Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Peng Jiang,Hongyi Wu,Cong Wang,Chunsheng Xin

DOI: https://doi.org/10.1109/ICC.2018.8422830

2018-01-01

Abstract:Identity-based attacks such as MAC spoofing are common in wireless networks. The recently developed virtualization technologies bring a new type of MAC spoofing attack, virtual MAC spoofing. This makes it even more challenging to detect such attacks, especially in a tight environment with spatial similarities. In this paper, we design, implement and evaluate a system to effectively detect virtual MAC spoofing attacks via deep learning. A deep convolutional neural network is constructed to extract physical features from CSI obtained from packet transmissions, to detect virtual MAC spoofing attacks. An important merit of the proposed detection system is that this system can distinguish two devices even at the same location, which was not well addressed by previous approaches. Our extensive experimental results demonstrate the effectiveness of the system with an average detection accuracy of 95%, even when devices are co-located.

Yang Liu,Ke Dong,Liang Dong,Bin Li

2008-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon is seriously threaten the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Lei Yang,Lejun Chi,Dongjie Zhu,Chengwen Tang,Kun Wang

2006-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon seriously threatens the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

Cai Hongmin,Li Qinglong,Huang Jun,Li Huaji

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.02.085

2012-01-01

Abstract:With the development of campus networks,the users' number of campus networks is greatly increased,meanwhile the ARP spoofing attacks in LAN impact the internet surfing quality of campus networks users significantly as well.In the paper,we read ARP table of routers and switches by SNMP to detect the ARP spoofing attacks,and quickly locate the ARP spoofing attacker in conjunction with DCBI networks managing system with perfect effect.

秦丰林,段海新,郭汝廷

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.01.008

2009-01-01

Abstract:Up to now,many schemes have been proposed to protect against ARP spoofing which can be classified into three categories as detecting,preventing and avoiding techniques according to their functions.This paper summarized and analyzed each of these schemes,identified their advantages and weaknesses,presented some factors that have to be considered in improving ARP protocol.

LI Pei-Guo,BI Jun,ZHOU Zi-Jian

2008-01-01

Periodical of Ocean University of China

Abstract:Source address spoofing has become a widely used mechanism to achieve attack because it is easy to launch and difficult to detect and trace.Source address spoofing attacks pose a significant threat to the Internet today.Network security is facing a severe challenge we have never met before.It is an important task to research source address spoofing attacks.This paper surveys the definition of source address spoofing attacks,explains the principles of Backscatter and ICMP techniques,and analyzes the newest Backscatter data captured by CAIDA network telescopes from the macro and micro views.The traffic of ICMP packets is extracted and gathered by advanced data mining and statistical analysis techniques.The distribution of attacked ports by source address spoofing is given according to the ICMP packet.Some major attacked services are analyzed in detail and new methods of DoS/DDoS by means of spoofing are also explored,including their hazards.Finally,the source address spoofing attacks situation on the Internet and future work are discussed to conclude the article.

Yao Guang,Bi Jun

DOI: https://doi.org/10.3969/j.issn.1000-0801.2008.01.005

2009-01-01

Abstract:Source address spoofing has become a widely used mechanism for attacks because it can be easily launched and is difficult to defend against and trace. Therefore,the classification of network attacks based on source address spoofing is very important.This paper presents a survey of the modes of source address spoofing and their effect on the Internet.The source address spoofing attacks are related to the attacker,the victim and the spoofed host.Source address spoofing attacks can be classified into six categories based on the position of the host being spoofed.This classification clarifies the problems of source address spoofing which will lead to improved prevention methods as a foundation of a trustworthy Internet architecture.

