A self-learning system for detection of anomalous SIP messages

Konrad Rieck, Stefan Wahl, Pavel Laskov, Peter Domschitz, Klaus Muller

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

27 Citations (Scopus)

Abstract

Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages: 90-106
Number of pages: 17
Volume: 5310 LNCS
DOIs: https://doi.org/10.1007/978-3-540-89054-6-5
Publication status: Published - 2008 Dec 15
Externally published: Yes
Event: 2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008 - Heidelberg, Germany
Duration: 2008 Jul 1 → 2008 Jul 2

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5310 LNCS
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008
Country: Germany
City: Heidelberg
Period: 08/7/1 → 08/7/2

Fingerprint

Computer worms
Session Initiation Protocol
Self-learning
Learning Systems
Anomalous
Telecommunication
Learning systems
Infrastructure
Telecommunication Network
IP Networks
Worm
Experiments
Countermeasures
Feature Space
False Positive
Normality
Manipulation
Deviation
Attack
Traffic

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Rieck, K., Wahl, S., Laskov, P., Domschitz, P., & Muller, K. (2008). A self-learning system for detection of anomalous SIP messages. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5310 LNCS, pp. 90-106). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5310 LNCS). https://doi.org/10.1007/978-3-540-89054-6-5

@inproceedings{61638b8ec6454f189f82692a465db8a6,
title = "A self-learning system for detection of anomalous SIP messages",
abstract = "Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.",
author = "Konrad Rieck and Stefan Wahl and Pavel Laskov and Peter Domschitz and Klaus Muller",
year = "2008",
month = "12",
day = "15",
doi = "10.1007/978-3-540-89054-6-5",
language = "English",
isbn = "354089053X",
volume = "5310 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "90--106",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}

TY - GEN

T1 - A self-learning system for detection of anomalous SIP messages

AU - Rieck, Konrad

AU - Wahl, Stefan

AU - Laskov, Pavel

AU - Domschitz, Peter

AU - Muller, Klaus

PY - 2008/12/15

Y1 - 2008/12/15

N2 - Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.

UR - http://www.scopus.com/inward/record.url?scp=57349174533&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=57349174533&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-89054-6-5

DO - 10.1007/978-3-540-89054-6-5

M3 - Conference contribution

AN - SCOPUS:57349174533

SN - 354089053X

SN - 9783540890539

VL - 5310 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 90

EP - 106

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

ER -