[asterisk-security] Seeking Collaboration in Development and Validation of an Anomaly Detection System for Asterisk
Hira Agrawal
hira at research.telcordia.com
Tue Jun 10 16:16:18 CDT 2008
We are currently doing research and development on an open-source
runtime application monitoring system for Asterisk. This system is aimed
at detecting and mitigating problems or vulnerabilities that arise from
residual errors--whether unintentional or malicious--either in the
application code or in its configuration or usage patterns. It can, for
example, be used to detect and prevent various security, performance,
and availability problems resulting from latent errors in Asterisk code
or, more importantly, in the dialplans it is configured with for
handling all calls that go through it.

Our approach involves examining "events" that get generated as a side
effect of normal call processing and analyzing them, or some appropriate
transformations of those events, against "normal", expected application
behavior. Certain expected behaviors may be specified explicitly by
system experts, while others may be "learned" implicitly by the
monitoring system from "training" data that represents the target
Asterisk PBX's normal, intended usage modes. In many instances, problems
detected by the monitoring system may also be addressed automatically if
the target system also provides appropriate control interfaces. In the
case of Asterisk, for example, the Asterisk Manager Interface (AMI) API
may be used for both--obtaining application events as well as performing
certain mitigation actions. System logs generated by Asterisk may also
act as additional sources of application events.

We would like to make the resulting monitoring software available as an
open source system for others to use, enhance, and experiment with.

To do an effective job, however, we would like to partner with some
large, existing Asterisk users, who can help us gather real life
examples of Asterisk usage against which we can test and evaluate our
techniques. This can, obviously, be done in a manner that addresses the
privacy and confidentiality concerns of all parties involved. Any names,
phone numbers, and URIs, for example, may be masked appropriately in all
data that is shared with others.

Please let us know if you would like to participate in this effort or if
you have any questions in this regard.

Any related help/suggestions/pointers would also be greatly appreciated.

Thanks.

-- Hira Agrawal
Telcordia Technologies
hira at research.telcordia.com
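The post above sketches the approach (AMI events checked against expert-specified rules and against behaviour learned from training data, with identifiers masked before data is shared). The following is an added toy illustration of that idea in Python, not the authors' monitoring system; the event field names are standard AMI keys, while the allowed-context rule, the per-caller call limit and all sample events are constructed assumptions.

```python
"""Toy AMI event anomaly detector illustrating the approach in the post above
(added example, not the authors' system). It combines an explicit expert rule
(allowed dialplan contexts) with a baseline learned from constructed training
events (calls per caller), and masks digits before results are shared."""
from collections import Counter
import re

def parse_ami_events(text):
    """AMI emits events as 'Key: Value' lines; a blank line ends each event."""
    events = []
    for block in re.split(r"\r?\n\r?\n", text.strip()):
        fields = dict(line.partition(": ")[::2] for line in block.splitlines())
        if "Event" in fields:
            events.append(fields)
    return events

def calls_per_caller(events):
    """One call attempt per Newchannel event, keyed by CallerIDNum."""
    return Counter(e.get("CallerIDNum", "?") for e in events
                   if e.get("Event") == "Newchannel")

def learn_baseline(training_events, slack=2):
    """Learned 'normal' usage: calls per caller seen in training, plus slack."""
    return {c: n + slack for c, n in calls_per_caller(training_events).items()}

def detect_anomalies(events, baseline, allowed_contexts, default_limit=2):
    """Alerts as (kind, subject): 'context' when a Newexten ran in a context the
    experts did not permit (a dialplan mistake, say); 'rate' when a caller
    exceeds its learned call limit (callers unseen in training get default)."""
    alerts = [("context", e.get("Context", "?")) for e in events
              if e.get("Event") == "Newexten"
              and e.get("Context") not in allowed_contexts]
    for caller, n in calls_per_caller(events).items():
        if n > baseline.get(caller, default_limit):
            alerts.append(("rate", caller))
    return alerts

def mask_number(value):
    """Mask all but the last two digits before sharing data with partners."""
    return re.sub(r"\d(?=\d{2})", "X", value)

# Constructed windows (not real PBX data): training shows normal use; the live
# window has 5 calls from 1001 and a dialplan hop into an unapproved context.
TRAINING = "\n".join([
    "Event: Newchannel\nChannel: SIP/1001-1\nCallerIDNum: 1001\n",
    "Event: Newexten\nChannel: SIP/1001-1\nContext: internal\nExtension: 1002\n",
    "Event: Newchannel\nChannel: SIP/1002-2\nCallerIDNum: 1002\n"])
LIVE = "\n".join(
    [f"Event: Newchannel\nChannel: SIP/1001-{i}\nCallerIDNum: 1001\n" for i in range(5)]
    + ["Event: Newexten\nChannel: SIP/1001-9\nContext: outbound-intl\nExtension: 0011\n"])
def run_demo():
    baseline = learn_baseline(parse_ami_events(TRAINING))
    return detect_anomalies(parse_ami_events(LIVE), baseline, {"internal"})
```

Calling `run_demo()` yields one context alert for `outbound-intl` and one rate alert for caller 1001; pass each subject through `mask_number` before the alert leaves the PBX operator's hands.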