An Approach to Resisting Malformed and Flooding Attacks on SIP Servers

Transcription

1 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY An Approach to Resisting Malformed and Flooding Attacks on SIP Servers Ming-Yang Su* and Chen-Han Tsai Department of Computer Science and Information ngineering, Ming Chuan University, Taoyuan, Taiwan *Corresponding author, mail: Abstract As a result of its low costs and high degree of integration with other services, Voice over Internet Protocol (VoIP has become very widely used, while Session Initiation Protocol (SIP is one of the most important protocols for providing the VoIP service. Since SIP is an open source code with a simple structure and high expansibility, SIP servers are more vulnerable to attack by SIP messages malformed in order to stunt the server, or by a flood of SIP messages causing server congestion or shutdown. The system proposed in this paper therefore has two functions; one is to filter malformed messages that conflict with the SIP protocol, and the other is to determine whether an SIP server is under flooding attack. This study used the Chisquare test, usually applied in statistics, to identify flooding attacks. The proposed system can automatically modify an SIP server s blacklist to deter an attacker s subsequent attempts. Index Terms Session Initiation Protocol (SIP; malformed SIP messages; flooding SIP messages; Chi-square test I. INTRODUCTION As network technology continues to develop, voice over Internet protocol (VoIP has fast become widely used in many applications. VoIP is implemented over TCP/IP, so any TCP/IP security weakness could pose a threat to VoIP services, including most common flooding attacks. Session Initiation Protocol (SIP [1-3] is an open source code defined on the application layer of the OSI model, with the main purpose of establishing, modifying and interrupting multimedia sessions. The VoIP service basically contains user agents (UA and servers. UAs refer to end user devices; they can be software applications or hardware, like SIP telephones. User agent clients (UAC are the parties that initialize the connection, namely the caller, while user agent servers (UAS are the callees. very UA must register with an SIP server via a Register message. If a UA is authorized, the server will respond with a 00-OK message. In general, a server may start a validation procedure by responding with a 401-Unauthorized message with a nonce value in the header field of the message. The UA uses this nonce value to generate an encrypted digest and put it in the header field, and then re-transmits the Register message. Upon receiving the message, the server will compare the encrypted digest with the original digest and send the 00-OK response to the UA if no error is found. The registration procedure is shown in Fig. 1. Figure 1. SIP registration procedure An SIP connection is established as shown in Fig.. The UAC sends an Invite message to the SIP server, which passes the request to the UAS. Upon reception, the UAS begins a ring notification, while at the same time responding to the UAC through the SIP server with a 180-Ringing message. As the UAS answers the request, it sends a 00-OK message to the UAC, and the UAC then returns an Ack (acknowledgement to the UAS. All SIP messages pass through an SIP server. Once the SIP connection is built, subsequent Real-Time Transport Protocol (RTP connection establishment and voice packet transmissions will not be made through the SIP server. When either the UAC or the UAS hangs up the phone, they will send a Bye message to the SIP server to indicate that the connection has been terminated. The SIP server will transmit the Bye message to the other party, and then forward a responding 00-OK message. Manuscript received June 18, 014; revised August 8, 014; accepted August 4, 014. Figure. SIP connection diagram 015 ACADMY PUBLISHR doi: /jnw

