Automatic Attack Detection and Correction System Development

Teerapat Sanguankotchakorn, Senior Member, IEEE
Telecommunications Field of Study, School of Engineering and Technology, Asian Institute of Technology, Thailand
teerapat@ait.ac.th

Thanatorn Dechasawatwong
Telecommunications Field of Study, School of Engineering and Technology, Asian Institute of Technology, Thailand
d_tanatorn@hotmail.com

Abstract

Recently, there have been increasingly numerous hacking techniques used to compromise computer systems. One popular hacking technique is called the Man-in-the-Middle attack [1]. This technique uses a weakness of the ARP protocol [5], namely “ARP spoofing”, to damage users on both confidentiality and privacy issues. It not only steals sensitive information, but also leads to the collapse of network communications. The current methods to secure users are mainly passive detections; for example, monitoring invalid MAC-to-IP address mappings and alerting the administrators. The main disadvantage of this method is the time lag between learning and detecting spoofing. Moreover, it neither corrects spoofing automatically, nor resolves the root of the problem (the attacker’s host). In this work, we propose an algorithm called “SmartARP” to detect and correct the ARP spoofing attack. The algorithm works as follows: constructed ARP-Request and TCP SYN packets are sent to the network to verify inconsistencies. When the algorithm detects ARP spoofing, it sends the correct ARP packets to the victims’ hosts to correct their ARP caches automatically. In addition, invalid ARP-Reply packets are sent to update the attacker’s host to deny it. We measure the performance of our proposed techniques using various evaluation metrics such as Response time, Correction time, Successful Correction ratio, CPU Usage and Network Utilization.
It can be shown that our proposed techniques are fast, intelligent, scalable and reliable in detecting and correcting attacks.

Keywords- TCP/IP; ARP protocol; ARP spoofing; ARP spoofing attack

I. INTRODUCTION

A. Background

The Internet, a network made up of millions of computers connected together, is growing rapidly every day. All the information on the Internet is distributed on millions of computers around the world. People can share their ideas and points of view across the world, thus providing wider commercial opportunity. However, the entire Internet is at risk from hackers who take advantage of Internet flaws. For instance, hackers may imitate the webpage of a business such as a bank or credit card company to trick people into disclosing account numbers, passwords and other sensitive information. Moreover, hackers may attempt to make a computer resource unavailable to its intended users using the method called the Denial-of-Service attack [1]. They are able to attack computer networks, capture information or other secret data, and redirect it to systems under their control.

Currently, one of the most critical problems is the Man-in-the-Middle attack [1][6]. It is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them. The attacker makes the victims believe that they are talking directly to each other over a private connection, while in fact the entire conversation is controlled by the attacker. The attacker is able to intercept all messages going between the two victims and inject new ones. It has been shown [1] that Man-in-the-Middle attacks can significantly affect the security of an organization, and might cause other kinds of attacks such as Denial-of-Service or DNS spoofing [2].
Due to these problems, it is very important to explore methods to protect against those attacks, and there should be self-assessment standards for administrators to be able to determine the risks in the organization. There are many existing research works on techniques to detect and protect against the ARP spoofing attack [3-4,7-11]. In this paper, we propose the technique called SmartARP to detect, correct and reply to the ARP spoofing attack. We developed a program to verify our proposed algorithm. We measure the performance of our proposed algorithm using criteria such as Response time, Correction time, Successful Correction ratio, CPU usage and Network Utilization.

This paper is structured as follows: Section 2 details the System Development and Measurement Tools. Section 3 describes the Simulation Network Model, while Section 4 illustrates the Results and Discussion. Finally, the conclusion is made in Section 5.

B. Related Works

Secure ARP protocol (S-ARP) [4] is a backward-compatible extension to ARP that relies on public-key cryptography to authenticate ARP replies. It was proposed as a replacement for the ARP protocol in order to deal with ARP spoofing. In order to be implemented in a LAN, every secured host has to be modified to use S-ARP instead of ARP.
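The abstract and introduction describe SmartARP as three steps: learn IP-to-MAC bindings, verify them actively by broadcasting an ARP-Request and checking whether more than one MAC answers, and then re-announce the correct binding to the victims while alerting on the suspect MAC. The following is an added illustration of that detect-and-plan-correction logic, not the paper's own program and not S-ARP: packet capture and the probe are simulated with constructed in-memory records (the reply list, the trusted binding table and all addresses are made up), so it runs offline and never transmits anything. A real implementation would read replies from the wire and have the administrator decide how, and whether, corrective ARP packets are sent.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN as (sender IP, sender MAC).
# Not real capture data. The last record shows host .20 answering for the
# gateway address, which is the inconsistency the detector must catch.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("192.168.1.10", "aa:aa:aa:aa:aa:10"),
    ("192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ("192.168.1.1",  "aa:aa:aa:aa:aa:20"),
]

# Constructed trusted reference (in practice a DHCP lease list or a static
# inventory kept by the administrator). Re-announcing a "correct" binding
# only makes sense when such a reference exists.
TRUSTED_BINDINGS = {
    "192.168.1.1": "aa:aa:aa:aa:aa:01",
}


def learn_bindings(replies):
    """Passive detection: map each sender IP to the sorted list of MACs that
    have claimed it, and separately return the IPs claimed by more than one
    MAC. Returns (table, conflicts)."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[ip].add(mac.lower())
    full = {ip: sorted(macs) for ip, macs in table.items()}
    conflicts = {ip: macs for ip, macs in full.items() if len(macs) > 1}
    return full, conflicts


def verify_by_probe(ip, probe_responses):
    """Active verification: after an ARP-Request for `ip` is broadcast, a
    consistent segment yields replies from exactly one MAC. `probe_responses`
    is the list of MACs that answered; here it is supplied by the caller
    (constructed), whereas a real tool would collect it from the wire."""
    distinct = sorted({m.lower() for m in probe_responses})
    return {"ip": ip, "macs": distinct, "spoofed": len(distinct) > 1}


def plan_correction(conflicts, trusted):
    """For each conflicting IP that has a trusted binding, return the (ip, mac)
    pair that would be re-announced to the victims and the MAC(s) to alert on.
    IPs without a trusted binding are reported as unresolved rather than
    guessed, so the administrator decides. Returns (corrections, suspects,
    unresolved)."""
    corrections, suspects, unresolved = [], {}, []
    for ip, macs in conflicts.items():
        good = trusted.get(ip)
        if good is None:
            unresolved.append(ip)
            continue
        good = good.lower()
        corrections.append((ip, good))
        suspects[ip] = [m for m in macs if m != good]
    return corrections, suspects, unresolved


if __name__ == "__main__":
    table, conflicts = learn_bindings(SAMPLE_ARP_REPLIES)
    print("learned:", table)
    print("conflicts:", conflicts)
    # Simulated probe of the gateway address: two different MACs answer.
    print(verify_by_probe("192.168.1.1", ["aa:aa:aa:aa:aa:01", "AA:AA:AA:AA:AA:20"]))
    print(plan_correction(conflicts, TRUSTED_BINDINGS))
```

The passive table alone has the lag the abstract criticises: the conflict only appears once the spoofed reply has already been seen. The probe closes that gap for a chosen address (for example the default gateway) on demand, and the correction planner separates the two decisions a defender actually has to make, which binding is authoritative and which host to raise an alert for.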