Battling Against DDoS in SIP - Is Machine Learning-based Detection an Effective Weapon?

Z. Tsiatsikas, A. Fakis, D. Papamartzivanos, D. Geneiatakis, G. Kambourakis, C. Kolias

2015

Abstract

This paper focuses on network anomaly-detection and especially the effectiveness of Machine Learning (ML) techniques in detecting Denial of Service (DoS) in SIP-based VoIP ecosystems. It is true that until now several works in the literature have been devoted to this topic, but only a small fraction of them have done so in an elaborate way. Even more, none of them takes into account high and low-rate Distributed DoS (DDoS) when assessing the efficacy of such techniques in SIP intrusion detection. To provide a more complete estimation of this potential, we conduct extensive experimentations involving 5 different classifiers and a plethora of realistically simulated attack scenarios representing a variety of (D)DoS incidents. Moreover, for DDoS ones, we compare our results with those produced by two other anomaly-based detection methods, namely Entropy and Hellinger Distance. Our results show that ML-powered detection scores a promising false alarm rate in the general case, and seems to outperform similar methods when it comes to DDoS.

References

  1. Akbar, M. A. and Farooq, M. (2009). Application of evolutionary algorithms in detection of sip based flooding attacks. In Proceedings of the 11th Annual conference on Genetic and evolutionary computation, pages 1419-1426. ACM.
  2. Akbar, M. A. and Farooq, M. (2014). Securing sip-based voip infrastructure against flooding attacks and spam over ip telephony. Knowledge and information systems, 38(2):491-510.
  3. Bouzida, Y. and Mangin, C. (2008). A framework for detecting anomalies in voip networks. In Availability, Reliability and Security, 2008. ARES 08. Third International Conference on, pages 204-211. IEEE.
  4. Eastlake, D. and Hansen, T. (2011). Us secure hash algorithms (sha and sha-based hmac and hkdf). Technical report, RFC 6234, May.
  5. Ehlert, S., Geneiatakis, D., and Magedanz, T. (2010). Survey of network security systems to counter sip-based denial-of-service attacks. Computers and Security, 29(2):225 - 243.
  6. Gates, C. and Taylor, C. (2007). Challenging the anomaly detection paradigm: A provocative discussion. In Proceedings of the 2006 Workshop on New Security Paradigms, NSPW 7806, pages 21-29, New York, NY, USA. ACM.
  7. Geneiatakis, D., Dagiuklas, T., Kambourakis, G., Lambrinoudakis, C., Gritzalis, S., Ehlert, K., and Sisalem, D. (2006). Survey of security vulnerabilities in session initiation protocol. Communications Surveys Tutorials, IEEE, 8(3):68-81.
  8. Geneiatakis, D., Kambourakis, G., Lambrinoudakis, C., Dagiuklas, T., and Gritzalis, S. (2005). Sip message tampering: The sql code injection attack. In Proceedings of 13th International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2005), Split, Croatia.
  9. Geneiatakis, D., Kambourakis, G., Lambrinoudakis, C., Dagiuklas, T., and Gritzalis, S. (2007). A framework for protecting a sip-based infrastructure against malformed message attacks. Communications Networks, Elsevier, 51(10):2580-2593.
  10. Geneiatakis, D., Vrakas, N., and Lambrinoudakis, C. (2009). Utilizing bloom filters for detecting flooding attacks against SIP based services. Computers & Security, 28(7):578-591.
  11. Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., and Witten, I. H. (2009). The WEKA data mining software: an update. SIGKDD Explor. Newsl., 11(1):10-18.
  12. Kamailio (2014). the open source sip server. http://www.kamailio.org/w/.
  13. Kambourakis, G., Kolias, C., Gritzalis, S., and Park, J. H. (2011). Dos attacks exploiting signaling in UMTS and IMS. Computer Communications, 34(3):226 - 235.
  14. Keromytis, A. D. (2011). Voice over IP Security - A Comprehensive Survey of Vulnerabilities and Academic Research., volume 1 of Springer Briefs in Computer Science. Springer.
  15. Keromytis, A. D. (2012). A comprehensive survey of voice over ip security research. IEEE Communications Surveys and Tutorials, 14(2):514-537.
  16. Krishnamurthy, R. and Rouskas, G. (2013). Evaluation of sip proxy server performance: Packet-level measurements and queuing model. In Communications (ICC), 2013 IEEE International Conference on, pages 2326- 2330.
  17. Mohr, C. (2014). Report: Global voip services market to reach 137 billion by 2020.
  18. Nassar, M., Festor, O., et al. (2008). Monitoring sip traffic using support vector machines. In Recent Advances in Intrusion Detection, pages 311-330. Springer.
  19. Nikulin, M. (2001). Hellinger distance. Encyclopeadia of Mathematics.
  20. Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and Schooler, E. (2002). Sip: Session initiation protocol. Internet Requests for Comments.
  21. Shannon, C. E. (2001). A mathematical theory of communication. SIGMOBILE Mob. Comput. Commun. Rev., 5(1):3-55.
  22. Stanek, J. and Kencl, L. (2011). Sipp-dd: Sip ddos floodattack simulation tool. In Computer Communications and Networks (ICCCN), 2011 Proceedings of 20th International Conference on, pages 1-7.
  23. Tang, J., Cheng, Y., Hao, Y., and Song, W. (2014). Sip flooding attack detection with a multi-dimensional sketch design. Dependable and Secure Computing, IEEE Transactions on, PP(99):1-1.
  24. Tsiatsikas, Z., Geneiatakis, D., Kambourakis, G., and Keromytis, A. D. (2015). An efficient and easily deployable method for dealing with dos in sip services. Computer Communications, 57(0):50 - 63.
  25. Tsiatsikas, Z., Kambourakis, G., and Geneiatakis, D. (2014). Exposing resource consumption attacks in internet multimedia services. In proceedings of 14th IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Security Track, pages 1-6. IEEE Press.
  26. Witten, I. H. and Frank, E. (2005). Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems). Morgan Kaufmann Publishers Inc., San Francisco, CA, USA.
Download


Paper Citation


in Harvard Style

Tsiatsikas Z., Fakis A., Papamartzivanos D., Geneiatakis D., Kambourakis G. and Kolias C. (2015). Battling Against DDoS in SIP - Is Machine Learning-based Detection an Effective Weapon? . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 301-308. DOI: 10.5220/0005549103010308


in Bibtex Style

@conference{secrypt15,
author={Z. Tsiatsikas and A. Fakis and D. Papamartzivanos and D. Geneiatakis and G. Kambourakis and C. Kolias},
title={Battling Against DDoS in SIP - Is Machine Learning-based Detection an Effective Weapon?},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={301-308},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005549103010308},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Battling Against DDoS in SIP - Is Machine Learning-based Detection an Effective Weapon?
SN - 978-989-758-117-5
AU - Tsiatsikas Z.
AU - Fakis A.
AU - Papamartzivanos D.
AU - Geneiatakis D.
AU - Kambourakis G.
AU - Kolias C.
PY - 2015
SP - 301
EP - 308
DO - 10.5220/0005549103010308