Monitoring ARP Attack Using Responding Time and State ARP Cache

ARP cache poisoning is considered to be one of the easiest and the most dangerous attacks in local area networks. This paper proposes a solution to monitor the ARP poisoning problem, by extending the current ARP protocol implementation. Instead of the traditional stateless ARP cache, we use a state ARP cache in order to manage and secure the ARP cache. We also use a novel approach by monitoring responding time which is different between normal and malicious ARP reply. This method records ARP cache that may be malicious ARP reply, using the records we discover the attackers whose responding time is abnormal comparing with other responding time. Because the network condition is not smooth, the responding time is related to the Normal Distribution function, we use hypothesis testing to make sure who is the attacker.