
Abstract

Current Voice-over-IP infrastructures lack defenses against unexpected network threats such as zero-day exploits and computer worms. Such threats have become possible through the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detecting unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages into a feature space and measuring their deviation from a model of normality. It adapts to changes in the network by retraining itself automatically, while being hardened against targeted manipulation. Experiments on realistic SIP traffic demonstrate high detection performance at low false-positive rates.
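The abstract describes the detector only at the level of "embed, measure deviation, retrain". The following is an added example, not the chapter's code, showing one concrete way to carry out each step: a byte 3-gram embedding of each SIP message, a centroid model of normality whose radius is calibrated on training traffic, and a retraining rule that learns only from messages the model already accepts and that stay inside the initial calibration. The n-gram length, the margin, the anchoring rule, and every SIP message are this example's own assumptions, not values taken from the chapter. The practitioner's caveat it illustrates: a detector that retrains itself on live traffic is exactly what a poisoning attacker aims at, so the rule deciding which messages may flow back into the model matters as much as the anomaly score itself.

```python
"""Added example, not the chapter's code: byte n-gram embedding of SIP messages,
a centroid model of normality, and retraining that refuses untrusted input."""
from collections import Counter
import math

N = 3  # n-gram length: an assumption, the page does not give the chapter's value

def sip_request(method, to_user, from_user, branch, tag, call_id, cseq, extra=""):
    """Minimal RFC 3261 request; constructed data on 192.0.2.0/24 and example.com."""
    return (
        f"{method} sip:{to_user}@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{branch}\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:{from_user}@example.com>;tag={tag}\r\n"
        f"To: <sip:{to_user}@example.com>\r\n"
        f"Call-ID: {call_id}@192.0.2.10\r\n"
        f"CSeq: {cseq} {method}\r\n"
        f"Contact: <sip:{from_user}@192.0.2.10:5060>\r\n"
        f"User-Agent: ExampleUA/1.0\r\n{extra}"
        "Content-Length: 0\r\n\r\n"
    )

def embed(msg):
    """Embed a message as a sparse, L2-normalised byte n-gram frequency vector."""
    data = msg.encode("utf-8")
    counts = Counter(data[i:i + N] for i in range(len(data) - N + 1))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {g: c / norm for g, c in counts.items()}

def distance(a, b):
    """Euclidean distance between two sparse vectors."""
    return math.sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in set(a) | set(b)))

class CentroidModel:
    """Centre of mass of the training vectors plus a radius calibrated once as a
    margin over the largest training distance.  update() learns only from messages
    inside that radius around the *initial* centre (the anchor) and never enlarges
    the radius, so crafted input cannot drag the centre out of the calibrated ball.
    This anchoring is the example's own guard, not necessarily the chapter's."""

    def __init__(self, train_msgs, margin=1.3):
        self.vecs = [embed(m) for m in train_msgs]
        self.center = self._mean(self.vecs)
        self.anchor = dict(self.center)
        self.radius = margin * max(distance(v, self.center) for v in self.vecs)

    @staticmethod
    def _mean(vecs):
        acc = Counter()
        for v in vecs:
            acc.update(v)  # Counter.update adds the float weights key by key
        return {k: x / len(vecs) for k, x in acc.items()}

    def score(self, msg):
        """Deviation from normality: distance of the message to the centre."""
        return distance(embed(msg), self.center)

    def is_anomalous(self, msg):
        return self.score(msg) > self.radius

    def update(self, msg):
        """Retrain on msg if it is accepted now and lies inside the anchored ball."""
        v = embed(msg)
        if distance(v, self.center) > self.radius or distance(v, self.anchor) > self.radius:
            return False
        self.vecs.append(v)
        self.center = self._mean(self.vecs)  # radius deliberately left unchanged
        return True

# Constructed training traffic from one user agent: several dialogs and methods.
TRAIN = [
    sip_request("INVITE", "bob", "alice", "74bf9", "1928301774", "a84b4c76e66710", 314159),
    sip_request("INVITE", "carol", "alice", "0c3a2", "9fxced76sl", "3848276298220188511", 1),
    sip_request("INVITE", "dave", "bob", "ff1e7", "a6c85cf", "b84b4c76e66710", 2),
    sip_request("ACK", "bob", "alice", "74bf9", "1928301774", "a84b4c76e66710", 314159),
    sip_request("BYE", "alice", "bob", "nashds10", "a6c85cf", "a84b4c76e66710", 231),
    sip_request("REGISTER", "alice", "alice", "4b5c1", "456248", "843817637684230", 1826, "Expires: 7200\r\n"),
    sip_request("OPTIONS", "carol", "alice", "e8d44", "1928301774", "a84b4c76e66710", 63104),
]
# An unseen but ordinary INVITE, and a malformed INVITE carrying a 600-byte user part.
NORMAL = sip_request("INVITE", "erin", "carol", "7a2c0", "5f1d23a", "c1d2e3f4a5b6", 17)
MALFORMED = sip_request("INVITE", "A" * 600, "alice", "74bf9", "1928301774", "a84b4c76e66710", 1)

def demo():
    """Train, classify both test messages, then try to poison the model."""
    model = CentroidModel(TRAIN)
    before = dict(model.center)
    result = {"normal_flagged": model.is_anomalous(NORMAL),
              "malformed_flagged": model.is_anomalous(MALFORMED),
              "learned_malformed": model.update(MALFORMED)}
    result["learned_normal"] = model.update(NORMAL)
    result["center_moved"] = distance(before, model.center) > 0
    result["malformed_still_flagged"] = model.is_anomalous(MALFORMED)
    return result

if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict in which only the malformed message is flagged, the attempt to feed it back into the model is refused, and the ordinary unseen INVITE is both accepted and learned. The anchoring bound is coarse: it also blocks genuine drift beyond the calibrated ball, which then needs an explicit recalibration on vetted traffic, and it is this example's trade-off rather than a description of the chapter's hardening.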




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Rieck, K., Wahl, S., Laskov, P., Domschitz, P., Müller, KR. (2008). A Self-learning System for Detection of Anomalous SIP Messages. In: Schulzrinne, H., State, R., Niccolini, S. (eds) Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks. IPTComm 2008. Lecture Notes in Computer Science, vol 5310. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89054-6_5


  • DOI: https://doi.org/10.1007/978-3-540-89054-6_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-89053-9

  • Online ISBN: 978-3-540-89054-6

