Abstract
We propose a novel online monitoring approach to distinguish between attacks and normal activity in SIP-based Voice over IP environments. We demonstrate the efficiency of the approach even when only limited data sets are used in the learning phase. The solution builds on the monitoring of a set of 38 features in VoIP flows and uses Support Vector Machines for classification. We validate our proposal through large offline experiments performed over a mix of real-world traces from a large VoIP provider and attacks generated locally on our own testbed. Results show high accuracy in detecting SPIT and flooding attacks, and the measured performance is promising for an online deployment.
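The pipeline the abstract describes (per-window features of SIP flows fed to an SVM that separates normal windows from flood and SPIT windows) as an added, self-contained toy example. This is not code from the paper: the page gives neither the 38 features nor the traces, so the message format, the five features, the constructed traffic generators, the Pegasos training rule and all hyper-parameters are assumptions made for this illustration.

```python
"""Added example (not the paper's code): a toy version of the pipeline the
abstract describes -- per-window SIP features fed to a linear SVM that
separates normal traffic from flood and SPIT windows.  The message format,
the five features, the synthetic traffic generators and all hyper-parameters
are assumptions made for this illustration; the paper's 38 features and its
real-world traces are not available here."""
import math
import random

WINDOW_SECONDS = 60.0   # assumed length of one monitoring window


def is_error_status(code):
    """4xx/5xx/6xx responses count as errors."""
    return 400 <= code < 700


def extract_features(messages):
    """messages: list of (timestamp, kind, from_uri); kind is a SIP method
    name (str) or a numeric status code (int).  Returns five assumed features."""
    invites = [m for m in messages if m[1] == "INVITE"]
    requests = [m for m in messages if isinstance(m[1], str)]
    responses = [m for m in messages if isinstance(m[1], int)]
    n_inv = len(invites)
    n_err = sum(1 for m in responses if is_error_status(m[1]))
    distinct_callers = len({m[2] for m in invites})
    return [
        n_inv / WINDOW_SECONDS,                  # INVITE rate (per second)
        distinct_callers / max(n_inv, 1),        # caller diversity among INVITEs
        n_err / max(len(responses), 1),          # share of error responses
        len(responses) / max(len(requests), 1),  # responses per request
        n_inv / max(len(requests), 1),           # INVITE share of all requests
    ]


def _call(t, caller, statuses, hangup):
    """One constructed dialog: INVITE, the given responses, ACK, optional BYE/200."""
    msgs = [(t, "INVITE", caller)] + [(t + 0.1 * (i + 1), s, caller) for i, s in enumerate(statuses)]
    msgs.append((t + 1.0, "ACK", caller))
    if hangup:
        msgs += [(t + 5.0, "BYE", caller), (t + 5.1, 200, caller)]
    return msgs


def gen_window(rng, kind):
    """Constructed traffic for one window: 'normal', 'flood' or 'spit'."""
    msgs = []
    if kind == "normal":      # a few calls from distinct users, plus some REGISTERs
        for _ in range(rng.randint(8, 14)):
            msgs += _call(rng.uniform(0, 55), "sip:u%d@example.net" % rng.randint(1, 500), [100, 180, 200], True)
        for _ in range(rng.randint(3, 6)):
            u, t = "sip:u%d@example.net" % rng.randint(1, 500), rng.uniform(0, 59)
            msgs += [(t, "REGISTER", u), (t + 0.05, 200, u)]
    elif kind == "flood":     # hundreds of INVITEs from a few sources, proxy overloaded
        bots = ["sip:bot%d@attacker.invalid" % i for i in range(rng.randint(1, 5))]
        for _ in range(rng.randint(400, 800)):
            src, t = rng.choice(bots), rng.uniform(0, 59)
            msgs += [(t, "INVITE", src), (t + 0.01, 100, src)]
            if rng.random() < 0.4:
                msgs.append((t + 0.02, rng.choice([486, 503]), src))
    else:                     # spit: one caller dialling many callees in a row
        for _ in range(rng.randint(40, 80)):
            if rng.random() < 0.7:
                msgs += _call(rng.uniform(0, 55), "sip:promo@spit.invalid", [100, 180, 200], True)
            else:
                msgs += _call(rng.uniform(0, 55), "sip:promo@spit.invalid", [100, rng.choice([486, 603])], False)
    return sorted(msgs, key=lambda m: m[0])


def fit_scaler(X):
    """Per-feature mean/std from the training set (z-score scaling)."""
    n, d = len(X), len(X[0])
    mean = [sum(x[j] for x in X) / n for j in range(d)]
    std = [math.sqrt(sum((x[j] - mean[j]) ** 2 for x in X) / n) or 1.0 for j in range(d)]
    return mean, std


def scale(x, scaler):
    mean, std = scaler
    return [(v - m) / s for v, m, s in zip(x, mean, std)]


def train_svm(X, y, lam=0.01, epochs=100, seed=0):
    """Linear SVM fitted with Pegasos (stochastic sub-gradient on the hinge
    loss).  A constant 1.0 is appended to every vector so w[-1] is the bias."""
    rng, t = random.Random(seed), 0
    w = [0.0] * (len(X[0]) + 1)
    for _ in range(epochs):
        order = list(range(len(X)))
        rng.shuffle(order)
        for i in order:
            t += 1
            eta, xi = 1.0 / (lam * t), X[i] + [1.0]
            margin = y[i] * sum(wj * xj for wj, xj in zip(w, xi))
            w = [(1.0 - eta * lam) * wj for wj in w]          # regularisation shrink
            if margin < 1.0:                                  # hinge-loss violation
                w = [wj + eta * y[i] * xj for wj, xj in zip(w, xi)]
    return w


def predict(w, x):
    """+1 = attack window, -1 = normal window."""
    return 1 if sum(wj * xj for wj, xj in zip(w, x + [1.0])) >= 0 else -1


def build_dataset(seed, n_normal=20, n_flood=10, n_spit=10):
    rng, X, y = random.Random(seed), [], []
    for kind, n, label in (("normal", n_normal, -1), ("flood", n_flood, 1), ("spit", n_spit, 1)):
        for _ in range(n):
            X.append(extract_features(gen_window(rng, kind)))
            y.append(label)
    return X, y


def train_and_evaluate(train_seed=1, test_seed=2):
    """Fit on one constructed data set, report accuracy on a fresh one."""
    X_tr, y_tr = build_dataset(train_seed)
    scaler = fit_scaler(X_tr)
    w = train_svm([scale(x, scaler) for x in X_tr], y_tr)
    X_te, y_te = build_dataset(test_seed)
    hits = sum(predict(w, scale(x, scaler)) == lbl for x, lbl in zip(X_te, y_te))
    return hits / len(X_te)


if __name__ == "__main__":
    print("held-out accuracy:", train_and_evaluate())
```

The caller-diversity and error-response features do most of the work here, which is exactly why a constructed data set of 40 windows is enough for the linear classifier; with real traces the scaler statistics and the regularisation constant `lam` would have to be tuned on a held-out set rather than fixed as above.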
© 2008 Springer-Verlag Berlin Heidelberg
Nassar, M., State, R., Festor, O. (2008). Monitoring SIP Traffic Using Support Vector Machines. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_17
DOI: https://doi.org/10.1007/978-3-540-87403-4_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87402-7
Online ISBN: 978-3-540-87403-4
eBook Packages: Computer Science (R0)