IETF Logo Mail Archive

[Sipping] RE: [spitstop] Spit Score Semantics

"Saverio Niccolini" <Saverio.Niccolini@nw.neclab.eu> Thu, 22 November 2007 19:44 UTC

Return-path: <sipping-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IvHyM-00044x-OE; Thu, 22 Nov 2007 14:44:26 -0500
Received: from sipping by megatron.ietf.org with local (Exim 4.43) id 1IvHyL-00044k-UJ for sipping-confirm+ok@megatron.ietf.org; Thu, 22 Nov 2007 14:44:25 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IvHyL-00044b-Kk for sipping@ietf.org; Thu, 22 Nov 2007 14:44:25 -0500
Received: from smtp0.netlab.nec.de ([195.37.70.40]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IvHyE-0004KG-H6 for sipping@ietf.org; Thu, 22 Nov 2007 14:44:25 -0500
Received: from localhost (atlas1.office [127.0.0.1]) by smtp0.netlab.nec.de (Postfix) with ESMTP id 08CF428000303; Thu, 22 Nov 2007 20:44:18 +0100 (CET)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (atlas1.office)
Received: from smtp0.netlab.nec.de ([127.0.0.1]) by localhost (atlas1.office [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnS0wcHNLEkk; Thu, 22 Nov 2007 20:44:17 +0100 (CET)
Received: by smtp0.netlab.nec.de (Postfix, from userid 1001) id DDFDF28000350; Thu, 22 Nov 2007 20:44:17 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on atlas1.office
X-Spam-Level:
X-Spam-Status: No, score=-2.4 required=5.0 tests=ALL_TRUSTED, BAYES_00, BIZ_TLD autolearn=ham version=3.1.7
Received: from mx1.office (mx1.office [10.1.1.23]) by smtp0.netlab.nec.de (Postfix) with ESMTP id AB92928000303; Thu, 22 Nov 2007 20:43:55 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 22 Nov 2007 20:43:54 +0100
Message-ID: <5F6519BF2DE0404D99B7C75607FF76FF317B28@mx1.office>
In-Reply-To: <136AA3EA-D480-4EDA-BDFF-4D75F7EAC02B@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [spitstop] Spit Score Semantics
Thread-Index: AcgtOMtm0UnNWL1BSeuohWZz0b0IbgABdSqw
References: <113091BD57179D4491C19DA7E10CD6960193DBB7@mx1.office> <136AA3EA-D480-4EDA-BDFF-4D75F7EAC02B@cisco.com>
From: Saverio Niccolini <Saverio.Niccolini@nw.neclab.eu>
To: Signaling TO Prevent SPIT <spitstop@listserv.netlab.nec.de>, Jan Seedorf <Jan.Seedorf@nw.neclab.eu>
X-Sanitizer: This message has been sanitized!
X-Spam-Score: 0.4 (/)
X-Scan-Signature: 7268a2980febc47a9fa732aba2b737ba
Cc: sipping@ietf.org, jon.peterson@neustar.biz
Subject: [Sipping] RE: [spitstop] Spit Score Semantics
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Errors-To: sipping-bounces@ietf.org

Hi Cullen,

all we were trying to do was to answer the question about semantics
raised by Henning some time ago. He was arguing that without semantics
the spam score has no meaning and that is why we answered to it (after
thinking quite some time...).

As you know some examples of architecture are out already together with a
reference scenario (draft expired):
http://tools.ietf.org/html/draft-tschofenig-sipping-framework-spit-reduction-02
http://tools.ietf.org/id/draft-niccolini-sipping-spitstop-00.txt

Moreover some reference architecture for prototypes/products exist as
well (we demonstrated at last IETF our demo to interested people)
and there are scientific results in the literature that would justify
the semantics we are reporting here.

If an architecture needs to be defined then let's define it, let's
have this work started, it seems there is enough interest around the
topic and people willing to work on it :-)

Looking forward to meeting you in Vancouver.

