Detecting SIP Flooding Attacks Against IMS Network

    Abstract:

    To detect SIP (Session Initiation Protocol) flooding attacks against the IP Multimedia Subsystem of the 3G core network, this study proposes a detection approach based on double sampling and a variable sampling interval. Using a Counting Bloom Filter for the statistical detection of characteristic information, the approach divides the detection space into five areas, namely the normal range, interesting range, detection range, precise detection range, and attack range, and detects the statistical data falling in each of these ranges. Simulation results show that the approach has good detection performance.

王尚广, 孙其博, 杨放春. Detecting SIP Flooding Attacks Against IMS Network. Journal of Software, 2011, 22(4): 761-772

History
  • Received: May 05, 2009
  • Revised: January 05, 2010