Efficient Detection of Attacks in SIP Based VoIP Networks Using Linear l1-SVM Classifier


  • Waleed Nazih
  • Yasser Hifny
  • Wail Elkilani
  • Tamer Abdelkader
  • Hossam Faheem


Machine learning, Support Vector Machines (SVMs), Session Initiation Protocol (SIP), VoIP attacks


The Session Initiation Protocol (SIP) is one of the most common protocols that are used for signaling function in Voice over IP (VoIP) networks. The SIP protocol is very popular because of its flexibility, simplicity, and easy implementation, so it is a target of many attacks. In this paper, we propose a new system to detect the Denial of Service (DoS) attacks (i.e. malformed message and invite flooding) and Spam over Internet Telephony (SPIT) attack in the SIP based VoIP networks using a linear Support Vector Machine with l1 regularization (i.e. l1-SVM) classifier. In our approach, we project the SIP messages into a very high dimensional space using string based n-gram features. Hence, a linear classifier is trained on the top of these features. Our experimental results show that the proposed system detects malformed message, invite flooding, and SPIT attacks with a high accuracy. In addition, the proposed system outperformed other systems significantly in the detection speed.


Akbar, A.; Basha, S.M.; Sattar, S.A. et al. (2016). An intelligent SIP message parser for detecting and mitigating DDoS attacks, Int. J. Innov. Eng. Technol, 7(2), 1-7, 2016.

Akbar, M. A.; Farooq, M. (2014). Securing SIP-based VoIP infrastructure against flooding attacks and Spam Over IP Telephony, Knowledge and information systems, 38(2), 491-510, 2014. https://doi.org/10.1007/s10115-012-0595-5

Asgharian, H.; Akbari, A.; Raahemi, B. (2015). Feature engineering for detection of Denial of Service attacks in session initiation protocol, Security and Communication Networks, 8(8), 1587-1601, 2015. https://doi.org/10.1002/sec.1106

Cortes, C.; Vapnik, V. (1995). Support-vector networks, Machine learning, Springer, 20(3), 273-297, 1995. https://doi.org/10.1007/BF00994018

Cover, T. M. (1965). Geometrical and statistical properties of systems of linear inequalities with applications in pattern recognition, IEEE transactions on electronic computers, 3, 326- 334, 1965. https://doi.org/10.1109/PGEC.1965.264137

Fan, R.-E.; Chang, K.-W.; Hsieh, C.-J. et al. (2008). LIBLINEAR: A library for large linear classification, Journal of machine learning research, 1871-1874, 2008.

Ferdous, R. (2012). SIP-Msg-Gen : SIP Message Generator, [Online]. Available: https://github.com/rferdous/SIP-Msg-Gen, Accessed on 8 May 2019.

Friedman, J.; Hastie, T.;Tibshirani, R. (2001). The elements of statistical learning, Springer series in statistics New York, 1(10), 2001. https://doi.org/10.1007/978-0-387-21606-5_1

Hosseinpour, M.; Hosseini Seno, S.A.; Yaghmaee Moghaddam, M.H. et al. (2016). An anomaly based VoIP DoS attack detection and prevention method using fuzzy logic, Telecommunications (IST), 2016 8th International Symposium on. IEEE, 713-718, 2010. https://doi.org/10.1109/ISTEL.2016.7881916

Hsu, C.-W.; Chang, C.-C.; Lin, C.-J. et al. (2003). A practical guide to support vector classification, National Taiwan University, Taipei, 2003 (last updated 2016).

Jurafsky, D.; Martin, J. H. (2014). Speech and language processing, Pearson London, 3-ed, 2019.

Kurt, B. et al. (2018). A Bayesian change point model for detecting SIP-based DDoS attacks, Digital Signal Processing, Elsevier, 77, 48-62, 2018. https://doi.org/10.1016/j.dsp.2017.10.009

Li, H.; Yildiz, C.; Ceritli, T.Y. et al. (2018). A Machine Learning Approach To Prevent Malicious Calls Over Telephony Networks, arXiv preprint arXiv:1804.02566, 2018. https://doi.org/10.1109/SP.2018.00034

Nassar, M.; State, R.; Festor, O. (2008). Monitoring SIP traffic using support vector machines, International Workshop on Recent Advances in Intrusion Detection, Springer, 311- 330, 2008. https://doi.org/10.1007/978-3-540-87403-4_17

Nassar, M.; State, R.; Festor, O. (2010). Labeled VoIP data-set for intrusion detection evaluation, Meeting of the European Network of Universities and Companies in Information and Communication Engineering, 97-106, 2010. https://doi.org/10.1007/978-3-642-13971-0_10

Packetizer, I. (2011). H. 323 versus SIP: A Comparison, [Online]. Available: http://www.packetizer.com/ipmc/h323_vs_sip, Accessed on December 2018.

