One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and to see their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).
Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.
To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how ‘dangerous’ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.
An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the ‘suspiciousness level’ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and can’t get through.
In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.
If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.