Cognitive Computation

, Volume 10, Issue 2, pp 201–214 | Cite as

A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks

  • Mohammed Anbar
  • Rosni Abdullah
  • Bassam Naji Al-Tamimi
  • Amir Hussain


Router advertisement (RA) flooding attack aims to exhaust all node resources, such as CPU and memory, attached to routers on the same link. A biologically inspired machine learning-based approach is proposed in this study to detect RA flooding attacks. The proposed technique exploits information gain ratio (IGR) and principal component analysis (PCA) for feature selection and a support vector machine (SVM)-based predictor model, which can also detect input traffic anomaly. A real benchmark dataset obtained from National Advanced IPv6 Center of Excellence laboratory is used to evaluate the proposed technique. The evaluation process is conducted with two experiments. The first experiment investigates the effect of IGR and PCA feature selection methods to identify the most contributed features for the SVM training model. The second experiment evaluates the capability of SVM to detect RA flooding attacks. The results show that the proposed technique demonstrates excellent detection accuracy and is thus an effective choice for detecting RA flooding attacks. The main contribution of this study is identification of a set of new features that are related to RA flooding attack by utilizing IGR and PCA algorithms. The proposed technique in this paper can effectively detect the presence of RA flooding attack in IPv6 network.


RA flooding attack Network security IGR PCA SVM IPv6 security 



The authors are grateful to the anonymous reviewers for their constructive comments and suggestions, which greatly helped improve the quality of the paper. Professor A. Hussain is supported by the UK Engineering and Physical Sciences Research Council (EPSRC) grant no. EP/M026981/1.

