Detecting Flood-based Attacks against SIP Proxy Servers and Clients using Engineered Feature Sets

Session Initiation Protocol (SIP) is the main signaling protocol of the next generation networks. The security issues of SIP-based entities (i.e. proxy servers and clients) have a direct impact on the perceived quality of experience of end users in multimedia sessions. In this paper, our focus is on the S IP flooding attacks including denial of service and distributed denial of service attacks. After classifying various types of SIP attacks based on their sources, we extract four feature sets based on the specification of its attack group, as well as the normal behavior of the SIP state machine specified in RFC 3261. We then minimize the number of derived features in each set to reduce the computational complexity of our proposed approach. This facilitates employing the engineered feature sets in embedded S IP-based devices such as cell phones and smart TVs. We evaluate the performance of the proposed feature sets in detecting SIP attack sequence. For this, we design and implement a real test-bed for SIP-based services to generate normal and attack traffics. The experimental results confirm that the engineered feature sets perform well in terms of detection accuracy and false alarm rates in classifying benign and anomaly traffic in various attack scenarios.