Hassan Asgharian - Computer Engineering, Iran University of Science and Technology, Tehran, Iran
Ahmad Akbari - Computer Engineering, Iran University of Science and Technology, Tehran, Iran
Bijan Raahemi - School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Canada

Session Initiation Protocol (SIP) is the main signaling protocol of next generation networks (NGN). SIP based applications are usually deployed over the Internet, for which their text-based nature and internal stateful operation make them vulnerable to different types of attacks. The real-time functionality of SIP based applications make their related security systems more complex. On the other hand, automatic response to intrusions is one of the most important issues in securing different applications. The current state of intrusion detection systems (IDS) is that they often generate too many same or similar alerts for one intrusion which makes the function of response system unreliable. In this paper, we propose a security framework for automatic intrusion response in SIP environments. Our framework consists of specific firewall, detection engine and response part. The SIP firewall works based on URIs (universal reference identifier), and filters the incoming packets in the edge of network. Input packets are directed to the specification based detection engine which works based on the proposed exactly engineered features. The output of this system and the current state of the SIP proxy (e.g. call completion rate, call rejection rate and etc.) are fed to the response system to make a final decision. A prepared test bed is used for analyzing the performance of the proposed response system, measuring its performance using three distinct datasets. The experimental results show the performance of the proposed response system in terms of detection rates.

SIP IDS, flooding attacks, NGN and IMS security, Intrusion Response System