Detecting VoIP Floods Using the Hellinger Distance

Voice over IP (VoIP), also known as Internet telephony, is gaining market share rapidly and now competes favorably as one of the visible applications of the Internet. Nevertheless, being an application running over the TCP/IP suite, it is susceptible to flooding attacks. If flooded, as a time-sensitive service, VoIP may show noticeable service degradation and even encounter sudden service disruptions. Because multiple protocols are involved in a VoIP service and most of them are susceptible to flooding, an effective solution must be able to detect and overcome hybrid floods. As a solution, we offer the VoIP flooding detection system (vFDS), an online statistical anomaly detection framework that generates alerts based on abnormal variations in a selected hybrid collection of traffic flows. It does so by viewing collections of related packet streams as evolving probability distributions and measuring abnormal variations in their relationships based on the Hellinger distance, a measure of variability between two probability distributions. Experimental results show that vFDS is fast and accurate in detecting flooding attacks, without noticeably increasing call setup times or introducing jitter into the voice streams.
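The detection idea in the abstract, sketched as an added example (not code from the paper or from vFDS): per-window packet counts are normalized into a distribution and compared with a sliding training set using the standard Hellinger distance. The six packet classes, the constructed window counts, and the EWMA threshold constants and floor are all assumptions made for illustration.

```python
import math

# Packet classes counted per window. Assumption: the page only says
# "a selected hybrid collection of traffic flows"; these six are illustrative.
CLASSES = ("SIP_INVITE", "SIP_200_OK", "SIP_ACK", "SIP_BYE", "TCP_SYN", "RTP")

def distribution(counts):
    """Normalize per-class packet counts into a probability distribution."""
    total = sum(counts)
    if total == 0:  # idle window: fall back to uniform to avoid 0/0
        return [1.0 / len(counts)] * len(counts)
    return [c / total for c in counts]

def hellinger(p, q):
    """Hellinger distance, 0 (identical) to 1 (disjoint support)."""
    return math.sqrt(0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2
                               for a, b in zip(p, q)))

def detect(windows, train_len=3, k=4.0, alpha=0.125, beta=0.25, floor=0.05):
    """Return indices of windows that deviate from the sliding training set.
    Threshold = max(EWMA mean + k * EWMA deviation, floor); the smoothing
    constants and the floor are assumed values, not taken from the page."""
    alerts, mean, dev = [], 0.0, 0.0
    train = list(windows[:train_len])
    for i in range(train_len, len(windows)):
        baseline = [sum(col) for col in zip(*train)]  # pooled training counts
        d = hellinger(distribution(baseline), distribution(windows[i]))
        if d > max(mean + k * dev, floor):
            alerts.append(i)  # anomalous window is not learned from
            continue
        dev = (1 - beta) * dev + beta * abs(d - mean)
        mean = (1 - alpha) * mean + alpha * d
        train = train[1:] + [windows[i]]  # slide the training set forward
    return alerts

# Constructed sample: one row per window, columns in CLASSES order.
WINDOWS = [
    (50, 50, 50, 48, 20, 2000),
    (55, 54, 54, 50, 22, 2100),
    (47, 47, 46, 49, 19, 1950),
    (52, 51, 51, 50, 21, 2050),
    (1500, 60, 55, 50, 20, 2000),   # INVITE flood
    (49, 49, 49, 47, 20, 1980),
    (50, 50, 50, 48, 900, 2000),    # TCP SYN flood
    (51, 50, 50, 49, 21, 2020),
]
```

Skipping the training-set update on flagged windows keeps a sustained flood from being absorbed into the baseline and masking itself.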
