An active DES based IDS for ARP spoofing

A network Intrusion Detection System (IDS) is a device or software that monitors network activities and raises alerts on detection of malicious behavior. State-transition based frameworks such as Finite State Machines (FSM), extended FSM, timed FSM and Discrete Event Systems (DES) are widely used in network IDSs because they enable formal modeling, analysis and verification. The attack detection capability of these IDSs is based on passive monitoring of the sequence of events, under the assumption that an intrusion changes that sequence (and the change is what needs to be detected). However, for certain attacks, such as ARP spoofing and Internet Control Message Protocol (ICMP) error message based attacks, passive monitoring schemes have several limitations, because such attacks cause no change in the sequence of events. For these attacks, IDSs with active probing are now being proposed: they send probe packets that cause the sequence of events to differ under attack conditions, so that the attack can then be detected by passive monitoring. In this paper we propose an IDS to detect ARP spoofing attacks using an active state-transition framework called “active DES”.
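The following added example (not code from the paper) illustrates the abstract's point with two toy DES monitors: a passive one that sees only ARP traffic, and an active one that, on every ARP reply, issues a probe to the claimed IP and turns the probe's outcome into an extra event. The probe mechanism, the event names and the ground-truth table are assumptions made for the example, not the paper's exact automaton.

```python
class DES:
    """Deterministic finite-state model: transitions[(state, event)] -> next state."""
    def __init__(self, start, transitions):
        self.start, self.t = start, transitions

    def run(self, events):
        """Replay an event trace; an undefined (state, event) pair is an attack indication."""
        s = self.start
        for e in events:
            s = self.t.get((s, e), "attack")
        return s

# Passive model: only ARP request/reply events are observable.
PASSIVE = DES("idle", {
    ("idle", "arp_request"): "waiting",
    ("waiting", "arp_reply"): "idle",
})

# Active model (assumed design): each ARP reply triggers a probe to the claimed IP,
# and the probe's outcome becomes a new observable event that drives the automaton.
ACTIVE = DES("idle", {
    ("idle", "arp_request"): "waiting",
    ("waiting", "arp_reply"): "probing",
    ("probing", "probe_ok"): "idle",       # claimed host answered on the claimed MAC
    ("probing", "probe_fail"): "attack",   # no consistent answer: the binding is false
})

def probe_outcome(claimed_ip, claimed_mac, real_owner):
    """Constructed environment: the probe answer reflects the true IP->MAC binding."""
    return "probe_ok" if real_owner.get(claimed_ip) == claimed_mac else "probe_fail"

def observed_events(arp_reply, real_owner, active):
    """Event trace a monitor sees for one ARP exchange, with or without probing."""
    ip, mac = arp_reply
    trace = ["arp_request", "arp_reply"]
    if active:
        trace.append(probe_outcome(ip, mac, real_owner))
    return trace

def classify(arp_reply, real_owner):
    """Return (passive verdict, active verdict) for one observed ARP reply."""
    p = PASSIVE.run(observed_events(arp_reply, real_owner, active=False))
    a = ACTIVE.run(observed_events(arp_reply, real_owner, active=True))
    return p, a

REAL_OWNER = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}  # constructed ground truth for the LAN
if __name__ == "__main__":
    print(classify(("10.0.0.1", "aa:aa:aa:aa:aa:01"), REAL_OWNER))  # ('idle', 'idle')
    print(classify(("10.0.0.1", "bb:bb:bb:bb:bb:99"), REAL_OWNER))  # ('idle', 'attack')
```

The passive monitor reaches the same state for the genuine and the spoofed reply, which is exactly the limitation the abstract describes; only the probe-generated event separates the two traces. A real deployment must also handle a genuine host that is simply offline (which yields the same missing answer), so the probe step needs retries and timeouts before raising an alert.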
