Detecting Denial of Service Message Flooding Attacks inSIP based Services

Increasing the popularity of sip based services (voip, iptv, ims infrastructure) lead to concerns about its security. the main signaling protocol of next generation networks and voip systems is session initiation protocol (sip). inherent vulnerabilities of sip, misconfiguration of its related components and also its implementation deficiencies cause some security concerns in sip based infrastructures. new attacks are developed that target directly the underlying sip protocol in these related sip setups. to detect such kinds of attacks we combined anomaly-based and specification-based intrusion detection techniques. we took advantages of the sip state machine concept (according to rfc 3261) in our proposed solution. we also built and configured a real test-bed for sip based services to generate normal and assumed attack traffics. we validated and evaluated our intrusion detection system with the dump traffic of this real test-bed and we also used another specific available dataset to have a more comprehensive evaluation. the experimental results show that our approach is effective in classifying normal and anomaly traffic in different situations. the receiver operating characteristic (roc) analysis is applied on final extracted results to select the working point of our system (set related thresholds)