Pougajendy, J. and Parthiban, A. R. K. (2017). Detection of SIP-Based Denial of Service Attack Using Dual Cost Formulation of Support Vector Machine, The Computer Journal, Oxford University Press, 60(12), 1770-1784, 2017. https://doi.org/10.1093/comjnl/bxx052

Rieck, K.; Wahl S.; Laskov, P.; Domschitz, P. et al.(2008) A self-learning system for detection of anomalous SIP messages, Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks, Springer, 90-106, 2008. https://doi.org/10.1007/978-3-540-89054-6_5

Rosenberg, J. (2002). SIP: Session Initiation Protocol, IETF RFC 3261, 2002. https://doi.org/10.17487/rfc3261

Sasaki, Y. (2007). The truth of the F-measure, Teach Tutor mater, 1-5, 2007.

Semerci, M.; Cemgil, A. T.; Sankur, B. (2018). An intelligent cyber security system against DDoS attacks in SIP networks, Computer Networks, Elsevier, 136, 137-154, 2018. https://doi.org/10.1016/j.comnet.2018.02.025

Sparks, R.; Hawrylyshen, A.; Johnston Avaya, A. et al. (2006). Session initiation protocol (SIP) torture test messages, 2006. https://doi.org/10.17487/rfc4475

Su, M.-Y.: Tsai, C.-H. (2015). Using data mining approaches to identify voice over IP spam, International Journal of Communication Systems, Wiley Online Library, 28(1), 187-200, 2015. https://doi.org/10.1002/dac.2665

Tang, J.; Cheng, Y.; Hao, Y. (2012). Detection and prevention of SIP flooding attacks in voice over IP networks, INFOCOM, 2012 Proceedings IEEE, 1161-1169, 2012. https://doi.org/10.1109/INFCOM.2012.6195475

Tsiatsikas, Z.; Fakis, A.; Papamartzivanos, D. et al. (2015). Battling against DDoS in SIP: Is Machine Learning-based detection an effective weapon?, 12th International Joint Conference on e-Business and Telecommunications (ICETE), IEEE, 4, 301-308, 2015. https://doi.org/10.5220/0005549103010308

Tsiatsikas, Z., Geneiatakis, D.; Kambourakis, G. et al. (2016). Realtime DDoS Detection in SIP Ecosystems: Machine Learning Tools of the Trade, International Conference on Network and System Security, Springer, 126-139, 2016. https://doi.org/10.1007/978-3-319-46298-1_9

Tsiatsikas, Z.; Kambourakis, G.; Geneiatakis, D. et al. (2019). The Devil is in the Detail: SDP-Driven Malformed Message Attacks and Mitigation in SIP Ecosystems, IEEE Access, IEEE, 7, 2401-2417, 2019. https://doi.org/10.1109/ACCESS.2018.2886356

Vapnik, V. (2013). The nature of statistical learning theory, Springer science & business media, 2013.

Vennila, G.; Manikandan, M.; Aswathi, S. (2015). Detection of SIP signaling attacks using two-tier fine grained model for VoIP, TENCON 2015-2015 IEEE Region 10 Conference, IEEE, 1-7, 2015. https://doi.org/10.1109/TENCON.2015.7372954

Vennila, G.; Manikandan, M.; Suresh, M. (2017). Detection and prevention of spam over Internet telephony in Voice over Internet Protocol networks using Markov chain with incremental SVM, International Journal of Communication Systems, Wiley Online Library, 30(11), 2017. https://doi.org/10.1002/dac.3255

Wang, K.; Parekh, J.J.; Stolfo, S.J. (2006). Anagram: A content anomaly detector resistant to mimicry attack, International Workshop on Recent Advances in Intrusion Detection, Springer, 226-248, 2006. https://doi.org/10.1007/11856214_12

[Online]. Marchex. (2018). Spam Phone Calls Cost U.S. 2018 Small businesses half-billion dollars in lost productivity, Available: http://goo.gl/jTrgp3, Accessed on 10 March 2019.

[Online]. Nettitude. (2015). VoIP Attacks on the Rise, Available: https://www.nettitude.com/uk/, Accessed on December 2018.



Most read articles by the same author(s)

Obs.: This plugin requires at least one statistics/report plugin to be enabled. If your statistics plugins provide more than one metric then please also select a main metric on the admin's site settings page and/or on the journal manager's settings pages.