DocumentCode
2972529
Title
A Multivariate Adaptive Method for Detecting ARP Anomaly in Local Area Networks
Author
Farahmand, M. ; Azarfar, A. ; Jafari, A. ; Zargari, V.
Author_Institution
Communication Research & Development Center Tamin Co. Tehran, Iran
fYear
2006
fDate
Oct. 2006
Firstpage
53
Lastpage
53
Abstract
Worms use different methods to propagate in networks. One of these methods is by means of broadcasting packets. Broadcast packets occupy a high percentage of network bandwidth, and abnormal broadcast traffic analysis could be a useful method for detecting network problems and infected hosts. In this paper a new method for detecting abnormal ARP traffic in a broadcast domain is introduced. A combination of four different ARP traffic criteria is used to determine network anomaly. Four parameters were considered: Rate, Burstiness, Dark space and Sequential scan. Our method focuses on rate anomaly caused by worms, scans and poorly-configured services. We applied our method to a real network to evaluate system accuracy and noticed that during one month, 92.9 percent of alarms were true positive alarms. This technique not only traces ARP anomaly the same way as scanning worms, but it also detects any host that disturbs the traffic rate in different LANs.
Keywords
Backplanes; Broadcasting; Communication system traffic control; Computer worms; Degradation; Local area networks; Packet switching; Protocols; Switches; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Systems and Networks Communications, 2006. ICSNC '06. International Conference on
Conference_Location
Tahiti
Print_ISBN
0-7695-2699-3
Type
conf
DOI
10.1109/ICSNC.2006.5
Filename
4041568