On the Use of SVMs to Detect Anomalies in a Stream of SIP Messages

Ferdous, Raihana; Cigno, Renato Lo; Zorat, Alessandro

doi:10.1109/icmla.2012.109

Cited by 13 publications

(7 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…firewalls) [18], learning techniques [19], and/or identification of deviations from a priori statistics [9]. In [10] supportvector-machine classifiers were adopted to label incoming SIP messages as good or bad. A SIP message lexical analysis was developed to filter the messages that are not formed according to the standard and in a second stage a semantic filter was applied to the stream of the surviving messages to remove syntactic errors.…”

Section: B Sip Vulnerabilitiesmentioning

confidence: 99%

“…Machine learning has also being adopted in the telecommunications arena [7], [8], as it can bring many advantages in the processing of bulks of data that are generated by a plethora of different sources. Multiple tools have already been proposed to prevent SIP attacks caused by SIP message payload tampering [9], [10], and SIP message flooding [11], [12]. However, the attacks caused by SIP message flow tampering, a.k.a.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Machine Learning Approach for Prediction of Signaling SIP Dialogs

2021

View full text Add to dashboard Cite

In this paper, we propose a machine learning methodology for prediction of signaling sessions established with the Session Initiation Protocol (SIP). Given the increasing importance of predicting and detecting abnormal sequences of SIP messages to avoid SIP signaling-based attacks, we first propose a Bayesian inference method capable of representing the statistical relation between a SIP message, observed by a SIP user agent or a SIP server, and prior trustworthy SIP dialogs. The Bayesian inference method, a Hidden Markov Model (HMM) enriched with n−gram Markov observations, is updated over time, so the inference can be used in real-time. The HMM is then used for predicting and detecting SIP dialogs through a lightweight implementation of Viterbi algorithm for sparse state spaces. Experimental results are also reported, where a SIP dataset representing prior information collected by a SIP user agent and/or a SIP server is used to predict or detect if a received sequence of SIP messages is legitimate according to similar SIP dialogs already observed. Finally, we discuss the results obtained for a dataset of abnormal SIP sequences, not observed during the inference stage, showing the effective utility of the proposed methodology to detect abnormal SIP sequences in a short period of time.

show abstract

Section: B Sip Vulnerabilitiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Machine Learning Approach for Prediction of Signaling SIP Dialogs

2021

View full text Add to dashboard Cite

show abstract

“…Tang et al [21] also use the Hellinger distance in conjunction with the sketch data structure to detect flooding attacks. Ferdous et al [11] present a two-stage filter wherein the first stage runs a lexical analyzer to determine the validity of the SIP message and the second stage identifies messages that differ in structure or content from previously known good messages.…”

Section: Related Workmentioning

confidence: 99%

Cognitive Security

Jagadeesan

Bride

Gurbani

et al. 2015

Proceedings of the Principles, Systems and Applications on IP Telecommunications

View full text Add to dashboard Cite

Virtualized networks offer the potential to dynamically reconfigure themselves in real-time. Coupled with automated real-time analytics, these capabilities can be leveraged to enable such networks to automatically detect security threats in real-time, dynamically reconfigure themselves to protect against these threats, and automatically immunize themselves against evolving threats. We present an approach that combines real-time analytics with autonomics -using anomaly detection to identify potential security threats, in combination with autonomics to enable dynamic network reconfigurations to mitigate against these threats. A key challenge is to distinguish "good anomalies" arising from legitimate increases in network traffic, for example due to natural disasters, flash mobs, or other unexpected events, from "bad anomalies" arising from potential security attacks, as the autonomic actions may widely vary: e.g., dynamic increase of network resources for increases in legitimate traffic, instantiation of virtual security functions in the face of security attacks. We present a combination of machine learning based detection with temporal logic based analysis that provides a foundation for distinguishing these anomalies and enabling dynamic network autonomics in response. We illustrate our approach through a case study on distributed denial of service attacks on SIP-based virtualized networks.

show abstract

“…However, the features used in these systems will not detect mimicry attacks launched by carefully crafted anomalous SIP messages of the form we study in this paper. Ferdous et al [19] use support vector machines to classify SIP messages, but their definition of anomalous messages consists of fairly coarse deviations from normal messages such that IDS are capable of filtering such anomalous messages. As we show in Section III, our anomalous messages bypass intrusion detection systems.…”

Section: Related Workmentioning

confidence: 99%

Mitigating Mimicry Attacks Against the Session Initiation Protocol

Marchal

Mehta

Gurbani³

et al. 2015

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

The US National Academies of Science's Board on Science, Technology and Economic Policy estimates that the Internet and voice-over-IP (VoIP) communications infrastructure generates 10% of US economic growth. As market forces move increasingly towards Internet and VoIP communications, there is proportional increase in Telephony Denial of Service (TDoS) attacks. Like Denial of Service (DoS) attacks, TDoS attacks seek to disrupt business and commerce by directing a flood of anomalous traffic towards key communication servers. In this work, we focus on a new class of anomalous traffic that exhibits a mimicry TDoS attack. Such an attack can be launched by crafting malformed messages with small changes from normal ones. We show that such malicious messages easily bypass Intrusion Detection Systems (IDS) and degrade the goodput of the server drastically by forcing it to parse the message looking for the needed token. Our approach is not to parse at all; instead, we use Multiple Classifier Systems (MCS) to exploit the strength of multiple learners to predict the true class of a message with high probability (98.50% ≤ p ≤ 99.12%). We proceed systematically by first formulating an optimization problem of picking the minimum number of classifiers such that their combination yields the optimal classification performance. Next, we analytically bound the maximum performance of such a system and empirically demonstrate that it is possible to attain close to the maximum theoretical performance across varied datasets. Finally, guided by our analysis we construct an MCS appliance that demonstrates superior classification accuracy with O(1) runtime complexity across varied datasets.

show abstract

On the Use of SVMs to Detect Anomalies in a Stream of SIP Messages

Cited by 13 publications

References 10 publications

A Machine Learning Approach for Prediction of Signaling SIP Dialogs

A Machine Learning Approach for Prediction of Signaling SIP Dialogs

Cognitive Security

Mitigating Mimicry Attacks Against the Session Initiation Protocol

Contact Info

Product

Resources

About