Knowledge and Information Systems

, Volume 38, Issue 2, pp 491–510 | Cite as

Securing SIP-based VoIP infrastructure against flooding attacks and Spam Over IP Telephony

  • Muhammad Ali Akbar
  • Muddassar Farooq
Regular Paper


Security of session initiation protocol (SIP) servers is a serious concern of Voice over Internet (VoIP) vendors. The important contribution of our paper is an accurate and real-time attack classification system that detects: (1) application layer SIP flood attacks that result in denial of service (DoS) and distributed DoS attacks, and (2) Spam over Internet Telephony (SPIT). The major advantage of our framework over existing schemes is that it performs packet-based analysis using a set of spatial and temporal features. As a result, we do not need to transform network packet streams into traffic flows and thus save significant processing and memory overheads associated with the flow-based analysis. We evaluate our framework on a real-world SIP traffic—collected from the SIP server of a VoIP vendor—by injecting a number of application layer anomalies in it. The results of our experiments show that our proposed framework achieves significantly greater detection accuracy compared with existing state-of-the-art flooding and SPIT detection schemes.


SIP Intrusion detection VoIP security SPAM Over IP Telephony  Denial of service 



This work is supported by the National ICT R&D Fund, Ministry of Information Technology, Government of Pakistan. The information, data, comments, and views detailed herein may not necessarily reflect the endorsements of views of the National ICT R&D Fund.


