SFADS

A SIP flooding attack detection scheme with the internal and external detection features in IMS networks

Qibo Sun, Shangguang Wang, Ning Lu, Kok Seng Wong, Myung Ho Kim

Research output: Contribution to journal › Article

Abstract

IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture. It takes Session Initiation Protocol (SIP) as the core signaling protocol of IMS and NGN. With the widespread deployment of IMS networks, SIP flooding attacks are becoming a major threat to IMS networks. However, the existing SIP flooding attack detection schemes are inefficient at detecting low-rate SIP flooding attacks and suffer from poor recovery when detecting high-rate SIP flooding attacks. In this paper, we propose a novel SIP flooding attack detection scheme with the internal and external detection features in IMS networks, called SFADS (SIP flooding attack detection scheme). In SFADS, based on the analysis of SIP flooding attacks, we first extract the abrupt change in SIP session requests as the external detection feature, and the abnormal abrupt change in the difference between the sequence of legitimate SIP session establishment and the SIP session request messages as the internal detection feature. Then we use the improved cumulative sum control chart algorithm to analyze the two detection features. Finally, we take the analysis data as inputs and adopt Fuzzy Logic to detect SIP flooding attacks. To investigate the detection performance of the proposed SFADS, we conduct simulations with a prototype implementation in an IMS network testbed. Simulation results show that the performance of the proposed SFADS is better than that of other schemes.

Original language: English
Pages (from-to): 1327-1338
Number of pages: 12
Journal: Journal of Internet Technology
Volume: 17
Issue number: 7
DOIs: 10.6138/JIT.2016.17.7.20141009
Publication status: Published - Jan 1 2016

Fingerprint

Network protocols
Testbeds
Fuzzy logic
Recovery

Keywords

  • Cumulative sum control chart
  • Detection feature
  • Fuzzy logic
  • IMS network
  • SIP flooding attacks

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

SFADS: A SIP flooding attack detection scheme with the internal and external detection features in IMS networks. / Sun, Qibo; Wang, Shangguang; Lu, Ning; Wong, Kok Seng; Kim, Myung Ho.

In: Journal of Internet Technology, Vol. 17, No. 7, 01.01.2016, p. 1327-1338.

@article{175170497aef4f4d9269567c78252f78,
title = "SFADS: A SIP flooding attack detection scheme with the internal and external detection features in IMS networks",
abstract = "IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture. It takes Session Initiation Protocol (SIP) as the core signaling protocol of IMS and NGN. With the widespread deployment of IMS networks, SIP flooding attacks are becoming a major threat to IMS networks. However, the existing SIP flooding attack detection schemes are inefficient at detecting low-rate SIP flooding attacks and suffer from poor recovery when detecting high-rate SIP flooding attacks. In this paper, we propose a novel SIP flooding attack detection scheme with the internal and external detection features in IMS networks, called SFADS (SIP flooding attack detection scheme). In SFADS, based on the analysis of SIP flooding attacks, we first extract the abrupt change in SIP session requests as the external detection feature, and the abnormal abrupt change in the difference between the sequence of legitimate SIP session establishment and the SIP session request messages as the internal detection feature. Then we use the improved cumulative sum control chart algorithm to analyze the two detection features. Finally, we take the analysis data as inputs and adopt Fuzzy Logic to detect SIP flooding attacks. To investigate the detection performance of the proposed SFADS, we conduct simulations with a prototype implementation in an IMS network testbed. Simulation results show that the performance of the proposed SFADS is better than that of other schemes.",
keywords = "Cumulative sum control chart, Detection feature, Fuzzy logic, IMS network, SIP flooding attacks",
author = "Qibo Sun and Shangguang Wang and Ning Lu and Wong, {Kok Seng} and Kim, {Myung Ho}",
year = "2016",
month = "1",
day = "1",
doi = "10.6138/JIT.2016.17.7.20141009",
language = "English",
volume = "17",
pages = "1327--1338",
journal = "Journal of Internet Technology",
issn = "1607-9264",
publisher = "Taiwan Academic Network Management Committee",
number = "7",

}

TY - JOUR

T1 - SFADS

T2 - A SIP flooding attack detection scheme with the internal and external detection features in IMS networks

AU - Sun, Qibo

AU - Wang, Shangguang

AU - Lu, Ning

AU - Wong, Kok Seng

AU - Kim, Myung Ho

PY - 2016/1/1

Y1 - 2016/1/1

N2 - IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture. It takes Session Initiation Protocol (SIP) as the core signaling protocol of IMS and NGN. With the widespread deployment of IMS networks, SIP flooding attacks are becoming a major threat to IMS networks. However, the existing SIP flooding attack detection schemes are inefficient at detecting low-rate SIP flooding attacks and suffer from poor recovery when detecting high-rate SIP flooding attacks. In this paper, we propose a novel SIP flooding attack detection scheme with the internal and external detection features in IMS networks, called SFADS (SIP flooding attack detection scheme). In SFADS, based on the analysis of SIP flooding attacks, we first extract the abrupt change in SIP session requests as the external detection feature, and the abnormal abrupt change in the difference between the sequence of legitimate SIP session establishment and the SIP session request messages as the internal detection feature. Then we use the improved cumulative sum control chart algorithm to analyze the two detection features. Finally, we take the analysis data as inputs and adopt Fuzzy Logic to detect SIP flooding attacks. To investigate the detection performance of the proposed SFADS, we conduct simulations with a prototype implementation in an IMS network testbed. Simulation results show that the performance of the proposed SFADS is better than that of other schemes.

KW - Cumulative sum control chart

KW - Detection feature

KW - Fuzzy logic

KW - IMS network

KW - SIP flooding attacks

UR - http://www.scopus.com/inward/record.url?scp=85010650777&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85010650777&partnerID=8YFLogxK

U2 - 10.6138/JIT.2016.17.7.20141009

DO - 10.6138/JIT.2016.17.7.20141009

M3 - Article

VL - 17

SP - 1327

EP - 1338

JO - Journal of Internet Technology

JF - Journal of Internet Technology

SN - 1607-9264

IS - 7

ER -