SFADS: A SIP Flooding Attack Detection Scheme with the Internal and External Detection Features in IMS Networks

Abstract

IP Multimedia Subsystem (IMS) is a standardized Next Generation Networking (NGN) architecture. It takes Session Initiation Protocol (SIP) as the core signaling protocol of IMS and NGN. With IMS networks widespread deployment, SIP flooding attacks are becoming into a major threat to IMS network. However, the existing SIP flooding attack detection schemes are inefficient for detecting low rate SIP flooding attacks and are lacking in poor recovery for detecting high-rate SIP flooding attacks. In this paper, we propose a novel SIP flooding attack detection scheme with the internal and external detection features in IMS networks, called SFADS (SIP flooding attack detection scheme). In SFADS, based on the analysis of SIP flooding attacks, we first extract the abrupt change of SIP session request as the external detection feature, and the abnormal abrupt change of difference between the sequence of legitimate SIP session establishment and the SIP session request messages as the internal detection feature. Then we use the improved cumulative sum control chart algorithm to analyze the two detection features. Finally, we take the analysis data as inputs and adopt Fuzzy Logic to detect SIP flooding attacks. To investigate the detection performance of the proposed SFADS, we conduct simulations with the prototype implement in an IMS network testbed. Simulation results show the performance of the proposed SFADS is better than that of other schemes.