Raihana Ferdous

Research Projects


Message Level SIP Anomaly Detection

The Session Initiation Protocol (SIP) is at the root of many session-based applications, such as VoIP and media streaming, that are used by a growing number of users and organizations. The increasing availability and use of such applications calls for careful attention to the possibility of transferring malformed, incorrect, or malicious SIP messages, as they can cause problems ranging from relatively innocuous disturbances to full-blown attacks and frauds. To this end, SIP messages are analyzed and classified as "good" or "bad" depending on whether their structure and content are deemed acceptable or not. A classifier of SIP messages is developed that is based on a two-stage filter. The first stage uses a straightforward lexical analyzer to detect and remove all messages that are lexically incorrect with reference to the grammar defined by the protocol standard. The second stage uses a machine learning approach based on a Support Vector Machine (SVM) to analyze the structure of the remaining syntactically correct messages in order to detect semantic anomalies, which are deemed a strong indication of a possibly malicious message.

Details about the SIP Malformed Message Detection System are found here.
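As an illustration of the first stage described above, the following sketch checks a message against a small subset of the RFC 3261 grammar. It is an added example, not the project's analyzer; the function name `lexical_errors`, the choice of checked headers, and the sample messages are assumptions constructed for this page.

```python
import re

# Subset of the RFC 3261 grammar; a full lexer would cover every header's ABNF.
TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
REQUEST_LINE = re.compile(rf"({TOKEN}) (\S+) SIP/2\.0")
STATUS_LINE = re.compile(r"SIP/2\.0 [1-6][0-9]{2} .*")
HEADER = re.compile(rf"({TOKEN})[ \t]*:[ \t]*(.*)")
URI = re.compile(r"(sips?|tel):[^\s<>\"]+", re.I)
CSEQ = re.compile(rf"[0-9]+[ \t]+{TOKEN}")
DIGITS = re.compile(r"[0-9]+")
NUMERIC_HEADERS = {"content-length", "l", "max-forwards"}


def lexical_errors(raw: str) -> list[str]:
    """Return the lexical violations in one SIP message (empty list = pass)."""
    head = raw.split("\r\n\r\n", 1)[0]          # start line + headers only
    lines = head.split("\r\n")
    errors = []
    req = REQUEST_LINE.fullmatch(lines[0])
    if req:
        if not URI.fullmatch(req.group(2)):
            errors.append("bad Request-URI")
    elif not STATUS_LINE.fullmatch(lines[0]):
        errors.append("bad start line")
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):             # folded continuation line
            continue
        m = HEADER.fullmatch(line)
        if not m:
            errors.append(f"bad header line: {line!r}")
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "cseq" and not CSEQ.fullmatch(value):
            errors.append("bad CSeq")
        elif name in NUMERIC_HEADERS and not DIGITS.fullmatch(value):
            errors.append(f"bad {name}")
    return errors


# Constructed sample messages (not captured traffic).
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
        "Max-Forwards: 70\r\n"
        "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Length: 0\r\n\r\n")
BAD = ("INVITE sip:bob@example.com SIP/2.0\r\n"
       "Via SIP/2.0/UDP pc33.example.com\r\n"   # missing colon
       "CSeq: abc INVITE\r\n"                   # non-numeric sequence number
       "Content-Length: -5\r\n\r\n")            # negative length

if __name__ == "__main__":
    print(lexical_errors(GOOD), lexical_errors(BAD))
```

Messages for which the list is empty would be passed on to the second-stage classifier; the rest are dropped at this point.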

Traffic Analysis and user behavior modeling

In-depth knowledge of network behavior is a primary requirement for designing and tuning any attack or anomaly detection system. In the context of VoIP, traffic analysis plays a very significant role. With this in mind, we have analyzed traces captured from a reliable SIP-based VoIP network. Machine learning techniques are used to classify the trace.

Details about traffic analysis and classification are found here.

SIP message Generator

Performance evaluation of our SIP Anomaly Detection system relies on large-scale SIP traces (the individual SIP request/response messages exchanged in a session). However, reliable real-world VoIP traces are not always available, as VoIP providers are not willing to distribute their data due to user privacy agreements. Moreover, VoIP traces with attack information are not very common. Considering this situation, we developed a synthetic generator, 'SIP-Msg-Gen', for generating SIP traces.

Details about the SIP message generator are found here.

VoIPTG-VoIP Traffic Generator

VoIP Traffic Generator is a flexible and generic synthetic traffic generator. It can generate traffic following all the possible models of a VoIP system, with special attention to characterizing the more sophisticated user behavior in the system. VoIPTG is able to emulate real-world VoIP traffic, including both normal and attack traces.

Details about VoIPTG are found here.