Statistical Analysis of Self-Similar Session Initiation Protocol (SIP) Messages for Anomaly Detection

The Session Initiation Protocol (SIP) is an important multimedia session establishment protocol used on the Internet. Due to the nature and deployment realities of the protocol (ASCII message representation, widespread usage over UDP, limited use of encryption), it becomes relatively easy to attack the protocol at the message level to launch denial of service attacks. To mitigate this, self- learning systems have been proposed to detect anomalous SIP messages and filter them. However, previous works use datasets with large differences between the normal and anomalous message. This gives high performance for existing classification systems, including those based on Euclidean distances. We present our analysis on a new dataset that has minimal difference between normal and anomalous messages. Our findings indicate that existing classification schemes behave unsatisfactorily on our dataset. We demonstrate why this is the case by statistical analysis of our dataset, and furthermore, present feature reduction techniques to enhance the classification performance of existing classification schemes on our dataset.