SIP Malformed Msg Detection
SIP messages can be considered "good" or "bad" depending on whether their structure and content are deemed acceptable or not. A "good" message is simply a valid SIP message that can be correctly interpreted by its recipient. "Bad" SIP messages can be divided into three groups: malformed, crooked, and malicious messages. Malformed messages are those that are simply syntactically wrong. Crooked messages are those that, while syntactically correct, have no meaning, cannot be interpreted, are ambiguous, lead to a deadlock, etc. Finally, malicious messages are those that are correct and meaningful but will harm the system: normally these are forged on purpose, but they can also be the outcome of malfunctioning devices or of badly implemented instances of the protocol or, more likely, of its extensions.
We have implemented "SIP_LEX", a classifier, to detect "bad" SIP messages. Details about the classifier are given below.
SIP_LEX - Message level SIP Anomaly Detection System
SIP_LEX (SIP Malformed Message Detection System) is capable of achieving high detection accuracy with low processing overhead.
The system includes:
- SIP-Parser - A stand-alone application which represents SIP messages as parse tree structures. After representing incoming SIP messages as trees, SIP-Parser applies tree kernel methods over the parse trees and converts the structured SIP messages into feature vectors.
- Classifier - After SIP-Parser has represented the incoming SIP messages as feature vectors, a classification algorithm categorizes them into malformed and well-formed groups. Support Vector Machines are very efficient for classification. Here, we have used LibSVM, a widely used support vector machine library which ensures efficient and fast classification of input data.
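The pipeline described above (parse tree, tree-kernel features, LibSVM input line), as an added sketch that is not SIP_LEX's own code. The grammar, the depth-1 fragment kernel, the hashed feature indices and the numeric label are assumptions made for illustration, and the sample messages are constructed.

```python
import re
import zlib
from collections import Counter

# Constructed sample request, trimmed to a few headers (not from SIP_MSG.txt).
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776\r\n"
        "From: <sip:alice@example.com>;tag=1928\r\n"
        "To: <sip:bob@example.com>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n\r\n")
# Malformed variant: bad version token and a header missing its colon.
BAD = GOOD.replace("SIP/2.0\r\n", "SIP/2.0.0\r\n").replace("CSeq:", "CSeq")

REQUEST_LINE = re.compile(r"([A-Z]+) (sips?:\S+) (SIP/\d\.\d)")
HEADER = re.compile(r"([A-Za-z-]+)[ \t]*:[ \t]*(\S.*)")

def parse_tree(msg):
    """Return (label, children) tuples; unparsable lines become ERROR leaves."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    start = ("start-line", [("method", []), ("uri", []), ("version", [])]
             if REQUEST_LINE.fullmatch(lines[0]) else [("ERROR", [])])
    headers = []
    for line in lines[1:]:
        h = HEADER.fullmatch(line)
        headers.append(("header", [(h.group(1).lower(), []), ("value", [])] if h
                        else [("ERROR", [])]))
    return ("message", [start] + headers)

def productions(tree):
    """Count depth-1 fragments 'parent -> child child ...' over the whole tree."""
    label, children = tree
    counts = Counter()
    if children:
        counts[label + " -> " + " ".join(c[0] for c in children)] += 1
        for child in children:
            counts += productions(child)
    return counts

def tree_kernel(t1, t2):
    """Kernel value = number of matching fragment pairs (dot product of counts)."""
    p1, p2 = productions(t1), productions(t2)
    return sum(n * p2[frag] for frag, n in p1.items())

def libsvm_line(label, tree, dim=4096):
    """Hash fragments to 1-based indices and emit a sparse 'label idx:val' line."""
    vec = Counter()
    for frag, n in productions(tree).items():
        vec[zlib.crc32(frag.encode()) % dim + 1] += n
    return f"{label} " + " ".join(f"{i}:{v}" for i, v in sorted(vec.items()))
```

The malformed variant shares fewer fragments with the well-formed message than the message shares with itself, which is the separation an SVM trained on such vectors relies on.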
SIP Malformed Message Detection System can be found below:
Download & Install SIP_LEX
The compressed file Malformed-Message-Detection.tar.gz contains :
- Script 'SIP-Malformed-Msg-Detection.sh'
- Jar file of SIP-Parser 'TreeKernel-SIPmalformedmsgdetection.jar'. The input of SIP-Parser is a .txt file of SIP messages. A sample text file named 'SIP_MSG.txt' is available under the folder 'Incoming SIP Message'. The output of this application is 'Test_Data.dat', which contains the vectors of the SIP messages in the input file 'SIP_MSG.txt'. The output file 'Test_Data.dat' is written to the same directory as the .jar file, and each line of the output file represents one SIP message.
- Support Vector Library LibSVM 'libsvm-3.11.tar.gz' and the training data 'Training_Data.dat' for training the classifier.
After downloading Malformed-Message-Detection.tar.gz, users need to untar it.
Malformed message classification can be done by running the script "SIP_Malformed_Msg_Det.sh". The output of the script is 'SIP-Output.dat', which contains the classification results.
The running steps:
- Before running the script 'SIP_Malformed_Msg_Det.sh', users need to set the PATH variable for compiling the SVM tool, LibSVM : export PATH=$PATH:"...../SIP-Malformed-Msg-Detection/libsvm-3.11"
- Set the PATH variable for SIP-Parser : PATH=$PATH:"..../SIP-Malformed-Msg-Detection"
- Set the PATH variable for the script : export PATH=$PATH:"Location of the script"
- Set the script's access permissions : chmod 744 SIP_Malformed_Msg_Det.sh
- Run the script : ./SIP_Malformed_Msg_Det.sh