IDS for ARP spoofing using LTL based discrete event system framework



IDS for ARP spoofing using LTL based discrete event system framework

Mahasweta Mitra, Prithu Banerjee, Ferdous A. Barbhuiya, Santosh Biswas, Sukumar Nandi
Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati 781039, India

Received: 18 June 2012 / Revised: 21 November 2012 / Accepted: 20 March 2013
© Tsinghua University Press and Springer-Verlag Berlin Heidelberg 2013

Abstract

An Intrusion Detection System (IDS) is hardware or software that monitors network or host activities to detect malicious behavior. Certain attacks neither change the syntax or sequence of network traffic nor lead to any statistical deviation. Such attacks are difficult to detect with signature or anomaly based IDSs. Active Discrete Event System (DES) based IDSs are now being proposed for such attacks. These IDSs send probe packets so that the sequence of events differs between attack and normal conditions. Normal and attack behavior are then specified using the DES model and a detector is designed. The detector is the IDS: it observes sequences of events to decide whether the states through which the DES traverses correspond to the normal or the attack model. Modeling the normal and attack behavior by DES is a manual process and is prone to errors, so the resulting IDS cannot be guaranteed to be correct. To address the issues of the traditional DES framework, Linear-time Temporal Logic (LTL) based DES has been proposed in the literature, which provides a paradigm for stating the system specifications, modeling, constructing the detector and checking its correctness. Also, the detector design procedure has polynomial time complexity in the number of system states, compared to the exponential complexity of the traditional framework. In this paper the LTL based DES framework is suitably adapted and applied to develop an IDS for detecting Address Resolution Protocol (ARP) spoofing attacks. Experimental results illustrate that a high detection rate and accuracy can be achieved with minimal resource overhead.

Keywords: ARP spoofing, discrete event system, failure detection and diagnosis, linear-time temporal logic
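As an added illustration (not code from the paper), the following Python sketches the kind of active DES detector the abstract describes: the IDS sends a probe, and the sequence of reply events that follows is run through a small state machine that ends in a NORMAL or ATTACK state. The event names, the probe/timeout window and the monitored property (all replies to one probe must carry the same MAC) are assumptions for this example, not the paper's specification.

```python
# Added example: a discrete-event detector for active ARP spoofing
# detection, driven by an event trace. Assumed event forms (constructed):
#   ("probe", ip)        the IDS sent an ARP request for ip
#   ("reply", ip, mac)   an ARP reply for ip was observed
#   ("timeout", ip)      the probe window for ip closed
# Assumed safety property, written informally in LTL style:
#   G( probe(ip) -> ( reply(ip, m) -> ( not reply(ip, m' != m) ) W timeout(ip) ) )
# i.e. after a probe, a second reply with a different MAC before the window
# closes is the distinguishing event that separates attack from normal traces.

IDLE, PROBED, REPLIED, NORMAL, ATTACK = "IDLE", "PROBED", "REPLIED", "NORMAL", "ATTACK"


def run_detector(trace):
    """Run the detector over an event trace.

    Returns one verdict (ip, NORMAL or ATTACK) per probe window that received
    at least one reply; windows with no reply are inconclusive and yield none.
    """
    state, target, seen_mac, verdicts = IDLE, None, None, []
    for ev in trace:
        kind = ev[0]
        if kind == "probe":
            # A new probe opens a window for the target IP.
            state, target, seen_mac = PROBED, ev[1], None
        elif kind == "reply" and state in (PROBED, REPLIED) and ev[1] == target:
            if state == PROBED:
                state, seen_mac = REPLIED, ev[2]       # first claimant recorded
            elif ev[2] != seen_mac:
                state = ATTACK                         # conflicting claimant
                verdicts.append((target, ATTACK))
        elif kind == "timeout" and ev[1] == target:
            if state == REPLIED:
                verdicts.append((target, NORMAL))      # single consistent reply
            state = IDLE
    return verdicts


# Constructed sample traces (not captured traffic).
NORMAL_TRACE = [
    ("reply", "10.0.0.5", "aa:aa:aa:aa:aa:01"),   # unsolicited reply; IDS probes
    ("probe", "10.0.0.5"),
    ("reply", "10.0.0.5", "aa:aa:aa:aa:aa:01"),
    ("timeout", "10.0.0.5"),
]
ATTACK_TRACE = [
    ("probe", "10.0.0.5"),
    ("reply", "10.0.0.5", "aa:aa:aa:aa:aa:01"),   # genuine host answers
    ("reply", "10.0.0.5", "bb:bb:bb:bb:bb:02"),   # second claimant, different MAC
    ("timeout", "10.0.0.5"),
]

if __name__ == "__main__":
    print(run_detector(NORMAL_TRACE), run_detector(ATTACK_TRACE))
```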

1 Introduction

An Intrusion Detection System (IDS) is a device or a software application that monitors network traffic and informs the network administrator of suspicious or malicious activities. IDSs can be mainly classified in different ways [1] as follows.

– Host based IDS (HIDS) and network based IDS (NIDS): An HIDS monitors and analyzes the internals of the single host where it is deployed to check whether there has been any violation of the system's security policy. On the other hand, an NIDS detects malicious behavior by monitoring a network of hosts.

– Signature based IDS and anomaly based IDS: A signature based IDS references a database of known attack signatures and known system vulnerabilities. Each intrusion leaves a fingerprint behind, e.g., the nature of data packets, a failed attempt to run an application, failed log-i

E-mail: [email protected]