Intrusion Detection in IMS: Experiences with a Hellinger Distance-Based Flooding Detector

With the imminent roll-out of the 3GPP IP Multimedia Subsystem (IMS), IMS-specific security threats and corresponding counter-mechanisms are gaining increasing attention. One of the most promising recent intrusion detection approaches dealing with unforeseen anomalies caused by flooding attacks is based on a specific metric for the distance between two empirical probability distributions, the so-called Hellinger distance. In this paper, we discuss the application of this concept to IMS networks as well as the resulting implementation of a flooding detector, and describe some practical experiences based on utilizing different traffic generation tools. The results show that shorter analysis cycles and precise parameterization in general trigger higher detection rates.
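
The distance metric named in the abstract, as an added illustration that is not code from the paper: each analysis cycle's empirical distribution is compared against a baseline window and an alarm is raised when the Hellinger distance exceeds a threshold. Counting SIP request methods as the observed attribute, the fixed threshold value and the sample traffic are assumptions constructed for this example.

```python
import math
from collections import Counter

# Assumption: the observed attribute is the SIP request method per message.
METHODS = ("INVITE", "REGISTER", "ACK", "BYE")

def distribution(messages):
    """Empirical probability distribution of SIP methods in one window."""
    counts = Counter(m for m in messages if m in METHODS)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("window contains no counted SIP methods")
    return [counts[m] / total for m in METHODS]

def hellinger(p, q):
    """Hellinger distance between two discrete distributions, in [0, 1]."""
    s = sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))
    return math.sqrt(s / 2)

def detect(training, windows, threshold):
    """Compare each analysis cycle to the baseline.

    Returns a list of (cycle index, rounded distance, alarm flag).
    """
    base = distribution(training)
    results = []
    for i, window in enumerate(windows):
        d = hellinger(base, distribution(window))
        results.append((i, round(d, 3), d > threshold))
    return results

# Constructed sample traffic (method names only, one entry per message).
TRAINING = ["INVITE"] * 25 + ["REGISTER"] * 25 + ["ACK"] * 25 + ["BYE"] * 25
NORMAL = ["INVITE"] * 24 + ["REGISTER"] * 26 + ["ACK"] * 25 + ["BYE"] * 25
FLOOD = ["INVITE"] * 160 + ["REGISTER"] * 40 + ["ACK"] * 40 + ["BYE"] * 10

THRESHOLD = 0.1  # assumed fixed value, chosen for this example only

if __name__ == "__main__":
    for idx, dist, alarm in detect(TRAINING, [NORMAL, FLOOD], THRESHOLD):
        print(f"cycle {idx}: distance={dist} alarm={alarm}")
```

The distance depends only on the shape of the distribution, not on message volume, so a flood that shifts the method mix is flagged while a proportional rise in all methods is not.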
