Abstract

Service platforms using text-based protocols need to be protected against attacks. Machine-learning algorithms with pattern matching can be used to detect even previously unknown attacks. In this paper, we present an extension to known Support Vector Machine (SVM) based anomaly detection algorithms for the Session Initiation Protocol (SIP). Our contribution is to extend the number of different features used for classification (the feature space) by exploiting the structure of SIP messages, which reduces the false positive rate. Additionally, we show how combining our approach with attribute reduction significantly improves throughput.

Highlights

  • The world of telecommunication is evolving from closed legacy networks towards open IP-based networks

  • The true positive rate (TPR) and false positive rate (FPR) in our tests have been obtained by using a test trace containing 12,923 messages (10,000 invalid)

  • A major problem was setting the Support Vector Machine (SVM) parameters in a way that ensures correct classification for different kinds of traces, i.e., when considering different Session Initiation Protocol (SIP) extensions


Summary

Introduction

The world of telecommunication is evolving from closed legacy networks towards open IP-based networks. While Nassar et al. proposed to use traffic characteristics as features for the classification, the approach by Rieck et al. [4] is based on n-grams that are generated from the We propose to add protocol knowledge to the feature extraction step to achieve better classification results and lower FPR. We highlight our extensions for mapping text messages into feature space and how we performed attribute reduction.
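The following added example (not code from the paper) contrasts plain character n-grams with one possible way of adding protocol knowledge: tagging each n-gram with the SIP field it came from. The field-tagging scheme, the function names and the sample message are assumptions made for illustration; this page does not describe the paper's actual feature mapping.

```python
from collections import Counter

# Constructed sample SIP request (not taken from the paper's traces).
SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP host.example.org;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.org>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def ngrams(text, n):
    """All overlapping character n-grams of text."""
    return [text[i:i + n] for i in range(len(text) - n + 1)]

def flat_features(msg, n=3):
    """Baseline: n-gram counts over the raw message, no protocol knowledge."""
    return Counter(ngrams(msg, n))

def split_sip(msg):
    """Split a message into (field, value) pairs: start line, headers, body.
    Header lines without a colon are kept under the label 'malformed'
    so that they still contribute features instead of being dropped."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = [("start-line", lines[0])]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            parts.append((name.strip().lower(), value.strip()))
        else:
            parts.append(("malformed", line))
    if body:
        parts.append(("body", body))
    return parts

def structured_features(msg, n=3):
    """Assumed extension: each n-gram is keyed by the field it occurs in,
    so the same substring in From and To maps to different dimensions."""
    feats = Counter()
    for field, value in split_sip(msg):
        for gram in ngrams(value, n):
            feats[(field, gram)] += 1
    return feats
```

Either counter can be turned into a sparse vector for an SVM; the structured variant yields more dimensions, which is where attribute reduction becomes relevant for throughput.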
