Real-Time Detection and Identification of ARP Spoofing Attacks in Microgrids

IF 3.4 3区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Access Pub Date : 2025-04-23 DOI:10.1109/ACCESS.2025.3563721

Kalinath Katuri;Ha Thi Nguyen;Emmanouil Anagnostou

{"title":"Real-Time Detection and Identification of ARP Spoofing Attacks in Microgrids","authors":"Kalinath Katuri;Ha Thi Nguyen;Emmanouil Anagnostou","doi":"10.1109/ACCESS.2025.3563721","DOIUrl":null,"url":null,"abstract":"The integration of smart devices and advanced communication infrastructure has turned power systems into cyber-physical systems (CPS), introducing cyber vulnerabilities. One such vulnerability arises from the use of the address resolution protocol (ARP), which is commonly employed in power systems’ information technology (IT) infrastructure to assign internet protocol (IP) addresses to devices such as relays, controllers, and meters. Due to the lack of authentication in ARP, attackers can exploit it to infiltrate substation automation systems (SAS). To detect and locate ARP spoofing attacks, a novel network intrusion detection system (NIDS) was developed using Snort3, TShark, and Python scripts to monitor ARP broadcast messages. This detection method was tested on a dedicated, real-time multi-agent CPS testbed, where a microgrid is simulated as the physical layer using a real-time digital simulator (RTDS), while the cyber layer consists of a multi-agent control implemented in a graphical network simulator (GNS3) together with Raspberry Pi devices. The real-time operator’s view is developed in Grafana visualization, mimicking the real-world microgrid operation. Two common practical ARP attacks, known as man-in-the-middle (MITM) and false data injection (FDI) attacks, were conducted to evaluate the performance of the proposed NIDS method. Both MITM and FDI attacks were implemented using IT network testing tools, such as Ettercap and the Scapy library in Python. The results have shown that the proposed NIDS system can detect, localize, and publish the IP address of the attacker in both MITM and FDI attack scenarios. In addition, the impact analysis results indicated that for an identical malicious payload, the FDI attack is more severe when compared to MITM due to the intermittent nature of false data injection.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"72427-72441"},"PeriodicalIF":3.4000,"publicationDate":"2025-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10975017","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10975017/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The integration of smart devices and advanced communication infrastructure has turned power systems into cyber-physical systems (CPS), introducing cyber vulnerabilities. One such vulnerability arises from the use of the address resolution protocol (ARP), which is commonly employed in power systems’ information technology (IT) infrastructure to assign internet protocol (IP) addresses to devices such as relays, controllers, and meters. Due to the lack of authentication in ARP, attackers can exploit it to infiltrate substation automation systems (SAS). To detect and locate ARP spoofing attacks, a novel network intrusion detection system (NIDS) was developed using Snort3, TShark, and Python scripts to monitor ARP broadcast messages. This detection method was tested on a dedicated, real-time multi-agent CPS testbed, where a microgrid is simulated as the physical layer using a real-time digital simulator (RTDS), while the cyber layer consists of a multi-agent control implemented in a graphical network simulator (GNS3) together with Raspberry Pi devices. The real-time operator’s view is developed in Grafana visualization, mimicking the real-world microgrid operation. Two common practical ARP attacks, known as man-in-the-middle (MITM) and false data injection (FDI) attacks, were conducted to evaluate the performance of the proposed NIDS method. Both MITM and FDI attacks were implemented using IT network testing tools, such as Ettercap and the Scapy library in Python. The results have shown that the proposed NIDS system can detect, localize, and publish the IP address of the attacker in both MITM and FDI attack scenarios. In addition, the impact analysis results indicated that for an identical malicious payload, the FDI attack is more severe when compared to MITM due to the intermittent nature of false data injection.

查看原文本刊更多论文

微电网中ARP欺骗攻击的实时检测与识别

智能设备和先进通信基础设施的融合使电力系统变成了网络物理系统（CPS），带来了网络漏洞。其中一个漏洞来自地址解析协议（ARP）的使用，该协议通常用于电力系统的信息技术（IT）基础设施，用于为继电器、控制器和仪表等设备分配互联网协议（IP）地址。由于ARP协议缺乏认证，攻击者可以利用它渗透到变电站自动化系统（SAS）中。为了检测和定位ARP欺骗攻击，使用Snort3、TShark和Python脚本开发了一种新的网络入侵检测系统（NIDS）来监控ARP广播消息。该检测方法在专用的实时多代理CPS试验台上进行了测试，其中微电网使用实时数字模拟器（RTDS）模拟为物理层，而网络层由图形网络模拟器（GNS3）和树莓派设备中实现的多代理控制组成。实时操作员视图是在Grafana可视化中开发的，模拟了现实世界的微电网运行。通过两种常见的实际ARP攻击，即中间人攻击（MITM）和虚假数据注入攻击（FDI），来评估所提出的NIDS方法的性能。MITM和FDI攻击都是使用IT网络测试工具实现的，例如Ettercap和Python中的Scapy库。实验结果表明，该系统在MITM和FDI攻击场景下均能检测、定位并发布攻击者的IP地址。此外，影响分析结果表明，对于相同的恶意有效载荷，由于虚假数据注入的间歇性，FDI攻击比MITM更严重。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC

CiteScore

9.80

自引率

7.70%

发文量

6673

审稿时长

6 weeks

期刊介绍： IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.