{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T21:34:43Z","timestamp":1769031283732,"version":"3.49.0"},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T00:00:00Z","timestamp":1768953600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T00:00:00Z","timestamp":1768953600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"France Relance"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"Abstract<\/jats:title>\n With their inherent capacity for massive connectivity, ultra-low latency and high reliability, B5G networks provide an ideal infrastructure to support the diverse and dynamic requirements of IoT (Internet of Things) communication. Originally designed to initiate, modify and terminate multimedia sessions over IP networks, the Session Initiation Protocol (SIP), a standardized protocol developed by the 3GPP, has emerged as a promising protocol for enabling communication and coordination in IoT environments. Nonetheless, SIP encounters a multitude of Distributed Denial of Service (DDoS) threats, with INVITE flooding attacks emerging as a notable challenge. Traditional IoT-IDS (Intrusion Detection System) relies on machine learning models trained on local data of their deployment context. However, such a model may not detect some attack patterns observed in other deployment contexts. We propose a design approach based on federated learning, and in which different IDS collaborate to achieve early detection of any INVITE flooding attack faced by any of them. The results show the effectiveness of the framework in detecting and mitigating INVITE flooding attacks across a various of flow intensities under realistic SIP operational conditions. Performance evaluations under different relevant scenarios demonstrate the robustness of the proposed framework. Experiments show that federated learning (FL) enhances the analysis of SIP flooding attacks, improving accuracy from 47 to 99% through knowledge sharing. The FL model with a GRU architecture and a FedAvgM aggregation function delivers the best performance, even in varied scenarios.<\/jats:p>","DOI":"10.1186\/s42400-025-00527-6","type":"journal-article","created":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T06:16:13Z","timestamp":1768976173000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["SIP-DDoS framework based on federated learning for collaborative anomaly detection"],"prefix":"10.1186","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4826-4446","authenticated-orcid":false,"given":"Oussama","family":"Sbai","sequence":"first","affiliation":[]},{"given":"Benjamin","family":"Allaert","sequence":"additional","affiliation":[]},{"given":"Patrick","family":"Sondi","sequence":"additional","affiliation":[]},{"given":"Ahmed","family":"Meddahi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,1,21]]},"reference":[{"key":"527_CR1","doi-asserted-by":"crossref","unstructured":"Khalil H, Elgazzar K (2023) Leveraging blockchain for device registration and authentication in tsip-based phone-of-things (pot) systems. In: 2023 International wireless communications and mobile computing (IWCMC), IEEE, pp 1605\u20131612","DOI":"10.1109\/IWCMC58020.2023.10183200"},{"issue":"9","key":"527_CR2","doi-asserted-by":"publisher","first-page":"2085","DOI":"10.3390\/math11092085","volume":"11","author":"C Meshram","year":"2023","unstructured":"Meshram C, Lee C-C, Bahkali I, Imoize AL (2023) An efficient fractional chebyshev chaotic map-based three-factor session initiation protocol for the human-centered iot architecture. Mathematics 11(9):2085","journal-title":"Mathematics"},{"key":"527_CR3","doi-asserted-by":"crossref","unstructured":"Yang I-F, Lin Y-C, Yang S-R, Lin P (2021) The implementation