A self-learning system for detection of anomalous SIP messages

Konrad Rieck; Stefan Wahl; Pavel Laskov; Peter Domschitz; Klaus Robert Müller

doi:10.1007/978-3-540-89054-6_5

A self-learning system for detection of anomalous SIP messages

Konrad Rieck, Stefan Wahl, Pavel Laskov, Peter Domschitz, Klaus Robert Müller

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

34 Citations (Scopus)

Abstract

Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.

Original language	English
Title of host publication	Principles, Systems and Applications of IP Telecommunications
Subtitle of host publication	Services and Security for Next Generation Networks - Second International Conference, IPTComm 2008, Revised Selected Papers
Publisher	Springer Verlag
Pages	90-106
Number of pages	17
ISBN (Print)	354089053X, 9783540890539
DOIs	https://doi.org/10.1007/978-3-540-89054-6_5
Publication status	Published - 2008
Event	2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008 - Heidelberg, Germany Duration: 2008 Jul 1 → 2008 Jul 2

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5310 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008
Country/Territory	Germany
City	Heidelberg
Period	08/7/1 → 08/7/2

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-540-89054-6_5

Cite this

Rieck, K., Wahl, S., Laskov, P., Domschitz, P., & Müller, K. R. (2008). A self-learning system for detection of anomalous SIP messages. In Principles, Systems and Applications of IP Telecommunications: Services and Security for Next Generation Networks - Second International Conference, IPTComm 2008, Revised Selected Papers (pp. 90-106). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5310 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-540-89054-6_5

A self-learning system for detection of anomalous SIP messages. / Rieck, Konrad; Wahl, Stefan; Laskov, Pavel et al.
Principles, Systems and Applications of IP Telecommunications: Services and Security for Next Generation Networks - Second International Conference, IPTComm 2008, Revised Selected Papers. Springer Verlag, 2008. p. 90-106 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5310 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Rieck, K, Wahl, S, Laskov, P, Domschitz, P & Müller, KR 2008, A self-learning system for detection of anomalous SIP messages. in Principles, Systems and Applications of IP Telecommunications: Services and Security for Next Generation Networks - Second International Conference, IPTComm 2008, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5310 LNCS, Springer Verlag, pp. 90-106, 2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008, Heidelberg, Germany, 08/7/1. https://doi.org/10.1007/978-3-540-89054-6_5

Rieck K, Wahl S, Laskov P, Domschitz P, Müller KR. A self-learning system for detection of anomalous SIP messages. In Principles, Systems and Applications of IP Telecommunications: Services and Security for Next Generation Networks - Second International Conference, IPTComm 2008, Revised Selected Papers. Springer Verlag. 2008. p. 90-106. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-540-89054-6_5

Rieck, Konrad ; Wahl, Stefan ; Laskov, Pavel et al. / A self-learning system for detection of anomalous SIP messages. Principles, Systems and Applications of IP Telecommunications: Services and Security for Next Generation Networks - Second International Conference, IPTComm 2008, Revised Selected Papers. Springer Verlag, 2008. pp. 90-106 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{61638b8ec6454f189f82692a465db8a6,

title = "A self-learning system for detection of anomalous SIP messages",

abstract = "Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.",

author = "Konrad Rieck and Stefan Wahl and Pavel Laskov and Peter Domschitz and M{\"u}ller, {Klaus Robert}",

year = "2008",

doi = "10.1007/978-3-540-89054-6_5",

language = "English",

isbn = "354089053X",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "90--106",

booktitle = "Principles, Systems and Applications of IP Telecommunications",

note = "2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008 ; Conference date: 01-07-2008 Through 02-07-2008",

}

TY - GEN

T1 - A self-learning system for detection of anomalous SIP messages

AU - Rieck, Konrad

AU - Wahl, Stefan

AU - Laskov, Pavel

AU - Domschitz, Peter

AU - Müller, Klaus Robert

PY - 2008

Y1 - 2008

N2 - Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.

AB - Current Voice-over-IP infrastructures lack defenses against unexpected network threats, such as zero-day exploits and computer worms. The possibility of such threats originates from the ongoing convergence of telecommunication and IP network infrastructures. As a countermeasure, we propose a self-learning system for detection of unknown and novel attacks in the Session Initiation Protocol (SIP). The system identifies anomalous content by embedding SIP messages to a feature space and determining deviation from a model of normality. The system adapts to network changes by automatically retraining itself while being hardened against targeted manipulations. Experiments conducted with realistic SIP traffic demonstrate the high detection performance of the proposed system at low false-positive rates.

UR - http://www.scopus.com/inward/record.url?scp=57349174533&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-89054-6_5

DO - 10.1007/978-3-540-89054-6_5

M3 - Conference contribution

AN - SCOPUS:57349174533

SN - 354089053X

SN - 9783540890539

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 90

EP - 106

BT - Principles, Systems and Applications of IP Telecommunications

PB - Springer Verlag

T2 - 2nd International Conference on Principles, Systems and Applications of IP Telecommunications, IPTComm 2008

Y2 - 1 July 2008 through 2 July 2008

ER -

A self-learning system for detection of anomalous SIP messages

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this