Abstract
The Neighbour Discovery Protocol (NDP) is vulnerable to various attacks, such as the DoS flooding attack, which uses an excessive number of Router Advertisement (RA) and Neighbour Solicitation (NS) messages to flood the network, causing congestion and bringing the network down. Several existing approaches detect RA and NS DoS flooding attacks. However, these approaches rely either on a packet-based traffic representation, which is inefficient for high-speed networks, or on a static threshold, which leads to a high false-positive rate. This work therefore proposes a flow-based approach with a novel design for detecting RA and NS DoS flooding attacks. The proposed approach uses a flow-based traffic representation to accommodate high-speed networks. It also combines three algorithms to address the drawbacks of the existing approaches: an Entropy-Based Algorithm (EBA), an Adaptive Threshold algorithm, and a rule-based technique. The EBA is more sensitive and better suited to detecting abnormal network traffic. The Adaptive Threshold algorithm provides dynamic values that serve as a baseline for abnormal NDP behaviour. Finally, the rule-based technique acts as a classifier of network-traffic behaviour and generates specific rules for detecting abnormal NDP-based attacks.
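To make the three components concrete, here is an added illustration (not the authors' code or dataset) of how entropy over an NDP address feature, an adaptive threshold and a simple rule can be combined on flow records. The EWMA-style threshold, the choice of address feature (RA source address, NS target address), the window layout and all sample flows are assumptions constructed for this example.

```python
import math
from collections import Counter

RA, NS = 134, 135  # ICMPv6 type codes for Router Advertisement / Neighbor Solicitation

def shannon_entropy(values):
    """Shannon entropy (bits) of the address distribution inside one flow window."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class AdaptiveThreshold:
    """Assumed EWMA-style baseline: threshold = smoothed mean + k * smoothed std,
    with a floor so a perfectly flat baseline still tolerates small variation."""
    def __init__(self, alpha=0.3, k=3.0, floor=0.5):
        self.alpha, self.k, self.floor = alpha, k, floor
        self.mean, self.var = None, 0.0
    def threshold(self):
        return self.mean + max(self.k * math.sqrt(self.var), self.floor)
    def update(self, x):
        if self.mean is None:
            self.mean = x
            return
        d = x - self.mean
        self.mean += self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)

def detect(flows, msg_type):
    """Rule: alert on a window when the entropy of the address feature for msg_type
    exceeds the baseline learnt from earlier windows; anomalies are not learnt from."""
    base, alerts = AdaptiveThreshold(), []
    for win in sorted({w for w, _, _ in flows}):
        addrs = [a for w, t, a in flows if w == win and t == msg_type]
        if not addrs:
            continue
        h = shannon_entropy(addrs)
        if base.mean is not None and h > base.threshold():
            alerts.append(win)
        else:
            base.update(h)
    return alerts

# Constructed sample flows (window, icmpv6_type, address feature): RA uses the source
# address, NS the target address. Windows 0-4 are benign; window 5 adds an RA flood
# from 40 spoofed sources, window 6 an NS flood aimed at 48 random targets.
FLOWS = [(w, RA, r) for w in range(6) for r in ["fe80::1"] * 3 + ["fe80::2"] * 3]
FLOWS += [(w, NS, t) for w in range(7) for t in ["2001:db8::10", "2001:db8::11"] * 2]
FLOWS += [(5, RA, f"fe80::bad:{i:x}") for i in range(40)]
FLOWS += [(6, NS, f"2001:db8::dead:{i:x}") for i in range(48)]
```

`detect(FLOWS, RA)` returns `[5]` and `detect(FLOWS, NS)` returns `[6]`: benign windows sit at 1.0 bit of entropy, while the flood windows jump above 5 bits and clear the adaptive threshold.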
Acknowledgment
This work is supported by the Ministry of Higher Education Malaysia under the Fundamental Research Grant Scheme, Project Code FRGS/1/2019/ICT03/USM/02/3.
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
Cite this paper
Bahashwan, A.A., Anbar, M., Manickam, S., Hasbullah, I.H., Aladaileh, M.A. (2021). Propose a Flow-Based Approach for Detecting Abnormal Behavior in Neighbor Discovery Protocol (NDP). In: Abdullah, N., Manickam, S., Anbar, M. (eds) Advances in Cyber Security. ACeS 2021. Communications in Computer and Information Science, vol 1487. Springer, Singapore. https://doi.org/10.1007/978-981-16-8059-5_25
DOI: https://doi.org/10.1007/978-981-16-8059-5_25
Publisher Name: Springer, Singapore
Print ISBN: 978-981-16-8058-8
Online ISBN: 978-981-16-8059-5
eBook Packages: Computer Science (R0)