论文信息 - A self-confirming engine for preventing man-in-the-middle attack

A self-confirming engine for preventing man-in-the-middle attack

SUMMARY In this paper, we focus on how to correct address mapping violation, in which an attacker rewrites the address mapping table of a victim to perform a Man-in-the-Middle (MITM) attack. We propose a technique for preventing MITM attacks in which a malicious user intercepts and possibly alters the data transmitted between two hosts. MITM attack is hard for legitimate users to notice during their normal communication, because each user believes they are communicating directly. Address mapping violation can occur because of vulnerability of address resolution protocols, Address Resolution Protocol (ARP) in IPv4 and Neighbor Discovery (ND) protocol in IPv6. Accordingly, a good method to prevent MITM attack by address mapping violation is essential for both current and future communications, i.e. wireless networks with roaming users and an interconnected world. Hence, our proposal mainly aims to have high usability in future applications such as embedded devices.

Takashi Kobayashi | Suguru Yamaguchi | Masataka Kanamori

[1] Thomas Narten,et al. Neighbor Discovery for IP Version 6 (IPv6) , 1996, RFC.

[2] Jari Arkko. Manual Configuration of Security Associations for IPv6 Neighbor Discovery , 2003 .

[3] IPv6 Neighbor Discovery trust models and threats Status of this Memo , 2002 .

[4] Pekka Nikander,et al. SEcure Neighbor Discovery (SEND) , 2005, RFC.

[5] Hugo Krawczyk,et al. A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[6] Thomas Narten,et al. Neighbor Discovery for IP Version 6 , 1998 .

[7] Stephen T. Kent,et al. IP Authentication Header , 1995, RFC.

[8] Karl N. Levitt,et al. System Health and Intrusion Monitoring Using a Hierarchy of Constraints , 2001, Recent Advances in Intrusion Detection.

[9] Stephen T. Kent,et al. Security Architecture for the Internet Protocol , 1998, RFC.

[10] Tuomas Aura,et al. Cryptographically Generated Addresses (CGA) , 2005, ISC.

[11] Thomas Narten,et al. IPv6 Stateless Address Autoconfiguration , 1996, RFC.

[12] Thomas Henry Ptacek,et al. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[13] Dan Harkins,et al. The Internet Key Exchange (IKE) , 1998, RFC.

[14] Martin Roesch,et al. Snort - Lightweight Intrusion Detection for Networks , 1999 .