A Subnet Based Intrusion Detection Scheme for Tracking down the Origin of Man-In-The-Middle Attack

The Address Resolution Protocol (ARP), has proved to work well under regular circumstances, but it is not equipped to cope with malicious hosts. Several methods to mitigate, detect and prevent these attacks do exist for the gateways/routers and nodes. This work is focused towards developing our own tailor made Intrusion Detection technique at the subnet level and we present an algorithm that detects the source of ARP poisoning in the Man-in-the-Middle attack. It is designed to detect both the attack and the attacker. The algorithm uses filtering rules to capture the network traffic and pass the IP packets through four phases. After the first three phases, the algorithm is made to raise an alarm on potential ARP poisoning to the user, if one exists, and the fourth phase detects the source IP that has initiated the attack and raises another alarm. This method works successfully even if there is more than one MITM attacker in the subnet. There is a proof of concept implemented for this algorithm. As a result of this experiment, it was found that the Windows 7 Operating System is also vulnerable to ARP attacks as the earlier versions of Windows.