2 78 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY 015 very SIP message contains a command line, a header and a body. The command line is used to confirm the type of message. There are six types of requests, and six types of responses. The six types of request message include Invite, Bye, Ack, Options, Cancel and Register, while the six types of response message are usually represented by codes including 1XX (notification response, for example 180-Ring, XX (success response, such as 00-OK, 3XX (call forward response, 4XX (call failed, such as 401-Unauthorized, 5XX (server failure and 6XX (global failure. The Invite message also contains information for performing Session Description Protocol (SDP [4], which includes the caller s media format, address, port, etc. The callee can accept or reject the connection request. SIP has a simple structure with high expansibility; however, SIP servers are vulnerable to malformed SIP messages and flooding SIP messages. Therefore, the system proposed in this paper has two main functions. One is to exclude malformed SIP messages from the SIP server that conflict with the SIP protocol and the other is to determine whether the SIP server is under flooding SIP message attack. This paper is an ension of the preliminary research work presented in [5], where a prototype of SIP flooding detection was addressed. In this paper, the proposed system is meant to be installed in the SIP server, and applies the RFC 361 [3] SIP standard format as the basis for identifying malformed packets. Moreover, if the amounts of SIP Invite/Cancel/Bye messages are greater than the normal SIP message thresholds, the system will invoke Chi-square test [6] to determine whether the SIP server is under flooding attack. In other words, the proposed system aims to identify any user who sends malformed SIP messages or floods a large number of Invite/Cancel/Bye to the SIP server. Whenever an attacker is identified, the system will update the blacklist in the SIP server in order to reject the caller s future connection requests. The remainder of this paper is organized as follows. In Section, related works and the Chi-square test technology are introduced. In Section 3, the details of the proposed system are presented. In Section 4, experiment results and comparisons with other studies are shown. Finally, in Section 5 conclusions are given. II. BACKGROUND This section introduces attacks using malformed SIP messages and SIP message flooding, and describes the Chi-square test technology used in this study. A. Related Research In a malformed message attack, an attacker modifies SIP messages into anomalous forms and sends them to an SIP server. As the server cannot process such malformed messages, the result could be resource depletion or server shutdown. In Fig. 3, the left hand side shows a normal Invite message, while the right hand side shows a malformed Invite message where the Invite field should not be Null. As in the methods proposed in [7-10], when the received SIP packet is inconsistent with the norms stipulated in RFC361 [3], it will be regarded as an attack. (a Normal (b Abnormal Figure 3. SIP Invite message (a normal format (b abnormal format. Today, the most common SIP attacks take the form of flooding attacks, in which a large number of SIP Invite/Cancel/Bye messages are sent to the SIP server, intended to slow or even shut the server down. Based on the facts that UAs must frequently register with a server in order to update their location, and that the server should respond with an OK message, Chen et al. [11] established a white-list to prevent attacks from unregistered users. The authors in [1-14] used finite state machines to simulate the various states of the SIP protocol; when repetitions of a certain state are beyond the set threshold, this could indicate a flooding attack. Zhou et al. [15] focused on protecting SIP register servers from CPU-exhausting DoS attacks, because register servers must perform identity confirmation and decryption/encryption computation. When connection requests increase considerably, the proposed mechanism will check the record of previous legitimate calls. If the suspect UAC is not in the list of legitimate calls, it will be regarded as an attacker, and the services will be blocked. The authors in [15] applied the Bloom filter algorithm [16, 17] to record and check users' IP addresses. The Bloom filter is a lightweight algorithm that consumes very little CPU resources. Geneiatakis et al. [18, 19] also applied the Bloom filter algorithm to determine whether an SIP server is under a DoS attack. They used the Bloom filter algorithm to count the number of Invite messages, and corresponding responses. If the Invite messages and the response messages differ significantly in number, it is regarded as a flooding attack. Akbar et al. [0] compared the three algorithms, i.e., the adaptive threshold algorithm [1], the cumulative sum algorithm [1] and the Hellinger distance algorithm []. According to the experiment results in [0], the Hellinger distance algorithm exhibited the best performance in dealing with INVIT flooding. B. Chi-square test This section briefly introduces the Chi-square test [6] adopted in this study to implement the SIP message flooding detection function. In statistics, there are two types of data, quantitative and categorical. One of the main techniques for processing categorical data is the 015 ACADMY PUBLISHR

