Analyzing Anomalies in Anonymized SIP Traffic

The Session Initiation Protocol (SIP) is a signaling protocol widely used nowadays for controlling multimedia communication sessions. Thus, understanding and troubleshooting SIP behavior is of utmost importance to network designers and operators. However, SIP traffic traces are hard to come by due to privacy and confidentiality issues. SIP contains a lot of personal information spread within the various SIP messages - IP addresses, names, usernames and domains, e-mail addresses etc. The known IP-address anonymization methods are thus insufficient. We present SiAnTo, an extended anonymization technique that substitutes session-participant information with matching, but nondescript, labels. This allows for SIP traces to be publicly shared, while keeping interesting traffic-session properties intact. We further demonstrate its usefulness by studying the problem of SIP NAT traversal as recorded in the anonymized traces. We analyze properties of the so-called "registration storm" incident and measure the influence of the active NAT traversal techniques on SIP traffic pattern, both only possible thanks to the preservation of session relationships inside the anonymized traces. As further benefit to the research community, we set up a public data-store with both the anonymization module and the anonymized traces available and invite other parties to share further SIP data using these open tools.