SIP Stealthy Attack Detection and Resource-Drained Malformed Message Attack Detection

  • Chapter
Intrusion Detection for IP-Based Multimedia Communications over Wireless Networks

Part of the book series: SpringerBriefs in Computer Science (BRIEFSCOMPUTER)

Abstract

In this chapter, we first address the stealthy attack, in which intelligent attackers can afford to spend a long time attacking the system and incur only minor changes to it within each sampling period. To identify such attacks at an early stage so that responses are timely, we propose a detection scheme based on wavelets, a signal processing technique that can quickly expose the changes the attacks induce. We then address a malformed message attack that we identified, which exploits both the “Session-Expires” header in the SIP message and the openness of wireless protocols to severely drain network resources. We develop a detection method based on the Anderson–Darling test to deal with such attacks.

© 2013 The Author(s)

About this chapter

Cite this chapter

Tang, J., Cheng, Y. (2013). SIP Stealthy Attack Detection and Resource-Drained Malformed Message Attack Detection. In: Intrusion Detection for IP-Based Multimedia Communications over Wireless Networks. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-8996-2_5

  • DOI: https://doi.org/10.1007/978-1-4614-8996-2_5

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-8995-5

  • Online ISBN: 978-1-4614-8996-2

  • eBook Packages: Computer Science, Computer Science (R0)
