WO2012108687A2 - Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method - Google Patents


Info

Publication number
WO2012108687A2
Authority
WO
WIPO (PCT)
Application number
PCT/KR2012/000930
Other languages
French (fr)
Other versions
WO2012108687A3 (en
Inventor
Joosaeng KIM
Taesoo HAN
Jong Hyun Kim
Original Assignee
Ahnlab., Inc.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present invention relates to a technique for detecting Address Resolution Protocol (ARP) spoofing attacks and, more specifically, to a method of detecting ARP spoofing attacks using ARP locking and a computer-readable recording medium storing a program for executing the method.
  • a representative example of these methods is hacking using an ARP spoofing attack.
  • an ARP spoofing attack forges the Internet Protocol (IP) address of a target computer and the contents of the ARP cache of a switch or other network equipment, so that traffic between the target computer and a server is diverted to an attacker's computer. Accordingly, a hacker can illegitimately acquire desired personal information, such as an Identification (ID), a password, financial information, etc., from the diverted traffic.
  • the above-described conventional method examines one by one whether an execution file including malware is present or is running when it is suspected that an ARP spoofing attack has been made, which is inefficient and incurs a long work time and high cost.
  • the conventional method also cannot permanently cope with ARP spoofing attacks.
  • the present invention provides a method of detecting an ARP spoofing attack using ARP locking and a computer-readable recording medium storing a program for executing the method.
  • an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack, and extracting information about a process sending the ARP response to transmit the extracted information about the process to the server.
  • an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, and determining that there is the ARP spoofing attack and blocking the inbound packet.
  • a method of detecting Address Resolution Protocol (ARP) spoofing attack including:
  • an IP address of the sender sending an ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending an ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
  • Fig. 1 is a block diagram illustrating a system for detecting an Address Resolution Protocol (ARP) spoofing attack using ARP locking to which embodiments of the present invention are applied;
  • Fig. 2 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with a first embodiment of the present invention;
  • Fig. 3 is a flowchart illustrating the detailed process of step 218 illustrated in Fig. 2;
  • Fig. 4 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with a second embodiment of the present invention;
  • Fig. 5 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with a third embodiment of the present invention;
  • Fig. 6 is a block diagram illustrating the configuration of a standalone apparatus for detecting an ARP spoofing attack using ARP locking to which embodiments of the present invention are applied;
  • Fig. 7 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with a fourth embodiment of the present invention;
  • Fig. 8 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with a fifth embodiment of the present invention.
  • Fig. 1 is a block diagram illustrating a system for detecting an Address Resolution Protocol (ARP) spoofing attack using ARP locking to which embodiments of the present invention are applied.
  • the system for detecting an ARP spoofing attack includes a server 110 having a database 112 and a plurality of agent Personal Computers (PCs) 130 connected to the server 110 over a network 120.
  • ARP locking refers to a service enabling an agent PC to preemptively defend an ARP spoofing attack and remedy the ARP spoofing attack even though the agent PC has been subject to the ARP spoofing attack.
  • Each of the agent PCs 130 serves to detect the ARP spoofing attack and includes an agent service module 132, a network engine module 134, a network filter driver 136 and ARP cache 138.
  • the server 110 manages the agent PCs 130 physically connected over the network 120.
  • the server 110 transmits a command to collect ARP information to the agent PCs 130 over the network 120, analyzes the ARP responses collected from the individual agent PCs 130 to determine the senders within the network 120 that are to be protected from the ARP spoofing attack or to which access is allowable (the candidate senders), and transmits the address information, including IP and MAC addresses, of the candidate senders to the individual agent PCs 130.
  • an ARP response may contain source and destination IP and MAC addresses, a response time (in milliseconds), an agent ID, etc.
  • the ARP responses and the address information of the candidate senders are stored in the database 112.
  • the server 110 determines that the address information of a sender is one of the address information of the candidate senders when only one ARP response from that sender has been received via an agent PC 130. However, in case two or more of the same ARP responses are received in response to an ARP request, the server 110 recognizes the occurrence of an ARP spoofing attack from those ARP responses and does not use the address information of the senders sending them as the address information of the candidate senders.
  • in that case the server 110 also does not use the address information of the sender sending the first ARP response as the address information of the candidate senders.
  • the server 110 selects an ARP response that has arrived first from the agent PC and uses address information of a sender sending the first arrived ARP response as one of the address information of the candidate senders.
  • the reason is that ARP responses from a gateway arrive quickly for a specific time period, while ARP responses from an ARP spoofing attacker arrive later than the ARP response from the gateway because the ARP responses from the ARP spoofing attacker are made to all target agent PCs.
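As an added illustration (not code from the patent or from AhnLab), the two server-side policies for deriving candidate senders described above, in Python over a constructed set of collected ARP responses; the record fields, the grouping of replies across agents by the sender IP they claim, and the reading of "two or more same ARP responses" as several replies claiming one IP are assumptions.

```python
from collections import defaultdict

# Constructed sample: ARP responses as collected by agent PCs and forwarded
# to the server. Field names follow the page (source IP/MAC, response time
# in milliseconds, agent ID) but the values are invented. Agents A1 and A2
# both see the gateway 10.0.0.1 answer from one MAC; A2 additionally sees a
# later, conflicting answer claiming 10.0.0.1; 10.0.0.20 answers once.
SAMPLE_RESPONSES = [
    {"agent": "A1", "ip": "10.0.0.1",  "mac": "00:11:22:33:44:01", "ms": 3},
    {"agent": "A2", "ip": "10.0.0.1",  "mac": "00:11:22:33:44:01", "ms": 4},
    {"agent": "A2", "ip": "10.0.0.1",  "mac": "de:ad:be:ef:00:99", "ms": 41},
    {"agent": "A1", "ip": "10.0.0.20", "mac": "00:11:22:33:44:20", "ms": 7},
]


def _group_by_ip(responses):
    """Group the collected replies by the sender IP they claim (assumed to be
    what the server compares across agents)."""
    by_ip = defaultdict(list)
    for r in responses:
        by_ip[r["ip"]].append(r)
    return by_ip


def candidates_exclude_conflicts(responses):
    """First server policy: an IP answered with exactly one MAC becomes a
    candidate; an IP answered with two or more different MACs is taken as a
    sign of spoofing and none of its senders (not even the first) is used.
    Returns (candidates as {ip: mac}, sorted list of suspected IPs)."""
    candidates, suspected = {}, []
    for ip, group in _group_by_ip(responses).items():
        macs = {r["mac"].lower() for r in group}
        if len(macs) == 1:
            candidates[ip] = macs.pop()
        else:
            suspected.append(ip)
    return candidates, sorted(suspected)


def candidates_first_arrival(responses):
    """Alternative server policy: when several replies claim the same IP,
    keep the one that arrived first. The page's rationale is that the real
    gateway answers quickly, while a spoofer that must reply to every target
    agent PC answers later."""
    candidates = {}
    for ip, group in _group_by_ip(responses).items():
        first = min(group, key=lambda r: r["ms"])
        candidates[ip] = first["mac"].lower()
    return candidates


if __name__ == "__main__":
    print(candidates_exclude_conflicts(SAMPLE_RESPONSES))
    print(candidates_first_arrival(SAMPLE_RESPONSES))
```

The two policies trade off differently: excluding conflicts never locks in an attacker's MAC but leaves a contested IP unprotected, while first-arrival always yields a candidate but depends on the timing argument holding.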
  • address information of the candidate senders to be protected from an ARP spoofing attack may be directly entered into the server 110 via a user interface, and the server 110 transmits the address information of the candidate senders to the individual agent PCs 130 over the network 120. Further, the server 110, in accordance with a third embodiment of the present invention, transmits the address information of the candidate senders, entered via the user interface together with a command to detect ARP spoofing attacks, to the individual agent PCs 130 over the network 120.
  • the server 110 may terminate a process that is executed on an agent PC transmitting an ARP response determined to be related to an ARP spoofing attack, depending on a predetermined option, and then blocks the execution of the process on other agent PCs when receiving information about the process (for example, an ID and name of the process, information about the agent PC, etc.).
  • the ARP cache 138 of the agent PC 130 is a table that stores IP and MAC addresses for a sender sending the ARP response.
  • the agent service module 132 of the agent PC 130 performs data communication with the server 110 over the network 120.
  • the agent service module 132 transfers the command to collect ARP information, received from the server 110, to the network engine module 134, and transmits the collected ARP responses, transferred by the network engine module 134, to the server 110 over the network 120.
  • the agent service module 132 transfers the address information of the candidate senders, received from the server 110, to the network engine module 134. Furthermore, the agent service module 132 transfers the address information of the candidate senders received from the server 110, together with the command to detect ARP spoofing attacks, to the network engine module 134. In addition, in accordance with the third embodiment of the present invention, the agent service module 132 transmits information about a process, transmitting the ARP response that was determined to be related to an ARP spoofing attack, to the server 110 over the network 120.
  • the network engine module 134, when the ARP information collection command is received via the agent service module 132, transmits an ARP request for collecting ARP information over the network 120, collects the ARP responses arriving for a specific time period, and transfers the collected ARP responses to the agent service module 132. Further, the network engine module 134, when the address information of the candidate senders is received via the agent service module 132, detects ARP spoofing attacks by comparing the address information of the candidate senders, the address information of the ARP cache 138, and the address information of the sender transmitting the ARP response in a received inbound packet.
  • the network engine module 134 compares the address information of the ARP cache with the address information of the candidate senders; initializes the address information of the ARP cache if the IP address of the ARP cache is consistent with any one of the candidate IP addresses of senders and a MAC address of the ARP cache is not consistent with the candidate MAC address of the sender of which IP address is consistent with that of the ARP cache; compares the IP and MAC addresses of a sender sending the ARP response with the candidate IP and MAC addresses of senders; and then transfers a command to block the inbound packet to the network filter driver 136 in case where an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a candidate MAC address of the sender of which IP address is consistent with that of the sender sending the ARP response.
  • the collection of the ARP responses performed by the network engine module 134 may be performed several times (for example, three or four times).
  • the ARP responses collected over the several times are then transmitted to the server 110 via the agent service module 132.
  • the network engine module 134, when the address information of the candidate senders is received via the agent service module 132, detects an ARP spoofing attack by comparing the address information of the ARP cache, the address information of the candidate senders, and the address information of the sender sending the ARP response in the received inbound packet.
  • the network engine module 134 compares the address information of the ARP cache with the address information of the candidate senders, and initializes the address information of the ARP cache if an IP address of the ARP cache is consistent with any one of the candidate IP addresses of senders and the MAC address of the ARP cache is not consistent with the candidate MAC address of the sender whose IP address is consistent with that of the ARP cache, thereby remedying the ARP cache from an ARP spoofing attack.
  • the network engine module 134 compares the IP address and MAC address of the sender sending the ARP response in the inbound packet, transferred by the network filter driver 136, with the candidate IP and MAC addresses of senders, and then transfers a command to block the inbound packet to the network filter driver 136 if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and the MAC address of the sender sending the ARP response is not consistent with the candidate MAC address of the sender whose IP address is consistent with that of the sender sending the ARP response.
  • the network engine module 134, when the address information of the candidate senders is received via the agent service module 132 along with a command to detect an ARP spoofing attack, compares the IP and MAC addresses of the sender sending the ARP response in an outbound packet transferred by the network filter driver 136 with the candidate IP and MAC addresses of senders; detects that there is an ARP spoofing attack if the IP address of the sender sending the ARP response is consistent with any one of the candidate IP addresses of senders and the MAC address of the sender sending the ARP response is not consistent with the candidate MAC address of the sender whose IP address is consistent with that of the sender sending the ARP response; extracts information about the process (for example, an ID of the process, a name of the process, information about the agent PC on which the process is executed, etc.) transmitting the ARP response; transmits the process information to the agent service module 132; and transfers a command to filter the inbound packet to
  • the network filter driver 136 transfers the ARP response contained in an inbound packet to the network engine module 134, and blocks the inbound packet when the packet filtering command in accordance with the result of the comparison between the address information of the sender sending the ARP response and the address information of candidate senders is transferred by the network engine module 134. Further, in accordance with the third embodiment of the present invention, the network filter driver 136 transfers the ARP response in an outbound packet to the network engine module 134, and blocks the outbound packet when the packet filtering command in accordance with the result of the comparison between the address information of the sender sending the ARP response in the outbound packet and the address information of candidate senders is transferred by the network engine module 134.
  • although a single agent PC capable of gaining access over the network is illustrated in Fig. 1 for ease of description and clarity of understanding, the present invention is not limited thereto. It is apparent to those skilled in the art that a plurality of agent PCs can access the server 110 over the network 120 and be provided with the ARP spoofing attack detection provided in accordance with the present invention.
  • Fig. 2 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the first embodiment of the present invention.
  • in step 202, the server 110 is in standby mode or execution mode. If, in standby mode or execution mode, a function to automatically collect ARP information is turned on in step 204 in order to execute the ARP locking, the server 110 generates a command to collect ARP information and transfers the ARP information collection command to the agent service module 132 in the respective agent PCs 130 over the network 120 in step 206.
  • in step 208, the agent service module 132 delivers the ARP information collection command to the network engine module 134, and the network engine module 134 broadcasts an ARP request for collecting ARP information over the network 120 and waits to receive an ARP response from each agent PC 130.
  • the network engine module 134 collects ARP responses arriving from the respective agent PCs 130 for a specific time period and transfers the collected ARP responses to the agent service module 132.
  • the agent service module 132 transmits the collected ARP responses to the server 110 over the network 120.
  • the server 110 analyzes the ARP responses collected from the respective agent PCs to determine senders that desire to protect against the ARP spoofing attack or to which an access is allowable.
  • the ARP responses and address information, including IP and MAC addresses, of the candidate senders are stored in the database 112.
  • the address information of the candidate senders is then transmitted to each agent PC 130 over the network 120.
  • in step 218, the agent PC 130 detects an ARP spoofing attack using the address information of the candidate senders provided by the server 110, which will be described in detail with reference to Fig. 3.
  • Fig. 3 is a flowchart illustrating the detailed process of step 218 of detecting an ARP spoofing attack illustrated in Fig. 2.
  • in step 302, when the address information of the candidate senders is received from the server 110, the agent service module 132 delivers the received address information of the candidate senders to the network engine module 134 for registration.
  • in step 304, the network engine module 134 checks whether the IP and MAC addresses in the ARP cache 138 of the agent PC 130 are consistent with the candidate IP and MAC addresses of the senders by comparing them with each other. If, as a result of the checking at step 304, the IP address of the ARP cache 138 is consistent with any one of the IP addresses of the candidate senders and the MAC address of the ARP cache is not consistent with the MAC address of the candidate sender whose IP address is consistent with that of the ARP cache 138, the network engine module 134 determines that there is an ARP spoofing attack and initializes the address information of the ARP cache in step 306.
  • the network filter driver 136 transfers an inbound packet, received over the network 120, to the network engine module 134 in step 308, and the network engine module 134 checks whether the inbound packet is an ARP response in step 310. If, as a result of the checking in step 310, the inbound packet is an ARP response, the process goes to step 312.
  • in step 312, it is checked whether the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders by comparing them with each other.
  • if, as a result of the checking in step 312, the IP address of the sender sending the ARP response is not consistent with any of the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 308 of receiving an inbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, the process advances to step 314.
  • in step 314, it is checked whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response. If, as a result of the checking in step 314, the MAC address of the sender sending the ARP response is consistent with that candidate MAC address, it is determined that there is no ARP spoofing attack and the process returns to step 308 of receiving another inbound packet. However, if the MAC address of the sender sending the ARP response is not consistent with that candidate MAC address, the network engine module 134 determines that there is an ARP spoofing attack and provides a command to filter the inbound packet to the network filter driver 136.
  • the network filter driver 136 blocks the inbound packet in accordance with the packet filtering command transferred by the network engine module 134, thereby blocking a malicious ARP spoofing attack.
  • the detection and blocking of such ARP spoofing attack is continued using the candidate IP and MAC addresses of the senders while the ARP responses of inbound packets are being received.
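As an added illustration (not code from the patent or from AhnLab) of the agent-side process of Fig. 3, which the second embodiment reuses with manually entered candidates: a parser for Ethernet-encapsulated ARP replies, the ARP cache reconciliation of steps 304 and 306, and the inbound filtering decision of steps 308 to 314, in Python over constructed frames. The candidate list, cache contents and all addresses are assumptions; the same `is_spoofed` comparison is what step 511 of the third embodiment applies to outbound replies, which is why an agent that is itself a candidate (the mail-server case discussed later) is not blocked.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806   # EtherType of ARP
ARP_REPLY = 2        # ARP opcode for a reply


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_ip, sender_mac) if the Ethernet II frame carries an
    IPv4-over-Ethernet ARP reply; return None for anything else (step 310)."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Constructed test input only: assemble an Ethernet II frame carrying
    an ARP reply (used to make the sample frames below)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


def is_spoofed(candidates: Dict[str, str], ip: str, mac: str) -> bool:
    """Steps 312 and 314: an (ip, mac) pair is spoofed only when ip is one of
    the candidate IPs AND mac differs from that candidate's MAC. IPs that are
    not candidates, and pairs that match, are not treated as spoofing."""
    expected = candidates.get(ip)
    return expected is not None and expected.lower() != mac.lower()


def reconcile_cache(candidates: Dict[str, str],
                    arp_cache: Dict[str, str]) -> List[str]:
    """Steps 304 and 306: return the cached IPs whose entry disagrees with
    the candidate list; the agent initializes (flushes) exactly those."""
    return [ip for ip, mac in arp_cache.items() if is_spoofed(candidates, ip, mac)]


def filter_inbound(candidates: Dict[str, str], frame: bytes) -> str:
    """Steps 308 to 314 for one inbound frame: 'PASS' for non-ARP-reply
    traffic and consistent replies, 'BLOCK' for a reply that fails
    is_spoofed (the command handed to the network filter driver)."""
    parsed = parse_arp_reply(frame)
    if parsed is None:
        return "PASS"
    ip, mac = parsed
    return "BLOCK" if is_spoofed(candidates, ip, mac) else "PASS"


# Constructed sample data (assumed addresses, not from the page).
CANDIDATES = {"10.0.0.1": "00:11:22:33:44:01",    # gateway
              "10.0.0.20": "00:11:22:33:44:20"}   # mail server
AGENT_IP, AGENT_MAC = "10.0.0.55", "00:11:22:33:44:55"
# ARP cache of the agent PC: the gateway entry is already poisoned, the
# mail server entry is intact, 10.0.0.77 is not a candidate at all.
POISONED_CACHE = {"10.0.0.1": "de:ad:be:ef:00:99",
                  "10.0.0.20": "00:11:22:33:44:20",
                  "10.0.0.77": "00:11:22:33:44:77"}
GOOD_REPLY = build_arp_reply("00:11:22:33:44:01", "10.0.0.1", AGENT_MAC, AGENT_IP)
BAD_REPLY = build_arp_reply("de:ad:be:ef:00:99", "10.0.0.1", AGENT_MAC, AGENT_IP)
OTHER_REPLY = build_arp_reply("00:11:22:33:44:77", "10.0.0.77", AGENT_MAC, AGENT_IP)

if __name__ == "__main__":
    print("flush:", reconcile_cache(CANDIDATES, POISONED_CACHE))   # ['10.0.0.1']
    for name, frame in [("good", GOOD_REPLY), ("bad", BAD_REPLY),
                        ("other", OTHER_REPLY)]:
        print(name, filter_inbound(CANDIDATES, frame))             # PASS BLOCK PASS
```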
  • Fig. 4 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the second embodiment of the present invention.
  • in step 402, an administrator or a user directly enters the address information, including IP and MAC addresses, of candidate senders to be protected against an ARP spoofing attack or to which access is allowable into the server 110 via a user interface. Then the server 110 transmits the address information of the candidate senders to the individual agent PCs 130 over the network 120 in step 404.
  • the agent service module 132 of the agent PC 130 delivers the address information of the candidate senders to the network engine module 134, and the network engine module 134 then checks whether the address information of the ARP cache 138 in the agent PC 130 is consistent with the address information of the candidate senders by comparing them with each other.
  • if, as a result of that check, an IP address of the ARP cache 138 is consistent with any one of the IP addresses of the candidate senders and the MAC address of the ARP cache is not consistent with the MAC address of the candidate sender whose IP address is consistent with that of the ARP cache, the network engine module 134 determines that there is an ARP spoofing attack and initializes the address information of the ARP cache in step 408.
  • the network filter driver 136 transfers an inbound packet, received over the network 120, to the network engine module 134 in step 410, and the network engine module 134 checks whether the transferred inbound packet is an ARP response in step 412. If, as a result of the checking in step 412, the inbound packet is an ARP response, the process goes to step 414.
  • in step 414, the network engine module 134 checks whether the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders.
  • if, as a result of the checking in step 414, the IP address of the sender sending the ARP response is not consistent with any of the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 410 of receiving another inbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, it is checked in step 416 whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response.
  • if, as a result of the checking in step 416, the MAC address of the sender sending the ARP response is not consistent with that candidate MAC address, the network engine module 134 determines that an ARP spoofing attack has occurred and transfers a command to block the inbound packet to the network filter driver 136.
  • the network filter driver 136 blocks the inbound packet for ARP spoofing in compliance with the packet filtering command transferred by the network engine module 134 in step 418, thereby blocking the malicious ARP spoofing attack.
  • the detection and blocking of such ARP spoofing packets is continuously performed using the IP and MAC addresses of the candidate senders while the ARP responses of inbound packets are being received.
  • Fig. 5 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the third embodiment of the present invention.
  • an administrator executes the ARP locking by initiating a function to automatically collect address information, including IP and MAC addresses, of candidate senders that desire to protect against an ARP spoofing attack or directly entering the address information of the candidate senders.
  • the server 110 then generates a command to detect an ARP spoofing attack and transmits the ARP spoofing attack detection command, together with the address information of the candidate senders, to the agent PC 130 over the network 120.
  • the address information of the candidate senders is then provided to the agent service module 132 and in turn, to the network engine module 134 along with the ARP spoofing attack detection command.
  • the network filter driver 136 transfers an outbound packet, received over the network 120, to the network engine module 134 in step 506, and the network engine module 134 checks whether the outbound packet is an ARP response in step 508. Thereafter, if the outbound packet is an ARP response, the network engine module 134 checks whether the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders in step 510.
  • if, as a result of the checking in step 510, the IP address of the sender sending the ARP response is not consistent with any of the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 506 of receiving another outbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, the process goes to step 511.
  • in step 511, it is checked whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response. If, as a result of the checking in step 511, the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response, the network engine module 134 determines that there is an ARP spoofing attack, extracts information about the process that transmits the outbound packet, for example, an ID of the process, a name of the process, information about the agent PC on which the process is executed, etc., and transfers the process information to the agent service module 132 in step 512.
  • the IP address of the ARP cache need not be the same as any one of the IP addresses of the candidate senders.
  • if any one of the IP addresses of the candidate senders is the IP address of a mail server and the agent PC is itself that mail server, the IP address of the sender sending the ARP response is the same as that of the mail server, which is one of the IP addresses of the candidate senders, and the ARP response would be erroneously blocked.
  • the agent service module 132 transmits the process information to the server 110, and the server 110 deals with the ARP spoofing attack by terminating the process based on a predetermined option and preventing other agent PCs from executing the process.
  • the network engine module 134, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, provides a command to block the outbound packet to the network filter driver 136, so that the network filter driver 136 blocks the outbound packet in accordance with the packet filtering command, thereby blocking the malicious ARP spoofing attack.
  • the detection and blocking of ARP spoofing packets is continuously performed using the IP addresses of the candidate senders while the ARP responses of inbound packets are being received.
  • Fig. 6 is a block diagram illustrating the configuration of a standalone apparatus for detecting ARP spoofing attack using ARP locking to which embodiments of the present invention are applied.
  • an apparatus 610 for detecting an ARP spoofing attack includes an agent service module 612, a network engine module 614, a network filter driver 616 and an ARP cache 618.
  • the agent service module 612, when a command to detect an ARP spoofing attack is inputted via a user interface, generates a command to collect ARP information and transfers it to the network engine module 614. Further, the agent service module 612 analyzes the address information of the ARP responses collected by the network engine module 614 to determine the senders to be protected against an ARP spoofing attack or to which access is allowable, and transfers the address information, including IP and MAC addresses, of the candidate senders, together with a command to detect the ARP spoofing attack, to the network engine module 614.
  • the determination of the address information of the candidate senders is performed in the same manner as in the above-described first embodiment, and the ARP responses and the address information of the candidate senders may be registered in a database or storage (not shown) of the apparatus 610.
  • the agent service module 612 transfers the address information of the candidate senders, directly entered via a user interface, together with a command to detect the ARP spoofing attack, to the network engine module 614.
  • the network engine module 614, when a command to collect ARP information is provided from the agent service module 612, transmits an ARP request for collecting ARP information over the network 620, collects the ARP responses in inbound packets arriving for a specific time period, determines the address information, including IP and MAC addresses, of the candidate senders by analyzing the address information of the collected ARP responses, and initializes the ARP cache 618 if an IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders and the MAC address of the ARP cache 618 is not consistent with the MAC address of the candidate sender whose IP address is consistent with that of the ARP cache 618.
  • the network engine module 614 compares the IP and MAC addresses of a sender sending the ARP response in an inbound packet, transferred by the network filter driver 616, with the IP and MAC addresses of the candidate senders, and then transfers a command to block the inbound packets to the network filter driver 616 if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders but the MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response.
  • the network engine module 614 compares the address information of an ARP cache 618 with the address information of the candidate senders, initializes the address information of the ARP cache 618 if an IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache 618 is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache 618, and transfers a command to block the inbound packet to the network filter driver 616 if the IP address of a sender sending the ARP response in an inbound packet is consistent with any one of the IP addresses of the candidate senders and the MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response.
  • The network filter driver 616 transfers the ARP response in the inbound packet, received over the network 620, to the network engine module 614, and blocks the inbound packet when the packet blocking command is transferred from the network engine module 614 in accordance with the result of the comparison between the IP and MAC addresses of the sender sending the ARP response in the inbound packet and the IP and MAC addresses of the candidate senders.
  • Fig. 7 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the fourth embodiment of the present invention.
  • In step 702, when a command to detect an ARP spoofing attack is entered via a user interface, the agent service module 612 generates a command to collect ARP information and transfers the command to the network engine module 614. Thereafter, the network engine module 614 transmits an ARP request for collecting ARP information over the network in step 704, collects the ARP responses arriving for a specific time period, and transfers the collected ARP responses to the agent service module 612 in step 706.
  • the agent service module 612 analyzes address information of the collected ARP responses provided by the network engine module 614 to determine address information, including IP and MAC addresses, of candidate senders that desire to protect against the ARP spoofing attack or to which an access is allowable.
  • the determination of the address information of the candidate senders is performed in the same manner as in the first embodiment.
  • In step 710, the address information of the candidate senders is transferred to the network engine module 614 along with the ARP spoofing attack detection command, and the network engine module 614 checks whether the IP and MAC addresses of the ARP cache 618 are consistent with the IP and MAC addresses of the candidate senders.
  • If the check in step 710 finds that an IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders but the MAC address of the ARP cache 618 is not consistent with the MAC address of the candidate sender of which IP address is consistent with that of the ARP cache 618, the network engine module 614 determines that there is an ARP spoofing attack and then initializes the ARP cache 618 in step 712.
  • the network filter driver 616 transfers an inbound packet, received over the network 620, to the network engine module 614 in step 714, and the network engine module 614 checks whether the inbound packet is an ARP response in step 716. Subsequently, if it is determined that the inbound packet is an ARP response, the network engine module 614 determines whether the IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders in step 718.
  • If, as a result of the checking in step 718, it is determined that the IP address of the sender sending the ARP response is not consistent with any of the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 714 of receiving another inbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, it is determined in step 720 whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender of which IP address is consistent with that of the sender sending the ARP response.
  • If, as a result of the checking in step 720, it is determined that the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender, it is determined that there is no ARP spoofing attack, and the process returns to step 714 of receiving another inbound packet. However, if the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender, the network engine module 614 determines that an ARP spoofing attack has occurred and transfers a command to block the inbound packet to the network filter driver 616.
  • The network filter driver 616 blocks the inbound packet in compliance with the packet filtering command transferred by the network engine module 614, thereby blocking a malicious ARP spoofing attack.
  • the detection and blocking of ARP spoofing packets is continuously performed while the ARP responses of inbound packets are being received.
  • Fig. 8 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the fifth embodiment of the present invention.
  • In step 802, address information, including IP and MAC addresses, of candidate senders that are to be protected against an ARP spoofing attack is directly inputted via a user interface.
  • the agent service module 612 then transfers the address information of the candidate senders, together with a command to detect the ARP spoofing attack, to the network engine module 614.
  • In step 804, the network engine module 614 checks whether the address information of the ARP cache 618 is consistent with the address information of the candidate senders transferred by the agent service module 612.
  • If the check in step 804 finds that an IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders but the MAC address of the ARP cache 618 is not consistent with the MAC address of the candidate sender of which IP address is consistent with that of the ARP cache 618, the network engine module 614 determines that an ARP spoofing attack has occurred and initializes the ARP cache 618 in step 806.
  • The network filter driver 616 transfers an inbound packet, received over the network 620, to the network engine module 614 in step 808, and the network engine module 614 then checks whether the inbound packet is an ARP response in step 810. If it is determined that the inbound packet is an ARP response, the network engine module 614 checks in step 812 whether the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders.
  • If, as a result of the checking in step 812, it is determined that the IP address of the sender sending the ARP response is not consistent with any of the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 808 of receiving another inbound packet. If, however, the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, it is checked in step 814 whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender of which IP address is consistent with that of the sender sending the ARP response.
  • If, as a result of the checking in step 814, it is determined that the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender of which IP address is consistent with that of the sender sending the ARP response, it is determined that there is no ARP spoofing attack and the process returns to step 808 of receiving another inbound packet. However, if the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender, the network engine module 614 determines that an ARP spoofing attack has occurred and transfers a command to filter the inbound packet to the network filter driver 616.
  • the network filter driver 616 blocks the inbound packet in compliance with the packet filtering command transferred by the network engine module 614, thereby blocking a malicious ARP spoofing attack.
  • the detection and blocking of ARP spoofing packets is continuously performed using the address information of the candidate senders while the ARP responses of inbound packets are being received.
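The ARP cache check (steps 710/804 and 712/806) and the per-packet inbound check (steps 810 to 814) written out as an added example; this is illustrative code, not the patent's or Ahnlab's implementation. The candidate addresses, the poisoned cache and the inbound packets are constructed sample data, and clearing the whole cache is this example's reading of "initializes the ARP cache".

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpResponse:
    """Sender address information carried by an ARP response (constructed model)."""
    sender_ip: str
    sender_mac: str


def _norm(mac: str) -> str:
    # MACs are compared case-insensitively, so "00:00:5E:..." equals "00:00:5e:...".
    return mac.strip().lower()


def cache_is_spoofed(arp_cache: Dict[str, str], candidates: Dict[str, str]) -> bool:
    """Step 804 (fifth embodiment) / step 710 (fourth embodiment).

    The cache is spoofed when an entry's IP is one of the candidate IPs but its
    MAC is not the MAC of the candidate sender owning that IP. Entries for IPs
    that are not protected are ignored.
    """
    for ip, mac in arp_cache.items():
        expected = candidates.get(ip)
        if expected is not None and _norm(expected) != _norm(mac):
            return True
    return False


def check_and_initialize_cache(arp_cache: Dict[str, str],
                               candidates: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Return (resulting cache, attack_detected).

    Step 806 / 712: a spoofed cache is initialized. Clearing every entry is an
    assumption; the page only says the cache is initialized.
    """
    if cache_is_spoofed(arp_cache, candidates):
        return {}, True
    return dict(arp_cache), False


def classify_inbound(packet: object, candidates: Dict[str, str]) -> str:
    """Steps 810 to 814: decide whether one inbound packet is passed or blocked."""
    if not isinstance(packet, ArpResponse):            # step 810: not an ARP response
        return "pass"
    expected = candidates.get(packet.sender_ip)
    if expected is None:                               # step 812: IP is not a protected one
        return "pass"
    if _norm(expected) == _norm(packet.sender_mac):    # step 814: MAC matches the candidate
        return "pass"
    return "block"                                     # candidate IP with a foreign MAC


def filter_inbound(packets: List[object],
                   candidates: Dict[str, str]) -> Tuple[List[object], List[ArpResponse]]:
    """Run the per-packet check over a stream of packets; returns (passed, blocked)."""
    passed, blocked = [], []
    for pkt in packets:
        (blocked if classify_inbound(pkt, candidates) == "block" else passed).append(pkt)
    return passed, blocked


# Constructed sample data using documentation-range addresses (not real hosts).
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
ATTACKER_MAC = "00:00:5e:00:53:ff"
CANDIDATES = {GATEWAY_IP: GATEWAY_MAC, "192.0.2.20": "00:00:5e:00:53:20"}

# An ARP cache in which the gateway entry has already been poisoned.
SAMPLE_CACHE = {GATEWAY_IP: ATTACKER_MAC, "192.0.2.77": "00:00:5e:00:53:77"}

SAMPLE_INBOUND = [
    ArpResponse(GATEWAY_IP, GATEWAY_MAC),            # genuine gateway reply: pass
    ArpResponse(GATEWAY_IP, ATTACKER_MAC.upper()),   # gateway IP with another MAC: block
    ArpResponse("192.0.2.99", "00:00:5e:00:53:99"),  # unprotected IP: pass
    "non-arp-packet",                                # not an ARP response: pass
]

if __name__ == "__main__":
    cache, detected = check_and_initialize_cache(SAMPLE_CACHE, CANDIDATES)
    print("cache attack detected:", detected, "cache now:", cache)
    passed, blocked = filter_inbound(SAMPLE_INBOUND, CANDIDATES)
    print("passed:", len(passed), "blocked:", blocked)
```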
  • the above-described techniques for detecting an ARP spoofing attack using ARP locking in accordance with the embodiments of the present invention may be implemented using computer-executable codes or code segments stored in recording media that can be read by a computer.
  • the computer-readable recording media may include all types of recording media or information storage media that store data that can be read by a computer system.
  • the computer readable media may include, for example, magnetic recording media, optical recording media, and carrier waves.
  • The present invention detects and blocks an ARP spoofing attack on each management target agent by selecting and comparing the address information of the candidate senders provided by the server that provides the ARP detection service, the address information of the ARP cache, and the address information of the sender of an ARP response in an inbound packet or of the sender of an ARP response in an outbound packet. Alternatively, it detects and blocks an ARP spoofing attack on each agent PC by selecting and comparing the address information of candidate senders entered by a user or determined by the agent PC, the address information of the ARP cache, and the address information of the sender of an ARP response in an inbound packet or of the sender of an ARP response in an outbound packet. The invention thereby copes rapidly and actively with malicious ARP spoofing attacks: it can block and guard against ARP spoofing attacks in advance, and can accurately detect and remedy an ARP spoofing attack even when the attack has already been made.

Abstract

A method of detecting Address Resolution Protocol (ARP) spoofing attack, includes initializing an ARP cache if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache. The method further includes blocking an inbound packet having an ARP response if an IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender is not consistent with a MAC address of the candidate sender of which IP address is consistent with that of the sender sending the ARP response.

Description

METHOD OF DETECTING ARP SPOOFING ATTACKS USING ARP LOCKING AND COMPUTER-READABLE RECORDING MEDIUM STORING PROGRAM FOR EXECUTING THE METHOD
The present invention relates to a technique for detecting Address Resolution Protocol (ARP) spoofing attacks and, more specifically, to a method of detecting ARP spoofing attacks using ARP locking and a computer-readable recording medium storing a program for executing the method.
Recently, with the rapid development and popularization of the Internet and network technologies, the Internet has become an easily accessible environment, with the result that the number of Internet users has increased explosively.
However, although the population of Internet users has grown quickly thanks to the popularization of the Internet environment, not all Internet users have expert knowledge about computers or the Internet; therefore, various types of crimes that abuse these vulnerable users are committed over a network, and they are gradually increasing.
For example, there are many cases where personal information is illegitimately acquired and distributed, or personal financial information is illegitimately acquired and financial crimes are committed using the personal financial information. Due to the above cases, currently, the understanding of network security has been improved, and efforts to prevent illegitimate hacking and interest in the prevention of illegitimate hacking have increased.
There are many methods for illegitimately acquiring personal information. A representative one is hacking using an ARP spoofing attack. In an ARP spoofing attack, the Internet Protocol (IP) address of a target computer is forged and the information in the ARP cache of a switch or other network equipment is forged, so that traffic between the target computer and a server is diverted to the attacker's computer. Accordingly, a hacker can illegitimately acquire desired personal information, such as an Identification (ID), a password, financial information, etc., from the diverted traffic.
Such malicious ARP spoofing attacks are a serious problem in light of the fact that, with the recent increase in the number of Internet users, a wide variety of network equipment is used by individuals and in homes as well as by companies.
Therefore, in order to cope with malicious ARP spoofing attacks, a conventional method has been used that scans the ARP cache of a local network equipment; recognizes that an ARP spoofing attack has been made on the local network equipment if a plurality of Media Access Control (MAC) addresses having the same IP address is repeatedly found; examines whether an execution file including malware for making an ARP spoofing attack is present or running on the local network equipment in order to detect the ARP spoofing attack; and, if the ARP spoofing attack is detected, deletes the execution file or prevents its process from running, thereby dealing with the ARP spoofing attack.
However, the above-described conventional method examines one by one whether an execution file including malware is present or running whenever it is suspected that an ARP spoofing attack has been made, which is inefficient and incurs a long working time and high cost.
Furthermore, because the names of the execution files and the malware itself are continuously changing and evolving, the conventional method cannot permanently cope with ARP spoofing attacks.
Therefore, a new technique for rapidly and actively dealing with ARP spoofing attacks is urgently demanded in light of the problems of the above-described conventional method.
In view of the above, the present invention provides a method of detecting an ARP spoofing attack using ARP locking and a computer-readable recording medium storing a program for executing the method.
In accordance with a first aspect of the present invention, there is provided a method of detecting Address Resolution Protocol (ARP) spoofing attack, including:
in response to a command to collect ARP information from a server, transmitting collected ARP responses;
receiving address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack, wherein the address information of the candidate senders is determined by analysis of address information of the senders sending the ARP responses;
comparing address information of an ARP cache with the address information of the candidate senders;
initializing the address information of the ARP cache if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache;
comparing address information of a sender sending an ARP response in a received inbound packet with the address information of the candidate senders; and
if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packets.
In accordance with a second aspect of the present invention, there is provided a method of detecting Address Resolution Protocol (ARP) spoofing attack, including:
receiving address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of senders that desire to protect against the ARP spoofing attack from a server;
comparing address information of an ARP cache with the address information of the candidate senders;
if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, initializing the address information of the ARP cache;
comparing the address information of a sender sending an ARP response in a received inbound packet with the address information of the candidate senders; and
if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
In accordance with a third aspect of the present invention, there is provided a method of detecting Address Resolution Protocol (ARP) spoofing attack, including:
receiving address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack, together with a command to detect the ARP spoofing attack, from a server;
comparing address information of a sender sending an ARP response in a received outbound packet with the address information of the candidate senders; and
if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack, and extracting information about a process sending the ARP response to transmit the extracted information about the process to the server.
In accordance with a fourth aspect of the present invention, there is provided a method of detecting Address Resolution Protocol (ARP) spoofing attacks, including:
broadcasting an ARP request over a network in response to a command to collect ARP information of senders;
collecting ARP responses to the ARP request for a preset time period;
analyzing the collected ARP responses to determine address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack;
comparing address information of an ARP cache with the address information of the candidate senders;
if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, initializing the address information of the ARP cache;
comparing address information of a sender sending an ARP response of a received inbound packet with the address information of the candidate senders; and
if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
In accordance with a fifth aspect of the present invention, there is provided a method of detecting Address Resolution Protocol (ARP) spoofing attack, including:
when address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack is entered via a user interface, comparing address information of an ARP cache with the address information of the candidate senders;
if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, initializing the address information of the ARP cache;
comparing address information of a sender sending an ARP response in a received inbound packet with the address information of the candidate senders; and
if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
The above and other objects and features of the present invention will become apparent from the following description of embodiments given in conjunction with the accompanying drawings, in which:
Fig. 1 is a block diagram illustrating a system for detecting an Address Resolution Protocol (ARP) spoofing attack using ARP locking to which embodiments of the present invention are applied;
Fig. 2 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with a first embodiment of the present invention;
Fig. 3 is a flowchart illustrating the detailed process of step 218 illustrated in Fig. 2;
Fig. 4 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with a second embodiment of the present invention;
Fig. 5 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with a third embodiment of the present invention;
Fig. 6 is a block diagram illustrating the configuration of a standalone apparatus for detecting an ARP spoofing attack using ARP locking to which embodiments of the present invention are applied;
Fig. 7 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with the fourth embodiment of the present invention; and
Fig. 8 is a flowchart illustrating the process of detecting and blocking an ARP spoofing attack using ARP locking in accordance with the fifth embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that they can be readily implemented by those skilled in the art.
Fig. 1 is a block diagram illustrating a system for detecting an Address Resolution Protocol (ARP) spoofing attack using ARP locking to which embodiments of the present invention are applied.
The system for detecting an ARP spoofing attack includes a server 110 having a database 112 and a plurality of agent Personal Computers (PCs) 130 connected to the server 110 over a network 120.
The term "ARP locking" used herein refers to a service enabling an agent PC to preemptively defend against an ARP spoofing attack and to remedy an ARP spoofing attack even after the agent PC has been subjected to it.
Each of the agent PCs 130 serves to detect the ARP spoofing attack and includes an agent service module 132, a network engine module 134, a network filter driver 136 and ARP cache 138.
The server 110 manages the agent PCs 130 physically connected over the network 120. In accordance with a first embodiment of the present invention, the server 110 transmits a command to collect ARP information to the agent PCs 130 over the network 120, analyzes the ARP responses collected from the individual agent PCs 130 to determine the senders within the network 120 that are to be protected from the ARP spoofing attack or to which access is allowable, and transmits address information, including IP and MAC addresses, of these candidate senders to the individual agent PCs 130. Herein, an ARP response may contain source and destination IP and MAC addresses, a response time (in milliseconds), an agent ID, etc. The ARP responses and the address information of the candidate senders are stored in the database 112.
In the case where there is no spoofing attack, a single ARP response arrives in response to an ARP request. Therefore, when only one ARP response has been received via one agent PC 130, the server 110 takes the address information of the sender sending that ARP response as one of the address information of the candidate senders. However, when two or more of the same ARP responses are received in response to one ARP request, the server 110 recognizes from them that an ARP spoofing attack has occurred and does not use the address information of the senders sending those ARP responses as the address information of the candidate senders. Further, when one first ARP response has been received from an agent PC and two or more second ARP responses having the same address information as that of the first ARP response have been received from other agent PCs within a specific time period, the server 110 likewise does not use the address information of the sender sending the first ARP response as the address information of the candidate senders.
Furthermore, when one ARP response has arrived from one agent PC for each ARP request but the ARP responses from that agent PC do not all have the same address information, the server 110 selects the ARP response that arrived first from the agent PC and uses the address information of its sender as one of the address information of the candidate senders. The reason is that ARP responses from a gateway arrive quickly within the specific time period, while ARP responses from an ARP spoofing attacker arrive later than the ARP response from the gateway, because the ARP spoofing attacker must send ARP responses to all target agent PCs.
Furthermore, in accordance with the second embodiment of the present invention, the address information of the candidate senders to be protected from an ARP spoofing attack may be directly entered into the server 110 via a user interface, and the server 110 transmits the address information of the candidate senders to the individual agent PCs 130 over the network 120. Further, the server 110, in accordance with a third embodiment of the present invention, transmits the address information of the candidate senders, entered via the user interface, together with a command to detect ARP spoofing attacks, to the individual agent PCs 130 over the network 120. In addition, when it receives information about a process (for example, an ID and name of the process, information about the agent PC, etc.), the server 110 may, depending on a predetermined option, terminate that process, which is executed on an agent PC transmitting an ARP response that was determined to be related to an ARP spoofing attack, and then block the execution of the process on other agent PCs.
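The server-side candidate selection rules from the two preceding paragraphs (one reply per request is trusted; two or more replies to one request mark the IP as spoofed; when an agent's single replies disagree across collection rounds, the earliest-arriving one wins) as an added example, not the patent's or Ahnlab's code. The `round_no` field, the cross-agent exclusion of an IP that another agent saw multiple replies for, and merging the agents' choices by earliest arrival are this example's assumptions; all responses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CollectedArpResponse:
    """One ARP response as reported to the server by an agent PC (constructed model).

    The page lists source/destination addresses, a response time in milliseconds
    and an agent ID. round_no (which repeated collection round the request belonged
    to) is an assumption added so that replies to different requests can be told apart.
    """
    agent_id: str
    round_no: int
    sender_ip: str        # the IP the responder claims to own
    sender_mac: str
    response_time_ms: int


def select_candidates(responses: List[CollectedArpResponse]) -> Tuple[Dict[str, str], Set[str]]:
    """Return (candidate address information as ip -> mac, IPs rejected as suspected spoofed)."""
    # Group replies by agent, claimed IP and request round.
    per_request = defaultdict(list)
    for r in responses:
        per_request[(r.agent_id, r.sender_ip, r.round_no)].append(r)

    suspected: Set[str] = set()
    singles = defaultdict(list)   # (agent, ip) -> the single reply of each round
    for (agent, ip, _round), group in per_request.items():
        if len(group) >= 2:
            # Two or more replies to one request: treated as spoofing, none of
            # these senders is used as a candidate.
            suspected.add(ip)
        else:
            singles[(agent, ip)].append(group[0])

    chosen_per_ip = defaultdict(list)
    for (agent, ip), replies in singles.items():
        if ip in suspected:
            # Another agent saw multiple replies for this IP, so this agent's single
            # reply is not used either (this example's reading of the cross-agent rule).
            continue
        macs = {r.sender_mac.lower() for r in replies}
        if len(macs) == 1:
            chosen = replies[0]   # one consistent reply per request: use it
        else:
            # Replies disagree across rounds: take the first-arrived one, since the
            # gateway answers faster than an attacker who must answer every target.
            chosen = min(replies, key=lambda r: r.response_time_ms)
        chosen_per_ip[ip].append(chosen)

    # Reconciling agents by earliest arrival is an assumption; the page does not say
    # how the server merges agents that chose differently.
    candidates = {ip: min(cs, key=lambda r: r.response_time_ms).sender_mac.lower()
                  for ip, cs in chosen_per_ip.items()}
    return candidates, suspected


# Constructed sample collection from two agents over two rounds (documentation addresses).
GW_MAC, ATTACKER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:ff"
SAMPLE_RESPONSES = [
    # Gateway 192.0.2.1: agent a1 got the gateway in round 1 and a forged reply in round 2.
    CollectedArpResponse("a1", 1, "192.0.2.1", GW_MAC, 2),
    CollectedArpResponse("a1", 2, "192.0.2.1", ATTACKER_MAC, 45),
    # Agent a2 got the gateway in both rounds.
    CollectedArpResponse("a2", 1, "192.0.2.1", GW_MAC, 3),
    CollectedArpResponse("a2", 2, "192.0.2.1", GW_MAC, 3),
    # Printer 192.0.2.20: one consistent reply at each agent.
    CollectedArpResponse("a1", 1, "192.0.2.20", "00:00:5e:00:53:20", 5),
    CollectedArpResponse("a2", 1, "192.0.2.20", "00:00:5E:00:53:20", 6),
    # Host 192.0.2.30: agent a1 got two replies to one request, agent a2 only one.
    CollectedArpResponse("a1", 1, "192.0.2.30", "00:00:5e:00:53:30", 4),
    CollectedArpResponse("a1", 1, "192.0.2.30", ATTACKER_MAC, 50),
    CollectedArpResponse("a2", 1, "192.0.2.30", "00:00:5e:00:53:30", 4),
]

if __name__ == "__main__":
    cands, bad = select_candidates(SAMPLE_RESPONSES)
    print("candidates:", cands)
    print("suspected spoofed IPs:", bad)
```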
Meanwhile, the ARP cache 138 of the agent PC 130 is a table that stores IP and MAC addresses for a sender sending the ARP response.
The agent service module 132 of the agent PC 130 performs data communication with the server 110 over the network 120. In accordance with the first embodiment of the present invention, the agent service module 132 transfers the command to collect ARP information, received from the server 110, to the network engine module 134, and transmits the collected ARP responses, transferred by the network engine module 134, to the server 110 over the network 120.
Further, the agent service module 132, in accordance with the second embodiment of the present invention, transfers the address information of the candidate senders, received from the server 110, to the network engine module 134. Furthermore, the agent service module 132 transfers the address information of the candidate senders received from the server 110, together with the command to detect ARP spoofing attacks, to the network engine module 134. In addition, in accordance with the third embodiment of the present invention, the agent service module 132 transmits information about a process, transmitting the ARP response that was determined to be related to an ARP spoofing attack, to the server 110 over the network 120.
The network engine module 134, in accordance with the first embodiment of the present invention, when the ARP information collection command is received via the agent service module 132, transmits an ARP request for collecting ARP information over the network 120, collects ARP responses arriving for a specific time period and transfers the collected ARP responses to the agent service module 132. Further, the network engine module 134, when the address information of the candidate senders is received via the agent service module 132, detects ARP spoofing attacks by performing comparison of the address information of the candidate senders, address information of an ARP cache 138, and address information of a sender transmitting the ARP response in a received inbound packet. More specifically, the network engine module 134 compares the address information of the ARP cache with the address information of the candidate senders; initializes the address information of the ARP cache if the IP address of the ARP cache is consistent with any one of the candidate IP addresses of senders and a MAC address of the ARP cache is not consistent with the candidate MAC address of the sender of which IP address is consistent with that of the ARP cache; compares the IP and MAC addresses of a sender sending the ARP response with the candidate IP and MAC addresses of senders; and then transfers a command to block the inbound packet to the network filter driver 136 in case where an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a candidate MAC address of the sender of which IP address is consistent with that of the sender sending the ARP response.
The collection of the ARP responses performed by the network engine module 134 may be performed several times (for example, three or four times). The ARP responses collected over the several times are then transmitted to the server 110 via the agent service module 132.
Furthermore, in accordance with the second embodiment of the present invention, the network engine module 134, when the address information of the candidate senders is received via the agent service module 132, detects an ARP spoofing attack by performing comparison of the address information of the ARP cache, the address information of candidate senders, and the address information of the sender sending the ARP response in the received inbound packet. More specifically, the network engine module 134 compares the address information of the ARP cache with the address information of candidate senders, and initializes the address information of the ARP cache if an IP address of the ARP cache is consistent with any one of the candidate IP addresses of senders and a MAC address of the ARP cache is not consistent with a candidate MAC address of the sender whose IP address is consistent with that of the ARP cache, thereby remedying the ARP cache from an ARP spoofing attack. Furthermore, the network engine module 134 compares the IP address and MAC address of the sender sending the ARP response in the inbound packet, transferred by the network filter driver 136, with the candidate IP and MAC addresses of senders, and then transfers a command to block the inbound packet to the network filter driver 136 if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and the MAC address of the sender sending the ARP response is not consistent with a candidate MAC address of the sender whose IP address is consistent with that of the sender sending the ARP response.
Furthermore, in accordance with the third embodiment of the present invention, the network engine module 134, when the address information of candidate senders is received via the agent service module 132 along with a command to detect an ARP spoofing attack, compares the IP and MAC addresses of the sender sending the ARP response in an outbound packet transferred by the network filter driver 136 with the candidate IP and MAC addresses of senders; detects that there is an ARP spoofing attack if the IP address of the sender sending the ARP response is consistent with any one of the candidate IP addresses of senders and the MAC address of the sender sending the ARP response is not consistent with a candidate MAC address of the sender whose IP address is consistent with that of the sender sending the ARP response; extracts information about a process (for example, an ID of the process, a name of the process, information about an agent PC on which the process is executed, etc.) transmitting the ARP response; transmits the process information to the agent service module 132; and transfers a command to filter the inbound packet to the network filter driver 136.
Thereafter, in accordance with the first and second embodiments of the present invention, the network filter driver 136 transfers the ARP response contained in an inbound packet to the network engine module 134, and blocks the inbound packet when the packet filtering command in accordance with the result of the comparison between the address information of the sender sending the ARP response and the address information of candidate senders is transferred by the network engine module 134. Further, in accordance with the third embodiment of the present invention, the network filter driver 136 transfers the ARP response in an outbound packet to the network engine module 134, and blocks the outbound packet when the packet filtering command in accordance with the result of the comparison between the address information of the sender sending the ARP response in the outbound packet and the address information of candidate senders is transferred by the network engine module 134.
Meanwhile, although in the present embodiments, only a single agent PC capable of gaining access over the network is illustrated in Fig. 1 for ease of description and clarity of understanding, the present invention is not limited thereto. It is apparent to those skilled in the art that a plurality of agent PCs can access the server 110 over the network 120 and be provided with the ARP spoofing attack detection that is provided in accordance with the present invention.
Hereinafter, the process of detecting an ARP spoofing attack using ARP locking in accordance with first to third embodiments of the present invention having the above-described configuration will be described in detail.
Fig. 2 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the first embodiment of the present invention.
Referring to Fig. 2, in step 202, the server 110 is in standby mode or execution mode. If, in standby mode or execution mode, in order to execute the ARP locking, a function to automatically collect ARP information is turned on in step 204, the server 110 generates a command to collect ARP information and transfers the ARP information collection command to the agent service module 132 in the respective agent PCs 130 over the network 120 in step 206.
Next, in step 208, the agent service module 132 delivers the ARP information collection command to the network engine module 134, and the network engine module 134 broadcasts an ARP request for collecting ARP information over the network 120 and waits to receive an ARP response from each agent PC 130.
Thereafter, in step 210, the network engine module 134 collects ARP responses arriving from the respective agent PCs 130 for a specific time period and transfers the collected ARP responses to the agent service module 132. In step 212, the agent service module 132 then transmits the collected ARP responses to the server 110 over the network 120.
Subsequently, in step 214, the server 110 analyzes the ARP responses collected from the respective agent PCs to determine senders that desire to protect against the ARP spoofing attack or to which an access is allowable. The ARP responses and address information, including IP and MAC addresses, of the candidate senders are stored in the database 112. In step 216, the address information of the candidate senders is then transmitted to each agent PC 130 over the network 120.
Thereafter, in step 218, the agent PC 130 detects an ARP spoofing attack using the address information of the candidate senders provided by the server 110, which will be described in detail with reference to Fig. 3.
Fig. 3 is a flowchart illustrating the detailed process of step 218 of detecting an ARP spoofing attack illustrated in Fig. 2.
First of all, in step 302, when the address information of the candidate senders is received from the server 110, the agent service module 132 delivers the received address information of the candidate senders to the network engine module 134 for the registration thereof.
In step 304, the network engine module 134 checks whether the IP and MAC addresses of an ARP cache 138 in the agent PC 130 are consistent with the candidate IP and MAC addresses of the senders by comparing them with each other. If, as a result of the checking at step 304, it is checked that the IP address of the ARP cache 138 is consistent with any one of the IP addresses of the candidate senders and the MAC address of the ARP cache is not consistent with the MAC address of the candidate sender whose IP address is consistent with that of the ARP cache 138, the network engine module 134 determines that there is an ARP spoofing attack and initializes the address information of the ARP cache in step 306.
Meanwhile, the network filter driver 136 transfers an inbound packet, received over the network 120, to the network engine module 134 in step 308, and the network engine module 134 checks whether the inbound packet is an ARP response in step 310. If, as a result of the checking in step 310, it is checked that the inbound packet is an ARP response, the process goes to step 312.
In step 312, it is checked whether the IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders by comparing them with each other.
If, as a result of the checking in step 312, it is checked that the IP address of the sender sending the ARP response is not consistent with all the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 308 of receiving an inbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, the process advances to step 314.
In step 314, it is checked whether the MAC address of the sender sending the ARP response is consistent with the candidate MAC address of the sender of which IP address is consistent with that of the sender sending the ARP response. If, as a result of the checking in step 314, the MAC address of the sender sending the ARP response is consistent with a candidate MAC address of the sender, it is determined that there is no ARP spoofing attack and the process returns to step 308 of receiving another inbound packet. However, if the MAC address of the sender sending the ARP response is not consistent with the candidate MAC address of the sender, the network engine module 134 determines that there is an ARP spoofing attack, and provides a command to filter the inbound packet to the network filter driver 136.
Accordingly, in step 316, the network filter driver 136 blocks the inbound packet in accordance with the packet filtering command transferred by the network engine module 134, thereby blocking a malicious ARP spoofing attack. The detection and blocking of such ARP spoofing attacks continues, using the candidate IP and MAC addresses of the senders, while the ARP responses of inbound packets are being received.
Although the present embodiment has been described and shown such that a comparison is first made between the IP address of the sender sending the ARP response and the IP addresses of the candidate senders, and the MAC addresses thereof are then checked for consistency if the IP addresses are consistent with each other, this is merely an example that is presented for ease of description and clarity of understanding, and the present invention is not necessarily limited thereto. It is apparent to those skilled in the art that it may be possible to first compare the MAC address of the sender sending the ARP response with the MAC addresses of the candidate senders and then check whether the IP addresses thereof are consistent with each other if the MAC addresses thereof are not consistent with each other. Alternatively, it may be possible to compare IP addresses with each other and MAC addresses with each other at the same time.
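As an added illustration, and not code from the patent or its applicant, the following Python models the Fig. 3 decisions on an agent PC: the ARP cache check of steps 304 to 306 and the inbound ARP response check of steps 310 to 316. The Ethernet/ARP frame parser, the layout of the candidate table (candidate IP mapped to its locked MAC) and every address below are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# "ARP locking" table distributed by the server (steps 214-216): candidate IP -> locked MAC.
# The dict layout is an assumption of this example, not the patent's storage format.
Candidates = Dict[str, str]


@dataclass(frozen=True)
class ArpInfo:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpInfo]:
    """Step 310: decode an Ethernet II frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return ArpInfo(oper, _mac_str(body[0:6]), _ip_str(body[6:10]),
                   _mac_str(body[10:16]), _ip_str(body[16:20]))


def verdict(sender_ip: str, sender_mac: str, candidates: Candidates) -> str:
    """Steps 312-314: 'pass' unless a candidate IP is claimed with a MAC other than its locked one."""
    locked = candidates.get(sender_ip)
    if locked is None:
        return "pass"            # step 312: not a protected sender, nothing to lock
    if locked.lower() == sender_mac.lower():
        return "pass"            # step 314: MAC consistent with the locked entry, genuine reply
    return "block"               # step 316: the filter driver drops the packet


def inspect_inbound(frame: bytes, candidates: Candidates) -> str:
    """Decision the network engine hands back to the filter driver for one inbound frame."""
    info = parse_arp_frame(frame)
    if info is None or info.opcode != ARP_REPLY:
        return "pass"            # only ARP responses are subject to locking
    return verdict(info.sender_ip, info.sender_mac, candidates)


def remediate_cache(cache: Dict[str, str], candidates: Candidates) -> List[str]:
    """Steps 304-306: initialise cache entries that hold a foreign MAC for a candidate IP.

    Returns the IPs that were removed so the caller can record the detection."""
    poisoned = [ip for ip, mac in cache.items() if verdict(ip, mac, candidates) == "block"]
    for ip in poisoned:
        del cache[ip]
    return poisoned


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed test frame (Ethernet II + ARP reply); not captured traffic."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(octet) for octet in s.split("."))

    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)


# Constructed sample data: the gateway is the only candidate sender locked by the server.
SAMPLE_CANDIDATES: Candidates = {"192.168.0.1": "00:11:22:33:44:55"}
AGENT_MAC, AGENT_IP = "aa:bb:cc:dd:ee:01", "192.168.0.20"
GENUINE_REPLY = build_arp_reply("00:11:22:33:44:55", "192.168.0.1", AGENT_MAC, AGENT_IP)
FORGED_REPLY = build_arp_reply("de:ad:be:ef:00:01", "192.168.0.1", AGENT_MAC, AGENT_IP)
UNLOCKED_REPLY = build_arp_reply("de:ad:be:ef:00:01", "192.168.0.9", AGENT_MAC, AGENT_IP)


if __name__ == "__main__":
    # Cache already poisoned for the gateway; the unlocked host is left alone.
    cache = {"192.168.0.1": "de:ad:be:ef:00:01", "192.168.0.9": "de:ad:be:ef:00:01"}
    print("cache entries initialised:", remediate_cache(cache, SAMPLE_CANDIDATES))
    for name, frame in (("genuine", GENUINE_REPLY), ("forged", FORGED_REPLY),
                        ("unlocked", UNLOCKED_REPLY)):
        print(f"{name:8s} -> {inspect_inbound(frame, SAMPLE_CANDIDATES)}")
```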
Fig. 4 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the second embodiment of the present invention.
Referring to Fig. 4, first, in step 402, an administrator or a user directly enters address information, including IP and MAC addresses, of candidate senders that desire to protect against an ARP spoofing attack or to which an access is allowable, into the server 110 via a user interface. Then the server 110 transmits the candidate address information for senders to the individual agent PCs 130 over the network 120 in step 404.
Thereafter, in step 406, the agent service module 132 of the agent PC 130 delivers the address information of the candidate senders to the network engine module 134, and the network engine module 134 then checks whether the address information of an ARP cache 138 in the agent PC 130 is consistent with the address information of the candidate senders by comparing them with each other.
If, as a result of the checking in step 406, an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with the MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, the network engine module 134 determines that there is an ARP spoofing attack and initializes the address information of the ARP cache in step 408.
Meanwhile, the network filter driver 136 transfers an inbound packet, received over the network 120, to the network engine module 134 in step 410, and the network engine module 134 checks whether the transferred inbound packet is an ARP response in step 412. If, as a result of the checking in step 412, it is checked that the inbound packet is an ARP response, the process goes to step 414.
In step 414, the network engine module 134 checks whether the IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders.
If, as a result of the checking in step 414, it is checked that the IP address of the sender sending the ARP response is not consistent with all the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 410 of receiving another inbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, it is checked whether the MAC address of the sender sending the ARP response is consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response in step 416.
If, as a result of the checking in step 416, the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender, it is determined that there is no ARP spoofing attack and the process returns to step 410 of receiving another inbound packet. If, however, the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender, the network engine module 134 determines that there occurs an ARP spoofing attack and transfers a command to block the inbound packet to the network filter driver 136.
Thus, the network filter driver 136 blocks the inbound packet for ARP spoofing in compliance with the packet filtering command transferred by the network engine module 134 in step 418, thereby blocking the malicious ARP spoofing attack. The detection and blocking of such ARP spoofing packets is continuously performed using the IP and MAC addresses of the candidate senders while the ARP responses of inbound packets are being received.
Fig. 5 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the third embodiment of the present invention.
Referring to Fig. 5, first, in step 502, an administrator executes the ARP locking by initiating a function to automatically collect address information, including IP and MAC addresses, of candidate senders that desire to protect against an ARP spoofing attack or directly entering the address information of the candidate senders. In step 504, the server 110 then generates a command to detect an ARP spoofing attack and transmits the ARP spoofing attack detection command, together with the address information of the candidate senders, to the agent PC 130 over the network 120. The address information of the candidate senders is then provided to the agent service module 132 and in turn, to the network engine module 134 along with the ARP spoofing attack detection command.
Meanwhile, the network filter driver 136 transfers an outbound packet, to be sent over the network 120, to the network engine module 134 in step 506, and the network engine module 134 checks whether the outbound packet is an ARP response in step 508. Thereafter, if it is checked that the outbound packet is an ARP response, the network engine module 134 checks whether the IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders in step 510.
If, as a result of the checking in step 510, it is checked that the IP address of the sender sending the ARP response is not consistent with all the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 506 of receiving another outbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, the process goes to step 511.
In step 511, it is checked whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response. If, as a result of the checking in step 511, the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response, the network engine module 134 determines that there is an ARP spoofing attack, extracts information about the process that transmits the outbound packet, for example, an ID of the process, a name of the process, information about the agent PC on which the process is executed, etc., and transfers the process information to the agent service module 132 in step 512.
At the above step, the IP address of an ARP cache need not be the same as any one of the IP addresses of the candidate senders. For example, assuming that one of the IP addresses of the candidate senders is the IP address of a mail server and the agent PC is itself that mail server, a situation occurs in which the IP address of the sender sending the ARP response is the same as that of the mail server, which is one of the IP addresses of the candidate senders, and this would cause the ARP response to be erroneously blocked.
Thereafter, in step 514, the agent service module 132 transmits the process information to the server 110, and the server 110 deals with the ARP spoofing attack in such a way as to terminate the process based on a predetermined option and to keep other agent PCs from executing the process.
Further, in step 516, the network engine module 134, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, provides a command to block the outbound packet to the network filter driver 136, so that the network filter driver 136 blocks the outbound packet in accordance with the packet filtering command, thereby blocking the malicious ARP spoofing attack. The detection and blocking of ARP spoofing packets is continuously performed using the IP addresses of the candidate senders while the ARP responses of inbound packets are being received.
Meanwhile, although the present embodiment has been described and shown as first extracting the process information of an ARP response in an outbound packet and then blocking the outbound packet if it is determined that there is an ARP spoofing attack, this is merely an example which is presented for ease of description and clarity of understanding, and the present invention is not necessarily limited thereto. It is apparent to those skilled in the art that the sequence of these steps may be changed or that they may be performed at the same time.
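An added example, again not the applicant's code, of the outbound path of Fig. 5 (steps 508 to 516): the engine attributes a forged outbound reply to a local process and the server turns the report into a kill order plus a deny list for the other agent PCs. The per-frame process ID tag from the filter driver, the process table, the deny-list mechanism and all addresses are assumptions; the agent's own legitimate reply passes the step 511 MAC comparison because its MAC equals the locked one, which covers the mail-server case described above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Candidates = Dict[str, str]   # candidate IP -> locked MAC, as distributed in step 504 (assumed layout)


@dataclass(frozen=True)
class ProcessInfo:
    """Step 512: what the engine extracts about the process behind a forged outbound reply."""
    pid: int
    name: str
    host: str                 # the agent PC on which the process is executed


@dataclass(frozen=True)
class OutboundArpReply:
    sender_ip: str
    sender_mac: str
    origin_pid: int           # hypothetical: the filter driver tags each outbound frame with its PID


@dataclass(frozen=True)
class Detection:
    sender_ip: str
    sender_mac: str
    locked_mac: str
    process: Optional[ProcessInfo]


class AgentEngine:
    """Network engine module on one agent PC, outbound path (steps 508-516)."""

    def __init__(self, host: str, candidates: Candidates, process_table: Dict[int, str]) -> None:
        self.host = host
        self.candidates = candidates
        self.process_table = process_table   # pid -> process name (hypothetical OS lookup)
        self.detections: List[Detection] = []

    def inspect_outbound(self, reply: OutboundArpReply) -> str:
        locked = self.candidates.get(reply.sender_ip)
        if locked is None:
            return "pass"                    # step 510: not a candidate IP
        if locked.lower() == reply.sender_mac.lower():
            # step 511: the locked MAC is ours, so this agent really is that sender
            # (the mail-server case in the text) and its reply must not be blocked.
            return "pass"
        name = self.process_table.get(reply.origin_pid)
        proc = ProcessInfo(reply.origin_pid, name, self.host) if name else None
        self.detections.append(Detection(reply.sender_ip, reply.sender_mac, locked, proc))
        return "block"                       # step 516: the filter driver drops the frame


class Server:
    """Step 514: receives process reports, terminates per option, keeps other agents from running it."""

    def __init__(self, terminate_on_report: bool = True) -> None:
        self.terminate_on_report = terminate_on_report   # the "predetermined option"
        self.kill_orders: List[ProcessInfo] = []
        self.denied_process_names: Set[str] = set()

    def report(self, detection: Detection) -> None:
        if detection.process is None:
            return                           # nothing to act on without attribution
        self.denied_process_names.add(detection.process.name)
        if self.terminate_on_report:
            self.kill_orders.append(detection.process)

    def may_execute(self, process_name: str) -> bool:
        """Policy answer handed to every agent PC before it launches a process."""
        return process_name not in self.denied_process_names


# Constructed sample: the mail server 10.0.0.5 and gateway 10.0.0.1 are candidates;
# agent MAIL01 is the mail server itself, so its own replies carry the locked MAC.
SAMPLE_CANDIDATES: Candidates = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.1": "00:11:22:33:44:01"}
SAMPLE_PROCESSES = {4: "System", 4242: "fakearp.exe"}   # pid -> name, constructed


def run_scenario(terminate_on_report: bool = True):
    """Drive one agent and the server through a legitimate and a forged outbound reply."""
    server = Server(terminate_on_report)
    agent = AgentEngine("MAIL01", SAMPLE_CANDIDATES, SAMPLE_PROCESSES)
    # Legitimate: the OS answers for the mail server's own address with its own MAC.
    own = agent.inspect_outbound(OutboundArpReply("10.0.0.5", "00:11:22:33:44:55", 4))
    # Forged: a user process claims the gateway's IP with this host's MAC.
    forged = agent.inspect_outbound(OutboundArpReply("10.0.0.1", "00:11:22:33:44:55", 4242))
    for det in agent.detections:
        server.report(det)
    return own, forged, agent.detections, server


if __name__ == "__main__":
    own, forged, detections, server = run_scenario()
    print("own reply:", own, "| forged reply:", forged)
    for det in detections:
        print("detected", det)
    print("kill orders:", server.kill_orders)
    print("may other agents run fakearp.exe?", server.may_execute("fakearp.exe"))
```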
Fig. 6 is a block diagram illustrating the configuration of a standalone apparatus for detecting an ARP spoofing attack using ARP locking to which embodiments of the present invention are applied.
As shown in Fig. 6, an apparatus 610 for detecting an ARP spoofing attack includes an agent service module 612, a network engine module 614, a network filter driver 616 and an ARP cache 618.
Referring to Fig. 6, in accordance with a fourth embodiment of the present invention, the agent service module 612, when a command to detect an ARP spoofing attack is inputted via a user interface, generates a command to collect ARP information and transfers the command to the network engine module 614. Further, the agent service module 612 analyzes address information of ARP responses collected by the network engine module 614 to determine senders that desire to protect against an ARP spoofing attack or to which an access is allowable, and transfers address information, including IP and MAC addresses, of the candidate senders together with a command to detect the ARP spoofing attack, to the network engine module 614. In this case, the determination of the address information of the candidate senders is performed in the same manner as in the above-described first embodiment, and the ARP responses and the address information of the candidate senders may be registered in a database or storage (not shown) of the apparatus 610.
Furthermore, in accordance with a fifth embodiment of the present invention, the agent service module 612 transfers the address information of the candidate senders, directly entered via a user interface, together with a command to detect the ARP spoofing attack, to the network engine module 614.
Thereafter, in accordance with the fourth embodiment of the present invention, the network engine module 614, when a command to collect ARP information is provided from the agent service module 612, transmits an ARP request for collecting ARP information over the network 620, collects ARP responses in an inbound packet arriving for a specific time period, determines address information, including IP and MAC addresses, of candidate senders by analyzing address information of the collected ARP responses, initializes an ARP cache 618 if an IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache 618 is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache 618. Further, the network engine module 614 compares the IP and MAC addresses of a sender sending the ARP response in an inbound packet, transferred by the network filter driver 616, with the IP and MAC addresses of the candidate senders, and then transfers a command to block the inbound packets to the network filter driver 616 if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders but the MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response.
Furthermore, in accordance with a fifth embodiment of the present invention, the network engine module 614 compares the address information of an ARP cache 618 with the address information of the candidate senders, initializes the address information of the ARP cache 618 if an IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache 618 is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache 618, and transfers a command to block the inbound packet to the network filter driver 616 if the IP address of a sender sending the ARP response in an inbound packet is consistent with any one of the IP addresses of the candidate senders and the MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response.
Furthermore, in accordance with the fourth and fifth embodiments of the present invention, the network filter driver 616 transfers the ARP response in the inbound packet, received over the network 620, to the network engine module 614, and blocks the inbound packet when the packet blocking command is transferred by the network engine module 614 in accordance with the result of the comparison between the IP and MAC addresses of the sender sending an ARP response in an inbound packet and the IP and MAC addresses of the candidate senders.
Hereinafter, the process of detecting an ARP spoofing attack using ARP locking performed by the apparatus 610 having the above-described configuration will be described in detail.
Fig. 7 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the fourth embodiment of the present invention.
Referring to Fig. 7, in step 702, when a command to detect an ARP spoofing attack is entered via a user interface, the agent service module 612 generates a command to collect ARP information and transfers the command to the network engine module 614. Thereafter, the network engine module 614 transmits an ARP request for collecting ARP information over the network in step 704, collects ARP responses arriving for a specific time period, and transfers the collected ARP responses to the agent service module 612 in step 706.
In step 708, the agent service module 612 analyzes address information of the collected ARP responses provided by the network engine module 614 to determine address information, including IP and MAC addresses, of candidate senders that desire to protect against the ARP spoofing attack or to which an access is allowable. The determination of the address information of the candidate senders is performed in the same manner as in the first embodiment.
Thereafter, in step 710, the address information of the candidate senders is transferred to the network engine module 614 along with the ARP spoofing attack detection command, and the network engine module 614 checks whether the IP and MAC addresses of the ARP cache 618 are consistent with the IP and MAC addresses of the candidate senders in step 710.
If, as a result of the checking in step 710, it is checked that the IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders and the MAC address of the ARP cache 618 is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache 618, the network engine module 614 determines that there is an ARP spoofing attack and then initializes the ARP cache 618 in step 712.
Meanwhile, the network filter driver 616 transfers an inbound packet, received over the network 620, to the network engine module 614 in step 714, and the network engine module 614 checks whether the inbound packet is an ARP response in step 716. Subsequently, if it is determined that the inbound packet is an ARP response, the network engine module 614 determines whether the IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders in step 718.
If, as a result of the checking in step 718, it is determined that the IP address of the sender sending the ARP response is not consistent with any of the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 714 of receiving another inbound packet. However, if the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, it is determined whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response in step 720.
If, as a result of the checking in step 720, it is determined that the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender, it is determined that there is no ARP spoofing attack, and the process returns to step 714 of receiving another inbound packet. However, if the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender, the network engine module 614 determines that there occurs the ARP spoofing attack, and transfers a command to block the inbound packet to the network filter driver 616.
As a result, in step 722, the network filter driver 616 blocks the inbound packet in compliance with the packet filtering command transferred by the network engine module 614, thereby blocking a malicious ARP spoofing attack. The detection and blocking of ARP spoofing packets is continuously performed while the ARP responses of inbound packets are being received.
Fig. 8 is a flowchart illustrating the process of detecting an ARP spoofing attack using ARP locking in accordance with the fifth embodiment of the present invention.
Referring to Fig. 8, in step 802, address information, including IP and MAC addresses, of candidate senders that desire to protect against an ARP spoofing attack is directly inputted via a user interface. The agent service module 612 then transfers the address information of the candidate senders, together with a command to detect the ARP spoofing attack, to the network engine module 614.
In step 804, the network engine module 614 checks whether address information of the ARP cache 618 is consistent with the address information of the candidate senders transferred by the agent service module 612.
If, as a result of the checking in step 804, it is checked that the IP address of the ARP cache 618 is consistent with any one of the IP addresses of the candidate senders and the MAC address of the ARP cache is not consistent with a MAC address of the candidate sender of which IP address is consistent with that of the ARP cache 618, the network engine module 614 determines that there occurs an ARP spoofing attack and initializes the ARP cache 618 in step 806.
Meanwhile, the network filter driver 616 transfers an inbound packet, received over the network 620, to the network engine module 614 in step 808, and the network engine module 614 then checks whether the inbound packet is an ARP response in step 810. If it is checked that the inbound packet is an ARP response, the network engine module 614 checks whether the IP address of a sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders in step 812.
If, as a result of the checking in step 812, it is checked that the IP address of the sender sending the ARP response is not consistent with all the IP addresses of the candidate senders, it is determined that there is no ARP spoofing attack and the process returns to step 808 of receiving another inbound packet. If, however, the IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders, it is checked whether the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender of which IP address is consistent with that of the sender sending the ARP response in step 814.
If, as a result of the checking in step 814, it is checked that the MAC address of the sender sending the ARP response is consistent with the MAC address of the candidate sender whose IP address is consistent with that of the sender sending the ARP response, it is determined that there is no ARP spoofing attack and the process returns to step 808 of receiving another inbound packet. However, if the MAC address of the sender sending the ARP response is not consistent with the MAC address of the candidate sender, the network engine module 614 determines that there occurs an ARP spoofing attack and transfers a command to filter the inbound packet to the network filter driver 616.
Accordingly, in step 816, the network filter driver 616 blocks the inbound packet in compliance with the packet filtering command transferred by the network engine module 614, thereby blocking a malicious ARP spoofing attack. The detection and blocking of ARP spoofing packets is continuously performed using the address information of the candidate senders while the ARP responses of inbound packets are being received.
The above-described techniques for detecting an ARP spoofing attack using ARP locking in accordance with the embodiments of the present invention may be implemented as computer-executable code or code segments stored in recording media that can be read by a computer. The computer-readable recording media may include all types of recording media or information storage media that store data readable by a computer system, for example magnetic recording media, optical recording media, and carrier waves.
As described above, the present invention detects and blocks an ARP spoofing attack on each management target agent by selecting and comparing the address information of the candidate senders provided by the server that provides the ARP detection service, the address information in the ARP cache, and the sender address information of the ARP response in an inbound packet or of the ARP response in an outbound packet. Alternatively, it detects and blocks an ARP spoofing attack on each agent PC by selecting and comparing the address information of candidate senders entered by a user or determined by the agent PC itself, the address information in the ARP cache, and the sender address information of the ARP response in an inbound packet or of the ARP response in an outbound packet. The invention can therefore cope rapidly and actively with malicious ARP spoofing attacks: it can block and guard against ARP spoofing attacks in advance, and it can accurately detect and remedy an ARP spoofing attack even after the attack has already been made.
While the invention has been shown and described with respect to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the invention as defined in the following claims.

Claims (20)

  1. A method of detecting Address Resolution Protocol (ARP) spoofing attack, comprising:
    in response to a command to collect ARP information from a server, transmitting collected ARP responses;
    receiving address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack, wherein the address information of the candidate senders is determined by analysis of address information of the senders sending the ARP responses;
    comparing address information of an ARP cache with the address information of the candidate senders;
    initializing the address information of the ARP cache if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache;
    comparing address information of a sender sending an ARP response in a received inbound packet with the address information of the candidate senders; and
    if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packets.
  2. The method of claim 1, further comprising storing the address information of the candidate senders in a database.
  3. The method of claim 1, wherein said transmitting collected ARP responses comprises:
    transmitting an ARP request for collecting the ARP information over a network; and
    collecting ARP responses arriving for a preset time period and transmitting the ARP responses to the server.
  4. The method of claim 1, wherein address information of a sender sending one ARP response only in response to one ARP request is determined as one of the address information of the candidate senders.
  5. The method of claim 1, wherein address information of a sender sending an ARP response that has arrived first in response to one ARP request is determined as one of the address information of the candidate senders.
  6. A method of detecting Address Resolution Protocol (ARP) spoofing attack, comprising:
    receiving address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect against the ARP spoofing attack from a server;
    comparing address information of an ARP cache with the address information of the candidate senders;
    if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, initializing the address information of the ARP cache;
    comparing the address information of a sender sending an ARP response in a received inbound packet with the address information of the candidate senders; and
    if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
  7. The method of claim 6, wherein the address information of the candidate senders is address information that has been stored in a database of the server via a user interface.
  8. The method of claim 6, wherein address information of a sender sending one ARP response only in response to one ARP request is determined as one of the address information of the candidate senders.
  9. The method of claim 6, wherein address information of a sender sending an ARP response that has arrived first in response to one ARP request is determined as one of the address information of the candidate senders.
  10. A method of detecting Address Resolution Protocol (ARP) spoofing attack, comprising:
    receiving address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack, together with a command to detect the ARP spoofing attack, from a server;
    comparing address information of a sender sending an ARP response in a received outbound packet with the address information of the candidate senders; and
    if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack, and extracting information about a process sending the ARP response to transmit the extracted information about the process to the server.
  11. The method of claim 10, further comprising blocking the outbound packet when it is determined that there is the ARP spoofing attack.
  12. The method of claim 10, wherein address information of a sender sending one ARP response only in response to one ARP request is determined as one of the address information of the candidate senders.
  13. The method of claim 10, wherein address information of a sender sending an ARP response that has arrived first in response to one ARP request is determined as one of the address information of the candidate senders.
  14. A method of detecting Address Resolution Protocol (ARP) spoofing attack, comprising:
    broadcasting an ARP request over a network in response to a command to collect ARP information of senders;
    collecting ARP responses to the ARP request for a preset time period;
    analyzing the collected ARP responses to determine address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack;
    comparing address information of an ARP cache with the address information of the candidate senders;
    if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, initializing the address information of the ARP cache;
    comparing address information of a sender sending an ARP response of a received inbound packet with the address information of the candidate senders; and
    if an IP address of the sender sending the ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending the ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
  15. The method of claim 14, wherein address information of a sender sending one ARP response only in response to one ARP request is determined as one of the address information of the candidate senders.
  16. The method of claim 14, wherein address information of a sender sending an ARP response that has arrived first in response to one ARP request is determined as one of the address information of the candidate senders.
  17. A method of detecting Address Resolution Protocol (ARP) spoofing attack, comprising:
    when address information, including Internet Protocol (IP) and Media Access Control (MAC) addresses, of candidate senders that desire to protect from the ARP spoofing attack is entered via a user interface, comparing address information of an ARP cache with the address information of the candidate senders;
    if an IP address of the ARP cache is consistent with any one of the IP addresses of the candidate senders and a MAC address of the ARP cache is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the ARP cache, initializing the address information of the ARP cache;
    comparing address information of a sender sending an ARP response in a received inbound packet with the address information of the candidate senders; and
    if an IP address of the sender sending an ARP response is consistent with any one of the IP addresses of the candidate senders and a MAC address of the sender sending an ARP response is not consistent with a MAC address of a candidate sender of which IP address is consistent with that of the sender sending the ARP response, determining that there is the ARP spoofing attack and blocking the inbound packet.
  18. The method of claim 17, wherein address information of a sender sending one ARP response only in response to one ARP request is determined as one of the address information of the candidate senders.
  19. The method of claim 17, wherein address information of a sender sending an ARP response that has arrived first in response to one ARP request is determined as one of the address information of the candidate senders.
  20. A computer-readable recording medium storing a program for executing the method of detecting Address Resolution Protocol (ARP) spoofing attack set forth in any one of claims 1, 6, 10, 14 and 17.
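The collection and analysis steps of claims 3 to 5 and 14 (broadcast one ARP request, collect replies for a preset period, then derive the candidate senders), as an added example in Python that is not the patent's or AhnLab's code. The observations are constructed test data rather than a capture, the collection window and all function and rule names are assumptions, and the merge with user-entered entries models claims 7 and 17 in the simplest way (user entries win).

```python
"""Candidate-sender selection from collected ARP replies (added example; not the
patent's or AhnLab's code).

Replies that arrive within a preset window after one broadcast ARP request are
grouped per IP.  An IP becomes a locked candidate either because it produced
exactly one reply (claim 4) or by taking the first reply that arrived (claim 5).
User-entered entries (claims 7 and 17) override the automatic result.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    t_ms: int   # arrival time relative to the ARP request, in milliseconds
    ip: str     # ARP sender protocol address
    mac: str    # ARP sender hardware address


def collect_window(observations, window_ms: int) -> list:
    """Claim 3: keep only replies that arrived within the preset period, in arrival order."""
    return sorted((o for o in observations if o.t_ms <= window_ms), key=lambda o: o.t_ms)


def group_by_ip(replies) -> dict:
    by_ip = defaultdict(list)
    for r in replies:
        by_ip[r.ip].append(r)
    return by_ip


def candidates_single_reply(replies) -> dict:
    """Claim 4: lock an IP only if exactly one reply was seen for it."""
    return {ip: rs[0].mac for ip, rs in group_by_ip(replies).items() if len(rs) == 1}


def candidates_first_reply(replies) -> dict:
    """Claim 5: the first reply for each IP wins; later replies for that IP are ignored."""
    locked = {}
    for r in replies:               # replies are already in arrival order
        locked.setdefault(r.ip, r.mac)
    return locked


def contested_ips(replies) -> set:
    """IPs answered by more than one distinct MAC: poisoning may already be under way."""
    return {ip for ip, rs in group_by_ip(replies).items() if len({r.mac for r in rs}) > 1}


def build_lock_table(observations, window_ms: int, user_entries: dict = None,
                     rule: str = "first") -> dict:
    """Automatic rule ('first' or 'single') merged with user entries, which take precedence."""
    replies = collect_window(observations, window_ms)
    auto = candidates_first_reply(replies) if rule == "first" else candidates_single_reply(replies)
    return {**auto, **(user_entries or {})}


# Constructed replies to one broadcast request; collection window is 1000 ms.
OBSERVED = [
    Observed(3, "192.168.0.1", "00:11:22:33:44:55"),      # gateway, genuine
    Observed(9, "192.168.0.1", "de:ad:be:ef:00:01"),      # gateway IP claimed by a second MAC
    Observed(5, "192.168.0.10", "aa:bb:cc:dd:ee:01"),     # file server, exactly one reply
    Observed(4, "192.168.0.20", "aa:bb:cc:dd:ee:02"),     # printer answered twice, same MAC
    Observed(40, "192.168.0.20", "aa:bb:cc:dd:ee:02"),
    Observed(1500, "192.168.0.30", "aa:bb:cc:dd:ee:03"),  # arrived after the window closed
]

if __name__ == "__main__":
    replies = collect_window(OBSERVED, 1000)
    print("single-reply rule:", candidates_single_reply(replies))
    print("first-reply rule: ", candidates_first_reply(replies))
    print("contested IPs:    ", contested_ips(replies))
    print("lock table:       ", build_lock_table(
        OBSERVED, 1000, {"192.168.0.1": "00:11:22:33:44:55"}, rule="single"))
```

Both rules are heuristics. The first-reply rule assumes the genuine host answers before a poisoner, which an attacker already on the segment can sometimes beat; the single-reply rule refuses to lock any IP that was answered more than once, so a gateway under attack during collection simply drops out of the table. `contested_ips` exists to surface that case to an administrator, whose user-entered entries override the automatic result in `build_lock_table`.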
PCT/KR2012/000930 2011-02-08 2012-02-08 Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method WO2012108687A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020110011068A KR101236822B1 (en) 2011-02-08 2011-02-08 Method for detecting arp spoofing attack by using arp locking function and recordable medium which program for executing method is recorded
KR10-2011-0011068 2011-02-08

Publications (2)

Publication Number Publication Date
WO2012108687A2 true WO2012108687A2 (en) 2012-08-16
WO2012108687A3 WO2012108687A3 (en) 2012-12-13

Family

ID=46639059

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2012/000930 WO2012108687A2 (en) 2011-02-08 2012-02-08 Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method

Country Status (2)

Country Link
KR (1) KR101236822B1 (en)
WO (1) WO2012108687A2 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101228089B1 (en) * 2012-09-10 2013-02-01 한국인터넷진흥원 Ip spoofing detection apparatus
KR101434178B1 (en) * 2012-11-30 2014-08-27 한국인터넷진흥원 Method for detecting data packet caused of abnormal billing in mobile communication network
KR101489178B1 (en) * 2013-09-12 2015-02-03 숭실대학교산학협력단 Device and method for arp spoofing detection
KR101657180B1 (en) * 2015-05-04 2016-09-19 최승환 System and method for process access control system
KR102286291B1 (en) * 2018-11-13 2021-08-06 한국전자통신연구원 Decoy apparatus and method for expand fake attack surface using deception network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040213172A1 (en) * 2003-04-24 2004-10-28 Myers Robert L. Anti-spoofing system and method
US7234163B1 (en) * 2002-09-16 2007-06-19 Cisco Technology, Inc. Method and apparatus for preventing spoofing of network addresses
US7464183B1 (en) * 2003-12-11 2008-12-09 Nvidia Corporation Apparatus, system, and method to prevent address resolution cache spoofing
US20100107250A1 (en) * 2007-09-06 2010-04-29 Huawei Technologies Co., Ltd. Method and apparatus for defending against arp spoofing attacks

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100779072B1 (en) * 2004-12-08 2007-11-27 한국전자통신연구원 ARP poisoning detection apparatus and method
KR100528171B1 (en) 2005-04-06 2005-11-15 스콥정보통신 주식회사 Ip management method and apparatus for protecting/blocking specific ip address or specific device on network
KR100807933B1 (en) * 2006-11-28 2008-03-03 엘지노텔 주식회사 System and method for detecting arp spoofing and computer readable storage medium storing program for detecting arp spoofing
KR101064382B1 (en) * 2007-06-07 2011-09-14 주식회사 케이티 Arp attack blocking system in communication network and method thereof

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262712A (en) * 2014-05-27 2016-01-20 腾讯科技(深圳)有限公司 Network intrusion detection method and device
CN105187224A (en) * 2014-06-17 2015-12-23 腾讯科技(深圳)有限公司 Invasion detection method and device
CN107040507A (en) * 2016-01-21 2017-08-11 曜祥网技股份有限公司 Network blocking method and equipment
CN108574674A (en) * 2017-03-10 2018-09-25 武汉安天信息技术有限责任公司 A kind of ARP message aggressions detection method and device
CN107027140A (en) * 2017-03-27 2017-08-08 武汉虹信通信技术有限责任公司 Protocal layers customer instance consistency maintaining method in a kind of LTE
CN107295020A (en) * 2017-08-16 2017-10-24 北京新网数码信息技术有限公司 A kind of processing method and processing device of attack of address resolution protocol
CN108471430A (en) * 2018-07-03 2018-08-31 杭州安恒信息技术股份有限公司 A kind of Internet of Things embedded-type security means of defence and device
TWI709309B (en) * 2019-09-25 2020-11-01 飛泓科技股份有限公司 Network management device and network management method thereof
CN111683162A (en) * 2020-06-09 2020-09-18 福建健康之路信息技术有限公司 IP address management method and device based on flow identification
CN111683162B (en) * 2020-06-09 2022-10-25 福建健康之路信息技术有限公司 IP address management method based on flow identification
CN115348113A (en) * 2022-10-18 2022-11-15 安徽华云安科技有限公司 Man-in-the-middle attack resisting method
CN115348113B (en) * 2022-10-18 2022-12-23 安徽华云安科技有限公司 Man-in-the-middle attack resisting method

Also Published As

Publication number Publication date
KR20120090574A (en) 2012-08-17
KR101236822B1 (en) 2013-02-25
WO2012108687A3 (en) 2012-12-13

Similar Documents

Publication Publication Date Title
WO2012108687A2 (en) Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method
WO2017069348A1 (en) Method and device for automatically verifying security event
WO2011010823A2 (en) Method for detecting and preventing a ddos attack using cloud computing, and server
WO2017091047A1 (en) Method for blocking connection in wireless intrusion prevention system and device therefor
WO2012153913A1 (en) Method of defending against a spoofing attack by using a blocking server
WO2014054854A1 (en) Log analysis system and log analyis method for security system
WO2014081205A1 (en) Illegal ap detection system and detection method therefor
WO2012023657A1 (en) Network-based harmful-program detection method using a virtual machine, and a system comprising the same
WO2019160195A1 (en) Apparatus and method for detecting malicious threats contained in file, and recording medium therefor
WO2017034072A1 (en) Network security system and security method
WO2015034241A1 (en) Method and system for configuring smart home gateway firewall
WO2013024986A2 (en) Network identifier position determining system and method for same
WO2018056601A1 (en) Device and method for blocking ransomware using contents file access control
WO2020013439A1 (en) Device and method for control routing in sdn network
WO2017171188A1 (en) Security device using transaction information collected from web application server or web server
CN104901850B (en) A kind of malicious code terminal compromised machines network locating method
CN109995696A (en) A kind of system identifying device-fingerprint
WO2017026840A1 (en) Internet connection device, central management server, and internet connection method
WO2019103443A1 (en) Method, apparatus and system for managing electronic fingerprint of electronic file
CN111368595A (en) System for identifying equipment fingerprint
WO2015102356A1 (en) Method for selectively allowing or blocking internet access request traffic sharing authorized ip on basis of present time, and system for detecting current state of and blocking authorized ip sharing so as to perform method thereof
WO2019231089A1 (en) System for performing bi-directional inquiry, comparison and tracking on security policies and audit logs, and method therefor
CN112367315A (en) Endogenous safe WAF honeypot deployment method
WO2019182219A1 (en) Blockchain-based trusted network system
WO2020067734A1 (en) Non-address network equipment and communication security system using same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12744444; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12744444; Country of ref document: EP; Kind code of ref document: A2)