SIP-based VoIP traffic behavior profiling

US 7,441,429 B1
Filed: 09/28/2006
Issued: 10/28/2008
Est. Priority Date: 09/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method for profiling SIP network traffic comprising:

tallying a plurality of SIP messages associated with a SIP server to produce a first message tally count;

tallying a plurality of SIP messages associated with the SIP server according to a plurality of distinct user resource indicators (URIs) to produce a plurality of second message tally counts;

calculating a user activity diversity metric (UAD) associated with the SIP server using normalized entropy according to the first message tally count and the plurality of second message tally counts; and

providing a measure of randomness of user activities based on the user activity diversity metric.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.

79 Citations

View as Search Results

12 Claims

1. A method for profiling SIP network traffic comprising:
- tallying a plurality of SIP messages associated with a SIP server to produce a first message tally count;
  
  tallying a plurality of SIP messages associated with the SIP server according to a plurality of distinct user resource indicators (URIs) to produce a plurality of second message tally counts;
  
  calculating a user activity diversity metric (UAD) associated with the SIP server using normalized entropy according to the first message tally count and the plurality of second message tally counts; and
  
  providing a measure of randomness of user activities based on the user activity diversity metric.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the plurality of SIP messages comprise one or more register request messages, the SIP server comprises a registrar, and the UAD provides a measure of randomness of caller activities with respect to the registrar, the method further comprises identifying anomalies of SIP network traffic based on the measure of randomness of caller activities with respect to the registrar.
  - 3. The method of claim 2 wherein the plurality of SIP messages comprises one or more call request messages, the SIP server comprises a call proxy, the plurality of distinct URIs correspond to source IP address of the one or more call request messages, the UAD comprises a UAD_caller, and the UAD_caller provides a measure of randomness of caller activities, the method further comprises identifying anomalies of SIP network traffic based on the measure of randomness of caller activities.
  - 4. The method of claim 3 wherein the plurality of SIP messages comprise one or more call request messages, the SIP server comprises a call proxy, the plurality of distinct URIs correspond to destination IP address of the one or more call request messages, and the UAD comprises a UAD_callee, and the UAD_callee provides a measure of randomness of callee activities, the method further comprises identifying anomalies of SIP network traffic based on the measure of randomness of callee activities.
  - 5. The method of claim 4 wherein the plurality of SIP messages comprise one or more call request messages, the SIP server comprises a call proxy, the plurality of distinct URIs comprises a plurality of distinct URI pairs, wherein each distinct URI pair consists of a first URI and a second URI, the first URI corresponding to source IP address of a first call request message, the second URI corresponding to destination IP address of a second call request messages, and the UAD comprises a UAD_caller-callee, and the UAD_caller_callee provides a measure of randomness of caller_callee pair activities, the method further comprises identifying anomalies of SIP network traffic based on the measure of randomness of caller_callee pair activities.
  - 6. The method of claim 5, further comprising:
    - calculating a first and second parameters associated with a feature function for at least one time increment of a plurality of time increments, the feature function comprising at least one selected from a group consisting of the UAD, the UAD_caller, the UAD_callee, and the UAD_caller callee, the first and second parameters being statistical parameters calculated according to a predetermined algorithm;
      
      incrementing an alert level and locking the first parameter upon the second parameter exceeding a first threshold;
      
      decrementing the alert level upon the second parameter becoming lower than a second threshold;
      
      unlocking the first parameter upon the alert level becoming lower than a first level; and
      
      reporting an anomaly upon the alert level exceeding a second level.
  - 7. The method of claim 6 wherein the first and second threshold are calculated during a learning period prior to the plurality of time increments.
  - 8. The method of claim 6 wherein the first threshold equals the second threshold.
  - 9. The method of claim 6 wherein the first parameter is calculated according to an average of percent deviation from past average associated with the feature function.
  - 10. The method of claim 6 wherein the second parameter is calculated according to a deviation from the first parameter associated with the feature function.
  - 11. The method of claim 7 wherein the first or second threshold is calculated according to a maximum of the second parameter during the learning period.
  - 12. The method of claim 6 further comprising:
    - comparing a current histogram to a last clean histogram upon the anomaly being reported to generate a comparison result, the current histogram and the last clean histogram being associated with the feature function; and
      
      identifying a cause of the anomaly based on the comparison result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
Narus, Inc. (Gen Digital Inc.)
Inventors
Nucci, Antonio, Zhang, Zhi-Li, Ranjan, Supranamaya
Primary Examiner(s)
Tsang; Fan
Assistant Examiner(s)
NGUYEN, PHUNG HOANG JOSEPH

Application Number

US11/540,893
Time in Patent Office

761 Days
Field of Search

370/230, 370/230.1, 370231-235, 370/237, 709224-226
US Class Current

70/229
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 65/1104   Session initiation protocol...

Y10T 70/5854   Bolt, nut, stud, stud-cap

SIP-based VoIP traffic behavior profiling

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

SIP-based VoIP traffic behavior profiling

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links