$SSOLFDWLRQVDQG,QQRYDWLRQVLQ0RELOH&RPSXWLQJ$,0R&
Performance analysis of VoIP spoofing attacks using
classification algorithms
G. Vennila, N. Supriya Shalini,
Department of Electronics and Communication
Engineering, Thiagarajar College of Engg., Madurai, India
vennilatg@tce.edu, nsupriyashalini@gmail.com
Abstract-Voice over Internet Protocol (VoIP) is an emerging
trend of applications on the internet today. As with any recent
technology, VoIP also introduces both fortuity and problems.
Existing VoIP honeypot experimental set ups based on SIP
(Session Initiation Protocol) deals with the basic attacks like DoS
(Denial of Service), enumeration detection, signature collection
and SPIT (Spam over Internet Telephony). These VoIP service
abuse attacks cause discrepancy between the services offered to
the VoIP users and service providers. We executed successive
attempts with different sets of attributes and sample subsets to
collect exact traffic records used for detecting and categorizing
the attack packets using honeypot. Finally, a comparison of both
the algorithms with its true and false positive rates is evaluated.
For result analysis, we propose a test-bed using Zoiper (SIP
clients), Asterisk server, Artemisa honeypot and Wireshark as
network analyzer. The test-bed demonstrates how the honeypot
effectively works in improvising the robustness of the VoIP
security system from billing attacks and toll frauds.
Keywords -VoIP Honeypot, VoIP Service abuse attack, Registration
hijacking, Invite replay attack, Bye Delay Attack, Fake Busy attack
I. INTRODUCTION
The tremendous growth of VoIP is driven by its several
fundamental benefits over traditional Public Switched
Telephone Network (PSTN). Even if VoIP offers lesser
expenditure and superior flexibility, it also introduces major
risks and vulnerabilities [1]. There remains a great deal of
research, which still needs to be carried out into the particular
problems which need to be solved for VoIP networks to be a
technical and commercial success. The non-deterministic
nature of the Internet, and the impact, which this specifically
has on voice traffic, is one major area of concern. Inherent
problems with security due to the open standard of public IP
networks are also of equal importance. Current VoIP
applications tackle this problem by introducing new algorithm
and tool.
This paper focuses on the challenges and impact of
employing security services into VoIP networks by using
honeypot. The honeypot detects the incoming packets,
categorizes them after feature extraction phase. In this paper
we compare two decision algorithms- Naive Bayes’ and C4.5
Decision tree classifier evaluates the performance with their
true/false positive rates. In the remaining of this paper, section
II gives a related work. Section III gives brief overview of
‹,(((
MSK. Manikandan,
Department of Electronics and Communication
Engineering, Thiagarajar College of Engg., Madurai, India
manimsk@tce.edu
VoIP architecture. Section IV summarizes the VoIP threat
model. Section V deals with the experimental setup and
section VI with performance analysis of the classifier
algorithms. Section VII concludes the paper.
II. RELATED WORK
A numeral of credulous susceptibilities in SIP can influence
invoice records in various ways, illustrating their relevancy
against genuine mercantile VoIP providers. The main focus is
primarily on attacks that create invoice inconsistencies. Four
kinds of billing attacks are focused by Ruishan Zhang that
may perhaps result in charges for the calls that the users have
not made. They may also result in over charges that the user
has made. The paper concludes with a set of subscribers that
are susceptible to these kinds of billing attacks [1]. S.Niccolini
proposed a prototype using Snort - an Intrusion Detection and
Prevention System (IDPS). The proposed architecture extends
the functionality of snort by introducing pre-processing
features to analyze protocols over TCP/UDP. This proposed
prototype increases QoS by forwarding the voice traffic
without delay of service [2]. The use of SIP specific honeypots
to catch targeting the internet telephony system, protocols and
application presented in [3].
The design and implementation of such honeypot system
explore the use of a statistical engine for indentifying attacks
and other misbehavior based on training on legitimate traces
of SIP traffic. The working model depends on Bayesian
inference and motivates the need for a VoIP honeypot by
introducing functional scenarios to bring realistic benefits. A
honeyphone which controls a rich set of network tools with an
application programming interface is used. The AVISPA Tool
is a push-button tool used to identify a protocol level
vulnerability in the way SIP handles authentication [4] [5].
AVISPA is a model checker for validating security protocol
and applications using high level protocol specification and
language that gets compiler into an intermediate format that
can be consumed by a number of lower level checkers.
Attacks are possible with the SIP digest authentication,
whereby an adversary can reuse another party credential to
obtain unauthorized access to SIP or PSTN services. This
attack is possible since authentication may be demanded in
response to an INVITE message at any time during a call, and

