New misuse detection algorithm for SIP faked response attacks


Dahham Allawi 1, Alaa Aldin Rohiem 2, Ali El-moghazy 3, and Ateff Zakey Ghalwash 4
1,2,3 Military Technical College, Cairo, Egypt
4 Helwan University, Cairo, Egypt

Abstract: Session Initiation Protocol (SIP) is today considered the standard protocol for multimedia signaling, and the result is a very generic protocol. SIP is specified by the IETF in RFC. From a structural and functional perspective, SIP is an application-layer, text-based signaling protocol used for creating, modifying, and terminating multimedia communication sessions among Internet endpoints. Unfortunately, SIP-based application services can suffer from various security threats such as denial of service (DoS) attacks. The existing security solutions for IP networks (IPsec, TLS, ...) cannot detect new SIP-specific network attacks because they do not reflect the characteristics of SIP. In this paper we present a new misuse detection algorithm, which detects a large number of SIP faked response attacks. The proposed algorithm is tested using a multimedia network and compared with three well-known misuse detection algorithms. The test results show that the new algorithm has high detection accuracy and excellent completeness.

Keywords: Session Initiation Protocol (SIP), Denial of Service (DoS), Intrusion Detection System (IDS), SIP faked response attacks.

1. INTRODUCTION

SIP-based systems are gaining in popularity as the technology for transmitting voice and video traffic over IP networks. SIP is used for many session-oriented applications, such as calls, multimedia distribution, video conferencing, and instant messaging. The deployment of various SIP-based services raises many security challenges: these systems are subjected to different kinds of intrusions, some of which are specific to such systems, and some of which follow a general pattern of attacks against an IP infrastructure.
SIP can be used to attack systems; denial of service (DoS) attacks are the main concern, causing loss of availability of SIP-based systems. DoS attacks can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (the victim). The aim of a DoS attack is to steal network resources or to degrade the service perceived by users; the attack focuses on rendering a network or service unavailable.

A cross protocol detection technique was presented in [10]-[11] to detect some types of SIP signaling attacks. This technique observes the SIP messages to extract the session information, then investigates media traffic after observing a BYE message. If RTP traffic is observed after the BYE message, it is highly likely that this is a BYE attack. The retransmission detection scheme was used in [12] to detect deregistration, BYE, and CANCEL attacks. When the SIP server receives one of the mentioned attack messages, the detection algorithm asks the user to retransmit the last message that was sent to the server. If the retransmitted message is identical to the message that the server had received, it is recognized as a normal message. Otherwise, the server knows that the message was sent from an unauthorized user. The Conflict Based Attack Detection Algorithm (CBADA) is proposed in [13]; it relies on state conflict and message conflict to detect some SIP signaling attacks (deregistration, BYE, call hijacking, and CANCEL attacks).

This paper introduces a new misuse detection algorithm for SIP faked response attacks. Section 2 presents a SIP overview. Section 3 addresses the possible DoS attacks against SIP-based systems. Section 4 focuses on SIP faked response attacks. Section 5 presents the proposed algorithm to detect SIP faked response attacks, while section 6 concludes the paper and gives some pointers about future work.

2. SIP OVERVIEW

SIP is an application-layer protocol designed to support the setup of bidirectional communication sessions. It is text-based, has a request-response structure, and uses a user authentication mechanism based on HTTP Digest Authentication. It can operate over UDP, TCP, and SCTP [1], although it most commonly operates over UDP. SIP is a client-server protocol; the main SIP entities are endpoints (soft phones or physical devices), a proxy server, a registrar, a redirect server, and a location server. Endpoints communicate with a registrar to indicate their presence. This information is stored in the location server. All SIP messages are either requests from a client or responses to the request from the server [1]. For each request, the SIP server generates a SIP response to indicate the status of the request. The IETF in RFC 3261 defines the essential six SIP methods (requests) and the six classes of responses. The exchanged SIP message and its corresponding responses between client and server are called a transaction. Each response message is identified by a numeric status code; table (1) summarizes these responses.

Volume 2, Issue 2 March April 2013 Page 201

Table 1: SIP responses [13]

Seq. | Response | Description
1 | 1xx Informational (provisional) | Request received, continuing to process the request.
2 | 2xx Success (final) | The action was successfully received, understood, and accepted.
3 | 3xx Redirection (final) | Further action needs to be taken in order to complete the request.
4 | 4xx Client Error (final) | The request contains bad syntax or cannot be fulfilled at this server.
5 | 5xx Server Error (final) | The server failed to fulfill an apparently valid request.
6 | 6xx Global Failure (final) | The request cannot be fulfilled at any server.

Figure (1) shows SIP multimedia connection establishment.

Figure 1: SIP multimedia connection establishment

3. SIP DENIAL OF SERVICE (DOS) ATTACKS

A SIP multimedia connection is susceptible to DoS like other IP network services. Moreover, since it is a real-time service, it is even more susceptible to DoS attacks that impact delivery of audio and video. SIP creates a number of potential opportunities for DoS attacks, since SIP entities open themselves to the public Internet in order to receive requests from worldwide IP hosts. DoS can take various forms, but generally involves an attack that prevents users from effectively using the targeted service. SIP DoS attack mechanisms differ according to attack type: some attacks exploit vulnerabilities in SIP protocol implementations, others utilize drawbacks existing in the RFC protocol specification, while others consume resources such as network bandwidth or agent processing capability [2]. SIP DoS attacks are divided into four categories: spoofed message attacks, flooding message attacks, malformed message attacks, and distributed DoS (DDoS).

- Flooding message attacks: The server is overloaded with a high amount of processing and computation of requests generated by the attacker, which makes the system unavailable for requests from other users. If the targeted system is able to continue to process requests, it can become so slow that applications cease to function correctly [3].
- Malformed message attacks: These attacks rely on sending large numbers of malformed messages to a SIP application server. At best, the server's resources are tied up in processing these bogus messages; at worst, the message triggers a failure in the server or leaves it in an unstable state [4].
- Distributed denial of service (DDoS) attacks: These attacks utilize multiple compromised network hosts to conduct a coordinated DoS attack in order to amplify its effect [5].
- Spoofed message attacks: These attacks happen during call establishment, where SIP agents exchange a series of messages; an attacker can impersonate a legal SIP client to modify, deny, or hijack SIP multimedia calls. In this category, we can see six types of attacks, as shown in figure (2).

Figure 2: Important SIP spoofed message attacks

In this paper we focus on the detection of SIP faked response attacks for three reasons:

- These attacks are very effective against SIP session establishment. They instantly terminate the call progress without the legal user noticing.
- An attacker can easily launch such attacks, because the legal user considers any incoming response from the server to be authenticated.
- Little research has been done on this type of attack; most researchers are interested in known SIP spoofed attacks (for example: BYE attack, CANCEL attack, and deregistration attack).

The following sections handle this kind of attack in more detail, along with the proposed misuse detection algorithm.

4. SIP FAKED RESPONSE ATTACKS

SIP authentication is applied only to SIP messages from the client to the servers, and it leaves all the SIP messages from the SIP servers to the client unprotected [3]. An attacker can easily exploit this vulnerability to send a faked response to the client, deny him from completing his call, or redirect the call to another callee. We divide this type of attack into six classes according to server responses, as shown in figure (3).

Figure 3: SIP faked response attacks

4.1 SIP 1xx faked response attacks

Zero, one or multiple provisional responses may arrive before one or more final responses are received. Provisional responses for an INVITE request can create "early dialogs". The early dialog will only be needed if the UAC (User Agent Client) needs to send a request to its peer within the dialog before the initial INVITE transaction completes [1]. An attacker can monitor an INVITE request sent to the server and impersonate the server by sending a faked 1xx SIP response. For example, the attacker can easily send a 180 RINGING attack to the legal user after capturing the INVITE request to prevent him from completing his call, as shown in figure (4).

Figure 4: SIP 180 RINGING attack

In figure (4), user1 wants to call user2. The client (user1) sends an INVITE1 request to the SIP server, and the SIP server asks the client for authentication information with a 407 PROXY AUTHENTICATION REQUIRED response. User1 acknowledges this response with ACK1 and calculates the authentication information, then sends an INVITE2 request with the authentication information to the SIP server. The SIP server handles this request and sends it to user2 if the request is right. At this moment, the attacker captures the INVITE2 request and extracts all important session parameters from it, then responds to the INVITE2 request with a faked 180 RINGING. This response includes all session parameters except the tag in the TO header field, which the attacker sets to a random value to complete the opened dialog. The client will discard all responses (180 RINGING, 200 OK) that do not match the current dialog. The client will complete the current transaction at the client side by sending the final ACK2 to the server. The server will discard the final ACK, and the current transaction does not complete at the server side. As a result, the legal user cannot hold the conversation with its peer.

4.2 SIP 2xx faked response attacks

Multiple 2xx responses may arrive at the UAC (User Agent Client) for a single INVITE request due to a forking proxy [1]. 200 OK is the agreement response at the beginning of a conversation; it is considered an indication of call success. In the same way, the attacker can succeed in attacking the legal client with a 200 OK attack, as shown in figure (5). In this attack, the attacker tricks the legal user with a faked 200 OK; the client receives this response and prepares for the conversation, but the server will discard his final ACK. As a result, the legal user is prevented from the conversation.

Figure 5: SIP 200 OK attack

4.3 SIP 3xx faked response attacks

3xx responses give information about the user's new location, or about alternative services that might be able to satisfy the call [1]. 3xx responses include many types; we examine two of them as attack examples.

A- SIP 305 Use Proxy attack: The requested resource is accessed through the proxy given by the Contact field. The Contact field gives the URI (Uniform Resource Identifier) of the proxy. The recipient is expected to repeat this single request via the proxy. 305 Use Proxy responses must only be generated by UASs (User Agent Servers) [1]. An attacker can use this response as a faked response attack. Figure (6) illustrates the SIP 305 USE PROXY attack.

Figure 6: SIP 305 USE PROXY attack

B- SIP 300 Multiple Choices attack: The address in the request resolved to several choices, each with its own specific location, and the user (or UA) can select a preferred communication end point and redirect its request to that location. The response may include a message body containing a list of resource characteristics and location(s) from which the user or UA can choose the most appropriate one [1]. Figure (7) illustrates the SIP 300 MULTIPLE CHOICES attack.

Figure 7: SIP 300 MULTIPLE CHOICES attack

4.4 SIP 4xx faked response attacks

4xx responses are failure responses from a particular server. The client should not retry the same request without modification [1] (for example, adding appropriate authorization). However, the same request to a different server might be successful. 4xx responses include many responses; we present six of them as attacks.

A- SIP 400 Bad Request attack: The request could not be understood due to malformed syntax. The Reason-Phrase should identify the syntax problem in more detail [1], for example, "Missing Call-ID header field". An attacker can use this response as a faked response attack. Figure (8) illustrates the SIP 400 BAD REQUEST attack, where the attacker responds to the INVITE2 request with a faked 400 BAD REQUEST. This response includes all session parameters except the tag in the TO header field, which the attacker sets to a random value to complete the opened dialog. The client will discard all responses that do not match the current dialog. The client will complete the current transaction at the client side by sending the final ACK2 to the server. The server will discard the final ACK, and the current transaction does not complete at the server side. As a result, the legal user is prevented from conversation with its peer.

Figure 8: SIP 400 BAD REQUEST attack

B- SIP 401 Unauthorized attack: The request requires user authentication. This response is issued by UASs (User Agent Servers) and registrars [1]. An attacker can use this response as a faked response attack. Figure (9) illustrates the SIP 401 UNAUTHORIZED attack. As a result, the client is prevented from service, and must repeat his registration again.

Figure 9: SIP 401 UNAUTHORIZED attack

C- SIP 404 Not Found attack: The server has confirmed information that the user does not exist at the domain specified in the Request-URI. This status is also returned if the domain in the Request-URI does not match any of the domains handled by the recipient of the request [1]. Figure (10) illustrates the SIP 404 NOT FOUND attack. As a result, the client is prevented from service.

Figure 10: SIP 404 NOT FOUND attack

D- SIP 408 Request Timeout attack: The server could not produce a response within a suitable amount of time [1]. An attacker can use this response as a faked response attack. Figure (11) illustrates the SIP 408 REQUEST TIMEOUT attack. As a result, the client is prevented from service, and will believe that the other party does not answer.

Figure 11: SIP 408 REQUEST TIMEOUT attack

E- SIP 480 Temporarily Unavailable attack: The callee's end system was contacted successfully but the callee is currently unavailable (for example, is not logged in, logged in but in a state that precludes communication with the callee, or has activated the "do not disturb" feature). The response may indicate a better time to call in the Retry-After header field. The user could also be available elsewhere (unknown to this server). The reason phrase should indicate a more precise cause as to why the callee is unavailable [1]. An attacker can use this response as a faked response attack. Figure (12) illustrates the SIP 480 TEMPORARILY UNAVAILABLE attack. As a result, the client is prevented from service, and will believe that the other party is not available.

Figure 12: SIP 480 TEMPORARILY UNAVAILABLE attack

F- SIP 486 Busy Here attack: The callee's end system was contacted successfully, but the callee is currently not willing or able to take additional calls at this end system. The response may indicate a better time to call in the Retry-After header field [1]. An attacker can use this response as a faked response attack. Figure (13) illustrates the SIP 486 BUSY HERE attack. As a result, the client is prevented from service, and will believe that the destination is busy.

Figure 13: SIP 486 BUSY HERE attack

4.5 SIP 5xx faked response attacks

5xx responses are failure responses given when a server itself has erred [1] (the error is in the server). 5xx responses include many types; we present three of them as faked attacks.

A- SIP 500 Server Internal Error attack: The server encountered an unexpected condition that prevented it from fulfilling the request. The client may display the specific error condition and may retry the request after several seconds. If the condition is temporary, the server may indicate when the client may retry the request using the Retry-After header field. An attacker can use this response as a faked response attack [1]. Figure (14) illustrates the SIP 500 SERVER INTERNAL ERROR attack. As a result, the client is prevented from service, and will believe that the server cannot answer his request.

Figure 14: SIP 500 SERVER INTERNAL ERROR attack

B- SIP 501 Not Implemented attack: The server does not support the functionality required to fulfill the request. This is the appropriate response when a UAS (User Agent Server) does not recognize the request method and is not capable of supporting it for any user (proxies forward all requests regardless of method) [1]. An attacker can use this response as a faked response attack. Figure (15) illustrates the SIP 501 NOT IMPLEMENTED attack. As a result, the client is prevented from service, and will believe that the server cannot answer his request.

Figure 15: SIP 501 NOT IMPLEMENTED attack

C- SIP 504 Server Time-out attack: The server did not receive a timely response from an external server used in attempting to process the request [1]. An attacker can use this response as a faked response attack. Figure (16) illustrates the SIP 504 SERVER TIME OUT attack. As a result, the client is prevented from service, and will believe that the server cannot answer his request.

Figure 16: SIP 504 SERVER TIME OUT attack

4.6 SIP 6xx faked response attacks

6xx responses indicate that a server has confirmed information about a particular user, not just the particular instance indicated in the Request-URI [1]. 6xx responses include many responses; we present one of them as an attack, the 606 Not Acceptable response. In this response, the user's agent was contacted successfully but some aspects of the session description such as the requested media, bandwidth, or addressing style were not acceptable. A 606 (Not Acceptable) response means that the user wishes to communicate, but cannot adequately support the session described. The 606 (Not Acceptable) response MAY contain a list of reasons in a Warning header field describing why the session described cannot be supported. An attacker can use this response as a faked response attack. Figure (17) illustrates the SIP 606 NOT ACCEPTABLE attack. As a result, the client is prevented from service, and will believe that his request contains an error.

Figure 17: SIP 606 NOT ACCEPTABLE attack

5. THE PROPOSED MISUSE DETECTION ALGORITHM

An Intrusion Detection System (IDS) is an important security tool that is used as a countermeasure to preserve data integrity and system availability against attacks [6]-[7]. The goal of an IDS is to detect malicious traffic. In order to accomplish this, the IDS monitors all incoming and outgoing traffic. There are several approaches to implementing an IDS. Among those, two are the most popular (anomaly and misuse detection), as follows:

- The anomaly detection technique is based on the detection of traffic anomalies. The deviation of the monitored traffic from the normal profile is measured.
- The misuse or signature detection technique looks for patterns and signatures of already known attacks in the network traffic. A constantly updated database is usually used to store the signatures of known attacks [8].
In this section we present a new misuse detection algorithm to detect SIP faked response attacks. In the next subsections we extract the main session parameters, create a signature for these attacks, and evaluate the proposed algorithm.

5.1 Main session parameters

During call initialization between two end points, we can see three objects: session, transaction, and dialog.

A session is created by the client when he asks the server for a service. It is terminated by the final ACK message from the client. A session is identified by the CALL-ID field and the tag in the FROM field. It can include one transaction or more. The first transaction is created along with the session.

A transaction includes a set of exchanged messages (requests and responses). It ends with a sub ACK message from the client. It is identified by the branch in the VIA field. The first message of a transaction is called a half dialog (tag in FROM field). A normal transaction must end simultaneously at the client side and the server side. However, we note that the effect of SIP faked response attacks is ending the transaction at the client side, while it does not end at the server side.

A dialog completes when the server responds to the half dialog message with a final response (tag in TO field). After the dialog completes, the dialog of the request and of the response must be the same within one transaction. SIP faked response attacks set a random value in the tag subfield within the TO field. Therefore, we note a difference in dialog between the faked response and the regular responses as a result of the attack.

5.2 Creating a signature of faked response attacks

From our study and analysis we saw that the effect of SIP faked response attacks is first of all prevention of service. This effect takes two main forms. The first form is ending the current transaction at the client side, while it is still open at the server side. The second form is the difference in dialog between the faked response and the other messages in the transaction. Figure (19) shows this effect on the main session parameters.
Figure 19: Main session parameters during SIP faked response attacks

In figure (19), the attacker captures the INVITE2 request and extracts all important session parameters from it (method, CALL-ID field, branch, tag of TO field, tag of FROM field), then creates a faked response to the INVITE2 request. This faked response includes all session parameters except the tag in the TO header field, which the attacker sets to a random (false) value to complete the opened dialog. The client will discard all true dialog responses (180 RINGING, 200 OK, ...) that are sent by the server and do not match the current dialog. The client will complete the current transaction at the client side by sending the final ACK2 (which includes all the same parameters as the faked response) to the server. The server will discard the final ACK because it does not belong to its transaction, and the current transaction does not end at the server side. We can summarize the effect of these attacks as follows:

- The user who receives the faked response sends back an acknowledgment and discards the other, true response signals.
- The server discards the acknowledgment.
- The call at the user side is in the failure state, but its state at the server side is the initiation phase.

According to this effect, and from figure (19), we can form the signature of SIP faked response attacks as follows: a faked response to an INVITE request, carrying a different dialog, ends the transaction at the client side; after that, the server sends the client one or more true responses belonging to the same transaction. Figure (20) shows this signature. The test results show that this signature is valid for all SIP faked response attacks.

Figure 20: Signature of SIP faked response attacks

5.3 The Detection Procedure

Based on the signature of SIP faked response attacks obtained in the previous subsection, we can form the detection procedure of the proposed algorithm as shown in figure (21). It is based on monitoring an INVITE request followed by a faked response, where this response includes some parameters that differ from the parameters of the response sent from the server after the final ACK. Figure (22) shows the block diagram for the detection method.
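The signature and detection procedure of sections 5.2 and 5.3, as an added Python example (not the authors' C# program, which this page does not show): a passive monitor keyed on CALL-ID, FROM tag and CSeq number that alerts when a response to an already acknowledged INVITE arrives with a different TO tag. The message builder, trace contents, tag values and addresses are constructed for illustration, and only full header names are parsed.

```python
import re
from dataclasses import dataclass, field

TAG_RE = re.compile(r";\s*tag=([^;,\s>]+)", re.I)
BRANCH_RE = re.compile(r";\s*branch=([^;,\s>]+)", re.I)

def _param(rx, value):
    m = rx.search(value or "")
    return m.group(1) if m else None

def parse_sip(raw):
    """Return the session parameters of one SIP message, or None if unusable."""
    lines = raw.strip().splitlines()
    hdr = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; the body is not needed
        name, _, value = line.partition(":")
        hdr.setdefault(name.strip().lower(), value.strip())  # keeps the topmost Via
    try:
        start = lines[0].split()
        is_resp = start[0].upper().startswith("SIP/")
        num, cseq_method = hdr["cseq"].split()
        return {"is_response": is_resp, "status": int(start[1]) if is_resp else None,
                "method": (cseq_method if is_resp else start[0]).upper(),
                "call_id": hdr["call-id"], "cseq": int(num),
                "from_tag": _param(TAG_RE, hdr.get("from")),
                "to_tag": _param(TAG_RE, hdr.get("to")),
                "branch": _param(BRANCH_RE, hdr.get("via"))}
    except (IndexError, KeyError, ValueError):
        return None  # malformed input is skipped instead of crashing the monitor

@dataclass
class InviteState:
    branch: str
    seen: list = field(default_factory=list)  # (status, TO tag) seen before the ACK
    acked_tag: str = None  # TO tag of the response the client acknowledged
    alerted: bool = False

class FakedResponseDetector:
    """Passive monitor: feed it SIP messages in capture order."""
    def __init__(self):
        self.invites = {}  # (CALL-ID, FROM tag, CSeq number) -> InviteState
        self.alerts = []

    def feed(self, raw):
        m = parse_sip(raw)
        if m is None:
            return
        key = (m["call_id"], m["from_tag"], m["cseq"])
        if not m["is_response"]:
            if m["method"] == "INVITE" and m["to_tag"] is None:
                self.invites.setdefault(key, InviteState(m["branch"]))
            elif m["method"] == "ACK" and key in self.invites:
                self.invites[key].acked_tag = m["to_tag"]  # client side is closed
            return
        st = self.invites.get(key)
        if st is None or m["method"] != "INVITE" or m["branch"] != st.branch:
            return  # not a response to a tracked INVITE transaction
        if st.acked_tag is None:
            st.seen.append((m["status"], m["to_tag"]))
        elif m["to_tag"] and m["to_tag"] != st.acked_tag and not st.alerted:
            # Signature: same transaction, response arrives after the client's
            # ACK, and its dialog (TO tag) differs from the acknowledged one.
            st.alerted = True
            faked = next((s for s, t in st.seen if t == st.acked_tag), None)
            self.alerts.append({"call_id": m["call_id"], "faked_status": faked,
                                "faked_to_tag": st.acked_tag,
                                "genuine_status": m["status"], "genuine_to_tag": m["to_tag"]})

def sip(start, cseq, branch, to_tag=None):
    to = "<sip:user2@example.com>" + (f";tag={to_tag}" if to_tag else "")
    return "\r\n".join([start, f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch={branch}",
                        "From: <sip:user1@example.com>;tag=u1tag", f"To: {to}",
                        "Call-ID: c1@client.example", f"CSeq: {cseq}", "", ""])

# Constructed trace following the 180 RINGING walk-through of figure (4).
ATTACK_TRACE = [
    sip("INVITE sip:user2@example.com SIP/2.0", "1 INVITE", "z9hG4bKa1"),
    sip("SIP/2.0 407 Proxy Authentication Required", "1 INVITE", "z9hG4bKa1", "srv407"),
    sip("ACK sip:user2@example.com SIP/2.0", "1 ACK", "z9hG4bKa1", "srv407"),
    sip("INVITE sip:user2@example.com SIP/2.0", "2 INVITE", "z9hG4bKb2"),
    sip("SIP/2.0 180 Ringing", "2 INVITE", "z9hG4bKb2", "rnd9f3"),    # faked
    sip("ACK sip:user2@example.com SIP/2.0", "2 ACK", "z9hG4bKb2", "rnd9f3"),
    sip("SIP/2.0 180 Ringing", "2 INVITE", "z9hG4bKb2", "callee77"),  # genuine
    sip("SIP/2.0 200 OK", "2 INVITE", "z9hG4bKb2", "callee77"),       # genuine
]
# Constructed benign call: a real 486 is acknowledged and nothing follows it.
BENIGN_TRACE = [
    sip("INVITE sip:user2@example.com SIP/2.0", "1 INVITE", "z9hG4bKc3"),
    sip("SIP/2.0 486 Busy Here", "1 INVITE", "z9hG4bKc3", "busy01"),
    sip("ACK sip:user2@example.com SIP/2.0", "1 ACK", "z9hG4bKc3", "busy01"),
]

def run(trace):
    det = FakedResponseDetector()
    for raw in trace:
        det.feed(raw)
    return det.alerts
```

A forking proxy can legitimately return responses with different TO tags for one INVITE, so an alert on a 2xx response should be checked against the proxy's forking behaviour before it is treated as an attack.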
Figure 21: Detection procedure of proposed misuse algorithm

Figure 22: Block diagram for detection method

5.4 Comparative study

In this subsection we compare our proposed algorithm with three misuse detection algorithms used to detect SIP spoofed message attacks. These algorithms are the cross protocol algorithm [10], the retransmission algorithm [12], and the Conflict Based Attack Detection algorithm [13]. Note that:

- The cross protocol detection technique monitors two kinds of traffic in the network (RTP and SIP traffic) to detect the BYE attack, while our proposed algorithm monitors SIP traffic only.
- The retransmission detection scheme asks the user to retransmit the last message that was sent to the server. To do this, the user must store the last SIP message and retransmit it when the server requests it. Our proposed algorithm does not require any retransmission; it monitors SIP traffic only.
- The Conflict Based Attack Detection Algorithm (CBADA) requires sending some legal SIP messages to a particular party to check for state conflict or message conflict, while our proposed algorithm does not require sending any message; it depends on monitoring SIP traffic only.

5.5 Proposed detection algorithm evaluation

To evaluate the effect of SIP faked response attacks on a SIP-based system, we used a test bed which consists of a SIP faked response generator, the Wireshark program, a 3CX SIP server, and two 3CX clients [9], as shown in figure (23).

Figure 23: SIP test bed

Using the SIP faked response generator, we generated eighteen SIP faked response attacks, and we saw that these attacks have a similar effect on the SIP-based system: call denial, the transaction remaining in the progress phase at the server side, and the transaction being terminated at the client side.

To detect the SIP faked response attacks generated by the attacker, we wrote a C# program whose core is the proposed algorithm. Then we tested our proposed algorithm: we generated a number of different faked response attacks (18 attacks), and we observed that the proposed algorithm detected all these attacks without any exception. We can say that the proposed algorithm has the ability to detect all SIP faked response attacks with high accuracy and excellent completeness. Table (2) shows the test results that we obtained.

Table 2: SIP faked response attacks detected by proposed algorithm

SIP Faked Response Attack Type | Detection
RINGING | YES
OK | YES
MULTIPLE CHOICES | YES
USE PROXY | YES
BAD REQUEST | YES
MALFORMED | YES
UNAUTHORIZED | YES
NOT FOUND | YES
REQUEST TIMEOUT | YES
NOT AVAILABLE | YES
CALL/TRANSACTION DOES NOT EXIST | YES
BUSY HERE | YES
REQUEST TERMINATED | YES
SERVER INTERNAL ERROR | YES
NOT IMPLEMENTED | YES
SERVER TIME OUT | YES
DECLINE | YES
NOT ACCEPTABLE | YES

To calculate the accuracy and completeness of the proposed algorithm, we generated all the previous attacks four times as a dataset, and we applied the proposed algorithm to these attacks, as in table (3). Where: Number of correct alarm, false alarm, and false rejection respectively.

Table 3: Accuracy and Completeness of proposed algorithm

Number of faked response attacks | CA | FA | FR | Accuracy | Completeness

Our proposed algorithm has the following features:

1. It belongs to the misuse detection algorithm family.
2. It is a simple algorithm.
3. It depends on SIP traffic monitoring only, without any additional operation (as in some other algorithms).
4. The attacker has no awareness of the detection process, because the proposed algorithm only monitors the SIP messages.
5. The detection process does not require any modification of the standard, or any additional resources.

6. CONCLUSION

The proposed detection algorithm is able to detect SIP faked response attacks with high accuracy and completeness.
It belongs to the misuse detection algorithm family, and has the ability to detect different types of SIP faked response attacks with high detection accuracy and excellent completeness. It is a misuse detection algorithm which utilizes several message parameters as a signature to detect SIP faked response attacks. This signature addresses the behavior of the transaction between the legal client and the server when the client is targeted by faked response attacks. The proposed algorithm is a simple algorithm and depends on traffic monitoring only, without any additional operation. This work will be completed by implementing mechanisms to prevent intrusion.

References

[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard) (June 2002) Updated by RFCs 3265, 3853,
[2] Al-Allouni H., Rohiem A., Abd El-Aziz M. H., and El-moghazy A., VoIP Denial of Service Attacks Classification and Implementation, Proceedings of 26th national radio science conference, Future University, Egypt, March,
[3] Xianglin D., Chien-wei L., Security of VoIP SIP flooding and its Mitigation, Proceeding of The New Zealand Computer Science Research Student Conference,
[4] D. Geneiatakis, G. Kambourakis, C. Lambrinoudakis, A. Dagiouklas, and S. Gritzalis, "A framework for protecting SIP-based infrastructure against Malformed Message Attacks", Science Direct - Computer Networks, Volume 3, No. 10, pp , Elsevier,
[5] E. Chen, Detecting DoS attacks on SIP systems, in 1st IEEE Workshop on VoIP Management and Security, P 53 58,
[6] Premkumar T. Devanbu, Philip, Stuart G. Stubblebine, "Technique for Trusted Software Engineering", Proceedings of the 20th international conference on Software engineering (ICSE), Pages: ,
[7] Chang-Tien Lu, Arnold P. Boedihardjo, Prajwal manalwar, "Exploiting Efficient Data Mining Techniques to Enhance Intrusion Detection Systems", Information Reuse and Integration Conference, Volume, Issue, 15-17,
[8] Mitchell Rowton, Introduction to Network Security Intrusion Detection, December
[9] 3CX Phone System and client for Windows, 2008, Accessed March
[10] Y. Wu, S. Bagchi, S. Garg, and N. Singh, SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments, Proceedings of the International Conference on Dependable Systems and Networks, p , July
[11] H. Sengar, D. Wijesekera, H. Wang, and S. Jajodia, VoIP Intrusion Detection Through Interacting Protocol State Machines, In Proceedings of the 2006 International Conference on Dependable Systems and Networks (DSN 2006), June
[12] Cha, H. et al, "Detection of SIP De-Registration and Call-Disruption Attacks Using a Retransmission Mechanism and a Countermeasure Scheme", IEEE International Conference on Signal Image Technology and Internet Based Systems, p 650,
[13] Husam Al-Alouni, Security of Voice over Internet Protocol, PhD of science thesis, Military Technical College, Cairo, 2010


More information

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč SIP OVER NAT Pavel Segeč University of Žilina, Faculty of Management Science and Informatics, Slovak Republic e-mail: Pavel.Segec@fri.uniza.sk Abstract Session Initiation Protocol is one of key IP communication

More information

Session Initiation Protocol (SIP) Overview

Session Initiation Protocol (SIP) Overview Session Initiation Protocol (SIP) Overview T-110.7100 Applications and Services in Internet 5.10.2010 Jouni Mäenpää NomadicLab, Ericsson Research Contents SIP introduction, history and functionality Key

More information

Compliance with RFC 3261

Compliance with RFC 3261 APPENDIX A Compliance with RFC 3261 This appendix describes how the Cisco Unified IP Phone 7960G and 7940G complies with the IETF definition of SIP as described in RFC 3261. It contains compliance information

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

VoIP Security Threat Analysis

VoIP Security Threat Analysis 2005/8/2 VoIP Security Threat Analysis Saverio Niccolini, Jürgen Quittek, Marcus Brunner, Martin Stiemerling (NEC, Network Laboratories, Heidelberg) Introduction Security attacks taxonomy Denial of Service

More information

Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) Session Initiation Protocol (SIP) Introduction A powerful alternative to H.323 More flexible, simpler Easier to implement Advanced features Better suited to the support of intelligent user devices A part

More information

A Cost-Effective Mechanism for Protecting SIP Based Internet Telephony Services Against Signaling Attacks Dimitris Geneiatakis and Costas Lambrinoudakis Laboratory of Information and Communication Systems

More information

Studying the Security in VoIP Networks

Studying the Security in VoIP Networks Abstract Studying the Security in VoIP Networks A.Alseqyani, I.Mkwawa and L.Sun Centre for Security, Communications and Network Research, Plymouth University, Plymouth, UK e-mail: info@cscan.org Voice

More information

Session Initiation Protocol (SIP) Overview

Session Initiation Protocol (SIP) Overview Session Initiation Protocol (SIP) Overview T-110.7100 Applications and Services in Internet 6.10.2009 Jouni Mäenpää NomadicLab, Ericsson Contents SIP introduction, history and functionality Key concepts

More information

Session Initiation Protocol (SIP) Basic Description Guide

Session Initiation Protocol (SIP) Basic Description Guide Session Initiation Protocol (SIP) Basic Description Guide - 1 - Table of Contents: DOCUMENT DESCRIPTION... 4 SECTION 1 NETWORK ELEMENTS... 4 1.1 User Agent... 4 1.2 Proxy server... 4 1.3 Registrar... 4

More information

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track ISSN: September 2010

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track ISSN: September 2010 Internet Engineering Task Force (IETF) R. Sparks Request for Comments: 6026 Tekelec Updates: 3261 T. Zourzouvillys Category: Standards Track Skype ISSN: 2070-1721 September 2010 Abstract Correct Transaction

More information

The Sys-Security Group

The Sys-Security Group The Sys-Security Group Security Advisory More Vulnerabilities with Pingtel xpressa SIP-based IP Phones How one can exploit vulnerabilities with MyPingtel Portal to subvert a VoIP infrastructure which includes

More information

IMS signalling for multiparty services based on network level multicast

IMS signalling for multiparty services based on network level multicast IMS signalling for multiparty services based on network level multicast Ivan Vidal, Ignacio Soto, Francisco Valera, Jaime Garcia, Arturo Azcorra UniversityCarlosIIIofMadrid Av.Universidad,30 E-28911, Madrid,

More information

Analysing Protocol Implementations

Analysing Protocol Implementations Analysing Protocol Implementations Anders Moen Hagalisletto, Lars Strand, Wolfgang Leister and Arne-Kristian Groven The 5th Information Security Practice and Experience Conference (ISPEC 2009) Xi'an, China

More information

KEYWORDS Denial of Service, Session Initiation Protocol, Flooding Attacks, State Machine, Intrusion detection system

KEYWORDS Denial of Service, Session Initiation Protocol, Flooding Attacks, State Machine, Intrusion detection system i Detecting Denial of Service Message Flooding Attacks in SIP based Services Zoha Asgharian i ; Hassan Asgharian ii* ; Ahmad Akbari iii and Bijan Raahemi iv ABSTRACT Increasing the popularity of SIP based

More information

SIP System Features. Differentiated Services Codepoint CHAPTER

SIP System Features. Differentiated Services Codepoint CHAPTER CHAPTER 6 Revised: December 30 2007, This chapter describes features that apply to all SIP system operations. It includes the following topics: Differentiated Services Codepoint section on page 6-1 Limitations

More information

Overview of the Session Initiation Protocol

Overview of the Session Initiation Protocol CHAPTER 1 This chapter provides an overview of SIP. It includes the following sections: Introduction to SIP, page 1-1 Components of SIP, page 1-2 How SIP Works, page 1-3 SIP Versus H.323, page 1-8 Introduction

More information

Request for Comments: Category: Standards Track Columbia U. G. Camarillo Ericsson A. Johnston WorldCom J. Peterson Neustar R.

Request for Comments: Category: Standards Track Columbia U. G. Camarillo Ericsson A. Johnston WorldCom J. Peterson Neustar R. Network Working Group J. Rosenberg Request for Comments: 3261 dynamicsoft Obsoletes: 2543 H. Schulzrinne Category: Standards Track Columbia U. G. Camarillo Ericsson A. Johnston WorldCom J. Peterson Neustar

More information

Overview of SIP. Information About SIP. SIP Capabilities. This chapter provides an overview of the Session Initiation Protocol (SIP).

Overview of SIP. Information About SIP. SIP Capabilities. This chapter provides an overview of the Session Initiation Protocol (SIP). This chapter provides an overview of the Session Initiation Protocol (SIP). Information About SIP, page 1 How SIP Works, page 4 How SIP Works with a Proxy Server, page 5 How SIP Works with a Redirect Server,

More information

Security for SIP-based VoIP Communications Solutions

Security for SIP-based VoIP Communications Solutions Tomorrow Starts Today Security for SIP-based VoIP Communications Solutions Enterprises and small to medium-sized businesses (SMBs) are exposed to potentially debilitating cyber attacks and exploitation

More information

Security of VoIP. Analysis, Testing and Mitigation of SIP-based DDoS attacks on VoIP Networks

Security of VoIP. Analysis, Testing and Mitigation of SIP-based DDoS attacks on VoIP Networks Security of VoIP Analysis, Testing and Mitigation of SIP-based DDoS attacks on VoIP Networks A thesis submitted in partial fulfilment of the requirements for the Degree of Master of Science in Computer

More information

An Efficient NAT Traversal for SIP and Its Associated Media sessions

An Efficient NAT Traversal for SIP and Its Associated Media sessions An Efficient NAT Traversal for SIP and Its Associated Media sessions Yun-Shuai Yu, Ce-Kuen Shieh, *Wen-Shyang Hwang, **Chien-Chan Hsu, **Che-Shiun Ho, **Ji-Feng Chiu Department of Electrical Engineering,

More information

SIP System Features. SIP Timer Values. Rules for Configuring the SIP Timers CHAPTER

SIP System Features. SIP Timer Values. Rules for Configuring the SIP Timers CHAPTER CHAPTER 4 Revised: October 30, 2012, This chapter describes features that apply to all SIP system operations. It includes the following topics: SIP Timer Values, page 4-1 Limitations on Number of URLs,

More information

SIP System Features. SIP Timer Values. Rules for Configuring the SIP Timers CHAPTER

SIP System Features. SIP Timer Values. Rules for Configuring the SIP Timers CHAPTER CHAPTER 4 Revised: March 24, 2011, This chapter describes features that apply to all SIP system operations. It includes the following topics: SIP Timer Values, page 4-1 SIP Session Timers, page 4-7 Limitations

More information

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial

More information

Network Working Group. Expires: April 30, 2002 October 30, The Refer Method draft-ietf-sip-refer-02. Status of this Memo

Network Working Group. Expires: April 30, 2002 October 30, The Refer Method draft-ietf-sip-refer-02. Status of this Memo Network Working Group R. Sparks Internet-Draft dynamicsoft Expires: April 30, 2002 October 30, 2001 Status of this Memo The Refer Method draft-ietf-sip-refer-02 This document is an Internet-Draft and is

More information

Ericsson D. Willis. Cisco Systems. April 2006

Ericsson D. Willis. Cisco Systems. April 2006 Network Working Group Request for Comments: 4453 Category: Informational J. Rosenberg Cisco Systems G. Camarillo, Ed. Ericsson D. Willis Cisco Systems April 2006 Status of This Memo Requirements for Consent-Based

More information

Request for Comments: 3959 Category: Standards Track December 2004

Request for Comments: 3959 Category: Standards Track December 2004 Network Working Group G. Camarillo Request for Comments: 3959 Ericsson Category: Standards Track December 2004 Status of This Memo The Early Session Disposition Type for the Session Initiation Protocol

More information

Detection of Resource-Drained Attacks on SIP-Based Wireless VoIP Networks

Detection of Resource-Drained Attacks on SIP-Based Wireless VoIP Networks Detection of Resource-Drained Attacks on SIP-Based Wireless VoIP Networks Jin Tang, Yong Hao, Yu Cheng and Chi Zhou Department of Electrical and Computer Engineering Illinois Institute of Technology, Chicago,

More information

SIP Session Initiation Protocol

SIP Session Initiation Protocol Session Initiation Protocol ITS 441 - VoIP; 2009 P. Campbell, H.Kruse HTTP Hypertext Transfer Protocol For transfer of web pages encoded in html: Hypertext Markup Language Our interest: primarily as model

More information

Application Scenario 1: Direct Call UA UA

Application Scenario 1: Direct Call UA UA Application Scenario 1: Direct Call UA UA Internet Alice Bob Call signaling Media streams 2009 Jörg Ott 1 tzi.org INVITE sip:bob@foo.bar.com Direct Call bar.com Note: Three-way handshake is performed only

More information

Network Working Group. Category: Informational November Multiple Dialog Usages in the Session Initiation Protocol

Network Working Group. Category: Informational November Multiple Dialog Usages in the Session Initiation Protocol Network Working Group R. Sparks Request for Comments: 5057 Estacado Systems Category: Informational November 2007 Multiple Dialog Usages in the Session Initiation Protocol Status of This Memo This memo

More information

Request for Comments: 3578 Category: Standards Track dynamicsoft J. Peterson NeuStar L. Ong Ciena August 2003

Request for Comments: 3578 Category: Standards Track dynamicsoft J. Peterson NeuStar L. Ong Ciena August 2003 Network Working Group Request for Comments: 3578 Category: Standards Track G. Camarillo Ericsson A. B. Roach dynamicsoft J. Peterson NeuStar L. Ong Ciena August 2003 Mapping of Integrated Services Digital

More information

The Session Initiation Protocol

The Session Initiation Protocol The Session Initiation Protocol N. C. State University CSC557 Multimedia Computing and Networking Fall 2001 Lecture # 25 Roadmap for Multimedia Networking 2 1. Introduction why QoS? what are the problems?

More information

Internet Engineering Task Force (IETF) Category: Informational Bell Laboratories, Alcatel-Lucent S. Poretsky Allot Communications April 2015

Internet Engineering Task Force (IETF) Category: Informational Bell Laboratories, Alcatel-Lucent S. Poretsky Allot Communications April 2015 Internet Engineering Task Force (IETF) Request for Comments: 7501 Category: Informational ISSN: 2070-1721 C. Davids Illinois Institute of Technology V. Gurbani Bell Laboratories, Alcatel-Lucent S. Poretsky

More information

draft-ietf-sip-info-method-02.txt February 2000 The SIP INFO Method Status of this Memo

draft-ietf-sip-info-method-02.txt February 2000 The SIP INFO Method Status of this Memo HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 07:53:57 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Tue, 15 Feb 2000 17:03:00 GMT ETag: "3239a5-465b-38a986c4" Accept-Ranges: bytes Content-Length: 18011 Connection:

More information

Ryan J. Farley and Errin W. Fulp. Effects of Processing Delay on Function-Parallel Firewalls. IASTED: PDCN February

Ryan J. Farley and Errin W. Fulp. Effects of Processing Delay on Function-Parallel Firewalls. IASTED: PDCN February NOTICE: This material is copyrighted, and I am required to inform you that its use is limited to permissions of the copyright holder of each particular manuscript. Please refer to the following list, sorted

More information

Internet Engineering Task Force (IETF) Request for Comments: 7403 Category: Standards Track November 2014 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 7403 Category: Standards Track November 2014 ISSN: Internet Engineering Task Force (IETF) H. Kaplan Request for Comments: 7403 Oracle Category: Standards Track November 2014 ISSN: 2070-1721 Abstract A Media-Based Traceroute Function for the Session Initiation

More information

Category: Informational Ericsson T. Hallin Motorola September 2007

Category: Informational Ericsson T. Hallin Motorola September 2007 Network Working Group Request for Comments: 4964 Category: Informational A. Allen, Ed. Research in Motion (RIM) J. Holm Ericsson T. Hallin Motorola September 2007 The P-Answer-State Header Extension to

More information

Header Status Codes Cheat Sheet

Header Status Codes Cheat Sheet Header Status Codes Cheat Sheet Thanks for downloading our header status codes cheat sheet! Below you ll find all the header status codes and their meanings. They are organized by sections, starting with

More information

Internet Engineering Task Force. Category: Standards Track November 2001 Expires May 2002 <draft-ietf-sip-events-01.txt>

Internet Engineering Task Force. Category: Standards Track November 2001 Expires May 2002 <draft-ietf-sip-events-01.txt> Internet Engineering Task Force Adam Roach Internet Draft Ericsson Inc. Category: Standards Track November 2001 Expires May 2002 Status of this Memo Abstract SIP-Specific

More information

Secure Telephony Enabled Middle-box (STEM)

Secure Telephony Enabled Middle-box (STEM) Report on Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen 04/14/2003 Dr. Mark Stamp - SJSU - CS 265 - Spring 2003 Table of Content 1. Introduction 1 2. IP Telephony Overview.. 1 2.1 Major Components

More information

A SIP delayed based mechanism for detecting VOIP flooding attacks

A SIP delayed based mechanism for detecting VOIP flooding attacks A SIP delayed based mechanism for detecting VOIP flooding attacks Khaled Dassouki 1, Haidar Safa 2, Abbas Hijazi 1, and Wassim El-Hajj 2 1 Lebanese University, Lebanon 2 American University of Beirut {kdassouki@ubilitynet.com,

More information

Session Initiation Protocol (SIP) Ragnar Langseth University of Oslo April 26th 2013

Session Initiation Protocol (SIP) Ragnar Langseth University of Oslo April 26th 2013 Session Initiation Protocol (SIP) Ragnar Langseth University of Oslo April 26th 2013 Overview SIP Basic principles Components Message flow Mobility in SIP Personal Mobility Terminal Mobility Pre-call Mid-call

More information

Internet Engineering Task Force (IETF) Request for Comments: 8465 September 2018 Category: Informational ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 8465 September 2018 Category: Informational ISSN: Internet Engineering Task Force (IETF) R. Atarius, Ed. Request for Comments: 8465 September 2018 Category: Informational ISSN: 2070-1721 Using the Mobile Equipment Identity (MEID) URN as an Instance ID

More information

Request for Comments: 2976 Category: Standards Track October 2000

Request for Comments: 2976 Category: Standards Track October 2000 Network Working Group S. Donovan Request for Comments: 2976 dynamicsoft Category: Standards Track October 2000 Status of this Memo The SIP INFO Method This document specifies an Internet standards track

More information

Location Based Advanced Phone Dialer. A mobile client solution to perform voice calls over internet protocol. Jorge Duda de Matos

Location Based Advanced Phone Dialer. A mobile client solution to perform voice calls over internet protocol. Jorge Duda de Matos Location Based Advanced Phone Dialer A mobile client solution to perform voice calls over internet protocol Jorge Duda de Matos Superior Institute of Technology (IST) Lisbon, Portugal Abstract Mobile communication

More information

TSIN02 - Internetworking

TSIN02 - Internetworking Lecture 8: SIP and H323 Litterature: 2004 Image Coding Group, Linköpings Universitet Lecture 8: SIP and H323 Goals: After this lecture you should Understand the basics of SIP and it's architecture Understand

More information

MonAM ( ) at TUebingen Germany

MonAM ( ) at TUebingen Germany MonAM (28-29.09.2006) at TUebingen Germany Security Threats and Solutions for Application Server of IP Multimedia Subsystem (IMS-AS) Muhammad Sher Technical University Berlin, Germany & Fraunhofer Institute

More information

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track ISSN: September 2015

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track ISSN: September 2015 Internet Engineering Task Force (IETF) R. Sparks Request for Comments: 7647 Oracle Updates: 3515 A.B. Roach Category: Standards Track Mozilla ISSN: 2070-1721 September 2015 Abstract Clarifications for

More information

Avaya Port Matrix: Avaya Communicator for Microsoft Lync 6.4. Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Avaya Port Matrix: Avaya Communicator for Microsoft Lync 6.4. Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy. Matrix: for Microsoft Lync 6.4 Issue 1 July 28, 2015 Proprietary Use pursuant to the terms of your signed agreement or policy. July 2015 Matrix: for Microsoft Lync 1 ALL INFORMATION IS BELIEVED TO BE CORRECT

More information

Chapter 3: IP Multimedia Subsystems and Application-Level Signaling

Chapter 3: IP Multimedia Subsystems and Application-Level Signaling Chapter 3: IP Multimedia Subsystems and Application-Level Signaling Jyh-Cheng Chen and Tao Zhang IP-Based Next-Generation Wireless Networks Published by John Wiley & Sons, Inc. January 2004 Outline 3.1

More information

DENIAL OF SERVICE ATTACKS

DENIAL OF SERVICE ATTACKS DENIAL OF SERVICE ATTACKS Ezell Frazier EIS 4316 November 6, 2016 Contents 7.1 Denial of Service... 2 7.2 Targets of DoS attacks... 2 7.3 Purpose of flood attacks... 2 7.4 Packets used during flood attacks...

More information

Request for Comments: 3764 Category: Standards Track April enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record

Request for Comments: 3764 Category: Standards Track April enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record Network Working Group J. Peterson Request for Comments: 3764 NeuStar Category: Standards Track April 2004 enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record Status of this

More information

Denial of Service (DoS)

Denial of Service (DoS) Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:

More information

FortiOS Handbook - VoIP Solutions: SIP VERSION 6.0.1

FortiOS Handbook - VoIP Solutions: SIP VERSION 6.0.1 FortiOS Handbook - VoIP Solutions: SIP VERSION 6.0.1 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET KNOWLEDGE BASE http://kb.fortinet.com FORTINET

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

New and Current Approaches for Secure VoIP Service

New and Current Approaches for Secure VoIP Service New and Current Approaches for Secure VoIP Service H. Hakan Kılınç, Uğur Cağal Netas, Cyber Security Department, Istanbul hakank@netas.com.tr, ucagal@netas.com.tr Abstract: The current telecom technology

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Analyze of SIP Messages and Proposal of SIP Routing

Analyze of SIP Messages and Proposal of SIP Routing Analyze of SIP Messages and Proposal of SIP Routing F. Csoka, I. Baronak, E. Chromy and L. Kockovic Abstract This paper deals with the functionality of SIP and design of an efficient and optimized process

More information

Internet Engineering Task Force (IETF) Request for Comments: 7255 Category: Informational May 2014 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 7255 Category: Informational May 2014 ISSN: Internet Engineering Task Force (IETF) A. Allen, Ed. Request for Comments: 7255 Blackberry Category: Informational May 2014 ISSN: 2070-1721 Using the International Mobile station Equipment Identity (IMEI)

More information

Transporting Voice by Using IP

Transporting Voice by Using IP Transporting Voice by Using IP National Chi Nan University Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP & SIP Conclusion 2 Digital Circuit Technology Developed by telephone

More information

SIP Conformance Testing Based on TTCN-2 *

SIP Conformance Testing Based on TTCN-2 * TSINGHUA SCIENCE AND TECHNOLOGY ISSN 1007-0214 40/49 pp223-228 Volume 12, Number S1, July 2007 SIP Conformance Testing Based on TTCN-2 * LI Tian ( 李天 ), WANG Zhiliang ( 王之梁 ), YIN Xia ( 尹霞 ) ** Department

More information

DMP 128 Plus C V DMP 128 Plus C V AT

DMP 128 Plus C V DMP 128 Plus C V AT DMP 128 Plus C V DMP 128 Plus C V AT Interactive Intelligence Configuration Guide REVISION: 1.0.1 DATE: MARCH 7 TH 2018 Revision Log Date Version Notes Feb 9 th 2018 1.0 First Release: Applies to Firmware

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

Voice over IP (VoIP)

Voice over IP (VoIP) Voice over IP (VoIP) David Wang, Ph.D. UT Arlington 1 Purposes of this Lecture To present an overview of Voice over IP To use VoIP as an example To review what we have learned so far To use what we have

More information

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues v Noriyuki Fukuyama v Shingo Fujimoto v Masahiko Takenaka (Manuscript received September 26, 2003) IP telephony services using VoIP (Voice

More information

A comprehensive study of flooding attack consequences and countermeasures in Session Initiation Protocol (SIP)

A comprehensive study of flooding attack consequences and countermeasures in Session Initiation Protocol (SIP) SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks (2015) Published online in Wiley Online Library (wileyonlinelibrary.com)..1328 RESEARCH ARTICLE A comprehensive study of flooding attack consequences

More information

Network Working Group. Category: Standards Track Universitaet Karlsruhe (TH) W. Haddad Ericsson Research May 2007

Network Working Group. Category: Standards Track Universitaet Karlsruhe (TH) W. Haddad Ericsson Research May 2007 Network Working Group Request for Comments: 4866 Category: Standards Track J. Arkko Ericsson Research NomadicLab C. Vogt Universitaet Karlsruhe (TH) W. Haddad Ericsson Research May 2007 Status of This

More information

Network Working Group. Updates: 3515 (if approved) Intended status: Standards Track Expires: April 30, 2015 October 27, 2014

Network Working Group. Updates: 3515 (if approved) Intended status: Standards Track Expires: April 30, 2015 October 27, 2014 Network Working Group R. Sparks Internet-Draft Oracle Updates: 3515 (if approved) A. Roach Intended status: Standards Track Mozilla Expires: April 30, 2015 October 27, 2014 Abstract Clarifications for

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

A Framework for Optimizing IP over Ethernet Naming System

A Framework for Optimizing IP over Ethernet Naming System www.ijcsi.org 72 A Framework for Optimizing IP over Ethernet Naming System Waleed Kh. Alzubaidi 1, Dr. Longzheng Cai 2 and Shaymaa A. Alyawer 3 1 Information Technology Department University of Tun Abdul

More information

ENSC 833-3: NETWORK PROTOCOLS AND PERFORMANCE. Implement Session Initiation Protocol (SIP) User Agent Prototype

ENSC 833-3: NETWORK PROTOCOLS AND PERFORMANCE. Implement Session Initiation Protocol (SIP) User Agent Prototype ENSC 833-3: NETWORK PROTOCOLS AND PERFORMANCE Final Project Presentation Spring 2001 Implement Session Initiation Protocol (SIP) User Agent Prototype Thomas Pang (ktpang@sfu.ca) Peter Lee (mclee@sfu.ca)

More information

N-Squared Software SIP Specialized Resource Platform SIP-SDP-RTP Protocol Conformance Statement. Version 2.3

N-Squared Software SIP Specialized Resource Platform SIP-SDP-RTP Protocol Conformance Statement. Version 2.3 N-Squared Software SIP Specialized Resource Platform SIP-SDP-RTP Protocol Conformance Statement Version 2.3 1 Document Information 1.1 Scope and Purpose This document describes the implementation of the

More information

Internet Engineering Task Force (IETF) Deutsche Telekom D. Alexeitsev TeleFLASH April 2013

Internet Engineering Task Force (IETF) Deutsche Telekom D. Alexeitsev TeleFLASH April 2013 Internet Engineering Task Force (IETF) Request for Comments: 6910 Category: Standards Track ISSN: 2070-1721 D. Worley Ariadne Internet Services, Inc. M. Huelsemann R. Jesske Deutsche Telekom D. Alexeitsev

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment
