Title :
An active DES based IDS for ARP spoofing
Author :
Barbhuiya, F.A. ; Biswas, S. ; Nandi, S.
Author_Institution :
Dept. of Comput. Sci. & Eng., IIT, Guwahati, India
Abstract :
A network Intrusion Detection System (IDS) is a device or software that monitors network activities and raises alerts on detection of malicious behavior. State-transition based frameworks such as Finite State Machines (FSM), extended FSM, timed FSM, Discrete Event Systems (DES), etc. are widely used in network IDSs because they enable formal modeling, analysis, verification, etc. The attack detection capability of these IDSs is based on passive monitoring of the sequence of events, with the assumption that intrusions lead to a change in the sequence (which needs to be detected). However, for certain attacks, such as ARP spoofing and Internet Control Message Protocol (ICMP) error message based attacks, passive monitoring schemes have several limitations because such attacks cause no change in the sequence of events. IDSs with active probing are now being proposed for such attacks; they send probe packets that cause a difference in the sequence of events under attack conditions, which can then be detected using passive monitoring. In this paper we propose an IDS to detect ARP spoofing attacks using an active state-transition framework called “active DES”.
Keywords :
computer network security; computer viruses; discrete event systems; finite state machines; formal specification; formal verification; ARP spoofing attacks; ICMP error message based attacks; Internet Control Message Protocol; active DES; attack detection; discrete event systems; extended FSM; finite state machines; formal analysis; formal modeling; formal verification; malicious behavior detection; network IDS; network activity monitoring; network intrusion detection system; passive monitoring; state-transition based framework; timed FSM; Adaptation models; Clocks; IP networks; Local area networks; Monitoring; Probes; Protocols; ARP spoofing; Active Discrete Event System; Failure Detection and Diagnosis;
Conference_Title :
Systems, Man, and Cybernetics (SMC), 2011 IEEE International Conference on
Conference_Location :
Anchorage, AK
Print_ISBN :
978-1-4577-0652-3
DOI :
10.1109/ICSMC.2011.6084088