A Self-learning System for Detection of Anomalous SIP Messages

Authors:
Konrad Rieck;Stefan Wahl;Pavel Laskov;Peter Domschitz;Klaus-Robert Müller
Affiliations:
Fraunhofer Institute FIRST, Intelligent Data Analysis, Berlin, Germany;Bell Labs Germany, Alcatel-Lucent, Stuttgart, Germany;Fraunhofer Institute FIRST, Intelligent Data Analysis, Berlin, Germany and University of Tübingen, Wilhelm-Schickard-Institute, Germany;Bell Labs Germany, Alcatel-Lucent, Stuttgart, Germany;Fraunhofer Institute FIRST, Intelligent Data Analysis, Berlin, Germany and Dept. of Computer Science, Technical University of Berlin, Germany
Venue:
Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks
Year:
2008

Citing 21
Cited 5

Support vector domain description

Pattern Recognition Letters - Special issue on pattern recognition in practice VI
Service specific anomaly detection for network intrusion detection

Proceedings of the 2002 ACM symposium on Applied computing
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Anomaly detection of web-based attacks

Proceedings of the 10th ACM conference on Computer and communications security
Network traffic anomaly detection based on packet bytes

Proceedings of the 2003 ACM symposium on Applied computing
SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments

DSN '04 Proceedings of the 2004 International Conference on Dependable Systems and Networks
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
VoIP Intrusion Detection Through Interacting Protocol State Machines

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
A framework for protecting a SIP-based infrastructure against malformed message attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Incremental Support Vector Learning: Analysis, Implementation and Applications

The Journal of Machine Learning Research
Holistic VoIP intrusion detection and prevention system

Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
VoIP defender: highly scalable SIP-based security architecture

Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
KiF: a stateful SIP fuzzer

Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
Denial of service attack and prevention on SIP VoIP infrastructures using DNS flooding

Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Linear-Time Computation of Similarity Measures for Sequential Data

The Journal of Machine Learning Research
Casting out Demons: Sanitizing Training Data for Anomaly Sensors

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Detecting unknown network attacks using language models

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Anagram: a content anomaly detector resistant to mimicry attack

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Survey of security vulnerabilities in session initiation protocol

IEEE Communications Surveys & Tutorials
Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms

IEEE Network: The Magazine of Global Internetworking

Using game theory to configure P2P SIP

Proceedings of the 3rd International Conference on Principles, Systems and Applications of IP Telecommunications
A Survey of Voice over IP Security Research

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
SIP CLF: a common log format (CLF) for the session initiation protocol (SIP)

SLAML'10 Proceedings of the 2010 workshop on Managing systems via log analysis and machine learning techniques
Software-based serverless endpoint video combiner architecture for high-definition multiparty video conferencing

Journal of Network and Computer Applications
Outbound SPIT filter with optimal performance guarantees

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.