Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection
Abstract
:1. Introduction
2. Background
2.1. IPv6 and ICMPv6 Protocols
2.2. Existing IDSs’ Representations
2.2.1. Packet-Based Representation
2.2.2. Flow-Based Representation
3. Literature Review
3.1. Signature-Based IDSs
3.2. Anomaly-Based IDSs
3.2.1. Rules Anomaly-Based IDS
3.2.2. Machine Learning Anomaly-Based IDS
4. Proposed Flow-Based IDS
4.1. Data Collection and Preprocessing Stage
4.1.1. Network Packet Capturing Step
4.1.2. ICMPv6 Packet Filtering Step
4.1.3. Packets Attribute Extraction Step
4.2. Flow Construction and Basic Features Identification Stage
4.2.1. Flow Construction Step
4.2.2. Flow Aggregation Step
4.2.3. Flow Features Extraction Step
4.3. Data Enrichment Stage
4.3.1. Flow Enrichment Step
4.3.2. IP Behavior-Based Enrichment Steps
4.4. Flow-Based Feature Reduction Stage
4.5. ICMPv6-DDoS Attack Detection Stage
5. Analysis of Results and Discussions
5.1. Flow Dataset
5.2. Evaluation Metrics
5.3. Results
5.3.1. Result of Flow-Based Features Reduction Stage
5.3.2. Result of ICMPv6-DDoS Attacks Detection Stage
5.4. Discussion
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Elejla, O.E.; Belaton, B.; Anbar, M.; Smadi, I.M. A New Set of Features for Detecting Router Advertisement Flooding Attacks. In Proceedings of the 2017 Palestinian International Conference on Information and Communication Technology (PICICT), Gaza, Palestine, 8–9 May 2017; pp. 1–5. [Google Scholar] [CrossRef]
- Bahashwan, A.A.; Anbar, M.; Hanshi, S.M. Overview of IPv6 Based DDoS and DoS Attacks Detection Mechanisms. In Communications in Computer and Information Science; Springer: Singapore, 2020; Volume 1132 CCIS, pp. 153–167. [Google Scholar] [CrossRef]
- Conta, A.; Deering, S. Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. RFC 4443. 2006. Available online: https://www.rfc-editor.org/info/rfc4443 (accessed on 14 September 2022). [CrossRef] [Green Version]
- Elejla, O.E.; Anbar, M.; Hamouda, S.; Faisal, S.; Bahashwan, A.A.; Hasbullah, I.H. Deep-Learning-Based Approach to Detect ICMPv6 Flooding DDoS Attacks on IPv6 Networks. Appl. Sci. 2022, 12, 6150. [Google Scholar] [CrossRef]
- Hammoodi, A.; Mohammed, H.; Taief, A.; Alamiedy, A. Deep learning approach for detecting router advertisement flooding-based DDoS attacks. J. Ambient. Intell. Humaniz. Comput. 2022, 13, 1–15. [Google Scholar] [CrossRef]
- Hoque, N.; Bhuyan, M.H.; Baishya, R.; Bhattacharyya, D.; Kalita, J. Network attacks: Taxonomy, tools and systems. J. Netw. Comput. Appl. 2014, 40, 307–324. [Google Scholar] [CrossRef]
- Elejla, O.E.; Belaton, B.; Anbar, M.; Alnajjar, A. Intrusion Detection Systems of ICMPv6-based DDoS attacks. Neural Comput. Appl. 2018, 30, 45–56. [Google Scholar] [CrossRef]
- Elejla, O.E.; Anbar, M.; Belaton, B.; Alijla, B.O. Flow-Based IDS for ICMPv6-Based DDoS Attacks Detection. Arab. J. Sci. Eng. 2018, 43, 7757–7775. [Google Scholar] [CrossRef]
- Bahashwan, A.A.; Anbar, M.; Hasbullah, I.H.; Alashhab, Z.R.; Bin-Salem, A. Flow-Based Approach to Detect Abnormal Behavior in Neighbor Discovery Protocol (NDP). IEEE Access 2021, 9, 45512–45526. [Google Scholar] [CrossRef]
- Alsadhan, A.A.; Hussain, A.; Alani, M.M. Detecting NDP distributed denial of service attacks using machine learning algorithm based on flow-based representation. In Proceedings of the International Conference on Developments in eSystems Engineering, DeSE, Cambridge, UK, 2–5 September 2018; pp. 134–140. [Google Scholar] [CrossRef]
