detecting denial of service message flooding attacks in sip based services

increasing the popularity of sip based services (voip, iptv, ims infrastructure) lead to concerns about its ‎security. the main signaling protocol of next generation networks and voip systems is session initiation protocol ‎‎(sip). inherent vulnerabilities of sip, misconfiguration of its related components and also its implementation ‎deficiencies cause some security concerns in sip based infrastructures. new attacks are developed that target ‎directly the underlying sip protocol in these related sip setups. to detect such kinds of attacks we combined ‎anomaly-based and specification-based intrusion detection techniques. we took advantages of the sip state machine ‎concept (according to rfc 3261) in our proposed solution. we also built and configured a real test-bed for sip ‎based services to generate normal and assumed attack traffics. we validated and evaluated our intrusion detection ‎system with the dump traffic of this real test-bed and we also used another specific available dataset to have a more ‎comprehensive evaluation. the experimental results show that our approach is effective in classifying normal and ‎anomaly traffic in different situations. the receiver operating characteristic (roc) analysis is applied on final ‎extracted results to select the working point of our system (set related thresholds). ‎