Machine and deep learning techniques for detecting internet protocol version six attacks: a review

ABSTRACT


INTRODUCTION
The exponential growth of internet users and applications increases the demands for internet-facing devices that require unique publicly accessible IP addresses, resulting in the internet protocol version 4 (IPv4) addresses pool being depleted. The main reason for this exponential growth is the proliferation of numerous information and communication technologies (ICTs), such as cloud computing, the internet of things (IoT), and wireless technology applications. As a result, internet protocol version 6 (IPv6) was engineered and positioned as the next-generation IP to replace IPv4 in the future and solve the IPv4 address exhaustion issue. According to Google IPv6 adoption data from January 17, 2022, 34.31% of Google users use the IPv6 protocol [1].

OVERVIEW OF IPv6
IPv6 is a network layer protocol that follows the OSI model standard. However, the IPv6 design differs from the IPv4 in terms of address size (32-bit vs. 128-bit), packet header format, address format, and other features, such as mobility, handling the quality of service whenever required, and end-to-end connectivity, which outperforms the IPv4. Besides, some levels of enhanced security in IPv6 are built into the IPv6 stack, such as the internet protocol security (IPSec) protocol support, unlike IPv4. Unfortunately, IPv6 is still vulnerable to attacks even with the new features.
Nevertheless, due to the much larger address space, probing all IPv6 addresses in the network is impractical for attackers compared to IPv4. However, attackers can leverage some specific IPv6 features for exploitation. For example, sending a spoofed packet to the all-router multicast group (FF02::2) allows attackers to discover routers in the network since all routers will respond with a reply, which exposes their presence [11].
IPv6 introduces two new essential protocols, ICMPv6 and neighbor discovery protocol (NDP). ICMPv6 messages consist of error messages and information messages. ICMPv6 error messages' codes range from 1 to 127, and ICMPv6 information messages' codes range from 128 to 255. The NDP, a subset of ICMPv6, depends on five ICMPv6 information messages for its operation. ICMPv6 is a mandatory part of the IPv6 protocol responsible for many crucial functions, including enabling IPv6 nodes in an IPv6 network to discover their neighbors via the duplicate address detection (DAD) process. DAD is vital to the Stateless address auto-configuration (SLAAC) function, allowing IPv6 nodes to assign unique IPv6 addresses to their network interfaces. Additionally, it supports other crucial features, such as address resolution and identifying the path maximum transmission unit (PMTU). Regrettably, these core features prioritize functionality over security, resulting in adversaries being able to easily perform DoS and DDoS attacks by exploiting the ICMPv6 messages [14].

OVERVIEW OF DoS AND DDoS
DoS and DDoS flooding attacks are the most common attacks on IPv6 and IPv4 networks, which could have a destructive impact on the networks. Attackers typically gain control of some infected nodes (called bots) within the local network first before executing DoS or DDoS attacks. Attackers inject a large amount of malicious traffic into the network or send them toward the targeted victim until all available network bandwidth or the victim's computational resources are consumed. In addition, attackers may also inundate the network with spoofed packets from multiple infected nodes to flood the victims' network and servers. The significant difference between a DoS and a DDoS is that the former is triggered from a single source, while the latter involves multiple sources. Figure 1 (see in appendix) illustrates the difference between DDoS and DoS attacks.

