
Smart Computing Review, vol. 3, no. 1, February 2013
IP Multimedia Subsystem—An Intrusion Detection System
Bakkiam David Deebak (1), Rajappa Muthaiah (1), Karuppusamy Thenmozhi (2), and Pitchai Iyer Swaminathan (1)
(1) School of Computing, SASTRA University / Thanjavur – 613 401, TamilNadu, India
(2) School of Electrical and Electronics Engineering, SASTRA University / Thanjavur – 613 401, TamilNadu, India
* Corresponding Author: Bakkiam David Deebak
Received November 20, 2012; Revised December 25, 2012; Accepted January 3, 2013; Published February
28, 2013
Abstract: The IP Multimedia Subsystem (IMS) amalgamates the core of telecommunication and
Internet protocol (IP) network access to ease network traffic of the next-generation network (NGN).
Since the coalescence of the NGN, malicious attacks can also disrupt multimedia services. This can
lead to financial loss for telecom operators and loss of connection for users. This paper introduces
an attack detection schema (ADS) that provides security from session initiation protocol (SIP)
flooding attacks. The proposed schema is configured with the OpenIMSCore to validate the
accuracy of SIP session traffic. Similarly, the schema is embedded in the OpenIMS client, which
helps to detect and expose such attacks on the IMS client display. Since even a small flooding
attack could clog the OpenIMSCore, detection accuracy should be relatively higher to prevent
the OpenIMSCore from going down. The proposed schema includes a key authentication schema for
proficiently analyzing SIP packets. The proposed authentication is placed between the transport and
application layers. A network traffic tool, Ntop, is configured with the OpenIMSCore to
analyze SIP traffic, Real Time Transport Protocol (RTP) traffic and the throughput rate. Overall,
the proposed schema of ADS improves reasonably well after it cuts off the attacker.
Keywords: IP Multimedia Subsystem, Next Generation Network, Session Initiation Protocol, Real Time
Transport Protocol and Throughput Rate
The corresponding author would like to thank TATA Consultancy Services (TCS) for Research Motivation and Financial Assistance.
DOI: 10.6029/smartcr.2013.01.001
Deebak et al.: IP Multimedia Subsystem—An Intrusion Detection System
Introduction
The IP Multimedia Subsystem (IMS) amalgamates the core of telecommunication and Internet protocol (IP) network
access to ease network traffic of the next-generation network (NGN). It has a standard architecture framework that
includes protocols from the Internet Engineering Task Force (IETF). The IMS architecture is standardized to access
multimedia services [1] such as data, voice and video, and moreover, standardization forms fixed mobile convergence
(FMC) for wireless and wireline operators. IMS uses the session initiation protocol (SIP) signaling system to establish,
maintain and terminate multimedia services. Since SIP is employed in IMS, a SIP functional element (proxies/server) is
called the OpenIMSCore. The OpenIMSCore has three call session control functions (CSCF)—proxy, serving and
interrogating—and one home authentication server, usually called the home subscriber server (HSS) [2].
Proxy CSCF (P-CSCF) acts as an initial contact point for user terminals, and the user terminal uses SIP session request
methods for communicating with the OpenIMSCore. The SIP session request is later used by the serving CSCF (S-CSCF), which
controls the session for continuous communication. Since telecom operators depend on IMS services, malicious SIP
attacks can disrupt multimedia services. This can lead to financial loss for telecom operators and connection loss for users.
The OpenIMSCore is vulnerable to many attacks that can be launched in two ways: 1) Flooding attack – an attacker
sends numerous SIP-related request messages to a user, which overloads the SIP server or OpenIMSCore, which terminates
the session; subsequently, unexpected session loss degrades network performance of the OpenIMSCore; and 2) Anomalous
SIP request – an attacker sends an anomalous SIP request to confuse the OpenIMSCore or to compel the server to execute
the anomalous code. As a result, code execution collapses the service session and introduces a longer session delay. This
paper focuses on the detection of flooding attack in the IMS client. The SIP Invite flooding attack is investigated in the
open source IMS client and probing is done through the OpenIMSCore.
In 2003, the Third Generation Partnership Project 2 released a comprehensive security defense for IMS [3] that
addressed the issues of SIP vulnerabilities. Nevertheless, this does not have a security mechanism for detecting and
preventing flooding attacks. The detection and prevention mechanism has not been fully explored for SIP flooding attacks.
Sher and Magedanz [4] suggest that a CPU threshold technique could be used to detect a flooding attack in the
OpenIMSCore. Anomalous attackers always use a traffic pattern technique to exploit a naïve security mechanism. Sengar et
al. [5] and Reynolds and Ghosal [6] proposed a detection schema to identify a SIP attack, which were investigated in SIP-based voice over Internet protocol (VoIP) applications. For more than a decade, Web servers have faced flooding attacks
against transmission control protocol (TCP). Many novel schemas have been proposed for thwarting the TCP SYN flooding
attack [7] [8].
This paper introduces an attack detection schema (ADS) to provide security against SIP flooding attacks. The proposed
schema is configured with the OpenIMSCore to validate the accuracy of SIP session traffic. Similarly, the schema is
imbedded with OpenIMS client (University of Cape Town IP Multimedia Subsystem (UCTIMS)) which helps to detect and
expose the attack on the IMS client display. Since even a small flooding attack could clog the OpenIMSCore, detection
accuracy should be higher in order to prevent the OpenIMSCore from going down. The ADS technique is not time-constrained and thus has a reasonably accurate detection rate and computational complexity.
The following contributions improve the accuracy rate of the proposed schema.
1. The proposed schema includes a key authentication schema for proficiently analyzing SIP packets. The proposed
authentication is placed between the transport and application layers.
2. Since the proposed schema includes a key authentication schema, the OpenIMSCore analyzes SIP traffic internally to
detect anomalous attacks.
3. A network traffic tool, Ntop [9], is configured with the OpenIMSCore to analyze SIP traffic, RTP traffic and
throughput rate.
IMS Security Background
Many security frameworks have been proposed for thwarting SIP flooding attacks [4] [10] [11]. Sher and Magedanz
proposed a mechanism that weighs the CPU usage of the IMS components [4]. An anomalous attacker may use the crafting
technique to maintain the CPU load below threshold. Awais et al. proposed a mechanism of an artificially based immune
system to detect a flooding attack in the OpenIMSCore [10]. Furthermore the authors compared their schema performance
with signature-based schema.
Sher and Magedanz [4] and Sengar et al. [5] proposed anomalous detection mechanisms for securing VoIP
communication networks. Sengar et al. [5] proposed an attack detection mechanism using the Hellinger distance. The
experimental analysis is very propitious. Nonetheless, detection accuracy is based on the intensity of the flooding attack.
Reynolds and Ghosal [6] proposed a strategy whereby an application layer attack sensor can detect SIP flooding with high
accuracy. Siris and Papagalou [7] proposed a strategy called threshold adaptive and cumulative summation, which is
applied to detect a TCP SYN flooding attack.
Sher et al. [12] proposed security in the transport layer that imbeds an intrusion detection system (IDS) to secure the
application of the IMS server against various time-independent and -dependent attacks. Since SIP uses User Datagram
Protocol (UDP) for communication, there is an issue around transport layer implementation. Other authors investigated
SIP flooding attacks for better OpenIMSCore solutions [13] [14] [15]. In 2007, Sher and Magedanz [16] proposed a
narrowcasting schema that sends the communication request to all participants, and each participant can choose 'To Whom
he/she would like to send' and 'To whom he/she wouldn't like to send'. They also proposed an intrusion detection and
prevention system to secure the application layer of the OpenIMSCore. This paper addresses anomaly detection that was
not addressed by Sher and Magedanz in 2007 [16].
Mirkovic et al. [17] declared denial of service (DoS) a security threat because it utilizes the availability of target
resources like bandwidth or memory. Moreover, that utilization leads the target system to quickly become unavailable.
Vuong and Bai [18] and Sisalem et al. [19] described SIP vulnerabilities. The SIP does not have any native security
mechanism to thwart all types of flooding attack [17]. Moreover no one has discovered such an anti-attack schema.
Stallings proposed a rate-limiting schema that allows limited requests per interval time [20], and this schema is suitable
against the single-end attack. Therefore it is not suitable for the distributed flooding attack environment. Some research has
been done in state-machine specifications for detecting DoS attacks [21] [22] [23]. The state-machine schemas are designed
as a model to evaluate the transaction or session to find whether it deviates from SIP specifications or not [21] [22]. Ehlert
et al. conducted timing evaluation [21]. The aforesaid is also not suitable for a distributed network environment.
Nonetheless, it could alleviate a single-ended attack. Nagpal et al. [22] proposed a null-authentication mechanism that
identifies whether the request is coming from a known or unknown SIP user. But this schema does not have any additional
proxy to generate the packets actively. Hence, it does not have a lot of processing overhead. However, this schema does not
have any strategies for message tampering [23], a billing attack [24] and VoIP Spit [25]. This paper proposes an ADS
schema to detect all types of SIP-related flooding attacks. Moreover this schema is internally configured with a key
authentication schema for regular updating on the OpenIMS client (UCTIMS) display.
Proposed Schema of Attack Detection
We investigate the OpenIMSCore and client to improve the accuracy of SIP flooding attack detection. To achieve a
reasonable accuracy rate, the attack detection schema is configured with the key authentication schema of the
OpenIMSCore and client. The schema is suitable for time-independent and -dependent attacks. Since the proposed schema
has internal configuration with both core and client, it can act as a middle layer between the OpenIMSCore and application
plane. The proposed schema can detect the misuse and also anomalous flooding attack to improve the reliability of the
communication link. The proposed schema incorporates two modules in the OpenIMSCore and client, called Module of
Misuse Detection and Module of Anomalous Detection.
Module of Misuse Detection
This is a core module of the proposed schema that detects attack entry and cuts it before it gets processed by the S-CSCF.
Module of Anomaly Detection
This is a sub-module of the proposed schema that allows the attacker to enter the OpenIMSCore and then cuts the attack
with the middleware components of the session authenticate manager.
Figure 1. Proposed ADS detection schema for OpenIMSCore
Installation Procedure of UCTIMS Client
Open Source UCTIMS Client (UCTIMS Client (2012) [Online]. Available at: http://uctimsclient.berlios.de/) has been
designed and developed to be employed for the Fraunhofer FOKUS OpenIMSCore. This offers a wide range of
functionality and can act as an IMS user agent based on the osip/eXsip library. It has the following features:
1. Registration done through AKAv1 and AKAv2
2. Subscription event of watchers and Reg Info's
3. Instant messaging (IM) service
4. DTMF tones via SIP Info messages
5. Supports Presence Status
6. Supports XCAP Presence Rules
2.1 Package instruction is given for Debian operating system
For Repository Update, the following command is to be run: apt-get update
Package 1: The package libosip2-dev is to initialize the parser and state machine codes. This also sets a few callbacks
which inform on the state of changes in the SIP Transaction.
apt-get install libosip2-dev
Package 2: The package libeXosip2-dev is to hide the complexities of using the SIP protocol for multimedia session
establishment and is mainly used in VoIP telephony applications.
apt-get install libeXosip2-dev
Package 3: The package libgtk2.0-dev is a multi-platform toolkit to create the graphical user interface (GUI).
apt-get install libgtk2.0-dev
Package 4: The package libxml2-dev is the XML parser, and this toolkit was developed by the Gnome Project. This is to
design markup languages (i.e., text language whereby semantics and structure are added to the content using 'Markup'
information enclosed by angle brackets).
apt-get install libxml2-dev
Package 5: The package libcurl4-openssl-dev has a URL-based transfer library for clients that supports DICT, FILE, FTP,
FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS,
TELNET and TFTP.
apt-get install libcurl4-openssl-dev
Package 6: The package libgstreamer0.10-0 is a stream media framework that is based on Filter Graphs to operate on media
data.
apt-get install libgstreamer0.10-0
Package 7: The package libgstreamer-plugins-base0.10-dev has plug-in structures for processing new data types that are
useful for real-time sound video systems.
apt-get install libgstreamer-plugins-base0.10-dev
Package 8: The package libvlc-dev is called the VideoLAN Media Player Project and plays almost all video formats.
apt-get install libvlc-dev
For Code Execution, the following command is typed and run:
$ make
For Client Execution, the following command is typed and executed: ./uctimsclient. The execution and graphical views are
shown in Figure 2 and Figure 3.
Figure 2. Execution view of UCTIMS client
Figure 3. Graphical view of UCTIMS client
■ Setting Parameters of UCTIMS Preference Tool
The following steps are done for registration of the UCTIMS client in the OpenIMSCore network.
Step 1: Choose Tab Profile and Type 'Alice', for example
Step 2: Choose Tab IMS and make the following changes
Public User Identity  : sip:[email protected]
Private User Identity : [email protected]
Proxy CSCF            : 192.168.91.30:4060
Realm                 : sastratcs.test
Password              : xxxxx
QoS Strength          : Mandatory
QoS Type              : Segmented
Access Network        : IEEE 802.11a
Step 3: Click 'Ok'
Step 4: Choose Tab Option and Select Register 'Alice'
■ Registration and De-registration in UCTIMS
When the UCTIMS Client has been run,
Step 1: The user credentials must be entered correctly in the UCTIMS preference options (as shown above)
Step 2: Click 'Ok' and Choose Options → Register / Register As Alice (if Alice's credentials have been set in
Preferences), as shown in Figure 4.
Step 3: Details for Registration Status, Delay and Messages must be seen in the graphical view of UCTIMS
When UCTIMS clients have completed their conversation,
Step 1: Ch
-Register
Step 2: Details for De-Registered Status and its Related Message of Notification must be seen in the graphical view of
UCTIMS, as shown in Figure 5.
Figure 4. Preferences view of UCTIMS client
Figure 5. Registration & de-registration views of UCTIMS client ("Alice")
Installation Procedure of OpenIMSCore
The Multimedia Platform of the OpenIMSCore network (OpenIMSCore Network (2009) [Online]. Available at:
http://www.openim-score.org/.) has been built under Linux Mint (Version 14) for probing communications of the IP
Multimedia Subsystem client. The following packages have been installed on the Linux Mint OS for configuring the Proxy –
Call Session Control Function, Serving – Call Session Control Function, and Interrogating – Call Session Control Function.
■ Packages to be Installed
Package 1: The package sun-java6-jdk is installed to include Java tools useful for developing and testing the multimedia
core network.
Package 2: The package mysql-server is installed to provide database access to the multimedia core network.
Package 3: The package libmysqlclient15-dev is installed to provide the Fast, Stable, true multi-user and multi-threaded
SQL database in the multimedia core network.
Package 4: The packages libxml2 and libxml2-dev are installed for parsing XML documents during registration /
de-registration of IMS clients in the multimedia core network.
Package 5: The package bind9 is installed to enable the multimedia core network domain on the network.
Package 6: The package ant is installed for supporting Built-in-Task in the multimedia core network.
Package 7: The package flex is installed for performing text pattern matching in the multimedia core network.
Package 8: The package bison is installed for analyzing parsing ambiguities in the multimedia core network.
■ Running Views of CSCF
The command ./pcscf is executed in the terminal; the P-CSCF server will start to serve as proxy for registered IMS clients.
The running terminal is seen in Figure 6. The command ./scscf is executed in the terminal; the S-CSCF server will start to
handle registration, authentication, downloading, traffic routing, session performance, supervision, execution and
maintenance. The running terminal is seen in Figure 7. The command ./scscf is executed in the terminal; the I-CSCF server
will start to act as an access control point between the P-CSCF and the S-CSCF. The running terminal is seen in Figure 8.
The command ./fhoss.sh is executed in the terminal; the HSS server will start to act as a service control point between the
P-CSCF and the S-CSCF. The running terminal is seen in Figure 9. Details of CSCF Elements and Port Numbers are
listed in Table 1.
Figure 6. P-CSCF Server
Figure 7. S-CSCF Server
Figure 8. I-CSCF Server
Figure 9. HSS Server
Table 1. Details of CSCF Elements and Port Numbers
CSCF Servers             Configuration Port
Server Of P-CSCF         4060
Server Of I-CSCF         5060
Server Of S-CSCF         6060
Interfacer Of Diameter   3868, 3869, 3870
Flooding Attack Tools
Technology trends change every moment of our lifetime. The same is true for attackers. Although IMS has almost all
security mechanisms, such as MD5 and AKA V1/V2 for user authentication and authorization, malicious attacks have still
not hit a breaking point. This is why multimedia networks degrade greatly. The DoS attack has been pegged as an attack to
which the OpenIMSCore network is vulnerable. 3GPP, ETSI and TISPAN have provided security safeguards for signaling
and media traffic, but they do not perform measurement, which leaves the protection incomplete.
For instance, it does not counteract the DoS attack designed to block voice call service. In this paper, flooding attack
detection has been analyzed thoroughly using the OpenIMSCore and IMS client. Figure 10 shows the time-independent
attack. Invite flooding generates numerous invite messages to make the server crash. Re-invite flooding generates
numerous re-invite messages to interrupt established service (e.g., voice call service – terminated without any reason).
Teardown flooding generates a bye message for service termination (e.g., before actual call/chat termination).
Figure 10. Possible flooding attacks against P-CSCF
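The three flooding types described above can be told apart from the SIP request line and the To header, and counted in a sliding window. The following is an added example, not the paper's ADS implementation (which is not shown on the page): the window length, both limits, the helper names and the sample messages and addresses are assumptions constructed for illustration. It goes slightly beyond the text by keeping an aggregate counter next to the per-source one, which covers the distributed case that a per-source rate limit misses.

```python
from collections import defaultdict, deque


def classify(raw):
    """Map one SIP message to 'invite', 're-invite', 'teardown' or None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    # A request line is "METHOD Request-URI SIP/2.0"; responses begin with "SIP/2.0".
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    method, in_dialog = parts[0], False
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "t"):  # "t" is the compact form
            # Header parameters follow the closing ">" of the address.
            params = value.split(">")[-1].split(";")[1:]
            # A To tag means the request belongs to an established dialog.
            in_dialog = any(p.strip().lower().startswith("tag=") for p in params)
    if method == "INVITE":
        return "re-invite" if in_dialog else "invite"
    if method == "BYE":
        return "teardown"
    return None


class FloodDetector:
    """Sliding-window counters per (source, kind) and per kind overall."""

    def __init__(self, window=1.0, per_source_limit=20, aggregate_limit=100):
        # Limits are illustrative assumptions, not values from the paper.
        self.window = window
        self.per_source_limit = per_source_limit
        self.aggregate_limit = aggregate_limit
        self.by_source = defaultdict(deque)
        self.overall = defaultdict(deque)

    def _over(self, q, ts, limit):
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()  # drop timestamps that left the window
        return len(q) > limit

    def observe(self, ts, src, raw):
        """Return the alerts raised by one message seen at time ts from src."""
        kind = classify(raw)
        if kind is None:
            return []
        alerts = []
        if self._over(self.by_source[(src, kind)], ts, self.per_source_limit):
            alerts.append((kind, "source", src))
        # The aggregate counter does not trust the (spoofable) UDP source address.
        if self._over(self.overall[kind], ts, self.aggregate_limit):
            alerts.append((kind, "aggregate", None))
        return alerts


def sip(method, to_tag=None):
    """Build a constructed SIP request (sample data, not captured traffic)."""
    to = "To: <sip:alice@open-ims.test>" + (f";tag={to_tag}" if to_tag else "")
    return "\r\n".join([
        f"{method} sip:alice@open-ims.test SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
        "From: <sip:bob@open-ims.test>;tag=f1",
        to,
        "Call-ID: constructed-call-id",
        f"CSeq: 1 {method}",
        "Content-Length: 0", "", ""])


def replay(events, **limits):
    """Feed (timestamp, source, message) events; return the set of alerts raised."""
    det = FloodDetector(**limits)
    alerts = set()
    for ts, src, raw in events:
        alerts.update(det.observe(ts, src, raw))
    return alerts


# Constructed traffic: one source, 50 requests in half a second.
SINGLE = [(i * 0.01, "192.0.2.10", sip("INVITE")) for i in range(50)]
REINVITE = [(i * 0.01, "192.0.2.10", sip("INVITE", "d1")) for i in range(50)]
TEARDOWN = [(i * 0.01, "192.0.2.10", sip("BYE", "d1")) for i in range(50)]
# Constructed traffic: 60 sources, 3 INVITEs each, all within one second.
DISTRIBUTED = [(i * 0.005, f"198.51.100.{i % 60 + 1}", sip("INVITE"))
               for i in range(180)]
# Constructed traffic: one ordinary call setup and teardown.
NORMAL = [(0.0, "192.0.2.20", sip("INVITE")), (30.0, "192.0.2.20", sip("BYE", "d1"))]
```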
Flooding Attack Behavior
As for the testing phase, the OpenIMSCore network and the UCTIMS client have been configured for active anomaly
detection. Whenever a flooding attack is launched, detection of requests (invite/re-invite/teardown) can be seen on the
display of the client, so the anomaly attack becomes known to the victim, who can disconnect from the
service to avoid a server crash. The following performance degradation comes with dispersing the flooding attack.
1. It increases the initial poison call rate whereby the additional calls get mixed.
2. At the beginning, the OpenIMSCore network behaves normally by sending 100 Trying for each request.
3. For every spoofed request, the OpenIMSCore network transmits seven responses to the unreachable destination.
4. During the transmit response of the spoofed request, the OpenIMSCore network degrades in server performance and
call throughput. Moreover, it suffers from frequent timeouts.
Setting Parameters of Flooding Attack
Figure 11 illustrates the command execution of an invite flooding attack.
Set Interface as lo/eth0/eth1
Set Username as Bob/Alice
Set Target IP with Port as open-ims.test:4060
Set Number of Invite Request as 1000/2000
Figure 12 illustrates detection of invite flooding. Invite flooding has been invoked by IMS client Bob, whereby the
client endures "Destination Unreachable" and the call never ends between the parties until server timeout. Therefore we
need an efficient IMS client for detecting any such attack in order to prevent server timeout. We have done a thorough
analysis investigating the attack detection schema using both the OpenIMSCore and the client.
Figure 11. Launching of invite flooding attack
Figure 12. Invite flooding attack in UCTIMS
Homogeneous voice call communication
The following settings were made for testing homogeneous voice call communication:
Step 1: Linux Mint IMS client is registered as "Bob"
Step 2: Ubuntu IMS client is registered as "Alice"
Step 3: Establish voice call service between homogeneous multimedia clients
Step 4: Probe SIP and RTP Traffic analysis
In-depth analysis of SIP traffic was done by using Network Analyzer (Wireshark (2013) [Online]. Available at:
http://www.wireshark.org/) and Network Monitor (Ntop). The SIP Traffic View was analyzed after the attack was
initialized and it showed steady growth after detection occurred. Figure 13 illustrates the SIP traffic. The RTP traffic also
shows steady improvement after the proposed schema detects the anomaly attack. Figure 14 illustrates RTP Traffic View.
When the proposed schema detects the attack, it cuts off the attacker and starts serving the communication link to the call
parties. The probing result shows that after the cutoff, the throughput rate is reliable, as shown in Figure 15.
Figure 13. SIP Traffic View (after flooding attack detection)
Figure 14. RTP Traffic View (after flooding attack detection)
Figure 15. Throughput Rate View (after flooding attack detection)
Conclusions
The IMS architecture is standardized to access multimedia services (such as data, voice and video), and moreover, this
standardization constitutes fixed mobile convergence (FMC) for wireless and wireline operators. The OpenIMSCore is
vulnerable to many attacks that can be launched in two ways: flooding attack and anomalous SIP request. The SIP invite
flooding attack has been investigated in the UCTIMS open source client, and probing was done through the OpenIMSCore.
The proposed schema adopted a key authentication schema for proficiently analyzing SIP packets. The proposed
authentication was placed between the transport and application layers to test SIP traffic, RTP traffic and throughput rate.
The network traffic analysis tool Ntop shows the result as reasonably good after the proposed schema cuts off the attacker.
References
[1] Poikeselka, Mayer, Khartabil, and Niemi, "The IMS IP Multimedia Concepts and Services," 2nd ed. John Wiley & Sons, Ltd., 2006.
[2] A. Cuevas, J. Moreno, P. Vidales, and H. Einsiedler, "The IMS Service Platform: A Solution for Next-Generation Network Operators to Be More than Bit Pipes," IEEE Comm. Mag., pp. 75–81, Aug. 2006.
[3] 3rd Generation Partnership Project 2 (3GPP2), "IMS Security Framework," Dec. 2003.
[4] M. Sher and T. Magedanz, "Secure Service Provisioning Framework (SSPF) for IP Multimedia System and Next Generation Mobile Networks," in Proc. of IWWST'05, pp. 101–106, April 2005.
[5] H. Sengar, H. Wang, D. Wijesekera, and S. Jajodia, "Detecting VoIP Floods using the Hellinger Distance," IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 6, pp. 794–805, June 2008.
[6] B. Reynolds and D. Ghosal, "Secure IP Telephony Using Multi-Layered Protection," in Proc. of Net. and Distributed Sys. Sec. Symp., Feb 2003.
[7] V. Siris and F. Papagalou, "Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks," Computer Communications, vol. 29, no. 9, pp. 1433-1442, 2006.
[8] H. Wang, D. Zhang, and K. Shin, "Detecting SYN flooding attacks," in Proc. of IEEE INFOCOM 2002, vol. 3, 2002.
[9] Ntop – A Traffic Analysis Tool, 2012.
[10] A. Awais, M. Farooq, and M. Javed, "Attack analysis & bio-inspired security framework for IP Multimedia subsystem," in Proc. of the Conference Companion on Genetic and Evolutionary Computation, pp. 2093-2098, 2008.
[11] Y. Rebahi, M. Sher, and T. Magedanz, "Detecting flooding attacks against IP Multimedia Subsystem (IMS) networks," in Proc. of IEEE/ACS Intl. Conf. on Comp. Sys. and App., pp. 848–851, 2008.
[12] M. Sher, S. Wu and T. Magedanz, "Security Threats and Solutions for Application Server of IP Multimedia Subsystem (IMSAS)," in Proc. of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation, 2006.
[13] E. Y. Chen, "Detecting DoS attacks on SIP systems," in Proc. of IEEE Workshop on VoIP Management and Security, pp.53-58, Apr. 2006.
[14] D. Geneiatakis, T. Dagiuklas, G. Kambourakis, C. Lambrinoudakis, S. Gritzalis, S. Ehlert and D. Sisalem, "Survey of Security Vulnerabilities in SIP Protocol," IEEE Communication Surveys, vol. 8, no. 3, pp. 68-81, 2006.
[15] Michael T. Hunter, Russell J Clark and Frank S. Park, "Security Issues With the IP Multimedia Subsystem (IMS)," MNCNA, ACM, 2007.
[16] M. Sher and T. Magedanz, "Developing Intrusion Detection and Prevention System for IP Multimedia Subsystem Application Servers," Journal of Information Assurance and Security, 2007.
[17] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher. "Internet Denial of Service: Attack and Defense Mechanisms," Prentice Hall, 2005.
[18] S. Vuong and Y. Bai. "A Survey of VoIP Intrusions and Intrusion Detection Systems," in Proc. of 6th International Conference on Advanced Communication Technology (ICACT 2004), Feb. 2004.
[19] D. Sisalem, J. Kuthan, and S. Ehlert. "Denial of Service Attacks Targeting a SIP VoIP Infrastructure - Attack Scenarios and Prevention Mechanisms," IEEE Network - Special Issue on Securing VoIP, vol. 20, no. 5, pp. 26-31, Sep. 2006.
[20] W. Stallings. "Network Security Essentials: Applications and Standards," 3rd edition. Pearson Education, 2007.
[21] H. Sengar, D. Wijesekera, H. Wang and S. Jajodia. "VoIP Intrusion Detection through Interacting Protocol State Machines," in Proc. of International Conference on Dependable Systems and Networks (DSN-2006), June 2006.
[22] S. Ehlert, G. Zhang, D. Geneiatakis. Kambourakis, T. Dagiuklas, J. Markl and Sisalem, "Two Layer Denial of Service Prevention on SIP VoIP Infrastructures," Computer Communications, vol. 31, no. 10, pp. 2443-2456, June 2008.
[23] S. Nagpal, E. Yardeni, H. Schulzrinne and G. Ormazabal. "Secure SIP: A Scalable Prevention Mechanism for DoS Attacks on SIP-based VoIP Systems," Principles, Systems and Applications of IP Telecommunications (IPTComm 2008), July 2008.
[24] D. Geneiatakis, G. Kambourakis. Lambrinoudakis, T. Dagiuklas and S. Gritzalis, "A Framework for Protecting a SIP-based Infrastructure against Malformed Message Attacks," Computer Networks, vol. 51, no. 10, pp. 2580-2593, July 2007.
[25] R. Zhang, X. Wang, X. Yang, and X. Jiang. "Billing Attacks on SIP-Based VoIP Systems," in Proc. of 1st USENIX Workshop on Offensive Technology (WOOT '07), Aug. 2007.
[26] J. Quittek, S. Niccolini, S. Tartarelli, M. Stiemerling, M. Brunner and T. Ewald. "Detecting SPIT Calls by Checking Human Communication Patterns," in Proc. of IEEE International Conference on Communications (ICC '07), June 2007.
Bakkiam David Deebak was born in Cheranmahadevi in 1984. He obtained the B.Tech
(Information Technology) from Anna University in 2007 and M.E (Embedded Systems and
Computing) from RTM Nagpur University in 2009. Currently, he is working towards the Ph.D.
degree in SASTRA University. His research interest includes Wireless and Multimedia
Communication Network.
Rajappa Muthaiah obtained Ph.D. degree from SASTRA University in 2009. Currently, he is
working as Associate Professor in SASTRA University. His research interest includes Image
Processing, VLSI and Speech Recognition.
Karuppusamy Thenmozhi obtained Ph.D. degree from SASTRA University in 2008.
Currently, she is working as Associate Dean in School of Electrical and Electronics Engineering
at SASTRA University. Her research interest includes Networking and Wireless
Communication.
Pitchai Iyer Swaminathan obtained Doctorate Degree in Electronics and Communication
Engineering. Currently, he is working as Dean in School of Computing at SASTRA University.
His research interest includes Embedded Systems, Software Engineering and Expert Systems.
Copyrights © 2013 KAIS