3 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY Chi-square test. The goodness-of-fit test of the Chisquare test is to figure out the approximation of observed frequency and expected frequency of the null hypothesis H0 in order to determine whether it meets a specific distribution. In other words, it finds the differences between the observed frequency obtained and the expected frequency assuming the null hypothesis H 0 is supported. The chi-square value of the Chi-square test, say x, is calculated as follows: x k ( Oi i (1 i1 where O i and i (= n p i are the observed frequency and expected frequency of sample group i, respectively; k is the number of categories, n is the number of samples, and p i is the probability of categories i. When O i and i differ significantly, the chi-square value denoted by x i km 1, will increase, indicating that the sample data is unable to support null hypothesis H 0, and thus H 0 should be rejected. That is, if x > xkm 1,, then reject H 0 ; otherwise, accept H 0. For the Chi-square critical value, i.e., xkm 1,, the subscript k m-1 is called the degree of freedom (short for df and the α presents the error tolerance. Since no population parameter should be estimated in advance, i.e., m = 0 and thus df is simplified to k - 1. Moreover, α was set to 0.05 in this study because α is set to 0.05 as well in general situations, representing a 5% tolerance of error. The Chi-square critical values x km 1, can be found from Table I with different settings of df and α. For examples, if df = and α = 0.05, the Chi-square critical value x is 5.99; if df = 5 and α = 0.05, the value of,0.05 x 5,0.05 is known that there are six faces, and each expectably has the same probability. The number of categories k is 6, so df = k - m - 1 = k - 1 = 5. Under the error tolerance rate α set to 0.05, from Table I, the Chi-square critical value x km 1, = x = Therefore H 0 is acceptable 5,0.05 because < TABL II. COMPUTATION OF CHI-SQUAR VALU Term No O P (O- / / = / = / = / = / = / = III. PROPOSD SYSTM A. System Framework Fig. 4 shows the system architecture. Basically, the proposed system is able to drop malformed SIP messages and deter Invite/Cancel/Bye flooding. Any incoming SIP message must first pass the Malformed Message Detection module. Once a message is determined to be malformed, the proposed system will update the black-list in the SIP server to block further connections from that user. The SIP message then passes the Chi-square test module, which determines whether the SIP server is under flooding attack. Similarly, if the module determines a flooding attack is taking place, it will store the relevant user information in the database and update the black-list in the SIP server to block further connections by that user. TABL I. CHI-SQUAR CRITICAL VALUS [6] Figure 4. System framework One application of the Chi-square test is given, for example, as follows. Consider tossing a dice 300 times. The frequencies of each point from 1 to 6 are 40, 60, 60, 45, 45 and 50, respectively. Is the dice a fair one? The null hypothesis H 0 here is that it is a fair dice. According to q. (1, chi-square value computation in detail is as shown in Table II, and the final chi-square value is In this case, no population parameter must be estimated in advance, i.e., m = 0 because it is The Malformed Message Detection module is implemented according to the principles stipulated in RFC 361 [3], also shown in Appendix A. If the format of the incoming SIP message is inconsistent with the norms, it is regarded as a malformed attack. This function is mainly conducted by string comparison. This section thus focuses on the second module for detecting flooding attacks by Chi-square test. The basic principle is that if the numbers of different types of SIP messages are consistent with the expected proportional distribution, the connection is regarded as normal; otherwise, it is regarded as abnormal. 015 ACADMY PUBLISHR

