Abstract
Over the last decade, VoIP services, and especially SIP-based ones, have gained much attention due to the low-cost and simple service models they offer. Nevertheless, their inherently insecure design makes them prone to a plethora of attacks. This work concentrates on the detection of resource consumption attacks targeting SIP ecosystems. While this topic has been addressed in the literature to a great extent, only a handful of works examine the potential of Machine Learning (ML) techniques to detect DoS, and even fewer do so in real time. Spurred by this fact, the work at hand assesses the potential of five different ML-driven methods in nipping SIP-powered DDoS attacks in the bud. Our experiments, involving 17 realistically simulated (D)DoS scenarios of varied attack volume in terms of calls/sec and user population, suggest that some of the classifiers show promising detection accuracy even in low-rate DDoS incidents. We also show that the classification time overhead of ML-based detection does not exceed 3.5 ms on average, with a mean standard deviation of 7.7 ms.
Acknowledgements
This paper is part of the 5179 (SCYPE) research project, implemented within the context of the Greek Ministry of Development-General Secretariat of Research and Technology funded program Excellence II/Aristeia II, co-financed by the European Union/European Social Fund - Operational program Education and Life-long Learning and National funds.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Tsiatsikas, Z., Geneiatakis, D., Kambourakis, G., Gritzalis, S. (2016). Realtime DDoS Detection in SIP Ecosystems: Machine Learning Tools of the Trade. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds) Network and System Security. NSS 2016. Lecture Notes in Computer Science(), vol 9955. Springer, Cham. https://doi.org/10.1007/978-3-319-46298-1_9
DOI: https://doi.org/10.1007/978-3-319-46298-1_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46297-4
Online ISBN: 978-3-319-46298-1
eBook Packages: Computer Science (R0)