Realtime DDoS Detection in SIP Ecosystems: Machine Learning Tools of the Trade

  • Zisis TsiatsikasEmail author
  • Dimitris Geneiatakis
  • Georgios Kambourakis
  • Stefanos Gritzalis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9955)


Over the last decade, VoIP services and more especially the SIP-based ones, have gained much attention due to the low-cost and simple models they offer. Nevertheless, their inherently insecure design make them prone to a plethora of attacks. This work concentrates on the detection of resource consumption attacks targeting SIP ecosystems. While this topic has been addressed in the literature to a great extent, only a handful of works examine the potential of Machine Learning (ML) techniques to detect DoS and even fewer do so in realtime. Spurred by this fact, the work at hand assesses the potential of 5 different ML-driven methods in nipping SIP-powered DDoS attacks in the bud. Our experiments involving 17 realistically simulated (D)DoS scenarios of varied attack volume in terms of calls/sec and user population, suggest that some of the classifiers show promising detection accuracy even in low-rate DDoS incidents. We also show that the performance of ML-based detection in terms of classification time overhead does not exceed 3.5 ms in average with a mean standard deviation of 7.7 ms.


VoIP SIP DoS DDoS Machine learning Evaluation 



This paper is part of the 5179 (SCYPE) research project, implemented within the context of the Greek Ministry of Development-General Secretariat of Research and Technology funded program Excellence II/Aristeia II, co-financed by the European Union/European Social Fund - Operational program Education and Life-long Learning and National funds.