the responder may issue an INVITE message during a call
either automatically or all the way through a user action.
While the solution is simple, it requires changes possibly to all
end device SIP implementation.
Decision under uncertainty is made using probability
theory. It is a great issue to classify raw data logically to
reduce the expected hazard with the help of Bayes’ rule. It is
based on the past and future data. In K- nearest neighbor the
result of new instance query is handled. Review of Naive
Bayes’ and K- nearest neighbor classifier is done and its
performance is observed [6]. Intrusion detection speed and
computational cost is another major vital role, because
datasets are huge and impact of the attacker varies day to day.
Bayes’ and KNN classifier is a simple and fast feature
selection method. It eradicates features with no helpful
information on them which results in faster learning process of
redundant feature omission [7]. Information regarding possible
confidentiality violating rules can consequently be used to
alter the IDS rule sets to reduce the estimated amount of data
confidentiality destructions at some point in normal operation
is discussed in [8]. Data mining algorithms are being applied
in building IDS to protect computing resources against
unauthorized access. Most of the solution is used to detect and
further classify into four categories such as Denial of Service
(DoS), U2R (User to Root), R2L (Remote to Local), probe and
to reduce the false alarm rate of IDS [9]. The experimental
results using the KDD99 data set shows that while Naive
Bayes' is one of the most efficient classifier, decision trees are
more attractive as far as the detection of new attacks [10].
In general, the normal way of detecting the attacks by
using different types of tools that provide alert to the
administrators. But most of the attackers normally escape from
those tools because they are mostly rule-based [11]. Nowadays
the need of enhanced attack detection techniques became a
vital role for the VoIP network. SIP based VoIP system has
many security problems and effects relate to confidentiality,
integrity and availability. The attacks on the SIP system, such
as registration hijacking, impersonating a proxy, DoS and
spam are conferred in [12]. Authentication mechanisms are
established for hop-hop and end to end security to protect the
attacks from registration hijacking. This attack allows
performing toll fraud and calling hijacking [13]. In the
proposed system uses the labeled data set from honeypot and
not any pre-defined data set as in existing IDS. Thus the
honeypot data are more valuable than that of the signature
based collection algorithms.
III. PROPOSED VOIP SYSTEM ARCHITECTURE
The VoIP architecture is composed of Zoiper clients, SIP
proxy server (Asterisk), gateways, and VoIP honeypots as
shown in Fig.1.VoIP has been employed with a variety of
protocols such as SIP, Real time Transport Protocol (RTP),
and Session Description Protocol (SDP) etc. VoIP systems
make use of session control and signaling protocols to have
power over the signaling, set-up and tear-down of calls. The
fundamental operation of VoIP is to transmit the voice signal

