ICMPv6 DDoS Attack Detection Method Based on Information Entropy and LSTM

doi:10.3778/j.issn.1002-8331.2007-0256

Abstract

Abstract:

As the basic supporting protocol for IPv6 network operation, the ICMPv6 protocol is an important part of IPv6 DDoS attack defense. Based on the analysis of the current status of ICMPv6 DDos attack detection at home and abroad, this paper proposes a dual detection method based on the combination of information entropy and Long Short-Term Memory（LSTM）. This method can effectively identify abnormal traffic through preliminary detection based on information entropy, and then confirm the abnormal traffic based on the deep detection of the improved LSTM neural network. Simulation experiments show that the accuracy of this method for identifying ICMPv6 DDoS attacks can reach more than 95%. Compared with the commonly used detection methods, the accuracy of this method is higher. At the same time, compared with the detection method based only on LSTM, this method shortens the detection time by more than 50% and has better performance.

Key words: distributed denial of service attack, attack detection, ICMPv6, information entropy, long short-term memory

摘要：

ICMPv6（Internet Control Management Protocol version 6）协议作为IPv6网络运行的基础支撑协议，是IPv6 DDoS（Distribute Denial of Service）攻击防御的一个重要环节。在分析国内外ICMPv6 DDos攻击检测现状的基础上，提出了一种基于信息熵与长短期记忆网络（Long Short-Term Memory，LSTM）相结合的双重检测方法。该方法通过基于信息熵的初步检测能有效识别出异常流量，再进一步基于改进的LSTM网络的深度检测对异常流量进行确认。仿真实验表明，该方法对ICMPv6 DDoS攻击的识别准确率能达到95%以上，与常用的检测方法相比，该方法的准确率更高。同时，与只基于LSTM的检测方法相比，该方法缩短了50%以上的检测时间，具有更好的性能。

关键词: 分布式拒绝服务攻击, 攻击检测, ICMPv6, 信息熵, 长短期记忆网络

JIANG Kui, QIU Yuandong, ZHENG Haocheng. ICMPv6 DDoS Attack Detection Method Based on Information Entropy and LSTM[J]. Computer Engineering and Applications, 2021, 57(21): 148-154.

江魁，丘远东，郑浩城. 基于信息熵与LSTM的ICMPv6 DDoS攻击检测方法[J]. 计算机工程与应用, 2021, 57(21): 148-154.

References

[1] 徐凌伟，权天祺.基于BP神经网络的移动安全性能预测[J].聊城大学学报（自然科学版），2020，33（3）：34-40.
XU L W，QUAN T Q.Mobile security performance prediction based on BP neural network[J].Journal of Liaocheng University（Natural Science Edition），2020，33（3）：34-40.
[2] 郑茂宽.制造业数字化转型升级需系统性工业互联网安全保障[J].中国信息安全，2019（11）：40-43.
ZHENG M K.Digital transformation and upgrading of manufacturing industry requires systematic industrial Internet security[J].China Information Security，2019（11）：40-43.
[3] 丁彭父乐.基于IPv6多地址性的DoS攻击与防御研究[D].哈尔滨：哈尔滨工业大学，2014.
DING P F L.Research on DoS attack and defense based on IPv6 multi-address[D].Harbin：Harbin Institute of Technology，2014.
[4] CONTA A.Internet control message protocol（ICMPv6） for the Internet protocol version 6（IPv6） specification[S].RFC2463，1998.
[5] ELEJLA O E，ANBAR M，BELATON B.ICMPv6-based DoS and DDoS attacks and defense mechanisms：review[J].IETE Technical Review，2017，34（4）：390-407.
[6] YANG X Y，MA T，SHI Y.Typical DoS/DDoS threats under IPv6[C]//Proceedings of the 2nd International Multi-Conference on Computing in the Global Information Technology，2007：55-60.
[7] MARTIN C E，DUNN J H.Internet protocol version 6（IPv6） protocol security assessment[C]//IEEE Military Communications Conference，Orlando，FL，USA，29-31 Oct，2007.Orlando，FL：IEEE，2007：1-7.
[8] ELEJLA O E，BELATON B，ANBAR M，et al.Intrusion detection systems of ICMPv6-based DDoS attacks[J].Neural Computing & Applications，2016.
[9] 陈先昌.基于卷积神经网络的深度学习算法与应用研究[D].杭州：浙江工商大学，2014.
CHEN X C.Deep learning algorithm and application research based on convolutional neural network[D].Hangzhou：Zhejiang Gongshang University，2014.
[10] 尹宝才，王文通，王立春.深度学习研究综述[J].北京工业大学学报，2015（1）：48-59.
YIN B C，WANG W T，WANG L C.A survey of deep learning research[J].Journal of Beijing University of Technology，2015（1）：48-59.
[11] SAAD R M A，ANBAR M.An intelligent ICMPv6 DDoS flooding-attack detection framework（v6IIDS） using back-propagation neural network[J].IETE Technical Review：Institution of Electronics and Telecommunication Engineers Technical Review，2016（3）：244-255.
[12] ZULKIFLEE M A，AHMAD M S，SAHIB S，et al.A framework of features selection for Ipv6 network attacks detection[J].WSEAS Transactions on Communication，2015，14（46）：399-408.
[13] PRAPTODIYONO S，HASBULLAH I H，ANBAR M，et al.Improvement of address resolution security in ipv6 local network using trust-ND[J].TELKOMNIKA Indonesian Journal of Electrical Engineering，2015，13（1）：195-202.
[14] LU C，SINGH V P.Entropy-based derivation of generalized distributions of hydrometeorological frequency analysis[J].Journal of Hydrology，2018，557（1）：699.
[15] HOCHREITER S，SCHMIDHUBER J.Long short-term memory[J].Neural Computation，1997，9（8）：1735-1780.
[16] GREFF K，SRIVASTAVA R K，KOUTNIK J，et al.LSTM：a search space odyssey[J].IEEE Transactions on Neural Networks & Learning Systems，2016，28（10）：2222-2232.
[17] ELEJLA O E，ANBAR M，BELATON B.Flow-based datasets[EB/OL].[2016].https：//sites.google.com/site/flowbaseddatasets/.
[18] SATRYA G B，CHANDRA R L，YULIANTO F A.The detection of DDOS flooding attack using hybrid analysis in IPv6 networks[C]//3rd International Conference on Information and Communication Technology，2015.
[19] ELEJLA O E，ANBAR M，BELATON B，et al.Labeled flow-based dataset of ICMPv6-based DDoS attacks[J].Neural Computing & Applications，2018，31：3629-3646.