Mingchun Zheng,Shoubao Yang,Xianglan Piao,Weifeng Sun

DOI: https://doi.org/10.1007/978-3-319-15554-8_18

2015-01-01

Abstract:A detective strategy with multi-layer modules and algorithm on ARP spoof attacks are proposed after some researches against the security problem of ARP. By the research of ARP and ARP attacks, and the consideration of resources and efficiency, the structure of the detective strategy is divided into mainly four modules, ARP spoof prediction module, head information detection, refusing ARP reply packets without request module and sending RARP request module. And there is also an extension module for extending. The result shows with the cooperation among the modules, many APR spoof attacks can be detected and prevented, and there are almost no mistakes.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

XING Jinge,LIU Yang

DOI: https://doi.org/10.3969/j.issn.1005-9369.2012.08.016

2012-01-01

Abstract:Attackers using ARP spoofing attack network segment host In the LAN,which threaten the LAN security seriously.This paper analyzed the common tricks such as monitor,intercept,and malicious attacks which attackers used,and summarized the IP matched methods based on ARP cheat theory,data frame detection method,Echo time method,ARP response analysis method,tools detection method and so on.A prevent ARP spoofing algorithm is proposed in this paper,which made use of ARP cache update policy,switching equipment control and other strategies to prevent ARP spoofing.This algorithm can reject ARP spoofing,achieve the goals of maintaining network security.

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1007/978-3-642-31020-1_30

2012-01-01

Abstract:Address Resolution Protocol (ARP) is the network part that is responsible for identifying a Media Access Control (MAC) address of each other, through mapping an IP address to the corresponding MAC address. Unfortunately, ARP is a stateless protocol, the weakness in ARP effects directly on the security standards of the network and especially in Ethernet. In this paper, we propose a new architecture; named a CSIDS Client/Server based Intrusion Detection System designed to detection and defense against ARP spoofing attacks. The main idea behind this approach is to implement a real-time analyzing for received ARP packets and in case of detection a suspicious ARP packet a resolution message will be exchanged between system parts on the same network. This system is resilience by making at most two objects (client/server) to work efficiently; on the other hand, just one client is capable of defending on himself.

Lu Xi

2008-01-01

Abstract:IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem,we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes,and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes,MASK can not only enlarge the domain of the spoofing prevention service,but also filter spoofing packets in advance. Through analysis and simulations,we demonstrate MASK's accuracy and effectiveness.

孙谦,黄家林,傅军

DOI: https://doi.org/10.3969/j.issn.1007-1423-b.2008.08.039

2008-01-01

Abstract:For the ARP spoofing of Trojan Horse Virus breaks out heavily and high frequency in recent campus network, discuss a method that is combined with port mirror technique, log and protocol analyzing technique for auto-orientation of those computer infected by the ARP virus. The test results show that this method is effective and feasible.

Bi, Jun,Ping Hu,Peiguo Li

DOI: https://doi.org/10.1109/ICN.2010.43

2010-01-01

Networks

Abstract:Source address spoofing is one of the most dangerous means of attacks in today’s Internet. In this paper, we study and classification and characteristics of the source address spoofing. Source address spoofing can be classified in six categories. The characteristics of first category of source address spoofing are analyzed by the statistical analysis of packets collected by the CAIDA network telescope, because we found that partial information of the original source address spoofing attack packets could be found in the ICMP error packets returned to the network telescope.

Guang Yao,Jun Bi,Peiyao Xiao

DOI: https://doi.org/10.1016/j.comnet.2012.08.018

IF: 5.493

2013-01-01

Computer Networks

Abstract:Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.

ZHAO Xin,CHEN Dao-xu,XIE Li

2000-01-01

Journal of Software

Abstract:There is a kind of active attack based on TCP over the Internet, which is called IP Hijack. This kind of attack is different from the passive attack based on network sniffing. It can bypass the protection of system password and S/KEY, and get full control of the link between two end points. This can cause great harm to the network system. In this paper, the principle of this kind of attack is analyzed, the attack detecting technology and the protecting measures against IP Hijack are also given.

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

刘扬,刘杨,胡仕成,朱东杰

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.23.009

2007-01-01

Abstract:The basic responsibility of network management is checking and controlling of network information, while the most important task is limiting illegal accessing network. Through analyzing the principle of the ARP spoofing, the LAN information is monitored by ARP spoofing, and the content of DNS request package is analyzed, then redirection technology of illegal accessing is researched based on ARP spoofing and corresponding arithmetic combined with DNS spoofing is presented, thus the illegal accessing degree is reduced, and the automatic network monitoring function is achieved.