Fast Detection of Denial-of-Service Attacks on IP Telephony

Voice over IP (VoIP) has recently experienced phenomenal growth. Being a real-time service, VoIP is more susceptible to denial-of-service (DoS) attacks than regular Internet services. Moreover, VoIP uses multiple protocols for call control and data delivery, making it vulnerable to various DoS attacks at different protocol layers. An attacker can easily disrupt VoIP services by flooding TCP SYN packets, UDP-based RTP packets, or SIP-based INVITE messages, which poses a critical threat to IP telephony. In this paper, we present an online statistical detection mechanism, called vFDS, to detect DoS attacks in the context of VoIP. The core of vFDS is based on the Hellinger distance method, which computes the variability between two probability measures. Using the Hellinger distance, we characterize normal protocol behaviors and then detect the traffic anomalies caused by flooding attacks. Our experimental results show that vFDS achieves fast and accurate detection of DoS attacks.
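The following sketch is an added illustration of Hellinger-distance anomaly detection as described above; it is not the authors' vFDS code. The monitored attribute set (four SIP message types), the fixed threshold, the smoothing constant and the baseline update rule are assumptions, and the sample windows are constructed.

```python
import math
from collections import Counter

# Assumed attribute set: the abstract does not list the monitored features.
SIP_TYPES = ("INVITE", "200 OK", "ACK", "BYE")

def distribution(messages, categories=SIP_TYPES, smoothing=1.0):
    """Laplace-smoothed relative frequency of each category in one window."""
    counts = Counter(m for m in messages if m in categories)
    total = sum(counts.values()) + smoothing * len(categories)
    return [(counts[c] + smoothing) / total for c in categories]

def hellinger_sq(p, q):
    """Squared Hellinger distance: 0 for identical, 1 for disjoint support."""
    return 0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))

def detect(windows, threshold=0.05, alpha=0.2):
    """Return (index, distance, alarm) for every window after the first.

    The first window seeds the baseline. Only windows that do not alarm
    update the baseline (exponential averaging), so a flood cannot retrain
    the profile. threshold and alpha are assumed values.
    """
    baseline = distribution(windows[0])
    results = []
    for i, window in enumerate(windows[1:], start=1):
        p = distribution(window)
        d = hellinger_sq(baseline, p)
        alarm = d > threshold
        if not alarm:
            baseline = [(1 - alpha) * b + alpha * x for b, x in zip(baseline, p)]
        results.append((i, round(d, 4), alarm))
    return results

def make_window(invite, ok, ack, bye):
    """Build one observation window from per-type message counts."""
    return ["INVITE"] * invite + ["200 OK"] * ok + ["ACK"] * ack + ["BYE"] * bye

# Constructed sample windows (message counts per interval), not measured data.
SAMPLE = [
    make_window(50, 48, 48, 47),
    make_window(55, 52, 53, 50),
    make_window(47, 46, 45, 46),
    make_window(400, 50, 49, 48),  # INVITE-heavy window
    make_window(52, 50, 50, 49),
]

if __name__ == "__main__":
    for idx, dist, alarm in detect(SAMPLE):
        print(idx, dist, "ALARM" if alarm else "ok")
```

Because the distance is computed on proportions rather than raw counts, a uniform rise in call volume leaves it near zero, while a skew toward one message type raises it.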