- Anbar, M.; Abdullah, R.; Saad, R.M.; Alomari, E.; Alsaleem, S. Review of security vulnerabilities in the IPv6 neighbor discovery protocol. In Information Science and Applications (ICISA); Lecture Notes in Electrical Engineering; Springer: Singapore, 2016; Volume 376, pp. 603–612. [Google Scholar] [CrossRef]
- Tayyab, M.; Belaton, B.; Anbar, M. ICMPv6-Based DoS and DDoS Attacks Detection Using Machine Learning Techniques, Open Challenges, and Blockchain Applicability: A Review. IEEE Access 2020, 8, 170529–170547. [Google Scholar] [CrossRef]
- Heslop, B. By 2030, Each Person Will Own 15 Connected Devices—Here’s What That Means for Your Business and Content. 2019. Available online: https://www.spiceworks.com/tech/iot/articles/by-2030-each-person-will-own-15-connected-devices-heres-what-that-means-for-your-business-and-content/ (accessed on 10 September 2022).
- Anbar, M.; Abdullah, R.; Saad, R.M.; Hasbullah, I.H. Review of preventive security mechanisms for neighbour discovery protocol. Adv. Sci. Lett. 2017, 23, 11306–11310. [Google Scholar] [CrossRef]
- Heuse, M. THC IPv6 Attack Tool kit. 2013. Available online: https://www.thc.org (accessed on 10 September 2022).
- Elejla, O.E.; Anbar, M.; Belaton, B.; Hamouda, S. Labeled flow-based dataset of ICMPv6-based DDoS attacks. Neural Comput. Appl. 2019, 31, 3629–3646. [Google Scholar] [CrossRef]
- Anbar, M.; Abdullah, R.; Al-Tamimi, B.N.; Hussain, A. A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks. Cogn. Comput. 2018, 10, 201–214. [Google Scholar] [CrossRef] [Green Version]
- Sperotto, A. Flow-Based Intrusion Detection. Ph.D. Thesis, University of Twente, Enschede, The Netherlands, 2010. [Google Scholar]
- Roesch, M. Snort-Lightweight intrusion detection for networks. In Proceedings of the 13th Conference on Systems Administration (LISA 1999), Seattle, WA, USA, 7–12 November 1999; pp. 229–238. [Google Scholar]
- Tiwari, A.; Saraswat, S.; Dixit, U.; Pandey, S. Refinements In Zeek Intrusion Detection System. In Proceedings of the 2022 8th International Conference on Advanced Computing and Communication Systems (ICACCS), Coimbatore, India, 25–26 March 2022; Volume 1, pp. 974–979. [Google Scholar] [CrossRef]
- Mo, T.P.; Wang, J.H. Design and Implementation of Intrusion Detection System. Diploma Thesis, Potsdam University, Brandenburg, Germany, 2011. [Google Scholar] [CrossRef]
- Gehrke, K.A. The Unexplored Impact of Ipv6 on Intrusion Detection Systems. Master’s Thesis, University of Phoenix, Phoenix, Arizona, 2012. [Google Scholar]
- Gao, X.; Qiu, M.; Liu, M. Machine Learning Based Network Censorship. In Proceedings of the 2021 8th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud), Washington, DC, USA, 26–28 June 2021. [Google Scholar] [CrossRef]
- Bdair, A.H.; Abdullah, R.; Manickam, S.; Al-Ani, A.K. Brief of Intrusion Detection Systems in Detecting ICMPv6 Attacks. In Computational Science and Technology; Lecture Notes in Electrical Engineering; Springer: Singapore, 2020; Volume 603, pp. 199–213. [Google Scholar] [CrossRef]
- OISF Foundation. Suricata: Intrusion Detection System. Available online: https://suricata.io/ (accessed on 14 September 2022).
