SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree

Dongwon Seo, Heejo Lee, Ejovi Nuwere

Research output: Contribution to journal (Article)

20 Citations (Scopus)

Abstract

Voice over IP (VoIP) services have become prevalent lately because of advantages such as economic efficiency and useful features, and the Session Initiation Protocol (SIP) is widely used as the session protocol for these services. Many mobile VoIP applications have recently been launched, and they are becoming attractive targets for attackers seeking to steal private information. In particular, malformed SIP messages and SIP flooding attacks are the most significant attacks, as they cause service disruption by targeting call procedures and system resources. Although much research has been conducted to address these problems, they remain unresolved because variants of the attacks are easy to launch. In this paper, we propose a stateful SIP inspection mechanism, called SIP-VoIP Anomaly Detection (SIPAD), that leverages a SIP-optimized data structure to detect malformed SIP messages and SIP flooding attacks. SIPAD precomputes the SIP-optimized data structure (termed a stateful rule tree), which reorganizes the SIP rule set by hierarchical correlation. Depending on the current state and the message type, SIPAD selects the corresponding branches of the stateful rule tree and inspects the structure of a SIP message by comparing it to those branches. The SIP-optimized rule tree provides higher detection accuracy, wider detection coverage and faster detection than existing approaches. Conventional SIP inspection schemes tend to have high overhead because of the complexity of their rule matching; experimental results show that our SIP-optimized approach, by contrast, dramatically reduces overhead and can even be deployed in resource-constrained environments such as smartphones.

Original language: English
Pages (from-to): 562-574
Number of pages: 13
Journal: Computer Communications
Volume: 36
Issue number: 5
DOI: 10.1016/j.comcom.2012.12.004
Publication status: Published - 2013 Mar 1

Keywords

  • Flooding attacks
  • Malformed messages
  • SIP anomaly detection
  • VoIP security

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree. / Seo, Dongwon; Lee, Heejo; Nuwere, Ejovi.

In: Computer Communications, Vol. 36, No. 5, 01.03.2013, p. 562-574.

Seo, Dongwon; Lee, Heejo; Nuwere, Ejovi. / SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree. In: Computer Communications. 2013; Vol. 36, No. 5. pp. 562-574.
@article{3417ac5119ab4807a0ecc7a492faea60,
title = "SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree",
keywords = "Flooding attacks, Malformed messages, SIP anomaly detection, VoIP security",
author = "Dongwon Seo and Heejo Lee and Ejovi Nuwere",
year = "2013",
month = "3",
day = "1",
doi = "10.1016/j.comcom.2012.12.004",
language = "English",
volume = "36",
pages = "562--574",
journal = "Computer Communications",
issn = "0140-3664",
publisher = "Elsevier",
number = "5",
}

TY - JOUR

T1 - SIPAD

T2 - SIP-VoIP Anomaly Detection using a Stateful Rule Tree

AU - Seo, Dongwon

AU - Lee, Heejo

AU - Nuwere, Ejovi

PY - 2013/3/1

Y1 - 2013/3/1

KW - Flooding attacks

KW - Malformed messages

KW - SIP anomaly detection

KW - VoIP security

UR - http://www.scopus.com/inward/record.url?scp=84873993241&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84873993241&partnerID=8YFLogxK

U2 - 10.1016/j.comcom.2012.12.004

DO - 10.1016/j.comcom.2012.12.004

M3 - Article

AN - SCOPUS:84873993241

VL - 36

SP - 562

EP - 574

JO - Computer Communications

JF - Computer Communications

SN - 0140-3664

IS - 5

ER -