局域网中ARP异常检测的多元自适应方法

2006 International Conference on Systems and Networks Communications (ICSNC'06) Pub Date : 2006-10-29 DOI:10.1109/ICSNC.2006.5

Majid Farahmand, A. Azarfar, A. Jafari, V. Zargari

{"title":"局域网中ARP异常检测的多元自适应方法","authors":"Majid Farahmand, A. Azarfar, A. Jafari, V. Zargari","doi":"10.1109/ICSNC.2006.5","DOIUrl":null,"url":null,"abstract":"Worms use different methods to propagate in networks. One of these methods is by means of broadcasting packets. Broadcasted packets occupy high percentage of network bandwidth, and abnormal broadcast traffic analysis could be a useful method for detecting network problems and infected hosts. In this paper a new method for detecting ARP abnormal traffic in a broadcast domain is introduced. A combination of four different ARP traffic criteria are used to determine network anomaly. Four parameters: Rate, Burstiness, Dark space and Sequential scan were considered. Our method focuses on rate anomaly caused by worms, scans and poorly-configured services. We applied our method to a real network to evaluate system accuracy and noticed that during one month, 92.9 percent of alarms were true positive alarms. This technique not only traces ARP anomaly the same way as scanning worms, but also it detects any host that disturbs the traffic rate in different LAN.","PeriodicalId":217322,"journal":{"name":"2006 International Conference on Systems and Networks Communications (ICSNC'06)","volume":"73 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-10-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"A Multivariate Adaptive Method for Detecting ARP Anomaly in Local Area Networks\",\"authors\":\"Majid Farahmand, A. Azarfar, A. Jafari, V. Zargari\",\"doi\":\"10.1109/ICSNC.2006.5\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Worms use different methods to propagate in networks. One of these methods is by means of broadcasting packets. Broadcasted packets occupy high percentage of network bandwidth, and abnormal broadcast traffic analysis could be a useful method for detecting network problems and infected hosts. In this paper a new method for detecting ARP abnormal traffic in a broadcast domain is introduced. A combination of four different ARP traffic criteria are used to determine network anomaly. Four parameters: Rate, Burstiness, Dark space and Sequential scan were considered. Our method focuses on rate anomaly caused by worms, scans and poorly-configured services. We applied our method to a real network to evaluate system accuracy and noticed that during one month, 92.9 percent of alarms were true positive alarms. This technique not only traces ARP anomaly the same way as scanning worms, but also it detects any host that disturbs the traffic rate in different LAN.\",\"PeriodicalId\":217322,\"journal\":{\"name\":\"2006 International Conference on Systems and Networks Communications (ICSNC'06)\",\"volume\":\"73 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-10-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2006 International Conference on Systems and Networks Communications (ICSNC'06)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICSNC.2006.5\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 International Conference on Systems and Networks Communications (ICSNC'06)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSNC.2006.5","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

摘要

蠕虫使用不同的方法在网络中传播。其中一种方法是通过广播数据包。广播报文占用了很大的网络带宽，异常广播流量分析是检测网络问题和被感染主机的有效方法。本文介绍了一种检测广播域ARP异常流量的新方法。使用四种不同的ARP流量标准的组合来确定网络异常。考虑了四个参数:速率、爆发度、暗空间和顺序扫描。我们的方法侧重于由蠕虫、扫描和配置不良的服务引起的速率异常。我们将我们的方法应用于一个真实的网络来评估系统的准确性，并注意到在一个月内，92.9%的警报是真正警报。该技术不仅可以像扫描蠕虫一样跟踪ARP异常，而且可以检测到干扰不同局域网内流量速率的任何主机。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

A Multivariate Adaptive Method for Detecting ARP Anomaly in Local Area Networks

Worms use different methods to propagate in networks. One of these methods is by means of broadcasting packets. Broadcasted packets occupy high percentage of network bandwidth, and abnormal broadcast traffic analysis could be a useful method for detecting network problems and infected hosts. In this paper a new method for detecting ARP abnormal traffic in a broadcast domain is introduced. A combination of four different ARP traffic criteria are used to determine network anomaly. Four parameters: Rate, Burstiness, Dark space and Sequential scan were considered. Our method focuses on rate anomaly caused by worms, scans and poorly-configured services. We applied our method to a real network to evaluate system accuracy and noticed that during one month, 92.9 percent of alarms were true positive alarms. This technique not only traces ARP anomaly the same way as scanning worms, but also it detects any host that disturbs the traffic rate in different LAN.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2006 International Conference on Systems and Networks Communications (ICSNC'06)

自引率

0.00%

发文量