Identifying Anomalous Transitions in SIP Traffic Using PDFA State Merging

Master Thesis (2019)
Author(s)

H. Reinbergen (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

Sicco Verwer – Mentor (TU Delft - Cyber Security)

Faculty
Electrical Engineering, Mathematics and Computer Science
Copyright
© 2019 Hugo Reinbergen
Publication Year
2019
Language
English
Graduation Date
23-08-2019
Awarding Institution
Delft University of Technology
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The analysis of lawfully intercepted traffic is a key part of many investigations of criminal activity. This makes it vitally important that the intercepted data is correct and that the configuration of the network or interception solution does not contain errors. A late discovery of a problem in either the network setup or the traffic delivered to law enforcement can lead to loss of crucial information.

This thesis presents a method that aids in the timely discovery of such issues by using machine learning to create a state machine that models the traffic of a SIP network. This state machine is learned by state merging with the blue-fringe algorithm, using multiple statistical tests. The state machine is learned in an unsupervised manner from completely anonymised data. Any new network trace can be classified by the state machine using the probabilities of the transitions found in the model. Any sequence in the trace that contains a transition below a certain threshold is seen as anomalous.

The result of this method is a model that can identify anomalies in a large dataset with 99% recall and 81% precision. It is also shown that the model can identify the errors in the data from an incorrect configuration encountered in the past. This is done in a white-box fashion that shows exactly which transitions in the SIP traffic are incorrect. Being able to do this gives the opportunity to prevent a loss of critical data for an investigation by alerting operators to errors in the network as soon as possible. This allows them to resolve the issues faster and gather as much evidence as possible.
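A minimal sketch of the classification step described in the abstract, written here as an added example rather than code from the thesis: it builds the prefix-tree PDFA that state merging would start from (the blue-fringe merging and its statistical tests are omitted), estimates each transition's probability from counts, and reports the exact transition in a new trace that falls below the threshold. The SIP dialogs, the 0.05 threshold and the function names are constructed for this example.

```python
from collections import defaultdict

START = ()  # root state of the prefix tree: no symbols seen yet

# Constructed SIP dialogs reduced to method/response symbols; stand-ins for
# anonymised intercepted traces, not data from the thesis.
TRAINING_TRACES = (
    [["INVITE", "100", "180", "200", "ACK", "BYE", "200"]] * 40  # normal call
    + [["INVITE", "100", "486", "ACK"]] * 8                      # busy here
    + [["INVITE", "100", "180", "ACK"]]                          # one malformed dialog
)

def learn_pdfa(traces):
    """Build the prefix-tree PDFA that blue-fringe merging would start from.
    A state is the tuple of symbols seen so far; returns P(symbol | state)."""
    counts = defaultdict(lambda: defaultdict(int))
    for trace in traces:
        state = START
        for sym in trace:
            counts[state][sym] += 1
            state = state + (sym,)
    return {state: {sym: n / sum(out.values()) for sym, n in out.items()}
            for state, out in counts.items()}

def anomalous_transitions(model, trace, threshold):
    """Walk a trace through the model and return (position, symbol, probability)
    for every transition below the threshold. A transition never seen in
    training has probability 0.0 and ends the walk, because the model has no
    continuation from that point."""
    flagged = []
    state = START
    for pos, sym in enumerate(trace):
        p = model.get(state, {}).get(sym, 0.0)
        if p < threshold:
            flagged.append((pos, sym, p))
            if p == 0.0:
                break
        state = state + (sym,)
    return flagged

def is_anomalous(model, trace, threshold=0.05):
    """A trace is anomalous if any of its transitions falls below the threshold."""
    return bool(anomalous_transitions(model, trace, threshold))

MODEL = learn_pdfa(TRAINING_TRACES)

if __name__ == "__main__":
    for trace in (["INVITE", "100", "486", "ACK"],
                  ["INVITE", "100", "180", "ACK"],
                  ["INVITE", "100", "180", "200", "BYE"]):
        print(trace, anomalous_transitions(MODEL, trace, 0.05))
```

The flagged tuples are the white-box output: the operator sees which SIP transition deviated (here an ACK sent without a preceding 200 OK, or a BYE where the model has only ever seen an ACK), rather than a bare anomaly score.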

Files

Report.pdf
(pdf | 0 Mb)
License info not available

File under embargo until 23-08-2029