Publications (2)0 Total impact
-
Conference Proceeding: On the inefficacy of Euclidean classifiers for detecting self-similar Session Initiation Protocol (SIP) messages
[show abstract] [hide abstract]
ABSTRACT: The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, most deployments over UDP, limited use of message encryption), it becomes relatively easy to attack the protocol at the message level. To mitigate this, self-learning systems have been proposed to counteract new threats. However the efficacy of existing machine learning algorithms must be studied on varied data sets before they can be successfully used. Existing literature indicates that Euclidean distance based classifiers work well to detect anomalous messages. Our work suggests that such classifiers do not produce adequate results for well-crafted malicious messages that differ very slightly from normal messages. To demonstrate this, we gather SIP traffic and minimally perturb it using 13 generic transforms to create malicious SIP messages. We use the Levenshtein distance, L, as a measure of similarity between normal and malicious SIP messages. We subject our dataset - consisting of malicious and normal SIP messages - to Euclidean distance-based classifiers as well as four standard classifiers. Our results show vast differences for Euclidean distance-based classifiers on our dataset than reported in current literature. We further see that the standard classifiers are better able to classify an anomalous message when L is small.Integrated Network Management (IM), 2011 IFIP/IEEE International Symposium on; 06/2011 -
Conference Proceeding: Statistical Analysis of Self-Similar Session Initiation Protocol (SIP) Messages for Anomaly Detection
[show abstract] [hide abstract]
ABSTRACT: The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, widespread usage over UDP, limited use of encryption), it becomes relatively easy to attack the protocol at the message level to launch denial of service attacks. To mitigate this, self- learning systems have been proposed to detect anomalous SIP messages and filter them. However, previous works use datasets with large differences between the normal and anomalous message. This gives high performance for existing classification systems, including those based on Euclidean distances. We present our analysis on a new dataset that has minimal difference between normal and anomalous messages. Our findings indicate that existing classification schemes behave unsatisfactorily on our dataset. We demonstrate why this is the case by statistical analysis of our dataset, and furthermore, present feature reduction techniques to enhance the classification performance of existing classification schemes on our dataset.New Technologies, Mobility and Security (NTMS), 2011 4th IFIP International Conference on; 03/2011
