Evaluation of open-source intrusion detection systems for IPv6 vulnerabilities in realistic test network

Abstract

The Internet Protocol (IP) defines the format by which packets are relayed throughout and across networks. A majority of the Internet today uses Internet Protocol version 4 (IPv4), but due to several key industries, a growing share of the Internet is adopting IPv4’s successor, Internet Protocol version 6 (IPv6) for its promise of unique addressability, automatic configuration features, built-in security, and more. Since the invention of the Internet, network security has proven a leading and worthwhile concern. The evolution of the information security field has produced an important solution for network security monitoring: the intrusion detection system (IDS). In this report, I explore the difference in detection effectiveness and resource usage of two network monitoring philosophies, signature-based and behavior-based detection. I test these philosophies, represented by leading edge passive monitors Snort and Bro, against several categories of state-of-the-art IPv6 attacks. I model an IPv6 host-to-host intrusion across the Internet in a virtual test network by including benign background traffic and mimicking adverse network conditions. My results suggest that neither IDS philosophy is superior in all categories and a hybrid of the two, leveraging each’s strengths, would best secure a network against leading IPv6 vulnerabilities.