Flow-Based IDS for ICMPv6-Based DDoS Attacks Detection

2018 
The Internet Control Message Protocol version Six (ICMPv6) is regarded as the most important part of the Internet Protocol version Six (IPv6) because of its core functionalities. However, the ICMPv6 protocol is vulnerable to different types of attacks, such as Distributed Denial of Service (DDoS) attacks that are based on ICMPv6 messages. ICMPv6-based DDoS attacks are the most performed attacks against IPv6 networks and are considered a grave problem of today's Internet. Intrusion Detection Systems (IDSs) of different categories have been proposed to detect ICMPv6-based DDoS attacks. However, these IDSs are inefficient in detecting the attacks due to their limitations. The main limitation of the existing IDSs is their dependency on a packet-based representation and packet-based features, which are unsuitable for detecting DDoS attacks, as experimentally proven. Therefore, this research proposes a new IDS based on a flow-based representation of traffic and a set of novel features for detecting the attacks. This is the first time a flow-based representation and flow-based features have been proposed to detect ICMPv6-based DDoS attacks. Cross-validation and supplied set testing approaches have been applied to evaluate the proposed IDS using seven classifiers. The evaluation experiments were conducted on real datasets and showed that the proposed flow-based IDS with the proposed novel features is efficient and reliable in detecting ICMPv6-based DDoS attacks, with acceptable detection accuracies and false positive rates.