of a sip-based service platform for 5g iot applications. In: 2021 IEEE 93rd vehicular technology conference (VTC2021-Spring), IEEE, pp 1\u20136","DOI":"10.1109\/VTC2021-Spring51267.2021.9448772"},{"issue":"16","key":"527_CR4","doi-asserted-by":"publisher","first-page":"14167","DOI":"10.1109\/JIOT.2023.3265674","volume":"10","author":"S-R Yang","year":"2023","unstructured":"Yang S-R, Lin Y-C, Lin P, Fang Y (2023) Aiottalk: a sip-based service platform for heterogeneous artificial intelligence of things applications. IEEE Internet Things J 10(16):14167\u201314181","journal-title":"IEEE Internet Things J"},{"issue":"4","key":"527_CR5","doi-asserted-by":"publisher","first-page":"1423","DOI":"10.1007\/s11036-022-01973-z","volume":"27","author":"N Mahajan","year":"2022","unstructured":"Mahajan N, Chauhan A, Kumar H, Kaushal S, Sangaiah AK (2022) A deep learning approach to detection and mitigation of distributed denial of service attacks in high availability intelligent transport systems. Mobile Netw Appl 27(4):1423\u20131443","journal-title":"Mobile Netw Appl"},{"issue":"1","key":"527_CR6","doi-asserted-by":"publisher","first-page":"783","DOI":"10.1109\/TIE.2022.3148736","volume":"70","author":"Y Yu","year":"2023","unstructured":"Yu Y, Liu G-P, Zhou X, Hu W (2023) Blockchain protocol-based predictive secure control for networked systems. IEEE Trans Industr Electron 70(1):783\u2013792. https:\/\/doi.org\/10.1109\/TIE.2022.3148736","journal-title":"IEEE Trans Industr Electron"},{"key":"527_CR7","doi-asserted-by":"crossref","unstructured":"Garroppo RG, Gazzarrini L, Giordano S, Pagano M, Tavanti L (2016) A sip-based home gateway for domotics systems: from the architecture to the prototype. In: Computer networks: 23rd tnternational conference, CN 2016, Brun\u00f3w, Poland, June 14-17, 2016, Proceedings 23, Springer, pp 344\u2013359","DOI":"10.1007\/978-3-319-39207-3_30"},{"key":"527_CR8","doi-asserted-by":"crossref","unstructured":"Andriopoulou F, Orphanoudakis T, Dagiuklas T (2017) Iota: Iot automated sip-based emergency call triggering system for general ehealth purposes. In: 2017 IEEE 13th international conference on wireless and mobile computing, networking and communications (WiMob), IEEE, pp 362\u2013369","DOI":"10.1109\/WiMOB.2017.8115830"},{"key":"527_CR9","doi-asserted-by":"crossref","unstructured":"Andriopoulou F, Fanariotis A, Orphanoudakis T (2018) Seek: sip-based emergency embedded framework supports elderly and disabled to perform emergency calls. In: 2018 21st Euromicro conference on digital system design (DSD), IEEE, pp 442\u2013449","DOI":"10.1109\/DSD.2018.00080"},{"key":"527_CR10","doi-asserted-by":"crossref","unstructured":"Singla K, Arora R, Kaushal S (2021) An approach towards iot-based healthcare management system. In: Proceedings of the sixth international conference on mathematics and computing: ICMC 2020, Springer, pp 345\u2013356","DOI":"10.1007\/978-981-15-8061-1_27"},{"key":"527_CR11","doi-asserted-by":"crossref","unstructured":"Sbai O, Allaert B, Sondi P, Meddahi A (2023) SIP-DDoS: SIP framework for DDoS intrusion detection based on recurrent neural networks. In: International conference on machine learning for networking, Springer, pp 72\u201389","DOI":"10.1007\/978-3-031-59933-0_6"},{"key":"527_CR12","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1109\/OJCS.2023.3312299","volume":"4","author":"VT Truong","year":"2023","unstructured":"Truong VT, Le LB (2023) Metacids: privacy-preserving collaborative intrusion detection for metaverse based on blockchain and online federated learning. IEEE Open J Compute Soc 4:253\u2013266","journal-title":"IEEE Open J Compute Soc"},{"key":"527_CR13","doi-asserted-by":"publisher","DOI":"10.1016\/j.adhoc.2024.103540","volume":"162","author":"D