Raihana Ferdous

Home      |      Research Activity      |      Publications      |      Contact
Research Projects

SIP Malformed Msg Detection    |    Traffic Analysis and user behavior modeling    |    VoIP Traffic Generator    |    SIP message Generator

SIP messages

SIP messages can be considered as "good" or "bad" depending on whether this structure and content are deemed acceptable or not. A "good" message is simply a valid SIP message that can be correctly interpreted by its recipient. While, "bad" SIP messages can be divided into three groups : malformed, crooked, and malicious messages. Malformed messages are those that simply are syntactically wrong. Crooked messages are those that, while syntactically correct, have no meaning, cannot be interpreted, are ambiguous, or lead to a deadlock, etc. Finally, malicious messages, are those that are correct and meaningful, but will harm the system: normally these are forged on purpose, but they can also be the outcome of malfunctioning devices, badly implemented instances of the protocol or, more likely, of its extensions. We have implemented "SIP_LEX", a classifier, to detect "bad" SIP messages. Details about the classifier is found below.

SIP_LEX - Message level SIP Anomaly Detection System

SIP_LEX (SIP Malformed Message Detection System) is capable of achieving high detecting accuracy with low processing overhead. The system includes:

  1. SIP-Parser - A stand alone application which represents SIP messages into parse tree structures. After representation of incoming SIP messages into tree structure, SIP-Parser applies tree kernel methods over parse trees and represents structured SIP messages into feature vectors.
  2. Classifier- After representing incoming SIP messages into feature vectors using SIP-Parser, classification algorithm is used for categorizing SIP messages into malformed and well-formed groups. Support Vector Machines are very efficient for classification. Here, we have used LibSVM, an widely used support vector machine library which ensures efficient and fast classification of input data.

    SIP Malformed Message Detection System can be found below:

    Name Description Download
    SIP_LEXSIP Parser, LibSVM library & Sample DataMalformed-Message-Detection.tar.gz
    Documentation SIP_LEXDocumentationSIP Malformed Msg Detection.pdf
    SIP-Malformed-Msg-Detection.shScript for detecting Malformed messagesSIP-Malformed-Msg-Detection.sh
    Sample Data FileSample SIP messagesSample.tar.gz

    Download & Install SIP_LEX

    The compressed file Malformed-Message-Detection.tar.gz contains :

    1. Script 'SIP-Malformed-Msg-Detection.sh'
    2. Jar file of SIP-Parser 'TreeKernel-SIPmalformedmsgdetection.jar'. Input of SIP-Parser is a .txt file named with SIP messages. A sample text file named 'SIP_MSG.txt' is available under folder 'Incoming SIP Message'. Output of this application is 'Test_Data.dat' which contains the vectors of SIP messages of input file 'SIP_MSG.txt'. Output file 'Test_Data.dat' is found in the same directory where the .jar file exists and each line of the output file indicates a SIP message.
    3. Support Vector Library LibSVM 'libsvm-3.11.tar.gz', training data 'Training_Data.dat' for learning the classifier.

    After downloading Malformed-Message-Detection.tar.gz, users need to untar it.

    Run Script

    Malformed message classification can be done by running the script "SIP_Malformed_Msg_Det.sh". Output of the script is 'SIP-Output.dat' which contains the classification results. The running steps:

    1. Before running script 'SIP_Malformed_Msg_Det.sh', users need to set path variable for compiling svm tool, LibSVM : export PATH=$PATH:"...../SIP-Malformed-Msg-Detection/libsvm-3.11"
    2. Set PATH variable for SIP-Parser : PATH=$PATH:"..../SIP-Malformed-Msg-Detection"
    3. Set PATH variable - export PATH=$PATH:"Location of the script"
    4. Define access : chmod 744 SIP_Malformed_Msg_Det.sh
    5. Run script : ./SIP_Malformed_Msg_Det.sh