
An Intrusion Detection System for VoLTE\IMS User.

Humaira Ashraf1,2, Muhammad Sher1, Hafsa Javed1, Sumera Bibi1


1 Department of Computer Science and Software Engineering,
International Islamic University, Islamabad, Pakistan.
2 Department of Computer Science,
Sardar Bahadur Khan Women's University Quetta, Pakistan.

Abstract
IMS (IP Multimedia Subsystem) provides the basis of fixed-mobile convergence for
telecommunication. Compared to previous networks, IMS provides many advantages, especially
in terms of its ability to add a variety of services. The Session Initiation Protocol (SIP) is used
in IMS to establish and manage sessions. It is easy for a hacker to attack IMS by flooding it with
SIP messages, yet IMS does not provide any functions to prevent this kind of attack. In this
paper, we focus on the register flooding attack using SIP messages in IMS, and provide a
detection and prevention framework using the non-parametric cumulative sum (CUSUM) and
z-score algorithms that can effectively detect register flooding and spoofing attacks. The results
show that the proposed framework can successfully detect and prevent register flooding attacks,
while also helping to minimize delay by using a cooperative server.

1. Introduction

Information processing over the internet, and use of the internet, decreases day by day because
its cyber nature puts it under threat, so we have to build our own information processing
systems, especially for those whose data must be more secure against these threats, such as the
military. For advanced network applications an IDS is an important feature, because it collects
information from the network and uses this information to check for threats. IDSs can be divided
into two categories, misuse and anomaly detection techniques [9]. Misuse systems use already
known patterns to recognize attacks, but can be ineffective against attacks that differ from the
existing patterns [9]. Anomaly techniques, on the other hand, can work on unknown patterns, but
they detect authenticated processes as false and abnormal processes [32].
Recent IDSs work in a hierarchical fashion: monitoring and control systems sit at the top,
internal nodes represent the information gathered from different units, and sensors work at the
leaves. These systems work from the lower to the upper levels: the local detection parts collect
local information and, after analysis, hand the results over to the upper level. The upper-level
components inspect them and use the refined information to create an overall view of the
system [14]. Current distributed systems have drawbacks, however, because they are not purely
distributed: only the higher levels hold the centralized data of the local nodes. If one single part
of the system is affected, the whole system suffers.
In addition, most IDSs detect attacks by analyzing information from a single host, or a single
network interface, at many locations throughout the network. Thus, communication and
cooperation between IDS components is badly missing as a design feature. This hampers
the capability to efficiently detect large-scale distributed attacks [14]. Two dynamic research
areas are multi-agent systems [42] and data mining [12]; these two fields can be merged or kept
separate. An IDS should be capable of detecting attacks and resisting them, should be fault
tolerant, and should be easily configurable [29]. These characteristics can be obtained with
multi-agent systems, so that the detection of these attacks is improved [18] and made more
accurate, and system security is enhanced [19]. There are several IDSs that work on multi-agent
technologies [4, 22, 19, 29, 39].
Network complexity increases day by day, and protecting systems from unknown attacks is a big
issue. To overcome this problem, using data mining techniques in intrusion detection gives
good results [3, 8, 20, 24, 37].
The SIP protocol is used for session establishment and handling in IMS and in the majority of
VoIP infrastructures. The loose syntactic rules and the text-based format of the messages
make for a lightweight and flexible protocol that achieves high Quality of Service (QoS) with
low response times. Nevertheless, these features also render the protocol vulnerable to various
attacks and security breaches [18-21]. The employment of a security mechanism such as HTTP
Digest [9] may deter attacks originating from external attackers but not from internal
malicious users. The same applies to IMS infrastructures. The employment of an authentication
mechanism such as AKA with IPSec [8] cannot prevent threats originating from Internal
Attackers (IAs) either, since they can launch attacks through their legitimately established IPSec
tunnels. Moreover, a successful attack may involve the compromise of different layers of the
internet protocol stack, such as the network or the data link layer. For instance, an attacker may
launch an ARP poisoning [22] attack in order to gather the Authentication Vectors (AV) from a
handshake, breaking the authentication mechanism [21] or intercepting the communication [23].

Threats in VoIP/IMS environments may involve the manipulation of layer 2, 3, or 5 messages.


For the application layer, the main attack categories are: SIP signaling manipulation,
masquerade, Man in the Middle (MitM), and replay attacks. In signaling attacks, the attacker
uses SIP protocol requests in order to cause DoS to the server or to a specific user. The
CANCEL and BYE requests are responsible for revoking or terminating multimedia sessions,
respectively. By spoofing the From and Call-ID headers of such requests, an attacker can
terminate a session illegally. This attack can be launched through the security tunnels by an IA,
especially in the case of a weak parser implementation. Another DoS attack can be launched
using UPDATE or re-INVITE requests. Specifically, the malicious user is able to mute a
multimedia session or launch a hijacking attack as described in [10]. Authentication and
integrity mechanisms may deter External Attackers (EAs) but they do not always provide a
comprehensive solution against malicious subscribers.

In masquerade attempts, an attacker's objective is to impersonate a specific User Equipment (UE)
or even a user. These attacks are known as SIP spoofing or identity theft, respectively. The
attacker includes a stolen IP Multimedia Public Identity (IMPU) (or private identity, IMPI) in his
messages instead of his real one, in order to charge the provided services to the victim's identity.
Thus, the IA is charged only for the IP connectivity (during the IP allocation from the GGSN)
and not for the multimedia services provided by the IMS. The employment of authentication and
integrity mechanisms in messages or security tunnels cannot guarantee that such behavior is
discouraged. A masquerade attack can also be applied at the third layer, where the attacker
spoofs the 32-bit source IP address header of the packet in order to bypass the SA-SIP check: a
correlation between the IP and the given public ID of the messages, derived from the SAs which
have been established during the AKA in the registration handshake. This procedure is executed
by the S-CSCF (in VoIP architectures such a checking procedure is not implemented since it is
not described in the specifications).

In a MitM attack, malicious users are
placed in the middle of the communication path between the user and the server [24,25,26]. In
this type of attack, the attacker bypasses both the integrity and authenticity security requirements
and consequently is able not only to impersonate users or network elements, but also to gain
unauthorized access to the provided services, intercept the communication channel or even
cause denial of service. These attacks can be launched by using either ARP poisoning [4] (in
layer 2) or Domain Name System (DNS) poisoning (in layer 5) [22] techniques. The attacker
changes the IP-MAC or the domain-IP associations, respectively, in order to redirect the
traffic through himself (acting as gateway) and gather the communication channel's data. In fact,
in VoIP/IMS infrastructures, an ARP or DNS poisoning attack is followed by a SIP-based attack
in which the messages are manipulated, imposing further damage on the system. For instance,
the attacker may spoof the Expires header of a registration request to zero, causing an immediate
deregistration of the victim [27]. Another attack can be launched after a successful MitM by
downgrading the security level of the upcoming session (Fig. 1). Specifically, during the session
establishment handshake, the intermediary manipulates the header (security-client value in
authorization) that includes the available security suites and removes the stronger ones [28]. Thus
the S-CSCF (or the SIP server) will inevitably choose one of the weak security protocols that the
attacker has left available in the header. Usually, a different attack will follow since the attacker
will be able to break the employed security mechanism. A conference interception could also be
the result of a MitM attack between the user and the MRFC/AS. An IA spoofs the Refer-to or
Refer-by header of the gathered messages in order to silently invite himself into a conference
room [23]. Finally, a MitM can lead to abuse of the authentication mechanism. As described
in [21], the attacker acts as an intermediary between the proxy (or the P-CSCF in IMS
environments) and the user, masquerading as both of them and managing to steal the AV in order
to authenticate his messages. This attack concerns only
the SIP Digest authentication mechanism.

In replay attacks, a malicious user initially simply observes and captures the signaling data
between a legitimate user and its home network. He focuses on capturing authenticated messages
in order to craft spoofed requests/responses that include the authentication vector of a legitimate
user, which allows the attacker to impersonate the legitimate user and get access to his services.
More details on spoofing-based attacks can be found in [29].

We propose a scheme that will both detect and prevent such attacks: a zero-watermarking scheme
to securely detect IP spoofing attacks on IMS. Since the watermark is not actually embedded in
the IP address itself, but rather generated from the characteristics of the IP address, a huge
number of comparisons with previously stored IPs is avoided and the resulting delay is
minimized. The watermarking process involves two levels: (1) an embedding algorithm and
(2) an extraction algorithm. Watermark embedding is done by the original author, and extraction
is done later by the KMC to prove ownership. The KMC, a trusted authority with whom the
original owner registers his watermark, is a mandatory requirement of this algorithm.

2. System Model and Problem Statement


IMS core entities are involved in the registration and session management procedures depicted in
Fig. 2. The signaling protocol used for the management of multimedia sessions is SIP (Rosenberg
et al., 2002). SIP is a text-based protocol that provides flexibility, which lets developers easily
incorporate and implement new services [40]. SIP is vulnerable to DoS and DDoS attacks, which
leaves the IMS environment open to threats and attackers; in this paper we focus on spoofing and
register flooding attacks. Fig. 2 shows the signaling flow of the regular registration process. The
UE must discover the IP address of a P-CSCF before registration; the P-CSCF acts as a proxy
server for the UE. Then the user can send a register request to the discovered P-CSCF. The
request contains the identity of the UE and the domain name of the home network. The P-CSCF
performs DNS queries to locate the I-CSCF in the home network, and sends the request to the
I-CSCF after adding some information. The I-CSCF performs the S-CSCF selection procedure
and forwards the register request to the selected S-CSCF. The S-CSCF finds that the user is not
authorized, so it requests the authentication data from the HSS and sends a 401 Unauthorized
response to challenge the user. The UE calculates the authentication response and sends another
register request with the authentication information to the P-CSCF. The P-CSCF finds the I-CSCF
again and the I-CSCF finds the S-CSCF in turn. The S-CSCF checks the received challenge
response. If the response is correct, the registration is accepted. The S-CSCF downloads the user
profile from the HSS and sends a 200 OK response to the UE indicating that registration is
successful.
The problem is that the registration procedure is very lengthy and complex: we can observe that
only two register requests sent by the user result in 20 messages within the network. Therefore,
if any spoofed IP launches a flooding attack, it will severely affect the IMS environment (20).

Fig. 1 Total Registration messages

We propose a zero-watermarking scheme to securely detect IP spoofing attacks on IMS. Since the
watermark is not actually embedded in the IP address itself, but rather generated from the
characteristics of the IP address, a huge number of comparisons with previously stored IPs is
avoided and the resulting delay is minimized. The watermarking process involves two levels:
(1) an embedding algorithm and (2) an extraction algorithm. Watermark embedding is done by the
original author, and extraction is done later by the KMC to prove ownership. The KMC, a trusted
authority with whom the original owner registers his watermark, is a mandatory requirement of
this algorithm.

3. Related Work

M. Voznak et al. [6] defined a number of attacks, which include flooding, misuse and
unintentional attacks. To counter these attacks they proposed an intrusion prevention system
(IPS) composed of the following three applications:

1. Snort: It is the main component of the IPS and identifies harmful behavior in the network [16].
It consists of six steps: packet decoder, preprocessing, detecting engine, logging and alerting.

2. Snortsam: This application runs on a client-server model. It allows Snort to add unrelated
events into iptables.

3. Iptables: Used in the Linux operating system to inspect, modify, forward, redirect or drop
IPv4 packets.

Zoha Asgharian [7] proposed an IPS based on a specification-based detection system along with
anomaly-based detection. It is made up of five modules.

1. Event generator: All traffic is filtered, transformed and labeled. Labeled packets are presented
as the SIP dataset. Each packet raises an event in the state machine. In each state, on the arrival
of a new packet, the SIP security engine extracts and parses the SIP header based on the
METHOD field (to decide the next state). Each transaction adds a new entry to the proper table
in the database. They define four thresholds on the size of the database.

2. Event collector and message database: This phase collects all important messages and puts
them into the database for further use; the event collector takes care of these.

3. Analysis engine: In this phase a record is computed from the database. The calculated result is
compared with defined thresholds to report the traffic status.

4. Reaction management software: After the traffic status is identified, intruders are trapped by
blacklists. Intruders are identified by the SIP header, and normal traffic can proceed.

Y. Chen et al. [8] address the attack by adding a whitelist transaction table in front of the SIP
server. The whitelist contains four columns: UID, IP address, timestamp and expiry. UID is the
primary key column. When a client registers, deregisters or re-registers, the server is updated
with the recent data. They mention two types of registration (bad authentication and good
authentication). In the REGISTER (good auth) attack, the SIP server is flooded with registration
requests that complete the whole HTTP digest authentication process. This type of attack falls in
the category of adaptive-nonce-based floods defined by [15]. In the REGISTER (bad auth) attack,
the client sends REGISTER requests to the server and completes all steps but with invalid user
credentials [15]. The whitelist contains the most recent information on registered innocent users.
But the whitelist approach alone cannot detect REGISTER (good auth). For this they use the
PIKE module [16], installed with the SIP server. It keeps checking the source IPs of incoming
SIP traffic and blocks any that exceeds some limit.
N. Varkas et al. [9] proposed an IDPS for IMS and also for VoIP services. This mechanism
removes internal and external flooding attacks from a single source and from distributed sources.
The IDPS is based on the concept of a cross-correlation table: a table maintains information
about the user for every registration request, from layers 2, 3 and 5 of the protocol stack. The
proposed model consists of two modules, one for registration and a second for other requests.
The main concept is taken from the cross-layer table. The table has six values that can be
gathered from layers 2, 3 and 5 of the network protocol stack: IP address, SIP-IP address, MAC
address, IMPI/IMPU, counter and attack type. Module one contains two things, the policy
enforcer (a blacklist for malicious users) and the check for spoofed messages. Every event passes
through the spoof checking module, which decides whether the message is legitimate and is
forwarded to the second module, or is sent to the Policy Enforcer (PE). In the spoof checking
module, the user record has to pass a number of comparisons with each record of the
cross-correlation table to check for a spoofing attack. A counter is also added to the table, which
counts the number of requests that came from the same source. Timestamps and the time
distance between each incoming request are calculated in the cross-correlation table. It then
raises an alarm when the value exceeds the threshold. The proposed model works well not only
against single-source attacks but also against distributed-source attacks. The method is mainly
concerned with spoofing attacks and the memory consumption of the CPU. For memory they used
a Bloom filter of single-cell registers. In this mechanism they used two sets of registers, 2000
and 5000. The results show a very small difference between the two sets of registers. The results
also show a very small false positive rate as attack traffic increases. Finally, the authors also
compare their results with a number of other proposed mechanisms, and it is good for all
flooding and spoofing attacks. One limitation of this mechanism is that its spoofing module is
very complicated and takes too much time to compare.

Nauris Paulins [10] proposed an IDS. The main purpose of the research is to shield IMS core
components from attacks such as flooding attacks and the BYE attack, by observing the SIP
server and applying traffic control to protect the SIP server from DoS attacks. Though IMS
provides a number of security mechanisms, there are still vulnerabilities in IMS. The proposed
mechanism combines the Hellinger distance algorithm with an anomaly detection method. The
Hellinger distance approach comprises a training and a testing phase. In the training phase data
is recorded at 500 calls·min⁻¹, and the testing phase is run with attack intensity between
200 calls·s⁻¹ and 500 calls·s⁻¹. However, they do not provide a prevention method.

M. Zubair et al. [11] proposed an anomaly detection method that extracts information from
each SIP message at the P-CSCF of an IMS. The framework consists of four steps:

1. Examine the byte distribution of each incoming message to the P-CSCF.

2. Extract important information in the form of probability transitions (the probability of
stepping from one state to another) [23].

3. Use a feature selection method to remove useless information.

4. Use machine learning algorithms to get the final results.

The important point of this research paper is that they collect their innocent data traffic from
the real world, in their IMS region. They developed a SIP logger and installed it in the P-CSCF
to capture traffic for more than 30 days. Malicious data are generated by a SIP security
evaluation tool. Every incoming packet or message can be seen as a sequence of bytes
$S = \{s_1, s_2, s_3, \ldots, s_l\}$, where $l$ is the message length. They treat every $n$
consecutive bytes as a classification input, which is called an n-gram [22]. The choice of $n$
affects the result. The probability is calculated as how malicious a particular byte is. The
probability can be calculated as

$$P = \sum P(\Theta_{s_i}, \Theta_{s_{i+1}}) \qquad (1)$$

Useless bytes are removed from the messages to decrease the depth and breadth of the
probability. They are then classified by the information gain (IG) formula. An IG value nearer
to 1 is nearer to a normal message and gives more accuracy. The algorithms used for
classification include the support vector machine.

M. Asif [12] proposed a mechanism to cope with the problem of buffer overflow. The paper
addresses only the IMS INVITE flooding attack. In this model, when a user sends an INVITE
request to the server, the server returns a UDP Wait message to the client, notifying it that work
is in progress so that the client does not try to send more than one request to the server. When
the session is disconnected, it sends a Go message to the client in order to release all resources.
They compare the results of their proposed mechanism with actual IMS results in terms of packet
loss, server availability and memory consumption. But this mechanism needs more processing,
because every entry is saved in a database, and when a new request comes it is first checked
against the database. Network Simulator 2 (NS2), which is written in C++ and OTcl, is used for
this model and suits this mechanism well.

M. Sher [13] proposed a mechanism to secure the SIP application server, because it is an
important part of IMS: the SIP server gives valuable services to clients. They also define the
architecture of the SIP application server. The proposed mechanism is based on a two-tier
security module consisting of TSL and IDS. TSL is like a tunnel through which every message
has to pass to reach the server; while messages pass through TSL, it removes malicious users.
For cases where attacks are not detected by TSL, another module, the IDS, is placed between
TSL and the application server. The IDS is a combination of two detection methods, anomaly
and misuse detection. The results show that delay occurs because of the two-tier mechanism
used.

B. David [14] proposed a mechanism for securing SIP called the attack detection schema. The
schema consists of two modules: the Open IMS core to analyze SIP perfection, and a key
authentication module for traversing SIP packets. The proposed system comprises two modules:
one is malformed message detection, which screens distorted messages on SIP to determine the
flooding attack, and the other uses the Chi-square test to detect whether or not the SIP server is
facing an INVITE of death, CANCEL or BYE flooding attack, and also determines the relative
association of response messages when the connection is established using SIP. It also updates
the user information in the database, and the blacklist as well, in order to block the user
connections causing flooding attacks. [15]
The solution proposed in [16] consists of two main methods, IPtables and fail2ban detection, to
protect against SIP resource exhaustion from low-rate DDoS attacks. To protect the servers from
unexpected flooding attacks, an IPtables-based admission control approach is used. Fail2ban
tackles the DDoS in its initial phases, and whitelist-based admission control effectively
distinguishes attack traffic from normal traffic and screens the attackers' IP addresses from the
ban list.
Through call analysis, the proposed scheme mitigates flooding attacks on SIP. According to the
call analysis, a legitimate user sends the INVITE request once or twice to make a call, and
afterwards has to terminate the previous connection by sending a BYE message to the SIP server
in order to make another call. The attacker, however, sends several INVITE messages without
disconnecting the previous sessions with a BYE request, due to which the attacker as well as the
attack can be detected. After detecting the attacker, the system drops all the INVITE packets
and starts sending BYE messages to the attacker to release the channels engaged by the attacker
and provide the services to new legitimate users. The advantage of the proposed approach is that
it does not alter the message structure and does not cause bogus registration, termination and
distorted message attacks. The weakness of this approach is that it is not responsible for
security against these issues or voice tapping, and does not encrypt SIP messages. The system is
only capable of preventing flooding attacks and is vulnerable to phishing and replay
attacks. [17]
A secured multi-layer architecture for SIP-based VoIP provides security at the application,
network and transport layers, provides confidentiality, integrity and availability, and protects
the SIP servers from fake registration and DDoS attacks. An effective security mechanism is
attained by implementing rule-based priority queue policies in the firewall in place of a
pre-configured priority algorithm. The system also aims to provide effective secured
communication with reduced communication delay, and to inhibit zero-day attacks by taking
advantage of the method and updating the attack signatures in the SNORT database. The OPNET
simulator is used to measure the quality of service of the proposed system. [18]
The author presented a hybrid algorithm for detecting an extensive range of flooding attacks on
SIP. The proposed algorithm monitors the behavior of the SIP server during processing, based on
concurrently tracking the attack rate, the percentage of served requests and the average response
time. The algorithm is capable of detecting the different types of flooding attacks on the SIP
server accurately and reduces the false alarm rate. It avoids being affected by attack masking,
variation of the attack, negative change, and variation with the threshold setting. [19]
Keeping track of attackers and detecting attacks requires network administrators to keep an eye
on SIP traffic in the network on a regular basis. Checking and subsequent evaluation can
overwhelm the security administrator of a network with a number of SIP servers and users. An
automatic detection of VoIP attacks over a distributed network is proposed in [6], which analyzes
the collected data with a multilayer perceptron network, also known as an artificial neural
network, trained with a number of attacks. A self-organizing map is used to preprocess and
authenticate the attack data. The detection nodes of the network, which comprise a honeypot
application and the traffic observation scheme, identify malicious behavior in the data. This
automatic taxonomy, with a low false positive rate on an integrated server, reduces the resource
cost of attack detection. [20]
Most of the protocols involved in VoIP are susceptible to flooding attacks, which may degrade
VoIP services and call for a fast and general detection scheme. The vFDS flooding detection
scheme consists of an online anomaly detection structure that mainly focuses on INVITE, SYN
and RTP-related floods. Different characteristics of the protocols are analyzed, and the network
traffic is classified with respect to the intrinsic association between these characteristics. The
detection system uses the Hellinger distance as a measure of variability between probability
distributions of data collected from the network. According to the experimental results, vFDS
achieves high detection accuracy in little time. [21]
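
The Hellinger-distance detection described above for vFDS and for Paulins' IDS, shown as an added example (not code from the paper or from the cited systems). It assumes the probability distribution is the mix of SIP request methods in a window and uses an assumed fixed threshold of 0.2; the start lines and the domain `ims.example.test` are constructed sample data.

```python
import math
from collections import Counter

METHODS = ("REGISTER", "INVITE", "ACK", "BYE", "CANCEL")


def method_of(start_line):
    """Return the request method of a SIP start line, or None for responses."""
    token = start_line.strip().split(" ", 1)[0].upper()
    return token if token in METHODS else None


def method_distribution(start_lines):
    """Probability of each request method among the requests in one window."""
    counts = Counter(m for m in map(method_of, start_lines) if m is not None)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("window contains no SIP requests")
    return {m: counts[m] / total for m in METHODS}


def hellinger(p, q):
    """Hellinger distance: 0 for identical distributions, 1 for disjoint ones."""
    squared = sum((math.sqrt(p[m]) - math.sqrt(q[m])) ** 2 for m in METHODS)
    return math.sqrt(squared / 2.0)


def flag_windows(training_lines, windows, threshold=0.2):
    """Indices of test windows whose method mix deviates from the training mix."""
    reference = method_distribution(training_lines)
    return [
        index
        for index, window in enumerate(windows)
        if hellinger(reference, method_distribution(window)) > threshold
    ]


def make_window(register, invite, ack, bye, cancel, responses=0):
    """Build a constructed window of SIP start lines with the given counts."""
    uri = "sip:ims.example.test SIP/2.0"  # constructed target, not a real host
    return (
        ["REGISTER " + uri] * register
        + ["INVITE " + uri] * invite
        + ["ACK " + uri] * ack
        + ["BYE " + uri] * bye
        + ["CANCEL " + uri] * cancel
        + ["SIP/2.0 200 OK"] * responses  # responses are ignored by method_of
    )


# Constructed sample windows: training, ordinary traffic, REGISTER flood.
TRAINING = make_window(10, 40, 40, 38, 2, responses=90)
NORMAL_WINDOW = make_window(12, 38, 38, 36, 3, responses=85)
FLOOD_WINDOW = make_window(400, 40, 40, 38, 2, responses=90)

if __name__ == "__main__":
    reference = method_distribution(TRAINING)
    for name, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        distance = hellinger(reference, method_distribution(window))
        print(f"{name}: Hellinger distance {distance:.3f}")
    print("flagged windows:", flag_windows(TRAINING, [NORMAL_WINDOW, FLOOD_WINDOW]))
```
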
A mathematical analysis model, M/M/1/(K/2), is proposed to analyze and defend against the INVITE
of death flooding attack on SIP. It is based on queueing theory and assimilates the advantages of
current defense mechanisms. Using the priority queue concept, INVITE requests are enqueued
in a low-significance queue and non-INVITE packets are enqueued in a high-significance queue.
As the SIP server operates on a FIFO queue, the messages in the low-significance queue are
processed after the messages in the high-significance queue. On the basis of simulation results,
it is shown to be an effective approach to defend against INVITE flooding attacks. [22]
In this paper a whitelist methodology based on SIP is framed. The approach keeps up-to-date
information about SIP clients, containing the fields: user ID, last registration timestamp, IP
address and termination time of registration. This methodology is not effective at handling
botnet attacks from compromised hosts with authorized credentials, but its efficiency can be
increased by combining it with other blacklist mechanisms such as SIP Express Router (SER) or
PIKE. [23]
The automatic analysis and detection of flooding attacks is the main aim of the proposed system,
which comprises two modules: an automatic analyzer observes SIP messages and extracts
filtering rules, and a filter blocks the malicious messages. It is a lightweight, fast, low-cost and
layer-independent approach. To make layer-independent analysis possible, a simple assessment
of the ASCII values of SIP packets and a threshold-based decision are chosen. According to the
simulation results, the proposed scheme is very effective at dealing with SIP flooding attacks,
with no false positives and low false negative rates. [24]
In [25] the author focused on a stream-based analysis method to detect hybrid floods on SIP,
implementing a sliding window, comprised of several sampling periods, for mining the statistical
information using the cumulative sum (CUSUM) algorithm. The proposed scheme is evaluated on
low-intensity and high-intensity flooding attacks. For the low-intensity attack the results
clearly show the occurrence of the flood and the decline as it vanishes. The suggested scheme
attains high precision, low false alarms and low latency in detecting flooding attacks. [25]
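
The CUSUM approach named in the abstract and in [25], shown as an added example of a one-sided non-parametric CUSUM over REGISTER counts per sampling period (not code from this paper or from [25]). The drift, threshold and smoothing values, the EWMA baseline and the per-second counts are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class RegisterCusum:
    """One-sided non-parametric CUSUM over REGISTER counts per sampling period.

    All parameter values are assumptions for this example, not the paper's.
    """

    drift: float = 0.3      # tolerated excess over the baseline, as a fraction
    threshold: float = 1.0  # alarm once the accumulated excess passes this
    smoothing: float = 0.1  # EWMA weight used to track the normal rate
    baseline: float = 0.0   # running estimate of the normal REGISTER count
    stat: float = 0.0       # CUSUM statistic y_n
    primed: bool = False

    def update(self, count):
        """Feed one period's REGISTER count; return True while in alarm."""
        if not self.primed:
            self.baseline, self.primed = float(count), True
            return False
        # Normalise by the baseline so drift and threshold work at any load.
        excess = count / max(self.baseline, 1.0) - 1.0 - self.drift
        # y_n = max(0, y_{n-1} + excess). Normal traffic gives negative excess,
        # so y_n stays at zero; a sustained rise accumulates period by period.
        self.stat = max(0.0, self.stat + excess)
        if self.stat == 0.0:
            # Learn only from periods with no accumulated evidence of attack,
            # otherwise a slow flood would drag the baseline up with it.
            self.baseline += self.smoothing * (count - self.baseline)
        return self.stat > self.threshold


def alarm_periods(counts, detector=None):
    """Indices of sampling periods in which the CUSUM detector is in alarm."""
    if detector is None:
        detector = RegisterCusum()
    return [i for i, count in enumerate(counts) if detector.update(count)]


def fixed_threshold_periods(counts, limit):
    """Baseline comparison: periods where a fixed per-period limit is exceeded."""
    return [i for i, count in enumerate(counts) if count > limit]


# Constructed sample: REGISTER requests seen per 1-second sampling period.
NORMAL = [20, 22, 19, 21, 20, 23, 18, 21]
LOW_RATE_FLOOD = [32, 33, 31, 32, 33, 32]  # about 1.6x the normal rate
RECOVERY = [20, 21, 19, 20, 20, 21]
SAMPLE = NORMAL + LOW_RATE_FLOOD + RECOVERY

if __name__ == "__main__":
    print("CUSUM alarm periods:", alarm_periods(SAMPLE))
    print("fixed limit of 40/s:", fixed_threshold_periods(SAMPLE, 40))
```

The flood never crosses a fixed limit of twice the normal rate, but the accumulated excess raises the alarm in the fourth flood period and clears again once traffic returns to normal.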

The power of the wavelet analysis technique has been explored for stealthy flooding detection,
which makes use of coefficients transformed from the original traffic signal to isolate the
deviation induced by attacks. Using a wavelet signal processing technique, the signals are
decomposed at different levels to extract information from the raw stream of traffic. Another
probabilistic data categorization method used in the paper is the sketch technique, which creates
a fixed-length hash table of traffic summaries and makes them available to the wavelet
analysis [26].
To achieve a more flexible and effective scheme, the sketch data structure is integrated with the
Hellinger distance. To identify the deviation between the preceding and current distributions of
SIP request messages, the author applies the Hellinger distance algorithm to the sketch data
structure in [27]. The Hellinger distance escalates up to one when the probability distributions
deviate, and must be near to one in case of similarity between the distributions. Furthermore, in
their experimental exploration they used a dynamic threshold.
Ehlert et al. counter flooding with a two-layer security architecture in which the first layer
consists of a bastion host used to protect against network-layer attacks (like TCP SYN and SIP
flooding). In the second layer the SIP proxy is enhanced with a security module providing
advanced SIP-related security features. The module performs signature-based detection of
distorted messages and protects against attacks involving SIP URIs with unviable DNS names. To
verify the model the system is deployed in a test-bed architecture, but it is not cost effective
and works only on proxy servers [28].
In this paper the author focused on the issues of IMS networks caused by denial of service
attacks on the SIP protocol. Three different machine learning algorithms (CUSUM, adaptive
threshold, and Hellinger distance) are compared and evaluated on the basis of their detection
accuracy in identifying flooding on different data sets containing malicious traffic. It is
concluded that the Hellinger distance has better detection accuracy than the other two
algorithms, does not need its parameters readjusted, and is robust to deviations in attack
traffic patterns. [29]
This paper is about a trust model based on a trust value that is computed between the source
(caller) and destination (callee) entities from their communication activity. According to the given
algorithm, the trust value of an authorized user, which is calculated from call duration and
direction between users, must be greater than that of an attacker. To evaluate the promised reduction in false
positive rate and improved accuracy rate, the trust-based model is integrated with CUSUM,
Hellinger distance and Tanimoto distance and applied to mixed attack traffic. Although the
proposed model is effective in reducing the false alarm rate, it is not able to prevent the attacker from
stealing the identity and trust score of a legitimate user [30].
Fiedler et al. [31] proposed an open security architecture named VoIP Defender for observing
SIP traffic, with its main concentration on DDoS attacks. The architecture consists of a
number of integrated detection algorithms and some attack reduction and prevention techniques.
Its major concerns are a scalable, transparent, time-efficient and extensible design. The
prototype implementation is evaluated entirely on the basis of performance measures. Similarly,
[32] presented a security evaluation framework for analyzing the susceptibilities of SIP through
penetration testing and generating non-destructive attacks for SIP. The proposed framework
consists of information modeling, processing, assessment and reporting modules. The aim of
designing such a framework is to be flexible and scalable for several attacks.
The work presented in [33] determines the feasibility of a Multiple Classifier System against
mimicry attacks. According to the analysis, the misclassified SIP messages show that SIP
packets whose Content-Length header does not equal the size of the SIP payload are
difficult to detect, because these malformed messages need a proper indication of the
relationship between the value of the SIP header and the length of the SIP payload. These messages are
considered normal because they contain only small changes from normal messages, and can easily bypass
the IDS and be forwarded to the SIP server to degrade its performance. Such malformed messages can
be recognized by validating the payload length against the header value. In the proposed approach
the Multiple Classifier System achieves higher classification precision with O(1) runtime
complexity across diverse data. Another contribution here is the minimum detection measure
(MDM), an oracle-based fitness function that bounds the maximum classification performance of the
system classifiers; in essence, MDM acts as a valuable tool for measuring the effectiveness of the
system.
In [34] the authors discuss different anomaly detection schemes for SIP that use data
sets with so many dissimilarities between normal and anomalous packets that the anomaly is easy to
detect. Their exploration using a dataset with slight differences shows that the
existing anomaly detection schemes are not very efficient. They present a feature reduction scheme
to improve these anomaly detection schemes even when using the “trickier” data sets. The work in [35]
demonstrated the ability of multiple classifiers to resist parser-based SIP attacks, and
proposed a self-learning system based on multiple classifiers for detecting abnormally formed
self-similar SIP messages. A linear regression function is used in combination to analyze the
correlation between classifiers, refining their strength and classification precision and evading
their weakness. In the same way, the authors of [36] showed why Euclidean-distance-based
classifiers do not produce satisfactory results against malformed packets that differ only
slightly from normal packets.
4. Proposed Intrusion detection System

The proposed intrusion detection system efficiently and effectively detects spoofing and
register flooding attacks in the IMS environment. The figure shows that the proposed solution consists of two
modules: a spoofing detection module based on zero watermarking, and a register flooding
detection and prevention module. It uses both the anomaly detection and rule-based detection
approaches. Fig. 3 shows the complete structure of the intrusion detection system.

Fig. 2 Components of Intrusion Detection System

Table 1 Notations

Description             Symbol
register request        γ
bandwidth               β
threshold               ξ
re-register             ζ
re-registration list    η
counter                 ϖ
P-CSCF load             ρ
registration allowed    θ
de-register             ∞

Intrusion Detection Protocol

UE embed KIP;ID
UE → KMC: K
UE → KMC: γ
KMC extract K: γ
IF EK == EBK
    UE → FDPS: γ
ELSE
    "invalid request"
IF γ β ≤ ξ
    γ → BL
ELSE
    γ → AY
ENDIF
IF γ ≡ ζ
    γ → η
ELSE
    γ → WL
ENDIF
IF γ ∈ BL
    Γ++
ELSE
    IF γ ∈ WL
        ϖ++
    IF ϖ > 3 ∥ Γ < 60
        γ → BL
    ELSE
        ϖ ≡ 1
ENDIF
IF ρ ≥ ξ
    MLM ← MRRM δ
IF δ ≡ positive
    inc Γ for BL
    set max ϑ γ ∈ ζ ≡ 1
    Set max θ ≡ 1
    ∞ γ whose Γ > 1
ENDIF

Zero watermarking is used to detect IP spoofing attacks on IMS. The watermark is not actually embedded in
the IP address itself; rather it is generated by using the characteristics of the IP address. The
watermarking process involves two levels: (1) the embedding algorithm and (2) the extraction algorithm.
Watermark embedding is done by the original author and extraction is done later by the KMC to prove
ownership. The KMC, a trusted authority with whom the original owner registers his watermark, is a
mandatory requirement of this algorithm. We propose to use zero watermarking for the
encryption of the IP address.

Embedding Algorithm

The embedding algorithm makes no change in the Register request. The watermark is
embedded logically and the information is contained in a key. The watermark embedding
process is shown in the figure, where the watermark is a series of digits only, the original object (O)
is the Register request containing user parameters separated by a period (,), and the partial key is the
key which contains a 3-digit group size and 2-digit cipher attributes. The key is populated by the
embedding algorithm. The partial key constituents are shown in figure 4.4.
The 3-digit group size indicates the number of digits to be included in one group. This watermark is
then registered with the KMC along with the original IMPU value, keyword, current date
and time.

Step 1-2 The algorithm first performs pre-processing, meaning all the special characters are removed
from the register request parameters.
Step 3 Each alphabet is converted to its equivalent numeric value, i.e. zohaibim is converted to its
equivalent binary number.
Step 4-7 Create groups of 5 digits. In this step, the occurrences of the digit one (1) are counted in each
group and the maximum occurring one is identified in each group. An MDL (maximum digit
list) is formed that contains the maximum occurring 1 in each group with a corresponding group
number.
Step 8-10 The key (K) is generated as output by this algorithm, containing the group size and the complete list of
group numbers with the corresponding number of 1's in each. Now the hash of the complete key is
generated for multi-security. Compress the original object and the hash of the key.

Algorithm 1 Embedding Algorithm


1. Input IP, γ.
2. Preprocess inputs to IP, ID.
3. Each digit is converted into its equivalent binary number = B.
4. Count total number of digits (ND) in B.
5. Read group size (gpsize) and make groups of B based on gpsize.
6. NG (Number of groups) = ND/gpsize.
7. Identify maximum occurring digit 1 in each group and store in MDL.
8. Generate key.
9. Generate hash of complete key.
10. Compress γ and key.

Extraction Algorithm
The algorithm which extracts the watermark from the text is called the extraction algorithm. The
proposed extraction algorithm takes the register request and keyword as input. The text may
be attacked or un-attacked. The watermark is generated from the text by the extraction
algorithm and is then compared with the original watermark registered with the KMC.
Multiple watermark registrations with the KMC can be resolved by keeping a record of time and date.
The author having the former registration entry will be regarded as the original author. The
watermark will be accurately detected by this algorithm in the absence of an attack on the register
request, and the request will be called an authentic request without tampering. The watermark will
get distorted in the presence of tampering attacks on the register request.
The algorithm is as follows:
Step 1-4 The first step is decompressing O and the key. A hash of O and the key is generated for the comparison,
then all the special characters are removed from the register request parameters. Each
alphabet is converted to its equivalent numeric value, i.e. zohaibims converted to 26, then each
digit is converted to its equivalent binary number.
Step 5-8 Groups are formed based on the group size obtained from the key. In this step, the occurrences of the
numeric digit (1) are counted in each group and the maximum occurring numeric digit 1 is identified
in each group. The key (K) is used to get the watermark from the text. A watermark is obtained by
performing the reverse process of embedding and encryption as shown in the extraction
algorithm.

Algorithm 2 Extraction Algorithm


Input key (K) and attacked Register Request (γ)
1. Decompress γ and K.
2. Calculate hash of K and compare with received hash.
3. Preprocess Register request (γ).
4. Each digit is converted into its equivalent binary number.
5. Count total number of digits (ND) in B.
6. Read group size (gpsize) and make groups of B based on gpsize, i.e. NG (Number of groups) = ND/gpsize.
7. Identify maximum occurring digit 1 in each group and generate MDL.
8. Output extracted watermark (W).
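
Algorithms 1 and 2 as one runnable sketch, added here as an illustration and not the authors' implementation. The letter-to-number mapping, the 4-bit digit width, SHA-256, zlib and the JSON key layout are assumptions the page does not specify; the sample request is constructed.

```python
import hashlib
import hmac
import json
import re
import zlib

GROUP_SIZE = 5  # the page forms groups of 5 binary digits


def preprocess(ip: str, identity: str) -> str:
    """Steps 1-2: join the inputs and strip every special character."""
    return re.sub(r"[^0-9a-z]", "", (ip + identity).lower())


def to_bits(text: str) -> str:
    """Step 3. Assumed encoding: a letter becomes its alphabet position
    (a=1 ... z=26) and every decimal digit becomes 4 binary digits."""
    digits = "".join(str(ord(c) - 96) if c.isalpha() else c for c in text)
    return "".join(format(int(d), "04b") for d in digits)


def build_mdl(bits: str, gpsize: int) -> list:
    """Steps 4-7: [group number, count of 1s] for each group of B."""
    return [[i // gpsize + 1, bits[i:i + gpsize].count("1")]
            for i in range(0, len(bits), gpsize)]


def embed(ip: str, identity: str, request: bytes, gpsize: int = GROUP_SIZE) -> dict:
    """Algorithm 1: the request is left unchanged; only a key is derived."""
    mdl = build_mdl(to_bits(preprocess(ip, identity)), gpsize)
    key = json.dumps({"gpsize": gpsize, "mdl": mdl}, separators=(",", ":")).encode()
    return {
        "request": zlib.compress(request),            # step 10
        "key": zlib.compress(key),                    # step 10
        "key_hash": hashlib.sha256(key).hexdigest(),  # step 9 (SHA-256 assumed)
    }


def extract(bundle: dict, seen_ip: str, seen_identity: str) -> tuple:
    """Algorithm 2, as the KMC would run it against the registered key."""
    key = zlib.decompress(bundle["key"])                           # step 1
    if not hmac.compare_digest(hashlib.sha256(key).hexdigest(),
                               bundle["key_hash"]):                # step 2
        return (False, "key hash mismatch")
    registered = json.loads(key)
    observed = build_mdl(to_bits(preprocess(seen_ip, seen_identity)),
                         registered["gpsize"])                     # steps 3-7
    if observed != registered["mdl"]:                              # step 8
        return (False, "watermark mismatch")
    return (True, "authentic")


# Constructed sample: documentation-range address and the page's sample user name.
SAMPLE_REGISTER = (b"REGISTER sip:ims.example SIP/2.0\r\n"
                   b"Contact: <sip:zohaibims@192.0.2.10>\r\n\r\n")
BUNDLE = embed("192.0.2.10", "zohaibims", SAMPLE_REGISTER)

if __name__ == "__main__":
    print(extract(BUNDLE, "192.0.2.10", "zohaibims"))  # unchanged source
    print(extract(BUNDLE, "192.0.2.99", "zohaibims"))  # different source address
```

The per-group count of 1s is a lossy summary, so two different inputs can yield the same watermark; the comparison is a tamper indicator, not a cryptographic binding of the request to its source.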

Components of Intrusion Detection Server

White List (WL).


Analyzer (AY).
Re-Register List (RRL).
Bandwidth Monitoring Module (BMM).
CPU load Monitoring Module (CLMM).

Components of Cooperative Server

Black List (BL).


Monitoring Register Request Module (MRRM).

γ → IDS

As soon as the IDS starts receiving register requests, the bandwidth monitoring module activates.

Bandwidth Monitoring Module:

Whenever a user sends its parameters to get registered, its bandwidth is monitored. If the bandwidth
used by any IP exceeds the threshold limit, the register request is considered an intrusion and the
user will be blocked. The threshold is selected on the basis of the register message size of SIP, that is
225 bytes [6]. If the user exceeds this limit more than 280 it will be treated as an intrusion.
Therefore, the system will move this IP to the blacklist for a certain time, depending upon how
dangerous the attacker is.

IF γ β ≤ ξ invalid request
Analyzer

Once a register request has been inspected by the bandwidth monitoring module, its nature is
observed. If it is a re-register message it is forwarded to the re-register list.

γ ≡ζ

γ →η

Re-Register List

The re-register list contains the re-registration request counter for each already registered UE. It stores
the IP with the counter value for the number of times it is re-registered in a second.

White List

Updating Deletion Time and Auto-Delete

When the IP of an attacker is detected for the first time it is added to the blacklist, and a deletion
time is set against it. When the deletion time of an IP is completed it is auto-deleted
from the blacklist. In the same manner, if the IP of an attacker is detected again before completion of its
deletion time, then its deletion time is updated and increased depending upon how
dangerous the attacker is.
Process of updating of Deletion Time and Auto Delete from Blacklist

γ ∈ BL

Γ++

If the IP does not exist in the BL it is checked in the WL; in case it is not present there either, it is
added to the WL and a counter value of 1 is allotted to the counter.

γ → WL∥ Γ < 60

ϖ ≡1

If an already registered user forwards a register message three times in 60 seconds it will
be removed from the WL and kept in the BL for a certain period of time. When an IP is malicious,
the IDS protects the system by checking the BL first. In case the IP of the attacker does not exist
in the BL, it is added to the BL and a deletion time is set for it. If the IP of the attacker
is already present in the BL, it means that the IP had tried to attack before, and the IDS increases the deletion
time against that IP.
ϖ > 3 ∥ Γ < 60    γ → BL
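
The whitelist, blacklist and deletion-time rules above as a small state machine, added here as an example and not the authors' code. It follows the ϖ > 3 within 60 seconds condition; the RegisterGate name, the 300-second base deletion time and its doubling per repeat offence are assumptions, since the page only says the time depends on how dangerous the attacker is.

```python
from dataclasses import dataclass, field

WINDOW_S = 60        # page: requests are counted over 60 seconds
MAX_REGISTERS = 3    # page: counter > 3 inside the window moves the IP to the BL
EMERGENCY_MAX = 1    # page: under attack, at most 1 REGISTER per 60 seconds
BASE_BLOCK_S = 300   # assumed base deletion time; the page gives no figure


@dataclass
class RegisterGate:
    whitelist: dict = field(default_factory=dict)  # ip -> recent request times
    blacklist: dict = field(default_factory=dict)  # ip -> (deletion time, offences)
    emergency: bool = False                        # set when the CS reports a positive δ

    def _auto_delete(self, now: float) -> None:
        """Drop blacklist entries whose deletion time has passed."""
        expired = [ip for ip, (until, _) in self.blacklist.items() if until <= now]
        for ip in expired:
            del self.blacklist[ip]

    def _blacklist(self, ip: str, now: float) -> None:
        """Add the IP, or extend its deletion time on a repeat offence
        (doubling per offence is an assumed policy)."""
        offences = self.blacklist.get(ip, (0, 0))[1] + 1
        self.blacklist[ip] = (now + BASE_BLOCK_S * 2 ** (offences - 1), offences)
        self.whitelist.pop(ip, None)

    def handle(self, ip: str, now: float) -> str:
        """Decide what to do with one REGISTER from `ip` at time `now`."""
        self._auto_delete(now)
        if ip in self.blacklist:              # the BL is checked first
            self._blacklist(ip, now)          # seen again before expiry: extend
            return "drop"
        recent = [t for t in self.whitelist.get(ip, []) if now - t < WINDOW_S]
        recent.append(now)
        limit = EMERGENCY_MAX if self.emergency else MAX_REGISTERS
        if len(recent) > limit:
            self._blacklist(ip, now)
            return "blacklisted"
        self.whitelist[ip] = recent           # new or well-behaved IP stays in the WL
        return "forward"


def replay(events):
    """Run (time, ip) pairs through a fresh gate and return the decisions."""
    gate = RegisterGate()
    return [gate.handle(ip, now) for now, ip in events]


# Constructed trace: one noisy source and one normal re-registering user.
EVENTS = [(0, "198.51.100.7"), (5, "203.0.113.5"), (10, "198.51.100.7"),
          (20, "198.51.100.7"), (30, "198.51.100.7"), (40, "198.51.100.7"),
          (70, "203.0.113.5"), (700, "198.51.100.7")]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, decision)
```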
CPU Usage Monitoring

This module monitors the CPU load of the P-CSCF; if it exceeds the
threshold value, information is requested from the CS server to confirm.

ρ ≥ ξ Get δ

In case the CS sends the parameter δ with a positive value, a flooding attack is alarmed. Therefore
emergency rules are implemented.
Rules in emergency conditions:

1. If an attack is detected, users are not allowed to send more than 1 Register and
re-register request within 60 seconds.

2. All the users already in the WL are de-registered if their critical number for registration is
more than 2 per second or if the re-registration value increases from 2 per second.

inc Γ for BL-γ set max ϑ γ ∈ ζ ≡ 1


Set max θ ≡ 1
∞ γ whose Γ >1
Monitoring Register Request Module

The MRRM monitors the number of register requests traversing the P-CSCF, which increases
while the number of 200 OK responses decreases under a flooding attack. The difference between
register requests and 200 OK responses, which is nearly zero in normal behavior, will become
very large. According to this feature, we can detect the register
flood by observing this difference. If the value of the difference suddenly changes (non-zero),
it indicates that a flooding attack is happening; therefore a positive value δ is sent to the IDS.
γ > 200ok

δ → IDS
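
A sketch of the MRRM check, added here and not taken from the paper: a non-parametric CUSUM over the REGISTER minus 200 OK difference, combined with a z-score of the REGISTER count against an attack-free baseline. The drift, threshold, z limit, reset rule, the rule that both tests must agree, and the per-interval counts are assumptions and constructed data.

```python
from statistics import mean, pstdev


def mrrm_detect(registers, ok_responses, baseline_n=5, drift=2.0,
                threshold=100.0, z_limit=3.0):
    """Return one row per interval with the CUSUM statistic, z-score and δ.

    registers / ok_responses: REGISTER requests and 200 OK responses counted
    at the P-CSCF per interval. The first baseline_n intervals are assumed
    attack-free and supply the mean and deviation for the z-score.
    """
    mu = mean(registers[:baseline_n])
    sigma = pstdev(registers[:baseline_n]) or 1.0  # flat baseline: avoid /0
    y = 0.0
    rows = []
    for n, (reg, ok) in enumerate(zip(registers, ok_responses)):
        x = reg - ok                       # nearly zero in normal behavior
        if y > threshold and x <= drift:
            y = 0.0                        # assumed: reset once traffic recovers
        else:
            y = max(0.0, y + x - drift)    # non-parametric CUSUM update
        z = (reg - mu) / sigma
        delta = 1 if (y > threshold and z > z_limit) else 0
        rows.append({"interval": n, "cusum": y, "z": round(z, 2), "delta": delta})
    return rows


def attack_intervals(rows):
    """Intervals in which a positive δ would be sent to the IDS."""
    return [r["interval"] for r in rows if r["delta"] == 1]


# Constructed counts per one-second interval: a flood in intervals 7-9.
REGISTERS = [50, 52, 49, 51, 50, 53, 50, 200, 261, 240, 52, 50]
OK_200 = [50, 51, 49, 50, 50, 52, 50, 60, 55, 58, 51, 50]

if __name__ == "__main__":
    for row in mrrm_detect(REGISTERS, OK_200):
        print(row)
```

A legitimate peak in which 200 OK responses keep pace with REGISTER requests raises the z-score but not the CUSUM statistic, so δ stays 0.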

Intrusion Detection and Prevention Algorithm

AT User Equipment getIP(); A[n]=preprocess(IP,IMPI); convert A[n] in to binary equivalent

Detection Algorithm for Register flooding

In our approach the CUSUM and z-score detection algorithm [17] is used to monitor the P-CSCF
traffic and detect the attack situation on MLM. Table 4 shows the values for normal, peak and
attack traffic calculated using the CUSUM and z-score detection algorithm for various numbers of
requests.

NMI    Zn      Normal Traffic    Peak Traffic    Attack Traffic
30     9.34    60                80              200
50     11      100               140             261
100    16      200               300             400
500    19      1400              1500            2400

Table 2 Scenarios

In the first experiment, the legitimate user is registered for the first time in IMS through the IMS client.
The IDS should forward this client to the P-CSCF after updating its record in the WL so that it registers
successfully. In this situation only one UE is active; therefore low CPU load on the P-CSCF is
observed by the CLMM. The successful registration is shown; fig 6 shows the CPU load on the P-CSCF
during normal traffic.

Fig. 5 CPU load on P-CSCF
In the second experiment 50 attackers try to forward illegitimate register requests. This leads to
60 requests per second, which in turn lead to 480 illegitimate messages. This is a huge number of
messages that wastes CPU services; it causes an attack situation and exceeds the threshold value. The
IDS checks that it is not a false alarm by requesting information from the CS, which checks whether the
difference between register requests and 200 OK responses is nearly zero; if it has become
very large, a register flooding attack is confirmed. Fig 7 shows the CPU load on the P-CSCF under
a register flooding attack.

Fig. 7 CPU load on P-CSCF under attack

In the real environment the P-CSCF processes a huge number of authenticated messages. Therefore
performance must not be compromised; for this reason two servers are deployed in the proposed
intrusion detection and prevention system. The results show that the average delay per message,
which we measured in normal and high traffic scenarios, is minimized.

5. Results and Analysis


To evaluate performance of IDS for authentication and re-authentication procedures and evaluate
the detection rate of the proposed solution the IMS testbed is implemented.

A. Testbed
The open source IMS server from Fokus is installed and thoroughly tested. The objective of this
was to configure and optimize the Fokus IMS Core for audio/video calling between two users as
well as conference calling. The Fokus IMS Core was installed on the server and an open source
IMS client from Boghe was used for communication. All the services were tested, which include
registration/authentication, voice call, video call, conference call, etc. According to the
results the IMS Core was reconfigured and tested again. Development then started on the
main security module: two servers, the IDS server and the cooperative server, were developed to
authorize and funnel all client requests and security threats before redirecting them to the main
IMS server. SIPp is a SIP traffic generator usually used by researchers. Therefore, it is used to
generate flooding traffic for testing.
Through this testbed the response time for authentication and each
subsequent re-authentication is evaluated, and the CPU load of the proposed scheme is also evaluated.
The testbed architecture is depicted in the figure. The IMS platform was developed on an Intel Core
i3 at 2.4 GHz machine with 4 GB RAM, while the client was installed on an Intel Core i5 at 2.4
GHz with 4 GB RAM.

Figure 3: Deployment Scenario for IDS


Major baseline approaches deployed were VN [13], RA [15], HU [8]. The following scenarios are
considered during the registration process:

S1: In this scenario traffic of 50 SIP REGISTER requests per second is generated through a
Request Generator (RG). The response time is observed for the authentications.
S2: Comparison of response time with the existing IMS authentication procedure.
S3: The time period during which traffic is monitored is divided into 3 intervals of 20 seconds per
minute; this evaluation scenario is considered for the detection.
S4: The time period during which traffic is monitored is divided into 4 intervals of 15 seconds per
minute; this evaluation scenario is considered for the detection rate.

B. Performance Evaluation
Performance is measured using fault detection ratio and false positive rates. Evaluation of
response time and CPU load is also performed.
Response Time
The response time is calculated for the proposed IDS, and a comparison with VA, RA, HA and IMS AKA is
performed to see the effect of introducing a new IDS module and the time the user has to wait for a response.

CPU Load
Whenever an additional module is implemented it affects CPU load; however, the proposed
approach deploys a separate IDS module rather than implementing it in existing servers.
Comparisons are performed with VA, RA, HA and IMS AKA.
Fault detection Analysis

Fault detection ratio


Fault detection ratio is defined as follows:
FDR (fault detection ratio) = RF (request forged) \ FRD (forged request detected)    (2)

Table 2 Fault Detection Rate


RRS     RF      RD      FDR
10      7       4       100
20      15      10      100
30      25      19      100
40      35      38      100
50      45      42      100
60      55      53      100
70      65      64      100
80      75      74      100
100     95      94      100
200     190     186     100
500     450     450     100
1000    900     899     100

Table 3 Fault detection rate

Intensity/sec    No of request    Proposed    RA       HA       VA
1                20               89.55       79.1     80.15    84.99
1                30               90.19       76.13    76.11    89.19
1                40               84.89       76.56    66.56    86.77
10               20               99.25       98.94    88.94    88.44
10               30               100         95.35    85.16    95.3
10               40               99.22       86.89    78.80    98.91
100              20               100         98.7     96.90    94.94
100              30               100         98.15    91.15    99.10
100              40               100         100      100      100
1000             20               100         96.64    91.76    91.64
1000             30               99.64       99.90    92.9     92.90
1000             40               100         97.80    90.94    90.96
Table 4 Fault detection rate
Fault detection ratios for the baseline schemes are compared in table 4.

Figure 4: Fault detection ratio (detection ratio versus number of request; series: Proposed, RA, HA, VA)

It can be seen that detection accuracy for low intensity attacks increases with a smaller number of
requests, although with fewer requests the detection accuracy of high intensity attacks
decreases. With a larger number of requests, attacks do not show the same level of
detection accuracy, but high intensity attacks are detected with good accuracy.

Response Time Evaluation


Response time refers to the amount of time the IMS servers take to send a response to the
user for a Register request. The response time is affected by factors such as network
bandwidth, number of users, the number and type of requests submitted, and average processing
time. In this scenario, response time refers to the average response time. In this experiment, while
evaluating system performance, the total delay reflects all the time required to service a register
request and return the average response time of all requests.
The faster the response time, the more requests per minute are processed. Scenario S1
has been used to assess the increase in response time introduced by the IDS module
added before the IMS core entities. The results shown are for 50 IMS users requesting authentication
10 times, each of which is sent after 60 seconds. Figure 13 elucidates the delay imposed by the
IDS module on the Register requests. It is low since almost all calculations are executed
within a period of milliseconds. In the proposed IDS, the response time is calculated using 𝑅𝑇 =
(𝑛 − 𝑟)⁄𝑇𝑝, where n is the number of users, r is the number of requests received by the IDS
server, and 𝑇𝑝 is the total processing time of the IMS core entities and IDS.

Figure 5: Response time for authentications (milliseconds versus number of authentications; series: proposed, Rafique, M. et al. 2011, Hussain et al. 2013, Nikos et al. 2013)

CPU Load:
CPU load refers to a computer's usage of processing resources, or the amount of work handled
by a CPU. Actual CPU utilization varies depending on the amount and type of managed
computing tasks. The CPU load of various IDS schemes can affect the working of the P-CSCF;
in the proposed solution, however, the IDS is placed before the IMS core, therefore the working of the
core server is least affected. Figure 6 shows the CPU load on the P-CSCF due to various IDS schemes.
Figure 6: CPU load (CPU load versus time; series: Hussain et al. 2013, Rafique, M. et al. 2011, Nikos et al. 2013, proposed)

References
1. 3GPP: TS 23.228: IP Multimedia Subsystems (IMS). Third Generation Partnership Project,
Technical Specification Group Services
and System Aspects (2011)
2. Rosenberg, J., et al.: RFC 3261: SIP: Session Initiation Protocol
(2002)
3. Tanase, M.: IP spoofing: an introduction. Secur. Focus11(2003).
Available at:http://www.securityfocus.com/infocus/1674
4. Wagner, R.: Address resolution protocol spoofing and man-in-the-middle attacks. The SANS
Institute (2001). Available at: http://rr.sans.org/threats/address.php
5. Geneiatakis, D., et al.: Survey of security vulnerabilities in session initiation protocol. IEEE
Commun. Surv. Tutor. 8, 68–81
(2006)
6. Park, Y., Park, T.: A survey of security threats on 4G networks. In:
IEEE Globecom Workshops, Washington, DC, pp. 1–6 (2007)
7. Keromytis, A.: A survey of voice over IP security research. In:
Prakash, A., Sen Gupta, I. (eds.) Information Systems Security,
vol. 5905, pp. 1–17. Springer, Berlin (2009)
8. 3GPP: TS 33.203: 3G security; Access security for IP-based services (Release 10). Third
Generation Partnership Project, Technical
Specification Group Services and System Aspects (2010)
9. Franks, J., et al.: RFC 2617: HTTP authentication: basic and digest
access authentication. Internet Eng. Task Force (1999). Available
at: http://www.ietf.org/rfc/rfc2617.txt
10. Wu, Y., et al.: Intrusion detection in voice over IP environments.
Int. J. Inf. Secur.8, 153–172 (2009)
11. Wu, Y., et al.: Scidive: A stateful and cross protocol intrusion
detection architecture for voice-over-ip environments. In: Proceedings of the 2004 International
Conference on Dependable
Systems and Networks (DSN 2004), Firenze, Italy, pp. 433–442
(2004)
12. Sengar, H., et al.: Detecting VoIP floods using the Hellinger distance. IEEE Trans. Parallel
Distrib. Syst. 794–805 (2008)
13. Geneiatakis, D., et al.: Utilizing bloom filters for detecting flooding
attacks against SIP based services. Compu. Secur.28, 578–591
(2009)
14. Wan, X.Y., et al.: A SIP DoS flooding attack defense mechanism
based on priority class queue. In: IEEE International Conference on
Wireless Communications, Networking and Information Security
(WCNIS), Beijing, China, 25–27 June, pp. 428–431 (2010)
15. Srinivasan, R., et al.: Authentication of Signaling in VoIP Applications. In: Asia-Pacific
Conference on, Communications. pp.
530–533 (2005)
16. Argyroudis, P.G., et al.: Performance analysis of cryptographic protocols on handheld
devices. In: Third IEEE International Symposium on Network Computing and Applications
(NCA 2004), pp.
169–174 (2004)
17. Shen, C., et al.: The impact of TLS on SIP server performance.
In: IPTComm 2010: 4th Conference on Principles, Systems and
Applications of IP Telecommunications Principles, Systems and
Applications of IP Telecommunications, Munich, pp. 59–70 (2010)
18. Geneiatakis, D., et al.: SIP Security Mechanisms: A state-of-the-art
review. In: Proceedings of Fifth International Network Conference,
Samos, Greece, pp. 147–155 (2005)
19. Geneiatakis, D., et al.: SIP message tampering: the SQL code
injection attack. In: Proceedings of 13th International Conference
on Software, Telecommunications and Computer Networks (SoftCOM 2005), Split, Croatia
(2005)
20. Bremler-Barr, A., et al.: Unregister attacks in SIP. In: 2nd Workshop
on Secure Network Protocols, NPSec, pp. 32–37 (2006)
21. Abdelnur, H., et al.: Abusing SIP authentication. In: ISIAS’ 08:
Fourth International Conference on Information Assurance and
Security, pp. 237–242 (2008)
22. Klein, A.: BIND 9 DNS cache poisoning. Available: http://www.trusteer.com/docs/bind9dns.html (2007)
23. Vrakas, N., et al.: A call conference room interception attack and
its detection. In: Presented at the 7th International Conference on
Trust, Privacy and Security in Digital Business, Bilbao, Spain,
(2010)
24. Asokan, N., et al.: Man-in-the-middle in tunnelled authentication
protocols. Lecture Notes in Computer Science, vol. 53364, p. 28
(2005)
25. Xia, H., Brustoloni, J.: Hardening web browsers against man
-in-the-middle and eavesdropping attacks. In: Proceedings of the
14th International Conference on World Wide Web, Chiba, Japan,
pp. 498–498 (2005)
26. Zhang, R., et al.: On the feasibility of launching the man
-in-the-middle attacks on VoIP from remote attackers. In: Presented
at the 4th ACM Symposium on Information, Computer and Communications Security, Sydney,
Australia, March (2009)
27. Callegari, C., et al.: A novel method for detecting attacks
towards the SIP protocol. In: International Symposium on Performance Evaluation of Computer
and Telecommunication Systems
(SPECTS), pp. 268–273 (2009)
28. Sisalem, D., et al.: SIP Security: Wiley (2009)
29. Vrakas, N., Lambrinoudakis, C.: A cross layer spoofing detection mechanism for multimedia
communication services. Int. J.
Inf. Technol. Syst. Approach (IJITSA)4, 32–47 (2011)
30. Postel, J.: RFC 793: TCP: transmission Control Protocol. (1980)
31. Bellovin, S.: Security problems in the TCP/IP protocol suite. ACM
SIGCOMM Comput. Commun. Rev.19, 48 (1989)
32. 3GPP: TR 33.978 Security aspects of early IP Multimedia Subsystem (IMS). Third
Generation Partnership Project, Technical Specification Group Services and System Aspects
(2008)
33. ETSI: TS 187.003: Telecommunications and internet converged
services and protocols for advanced networking (TISPAN): Security Architecture. (2008)
34. Bloom, B.H.: Space/time trade-offs in hash coding with allowable
errors. Commun. ACM13, 422–426 (1970)
35. Udhayan, J., Hamsapriya, T.: Statistical segregation method to minimize the false detections
during DDoS attacks. Int. J. Netw. Secur.
13, 152–160 (2011)
36. OpenIMS: Fraunhofer Fokus. Available: http://www.openimscore.org
37. Fawcett, T.: An introduction to ROC analysis. Pattern Recognit.
Lett.27, 861–874 (2006)
38. Chen, E.Y., Itoh, M.: A whitelist approach to protect SIP servers
from flooding attacks. In: IEEE International Workshop Technical
Committee on Communications Quality and Reliability (CQR),
Vancouver, BC, 8–10 June, pp. 1–6 (2010)
39. Nassar, M., Niccolini, S.: Holistic VoIP intrusion detection and
prevention system. In: Bond, G.W., Schulzrinne, H., Sisalem, D.
(eds.) Principles, Systems andApplications of IP Telecommunications (IPTComm 2007). New
York, USA, pp. 1–9 (2007)
