DOI: 10.1145/2108616.2108707

A SIP-TRW algorithm for DDoS attack detection in SIP environments

Published: 14 January 2010

Abstract

While there are many ongoing research efforts on Denial-of-Service (DoS) attacks in the general Internet environment, there is insufficient research on voice networks. In this paper, we present the design and evaluation of a SIP-TRW algorithm for detecting DDoS attack traffic in VoIP networks.
We analyzed existing TRW algorithms for detection of DDoS attacks in the Internet. In order to apply existing algorithms to voice networks, we designed connection establishment and release processes, and defined the probability function.
To verify the proposed algorithm, we determined the threshold value and defined the variables for the virtual traffic and the environment. Numerical results from the equation showed that there is a 70% probability that the connection will break. They also showed that attacks will be detected within 1.2 seconds when the rate of attack is 10 packets per second, and within 0.5 seconds when the rate is 20 packets per second.
We used NS-2 simulators to measure detection ratio by attack traffic type, and the detection time by attack speed. The results showed that detection took 4.3 seconds when one INVITE packet was sent every 0.1 seconds. The proposed algorithm detected 13280 out of 15000 different attack types, resulting in an 89% detection ratio.


Published In
ICUIMC '10: Proceedings of the 4th International Conference on Ubiquitous Information Management and Communication
January 2010
550 pages
ISBN: 9781605588933
DOI: 10.1145/2108616

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DDoS
  2. SIP
  3. SIP-TRW
  4. detection
  5. voice network

Qualifiers

  • Research-article

Acceptance Rates

Overall Acceptance Rate 251 of 941 submissions, 27%
