

Active DES based detection of ARP related attacks

Definition 2.9 (Fi-diagnosability)

Let $\Psi(X_{F_i}) = \{ s \in L_f(G) \mid \text{the last transition of } s \text{ is measurable and } final(s) \in X_{F_i} \}$.

A DES model $G$ is said to be $F_i$-diagnosable for the failure $F_i$ under a measurement limitation if the following holds:

$\exists n \in \mathbb{N}$ s.t. $\big[\forall s \in \Psi(X_{F_i})\ \{\forall t \in L_f(G)/s\ (|t| \ge n \Rightarrow D)\}\big]$, where the condition $D$ is $\forall u \in P^{-1}[P(st)],\ final(u) \in X_{F_i}$.

The above definition means the following. Let s be any finite prefix of a trace of G that ends in an Fi-state and let t be any sufficiently long continuation of s. Condition D then requires that every sequence of transitions measurement-equivalent with st (i.e., belonging to $P^{-1}(P(st))$) ends in an Fi-state. This implies that along every continuation t of s one can detect the occurrence of the failure Fi within a finite delay, more specifically within at most n transitions after s.

Let there be two traces s1 and s2 that violate the definition of Fi-diagnosability: $P^{-1}(P(s_1)) = P^{-1}(P(s_2))$ (the two traces are measurement-equivalent), s1 ends in an Fi-state while s2 ends in a non-Fi-state. If s1 and s2 are the only traces that violate diagnosability and s2 is eliminated, then the model becomes diagnosable.

The problem of active diagnosis ([21]): Given a DES model G with controllable and uncontrollable transitions, eliminate a minimum number of traces S from L(G) such that L(G) − S is diagnosable by Definition 2.9.

2.4.2.4 The Diagnoser

In this subsection the construction method for the diagnoser is given. The diagnoser is represented as a directed graph O = ⟨Z, A⟩, where Z is the set of diagnoser nodes, called O-nodes, and A is the set of diagnoser transitions, called O-transitions. Each O-node z ∈ Z is a set of G-states representing the uncertainty about the actual state, and each O-transition a ∈ A of the form ⟨zi, zf⟩ is a set of equivalent transitions representing the uncertainty about the actual measurable transition that occurs. Before discussing the procedure for constructing the diagnoser from G, the following definitions are introduced.

Definition 2.10 (Unmeasurable successor and unmeasurable reach of a set of G-states):

The unmeasurable successor (set) of a set Y of states is defined as $U(Y) = \bigcup_{x \in Y} \{x^+ \mid \tau = \langle x, x^+ \rangle \in \Xi_u\}$, where $\Xi_u$ is the set of unmeasurable G-transitions. The unmeasurable reach of a set Y of G-states, written U(Y) in the rest of this chapter, is the reflexive-transitive closure of Y under unmeasurable successors.

The diagnoser is constructed starting from the initial state(s) of the model. The states in X0 are partitioned into equivalent subsets denoted as X01, X02, ..., X0m. For all i, 1 ≤ i ≤ m, an initial O-node z0i is obtained as the unmeasurable reach of X0i, i.e., z0i = U(X0i). The set of all initial O-nodes is denoted as Z0 = {z01, ..., z0m}. The initial O-nodes capture the fact that the diagnoser can infer a set z0i of the possible initial system states (or their unmeasurable reach) by measuring the variables, without waiting for the first measurable transition. Given any O-node z, the O-transitions emanating from z are obtained as follows.

Let $\Xi_m^z$ denote the set of measurable G-transitions from the states x ∈ z. Let $A_z$ be the set of all equivalence classes of $\Xi_m^z$ under E. For each a ∈ $A_z$, a successor O-node z+ of z such that z+ = final(a) is created as follows. Let $z^+_a = \{final(\tau) \mid \tau \in a\}$; then $z^+ = U(z^+_a)$ and a is designated as ⟨z, z+⟩. The set of diagnoser transitions is augmented as A ← A ∪ {a}, and the set of O-nodes is augmented as Z ← Z ∪ {z+}. Each a ∈ A is an ordered pair ⟨z, z+⟩, where z = initial(a) and z+ = final(a). Thus, each O-node contains equivalent states.

Henceforth, we refer to states, transitions and traces of G as G-states, G-transitions and G-traces, respectively. Similarly, for the diagnoser nodes and transitions we use "O-nodes" and "O-transitions", respectively.

Definition 2.11 (Fi-O-node): An O-node which contains an Fi-state is called an Fi-O-node, denoted as zFi.

Definition 2.12 (Fi-certain O-node): An Fi-O-node z is called an Fi-certain O-node if z ⊆ XFi. An Fi-O-node which is not Fi-certain is called Fi-uncertain.

A path of the diagnoser O is a sequence of O-transitions γ = ⟨a1, a2, ...⟩ with the consecution property. It may be noted that corresponding to any O-path γ = ⟨a1, a2, ...⟩ there is a unique sequence of O-nodes ⟨z1, z2, ...⟩, where zi = initial(ai) and zi+1 = final(ai), for i ≥ 1. The term "O-path" is, therefore, used interchangeably for both the O-transition sequence and the O-node sequence. Similarly, "G-trace" is used interchangeably for both the G-transition sequence and the G-state sequence.

Definition 2.13 (Fi-uncertain cycle): An Fi-uncertain cycle is an Fi-O-cycle in which there is no Fi-certain O-node.

Definition 2.14 (Fi-indeterminate cycle): An Fi-uncertain cycle γ in which the Fi-states contained in the O-nodes of γ form a cycle in G comprising transitions from γ is called an Fi-indeterminate cycle.

The equivalence between Fi-diagnosability and the absence of Fi-indeterminate O-cycles has been formally established for DES models [20]. Fi-uncertain O-nodes comprise some normal G-states and some Fi-G-states, so from an Fi-uncertain O-node one cannot tell whether the system is normal or a fault has occurred. On the other hand, Fi-certain O-nodes detect that a fault has occurred, because Fi-certain nodes comprise only Fi-G-states. The presence of Fi-indeterminate cycles implies that after failure Fi the system can move indefinitely among Fi-uncertain O-nodes, making the fault non-diagnosable. In active diagnosis, a minimum number of traces from L(G) is to be eliminated (if possible, subject to controllability) such that there is no Fi-indeterminate cycle. In other words, in any Fi-indeterminate cycle γ, the Fi-state sequence (trace) contained in the O-nodes of γ which forms a cycle in G comprising transitions from γ is to be eliminated (if possible).

Now we present an abstract example to illustrate the active diagnosis problem. Figure 2.5(a) illustrates the active DES model of an abstract system. The model has seven states, namely a, b, c, a', b', c', d', where the non-primed (primed) states represent normal (failure) behavior. In other words, C(a) = C(b) = C(c) = N and C(a') = C(b') = C(c') = C(d') = Fi. The dotted transition (failure) represents the occurrence of the failure Fi. We assume that transitions 1 E 1', 2 E 2' and 3 E 3', so states a E a', b E b' and c E c'. failure is the only unobservable transition.

Transitions failure, 1, 2, 1', 2' are assumed uncontrollable, while 3, 3', 4' are controllable transitions.

The diagnoser for the DES model of Figure 2.5(a) is shown in Figure 2.5(b). Some of the initial steps of the diagnoser construction for this example are as follows.

[Figure 2.5 (image not reproduced). (a) Active DES model: normal states a, b, c with transitions 1 (a to b), 2 (b to c), 3 (c to a); failure states a', b', c', d' with transitions 1' (a' to b'), 2' (b' to c'), 3' (c' to a'), 4' (c' to d') and 5' (from d'); the dotted transition failure leads from a to a'. (b) Diagnoser for model (a): O-nodes z1 = {a, a'}, z2 = {b, b'}, z3 = {c, c'}, z4 = {d'} and O-transitions a1 = {1, 1'}, a2 = {2, 2'}, a3 = {3, 3'}, a4 = {4'}, a5 = {5'}. (c) Active DES model after trace {1', 2', 3'} is eliminated; 3' is gone and a transition 4 appears. (d) Diagnoser for model (c): z1 to z4 as in (b) plus z5 = {c}, with O-transitions a6 = {4} and a7 = {4}.]

Figure 2.5: Active DES model for diagnosis of ARP

(i) The initial O-node of the diagnoser, i.e., z1, is obtained as follows. X0 is partitioned into measurement-equivalent subsets of G-states, which in this case is a single subset: X0 = {a}, as there is only one initial G-state a (as shown in Figure 2.5(a)), and X01 = {a}. As X0 can be partitioned into only one subset of measurement-equivalent initial G-states, Z0 = {z01} with z01 = U(X01) = U({a}) = {a, a'}. Thus, there is only one initial O-node z1 (as shown in Figure 2.5(b)) and z1 = {a, a'}.

(ii) The outgoing O-transitions from z1 are obtained as follows. Here, $\Xi_m^{z_1} = \{1, 1'\}$, which are all the outgoing measurable transitions from G-states in z1. Now, $A_{z_1} = \{\{1, 1'\}\}$ as 1 E 1'. Corresponding to {1, 1'} there is an O-transition a1.

(iii) The destination O-node corresponding to a1 is obtained as follows. $z^+_{1,a_1} = \{b, b'\}$ as a1 comprises the G-transitions 1, 1' and final(1) = b and final(1') = b'. Further, since failure (from a to a') is the only unmeasurable transition, U({b}) = {b} and U({b'}) = {b'}, so $z^+_1 = U(\{b, b'\}) = \{b, b'\}$. Thus, the destination O-node of the O-transition a1 is z2 = {b, b'}. Similarly, the construction of the diagnoser continues until no more new O-nodes are created in step (iii).

It may be noted that there is an Fi-indeterminate cycle ⟨z1, z2, z3⟩ = γ, say (Figure 2.5(b)), making the fault non-diagnosable. Active diagnosis theory can be applied to see whether the failure can be made diagnosable by eliminating some traces. In Figure 2.5(b), the Fi-state sequence (trace) contained in the O-nodes of γ (i.e., z1, z2, z3) which forms a cycle in G comprising transitions from γ (i.e., a1, a2, a3) is ⟨1', 2', 3'⟩. As 3' is a controllable transition, its triggering event can be disabled when the system is in state c' (or c, as c E c'), which eliminates ⟨1', 2', 3'⟩ from the language of the model; the model with this trace removed is shown in Figure 2.5(c) and the corresponding diagnoser in Figure 2.5(d). In Figure 2.5(d) there is no Fi-indeterminate cycle, making Fi diagnosable. In other words, to make Fi diagnosable, when the system is in state c' (or c, as c E c') the controller needs to enable the event for transition 4' and disable the event for transition 3'.
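The construction of Subsection 2.4.2.4 and the cycle test of Definition 2.14, run on the abstract model above, as an added example; this is not code from the thesis. The model is built from the description of Figure 2.5(a) as read from the text: failure (a to a') is the only unmeasurable transition and 1 E 1', 2 E 2', 3 E 3'. That 5' returns from d' to a' and that X0 forms a single measurement-equivalent class are assumptions of the example. The active-diagnosis step removes only 3' (the text disables its triggering event at c'), which is enough to break the cycle through {a, a'}, {b, b'}, {c, c'}.

```python
from collections import defaultdict, deque

N, F = "N", "F"   # condition C(x) of a G-state: normal or failure (Fi)


class DES:
    """Active DES model G: conditioned states, labelled transitions, the set of
    unmeasurable transition labels and the measurement-equivalence classes (E)."""

    def __init__(self, cond, trans, unmeasurable, equiv):
        self.cond, self.trans = dict(cond), dict(trans)   # state -> N/F; label -> (initial, final)
        self.unmeasurable = set(unmeasurable)
        self.equiv = [frozenset(c) for c in equiv]
        self.cls_of = {lab: i for i, c in enumerate(self.equiv) for lab in c}   # E-class id

    def eliminate(self, labels):
        """Model with the given G-transitions removed (the active-diagnosis step)."""
        labels = set(labels)
        return DES(self.cond, {l: t for l, t in self.trans.items() if l not in labels},
                   self.unmeasurable - labels, [c - labels for c in self.equiv])


def unmeasurable_reach(G, Y):
    """U(Y) of Definition 2.10: closure of Y under unmeasurable transitions."""
    reach, stack = set(Y), list(Y)
    while stack:
        x = stack.pop()
        for lab in G.unmeasurable:
            src, dst = G.trans[lab]
            if src == x and dst not in reach:
                reach.add(dst)
                stack.append(dst)
    return frozenset(reach)


def build_diagnoser(G, X0):
    """O = <Z, A> of Subsection 2.4.2.4. X0 is assumed to be one measurement-equivalent
    class, so U(X0) is the only initial O-node. Arcs are (z, E-class of labels, z+)."""
    z0 = unmeasurable_reach(G, X0)
    nodes, arcs, queue = {z0}, [], deque([z0])
    while queue:
        z = queue.popleft()
        classes = defaultdict(set)                   # A_z: classes of Xi_m^z under E
        for lab, (src, _) in G.trans.items():
            if src in z and lab not in G.unmeasurable:
                classes[G.cls_of.get(lab, lab)].add(lab)   # unpaired labels are singletons
        for a in classes.values():
            z_plus = unmeasurable_reach(G, {G.trans[lab][1] for lab in a})
            arcs.append((z, frozenset(a), z_plus))
            if z_plus not in nodes:
                nodes.add(z_plus)
                queue.append(z_plus)
    return nodes, arcs


def is_certain(G, z):
    """Definition 2.12: every G-state of the O-node is an Fi-state."""
    return all(G.cond[x] == F for x in z)


def simple_cycles(nodes, arcs):
    """All simple O-cycles as lists of arcs; each is reported once, from its lowest node."""
    out = defaultdict(list)
    for arc in arcs:
        out[arc[0]].append(arc)
    rank = {z: i for i, z in enumerate(sorted(nodes, key=sorted))}
    cycles = []

    def dfs(start, z, path, seen):
        for arc in out[z]:
            if arc[2] == start:
                cycles.append(path + [arc])
            elif arc[2] not in seen and rank[arc[2]] > rank[start]:
                dfs(start, arc[2], path + [arc], seen | {arc[2]})

    for z in nodes:
        dfs(z, z, [], {z})
    return cycles


def is_indeterminate(G, cycle):
    """Definition 2.14: no Fi-certain node on the O-cycle, and the Fi-states of its nodes
    form a G-cycle using only G-transitions that belong to the cycle's O-transitions."""
    zs = {arc[0] for arc in cycle}
    if any(is_certain(G, z) for z in zs):
        return False
    f_states = {x for z in zs for x in z if G.cond[x] == F}
    succ = defaultdict(set)
    for arc in cycle:
        for lab in arc[1]:
            src, dst = G.trans[lab]
            if src in f_states and dst in f_states:
                succ[src].add(dst)
    live = set(f_states)                             # peel off sinks; a leftover is a cycle
    while True:
        sinks = {x for x in live if not succ[x] & live}
        if not sinks:
            return bool(live)
        live -= sinks


def indeterminate_cycles(G, X0):
    nodes, arcs = build_diagnoser(G, X0)
    return [c for c in simple_cycles(nodes, arcs) if is_indeterminate(G, c)]


# Constructed model after Figure 2.5(a); that 5' returns from d' to a' is an assumption.
EXAMPLE = DES(
    cond={"a": N, "b": N, "c": N, "a'": F, "b'": F, "c'": F, "d'": F},
    trans={"failure": ("a", "a'"), "1": ("a", "b"), "2": ("b", "c"), "3": ("c", "a"),
           "1'": ("a'", "b'"), "2'": ("b'", "c'"), "3'": ("c'", "a'"), "4'": ("c'", "d'"),
           "5'": ("d'", "a'")},
    unmeasurable={"failure"}, equiv=[{"1", "1'"}, {"2", "2'"}, {"3", "3'"}],
)
```

`indeterminate_cycles(EXAMPLE, {"a"})` returns the single cycle through {a, a'}, {b, b'}, {c, c'} (the γ of the text), while `indeterminate_cycles(EXAMPLE.eliminate({"3'"}), {"a"})` is empty: once 3' is removed the Fi-states a', b', c' no longer close a cycle in G with the transitions of the O-cycle, so the O-cycle through z1, z2, z3 survives in the diagnoser but is no longer indeterminate.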

2.4.3 DES Modeling of ARP spoofing

Figure2.6illustrates the active DES model for ARP with probing under normal and request spoofing.

The values of the different parameters in the active DES framework (Subsection 2.4.2) for modeling ARP are as follows.

[Figure 2.6 (image not reproduced). Each transition is a tuple ⟨initial state, final state, event, φ(V), Φ(C), Assign(V), Reset(C)⟩; the legible ones in the normal part are τ1 = ⟨x1, x2, RQP, −, −, {IPS ← RQP_IPS, MACS ← RQP_MACS}, {y ← 0}⟩, τ2 = ⟨x2, x3, PRQP, {IPS = PRQP_IPD}, −, −, {y ← 0}⟩, τ3 = ⟨x3, x4, PRSP, {IPS = PRSP_IPS, MACS = PRSP_MACS}, {y ≤ Treq}, −, −⟩, τ4 = ⟨x4, x1, −, −, −, −, −⟩ and τ5 = ⟨x2, x1, −, −, {y > Treq}, −, −⟩. Normal part: transitions 1 (uc), 2 (c), 3 (uc), 4 (uc), 5 (c). Request-spoofing part (states x1' to x7'): transitions 1' (uc), 2' (c), 3' (uc), 4' (uc), 5' (uc), 6' (uc), 7' (c), 8' (uc), 9' (uc), 10' (uc), 11' (uc), 12' (uc). The dotted unmeasurable transition ⟨x1, x1', attack, −, −, −, −⟩ (failure) links the two parts.]

Figure 2.6: Active DES based model of ARP spoofing under normal and attack condition

Σ = {RQP, RSP, PRQP, PRSP, attack}. The set of states S is shown in Figure 2.6. States with no primes correspond to the normal situation and those with a single prime denote request spoofing. The initial state is X0 = {x1}. The model variable set is V = {IPS, IPD} and both its elements have the same domain, given as D1 (= D2) = {d.d.d.d | d ∈ {1, 2, ..., 255}}. There is one clock variable y. The transitions are shown in Figure 2.6; like the states, transitions without primes belong to the normal model while those with a single prime are for request spoofing. It may be noted that there are "−" entries for some fields in the tuple representing a transition. If "−" stands for φ(V) or Φ(C) then it represents the condition TRUE, while if "−" stands for Reset(C) or Assign(V) then it represents that NO action (i.e., reset or assignment) is to be taken. Controllable transitions are marked as c and uncontrollable ones as uc. The failure-causing transition ⟨x1, x1', attack, −, −, −, −⟩ (i.e., the one that causes request spoofing) is the only unmeasurable transition.

The overview of the active DES model for ARP under the normal and request spoofing cases is as follows.

Normal case

In the normal case (Figure 2.6), the model moves from x1 to state x2 on observation of an event RQP by transition τ1; this transition is uncontrollable, because any genuine host or attacker can send an ARP request packet to another host. Enabling of τ1 depends only on RQP and not on any model variable or clock invariant condition; this is depicted by "−" in the transition. Model variables IPS and MACS are assigned the source IP address and source MAC address of RQP, respectively. Clock variable y is reset to 0. Following that, in state x2 there are two options: either an ARP probe (PRQP) is sent (τ2) or the system moves back to state x1 after Treq time (τ5) from receipt of the RQP. Transition τ2 is enabled on PRQP (sent to the source IP address of the RQP under question); correspondence of PRQP with RQP is determined by checking model variable IPS against PRQP_IPD. Also, clock variable y is reset. It may be noted that the decision on sending the PRQP is made by the supervisory controller based on conditions like (i) PRQP is sent if the source IP-MAC pair of RQP is new (not yet verified), (ii) PRQP is not sent if the extra traffic in the network due to probing is to be minimized, etc. So τ2 is a controllable transition. If PRQP is not sent the system waits in state x2 for Treq and then moves to x1 via τ5; the clock invariant condition y > Treq in τ5 determines that Treq time has passed. As occurrence of τ5 depends on τ2 (which is controllable), τ5 is also controllable. After transition τ2, the probe response (PRSP) from the (normal) host arrives (τ3); correspondence of PRSP with RQP is ensured by checking IPS = PRSP_IPS and MACS = PRSP_MACS. Further, the PRSP is to arrive within Treq time after PRQP is sent; this is checked by the clock invariant condition y ≤ Treq in transition τ3. PRSPs are sent by hosts and are uncontrollable from the IDS perspective, making transition τ3 uncontrollable.

In the normal situation only one probe response would arrive for the probe request. So after receipt of one probe response the model returns to the initial state x1 by transition τ4. τ4 fires instantaneously after the system reaches x4, so there is no enabling event or condition. Due to the absence of an enabling condition, τ4 is an uncontrollable transition.

Request Spoofing case

The primed states and transitions in Figure 2.6 represent ARP request spoofing with probing by the IDS. The model moves to state x2' on observation of an event RQP by transition τ1'. Model variables IPS and MACS are assigned the source IP address and source MAC address of RQP, respectively. Clock variable y is reset to 0. Like τ1, τ1' is an uncontrollable transition. Following that, in state x2' there are two options: either an ARP probe (PRQP) is sent (τ2') or the system moves back to state x1' after Treq time (τ7') from receipt of the RQP. As in the normal case, τ2' and τ7' are controllable transitions. After transition τ2', there are three options: (i) a probe response from the attacker arrives (τ3') having PRSP_MACS the same as the spoofed RQP_MACS, (ii) a probe response from the normal host arrives (τ5') having PRSP_MACS not the same as the spoofed RQP_MACS, or (iii) no response arrives (and the system moves back to state x1' by τ10'), as may be the case when the source IP address of the request packet in question, RQP_IPS, is non-existent and the attacker does not send any reply to the probe. As in the normal case, τ3', τ5' and τ10' are uncontrollable transitions. Let transition τ5' fire and bring the system to x6'. At x6' there are two options: (i) a probe response from the attacker arrives (τ6') having PRSP_MACS the same as the spoofed RQP_MACS, or (ii) no other response to the probe arrives (and the system moves back to state x1' by τ11'), as may be the case when the attacker does not send any reply to the probe. Transitions τ6' and τ11' are uncontrollable.

If τ6' occurs the system moves to x7', following which τ8' occurs instantaneously. In the attack situation more than one probe response would arrive for the probe request. So after receipt of more than one probe response the model returns to the initial state x1' by transition τ8'; τ8' is uncontrollable. In a similar way the other sequence of states from x3' (x4', x5', x1') can be explained. It may be noted that the model does not capture which probe response (PRSP) is from the normal host and which is from the attacker. The model only denotes the fact that there are two responses with different MAC addresses; τ3', τ4' and τ5', τ6' are the two combinations of arrival of the responses with different MAC addresses. Further, these PRSPs are to arrive within Treq time after PRQP is sent.

2.4.3.1 Diagnoser for the DES model of ARP request spoofing

After development of the active DES model, we design a diagnoser by the technique explained in Subsection 2.4.2.4 with a slight modification. In the diagnoser for the DES model of ARP request spoofing, no transitions and states are created from Fi-certain nodes. The diagnoser declares an attack when an Fi-certain node is reached, as the estimate then comprises states only from the attack model; no further estimation is required and one can stop at Fi-certain nodes. Figure 2.7 illustrates the diagnoser for the DES model of Figure 2.6.

In the diagnoser, nodesz1,z2,z3,z4 (z5,z6,z7) are Fi-uncertain (Fi-certain) and attack cannot (can) be detected there. It may be noted that there are twoFi-indeterminate cycles.

[Figure 2.7 (image not reproduced). O-nodes: z1 = {x1, x1'}, z2 = {x2, x2'}, z3 = {x3, x3'}, z4 = {x4, x4'}, z5 = {x6'}, z6 = {x1'}, z7 = {x5'}. Legible O-transitions: a1 = {τ1, τ1'}, a2 = {τ2, τ2'}, a3 = {τ3, τ3'}, a4 = {τ5, τ7'}, a5 = {τ10'}, a6 = {τ4, τ12'}, a7 = {τ5'}; the arc into z7 = {x5'} carries τ4'.]

Figure 2.7: Diagnoser for the DES model of Figure 2.6

Repercussions of such indeterminate cycles on attack diagnosability and elimination of traces to break such cycles are as follows:

• ⟨z1, z2⟩: This indeterminate cycle occurs if transition τ2' from x2' (τ2 from x2) is not fired, i.e., PRQP is not sent by the controller. In other words, without sending a probe packet there is no difference in the sequence of ARP events under spoofing attack and normal condition, thereby making the attack (failure Fi) non-diagnosable. This indeterminate cycle can be broken by eliminating the trace ⟨τ1', τ7'⟩ (as τ7' and τ2' are controllable), which is achieved by firing event PRQP at state x2' (or x2).

• ⟨z1, z2, z3, z4⟩: This indeterminate cycle occurs if transition τ4' from x4' is not fired, i.e., the PRSP from the genuine host does not arrive. There can be several reasons why the PRSP from the genuine host does not arrive, namely: (i) the source IP address in RQP (i.e., PRQP_IPD) being verified is non-existent; for a PRQP (τ2') with a non-existent destination IP only the attacker responds (τ3'), as only the attacker knows about the non-existent spoofed IP address; (ii) the source IP address in RQP (i.e., PRQP_IPD) being verified is that of the attacker itself. ⟨z1, z2, z3, z4⟩ could be broken by eliminating the trace ⟨τ1', τ2', τ3', τ12'⟩. It may be noted that this is not possible because transitions τ4' and τ12' are uncontrollable. So, if the source IP address in the IP-MAC pair of RQP (τ1 or τ1') is non-existent or is that of the attacker, the spoofing cannot be detected. It may be noted that these two cases do not lead to severe situations: associating the IP address of a non-existent host, or that of the attacker itself, with a different (false) MAC only diverts traffic destined to the non-existent host or to the attacker (to the host that has the associated false MAC).

Now we discuss a case where the attack is detected. Let the diagnoser reach node z5 by the sequence z1, z2, z3. z5, being an Fi-certain O-node reached by occurrence of a7 (by virtue of τ5'), declares an attack. It may be observed from Figure 2.6 that τ5' corresponds to a PRSP for the PRQP arriving within Treq time whose source MAC is not the same as the source MAC of the RQP under question.

2.5 Experimentation and Result

In this section we present the experimental testbed followed by results. The standard benchmarks for an IDS are accuracy, detection rate, resource consumption, etc. In our case, as some extra ARP messages are generated for probing, we also consider extra traffic statistics as a benchmark along with accuracy, detection rate and resource consumption.

The results under different network traffic situations are provided in this section.

In an ARP request spoofing attack, an attacker sends (by broadcast) an ARP request packet with a falsified IP-MAC pair (in the sender hardware address and sender protocol address fields).

The host with the IP address given in the "target protocol address" field of the request packet updates its cache with the wrong IP-MAC pairing. For example, let there be three hosts A, B and D; A and B are genuine and D is the attacker. In request spoofing (targeting A), attacker D sends a forged ARP request packet with target protocol address IP(A) and sender hardware address-sender protocol address IP(B)-MAC(D); A will update its cache with the MAC address of D for the IP address of B. This results in packets intended for B (from A) being sent to D. On the other hand, if D sends a forged ARP request packet with IP(B)-MAC(X) (where MAC(X) is the MAC address of a non-existing host) then all packets intended for B (from A) will be lost. ARP response spoofing is similar to ARP request spoofing; however, in the case of response spoofing an ARP response packet is used. For the sake of brevity, we illustrate the proposed scheme for the request spoofing attack only; the same holds for response spoofing attacks as well.
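The following Python code is an added example and not the thesis's IDS implementation. It encodes and decodes RFC 826 ARP packets, so the forged sender fields described above can be built explicitly, and it replays constructed packet traces through a runtime form of the request-spoofing diagnoser of Subsection 2.4.3.1: probe on every RQP, then judge the probe responses that arrive within Treq. The host addresses, the IDS address, the Treq value and the always-probe `send_probe` policy are assumptions of the example; the verdict strings are the example's own. As in Figure 2.7, a response for IPS carrying a MAC other than MACS reaches an Fi-certain node (τ5' or τ4'), and silence after the probe is τ10' into the Fi-certain z6 = {x1'}, because the normal model always has a reply to the probe. The trace in which only the attacker answers is the undetectable case (i) of Subsection 2.4.3.1.

```python
import struct

# RFC 826 ARP packet for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def build_arp(oper, sha, spa, tha, tpa):
    """Encode one ARP packet; the sender fields are whatever the caller claims, which is
    exactly what request spoofing abuses."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip4(spa), mac(tha), ip4(tpa))


def parse_arp(raw):
    """Decode the 28-byte ARP payload into the fields the model's guards inspect."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip4 = lambda b: ".".join(str(x) for x in b)
    return {"op": oper, "sha": mac(sha), "spa": ip4(spa), "tha": mac(tha), "tpa": ip4(tpa)}


class RequestSpoofDiagnoser:
    """Runtime form of the diagnoser of Figure 2.7, one RQP at a time. Estimate nodes:
    z1 idle; z2 RQP seen, no probe sent; z3 probe sent; z4 one PRSP carrying MACS seen.
    Reaching an Fi-certain node (z5, z6, z7) is reported as "attack"."""

    def __init__(self, ids_ip, ids_mac, t_req, send_probe=lambda rqp: True):
        self.ids_ip, self.ids_mac, self.t_req = ids_ip, ids_mac, t_req
        self.send_probe = send_probe            # supervisory controller's decision (tau2/tau2')
        self._reset()

    def _reset(self):
        self.node, self.ips, self.macs, self.y0 = "z1", None, None, None

    def on_tick(self, now):
        """Clock invariant y > Treq: z2 and z4 return to z1 (tau5/tau7', tau4/tau12');
        silence in z3 is tau10' into the Fi-certain z6 = {x1'} (per Figure 2.7)."""
        if self.node == "z1" or now - self.y0 <= self.t_req:
            return None
        verdict = "attack" if self.node == "z3" else None
        self._reset()
        return verdict

    def on_packet(self, raw, now):
        """Feed one ARP packet seen at time `now`; returns (verdict, probe bytes or None)."""
        pkt = parse_arp(raw)
        if self.node == "z1" and pkt["op"] == REQUEST:                  # tau1 / tau1'
            self.ips, self.macs, self.y0 = pkt["spa"], pkt["sha"], now
            if not self.send_probe(pkt):
                self.node = "z2"
                return None, None
            self.node = "z3"                                              # tau2 / tau2'
            return None, build_arp(REQUEST, self.ids_mac, self.ids_ip, ZERO_MAC, self.ips)
        if (self.node in ("z3", "z4") and pkt["op"] == REPLY
                and pkt["spa"] == self.ips and now - self.y0 <= self.t_req):
            if pkt["sha"] != self.macs:                                   # tau5' / tau4'
                self._reset()
                return "attack", None
            self.node = "z4"                                              # tau3 / tau3'
        return None, None


# Constructed hosts: A and B are genuine, D is the attacker; the IDS address is assumed.
A_IP, B_IP, B_MAC = "10.0.0.1", "10.0.0.2", "02:00:00:00:00:02"
D_MAC = "02:00:00:00:00:0d"
IDS_IP, IDS_MAC, T_REQ = "10.0.0.254", "02:00:00:00:00:fe", 2.0


def run_scenario(packets):
    """Replay a constructed (time, raw ARP) trace; return the verdict and the probes sent."""
    ids = RequestSpoofDiagnoser(IDS_IP, IDS_MAC, T_REQ)
    verdicts, probes = [], []
    for t, raw in packets:
        verdicts.append(ids.on_tick(t))
        v, probe = ids.on_packet(raw, t)
        verdicts.append(v)
        if probe:
            probes.append(parse_arp(probe))
    verdicts.append(ids.on_tick(packets[-1][0] + T_REQ + 1))   # let the clock run out
    return ("attack" if "attack" in verdicts else "no attack"), probes


# Normal: B asks for A; only B answers the IDS probe, with its own MAC.
NORMAL = [(0.0, build_arp(REQUEST, B_MAC, B_IP, ZERO_MAC, A_IP)),
          (0.2, build_arp(REPLY, B_MAC, B_IP, IDS_MAC, IDS_IP))]
# Request spoofing: D claims IP(B)-MAC(D) towards A; D and the real B both answer the probe.
SPOOFED = [(0.0, build_arp(REQUEST, D_MAC, B_IP, ZERO_MAC, A_IP)),
           (0.1, build_arp(REPLY, D_MAC, B_IP, IDS_MAC, IDS_IP)),
           (0.3, build_arp(REPLY, B_MAC, B_IP, IDS_MAC, IDS_IP))]
# Undetectable case (i) of Subsection 2.4.3.1: the spoofed IP has no owner and only D answers.
GHOST = [(0.0, build_arp(REQUEST, D_MAC, "10.0.0.77", ZERO_MAC, A_IP)),
         (0.1, build_arp(REPLY, D_MAC, "10.0.0.77", IDS_MAC, IDS_IP))]
# Spoofed IP with no owner and no answer at all: tau10' leads to the Fi-certain z6.
SILENT = [(0.0, build_arp(REQUEST, D_MAC, "10.0.0.77", ZERO_MAC, A_IP))]
```

`run_scenario(SPOOFED)` and `run_scenario(SILENT)` return "attack", while `run_scenario(NORMAL)` and `run_scenario(GHOST)` return "no attack"; the last of these is exactly the blind spot the text notes, since a reply carrying the spoofed MAC is indistinguishable from τ3. The probe the IDS emits is an ordinary ARP request for IPS from the IDS's own address, so the extra traffic is one broadcast per verified RQP.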

2.5.1 Testbed Architecture

As ARP is stateless, the sequence of ARP packets under normal and spoofed conditions is the same. So for detection of spoofing, a mechanism is required that can create a difference in the packet sequence under normal and attack conditions; this concept is used in the proposed IDS. The basic architecture of the network being monitored using the IDS is shown in Figure 2.8. As shown in the figure, the IDS comprises a DES diagnoser and a supervisory