Machine learning keeps emergency response systems available under attack

Everyone should be able to access emergency calling services at any time, in any place, and under any condition. But this is not always true. The next-generation 9-1-1 (NG911 in America, NG112 in Europe) systems consist of several entities that need to offer non-stop emergency services. Apart from technical difficulties, like for example the low signal strength of the emergency caller's mobile device, these services face also malicious challenges coming from outside the perimeter of the architecture.

The NG911 architecture is prone to a number of different threats that may affect the integrity and the availability of the system. The most common and devastating is a variation of denial of service (DoS) attacks called distributed denial of service (DDoS) attacks. Both rely on the exploitation of weaknesses with aim to set the system out of service by sending a plethora of requests. DDoS is more powerful because its distributed nature, coming from many compromised systems, makes it difficult to prevent/detect.

One flavor of DDoS attacks is known as telephony denial of service (TDoS). The intent of TDoS is to create a large volume of calls which will be left unanswered.

The dilemma, when designing an intrusion detection system (IDS) for critical infrastructures, is how to detect and respond to these threats without introducing significant delays into the NG911 ecosystem. Machine learning (ML) holds great potential, but it’s not without some debate.

Figure1: Abstract overview of the NG911 solution

Emergency response time

There are different ways to launch a TDoS attack. One of the most common relies on the exploitation of a botnet. Currently, a new army of infected zombies, the Mirai botnet, has been presented in the scientific community [1]. In the case of emergency calling centers, a TDoS can occupy the agents in a public safety answering point (PSAP) and thus the legitimate calls cannot be served [2]. When this happens, the genuine calls are usually stuck in a call queue waiting for a couple of minutes. These minutes may be proven crucial for the emergency caller. Indeed, every second is important.

ML-based DDoS detection

In the interest of safeguarding those crucial seconds, in the last decade there is a blooming on ML-based IDS [3]. One question that arises at this point is whether an ML-based solution could tackle the DDoS prevention/detection problem. The main problem of these solutions pertains to the fact that while they do usually offer novel mechanisms to combat security flaws, they do not provide proofs for the efficiency of their deployment on real-time systems. Thus, the main question in this case revolves around the time overhead introduced in the NG911 infrastructure. Can the system consume this overhead without affecting the emergency calling service?

When one talks about the detection of DDoS, by exploiting ML-driven solutions, the first thing that comes to our minds is related to analytical training and classification. The training phase pertains to a first-analysis method, which aims to produce a set of categories from the input data. This model can be used in a later time, during the classification phase, to decide which is the category that better matches the inputs we want to access. It is obvious that these phases need enough time to be completed. But is this time restrictive for an emergency caller?

Table 1 (from research I co-authored) offers the overall overview of the time costs for all the ML-based IDS techniques that have been tested [4].

The dilemma, when designing an intrusion detection system (IDS) for critical infrastructures, is how to detect and respond to these threats without introducing significant delays into the NG911 ecosystem. Machine learning (ML) holds great potential, but it’s not without some debate.

ClassifierMinMaxAvgSt. Dev
Naïve Bayes0.15171.133.487.76
Neural Networks0.10129.203.427.74
Decision Trees (J48)0.08388.013.287.91
Random Forest0.0891.743.567.72


Table1: Classification overhead


The selection of the appropriate ML technique depends on the actual problem that needs to be addressed. For example, it is totally different to perform packet classification [4], or RTP stream classification using deep learning [5].

In this respect, every time we reach a decision to deploy an ML IDS solution, the following issues need to be taken into account:

  • What is the problem we want to address (i.e., detection of DDoS attacks, etc.)?
  • Which element will host the ML solution?
  • What is the performance overhead (i.e., CPU, memory etc.)?
  • What is the routing overhead?
  • What are the security concerns of the ML solution?

Can your emergency call wait for a while?

It becomes apparent that the availability of emergency calling services is a sine qua non for the efficient handling of emergency incidents. To this end, the introduction of a few milliseconds’ delay to the handling of an emergency incident is something that most probably would not make any difference to the emergency callers. In any case, the lower the delay of connecting an emergency caller with a PSAP agent, the better for saving lives.

[1] Kolias, Constantinos, et al. "DDoS in the IoT: Mirai and other botnets." Computer 50.7 (2017): 80-84. [2] Mirsky, Yisroel, and Mordechai Guri. "DDoS Attacks on 9-1-1 Emergency Services." IEEE Transactions on Dependable and Secure Computing (2020). [3] Mishra, Preeti, et al. "A detailed investigation and analysis of using machine learning techniques for intrusion detection." IEEE Communications Surveys & Tutorials 21.1 (2018): 686-728. [4] Tsiatsikas, Zisis, et al. "Realtime DDoS detection in SIP ecosystems: Machine learning tools of the trade." International Conference on Network and System Security. Springer, Cham, 2016. [5] Karpathy, Andrej, et al. "Large-scale video classification with convolutional neural networks." Proceedings of the IEEE conference on Computer Vision and Pattern Recognition, 2014.

Share this blog article

  • Share on Linked In

About Zisis Tsiatsikas
Innovation and Patent Advisor
Zisis Tsiatsikas was born in Thessaloniki, Greece, in 1986. He earned a diploma (2011), an MSc (2013) and a Ph.D (2019) in Network Security under the supervision of Professor Georgios Kambourakis. All from the Department of Information and Communication Systems Engineering of the University of the Aegean, at Samos island, Greece. He started his professional steps as a junior researcher and a lab teaching assistant in the same department back in 2012. Since 2016, he’s worked for Unify as an R&D Engineer in the NG911 project. Additionally, he participates in the unified communications and collaboration patent office. During this period, he’s had the chance to collaborate with different engineers, contributing both to the development lifecycle and the patent process. He was recognized by Unify as the Inventor of the Year 2019, out of 123 inventors, for scoring the highest number of first filings in 2019.

Follow or contact Zisis