Using a Trust Model to Reduce False Positives of SIP Flooding Attack Detection in IMS

The IP Multimedia Subsystem (IMS) is constantly evolving to meet the growth of mobile services and Internet applications. One major security problem of the IMS is flooding attacks. There are many works that have been proposed to detect such attacks. However, generally, the detection systems trigger many alarms and most of them are false positives. These false alarms impact the quality of the detection. In this paper, we first present a method to improve the detection accuracy of SIP flooding detection in IMS by using a trust model. The trust value is calculated by a communication activity between a caller and a callee. By this algorithm, the trust value of an attacker is lower than a legitimate user because it does not have real human activities. To evaluate the proposed method, we integrate the trust model with three SIP flooding attack detection algorithms: Cumulative sum, Hellinger distance, and Tanimoto distance. The system is evaluated by using a comprehensive traffic dataset that consists of varying legitimate and malicious traffic patterns. The experimental results show that the trust integration method can reduce false alarms and improve the accuracy of the flooding attack detection algorithms.