International Journal of Information Security, Volume 11, Issue 2, pp 121–135

Formal analysis for robust anti-SPIT protection using model checking

  • Dimitris Gritzalis
  • Panagiotis Katsaros
  • Stylianos Basagiannis
  • Yannis Soupionis
Regular Contribution


Anti-SPIT policies counter SPam over Internet Telephony (SPIT) by distinguishing bots that launch unsolicited bulk VoIP calls from human beings. We propose an Anti-SPIT Policy Management mechanism (aSPM) that detects spam calls and prevents VoIP session establishment by the Session Initiation Protocol (SIP). The SPIN model checker is used to formally model and analyze the robustness of the aSPM mechanism in execution scenarios with parallel SIP sessions. In case of a possible design flaw, the model checker provides a trace of the unexpected behavior it caught (a counterexample), which can be used to revise the mechanism's design. Our SPIN model is parameterized, based on measurements from experiments with VoIP users. Non-determinism plays a key role in representing all possible anti-SPIT policy decisions, in terms of the SIP messages that may be exchanged. The model checking results provide evidence for the timeliness of the parallel SIP sessions, the absence of deadlocks or livelocks, and fairness for the VoIP service users. These findings ensure robust anti-SPIT protection, meaning that the aSPM mechanism operates as expected despite the occurrence of random SPIT calls and communication error messages. To the best of our knowledge, this is the first analysis that exhaustively searches for security policy flaws arising from complex interactions between anti-SPIT measures and the SIP protocol services.


Keywords: Voice over IP (VoIP); Anti-SPIT security policies; Robustness analysis; Model checking





Copyright information

© Springer-Verlag 2012

Authors and Affiliations

  • Dimitris Gritzalis (1)
  • Panagiotis Katsaros (2)
  • Stylianos Basagiannis (2)
  • Yannis Soupionis (1)

  1. Information Security and Critical Infrastructure Protection Research Laboratory, Department of Informatics, Athens University of Economics and Business (AUEB), Athens, Greece
  2. Dependability and Security Group, Department of Informatics, Aristotle University of Thessaloniki (AUTh), Thessaloniki, Greece