Compliance with Ethical Standards

Conflict of Interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


  1. 1.
    Barbhuiya FA, Bansal G, Kumar N, Biswas S, Nandi S. Detection of neighbor discovery protocol based attacks in ipv6 network. Netw Sci 2013;2(3-4):91–113.CrossRefGoogle Scholar
  2. 2.
    Goel JN, Mehtre B. Stack overflow based defense for ipv6 router advertisement flooding (dos) attack. Proceedings of 3rd international conference on advanced computing, networking and informatics. New Delhi: Springer; 2016. p. 299–308.Google Scholar
  3. 3.
    Caicedo CE, Joshi JB, Tuladhar SR. Ipv6 security challenges. Computer 2009;42(2):36–42.CrossRefGoogle Scholar
  4. 4.
    Narten T, Simpson WA, Nordmark E, Soliman H. Neighbor discovery for ip version 6 (ipv6), Tech. Rep. 2461, 2007, obsoleted by RFC 4861, upyeard by RFC 4311. [Online]. Available:
  5. 5.
    Finlayson R, Mann T, Mogul J, Theimer M. A reverse address resolution protocol, Tech. Rep., 1984, rFC-903, JUN. [Online]. Available:
  6. 6.
    Hendriks L, Sperotto A, Pras A. Characterizing the ipv6 security landscape by large-scale measurements. IFIP international conference on autonomous infrastructure, management and security. Cham: Springer; 2015. p. 145–149.Google Scholar
  7. 7.
    Barbhuiya FA, Biswas S, Nandi S. Detection of neighbor solicitation and advertisement spoofing in ipv6 neighbor discovery protocol. Proceedings of the 4th international conference on Security of information and networks. New York: ACM; 2011. p. 111–118.Google Scholar
  8. 8.
    Xu X, Wang X. An adaptive network intrusion detection method based on pca and support vector machines. Advanced data mining and applications. Berlin: Springer; 2005. p. 696–703.Google Scholar
  9. 9.
    De la Hoz E, De La Hoz E, Ortiz A, Ortega J, Prieto B. Pca filtering and probabilistic som for network intrusion detection. Neurocomputing 2015;164:71–81.CrossRefGoogle Scholar
  10. 10.
    Bamakan SMH, Wang H, Yingjie T, Shi Y. An effective intrusion detection framework based on mclp/svm optimized by time-varying chaos particle swarm optimization. Neurocomputing 2016;199:90–102.CrossRefGoogle Scholar
  11. 11.
    Shyu M-L, Chen S-C, Sarinnapakorn K, Chang L. A novel anomaly detection scheme based on principal component classifier. 3rd IEEE international conference on data mining; 2003. p. 353–365.Google Scholar
  12. 12.
    Yang X, Ma T, Shi Y. Typical dos/ddos threats under ipv6. International multi-conference on computing in the global information technology. Guadeloupe: IEEE; 2007. p. 55–55.Google Scholar
  13. 13.
    Anbar M, Abdullah R, Saad RMA, Alomari E, Alsaleem S. Review of security vulnerabilities in the IPv6 neighbor discovery protocol. Singapore: Springer Singapore, 2016, pp. 603–612. [Online]. Available: .
  14. 14.
    Hota H, Shrivas AK. Decision tree techniques applied on nsl-kdd data and its comparison with various feature selection techniques. Advanced computing, networking and informatics. Cham: Springer; 2014. p. 205–211.Google Scholar
  15. 15.
    Viertiö-Oja H, Maja V, Särkelä M, Talja P, Tenkanen N, Tolvanen-Laakso H, Paloheimo M, Vakkuri A, Yli-Hankala A, Meriläinen P. Description of the entropy algorithm as applied in the yearx-ohmeda entropy module. Acta Anaesthesiol Scand 2004;48(2):154–61.CrossRefPubMedGoogle Scholar
  16. 16.
    Lv JC, Yi Z, Li Y. Non-divergence of stochastic discrete time algorithms for pca neural networks. IEEE transactions on neural networks and learning systems 2015;26(2):394–9.CrossRefPubMedGoogle Scholar
  17. 17.
    Liu G, Yi Z, Yang S. A hierarchical intrusion detection model based on the pca neural networks. Neurocomputing 2007;70(7):1561–8.CrossRefGoogle Scholar
  18. 18.
    Yang J, Gong L, Tang Y, Yan J, He H, Zhang L, Li G. An improved svm-based cognitive diagnosis algorithm for operation states of distribution grid. Cogn Comput 2015;7(5):582–93.CrossRefGoogle Scholar
  19. 19.
    Wang W, Battiti R. 2005. Identifying intrusions in computer networks based on principal component analysis, Tech. Rep DIT-05-084.Google Scholar
  20. 20.
    Xu T, He D, Luo Y. Ddos attack detection based on rlt features. 2007 international conference on, computational intelligence and security; 2007. p. 697–701.Google Scholar
  21. 21.
    Zargar G, Kabiri P. Identification of effective network features for probing attack detection. NDT ’09. First international conference on networked digital technologies, 2009. Ostrava: IEEE; 2009. p. 392–397.Google Scholar
  22. 22.
    Tanveer M. Robust and sparse linear programming twin support vector machines. Cogn Comput 2015;7(1): 137–49. [Online]. Available: Scholar