4 80 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY 015 Figure 5. SIP message flooding detection framework Fig. 5 illustrates the VoIP flooding detection framework. The Chi-square test module first checks whether the number of packets of Invite/Cancel/Bye sent by a specified user is beyond the normal thresholds or not. If it is beyond the normal thresholds, the system will invoke the Chi-square test procedure to statistically count the numbers of Invite/Cancel/Bye messages and compute their Chi-square values by q.(1 for each time unit. If any one of these values is beyond the Chi-square critical value, by checking Table I, the module will regard it as a flooding attack and update the SIP server's built-in blacklist to block that specific user. For example, assuming the normal number of SIP Invite message in a time unit is 0, the system will count the number of SIP Invite messages for every time unit and only invoke the Chi-square test procedure if the number is larger than 0. The implementation of the Chi-square test module consists of three elements: feature selection, thresholds for normal SIP messages, and the Chi-square test procedure. The first two parts need to be performed in advance, i.e. in the training phase. First, in feature selection, the module needs to decide what kinds of features derived from SIP messages can be used to help identify flooding attacks. Second, the module must determine SIP feature threshold numbers for every time unit, i.e., threshold numbers below which there is no suspicion of flooding attack. Since the Chi-square value computation takes time to perform, if SIP messages do not outnumber these normal thresholds, the proposed system will not start the computation. Third, the module accumulates the numbers of SIP features for every time unit. If the numbers are below the thresholds, it concludes that there is no flooding, otherwise, the module applies the Chi-square test for further examination. Detailed descriptions of these three phases are given below. B. Feature Selection All features applied in the proposed system are given in Table III. As a caller initializes an Invite message, the callee may respond with a message, depending on their status. If the callee is online, they will respond to the caller via the SIP server with the Ringing message. If the callee is offline, the SIP Server will send a Code183 message to notify the caller, and the caller will then respond to the SIP server with an Ack message. If the callee is online \ut busy, the callee will respond to the SIP sever with a Code468 message, and the SIP server will then sends a Code183 to the caller, who will respond with an Ack message. A Cancel message ends the connection initiated by either communication party, and Code487 followed by OK are the SIP server's responses after receiving the Cancel message. Bye is sent by the communication party who wants to end the connection, and OK is the system response message. The proposed system must count the number of SIP features for every time unit. Only if the numbers are greater than the thresholds will the system enable the Chisquare test function. Basically, the thresholds are the number of hourly calls based on normal weekday call rates, including the number of Invite, Cancel and Bye messages. By adding summing the call numbers over the same period each day, the average μ and standard deviation σ are obtained by q.( and q.(3, respectively. This study sets the threshold of each hour as μ + 3σ, which has been broadly used in the statistics field [6]. TABL III. FATURS OF SIP MSSAGS AND THIR RSPONSS Message Message Feature from Response message Invite Caller Ringing System Invite Code183 System Invite/Code468 Ack Caller Code468 Cancel Caller Code487 System Cancel OK System Cancel Bye Caller Bye System Bye(Caller OK System Bye C. Thresholds for Normal SIP Traffic The call number counting in this study is accumulated, i.e., the threshold of the first hour is computed by the number of Invite/Cancel/Bye messages during the period from 0:00 am ~ 1:00 am, the threshold of the second hour is computed by the number of Invite/Cancel/Bye messages in the period from 0:00 am ~ :00 am, and so forth. It is noted that all users have their own thresholds. So, for every user, there are 4 thresholds in one day. In operation, the proposed system will use the corresponding threshold value according to the time of the detection event. day1 day day3 day4 day5 ( 5 1 (day1 (day (day3 (day4 (day5 5 During the online test stage, the proposed system counts the number of each feature in every time unit, 3 (3 015 ACADMY PUBLISHR

