Title
Defending VoIP Networks using Machine Learning Techniques
Author
Ahmed, Waleed Nazeeh AbdelKawy.
Preparation committee
Researcher / وليد نزيه عبد القوي أحمد
Supervisor / حسام الدين مصطفى فهيم
Supervisor / تامر مصطفى عبد القادر
Publication date
2021.
Number of pages
89 p.
Language
English
Degree
Doctorate
Specialization
Computer Science (miscellaneous)
Approval date
1/1/2021
Place of approval
Ain Shams University - Faculty of Computer and Information Sciences - Computer Systems
Only 14 of 89 pages are available for public view.

Abstract

Voice over Internet Protocol (VoIP) is a technology that enables users to make voice or telephone calls over Internet Protocol (IP) networks. Since the internet has been and continues to be a prominent form of communication, VoIP services are a promising communication medium because of their low cost and added features. As a result, many companies have transformed their telephone systems into VoIP systems.
VoIP networks have two main functions: a signaling function to establish, modify, and terminate a conversation, and a media transmission function to carry voice traffic. The Session Initiation Protocol (SIP) is one of the most common protocols used for signaling in VoIP networks. It is very popular because of its flexibility, simplicity, and ease of implementation, so it is a target of many attacks.
Recently, VoIP networks have been vulnerable to many security threats. In addition, the intensity of attacks seems to have been growing; this might be a result of the rapid increase in the capabilities of tools used by attackers. Two of the most harmful and specific types of VoIP attacks are Denial of Service (DoS) and Distributed Denial of Service (DDoS). The main objective of these attacks is to prevent legitimate users from using VoIP services. These attacks may affect VoIP service availability by targeting one or many VoIP servers. Such attacks can thus affect business productivity and lead to revenue loss.
In this thesis, we propose a system to detect low and high rate DoS and DDoS attacks in SIP-based VoIP networks. First, we build a benchmark system using a linear Support Vector Machine (SVM) classifier with l1 regularization (i.e., l1-SVM). In this system, we project the SIP messages into a very high dimensional space using string-based n-gram features. A linear classifier is then trained on top of these features. This system has detected malformed messages, INVITE flooding, and Spam over Internet Telephony (SPIT) attacks with high accuracy (i.e., F1 score: 100%) and outperformed other systems significantly in detection speed (i.e., the average detection time is 0.57 ms for malformed message attacks, and 0.73 ms for INVITE flooding and SPIT attacks).
For DDoS attacks, the previous system failed to detect the low-rate attacks, so a deep learning system was built to detect low and high rate DDoS attacks. This system uses token embedding to enhance the features extracted from SIP messages and a Recurrent Neural Network (RNN) to classify messages as normal or malicious. To evaluate this system, a real traffic dataset was built. This dataset contains three attack scenarios with different attack durations and intensities. Our experimental results have shown that this system detects DDoS attacks with high accuracy (i.e., F1 score: 100%) and low detection time (i.e., 0.16 ms on a GPU system and 0.80 ms on a CPU system). In addition, it outperformed our proposed classical machine learning system (i.e., l1-SVM) in detecting low-rate DDoS attacks.