Private:sip botnet

Detection of Botnets Mounted on the Session Initiation Protocol

A botnet is a group of compromised computers (called bots) controlled by remote attackers to distribute spam emails, launch denial-of-service attacks, and perform other malicious activities. Botnets can be deployed on top of different protocols, such as Internet Relay Chat (IRC), the Hypertext Transfer Protocol (HTTP), and the Session Initiation Protocol (SIP). SIP is widely used to initiate voice over IP sessions, and it has recently been adopted by the telecommunications standards bodies as the signaling protocol for mobile telecommunication core networks. This adoption will expose a huge number of devices to potential recruitment into botnets. Therefore, botnets deployed over SIP present a serious threat to the Internet. We propose a novel approach to detect SIP botnets by looking for users who behave in similar and coordinated patterns. We show through extensive experimental evaluations that the proposed approach achieves low false positive and false negative rates.