into digital form in packets rather than that of signals in
PSTN. To transfer audio, video streams over IP networks RTP
protocol is used.
Fig.1 Proposed VoIP architecture with honeypot
When the voice packets of VoIP calls are distributed and
interpreted to the unsecured public network, the VoIP packets
are easier to be endangered by the attacker. Therefore, the aim
of this paper is to detect and classify the occurrence of service
abuse attacks using honeypot. Honeypot are traps set to the
attacker. In a honeypot system the first entity to communicate
with the attacker is the honeypot rather than the server itself.
The honeypot gathers all the useful credentials from the
attacker and the attack patterns or methodologies. The
proposed architecture consists of ten clients with a server and
a honeypot connected to the internet. In this paper the
honeypot uses two kinds of algorithms to classify the attack
packets and compares the performance of two algorithms
based on attributes collected by it.
IV. VOIP THREATS
The most significant defenselessness in the VoIP network is
the service abuse attack that makes calls with no permission or
put off the length of call. Resulting in either, charge on the
calls the VoIP users not made or overprices on the VoIP calls
the users have made. The following sub sections summarize
how VoIP service abuse threats are generated in the proposed
VoIP system architecture.
A. Registration Hijacking
A SIP registration hijacks implemented by an attacker by
hindering a legitimate SIP client registration and replacing it
with the attacker IP address instead. This allows the attacker to
interrupt incoming calls and reroute, replay or terminate calls
as they desire. In the proposed method, the SIP registration
method permits a User agent to discover it to the registrar
server at which the user is sited. The registrar assesses the
identity in the FROM header field of a REGISTER message to
determine whether this request will be capable of modifying
the contact addresses associated with the address in the TO
header field. The FROM field of a SIP requestt is customized
by chance by the real User Agent, and this opeens the door to
malicious registrations. This results in attackeers gaining the
ability to place calls over the VoIP system or redirecting
legitimate class to a malicious user’s device.
B. INVITE Replay attack
Invite Replay billing attacks endeavor to construct
unregistered calls by replaying the interruupted INVITE
method. This kind of billing attacks takes bbenefit of the
execution errors of the default funcctionality (no
acknowledgement is sent in return) of SIP authentication.
Even if the INVITE methods are shiellded by SIP
authentication it could be successful.
B. Fake Busy Attack
Fake Busy billing attack purposely seizes VoIP calls of
intended VoIP subscribers and controls thhe call length
(duration). The call attempted by the VoIP subsscriber may fall
short, and yet the VoIP subscriber will be charged for a
duration determined by the attacker. Accordinng to Fig.2 the
MITM sends fake BUSY method to the actual user and takes
incharge of the transaction and starts communiccating with the
server as if it is the actual user.
Fig. 2 Service abuse attack
C. Bye Delay Attack
Bye Delay billing attack hunts for evideently extended
duration of established calls linking targeted VooIP subscribers
by interrupting the BYE messages. Here, MITM M intercept the
BYE message when a caller or callee commuunicates its SIP
server and sends back a 200 OK message. Thiss may give the
caller or callee an impression of successfully eended call. But
actually the call is in the hands of the man in the middle.
Thereby the user will be charged for the call thhat the attacker
has planned for.
D. BYE Drop attack
Bye Drop billing attack lengthens thee duration of
established calls by introducing anonymous BY
YE messages in

the communication among user ag gents. Its mechanism is
analogous with the previously discusssed Bye delay spoofing
attack. The attacker drops fake BYE messages in the
transaction thereby deceiving the serrver as if the transaction
has ended.
V. EXPERIMENTALL SET-UP
In our experimental test bed Artem misa and Zoiper are used
as honeypot and SIP clients who aree registered with Asterisk
SIP server as shown in Fig.3. To showcase the accurate voice
traffic result we have been analyzinng them on basis of call
volume, call transfer and call hold tim
me. To get in depth about
the attack analysis of our experiment, Wireshark is used which
pinpoint us the packet flow in VOIIP networks. It also lays
emphasis on the SIP packet flow.
Fig. 3 Experimen
ntal Test Bed
As a result we have at last taken into account about 10
nodes and monitor their whole transaaction and that of the SIP
server using Wireshark.
A. Data Collection
Collecting an accurate dataset for performing decision tree
analysis is a tedious task. Data colleection and pre-processing
often consume majority of the time in our research. For the
experiment, the honeypot is monitored for a period of one
week which assists in detailed performmance analysis to classify
the attributes.
B. Feature Extraction
The data captured from honeypot is extracted for labeling as
shown in table I. Feature extraction deepends on the data source
and category of attack to be detecteed. Artemisa is bait that
performs tricks on system or service without being part of the
production itself. The fundamental aim m of honeypot is to study
the behavior of intruders who interaccts with the SIP servers.
The honeypot analyses the data origginated in the SIP logs.
According to the proposed scripting ru ules in Artemisa, features
are extracted and labeled. Features are classified into three Where,
types,

   = probability of instance B being in class Aj,


• Fundamental features related to connection 
• Type of protocol used, call duration, via,
From IP, To IP, etc.,
• Traffic features related to conflicts from normal
secure setup
• No. of calls from same IP, no. of
unregistered calls, no. of failed packets,
etc.,
  = probability of generating instance B given class Aj,

 = probability of occurrence of class Aj,
 = probability of instance B occurring
Our experimental results for Service abuse attack are
computed from Eq.2. Naive Bayes’ classifiers assume
attributes have independent distributions, and thereby estimate
   
  =       *..….*   (2)
   