5 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY seconds for example. If any feature number, i.e., Invite/Cancel/Bye, is greater than its threshold as defined above, the system will start the Chi-square test module to perform further investigation. If its chi-square value is greater than the Chi-square critical value, the caller will be regarded as a flooding attacker, and the system will update the SIP server's built-in black-list automatically in order to block that user. The Invite/Cancel/Bye Chisquare tests are illustrated as follows. D. Invite Message s Chi-Square Value Computation There are three types of messages related to the Invite message, #Invite, (#Code183 + #Ringing, and (#Ack + #Ringing. In the Chi-square test, the number of categories k is three, which means the degree of freedom (df is k - 1 =. Under the hypothesis of the 5% error tolerance, i.e., α=0.05, the Chi-square critical value, from Table I, is x = df, x = Therefore, the proposed,0.05 system will count the number of the three SIP related messages from the network flow for one time unit, and compute the Chi-square critical value by q.(1. If the value is smaller than or equal to 5.99, it concludes that there is no Invite flooding attack. Otherwise, if the value is greater than 5.99, it concludes that an Invite flooding attack is underway. In the computation of the chi-square value, this study sets = (#Invite + (#Code183 + #Ringing + (#Ack + #Ringing - # (Code #(Ack 486 1/3, as the callee may be in one of the three possible states. If the callee is online, the SIP server sends a Ringing message to the caller, resulting in #Invite: (#Ringing: (#Ringing = 1: 1: 1, then = (#Invite + (#Ringing + (#Ringing 1/3. If the callee is offline, the SIP server sends a Code183 message to the caller, which sends Ack to the SIP server, resulting in #Invite: (#Code183: (#Ack = 1: 1: 1, then, = (#Invite + (#Code183 + (#Ack 1/3. Finally, if the callee is busy, the SIP server sends a Ringing message to the caller, resulting in (#Invite: (#Ringing: (#Ringing = 1: 1: 1. In addition, the callee will send a Code486 message to the SIP server, and the SIP server will send Code183 to the caller, which sends Ack to the SIP server. Since Code486 triggers Code183 and Ack, for ease of distinction they are presented as (Code and (Ack 486. In summary of the above three cases, we have #Invite: (#Code183 + #Ringing: (#ACK + #Ringing = 1: 1: 1, and = (#Invite + (#Code183 + #Ringing + (#Ack + #Ringing - #(Code #(Ack 486 1/3. Therefore, when performing the Invite Chi-square test, by counting the number of SIP related messages including #Invite, (#Code183 + #Ringing, and (#Ack + #Ringing in one time unit, it is possible to compute the chi-square value x as follows: x (# INVIT ((# Code183 # Ringing ((# ACK # Ringing If x x,0.05 = 5.99, it is considered normal. Otherwise, it is considered an Invite flooding attack, and the current #Invite is set as the threshold of that user in order to prevent the continuous increase of the chi-square value due to the number of Invites increasing.. Cancel Message s Chi-Square Value Computation As with the computation of the Invite Chi-square value, three types of Cancel-related messages are considered: Cancel, Code487, and OK. In general, (#Cancel: (#Code487: (#OK = 1: 1: 1, = ((#Cancel + (#Code487 + (#OK 1/3, the computation of Chisquare value x is as shown in: (# CANCL ((# Code487 x ((# OK Similarly, if x x,0.05 = 5.99, it is considered normal. Otherwise, it is considered a Cancel flooding attack and the current #Cancel is set as the Cancel threshold of that user. F. Bye message s Chi-Square Value Computation The method here is similar to the above two cases, using three Bye-related messages: Bye (caller sends, OK, and Bye (SIP-server sends. In general, #Bye: #OK: #Bye = 1: 1: 1, = ((#Bye + (#Bye + (#OK 1/3, the Chi-square value x is computed as follows: (# BY (# OK( System x ((# BY( System Similarly, if x x,0.05 = 5.99, it is considered normal; otherwise it is considered a Bye flooding attack, and the current number of #Byes is set as the Bye threshold of that user. IV. XPRIMNTS AND DATA ANALYSS Four computers were used to construct the experimental environment. One played the attacker, launching flooding attacks; one played the SIP server containing the proposed system, and the other two played the UAC and UAS. The attacker computer was installed with SIPp [8] and SiVuS [5] in order to produce necessary traffic; several researches have also used this software for the same purpose, e.g., SiVuS in [5-7] and SIPp in [15, 8-31]. lastix [3] was used for the VoIP server, and the proposed detection system was coded in JAVA and JNTPCAP [4]. JNTPCAP provides the online packet capturing function. The two computers simulating the UAC and UAS were installed with SIPp. First, the normal traffic flow of each user created by SIPp was collected. The SIPp tool simulated 50 users as UACs, and each user supposedly called 10 to 30 times, randomly, in a day. The number of calls during every hour for each user was recorded in order to set the normal thresholds. 015 ACADMY PUBLISHR