INTRUSION DETECTION SYSTEMS
Anomaly-based techniques are the most efficient for building sophisticated IDS models by automating the process and creating a practical detection system while reducing human intervention and efforts [15], [16]. In addition, those AIDSs build a robust model by monitoring traffic behaviors based on packet features. In anomaly-based techniques, the classification is based on heuristics or rules rather than patterns or signatures and attempts to detect any abnormality that falls out of regular system operation [17]. The IDS must be strategically placed in the network to detect attacks by collecting and monitoring network traffic. After collecting network data and monitoring the traffic, the IDS will analyze the packets to detect possible threats. Researchers have formulated two different classifications of the IDS model: SIDS and AIDS [18]. SIDS depends on a pre-defined signatures database [19], making it unable to identify attacks  [6]. Therefore, detecting zero-day attacks is impossible for SIDS without the pre-defined signatures in its database [20]. On the other hand, unlike the signature-based model, AIDS does not rely on a pre-defined signatures database but detects the anomalies in the network traffic behaviors [21].
AIDS detects unknown attacks from the anomaly in the network traffic behavior [9]. AIDS could either be programmed or self-learning. Developing a self-learning AIDS involves creating a model for the basic processes using the assigned network traffic aggregated over a specified duration [22]. At the same time, the programmed IDS model works in a system that requires an admin or third party to train the model to detect behavioral changes. In other words, the user is the one that defines the acceptable level for the system's abnormal behavior [23]. Table 2 shows the differences between SIDS and AIDS. There are many techniques employed in AIDS, but ML and DL techniques are among the most efficient and widely used to detect attacks in IPv4 and IPv6 networks. Therefore, this work focuses on the review of AIDS based on ML and DL techniques. It efficiently detects zero-day attacks. It is easy to implement, deploy, and update.
Allow for the detection of privilege abuse. For known attacks, the false positive rate (FPR) is low.
Operating system (OS) agnostic. High detection AC and low false alarm rate (FAR). Disadvantages Unable to detect new attacks "zero-day." It is challenging to stay alert at the right time. It is challenging to keep attack patterns up to date.
There is unavailability when behavior profiles are being rebuilt (retrained). Keeping track of attack patterns takes much time.

ML-based IDS
Most researchers utilize ML for two primary purposes. First, feature selection reduces the chosen dataset's dimensionality. Second, classifying data as normal or abnormal [16]. ML techniques can detect abnormal attributes within a specified time interval and efficiently distinguish normal and abnormal traffic without human intervention [24], [25]. The following subsections discuss the most common ML techniques adopted in IDS, including some state-of-the-art IDSs that adopted these ML techniques. Figure 2 illustrates the ML-based IDSs techniques used in the reviewed studies.

Naïve Bayes
Naïve Bayes (NB) is the most straightforward technique for building classifiers based on Bayesian networks to execute the classification process. First, the classifiers specify class labels into problem cases; then represent feature values' vectors. Finally, the class labels will be drawn depending on specific sets [12]. The following are some approaches that employ NB techniques in their systems.
Fadlil et al. [26] proposed a DDoS attack detection approach by statistically analyzing network traffic using NB, achieving significant results in detecting DDoS attacks before it happens. Their approach works by finding network packets' average and standard deviation. Another group of researchers led by Vijayasarathy et al. [27] also used the NB classifier for DDoS attack detection. They had done network  [28] proposed an NB-based approach to detect IPv6 covert channels used by adversaries to circumvent detection by firewalls or IDS. Adversaries create covert channels by sending malicious data to the target using unused flags or bits. The proposed approach used ten extracted features from the traffic in the classification stage: flow label, traffic class, hop limit, source addresses, payload length, ICMPv6 code, ICMPv6 type, ICMPv6 payload, next header, and reserve bit. The authors evaluated their proposed approach using a self-generated dataset and several attacking tools, achieving 94.55% detection accuracy. The high AC is due to the features used related to the targeted attacks. However, this research only detects IPv6 covert channels and does not include DoS and DDoS attacks.

Support vector machine (SVM)
Sain [29] developed the SVM algorithm at AT&T Bell Laboratories in the early 90s. Since then, it has been widely used in network security to detect DDoS attacks with satisfactory results. Consequently, it attracted the attention of many researchers, especially those working with ML-based IDS, for its classification and regression performance [30]. First, the SVM method constructs a set of training examples; then classifies everything into two categories. Finally, it generates a prediction model to classify new samples into one of the two categories.
Many mechanisms utilize the SVM technique in their systems. Subbulakshmi et al. [31] created a dataset comprising DDoS attack traffic. Then, the authors worked on detecting the attacks using enhanced SVM (ESVM), followed by detecting the attacks into different classes using the enhanced multi-class SVM (EMCSVM). Then, SVM evaluates the activity of EMCSVM. Meanwhile, [32] used the SVM classification algorithms to build a DDoS attack detection model, achieving an average AC rate of 95.24% by utilizing only a small amount of collected flows.
Zulkiflee et al. [33] utilized SVM to detect several IPv6 attacks by identifying a set of features most relevant to the attacks they wish to detect, such as the flood router attack. Flood router attack is a type of DoS flooding attack that exploits ICMPv6 RA messages. They detect this attack using a set of five features: Src IP, Src Port, Dst Port, time interval, and protocol. Then, using these features, the SVM algorithm was applied to a real-world traffic dataset to detect the attacks, achieving an average detection AC rate of 99.95%, indicating that SVM is a good classifier and the strength of the chosen features. Meanwhile, Anbar et al. [3] performed feature selection using principal component analysis (PCA) and Information gain ratio (IGR) in their proposed technique. Then, they used an SVM-based predictor model to detect RA flooding attacks, achieving a 98.55% detection AC and only 3.3% FPR using a realistic dataset, indicating their proposed technique's effectiveness in RA flooding attack detection.