• Misconception features related to SIP session status
codes Where,
• 4xx Client error, 5xx Server error, 3xx 
  = probability of class Aj generating attack instance B
redirection, etc., 
These attributes are used in detecting any discrepancies in    = probability of class Aj generating the observed

the VoIP environment. value for attribute B1, B2….Bn.
When the honeypot receives the voice packets, it decides
TABLE I. COLLECTION OF LABELED ATTRIBUTES the incoming packets are of a Fake_BUSY attack when the
probabilities of attributes like no. of unregistered calls, no. of
Duration of the call Time of call answered/ended Failed_for fake BUSY methods, no. of unauthorized IPs, packet inter
packets arrival time and no. of forwarded calls are HIGH as
Request/ Response Timeout packets BUSY
method methods
mentioned in Eq.3.
Source / Destination Status of the call INVITE
IP packet count (COMPLETED / methods p(Fake_BUSY_attack /Aj) =
ANSWERED/ REJECTED/ p(no_of_ Fake_ BUSY_packets= HIGH/Aj)*
CANCELLED/ BUSY) p(no_of _Unauthorized _IPs =HIGH /Aj) *
Timestamp between Protocol used BYE methods
the packets
p(no_of_fwd_calls= HIGH/Aj )*
Packets per day Registered users Registration p(packet_inter_arrival_time= HIGH/Aj) (3)
request per
day 2) C4.5 Decision Tree algorithm
Registration_Failed Not Matching peer found Via The C4.5 model divide samples or training data on basis
packets packets
unauthorized IP's Bytes per seconds Caller ID
of the collected features as listed in table I. The procedure will
Packet rate Average packet size Contact prolong until the sample subset cannot be split. At last,
Packet inter arrival Forwarded calls Forbidden examine the least possible level split and those samples that
time messages don’t comprise noteworthy input to the model will be
discarded. C4.5 algorithm makes decision from Artemisia
C. Proposed algorithm result which consists of a set of labelled data.
This paper considers two classifier algorithms namely The training data is a set
! " !" " !# $ $ $ !% of previously
Naive Bayes’ and C4.5 Decision tree algorithm for classified samples. Every sample ti consists of a p-dimensional
performance analysis of VoIP service abuse attacks. vector &"% &"% " &#"% ' where Vi stands for attributes or features
of the sample over and above the class in which ti falls. The
1) Naive Bayes’ classifier algorithm chooses the attribute that most efficiently splits the
A Naive Bayesian classifier is a simple and powerful set of samples into small subsets supplementing in one class or
classifier with independent assumptions. The incoming the other at each node of the proposed VoIP set-up. The
packets from Artemisa classify and assume a set of monitored feature with the highest normalized information gain is
attributes for instance. The proposed algorithm estimates preferred to formulate the decision. The C4.5 algorithm then
the posterior probability that an attack packet is classified recurses on the minor subsets [14].
under  with each class A1 - Registration Hijacking, A2 -
Invite Replay, A3 - Fake Busy and A4 - Bye Delay as stated in VI.PERFORMANCE ANALYSIS OF THE PROPOSED CLASSIFIER
Eq.1. ALGORITHM
In this section, we recapitulate our experimental results to





 identify the VoIP service abuse threats for intrusion detection.
 
(1) Experimental results are presented in terms of the true
 
positive, false positive, true negative and false negative for
incoming packets. This accomplishes the good level of


inequity from normal data in the honeypot. The proposed
classification increases the accuracy of true posiitive rates.
The flow graph shown in Fig.4 representts the working
model of the proposed technique and the corresponding
procedure is illustrated as follows,
1. The Artemisa honeypot setup will be the iniitial unit of our
proposed test bed that communicates with all the inward
bound voice packets and identifies the maliccious incomes.

Fig. 5 Detection rates of classification algorithm

Figure.5 emphasis the detection rates of the two

classification algorithms. The classiffication algorithm works
with the help of received packets on n Registration hijacking,
INVITE replay frames, fake BUSY Y attacks and fake BYE
messages.

Fig.4 Flow graph for proposed system

m

2. Feature extraction phase proposed in the hooneypot which

includes ,
a. Creating labelled data set from the received
packets like call_duration,
registration_failed_packets, unauthhorized_ip,
etc.,
Fig. 6 Packet classification of serrvice abuse attack
b. Discovering attribute subsets for analogous
a
instances. Figure.6 shows the number ppackets identified under
c. Identify and analyze relevant attribbutes for service abuse attacks. Out of 19,821
1 packets received at the
classification of VoIP threats menttioned in SIP server for a period of one weeek 2,161 packets were
categorized under the number of unreegistered calls protruding
section IV.
the SIP server. 12,038 packets weree categorized under fake
3. The infected packets are then sent to the proposed BUSY/BYE/CANCEL methods 2,68 80 packets under failed
classifier algorithm. Our proposed methodoology will now category and remaining 2,942 packetss include other factors for
identify and trap the attacker and also classsifies the attack service abuse attacks.
packets.
4. Then performance analyses with the two claassifiers are
done and the results are charted.


