This Report was presented to the Faculty of the Graduate School of The University of Texas at Austin in partial fulfillment of the requirements for the degree of

Master of Science in Engineering


Abstract

Evaluation of Open-Source Intrusion Detection Systems for IPv6 Vulnerabilities in Realistic Test Network  

 

Jeremy Gin, M.S.E.

The University of Texas at Austin, May 2017

 

Supervisor: Brian L. Evans

Reader: William C. Bard

 

Software: Source code and packet capture synthetic data sets

The Internet Protocol (IP) defines the format by which packets are relayed throughout and across networks. A majority of the Internet today uses Internet Protocol version 4 (IPv4), but, driven by several key industries, a growing share of the Internet is adopting IPv4's successor, Internet Protocol version 6 (IPv6), for its promise of unique addressability, automatic configuration features, built-in security, and more. Since the invention of the Internet, network security has proven a leading and worthwhile concern. The evolution of the information security field has produced an important solution for network security monitoring: the intrusion detection system (IDS). In this report, I explore the difference in detection effectiveness and resource usage between two network monitoring philosophies, signature-based and behavior-based detection. I test these philosophies, represented by the leading-edge passive monitors Snort and Bro, against several categories of state-of-the-art IPv6 attacks. I model an IPv6 host-to-host intrusion across the Internet in a virtual test network by including benign background traffic and mimicking adverse network conditions. My results suggest that neither IDS philosophy is superior in all categories, and that a hybrid of the two, leveraging their respective strengths, would best secure a network against leading IPv6 vulnerabilities.



For more information contact: Jeremy Gin <jgin@utexas.edu>