If you want to find out who is using VoIP on your network, you need to consider different techniques. There are two main types of detection: pattern-based and statistical analysis. Both of these methods are based on the standard protocol, but they can be inefficient due to their complexity.
Pattern-based methods use a combination of human intelligence and statistical analysis. They analyze the packet headers to extract details. Some of these methods also examine signaling and media traffic. The difference between these two types of detection is that statistical analysis focuses on patterns rather than the actual signaling and media traffic. It is difficult to distinguish the signals from the media and signaling data when they are encrypted, and therefore, it is more efficient to employ a pattern-based technique.
Statistical analysis uses a combination of different metrics to determine whether a traffic pattern is indicative of a DoS attack. A DoS attack involves the introduction of malicious packets that can disrupt or terminate a VoIP service. In addition to identifying DoS attacks, the proposed system also detects malicious VoIP traffic. However, it does not detect all VoIP flows and does not detect all attacks. This results in a low detection rate and a high false positive rate. To reduce this, we propose a new scheme.
Our method uses five factors to identify VoIP flows: the Call Recipient, the number of Call Rejections, the amount of DoS traffic, the Call Duration, and the average packet duration. It also calculates the position of the Call Rejections count over a normal distribution. For a large dataset, we can use this information to improve our detection rates.
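The following is an added example, not code from the original article. It shows one way to compute the position of a caller's Call Rejections count over a normal distribution, as a z-score and upper-tail probability. The record format, the SIP codes treated as rejections, the baseline counts and the threshold of 3 are all assumptions made for illustration.

```python
import math
import statistics
from collections import Counter

# Assumption: these SIP final responses count as a "call rejection".
REJECTION_CODES = {480, 486, 603}  # Temporarily Unavailable, Busy Here, Decline

# Constructed baseline: rejections per caller per window during normal operation.
BASELINE = [0, 4, 0, 4, 2]

# Constructed observation window: (caller, SIP final response code).
RECORDS = (
    [("sip:alice@example.test", 200)] * 5
    + [("sip:alice@example.test", 486)] * 3
    + [("sip:bulk@example.test", 603)] * 12
    + [("sip:carol@example.test", 200)] * 4
)

def rejections_per_caller(records):
    """Count rejected calls per caller; callers with none still appear with 0."""
    counts = Counter()
    for caller, code in records:
        counts[caller] += 1 if code in REJECTION_CODES else 0
    return counts

def normal_position(count, baseline):
    """Return (z-score, upper-tail probability) of count under a normal
    distribution fitted to the baseline rejection counts."""
    mean = statistics.mean(baseline)
    std = statistics.stdev(baseline)
    if std == 0:  # flat baseline: any deviation is infinitely far out
        z = 0.0 if count == mean else math.copysign(math.inf, count - mean)
    else:
        z = (count - mean) / std
    return z, 0.5 * math.erfc(z / math.sqrt(2))

def flag_callers(records, baseline, z_threshold=3.0):
    """Return {caller: (rejections, z, tail)} for callers at or above the threshold."""
    flagged = {}
    for caller, count in rejections_per_caller(records).items():
        z, tail = normal_position(count, baseline)
        if z >= z_threshold:
            flagged[caller] = (count, z, tail)
    return flagged

if __name__ == "__main__":
    for caller, (count, z, tail) in flag_callers(RECORDS, BASELINE).items():
        print(f"{caller}: {count} rejections, z={z:.2f}, P(X>=count)={tail:.2e}")
```

A small baseline like the one here gives an unstable standard deviation, which is why the article's point about needing a large dataset matters for the false positive rate.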
Flow-level behavior (FLB) is another method that utilizes packet energy in the time domain. Researchers have used this method for voice activity detection. The packet energy value is based on the jitter and transmission delay of the VoIP traffic. These values are highly sensitive to quality of service requirements.
Compared with other methods, the proposed method is more efficient and has the potential to identify VoIP flows with greater accuracy. The method includes an increase in the block rate, which has the ability to detect more calls. However, it requires a large number of packets to pass the attack for a sufficient period of time. Moreover, this method is only able to detect the first 60 packets. This limit is a result of the complex protocols used in the signaling and media sessions.
Flows are identified within 5 seconds, which is an average detection time for different VoIP applications. Gtalk and Skype take longer than this. However, MSN, Yahoo, and Skype take under five seconds. Nevertheless, the overall efficiency of this method is expected to be comparable to other systems. Regardless of the technique, it is important to monitor the traffic to ensure the security of the network.
As part of the testing, we measured the time required to detect VoIP flows on different applications. Fig. 4(d) shows the average detection times for voice flows. We find that VoIP traffic is detected within five seconds for MSN, Yahoo, and Skype, but it takes more than five seconds for Gtalk and Gmail.