Detection of botnets mounted on the Session Initiation Protocol

A botnet is a group of compromised computers (called bots) controlled by remote attackers to distribute spam emails, launch denial of service attacks, and perform other malicious activities. Botnets can be deployed on top of different protocols, such as the Internet Relay Chat (IRC), the Hyper Text Transfer Protocol (HTTP), and the Session Initiation Protocol (SIP). The SIP is widely used to initiate voice over IP, and it has been recently adopted by the telecommunications standards bodies to be the signaling protocol for mobile telecommunication core networks. Such adoption will introduce a huge number of potential devices to botnets. Therefore, botnets deployed over the SIP present a serious threat for the Internet. We propose a novel approach to detect SIP botnets by looking for users who behave in similar and coordinated patterns. We show through extensive experimental evaluations that the proposed approach achieves low false positive and false negative rates.