Decision tree (DT)
The DT algorithm is a simple technique but one of the most commonly used ML and data mining techniques. Its ability to perform decision analysis [12] makes it suitable as a protective mechanism to observe a category and conclude the category-targeted value. Also, it can represent decisions and make a decision explicitly. This algorithm relies on a learned dataset whenever new data needs to be classified. In other words, it classifies data according to the previously learned dataset [34]. Several mechanisms make use of the DT technique in their systems. For example, Zekri et al. [35] designed a DT-based model for detecting DDoS flooding attacks automatically and effectively using their attack signatures. They used this and the C4.5 algorithms to reduce DDoS attacks, achieving an ideal classification with 98.8% accuracy. Also, another mechanism by Pydipalli et al. [36] can learn DDoS attack patterns using both signature-based and anomaly-based detection approaches to reap the benefit of both. After the pre-processing step, they performed the training set classification using the C4.5 DT algorithm, achieving a high AC rate of 99.93% in detecting DDoS attacks.

Artificial neural network (ANN)
In 1943, McCulloc and Pitts introduced a set of simple neurons in an ANN to perform computational tasks. The neurons behave like biological networks by replicating the biological neurons' functionality [37]. Afterward, researchers develop neural networks for decision-making applications, such as real-time cyber-attack detection. For example, Saad et al. [38] employed the back-propagation neural network (BPNN) algorithm, an ML technique, for DDoS attack detection in IPv6 networks. They first ranked and selected a set of features using IGR and PCA before applying BPNN. After using 80% of the dataset for BPNN training, they used the remaining dataset for testing, achieving 98.3% detection AC. In addition, seven researchers led by Hodo et al. [39] used ANN to design a paradigm to analyze threats in IoT network traffic, focusing on classifications of legitimate threat patterns on IoT networks and achieving a very high detection AC of 99.4%.

K-mean clustering
K-mean clustering is a technique to group a dataset into K groups. This algorithm determines K initial cluster centers in a dataset and then refines them by each case joining its closest cluster center. After that, each cluster center updates its cases' average [12]. Several approaches employ the K-mean clustering technique in their systems. For example, Hao et al. [40] created a detection model to detect DDoS attacks of undetermined sessions, achieving efficient detection rates (DRs) of DDoS attacks with a reasonable AC rate of 86%. Additionally, Putri et al. [41] used the clustering algorithm of K-means in their proposed approach to detect DDoS attacks, achieving a high AC rate of 97.83% and a DR of 98.63%. Promisingly, on WEKA tools, the obtained results are higher for both AC rate (99.69%) and DR (99.01%).

Fuzzy logic (FL)
The FL technique is derived from fuzzy set theory, which deals with approximation rather than precision based on the traditional predicate logic [12]. One of the attractive features of this technique is the handling of real-life uncertainty, making anomaly detection more efficient. Several works use FL algorithms in their systems. For example, Iyengar et al. [42] designed a fuzzy logic model based on pre-defined rules that recognize malicious DDoS packets from regular traffic and then perform suitable procedures to mitigate them. In addition, Balarengadurai and Saraswathi [43] used the FL algorithm to create a mechanism to detect and predict DDoS attacks in IEEE 802.15.4 environment. Their fuzzy-based detection and prediction system (FBDPS) mitigates DDoS attacks by checking each sensor node's energy consumption. FBDPS classifies a node as malicious if it consumes an abnormal amount of energy. Moreover, FBDPS can differentiate DDoS attack types based on the malicious node's energy consumption rate.
Yao et al. [44] proposed an anomaly-based detection algorithm using the fuzzy technique to detect NDP-based attacks. The evaluation results using real-world network data from the CERNET2 backbone revealed that the approach could detect attacks with high detection AC and low false rates. However, the dataset's malicious and normal traffic data were from two different sources that might produce a biased result. Meanwhile, Saad et al. [45] developed an approach based on fuzzy techniques for detecting ICMPv6 echo flooding attacks with high AC and low root means square error (0.26). They evaluated their proposed approach using a real-world dataset comprising 2,000 normal and abnormal network traffic records. However, the work lacks important data, such as information on the testbed, attacking tools, false alarm rate, and detection AC.

