Statistical Analysis of Self-Similar Session Initiation Protocol (SIP) Messages for Anomaly Detection

The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, widespread usage over UDP, limited use of encryption), it is relatively easy to attack the protocol at the message level to launch denial of service attacks. To mitigate this, self-learning systems have been proposed to detect anomalous SIP messages and filter them. However, previous works use datasets with large differences between the normal and anomalous messages. This gives high performance for existing classification systems, including those based on Euclidean distances. We present our analysis on a new dataset that has minimal difference between normal and anomalous messages. Our findings indicate that existing classification schemes behave unsatisfactorily on our dataset. We demonstrate why this is the case by statistical analysis of our dataset, and furthermore, present feature reduction techniques to enhance the classification performance of existing classification schemes on our dataset.
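An added illustration of the abstract's claim, built from constructed INVITE messages (this is my own example, not the paper's code or dataset): a Euclidean centroid classifier over bag-of-token features is trained on a few normal messages, with its threshold set to the farthest training message. Variation in identifiers and optional headers among normal messages widens that threshold enough to swallow a self-similar anomaly that differs from a fresh normal message in one header value only; keeping just the tokens present in every normal message (a feature reduction I assume here, not necessarily the paper's technique) makes the anomaly stand out while the fresh normal message still passes.

```python
import math
import re
from collections import Counter

# Constructed sample INVITEs (not the paper's dataset): normal traffic varies in
# identifiers and optional headers, the anomaly differs in a single header value.
def invite(caller, callee, host, cid, extra=()):
    lines = [f"INVITE sip:{callee}@example.com SIP/2.0",
             f"Via: SIP/2.0/UDP {host};branch=z9hG4bK{cid}",
             "Max-Forwards: 70",
             f"From: <sip:{caller}@example.com>;tag={cid}a",
             f"To: <sip:{callee}@example.com>",
             f"Call-ID: {cid}@{host}",
             "CSeq: 1 INVITE", *extra, "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"

TRAIN = [invite("alice", "bob", "10.0.0.1", "c1"),
         invite("carol", "dave", "10.0.0.2", "c2", ["User-Agent: softphone/1.0"]),
         invite("erin", "frank", "10.0.0.3", "c3",
                ["User-Agent: softphone/1.0", "Supported: 100rel"]),
         invite("grace", "heidi", "10.0.0.4", "c4", ["Subject: hello"])]
NORMAL_TEST = invite("ivan", "judy", "10.0.0.9", "c9")
# Self-similar anomaly: identical to NORMAL_TEST except for one header value.
ANOMALY_TEST = NORMAL_TEST.replace("Content-Length: 0", "Content-Length: -1")

def tokens(msg):
    """Bag of tokens: header names, values and URI parts all become features."""
    return Counter(re.findall(r"[\w./-]+", msg))

def all_features(train):
    return set().union(*(tokens(m) for m in train))

def stable_features(train):
    """Feature reduction (my construction, not necessarily the paper's): keep
    only tokens present in every normal message, i.e. the protocol skeleton."""
    return set.intersection(*(set(tokens(m)) for m in train))

def distance(bag, centroid):
    """Euclidean distance over the centroid's features; unseen tokens are ignored."""
    return math.sqrt(sum((bag[f] - v) ** 2 for f, v in centroid.items()))

def fit(train, features):
    """Centroid of the normal bags plus the usual threshold: the distance of the
    farthest normal training message. Returns (centroid, threshold)."""
    bags = [tokens(m) for m in train]
    centroid = {f: sum(b[f] for b in bags) / len(bags) for f in features}
    return centroid, max(distance(b, centroid) for b in bags)

def is_anomalous(msg, centroid, threshold):
    return distance(tokens(msg), centroid) > threshold
```

With `all_features`, the threshold is about 3.28 while ANOMALY_TEST scores about 2.18 and is missed; with `stable_features`, every normal message scores 0.0 and ANOMALY_TEST scores 1.0.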
