Detecting Flooding Attacks on IMS Networks Using Kullback-Leibler Divergence and Triple EWMA

The IP Multimedia Subsystem (IMS) is a platform for the exchange of multimedia communi-cations that was proposed by 3GPP as of the year 2002. The 3GPP proposal called for the integration of mobile cellular networks and internet technology using a completely IP-based structure. The IMS uses the protocols defined by the IETF, such as SIP, RTP and others. SIP is the backbone of the IMS network, where it is used for signaling and multimedia services control. However, security vulnerabilities are inherent in such integration. When the IMS ar-chitecture is opened for easy network access and the use of SIP, it is far more vulnerable to SIP flooding attacks. This has presented a significant security problem in new networks. In the presented method for detection, network traffic is captured in two phases, being the train-ing phase and the test phase. The distance between the probable distributions of SIP messag-es in these two phases is then measured using the Kullback-Leibler divergence. Then, an adaptive threshold is defined for the Kullback-Leibler divergence which, when passed, means that an attack has occurred. The adaptive threshold is accounted for by the use of a Triple Exponential Moving Average (TEMA), and the performance of the presented detec-tion method in various situations of normal traffic and massive attacks is evaluated. The pa-rameters α, β, ε, and γ are used for estimating the threshold and setting a safe margin for au-thorized traffic. In addition, the effect of changes of the estimate and setting parameters is evaluated.