I am trying to find out and propose features that can be used to detect IPv6 attacks.
I have seen a few researchers used IP address as a feature, but I see that it can be a feature because it will cheat the classifiers which will consider that the given IPs in the training dataset are indicators for the attacks or the normal record. on another work. the classifiers will consider that the IPs that appear with attack records in the training dataset as an indicator for any recodes in the testing datasert. therefore if this model is applied online it will consider any record with one of these IPs as an attack and ignore any attack from other IPs
please give me your opinion or any resources that discussed this issue
Thanks
You can use these links :
http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5370928&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5370928
https://hal.archives-ouvertes.fr/hal-01054522/document
http://jis.eurasipjournals.springeropen.com/articles/10.1186/s13635-016-0034-3
If we consider IP address as a location, the classifier may learn something about locations from where attaches are commnly originated.
Thank davood
but all these resources considered information or data about the IP as a feature
I am asking about the IP its self can be one of the features that i can give to the classifier ?
Mairidan Wushouer
but IP address can be changed anytime and attack can be launched from randomly generated addresses
Hi Omar,
Try considering physical address too. You can refer my papers in my profile reference.
Yes, you can.
Many hackers fake their IP addresses before attacking to target networks.
Faked IP addresses may be 127.0.0.1 or 0.0.0.0 and so on.
To your question, IP is a valid feature for detecting attacks, but in concert with other indicators, not usually by itself.
IP is not typically used by itself to take action, unless current activity identifies active attack (for the reasons above). The question is in what context is the IP seen. Is it associated with an known C&C channel? Is it associated with malware download? Without context, IP alone is usually insufficient to take specific action.
thanks all
I still did not the answer I am looking for
my question I wanna build a dataset with features to be used as input for classifiers to build a detection model od DDoS attacks
is IP address can be one of these features as it exists in the network ?
Dear friend, from your answer: "but IP address can be changed anytime and attack can be launched from randomly generated addresses", the IP address can not be used as a feature to detect an attack unless the hacker you know will use it every time :D
Irrespective of an IP address can be faked, gamed or spoofed, it can be used as a feature for intrusion detection. As for as Intrusion Detection is concerned, we will be able to detect the IP from where the attack is launched, but then whether IP is real or not could not be known. In IDS, intrusions are detected, but identifying the validity of underlying IP is beyond the scope of detection.
Hi Omar,
I think you can use the IP Addresses as a feature for DDoS attack detection. IP Addresses represent hosts and each host has its own specific normal behaviour. As a consequence, requests from unexpected IP Addresses could be indicators for malicious activities.
However, IP Addresses are categorical attributes and you need a meaningful similarity measure. For example, you could use IP2Vec (https://ieeexplore.ieee.org/document/8215725/) to transfer IP Addresses to meaningful continuous vector representations based on their typical network connections.
Best Regards
Markus
IP can be spoofed by the attacker. Hence, it may be infeasible to use it as a feature for attack classification in intrusion detection systems. Feature which are independent and cannot be changes by attacker can be useful in classification problems.
Check this paper.
Article A study on efficient detection of network-based IP spoofing ...
- Badges
- Science topic