  23. 23.
    Al-Shaer E. Modeling and verification of firewall and ipsec policies using binary decision diagrams. Automated firewall analytics. Cham: Springer International Publishing; 2014. p. 25–48.Google Scholar
  24. 24.
    Arkko J, Kempf J, Zill B, Nikander P. SEcure Neighbor Discovery (SEND), RFC 3971 (Proposed Standard), Tech. Rep. 3971, Mar. 2005, upyeard by RFCs 6494, 6495, 6980. [Online]. Available:
  25. 25.
    AlSa’deh A, Meinel C. Secure neighbor discovery: review, challenges, perspectives, and recommendations. IEEE Secur Priv 2012;10(4):26–34.CrossRefGoogle Scholar
  26. 26.
    Beck F, Cholez T, Festor O, Chrisment I. Monitoring the neighbor discovery protocol. ICCGI, 2007. international multi-conference on computing in the global information technology, 2007; 2007. p. 57–57.Google Scholar
  27. 27.
    Chown T, Venaas S. Rogue ipv6 router advertisement problem statement, Tech. Rep., 2011, rFC-6104, Feb. [Online]. Available:
  28. 28.
    Ramachandran V, Nandi S. Detecting arp spoofing: an active technique. International conference on information systems security. Berlin: Springer; 2005. p. 239–250.Google Scholar
  29. 29.
    Saad RM, Anbar M, Manickam S, Alomari E. An intelligent icmpv6 ddos flooding-attack detection framework (v6iids) using back-propagation neural network. IETE Tech Rev 2015;33:244–55.CrossRefGoogle Scholar
  30. 30.
    Levy-Abegnoli E, Van de Velde G, Popoviciu C, Mohacsi J. Ipv6 router advertisement guard, IETF, Tech. Rep., 2011, rFC-6105, Feb. [Online]. Available:
  31. 31.
    Gont F. Implementation advice for ipv6 router advertisement guard (ra-guard), Internet Engineering Task Force (IETF), Tech. Rep., 2014, rFC-7113, Feb. [Online]. Available:
  32. 32.
    Headquarters A. Ipv6 configuration guide, cisco ios release 12.4, Cisco, Tech. Rep., 2012. [Online]. Available:
  33. 33.
    Uğuz H. A two-stage feature selection method for text categorization by using information gain, principal component analysis and genetic algorithm. Knowl-Based Syst 2011;24(7):1024–32.CrossRefGoogle Scholar
  34. 34.
    Sharma R, Pachori RB. Classification of epileptic seizures in eeg signals based on phase space representation of intrinsic mode functions. Expert Syst Appl 2015;42(3):1106–17.CrossRefGoogle Scholar
  35. 35.
    Lin S-l, Liu Z. Parameter selection in svm with rbf kernel function. J Zhengzhou Univ Technol 2007;35(2):1–4.Google Scholar
  36. 36.
    NAv6. 2016. National advanced ipv6 centre,, 2016 online; accessed 1 OCT.
  37. 37.
    Narayanan HT et al. Seamless decoding of normal and oid compressed snmp pdus-an enhancement to wireshark. Procedia Eng 2012;38:1479–86.CrossRefGoogle Scholar
  38. 38.
    Naik A, Samant L. Correlation review of classification algorithm using data mining tool: weka, rapidminer, tanagra, orange and knime. Procedia Comput Sci 2016;85:662–8.CrossRefGoogle Scholar
  39. 39.
    Livadas C, Walsh R, Lapsley D, Strayer WT. Using machine learning techniques to identify botnet traffic. IEEE conference on local computer networks, Proceedings 2006 31st. Piscataway: IEEE; 2006. p. 967–974.Google Scholar
  40. 40.
    Elhamahmy M, Elmahdy HN, Saroit IA. A new approach for evaluating intrusion detection system. International Journal of Artificial Intelligent Systems and Machine Learning 2010;11:2.Google Scholar
  41. 41.
    Gepperth A, Karaoguz C. A bio-inspired incremental learning architecture for applied perceptual problems. Cogn Comput 2016;8(5):924–34. Scholar
  42. 42.
    Javed SG, Majid A, Ali S, Kausar N. A bio-inspired parallel-framework based multi-gene genetic programming approach to denoise biomedical images. Cogn Comput 2016;8(4):776–93. [Online]. Available: Scholar
  43. 43.
    Wen G, Hou Z, Li H, Li D, Jiang L, Xun E. Ensemble of deep neural networks with probability-based fusion for facial expression recognition, Cogn Comput. 2017. [Online]. Available:
  44. 44.
    Siddique N, Adeli H. Nature-inspired chemical reaction optimisation algorithms, Cogn Comput. 2017. [Online]. Available:

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  • Mohammed Anbar
    • 1
  • Rosni Abdullah
    • 1
  • Bassam Naji Al-Tamimi
    • 2
  • Amir Hussain
    • 3
  1. 1.National Advanced IPv6 Center of Excellence (NAv6)Universiti Sains MalaysiaGelugorMalaysia
  2. 2.College of Computer Science and EngineeringTaibah UniversityAl-Madinah Al-MunawarahKingdom of Saudi Arabia
  3. 3.Institute of Computing Science and Mathematics, School of Natural SciencesUniversity of StirlingStirlingUK

Personalised recommendations