DocumentCode :
2124792
Title :
Securing IP-Multimedia Subsystem (IMS) against Anomalous Message Exploits by Using Machine Learning Algorithms
Author :
Rafique, M. Zubair ; Khan, Zeeshan Shafi ; Khan, Muhammad Khurram ; Alghatbar, Khaled
Author_Institution :
Center of Excellence in Inf. Assurance (CoEIA), King Saud Univ., Riyadh, Saudi Arabia
fYear :
2011
fDate :
11-13 April 2011
Firstpage :
559
Lastpage :
563
Abstract :
Modern communication infrastructures (IP Multimedia Subsystem (IMS) and Voice over IP (VoIP)) are vulnerable to zero-day attacks and unknown threats. Anomalous SIP requests can be used to remotely launch malicious activity. Furthermore, anomalous messages are capable of crashing - sometimes with one message only - servers and end points. Recently, it was shown that a malicious SIP message, the "INVITE of Death", can crash a server or gain unfettered access to it. In contrast, little research has been done to protect IMS against such anomalous messages. In this paper, we propose an anomalous message detection framework that extracts novel syntactical features from SIP messages at the P-CSCF of an IMS. Our framework operates in four steps: (1) analyzes the byte-level distribution of SIP messages, (2) extracts spatial features from IMS messages in the form of byte transition probabilities, (3) uses a well-known feature selection scheme to remove redundancy in the feature set, and (4) uses standard machine learning algorithms to raise the final alarm. The benefit of our framework is that it is lightweight, requiring less processing and memory resources, and provides high detection accuracy. We have evaluated our system on a real-world IMS dataset consisting of more than 10,000 benign and malicious SIP messages. The results of our experiments demonstrate that, using machine learning algorithms, our framework achieves detection accuracy of more than 99%. Last but not least, its testing time is 152 μseconds per packet; as a result, it can be easily deployed on the IMS core.
Keywords :
Internet telephony; learning (artificial intelligence); multimedia communication; security of data; signalling protocols; IP-multimedia subsystem; P-CSCF; SIP; Voice over IP; anomalous message; byte-level distribution; feature extraction; machine learning; malicious activity; proxy call state control function; Accuracy; Feature extraction; Machine learning algorithms; Protocols; Security; Servers; Testing; IMS Security; INVITE of Death; Machine Learning; SIP Security; VoIP Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Technology: New Generations (ITNG), 2011 Eighth International Conference on
Conference_Location :
Las Vegas, NV
Print_ISBN :
978-1-61284-427-5
Electronic_ISBN :
978-0-7695-4367-3
Type :
conf
DOI :
10.1109/ITNG.2011.102
Filename :
5945297