Detection of Volumetric ICMPv6 DDoS attack using Ensemble Stacking on Deep Neural Network

The internet serves as a vital hub for information exchange, seamlessly intertwining with our daily lives. Operating on IPv6 and IPv4 protocols, it facilitates connections between sources and destinations. However, these protocols harbour vulnerabilities, particularly evident in Internet Control Message Protocol version 6 (ICMPv6), making it susceptible to Distributed Denial of Service (DDoS) attacks inherent in IPv6 design. Despite ongoing advancements in Artificial Intelligence/Machine Learning (AI/ML) driven research, such attacks persist, inflicting significant losses on organizations. In response, this study introduces two distinct architectures within a Deep Neural Network (DNN) model. Model 1 integrates Convolutional Neural Networks (CNN) with Long Short-Term Memory (LSTM), inspired by Ahmed Issa’s work. Meanwhile, Model 2 proposes an integration of Recurrent Neural Networks (RNN) with Gated Recurrent Units (GRU). The models were evaluated following Ahmed Issa’s architecture using NSL-KDD, Sain Malaysian and Mendeley datasets, resulting in accuracies of 80%, 97.01%, 95.06%, 72.89%, and 64.94%, respectively. Notably, NSL-KDD and Mendeley datasets are IPv4-based, whereas the Sain Malaysian data is IPv6-based. These results were compared with those obtained using the NSLKDD benchmark datasets. These results demonstrated that such combinations are effective for detecting ICMP DDoS attacks.

Further experiments were performed on the proposed model's architecture, and it was deployed using the Sain Malaysian datasets (IPv6-based). As a result, both models exhibited promising performance, achieving accuracies of up to 83.95% and 83.83%, respectively. Further ML techniques were also deployed using the proposed model. Three combinations were derived using the stacking technique for comparison: (1) CNN with LSTM + RNN with GRU, (2) various ML techniques, and (3) a combination of both (1) and (2) treated as ALL. The optimistic results obtained were 84.14%, 86.16%, and 86.19%, respectively. Additionally, two sets of ICMPv6 datasets are generated in two distinct environments, which helps to prove our research model is robust. The experiments continued to evaluate the robustness of the proposed model using Feature engineering from the physical and data link layers of the network to, windowing, Time Series split, Cross validation, ADASYN, LIME, SHAP, and AAD, measuring the model performance by metrics like Recall, F1 measure, Precision, ROC and AUC achieving promising results focusing more on Accuracy results. The results ranged from 81.56% to 99.998%, and in some cases reached 100%. The AAD and the inferences indicated that the Proposed model at base classifiers are not suitable for real-time implementation but recommended for Ensemble Stacking in realtime deployments.

Further, an Ensemble stacking technique is deployed on the proposed Model 1 and Model 2 as base classifiers along with the ADASYN technique, achieving outstanding results of accuracies of 99.89% and 99.97%, respectively. A critical evaluation based on datasets, features, and state-of-the-art research results validates our proposed model as a promising solution with a superior score for the detection and prediction of ICMPv6 DDoS attacks, particularly for Echo reply and request packets.