Problems of SIP Flooding Attacks Anomaly Detection Algorithms

Article

Last updated: 04 Jan 2025

Abstract

Session Initiation Protocol (SIP) is vulnerable to a wide variety of Denial of Service
(DoS) attacks; flooding is the most common, the most effective and the easiest to generate.
In this paper we present an evaluation study of four well-known anomaly detection
algorithms, namely: Adaptive Threshold, Cumulative Sum (CUSUM), Non-Parametric
Cumulative Sum (NP-CUSUM), and Hellinger Distance (HD). The
evaluation uses a simulated traffic dataset. We show that these algorithms
suffer from two main problems: the first is called attack masking and the second is
adaptation with attack. In attack masking, the attacker sends a preamble followed by
the attack. The preamble changes the tuned parameters of the detection algorithm;
these changes mask the attack and keep it undetected. In the second problem, the attacker
shifts the detection algorithm's parameters gradually, in such a way that the attack is
considered normal traffic. The paper also shows that the NP-CUSUM and HD
algorithms, which use the protocol behavior to detect intrusion, suffer from a third
problem: they are very simple to con. The attacker simply follows the same protocol
behavior, so its traffic is considered normal and cannot be detected.

DOI

10.21608/iceeng.2010.33241

Keywords

Session initiation protocol, flooding attacks, denial of service, Anomaly detection, Adaptive Threshold, cumulative sum, non parametric cumulative sum, Hellinger distance

Authors

H. Al-Allouni, Syrian Armed Forces.

A. Rohiem, Egyptian Armed Forces.

M. Hashem, Ain Shams University, Cairo, Egypt.

A. El-moghazy, Egyptian Armed Forces.

Volume

7

Article Issue

7th International Conference on Electrical Engineering ICEENG 2010

Related Issue

5537

Issue Date

2010-05-01

Receive Date

2019-05-26

Publish Date

2010-05-01

Page Start

1

Page End

14

Print ISSN

2636-4433

Online ISSN

2636-4441

Link

https://iceeng.journals.ekb.eg/article_33241.html

Detail API

https://iceeng.journals.ekb.eg/service?article_code=33241

Order

80

Type

Original Article

Type Code

833

Publication Type

Journal

Publication Title

The International Conference on Electrical Engineering

Publication Link

https://iceeng.journals.ekb.eg/

Details

Type

Article

Created At

22 Jan 2023