  1. 1.
    Mohr, C.: Report: global voip services market to reach 137 billion by 2020, November 2014.
  2. 2.
    Geneiatakis, D., Kambourakis, G., Lambrinoudakis, C., Dagiuklas, T., Gritzalis, S.: SIP message tampering: the SQL code injection attack. In: Proceedings of 13th International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2005), Split, Croatia (2005)Google Scholar
  3. 3.
    Geneiatakis, D., Dagiuklas, T., Kambourakis, G., Lambrinoudakis, C., Gritzalis, S., Ehlert, K., Sisalem, D.: Survey of security vulnerabilities in session initiation protocol. IEEE Commun. Surv. Tutorials 8(3), 68–81 (2006)CrossRefGoogle Scholar
  4. 4.
    Geneiatakis, D., Kambourakis, G., Lambrinoudakis, C., Dagiuklas, T., Gritzalis, S.: A framework for protecting a SIP-based infrastructure against malformed message attacks. Commun. Netw. 51(10), 2580–2593 (2007). ElsevierCrossRefzbMATHGoogle Scholar
  5. 5.
    Kambourakis, G., Kolias, C., Gritzalis, S., Park, J.H.: DoS attacks exploiting signaling in UMTS and IMS. Comput. Commun. 34(3), 226–235 (2011). CrossRefGoogle Scholar
  6. 6.
    Shtern, M., Sandel, R., Litoiu, M., Bachalo, C., Theodorou, V.: Towards mitigation of low and slow application DDoS attacks. In: 2014 IEEE International Conference on Cloud Engineering (IC2E), pp. 604–609, March 2014Google Scholar
  7. 7.
    Ehlert, S., Zhang, G., Geneiatakis, D., Kambourakis, G., Dagiuklas, T., Markl, J., Sisalem, D.: Two layer denial of service prevention on SIP VoIP infrastructures. Comput. Commun. 31(10), 2443–2456 (2008)CrossRefGoogle Scholar
  8. 8.
    Tsiatsikas, Z., Geneiatakis, D., Kambourakis, G., Keromytis, A.D.: An efficient and easily deployable method for dealing with DoS in SIP services. Comput. Commun. 57, 50–63 (2015)CrossRefGoogle Scholar
  9. 9.
    Ehlert, S., Geneiatakis, D., Magedanz, T.: Survey of network security systems to counter SIP-based denial-of-service attacks. Comput. Secur. 29(2), 225–243 (2010)CrossRefGoogle Scholar
  10. 10.
    Tsiatsikas, Z., Fakis, A., Papamartzivanos, D., Geneiatakis, D., Kambourakis, G., Kolias, C.: Battling against DDoS in SIP - is machine learning-based detection an effective weapon? In: Proceedings of the 12th International Conference on Security and Cryptography, pp. 301–308 (2015)Google Scholar
  11. 11.
    Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: session initiation protocol. Internet Requests for Comments, June 2002.
  12. 12.
    Keromytis, A.D.: A comprehensive survey of voice over IP security research. IEEE Commun. Surv. Tutorials 14(2), 514–537 (2012)CrossRefGoogle Scholar
  13. 13.
    SIPVicious. (2016) Sipvicious.
  14. 14.
    C.S. Advisory Cisco SIP Phone 3905 resource limitation denial of service vulnerability (2015).
  15. 15.
    Tsiatsikas, Z., Geneiatakis, D., Kambourakis, G.: Research project scype: Software modules.
  16. 16.
    Kamailio The Open Source SIP Server (2014).
  17. 17.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The Weka data mining software: an update. SIGKDD Explor. Newsl. 11(1), 10–18 (2009)CrossRefGoogle Scholar
  18. 18.
    Gordon, R.: Essential JNI: Java Native Interface. Prentice-Hall Inc, Upper Saddle River (1998)Google Scholar
  19. 19.
  20. 20.
    SIPp, Free open source test tool/traffic generator for the sip protocol.
  21. 21.
    Ohlmeier, N.: SIP swiss army knife.
  22. 22.
    Stanek, J., Kencl, L.: SIPp-DD: SIP DDoS flood-attack simulation tool. In: 2011 Proceedings of 20th International Conference on Computer Communications and Networks (ICCCN), pp. 1–7, July 2011Google Scholar
  23. 23.
    Krishnamurthy, R., Rouskas, G.: Evaluation of SIP proxy server performance: packet-level measurements and queuing model. In: 2013 IEEE International Conference on Communications (ICC), pp. 2326–2330, June 2013Google Scholar
  24. 24.
    Witten, I.H., Frank, E., Hall, M.A.: Data mining: practical machine learning tools and techniques. 3rd edn. Morgan Kaufmann, Burlington (2011).
  25. 25.
    Shannon, C.E.: A mathematical theory of communication. SIGMOBILE Mob. Comput. Commun. Rev. 5(1), 3–55 (2001)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Nikulin, M.: Hellinger distance. Encyclopeadia of Mathematics (2001)Google Scholar
  27. 27.
    Bouzida, Y., Mangin, C.: A framework for detecting anomalies in VoIP networks. In: Third International Conference on Availability, Reliability and Security, ARES 2008, pp. 204–211. IEEE (2008)Google Scholar
  28. 28.
    Akbar, M.A., Farooq, M.: Application of evolutionary algorithms in detection of SIP based flooding attacks. In: Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation, pp. 1419–1426. ACM (2009)Google Scholar
  29. 29.
    Nassar, M., State, R., Festor, O.: Monitoring SIP traffic using support vector machines. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 311–330. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  30. 30.
    Akbar, M.A., Farooq, M.: Securing SIP-based VoIP infrastructure against flooding attacks and spam over IP telephony. Knowl. Inf. Syst. 38(2), 491–510 (2014)CrossRefGoogle Scholar
  31. 31.
    Rafique, M.Z., Khan, Z.S., Khan, M.K., Alghatbar, K.: Securing IP-multimedia subsystem (IMS) against anomalous message exploits by using machine learning algorithms. In: 2011 Eighth International Conference on Information Technology: New Generations (ITNG), pp. 559–563. IEEE (2011)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Zisis Tsiatsikas
    • 1
    Email author
  • Dimitris Geneiatakis
    • 2
  • Georgios Kambourakis
    • 1
  • Stefanos Gritzalis
    • 1
  1. 1.Department of Information and Communication Systems EngineeringUniversity of the AegeanKarlovassiGreece
  2. 2.Electrical and Computer Engineering DepartmentAristotle University of ThessalonikiThessalonikiGreece

Personalised recommendations