Genetic algorithms (GA)
Genetic algorithm is based on evolutionary principles and is one of the most used ML techniques, utilizing biological evaluation to solve different optimization problems [46]. A normal behavior profile is created as a baseline to learn from and compare with unknown patterns to make decisions using a genetic strategy. Many IDS use this algorithm to develop the rules to detect attack patterns.
Many researchers utilize GA in their systems, like Chaudhary and Shrimal [47], who used GA in their proposed model to detect DDoS attacks in mobile ad-hoc networks (MANETs), achieving an 85% DR, an acceptable result for detecting DDoS attacks. Meanwhile, Mizukoshi and Munetomo [48] utilized GA to design a scalable real-time traffic analysis model to detect dan prevent DDoS attacks on a distributed Hadoop infrastructure, achieving outstanding results on the WITZ (96%) and DARPA (98%) datasets. However, the authors only measured the accuracy, not other evaluation metrics like recall, precision, and the F1-Score. Table 3 summarizes the related works on ML-based IDS.

DL-based IDS
This section describes DL-based IDS. DL is an advanced branch of ML in the learning process since it mimics multiple layers of neurons [49]. Figure 3 illustrates the two main classes of DL-based techniques. As shown in Figure 3, there are two types of DL techniques. First, the generative architecture (or unsupervised) represents the given systems in a graphical representation. These visual models depict dependence for distribution. These graphs consist of nodes and arcs. The nodes represent random variables, while arcs represent the relationship between nodes with millions of parameters [50]. Then, the common statistical distribution represents the products of the nodes and their related variables [51]. Also, hidden variables cannot be observed in the graphical models. The training of generative models does not depend on the labels of data. Instead, these models go through a pre-training stage (unsupervised learning) for classification purposes. The lower layers have been trained separately from the other layers through a pretraining stage, allowing the different layers to be trained layer by layer from bottom to up. After that, all the other layers will be trained after pre-training. The generative architecture has four sub-classes: Recurrent neural network (RNN), deep Boltzmann machine (DBM), deep auto-encoder (DAE), and deep belief networks (DBN). The second type of DL is discriminative architecture (DA). This architecture classification depends on the discriminative power by characterizing the posterior distributions of conditioned classes from  Kabla) 5623 the input data [12]. The discriminative architecture has two sub-classes: RNN and convolutional neural network (CNN). The following subsections provide more details for these sub-classes with related works.  Figure 3. Taxonomy of deep learning techniques

Recurrent neural network
The RNN model is an architecture type with a feedback loop that links layer by layer and stores the last input's data to increase the reliability of the model [18]. This sub-class of deep generative networks can either be unsupervised or supervised. RNN has two types of architecture: i) Jordan RNN, like a feedback loop, connecting all neurons within one layer to the next, and ii) Elman RNN, which only has superficial feedback looping layer by layer. Due to its ability to store information [52], RNN can train with fewer input vectors but can still accurately classify normal and abnormal patterns. RNN can be trained as a discriminative model by pre-segmenting the training data and post-processing the output to transform it into labeled data. RNN uses its discriminative power for classification when the output is explicitly labeled with data in sequence with the input data sequence.
Several researchers use the RNN approach in their systems. For example, Kim et al. [53] utilized RNN with a long-short-term memory (RNN-LSTM) architecture to train IDS using KDD Cup '99, achieving higher accuracy and DRs than other IDS classifiers, i.e., 93% AC and 98.88% DR. Meanwhile, Tang et al. [52] utilized RNN for IDS in software define networking (SDN)-based networks, achieving an 89% detection accuracy using their proposed gated recurrent unit-RNN (GRU-RNN) when tested on the NSL-KDD dataset. Elejla et al. [54] proposed an approach to detect ICMPv6 DDoS flooding attacks using RNN, gated recurrent unit (GRU), and LSTM. They used an ensemble feature technique to select the significant features to detect ICMPv6 DDoS flooding attacks. In addition, the selected features were used as the input to train the DL training model (e.g., RNN, GRU, and LSTM). The authors used a synthetic dataset to evaluate their proposed technique and showed that LSTM outperformed the other two DL models in AC, recall, precision, and FPR.