 TABLE II. DETECTION RATES OF CLASSIFIER ALGORITHM [7] S. Parsazad,E. Saboori, A. Allahyar " Fast Feature
Reduction in intrusion detection datasets", MIPRO, 2012
Proceedings of the 35th International Convention,
Algorithm True True False False pp.1023 - 1029, 2012
Positive Positive Positive Positive
(Normal) (Attack) (Normal) (Attack)
[8] M Ulltveit , V. Oleshchuk, Privacy Violation
Classification of Snort Ruleset , 2010 18th Euromicro
International Conference on Parallel, Distributed and
Network-Based Processing (PDP), pp.654 - 658, 2010
Naive Bayes’ 0.983 0.978 0.134 0.083
[9] H Om, A. Kundu, "A hybrid system for reducing the
false alarm rate of anomaly intrusion detection system",
C4.5 Decision 0.994 0.962 0.006 0.056 2012 1st International Conference on Recent Advances in
Tree Information Technology (RAIT), pp.131 - 136, March
2012.
The data identified as attack packets make sure that it [10] M. Panda, M.R Patra, M.R, A Comparative Study of Data
results in enhanced security of the SIP server to the maximum Mining Algorithms for Network Intrusion Detection ,
level. Table II depicts the performance comparison of the ICETET '08 First International Conference on Emerging
observed results for the two classification algorithm. Trends in Engineering and Technology, pp. 504 - 507,
July 2008.
VII.CONCLUSION [11] T Subbulakshmi, A.F Afroze, Multiple learning based
From the classified results, Asterisk server takes action classifiers using layered approach and Feature Selection
over the packets either to accept or drop using the suspicion for attack detection, International Conference on
algorithm. The suspicion technique proposed here is more Emerging Trends in Computing, Communication and
predictive towards attacks. This paper analyzes and Nanotechnology (ICE-CCN), pp.308 - 314, March 2013.
categorizes a large volume of honeypot data and compares the [12] S Liancheng , J Ning, Research on Security Mechanisms
true and false positive rates of the two classification of SIP-Based VoIP System, Ninth International
algorithms. Thus the proposed technique augments the Conference on Hybrid Intelligent Systems, pp. 408 - 410,
robustness of the VoIP network with Artemisa by preventing Aug. 2009
service abuse attacks to a greater extent. [13] Si Duanfeng, Q Long , Han Xinhui, Zou Wei, Security
REFERENCES mechanisms for SIP-based multimedia communication
[1] R. Zhang, X. Wang, X. Yang, and X. Jiang. Billing infrastructure, International Conference on
Attacks on SIP-based VoIP Systems. In Proceedings of Communications, Circuits and Systems (ICCCAS 2004),
the 1st USENIX workshop on Offensive Technologies, pp.575 - 578, June 2004
pages 1–8, August2007. [14] R. Quinlan, “C4.5: Programs for Machine Learning,”
[2] S. Niccolini, R. G. Garroppo, S. Giordano, G. Risi, and S. Morgan Kaufmann Publishers, San Mateo, CA, 1993.
Ventura. SIP Intrusion Detection and Prevention:
Recommendations and Prototype Implementation. In
Proceedings of the 1st IEEE Workshop on VoIP
Management and Security (VoIP MaSe), pages 47–52,
April 2006.
[3] M. Nassar,R. State O. Festor. VoIP Honeypot
Architecture. In Proceedings of the 10th IFIP/IEEE
International Symposium on Integrated Network
Management, pages 109–118,May 2007
[4] H Abdelnur, T Avanesov, M Rusinowitch, Abusing SIP
Authentication, Fourth International Conference on
Information Assurance and Security (ISIAS '08), pp. 237
- 242, 2008.
[5] R. State, O. Festor, H. Abdelanur, V. Pascual, J. Kuthan,
R. Coeffic, J. Janak, and J. Floroiu SIP digest
authentication relay attack. draft-state-sip-relay-attack-00,
March 2009
[6] M.J Islam, Q.M. J Wu, M Ahmadi, M. A Sid-Ahmed,
"Investigating the Performance of Naive- Bayes Classifiers
and K- Nearest Neighbor Classifiers", International
Conference on Convergence Information Technology, pp.1541
- 1546, 2007