Study on Machine Learning Models for IPv6 Address Lookup in Large Block Lists

The advent of the digital age has provided cybercriminals with easy access to sensitive information. A firewall with a blocklist of known malicious IP addresses is the most trusted barrier used by cyber-security experts. But, as the number of entries in the blocklist grows, the rate of traffic flow across exit routers is affected negatively. However, as the world continues to migrate from IPv4 to IPv6, the size of the IP block list is bound to grow many-fold due to an increase in the number of malicious devices/users, affecting lookup speed. In this paper, we explored various techniques of Machine Learning (ML) as a faster alternative to the current default conventional “Tries” as a lookup algorithm. Tries and ML models are trained using a large randomly sampled IPv6 blocklisL After selecting a small subset from a large blocklist, per query lookup-time distribution from different ML models was compared with per query lookup-time distribution obtained from “Tries”. For IPv6 address blocklist larger than 20K, we found that ML algorithms, specifically tree-based ML models like Decision Tree, were faster and more accurate than the traditional “Tries” approach. We also discovered that for queries with batch sizes of 1000 samples, “Tree-Based” ML models trained on blocklists ranging from 20K to 500K took between 1.4-1.6 milliseconds, compared to 1.5-22.14 milliseconds for the traditional “Tries” based IP lookup approach when trained on the same training datasets. As a result, the Decision Tree-based lookup approach achieves nearly 20 times faster lookup speed than the traditional “Tries” based approach. The findings can be applied to the development of faster block list processing firewalls for IPv6 networks.