
Propose a Flow-Based Approach for Detecting Abnormal Behavior in Neighbor Discovery Protocol (NDP)

  • Conference paper
Advances in Cyber Security (ACeS 2021)

Abstract

Neighbour Discovery Protocol (NDP) is vulnerable to various attacks, such as DoS flooding attacks that use an excessive number of Router Advertisement (RA) and Neighbour Solicitation (NS) messages to flood the network, causing congestion and bringing the network down. Several existing approaches detect RA and NS DoS flooding attacks. However, these approaches rely either on a packet-based traffic representation, which is inefficient for high-speed networks, or on a static threshold, which leads to a high false-positive rate. This work therefore proposes a flow-based approach with an innovative design to detect RA and NS DoS flooding attacks. The proposed approach uses a flow-based traffic representation to accommodate high-speed networks. It also uses three algorithms to address the drawbacks of the existing approaches: an Entropy-Based Algorithm (EBA), an Adaptive Threshold algorithm, and a rule-based technique. The EBA is more sensitive and more appropriate for detecting abnormal network traffic. The Adaptive Threshold algorithm provides dynamic values that are used as a baseline for abnormal NDP behavior. Finally, the rule-based technique operates as a classifier of network traffic behavior and generates specific rules for detecting abnormal NDP-based attacks.
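The following sketch is an added example, not the paper's algorithm or code: it shows how the three stages named in the abstract can fit together on per-window flow records. The choice of source-address entropy as the feature, the EWMA parameters, and all names (`AdaptiveThreshold`, `detect`, `SAMPLE`) are assumptions made for illustration.

```python
import math
from collections import Counter

RA, NS = 134, 135  # ICMPv6 types: Router Advertisement, Neighbor Solicitation

def entropy(counts):
    """Shannon entropy (bits) of the per-source packet distribution."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

class AdaptiveThreshold:
    """EWMA baseline of mean and variance; all parameters are assumptions."""
    def __init__(self, alpha=0.3, k=3.0, warmup=3, floor=0.05):
        self.alpha, self.k, self.warmup, self.floor = alpha, k, warmup, floor
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def is_abnormal(self, x):
        band = self.k * max(math.sqrt(self.var), self.floor)
        abnormal = self.n >= self.warmup and abs(x - self.mean) > band
        if not abnormal:  # learn only from normal windows so a flood cannot move the baseline
            d = x - self.mean if self.n else 0.0
            self.mean = self.mean + self.alpha * d if self.n else x
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
            self.n += 1
        return abnormal

def detect(windows):
    """windows: list of flow lists, flow = (src, icmp_type, packets). Returns alerts."""
    baselines = {RA: AdaptiveThreshold(), NS: AdaptiveThreshold()}
    alerts = []
    for i, flows in enumerate(windows):
        for t, label in ((RA, "RA flood"), (NS, "NS flood")):
            per_src = Counter()
            for src, icmp_type, pkts in flows:
                if icmp_type == t:
                    per_src[src] += pkts
            if per_src and baselines[t].is_abnormal(entropy(per_src)):
                alerts.append((i, label))  # rule: classify by message type
    return alerts

# Constructed sample flow records: one router sending RAs, three hosts sending NSs.
def normal(a, b, c):
    return [("fe80::1", RA, 2), ("fe80::a", NS, a), ("fe80::b", NS, b), ("fe80::c", NS, c)]

SAMPLE = [
    normal(3, 2, 3), normal(2, 2, 2), normal(3, 3, 2),
    normal(2, 3, 3) + [(f"fe80::dead:{i:x}", RA, 10) for i in range(64)],  # many RA sources
    normal(3, 2, 3) + [("fe80::bad", NS, 500)],                            # one dominant NS source
]
```

Running `detect(SAMPLE)` flags window 3 for RA (entropy jumps as many sources appear) and window 4 for NS (entropy collapses toward one source), which is why the threshold tests deviation in both directions.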



Acknowledgment

This work is supported by the Ministry of Higher Education Malaysia under the Fundamental Research Grant Scheme with Project Code: FRGS/1/2019/ICT03/USM/02/3.

Author information


Correspondence to Abdullah Ahmed Bahashwan or Mohammed Anbar.


Copyright information

© 2021 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Bahashwan, A.A., Anbar, M., Manickam, S., Hasbullah, I.H., Aladaileh, M.A. (2021). Propose a Flow-Based Approach for Detecting Abnormal Behavior in Neighbor Discovery Protocol (NDP). In: Abdullah, N., Manickam, S., Anbar, M. (eds) Advances in Cyber Security. ACeS 2021. Communications in Computer and Information Science, vol 1487. Springer, Singapore. https://doi.org/10.1007/978-981-16-8059-5_25


  • DOI: https://doi.org/10.1007/978-981-16-8059-5_25


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-16-8058-8

  • Online ISBN: 978-981-16-8059-5

  • eBook Packages: Computer Science (R0)
