Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection

Abstract

Internet Protocol version 6 (IPv6) and its core protocol, Internet Control Message Protocol version 6 (ICMPv6), need to be secured from attacks, such as Denial of Service (DoS) and Distributed DoS (DDoS), in order to be reliable for deployment. Several Intrusion Detection Systems (IDSs) have been built and proposed to detect ICMPv6-based DoS and DDoS attacks. However, these IDSs suffer from several drawbacks, such as the inability to detect novel attacks and a low detection accuracy due to their reliance on packet-based traffic representation. Furthermore, the existing IDSs that rely on flow-based traffic representation use simple heuristics features that do not contribute to detecting ICMPv6-based DoS and DDoS attacks. This paper proposes a flow-based IDS by enriching the existing features with a set of new features to improve the detection accuracy. The flow consists of packets with similar attributes (i.e., packets with the same source and destination IP address) and features that can differentiate between normal and malicious traffic behavior, such as the source IP address’s symmetry and the whole flow’s symmetry. The experimental results reveal that the enriched features significantly improved the IDS’s detection accuracy by 16.02% and that the false positive rate decreased by 19.17% compared with state-of-the-art IDSs.