An Active Intrusion Detection System for LAN Specific Attacks

Hubballi, Neminath; Roopa, S.; Ratti, Ritesh; Barbhuiya, Ferdous Ahmed; Biswas, Santosh; Sur, Arijit; Nandi, Sukumar; Ramachandran, Vivek

doi:10.1007/978-3-642-13577-4_11

Cited by 8 publications

(4 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Whenever ARP response packet is received and the cache needs to be updated, it compares against the correct IP -MAC address pairs and corrects the contents of the local ARP cache if they are different. Ramachandran and Nandi [15,16] checked inconsistencies of the addresses advertised by ARP request and TCP SYN packets. In order to build reliable IP -MAC pairs, they used the IP -MAC address advertised by ARP messages to build TCP SYN packets.…”

Section: Host-based Approachesmentioning

confidence: 99%

“…They maintain IP -MAC addresses of the ARP cache, periodically compare if changes have been made to the ARP cache, and alert administrators if necessary. These tools are cheaper than switches with port security but have slower response time compared to switches [16]. Furthermore, false alarms occur when genuine IP (or MAC) address changes occur.…”

Section: Server-based Approachesmentioning

confidence: 99%

See 1 more Smart Citation

ASA: agent-based secure ARP cache management

Kim

Hong

et al. 2012

IET Commun.

View full text Add to dashboard Cite

Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, current implementation is well-known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the 'original' ARP design have been unsatisfactory. Suggestions that ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. Agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.

show abstract

Section: Host-based Approachesmentioning

confidence: 99%

Section: Server-based Approachesmentioning

confidence: 99%

ASA: agent-based secure ARP cache management

Kim

Hong

et al. 2012

IET Commun.

View full text Add to dashboard Cite

show abstract

“…Let there be a single malicious host m in the LAN having IP-MAC pair IP(m)-MAC(m). 2 . It is assumed that Authenticated and Spoofed tables are empty.…”

Section: Theoremmentioning

confidence: 99%

“…Various mechanisms have been proposed to detect and mitigate these ARP attacks at both the host-level and network-level. In [2], a literature review on network based IDS for detecting ARP spoofing attacks with their drawbacks have been discussed. The authors also present a new network based IDS to detect such spoofing attacks and highlights how many of the drawbacks are eliminated.…”

Section: Introductionmentioning

confidence: 99%