Javeed","year":"2024","unstructured":"Javeed D, Saeed MS, Adil M, Kumar P, Jolfaei A (2024) A federated learning-based zero trust intrusion detection system for internet of things. Ad Hoc Netw 162:103540","journal-title":"Ad Hoc Netw"},{"issue":"2","key":"527_CR14","doi-asserted-by":"publisher","first-page":"2455","DOI":"10.1109\/JSYST.2023.3236995","volume":"17","author":"J Li","year":"2023","unstructured":"Li J, Tong X, Liu J, Cheng L (2023) An efficient federated learning system for network intrusion detection. IEEE Syst J 17(2):2455\u20132464","journal-title":"IEEE Syst J"},{"key":"527_CR15","unstructured":"SIPp: SIPp. https:\/\/sipp.sourceforge.net\/"},{"key":"527_CR16","doi-asserted-by":"publisher","first-page":"112574","DOI":"10.1109\/ACCESS.2020.3001688","volume":"8","author":"IM Tas","year":"2020","unstructured":"Tas IM, Unsalver BG, Baktir S (2020) A novel sip based distributed reflection denial-of-service attack and an effective defense mechanism. IEEE access 8:112574\u2013112584","journal-title":"IEEE access"},{"key":"527_CR17","doi-asserted-by":"crossref","unstructured":"Aldhaheri A, Alwahedi F, Ferrag MA, Battah A (2023) Deep learning for cyber threat detection in iot networks: a review. Internet of Things and Cyber-Phys Syst","DOI":"10.1016\/j.iotcps.2023.09.003"},{"key":"527_CR18","doi-asserted-by":"crossref","unstructured":"Mukhaini GA, Anbar M, Manickam S, Al-Amiedy TA, Al\u00a0Momani A (2023) A systematic literature review of recent lightweight detection approaches leveraging machine and deep learning mechanisms in internet of things networks. J King Saud Univ-Compute Inform Sci 101866","DOI":"10.1016\/j.jksuci.2023.101866"},{"key":"527_CR19","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2024.101063","volume":"25","author":"S Trilles","year":"2024","unstructured":"Trilles S, Hammad SS, Iskandaryan D (2024) Anomaly detection based on artificial intelligence of things: a systematic literature mapping. Internet of Things 25:101063","journal-title":"Internet of Things"},{"issue":"1","key":"527_CR20","doi-asserted-by":"publisher","first-page":"32","DOI":"10.3390\/fi16010032","volume":"16","author":"H Khazane","year":"2024","unstructured":"Khazane H, Ridouani M, Salahdine F, Kaabouch N (2024) A holistic review of machine learning adversarial attacks in iot networks. Future Internet 16(1):32","journal-title":"Future Internet"},{"issue":"10","key":"527_CR21","doi-asserted-by":"publisher","first-page":"2287","DOI":"10.3390\/electronics12102287","volume":"12","author":"M Moshawrab","year":"2023","unstructured":"Moshawrab M, Adda M, Bouzouane A, Ibrahim H, Raad A (2023) Reviewing federated learning aggregation algorithms; strategies, contributions, limitations and future perspectives. Electronics 12(10):2287","journal-title":"Electronics"},{"key":"527_CR22","doi-asserted-by":"publisher","first-page":"346","DOI":"10.1016\/j.comcom.2022.09.012","volume":"195","author":"S Agrawal","year":"2022","unstructured":"Agrawal S, Sarkar S, Aouedi O, Yenduri G, Piamrat K, Alazab M, Bhattacharya S, Maddikunta PKR, Gadekallu TR (2022) Federated learning for intrusion detection system: concepts, challenges and future directions. Comput Commun 195:346\u2013361","journal-title":"Comput Commun"},{"issue":"3","key":"527_CR23","doi-asserted-by":"publisher","first-page":"2309","DOI":"10.1109\/TNSM.2022.3177512","volume":"19","author":"L Lavaur","year":"2022","unstructured":"Lavaur L, Pahl M-O, Busnel Y, Autrel F (2022) The evolution of federated learning-based intrusion detection and mitigation: a survey. IEEE Trans Netw Serv Manage 19(3):2309\u20132332","journal-title":"IEEE Trans Netw Serv