Mac spoofing attack detection techniques


  1. 1. Introduction
  2. A New MAC Address Spoofing Detection Technique Based on Random Forests
  3. ARP Spoofing Attacks:
  4. A New MAC Address Spoofing Detection Technique Based on Random Forests

The sequence number typically is incremented by one when the sending device sends a management or data frame. The sensor captures the frames from the same MAC address, and if it finds there is a gap between two consecutive frames, it assumes that MAC address spoofing has occurred. These approaches cannot work well when the legitimate station is not sending any frames. In addition, it cannot detect an attacker when it only sends control frames, as control frames do not have sequence numbers. This technique is used to distinguish between the rogue device and the genuine device. The data rates and modulation types are extracted from the physical layer meta-data such as RadioTap and Prism of each captured frame to detect rogue devices.

The modulation types and the data rates depend on the rate adoption algorithm. The information that they use to detect spoofing belongs to the physical layer, which makes their approach more robust against spoofing. The only problem with their approach is that it depends on a small number of data rates and modulation types to detect attackers. Thus, it is possible that the attacker uses the same modulation type and the data rate as the legitimate device because they are limited. Tao et al. The first stage is OS fingerprinting, which can be applied to the network layer in the protocol stack.

MAC Address Flooding Attack and Mitigation Tutorial

The authors extended the synchronization SYN -based OS fingerprinting because it is capable of differentiating the attacker from the legitimate device only if the attacker injects data frames into the network. They utilized the capability information, traffic indication map and tag information which includes the vendor information to extend it.

The second stage employs the data link layer, the sequence number field in particular. They utilized the idea that there could be a sequence number gap between the legitimate device and the attacker consecutive frames. The third stage brings to play the RSS, which belongs to the physical layer; unfortunately, the authors did not explain this stage in much detail. The authors established some rules to detect the MAC address spoofing. They used a simple and yet effective technique to combine the outputs from the three stages.

Every stage outputs either normal or abnormal states of every upcoming frame. They then combined the outputs to evaluate how severe the suspicious frame is; if the analyzer finds the outputs of more than one stage to be abnormal, the alert is triggered. If the OS fingerprinting stage alone is abnormal, the alert is triggered. This indicates that the MAC address of the AP is masqueraded, because the OS fingerprinting that the authors used depends on fields that are vital to the APs, such as capability information.

Some drawbacks exist in such approaches: OS fingerprinting also assumes that most of the tools that attackers use are based on Linux-based operating systems. This is somehow a valid assumption, but the Windows operating system also provides a capability to change the MAC address of any wireless card in the WLAN.

The sequence number techniques have several drawbacks, as explained previously, so combining both SN and OS fingerprinting could miss some intrusions. RSS has been adopted by researchers for localization for several years because of its correlation to the location of a wireless device [ 32 , 33 , 34 , 35 , 36 , 37 ]. The goal of localization is to focus on RSS samples of a single device. In contrast, in spoofing detection, it is sometimes difficult to distinguish between two devices at different locations that claim to be the owner of a specific wireless device through spatial information alone, especially when they are in close proximity.

We exploit the fact that RSS samples at a specific location are similar while the RSS samples at two different locations are distinctive.

  • architekt 3d x5 ultimate mac.
  • What Is ARP Spoofing? — Attacks, Detection, And Prevention.
  • ARP Spoofing Attack: Detection, Prevention and Protection.
  • .
  • excel budget spreadsheet template for mac;
  • use dropbox as home folder mac.
  • tf2 items hack generator mac;

To distinguish an attacker, we should first develop the characteristics of normal behavior by building a profile of the legitimate device. The network architecture is assumed to be similar to the one that is in Figure 1a , which consists of sensors monitoring the network. Every sensor captures frames from nearby wireless devices. Each sensor sends the important information of the captured packets, as shown in Figure 1a , to the server for global detection.

The console receives the packets, normalizes the RSS samples using the timestamps or sequence number, combines the packets and constructs the sample. Each sample contains the information of the same packet from both sensors. Network architecture and profiling. The proposed framework involves two stages: In the offline stage, the legitimate device profile is built.

