
Realtime DDoS Detection in SIP Ecosystems: Machine Learning Tools of the Trade

  • Conference paper
Network and System Security (NSS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9955)

Abstract

Over the last decade, VoIP services, and especially SIP-based ones, have gained much attention due to the low-cost and simple models they offer. Nevertheless, their inherently insecure design makes them prone to a plethora of attacks. This work concentrates on the detection of resource consumption attacks targeting SIP ecosystems. While this topic has been addressed in the literature to a great extent, only a handful of works examine the potential of Machine Learning (ML) techniques to detect DoS, and even fewer do so in realtime. Spurred by this fact, the work at hand assesses the potential of five different ML-driven methods in nipping SIP-powered DDoS attacks in the bud. Our experiments, involving 17 realistically simulated (D)DoS scenarios of varied attack volume in terms of calls/sec and user population, suggest that some of the classifiers show promising detection accuracy even in low-rate DDoS incidents. We also show that the classification time overhead of ML-based detection does not exceed 3.5 ms on average, with a mean standard deviation of 7.7 ms.
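The abstract describes the shape of the detector but not its internals. The following Python script is an added example, not the paper's code, data or feature set, showing what a windowed, ML-driven INVITE-flood detector with a measured per-window classification overhead looks like end to end. Everything in it is constructed: the log record format (timestamp, source IP, method, From URI), the 1 s window, the four features (log2 request rate, INVITE fraction, INVITE-to-completion ratio, normalised source-IP entropy), the synthetic benign and flood traffic, and a stdlib Gaussian naive Bayes standing in for the five Weka classifiers the paper evaluates.

```python
"""Windowed ML detection of SIP INVITE floods with per-window classification
latency. Added example, not the paper's code; all assumptions are constructed:
a SIP request is logged as (timestamp, src_ip, method, from_uri), traffic is
cut into fixed 1 s windows, one feature vector per window is classified, and
the classifier is a Gaussian naive Bayes written inline (stdlib only)."""
import math
import random
import time
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW_SECS = 1.0


def shannon_entropy(counts):
    """Shannon entropy in bits of a Counter of symbol frequencies."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def window_features(records):
    """[log2 rate, INVITE fraction, INVITE/(ACK+BYE+1), H(src_ip)/log2 n].
    INVITE/(ACK+BYE+1) grows when INVITEs are not followed by the rest of the
    dialog, which is what a flood looks like at the proxy; the entropy term is
    normalised so it stays in [0, 1] whatever the rate."""
    n = len(records)
    if n == 0:
        return [0.0, 0.0, 0.0, 0.0]
    methods = Counter(r[2] for r in records)
    h_src = shannon_entropy(Counter(r[1] for r in records))
    return [math.log2(n / WINDOW_SECS), methods["INVITE"] / n,
            methods["INVITE"] / (methods["ACK"] + methods["BYE"] + 1),
            h_src / math.log2(n) if n > 1 else 0.0]


def split_windows(records):
    """Group a request log into consecutive WINDOW_SECS buckets, in time order."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[int(rec[0] // WINDOW_SECS)].append(rec)
    return [buckets[k] for k in sorted(buckets)]


def _ip(u):
    return f"10.0.{u // 256}.{u % 256}"


def normal_window(rng, t0, users, calls):
    """Benign second: `calls` complete dialogs (INVITE/ACK/BYE from one user each)
    plus a trickle of REGISTER/OPTIONS keep-alives from the population."""
    recs = []
    for _ in range(calls):
        u = rng.randrange(users)
        recs += [(t0 + rng.random(), _ip(u), m, f"sip:user{u}@example.org")
                 for m in ("INVITE", "ACK", "BYE")]
    for _ in range(max(1, users // 50)):
        u = rng.randrange(users)
        recs.append((t0 + rng.random(), _ip(u), rng.choice(("REGISTER", "OPTIONS")),
                     f"sip:user{u}@example.org"))
    return sorted(recs)


def ddos_window(rng, t0, users, calls, bots, flood):
    """Benign background plus `flood` INVITEs/s from `bots` sources (TEST-NET-3
    addresses) that never complete the dialog and carry random From URIs."""
    recs = normal_window(rng, t0, users, calls)
    for _ in range(flood):
        recs.append((t0 + rng.random(), f"203.0.113.{rng.randrange(bots)}", "INVITE",
                     f"sip:{rng.randrange(10 ** 6)}@example.org"))
    return sorted(recs)


class GaussianNB:
    """Minimal Gaussian naive Bayes: per-class prior, feature means and variances."""

    def fit(self, X, y):
        self.params = {}
        for label in sorted(set(y)):
            cols = list(zip(*[x for x, lab in zip(X, y) if lab == label]))
            self.params[label] = (math.log(len(cols[0]) / len(X)), [mean(c) for c in cols],
                                  [max(pstdev(c) ** 2, 1e-6) for c in cols])  # floor keeps log finite
        return self

    def predict(self, x):
        def log_post(prior, means, variances):
            return prior + sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
                               for xi, m, v in zip(x, means, variances))
        return max(self.params, key=lambda label: log_post(*self.params[label]))


def make_dataset(rng, n_per_class):
    """Labelled windows over varied populations, call rates and attack volumes; the
    flood rate is log-uniform in [20, 500) INVITE/s so low-rate floods are represented."""
    X, y = [], []
    for _ in range(n_per_class):
        users, calls = rng.randint(100, 1000), rng.randint(5, 30)
        X.append(window_features(normal_window(rng, 0.0, users, calls)))
        y.append("normal")
        flood = int(round(20 * 25 ** rng.random()))
        X.append(window_features(ddos_window(rng, 0.0, users, calls, rng.randint(1, 200), flood)))
        y.append("ddos")
    return X, y


def detect_stream(model, records):
    """Classify each window of a log; return verdicts and the per-window
    feature-extraction-plus-classification latency in milliseconds."""
    verdicts, latencies = [], []
    for win in split_windows(records):
        t = time.perf_counter()
        verdicts.append(model.predict(window_features(win)))
        latencies.append((time.perf_counter() - t) * 1000.0)
    return verdicts, latencies


def demo(seed=7):
    """Train on 300 constructed windows, then stream 3 s benign, 3 s low-rate flood
    (25 INVITE/s from 40 bots) and 3 s single-source flood (400 INVITE/s)."""
    rng = random.Random(seed)
    model = GaussianNB().fit(*make_dataset(rng, 150))
    log = []
    for s in range(9):
        if s < 3:
            log += normal_window(rng, s, 300, 10)
        elif s < 6:
            log += ddos_window(rng, s, 300, 10, 40, 25)
        else:
            log += ddos_window(rng, s, 300, 10, 1, 400)
    held_X, held_y = make_dataset(random.Random(seed + 1), 100)
    accuracy = sum(model.predict(x) == lab for x, lab in zip(held_X, held_y)) / len(held_y)
    verdicts, lat = detect_stream(model, log)
    return verdicts, accuracy, mean(lat), pstdev(lat)


if __name__ == "__main__":
    v, acc, lat_mean, lat_sd = demo()
    print("verdicts:", v)
    print(f"held-out accuracy {acc:.3f}; latency {lat_mean:.3f} ms mean, {lat_sd:.3f} ms sd")
```

The INVITE-to-completion ratio is what makes the low-rate case separable: a benign window keeps it near 0.5 regardless of the call rate, while a flood of INVITEs that never ACK or BYE pushes it above 1 even at 20 INVITE/s, so the classifier does not have to rely on raw rate, which is exactly the feature a low-rate attack is designed to keep unremarkable. The latency figures are what a realtime deployment would report as detection overhead; run the script as-is to print them for the constructed stream.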



Acknowledgements

This paper is part of the 5179 (SCYPE) research project, implemented within the context of the Greek Ministry of Development-General Secretariat of Research and Technology funded program Excellence II/Aristeia II, co-financed by the European Union/European Social Fund - Operational program Education and Life-long Learning and National funds.

Correspondence to Zisis Tsiatsikas.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Tsiatsikas, Z., Geneiatakis, D., Kambourakis, G., Gritzalis, S. (2016). Realtime DDoS Detection in SIP Ecosystems: Machine Learning Tools of the Trade. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds) Network and System Security. NSS 2016. Lecture Notes in Computer Science, vol 9955. Springer, Cham. https://doi.org/10.1007/978-3-319-46298-1_9


  • DOI: https://doi.org/10.1007/978-3-319-46298-1_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46297-4

  • Online ISBN: 978-3-319-46298-1
