SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree

Voice over IP (VoIP) services have become prevalent recently because of their potential advantages, such as economic efficiency and useful features. Meanwhile, the Session Initiation Protocol (SIP) is widely used as the session protocol for VoIP services. Many mobile VoIP applications have recently been launched, and they are becoming attractive targets for attackers seeking to steal private information. In particular, malformed SIP messages and SIP flooding attacks are the most significant attacks, since they cause service disruption by targeting call procedures and system resources. Although much research has been conducted to address these problems, they remain unresolved challenges because variants of the attacks are easy to launch. In this paper, we propose a stateful SIP inspection mechanism, called SIP-VoIP Anomaly Detection (SIPAD), that leverages a SIP-optimized data structure to detect malformed SIP messages and SIP flooding attacks. SIPAD precomputes the SIP-optimized data structure (termed a stateful rule tree), which reorganizes the SIP rule set by hierarchical correlation. Depending on the current state and the message type, SIPAD selects the corresponding branches of the stateful rule tree and inspects a SIP message's structure by comparing it against those branches. The SIP-optimized rule tree provides higher detection accuracy, wider detection coverage and faster detection than existing approaches. Conventional SIP inspection schemes tend to have high overhead because of the complexity of their rule matching. Experimental results for our SIP-optimized approach, by contrast, indicate that it dramatically reduces overhead and can even be deployed in resource-constrained environments such as smartphones.
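To make the abstract's mechanism concrete, the following is an added illustration written for this page; it is not SIPAD's code and the paper's actual rule tree, state set and thresholds are not reproduced. It assumes a small constructed tree keyed by dialog state and message type (method or status code), a handful of assumed header syntax rules, an assumed 256-byte header bound, and an assumed per-source INVITE rate limit. A message is parsed, the branch for the current state of its Call-ID is looked up, the message is checked against that branch (required headers, header length and syntax), and the dialog state advances only when the message passes; INVITE rate is tracked per source to flag flooding. Sample messages are constructed inline.

```python
"""Illustrative stateful SIP rule-tree inspector (added example, not the paper's code)."""
import re
from collections import defaultdict, deque

MAX_HEADER_LEN = 256  # assumed bound on a single header value

# Assumed per-header syntax checks: a tiny subset of the RFC 3261 grammar.
HEADER_FORMAT = {
    "CSeq": re.compile(r"\d+ [A-Z]+"),
    "Via": re.compile(r"SIP/2\.0/(UDP|TCP|TLS) \S+"),
    "Call-ID": re.compile(r"\S+"),
}

# Constructed stateful rule tree: dialog state -> message type -> branch.
# A branch lists the headers a message must carry in that state and the state
# to enter once the message passes. A real tree would cover the full rule set.
CORE = ["Via", "From", "To", "Call-ID", "CSeq"]
RULE_TREE = {
    "IDLE": {
        "INVITE": {"required": CORE + ["Contact"], "next": "INVITING"},
        "REGISTER": {"required": CORE, "next": "IDLE"},
    },
    "INVITING": {
        "100": {"required": CORE, "next": "INVITING"},
        "180": {"required": CORE, "next": "INVITING"},
        "200": {"required": CORE + ["Contact"], "next": "ANSWERED"},
        "CANCEL": {"required": CORE, "next": "IDLE"},
    },
    "ANSWERED": {"ACK": {"required": CORE, "next": "ESTABLISHED"}},
    "ESTABLISHED": {"BYE": {"required": CORE, "next": "IDLE"}},
}


def parse_sip(raw):
    """Split a SIP message into (message type, headers, body).

    The message type is the method of a request or the status code of a
    response; it is the key used to pick a branch of the rule tree."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3:
        raise ValueError("bad start line")
    msg_type = parts[1] if parts[0] == "SIP/2.0" else parts[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"bad header line {line!r}")
        headers[name.strip()] = value.strip()
    return msg_type, headers, body


class SipInspector:
    def __init__(self, flood_limit=5, window=1.0):
        self.flood_limit = flood_limit      # assumed INVITEs allowed per window
        self.window = window                # seconds
        self.dialogs = {}                   # Call-ID -> current dialog state
        self.invites = defaultdict(deque)   # source -> recent INVITE timestamps

    def inspect(self, raw, source, now):
        """Return a list of alerts; an empty list means the message passed."""
        try:
            msg_type, headers, _ = parse_sip(raw)
        except ValueError as exc:
            return [f"malformed: {exc}"]
        call_id = headers.get("Call-ID")
        if not call_id:
            return ["malformed: missing Call-ID"]
        state = self.dialogs.get(call_id, "IDLE")
        branch = RULE_TREE[state].get(msg_type)
        if branch is None:  # no branch for this type in this state
            return [f"state violation: {msg_type} not allowed in {state}"]
        alerts = [f"malformed: missing {h}" for h in branch["required"] if h not in headers]
        for name, value in headers.items():
            if len(value) > MAX_HEADER_LEN:
                alerts.append(f"malformed: {name} exceeds {MAX_HEADER_LEN} bytes")
            pattern = HEADER_FORMAT.get(name)
            if pattern and not pattern.fullmatch(value):
                alerts.append(f"malformed: bad {name} syntax")
        if msg_type == "INVITE":  # sliding-window rate check per source
            stamps = self.invites[source]
            stamps.append(now)
            while stamps and now - stamps[0] > self.window:
                stamps.popleft()
            if len(stamps) > self.flood_limit:
                alerts.append(f"flood: {len(stamps)} INVITEs from {source} in {self.window}s")
        if not alerts:  # only a clean message advances the dialog state
            if branch["next"] == "IDLE":
                self.dialogs.pop(call_id, None)
            else:
                self.dialogs[call_id] = branch["next"]
        return alerts


def build_message(start_line, headers):
    """Assemble a SIP message from a start line and (name, value) pairs."""
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


# Constructed sample headers shared by the demo messages.
BASE = [("Via", "SIP/2.0/UDP 10.0.0.1;branch=z9hG4bK776"),
        ("From", "<sip:alice@example.com>;tag=1928"),
        ("To", "<sip:bob@example.com>"),
        ("Call-ID", "a84b4c76e66710"),
        ("CSeq", "314159 INVITE")]
INVITE_LINE = "INVITE sip:bob@example.com SIP/2.0"


def run_demo():
    """Walk one dialog through the tree, then feed it anomalous messages."""
    insp = SipInspector(flood_limit=3, window=1.0)
    contact = ("Contact", "<sip:alice@10.0.0.1>")
    r = {}
    r["invite"] = insp.inspect(build_message(INVITE_LINE, BASE + [contact]), "10.0.0.1", 0.0)
    r["ok"] = insp.inspect(build_message("SIP/2.0 200 OK", BASE + [("Contact", "<sip:bob@10.0.0.2>")]), "10.0.0.2", 0.1)
    r["ack"] = insp.inspect(build_message("ACK sip:bob@example.com SIP/2.0", BASE), "10.0.0.1", 0.2)
    r["bye"] = insp.inspect(build_message("BYE sip:bob@example.com SIP/2.0", BASE), "10.0.0.1", 0.3)
    r["stray_bye"] = insp.inspect(build_message("BYE sip:bob@example.com SIP/2.0", BASE), "10.0.0.9", 0.4)
    r["no_contact"] = insp.inspect(build_message(INVITE_LINE, BASE), "10.0.0.1", 0.5)
    big = [("Via", "SIP/2.0/UDP " + "A" * 600)] + BASE[1:] + [contact]
    r["big_via"] = insp.inspect(build_message(INVITE_LINE, big), "10.0.0.1", 0.6)
    r["flood"] = []
    for i in range(5):  # five INVITEs with fresh Call-IDs from one source in 0.4 s
        hdrs = [(n, f"flood-{i}" if n == "Call-ID" else v) for n, v in BASE] + [contact]
        r["flood"].append(insp.inspect(build_message(INVITE_LINE, hdrs), "10.0.0.7", 1.0 + i * 0.1))
    return r


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts)
```

The state lookup is what distinguishes this from flat rule matching: a syntactically perfect BYE for a dialog that never reached ESTABLISHED has no branch to match and is flagged as a state violation rather than accepted, and a malformed message never advances the dialog, so a later legitimate message for that Call-ID is still judged against the correct state.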
