Efficient Detection of Attacks in SIP Based VoIP Networks Using Linear l1-SVM Classifier

Waleed Nazih, Yasser Hifny, Wail Elkilani, Tamer Abdelkader, Hossam Faheem


The Session Initiation Protocol (SIP) is one of the most common protocols that are used for signaling function in Voice over IP (VoIP) networks. The SIP protocol is very popular because of its flexibility, simplicity, and easy implementation, so it is a target of many attacks. In this paper, we propose a new system to detect the Denial of Service (DoS) attacks (i.e. malformed message and invite flooding) and Spam over Internet Telephony (SPIT) attack in the SIP based VoIP networks using a linear Support Vector Machine with l1 regularization (i.e. l1-SVM) classifier. In our approach, we project the SIP messages into a very high dimensional space using string based n-gram features. Hence, a linear classifier is trained on the top of these features. Our experimental results show that the proposed system detects malformed message, invite flooding, and SPIT attacks with a high accuracy. In addition, the proposed system outperformed other systems significantly in the detection speed.


Machine learning, Support Vector Machines (SVMs), Session Initiation Protocol (SIP), VoIP attacks

Full Text:



Akbar, A.; Basha, S.M.; Sattar, S.A. et al. (2016). An intelligent SIP message parser for detecting and mitigating DDoS attacks, Int. J. Innov. Eng. Technol, 7(2), 1-7, 2016.

Akbar, M. A.; Farooq, M. (2014). Securing SIP-based VoIP infrastructure against flooding attacks and Spam Over IP Telephony, Knowledge and information systems, 38(2), 491-510, 2014.

Asgharian, H.; Akbari, A.; Raahemi, B. (2015). Feature engineering for detection of Denial of Service attacks in session initiation protocol, Security and Communication Networks, 8(8), 1587-1601, 2015.

Cortes, C.; Vapnik, V. (1995). Support-vector networks, Machine learning, Springer, 20(3), 273-297, 1995.

Cover, T. M. (1965). Geometrical and statistical properties of systems of linear inequalities with applications in pattern recognition, IEEE transactions on electronic computers, 3, 326- 334, 1965.

Fan, R.-E.; Chang, K.-W.; Hsieh, C.-J. et al. (2008). LIBLINEAR: A library for large linear classification, Journal of machine learning research, 1871-1874, 2008.

Ferdous, R. (2012). SIP-Msg-Gen : SIP Message Generator, [Online]. Available: https://github.com/rferdous/SIP-Msg-Gen, Accessed on 8 May 2019.

Friedman, J.; Hastie, T.;Tibshirani, R. (2001). The elements of statistical learning, Springer series in statistics New York, 1(10), 2001.

Hosseinpour, M.; Hosseini Seno, S.A.; Yaghmaee Moghaddam, M.H. et al. (2016). An anomaly based VoIP DoS attack detection and prevention method using fuzzy logic, Telecommunications (IST), 2016 8th International Symposium on. IEEE, 713-718, 2010.

Hsu, C.-W.; Chang, C.-C.; Lin, C.-J. et al. (2003). A practical guide to support vector classification, National Taiwan University, Taipei, 2003 (last updated 2016).

Jurafsky, D.; Martin, J. H. (2014). Speech and language processing, Pearson London, 3-ed, 2019.

Kurt, B. et al. (2018). A Bayesian change point model for detecting SIP-based DDoS attacks, Digital Signal Processing, Elsevier, 77, 48-62, 2018.

Li, H.; Yildiz, C.; Ceritli, T.Y. et al. (2018). A Machine Learning Approach To Prevent Malicious Calls Over Telephony Networks, arXiv preprint arXiv:1804.02566, 2018.

Nassar, M.; State, R.; Festor, O. (2008). Monitoring SIP traffic using support vector machines, International Workshop on Recent Advances in Intrusion Detection, Springer, 311- 330, 2008.

Nassar, M.; State, R.; Festor, O. (2010). Labeled VoIP data-set for intrusion detection evaluation, Meeting of the European Network of Universities and Companies in Information and Communication Engineering, 97-106, 2010.

Packetizer, I. (2011). H. 323 versus SIP: A Comparison, [Online]. Available: http://www.packetizer.com/ipmc/h323_vs_sip, Accessed on December 2018.

Pougajendy, J. and Parthiban, A. R. K. (2017). Detection of SIP-Based Denial of Service Attack Using Dual Cost Formulation of Support Vector Machine, The Computer Journal, Oxford University Press, 60(12), 1770-1784, 2017.

Rieck, K.; Wahl S.; Laskov, P.; Domschitz, P. et al.(2008) A self-learning system for detection of anomalous SIP messages, Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks, Springer, 90-106, 2008.

Rosenberg, J. (2002). SIP: Session Initiation Protocol, IETF RFC 3261, 2002.

Sasaki, Y. (2007). The truth of the F-measure, Teach Tutor mater, 1-5, 2007.

Semerci, M.; Cemgil, A. T.; Sankur, B. (2018). An intelligent cyber security system against DDoS attacks in SIP networks, Computer Networks, Elsevier, 136, 137-154, 2018.

Sparks, R.; Hawrylyshen, A.; Johnston Avaya, A. et al. (2006). Session initiation protocol (SIP) torture test messages, 2006.

Su, M.-Y.: Tsai, C.-H. (2015). Using data mining approaches to identify voice over IP spam, International Journal of Communication Systems, Wiley Online Library, 28(1), 187-200, 2015.

