Int. J. Inf. Secur.
Behavior-based approach to detect spam over IP telephony attacks
Randa Jabeur Ben Chikha¹ · Tarek Abbes¹ · Wassim Ben Chikha² · Adel Bouhoula¹
© Springer-Verlag Berlin Heidelberg 2015
Abstract Spam over IP telephony (SPIT) is expected to become a serious problem as the use of voice over IP grows. This kind of spam is attractive to spammers because of its effectiveness and low cost. Many anti-SPIT solutions have been applied to this problem, but they are still limited in some cases. Thus, in this paper, we propose a system to detect SPIT attacks through a behavior-based approach. Our framework operates in three steps: (1) collecting significant call attributes by exploring and analyzing network traces using the OPNET environment; (2) applying a sliding-window strategy to properly maintain the callers' profiles; and (3) classifying each caller (i.e., legitimate or SPITter) using ten supervised learning methods: NaïveBayes, BayesNet, SMO RBFKernel, SMO PolyKernel, MultiLayerPerceptron with two and three layers, NBTree, J48, Bagging and AdaBoostM1. The results of our experiments demonstrate the great performance of these methods. Our study, based on receiver operating characteristic (ROC) curves, shows that the AdaBoostM1 classifier is more efficient than the other methods and achieves an almost perfect detection rate with acceptable training time.
Randa Jabeur Ben Chikha: email@example.com; firstname.lastname@example.org
Tarek Abbes: email@example.com
Wassim Ben Chikha: firstname.lastname@example.org
Adel Bouhoula: email@example.com
1 Digital Security Research Unit, Higher School of Communication of Tunis (Sup’Com), University of Carthage, Cité El Ghazala, Tunisia
2 SERCOM laboratory, Tunisia Polytechnic School, Carthage University, 2078 La Marsa, Tunisia
Keywords VoIP · SPIT detection · Behavior-based approach · Supervised learning methods · ROC

1 Introduction
VoIP is a family of technologies that can offer both voice communications and multimedia sessions over internet protocol (IP) networks. This technology is being rapidly adopted by consumers and enterprises since it offers more functionality and higher flexibility than traditional telephony. Two kinds of protocols are used in most VoIP calls: a signaling protocol and a media transmission protocol. Session initiation protocol (SIP) is the most widely adopted signaling protocol, and real-time transport protocol (RTP) is the most widely adopted for media transmission.
With the increase in VoIP applications, VoIP threats have appeared and are becoming more and more of a problem. SPIT, known as unsolicited and unwanted calls sent via VoIP networks, is one of these threats. Attackers prefer to make SPIT calls because they can be made quickly and at a low cost. In fact, each VoIP account has an associated IP address. Thus, SPITters can easily send their calls to thousands of IP addresses. As a result, SPIT can annoy VoIP users. In addition, the VoIP network can be overloaded by intensive messages.
In light of this, countermeasures have been proposed in order to identify and filter SPIT. These countermeasures are mostly derived from the experience of SPAM defense. They include reputation-based and call frequency-based filtering, dynamic blacklisting, fingerprinting, challenging suspicious calls with captchas and the use of more sophisticated machine learning. Under this latter method, Nassar et al. [5,6] perform supervised learning in order to detect attacks on the SIP protocol. They apply the support vector machine (SVM) classifier to the call history logfile. Moreover, Wu et al. propose a semi-supervised learning approach using the metric pairwise constrained k-means method (MPCK-Means) to discover SPIT calls.
In this paper, we propose a SPIT detection system through a behavior-based approach. The main contributions of this paper are as follows: (1) the design of a SPIT detection system including a large number of identification criteria, (2) the application of a “sliding windows” strategy to properly maintain the callers' profiles and (3) the investigation of ten supervised classification methods to recognize SPITters.
Depending on the scope and criteria used in classification, each method has shown its effectiveness on many real-life data and has been applied to a wide range of applications.
Moreover, it is difficult to know a priori which classifier is the most efficient in such a scenario. Thus, the purpose of this comparison is to determine the characteristics of each classifier in terms of both SPIT detection and convergence speed. Here, through a comparative study, we prove that AdaBoostM1 outperforms the other classification methods.
The rest of the paper is organized as follows. In Sect. 2, we mention some related works about anti-SPIT mechanisms and the motivations of using machine learning algorithms.
The proposed system for detecting SPIT attacks is developed in Sect. 3. We describe our simulation scenario in Sect. 4, and then, we present our experiment results in Sect. 5. Finally, Sect. 6 summarizes this work and enumerates our future works.

2 Related works

2.1 Anti-SPIT mechanisms
SPIT is becoming a severe threat for VoIP users because of the reduction in voice call costs, compared to current infrastructures, and the lack of a global legal and regulatory framework.
It affects the private life of customers and their correspondence and becomes a source of noise for them. It is classified as a social threat by Keromytis. To resolve this problem, many anti-SPIT mechanisms and techniques have been proposed. Bai et al. have classified these mechanisms into four categories: list-based filtering, reputation-based filtering, Turing test and pattern-based filtering.

2.1.1 List-based filtering
It identifies SPIT according to three types of filtering lists: blacklist, whitelist and graylist. The principle is to block spam calls from the blacklist, accept user calls from the whitelist and temporarily reject unclassified calls from the graylist [10–13]. Mathieu proposed a framework including blacklists and whitelists in order to apply a statistical traffic analysis method using the number and duration of calls. Nevertheless, the list-based filtering approach has some limits. Indeed, spammers can easily change their addresses to elude detection. Therefore, list-based filtering is vulnerable to the Sybil attack, a threat against identity in which an individual entity masquerades as multiple simultaneous identities.

2.1.2 Reputation-based filtering
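
The list-based filtering principle of Sect. 2.1.1 and the per-identity limit it describes, as an added example that is not from the paper: a minimal Python filter with a blacklist, whitelist and graylist plus a call-count rule, replayed over two traffic patterns. The `ListFilter` class, the 60-second retry delay, the three-call threshold and the `bulk.example` SIP URIs are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

ACCEPT, REJECT, RETRY_LATER = "accept", "reject", "retry-later"

@dataclass
class ListFilter:
    """Per-identity list filter; thresholds are assumed values for illustration."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    graylist: dict = field(default_factory=dict)  # caller -> time of first attempt
    counts: dict = field(default_factory=dict)    # caller -> calls past the graylist
    retry_delay: float = 60.0  # seconds an unclassified caller must wait
    max_calls: int = 3         # calls per identity before it is blacklisted

    def decide(self, caller, now):
        if caller in self.blacklist:
            return REJECT
        if caller in self.whitelist:
            return ACCEPT
        first_seen = self.graylist.setdefault(caller, now)
        if now - first_seen < self.retry_delay:
            return RETRY_LATER  # temporary rejection of an unclassified caller
        self.counts[caller] = self.counts.get(caller, 0) + 1
        if self.counts[caller] > self.max_calls:
            self.blacklist.add(caller)  # call-count rule moves caller to blacklist
            return REJECT
        return ACCEPT

def replay(calls, flt):
    """Run (time_seconds, caller_uri) pairs through the filter; tally decisions."""
    return Counter(flt.decide(caller, now) for now, caller in calls)

# Constructed traffic: one first attempt at t=0, then eight calls after the delay.
SINGLE_ID = [(0, "sip:promo@bulk.example")] + [
    (60 + 10 * i, "sip:promo@bulk.example") for i in range(8)]
# Constructed traffic: the same eight calls, each from a different identity.
ROTATING = sorted(
    (t, f"sip:user{i}@bulk.example") for i in range(8) for t in (0, 60))

def compare():
    """Return decision tallies for the single-identity and rotating cases."""
    return replay(SINGLE_ID, ListFilter()), replay(ROTATING, ListFilter())

if __name__ == "__main__":
    single, rotating = compare()
    print("single identity   :", dict(single))
    print("rotating identity :", dict(rotating))
```

The single identity is blacklisted after its third accepted call, while the same call volume spread over eight identities is never rejected outright, which is the identity-based limit the section attributes to list-based filtering.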