Conference Paper

An Active Intrusion Detection System for LAN Specific Attacks.

DOI: 10.1007/978-3-642-13577-4_11
Conference: Advances in Computer Science and Information Technology, AST/UCMA/ISA/ACN 2010 Conferences, Miyazaki, Japan, June 23-25, 2010. Joint Proceedings
Source: DBLP

ABSTRACT Local Area Network (LAN) based attacks are due to compromised hosts in the network and mainly involve spoofing with falsified IP-MAC pairs. Since Address Resolution Protocol (ARP) is a stateless protocol, such attacks are possible. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, patch operating systems of all the hosts, etc. In this paper we propose an Intrusion Detection System (IDS) for LAN specific attacks without any extra constraint like static IP-MAC, changing the ARP, etc. The proposed IDS is an active detection mechanism where every IP-MAC pair is validated by a probing technique. The scheme is successfully validated in a test bed, and results also illustrate that the proposed technique minimally adds to the network traffic.

  • ABSTRACT: The function of Address Resolution Protocol (ARP) is critical in local area networking as well as for routing Internet traffic across gateways. ARP, being a stateless protocol, is prone to various attacks such as ARP spoofing, ARP flooding and ARP poisoning. This work discusses an efficient, scalable implementation of an Intrusion Detection System (IDS) with active detection, to detect ARP spoofing, flooding and related attacks like Man-in-the-Middle (MiTM) and Denial-of-Service (DoS), etc.
    12/2010: pages 258-267;
  • ABSTRACT: Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, the current implementation is well known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the 'original' ARP design have been unsatisfactory. Suggestions that the ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require that customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing an anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. The agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.
    IET Communications 05/2012; 6(7):685-693. DOI:10.1049/iet-com.2011.0566 · 0.74 Impact Factor