Detecting VoIP Floods Using the Hellinger Distance
June 2008 (vol. 19 no. 6)
pp. 794-805
Voice over IP (VoIP) a.k.a. Internet telephony is gaining market share rapidly and now competes favorably as one of the visible applications of the Internet. Nevertheless, being an application running over the TCP/IP protocol suite, it is susceptible to flooding attacks. If flooded, being a time-sensitive service, VoIP voice quality may show noticeable degradation and even encounter sudden service disruptions. Because multiple protocols are involved in VoIP service, and most of them are susceptible to flooding, an effective solution must be able to detect and overcome hybrid floods. As a solution, we offer VoIP Flood Detection Systems (vFDS), an online, statistical anomaly detection framework that generates alerts based on abnormal variations in a selected hybrid collection of traffic flows. It does so by viewing collections of related packet streams as evolving probability distributions and measuring abnormal variations in their relationships using the Hellinger distance, a measure of variability between two probability distributions. Experimental results show that vFDS is fast and accurate in detecting flooding attacks, without noticeably increasing call setup times or introducing jitter into the voice streams.
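As an added illustration (not code from the paper or its authors), the sketch below treats per-window counts of related packet streams as a probability distribution and raises an alert when the squared Hellinger distance from a recent baseline exceeds a threshold. The four SIP message types, the window counts, the baseline length and the fixed threshold are all constructed assumptions, not values from the paper.

```python
import math

# Constructed sample: per-window counts of four SIP message types.
# The choice of attributes is an assumption; the abstract does not name them.
ATTRS = ("INVITE", "200 OK", "ACK", "BYE")
WINDOWS = [
    (100, 96, 95, 92),
    (110, 104, 103, 99),
    (95, 93, 92, 90),
    (105, 100, 99, 97),
    (900, 98, 97, 94),   # constructed INVITE flood
    (102, 99, 98, 95),
]

def distribution(counts):
    """Normalise raw counts into a probability distribution."""
    total = sum(counts)
    if total == 0:
        # No traffic: treat as uniform so the distance stays defined.
        return [1.0 / len(counts)] * len(counts)
    return [c / total for c in counts]

def hellinger_sq(p, q):
    """Squared Hellinger distance: 0 for identical, 1 for disjoint support."""
    return 0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))

def detect(windows, train=3, threshold=0.05):
    """Compare each window with the pooled counts of the `train` most recent
    non-alerting windows; return (index, distance, alert) per tested window."""
    baseline = [list(w) for w in windows[:train]]
    results = []
    for i, w in enumerate(windows[train:], start=train):
        pooled = [sum(col) for col in zip(*baseline)]
        d = hellinger_sq(distribution(pooled), distribution(w))
        alert = d > threshold
        results.append((i, d, alert))
        if not alert:
            # Slide the baseline only over normal traffic so a flood
            # cannot train itself into the reference distribution.
            baseline = baseline[1:] + [list(w)]
    return results

if __name__ == "__main__":
    for i, d, alert in detect(WINDOWS):
        print(f"window {i}: H^2={d:.4f} {'ALERT' if alert else 'ok'}")
```

Because the distance is computed on normalised proportions, a uniform rise in call volume across all four streams leaves it near zero, while a surge in a single stream shifts the distribution and is flagged.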


Index Terms:
Network-level security and protection, Communication/Networking and Information Technology
Hemant Sengar, Haining Wang, Duminda Wijesekera, Sushil Jajodia, "Detecting VoIP Floods Using the Hellinger Distance," IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 6, pp. 794-805, June 2008, doi:10.1109/TPDS.2007.70786