Manage"},{"key":"527_CR24","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.108661","volume":"203","author":"EM Campos","year":"2022","unstructured":"Campos EM, Saura PF, Gonz\u00e1lez-Vidal A, Hern\u00e1ndez-Ramos JL, Bernabe JB, Baldini G, Skarmeta A (2022) Evaluating federated learning for intrusion detection in internet of things: review and challenges. Comput Netw 203:108661","journal-title":"Comput Netw"},{"key":"527_CR25","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.108283","volume":"197","author":"C Alvares","year":"2021","unstructured":"Alvares C, Dinesh D, Alvi S, Gautam T, Hasib M, Raza A (2021) Dataset of attacks on a live enterprise voip network for machine learning based intrusion detection and prevention systems. Comput Netw 197:108283","journal-title":"Comput Netw"},{"key":"527_CR26","doi-asserted-by":"crossref","unstructured":"Nassar M, State R, Festor O (2010) Labeled voip data-set for intrusion detection evaluation. In: Meeting of the European network of universities and companies in information and communication engineering, Springer, pp 97\u2013106","DOI":"10.1007\/978-3-642-13971-0_10"},{"key":"527_CR27","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103560","volume":"136","author":"UK Lilhore","year":"2024","unstructured":"Lilhore UK, Dalal S, Simaiya S (2024) A cognitive security framework for detecting intrusions in iot and 5g utilizing deep learning. Compute Secur 136:103560","journal-title":"Compute Secur"},{"key":"527_CR28","doi-asserted-by":"publisher","first-page":"62722","DOI":"10.1109\/ACCESS.2022.3176317","volume":"10","author":"I Ullah","year":"2022","unstructured":"Ullah I, Mahmoud QH (2022) Design and development of rnn anomaly detection model for iot networks. IEEE Access 10:62722\u201362750","journal-title":"IEEE Access"},{"key":"527_CR29","doi-asserted-by":"publisher","first-page":"2269","DOI":"10.1109\/ACCESS.2021.3137201","volume":"10","author":"M Zeeshan","year":"2021","unstructured":"Zeeshan M, Riaz Q, Bilal MA, Shahzad MK, Jabeen H, Haider SA, Rahim A (2021) Protocol-based deep intrusion detection for dos and ddos attacks using unsw-nb15 and bot-iot data-sets. IEEE Access 10:2269\u20132283","journal-title":"IEEE Access"},{"key":"527_CR30","doi-asserted-by":"publisher","first-page":"165557","DOI":"10.1109\/ACCESS.2021.3135195","volume":"9","author":"D Pereira","year":"2021","unstructured":"Pereira D, Oliveira R, Kim HS (2021) Classification of abnormal signaling sip dialogs through deep learning. IEEE Access 9:165557\u2013165567","journal-title":"IEEE Access"},{"issue":"2","key":"527_CR31","doi-asserted-by":"publisher","first-page":"27","DOI":"10.3390\/computers11020027","volume":"11","author":"D Pereira","year":"2022","unstructured":"Pereira D, Oliveira R (2022) Detection of abnormal sip signaling patterns: a deep learning comparison. Computers 11(2):27","journal-title":"Computers"},{"issue":"20","key":"527_CR32","doi-asserted-by":"publisher","first-page":"5875","DOI":"10.3390\/s20205875","volume":"20","author":"W Nazih","year":"2020","unstructured":"Nazih W, Hifny Y, Elkilani WS, Dhahri H, Abdelkader T (2020) Countering ddos attacks in sip based voip networks using recurrent neural networks. Sensors 20(20):5875","journal-title":"Sensors"},{"key":"527_CR33","doi-asserted-by":"crossref","unstructured":"Stanek J, Kencl L (2011) Sipp-dd: sip ddos flood-attack simulation tool. In: 2011 Proceedings of 20th international conference on computer communications and networks (ICCCN), IEEE, pp 1\u20137","DOI":"10.1109\/ICCCN.2011.6005946"},{"key":"527_CR34","doi-asserted-by":"crossref","unstructured":"Meddahi A, Drira H, Meddahi A (2021) Sip-gan: generative adversarial networks for sip traffic generation. In: 2021 