Problems of SIP Flooding Attacks Anomaly Detection Algorithms
Al-Allouni, H., Rohiem, A., Hashem, M., El-moghazy, A. (2010). Problems of SIP Flooding Attacks Anomaly Detection Algorithms. EKB Journal Management System, 7(7th International Conference on Electrical Engineering ICEENG 2010), 1-14. doi: 10.21608/iceeng.2010.33241
H. Al-Allouni; A. Rohiem; M. Hashem; A. El-moghazy. "Problems of SIP Flooding Attacks Anomaly Detection Algorithms". EKB Journal Management System, 7, 7th International Conference on Electrical Engineering ICEENG 2010, 2010, 1-14. doi: 10.21608/iceeng.2010.33241
Al-Allouni, H., Rohiem, A., Hashem, M., El-moghazy, A. (2010). 'Problems of SIP Flooding Attacks Anomaly Detection Algorithms', EKB Journal Management System, 7(7th International Conference on Electrical Engineering ICEENG 2010), pp. 1-14. doi: 10.21608/iceeng.2010.33241
Al-Allouni, H., Rohiem, A., Hashem, M., El-moghazy, A. Problems of SIP Flooding Attacks Anomaly Detection Algorithms. EKB Journal Management System, 2010; 7(7th International Conference on Electrical Engineering ICEENG 2010): 1-14. doi: 10.21608/iceeng.2010.33241

Problems of SIP Flooding Attacks Anomaly Detection Algorithms

The International Conference on Electrical Engineering
Article 80, Volume 7, 7th International Conference on Electrical Engineering ICEENG 2010, May 2010, Page 1-14  XML PDF (465.47 K)
Document Type: Original Article
DOI: 10.21608/iceeng.2010.33241
View on SCiNiTO View on SCiNiTO
Authors
H. Al-Allouni1; A. Rohiem2; M. Hashem3; A. El-moghazy2
1Syrian Armed Forces.
2Egyptian Armed Forces.
3Ain Shams University, Cairo, Egypt.
Abstract
Abstract:
Session Initiation Protocol (SIP) is vulnerable to a wide variety of Denial of Service
(DoS) attacks, flooding is the most common, effective and the easiest to generate one.
In this paper we present an evaluation study to four well-known anomaly detection
algorithms, namely: Adaptive Threshold, Cumulative sum (CUSUM), Non
Parametric Cumulative Sum (NP-CUSUM), and Hellinger Distance (HD). The
evaluation is assisted using simulated traffic dataset. We show that these algorithms
suffer from two main problems, the first is called attack masking and the second is
adaptation with attack. In the attack masking, attacker sends preamble followed by
the attack. The preamble changes the tuned parameters of the detection algorithm,
these changes mask the attack and keep it undetected. Attacker in the second problem
deviates the detection algorithm parameters gradually, in such a way the attack is
considered as normal traffic. The paper also shows that NP-CUSUM and HD
algorithms, which utilize the protocol behavior to detect intrusion, suffer from third
problem, and they are very simple to con. Attacker simply follows the same protocol
behavior, and its related traffic is considered as normal, and cannot be detected.
Keywords
Session initiation protocol; flooding attacks; denial of service; Anomaly detection; Adaptive Threshold; cumulative sum; non parametric cumulative sum; Hellinger distance
Statistics
Article View: 101
PDF Download: 177