
KDD CUP dataset has been used to train IPv4 intrusion detection systems. The attacks are identified with the help of these pre-determined features.

Are these features sufficient to classify the attacks in IPv6? In other words, is KDD CUP methodology sufficient to describe all possible attacks in IPv6? If not, then please specify any attack that won't be detected using the above features.

  • That data set is not sufficient to train any IDS. The IPv6 header is completely different from the IPv4 header, so many different attacks are possible just by manipulating extension headers. Those didn't even exist in IPv4. – Sander Steffann Aug 07 '16 at 17:02
  • @SanderSteffann It is evident that we require a new data set as new attacks have been developed since '99. But what I would like to know if there is any attack in ipv6 that cannot be detected using above features. – Star Seller Aug 07 '16 at 19:06
  • Star - even from your comment above "we require a new dataset" you should be able to see that there could be all sorts of attacks that KDD CUP will not detect – Rory Alsop Aug 07 '16 at 21:03

1 Answer

First, I doubt that this dataset is even sufficient to describe all possible attacks at the IPv4 level. This dataset is from 1999 and in the meantime TCP was developed further (for example TCP fast open) or new attacks were discovered (like TCP split handshake).

Apart from that, IPv6 is not just an extension of the address range. The header format is different and it provides different mechanisms for extensions which could be misused in attacks. Also ICMP and ICMPv6 have some significant differences etc.

please specify any attack that won't be detected using the above features.

This would be too broad. But a simple search will provide you with a wealth of information, for example IPv6- IPv4 Threat Comparison v1.0 where within "Attacks with New Considerations" it also shows attacks new with IPv6.

Steffen Ullrich
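As an added illustration of the answer's point about extension headers (example code, not from the original post or from any dataset project): the KDD CUP features describe a connection by protocol, service and TCP flags, so the IPv6 extension-header chain is simply not visible to them. The parser below walks that chain on a constructed packet and derives header-level features, then applies a few sample rules; the RFC 8200 rule that hop-by-hop must come first is real, the chain-length threshold is an assumption.

```python
import struct

# IPv6 next-header values for extension headers (IANA) and common upper layers
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment",
               51: "ah", 60: "destination-options"}
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6"}

def parse_ipv6_chain(pkt: bytes) -> dict:
    """Walk the extension-header chain of one IPv6 packet and return
    header-level features that the KDD CUP 1999 feature set cannot express."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    nh, hop_limit = struct.unpack_from("!BB", pkt, 6)   # bytes 6-7 of the fixed header
    chain, offset = [], 40
    while nh in EXT_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[offset], pkt[offset + 1]
        if nh == 44:                       # fragment header is always 8 bytes
            size = 8
        elif nh == 51:                     # AH length is in 32-bit words, minus 2
            size = (ext_len + 2) * 4
        else:                              # hop-by-hop, routing, dest-opts: (len + 1) * 8
            size = (ext_len + 1) * 8
        chain.append(EXT_HEADERS[nh])
        offset, nh = offset + size, next_nh
    return {"ext_chain": chain, "ext_count": len(chain),
            "repeated_ext": len(chain) != len(set(chain)),
            "upper_layer": UPPER_LAYER.get(nh, f"proto-{nh}"),
            "hop_limit": hop_limit}

def header_anomalies(features: dict) -> list:
    """Sample rules an IPv6-aware detector could apply to those features
    (the chain-length threshold of 3 is an assumed value, not a standard)."""
    chain, reasons = features["ext_chain"], []
    if features["repeated_ext"]:
        reasons.append("extension header type repeated")
    if "hop-by-hop" in chain and chain[0] != "hop-by-hop":
        reasons.append("hop-by-hop header not first (RFC 8200 ordering)")
    if features["ext_count"] > 3:
        reasons.append("unusually long extension-header chain")
    return reasons

def build_sample() -> bytes:
    """Constructed packet: IPv6 | hop-by-hop (PadN) | routing type 0 | TCP (no payload)."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1, documentation prefix
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")   # 2001:db8::2
    hbh = bytes([43, 0, 1, 4, 0, 0, 0, 0])             # next=routing, len=0, PadN option
    rt = bytes([6, 0, 0, 0, 0, 0, 0, 0])               # next=TCP, len=0, type 0, 0 segments
    hdr = struct.pack("!IHBB", 0x60000000, len(hbh + rt), 0, 64)  # version 6, nh=hop-by-hop
    return hdr + src + dst + hbh + rt
```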
  • I accept the outdated status of this dataset. But the mentioned features are also too broad. What I am asking is: if the above features are not sufficient to describe an attack in IPv6, then please elaborate (considering that attack). What new features, if any, should be added to the above set of features to detect that attack? – Star Seller Aug 08 '16 at 09:55
  • @StarSeller: the mentioned features are broad because your question is. From the sound of your question you expect a full analysis of both the 99s dataset, compare it with everything IPv6 offers and present the result to you on a silver tablet, i.e. no work is done by yourself. I recommend instead that you use the links I gave to start your own more detailed analysis and ask more specific questions if needed. – Steffen Ullrich Aug 08 '16 at 10:51