Exposing resource consumption attacks in internet multimedia services

Attackers always find ways to elude the employed security mechanisms of a system, no matter how strong they are. Nevertheless, audit trails - which as a rule of thumb are kept by any service provider - store all the events pertaining to the service of interest. Therefore, audit trail data can be a valuable ally when it comes to the certification of the security level of a given service. This stands especially true for critical realtime services such as multimedia ones, which nowadays are on the rise. This work proposes a practical, simple to implement yet powerful solution based on the Hellinger Distance metric for conducting audit trail analysis destined to expose security incidents. Our solution relies on a set of different features existing in the app layer protocol for session handling in order to classify the analyzed traffic as intrusive or not. Taking the well-known Session Initiation Protocol (SIP) as an example, we thoroughly evaluate the effectiveness of the proposed detection scheme in terms of accuracy under various realistic scenarios. The outcomes reveal competitive detection rates in terms of false positives and negatives and can be used as a reference for future works in the field.