SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree

Dongwon Seo, Heejo Lee, Ejovi Nuwere

Research output: Contribution to journalArticlepeer-review

22 Citations (Scopus)


Voice over IP (VoIP) services have become prevalent lately because of their potential advantages such as economic efficiency and useful features. Meanwhile, Session Initiation Protocol (SIP) is being widely used as a session protocol for the VoIP services. Many mobile VoIP applications have recently been launched, and they are becoming attractive targets for attackers to steal private information. In particular, malformed SIP messages and SIP flooding attacks are the most significant attacks as they cause service disruption by targeting call procedures and system resources. Although much research has been conducted in an effort to address the problems, they remain unresolved challenges due to the ease of launching variants of attacks. In this paper, we propose a stateful SIP inspection mechanism, called SIP-VoIP Anomaly Detection (SIPAD), that leverages a SIP-optimized data structure to detect malformed SIP messages and SIP flooding attacks. SIPAD precomputes the SIP-optimized data structure (termed a stateful rule tree) that reorganizes the SIP rule set by hierarchical correlation. Depending on the current state and the message type, SIPAD determines the corresponding branches from the stateful rule tree, and inspects a SIP message's structure by comparing it to the branches. The SIP-optimized rule tree provides higher detection accuracy, wider detection coverage and faster detection than existing approaches. Conventional SIP inspection schemes tend to have high overhead costs due to the complexity of their rule matching schemes. Experimental results of our SIP-optimized approach, by contrast, indicate that it dramatically reduces overhead and can even be deployed in resource-constrained environments such as smartphones.

Original languageEnglish
Pages (from-to)562-574
Number of pages13
JournalComputer Communications
Issue number5
Publication statusPublished - 2013 Mar 1


  • Flooding attacks
  • Malformed messages
  • SIP anomaly detection
  • VoIP security

ASJC Scopus subject areas

  • Computer Networks and Communications


Dive into the research topics of 'SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree'. Together they form a unique fingerprint.

Cite this