- Rietz, R.; Vogel, M.; Schuster, F.; König, H. Parallelization of network intrusion detection systems under attack conditions. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment; Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Springer: Singapore, 2014; Volume 8550 LNCS, pp. 172–191. [Google Scholar] [CrossRef]
- Atlasis, A. Security Impacts of Abusing IPv6 Extension Headers. In Proceedings of the Black Hat Security Conference, Abu Dhabi, United Arab Emirates, 3–6 December 2012; pp. 1–10. [Google Scholar]
- Atlasis, A.; Rey, E. Evasion of High-End IPS Devices in the Age of IPv6. Technical Report, Black Hat. 2015. Available online: https://www.blackhat.com/docs/us-14/materials/us-14-Atlasis-Evasion-Of-HighEnd-IPS-Devices-In-The-Age-Of-IPv6.pdf (accessed on 13 September 2022).
- Gascon, H.; Orfila, A.; Blasco, J. Analysis of update delays in signature-based network intrusion detection systems. Comput. Secur. 2011, 30, 613–624. [Google Scholar] [CrossRef] [Green Version]
- Kabiri, P.; Ghorbani, A.A. Research on intrusion detection and response: A survey. Int. J. Netw. Secur. 2005, 1, 84–102. [Google Scholar]
- Barbhuiya, F.A.; Biswas, S.; Nandi, S. Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol. In Proceedings of the 4th International Conference on Security of Information and Networks, Sydney, Australia, 14–19 November 2011; pp. 111–118. [Google Scholar] [CrossRef]
- Bansal, G.; Kumar, N.; Nandi, S.; Biswas, S. Detection of NDP based attacks using MLD. In Proceedings of the Fifth International Conference on Security of Information and Networks-SIN ’12, Jaipur, India, 25–27 October 2012; ACM Press: New York, NY, USA, 2012; pp. 163–167. [Google Scholar] [CrossRef]
- Li, Y.; Li, Z.T.; Liu, S. A fuzzy anomaly detection algorithm for IPv6. In Proceedings of the 2006 2nd International Conference on Semantics Knowledge and Grid, SKG, Guilin, China, 1–3 November 2006; pp. 4–7. [Google Scholar] [CrossRef]
- Lee, W.; Stolfo, S.; Mok, K. A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344), Oakland, CA, USA, 9–12 May 1999; pp. 120–132. [Google Scholar] [CrossRef] [Green Version]
- Zulkiflee, M.; Ahmad, M.; Sahib, S.; Ghani, M. A framework of features selection for ipv6 network attacks detection. WSEAS Trans. Commun. 2015, 14, 399–408. [Google Scholar]
- Saad, R.M.A.; Anbar, M.; Manickam, S.; Alomari, E. An Intelligent ICMPv6 DDoS Flooding-Attack Detection Framework (v6IIDS) using Back-Propagation Neural Network. IETE Tech. Rev. 2016, 33, 244–255. [Google Scholar] [CrossRef]
- Sperotto, A.; Sadre, R.; van Vliet, F.; Pras, A. A Labeled Data Set for Flow-Based Intrusion Detection. In International Workshop on IP Operations and Management; Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Springer: Berlin/Heidelberg, Germany, 2009; Volume 5843 LNCS, pp. 39–50. [Google Scholar] [CrossRef]
Representation | Advantage | Disadvantage |
---|---|---|
Packet-based representation | Contains the details of the whole packets. Immediate availability of the traffic for IDS without preprocessing. | Every packet needs to be inspected. Has the problem of exposing sensitive details. Unable to detect attacks that use encrypted payload |
Flow-based representation | Allows for detection of attacks that use encrypted payload Overcomes the problem of sensitive details Allows for building fast IDS | Availability of fewer packet details Flows need to be constructed before IDS works Inability to detect attacks that use encrypted payload |
IDS | Description | Drawbacks |
---|---|---|
Snort [19] | Open-source IDS | Limited to its database of signatures |
Uses the same policies for IPv6 and | Unable to detect self-modifying or zero-day attacks | |
