Flow-Based Approach to Detect Abnormal Behavior in Neighbor Discovery Protocol (NDP)

Bibliographic Details
Main Authors: Abdullah Ahmed Bahashwan, Mohammed Anbar, Iznan Husainy Hasbullah, Ziyad R. Alashhab, Ali Bin-Salem
Format: Article
Language: English
Published: IEEE 2021-01-01
Series: IEEE Access
Online Access: https://ieeexplore.ieee.org/document/9380280/
Description
Summary: Internet Protocol version six (IPv6) is equipped with new protocols, such as the Neighbor Discovery Protocol (NDP). NDP is a stateless protocol without authentication that makes it vulnerable to many types of attacks, such as Router Advertisement (RA) and Neighbour Solicitation (NS) DoS flooding attacks. In these types of attacks, attackers send an enormous volume of abnormal NDP traffic, which causes congestion that degrades network performance. The expected behavior among these attacks is the existence of NDP traffic abnormalities. Thus, this research aims to propose a flow-based approach to detect abnormal NDP traffic behavior, which is considered an indicator of the presence of NDP-based attacks, such as RA and NS DoS flooding attacks. Also, the proposed approach relies on flow-based network traffic representation and adoption of the Entropy algorithm to detect the randomness in the network traffic. The proposed approach is evaluated in terms of detection accuracy, precision, recall, and F1-Score using a simulated dataset. The experimental result shows that the proposed approach obtained 98.1%, 55%, 100%, and 70.96% for average accuracy, precision, recall, and F1-Score, respectively, in detecting abnormal NDP traffic behavior caused by the RA DoS flooding attack. Meanwhile, the proposed approach obtained 99%, 91.3%, 100%, and 95.45% for average accuracy, precision, recall, and F1-Score, respectively, in detecting the abnormal NDP traffic behavior caused by the NS DoS flooding attack. Also, the proposed approach shows better results compared to other existing approaches.
ISSN: 2169-3536