SIP Stealthy Attack Detection and Resource-Drained Malformed Message Attack Detection

  • Jin Tang
  • Yu Cheng
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)


In this chapter, we first address the stealthy attack, where intelligent attackers can afford a long time to attack the system, and only incur minor changes to the system within each sampling period. To identify such attacks in the early stage for timely responses, we propose a detection scheme based on the signal processing technique wavelet, which is able to quickly expose the changes induced by the attacks. Then, we address the malformed message attack identified by us, which manipulates both the “Session-Expires” header in the SIP message and openness of wireless protocols to severely drain the network resources. We develop a detection method based on the Anderson–Darling test to deal with such attacks.


Discrete Wavelet Transform Exponential Weight Move Average Proxy Server Attack Detection Session Timer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    T. Anderson and D. Darling, “Asymptotic Theory of Certain “Goodness-of-Fit” Criteria Based on Stochastic Processes,” Annals of Mathematical Statistics, 1952.Google Scholar
  2. 2.
    G. Carl, R. Brooks and S. Rai, “Wavelet Based Denial-of-Service detection,” Computers & Security, vol. 25, no. 8, pp. 600–615, Nov. 2006.CrossRefGoogle Scholar
  3. 3.
    I. M. Chakravarti, R. G. Laha, and J. Roy, Handbook of Methods of Applied Statistics, Volume I, John Wiley and Sons, pp. 392–394, 1967.Google Scholar
  4. 4.
    E. Chen, “Detecting DoS Attacks on SIP Systems,” in Proc. 1st IEEE Workshop on VoIP Management and Security, 2006, pp. 53–58.Google Scholar
  5. 5.
    G. Cormode and S. Muthukrishnan, “An Improved Data Stream Summary: The Count-Min Sketch and its Applications,” J. Algorithms, 2004.Google Scholar
  6. 6.
    I. Daubechies, Ten Lectures on Wavelets, Philadelphia, PA: SIAM, 1992.CrossRefzbMATHGoogle Scholar
  7. 7.
    S. Donovan, and J. Rosenberg, “Session Timers in the Session Initiation Protocol (SIP),” IETF RFC 4028, Apr. 2005.Google Scholar
  8. 8.
    S. Elhert, C. Wang, T. Magedanz and D. Sisalem, “Specification-Based Denial-of-Service Detection for SIP Voice-over-IP Networks,” in Proc. 3rd IEEE International Conference on Internet Monitoring and Protection, 2008, pp. 59–66.Google Scholar
  9. 9.
    D. Geneiatakis, G. Kambourakis, T. Dagiuklas, C. Lambrinoudakis and S. Gritzalis, “SIP Security Mechanism: A State-of-the-Art Review,” in Proc. 5th International Network Conference, 2005, pp. 147–155.Google Scholar
  10. 10.
    D. Geneiatakis, T. Dagiuklas, G. Kambourakis, C. Lambrinoudakis, S. Gritzalis, K. S. Ehlert and D. Sisalem, “Survey of Security Vulnerabiliteis in Session Initiation Protocol,” IEEE Communication Surveys & Tutorials, vol. 8, no. 3, pp. 68–81, 2006.CrossRefGoogle Scholar
  11. 11.
    A. Gilbert, S. Guha, P. Indyk, S. Muthukrishnan and M. Strauss, “Quicksand: Quick Summary and Analysis of Network Data,” DIMACS Technical Report 2001–43, 2001.Google Scholar
  12. 12.
    F. Gustafson and M. Lindahl, “Evaluation of statistical distributions for VoIP traffic modelling,” University Essay from University West, Department of Economics and IT, 2009.Google Scholar
  13. 13.
    C. Huang, S. Thareja and Y. Shin, “Wavelet-Based Real Time Detection of Network Traffic Anomalies,” in Proc. Securecomm and Workshops, 2006.Google Scholar
  14. 14.
    B. Krishnamurthy, S. Sen, Y. Zhang and Y. Chen, “Sketch-based Change Detection: Methods, Evaluation, and Applications,” in Proc. ACM SIGCOMM IMS, 2003.Google Scholar
  15. 15.
    A. Lakhina, M. Crovella and C. Diot, “Diagnosing Network-Wide Traffic Anomalies,” in Proc. ACM SIGCOMM, 2004.Google Scholar
  16. 16.
    A. Lakhina, M. Crovella and C. Diot, “Mining Anomalies Using Traffic Feature Distribution,” in Proc. ACM SIGCOMM, 2005.Google Scholar
  17. 17.
    X. Li, F. Bian, M. Crovella and C. Diot, “Detection and Identification of Network Anomalies Using Sketch Subspaces,” in Proc. ACM IMS, 2006.Google Scholar
  18. 18.
    W. Lu, M. Tavallaee and A. Ghorbani, “Detecting Network Anomalies Using Different Wavelet Basis Functions,” in Proc. Communication Networks and Services Research Conference, 2008.Google Scholar
  19. 19.
    J. Rosenberg, H. Schulzrinne and G. Camarillo, “SIP: Session Initiation Protocol,” IETF RFC 3261, Jun. 2002.Google Scholar
  20. 20.
    R. Schweller, Z. Li, Y. Chen, Y. Gao, A. Gupta, Y. Zhang, P. Dinda, M. Kao and G. Memik “Reverse Hashing for High-Speed Network Monitoring: Algorithms, Evaluation, and Applications” in Proc. IEEE INFOCOM, 2006.Google Scholar
  21. 21.
    H. Sengar, H. Wang, D. Wijesekera and S. Jajodia, “Detecting VoIP Floods Using the Hellinger Distance,” IEEE Trans. Parallel Distrib. Syst., vol. 19, no. 6, pp. 794–805, Jun. 2008.CrossRefGoogle Scholar
  22. 22.
    SIP Express Router, [Online.] Available:
  23. 23.
    D. Sisalem, J. Kuthan and S. Ehlert, “Denial of Service Attacks Targeting a SIP VoIP Infrastructure: Attack Scenarios and Prevention Mechanisms,” IEEE Network, vol. 20, no. 5, pp. 26–31, 2006.CrossRefGoogle Scholar
  24. 24.
    M. Stephens, “EDF Statistics for Goodness of Fit and Some Comparisons,” Journal of the American Statistical Association, vol. 69, pp. 730–737, 1974.CrossRefGoogle Scholar
  25. 25.
    VoIPSA, “VoIP Security and Privacy Threat Taxonomy,” Public Release 1.0, 2005.Google Scholar
  26. 26.
    S. Vuong and Y. Bai, “A Survey of VoIP Intrusion and Intrusion Detection System,” in Proc. IEEE 6th International Conference on Advanced Communication Technology, 2004, pp. 317–322.Google Scholar
  27. 27.
    G. Yang and L. Le Cam, Asymptotics in Statistics: Some Basic Concepts, second edition, Wiley, Mar. 2006.Google Scholar

Copyright information

© The Author(s) 2013

Authors and Affiliations

  • Jin Tang
    • 1
  • Yu Cheng
    • 2
  1. 1.AT&T LabsWarrenvilleUSA
  2. 2.Department of Electrical and Computer EngineeringIllinois Institute of TechnologyChicagoUSA

Personalised recommendations