Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May- 2015
ISSN 2229-5518
Index Terms-Session initiation protocol, SD-key, flooding attack, multi-dimensional sketch, Hellinger distance.
I. INTRODUCTION
The Voice over IP (VoIP) is becoming
prevailing, not just a supplement of the traditional
public switched telephone network (PSTN), due to
various benefits such as cost-efficient deployment,
plenty of features, and convenience
for service
integration. However, since the Internet Protocol (IP)
network is an open transport infrastructure, the security
issues (for ex- ample the flooding attack) become a
major concern, although such network anomalies are
considered minimal in PSTN. Moreover, VoIP services
depend on the Session Initiation Protocol (SIP) [1] to
establish, manage and terminate sessions. The open and
transactional nature of SIP makes VoIP suffer more
from flooding attacks since resources will be exhausted
easily [9]. This paper addresses the important issue on
how to timely and accurately detect the SIP flooding
attack. Generally, there are two major approaches for
anomaly detection, namely, signature based and
behavior based. The signature based approach profiles
known network anomalies as signatures. Detection
systems in this approach raise alert if the on-going
traffic patterns match the profiled signatures. It can
accurately identify known attacks but is not able to
detect new anomalies. Rather than profiling known
attacks, the behavior based approach builds models that
represent normal behaviors on the network.
Sheik mohideen is currently pursuing masters
degree program in computer science and engineering,
MAR College of Engineering and Technology, India,
E-mail: sheikmohideen.h@gmail.com
Alarms are raised if the observed by the model. The
main advantage of the behavior based approach is that
new anomalies can be detected. Our SIP flooding
IJSER 2015
http://www .ijser.org
552
International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May- 2015
ISSN 2229-5518
on the sketch data, rather than directly on the physical
attributes. Thus, our scheme is fully effective to the
multi-attribute attacks. Moreover, we develop an
estimation freeze scheme that can protect the HD
threshold estimation from being impacted by the
attacks. A side benefit of the estimation freeze scheme
is that the duration of attacks can be traced.
II. SYSTEM MODEL
A. VoIP with SIP
SIP is a text-based application layer signaling
protocol to establish, manage and terminate VoIP calls.
User Agent Client (UAC), User Agent Server (UAS)
and SIP proxy/server are three basic components in a
SIP environment. To establish a VoIP call, UAC sends
a SIP INVITE message to UAS through a SIP proxy.
The SIP address of the calling UAC is encoded at the
first line of the INVITE. After UAS answers the call,
two additional messages, 200 OK and ACK are then
exchanged to accomplish the procedure of call
establishment. The termination of a SIP call is indicated
by a BYE message sent from either UAC or UAS after
hanging up.
B. Threat Model
SIP is vulnerable to network anomalies such as
the IN- VITE flooding attack. Such attacks can be
easily mounted by utilizing various SIP traffic
generators openly available on the Internet, for
example, SIPp [4]. SIP proxies or servers will be
overwhelmed by thousands of INVITE messages just
within a short period of time. Moreover, being a
transactional protocol, SIP may require the proxies to
maintain a state for each INVITE message for some
time when it is expecting the associated 200 OK. The
resources of SIP proxies will be exhausted in nearly real
time if the attack rate is high enough. Thus the SIP
INVITE flooding attack is deteriorating to the VoIP
network. We focus our discussion on the INVITE
flooding case first. Attacks utilizing other SIP attributes
can be addressed in a similar way and will be further
discussed in Section IV.
C. Sketch Technique
The sketch data structure is a probabilistic data
summary technique. It randomly aggregates high
dimensional data streams into smaller dimensions. In
the data model used by sketch, each data item ai
= (ki , vi) consists of a key ki and its associated
value vi . When a new data item arrives, its value will
be added to an entry with the same key in the model. In
our scheme, we use SIP address as the key and the
number of INVITE from the address as the related
value.
A sketch is basically an H K table, each row of
which is associated with a hash function [7] and all the
hash functions are independent from each other.
Thus sketch can also be interpreted as an array of H
hash tables of size K. suppose the original data set has a
high dimension of X, applying a hash function to the
IJSER 2015
http://www .ijser.org
553
International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May- 2015
ISSN 2229-5518
The sketch can set a target sketch distribution,
which is independent of the hash function and kept as
confidential secrets to the SIP server. When a normal
user applies for the SIP service, an SD-key will be
calculated to bond the hash output together with the
confidential sketch distribution. Later when a normal
user makes a SIP call, it needs to offer its SD-key to
the server based on which its sketch entry is calculated.
III. DETECTION SCHEME DESIGN
Our detection scheme is based on integrating
the two techniques introduced in Section II, sketch and
Hellinger distance.
A. Training and Estimation
Let SIP messages in a VoIP network be the input
stream to the detection system. Time is divided into
discrete intervals and each interval is of a fixed length
t. In each detection cycle, we organize the data being
analyzed into a training set and a test set. The training
period consists of n consecutive time intervals and the
test period is the interval right after.
Assumedly there is no attack in the initial training set.
