SIP-based VoIP traffic behavior profiling
First Claim
1. A method for profiling SIP network traffic comprising:
- tallying a plurality of SIP messages associated with a SIP server to produce a first message tally count;
- tallying a plurality of SIP messages associated with the SIP server according to a plurality of distinct user resource indicators (URIs) to produce a plurality of second message tally counts;
- calculating a user activity diversity metric (UAD) associated with the SIP server using normalized entropy according to the first message tally count and the plurality of second message tally counts; and
- providing a measure of randomness of user activities based on the user activity diversity metric.
Abstract
With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment are illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.
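The UAD calculation recited in claim 1, sketched as an added example (not code from the patent or its authors): it tallies SIP messages per URI and divides the entropy of those tallies by the log of the total tally. Assumptions: the URI is taken from the From header only, normalization is by log of the total message count, and the `msg` helper, the `example.test` names and both traces are constructed.

```python
import math
import re
from collections import Counter

# URI of the From header (long or compact form), e.g. From: "A" <sip:a@example.test>;tag=1
FROM_RE = re.compile(r"^(?:From|f)\s*:.*?<?(sips?:[^>;\s]+)", re.I | re.M)

def from_uri(message):
    """Return the From URI of one raw SIP message, or None if it has none."""
    m = FROM_RE.search(message)
    return m.group(1) if m else None

def user_activity_diversity(messages):
    """UAD in [0, 1]: entropy of the per-URI tallies over log(total tally)."""
    # Second tallies: one count per distinct URI (unparseable messages are skipped).
    per_uri = Counter(u for u in map(from_uri, messages) if u)
    # First tally: all messages attributed to this server that carried a URI.
    total = sum(per_uri.values())
    if total < 2:
        return 0.0  # log(1) == 0, so the ratio is undefined; report no diversity
    entropy = -sum((c / total) * math.log(c / total) for c in per_uri.values())
    return entropy / math.log(total)  # assumed normalization: log of first tally

def msg(method, uri):
    """Build a minimal constructed SIP request (hypothetical helper)."""
    return (f"{method} sip:pbx.example.test SIP/2.0\r\n"
            f"From: <{uri}>;tag=1\r\nTo: <sip:pbx.example.test>\r\n\r\n")

# Constructed trace 1: eight users, one REGISTER each.
NORMAL = [msg("REGISTER", f"sip:user{i}@example.test") for i in range(8)]
# Constructed trace 2: the same traffic plus 56 repeats from a single URI.
SKEWED = NORMAL + [msg("REGISTER", "sip:user0@example.test")] * 56

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("skewed", SKEWED)):
        print(f"{name}: messages={len(trace)} UAD={user_activity_diversity(trace):.3f}")
```

A trace spread evenly over its users scores 1, while one dominated by a single URI falls toward 0; what counts as anomalous for a given server is a baseline decision this sketch does not make.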
12 Claims
Claims 2 through 12 depend on claim 1, which is reproduced above under First Claim.