6 8 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY 015 A. Malformed SIP Messages Detection Malformed messages are messages in violation of the SIP message format stipulated in RFC 361 [3]. Testing tools SiVuS and SIPp were applied to produce malformed messages and send them to the SIP server. In this study, the anomalous SIP message tests were conducted in four scenarios, as shown in Table IV. Scenario_1 used SIPp, with a background flow volume of 0, to send 500 malformed messages in 17 seconds, and the false positive (FP and false negative (FN detection results were both zero. Scenario_ used SIPp, with a background flow of 10 calls per second, to send 500 malformed messages in 17 seconds, and the FP and FN instance detection results were 0 and 87, respectively. Scenario_3 used SiVuS, with a background flow of 0, to send 500 malformed messages in 10 seconds, and the FP and FN detection results were both zero. Scenario_4 used SiVuS, with a background flow of 10 calls per second, to send 500 malformed messages in 10 seconds, and the FP and FN instance detection result were 0 and 11, respectively. gradient increase in Invite/Cancel/Bye message transmission, and the corresponding chi-square values are illustrated in Fig. 6(b. SIP message volume increases from 10 packets per second to 50 packets per second, while the chi-square value increases with the rising number of messages per second. When the chi-square value is beyond the critical value it is considered a flooding attack. In other words, chi-square value computation is a kind of statistical method to effectively reflect the sudden increase of SIP messages. On the other hand, Fig. 7(a shows the gradient decrease in Invite/Cancel/Bye message transmission, and the corresponding chi-square values are given in Fig. 7(b. SIP message volume decreases from 50 packets per second to 10 packets per second, while the chi-square value decreases with the decreasing number of messages per second. Fig. 8 shows that the chi-square values correspond to the situation when the transmission volume of Invite/Cancel/Bye messages remains high. TABL IV. MALFORMD MSSAG DTCTION PRFORMANC Scenarios Attack Background Malformed FP FN tool traffic messages Scenario_1 SIPp 0 500(17s 0 0 Scenario_ SIPp 10cps 500(17s 0 87 Scenario_3 SiVuS 0 500(10s 0 0 Scenario_4 SiVuS 10cps 500(10s 0 11 (a SIP message volumes (a SIP message volumes (b Invite/Cancel/Bye chi-square values Figure 7. In the case of SIP message gradients decreasing: (a SIP message volumes (b Invite/Cancel/Bye chi-square values (b Invite/Cancel/Bye chi-square values Figure 6. In the case of SIP message gradients increasing: (a SIP message volumes (b Invite/Cancel/Bye chi-square values B. SIP Message Flooding Detection Using SIPp to generate SIP Invite/Cancel/Bye message flooding, it is clear that the chi-square values increase as SIP message traffic increases. Fig. 6(a shows the (a SIP message volumes 015 ACADMY PUBLISHR

7 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY xtended experiments were conducted to show the effectiveness of the proposed system, and a comparison of inclusive functions with other studies has been provided. TABL VI. APPNDIX A RFC361 VOIP RULS (b Invite/Cancel/Bye chi-square values Figure 8. In the case of SIP messages remaining high: (a SIP message volumes (b Invite/Cancel/Bye chi-square values. C. Comparisons with other Researches This study concerns SIP servers facing malformed message attacks and flooding attacks. Malformed message detection uses the SIP format specifications in RFC 361 to determine whether an SIP message is anomalous. SIP flooding attack detection finds corresponding messages and proportional relationships by SIP protocol and uses the Chi-square test to determine whether the SIP server is under an Invite, Cancel, or Bye flooding attack. The comparisons of inclusive functions with other relevant studies are given in Table V. TABL V. FUNCTION COMPARISONS WITH RLVANT STUDIS No. description No linear whitespace (LWS is allowed in any of the 1 elements. The Request-URI MUST NOT contain unescaped spaces or control characters and MUST NOT be enclosed in "<>". 