We then build an H K sketch from the set for the
INVITE messages. As described in Section II, we use
the SIP addresses of the senders of the INVITEs as the
hash keys. For messages hashed to the same position in
a sketch table, the total number of them will be the
value of that entry. Similarly, a H K sketch is built
for the messages in the test set as well. The
resultant two sketches will be the input to calculate the
Hellinger distance. For the H K table of the training
set, we obtain a probability distribution P1 from the
first row of it. In order to achieve this, suppose the
values of the K entries are n1 , n2 , , nK , we
add them up and get a number N . Then we define the
distribution P1
IJSER 2015
http://www .ijser.org
554
International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May- 2015
ISSN 2229-5518
probability distribution obtained from the current test
set sketch. Thus the Hellinger distance between the
first rows of the two sketches, H D1 will become
larger than the threshold and anomaly detection is
registered. Note that no attack alarm is raised yet at
this point.
We then perform an estimation freeze scheme that
consists of two actions. First, we freeze the current
training set and only proceed the test set to the next
time interval. As a result, in the next cycle the
Hellinger distance will be between the frozen normal
training set and the proceeded current test set. This
one freezing one proceeding action will keep on
until H D1 goes below the threshold. The purpose for
doing this is to keep H D1 high during attack. Second,
we freeze the threshold and will not update it
according to equations (5), (6), (7) and (8) until H D1
drops below it. This can protect the threshold from
being impacted by the flooding attacks and make it
stable during attack. As a side effect, these two
actions together determine the duration of a registered
anomaly because H D1 is above the threshold all
through the attack and goes down right afterwards.
When the detected anomaly is over, we will include
the next normal test set into the training set, move
forward the training set for one time interval
accordingly and update the threshold. The traffic
during attacking intervals will never be included in the
training set.
Similar actions are taken between every two
related rows in the two sketches if they also detect
significant changes in traffic and each of them will
register anomaly independently. Note that every two
related rows maintain their own independent evolving
threshold as well.
Random aggregation in sketch brings information
loss in each row. Thus in one time interval certain rows
may detect changes where as others may not. As
mentioned above, to increase detection confidence
and assure high accuracy, we apply a voting
procedure: if at least z rows out of H register
anomalies, an attack alarm is finally raised.
IJSER 2015
http://www .ijser.org
555
International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May- 2015
ISSN 2229-5518
we can see that H D 1 remains high and threshold
keeps constant during attack. They together precisely
determine the duration of an attack, which lasts for 3
time intervals. Both the HD and threshold evolve with
the dynamic of the traffic and thus preserve the
ability to detect attack online. Whereas in [3], the
threshold does not react accordingly under attack and
remain low as if it is always predicted from normal
condition. We think this approach does not accurately
reflect the online traffic situation.
We repeat the experiment for several times and
change the attack rates accordingly. The detection
results are shown in Table I. We can see that even the
attack rate is as low as 35 per second, our scheme can
still identify it with the accuracy of 100 percent.
Table I
Detection Result
35
50
30
100%
75
30
100%
100
30
100%
500
30
100%
Flooding Rate
IJSER 2015
http://www .ijser.org
556
International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May- 2015
ISSN 2229-5518
flooding target is a proxy or server. This is because
SIP messages can be sent to one proxy or server no
matter what address is in the SIP destination header
field. Hence destination SIP address here does not
make sense.
Schemes presented in [15], [16] work effectively to
detect the SIP flooding DoS attacks. SIP
transactional models are built to detect deviations
from normal behaviors. However, these schemes are
customized specifically to the SIP protocol and cannot
be easily generalized to be applied in other
flooding detection case. In our scheme, we can use
attributes in protocols other than SIP as key to profile
traffic and thus have a generic method to detect other
flooding attacks.
VI. CONCLUSION
Flooding attack is a severe threat in a VoIP
network. In this paper, we propose an online VoIP
flooding detection scheme by integrating two
techniques, sketch and Hellinger distance. We first
utilize sketch to build fixed-size compact summaries
of the SIP signaling message flows. The random
aggregation property of sketch provides flexibility to
summarize high dimensional user data into much lower
dimensions. Hellinger distance is used to profile
normal traffic behaviors and detect attacks based on
probability distributions defined from the sketch
tables. The estimation freeze scheme presented shows
its ability to both protect the threshold estimation from
being impacted by the attacks and determine the
durations of the attacks. Finally, a voting procedure is
applied to assure the detection accuracy. Since we
define distributions based on single SIP attributes, our
scheme is fully effective to the multi- attribute attack.
Performance evaluation shows that the scheme
preserves high detection accuracy even when the attack
rate is very low. In our future work, we will further
develop our scheme to improve its attack prevention
rate against large scale DDoS attacks and more
comprehensively evaluate the scheme using extensive
VoIP traffic traces. Also, we will further address the
issue of quickly and accurately detecting the stealthy
flooding attack based on the idea of wavelet analysis.
REFERENCES
[1] J. Rosenberg, H. Schulzrinne and G. Camarillo,
SIP: Session Initiation Protocol, IETF RFC 3261,
June 2002.
[2] G. Yang and L. Le Cam, Asymptotics in Statistics:
Some Basic Concepts, second edition, Wiley, March
2006.
[3] H. Sengar, H. Wang, D. Wijesekera and S. Jajodia,
Detecting VoIP Floods Using the Hellinger Distance,
IEEE Transactions on Parallel and Distributed Systems,
vol. 19, no. 6, pp. 794-805, June 2008.
[4] SIPp, [Online:]http://sipp.sourceforge.net/.
[5] A. Gilbert, S. Guha, P. Indyk, S. Muthukrishnan
and M. Strauss, Quicksand: Quick Summary and
IJSER 2015
http://www .ijser.org