
IDS for ARP spoofing using LTL based discrete event system framework

  • Research Article
  • Published in: Networking Science

Abstract

An Intrusion Detection System (IDS) is hardware or software that monitors network or host activity to detect malicious behavior. Certain attacks neither change the syntax or sequence of network traffic nor cause any statistical deviation, so they are difficult to detect with signature-based or anomaly-based IDSs. Active Discrete Event System (DES) based IDSs have recently been proposed for such attacks. These IDSs send probe packets so that the sequence of events observed under attack differs from the sequence observed under normal conditions. Normal and attack behavior are then specified as DES models, and a detector is designed. The detector is the IDS: it observes sequences of events and decides whether the states through which the DES traverses correspond to the normal or the attack model. Modeling normal and attack behavior as DESs is a manual, error-prone process, so the correctness of the resulting IDS cannot be guaranteed. To address these issues of the traditional DES framework, a Linear-time Temporal Logic (LTL) based DES framework has been proposed in the literature; it provides a paradigm for stating system specifications, modeling, constructing the detector and checking its correctness. Moreover, its detector design procedure has polynomial time complexity in the number of system states, compared with the exponential complexity of the traditional framework. In this paper the LTL based DES framework is suitably adapted and applied to develop an IDS for detecting Address Resolution Protocol (ARP) spoofing attacks. Experimental results show that a high detection rate and accuracy can be achieved with minimal resource overhead.
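The abstract describes the active DES idea only in outline: a probe is sent after an ARP reply so that the event sequences seen under normal and attack conditions diverge, and a detector walks those sequences to a normal or attack state. The following Python block is an added illustration written for this page; it is not the paper's DES models, detector construction or code. It assumes a constructed event encoding (`arp_reply`, `probe_sent`, `probe_response`, `timeout`), a hypothetical `State` enum and `Detector` class, and a toy network described by an `owners` map that says which MACs answer a probe for a given IP. The probe itself is simulated rather than put on the wire.

```python
"""Toy active discrete-event detector for ARP spoofing.

Constructed illustration, not the paper's DES models or code. One detector
instance watches a single IP-to-MAC binding: when an ARP reply arrives it
asks for a probe to be sent to that IP (the active step), then classifies
the observed event sequence from the probe responses seen before a timeout.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional, Set, Tuple


class State(Enum):
    IDLE = auto()        # no binding under examination
    PROBING = auto()     # probe requested, collecting responses until timeout
    NORMAL = auto()      # sink: sequence matched the normal model
    ATTACK = auto()      # sink: sequence matched the attack model
    UNRESOLVED = auto()  # sink: no response at all, so no evidence either way


# Constructed event encoding: (name, ip, mac); mac is "" where not applicable.
Event = Tuple[str, str, str]


@dataclass
class Detector:
    state: State = State.IDLE
    claimed_mac: str = ""
    responders: Set[str] = field(default_factory=set)
    trace: List[Event] = field(default_factory=list)

    def step(self, event: Event) -> Optional[Event]:
        """Consume one event; return a probe event the detector wants sent, if any."""
        name, ip, mac = event
        self.trace.append(event)
        if self.state is State.IDLE and name == "arp_reply":
            # Remember the binding the reply asserts and request a probe to ip.
            self.claimed_mac = mac
            self.responders = set()
            self.state = State.PROBING
            return ("probe_sent", ip, "")
        if self.state is State.PROBING:
            if name == "probe_response":
                self.responders.add(mac)
                # A response from a MAC other than the claimed one is conclusive.
                if mac != self.claimed_mac:
                    self.state = State.ATTACK
            elif name == "timeout":
                if not self.responders:
                    self.state = State.UNRESOLVED  # silence is not proof of spoofing
                elif self.responders == {self.claimed_mac}:
                    self.state = State.NORMAL
                else:
                    self.state = State.ATTACK
        return None


def simulate(ip: str, claimed_mac: str, owners: Dict[str, List[str]]) -> State:
    """Drive the detector over a constructed network.

    owners maps an IP to the MACs that answer a probe for it: a genuine host
    gives one entry, while a spoofed binding typically produces answers from
    both the real host and the host that sent the forged reply.
    """
    det = Detector()
    probe = det.step(("arp_reply", ip, claimed_mac))
    if probe is not None:
        # Simulated network: every owner of ip answers the probe.
        for responder_mac in owners.get(ip, []):
            det.step(("probe_response", ip, responder_mac))
        det.step(("timeout", ip, ""))
    return det.state


if __name__ == "__main__":
    net = {"10.0.0.5": ["aa:aa:aa:aa:aa:aa"]}
    print(simulate("10.0.0.5", "aa:aa:aa:aa:aa:aa", net).name)  # NORMAL
    print(simulate("10.0.0.5", "bb:bb:bb:bb:bb:bb", net).name)  # ATTACK
```

The point the toy makes is the one the abstract relies on: without the probe, a forged ARP reply is a single well-formed packet that looks like any other, whereas after the probe the event sequence under attack (a response from a MAC other than the claimed one, or responses from two MACs) is structurally different from the normal sequence (exactly one response, from the claimed MAC). A silent host yields no evidence either way, which is why the toy keeps a separate `UNRESOLVED` sink instead of treating a missing response as an attack.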



Corresponding author

Correspondence to Santosh Biswas.

Cite this article

Mitra, M., Banerjee, P., Barbhuiya, F.A. et al. IDS for ARP spoofing using LTL based discrete event system framework. Netw. Sci. 2, 114–134 (2013). https://doi.org/10.1007/s13119-013-0019-1
