A comparative study of anomaly detection algorithms for detection of SIP flooding in IMS

The IP multimedia subsystem (IMS) framework uses the session initiation protocol (SIP) for signaling and control of sessions. In this paper, we first demonstrate that SIP flooding attacks on IMS can result in denial of service to legitimate users. We then report our comparative study of three well-known anomaly detection algorithms (adaptive threshold, cumulative sum, and Hellinger distance) for detection of flood attacks in IMS. We evaluate the accuracy of the algorithms using a comprehensive traffic dataset that consists of varying benign and malicious traffic patterns.
