The Effects of SIP Register Flood Attack and Detection by Using Kullback–Leibler Distance
Subject Areas: electrical and computer engineering
S. R. Chogan 1 *, M. Fathy 2, M. Ramezani 3
1 - University of Science and Technology
2 -
3 -
Keywords: Detection register flood, Kullback–Leibler distance, SIP register flood attack, VoIP security
Abstract:
Voice communication over the Internet uses VoIP, which comprises several protocols, and its secrecy is a very important issue. SIP is the most important signaling protocol, and detecting attacks on it may help immunize the system. This paper is dedicated to SIP registration flood attacks. Attackers can send registration signals, which pose several dangers to the registration server. In this paper, SIP register flood attacks are investigated in detail and the effects of the attack on the registration server are illustrated. Finally, the effects of the attack are evaluated, as ratios relative to the regular state of the network, in experiments done in a real network. Moreover, the Kullback–Leibler distance is used instead of the Hellinger distance for detecting register flood attacks, and the corresponding ROC curves show that this approach has better performance.