International symposium on networks, computers and communications (ISNCC), IEEE, pp 1\u20136","DOI":"10.1109\/ISNCC52172.2021.9615632"},{"issue":"1","key":"527_CR35","doi-asserted-by":"publisher","first-page":"286","DOI":"10.1109\/TII.2022.3156642","volume":"19","author":"O Aouedi","year":"2022","unstructured":"Aouedi O, Piamrat K, Muller G, Singh K (2022) Federated semisupervised learning for attack detection in industrial internet of things. IEEE Trans Industr Inf 19(1):286\u2013295","journal-title":"IEEE Trans Industr Inf"},{"issue":"9","key":"527_CR36","doi-asserted-by":"publisher","first-page":"15704","DOI":"10.1109\/JIOT.2023.3348117","volume":"11","author":"W Yao","year":"2023","unstructured":"Yao W, Zhao H, Shi H (2023) Privacy-preserving collaborative intrusion detection in edge of internet of things: a robust and efficient deep generative learning approach. IEEE Internet Things J 11(9):15704\u201315722","journal-title":"IEEE Internet Things J"},{"key":"527_CR37","doi-asserted-by":"publisher","first-page":"52215","DOI":"10.1109\/ACCESS.2024.3386631","volume":"12","author":"M Bhavsar","year":"2024","unstructured":"Bhavsar M, Bekele Y, Roy K, Kelly J, Limbrick D (2024) Fl-ids: federated learning-based intrusion detection system using edge devices for transportation iot. IEEE Access 12:52215\u201352226","journal-title":"IEEE Access"},{"key":"527_CR38","doi-asserted-by":"publisher","first-page":"42357","DOI":"10.1109\/ACCESS.2024.3378727","volume":"12","author":"Y Alhasawi","year":"2024","unstructured":"Alhasawi Y, Alghamdi S (2024) Federated learning for decentralized ddos attack detection in iot networks. IEEE Access 12:42357\u201342368","journal-title":"IEEE Access"},{"key":"527_CR39","doi-asserted-by":"crossref","unstructured":"Rosenberg J, Schulzrinne H, Camarillo G, Johnston A, Peterson J, Sparks R, Handley M, Schooler E (2002) Sip: session initiation protocol. Technical report","DOI":"10.17487\/rfc3261"},{"issue":"18","key":"527_CR40","doi-asserted-by":"publisher","first-page":"4436","DOI":"10.1002\/sec.1328","volume":"8","author":"I Hussain","year":"2015","unstructured":"Hussain I, Djahel S, Zhang Z, Na\u00eft-Abdesselam F (2015) A comprehensive study of flooding attack consequences and countermeasures in session initiation protocol (sip). Secur Commun Netw 8(18):4436\u20134451","journal-title":"Secur Commun Netw"},{"key":"527_CR41","unstructured":"Kone\u010dn\u1ef3 J, McMahan HB, Ramage D, Richt\u00e1rik P (2016) Federated optimization: distributed machine learning for on-device intelligence. arXiv preprint arXiv:1610.02527"},{"key":"527_CR42","unstructured":"Hsu T-MH, Qi H, Brown M (2019) Measuring the effects of non-identical data distribution for federated visual classification. arXiv preprint arXiv:1909.06335"},{"key":"527_CR43","unstructured":"Reddi S, Charles Z, Zaheer M, Garrett Z, Rush K, Kone\u010dn\u1ef3 J, Kumar S, McMahan HB (2020) Adaptive federated optimization. arXiv preprint arXiv:2003.00295"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00527-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00527-6","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00527-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T06:16:17Z","timestamp":1768976177000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-025-00527-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,21]]},"references-count":43,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["527"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00527-6","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,21]]},"assertion":[{"value":"13 August 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 November 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"109"}}