Archive/A Dual-Model Framework for Detecting IPv4 Fragmentation-Consistent Traffic Patterns in Flow-Level Datasets
A Dual-Model Framework for Detecting IPv4 Fragmentation-Consistent Traffic Patterns in Flow-Level Datasets
Maksim Iavich, Vladimer Svanadze
16 de julho de 2026
en

Abstract

IPv4 fragmentation attacks, including tiny fragment injection, teardrop offset manipulation, and fragment flooding exploit the RFC 791 reassembly process to evade firewalls and network intrusion detection systems (NIDSs). Detection is challenging because widely used flow-level datasets (UNSW-NB15, CIC-IDS2017), lack the packet-level fragment header information required for direct RFC 791 validation. This study investigates whether fragmentation-related traffic can be identified using only flow-level statistical features. The proposed framework introduces four contributions: (1) a direction-corrected proxy labeling scheme, where flows are labeled as fragmented when CVL < 0.70, validated on a controlled 3000-flow Scapy dataset with F1 = 0.873 and ROC-AUC = 0.895 against verified packet-level ground truth; (2) a dual-model Random Forest architecture with feature separation to prevent circular self-prediction; (3) RFC 791-inspired statistical heuristics applied as a post-inference filter; and (4) a six-configuration ablation study with a reproducible protocol. The study distinguishes fragmentation-like statistical signatures from confirmed packet-level fragmentation. The benchmark model Mfrag achieves F1 ≈ 0.998 on synthetic data, while external PCAP validation yields F1 = 0.873. Unlike most flow-level NIDS research, the framework is validated against both controlled Scapy-generated traffic and the MAWI real-world backbone trace, establishing a practical performance bound (F1 = 0.82 for the full hybrid framework). The attack classification model Mattack achieves F1 = 0.974 on dataset-provided labels. Results show that flow-level analysis can provide useful indicators of fragmentation-related activity when packet-level evidence is unavailable, while highlighting the limitations of statistical detection.

IPC Classification

G06H04

Keywords

dual-modelframeworkdetectingipv4fragmentation-consistenttrafficpatternsflow-leveldatasetsnetworkfragmentationattacksincludingtinyfragmentinjectionteardropoffsetmanipulationfloodingexploitreassemblyprocessevade
Referencie esta publicação

€ 4.00