Deep auto-encoder
The DAE is a generative model with several forms, including denoising and stacked auto-encoders [55]. It is also known as a "deep auto-encoder" because its model has multiple hidden layers. Generally, it has an input layer representing the sample data and two or more hidden layers to transform the features and map them into the output layer where the features would be reconstructed. Auto-encoder training results in a "bottleneck" structure because the hidden layer is more restricted than the input layer [56]. The following methods employ the DAE technique in their systems. Abolhasanzadeh et al. [57] proposed an approach based on a DAE to detect IPv4-based attacks by applying bottleneck features to reduce the big data dimensionality, increasing the efficiency of intrusion detection. The authors used the NSL-KDD dataset for evaluation, achieving good AC for real-world intrusion detection. In addition, Farahnakian and Heikkonen [58] proposed a DAE-based IDS and tested it using the KDD Cup '99 dataset, achieving significantly improved AC (96.53%) and DR (95.65%). Ujjan et al. [59] proposed sFlow and adaptive polling-based sampling with Snort IDS and a DL-based model to detect various DDoS attacks inside IoT networks with a very high detection AC of 95%. Meanwhile, Asad et al. [60] proposed a detection mechanism based on DNN that employs feed-forward back-propagation for accurate DDoS attack detection, achieving a very high detection AC of 98%.

Deep Boltzmann machine
The DBM is one of the generative architectures derived from the general (BM) machine. It is regarded as a good classifier when a substantial amount of unlabeled data is involved in training, followed by fine-tuning with labeled data. Although the DBM's units on the same layer are unconnected, there is a connection between the input and the hidden units, making DBM a unidirectional graphical model. Classic BM has a network of units based on arbitrary decisions to identify whether the states are off or on [55]. However, BM is time-consuming to train as it is a slow-processing algorithm. Reducing the DBM's hidden layers to a single layer result in a restricted Boltzmann machine (RBM). Many researchers use DBM in their systems. For example, Elsaeidy et al. [30] utilized deep RBM to extract effective and significant high-level features for detecting different DDoS attacks. Also, Imamverdiyev et al. [61] utilized the deep RBM model in their proposed DoS detection method tested on the NSL-KDD dataset.

Deep belief networks
DBN are created by stacking DBM with one or more hidden layers. The ability to learn training data's joint probability distribution without using labeled data puts the DBN in the generative probabilistic model category [12]. DBN can construct the models using either unsupervised pre-training or supervised fine-tuning techniques. The training aims to learn the weights between layers. Several works employed the DBN technique in the systems. For example, Xin and Wang [62] utilized the DBN algorithm to select the features layer by layer to reduce the dimensionality of features. Although the DBN is an unsupervised learning algorithm, it is more suited for use with a large amount of unlabeled data, making it a practical algorithm for network intrusion detection, as shown by the experimental results. Additionally, Alom et al. [63] utilized the DBN in their intrusion detection, achieving 97.5% AC in detecting and classifying attacks using the NSL-KDD dataset.

Convolutional neural network
CNN is a deep learning neural network for processing structured arrays of data such as images and is widely used in computer vision. Many applications based on natural language processing successfully use CNN [64]. Training the CNN is more straightforward than other connected networks since it has fewer parameters with a similar quantity of hidden units [63]. More clearly, CNN is biologically inspired and has a multi-layer perceptron. CNN architecture comprises the convolutional layer, the max-pooling (gathering) layer, and the fully connected layer. The max-pooling layer should follow each convolutional layer. Moreover, the last stage comprises many stacked max-pooling and convolutional layers in a neural network to create a fully-connected layer in a non-linear fashion [65].
Many researchers employ CNN in their systems. For example, Fan and Ling-zhi [66] used KDD Cup 99 to test their proposed CNN-based model, achieving a high DR of 97.7%. Meanwhile, Teyou and Ziazet [67] proposed an effective and flexible network-IDS (NIDS) that adopted CNN and tested with the NSL-KDD dataset, achieving a high detection rate of 99.97%. Also, Haider et al. [68] proposed a DL-based CNN ensemble solution to detect DDoS attacks in an SDN environment, achieving a high attack detection AC of 99.48%. Moreover, Liu et al. [69] implemented DL models in their proposed end-to-end attack detection approach that analyzes the payloads. Their proposed CNN-based payload classification approach (PL-CNN) and RNN-based payload classification approach (PL-RNN) for attack detection achieved 99.36% and 99.98% detection AC, respectively, when tested on the DARPA1998 dataset. This paper comprehensively covers the two main architectures of DL, generative architectures and discriminative architectures. Lately, many researchers have shown interest in utilizing DL techniques in IDS. Table 4 (see in appendix) summarizes the related work on DDoS IDS utilizing DL techniques.

