Suspicious ARP Activity Detection and Clustering Based on Autoencoder Neural Networks

TL;DR

This paper presents a method combining autoencoder neural networks and clustering to detect and categorize suspicious ARP activities in LAN traffic, enhancing network security analysis.

Contribution

It introduces an unsupervised autoencoder-based approach with dynamic thresholding and clustering for detecting diverse suspicious ARP patterns in real-world LAN data.

Findings

Effective detection of suspicious ARP activities across multiple LANs.

Successful clustering of ARP activity patterns into distinct groups.

Demonstrated robustness on real-world network traffic datasets.

Abstract

The rapidly increasing number of smart devices on the Internet necessitates an efficient inspection system for safeguarding our networks from suspicious activities such as Address Resolution Protocol (ARP) probes. In this research, we analyze sequence data of ARP traffic on LAN based on the numerical count and degree of its packets. Moreover, a dynamic threshold is employed to detect underlying suspicious activities, which are further converted into feature vectors to train an unsupervised autoencoder neural network. Then, we leverage K-means clustering to separate the extracted latent features of suspicious activities from the autoencoder into various patterns. Besides, to evaluate the performance, we collect and adopt a real-world network traffic dataset from five different LANs. At last, we successfully detect suspicious ARP patterns varying in scale, lifespan, and regularity on the LANs.