[asterisk-security] Seeking Collaboration in Development and Validation of an Anomaly Detection System for Asterisk

Hira Agrawal hira at research.telcordia.com
Tue Jun 10 16:16:18 CDT 2008


We are currently doing research and development on an open-source 
runtime application monitoring system for Asterisk. This system is aimed 
at detecting and mitigating problems or vulnerabilities that arise from 
residual errors--whether unintentional or malicious--either in the 
application code or in its configuration or usage patterns. It can, for 
example, be used to detect and prevent various security, performance, 
and availability problems resulting from latent errors in Asterisk code 
or, more importantly, in the dialplans it is configured with for 
handling all calls that go through it.

Our approach involves examining "events" that get generated as a side 
effect of normal call processing and analyzing them, or some appropriate 
transformations of those events, against "normal", expected application 
behavior. Certain expected behaviors may be specified explicitly by 
system experts, while others may be "learned" implicitly by the 
monitoring system from "training" data that represents the target 
Asterisk PBX's normal, intended usage modes. In many instances, problems 
detected by the monitoring system may also be addressed automatically if 
the target system also provides appropriate control interfaces. In the 
case of Asterisk, for example, the Asterisk Manager Interface (AMI) API 
may be used for both--obtaining application events as well as performing 
certain mitigation actions. System logs generated by Asterisk may also 
act as additional sources of application events.

We would like to make the resulting monitoring software available as an 
open source system for others to use, enhance, and experiment with.

To do an effective job, however, we would like to partner with some 
large, existing Asterisk users, who can help us gather real life 
examples of Asterisk usage against which we can test and evaluate our 
techniques. This can, obviously, be done in a manner that addresses the 
privacy and confidentiality concerns of all parties involved. Any names, 
phone numbers, and URIs, for example, may be masked appropriately in all 
data that is shared with others.

Please let us know if you would like to participate in this effort or if 
you have any questions in this regard.

Any related help/suggestions/pointers would also be greatly appreciated.

Thanks.

-- Hira Agrawal
   Telcordia Technologies
   hira at research.telcordia.com
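One way to prototype the event analysis the post describes, as an added example that is not part of the original message or of Telcordia's system: it parses AMI event frames, learns a per-caller call-count threshold from constructed training windows, flags callers that exceed it in a new window, and builds the AMI Hangup action a mitigation step would send. The sample events, the training counts and the mean-plus-three-sigma rule are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed AMI frames: "Key: Value" lines, CRLF-separated, a blank line ends a frame
# (the framing the manager socket produces). Caller 1001 places six calls in one window.
SAMPLE_EVENTS = "".join(
    f"Event: Newchannel\r\nPrivilege: call,all\r\nChannel: SIP/{cid}-{n:08x}\r\n"
    f"State: Ring\r\nCallerIDNum: {cid}\r\nUniqueid: 1213125000.{n}\r\n\r\n"
    for n, cid in enumerate(["1001"] * 6 + ["1002"] * 2 + ["1003"], start=1)
) + "Event: Hangup\r\nPrivilege: call,all\r\nChannel: SIP/1002-00000007\r\nCause: 16\r\n\r\n"

# Constructed training data: Newchannel counts per caller in earlier "normal" windows
TRAINING_COUNTS = {"1001": [2, 3, 2, 4, 3], "1002": [1, 1, 2, 1, 2]}

def parse_ami_frames(text):
    """Split raw AMI text into one dict per frame; lines without ': ' are skipped."""
    frames = []
    for block in text.split("\r\n\r\n"):
        frame = {}
        for line in block.split("\r\n"):
            key, sep, value = line.partition(": ")
            if sep:
                frame[key] = value
        if frame:
            frames.append(frame)
    return frames

def learn_baseline(training_counts, k=3.0):
    """Per-caller threshold = mean + k * stddev of calls per window seen in training."""
    return {cid: mean(c) + k * pstdev(c) for cid, c in training_counts.items()}

def detect_anomalies(frames, baseline, default_threshold=5.0):
    """CallerIDNum -> channels, for callers whose Newchannel count exceeds the baseline.
    Callers unseen in training are compared against default_threshold instead."""
    channels = defaultdict(list)
    for f in frames:
        if f.get("Event") == "Newchannel" and "CallerIDNum" in f:
            channels[f["CallerIDNum"]].append(f["Channel"])
    return {cid: chans for cid, chans in channels.items()
            if len(chans) > baseline.get(cid, default_threshold)}

def hangup_action(channel, action_id):
    """AMI Hangup action frame a mitigation step would write to the manager socket."""
    return f"Action: Hangup\r\nActionID: {action_id}\r\nChannel: {channel}\r\n\r\n"

def run(text=SAMPLE_EVENTS, training=TRAINING_COUNTS):
    """Analyse one window of events; return the mitigation frames that would be sent."""
    flagged = detect_anomalies(parse_ami_frames(text), learn_baseline(training))
    return [hangup_action(ch, f"mitigate-{i}")
            for i, ch in enumerate(c for chans in flagged.values() for c in chans)]
```

In a real deployment the training counts would be accumulated per time window from the same AMI stream, and the Hangup frames would be written to an authenticated manager session rather than returned.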
