SIP Flooding Attack Detection Using a Trust Model and Statistical Algorithms

The IP Multimedia Subsystem (IMS) has been constantly evolving to meet the tremendous rise in popularity of mobile services and Internet applications. Since IMS uses the Session Initiation Protocol (SIP) as its main signaling protocol, it inherits numerous known security vulnerabilities. One of the most severe issues is the Denial of Service attack. To address this problem, we introduce an anomaly-based detection system that uses the Tanimoto distance to identify deviations in the traffic. A modified moving average is applied to compute an adaptive threshold. To overcome a drawback of the adaptive threshold method, we present a momentum oscillation indicator to detect a gradually increasing attack. Generally, anomaly-based detection systems trigger many alarms, and most of them are false positives that degrade the quality of the detection. Therefore, we first present a false positive reduction method using a trust model. A reliable trust value is calculated from the call activities and the human behavior of each user. The system performance is evaluated using a comprehensive synthetic dataset containing various malicious traffic patterns. The experimental results show that the system accurately identifies attacks and is flexible enough to deal with many types of attack patterns with a low false alarm rate.
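A minimal sketch of the detection pipeline described above (Tanimoto distance, an adaptive threshold from a modified moving average, and a momentum check for slow ramps), added here as an illustration and not taken from the paper. The per-window SIP message counts, the fixed baseline, the threshold form and every constant are assumptions, and the trust model is not covered.

```python
# Added illustration: the feature vector, baseline and every constant are assumptions.
BASELINE = (100, 100, 100, 100)  # constructed per-window counts: INVITE, 200 OK, ACK, BYE

def tanimoto_distance(a, b):
    """1 - a.b / (|a|^2 + |b|^2 - a.b); 0 for identical vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    denom = sum(x * x for x in a) + sum(y * y for y in b) - dot
    return 0.0 if denom == 0 else 1.0 - dot / denom

def detect(windows, baseline=BASELINE, n=4, alpha=1.5, floor=0.03,
           lag=3, mom_limit=0.025):
    """Return (threshold_hits, momentum_hits) as lists of window indices."""
    mma = None
    dists, threshold_hits, momentum_hits = [], [], []
    for i, window in enumerate(windows):
        d = tanimoto_distance(baseline, window)
        dists.append(d)
        if mma is None:          # seed the average with the first window
            mma = d
            continue
        # Adaptive threshold: a multiple of the modified moving average plus
        # a small floor so noise around a near-zero average does not alarm.
        if d > (1 + alpha) * mma + floor:
            threshold_hits.append(i)
        else:                    # learn only from windows that were not flagged
            mma = ((n - 1) * mma + d) / n
        # Momentum: rise of the distance over the last `lag` windows.
        if i >= lag and d - dists[i - lag] > mom_limit:
            momentum_hits.append(i)
    return threshold_hits, momentum_hits

# Constructed traffic: four quiet windows, then either a burst or a slow ramp.
NORMAL = [(100, 100, 100, 100), (102, 99, 101, 100),
          (98, 101, 99, 100), (101, 100, 100, 99)]
FLOOD = NORMAL + [(600, 100, 100, 100)]
RAMP = NORMAL + [(100 + 10 * s, 100, 100, 100) for s in range(1, 9)]

if __name__ == "__main__":
    for name, series in (("normal", NORMAL), ("flood", FLOOD), ("ramp", RAMP)):
        print(name, detect(series))
```

On the constructed ramp the adaptive threshold keeps rising with the traffic and never fires, while the momentum check flags the sustained climb; the burst trips both.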