Tang, J.; Cheng, Y.; Hao, Y. (2012). Detection and prevention of SIP flooding attacks in voice over IP networks, INFOCOM, 2012 Proceedings IEEE, 1161-1169, 2012.

Tsiatsikas, Z.; Fakis, A.; Papamartzivanos, D. et al. (2015). Battling against DDoS in SIP: Is Machine Learning-based detection an effective weapon?, 12th International Joint Conference on e-Business and Telecommunications (ICETE), IEEE, 4, 301-308, 2015.

Tsiatsikas, Z., Geneiatakis, D.; Kambourakis, G. et al. (2016). Realtime DDoS Detection in SIP Ecosystems: Machine Learning Tools of the Trade, International Conference on Network and System Security, Springer, 126-139, 2016.

Tsiatsikas, Z.; Kambourakis, G.; Geneiatakis, D. et al. (2019). The Devil is in the Detail: SDP-Driven Malformed Message Attacks and Mitigation in SIP Ecosystems, IEEE Access, IEEE, 7, 2401-2417, 2019.

Vapnik, V. (2013). The nature of statistical learning theory, Springer science & business media, 2013.

Vennila, G.; Manikandan, M.; Aswathi, S. (2015). Detection of SIP signaling attacks using two-tier fine grained model for VoIP, TENCON 2015-2015 IEEE Region 10 Conference, IEEE, 1-7, 2015.

Vennila, G.; Manikandan, M.; Suresh, M. (2017). Detection and prevention of spam over Internet telephony in Voice over Internet Protocol networks using Markov chain with incremental SVM, International Journal of Communication Systems, Wiley Online Library, 30(11), 2017.

Wang, K.; Parekh, J.J.; Stolfo, S.J. (2006). Anagram: A content anomaly detector resistant to mimicry attack, International Workshop on Recent Advances in Intrusion Detection, Springer, 226-248, 2006.

[Online]. Marchex. (2018). Spam Phone Calls Cost U.S. 2018 Small businesses half-billion dollars in lost productivity, Available: http://goo.gl/jTrgp3, Accessed on 10 March 2019.

[Online]. Nettitude. (2015). VoIP Attacks on the Rise, Available: https://www.nettitude.com/uk/, Accessed on December 2018.

DOI: https://doi.org/10.15837/ijccc.2019.4.3563

Copyright (c) 2019 Waleed Nazih, Yasser Hifny, Wail Elkilani, Tamer Abdelkader, Hossam Faheem

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

IJCCC is an Open Access Journal : CC-BY-NC.

Articles published in IJCCC user license are protected by copyright.

Users can access, download, copy, translate the IJCCC articles for non-commercial purposes provided that users, but cannot redistribute, display or adapt:

  • Cite the article using an appropriate bibliographic citation: author(s), article title, journal, volume, issue, page numbers, year of publication, DOI, and the link to the definitive published version on IJCCC website;
  • Maintain the integrity of the IJCCC article;
  • Retain the copyright notices and links to these terms and conditions so it is clear to other users what can and what cannot be done with the  article;
  • Ensure that, for any content in the IJCCC article that is identified as belonging to a third party, any re-use complies with the copyright policies of that third party;
  • Any translations must prominently display the statement: "This is an unofficial translation of an article that appeared in IJCCC. Agora University  has not endorsed this translation."

This is a non commercial license where the use of published articles for commercial purposes is forbiden. 

Commercial purposes include: 

  • Copying or downloading IJCCC articles, or linking to such postings, for further redistribution, sale or licensing, for a fee;
  • Copying, downloading or posting by a site or service that incorporates advertising with such content;
  • The inclusion or incorporation of article content in other works or services (other than normal quotations with an appropriate citation) that is then available for sale or licensing, for a fee;
  • Use of IJCCC articles or article content (other than normal quotations with appropriate citation) by for-profit organizations for promotional purposes, whether for a fee or otherwise;
  • Use for the purposes of monetary reward by means of sale, resale, license, loan, transfer or other form of commercial exploitation;

    The licensor cannot revoke these freedoms as long as you follow the license terms.

[End of CC-BY-NC  License for Website User]

INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL (IJCCC), With Emphasis on the Integration of Three Technologies (C & C & C),  ISSN 1841-9836.

IJCCC was founded in 2006,  at Agora University, by  Ioan DZITAC (Editor-in-Chief),  Florin Gheorghe FILIP (Editor-in-Chief), and  Misu-Jan MANOLESCU (Managing Editor).

Ethics: This journal is a member of, and subscribes to the principles of, the Committee on Publication Ethics (COPE).

Ioan  DZITAC (Editor-in-Chief) at COPE European Seminar, Bruxelles, 2015:

IJCCC is covered/indexed/abstracted in Science Citation Index Expanded (since vol.1(S),  2006); JCR2018: IF=1.585..

IJCCC is indexed in Scopus from 2008 (CiteScore2018 = 1.56):

Nomination by Elsevier for Journal Excellence Award Romania 2015 (SNIP2014 = 1.029): Elsevier/ Scopus

IJCCC was nominated by Elsevier for Journal Excellence Award - "Scopus Awards Romania 2015" (SNIP2014 = 1.029).

IJCCC is in Top 3 of 157 Romanian journals indexed by Scopus (in all fields) and No.1 in Computer Science field by Elsevier/ Scopus.


 Impact Factor in JCR2018 (Clarivate Analytics/SCI Expanded/ISI Web of Science): IF=1.585 (Q3). Scopus: CiteScore2018=1.56 (Q2);

SCImago Journal & Country Rank

Editors-in-Chief: Ioan DZITAC & Florin Gheorghe FILIP.