Chapter 8 - shodhganga.inflibnet.ac.in/bitstream/10603/11760/12/12_chapter 8.pdf

Analysis and Deterrence of Threats on SIP

Narendra M. Shekokar Page 97

Chapter 8

Adaptive Intrusion Detection System

In this era of globalization, enterprises find VoIP systems to be the cheapest and most preferred option. However, enterprises are often unaware of how vulnerable they are to the ever-increasing threats on the internet. Being a real-time service, VoIP is especially susceptible to Denial-of-Service (DoS). These DoS attacks have cost many high-profile organizations millions of dollars. It is necessary to identify the nature and behavior of these attacks in order to protect VoIP systems in the future. The following sections discuss some of these DoS attacks.

8.1 DoS attack on VoIP system

The easiest way to launch Denial of Service (DoS) attacks on a SIP proxy server is to flood it with a large number of unwanted call requests. As a result, its resources (internal memory buffers, CPU and bandwidth) are exhausted and it is unable to provide service even to legitimate users. How many resources each request consumes depends on whether the SIP server is configured for stateless or stateful mode and whether it uses authentication [56].

Moreover, SIP is also prone to malformed message attacks, in which attackers generate non-standard SIP messages that are intelligently crafted to exploit vulnerabilities in the SIP parser or a poor implementation of a SIP server. Using a malformed packet, an imposter can overflow specific string buffers, add a large number of token characters and modify fields in an illegal fashion. As a result, the server is tricked into reaching an undefined state, which can lead to call processing delays, unauthorized access and a complete denial of service. We also show how an intelligently crafted single malformed message, as well as flooded messages, can crash a server. We call it Invite of Death [57]. The next sections discuss various DoS attacks on VoIP systems.

8.1.1 Invite Flooding

Overwhelming a victim's capacity by flooding it with malicious traffic is the most basic and probably also the most difficult to handle DoS attack. A potential attacker can generate flooding attacks with SIP Invite messages to quickly exhaust the victim's resources. Different SIP proxy implementations vary in the processing speed of crucial tasks, including message parsing, verifying the values of MD5 hashes in the authentication procedure and additional communication with other servers such as DNS servers. Thus, a SIP proxy with slower request processing capabilities is naturally more predisposed to brute force attacks. SIP flooding attacks can be launched from one source or from many sources, as in a DDoS attack where multiple zombies target a single victim. By using a fast stream of INVITE messages with different session identifiers such as To, From or Call-ID, it is possible to exhaust the memory of the attacked proxy. Figure 8.1 demonstrates a SIP Invite flood.

Figure 8.1 Invite Flooding Attack [diagram: UA1, Proxy Server, UA2; a stream of Invite messages from UA1 through the Proxy Server towards UA2, answered by Ringing and Ok]

8.1.2 BYE Attack

VoIP calls are terminated by one of the call participants sending a SIP BYE request. Many VoIP application servers and clients process a BYE request without requiring authentication. This means that it is easy to construct a BYE request and send it to the application server, which will then terminate the call. The user agent that receives the faked BYE message immediately stops sending RTP packets, whereas the other user agent continues sending its RTP packets. The BYE attack is common in VoIP environments and is considered a Denial of Service (DoS) attack [58]. The malformed BYE message is sent during the RTP exchange to terminate the call. Figure 8.2 shows the SIP BYE attack.


Page 3: Chapter 8 - shodhganga.inflibnet.ac.inshodhganga.inflibnet.ac.in/bitstream/10603/11760/12/12_chapter 8.pdf · These DoS attack has been costing many high profile organization millions

Analysis and Deterrence of Threats on SIP

Narendra M.Shekokar Page 99

Figure 8.2 SIP Bye Attack [diagram: UA 1, Proxy1, Proxy2, Attacker, UA 2; the call is set up with INVITE, TRYING (100), RINGING (180), OK (200) and ACK, followed by an RTP session; the Attacker then sends a BYE Message and, after receiving it, the VoIP session is terminated]

8.1.3 Cancel Attack

During the call setup between UA1 (User 1) and UA2 (User 2), an attacker sends a crafted SIP packet carrying a "CANCEL" request to Proxy2, which in turn cancels UA1's "INVITE" request, ceasing the call setup process [59]. This attack is generated during session initiation. Figure 8.3 shows the SIP cancel attack.

Figure 8.3: SIP Cancel Attack [diagram: UA 1, Proxy1, Proxy2, Attacker, UA 2; INVITE and TRYING (100) are exchanged through the proxies, then the Attacker sends CANCEL (spelled "CANCLE" in the figure) and, after receiving the Cancel message, UA1's session is terminated]

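The three attacks above share a detectable trait from the proxy's side: an INVITE flood shows up as one source opening many distinct dialogs (different Call-IDs), while a spoofed BYE or CANCEL refers to a dialog the proxy never created or carries From/To tags that do not belong to it. The following is an added example, not the thesis's IDS and not code from the chapter: a minimal SIP request parser plus a dialog monitor that raises alerts for both patterns. The SIP messages, addresses (documentation ranges), Call-IDs, tags and the threshold of five dialogs per source are all constructed for the example. Tag matching stops blind teardown spoofing only; as the chapter notes, the underlying weakness is that BYE and CANCEL are accepted without authentication.

```python
"""Stateful checks for the SIP DoS patterns in 8.1: INVITE floods (many
dialogs from one source) and spoofed BYE / CANCEL requests that match no
dialog the proxy has seen. Added example; all messages are constructed."""
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
TAG = re.compile(r";tag=([^;\s]+)")


def parse_sip(raw):
    """Return (method, headers) for a SIP request; header names are lower-cased."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not a SIP request")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers


def tag_of(header_value):
    """Extract the ;tag= parameter of a From or To header (None if absent)."""
    m = TAG.search(header_value or "")
    return m.group(1) if m else None


class SipDialogMonitor:
    def __init__(self, flood_threshold=5):
        self.flood_threshold = flood_threshold       # hypothetical tuning value
        self.dialogs = {}                            # Call-ID -> (from-tag, to-tag)
        self.invites_per_source = defaultdict(set)   # source -> distinct Call-IDs

    def observe(self, src, raw):
        """Feed one request seen from src; return a list of alert strings."""
        method, h = parse_sip(raw)
        call_id = h.get("call-id")
        alerts = []
        if method == "INVITE":
            self.dialogs.setdefault(call_id, (tag_of(h.get("from")), tag_of(h.get("to"))))
            self.invites_per_source[src].add(call_id)
            opened = len(self.invites_per_source[src])
            if opened >= self.flood_threshold:       # one source, many dialogs
                alerts.append(f"invite-flood src={src} dialogs={opened}")
        elif method in ("BYE", "CANCEL"):
            known = self.dialogs.get(call_id)
            if known is None:                        # teardown for a dialog never set up
                alerts.append(f"{method.lower()}-no-dialog src={src} call-id={call_id}")
            else:
                tags = {tag_of(h.get("from")), tag_of(h.get("to"))}
                if not tags & {t for t in known if t}:   # neither tag belongs to the dialog
                    alerts.append(f"{method.lower()}-tag-mismatch src={src} call-id={call_id}")
        return alerts


def build(method, call_id, from_tag, to_tag=None):
    """Constructed SIP request for the demonstration (not captured traffic)."""
    to = "<sip:bob@example.com>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{method} sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK-{call_id}\r\n"
            f"From: <sip:alice@example.com>;tag={from_tag}\r\n"
            f"To: {to}\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\n\r\n")


def demo():
    mon = SipDialogMonitor(flood_threshold=5)
    results = {}
    # a legitimate call and its own BYE, carrying the dialog's From tag
    results["invite"] = mon.observe("192.0.2.10", build("INVITE", "call-1", "a1"))
    results["legit_bye"] = mon.observe("192.0.2.10", build("BYE", "call-1", "a1"))
    # spoofed BYE for a Call-ID the proxy never saw
    results["spoof_bye"] = mon.observe("198.51.100.7", build("BYE", "call-999", "zz"))
    # spoofed CANCEL with a guessed Call-ID but tags that belong to no dialog
    results["spoof_cancel"] = mon.observe("198.51.100.7", build("CANCEL", "call-1", "zz"))
    # flood: one source opening five dialogs with distinct Call-IDs
    flood = []
    for i in range(5):
        flood += mon.observe("198.51.100.9", build("INVITE", f"flood-{i}", f"t{i}"))
    results["flood"] = flood
    return results


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

The monitor keeps only the dialog table, so it could run inline on a proxy; a production version would also expire dialogs on BYE and key the flood counter on a sliding time window rather than a lifetime set.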


8.2 Types of IDS

IDS are categorized into two types: host-based and network-based. A host-based IDS monitors, audits, logs and generates alerts for attacks on an individual system, while a network-based IDS has sensors throughout the network [60]. Based on the detection mechanism, IDS are further classified into misuse detection and anomaly detection [60, 61].

8.2.1 Misuse detection

Misuse detection is based on the characteristics of known attacks or system vulnerabilities, which are also called signatures. Any action that matches a signature is considered intrusive [60]. The main issue in misuse detection is how to build signatures that cover the possible attacks, or a signature that includes all possible variations of the relevant attack, so as to avoid false negatives.

8.2.2 Anomaly detection

Anomaly detection is based on the normal behavior of a subject (e.g., a user or a system); any action that significantly deviates from the normal behavior is considered intrusive, or at least suspicious [60]. The most significant strength of the anomaly detection approach is that it does not require prior knowledge of the security flaws of the target systems. Thus, it is able to detect not only known intrusions but also unknown intrusions [62, 61]. As a consequence, suspicious intrusive activities of legitimate users or masqueraders can be detected without violating the security policy [60].

Approaches for anomaly detection

Anomaly detection in an IDS is developed using one, or a combination, of the following approaches:

Threshold detection: detecting abnormal activity on a server or network, for example abnormal consumption of the CPU on one server [63].

Statistical measures: statistical models are employed in this type of IDS to learn from historical values. Some of the statistical models used are the mean and standard deviation [63].

Rule-based measures: rule-based analysis relies on sets of predefined rules that are provided by an administrator, automatically created by the system, or both [63]. Expert systems are the most common form of rule-based intrusion detection.

Non-linear algorithms: here soft computing techniques such as neural networks and genetic algorithms are used [64].
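The difference between a fixed threshold and a statistical measure is easiest to see on a single counter such as INVITEs per second. The following added example (not the thesis's code) learns the threshold as mean + k standard deviations of recent history, so a site whose normal rate is 5 per second and one whose normal rate is 50 need no hand tuning. The per-second counts, the window of 60 intervals, k = 3 and the minimum history of 10 intervals are constructed assumptions for the example.

```python
"""Adaptive rate threshold: mean + k * standard deviation of recent
per-interval INVITE counts (the statistical measures of 8.2.2). Added
example with constructed counts, not the thesis's IDS."""
import math
from collections import deque


class RateBaseline:
    def __init__(self, window=60, k=3.0, min_history=10):
        self.history = deque(maxlen=window)   # recent per-interval counts
        self.k = k
        self.min_history = min_history

    def stats(self):
        """Mean and (population) standard deviation of the retained history."""
        n = len(self.history)
        mean = sum(self.history) / n
        var = sum((c - mean) ** 2 for c in self.history) / n
        return mean, math.sqrt(var)

    def check(self, count):
        """Return (is_anomalous, threshold) for one interval's count.
        Anomalous intervals are NOT added to the baseline, so a sustained
        flood cannot teach the detector that flooding is normal."""
        if len(self.history) < self.min_history:
            self.history.append(count)        # still learning the baseline
            return False, None
        mean, sd = self.stats()
        threshold = mean + self.k * max(sd, 1.0)   # floor on sd avoids a zero-width band
        if count > threshold:
            return True, threshold
        self.history.append(count)
        return False, threshold


def detect(counts, **kwargs):
    """Indices of the intervals the baseline flags as anomalous."""
    baseline = RateBaseline(**kwargs)
    return [i for i, c in enumerate(counts) if baseline.check(c)[0]]


# constructed series: 20 quiet intervals, a modest busy period, then a flood
NORMAL = [5, 4, 6, 5, 3, 7, 5, 4, 6, 5, 5, 6, 4, 5, 7, 6, 5, 4, 6, 5]
BUSY = [8, 8, 9]
FLOOD = [120, 150, 140]

if __name__ == "__main__":
    print(detect(NORMAL + BUSY + FLOOD))   # only the flood intervals
```

The busy period is absorbed into the baseline because it stays within three standard deviations of the learned mean; the flood is flagged and kept out of the history, which is the point of keeping the update conditional.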


8.3 Proposed IDS

During the literature survey, we identified that signature-based, rule-based or known-pattern-based IDS work on fixed patterns; these IDS are non-adaptive in nature and are more prone to false positives and false negatives. To detect DoS attacks in a VoIP system, we have proposed an IDS based on a fusion of an Artificial Neural Network (ANN) and fuzzy logic; the proposed IDS is adaptive in nature.

A salient feature of ANNs is their learning ability. They learn by adaptively updating the synaptic weights that characterize the strength of the connections. The weights are updated according to the information extracted from new training patterns. Here we list a few reasons for using the ANN and fuzzy approach.

A neural network is capable of analyzing data from the network even if the data is incomplete or unclear. Similarly, the network possesses the ability to analyze data in a non-linear fashion [40].

Some attacks may be launched in a coordinated fashion from multiple sources; the neural network has the ability to process data from multiple sources in a non-linear fashion [40].

It is highly scalable compared to other IDS techniques [65].

It helps reduce the false positive and false negative error rates. The false positive rate counts false alarms and the false negative rate counts missed intrusions [66].

Compared to other detection techniques, the NN approach gives better results on unseen and noisy input.

In the proposed solution, fuzzy logic helps us decide the severity of an attack.

The Neural Network is used to learn about new threats, while the Fuzzy System decides the severity of an attack. The combined approach of Neural Network and Fuzzy approximation will greatly reduce false alarms. Our proposed IDS resides on a proxy server.


Figure 8.4 Architecture of Proposed Framework [diagram: Caller (UA1) and Callee (UA2) exchange Session Initiation Messages through the Proxy Server, on which the IDS resides; RTP flows between the two user agents]

As shown in Figure 8.4, all session initiation messages pass through the proxy. The detailed architecture of the proposed IDS is given in Figure 8.5.

Figure 8.5 Architecture of ANN based IDS [diagram: Input (Training/Testing) → Processing → Neural Network → Fuzzy System with Fuzzy Rules → Attack Severity → Feedback Analysis]

The components of the proposed IDS are explained below.

8.3.1 Dataset for training/testing

In the proposed IDS, the training/testing dataset is generated by using various attacking tools. We attacked the VoIP system using the Invite Flooder attacking tool. This tool changes field values (the Via branch tag, the From tag, the Call-ID) of the SIP message. A change in these values causes the targeted UA server to interpret each INVITE message as an independent call dialog initiation event.

The Teardown tool is used to generate malformed messages such as SIP BYE and SIP CANCEL messages by modifying the SIP payload. These tools carry out the said attacks by obtaining the source IP address, source port number, destination IP address and destination port number. After gathering the necessary information, a SIP request is constructed, the Via branch tag, the From tag, the To tag and the Call-ID are added to it, and it is sent to the victim machine.

For capturing packets in a real-time environment, we have used the JPCAP and WINPCAP tools. JPCAP provides facilities to:

Capture raw packets live from the wire.

Save captured packets to an offline file, and read captured packets from an offline file.

Automatically identify packet types and generate corresponding Java objects.

Filter the packets according to user-specified rules before dispatching them to the application.

Send raw packets to the network.

WINPCAP is the industry-standard tool which allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. The record set extracted by the tool is stored in a database which is used to train our proposed system.

8.3.2 Preprocessing

This section describes how the dataset is used for our experiment. The dataset is preprocessed before being given as input to the developed system. During preprocessing, the numeric and symbolic features of the fields in the dataset are converted into numeric form so that they can act as inputs to our neural network. The proposed IDS extracts 14 features from the attack-generated traffic, after which a numeric value is assigned to each of them. This modified dataset is then ready to be used for training and testing the neural network.

8.3.3 Determining Neural Network

The architecture of our proposed feed-forward neural network (FFNN) is given in Figure 8.6. The proposed system is based on an ANN; it is composed of interconnected processing elements (neurons) working together to detect abnormal activity at the Proxy Server [67].


Figure 8.6 Feed Forward Neural Network [diagram: Input layer, Hidden Layer 1, Hidden Layer 2 and Output layer, with the single output labelled Attack]

A salient feature of Artificial Neural Networks (ANN) is their learning ability. They learn by adaptively updating the synaptic weights that characterize the strength of the connections. The weights are updated according to the information extracted from training patterns. Initial weights were chosen and the learning rate was maintained at 0.8. The proposed FFNN has a 4-layer architecture, where the input layer consists of 14 neurons, the two hidden layers contain 9 and 6 neurons respectively, and the output layer contains 1 neuron. There is no exact formula for selecting the number of hidden layers; it is decided based on experiment [68].

8.3.4 Training the system

During the training phase of the system, the FFNN uses the Backpropagation algorithm, which works in two passes: a forward pass and a backward pass.

During the forward pass, each node in the hidden layer receives input from all the nodes of the input layer; these inputs are multiplied by the appropriate weights and then summed. The output of the hidden node is a nonlinear transformation of this resulting sum. Similarly, each node in the output layer receives input from all the nodes of the hidden layer, which are multiplied by the appropriate weights and then summed. The output values of the output layer are compared with the target output values. The target output values are used to teach the network. The error between the actual output values and the target output values is calculated and propagated back toward the hidden layer. This is called the backward pass of the Backpropagation algorithm. The error is used to update the connection strengths between nodes (the weight matrices between the input-hidden layers and the hidden-output layers are updated).

In the forward phase of the Backpropagation algorithm, the input values (field values extracted from the dataset) and the weights are assigned to the neuron, and then the weighted sum of all inputs is computed. Mathematically, the inputs and the corresponding weights are represented as the vectors (x1, x2, ..., xn) and (w1, w2, ..., wn). The total input signal is the dot, or inner, product of these two vectors. The output is represented as below:

$$\text{Output} = \sum_{i=0}^{n-1} x_i w_i + w_n$$

The above equation takes the input values x and multiplies them by the weights w; w_n represents the threshold (bias) weight. The output of the above operation is passed through a sigmoid activation function. The output of the activation function is compared with the target output value, which gives the error value; according to the error value, the neuron weights are adjusted. The activation function is defined as follows:

$$f(x) = \frac{1}{1 + e^{-x}}$$

To train the neural network, the error must be minimized. To achieve this, the neuron connection weights and thresholds are modified. We have used the gradient descent method to evaluate the derivative of the error. Then, using these derivatives, we find the weights and thresholds that minimize the error function.

$$\Delta w_{ho} = (d_o - y_o)\, y_h$$

where Δw_ho = differentiable activation function, d_o = desired output, y_o = obtained output, y_h = gradient.

$$\text{Increment in weight} = \Delta w_{ho} \times \text{input}_{i-1} \times \text{weight}$$

8.3.5 Testing the System

Once the IDS is trained completely, the weights of the neural network are frozen and the IDS performance is evaluated.

Testing of the neural network is carried out in two steps, i.e. a verification step and a recall (or generalization) step. In the verification step, the neural network is tested against the data which was used in training. The aim of the verification step is to test how well the trained neural network learned the training patterns in the training dataset. If a neural network is trained successfully, the outputs produced by the neural network will be similar to the actual outputs. In the recall or generalization step, testing is conducted with data which was not used in training. The aim of the generalization step is to measure the generalization ability of the trained network. Once an attack is detected, it is passed to the fuzzy system to decide the severity of the attack. We have tested our IDS using both the verification and the generalization methods.
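Sections 8.3.3 to 8.3.5 describe a 14-9-6-1 feed-forward network, sigmoid activation, a bias weight w_n per neuron, a learning rate of 0.8, backpropagation in a forward and a backward pass, and a two-step evaluation (verification on the training data, generalization on unseen data). The block below is an added example that implements exactly that procedure in plain Python; it is not the thesis's implementation and it does not use the thesis's dataset. The 14 feature vectors are constructed: feature 0 stands in for a normalized INVITE arrival rate (high for attack traffic) and the other 13 are noise, which is a hypothetical stand-in for the chapter's 14 preprocessed features. The initialization range, epoch count and seed are also assumptions.

```python
"""Feed-forward network (14-9-6-1) trained with backpropagation at learning
rate 0.8, then evaluated in the verification and generalization steps of
8.3.5. Added example on constructed data, not the thesis's code."""
import math
import random

LAYERS = [14, 9, 6, 1]      # input, hidden 1, hidden 2, output (chapter's sizes)
LEARNING_RATE = 0.8         # value stated in the chapter


def sigmoid(x):
    # f(x) = 1 / (1 + e^-x), the activation function from the chapter
    return 1.0 / (1.0 + math.exp(-x))


def init_network(rng):
    """Random initial weights in [-0.5, 0.5] (assumed); each neuron's last
    weight is its bias, the w_n term of the chapter's output equation."""
    return [[[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_out)]
            for n_in, n_out in zip(LAYERS, LAYERS[1:])]


def forward(net, x):
    """Forward pass: activations of every layer, input layer included."""
    activations = [x]
    for layer in net:
        prev = activations[-1]
        out = []
        for w in layer:
            # Output = sum_i x_i * w_i + w_n, then the sigmoid
            s = sum(p * wi for p, wi in zip(prev, w[:-1])) + w[-1]
            out.append(sigmoid(s))
        activations.append(out)
    return activations


def backward(net, activations, target):
    """Backward pass: propagate the output error towards the input layer and
    update every weight by gradient descent on the squared error."""
    # output-layer delta: (d_o - y_o) times the sigmoid derivative y(1 - y)
    deltas = [[(target - y) * y * (1 - y) for y in activations[-1]]]
    for li in range(len(net) - 1, 0, -1):
        downstream = net[li]          # weights leaving the layer whose delta we compute
        d = []
        for j, y in enumerate(activations[li]):
            err = sum(deltas[0][k] * downstream[k][j] for k in range(len(downstream)))
            d.append(err * y * (1 - y))
        deltas.insert(0, d)
    for li, layer in enumerate(net):
        inputs = activations[li]
        for k, w in enumerate(layer):
            for i, xi in enumerate(inputs):
                w[i] += LEARNING_RATE * deltas[li][k] * xi
            w[-1] += LEARNING_RATE * deltas[li][k]   # bias (threshold) update


def train(net, samples, epochs):
    for _ in range(epochs):
        for x, t in samples:
            backward(net, forward(net, x), t)


def accuracy(net, samples):
    """Fraction of samples whose thresholded output equals the label."""
    hits = sum((forward(net, x)[-1][0] >= 0.5) == bool(t) for x, t in samples)
    return hits / len(samples)


def make_samples(rng, n):
    """Constructed vectors: feature 0 mimics a normalized INVITE rate (high for
    attacks, low for normal traffic); the remaining 13 features are noise."""
    samples = []
    for i in range(n):
        attack = i % 2
        rate = rng.uniform(0.8, 1.0) if attack else rng.uniform(0.0, 0.2)
        samples.append(([rate] + [rng.random() for _ in range(13)], attack))
    return samples


def run_experiment(seed=7, epochs=300):
    rng = random.Random(seed)
    net = init_network(rng)
    training = make_samples(rng, 60)    # used for training and the verification step
    unseen = make_samples(rng, 20)      # never trained on: the generalization step
    train(net, training, epochs)
    return {"verification": accuracy(net, training),
            "generalization": accuracy(net, unseen)}


if __name__ == "__main__":
    print(run_experiment())
```

Both accuracies should be close to 1.0 on this separable toy data; a gap between the two numbers is the overfitting signal the generalization step exists to expose, and the chapter's tables report that gap (training dataset versus new dataset) for the real traffic.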

8.3.6 Fuzzy Approximation technique

Recently, several researchers have focused on fuzzy rule learning for effective intrusion detection. Motivated by this work, we have used a fuzzy rule-based system to decide the severity of the attacks detected by the ANN system.

Fuzzy logic is a form of many-valued logic derived from fuzzy set theory to deal with reasoning that is approximate rather than fixed and exact. In contrast with "crisp logic", where binary sets have two-valued logic, fuzzy logic variables may have a truth value that ranges in degree between 0 and 1.

The attack detected by the neural system is provided to the fuzzy logic controller, which processes user-defined rules governing the system to identify the severity of the attack as trivial, warning or lethal. We define a rule set for each attack type in a separate rule file. We obtain a defuzzified value s for each attack and compare it with the ranges below; the severity of the attack is decided accordingly.

// s is the defuzzified value for the detected attack
if (s >= 0 && s < 5)
    severity = "trivial";
else if (s >= 5 && s < 10)
    severity = "warning";
else if (s >= 10 && s < 15)
    severity = "lethal";
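The chapter gives the final range check but not the rule files that produce s. The following added example (not the thesis's rule set) shows one complete Mamdani-style path from two fuzzy inputs to the defuzzified value and then to the chapter's trivial / warning / lethal ranges. The inputs (the ANN output treated as a confidence in [0, 1] and a normalized attack rate in [0, 1]), the triangular membership functions, the five rules and the centroid defuzzification are all assumptions of the example; only the 0 to 15 output scale and the three ranges come from the chapter.

```python
"""Fuzzy severity rating: fuzzify two inputs, fire rules, aggregate the
clipped output sets and defuzzify by centroid onto the chapter's 0..15
scale. Added example; rules and membership functions are hypothetical."""


def tri(a, b, c):
    """Triangular membership function with feet at a and c and peak at b
    (a == b or b == c gives a shoulder set)."""
    def mu(x):
        if a < x < b:
            return (x - a) / (b - a)
        if x == b:
            return 1.0
        if b < x < c:
            return (c - x) / (c - b)
        return 0.0
    return mu


# input sets on [0, 1] for both the ANN confidence and the normalized rate
LOW, MED, HIGH = tri(0.0, 0.0, 0.5), tri(0.25, 0.5, 0.75), tri(0.5, 1.0, 1.0)
# output sets on the chapter's 0..15 severity scale
TRIVIAL, WARNING, LETHAL = tri(0, 0, 5), tri(5, 7.5, 10), tri(10, 15, 15)

# (antecedent strength, consequent set); AND = min, OR = max
RULES = [
    (lambda c, r: min(HIGH(c), HIGH(r)), LETHAL),
    (lambda c, r: min(HIGH(c), MED(r)), WARNING),
    (lambda c, r: min(MED(c), HIGH(r)), WARNING),
    (lambda c, r: min(MED(c), MED(r)), WARNING),
    (lambda c, r: max(LOW(c), LOW(r)), TRIVIAL),
]


def defuzzify(conf, rate, step=0.01):
    """Centroid of the aggregated (max of clipped) output sets; None if no rule fired."""
    fired = [(rule(conf, rate), out) for rule, out in RULES]
    num = den = 0.0
    for k in range(int(round(15 / step)) + 1):
        s = k * step
        mu = max(min(strength, out(s)) for strength, out in fired)
        num += s * mu
        den += mu
    return num / den if den else None


def severity(s):
    """The chapter's range check on the defuzzified value."""
    if s is None:
        return "unknown"
    if 0 <= s < 5:
        return "trivial"
    if 5 <= s < 10:
        return "warning"
    if 10 <= s < 15:
        return "lethal"
    return "unknown"


def rate_attack(conf, rate):
    """Return (defuzzified value, severity label) for one detected attack."""
    s = defuzzify(conf, rate)
    return s, severity(s)


if __name__ == "__main__":
    for conf, rate in [(0.95, 0.9), (0.5, 0.5), (0.1, 0.1)]:
        print(conf, rate, rate_attack(conf, rate))
```

Because the rules only express "high confidence and high rate is lethal" and the like, the same controller serves every attack type; the chapter's per-attack rule files would correspond to swapping the RULES list per attack while keeping the defuzzification and the range check.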

8.4 Result Analysis and Conclusion

We have deployed the proposed IDS on a proxy server. Initially, we train our system by preparing a dataset from real-time traffic generated using attacking tools. For experimental evaluation, we first tested the system with the same dataset that was used during training. We first attempted an INVITE Flooding attack on the system, and the IDS was tested in four rounds of operation with increasing record sets. Table 8.1 shows the detection ratio, false positives and false negatives for the Invite flooding attack; based on the table readings, a graph is plotted, shown in Figure 8.7.

Table 8.1 Experimental results during INVITE Flooding (rows given below, after Figure 8.7)

[Figure 8.7 plot: Detection Ratio (%) against iteration (1st Itr. to 4th Itr.), y-axis from 94.5 to 98.5]

Figure 8.7: Detection ratio (%) on INVITE Flood Attack

The average detection ratio on the Invite flooding attack is 96.88%, while the average false positive and average false negative rates are 1.44% and 1.67% respectively.

Similarly, we tested the BYE and Cancel attacks on the same dataset; the experimental results are given in Table 8.2 and Table 8.3, and according to the table values graphs are plotted, shown in Figures 8.8 and 8.9.

Table 8.1 (INVITE Flooding, training dataset)

Iteration No          Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set            300           350           400           450
Detection Ratio (%)   95.69         96.52         97.86         97.98
False Positive (%)    2.33          1.49          0.91          1.04
False Negative (%)    1.98          2.49          1.23          0.98

Table 8.2 Experimental results during Bye Attack

Iteration No          Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set            300           350           400           450
Detection Ratio (%)   97.45         97.52         98.34         97.06
False Positive (%)    0.89          2.23          1.40          0.62
False Negative (%)    1.66          0.25          0.26          2.32


[Figure 8.8 plot: Detection Ratio (%) against iteration (1st Itr. to 4th Itr.), y-axis from 96 to 98.5]

Figure 8.8 Detection ratio (%) on BYE Attack

The average detection ratio on the BYE attack is 97.59%, while the average false positive and average false negative rates are 1.28% and 1.12% respectively.

Table 8.3 Experimental results during CANCEL Attack

Iteration No          Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set            300           350           400           450
Detection Ratio (%)   98.40         96.20         97.50         98.90
False Positive (%)    0.12          0.78          1.40          0.09
False Negative (%)    1.48          3.02          1.1           1.01

Figure 8.9 Detection ratio (%) on Cancel Attack


The average detection ratio on the Cancel attack is 97.75%, while the average false positive and average false negative rates are 0.59% and 1.65% respectively.

In the second approach, we tested our proposed IDS by capturing traffic generated using the INVITE flood and teardown tools, and evaluated the system performance based on the obtained results. Table 8.4 shows the detection ratio, false positives and false negatives for the Invite flooding attack; based on these results, the detection ratio graph is plotted, shown in Figure 8.10.

Table 8.4 Experimental results during INVITE Flooding (new dataset)

Iteration No          Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set            300           350           400           450
Detection Ratio (%)   94.23         95.77         95.34         94.82
False Positive (%)    2.74          3.02          2.12          3.86
False Negative (%)    3.03          1.21          2.54          1.32

Figure 8.10 Detection ratio (%) on Invite Flood Attack

The average detection ratio on the Invite flooding attack is 95.04%, while the average false positive and average false negative rates are 2.39% and 2.02% respectively.

Similarly, we tested the BYE and CANCEL attacks on the new dataset. The experimental results are listed in Tables 8.5 and 8.6, and according to these readings the detection ratio graphs for the BYE and CANCEL attacks are plotted and shown in Figures 8.11 and 8.12.


Table 8.5 Experimental results during BYE Attack (rows given below, after Figure 8.11)

[Figure 8.11 plot: Detection Ratio (%) against iteration (1st Itr. to 4th Itr.), y-axis from 93 to 98.5]

Figure 8.11 Detection ratio (%) on BYE Attack

The average detection ratio on the BYE attack is 96.71%, while the average false positive and average false negative rates are 1.41% and 1.86% respectively.

Table 8.5 (BYE Attack, new dataset)

Iteration No          Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set            300           350           400           450
Detection Ratio (%)   96.23         94.98         97.66         98.00
False Positive (%)    1.34          2.01          1.98          0.34
False Negative (%)    2.43          3.01          0.36          1.66

Table 8.6 Experimental results during CANCEL Attack

Iteration No          Iteration 1   Iteration 2   Iteration 3   Iteration 4
Record Set            300           350           400           450
Detection Ratio (%)   96.80         96.20         96.50         97.00
False Positive (%)    3.00          2.32          1.40          1.76
False Negative (%)    0.20          1.48          2.1           1.24


[Figure 8.12 plot: Detection Ratio (%) against iteration (1st Itr. to 4th Itr.), y-axis from 95.8 to 97.2]

Figure 8.12 Detection ratio (%) on CANCEL Attack

The average detection ratio on the Cancel attack is 96.62%, while the average false positive and average false negative rates are 2.12% and 1.25% respectively.

Using the adaptive ANN-Fuzzy system, we have successfully detected DoS attacks on the VoIP system. Initially we tested our proposed system on the dataset that was used to train it. Based on the above readings, the average detection ratio, false positive ratio and false negative ratio on both datasets are shown in Table 8.7.

Table 8.7 Average detection, false positive and false negative rates on both datasets

Attack Type       Detection Technique             Training Dataset   New Dataset
Invite Flooding   Average Detection Ratio (%)     96.88              95.04
                  Average False Positive (%)      1.44               2.39
                  Average False Negative (%)      1.67               2.02
BYE Attack        Average Detection Ratio (%)     97.59              96.71
                  Average False Positive (%)      1.28               1.41
                  Average False Negative (%)      1.12               1.86
Cancel Attack     Average Detection Ratio (%)     97.75              96.62
                  Average False Positive (%)      0.59               2.12
                  Average False Negative (%)      1.65               1.25


From the above readings it is clear that for the Invite Flooding and BYE attacks, the Adaptive IDS gives a better detection ratio on the training dataset than on the new dataset, and an increase in false positives and false negatives is also noticed.

For the Cancel attack, the detection ratio and false negative ratio improved, while the false positive ratio degraded as compared to the training dataset.