# VOIP Enterprise - Attack Dataset Analysis

* **Author:** Patrik Goldschmidt (igoldschmidt@fit.vut.cz)
* **Project:** Network Intrusion Datasets: A Survey, Limitations, and Recommendations
* **Date:** 2024

In [2]:
# Assumes the files from each scenario have already been merged so that the dataset duration can be determined
PATH = '/data/voip-enterprise/processed'

In [3]:
import os

In [4]:
# List all dataset files
ALL_FILES = [os.path.join(PATH, fname) for fname in os.listdir(PATH)]
ALL_FILES

['/data/voip-enterprise/processed/bye_a_hosts.pcap',
 '/data/voip-enterprise/processed/invite_a.pcap',
 '/data/voip-enterprise/processed/sipsak.pcap',
 '/data/voip-enterprise/processed/register_hijack_a.pcap',
 '/data/voip-enterprise/processed/register_hijack_b.pcap',
 '/data/voip-enterprise/processed/bye_a_attacker.pcap',
 '/data/voip-enterprise/processed/invite_b.pcap',
 '/data/voip-enterprise/processed/rtpf_a.pcap',
 '/data/voip-enterprise/processed/rtpf_b.pcap',
 '/data/voip-enterprise/processed/spit.pcap',
 '/data/voip-enterprise/processed/bye_b_hosts.pcap',
 '/data/voip-enterprise/processed/bye_b_attacker.pcap']

In [5]:
# Measure each file's capture duration to determine the capture length
for file in ALL_FILES:
    !capinfos -u $file

File name:           /data/voip-enterprise/processed/bye_a_hosts.pcap
Capture duration:    734.168354 seconds
File name:           /data/voip-enterprise/processed/invite_a.pcap
Capture duration:    1013.857646 seconds
File name:           /data/voip-enterprise/processed/sipsak.pcap
Capture duration:    1019.951040 seconds
File name:           /data/voip-enterprise/processed/register_hijack_a.pcap
Capture duration:    1024.256731 seconds
File name:           /data/voip-enterprise/processed/register_hijack_b.pcap
Capture duration:    1067.504594 seconds
File name:           /data/voip-enterprise/processed/bye_a_attacker.pcap
Capture duration:    322.619373 seconds
File name:           /data/voip-enterprise/processed/invite_b.pcap
Capture duration:    1022.451182 seconds
File name:           /data/voip-enterprise/processed/rtpf_a.pcap
Capture duration:    1043230.035390 seconds
File name:           /data/voip-enterprise/processed/rtpf_b.pcap
Capture duration:    1047729.447956 seconds
Fil

Apparently, the RTP Flood captures span far too long a time, so there must be a gap between the scenario's individual captures.

In [6]:
# Analyze RTP Flood capinfos durations
RTPF_DIR = '/data/voip-enterprise/rtp_flood'
RTPF_FILES = [os.path.join(RTPF_DIR, fname) for fname in os.listdir(RTPF_DIR)]
RTPF_FILES

['/data/voip-enterprise/rtp_flood/RTP_A_Host_Asterisk_IP-PBX.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_A_Host_Client2.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_B_Host_Client2.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_B_Host_Client3.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_A_Host_Client4.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_B_Host_Client1.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_A_Host_Client3.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_B_Host_Asterisk_IP-PBX.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_B_Host_Client4.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_B_Host_Attacker.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_A_Host_Attacker.pcap',
 '/data/voip-enterprise/rtp_flood/RTP_A_Host_Client1.pcap']

In [8]:
for rtpf_file in sorted(RTPF_FILES):
    !capinfos -a -e $rtpf_file

File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Asterisk_IP-PBX.pcap
First packet time:   2020-08-16 10:54:19.775853
Last packet time:    2020-08-16 11:11:00.418120
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Attacker.pcap
First packet time:   2020-08-16 10:54:19.575910
Last packet time:    2020-08-16 11:11:51.842283
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Client1.pcap
First packet time:   2020-08-16 10:55:07.035600
Last packet time:    2020-08-16 11:11:07.191101
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Client2.pcap
First packet time:   2020-08-04 09:24:41.806893
Last packet time:    2020-08-04 09:45:00.757702
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Client3.pcap
First packet time:   2020-08-16 10:54:31.261114
Last packet time:    2020-08-16 11:11:03.729486
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Client4.pcap
First packet time:   2020-08-16 10:54:06.374536
L

Apparently, client 3 is not in line with the other traffic, which adds to the time discontiguity of the capture. Finding the root of the problem and fixing it is done in a normal terminal.
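As an added example (not part of the original notebook), the following Python parses `capinfos -a -e` output like that printed above and flags per-host captures whose start time falls far from the rest of the scenario, which is the kind of discontiguity that inflates the merged file's duration. The sample text and the one-hour tolerance are constructed assumptions.

```python
# Added example, not from the original notebook: parse `capinfos -a -e` output
# and flag captures whose time range is out of line with the rest of the scenario.
from datetime import datetime, timedelta
from statistics import median

# Constructed sample modelled on the capinfos output above: three files from the
# RTP Flood A scenario, one of them captured days away from the others.
SAMPLE = """\
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Asterisk_IP-PBX.pcap
First packet time:   2020-08-16 10:54:19.775853
Last packet time:    2020-08-16 11:11:00.418120
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Client2.pcap
First packet time:   2020-08-04 09:24:41.806893
Last packet time:    2020-08-04 09:45:00.757702
File name:           /data/voip-enterprise/rtp_flood/RTP_A_Host_Client3.pcap
First packet time:   2020-08-16 10:54:31.261114
Last packet time:    2020-08-16 11:11:03.729486
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # timestamp layout used by capinfos


def parse_capinfos(text):
    """Return {file name: (first packet time, last packet time)}."""
    ranges, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "File name":
            current = value
        elif key == "First packet time":
            ranges[current] = [datetime.strptime(value, TS_FMT), None]
        elif key == "Last packet time":
            ranges[current][1] = datetime.strptime(value, TS_FMT)
    return {name: tuple(span) for name, span in ranges.items()}


def find_outliers(ranges, tolerance=timedelta(hours=1)):
    """Return (files whose first packet is farther than `tolerance` from the
    median start time of the scenario, overall span of all captures)."""
    centre = median(first.timestamp() for first, _ in ranges.values())
    outliers = sorted(name for name, (first, _) in ranges.items()
                      if abs(first.timestamp() - centre) > tolerance.total_seconds())
    span = (max(last for _, last in ranges.values())
            - min(first for first, _ in ranges.values()))
    return outliers, span


if __name__ == "__main__":
    bad, total = find_outliers(parse_capinfos(SAMPLE))
    print("out-of-line captures:", bad, "| scenario span:", total)
```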