Detecting man-in-the-middle attacks on non-mobile systems

In this paper we propose a method for detecting man-in-the-middle attacks using the timestamps in TCP packet headers. From these timestamps the delays can be calculated, and by comparing the mean delay of the current connection with data gathered from previous sessions it is possible to detect whether the packets are experiencing unusually long delays. We show that in our small case study we can find and set a threshold parameter that accurately detects man-in-the-middle attacks with a low probability of false positives. Thus it may be used as a simple precautionary measure against such attacks. In its current form the method is limited to non-mobile systems, where the variations in delay are fairly small and uniform.
