An Active Host-Based Intrusion Detection System for ARP-Related Attacks and its Verification

TL;DR

This paper introduces a host-based intrusion detection system for LAN ARP spoofing attacks that operates without requiring static IP-MAC mappings or ARP modifications, and it is validated through comprehensive testing.

Contribution

The paper presents a novel host-based detection scheme for ARP spoofing that works without additional constraints and is verified across multiple attack scenarios.

Findings

Successfully detects ARP spoofing in various scenarios

Validated effectiveness through test bed experiments

Operates without static IP-MAC or ARP modifications

Abstract

Spoofing with falsified IP-MAC pair is the first step in most of the LAN based-attacks. Address Resolution Protocol (ARP) is stateless, which is the main cause that makes spoofing possible. Several network level and host level mechanisms have been proposed to detect and mitigate ARP spoofing but each of them has their own drawback. In this paper we propose a Host-based Intrusion Detection system for LAN attacks, which works without any extra constraint like static IP-MAC, modifying ARP etc. The proposed scheme is verified under all possible attack scenarios. The scheme is successfully validated in a test bed with various attack scenarios and the results show the effectiveness of the proposed technique.