Cheers,
Saverio

============================================================
Dr. Saverio Niccolini
Senior Researcher
NEC Laboratories Europe, Network Research Division	
Kurfuerstenanlage 36, D-69115 Heidelberg
Tel.     +49 (0)6221 4342-118
Fax:     +49 (0)6221 4342-155
e-mail:  saverio.niccolini@nw.neclab.eu <-- !!! NEW ADDRESS !!!
============================================================
NEC Europe Limited Registered Office: NEC House, 1 Victoria
Road, London W3 6BL Registered in England 2832014
 
  

> -----Original Message-----
> From: spitstop-bounces@listserv.netlab.nec.de 
> [mailto:spitstop-bounces@listserv.netlab.nec.de] On Behalf Of 
> Cullen Jennings
> Sent: Thursday, November 22, 2007 7:51 PM
> To: Jan Seedorf
> Cc: Eric Rescorla; jon.peterson@neustar.biz; 
> sipping@ietf.org; spitstop@listserv.netlab.nec.de
> Subject: Re: [spitstop] Spit Score Semantics
> 
> 
> This is a questions of architecture and without an 
> architecture it s pretty hard to decide what to do. If your 
> architecture requires the combination of two scores generated 
> by two different sources - then you need them to mean 
> something more than an ordinal value. Negative log 
> probabilities are pretty popular in the bayesian world but 
> there are many other things such as bounded error rates that 
> could work too. If on the other hand the number is generated 
> by one source and it the only thing is to execute a threshold 
> on it, then it could just be an arbitrary range. Anyways, 
> before we understand what the basic architecture is, it seems 
> hard to sort out the semantics we need.
> 
> 
> On Nov 22, 2007, at 3:17 AM, Jan Seedorf wrote:
> 
> > Dear all,
> >
> > We (Saverio Niccolini and Jan Seedorf) believe there is a need to 
> > signal SPIT scores (as calculated with various methods at single 
> > signalling hops) along the signalling path to protect against SPIT.
> > In order to make such a signalling of SPIT scores compatible among 
> > heterogeneous system, it must be standardised in some way. The 
> > draft-wing-sipping-spam-score addresses this issue by proposing 
> > additional headers/values for SPIT scores that could be 
> passed along 
> > the downstream (and possibly upstream) signalling path. One 
> question 
> > is whether it makes sense to have a SPIT score ranging from 
> 0-100. The 
> > concern raised by Henning Schulzrinne on the SPITSTOP 
> mailing list was 
> > that a scale from 0-100 has no clear semantics defined for values 
> > other than 0 ("I am sure this is not
> > SPIT") and 100 ("I am sure this is SPIT"). We thought about how to 
> > define semantics for SPIT scores and would like to receive 
> feedback on 
> > our thoughts.
> >
> > First, we believe there are SPIT detection methods resulting in a 
> > binary score (0="not SPIT",1="SPIT"). For such methods with 
> a binary 
> > result range it is quite easy to come up with well-defined 
> semantics. 
> > For instance, for methods like "whitelist" or "blacklist", 
> it could be 
> > defined that "0" means "not on list" and "1" means "on 
> list". Similar, 
> > for a CAPTCHA-test you can image "0"
> > for passed (i.e., not SPIT according to this test) and "1" 
> for failed 
> > (i.e., SPIT according to this test).
> >
> > Second, we believe it is also possible to come up with 
> semantics for 
> > statistical methods (which generally do not produce 0/1 results), 
> > resulting in a score between 0 and 100. For anomaly-based 
> statistical 
> > methods, the semantics of a score x could be that x percent of 
> > previous messages where below/above (depending on the
> > method) the result for this method compared to the current 
> message.  
> > For instance, think of a call-rate detection method that checks how 
> > many calls are initiated from a particular SIP-URI (or IP-address) 
> > within a time-frame. A result of 85 for such a test would mean that 
> > the call-rate for the SIP-URI in the From-header of the SIP 
