A data structure records the name and number of switches through which a specific flow passes, the source and destination IP addresses, the source and destination MAC addresses, and the sequence of ports through which the flow passes. Hong et al. collected dynamic information about the topology’s links, which aids in the detection of the attack. SDN provides a novel programming paradigm for detecting attacks, which motivates the development of a solution for dealing with ARP vulnerabilities in the SDN environment. Existing solutions rely on one of the following: checking the traffic against the stored MAC/IP binding, which becomes time-consuming when the network is large; checking the pattern of traffic, which is also time-consuming; cryptographic solutions, which are complex in terms of processing power; creating a flow graph for detection of the ARP Poison attack; or statistical techniques, which are also computationally intensive. The proposed solution for preventing the attack is to block the specific port identified programmatically, which avoids handcrafted feature construction and is thus efficient in terms of time and processor load in mitigating the attack.
Random hosts flood the ARP table to capacity, causing delays in the processing of legitimate requests. These attacks can be mitigated by establishing a secure link. The pictorial representation of the poisoning attack is shown in Fig. 2. ARP Poisoning and ARP Flood are the means to carry out the Eavesdropping and MITM attacks. ARP Flooding is an attack that uses random host machine MAC addresses to flood the host’s ARP table. (2) Crafting an ARP request to a genuine host: In this method, the attacker broadcasts a forged ARP request packet, to which legitimate hosts respond, resulting in false MAC/IP information being stored in the ARP table and the table being poisoned. So, every packet that has to reach the genuine host will now reach the attacker. While crafting the ARP reply, the attacker puts its MAC address in the destination MAC address field. (1) Crafting an ARP reply to a genuine host’s ARP request: In this method, the attacker keeps waiting for the ARP request packet from the genuine host, for which it will craft the ARP reply packet. But if the attacker interferes and maliciously updates the ARP table, it can lead to an attack situation known as an ARP Poison attack. An ARP Poison attack is an attack where the ARP table reflects malicious information, propagated by the attacker by sending fabricated ARP request or reply packets using Scapy. An ARP Poison attack can be performed in many ways, and two are discussed below: The source host (H1) revises its ARP table with the destination MAC address of the host (H2) and the communication proceeds.
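As an added example (not the paper's code, and not its CNN-LSTM classifier), the code below applies the stored MAC/IP binding check listed among existing solutions, together with the port-blocking mitigation, to both ARP Poison and ARP Flooding traffic. The `ArpMonitor` class, the threshold values and the packet tuples are constructed assumptions, and the first binding learned for an IP is assumed to be trusted.

```python
from collections import defaultdict

FLOOD_THRESHOLD = 5    # assumed: max distinct sender MACs per port per window
WINDOW_SECONDS = 1.0   # assumed: sliding-window length in seconds


class ArpMonitor:
    """Controller-side view of ARP packets: IP->MAC bindings and per-port MAC churn."""

    def __init__(self):
        self.bindings = {}               # sender IP -> (MAC, port) as first learned
        self.recent = defaultdict(list)  # port -> [(timestamp, MAC)] inside the window
        self.blocked = set()             # ports selected for blocking

    def observe(self, ts, port, src_mac, src_ip):
        """Classify one ARP packet as 'ok', 'poison', 'flood' or 'blocked'."""
        if port in self.blocked:
            return "blocked"
        # Flood check: one port announcing many distinct sender MACs in a short window.
        window = [(t, m) for t, m in self.recent[port] if ts - t <= WINDOW_SECONDS]
        window.append((ts, src_mac))
        self.recent[port] = window
        if len({m for _, m in window}) > FLOOD_THRESHOLD:
            self.blocked.add(port)
            return "flood"
        # Poison check: an IP with a stored binding is now claimed by another MAC.
        # Limitation: a legitimate address reassignment looks the same, so a real
        # deployment would seed or refresh bindings from a trusted source.
        known = self.bindings.get(src_ip)
        if known and known[0] != src_mac:
            self.blocked.add(port)
            return "poison"
        self.bindings.setdefault(src_ip, (src_mac, port))
        return "ok"


def run_sample():
    """Replay constructed ARP events: (time, switch port, sender MAC, sender IP)."""
    monitor = ArpMonitor()
    events = [
        (0.0, 1, "00:00:00:00:00:01", "10.0.0.1"),  # H1 announces itself
        (0.1, 2, "00:00:00:00:00:02", "10.0.0.2"),  # H2 announces itself
        (0.2, 3, "00:00:00:00:00:03", "10.0.0.2"),  # port 3 claims H2's IP
        (0.3, 3, "00:00:00:00:00:03", "10.0.0.3"),  # port 3 is already blocked
    ]
    # Port 4 sends eight ARP packets with different sender MACs within 80 ms.
    events += [(1.0 + i * 0.01, 4, f"02:00:00:00:00:{i:02x}", f"10.0.1.{i}")
               for i in range(8)]
    return [monitor.observe(*e) for e in events], sorted(monitor.blocked)
```
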
If the IP/MAC pairing is not present in H1, it will broadcast an ARP request packet, which will be answered by the destination host (H2) as shown in Fig. 1. In a traditional network, when the source host (H1) communicates with the destination host (H2), the source host checks its ARP table for the destination MAC address. Each host in the network holds an ARP table that maps IP addresses to MAC addresses. SDN differs from a traditional network, which is non-programmable and static. Although SDN provides several advantages due to the logically centralized controller, it is also vulnerable to a range of threats such as Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, Eavesdropping attacks, Man-in-the-middle (MITM) attacks, etc. ARP is an address resolution protocol that provides the Media Access Control (MAC) address of a host from its IP address. SDN moves the networking industry from a rigid network towards a network defined and managed by software. The attack detection time of 63000 microseconds also demonstrates the efficiency of attack detection. During the attack, a high CPU utilization of more than 97% and a high memory usage serve as experimental evidence. The hybrid Convolutional Neural Network-Long Short-Term Memory (CNN-LSTM) model outperforms the other ML models with an accuracy score of 99.73%. This dataset is used to train the ML model and detect the attacks. A Python application is developed at the SDN controller using Mininet that collects and logs the features required to detect the attack into a file known as a traffic dataset. The classification of benign network traffic from ARP Poison and ARP Flooding attacks is presented in this paper employing machine learning (ML) techniques.
Software-Defined Networking (SDN) is a programmable network architecture that allows network devices to be controlled remotely, but it is still highly susceptible to traditional attacks such as Address Resolution Protocol (ARP) Poisoning, ARP Flooding, and others.