Detecting man-in-the-middle attacks on non-mobile systems

Abstract

In this paper we propose a method for detecting man-in-the-middle attacks using the timestamps of TCP packet headers. From these timestamps, the delays can be calculated and by comparing the mean of the delays in the current connection to data gathered from previous sessions it is possible to detect if the packets have unusually long delays. We show that in our small case study we can find and set a threshold parameter that accurately detects man-in-the-middle attacks with a low probability of false positives. Thus, it may be used as a simple precautionary measure against malicious attacks. The method in its current form is limited to non-mobile systems, where the variations in the delay are fairly low and uniform.