3 SIP-Version implementations MUST send upper-case. ach header field consists of a field name followed by a 4 colon (":" and the field value. A valid SIP request formulated by a UAC MUST, contain the 5 following header fields: To, From, CSeq,Call-ID, Max- Forwards,and Via; 6 A request outside of a dialog MUST NOT contain a To tag; 7 The From field MUST contain a new "tag" parameter. 8 Cseq MUST be less than 31 The protocol name and protocol version in the header field 9 MUST be SIP and.0 The Via header field value MUST contain a branch 10 parameter. The branch ID inserted by an element compliant with this 11 specification MUST always begin with the characters "z9hg4bk". If more than one Via header field value is present in a 1 response, the UAC SHOULD discard the message. The Contact header field MUST be present and contain 13 exactly one SIP or SIPS URI in request. The Call-ID header field of the response MUST equal the 14 Call-ID header field of the request. The CSeq header field of the response MUST equal the CSeq 15 field of the request. The Via header field values in the response MUST equal the 16 Via header field values in the request. If a request contained a To tag in the request, the To header 17 field in the response MUST equal that of the request. ACKNOWLDGMNT This work was partially supported by the National Science Council with contract and Ministry of Science and Technology with contract V. CONCLUSIONS This paper proposed a method enabling an SIP server to detect and further prevent malformed SIP message attacks and SIP message flooding attacks. The malformed SIP detection was based on the norms in RFC36, while the SIP flooding detection applied the Chi-square test to identify the caller launching an attack in every time unit. The Chi-square test is used to determine the proportional relationship of certain response messages when an SIP connection is established, and the goodness-of-fit test of the Chi-square test is used to check whether the monitored messages meet the expected distribution, in order to identify a flooding attack. xtended experiments were conducted to demonstrate the effectiveness of the proposed system. According to the experiment results, the proposed mechanism can detect malformed messages and any Invite/Cancel/Bye flooding attack. If an attack is identified, the proposed system is able to modify the SIP server s blacklist to stop future connections by that caller. RFRNCS [1] D. Butcher, et al., "Security Challenge and Defense in VoIP Infrastructures," Systems, Man, and Cybernetics, Part C: Applications and Reviews, I Transactions on, vol. 37, pp , 007. [] S. l Sawda and P. Urien, "SIP Security Attacks and Solutions: A state-of-the-art review," in Information and Communication Technologies, 006. ICTTA '06. nd, pp , 006. [3] J. Rosenberg, et al. SIP: Session Initiation Protocol, RFC 361. [4] M. Handley and V. Jacobson, "Session Description Protocol (SDP," in ITF,RFC37, April [5] Ming-Yang Su and Chung-Chun Chen, "Prevention of Anomalous SIP Messages," International Journal of Future Computer and Communication, vol., no. 5, pp , October 013. (Selected paper from the nd International Conference on Network and Computer Science, ICNCS 013 [6] P.. Greenwood and M.S. Nikulin, A guide to chi-squared testing. Wiley, New York. ISBN X, ACADMY PUBLISHR

8 84 JOURNAL OF NTWORKS, VOL. 10, NO., FBRUARY 015 [7] D. Geneiatakis, G. Kambourakis, C. Lambrinoudakis, T. Dagiuklas, and S. Gritzalis, "A framework for protecting a SIP-based infrastructure against malformed message attacks," Computer Networks, vol. 51, issue 10, pp , 007. [8] D. Geneiatakis and C. Lambrinoudakis, "An ontology description for SIP security flaws," Computer Communications, vol. 30, issue 6, pp , 007. [9] D. Geneiatakis, C. Lambrinoudakis, and G. Kambourakis, "An ontology-based policy for deploying secure SIP-based VoIP services," Computers & Security, vol. 7, issue 7-8, pp , 008. [10] S. hlert, Ge Zhang, D. Geneiatakis, G. Kambourakis, T. Dagiuklas, J. Markl, and D. Sisalem, "Two layer Denial of Service prevention on SIP VoIP infrastructures," Computer Communications, vol. 31, issue 10, pp , 008. [11]. Y. Chen and M. Itoh, "A whitelist approach to protect SIP servers from flooding attacks," I International Workshop Technical Committee on Communications Quality and Reliability (CQR, pp. 1-6, 010. [1] H. Sengar, et al., "VoIP Intrusion Detection Through Interacting Protocol State Machines," International Conference on Dependable Systems and Networks, pp , 006. [13]. Y. Chen, "Detecting DoS attacks on SIP systems," I Workshop on VoIP Management and Security, pp , 006. [14] C. Zhe and D. Rong, "The Formal Analyse of DoS Attack to SIP Based on the