During profiling, we label the legitimate device RSS samples for the training set as zero and all possible other locations as one to construct a profile of the legitimate device. Once we are satisfied with our predictor, we can serialize it, as shown in Figure 1b , to predict new unseen data. After serialization, the training procedure depicted in the lower part of the figure is not necessary for real-time prediction.

1. Introduction

Thus, in the online stage, any new packet can be fed immediately to the predictor. The predictor then predicts if the packet comes from a legitimate device or not. If it finds that the packet is coming from a suspicious device, an alert is triggered. We used the Python library [ 38 ] in our experiment to train and test our detection method. Algorithm 1 shows the training set using the random forests ensemble method. Random forests uses a specified number of trees e.

Each tree works on a different subset of the dataset randomly to create the ensemble [ 39 ]. To detect MAC address spoofing, we used the prediction ability of random forests after serialization to predict unseen new samples, as indicated in Algorithm 2. The new sample is classified as normal or abnormal, if the predictor finds it to be different from the profiled samples. We covered an area of m 2 using 15 locations marked by the red dots in Figure 2 to evaluate our proposed method.

The distance between any two neighbors is about four meters from 3—5 m. We tried to simulate the attacker to be at every possible place throughout our test-bed. We placed two sensors, indicated by the triangles, to cover as much ground as possible of the network diameter. We also used some active probing techniques to force the device to respond to specific frames in order to speed up the process of profiling.

A New MAC Address Spoofing Detection Technique Based on Random Forests

Each sensor captures enough packets for legitimate device profiling. The total number of combinations is ; we chose one location to be the location of the legitimate device e. We tested all possible combinations. To avoid high variance and determine whether the dataset is sufficient to train a random forests classifier of trees, we used the learning curve of one of the noisiest datasets, that of Locations 6 and 7, where the distance between the two locations is less than 4 m, shown in Figure 3 a.

We started with about samples and determined that we could improve the accuracy and reduce the variance. At about 15, samples, the variance was eliminated and stabilized, indicating that a dataset of 20, observations is more than enough. Figure 3 b shows how random forests of trees separate the data-points when the attacker is 10 m away from a genuine user.

The random forests ensemble method performed very well in the presence of outliers and can separate data of any shape. Optimization and data separation. Figure 4 a illustrates the signal attenuation that signal strength might face in wireless networks. We picked two of the sampled locations to represent this phenomenon and measure consecutive packets at each location.

One sampled location is close to the first sensor, and the other one is close to the other sensor. The two subplots show an attenuation of about a 3. It is not rare to see some signal attenuation in our experiments. This phenomenon exists because of several factors, such as multi-path fading and obstacles that could make the signal oscillate, especially when there is a significant distance between the sender and receiving device. Data distribution and attenuation. Sensor 1 data distribution; c Location 8: Sensor 2 data distribution. The distribution of the data from Location 8 at the two sensors is shown in Figure 4b ,c.

Some researchers state that the distribution of the transmitter and sensor pair is Gaussian [ 2 , 3 ], while other researchers report that the distribution is not Gaussian [ 29 , 30 ] or that it is not rare to see non-Gaussian distributions of RSS samples [ 18 ]. We found that non-Gaussian distributions are not rare and have different distribution shapes and peaks. The distribution of 10, RSS samples is shown in the figure.

Figure 4b shows a distribution of data that form two Gaussians with one peak that is slightly greater than the other one i. This suggests that using clustering algorithm-based approaches [ 2 , 3 , 18 , 27 , 28 ] can generate many false alerts or cause the intrusion detection system to allow large margins that permit attackers to harm the network. To evaluate our proposed solution and compare it to previous work [ 2 , 3 , 18 , 27 , 28 ], we implemented the four possible GMM kernels, because the kernel that [ 18 ] used was not indicated in their article.

