Quick Detection of Stealthy SIP Flooding Attacks in VoIP Networks

Denial of Service (DoS) attacks such as the SIP flooding pose great threats to normal operations of VoIP networks, and can bear various forms to elude detection. In this paper, we address the stealthy SIP flooding attack, where intelligent attackers deliberately increase the flooding rates in a slow pace. As the attack only gradually influences the traffic, it can effectively be disguised from previous SIP flooding detection methods. In order to identify the stealthy attack in its early stage for timely response, we propose a detection scheme based on the signal processing technique wavelet, which is able to quickly expose the changes induced by the attack. In particular, we monitor the percentage of energy corresponding to the detail signal obtained from the wavelet analysis as an indication of the attack. Also, considering the scalability of the proposed scheme, we resort to the sketch technique, which can summarize the traffic observations to a fixed-size hash table to provide raw traffic signals for the wavelet analysis regardless how many users exist in the VoIP network. We validate the performance of the proposed scheme through computer simulation and demonstrate its ability to quickly and accurately detect the attacks.