SIP xtended Finite State Machines," International Conference on Computational Intelligence and Software ngineering, pp. 1-4, 010. [15] C. V. Zhou, C. Leckie, and K. Ramamohanarao, "Protecting SIP Server from CPU-Based DoS Attacks using History-Based IP Filtering," I Communications Letters, vol. 13, no. 10, pp , 009. [16] B. H. Bloom, "Space/time trade-offs in hash coding with allowable errors", Communications of the ACM, vol. 13, issue 7, pp. 4 46, [17] Bloom Filter, [18] D. Geneiatakis, N. Vrakas, and C. Lambrinoudakis, "Utilizing bloom filters for detecting flooding attacks against SIP based services," Computers & Security, vol. 8, issue 7, pp , 009. [19] D. Geneiatakis, N. Vrakas1, and C. Lambrinoudakis, "Performance valuation of a Flooding Detection Mechanism for VoIP Networks," International Conference on Systems, Signals and Image Processing, pp. 1-5, 009. [0] M. A. Akbar, Z. Tariq and M. Farooq, "A comparative study of anomaly detection algorithms for detection of SIP flooding in IMS,", International Conference on Internet Multimedia Services Architecture and Applications, pp. 1-6, 008. [1] V. Siris and F. Papagalou, Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks, Computer Communications, vol. 9, no. 9, pp , 006. [] H. Sengar, H. Wang, D. Wijesekera, and S. Jajodia, Detecting VoIP Floods using the Hellinger Distance, I Transactions on Parallel and Distributed Systems, vol. 19, no. 6, pp , June 008. [3] lastix. Available: [4] jnetpcap OpenSource, [5] SiVuS. Available: database.com/toolswatch/sivus-voip-security-scanner-1-09.html [6] J. Kim, B.-hee Roh, M. Hong, S. Kang, "Autonomous defense against Flooding-based Denial of Service of a SIP system," I Applications and Technology Conference, 010 Long Island Systems, pp. 1-7, 010. [7] S. McGann and D. C. Sicker. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems. Available at [8] SIPp. Available at [9] W. A. Aziz, S. H. L-Ramly and M. M. Ibrahim, "IP- Multimedia Subsystem (IMS performance evaluation and benchmarking," I International Conference on Computational Technologies in lectrical and lectronics ngineering (SIBIRCON, pp , 010. [30] M. Z. Rafique, M. A. Akbar and M. Farooq, "valuating DoS Attacks against Sip-Based VoIP Systems," I Global Telecommunications Conference (GLOBCOM, pp. 1-6, 009. [31] J. Stanek and L. Kencl, "SIPp-DD: SIP DDoS Flood- Attack Simulation Tool," International Conference on Computer Communications and Networks (ICCCN, pp. 1-7, 011. [3] I. Hussain and F. Nait-Abdesselam, "Strategy based proxy to secure user agent from flooding attack in SIP," I International Wireless Communications and Mobile Computing Conference (IWCMC, pp , 011. [33] W. Li, W. Guo, X. Luo and Xiang Li, "On Sliding Window Based Change Point Detection for Hybrid SIP DoS Attack," I Asia-Pacific Services Computing Conference, pp , 010. [34] Z.-F. Fan et al., "A SIP DoS Flooding Attack Defense Mechanism Based on Custom Weighted Fair Queue Scheduling," International Conference on Multimedia Technology (ICMT, pp. 1-4, 010. [35] X.-Y. Wan, Z. Li, and Z.-F. Fan, "A SIP DoS flooding attack defense mechanism based on priority class queue," I International Conference on Wireless Communications, Networking and Information Security (WCNIS, pp , 010. [36] Z. Asgharian, H. Asgharian, A. Akbari and B. Raahemi, "A framework for SIP intrusion detection and response systems," International Symposium on Computer Networks and Distributed Systems (CNDS, pp , 011. [37] S. Hyeongu and L. Youngseok, "Detecting Anomaly Traffic using Flow Data in the real VoIP network," I/IPSJ International Symposium on Applications and the Internet (SAINT, pp , 010. Ming-Yang Su received his B.S. degree from the Department of Computer Science and Information ngineering of Tunghai University, Taiwan in 1989, and received his M.S. and Ph.D. degrees from the same department of the National Central University and National Taiwan University in 1991 and 1997, respectively. He is an I member, and currently a professor of the Department of Computer Science and Information ngineering at the Ming Chuan University, Taoyuan, Taiwan. His research interests include network security, intrusion detection/prevention, malware detection, mobile ad hoc networks, VoIP security and wireless sensor networks. Chung-Chun Chen received the M.S. degree in 011, from the Department of Computer Science and Information ngineering of Ming Chuan University, Taoyuan, Taiwan. His research interests are in the areas of network security, SIP security, and intrusion detection and prevention. 015 ACADMY PUBLISHR