We considered only the best performing kernel i. We first calculated the accuracy of the previously-proposed solutions [ 2 , 3 , 18 , 27 , 28 ] along with our proposed method. The clustering algorithm-based approaches [ 2 , 3 , 18 , 27 , 28 ] did not work well, as shown in Table 1 a, especially when the two locations were close to each other because of the reasons mentioned earlier see Section 4. Our proposed method achieved the best accuracy of We tested all of the detection methods where the distances between the two locations were less than 4 m, as shown in Table 1 b, between 4 and 8 m, as shown in Table 1 c, and between 8 and 13 m, as shown in Table 1 d.

When the locations are close to each other, the clustering algorithm-based approaches [ 2 , 3 , 18 , 27 , 28 ] did not perform well, with a minimum of All of the techniques did slightly better when the locations were a little further apart, as shown in Table 1 c. To evaluate our detection method more rigorously, we used the receiver operating characteristic ROC curve, shown in Figure 5a , which plots the detection rate, that is the true positive rate or sensitivity against the 1 - specificity or false positive rate FPR.

ARP Spoofing Attacks:

We evaluated our detection method to measure the tradeoff between correct detection and FPR for different distances between the attacker and legitimate device. We also measured the prediction time to see if it is possible to predict the captured frames in real time.

Table 2 shows the average testing time, standard deviation, minimum and maximum values for 10, samples of all of the tested locations. The clustering algorithm-based methods, of Chen et al. Figure 5b illustrates the overall performance of our detection method and the existing methods with regard to testing time.

A New MAC Address Spoofing Detection Technique Based on Random Forests

Our detection method has a good performance in terms of testing time, with an average of only ms. ROC curve of the proposed method and testing time of all of the methods. RSS measurements can be utilized to differentiate wireless devices based on location. Some factors play a vital role in measuring the RSS, such as multi-path fading, absorption effects, transmission power and the distance between the transmitter and the receiver. Our experiment shows multiple situations where the data forms different shapes and peaks. This is probably because WLAN devices interfere with one another.

In addition, microwave ovens and Bluetooth might cause more collision and interference in the frequency band. Thus, our proposed method is very effective because unlike the previous solutions [ 2 , 3 , 18 , 27 , 28 ] that could deal with the data if it were only Gaussian distributed our method could pick the data of any shape. The overall accuracy of our proposed method is We tested the proposed method where the distances between the genuine device and the attacker are less than 4 m, from 4—8 m and from 4—8 m.

The longest distance between any two locations in our test-bed is about 13 m. Although we did not test any two locations where the distance is more than 13 m, we believe that the accuracy would be perfect as the distance between the attacker and the legitimate device increases to more than 13 m.

We also did not test different types of antennas, such as directional or beam antennas, because this research assumes that the attacker uses an omnidirectional antenna, so more sophisticated attacks might remain undetected. The sensors placement is significant to determine the difference between the profiled legitimate device samples and the masquerader frames. Figure 6 shows how important the features after training are at determining the two locations for three different combinations note that understanding feature importance is a capability that is provided by almost all of the ensemble methods.

The first feature comprises the RSS samples captured by the first sensor, and the second feature consists of the RSS samples captured by the second sensor. The figure shows which sensor determines most of the samples of Locations 1 and It appears that the two sensors are close: In this case, the distance between the attacker and the legitimate device is about 12 m.

The legitimate device i. This service is more advanced with JavaScript available, learn more at http: ACN Advanced Communication and Networking pp Cite as. Unable to display preview. Download preview PDF. Skip to main content. Advertisement Hide. International Conference on Advanced Communication and Networking. Conference paper. This is a preview of subscription content, log in to check access. Willens, S. Based on what you read, can you find what is wrong with the ARP table below?

Here is a hint: Look out for the duplicates. Now, based on your finding, can you answer the following questions? Leave your answers and thoughts in the comment section below.

How does ARP spoofing work?

Sign in. Forgot your password? Get help. Password recovery. Kali Linux Ubuntu Govt Sites Taken Down. What Is Group Policy Editor? Android 10 Q: OnePlus 6T Review: Rock Pi 4 B Review: All App Gadget.