Abstract
An Intrusion Detection System (IDS) is hardware or software that monitors network or host activity to detect malicious behavior. Certain attacks neither change the syntax or sequence of network traffic nor cause any statistical deviation, and such attacks are difficult for signature-based or anomaly-based IDSs to detect. Active Discrete Event System (DES) based IDSs have recently been proposed for such attacks. These IDSs send probe packets so that the sequence of observed events differs between attack and normal conditions. Normal and attack behavior are then specified using a DES model, and a detector is designed from them. The detector is the IDS: it observes sequences of events and decides whether the states through which the DES traverses correspond to the normal or the attack model. Modeling the normal and attack behavior as a DES is a manual, error-prone process, so the correctness of the resulting IDS cannot be guaranteed. To address these shortcomings of the traditional DES framework, a Linear-time Temporal Logic (LTL) based DES has been proposed in the literature; it provides a paradigm for stating the system specifications, modeling, constructing the detector and checking its correctness. In addition, its detector design procedure has polynomial time complexity in the number of system states, compared with the exponential complexity of the traditional framework. In this paper the LTL based DES framework is suitably adapted and applied to develop an IDS for detecting Address Resolution Protocol (ARP) spoofing attacks. Experimental results show that a high detection rate and accuracy can be achieved with minimal resource overhead.
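To make the probe-driven detector idea concrete, here is an added illustrative example (not the paper's DES model or code): a per-IP automaton in Python that reacts to an observed ARP reply by emitting a probe and then classifies the resulting event sequence as normal or attack. The event vocabulary (arp_reply, probe_response, probe_timeout), the partition of sequences into normal and attack, and the trace are all constructed assumptions chosen for illustration.

```python
IDLE, PROBING, NORMAL, ATTACK, UNRESOLVED = "idle", "probing", "normal", "attack", "unresolved"

class ArpSpoofDetector:
    """Per-IP automaton. An observed ARP reply moves the IP to PROBING and
    makes the IDS emit a probe (the active part); probe responses and the
    probe timeout decide whether the trace fits the normal or attack model."""

    def __init__(self):
        self.state = {}    # ip -> automaton state
        self.claimed = {}  # ip -> MAC announced by the observed ARP reply
        self.seen = {}     # ip -> set of MACs that answered the probe
        self.probes = []   # probes the IDS would transmit

    def step(self, ev):
        kind, ip = ev[0], ev[1]
        st = self.state.get(ip, IDLE)
        if kind == "arp_reply":
            # A binding was announced: verify it actively rather than trust it.
            self.claimed[ip], self.seen[ip] = ev[2], set()
            self.probes.append(("probe", ip))
            self.state[ip] = PROBING
        elif kind == "probe_response" and st == PROBING:
            self.seen[ip].add(ev[2])
            # A responder other than the claimed MAC, or a second responder,
            # is an event sequence reachable only in the attack model.
            if self.seen[ip] != {self.claimed[ip]}:
                self.state[ip] = ATTACK
        elif kind == "probe_timeout" and st == PROBING:
            # Window closed: exactly one consistent responder means normal;
            # the only other way to get here is that nobody answered.
            ok = self.seen[ip] == {self.claimed[ip]}
            self.state[ip] = NORMAL if ok else UNRESOLVED
        return self.state.get(ip, IDLE)

def run(trace):
    """Feed a whole event trace; return (verdict per IP, probes emitted)."""
    det = ArpSpoofDetector()
    for ev in trace:
        det.step(ev)
    return det.state, det.probes

# Constructed trace: .1 announced truthfully; .2 claimed by a forged MAC while its real owner still answers.
TRACE = [
    ("arp_reply", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("probe_response", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("probe_timeout", "10.0.0.1"),
    ("arp_reply", "10.0.0.2", "cc:cc:cc:cc:cc:02"),
    ("probe_response", "10.0.0.2", "bb:bb:bb:bb:bb:02"),
    ("probe_timeout", "10.0.0.2"),
]
```

Running `run(TRACE)` yields "normal" for 10.0.0.1 and "attack" for 10.0.0.2, and the returned probe list is the active traffic the detector would have had to send.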
Cite this article
Mitra, M., Banerjee, P., Barbhuiya, F.A. et al. IDS for ARP spoofing using LTL based discrete event system framework. Netw.Sci. 2, 114–134 (2013). https://doi.org/10.1007/s13119-013-0019-1