Honeypot software for VoIP networks

Artemisa is an open source VoIP/SIP-specific honeypot software designed to connect to a VoIP enterprise domain as a user-agent backend in order to detect malicious activity at an early stage. Moreover, the honeypot can play a role in the real-time adjustment of the security policies of the enterprise domain where it is deployed.

Artemisa should work as a conventional user-agent of a VoIP/SIP domain. To achieve this, it provides modular configuration files where the administrator can set up the connection parameters as well as the Artemisa’s behavior.

The SIP registrar server of the domain should be also configured in order to let Artemisa be registered with a set of extensions (e.g. 5 extensions from 401 to 405). Once Artemisa is configured and launched, which is suggested to do it on a separate machine or virtual machine, it keeps listening and waiting for SIP activity. Normally, it’s expected NOT to see SIP activity on the honeypot, such as a call, since the honeypot doesn’t represent a human being. Thus, any call or message which reach the honeypot is suspicious and is analyzed.

The analysis involves the usage of different techniques and third-party tools to determine and classify the nature of the message. When the message is classified and a conclusion is obtained, Artemisa reports that in several ways such as running user-configurable scrits and sending an e-mail report. The user-configurable scripts allow the administrator to give Artemisa the enough power to adjust the domain policies in real-time.