Detection and Prevention of SIP Flooding Attacks in Voice over IP Networks
Jin Tang, Yu Cheng and Yong Hao
Department of Electrical and Computer Engineering, Illinois Institute of Technology
IEEE INFOCOM 2012
Presenter: 徐裕量, 2013/1/29
Outline
Introduction
System Model
Performance Evaluation
Discussion
Conclusion
Introduction
Compared to the traditional public switched telephone network (PSTN), voice over IP (VoIP) is a much more economical technology.
The tradeoff is more security concerns, due to its open infrastructure, which is mainly based on the session initiation protocol (SIP) and the Internet protocol (IP).
Introduction (cont.)
The SIP flooding attack is among the most severe of all because it is easy to launch and capable of quickly draining the resources of both networks and nodes.
System Model
VoIP utilizes SIP as the application-layer signaling protocol to establish.
At the transport layer, SIP normally favors the user datagram protocol (UDP) over the transmission control protocol (TCP) due to the simplicity of UDP and the connection-oriented nature of SIP itself.
System Model (cont.)
1) INVITE Flooding: In this attack, thousands of INVITE messages are generated and transmitted to the victim proxy servers which can barely support all of them.
2) BYE Flooding: Therefore it can be utilized by the attackers to bring down ongoing VoIP phone calls.
3) Multi-Attribute Flooding: Intelligent attackers can launch different forms of SIP flooding attacks together to the victim proxy servers in a distributed manner.
System Model (cont.)
1) Sketch: The sketch data structure is a probabilistic data summarization technique.
System Model (cont.)
2) Hellinger Distance: To compute HD, suppose that we have two histogram distributions on the same sample space, namely, P = (p1, p2, ⋅⋅⋅, pn) and Q = (q1, q2, ⋅⋅⋅, qn). The HD between the two distributions is defined as follows
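An added example (not from the slides or the paper) of how the sketch and HD fit together: SIP senders are hashed into a small fixed table, and the table from a training window is compared with the table from a test window. It uses the standard squared Hellinger distance; the bucket count, fixed threshold, majority rule and SIP URIs are assumptions made for illustration.

```python
import hashlib
import math

def sketch_row(senders, buckets, seed):
    """One sketch row: hash each sender URI into a bucket and count messages."""
    counts = [0] * buckets
    for s in senders:
        digest = hashlib.sha256(f"{seed}|{s}".encode()).digest()
        counts[int.from_bytes(digest[:8], "big") % buckets] += 1
    return counts

def to_distribution(counts):
    """Normalize bucket counts into a histogram distribution."""
    total = sum(counts)
    return [c / total for c in counts] if total else [0.0] * len(counts)

def hellinger_sq(p, q):
    """Squared Hellinger distance: 0 for identical, 1 for disjoint histograms."""
    return 0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))

def row_distances(train, test, buckets=32, rows=3):
    """HD^2 between training and test windows, one value per hash row."""
    out = []
    for seed in range(rows):
        p = to_distribution(sketch_row(train, buckets, seed))
        q = to_distribution(sketch_row(test, buckets, seed))
        out.append(hellinger_sq(p, q))
    return out

def is_flood(train, test, threshold=0.1):
    """Flag when most rows exceed the threshold (assumed rule and value)."""
    d = row_distances(train, test)
    return sum(x > threshold for x in d) > len(d) // 2

# Constructed sample windows: one INVITE sender URI per list element.
TRAIN = [f"sip:user{i}@example.com" for i in range(1000)]
NORMAL = [f"sip:user{i}@example.com" for i in range(500, 1500)]
# Five constructed senders, each repeating 1000 times in the same window.
ATTACK = NORMAL + [f"sip:bot{i}@example.net" for i in range(5)] * 1000

if __name__ == "__main__":
    print("normal:", row_distances(TRAIN, NORMAL), is_flood(TRAIN, NORMAL))
    print("attack:", row_distances(TRAIN, ATTACK), is_flood(TRAIN, ATTACK))
```

The table size stays fixed no matter how many distinct senders appear, which is why a sketch suits a proxy that sees a large user population.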
Performance Evaluation
In the normal condition, the average call generating rate is uniformly distributed from 25 to 75 per second with a mean of 50.
The senders of the messages are chosen from 100,000 users.
Performance Evaluation (cont.)
When K increases, the prevention rate increases accordingly.
As K becomes larger than the number of attackers, 300, we achieve almost 100% accuracy.
Discussion
Under stealthy attack circumstances, intelligent and patient attackers start with no rush from a low initial rate.
This stealthy attack does not cause sudden directly observable changes in traffic.
Discussion (cont.)
To effectively detect the stealthy flooding attack, we should quickly identify the deviation from normal traffic brought by the attack.
Such thoughts inspire us to resort to wavelet analysis, a signal processing technique which is able to decompose the observed traffic measures into different levels and enable observations on these more detailed levels to identify the deviation.
Conclusion
The paper proposes an online VoIP flooding detection and prevention scheme by integrating two techniques, sketch and Hellinger distance.
The “estimation freeze mechanism” presented shows its ability to both maintain the information about normal behavior under attack and determine the durations of the flooding attacks.