Conference Paper

An Active Intrusion Detection System for LAN Specific Attacks.

DOI: 10.1007/978-3-642-13577-4_11 Conference: Advances in Computer Science and Information Technology, AST/UCMA/ISA/ACN 2010 Conferences, Miyazaki, Japan, June 23-25, 2010. Joint Proceedings
Source: DBLP

ABSTRACT Local Area Network (LAN) based attacks originate from compromised hosts in the network and mainly involve spoofing with falsified IP-MAC pairs. Such attacks are possible because the Address Resolution Protocol (ARP) is stateless. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, require patching the operating systems of all hosts, etc. In this paper we propose an Intrusion Detection System (IDS) for LAN specific attacks without any extra constraint such as static IP-MAC pairing or changes to ARP. The proposed IDS is an active detection mechanism in which every IP-MAC pair is validated by a probing technique. The scheme is successfully validated in a test bed, and the results also illustrate that the proposed technique adds minimally to the network traffic.

  • ABSTRACT: Spoofing with a falsified IP-MAC pair is the first step in most LAN-based attacks. Address Resolution Protocol (ARP) is stateless, which is the main cause that makes spoofing possible. Several network level and host level mechanisms have been proposed to detect and mitigate ARP spoofing, but each of them has its own drawbacks. In this paper we propose a Host-based Intrusion Detection System for LAN attacks, which works without any extra constraint like static IP-MAC, modifying ARP, etc. The proposed scheme is verified under all possible attack scenarios. The scheme is successfully validated in a test bed with various attack scenarios, and the results show the effectiveness of the proposed technique.
    06/2013; 3. DOI:10.5121/ijnsa.2011.3311
  • ABSTRACT: Ethernet is the survivor of the LAN wars. It is hard to find an IP packet that has not passed over an Ethernet segment. One important reason for this is Ethernet's simplicity and ease of configuration. However, Ethernet has always been known to be an insecure technology. Recent successful malware attacks and the move towards cloud computing in data centers demand that attention be paid to the security aspects of Ethernet. In this paper, we present known Ethernet related threats and discuss existing solutions from business, hacker, and academic communities. Major issues, like insecurities related to Address Resolution Protocol and to self-configurability, are discussed. The solutions fall roughly into three categories: accepting Ethernet's insecurity and circling it with firewalls; creating a logical separation between the switches and end hosts; and centralized cryptography based schemes. However, none of the above provides the perfect combination of simplicity and security befitting Ethernet.
    IEEE Communications Surveys & Tutorials 01/2013; 15(3):1477-1491. DOI:10.1109/SURV.2012.121112.00190 · 6.49 Impact Factor
  • ABSTRACT: Address resolution protocol (ARP) is widely used to maintain the mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, the current implementation is well known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of the ARP protocol, and past proposals to address the weaknesses of the "original" ARP design have been unsatisfactory. Suggestions that the ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware to be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing an anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. The agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented the agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.
    IET Communications 05/2012; 6(7):685-693. DOI:10.1049/iet-com.2011.0566 · 0.72 Impact Factor