Managing Risks at Runtime in VoIP Networks and Services

  • Oussema Dabbebi
  • Remi Badonnel
  • Olivier Festor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6155)


IP telephony is less confined than traditional PSTN telephony and, as a consequence, is more exposed to security attacks. Some of these attacks are specific to VoIP, such as SPIT, while others are inherited from the IP layer, such as ARP poisoning. Protection mechanisms are often available, but they may seriously impact the quality of service of such critical environments. We propose to exploit and automate risk management methods and techniques for VoIP infrastructures. Our objective is to dynamically adapt the exposure of a VoIP network with regard to the attack potentiality while minimizing the impact on the service. This paper describes the challenges of risk management for VoIP, our runtime strategy for assessing and treating risks, preliminary results based on Monte-Carlo simulations, and future work.


Keywords: Risk Management, Session Initiation Protocol, Intrusion Detection System, Security Attack, Risk Avoidance



Copyright information

© IFIP International Federation for Information Processing 2010

Authors and Affiliations

  • Oussema Dabbebi (1)
  • Remi Badonnel (1)
  • Olivier Festor (1)
  1. INRIA Nancy Grand Est - LORIA, Technopôle de Nancy Brabois, Vandœuvre-lès-Nancy, France