IPv6 protocols | Evadable using extension header | |
Inaccurate in detecting DDoS attacks | ||
Zeek [20] | Open-source IDS | Limited to its database of signatures |
Uses the same policies for IPv6 and | Unable to detect zero-day and self-modifying attacks | |
IPv6 protocols | Requires a huge amount of resources | |
Allows users to write their own rules | Slow in analyzing traffic | |
Suricata [25] | Open-source IDS | Limited to its database of signatures |
Uses the same policies for IPv6 and | Unable to detect zero-day and self-modifying attacks | |
IPv6 protocols | Evadable using fragmentation or padding | |
Supports multithreading | Consumes machine memory | |
Inaccurate in detecting DDoS attacks | ||
Barbhuiya et al. | Detects NS and NA address spoofing | Consumes network resources. |
[31] | Uses 6 tables | Limited to attacks of NS and NA packets. |
Sends probe packets | Changing NIC card IP address is not allowed | |
Unable to detect attacks from genuine IP address | ||
Bansal et al. | Improved IDS of Barbhuiya et al., [31] | Consumes network resources. |
[32] | Detects NS and NA address spoofing | Limited to NS and NA attacks. |
Uses 4 tables | · NIC card changing IP address is not allowed | |
Send probe packets | Unable to detect attacks from genuine IP address | |
Li et al. [33] | Detects NDP protocol attacks | Limited to NDP attacks. |
Uses fuzzy logic | Uses non-consistent traffic dataset | |
Low false rate (2%) | Few details are given | |
Unreliable detection accuracy (85%) | ||
Lai et al. [34] | Detects IPv6 DDoS attacks. | Unreliable detection accuracy (72.2%). |
Uses Apriori algorithm. | Uses a small dataset for testing (5000 records). | |
Uses 6 packets features. | Depends on irrelevant features such as IPv6 address. | |
Zulkiflee et al. | Detects IPv6 DDoS attacks. | Detects RA DoS only. |
[35] | Uses SVM classifier. | Few datasets and experiments details are given. |
High detection accuracy (99.95%). | Depends on irrelevant features such as IPv6 address | |
Uses 5 packets features. | ||
Redhwan et al. | Detects ICMPv6 DDoS attack. | Small testing dataset. |
[36] | Uses BBNN classifier. | Limited to DDoS attacks of ICMPv6 ECHO request. |
High detection accuracy (98.3%) | Limited attacks’ scenarios. | |
Uses 10 features of packets traffic | Depends on irrelevant features such as IPv6 address | |
Alsadhan et al. | Detects NDP DDoS attacks | Limited to NDP DDoS attacks. |
[10] | Uses flow representation of traffic | Unreliable detection accuracy (84%) |
Depends on 12 flow features. | No features ranking was used. | |
Anbar et al. [17] | Detects RA flooding attacks using | Detects RA DoS only and relies on packets |
IG and PCA for feature selection | representation for detection. | |
and SVM as a classifier. | ||
Elejla et al. [4] | Detects ICMPv6 flooding DDoS | Lacks significant flow based features that |
attacks using ensemble feature selection | contribute to the ICMPv6 DoS/DDoS | |
mechanism and LSTM. | attacks detection. | |
Hammoodi et al. [5] | Detects RA flooding attacks using | Detects RA DoS only and relies on |
ensemble feature selection mechanism | packets representation for detection. | |
and RNN. | ||
Elejla et al. [8] | Detects ICMPv6 DDoS attacks | Unreliable detection accuracy (85%) |
Uses flow representation of traffic | No features ranking is used. | |
Depends on 11 flow features. |
Feature Name | Type | Description |
---|---|---|
ICMPv6Type | Basic | Type of ICMPv6 packet, e.g., NA |
PacketsNumber | Basic | Number of packets that satisfy the definition of flow |
TransferredBytes | Basic | Number of bytes within the flow |
Duration | Basic | Time difference between the last and first packet in the flow |
