PhD Defense by Grant Williams

Title: Methods and Systems for IPv6 Security Measurement

Date: Thursday, July 9th (7/9), 2026

Time: 1:00PM-3:00PM ET

Location: Coda C1315 (Grant Park)

Zoom: https://gatech.zoom.us/j/92774415705?pwd=prEHbNJP6joPOcb4e43gWsrWC0LPX0.1

 

Grant Williams

Computer Science Ph.D. Candidate

School of Cybersecurity and Privacy

College of Computing

Georgia Institute of Technology

https://grantqwilliams.com

 

Committee:

Dr. Frank Li (co-advisor), SCP, Georgia Institute of Technology

Dr. Cecilia Testart, SCP, Georgia Institute of Technology

Dr. Alberto Dainotti, SCS/SCP, Georgia Institute of Technology

Dr. Liz Izhikevich, Electrical and Computer Engineering, University of California Los Angeles

Dr. Paul Pearce (co-advisor), School of Information and Computer Sciences, University of California Irvine

 

Abstract:

IPv4 Internet scanning transformed Internet security, enabling a diverse set of tasks ranging from tracking botnets to analyzing cryptographic vulnerabilities. These advances did not directly extend to IPv6 because of the vast scale of its address space. Security scanning measurements routinely ignored IPv6, as researchers lacked the ability to exhaustively scan the IPv6 address space. Target Generation Algorithms (TGAs) were proposed to enable IPv6 scanning-based measurement, but such methods have significant limitations and have not been extensively evaluated or applied broadly to Internet security scans. Our work addresses these challenges by building and evaluating multiple IPv6 scanning systems, exploring metrics and seed datasets for use in evaluating these systems, and deploying these artifacts for use in security evaluations.

 

First, we develop 6Sense, an online deep-learning approach for finding responsive IPv6 addresses based on domain knowledge of address structure. We then propose a set of metrics for evaluating IPv6 scanning approaches and show that 6Sense identifies over 3.6x more hosts and 4x more end-site assignments than prior approaches. We deploy 6Sense for IPv6 security measurements across the Internet: exploring TLS certificates, surveying open ports, and quantifying security-sensitive services. Second, we explore how input datasets affect what IPv6 scanning systems are able to find. We determine how to optimize the number and quality of discovered addresses by filtering these datasets for responsiveness and network characteristics.

 

Unfortunately, exploring based on a single IPv6 dataset is not enough to get a comprehensive picture of IPv6 security. To perform a large-scale security measurement, we build Discovery6, a combined generative system incorporating reinforcement-learning, ICMP-error-message-based discovery (Periphery6), generative scanning (using 6Sense and 6Tree), and seed collection (from traceroutes and domain names). We collect an IPv6 dataset of over 19M IPv6 addresses with over 35M responses across 41 TCP ports. We add IPv6-based protocol fingerprinting with MRI (an IPv6-based protocol detection mechanism based on LZR). We explore security applications using these new datasets and methods, showing the lack of firewalls in IPv6, differences between IPv4 and IPv6 in unexpected protocols on TCP, and security concerns in DNS, TLS, and SSH.

 

All told, we build methods and systems for enabling IPv6 Internet scanning and allowing comparable security measurements on IPv6 to those deployed on IPv4.

Status

  • Workflow status: Published
  • Created by: Tatianna Richardson
  • Created: 06/25/2026
  • Modified By: Tatianna Richardson
  • Modified: 06/25/2026
