Abstract
The Session Initiation Protocol (SIP) is widely used for Voice over IP (VoIP) services because of its potential advantages, economic efficiency and simple call setup. However, SIP-based VoIP services face two main security issues: malformed SIP message attacks and SIP flooding attacks. In this paper, we propose a novel mechanism for SIP-based VoIP systems that uses a rule matching algorithm and state transition models. It detects not only these two main attacks but also covers more SIP attacks. Instead of simply combining rule comparison with counting the number of SIP messages, we develop secure RFC 3261 rules based on the existing RFC 3261 rules, so that the proposed mechanism shows a 26% higher detection rate for malformed attacks. Moreover, we use session information and define the features of each state in order to detect abnormal situations, including SIP flooding. As a result, the proposed mechanism is shown to provide not only higher accuracy but also coverage of more SIP attacks, including the two main attacks.
Keywords
- Intrusion Detection
- Session Initiation Protocol
- Rule Match
- State Transition Model
- Session Initiation Protocol Message
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Seo, D., Lee, H., Nuwere, E. (2008). Detecting More SIP Attacks on VoIP Services by Combining Rule Matching and State Transition Models. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_26
DOI: https://doi.org/10.1007/978-0-387-09699-5_26
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5
eBook Packages: Computer Science, Computer Science (R0)