Ratio | Basic | Ratio of number of bytes in the flow with the duration |
Length_STD | Basic | Standard deviation of packets’ lengths |
FlowLable_STD | Basic | Standard deviation of packets’ flow labels |
HopLimit_STD | Basic | Standard deviation of packets’ hop limits |
TraffiicClass_STD | Basic | Standard deviation of packets’ traffic classes |
NextHeader_STD | Basic | Standard deviation of packets’ next headers |
PayloadLength_STD | Basic | Standard deviation of packets’ payload lengths |
Flows_Same_IPdst | Enriching | Number of previous flows sent to the same IPdst |
Flows_Same_ICMPv6Type | Enriching | Number of previous flows sent with the same ICMPv6 type |
Flow_Similarity | Enriching | Similarity percentage between the previous flows |
IPsrc_First_Seen | Enriching | Time duration of IPsrc appearing for the first time |
IPsrc_Similarity | Enriching | Similarity percentage between IPsrc and previous IPsrcs |
Dataset | Total Packets | Total Flows | Attack Flow | Normal Flows |
---|---|---|---|---|
Flow-based Training Dataset | 200,854 | 101,088 flows | 49,187 | 51,901 |
Flow-based Testing Dataset | 199,137 | 92,640 flows | 42,084 | 50,556 |
Short Term | Description |
---|---|
TP (True Positive) | The percentage of attack flows classified as attack |
TN (True Negative) | The percentage of normal flows classified as normal |
FN (False Negative) | The percentage of attack flows classified as normal |
FP (False Positive) | The percentage of normal flows classified as attack |
Feature Name | Chi-Squared Rank | Information Gain Rank | Summation of Ranks |
---|---|---|---|
ICMPv6Type | 11 | 11 | 22 |
PacketsNumber | 9 | 8 | 17 |
TransferredBytes | 10 | 10 | 20 |
Duration | 7 | 7 | 14 |
Ratio | 8 | 9 | 17 |
Length_STD | 5 | 5 | 10 |
FlowLable_STD | 3 | 4 | 7 |
HopLimit_STD | 2 | 3 | 5 |
TraffiicClass_STD | 1 | 2 | 3 |
NextHeader_STD | 4 | 1 | 5 |
PayloadLength_STD | 6 | 6 | 12 |
Flows_Same_IPdst | 14 | 15 | 29 |
Flows_Same_ICMPv6Type | 12 | 12 | 24 |
Flow_Similarity | 13 | 14 | 27 |
IPsrc_First_Seen | 16 | 16 | 32 |
IPsrc_Similarity | 15 | 13 | 28 |
Classifier | Cross-Validation Test | Supplied Set Test |
---|---|---|
Decision Trees | 99.98% | 99.96% |
Support Vector Machines (SVMs) | 98.70% | 98.65% |
Naïve Bayes | 98.56% | 98.53% |
K-Nearest Neighbors (KNNs) | 99.56% | 99.98% |
Random Forest Trees | 99.99% | 98.83% |
Neural Networks | 99.92% | 99.91% |
Classifier | Cross-Validation Test | Supplied Set Test |
---|---|---|
Decision Trees | 0.02 % | 0.04 % |
Support Vector Machines (SVMs) | 1.30 % | 1.35 % |
Naïve Bayes | 1.44 % | 1.47 % |
K-Nearest Neighbors (KNNs) | 0.04 % | 0.02 % |
Random Forest Trees | 0.01 % | 1.17 % |
Neural Networks | 0.08 % | 0.09 % |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Elejla, O.E.; Anbar, M.; Hamouda, S.; Belaton, B.; Al-Amiedy, T.A.; Hasbullah, I.H. Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection. Symmetry 2022, 14, 2556. https://doi.org/10.3390/sym14122556
Elejla OE, Anbar M, Hamouda S, Belaton B, Al-Amiedy TA, Hasbullah IH. Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection. Symmetry. 2022; 14(12):2556. https://doi.org/10.3390/sym14122556
Chicago/Turabian StyleElejla, Omar E., Mohammed Anbar, Shady Hamouda, Bahari Belaton, Taief Alaa Al-Amiedy, and Iznan H. Hasbullah. 2022. "Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection" Symmetry 14, no. 12: 2556. https://doi.org/10.3390/sym14122556
APA StyleElejla, O. E., Anbar, M., Hamouda, S., Belaton, B., Al-Amiedy, T. A., & Hasbullah, I. H. (2022). Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection. Symmetry, 14(12), 2556. https://doi.org/10.3390/sym14122556