DISCUSSION
The different protocol structure of IPv4 and IPv6 makes it almost impossible to create a generalized AIDS that concurrently detects both IPv4 and IPv6-based attacks. However, as shown in Tables 3 and 4, several AIDS have been proposed based on ML and DL techniques. Table 3 presents 19 ML-based AIDS, and the majority (13) are for IPv4 networks. SVM and FL algorithms are the two commonly used algorithms for detecting IPv4 and IPv6-based attacks. Meanwhile, the highest detection AC achieved by ML-based AIDSs for IPv4-based attacks is 99.93% (using a DT) and 99.95% for IPv6-based attacks (using SVM). At the same time, the lowest detection AC is 85% (using GA) and 94.55% (using NB) for IPv4 and IPv6, respectively. As for DL-based AIDS, Table 4 lists five proposed DL-based AIDS, but all five are for detecting IPv4 DDoS attacks. DBN is the most common DL algorithm used in AIDS to detect IPv4-based attacks, even though it achieved the lowest detection AC (73%) compared to CNN, which has the best detection AC for DL-based AIDSs (99.98%). However, it is worth noting that researchers typically evaluated their ML or DL-based AIDSs using self-generated datasets.

DIFFERENCES BETWEEN ML AND DL
ML and DL techniques are the best methods to build IDS detection models since they can reduce human efforts [16]. However, if it involves training a massive amount of network traffic from a high-speed network, DL-based IDS is the best choice [4]. Several key differences between ML and DL include structuring, model building duration, computational complexity, effectiveness in dealing with big data, and evaluation metrics, such as detection AC and dimensionality reduction quality. Highlighting these differences would help researchers select the most appropriate technique. Table 5 shows the differences between ML and DL, which could serve as a quick reference for researchers in the field. It automatically learns features and classifiers.
6. Usually, the output is a numerical value like a score. The output can vary from a score, an element, or text. 7. The input of ML algorithms should be in numerical form.
The input to the DL algorithms could be text, photo, sound, video, and signals. 8. It requires a shorter time to build a model. Require a longer time to build and train the model. 9. Suitable for thousands of data points.
Suitable for big data, i.e., millions of data points. 10. Less scalability.
Higher scalability. 11. ML has a low dependency on hardware computational resources.
DL is highly dependent and has a high consumption of hardware computational resources. 12. ML has learning limitations.
DL has no theoretical limit to what it can learn.

CONCLUSION AND FUTURE RESEARCH DIRECTIONS
ML and DL techniques have shown impressive results in solving problems in many research domains, including cybersecurity. Many researchers have adapted ML and DL techniques in AIDS to detect different IPv4 and IPv6-based attacks with high accuracy. Generally, ML and DL techniques are used as classifiers or for feature selection. However, some researchers use ML and DL techniques for both. This paper provides a qualitative comparison that benchmarks this review study with the existing studies. The benchmark reveals a lack of review studies on ML and DL used in AIDS. In addition, this paper presented a comprehensive review of the adaption of ML and DL techniques in AIDS for detecting IPv4 and IPv6 attacks, such as DoS and DDoS flooding attacks.
Moreover, this study revealed that ML and DL techniques significantly contribute to accurately detecting IPv4 and IPv6 attacks. However, ML techniques are more prevalent in IDS compared to DL techniques. Therefore, it is recommended that a review of ML and DL-based AIDS to detect attacks on SDN and IoT networks is conducted in the future. In addition, other techniques used in AIDS, such as statistical, rule-based, and information theory-based techniques, can also be reviewed. Finally, any literature studies on AIDS in the future should also include evaluation metrics based on detection AC, speed, and time since they are critical for evaluating detection techniques' performance.