A Self-learning System for Detection of Anomalous SIP Messages

  • Konrad Rieck
  • Stefan Wahl
  • Pavel Laskov
  • Peter Domschitz
  • Klaus-Robert Müller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5310)


Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages in a feature space and determining their deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.


Intrusion Detection; Session Initiation Protocol; Intrusion Detection System; Network Intrusion Detection; Session Initiation Protocol Message
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Konrad Rieck (1)
  • Stefan Wahl (2)
  • Pavel Laskov (1, 3)
  • Peter Domschitz (2)
  • Klaus-Robert Müller (1, 4)
  1. Fraunhofer Institute FIRST, Intelligent Data Analysis, Berlin, Germany
  2. Bell Labs Germany, Alcatel-Lucent, Stuttgart, Germany
  3. University of Tübingen, Wilhelm-Schickard-Institute, Germany
  4. Dept. of Computer Science, Technical University of Berlin, Germany
