A scalable detection and prevention scheme for voice over
internet protocol (VoIP) signaling attacks using handler
with Bloom filter
Vennila Ganesan | Manikandan MSK
Department of Electronics and
Communication Engineering, Thiagarajar
College of Engineering, Madurai, India
Vennila Ganesan, Department of
Electronics and Communication
Engineering, Thiagarajar College of
Engineering, Madurai, India.
In this paper, a two‐tier model has been developed that includes a Handler and
a Bloom filter (HBF). In the first‐tier, the handler detects both the flooding and
fake signaling attacks. The Bloom filter, in the second‐tier, prevents both the
attacks before reaching the victim. In the existing systems, the packet level
features are used which do not perform well for detection and prevention of
both the attacks. In this work, flow level features are applied in both tiers.
The proposed model is implemented on the innocent Session Initiation Protocol
(SIP) server in the VoIP network. The two‐tier model ensures the reliability and
trustworthiness between the service provider and the customer. Besides, it also
provides billing information along with the exact call duration to a customer
who makes a call. The experimental results show that the HBF results in a
reduced detection time of 9 seconds with the reduced false positive (FP) of less
than 1% and the false negative (FN) of 0.002% and also preserves the voice call
quality during media conversation.
1 | INTRODUCTION
The tremendous growth of VoIP network is driven by its several benefits over the traditional Public Switched Telephone
Network (PSTN). An increasing number of IP‐based business applications invent various VoIP services with new
features to increase the number of customers. Such applications attract customers by offering greater economical and
flexible services for making both the national and international calls over Internet Protocol (IP) networks. The VoIP
network supports the Session Initiation Protocol (SIP) as signaling protocol and Real‐time Transport protocol (RTP) as
media protocol. Unlike the closed PSTN architecture, the SIP is deployed on the open standard Internet, and hence it
is exaggerated by too many attacks. The VoIP attacks are classified into signaling and media attacks. The signaling
attacks manipulate SIP messages whereas the media attacks manipulate media packets.
The media security is strongly coupled with signalling security, because the media sessions are described by the
Session Description Protocol (SDP) in the signalling plane. Therefore, signalling plane has a gateway for various attacks.
In the signaling plane, an attacker utilizes various SIP signaling messages to misuse the services, because the SIP is a
text‐based request/response message similar to Hyper Text Transfer Protocol (HTTP).
Particularly, the SIP flooding and
service abuse attacks are the most severe of all, and these attacks can target the proxy, the user agent server, and the user
agent client. Furthermore, these attacks are skilled for draining the network resources, capable of charging excessive bill,
and they can also initiate multi‐attribute attack and disrupt perceived Quality of Service (QoS). As SIP‐based applications
are likely to gain their increasing importance in future, the protection against flooding and service abuse attacks now
Received: 10 June 2016 Revised: 17 May 2017 Accepted: 26 July 2017
Int J Network Mgmt. 2018;28:e1995.
Copyright © 2017 John Wiley & Sons, Ltd.wileyonlinelibrary.com/journal/nem 1of18