Problems of SIP Flooding Attacks Anomaly Detection Algorithms
The International Conference on Electrical Engineering
Article 80, Volume 7, 7th International Conference on Electrical Engineering ICEENG 2010, May 2010, Page 1-14
Document Type: Original Article
DOI: 10.21608/iceeng.2010.33241
Authors
H. Al-Allouni [1]; A. Rohiem [2]; M. Hashem [3]; A. El-moghazy [2]
[1] Syrian Armed Forces.
[2] Egyptian Armed Forces.
[3] Ain Shams University, Cairo, Egypt.
Abstract
Session Initiation Protocol (SIP) is vulnerable to a wide variety of Denial of Service (DoS) attacks; flooding is the most common, the most effective, and the easiest to generate. In this paper we present an evaluation study of four well-known anomaly detection algorithms, namely Adaptive Threshold, Cumulative Sum (CUSUM), Non-Parametric Cumulative Sum (NP-CUSUM), and Hellinger Distance (HD). The evaluation is carried out using a simulated traffic dataset. We show that these algorithms suffer from two main problems: the first is called attack masking and the second is adaptation with attack. In attack masking, the attacker sends a preamble followed by the attack. The preamble changes the tuned parameters of the detection algorithm, and these changes mask the attack and keep it undetected. In the second problem, the attacker shifts the detection algorithm's parameters gradually, so that the attack is treated as normal traffic. The paper also shows that the NP-CUSUM and HD algorithms, which use the protocol behavior to detect intrusion, suffer from a third problem: they are very simple to deceive. The attacker simply follows the same protocol behavior, so the related traffic is considered normal and cannot be detected.
Keywords
Session initiation protocol; flooding attacks; denial of service; Anomaly detection; Adaptive Threshold; cumulative sum; non parametric cumulative sum; Hellinger distance
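The "adaptation with attack" problem from the abstract can be reproduced against an adaptive-threshold detector in a few lines, which gives a defender a quick way to test chosen parameters. This is an added example, not code from the paper: the EWMA form of the detector, the values of `ALPHA`, `BETA` and `K`, and every traffic count are assumptions constructed for illustration.

```python
# Added example: adaptive-threshold detector (EWMA baseline) over constructed
# per-interval SIP INVITE counts. ALPHA, BETA, K and all counts are assumptions.

ALPHA = 0.5  # alarm when a count exceeds (1 + ALPHA) * baseline
BETA = 0.9   # EWMA memory factor used to re-tune the baseline
K = 3        # consecutive violations required before an alarm is raised


def adaptive_threshold(counts, mu0):
    """Return (alarm_intervals, final_baseline) for a series of counts."""
    mu, streak, alarms = mu0, 0, []
    for n, x in enumerate(counts):
        streak = streak + 1 if x > (1 + ALPHA) * mu else 0
        if streak >= K:
            alarms.append(n)
        # The baseline learns from every sample, attack samples included.
        mu = BETA * mu + (1 - BETA) * x
    return alarms, mu


def ramp(start, end, growth):
    """Constructed series rising from start to end by `growth` per interval."""
    series, rate = [], float(start)
    while rate < end:
        rate = min(float(end), rate * growth)
        series.append(round(rate))
    return series


NORMAL = [100] * 20                                   # constructed steady load
ABRUPT = NORMAL + [400] * 10                          # 4x load arrives at once
GRADUAL = NORMAL + ramp(100, 400, 1.03) + [400] * 10  # same 4x load, reached slowly

if __name__ == "__main__":
    for name, series in (("abrupt", ABRUPT), ("gradual", GRADUAL)):
        alarms, mu = adaptive_threshold(series, mu0=100.0)
        print(f"{name:8s} alarms={alarms} final_baseline={mu:.0f}")
```

Both series end at the same 400 counts per interval, but only the abrupt one raises alarms, and those stop once the baseline has absorbed the new rate.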