SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree

Dongwon Seo, Heejo Lee, Ejovi Nuwere

    Research output: Contribution to journalArticlepeer-review

    25 Citations (Scopus)


    Voice over IP (VoIP) services have become prevalent lately because of their potential advantages such as economic efficiency and useful features. Meanwhile, Session Initiation Protocol (SIP) is being widely used as a session protocol for the VoIP services. Many mobile VoIP applications have recently been launched, and they are becoming attractive targets for attackers to steal private information. In particular, malformed SIP messages and SIP flooding attacks are the most significant attacks as they cause service disruption by targeting call procedures and system resources. Although much research has been conducted in an effort to address the problems, they remain unresolved challenges due to the ease of launching variants of attacks. In this paper, we propose a stateful SIP inspection mechanism, called SIP-VoIP Anomaly Detection (SIPAD), that leverages a SIP-optimized data structure to detect malformed SIP messages and SIP flooding attacks. SIPAD precomputes the SIP-optimized data structure (termed a stateful rule tree) that reorganizes the SIP rule set by hierarchical correlation. Depending on the current state and the message type, SIPAD determines the corresponding branches from the stateful rule tree, and inspects a SIP message's structure by comparing it to the branches. The SIP-optimized rule tree provides higher detection accuracy, wider detection coverage and faster detection than existing approaches. Conventional SIP inspection schemes tend to have high overhead costs due to the complexity of their rule matching schemes. Experimental results of our SIP-optimized approach, by contrast, indicate that it dramatically reduces overhead and can even be deployed in resource-constrained environments such as smartphones.

    Original languageEnglish
    Pages (from-to)562-574
    Number of pages13
    JournalComputer Communications
    Issue number5
    Publication statusPublished - 2013 Mar 1


    • Flooding attacks
    • Malformed messages
    • SIP anomaly detection
    • VoIP security

    ASJC Scopus subject areas

    • Computer Networks and Communications


    Dive into the research topics of 'SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree'. Together they form a unique fingerprint.

    Cite this