Detecting more SIP attacks on VoIP services by combining rule matching and state transition models

Dongwon Seo, Heejo Lee, Ejovi Nuwere

Research output: Chapter in Book/Report/Conference proceedingConference contribution

12 Citations (Scopus)

Abstract

The Session Initiation Protocol (SIP) has been used widely for Voice over IP (VoIP) service because of its potential advantages, economical efficiency and call setup simplicity. However, SIP-based VoIP service basically has two main security issues, malformed SIP message attack and SIP flooding attack. In this paper, we propose a novel mechanism for SIP-based VoIP system utilizing rule matching algorithm and state transition models. It detects not only two main attacks, but also covers more SIP attacks. Instead of simply combining rule comparison and counting number of SIP messages, we develop secure RFC 3261 rules based on existing RFC 3261 rules, so that proposed mechanism shows 26% higher detection rate for malformed attack. Moreover, we utilize session information and define the features of each state in order to detect abnormal situations including SIP flooding. As the result, it is shown that the proposed mechanism provides not only higher accuracy, but also covering more SIP attacks including two main attacks.

Original languageEnglish
Title of host publicationIFIP International Federation for Information Processing
Pages397-411
Number of pages15
Volume278
DOIs
Publication statusPublished - 2008 Aug 4

Publication series

NameIFIP International Federation for Information Processing
Volume278
ISSN (Print)15715736

Fingerprint

Attack
Flooding
Rule-based
Security issues
Simplicity

ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Seo, D., Lee, H., & Nuwere, E. (2008). Detecting more SIP attacks on VoIP services by combining rule matching and state transition models. In IFIP International Federation for Information Processing (Vol. 278, pp. 397-411). (IFIP International Federation for Information Processing; Vol. 278). https://doi.org/10.1007/978-0-387-09699-5_26

Detecting more SIP attacks on VoIP services by combining rule matching and state transition models. / Seo, Dongwon; Lee, Heejo; Nuwere, Ejovi.

IFIP International Federation for Information Processing. Vol. 278 2008. p. 397-411 (IFIP International Federation for Information Processing; Vol. 278).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Seo, D, Lee, H & Nuwere, E 2008, Detecting more SIP attacks on VoIP services by combining rule matching and state transition models. in IFIP International Federation for Information Processing. vol. 278, IFIP International Federation for Information Processing, vol. 278, pp. 397-411. https://doi.org/10.1007/978-0-387-09699-5_26
Seo D, Lee H, Nuwere E. Detecting more SIP attacks on VoIP services by combining rule matching and state transition models. In IFIP International Federation for Information Processing. Vol. 278. 2008. p. 397-411. (IFIP International Federation for Information Processing). https://doi.org/10.1007/978-0-387-09699-5_26
Seo, Dongwon ; Lee, Heejo ; Nuwere, Ejovi. / Detecting more SIP attacks on VoIP services by combining rule matching and state transition models. IFIP International Federation for Information Processing. Vol. 278 2008. pp. 397-411 (IFIP International Federation for Information Processing).
@inproceedings{b1b5b705e72340c1b1183000b2b45144,
title = "Detecting more SIP attacks on VoIP services by combining rule matching and state transition models",
abstract = "The Session Initiation Protocol (SIP) has been used widely for Voice over IP (VoIP) service because of its potential advantages, economical efficiency and call setup simplicity. However, SIP-based VoIP service basically has two main security issues, malformed SIP message attack and SIP flooding attack. In this paper, we propose a novel mechanism for SIP-based VoIP system utilizing rule matching algorithm and state transition models. It detects not only two main attacks, but also covers more SIP attacks. Instead of simply combining rule comparison and counting number of SIP messages, we develop secure RFC 3261 rules based on existing RFC 3261 rules, so that proposed mechanism shows 26{\%} higher detection rate for malformed attack. Moreover, we utilize session information and define the features of each state in order to detect abnormal situations including SIP flooding. As the result, it is shown that the proposed mechanism provides not only higher accuracy, but also covering more SIP attacks including two main attacks.",
author = "Dongwon Seo and Heejo Lee and Ejovi Nuwere",
year = "2008",
month = "8",
day = "4",
doi = "10.1007/978-0-387-09699-5_26",
language = "English",
isbn = "9780387096988",
volume = "278",
series = "IFIP International Federation for Information Processing",
pages = "397--411",
booktitle = "IFIP International Federation for Information Processing",

}

TY - GEN

T1 - Detecting more SIP attacks on VoIP services by combining rule matching and state transition models

AU - Seo, Dongwon

AU - Lee, Heejo

AU - Nuwere, Ejovi

PY - 2008/8/4

Y1 - 2008/8/4

N2 - The Session Initiation Protocol (SIP) has been used widely for Voice over IP (VoIP) service because of its potential advantages, economical efficiency and call setup simplicity. However, SIP-based VoIP service basically has two main security issues, malformed SIP message attack and SIP flooding attack. In this paper, we propose a novel mechanism for SIP-based VoIP system utilizing rule matching algorithm and state transition models. It detects not only two main attacks, but also covers more SIP attacks. Instead of simply combining rule comparison and counting number of SIP messages, we develop secure RFC 3261 rules based on existing RFC 3261 rules, so that proposed mechanism shows 26% higher detection rate for malformed attack. Moreover, we utilize session information and define the features of each state in order to detect abnormal situations including SIP flooding. As the result, it is shown that the proposed mechanism provides not only higher accuracy, but also covering more SIP attacks including two main attacks.

AB - The Session Initiation Protocol (SIP) has been used widely for Voice over IP (VoIP) service because of its potential advantages, economical efficiency and call setup simplicity. However, SIP-based VoIP service basically has two main security issues, malformed SIP message attack and SIP flooding attack. In this paper, we propose a novel mechanism for SIP-based VoIP system utilizing rule matching algorithm and state transition models. It detects not only two main attacks, but also covers more SIP attacks. Instead of simply combining rule comparison and counting number of SIP messages, we develop secure RFC 3261 rules based on existing RFC 3261 rules, so that proposed mechanism shows 26% higher detection rate for malformed attack. Moreover, we utilize session information and define the features of each state in order to detect abnormal situations including SIP flooding. As the result, it is shown that the proposed mechanism provides not only higher accuracy, but also covering more SIP attacks including two main attacks.

UR - http://www.scopus.com/inward/record.url?scp=48249136517&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48249136517&partnerID=8YFLogxK

U2 - 10.1007/978-0-387-09699-5_26

DO - 10.1007/978-0-387-09699-5_26

M3 - Conference contribution

SN - 9780387096988

VL - 278

T3 - IFIP International Federation for Information Processing

SP - 397

EP - 411

BT - IFIP International Federation for Information Processing

ER -