ent levels: (i)
, e.g. broad-view of their behavior by monitoring and keeping statistics related to only the message types (request vs response); (ii)
, e.g. coarse-view of the servers' activity by separating their logical roles into
; and (iii)
, e.g. narrow-view of individual user activities, like typical average duration and length of the calls, number of calls received and made, etc. As a consequence, our methodology allows us to balance the speed of profiling, the resource consumption, the desired sophistication of behavior characteristics, and finally the level of security to be offered, based on the specific objectives and needs of the VoIP operator. Built upon the SIP traffic behavior profiling methodology, we develop a simple and yet effective entropy-based anomaly detection algorithm for detecting potential security attacks as well as performance problems. We demonstrate the efficacy of our algorithm in detecting potential VoIP attacks through testbed experimentation.

The remainder of this paper is structured as follows. In Section 2 we introduce some basic concepts of the SIP-based service, discuss how challenging it is to monitor and profile the service, and introduce the data sets used in this paper to identify meaningful VoIP traffic features to be profiled. In Section 3 we present our methodology in detail. First we introduce a new algorithm to automatically discover SIP servers and break down their logical functionality, e.g. registrars and call proxies. Second we discuss at a high level which traffic features should be monitored at the
levels in order to gain a complete view of the VoIP traffic activity. Third we introduce a new algorithm based on information entropy that profiles the chosen metrics over time and generates alerts whenever any of the features diverges from its historical trend. Section 4 analyzes the traffic features discussed in Section 3 using real packet traces collected from a wireless VoIP service provider. This section highlights some preliminary interesting findings that validate the overall approach. Section 5 describes three different VoIP attacks generated in a controlled lab environment and presents the results of applying our methodology. Section 7 summarizes our findings and concludes the paper.
2 Background and Data Sets
We first provide a quick overview of SIP-based IP telephony. We then briefly touch on the challenges in profiling SIP traffic behaviors based on passive packet monitoring, and describe the SIP data sets used in our study.
2.1 SIP-based VoIP Service
The session initiation protocol (SIP)  is the Internet standard signaling protocol for setting up, controlling, and terminating VoIP sessions. SIP-based VoIP services require
support from entities such as SIP registrars, call proxies, and so forth (see Fig. 1). We collectively refer to these entities as
. A SIP registrar associates SIP users (e.g., names or identities called
) with their current locations (e.g., IP addresses). A SIP call proxy assists users in establishing calls (called
in the SIP jargon) by handling and forwarding signaling messages among users (and other SIP servers). In practice, a physical host (SIP server) may assume multiple logical roles, e.g., functioning both as registrar and call proxy.
Figure 1. SIP servers and clients
protocol, with syntax very similar to HTTP. SIP messages are of type either
field is used to distinguish between different SIP operations. The most common
(for user registration),
(these four used for call set-up or tear-down),
(for event notification).
messages contain a
informing the results of the requested operations (e.g.,
fields in a SIP message contain respectively the SIP URIs of the user where a
message is originated from (e.g., the caller of a call) or destined to (e.g., the callee of a call). In the case of a
is originated. Other important fields include
and various identifiers and tags to string together various transactions and dialogs. The reader is referred to  for details.
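As an added example (not the paper's own code), the following shows the message-type level of the profiling described in Section 1 applied to the request/response structure of Section 2.1: a start-line classifier, a From/To header extractor, a per-type tally, and a Shannon-entropy comparison of a traffic window against a historical baseline. The SIP messages are constructed for illustration, and the absolute-difference threshold in `is_anomalous` is an assumption, not the paper's entropy algorithm.

```python
import math
from collections import Counter

# Constructed SIP messages as a passive monitor would capture them (start line + a few headers).
# Users, hosts and call flow are invented; the dialog is REGISTER, then an INVITE/BYE call.
SAMPLE_MESSAGES = [
    "REGISTER sip:example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:alice@example.com>\r\n\r\n",
    "SIP/2.0 200 OK\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:alice@example.com>\r\n\r\n",
    "INVITE sip:bob@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n",
    "SIP/2.0 100 Trying\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n",
    "SIP/2.0 180 Ringing\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n",
    "SIP/2.0 200 OK\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n",
    "ACK sip:bob@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n\r\n",
    "BYE sip:alice@example.com SIP/2.0\r\nFrom: <sip:bob@example.com>\r\nTo: <sip:alice@example.com>\r\n\r\n",
    "SIP/2.0 200 OK\r\nFrom: <sip:bob@example.com>\r\nTo: <sip:alice@example.com>\r\n\r\n",
]

def classify(msg):
    """Map a SIP message to ('request', METHOD) or ('response', 'Nxx') using only its start line."""
    parts = msg.split("\r\n", 1)[0].split()
    if len(parts) < 3:
        raise ValueError("malformed SIP start line")
    if parts[0].upper().startswith("SIP/"):      # status line: SIP/2.0 <code> <reason>
        return ("response", parts[1][0] + "xx")
    return ("request", parts[0].upper())         # request line: <METHOD> <Request-URI> SIP/2.0

def header(msg, name):
    """Return the value of the first header called `name` (case-insensitive), or None if absent."""
    for line in msg.split("\r\n")[1:]:
        if not line:                             # blank line ends the header section
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def type_distribution(msgs):
    """Count messages per (kind, method-or-class): the broad-view, message-type statistic."""
    return Counter(classify(m) for m in msgs)

def entropy(counts):
    """Shannon entropy in bits of a Counter of message types."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def is_anomalous(window, baseline_entropy, threshold=1.0):
    """Flag a window whose message-type entropy diverges from the historical baseline.
    The absolute-difference threshold is an assumption, not the paper's detection rule."""
    return abs(entropy(type_distribution(window)) - baseline_entropy) > threshold
```

A window made only of INVITE requests collapses to zero entropy, far from the mixed baseline, which is the kind of divergence the paper's alerting is meant to surface.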
2.2 Problem Discussion and Data Sets
In this paper, we focus on characterizing and profiling SIP-based VoIP traffic behavior by using passive traffic monitoring, with the objective to identify anomalies to
In addition to IP telephony, it can also be used for teleconferencing, presence, event notification, instant messaging, and other multimedia applications.