> message in 
> > the time-frame is higher than 84% of all calls monitored in 
> the past. 
> > Note, as Henning pointed out, this implies nothing directly on the 
> > SPIT probability for that message. It is simply a way to precisely 
> > define the semantics for the score of anomaly-based statistical 
> > modules.
> >
> > For statistical modules the score could also be based on user- 
> > feedback. Then the semantics of score x would be that in the past x 
> > percent of messages with the same method-result were marked 
> as SPIT by 
> > users (using some user-feedback mechanism). This has probably more 
> > relation to a SPIT probability. However, this is not important. The 
> > point is that the score is well-defined.
> >
> > In general, we think that for EACH method it needs to be (publicly) 
> > well-defined what the corresponding score means. This score 
> does NOT 
> > (necessarily) imply a SPIT-probability. Instead, it has a 
> per- method 
> > semantic. Then, for each method it is clearly defined what the 
> > signalling of corresponding SPIT-scores means and any SPIT- 
> prevention 
> > device can make a local policy decision on these scores at its own 
> > discretion. In particular, whether the SPIT-prevention device using 
> > scores from previous hops makes arithmetic calculations on these 
> > scores or how it combines them to a final 0/1 decision is 
> out of the 
> > scope of standardisation. In addition, any hop can express its 
> > accumulated result for the single values in a total score. 
> This total 
> > is based on this hops calibrated algorithm on SPIT detection and is 
> > either 0="not SPIT" or 1="SPIT".
> >
> > To give an example (based on the current draft-wing-sipping-spam- 
> > score, whether the Via header is the correct place for SPIT-score 
> > signalling or not is a different issue and not part of this
> > discussion):
> >
> >        Via: SIP/2.0/UDP biloxi.com;branch=z9hG4bKnashds8
> >          ;received=192.0.2.1
> >   -->    ;spam-detail="callrate-anomaly=30;iprange- 
> > userfeedback=45;whitelist=0;blacklist=1"
> >   -->    ;spam=1
> >
> > This would imply that proxy biloxi.com calculated a 
> callrate value of 
> > 30 for this message, based on anomaly detection, meaning 30 
> percent of 
> > all previous messages had a lower or equal call-rate, 
> meaning nothing 
> > more and nothing less. Also, the iprange method for this message 
> > resulted in a score of 45, based on user-feedback.
> > This means that 45% of all times the result of the iprange 
> method for 
> > this message was marked as SPIT by users. The message was 
> not on the 
> > whitelist of the proxy but on its blacklist. With its own 
> (proprietary 
> > and secret) algorithm, the proxy would aggregate these scores to a 
> > "this is SPIT" decision.
> >
> > We are looking forward to receiving comments from others 
> how they view 
> > the problem of assigning semantics to SPIT scores and on 
> our thoughts 
> > towards a solution. We are thinking of writing these 
> thoughts into a 
> > separate draft or inside the draft-wing-sipping- spam-score to have 
> > the semantic of SPIT scores defined.
> >
> >  - Jan & Saverio
> >
> > ============================================================
> > Jan Seedorf
> > Research Scientist
> > NEC Europe Ltd., NEC Laboratories Europe, Network Division	
> > Kurfuerstenanlage 36, D-69115 Heidelberg
> > Tel.     +49 (0)6221 4342-221
> > Fax:     +49 (0)6221 4342-155
> > e-mail:  jan.seedorf@nw.neclab.eu
> > ============================================================
> > NEC Europe Limited Registered Office: NEC House,
> > 1 Victoria Road, London W3 6BL Registered in England 2832014
> _______________________________________________
> spitstop mailing list
> spitstop@listserv.netlab.nec.de
> https://listserv.netlab.nec.de/mailman/listinfo/spitstop
> 


_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP

v2.23.0 | Report a Bug | By Email