SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree

Voice over IP (VoIP) services have become prevalent lately because of their potential advantages such as economic efficiency and useful features. Meanwhile, Session Initiation Protocol (SIP) is being widely used as a session protocol for the VoIP services. Many mobile VoIP applications have recently been launched, and they are becoming attractive targets for attackers to steal private information. In particular, mal-formed SIP messages and SIP flooding attacks are the most significant attacks as they cause service disruption by targeting call procedures and system resources. Although much research has been conducted in an effort to address the problems, they remain unresolved challenges due to the ease of launching variants of attacks. In this paper, we propose a stateful SIP inspection mechanism, called SIP–VoIP Anomaly Detection (SIPAD), that leverages a SIP-optimized data structure to detect malformed SIP messages and SIP flooding attacks. SIPAD precomputes the SIP-optimized data structure (termed a stateful rule tree) that reorganizes the SIP rule set by hierarchical correlation. Depending on the current state and the message type, SIPAD determines the corresponding branches from the stateful rule tree, and inspects a SIP message's structure by comparing it to the branches. The SIP-optimized rule tree provides higher detection accuracy, wider detection coverage and faster detection than existing approaches. Conventional SIP inspection schemes tend to have high overhead costs due to the complexity of their rule matching schemes. Experimental results of our SIP-optimized approach, by contrast, indicate that it dramatically reduces overhead and can even be deployed in resource-constrained environments such as smartphones. As the Internet is becoming more popular, Voice over IP (VoIP), also called Internet telephony, has become a promising communication medium owing to its economical rates and additional features such as video conversation, SMS, and messenger services. At the same time, VoIP services are facing both known and unknown security threats, as indicated by several studies on VoIP security [1–3]. Two main VoIP session protocols, SIP and H.323, are typically used to establish and terminate a call. SIP is mostly chosen due to its simpler connection process and easier implementation for the Internet [4]. Because of its ease of implementation, the number of SIP–VoIP applications available for mobile phones (e.g., Android and iPhone applications) is rapidly increasing, so that Juniper Research [5] forecasts that the number of mobile VoIP users will reach 640 million by 2016. While SIP–VoIP services are getting popular, they are also becoming attractive targets …