Flow-Based Approach to Detect Abnormal Behavior in Neighbor Discovery Protocol (NDP)

Internet Protocol version six (IPv6) is equipped with new protocols, such as the Neighbor Discovery Protocol (NDP). NDP is a stateless protocol without authentication that makes it vulnerable to many types of attacks, such as Router Advertisement (RA) and Neighbour Solicitation (NS) DoS flooding att...


Bibliographic Details
Main Authors: Abdullah Ahmed Bahashwan, Mohammed Anbar, Iznan Husainy Hasbullah, Ziyad R. Alashhab, Ali Bin-Salem
Format: Article
Language: English
Published: IEEE 2021-01-01
Series: IEEE Access
Online Access: https://ieeexplore.ieee.org/document/9380280/
ISSN: 2169-3536
Volume: 9
Pages: 45512-45526
DOI: 10.1109/ACCESS.2021.3066630
Author details:
Abdullah Ahmed Bahashwan (https://orcid.org/0000-0002-2307-6302), National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, Penang, Malaysia
Mohammed Anbar (https://orcid.org/0000-0002-7026-6408), National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, Penang, Malaysia
Iznan Husainy Hasbullah (https://orcid.org/0000-0002-2275-3201), National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, Penang, Malaysia
Ziyad R. Alashhab (https://orcid.org/0000-0002-4748-8037), National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, Penang, Malaysia
Ali Bin-Salem (https://orcid.org/0000-0001-8042-5938), School of Computer Science, Neijiang Normal University, Neijiang, China
Collection: DOAJ
Description: Internet Protocol version six (IPv6) is equipped with new protocols, such as the Neighbor Discovery Protocol (NDP). NDP is a stateless protocol without authentication that makes it vulnerable to many types of attacks, such as Router Advertisement (RA) and Neighbour Solicitation (NS) DoS flooding attacks. In these types of attacks, attackers send an enormous volume of abnormal NDP traffic, which causes congestion that degrades network performance. The expected behavior among these attacks is the existence of NDP traffic abnormalities. Thus, this research aims to propose a flow-based approach to detect abnormal NDP traffic behavior, which is considered an indicator of the presence of NDP-based attacks, such as RA and NS DoS flooding attacks. Also, the proposed approach relies on flow-based network traffic representation and adoption of the Entropy algorithm to detect the randomness in the network traffic. The proposed approach is evaluated in terms of detection accuracy, precision, recall, and F1-Score using a simulated dataset. The experimental result shows that the proposed approach obtained 98.1%, 55%, 100%, and 70.96% for average accuracy, precision, recall, and F1-Score, respectively, in detecting abnormal NDP traffic behavior caused by the RA DoS flooding attack. Meanwhile, the proposed approach obtained 99%, 91.3%, 100%, and 95.45% for average accuracy, precision, recall, and F1-Score, respectively, in detecting the abnormal NDP traffic behavior caused by the NS DoS flooding attack. Also, the proposed approach shows better results compared to other existing approaches.
Subjects: Intrusion detection systems (IDS); NDP traffic abnormalities; RA DoS flooding attack; NS DoS flooding attack; network traffic representation; entropy algorithm