The Optimization of the ARP Poisoning Attack Detection Model Using a Similar Approach Based on NetFlow Analysis
Abstract
Information security threats are a growing concern in the cyber era. One such threat is the ARP poisoning attack, in which an attacker forges ARP replies so that a victim host associates the attacker's MAC address with another host's IP address (typically the gateway). Traffic between the victim and that host is then redirected through the attacker, who can read or alter confidential information, and the attack can also leave network services unreachable (a denial of service). Previous studies have introduced ARP attack detection models based on rules and on data mining, but they do not achieve optimal detection performance and yield high false positive rates. This paper proposes a detection model for ARP poisoning attacks using a similarity measurement approach based on cosine similarity. The goal is to measure how similar each host's activity, as observed in NetFlow data, is to known ARP poisoning activity. The experimental results show that the model achieves an accuracy of 97.25%, a recall of 96.43%, and a precision of 81% at a similarity threshold of 0.488; the gap between recall and precision means that nearly one in five hosts flagged at this threshold is a false positive, so an administrator should treat an alert as a lead to confirm rather than a verdict. Compared with previous studies and several classification methods, the model shows higher detection accuracy. These results indicate that the model can improve intrusion detection performance and help network administrators analyze ARP poisoning attacks in computer networks.
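The following is an added worked example, not code from the paper, showing the shape of the similarity approach the abstract describes: each host's NetFlow-derived activity is summarised as a feature vector, scored against a reference ARP-poisoning profile with cosine similarity, and flagged when the score reaches the 0.488 threshold reported above; accuracy, recall and precision are then computed against labels. Everything below the threshold is an assumption: the four features, the reference profile, the host addresses and the labels are constructed for illustration and are not the paper's. Because NetFlow exports IP flows rather than ARP frames, the features are ratios in [0, 1] that describe how a host behaves once it is relaying a victim's traffic, not counts of ARP packets.

```python
"""
Added example, not code from the paper: cosine-similarity scoring of per-host
activity summaries against a reference ARP-poisoning profile, applying the
0.488 threshold from the abstract, and computing accuracy/recall/precision.

Assumptions (not stated in the abstract): the feature set, the reference
profile, the host addresses and the labels below are constructed for
illustration. NetFlow carries IP flows, not ARP frames, so the features are
flow-derived ratios in [0, 1] rather than ARP packet counts.
"""
import math
from typing import Dict, Sequence, Set, Tuple

THRESHOLD = 0.488  # similarity threshold reported in the abstract

# Feature order (constructed): relay_ratio, internal_peer_ratio,
# external_ratio, long_flow_ratio
FEATURES = ("relay_ratio", "internal_peer_ratio", "external_ratio", "long_flow_ratio")

# Constructed reference profile of a poisoning host: it relays most of its
# flows, talks to most internal peers, and has little direct Internet or
# long-lived traffic of its own. The two "benign" features give normal hosts
# a different direction from the profile, which is what cosine measures.
ARP_POISON_PROFILE = (0.9, 0.8, 0.1, 0.1)


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """cos(theta) between two vectors; 0.0 if either is the zero vector
    (an idle host has no flows and must not raise ZeroDivisionError)."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def score_hosts(hosts: Dict[str, Sequence[float]],
                profile: Sequence[float] = ARP_POISON_PROFILE) -> Dict[str, float]:
    """Similarity of every host's activity vector to the attack profile."""
    return {ip: cosine_similarity(vec, profile) for ip, vec in hosts.items()}


def flag_hosts(scores: Dict[str, float], threshold: float = THRESHOLD) -> Set[str]:
    """Hosts whose similarity reaches the threshold are reported as alerts."""
    return {ip for ip, s in scores.items() if s >= threshold}


def evaluate(flagged: Set[str], attackers: Set[str], all_hosts: Set[str]) -> Dict[str, float]:
    """Accuracy, recall and precision of the flagged set against labels."""
    tp = len(flagged & attackers)
    fp = len(flagged - attackers)
    fn = len(attackers - flagged)
    tn = len(all_hosts - flagged - attackers)
    total = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


# Constructed per-host summaries over one observation window (not real data).
SAMPLE_HOSTS = {
    "10.0.0.23": (0.85, 0.70, 0.15, 0.10),  # poisoning host relaying victim traffic
    "10.0.0.31": (0.70, 0.60, 0.30, 0.20),  # second poisoning host, partial coverage
    "10.0.0.7":  (0.05, 0.10, 0.85, 0.70),  # workstation, mostly Internet traffic
    "10.0.0.12": (0.10, 0.15, 0.80, 0.60),  # workstation
    "10.0.0.5":  (0.40, 0.90, 0.20, 0.30),  # internal file server: many peers, relay-like flows
    "10.0.0.40": (0.00, 0.00, 0.00, 0.00),  # idle host, no flows in the window
}
SAMPLE_ATTACKERS = {"10.0.0.23", "10.0.0.31"}


def run_sample() -> Tuple[Dict[str, float], Set[str], Dict[str, float]]:
    """Score, threshold and evaluate the constructed host set."""
    scores = score_hosts(SAMPLE_HOSTS)
    flagged = flag_hosts(scores)
    metrics = evaluate(flagged, SAMPLE_ATTACKERS, set(SAMPLE_HOSTS))
    return scores, flagged, metrics


if __name__ == "__main__":
    scores, flagged, metrics = run_sample()
    for ip, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{ip:>10}  similarity={s:.3f}  {'ALERT' if ip in flagged else ''}")
    print(metrics)
```

On the constructed data both poisoning hosts score above 0.96, but the internal file server 10.0.0.5 is also flagged (similarity about 0.89) because its many-peer, relay-like traffic points in roughly the same direction as the profile; that is the kind of false positive behind a precision figure well below the recall figure. Two properties of cosine similarity matter when choosing features: it ignores magnitude, so a quiet host whose ratios happen to resemble the profile scores as high as a busy attacker, and it is dominated by whichever feature carries the largest values, so raw counts on different scales must be normalised before being compared.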
This work is licensed under a Creative Commons Attribution 4.0 International License.
The Authors submitting a manuscript do so on the understanding that if accepted for publication, the copyright of the article shall be assigned to Jurnal Lontar Komputer as the publisher of the journal. Copyright encompasses exclusive rights to reproduce and deliver the article in all forms and media, as well as translations. The reproduction of any part of this journal (printed or online) will be allowed only with written permission from Jurnal Lontar Komputer. The Editorial Board of Jurnal Lontar Komputer makes every effort to ensure that no wrong or misleading data, opinions, or statements be published in the journal.