LAN attack detection using Discrete Event Systems.
ISA Trans. 2011 Jan; 50(1):119-30.

Abstract

Address Resolution Protocol (ARP) is used for determining the link layer or Medium Access Control (MAC) address of a network host, given its Internet Layer (IP) or Network Layer address. ARP is a stateless protocol, and any IP-MAC pairing sent by a host is accepted without verification. This weakness in ARP may be exploited by malicious hosts in a Local Area Network (LAN) by spoofing IP-MAC pairs. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make the IP-MAC pairing static, modify the existing ARP, patch the operating systems of all the hosts, etc. In this paper we propose a Discrete Event System (DES) approach to an Intrusion Detection System (IDS) for LAN-specific attacks which does not require any extra constraint such as static IP-MAC pairs or changes to ARP. A DES model is built for the LAN under both normal and compromised (i.e., spoofed request/response) situations, based on the sequences of ARP-related packets. Sequences of ARP events in the normal and spoofed scenarios are similar, which would yield the same DES model for both cases. To create different ARP events under normal and spoofed conditions, the proposed technique uses active ARP probing; however, this probing adds extra ARP traffic to the LAN. A DES detector is then built to determine, from the observed ARP-related events, whether the LAN is operating under a normal or a compromised situation. The scheme minimizes the extra ARP traffic by probing the source IP-MAC pair of only those ARP packets which the detector has not yet determined to be genuine or spoofed. Spoofed IP-MAC pairs determined by the detector are also stored in tables to detect other LAN attacks triggered by spoofing, namely man-in-the-middle (MiTM), denial of service, etc. The scheme is successfully validated in a test bed.
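The abstract describes two mechanisms worth seeing in code: an ARP source pair is actively probed only while it is still unclassified (to cap the extra traffic the probing adds), and pairs found to be spoofed are kept in a table so that later attacks built on them, such as MiTM, can be recognised without re-probing. The following Python is an added illustration written for this page; it is not the authors' DES model or the test-bed code. The `SimLan` class, the event tuples, the host addresses and the attacker MAC are all constructed stand-ins, and the verdict rule (a probed IP answered by more than one MAC, or by a MAC other than the one claimed, marks the observed pair as spoofed) is a simplification of the sequence-based detector the paper builds.

```python
from collections import defaultdict

GENUINE, SPOOFED, UNVERIFIED = "genuine", "spoofed", "unverified"


class SimLan:
    """Constructed stand-in for one LAN segment (not a real network).

    `hosts` is the true ip -> mac mapping. If `attacker_mac` is given, that
    MAC also answers probes for every IP in `spoofed_ips`, which is what a
    detector would observe while a host is spoofing those pairs.
    """

    def __init__(self, hosts, attacker_mac=None, spoofed_ips=()):
        self.hosts = dict(hosts)
        self.attacker_mac = attacker_mac
        self.spoofed_ips = set(spoofed_ips)
        self.probe_count = 0  # extra ARP requests the detector has sent

    def probe(self, ip):
        """Send one ARP request for `ip`; return every (ip, mac) reply seen."""
        self.probe_count += 1
        replies = []
        if ip in self.hosts:
            replies.append((ip, self.hosts[ip]))
        if self.attacker_mac and ip in self.spoofed_ips:
            replies.append((ip, self.attacker_mac))
        return replies


class ArpDetector:
    """Classifies the source IP-MAC pair of each observed ARP packet."""

    def __init__(self, lan):
        self.lan = lan
        self.genuine = {}                # ip -> mac verified by a probe
        self.spoofed = defaultdict(set)  # mac -> set of IPs it falsely claimed
        self.alerts = []

    def _cached(self, ip, mac):
        # Pairs already classified are not probed again (traffic minimisation).
        if self.genuine.get(ip) == mac:
            return GENUINE
        if ip in self.spoofed.get(mac, ()):
            return SPOOFED
        return None

    def observe(self, event):
        """event = (kind, src_ip, src_mac); kind is "REQ" or "RSP"."""
        kind, ip, mac = event
        verdict = self._cached(ip, mac)
        if verdict is not None:
            return verdict
        responders = {m for _, m in self.lan.probe(ip)}
        if not responders:
            # Nobody owns the IP right now; do not cache, re-check next time.
            return UNVERIFIED
        if responders == {mac}:
            self.genuine[ip] = mac
            return GENUINE
        # Either another MAC answered for this IP, or several MACs did:
        # the claimed pair conflicts with what the LAN reports.
        self.spoofed[mac].add(ip)
        self.alerts.append(
            f"spoofed {kind} from {ip} claimed by {mac}; "
            f"other responders: {sorted(responders - {mac})}"
        )
        return SPOOFED

    def mitm_suspects(self):
        """MACs that spoofed two or more IPs: the pattern of sitting between
        both ends of a conversation."""
        return sorted(m for m, ips in self.spoofed.items() if len(ips) >= 2)


def run_demo():
    # Constructed segment: three genuine hosts, one attacker spoofing two of them.
    hosts = {
        "10.0.0.1": "aa:aa:aa:00:00:01",
        "10.0.0.2": "aa:aa:aa:00:00:02",
        "10.0.0.3": "aa:aa:aa:00:00:03",
    }
    lan = SimLan(hosts, attacker_mac="de:ad:be:ef:00:01",
                 spoofed_ips={"10.0.0.1", "10.0.0.2"})
    det = ArpDetector(lan)
    events = [  # constructed ARP event stream as a sniffer would see it
        ("REQ", "10.0.0.3", "aa:aa:aa:00:00:03"),  # genuine, probed once
        ("RSP", "10.0.0.1", "de:ad:be:ef:00:01"),  # attacker claims .1
        ("REQ", "10.0.0.3", "aa:aa:aa:00:00:03"),  # cached, no probe
        ("RSP", "10.0.0.2", "de:ad:be:ef:00:01"),  # attacker claims .2
        ("RSP", "10.0.0.1", "de:ad:be:ef:00:01"),  # cached spoofed, no probe
        ("RSP", "10.0.0.9", "aa:aa:aa:00:00:09"),  # nobody answers the probe
    ]
    verdicts = [det.observe(e) for e in events]
    return verdicts, lan.probe_count, det.mitm_suspects()


if __name__ == "__main__":
    print(run_demo())
```

Six observed packets cost four probes here, because the two repeats hit the genuine and spoofed tables. The conflict rule flags the pair being checked but does not by itself settle which responder is the real owner; that is the kind of ambiguity the abstract's sequence-based DES detector is designed to resolve, and this sketch only shows where the tables and the probe budget enter.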

Authors

Neminath Hubballi, Santosh Biswas, S. Roopa, Ritesh Ratti, Sukumar Nandi

Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati 781039, India. neminath@cse.iitg.ernet.in

Pub Type(s)

Journal Article

Language

eng

PubMed ID

20804980

Citation

Hubballi, Neminath, et al. "LAN Attack Detection Using Discrete Event Systems." ISA Transactions, vol. 50, no. 1, 2011, pp. 119-30.
Hubballi N, Biswas S, Roopa S, et al. LAN attack detection using Discrete Event Systems. ISA Trans. 2011;50(1):119-30.
Hubballi, N., Biswas, S., Roopa, S., Ratti, R., & Nandi, S. (2011). LAN attack detection using Discrete Event Systems. ISA Transactions, 50(1), 119-30. https://doi.org/10.1016/j.isatra.2010.08.003
Hubballi N, et al. LAN Attack Detection Using Discrete Event Systems. ISA Trans. 2011;50(1):119-30. PubMed PMID: 20804980.
TY - JOUR
T1 - LAN attack detection using Discrete Event Systems.
AU - Hubballi,Neminath
AU - Biswas,Santosh
AU - Roopa,S
AU - Ratti,Ritesh
AU - Nandi,Sukumar
PY - 2010/02/28/received
PY - 2010/08/07/revised
PY - 2010/08/08/accepted
PY - 2010/9/1/entrez
PY - 2010/9/2/pubmed
PY - 2011/4/1/medline
SP - 119
EP - 30
JF - ISA transactions
JO - ISA Trans
VL - 50
IS - 1
SN - 1879-2022
UR - https://www.unboundmedicine.com/medline/citation/20804980/LAN_attack_detection_using_Discrete_Event_Systems_
L2 - https://linkinghub.elsevier.com/retrieve/pii/S0019-0578(10)00071-6
DB - PRIME
DP - Unbound Medicine
ER -