Labeled flow-based dataset of ICMPv6-based DDoS attacks

Abstract

DDoS attacks that depend on the Internet Control Message Protocol version 6 (ICMPv6) are among the most commonly performed attacks against today's IPv6 networks. A few detection systems have been proposed to detect these attacks based on self-generated datasets. These datasets use an unsuitable representation that depends on the packet format, and they include unqualified features, which leads to false alerts if the systems are applied in real networks. Moreover, most of the existing datasets are unavailable to other researchers because of their authors' privacy concerns. The objective of this paper is to provide benchmark datasets of ICMPv6-based DDoS attacks to be used for tuning, evaluating, and comparing any detection system for these attacks. The datasets were set up on a real IPv6-enabled network topology while ensuring attack exposure. The proposed datasets are considered the first labeled and publicly available flow-based datasets, represented using a set of flow-based features of ICMPv6-based DDoS attacks. The requirements of good datasets have been met in the proposed datasets to ensure they are worth being used by other researchers. Moreover, the datasets and their features proved their ability to represent the attack traffic by achieving robust and acceptably high detection accuracies as well as a low false positive rate.
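The abstract contrasts a flow-based representation with one that depends on the packet format. The following Python example, added here and not code from the paper or its published datasets, shows what that representation looks like in practice: constructed ICMPv6 packet records (one ordinary ping exchange and one echo-request flood) are grouped into unidirectional flows and per-flow features are derived. The flow key (source, destination, ICMPv6 type and code), the inactivity timeout, the feature set and the majority-vote labeling are assumptions for illustration, not the feature set the paper defines.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet-level record as a capture tool would export it (constructed)."""
    ts: float        # capture timestamp in seconds
    src: str         # IPv6 source address
    dst: str         # IPv6 destination address
    icmp_type: int   # ICMPv6 type, e.g. 128 Echo Request, 129 Echo Reply
    icmp_code: int   # ICMPv6 code
    length: int      # bytes on the wire
    label: str       # ground-truth label recorded at capture time: "normal" or "attack"


FLOW_TIMEOUT = 5.0  # seconds of inactivity that closes a flow (assumed value)


def build_flows(packets, timeout=FLOW_TIMEOUT):
    """Group ICMPv6 packets into unidirectional flows and derive flow-level features.

    A flow is identified by (src, dst, icmp_type, icmp_code). A gap longer than
    `timeout` between consecutive packets of the same key starts a new flow.
    """
    flows = []
    active = {}  # flow key -> mutable accumulator
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src, p.dst, p.icmp_type, p.icmp_code)
        st = active.get(key)
        if st is not None and p.ts - st["last"] > timeout:
            flows.append(_finish(key, st))   # expire the idle flow
            st = None
        if st is None:
            st = {"first": p.ts, "last": p.ts, "pkts": 0, "bytes": 0, "attack": 0}
            active[key] = st
        st["last"] = p.ts
        st["pkts"] += 1
        st["bytes"] += p.length
        st["attack"] += 1 if p.label == "attack" else 0
    flows.extend(_finish(k, st) for k, st in active.items())  # flush open flows
    return flows


def _finish(key, st):
    """Turn an accumulator into a feature record; the label is a majority vote."""
    src, dst, icmp_type, icmp_code = key
    pkts = st["pkts"]
    duration = st["last"] - st["first"]
    return {
        "src": src,
        "dst": dst,
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "packets": pkts,
        "bytes": st["bytes"],
        "duration": duration,
        "pkt_rate": pkts / duration if duration > 0 else float(pkts),
        "avg_len": st["bytes"] / pkts,
        "label": "attack" if st["attack"] * 2 > pkts else "normal",
    }


def sample_packets():
    """Constructed capture: a normal ping exchange and an echo-request flood."""
    pkts = []
    # Host ::a pings server ::1 four times, one second apart; server replies.
    for i in range(4):
        pkts.append(Packet(10.0 + i, "2001:db8::a", "2001:db8::1", 128, 0, 104, "normal"))
        pkts.append(Packet(10.01 + i, "2001:db8::1", "2001:db8::a", 129, 0, 104, "normal"))
    # Host ::bad sends 300 large echo requests to the server within 0.3 seconds.
    for i in range(300):
        pkts.append(Packet(12.0 + i * 0.001, "2001:db8::bad", "2001:db8::1",
                           128, 0, 1280, "attack"))
    return pkts


if __name__ == "__main__":
    for flow in build_flows(sample_packets()):
        print(flow)
```

Run stand-alone, the script prints three flow records: the two halves of the ping exchange at about 1.3 packets per second and the flood at roughly 1000 packets per second with a much larger average length. Those per-flow rates and sizes, rather than any field of the individual packets, are the kind of attribute a flow-based dataset exposes to a classifier.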


Fig. 1 (reproduced with permission from [4])
Fig. 2
Fig. 3
Fig. 4
Fig. 5

References

1. Conta A, Gupta M (2006) Internet Control Message Protocol (ICMPv6) for the Internet Protocol version 6 (IPv6) specification. Request for Comments 4443 [online]. https://tools.ietf.org/html/rfc4443. Accessed Aug 2015

2. Postel J (1981) RFC 792: Internet Control Message Protocol. Request for Comments 792 [online]. https://tools.ietf.org/html/rfc792. Accessed 2016

3. Elejla OE, Anbar M, Belaton B (2016) ICMPv6-based DoS and DDoS attacks and defense mechanisms: review. IETE Tech Rev 34:1–18

4. Ard JB (2012) Internet Protocol version six (IPv6) at UC Davis: traffic analysis with a security perspective. University of California, Davis

5. Weber J, Wegener C, Schwenk J (2013) IPv6 security test laboratory. Master's dissertation, Department of Network and Data Security, Ruhr-University Bochum, Bochum

6. Elejla OE, Belaton B, Anbar M, Alnajjar A (2016) A reference dataset for ICMPv6 flooding attacks. J Eng Appl Sci 11(3):476–481

7. Lakhina A, Crovella M, Diot C (2004) Characterization of network-wide anomalies in traffic flows. In: Proceedings of the 4th ACM SIGCOMM conference on internet measurement, pp 201–206

8. Sperotto A, Sadre R, Pras A (2008) Anomaly characterization in flow-based traffic time series. In: International workshop on IP operations and management, Springer, Berlin, pp 15–27

9. Strayer WT, Lapsely D, Walsh R, Livadas C (2008) Botnet detection based on network behavior. In: Lee W, Wang C, Dagon D (eds) Botnet detection. Advances in Information Security, vol 36. Springer, New York, pp 1–24

10. Sheikhan M, Jadidi Z (2014) Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network. Neural Comput Appl 24(3–4):599–611

11. Sperotto A (2010) Flow-based intrusion detection. PhD thesis, Centre for Telematics and Information Technology, University of Twente, Enschede

12. Winter P, Hermann E, Zeilinger M (2011) Inductive intrusion detection in flow-based network data using one-class support vector machines. In: 4th IFIP international conference on new technologies, mobility and security (NTMS), IEEE, pp 1–5

13. Jacobson V, Leres C, McCanne S (2016) Tcpdump. http://www.tcpdump.org. Accessed 2016

14. Chappell L, Combs G (2010) Wireshark network analysis: the official Wireshark Certified Network Analyst study guide. https://www.wireshark.org/. Accessed 2016

15. NSL-KDD (1998) Dataset for network-based intrusion detection systems. http://iscx.info/NSL-KDD/. Accessed 2016

16. Lippmann R, Haines JW, Fried DJ, Korba J, Das K (2000) The 1999 DARPA off-line intrusion detection evaluation. Comput Netw 34(4):579–595

17. University of California (1999) KDD Cup 1999 data. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. Accessed 2016

18. Lawrence Berkeley National Laboratory (2004) LBNL/ICSI enterprise tracing project. http://www.icir.org/enterprise-tracing/. Accessed 2016

19. Elejla OE, Jantan AB, Ahmed AA (2014) Three layers approach for network scanning detection. J Theor Appl Inf Technol 70(2):251–264

20. WIDE (2016) MAWI working group traffic archive. http://mawi.wide.ad.jp/mawi/. Accessed 2016

21. Barrera D, Van Oorschot P (2009) Security visualization tools and IPv6 addresses. In: 6th international workshop on visualization for cyber security (VizSec 2009), IEEE, pp 21–26

22. CAIDA (2014) The Cooperative Association for Internet Data Analysis. https://www.caida.org/data/active/ipv6_allpref_topology_dataset.xml. Accessed 25 Feb 2016

23. Gray MD (2015) Discovery of IPv6 router interface addresses via heuristic methods. Naval Postgraduate School, Monterey, California

24. Fomenkov M, Claffy K (2011) Internet measurement data management challenges. In: Workshop on research data lifecycle management, Princeton

25. Zulkiflee M, Haniza N, Shahrin S, Ghani M (2014) A framework of IPv6 network attack dataset construction by using testbed environment. Int Rev Comput Softw (IRECOS) 9(8):1434–1441

26. Zulkiflee MA, Ahmad MS, Sahib S, Ghani M (2015) A framework of features selection for IPv6 network attacks detection. WSEAS Trans Commun 14(46):399–408

27. Saad R, Manickam S, Alomari E, Anbar M, Singh P (2014) Design & deployment of testbed based on ICMPv6 flooding attack. J Theor Appl Inf Technol 64(3):795–801

28. Najjar F, Kadhum MM (2015) Reliable behavioral dataset for IPv6 Neighbor Discovery Protocol investigation. In: 5th international conference on IT convergence and security (ICITCS), IEEE, pp 1–5

29. Elejla OE, Anbar M, Belaton B (2016) Flow-based datasets. https://sites.google.com/site/flowbaseddatasets/. Accessed 2016

30. Universiti Sains Malaysia (USM) (2016) https://www.usm.my/index.php/en/. Accessed 2016

31. Heuse M (2013) THC IPv6 attack toolkit. http://www.aldeid.com/wiki/THC-IPv6-Attack-Toolkit. Accessed 2015

32. Gont F (2012) SI6 Networks' IPv6 toolkit. http://www.si6networks.com. Accessed 2015

33. Grossman J, Marsili B, Goudjil C, Eromenko A (2013) GNS3 graphical network simulator. https://www.gns3.com/. Accessed 23 Jan 2016

34. Cisco (2001) NetFlow services solutions guide. http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/netflow/nfwhite.html#wp1030058. Accessed 2016

35. Baldi M, Baralis EM, Risso FGO (2004) Data mining techniques for effective flow-based analysis of multi-gigabit network traffic

36. Yu S (2014) Distributed denial of service attack and defense. Springer, Berlin

37. Vykopal J (2010) Flow-based intrusion detection in large and high-speed networks. PhD thesis

38. Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2012) NSL-KDD dataset

39. Hall M, Frank E, Holmes G, Pfahringer B, Reutemann P, Witten IH (2009) The WEKA data mining software: an update. ACM SIGKDD Explor Newslett 11(1):10–18

40. Japkowicz N (2000) The class imbalance problem: significance and strategies. In: Proceedings of the international conference on artificial intelligence, Citeseer

41. Weiss GM, Provost F (2003) Learning when training data are costly: the effect of class distribution on tree induction. J Artif Intell Res 19:315–354


Acknowledgements

This research was supported by the Short Term Research Grant, Universiti Sains Malaysia (USM) No: 304/PNAV/6313272.

Author information


Corresponding author

Correspondence to Omar E. Elejla.

Ethics declarations

Disclosure

The authors declare that there is no conflict of interest regarding the publication of this paper.


About this article


Cite this article

Elejla, O.E., Anbar, M., Belaton, B. et al. Labeled flow-based dataset of ICMPv6-based DDoS attacks. Neural Comput & Applic 31, 3629–3646 (2019). https://doi.org/10.1007/s00521-017-3319-7


Keywords

  • Intrusion detection
  • Dataset generation
  • ICMPv6-based DDoS attacks
  • Flow-based datasets
  • Features extraction