Design And Implementation Of A Featured-Based Automatic Generation Algorithm For Detecting Malformed SIP Message

The Session Initiation Protocol (SIP) has been used widely for Voice over IP (VoIP) services because of its potential advantages, economical efficiency and call setup simplicity. However, SIP-based VoIP services suffer from security flaws, because SIP is based on plain text. So SIP is susceptible to malformed message attacks. To prevent the use of malformed messages, using rule matching is more effective.As a result, a malformed SIP signaling detection method, which can automatically generate regular expressions according to ABNF pattern in RFC3261 of SIP rules, is proposed in this paper. This method can automatically generate a set of paradigm of regular expressions by defining ABNF before; this set of regular expressions can be used for intrusion detection systems for SIP malformed message attacks detection.In the malformed messages pre-processing module, this paper introduces the basic theory about SIP and studies the paradigm of ABNF lexical and syntax, and proposed a method to generate SIP rule regular expressions by utilizing a compiler, which made use of ABNF grammar, parsing, and finally automatically generate SIP regular expressions. In the abnormal detection module, the SIP regular expressions are used as detection rule to detect malformed messages.This paper also derives regular expressions from SIP ABNF definition paticularly. To illustrate the implementation, this paper chooses one rule as an example to analyze the program flow. Then, this paper set up an experimental environment to verify that the regular expressions is equivalent with the definition of SIP protocol rules. The result of the experiments shows that the regular expressions generated by this method are completed and definite for the definition of the ABNF pattern in RFC 3261. Moreover, the detection rate for those messages which are not in compliance with the rules in RFC 3261 is 100%, and false detection rate is 0. In order to prove that the pre-processing module gets higher fault tolerance, this paper compares them by handling error inputs.Finally, this paper presents that the regular expressions is alreay used in a VoIP defense system in practical, aim to detect abnormal SIP signals.