An intrusion detection and prevention system for IMS and VoIP services

Bibliographic Details
Published in: International journal of information security 2013-06, Vol.12 (3), p.201-217
Main authors: Vrakas, Nikos; Lambrinoudakis, Costas
Format: Article
Language: eng
Online access: Full text
Description
Summary: The Voice Over IP (VoIP) environments and the most contemporary ones such as the IP Multimedia Subsystem (IMS) are deployed in order to provide cheap and at the same time high quality services to their users. Video calls, conferences, and applications can be provided to mobile devices with the lowest possible delay, while the Quality of Service (QoS) remains as the top priority for users and providers. Toward this objective, these infrastructures utilize the Session Initiation Protocol (SIP) for signaling handshakes since it is the most flexible and lightweight protocol available. However, according to many researches, it happens to be vulnerable to many attacks that threaten system’s security and availability. In this paper, we introduce a cross-layer mechanism that is able to mitigate in real-time spoofing attacks such as SIP signaling, identity theft, masquerading, and Man in the middle, and also single and distributed source flooding. It consists of three components: the policy enforcer which acts as a black list, and the spoofing and flooding modules. We also introduce a classification of SIP flooding attacks for better representation of the detection coverage. To the best of our knowledge, the proposed detection system is the most complete and accurate in terms of the attack range that is able to deter. Concerning its performance, it does not require computational expensive calculations nor resource demanding security protocols, thus being a lightweight mechanism. The experimental results have demonstrated high detection rates with false alarm rates approaching zero. Finally, it is platform independent and transparent to networks’ operations and thus can be deployed in both VoIP and IMS environments.
ISSN: 1615-5262, 1615-5270
DOI: 10.1007/s10207-012-0187-0