiguity comes as a result of the nature of network traffic which includes protocol implementation variations and errors alongside legitimate network traffic. Moreover, attackers can intentionally introduce further ambiguities in the traffic. Consequently, NIDSs need to be aware of these ambiguities when detection is performed and make sure to differentiate between true attacks and protocol implementation variations or errors; otherwise, detection accuracy can be affected negatively. In this paper we present the design and implementation of tools that are called protocol scrubbers whose main functionality is to remove ambiguities from network traffic before it is presented to the NIDS. The proposed protocol scrubbers are designed for session initiation and data transfer protocols in IP telephony systems. They guarantee that the traffic presented to NIDSs is unambiguous by eliminating ambiguous behaviors of protocols using well-designed protocol state machines, and walking through packet headers of protocols to make sure packets will be interpreted in the desired way by the NIDS. The experimental results shown in this paper demonstrate the good quality and applicability of the introduced scrubbers.
first_indexed 2024-04-14T07:51:27Z
format Article
id doaj.art-0efac662a49a431aa3e8038ec5e9f06d
institution Directory Open Access Journal
issn 1690-4524
language English
last_indexed 2024-04-14T07:51:27Z
publishDate 2012-10-01
publisher International Institute of Informatics and Cybernetics
record_format Article
series Journal of Systemics, Cybernetics and Informatics
spelling doaj.art-0efac662a49a431aa3e8038ec5e9f06d | 2022-12-22T02:05:10Z | eng | International Institute of Informatics and Cybernetics | Journal of Systemics, Cybernetics and Informatics | 1690-4524 | 2012-10-01 | 1058591 | Removing Ambiguities of IP Telephony Traffic Using Protocol Scrubbers | Bazara I. A. Barry, University of Khartoum | http://www.iiisci.org/Journal/CV$/sci/pdfs/HZA344BP.pdf | IP Telephony; Protocol Scrubbers; protocols; security; Intrusion Detection Systems
topic IP Telephony
Protocol Scrubbers
protocols
security
Intrusion Detection Systems
url http://www.iiisci.org/Journal/CV$/sci/pdfs/HZA344BP.pdf