Analysis and Deterrence of Threats on SIP
Narendra M.Shekokar Page 97
Chapter 8
Adaptive Intrusion Detection System
In this era of globalization, enterprises find VoIP systems to be the cheapest and most preferred
option. However, enterprises are often unaware of how vulnerable they are to the ever increasing
threats on the Internet. Being a real-time service, VoIP is especially susceptible to Denial-of-Service
(DoS). These DoS attacks have cost many high profile organizations millions of dollars. It is
necessary to identify the nature and behavior of these attacks in order to protect VoIP systems in the
future. In the following sections, we discuss some of these DoS attacks.
8.1 DoS attack on VoIP system
The easiest way to launch Denial of Service (DoS) attacks on a SIP proxy server is to flood it
with a large number of unwanted call requests. As a result, its resources (internal memory buffers,
CPU and bandwidth) are exhausted and it is unable to provide service even to legitimate users.
The resources required depend on whether the SIP server is configured in stateless or stateful
mode and on whether it uses authentication [56].
Moreover, SIP is also prone to malformed message attacks, in which attackers generate non-
standard SIP messages that are intelligently crafted to exploit vulnerabilities in the SIP parser or
a poor implementation of a SIP server. Using a malformed packet, an imposter can overflow
specific string buffers, add a large number of token characters and modify fields in an illegal fashion.
As a result, the server is tricked into reaching an undefined state, which can lead to call processing
delays, unauthorized access and a complete denial of service. We also show how a single intelligently
crafted malformed message, or a flood of such messages, can crash a server. We call it Invite of Death [57].
In the next section, we discuss various DoS attacks on VoIP systems.
8.1.1 Invite Flooding
Overwhelming a victim's capacity by flooding it with malicious traffic is the most basic and
probably also the most difficult to handle DoS attack. A potential attacker can generate flooding
attacks with SIP INVITE messages to quickly exhaust the victim's resources. Different SIP proxy
implementations vary in the processing speed of crucial tasks, including message parsing, verifying
the MD5 hash values in the authentication procedure and additional communication with other
servers such as DNS servers. Thus, a SIP proxy with slower request processing capabilities is naturally
more predisposed to brute force attacks. All SIP flooding attacks can be launched from one source or
from many sources, as in DDoS, where multiple zombies target a single victim. By using a fast stream of
INVITE messages with different session identifiers such as To, From or Call-ID, it is possible to
exhaust the memory of the attacked proxy. Figure 8.1 demonstrates a SIP INVITE flood.
Figure 8.1 Invite Flooding Attack
8.1.2 BYE Attack
VoIP calls are terminated by one of the call participants sending a SIP BYE request. Many
VoIP application servers and clients will process a BYE request without requiring authentication.
This means that it is easy to construct a BYE request and send it to the application server, which
will then terminate the call. The user agent that receives the faked BYE message will immediately
stop sending RTP packets, whereas the other user agent will continue sending its RTP packets. The BYE
attack is common in VoIP environments and is considered a Denial of Service (DoS) attack [58].
The malformed BYE message is sent during the RTP exchange to terminate the call. Figure 8.2 shows
the SIP BYE attack.
[Figure 8.1 diagram (INVITE flooding): UA1, Proxy Server and UA2; a stream of Invite requests is forwarded through the proxy to UA2, followed by Ringing and Ok responses]
Figure 8.2 SIP Bye Attack
8.1.3 Cancel Attack
During the call setup between UA1 (User 1) and UA2 (User 2), an attacker sends a crafted SIP packet
with a "CANCEL" request to Proxy2, which in turn cancels UA1's "INVITE" request, ceasing the
call setup process [59]. This attack is generated during session initiation. Figure 8.3 shows the SIP
CANCEL attack.
Figure 8.3: SIP Cancel Attack
[Figure 8.3 diagram (CANCEL attack): Proxy1, UA 1, Proxy2, Attacker, UA 2; 1: INVITE, 2: INVITE, 3: TRYING (100), 4: INVITE, 5: TRYING (100); the attacker's CANCEL requests are relayed through the proxies, and after receiving the CANCEL message UA1's session is terminated]
[Figure 8.2 diagram (BYE attack): Proxy1, UA 1, Proxy2, Attacker, UA 2; 1: INVITE, 2: INVITE, 3: TRYING (100), 4: INVITE, 5: TRYING (100), 6: RINGING (180), 7: RINGING (180), 8: RINGING (180), 9: OK (200), 10: OK (200), 11: OK (200), 12: ACK, RTP Session; the attacker's BYE Message terminates the VoIP session]
8.2 Types of IDS
IDS are categorized into two types: host-based and network-based. A host-based IDS monitors,
audits, logs and generates alerts for attacks on an individual system, while a network-based IDS has
sensors throughout the network [60]. Based on the detection mechanism, IDS are further classified
into misuse detection and anomaly detection [60, 61].
8.2.1 Misuse detection
It is based on the characteristics of known attacks or system vulnerabilities, which are also
called signatures. Any action that matches a signature is considered intrusive [60]. The main
issues in misuse detection are how to build signatures that cover the possible signatures of attacks, or
how to build a signature that includes all possible variations of the relevant attack, in order to avoid
false negatives.
8.2.2 Anomaly detection
It is based on the normal behavior of a subject (e.g., a user or a system); any action that
significantly deviates from the normal behavior is considered intrusive, or at least suspicious [60].
The most significant strength of the anomaly detection approach is that it does not require prior
knowledge of the security flaws of the target systems. Thus, it is able to detect not only known
intrusions but also unknown ones [62, 61]. As a consequence, suspicious intrusive activities of
legitimate users or masqueraders are easily detected without breaking the security policy [60].
Approaches for anomaly detection
Anomaly detection in IDS is developed using one of the following approaches, or a combination
of them:
Threshold detection: detecting abnormal activity on a server or network, for example
abnormal consumption of the CPU on one server [63].
Statistical measures: statistical models are employed in this type of IDS to learn from
historical values. Some of the statistical models used are the mean and standard deviation [63].
Rule-based measures: rule-based analysis relies on sets of predefined rules that are provided
by an administrator, automatically created by the system, or both [63]. Expert systems are the
most common form of rule-based intrusion detection approaches.
Non-linear algorithms: here soft computing techniques such as neural networks and genetic
algorithms are used [64].
8.3 Proposed IDS
During the literature survey, we identified that signature-based, rule-based or known-pattern-
based IDS work on fixed patterns; these IDS are non-adaptive in nature and are more prone to false
positives and false negatives. To detect DoS attacks in VoIP systems, we have proposed an IDS
based on a fusion of Artificial Neural Networks (ANN) and fuzzy logic; our proposed IDS is adaptive
in nature.
A salient feature of ANN is their learning ability. They learn by adaptively updating the
synaptic weights that characterize the strength of the connections. The weights are updated
according to the information extracted from new training patterns. Here we list a few
reasons for using the ANN and fuzzy approach.
A neural network is capable of analyzing data from the network even if the data is
incomplete or unclear. Similarly, the network possesses the ability to analyze data in a
non-linear fashion [40].
Some attacks may be launched in a coordinated fashion from multiple sources; the neural
network has the ability to process data from multiple sources in a non-linear fashion [40].
It is highly scalable compared to other IDS techniques [65].
It helps to reduce the false positive and false negative error rates. The false positive rate
counts false alarms and the false negative rate counts missed intrusions [66].
Compared to other detection techniques, the NN approach gives better results on unseen and
noisy input.
In the proposed solution, fuzzy logic helps us to decide the severity of an attack.
The neural network is used to learn about new threats, while the fuzzy system decides the severity of
the attack. A combined approach of neural network and fuzzy approximation will greatly reduce
the false alarms. Our proposed IDS system will reside on a proxy server.
Figure 8.4 Architecture of Proposed Framework
[Figure 8.4 diagram: Caller (UA1) and Callee (UA2) exchange Session Initiation Messages through the Proxy Server, on which the IDS resides; RTP flows between caller and callee]
As given in Figure 8.4, all session initiation messages pass through the proxy. The detailed
architecture of the proposed IDS is given in Figure 8.5.
Figure 8.5 Architecture of ANN based IDS
[Figure 8.5 diagram: Input (Training/Testing), Processing (Neural Network, Fuzzy System, Fuzzy Rule), Attack Severity, Feedback Analysis]
The proposed IDS components are explained below.
8.3.1 Dataset for training/testing
In the proposed IDS, the training/testing dataset is generated by using various attacking tools.
We attacked the VoIP system by using the Invite Flooder attacking tool. This tool changes field
values (the Via branch tag, the From tag, the Call-ID) of the SIP message. A change in these values
influences the targeted UA server to interpret each INVITE message as an independent call dialog
initiation event.
The Teardown tool is used to generate malformed messages such as SIP BYE and SIP CANCEL messages
by modifying the SIP payload. These tools carry out the said attacks by obtaining the source IP address,
source port number, destination IP address and destination port number. After gathering the necessary
information, a SIP request is constructed in which the Via branch tag, the From tag, the To tag and the
Call-ID are added, and it is sent to the victim machine.
For capturing packets in a real-time environment, we have used the JPCAP and WINPCAP tools.
JPCAP provides facilities to:
Capture raw packets live from the wire.
Save captured packets to an offline file, and read captured packets from an offline file.
Automatically identify packet types and generate corresponding Java objects.
Filter the packets according to user-specified rules before dispatching them to the application.
Send raw packets to the network.
WINPCAP is the industry-standard tool which allows applications to capture and transmit
network packets bypassing the protocol stack, and has additional useful features, including kernel-
level packet filtering, a network statistics engine and support for remote packet capture. The
record set extracted by the tool is stored in a database which is used to train our proposed system.
8.3.2 Preprocessing
This section describes how the dataset is used for our experiment. The dataset is preprocessed
before being given as input to the developed system. The dataset consists of numeric and symbolic
features of the message fields; during preprocessing the symbolic features are converted into numeric
form so that they can act as inputs to our neural network. The proposed IDS extracts 14 features from
the attack-generated traffic, after which a numeric value is assigned to each of them. This modified
dataset is then ready to be used for training and testing the neural network.
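A preprocessing step of the kind described above, written as an added example (not the thesis's own code): it parses the SIP header fields the chapter names (method, Via branch, From tag, To tag, Call-ID) from constructed sample requests and turns them into a numeric vector. The feature set, the method codes, the sample messages and their addresses are assumptions, not the 14 features used in the thesis.

```python
import re
from collections import defaultdict

# Assumed numeric codes for the symbolic request method (not the thesis's encoding).
METHOD_CODE = {"INVITE": 1, "ACK": 2, "BYE": 3, "CANCEL": 4, "REGISTER": 5, "OPTIONS": 6}
_HEADER = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")

# Constructed sample requests (RFC 5737 documentation addresses, made-up tags).
SAMPLE_INVITE = """INVITE sip:ua2@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-c0ffee01
From: <sip:ua1@example.com>;tag=aa11
To: <sip:ua2@example.com>
Call-ID: call-0001@192.0.2.10
CSeq: 1 INVITE
"""
# A BYE for that dialog arriving from an address that never opened it.
SAMPLE_BYE = """BYE sip:ua2@example.com SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-d00d0002
From: <sip:ua1@example.com>;tag=aa11
To: <sip:ua2@example.com>;tag=bb22
Call-ID: call-0001@192.0.2.10
CSeq: 2 BYE
"""


def parse_request(raw):
    """Return (method, headers) for a raw SIP request; header names are lowercased."""
    lines = raw.strip().splitlines()
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header section
        m = _HEADER.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return method, headers


def header_param(value, name):
    """Value of the ';name=...' parameter of a header, or '' when absent."""
    m = re.search(r";\s*" + re.escape(name) + r"=([^;\s]+)", value, re.IGNORECASE)
    return m.group(1) if m else ""


class FeatureExtractor:
    """Remembers the Call-IDs each source address has used, so that a stream of
    INVITEs with ever-changing identifiers from one source becomes a numeric feature."""

    def __init__(self):
        self.calls_by_src = defaultdict(set)

    def features(self, src_ip, raw):
        """Numeric feature vector for one request (assumed feature set)."""
        method, h = parse_request(raw)
        call_id = h.get("call-id", "")
        from_tag = header_param(h.get("from", ""), "tag")
        to_tag = header_param(h.get("to", ""), "tag")
        branch = header_param(h.get("via", ""), "branch")
        known = call_id in self.calls_by_src[src_ip]
        self.calls_by_src[src_ip].add(call_id)
        cseq = h.get("cseq", "0").split()[0]
        return [
            METHOD_CODE.get(method, 0),
            1 if branch.startswith("z9hG4bK") else 0,  # RFC 3261 magic cookie in Via branch
            1 if from_tag else 0,
            1 if to_tag else 0,                        # set once a dialog is established
            1 if known else 0,                         # Call-ID already seen from this source
            len(self.calls_by_src[src_ip]),            # distinct dialogs opened by this source
            int(cseq) if cseq.isdigit() else 0,
        ]
```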
8.3.3 Determining Neural Network
The architecture of our proposed feed forward neural network (FFNN) is given in Figure 8.6.
The proposed system is based on ANN; it is composed of interconnected processing elements (neurons)
working with each other to detect abnormal activity at the proxy server [67].
Figure 8.6 Feed Forward Neural Network
[Figure 8.6 diagram: Input layer, Hidden Layer1, Hidden Layer2 and Output layer (Attack)]
A salient feature of Artificial Neural Networks (ANN) is their learning ability. They learn by
adaptively updating the synaptic weights that characterize the strength of the connections. The weights
are updated according to the information extracted from training patterns. The initial weights were
decided and the learning rate was maintained at 0.8. The proposed FFNN has a 4-layer architecture,
where the input layer consists of 14 neurons, the two hidden layers contain 9 and 6 neurons respectively,
and the output layer contains 1 neuron. There is no precise formula for the selection of hidden
layers; it is decided based on experiment [68].
8.3.4 Training the system
During the training phase of the system, the FFNN uses the Backpropagation algorithm, which works
in two passes: a forward pass and a backward pass.
During the forward pass, each node in the hidden layer gets input from all the nodes of the input layer;
these inputs are multiplied by the appropriate weights and then summed. The output of the hidden node is
a nonlinear transformation of this resulting sum. Similarly, each node in the output layer gets input
from all the nodes of the hidden layer, which are multiplied by the appropriate weights and then
summed. The output values of the output layer are compared with the target output values. The
target output values are used to teach the network. The error between the actual output values and the
target output values is calculated and propagated back toward the hidden layer. This is called the
backward pass of the Backpropagation algorithm. The error is used to update the connection strengths
between nodes (the weight matrices between the input-hidden layers and the hidden-output layers are updated).
In order to achieve the forward phase of the Backpropagation algorithm, an input value (a field value
extracted from the dataset) and weights are assigned to the neuron, and then the weighted sum of all
inputs is computed. Mathematically, the inputs and the corresponding weights are represented as the
vectors $(x_1, x_2, \ldots, x_n)$ and $(w_1, w_2, \ldots, w_n)$. The total input signal is the dot, or inner,
product of these two vectors. The output is represented as below:

$$\text{Output} = \sum_{i=0}^{n-1} x_i w_i + w_n$$

The above equation takes the input values $x_i$ and multiplies them by the weights $w_i$; $w_n$
represents the weight matrix threshold. The output of the above operation is passed through the sigmoid
activation function. The output of the activation function is compared with the target output value, which
gives the error value; according to the error value the neuron weights are adjusted. The activation function is
defined as follows:

$$f(x) = \frac{1}{1 + e^{-x}}$$

To train the neural network, the error must be minimized. To achieve this, the neuron connection
weights and thresholds are modified. We have used the gradient descent method to evaluate the
derivative of the error. Then, using these derivatives, we find weights and thresholds that will
minimize the error function.

$$\Delta w_{ho} = (d_o - y_o)\, y_h$$

where $\Delta w_{ho}$ = differentiable activation function,
$d_o$ = desired output,
$y_o$ = obtained output, $y_h$ = gradient.

$$\text{Increment in weight} = \Delta w_{ho} \cdot \text{input}_{i-1} \cdot \text{weight}$$
8.3.5 Testing the System
Once the IDS is trained completely, the weights of the neural network are frozen and the IDS
performance is evaluated.
Testing of the neural network is carried out in two steps, i.e. the verification step and the recall (or
generalization) step. In the verification step, the neural network is tested against the data which was used
in training. The aim of the verification step is to test how well the trained neural network learned the
training patterns in the training dataset. If a neural network is trained successfully, the outputs produced
by the neural network will be similar to the actual outputs.
In the recall or generalization step, testing is conducted with data which was not used in training.
The aim of the generalization step is to measure the generalization ability of the trained network. Once
an attack is detected, it is passed to the fuzzy system to decide the severity of the attack. We have tested
our IDS using both the verification and generalization methods.
8.3.6 Fuzzy Approximation technique
Recently, several researchers have focused on fuzzy rule learning for effective intrusion detection.
Taking these motivations into consideration, we have used a fuzzy rule-based system to
decide the severity of the attacks detected by the ANN system.
Fuzzy logic is a form of many-valued logic derived from fuzzy set theory to deal
with reasoning that is approximate rather than fixed and exact. In contrast with "crisp logic",
where binary sets have two-valued logic, fuzzy logic variables may have a truth value that ranges in
degree between 0 and 1.
The attack detected by the neural system is provided to the fuzzy logic controller, which
processes user-defined rules governing the system to identify the severity of the attack as trivial,
warning or lethal. A rule set for each of the attack types is defined by us in a separate rule file. We
obtain a defuzzified value for each attack and compare it with the ranges below; accordingly, the
severity of the attack is decided.
if (s >= 0 && s < 5)
    severity = "trivial";
else if (s >= 5 && s < 10)
    severity = "warning";
else if (s >= 10 && s < 15)
    severity = "lethal";
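The network, the backpropagation update and the severity thresholds described in Sections 8.3.3 to 8.3.6, carried through as an added example rather than the thesis's own implementation. It assumes the 14-9-6-1 layout, sigmoid activations and learning rate 0.8 stated above; the training records are constructed toy vectors, and the "undefined" result for scores outside 0 to 15 is an assumption, since the text defines no such case.

```python
import math
import random

LEARNING_RATE = 0.8      # learning rate stated in Section 8.3.3
LAYERS = [14, 9, 6, 1]   # input, hidden layer 1, hidden layer 2, output (attack)


def sigmoid(x):
    """Activation f(x) = 1 / (1 + e^-x); the argument is clamped so exp() cannot overflow."""
    return 1.0 / (1.0 + math.exp(-max(-500.0, min(500.0, x))))


class FFNN:
    """Fully connected sigmoid network. weights[l][j] holds the incoming weights of
    neuron j in layer l+1, with the bias (the w_n threshold term) stored last."""

    def __init__(self, sizes=LAYERS, seed=1):
        rng = random.Random(seed)
        self.weights = [[[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)]
                         for _ in range(n_out)] for n_in, n_out in zip(sizes, sizes[1:])]

    def forward(self, x):
        """Forward pass: activations of every layer, input vector first."""
        acts = [list(x)]
        for layer in self.weights:
            prev = acts[-1]
            acts.append([sigmoid(sum(w * a for w, a in zip(ws, prev)) + ws[-1]) for ws in layer])
        return acts

    def train_step(self, x, target):
        """Backward pass: propagate the output error toward the hidden layers and update
        every weight by gradient descent. Returns the squared error before the update."""
        acts = self.forward(x)
        out = acts[-1][0]
        deltas = [(target - out) * out * (1 - out)]   # (d_o - y_o) times the sigmoid derivative
        for l in range(len(self.weights) - 1, -1, -1):
            prev = acts[l]
            # deltas of the layer below, taken before this layer's weights change
            prev_deltas = [a * (1 - a) * sum(self.weights[l][j][i] * d for j, d in enumerate(deltas))
                           for i, a in enumerate(prev)]
            for j, d in enumerate(deltas):
                ws = self.weights[l][j]
                for i, a in enumerate(prev):
                    ws[i] += LEARNING_RATE * d * a     # increment = rate * delta * input
                ws[-1] += LEARNING_RATE * d            # bias (threshold) update
            deltas = prev_deltas                       # unused once l == 0 (input layer)
        return (target - out) ** 2


def severity(s):
    """Severity of a defuzzified score s, using the ranges given in Section 8.3.6."""
    if 0 <= s < 5:
        return "trivial"
    if 5 <= s < 10:
        return "warning"
    return "lethal" if 10 <= s < 15 else "undefined"   # assumed: the text defines no other case


def make_records(n=60, seed=2):
    """Constructed toy records (not the thesis dataset): attack rows (label 1.0) sit around 0.7."""
    rng = random.Random(seed)
    return [([(0.7 if k % 2 else 0.2) + rng.uniform(-0.15, 0.15) for _ in range(14)], float(k % 2))
            for k in range(n)]


def train_and_evaluate(epochs=150):
    """Train on the toy records, then test on the same data (the verification step of 8.3.5)."""
    net, rows = FFNN(), make_records()
    for _ in range(epochs):
        for x, t in rows:
            net.train_step(x, t)
    return sum((net.forward(x)[-1][0] >= 0.5) == (t == 1.0) for x, t in rows) / len(rows)
```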
8.4 Result Analysis and Conclusion
We have deployed the proposed IDS system on a proxy server. Initially, we train our system
by preparing a dataset from real-time traffic generated using attacking tools.
For experimental evaluation, we first tested the system with the same dataset which was used during
training of the system. First we attempted an INVITE flooding attack on the system, and the IDS was tested in
four rounds of operation with increasing record sets. Table 8.1 shows the detection ratio, false positive
and false negative rates on the INVITE flooding attack; based on the table readings a graph is plotted, which
is shown in Figure 8.7.
Table 8.1 Experimental results during INVITE Flooding are given as below
Iteration No           Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set             300           350           400           450
Detection Ratio (%)    95.69         96.52         97.86         97.98
False Positive (%)     2.33          1.49          0.91          1.04
False Negative (%)     1.98          2.49          1.23          0.98
[Figure 8.7 plot: Detection Ratio per iteration, 1st Itr. to 4th Itr., y-axis from 94.5 to 98.5]
Figure 8.7: Detection ratio (%) on INVITE Flood Attack
The average detection ratio on the INVITE flooding attack is 96.88, while the average false positive and
average false negative rates are 1.44 and 1.67 respectively.
Similarly, we tested the BYE and CANCEL attacks on the same dataset; the experimental results are given in
Table 8.2 and Table 8.3, and according to the table values graphs are plotted, which are shown in Figures 8.8
and 8.9.
Table 8.2 Experimental results during Bye Attack are given as below
Iteration No           Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set             300           350           400           450
Detection Ratio (%)    97.45         97.52         98.34         97.06
False Positive (%)     0.89          2.23          1.40          0.62
False Negative (%)     1.66          0.25          0.26          2.32
[Figure 8.8 plot: Detection Ratio per iteration, 1st Itr. to 4th Itr., y-axis from 96 to 98.5]
Figure 8.8 Detection ratio (%) on BYE Attack
The average detection ratio on the BYE attack is 97.59, while the average false positive and average false
negative rates are 1.28 and 1.12 respectively.
Table 8.3 Experimental results during CANCEL Attack are given as below
Iteration No           Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set             300           350           400           450
Detection Ratio (%)    98.40         96.20         97.50         98.90
False Positive (%)     0.12          0.78          1.40          0.09
False Negative (%)     1.48          3.02          1.1           1.01
Figure 8.9 Detection ratio (%) on Cancel Attack
The average detection ratio on the CANCEL attack is 97.75, while the average false positive and average
false negative rates are 0.59 and 1.65 respectively.
In the second approach, we tested our proposed IDS by capturing traffic generated using the INVITE
flood and teardown tools; based on the obtained results the system performance is evaluated.
Table 8.4 shows the detection ratio, false positive and false negative rates on the INVITE flooding attack;
based on the results the detection ratio graph is plotted, which is shown in Figure 8.10.
Table 8.4 Experimental results during INVITE Flooding are given as below
Iteration No           Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set             300           350           400           450
Detection Ratio (%)    94.23         95.77         95.34         94.82
False Positive (%)     2.74          3.02          2.12          3.86
False Negative (%)     3.03          1.21          2.54          1.32
Figure 8.10 Detection ratio (%) on Invite Flood Attack
The average detection ratio on the INVITE flooding attack is 95.04, while the average false positive and
average false negative rates are 2.39 and 2.02 respectively.
Similarly, we tested the BYE and CANCEL attacks on the new dataset. The experimental results are listed
in Tables 8.5 and 8.6, and according to the readings the detection ratio graphs are plotted and
shown in Figures 8.11 and 8.12.
Table 8.5 Experimental results during BYE Attack are given as below
Iteration No           Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set             300           350           400           450
Detection Ratio (%)    96.23         94.98         97.66         98.00
False Positive (%)     1.34          2.01          1.98          0.34
False Negative (%)     2.43          3.01          0.36          1.66
[Figure 8.11 plot: Detection Ratio per iteration, 1st Itr. to 4th Itr., y-axis from 93 to 98.5]
Figure 8.11 Detection ratio (%) on BYE Attack
The average detection ratio on the BYE attack is 96.71, while the average false positive and average false
negative rates are 1.41 and 1.86 respectively.
Table 8.6 Experimental results during CANCEL Attack are given as below
Iteration No           Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set             300           350           400           450
Detection Ratio (%)    96.80         96.20         96.50         97.00
False Positive (%)     3.00          2.32          1.40          1.76
False Negative (%)     0.20          1.48          2.1           1.24
[Figure 8.12 plot: Detection Ratio per iteration, 1st Itr. to 4th Itr., y-axis from 95.8 to 97.2]
Figure 8.12 Detection ratio (%) on CANCEL Attack
The average detection ratio on the CANCEL attack is 96.62, while the average false positive and average
false negative rates are 2.12 and 1.25 respectively.
Using the adaptive ANN-Fuzzy system, we have successfully detected DoS attacks on a VoIP
system. Initially, we tested our proposed system on the dataset which was used to train the system.
Based on the above readings, the average detection ratio, false positive ratio and false negative ratio on
both datasets are shown in Table 8.7.
Table 8.7 Average detection, false positive and false negative on both datasets is given as below.
Attack Type        Detection Technique             Training Dataset   New Dataset
Invite Flooding    Average Detection Ratio (%)     96.88              95.04
                   Average False Positive (%)      1.44               2.39
                   Average False Negative (%)      1.67               2.02
BYE Attack         Average Detection Ratio (%)     97.59              96.71
                   Average False Positive (%)      1.28               1.41
                   Average False Negative (%)      1.12               1.86
Cancel Attack      Average Detection Ratio (%)     97.75              96.62
                   Average False Positive (%)      0.59               2.12
                   Average False Negative (%)      1.65               1.25
From the above readings it is clear that for the INVITE flooding and BYE attacks, the adaptive IDS
gives a better detection ratio on the training dataset than on the new dataset, but an increase in false
positive and false negative detection is also noticed.
For the CANCEL attack, the detection ratio and false negative ratio are improved, while the false positive
detection ratio is degraded as compared to the training dataset.