Abstract

An Intrusion Detection System (IDS) is hardware or software that monitors network or host activity to detect malicious behavior. Certain attacks neither change the syntax or sequence of network traffic nor cause any statistical deviation, and such attacks are difficult to detect with signature-based or anomaly-based IDSs. Active Discrete Event System (DES) based IDSs are now being proposed for such attacks. These IDSs send probe packets so that the sequence of events observed under attack differs from the sequence observed under normal conditions. Normal and attack behavior are then specified as DES models and a detector is designed. The detector is the IDS: it observes sequences of events and decides whether the states through which the DES traverses correspond to the normal model or to the attack model. Modeling the normal and attack behavior as a DES is a manual, error-prone process, so the correctness of the resulting IDS cannot be guaranteed. To address the issues of the traditional DES framework, a Linear-time Temporal Logic (LTL) based DES has been proposed in the literature; it provides a paradigm for stating the system specifications, modeling, constructing the detector, and checking its correctness. In addition, the detector design procedure has polynomial time complexity in the number of system states, compared with the exponential complexity of the traditional framework. In this paper the LTL based DES framework is suitably adapted and applied to develop an IDS for detecting Address Resolution Protocol (ARP) spoofing attacks. Experimental results show that a high detection rate and high accuracy can be achieved with minimal resource overhead.
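The abstract describes the active DES detector only in outline: probe packets make the event sequence differ between normal and attack conditions, and a detector tracks which model (normal or attack) can still explain the observed sequence. The following Python is an added illustration of that idea and is not code from the paper. The event names, the two small automata and the probing scheme (re-requesting the IP announced in an ARP reply and watching whether one or two MACs answer) are assumptions made for this example; the paper's own models and LTL specifications are not reproduced here.

```python
"""Toy active-DES detector for ARP spoofing (added illustration, not the paper's code).

Normal and attack behaviour are each modelled as a small automaton over one shared
event alphabet.  The detector replays every observed event through both models,
keeping an estimate of the states each model could be in, and reaches a verdict
once exactly one model can still explain the trace.  Event names and models are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Transitions = Dict[Tuple[str, str], Set[str]]  # (state, event) -> possible next states


@dataclass(frozen=True)
class DESModel:
    name: str
    initial: str
    transitions: Transitions

    def step(self, states: FrozenSet[str], event: str) -> FrozenSet[str]:
        """Advance the state estimate; an empty set means the model cannot explain the event."""
        nxt: Set[str] = set()
        for s in states:
            nxt |= self.transitions.get((s, event), set())
        return frozenset(nxt)


class DESDetector:
    """Runs the normal and attack models in lockstep over the observed event sequence."""

    def __init__(self, normal: DESModel, attack: DESModel) -> None:
        self.normal, self.attack = normal, attack
        self.normal_est: FrozenSet[str] = frozenset({normal.initial})
        self.attack_est: FrozenSet[str] = frozenset({attack.initial})

    def observe(self, event: str) -> str:
        self.normal_est = self.normal.step(self.normal_est, event)
        self.attack_est = self.attack.step(self.attack_est, event)
        return self.verdict()

    def verdict(self) -> str:
        n, a = bool(self.normal_est), bool(self.attack_est)
        if n and not a:
            return "normal"
        if a and not n:
            return "attack"
        if n and a:
            return "undecided"
        return "unmodeled"  # neither model explains the trace: log it rather than guess


# Assumed event alphabet (constructed for this example):
#   arp_reply               an ARP reply binding some IP to a MAC is seen
#   probe_sent              the IDS actively sends an ARP request for that IP
#   probe_reply_consistent  the first answer to the probe comes from the same MAC
#   probe_reply_conflict    a second MAC also answers the probe for the same IP
#   probe_timeout           nobody answers the probe
#   window_closed           the wait window for late probe answers expires

NORMAL = DESModel("normal", "idle", {
    ("idle", "arp_reply"): {"bound"},
    ("bound", "probe_sent"): {"probing"},
    ("probing", "probe_reply_consistent"): {"confirmed"},
    ("probing", "probe_timeout"): {"idle"},
    ("confirmed", "window_closed"): {"idle"},
})

ATTACK = DESModel("attack", "idle", {
    ("idle", "arp_reply"): {"poisoned"},
    ("poisoned", "probe_sent"): {"probing"},
    ("probing", "probe_reply_consistent"): {"attacker_answered"},  # spoofing host answers first
    ("probing", "probe_reply_conflict"): {"spoof_detected"},
    ("probing", "probe_timeout"): {"idle"},
    ("attacker_answered", "probe_reply_conflict"): {"spoof_detected"},  # real host answers late
})


def run_trace(events: Iterable[str]) -> List[str]:
    """Feed one event sequence to a fresh detector and return the verdict after each event."""
    det = DESDetector(NORMAL, ATTACK)
    return [det.observe(e) for e in events]


if __name__ == "__main__":
    traces = {
        "benign": ["arp_reply", "probe_sent", "probe_reply_consistent", "window_closed"],
        "spoof": ["arp_reply", "probe_sent", "probe_reply_consistent", "probe_reply_conflict"],
    }
    for label, trace in traces.items():
        print(label, run_trace(trace))
```

The point the example makes is the one the abstract relies on: without the probe, both models see the same `arp_reply` event and the trace stays undecided; the probe's answer pattern is what splits the two models, and the verdict is "attack" only when the normal model can no longer explain the trace. A timeout leaves the detector undecided, and an event that neither model accepts is reported as unmodeled instead of being silently classified.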
