Abstract
Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. Such threats become possible through the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages into a feature space and determining their deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.
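As an added illustration of the approach the abstract outlines (example code written for this page, not the paper's implementation; the page does not describe the paper's actual feature space or model), the following Python snippet embeds constructed SIP INVITE messages as unit-length byte 3-gram frequency vectors, builds a centroid from benign messages as the model of normality, and scores deviation from it. The message template, names, the centroid model and the threshold rule are all assumptions; a constructed malformed request with an over-long URI is used as the anomalous input.

```python
from collections import Counter
from math import sqrt

def sip_invite(caller, callee, call_id, host="10.0.0.1"):
    """Build a constructed (synthetic) SIP INVITE request; not captured traffic."""
    return (
        f"INVITE sip:{callee}@example.org SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK{call_id}\r\n"
        f"From: <sip:{caller}@example.org>;tag={call_id}\r\n"
        f"To: <sip:{callee}@example.org>\r\n"
        f"Call-ID: {call_id}@{host}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
    ).encode()

def embed(message, n=3):
    """Embed a message as a unit-length sparse vector of byte n-gram counts."""
    grams = Counter(message[i:i + n] for i in range(len(message) - n + 1))
    norm = sqrt(sum(c * c for c in grams.values())) or 1.0
    return {g: c / norm for g, c in grams.items()}

def distance(u, v):
    """Euclidean distance between two sparse vectors (dicts of gram -> weight)."""
    return sqrt(sum((u.get(k, 0.0) - v.get(k, 0.0)) ** 2 for k in set(u) | set(v)))

class CentroidDetector:
    """Model of normality: centroid of benign embeddings plus a distance threshold."""
    def __init__(self, n=3, margin=1.5):
        self.n, self.margin, self.centroid, self.threshold = n, margin, {}, 0.0
    def train(self, messages):
        """Fit the centroid; threshold = margin * largest training distance (assumed rule)."""
        vecs = [embed(m, self.n) for m in messages]
        self.centroid = {}
        for v in vecs:
            for g, x in v.items():
                self.centroid[g] = self.centroid.get(g, 0.0) + x / len(vecs)
        self.threshold = self.margin * max(self.score(m) for m in messages)
        return self
    def score(self, message):
        """Anomaly score: deviation of the message embedding from the centroid."""
        return distance(embed(message, self.n), self.centroid)
    def is_anomalous(self, message):
        return self.score(message) > self.threshold

# Constructed benign INVITEs for training, plus one held-out benign INVITE.
TRAIN = [sip_invite("alice", "bob", "a1"), sip_invite("carol", "dave", "c2", "10.0.0.2"),
         sip_invite("erin", "frank", "e3"), sip_invite("grace", "heidi", "g4", "10.0.0.3"),
         sip_invite("oscar", "peggy", "o5"), sip_invite("trent", "victor", "t6", "10.0.0.5")]
NORMAL_TEST = sip_invite("ivan", "judy", "i7", "10.0.0.4")
# Constructed malformed request: an over-long, repetitive user part in the request URI.
MALFORMED = sip_invite("mallory", "X" * 300, "m8")
DETECTOR = CentroidDetector().train(TRAIN)
```

Retraining on fresh traffic and the hardening against poisoned training data that the abstract mentions are not covered by this snippet.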
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rieck, K., Wahl, S., Laskov, P., Domschitz, P., Müller, KR. (2008). A Self-learning System for Detection of Anomalous SIP Messages. In: Schulzrinne, H., State, R., Niccolini, S. (eds) Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks. IPTComm 2008. Lecture Notes in Computer Science, vol 5310. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89054-6_5
DOI: https://doi.org/10.1007/978-3-540-89054-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89053-9
Online ISBN: 978-3-540-89054-6
eBook Packages: Computer Science (R0)