Syafiq Bin Ibrahim Shah, Mohammed Anbar, Ayman Al-Ani, and Ahmed K. Al-Ani
National Advanced IPv6 Centre, Universiti Sains Malaysia, Penang, Malaysia
syafiqibrahimshah@usm.my, anbar@nav6.usm.my, ayman@nav6.usm.my, and ahmedkhallel91@nav6.usm.my
Keywords: IPv6, NDP, DoS, Flooding Attack, Entropy, EWMA, RA, Adaptive Threshold Algorithm, Network Security
1 Introduction
Internet service providers across the world are currently and severely constrained by the shortage of Internet protocol version 4 (IPv4) addresses. The exhaustion of Internet protocol (IP) addresses has served as the main motivation for the development and deployment of Internet protocol version 6 (IPv6) [1]. IPv6 provides new features, such as stateless address autoconfiguration (SLAAC), neighbor unreachability detection (NUD), duplicate address detection (DAD), and the capability to realise end-to-end connectivity without relying on a network address translation (NAT) infrastructure [2]. These features rely heavily on the newly introduced neighbor discovery protocol (NDP).
When a denial of service (DoS) attack is launched, an attacker typically attempts to consume the network bandwidth and central processing unit (CPU) resources of the target victim. This type of attack can be generated in an IPv6 network by simply flooding the link-local network with massive amounts of neighbor discovery (ND) packets. Furthermore, network congestion is bound to happen due to the massive bandwidth consumption in the network. IPv6 inherits the same foundation as IPv4, which means that the former has essentially adopted the latter's attributes and qualities, and even its shortcomings.
NDP operates on layer 2 of the IP stack, and it runs on top of Internet control message
protocol version 6 (ICMPv6) [3].
Table 1. NDP message types and their functions

Type                          Function
Router Solicitation (RS)      Used by hosts for router discovery.
Router Advertisement (RA)     Used by routers to advertise addressing information.
Neighbor Solicitation (NS)    Used for DAD and NUD.
Neighbor Advertisement (NA)   Used by hosts for address resolution.
Redirect                      Used to redirect packets from one router to another.
NDP consists of five message types: router solicitation, router advertisement (RA),
neighbor solicitation, neighbor advertisement and redirect message. The hosts in an
IPv6 network communicate by exchanging these messages. Table 1 lists the types and
function of each message [4, 5].
The most common type of attack is the default attack, in which an attacker floods the network with bogus address prefixes and fake default route information. This type of attack can be detected by the network intrusion detection system, after which an RA guard that can drop the malicious packets is implemented [8, 9].
However, attackers have developed evasion techniques to bypass security validation by forging fake IP extension headers. A security mechanism that only dissects and verifies the initial upper layer of the packet, instead of analysing the entire header chain, will fail to detect the ulterior malicious content [7].
If a packet is too large to be sent through the network, the source host divides it into fragments by using fragment headers. In IPv6, the reassembly of these fragmented packets can only be performed at the destination host. Attackers have exploited this feature by fragmenting malicious packets into smaller chunks. Because the security mechanism cannot reassemble the malicious packets into their full form, it will refrain from performing an analysis, thereby allowing the malicious packets to penetrate the system [8].
2 Related Work
NDP messages can be protected with an Internet protocol security (IPsec) authentication header (AH) to ensure the authenticity and integrity of information. The host can verify whether the received ND messages are valid and authorised depending on the set of AH security associations (SAs), a feature that is helpful in securing the stateless nature of NDP. However, SAs that are established with Internet key exchange version 2 (IKEv2) require functional IP addresses, which consequently results in a bootstrapping problem. Hence, manual configuration must be performed to secure NDP with IPsec, but this process is tedious and the configuration is not scalable [10]. The experiments conducted by Xinyu, Ting and Yi [11] proved that IPsec is powerless if an attacker launches a DoS attack using a legitimate, non-spoofed IP address.
An RA guard, a mechanism to prevent the exploitation of RA messages, can be installed on managed switches, but it only forwards the packets received from a port that is known to be connected to an authorised router. Nonetheless, malicious hosts can be prevented from launching DoS attacks [12]. However, although RA guards can effectively verify source legitimacy, attackers can still circumvent and evade this layer of protection either by forging fake extension headers or by forcing packet
3 Detection Technique
Ingress packets from the network are captured by the traffic capture engine, after which the packets are stored as potential datasets. These datasets are then pre-processed and filtered to reduce irrelevant and unwanted data from the sample. The goal is to reduce the number of relevant traffic features without negatively affecting classification and subsequently improve detection efficiency.
The incoming packets in the network are processed as follows. Only IPv6 packets are filtered in and processed, whereas all other IP packets are filtered out and dropped. The filtration process continues to filter only the ICMPv6 packets. Then, the system verifies whether the packet is an ICMPv6 RA message. Type 134 messages are saved as datasets for further computation.
Two essential variables are used to detect network intrusion in the entropy-based approach: the sliding window size and the threshold value. The sliding window size can be defined either as a time period or as a packet count. The entropy within the sliding window is calculated to measure randomness, an indication of anomalous behaviour. This research proposes a window size of 50 packets to gather statistics. The main reason for choosing 50 packets is that a small window keeps the computation cheap: a list of 50 values can be calculated much faster than 500 values. Consequently, the intrusion can be detected much earlier because less computation is needed.
Entropy is a common method of network intrusion detection. In this research, entropy is mainly selected because it can measure randomness in the packets that are forwarded into a network. Furthermore, entropy incurs a relatively low computation overhead. The higher the randomness of the given information, the higher the entropy, and vice versa. When an attack occurs, the entropy value of the source IP address increases because the attacker spoofs its source IP address on each packet transmission. Hence, a continuously changing source IP is a strong indicator of a DoS RA flooding attack. The Mathematical Theory of Communication, a paper published by C. E. Shannon, defines entropy as:

$$H(x) = -\sum_{i=1}^{n} p_i \log p_i \qquad (1)$$
The calculation function computes the entropy of the source IP address of the RA messages every 50 packets. A specific threshold value is therefore important in accurately detecting a flooding attack. Ideally, the threshold value should be updated adaptively according to the network traffic condition to perform a much more accurate
$$X_n = (\alpha + 1) \cdot \mu_{n-1} \qquad (2)$$
In accordance with network traffic changes, the threshold is set adaptively based on the mean value of recent traffic measurements [16]. This research applies the exponentially weighted moving average (EWMA) to calculate the mean entropy value, as given in Equation (3).
If the entropy value of the source IP address exceeds the threshold value three consecutive times, then a DoS RA flooding attack is likely happening and an alarm is triggered. While an alarm is active, the threshold value is levelled off (held constant) until the entropy value falls below it. The reason for this behaviour is to reduce the number of false negative detections.
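As an added illustration of the detection procedure described in this section (example code written for this page, not the paper's implementation), the following Python sketch computes the per-window source-address entropy of Eq. (1), derives the threshold of Eq. (2) from an EWMA of past window entropies, raises an alarm after three consecutive exceedances and holds the threshold until the entropy falls back below it. It assumes α = 0.5, an EWMA weight of 0.3 and log base 2, none of which the text fixes here, and runs on constructed source-address windows rather than captured RA packets.

```python
import math
from collections import Counter

WINDOW = 50        # packets per sliding window, as proposed in the paper
ALPHA = 0.5        # margin in Eq. (2): X_n = (alpha + 1) * mu_{n-1}   (assumed value)
LAMBDA = 0.3       # EWMA weight used for the mean entropy mu         (assumed value)
CONSECUTIVE = 3    # windows above threshold needed before an alarm is raised

def entropy(sources):
    """Shannon entropy, Eq. (1), of the RA source addresses in one window (log base 2 assumed)."""
    n = len(sources)
    return -sum(c / n * math.log2(c / n) for c in Counter(sources).values())

class RAFloodDetector:
    """Hypothetical detector: entropy per window, EWMA-based adaptive threshold, 3-strike alarm."""
    def __init__(self, alpha=ALPHA, lam=LAMBDA):
        self.alpha, self.lam = alpha, lam
        self.mu = None          # EWMA of past window entropies (mu_{n-1} when window n arrives)
        self.threshold = None   # X_n from Eq. (2)
        self.hits = 0           # consecutive windows whose entropy exceeded X_n
        self.alarm = False

    def update(self, window):
        """Feed one window of source addresses; return True while a flooding alarm is active."""
        h = entropy(window)
        if self.mu is None:     # first window only seeds the mean; no decision yet
            self.mu, self.threshold = h, (self.alpha + 1) * h
            return False
        if not self.alarm:      # threshold is levelled off while an alarm is active
            self.threshold = (self.alpha + 1) * self.mu
        if h > self.threshold:
            self.hits += 1
            self.alarm = self.hits >= CONSECUTIVE
        else:                   # entropy fell below threshold: clear the alarm, resume adapting
            self.hits, self.alarm = 0, False
        if not self.alarm:      # mu is frozen together with the threshold during an alarm
            self.mu = self.lam * h + (1 - self.lam) * self.mu
        return self.alarm

def make_windows():
    """Constructed sample (no real capture): 5 windows from two legitimate routers,
    5 flood windows with 50 distinct spoofed sources each, then 2 normal windows."""
    normal = ["fe80::1"] * 40 + ["fe80::2"] * 10
    flood = [f"fe80::bad:{i:x}" for i in range(WINDOW)]
    return [normal] * 5 + [flood] * 5 + [normal] * 2

def run_detector(windows):
    """Return the alarm state after each window, in order."""
    det = RAFloodDetector()
    return [det.update(w) for w in windows]
```

With the constructed sample, `run_detector(make_windows())` stays quiet for the normal windows, alarms on the third flood window (the first two only raise the adaptive threshold), holds the alarm while the flood lasts, and clears it on the first normal window afterwards.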
4 Discussion
In this research, detection accuracy is the metric used to evaluate the effectiveness of the technique. Detection accuracy reflects the capability of an IDS detection engine to accurately determine alerts and generate corresponding alarms in the event of network intrusions. The number of false alarms produced by the system and the percentage of detection are the main indicators of IDS performance:

$$\mathit{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \times 100 \qquad (4)$$
Abbreviation   Description
TP             True positive: anomalous events correctly detected as anomalous.
TN             True negative: normal events correctly recorded as normal.
FP             False positive: normal events detected as anomalous.
FN             False negative: anomalous events recorded as normal.
Four scenarios are considered and taken as baselines to evaluate the accuracy of the proposed hybrid detection technique. The first scenario involves an attack in the default mode. The second scenario involves an attacker using the extension header to evade the RA guard. The third scenario involves an attack that fragments its packets to avoid detection. The last scenario involves normal IPv6 traffic.
The detection technique is evaluated for each type of dataset (low-, medium- and high-generated packet traffic datasets) and repeated three times to ensure maximal robustness. The results are averaged to obtain the precise accuracy and ensure consistency.
The three runs yielded an average detection accuracy of 99.26%. The results prove that the detection technique can accurately detect DoS RA flooding attacks, i.e. the attacker floods the link-local network with bogus address prefixes and fake router information.
The result of 98.3% proves that the detection technique can accurately detect DoS RA flooding attacks in which the attacker floods the link-local network with bogus address prefixes and fake router information that sit below an additional layer of extension headers (Hop-by-Hop) to evade security devices, such as RA guards.
$$\frac{100 + 100 + 100}{3} \times 100 = 100\% \qquad (7)$$

The result is 100%, which clearly proves that the detection technique can detect DoS RA flooding attacks, i.e. the attacker floods the link-local network with fragmented RA packets to evade security devices, such as RA guards.

$$\frac{100 + 100 + 100}{3} \times 100 = 100\% \qquad (8)$$

The result is 100%, which clearly proves that the solution does not trigger any false alarm in normal IPv6 traffic conditions.
The experimental results prove the capability of the proposed technique to detect RA
DoS flooding attacks in IPv6 link-local networks. The effectiveness of the detection
technique is evaluated on datasets that have been generated in real time in controlled
environments. The results further show that the detection accuracy is high at 98%.
The proposed detection technique can be extended in several promising directions, such as building frameworks to detect NDP flooding attacks in IPv6 link-local networks. Apart from RA DoS flooding, the other types of NDP flooding attack that may benefit from this research are RS, NS, NA, redirect and MLD flooding attacks. Such directions may help overcome the limited range of attacks that can be detected by the technique proposed in this research: the proposed hybrid detection technique can only detect RA DoS flooding attacks in an IPv6 link-local network. In future work, the proposed detection technique may be extended to the detection of other types of NDP flooding attack. The datasets may also be expanded by including more attack scenarios to cover all NDP flooding types.
References
1. Al-Ani, A.K., Anbar, M., Manickam, S., Al-Ani, A., Leau, Y.-B.: Proposed DAD-match Mechanism for Securing Duplicate Address Detection Process in IPv6 Link-Local Network Based on Symmetric-Key Algorithm. In: International Conference on Computational Science and Technology, pp. 108–118 (2017)
2. Graziani, R.: IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6. Pearson Education (2012)
3. Al-Ani, A.K., Anbar, M., Manickam, S., Al-Ani, A., Leau, Y.-B.: Proposed DAD-match Security Technique based on Hash Function to Secure Duplicate Address Detection in IPv6 Link-local Network. In: Proceedings of the 2017 International Conference on Information Technology, pp. 175–179 (2017)
4. Anbar, M., Abdullah, R., Saad, R., Hasbullah, I.H.: Review of Preventive Security Mechanisms for Neighbour Discovery Protocol. Adv. Sci. Lett. 23, 11306–11310 (2017)
5. Anbar, M., Abdullah, R., Al-Tamimi, B.N., Hussain, A.: A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks. Cognit. Comput., 1–14 (2017)
6. Elejla, O.E., Belaton, B., Anbar, M., Alnajjar, A.: Intrusion Detection Systems of ICMPv6-based DDoS Attacks. Neural Comput. Appl., 1–12 (2016)
7. Gont, F.: Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard). RFC 7113 (2014)
8. Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., Mohacsi, J.: IPv6 Router Advertisement Guard. RFC 6105 (2011)
9. Anbar, M., Abdullah, R., Al-Tamimi, B.N., Hussain, A.: A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks. Cognit. Comput., Springer (2017)
10. Arkko, J., Aura, T., Kempf, J., Mäntylä, V.-M., Nikander, P., Roe, M.: Securing IPv6 Neighbor and Router Discovery. In: Proceedings of the 1st ACM Workshop on Wireless Security, pp. 77–86 (2002)
11. Yang, X., Ma, T., Shi, Y.: Typical DoS/DDoS Threats under IPv6. In: International Multi-Conference on Computing in the Global Information Technology (ICCGI 2007), p. 55 (2007)
12. Chown, T., Venaas, S.: Rogue IPv6 Router Advertisement Problem Statement. RFC 6104 (2011)
13. Aleesa, A.M., Hassan, R., Kamal, S.U.M.: A Rule-based Technique to Detect Router Advertisement Flooding Attack against Biobizz Web Application. Adv. Sci. Lett. 22, 1887–1891 (2016)
14. Oshima, S., Hirakawa, A., Nakashima, T., Sueyoshi, T.: DoS/DDoS Detection Scheme Using Statistical Method Based on the Destination Port Number. In: Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP 2009), pp. 206–209 (2009)
15. Mousavi, S.M., St-Hilaire, M.: Early Detection of DDoS Attacks against SDN Controllers. In: 2015 International Conference on Computing, Networking and Communications (ICNC), pp. 77–81 (2015)
16. Cisar, P., Cisar, S.M.: EWMA Statistic in Adaptive Threshold Algorithm. In: 11th International Conference on Intelligent Engineering Systems (INES 2007), pp. 51–54 (2007)