Conference Paper

An Active Intrusion Detection System for LAN Specific Attacks

DOI: 10.1007/978-3-642-13577-4_11
Conference: Advances in Computer Science and Information Technology, AST/UCMA/ISA/ACN 2010 Conferences, Miyazaki, Japan, June 23-25, 2010. Joint Proceedings
Source: DBLP


Local Area Network (LAN) based attacks are due to compromised hosts in the network and mainly involve spoofing with falsified IP-MAC pairs. Such attacks are possible because the Address Resolution Protocol (ARP) is a stateless protocol. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, patch the operating systems of all the hosts, etc. In this paper we propose an Intrusion Detection System (IDS) for LAN-specific attacks without any extra constraint such as static IP-MAC pairing, changes to ARP, etc. The proposed IDS is an active detection mechanism in which every IP-MAC pair is validated by a probing technique. The scheme is successfully validated in a test bed, and the results also illustrate that the proposed technique adds minimally to the network traffic.

  • ABSTRACT: The function of the Address Resolution Protocol (ARP) is critical in local area networking as well as for routing Internet traffic across gateways. ARP, being a stateless protocol, is prone to various attacks such as ARP spoofing, ARP flooding and ARP poisoning. This work discusses an efficient, scalable implementation of an Intrusion Detection System (IDS) with active detection, to detect ARP spoofing, flooding and related attacks like Man-in-the-Middle (MiTM), Denial-of-Service (DoS), etc.
    Chapter · Dec 2010
  • ABSTRACT: Most LAN-based attacks involve the spoofing of the victim host with falsified IP-MAC pairs. MAC spoofing is possible because of the stateless nature of the Address Resolution Protocol (ARP), which is responsible for resolving IP addresses to MAC addresses. Several mechanisms have been proposed to detect and mitigate ARP spoofing attempts both at the network level and at the host level, but each of them has its own drawback. In this paper we propose a host-based Intrusion Detection System for LAN attacks which works without any extra constraint like static IP-MAC, modifying ARP, etc. The scheme is successfully validated in a test bed with various attack scenarios, and the results show the effectiveness of the proposed technique.
    Article · Jan 2011
  • ABSTRACT: Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, the current implementation is well known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the 'original' ARP design have been unsatisfactory. Suggestions that the ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing an anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. The agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.
    Article · May 2012 · IET Communications