EP1803279A1 - Dispositif de securisation d un autocommutateur - Google Patents
Dispositif de securisation d un autocommutateurInfo
- Publication number
- EP1803279A1 (application EP05812485A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- server
- communication
- switch
- analyzer
- call
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
- All under H (ELECTRICITY) / H04 (ELECTRIC COMMUNICATION TECHNIQUE); H04L is transmission of digital information, H04M is telephonic communication.
- H04L63/0209 — Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02, separating internal from external traffic, e.g. firewalls; H04L63/00, network security)
- H04L63/1408 — Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
- H04M15/00 — Arrangements for metering, time-control or time indication; metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/47 — Fraud detection or prevention means (under H04M15/00)
- H04M3/38 — Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections (under H04M3/00, automatic or semi-automatic exchanges)
- H04L63/1433 — Vulnerability analysis (under H04L63/14)
- H04L63/1441 — Countermeasures against malicious traffic (under H04L63/14)
- H04M2215/0148 — Fraud detection or prevention means (under H04M2215/01, details of billing arrangements; H04M2215/00, metering, time controlling and time indicating arrangements)
- H04M3/205 — Eavesdropping prevention; indication of insecurity of line or network (under H04M3/20, exchanges with means for interrupting existing connections or breaking in on conversations)
- H04M3/2218 — Call detail recording (under H04M3/22, arrangements for supervision, monitoring or testing)
- H04M3/42314 — Systems providing special services or facilities to subscribers in private branch exchanges (under H04M3/42)
- H04M7/1205 — Interconnection between switching centres of different types where the switching equipment comprises PSTN/ISDN equipment and switching equipment of networks other than PSTN/ISDN, e.g. Internet Protocol networks (under H04M7/12; H04M7/00)
- H04M7/126 — Interworking of session control protocols (under H04M7/12)
Definitions
- the present invention relates to the field of telecommunications and network security.
- the present invention more particularly relates to a system and method for securing an enterprise switch by call control.
- the corporate PBX is the gateway to a company network.
- security must be strongly present, particularly since the convergence of circuit-mode and packet-mode network management. Too many abuses currently take place on branch exchanges, where communications are diverted by outsiders to make calls at lower cost.
- the invention consists in controlling and providing access between the terminals of an enterprise at a plurality of sites and their respective circuits in the public switched network.
- the system and method may include: a discrete line sensor within the sites to determine the nature of the calls, the line sensor not interfering with existing communications.
- the line sensor may include: a pair of relays for routing the data through the line sensor without altering the data, and a pair of transceivers and a processing unit for routing the data through the line sensor by storing and copying the data and transmitting the new data through the line sensor.
- the system may also include: a PBX in the sites and connected to the line sensor; a central switch connected to the line sensor and the PBX; and a firewall management server.
- all known systems for securing enterprise telecommunications networks, and private branch exchanges in particular, reproduce an architecture similar to that described in FIG. 1: an analyzer (sensor 13) is placed on the trunk (11) between the switched network (10) and the private branch exchange (14). This sensor analyzes the nature of the calls sent to/from the peripherals (16) of the private network (15), then compares the information obtained with security rules held in a server (17).
- the communication analyzers deliver the following information:
- the communication analyzer does not report all the functionalities that were implemented during the call, nor their sequence.
- the following two examples show the limitations of such a system in detecting "fraudulent" actions.
- an outside caller A calling a workstation B of the company can listen to the conversation with a caller C by activating the "unobtrusive entry" feature. Here again, the communication analyzer will detect only two separate and authorized communications.
- the present invention intends to remedy at least one drawback of the prior art by proposing a system and a method for securing a switch, in either switched or mixed "switched-IP" mode, on the basis of an analysis of the "low" layers (call nature) and "high" layers (PBX features used) implemented during calls.
- the method performs, on the one hand, an analysis of the incoming or outgoing calls to determine their nature and, on the other hand, receives information emitted by the switch, indicating among other things the functionalities implemented during the call.
- a comparison is made with a set of network security rules (or scenarios), after which the method makes it possible to respond to the call or to terminate it.
- the system of the invention has a communication analyzer somewhat similar in functional terms to those described in the aforementioned patents, associated with a server, as well as a second server analyzing the information transmitted by the switch on current calls.
- the system also proposes a server called "audit" to establish security rules according to the specificities of the network and the switch.
- the invention responds particularly well to the expectations of companies whose private networks are too often hacked through the use of one of the 400 or more functions of the switch (for example, conference calling).
- the invention relates in its most general sense to a firewall system for securing an enterprise branch exchange connected, on the one hand, to at least one switched mode communication network of the PSTN type and, on the other hand, to a set of communication peripherals and/or application servers, said system comprising a communication analyzer for the low layers (1 to 3) of the OSI model of digital circuit-mode and analog communications, and
- a firewall server connected to said analyzer, characterized in that said system further comprises a supervision server connected to the real-time ticket output of the switch (the "fil de l'eau" port) for the analysis of the communication tickets and the application of security rules for OSI model layers 4 to 7.
- said switch is further connected to a packet mode communication network of the Internet type; said communication analyzer is placed in parallel with the lines between the switch and the switched-mode and packet-mode networks; said communication analyzer further analyzes the lower-layer information of the packet-mode communications (incoming and outgoing) of the switch.
- said analyzer is a DSP for detecting digital circuit, digital packet and analog communications.
- said supervision server comprises an expert system for learning security rules in the case of an unknown scenario.
- said supervision server comprises a database for storing the information sent by said communication analyzer and information relating to the analysis of said tickets.
- said system further comprises an audit server connected to the supervision server able to analyze the functionalities of the switch, the system architecture and to establish a set of call scenarios.
- said audit server comprises an expert system for establishing said scenarios.
- said firewall server is connected to a plurality of communications analyzers located on various enterprise sites.
- said system further comprises an encrypted backup server of the configurations of the automatic switch.
- said system further comprises a call-back modem connected to the remote maintenance port of said automatic switch.
- the invention also relates to a method for securing an enterprise switch connected, on the one hand, to at least one switched mode communication network of the PSTN type and, on the other hand, to a set of communication peripherals and/or application servers, the method comprising a step of analyzing the low layers (OSI layers 1 to 3) of communications by a communication analyzer and applying security rules to terminate illegal calls, characterized in that it further comprises: a step of recovery, by a supervision server, of the communication tickets issued by the switch; a step of comparing the information contained in said tickets with the security rules contained in the supervision server; and a step of applying the security rules according to the information contained in said tickets.
- said method further comprises a step of reporting call information and decisions taken from said communication analyzer to said supervisory server.
- said method further comprises a step of self-learning, by an expert system in the supervision server, of scenarios not managed by the security rules.
- said method comprises, beforehand, a step of determining the possible scenarios by an audit server and a step of establishing the security rules by selecting said scenarios.
- said scenario determination step comprises:
- the invention also relates to a computer program element comprising computer program code means arranged to perform the steps of the method.
- FIG. 1 represents the standard architecture of the systems securing PBX on a switched telephone network (prior art);
- Figure 2 illustrates the architecture of the present invention;
- Figure 3 illustrates the functional structure of the communication analyzer;
- Fig. 4 is a logic diagram showing the operation of the communication analyzer;
- Fig. 5 is a logic diagram illustrating the establishment of the security rules according to the present invention;
- FIG. 6 illustrates the different initial data tables retrieved by the expert analysis system;
- FIG. 7 illustrates an example of a matrix of correspondences between the threats and the vulnerabilities of a system of the automatic switch type;
- FIG. 8 illustrates an example matrix of correspondences between the threats and the functionalities provided by a switch
- Fig. 9 logically illustrates the audit and countermeasure module according to the present invention
- Figure 10 schematically shows the inference engine for system auditing
- FIG. 11 schematically represents the module for establishing countermeasures
- FIG. 12 represents a logic diagram of the operation of the security according to the invention
- Figure 13 illustrates an example of packet mode communication.
- FIG. 2 represents an exemplary embodiment of the system according to the present invention, comprising a switch (200), a communication analyzer (100) and a set of servers (110, 120 and 130) for security policy management.
- the enterprise-class switch (200) is a switch for real-time call processing and switching between the private corporate devices (210) and the switched telephone network (300) and/or a packet-mode network, for example the Internet (310).
- the switch (200) also provides features (sometimes more than four hundred) that can be implemented during calls, for example double call, call forwarding, conference, ... It has two dedicated ports: one for remote maintenance (198) and one for sending (199) the "tickets" used, among other things, for billing calls.
- the latter port (199), also called the "fil de l'eau" (real-time stream) port, is a serial port for the transmission of ticket data.
- the essential functions of a switch are: switching, interfaces with terminals, telephone application.
- the switch (200) can be a PBX (Private Branch eXchange) or PABX (Private Automatic Branch eXchange) dedicated only to a switched network, in which case the analysis of packet communications is not performed, or "mixed", for example a centralized IP PBX in which all the functions are implemented except the switching, which is performed by a network switch.
- the corporate network may be of the LAN (Local Area Network) type and is composed of the PABX (200), the peripherals (210) and the internal lines (220) connecting the peripherals to the PABX.
- the peripherals are of the following types: fax (203), modem (202), telephone (204), IP telephone (205), cordless phone (206), for example DECT, and application servers (208), for example a voice mail server, a billing server, ...
- the "telephony" servers (208) and (209) are furthermore connected to the PABX via an isolated IP network (230) dedicated solely to exchanging data between these entities, for example controlling the PABX from the administration server.
- a communication analyzer (100) is placed in parallel with the network lines (320) between the public switched/packet network (300, 310) and the PABX (200).
- a firewall server (110) is connected to the communication analyzer (100) and possibly to other analyzers (100 ', 100' ').
- the firewall server (110) contains all the rules or scenarios to be applied on the network and transmits them to the communication analyzers. A more detailed description of such a server is provided by one of US 6,687,353, US 6,226,372, US 6,760,421 and US 2004/0168686, mentioned above.
- the server 110 consolidates in real time all the information of all the communication analyzers of the various sites and manages the alerts related to possible malfunctions of these analyzers.
- a supervision server (120) is connected to the PABX's real-time ticket port (199, the "fil de l'eau" port), to the firewall server (110) and to a third server, the audit server (130). This server (120) provides the management of the communication analyzers (100) and of the security rules.
- the servers 110 and 120 must be physically different for reasons of real-time processing and operational safety.
- the audit server (130) hosts an expert system for establishing the security rules or scenarios, which it sends to the supervisory server (120) for application thereof.
- These different servers are, for example, dedicated computers comprising a processor, RAM, an operating system, software implementing the method of the invention and executed on this operating system, and network connection means.
- the system also includes a backup device (112) and a call-back modem (114).
- the device (112) makes it possible to perform a backup, preferably encrypted by dynamic key, of the configurations of the automatic switch.
- the modem (114) protects access to the remote maintenance port (198) by implementing call detection, caller identification and call-back mechanisms that depend on the identification obtained.
- the communication analyzer (100) is implemented as a DSP (Digital Signal Processor) with suitable software. This allows, among other things, a circuit-mode network analyzer (ISDN) and a packet network analyzer (IP) to coexist easily.
- the prior art knows these analyzers dedicated to switched networks.
- the analysis of the IP network is done by a filter retrieving the header of the transmitted packets.
- the communication analysis method is provided by FIG.
- the analyzer (100) receives digital calls in circuit mode (a), packet mode (b) and analog calls (c).
- a first module (106) identifies the type of call (voice, data, ...). This module is based on the recovery of the headers of transmitted packets, on the D-channel signalling of switched digital communications (ISDN T0 and T2), or on the carrier value for analogue links.
- the so-called acknowledged rules are the rules coming only from the audit server (130), which is in charge of checking the consistency of the set of rules.
- the default behavior allows calls that are not explicitly prohibited, and when one of the rules coincides with the current call, the rule applies.
- the set of rules that only involve the information collected by the communications analyzer (100) is resident therein for the site concerned; this is to ensure real-time processing (fast enough for the connection time of communications). These rules are stored either in Flash memory or on hard disk, depending on the number of links to be observed.
- the security rules are sent by the supervision server (120) via the server (110).
- An example of a communication analyzer (100) is one of the products of the "Wavetel" range.
- the firewall server (110) is the guarantor of the 1-2-3 layer rules and periodically checks the integrity of the data of the communication analyzers to prevent any malicious changes to them.
- a micro-relay cut is performed. The analysis is looped until the call has ended. Once the call is complete, the call information is sent back (6) to the firewall server (110) and forwarded through a "communications pipe" to the supervision server (120) in real time.
- Example 1 Analysis of the H.323 protocol
- FIG. 13 illustrates, on the one hand, the layers on which the H.323 protocol is based and, on the other hand, the format of the Real-time Transfer Protocol (RTP) header used for voice over IP on the protocol.
- the communication analyzer analyzes the RTP header contained in the UDP or TCP frame to determine the nature of the communication, taking into account the "Payload Type" value in this header. In the example provided, it is a G.711 communication, also called PCMA.
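As an added illustration (not code from the patent), the following Python parses an RTP header and derives the nature of the stream from its Payload Type field, the check described above; the payload-type table is RFC 3551's static assignments, the `build_rtp` helper and the sample datagram are constructed for the demonstration.

```python
import struct

# Static RTP payload types from RFC 3551 (assumed table; the page itself only
# names the G.711 A-law case, PCMA). The analyzer keys on this field.
STATIC_PAYLOAD_TYPES = {
    0: "PCMU (G.711 mu-law, audio)",
    3: "GSM (audio)",
    8: "PCMA (G.711 A-law, audio)",
    9: "G722 (audio)",
    18: "G729 (audio)",
    26: "JPEG (video)",
    31: "H261 (video)",
    34: "H263 (video)",
}


def parse_rtp_header(datagram: bytes) -> dict:
    """Parse the fixed RTP header (RFC 3550), the CSRC list and an optional
    header extension. Raises ValueError for data that is not plausible RTP,
    so a caller refuses to classify the frame instead of guessing."""
    if len(datagram) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    cc = b0 & 0x0F                      # number of CSRC identifiers
    has_ext = bool(b0 & 0x10)
    hdr_len = 12 + 4 * cc
    if len(datagram) < hdr_len:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{cc}I", datagram[12:hdr_len])) if cc else []
    if has_ext:
        if len(datagram) < hdr_len + 4:
            raise ValueError("truncated extension header")
        _, ext_words = struct.unpack("!HH", datagram[hdr_len:hdr_len + 4])
        hdr_len += 4 + 4 * ext_words
        if len(datagram) < hdr_len:
            raise ValueError("truncated header extension")
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": has_ext,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,      # the "Payload Type" field the analyzer uses
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "header_length": hdr_len,
    }


def classify_rtp(datagram: bytes) -> str:
    """Return the nature of the stream carried by one RTP datagram."""
    pt = parse_rtp_header(datagram)["payload_type"]
    if pt in STATIC_PAYLOAD_TYPES:
        return STATIC_PAYLOAD_TYPES[pt]
    if 96 <= pt <= 127:
        # Dynamic types are only resolvable from the call signalling
        # (H.245/SDP), so the analyzer must correlate with the call setup.
        return f"dynamic payload type {pt} (resolve from signalling)"
    return f"unassigned payload type {pt}"


def build_rtp(payload_type: int, seq: int, ts: int, ssrc: int,
              payload: bytes = b"", marker: bool = False) -> bytes:
    """Construct a minimal RTP datagram (no CSRC, no extension) for testing."""
    b0 = 0x80                           # version 2, no padding/extension, cc = 0
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + payload


if __name__ == "__main__":
    # Constructed sample: one G.711 A-law frame as seen on a VoIP trunk.
    sample = build_rtp(8, 1234, 160000, 0xDEADBEEF, b"\xd5" * 160, marker=True)
    print(classify_rtp(sample))         # PCMA (G.711 A-law, audio)
```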
- the auditing server (130) makes it possible to set up the scenarios for securing the network, scenarios that will be chosen by a human operator for setting the security rules.
- a first step is performed before operating the system. It aims to determine the functional characteristics of the PABX (200), which change from one manufacturer to another (1010), and the specificities of the network architecture in place (1020). The operations described below are repeated after an update of the PBX or after a modification of the network architecture (adding peripherals, for example), which is why it is preferable for the audit server (130) not to share the same resources as the supervision server (120).
- the server (130) is connected to the maintenance port V24 (198) of the PABX to obtain the circuit architecture files (1020) contained in the PABX as well as to the IP network (230) to obtain the system architecture information (1010).
- a NESSUS-type application makes it possible to obtain, through the IP network (230), all the IP information of the network: VLANs, IP addresses, number of application servers, etc.
- the circuit architecture files mention the configurations of internal links (directory of telephone numbers) and external links (T0, T2, voice over IP).
- FIG. 6 represents an example of the configuration databases (1000) obtained by the audit server (130) after analysis of the system (1010) and circuits (1020).
- the system database informs: - the elements present (PBX, voicemail, billing server);
- the PABX features database provides: - phone numbers; - associated profiles or classes;
- a step is performed to define the attributes and the corresponding values implemented by the PABX (200) (depending on the manufacturer), for example:
  - associated_services_values: mevo (voicemail), Svi, Acd, charging ...;
  - Values_functionalities: operator, intercom, multi Cco, multi-company, Disa, conference, recording, third-party entry, transfer, forwarding, listening, grouping, Sda ...;
  - Restriction_values: time, geographic, number ranges, priority access, logical locking ...
- the rules database (1110) contains, for its part, all the security rules applied by the system. This database is usually empty when the system is installed and is enriched at the end of this system audit phase.
- the rules are in the form:
- This example illustrates the risk of being wiretapped using the weaknesses of the system in automatically calling an outside number after the message is placed in voicemail.
- This example illustrates the diversion of communication traffic using the external reference of a communication made possible by obtaining the password constructor ...
- the EBIOS method makes it possible to establish, independently of the architecture of the corporate network, a matrix characterizing the dependencies between threats and vulnerabilities of the PABX (200), and a matrix characterizing the dependencies between the threats and the functionalities offered by the PABX.
- FIG. 7 shows an example of a "threats / vulnerabilities" matrix where the threats are of the industrial espionage or hijacking type, and the vulnerabilities may be the ability to directly access a station or the ability to delete or modify programs.
- FIG. 8 represents an example of a "threats / functionalities" matrix where the functionalities provided by the PABX (200) can be common abbreviated dialing, forwarding or grouping.
- These matrices can be filled manually, that is, dependencies are established based on hardware knowledge and network security.
- This expert system is contained in the server (130).
- Forward and backward chaining is performed between the threats and the system vulnerabilities (according to the previously defined matrix) by the SCN1 module (1120).
- Forward and backward chaining is understood to mean analysing each of the threats (the vulnerabilities play a symmetric role) in order to associate the dependent vulnerabilities with them, and completing this analysis by checking the determined vulnerabilities against the original threat.
- a sequential analysis of access vulnerabilities, creation / modification / deletion vulnerabilities, and recovery vulnerabilities helps identify potential risks to the system from this threat. These risks are stored in a database.
- a ranking of the risks makes it possible to determine the cases to be authorized, those to prohibit and finally those to authorize with restriction (time slot, geographical, ...): these are the scenarios.
- the risks are classified according to two criteria.
- a human intervention makes it possible to choose the countermeasures defining the security policy of the PABX (200), taking into account the proposals made by the expert system:
  - examples concerning architectural vulnerabilities: suppressing inactive links, changing the remote maintenance numbers if they match the manufacturers' standard values, reorganizing the directory ...;
  - examples concerning the functionalities provided by the PABX: the countermeasures relating to the risk scenarios take the form of choices, since deleting all the open functionalities is out of the question, by definition of the role of the PABX.
- rules databases (1110), vulnerabilities (1100) and countermeasures (1210) are updated when new scenarios are created.
- Example 3 Traffic diversion
- a hijacking can come from the combination of the following vulnerabilities:
- Vulnerability of access concerns the value_telemention (manufacturer's password, SDA number, no restriction)
- Vulnerability of "cms” relates to the value_features (external referral, no restrictions)
- the risk rule then established becomes: IF value_telemaintenance (manufacturer password, SDA number, no restriction) AND value_functions (external reference) AND value_architecture (external links, no restriction) THEN risk (diversion of traffic)
- This scenario can occur frequently because an external hacker can, by means of a "war-dialer" (a program that launches calls massively over a series of telephone numbers to identify modem or fax carriers and gain entry into a computer or telecom system), identify the remote maintenance modem, use the Internet to find the manufacturer's passwords, and access and activate the forwarding feature or divert the traffic to his own account.
- the rules engine uses the correspondence matrices mentioned earlier to: - identify all the access vulnerabilities
- associated_services_values voicemail, standard password, nda
- Cms function_values (automatic callback after message delivery, external number),
- Associated_services_values voicemail, standard password, sda
- Operator_values automated callback after message delivery, external number
- value_architecture external links, no restriction
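As an added example (not the patent's own code), this Python sketch shows how the audit server's rules engine can chain audit attributes to risk rules of the form given in Example 3 and, for a configuration that almost matches a rule, surface the closest scenario for human review; the attribute names follow the page, while the second rule's wording, the severities, the ranking by severity and the audit values are constructed assumptions.

```python
from dataclasses import dataclass

# Audit result: attribute name -> set of values observed on the PABX. Names
# follow the page (value_telemaintenance, value_functions, value_architecture,
# associated_services_values); the page spells the function attribute several
# ways, so a single name is assumed here.
Facts = dict[str, set[str]]


@dataclass(frozen=True)
class RiskRule:
    risk: str                               # conclusion, e.g. "diversion of traffic"
    conditions: dict[str, frozenset[str]]   # attribute -> values that must all be present
    severity: int                           # assumed ranking key, 1 (low) .. 3 (high)


def criteria(rule: RiskRule) -> list[tuple[str, str]]:
    """Flatten a rule into its individual (attribute, value) criteria."""
    return [(attr, val) for attr, vals in rule.conditions.items() for val in sorted(vals)]


def match_ratio(rule: RiskRule, facts: Facts) -> float:
    """Fraction of a rule's criteria satisfied by the audit facts."""
    crit = criteria(rule)
    hits = sum(1 for attr, val in crit if val in facts.get(attr, set()))
    return hits / len(crit)


def forward_chain(rules: list[RiskRule], facts: Facts) -> list[str]:
    """Risks whose every condition is present in the facts."""
    return [r.risk for r in rules if match_ratio(r, facts) == 1.0]


def closest_scenarios(rules: list[RiskRule], facts: Facts, threshold: float = 0.8):
    """Rules not fully matched but sharing most criteria with the facts: the
    candidates the self-learning step would put to a human operator."""
    out = []
    for r in rules:
        ratio = match_ratio(r, facts)
        if threshold <= ratio < 1.0:
            out.append((r.risk, ratio))
    return out


def rank(rules: list[RiskRule], facts: Facts) -> dict[str, str]:
    """Classify each fired risk into the page's three classes. The page does
    not give its two ranking criteria, so severity alone is assumed."""
    decision = {3: "prohibit", 2: "authorize with restriction", 1: "authorize"}
    return {r.risk: decision[r.severity] for r in rules if match_ratio(r, facts) == 1.0}


# Rules transcribed from the page's Example 3 (traffic diversion) and its
# voicemail call-back wiretap example; the severities are assumed.
RULES = [
    RiskRule(
        "diversion of traffic",
        {
            "value_telemaintenance": frozenset({"manufacturer password", "sda number", "no restriction"}),
            "value_functions": frozenset({"external reference"}),
            "value_architecture": frozenset({"external links", "no restriction"}),
        },
        severity=3,
    ),
    RiskRule(
        "wiretap via voicemail call-back",
        {
            "associated_services_values": frozenset({"voicemail", "standard password", "sda"}),
            "value_functions": frozenset({"automatic callback after message delivery", "external number"}),
            "value_architecture": frozenset({"external links", "no restriction"}),
        },
        severity=3,
    ),
]

# Constructed audit of a PABX whose remote maintenance port still uses the
# manufacturer's password, while the voicemail password has been changed.
AUDIT: Facts = {
    "value_telemaintenance": {"manufacturer password", "sda number", "no restriction"},
    "value_functions": {"external reference", "automatic callback after message delivery", "external number"},
    "value_architecture": {"external links", "no restriction"},
    "associated_services_values": {"voicemail", "sda"},
}

if __name__ == "__main__":
    print(forward_chain(RULES, AUDIT))       # ['diversion of traffic']
    print(closest_scenarios(RULES, AUDIT))   # wiretap rule at 6/7 of its criteria
    print(rank(RULES, AUDIT))                # {'diversion of traffic': 'prohibit'}
```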
- the established rules are sorted according to their area of application: those concerning the "low layers” of communication (OSI layer 1-3) are transmitted to the database of the firewall server (110) via the supervision server (120), those concerning the "high layers” (OSI applications
- PABX they are therefore directly set in the PABX database, automatically and / or manually.
- the other rules are compared on the supervision server
- Each call generates a communication ticket with 128 bytes. These tickets are generally used for billing calls.
- the ticket provides, inter alia, the following information:
- a consistency check between the information contained in the ticket and the PABX database is carried out: an alert is raised in case of inconsistency, and the call can be terminated. This is, for example, the case when during a manual reconfiguration of the PABX, all the new parameters edited by the audit module were not introduced into the PABX (no updating of the directory, forgetting to forbid a feature for a position, etc.). This control makes it possible to limit the calls to the possibilities provided and authorized (the parameters) by the PABX.
- the data resulting from this analysis is sent together with the information of the communication tickets to the supervision server (120).
- the information about the current call is combined with the alerts sent from the firewall server (110) for OSI low-layer analysis (firewall alerts database) and compared with the security rules of the supervision server (120). A further analysis can be performed: it compares the data of the current call with a history of the last calls ("Tempo File Attacks") to establish whether there is an attack or a violation of the security policy (according to models of typical attacks).
- This history can take the form of a file recording the last hundred calls processed by the PABX and their characteristics (called extension, fewer than 4 rings, no answer, external calling station, ...).
- the purpose of this historization is to be able to determine repeated attacks.
- the real-time monitoring of the company's communication system is based on traffic ticket analysis, the monitoring of features implemented by a call and presenting vulnerabilities, monitoring and alerting when a risk scenario occurs, the self-learning of scenarios not foreseen that do occur, and finally the detection of attacks by the reconciliation of information, for example:
  - the number of calls with fewer than 4 rings that were hung up, compared with the average: analysis of the standard deviation with a triggering threshold;
  - the number of such calls, with analysis of whether the phenomenon takes place in a sequential or random manner, with indication of the time between each call of this nature and a triggering threshold;
  - the number of calls answered through voicemail and detected as modem calls.
- a weighting algorithm based on this information, will establish the presence or absence of an attack and will implement the alert and action procedure previously established.
- the decision may be made to cut off all outside links if the event occurs. happens during a period during which the business is closed (at night).
- the internal telephone number concerned may be inactivated.
- the PBX is reconfigured taking this risk into account.
- an expert system similar to the one described above, allows the self-learning of the system.
- a new risk is determined, scenarios possibly proposed and a human operator determines the scenarios corresponding to the security policy.
- This learning is done by fuzzy chaining: we analyze the closest scenarios. For example, a scenario with four out of five criteria identical to the current call is considered close.
- the system also allows statistical feedback allowing among others to know the number of completed calls, the number of fraudulent access attempts, ...
- the invention consists of a software running on a "Windows Server" operating system (business name) and the databases implemented are of SQL type and later on more sophisticated platforms such as Oracle (Business Name).
- EXAMPLE OF A SCENARIO: the following is an example of the processing of a fraudulent call scenario, from its origin to the countermeasures applied by the system.
- the logical communication port of the automatic switch is open and there is no VLAN configuration for the Ethernet network dedicated to the telephone servers,
- the data firewall authorizes the ftp port 80, which made it possible to enter the PABX, on which this port also has to remain open,
- the attacker then creates a virtual station in the PABX with the open-dialing function (a station whose interface has been activated without a physical set being connected and which, when requested, dials the exit code to the network and waits for the number to dial).
- the hacker has assigned it the DISA function (a function that allows an extension outside the company to be perceived as an extension of the company).
- cyclic grouping: a group of extensions that has a common generic internal number, which does not prevent these extensions from having an individual number, and which directs each new call to the group to the next free extension belonging to the group.
- the hacking community has been notified of the numbers to dial.
- this community consists of 50 members, one of whom has a voice server located in the Bahamas with a billing service (€1 per minute, paid by the operator to an account in Switzerland).
- the hacker activated a group forwarding to the Bahamas voice server during non-business hours.
- the bill can be very steep for the company, and the bleeding cannot be stopped as easily because several actions have been carried out without a clear link between them.
- VLAN: prohibit the absence of a VLAN,
- fictitious station: limit the number of stations that can be created, and monitor the numbers authorized by the supervision software through the tickets and display them in the directory,
- timed-out call: prohibit; forwarding: prohibit outside forwarding for all extensions belonging to a group on the group number,
- the "supervision" application will dispatch the rules and settings either to the firewall server (110) or to the PABX.
- the configuration of the PABX will be done manually, because the PABX has no API or IAE interface in our example: setting up a VLAN will be carried out on acknowledgement by the IT department, and its completion will be checked and noted during the next automatic audit.
- firewall server: no action planned, because layers 1 to 3 of the OSI model, managed by the communication analyzer, are not involved in this example.
- the current call scenario will be compared with all the scenarios in the database to find a possible new scenario, close or original.
- the call will be stored with its characteristics in the running-log ("waterwire" in the original translation) database.
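The ticket analysis described in the monitoring part above (consistency check between a ticket and the PABX database, count of calls with fewer than 4 rings that were hung up compared with the average using a standard-deviation triggering threshold, the sequential-or-random indication for the times between such calls, and the weighting of the indicators that decides whether the alert and action procedure fires), as an added Python example that is not the patent's code. The ticket fields, the PABX database layout, the one-hour buckets, the weights and the closed hours are assumptions, and the ticket history is constructed.

```python
# Added example (not the patent's own code): a toy model of the supervision
# server's ticket analysis. Ticket fields, the PABX database layout, the bucket
# size, the weights and the closed hours are assumptions, not patent values.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Ticket:
    """One communication ticket (call detail record) emitted by the PABX."""
    when: datetime
    extension: str        # internal extension involved in the call
    rings: int            # ring count before pickup or hang-up
    answered: bool
    features: tuple = ()  # PABX features used by the call, e.g. ("DISA",)

# Constructed PABX configuration database: features each extension may use.
PABX_DB = {"2001": {"FORWARD_EXT"}, "2002": set(), "2003": set()}

def consistency_alerts(ticket, db=PABX_DB):
    """Ticket vs. PABX database: an unknown extension, or a feature the database
    does not authorise for it, is an inconsistency (e.g. a reconfiguration never made)."""
    allowed = db.get(ticket.extension)
    if allowed is None:
        return [f"extension {ticket.extension} absent from directory"]
    return [f"feature {f} not authorised for {ticket.extension}"
            for f in ticket.features if f not in allowed]

def is_short_hangup(ticket, max_rings=4):
    """Call that rang fewer than max_rings times and was not answered."""
    return ticket.rings < max_rings and not ticket.answered

def _window_start(history):
    # Buckets are aligned to the hour of the oldest ticket (1-hour buckets assumed).
    return min(t.when for t in history).replace(minute=0, second=0, microsecond=0)

def short_hangup_counts(history, bucket=timedelta(hours=1)):
    """Number of short hang-ups per time bucket over the whole history."""
    start = _window_start(history)
    counts = [0] * (int((max(t.when for t in history) - start) / bucket) + 1)
    for t in filter(is_short_hangup, history):
        counts[int((t.when - start) / bucket)] += 1
    return counts

def timing_pattern(tickets, max_rings=4):
    """'sequential' (regular gaps) or 'random' arrival of the short hang-ups,
    judged by the relative spread of the intervals between them."""
    times = sorted(t.when for t in tickets if is_short_hangup(t, max_rings))
    if len(times) < 3:
        return "insufficient"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    spread = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
    return "sequential" if spread < 0.25 else "random"

def burst_alert(history, k=2.0, bucket=timedelta(hours=1)):
    """Compare the latest bucket with the earlier ones and trigger when it
    exceeds mean + k * standard deviation (the triggering threshold)."""
    counts = short_hangup_counts(history, bucket)
    if len(counts) < 3:
        return None
    baseline, current = counts[:-1], counts[-1]
    threshold = mean(baseline) + k * pstdev(baseline)
    if current <= threshold:
        return None
    recent_from = _window_start(history) + (len(counts) - 1) * bucket
    recent = [t for t in history if t.when >= recent_from]
    return {"current": current, "threshold": round(threshold, 2),
            "pattern": timing_pattern(recent)}

# Assumed weights for the weighting algorithm, and assumed closed hours (night).
WEIGHTS = {"inconsistency": 3, "burst": 4, "sequential": 2, "closed_hours": 2}
CLOSED_HOURS = range(20, 24)

def assess(history, db=PABX_DB, attack_threshold=6):
    """Weight the indicators present and decide whether the alert and action
    procedure (e.g. cutting the outside links at night) is triggered."""
    latest = max(history, key=lambda t: t.when)
    reasons = ["inconsistency"] if consistency_alerts(latest, db) else []
    burst = burst_alert(history)
    if burst:
        reasons.append("burst")
        if burst["pattern"] == "sequential":
            reasons.append("sequential")
    if latest.when.hour in CLOSED_HOURS:
        reasons.append("closed_hours")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"score": score, "attack": score >= attack_threshold, "reasons": reasons}

def build_sample_history():
    """Constructed history: quiet evening traffic, then a night-time burst of
    short, unanswered calls five minutes apart on an extension using DISA."""
    base = datetime(2024, 1, 15, 18, 0)  # constructed date
    history = []
    for h in range(5):
        history.append(Ticket(base + timedelta(hours=h, minutes=10), "2001", 6, True))
        if h in (1, 3):
            history.append(Ticket(base + timedelta(hours=h, minutes=40), "2002", 2, False))
    for i in range(6):
        history.append(Ticket(base + timedelta(hours=5, minutes=5 * i), "2003", 1, False, ("DISA",)))
    return history
```

Running `assess(build_sample_history())` scores the constructed burst as an attack on four grounds: the latest ticket uses DISA on an extension the database does not authorise it for, the last hour holds six short hang-ups against a baseline of at most one, the gaps between them are regular, and the burst falls in the closed hours. The constant-spread test in `timing_pattern` is a deliberately simple stand-in for the patent's "times between each call" analysis.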
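The scenario comparison in the example above (the current call compared with all scenarios in the database by fuzzy chaining, where a stored scenario with four out of five criteria identical to the current call is considered close, and a new scenario is left to the human operator), as an added Python example that is not the patent's code. The five criteria, the business hours, the stored scenarios and the countermeasure labels are assumptions derived from the example scenario.

```python
# Added example (not the patent's own code): scenario comparison by the patent's
# "fuzzy chaining" rule, where a stored scenario sharing at least 4 of 5 criteria
# with the current call counts as close. The criteria, the stored scenarios and
# the countermeasure labels are assumptions built from the example scenario.

# The five criteria that characterise a call (assumed).
CRITERIA = ("external_origin", "disa_used", "forward_outside",
            "outside_business_hours", "group_number")

# Constructed scenario database: name -> value of each criterion.
SCENARIOS = {
    "group forwarding to a premium-rate voice server": dict.fromkeys(CRITERIA, True),
    "employee on-call forwarding": {"external_origin": False, "disa_used": False,
                                    "forward_outside": True,
                                    "outside_business_hours": True,
                                    "group_number": False},
}

# Constructed countermeasures, following the example's rule list.
COUNTERMEASURES = {
    "group forwarding to a premium-rate voice server": [
        "prohibit outside forwarding on the group number",
        "limit the number of fictitious stations and list them in the directory",
        "prohibit the absence of a VLAN on the telephony network",
    ],
    "employee on-call forwarding": [],
}

def criteria_from_call(origin, features, forwarded_outside, hour, to_group,
                       business_hours=range(8, 19)):
    """Reduce a call's ticket data to the five boolean criteria
    (the business hours are an assumption)."""
    return {
        "external_origin": origin == "external",
        "disa_used": "DISA" in features,
        "forward_outside": forwarded_outside,
        "outside_business_hours": hour not in business_hours,
        "group_number": to_group,
    }

def closeness(call, scenario):
    """Number of criteria on which the call and the scenario agree."""
    return sum(call[c] == scenario[c] for c in CRITERIA)

def classify(call, scenarios=SCENARIOS, min_match=4):
    """Closest stored scenario: identical on every criterion -> known, on at
    least min_match criteria -> close, otherwise a new scenario for the operator."""
    best = max(scenarios, key=lambda name: closeness(call, scenarios[name]))
    matches = closeness(call, scenarios[best])
    if matches == len(CRITERIA):
        status = "known"
    elif matches >= min_match:
        status = "close"
    else:
        status = "new"
    return {"status": status, "matches": matches,
            "scenario": None if status == "new" else best}

def respond(call, scenarios=SCENARIOS, countermeasures=COUNTERMEASURES):
    """Countermeasures for a known or close scenario; a new scenario is queued
    for the human operator, who decides whether it matches the security policy."""
    result = classify(call, scenarios)
    if result["status"] == "new":
        return {"action": "propose to operator", "countermeasures": []}
    return {"action": "apply",
            "countermeasures": countermeasures.get(result["scenario"], [])}

def learn(call, name, measures=(), scenarios=SCENARIOS, countermeasures=COUNTERMEASURES):
    """Self-learning step: the operator confirms a new scenario, which is stored
    together with the countermeasures decided for it."""
    scenarios[name] = {c: call[c] for c in CRITERIA}
    countermeasures[name] = list(measures)
```

The example's fraudulent call (external origin, DISA, group number forwarded outside, at night) matches the stored fraud scenario on all five criteria; the same call without DISA still matches on four and is treated as close, so the countermeasures apply; a routine internal daytime call matches on at most three and is proposed to the operator, and once confirmed with `learn` it is recognised as known. `learn` mutates the module-level dictionaries, which is fine for a demonstration but would be a database write in the patent's design.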
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0452361A FR2876855B1 (fr) | 2004-10-19 | 2004-10-19 | Dispositif de securisation d'un autocommutateur |
PCT/FR2005/002601 WO2006042973A1 (fr) | 2004-10-19 | 2005-10-19 | Dispositif de securisation d’un autocommutateur |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1803279A1 true EP1803279A1 (fr) | 2007-07-04 |
Family
ID=34954135
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05812485A Withdrawn EP1803279A1 (fr) | 2004-10-19 | 2005-10-19 | Dispositif de securisation d un autocommutateur |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1803279A1 (fr) |
FR (1) | FR2876855B1 (fr) |
WO (1) | WO2006042973A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115705035B (zh) * | 2021-08-13 | 2024-05-28 | 中国石油天然气集团有限公司 | 无人站场阀室控制系统及无人站场阀室的控制方法 |
US12034758B2 (en) * | 2021-09-14 | 2024-07-09 | The Mitre Corporation | Optimizing network microsegmentation policy for cyber resilience |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6601048B1 (en) * | 1997-09-12 | 2003-07-29 | Mci Communications Corporation | System and method for detecting and managing fraud |
US6226372B1 (en) * | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities |
US7133511B2 (en) * | 1998-12-11 | 2006-11-07 | Securelogix Corporation | Telephony security system |
US6760420B2 (en) * | 2000-06-14 | 2004-07-06 | Securelogix Corporation | Telephony security system |
US6801607B1 (en) * | 2001-05-08 | 2004-10-05 | Mci, Inc. | System and method for preventing fraudulent calls using a common billing number |
- 2004
  - 2004-10-19 FR FR0452361A patent/FR2876855B1/fr not_active Expired - Fee Related
- 2005
  - 2005-10-19 EP EP05812485A patent/EP1803279A1/fr not_active Withdrawn
  - 2005-10-19 WO PCT/FR2005/002601 patent/WO2006042973A1/fr active Application Filing
Non-Patent Citations (1)
Title |
---|
See references of WO2006042973A1 * |
Also Published As
Publication number | Publication date |
---|---|
FR2876855A1 (fr) | 2006-04-21 |
WO2006042973A1 (fr) | 2006-04-27 |
FR2876855B1 (fr) | 2007-02-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6760420B2 (en) | | Telephony security system |
US6226372B1 (en) | | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities |
US7653188B2 (en) | | Telephony extension attack detection, recording, and intelligent prevention |
US6700964B2 (en) | | Encapsulation, compression and encryption of PCM data |
US7133511B2 (en) | | Telephony security system |
US20020090073A1 (en) | | Telephony security system |
US6879671B2 (en) | | Virtual private switched telecommunications network |
EP1894350B1 (fr) | | Securisation de la telephonie sur ip |
WO2011083226A1 (fr) | | Procédé de détection d'un détournement de ressources informatiques |
US6718024B1 (en) | | System and method to discriminate call content type |
EP1193945A1 (fr) | | Procédé et appareil pour contrôle d'accès dans un réseau |
EP3104585B1 (fr) | | Dispositif et procédé de traitement d'une communication |
EP1803279A1 (fr) | | Dispositif de securisation d un autocommutateur |
US20050025302A1 (en) | | Virtual private switched telecommunications network |
FR3037465A1 (fr) | | Dispositif et procede de traitement d'une communication |
De Lutiis et al. | | An innovative way to analyze large ISP data for IMS security and monitoring |
Sharma | | Implementation of Unified Communication and analysis of the Toll Fraud Problem |
Androulidakis et al. | | Confidentiality, Integrity, and Availability Threats in PBXs |
Patton | | A case study of Internet Protocol Telephony implementation at United States Coast Guard headquarters |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20070511 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
| DAX | Request for extension of the european patent (deleted) | |
| 111Z | Information provided on other rights and legal means of execution | Free format text: AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR; Effective date: 20080110 |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: CHECKPHONE TECHNOLOGIES |
| 17Q | First examination report despatched | Effective date: 20140210 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20140503 |