  1. 1.
    Akbar M, Farooq M (2009) Application of evolutionary algorithms in detection of sip based flooding attacks. In: Proceedings of the 11th annual conference on genetic and evolutionary computation. ACM, pp 1419–1426Google Scholar
  2. 2.
    Akbar M, Tariq Z, Farooq M (2008) A comparative study of anomaly detection algorithms for detection of SIP flooding in IMS. In: International conference on IP multimedia subsystem architecture and applicationsGoogle Scholar
  3. 3.
    Branch J, Giannella C, Szymanski B, Wolff R, Kargupta H (2012) In-network outlier detection in wireless sensor networks. Knowl Inf Syst, pp 1–32. doi: 10.1007/s10115-011-0474-5
  4. 4.
    Chaisamran N, Okuda T, Blanc G, Yamaguchi S (2011) Trust-based voip spam detection based on call duration and human relationships. In: Applications and the internet (SAINT), 2011 IEEE/IPSJ 11th international symposium on. IEEE, pp 451–456Google Scholar
  5. 5.
    Chen Z, Wen W, Yu D (2012) Detecting sip flooding attacks on ip multimedia subsystem (ims). In: Computing, networking and communications (ICNC), 2012 international conference on. IEEE, pp 154–158Google Scholar
  6. 6.
    Ehlert S, Rebahi Y, Magedanz T (2009) Intrusion detection system for denial-of-service flooding attacks in sip communication networks. Int J Secur Netw 4(3):189–200CrossRefGoogle Scholar
  7. 7.
    Fawcett T (2004) ROC graphs: notes and practical considerations for researchers. Mach Learn 31:1–38Google Scholar
  8. 8.
    Geneiatakis D, Vrakas N, Lambrinoudakis C (2009) Performance evaluation of a flooding detection mechanism for voip networks. In: Systems, signals and image processing, 2009. IWSSIP 2009. 16th international conference on. IEEE, pp 1–5Google Scholar
  9. 9.
    Gundecha P, Barbier G, Liu H (2011) Exploiting vulnerability to secure user privacy on a social networking site. In: Proceedings of the 17th ACM SIGKDD international conference on knowledge discovery and data mining. ACM, pp 511–519Google Scholar
  10. 10.
  11. 11.
    Jung T, Martin S, Ernst D, Leduc G (2012) Sprt for spit: using the sequential probability ratio test for spam in voip prevention. Dependable Netw Serv 7279:74–85Google Scholar
  12. 12.
    Keromytis A (2011) A comprehensive survey of voice over ip security research. Commun Surv Tutor IEEE (99):1–24Google Scholar
  13. 13.
    Kumar G, Rahul A, Joonuthula K (2011) Voip flood detection using jacobson fast and hellinger distance algorithms. J Commun Comput 8(5):347–353Google Scholar
  14. 14.
    Liu L (2011) Uncovering sip vulnerabilities to dos attacks using coloured petri nets. In: Trust, security and privacy in computing and communications (TrustCom), 2011 IEEE 10th international conference on. IEEE, pp 29–36Google Scholar
  15. 15.
    Maron M, Kuhns J (1960) On relevance, probabilistic indexing and information retrieval. J Assoc Comput Mach 7:216–244CrossRefGoogle Scholar
  16. 16.
    McCue C (2011) Operational security analytics: doing more with less. In: Proceedings of the 17th ACM SIGKDD international conference on knowledge discovery and data mining. ACM, pp 782–782Google Scholar
  17. 17.
    McGann S, Sicker D (2005) An analysis of security threats and tools in SIP-based VoIP systems. In: Second VoIP security workshopGoogle Scholar
  18. 18.
    Nassar M, State R, Festor O (2008) Monitoring sip traffic using support vector machines. In: RAID ’08: Proceedings of the 11th international symposium on recent advances in intrusion detection. Springer, Berlin, Heidelberg, pp 311–330Google Scholar
  19. 19.
    Ono K, Schulzrinne H (2009) Have i met you before?: using cross-media relations to reduce spit. In: Proceedings of the 3rd international conference on principles, systems and applications of IP telecommunications. ACM, p 3Google Scholar
  20. 20.
    Ormazabal G, Nagpal S, Yardeni E, Schulzrinne H (2008) Secure SIP: a scalable prevention mechanism for DoS attacks on SIP based VoIP systems. In: Principles, systems and applications of IP telecommunications. Services and security for next generation networks, vol 5310. Springer, Heidelberg, pp 107–132Google Scholar
  21. 21.
    Packet vs flow-based anomaly detection (n.d.). Whitepaper, ESPHION Network Disaster ProtectionGoogle Scholar
  22. 22.
    Pham D-S, Saha B, Phung D, Venkatesh S (2012) Detection of cross-channel anomalies. Knowl Inf Syst, pp 1–27. doi: 10.1007/s10115-012-0509-6
  23. 23.
    Quinlan J (1993) C4.5: programs for machine learning. Morgan Kaufmann, Los AltosGoogle Scholar
  24. 24.
    Quittek J, Niccolini S, Tartarelli S, Schlegel R (2006) Prevention of Spam over IP Telephony (SPIT). NEC Tech J 1(2):114–119Google Scholar
  25. 25.
    Radermacher T (2005) Spam prevention in voice over IP networks. University of Salzburg, SalzburgGoogle Scholar
  26. 26.
    Rafique M, Ali Akbar M, Farooq M (2009) Evaluating dos attacks against sip-based voip systems. In: Global telecommunications conference, 2009. GLOBECOM 2009, IEEE. IEEE, pp 1–6Google Scholar
  27. 27.
    SANS-Institute (2007) SANS Top-20 2007 security risks.
  28. 28.
    Sengar H, Wang H, Wijesekera D, Jajodia S (2006) Fast detection of denial-of-service attacks on ip telephony. In: Quality of service, 2006. IWQoS 2006. 14th IEEE international workshop on. IEEE, pp 199–208Google Scholar
  29. 29.
    Sengar H, Wang H, Wijesekera D, Jajodia S (2008) Detecting VoIP floods using the Hellinger distance. IEEE Trans Parallel Distrib Syst 19(6):794–805CrossRefGoogle Scholar
  30. 30.
    Sengar H, Wang X, Nichols A (2011) Thwarting spam over internet telephony (spit) attacks on voip networks. In: Quality of Service (IWQoS), 2011 IEEE 19th international workshop on. IEEE, pp 1–3Google Scholar
  31. 31.
    Sisalem D, Kuthan J, Ehlert S, Fokus F (2006) Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms. IEEE Netw 20(5):26–31CrossRefGoogle Scholar
  32. 32.
    Tang J, Cheng Y, Zhou C (2009) Sketch-based sip flooding detection using hellinger distance. In: Global telecommunications conference, 2009. GLOBECOM 2009, IEEE. IEEE, pp 1–6Google Scholar
  33. 33.
    Thandeeswaran R, Asha A et al (2012) Novel survey on detection of ddos attack using traceback technique in voip networks. Int J Math Arch (IJMA) 2(12):2712–2720Google Scholar
  34. 34.
    The-VoIP-Network (2008) VoIP market trends.
  35. 35.
    Vaidya J, Yu H, Jiang X (2008) Privacy-preserving svm classification. Knowl Inf Syst 14:161–178. doi: 10.1007/s10115-007-0073-7 Google Scholar
  36. 36.
    Witten I, Frank E (2005) Data mining: practical machine learning tools and techniques, 2nd edn. Morgan Kaufmann, Los AltosGoogle Scholar
  37. 37.
    Wu Y, Bagchi S, Singh N, Wita R (2009) Spam detection in voice-over-ip calls through semi-supervised clustering. In: Dependable systems & networks, 2009. DSN’09. IEEE/IFIP international conference on. IEEE, pp 307–316Google Scholar
  38. 38.
    Yang B, Sato I, Nakagawa H (2011) Secure clustering in private networks. In: Data mining (ICDM), 2011 IEEE 11th international conference on. IEEE, pp 894–903Google Scholar

Copyright information

© Springer-Verlag London 2012

Authors and Affiliations

  1. 1.Next Generation Intelligent Networks Research Center (nexGIN RC)National University of Computer & Emerging Sciences (FAST-NUCES)IslamabadPakistan

Personalised recommendations