D-ARP: An Efficient Scheme to Detect and Prevent ARP Spoofing

Nowadays, cyber-attack is a severe criminal violation, and it is one of the most active fields of research. A man-in-the-middle (MITM) attack is a type of cyber-attack in which an unauthorized third party secretly accesses the communication between two hosts in the same network to read or modify the data transferred between them. An ARP spoofing-based MITM attack exploits a weakness of the ARP protocol: the attacker associates its MAC address with the IP address of an intended legitimate host. Although there are many defense approaches against ARP spoofing-based MITM attacks, these methods are incomplete or impose a performance overhead since they modify the original ARP protocol. Also, some of these approaches depend on a centralized server, which leads to a single point of failure. This paper presents a detection scheme for ARP spoofing-based MITM attacks called D-ARP, which is compatible with the original ARP protocol. The main idea of D-ARP is to send an ARP packet signed with a key in parallel with the original ARP packets in order to correlate requests and replies. Each host records the signed ARP packets, whether requests or replies, in a log file. Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address. For more reliability, D-ARP uses the DHCP server and the Nmap feature to detect the MAC addresses of MITM attackers. Moreover, this scheme also offers a module for the admin to create a trusted list of hosts. The experimental results show that D-ARP is very effective at detecting and preventing ARP spoofing, with zero false positive and zero false negative probabilities, without any modifications to the original ARP protocol.

original ARP protocol. D-ARP is a new scheme to detect and prevent ARP spoofing-based MITM attacks by sending an ARP packet signed with a key in parallel with the original ARP packets in order to correlate requests and replies. Each host records the signed ARP packets, whether requests or replies, in a log file. Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address.
The D-ARP scheme guarantees the following:
• There is no modification in the original ARP.
• There is no false positive or false negative probability.
• Fully automated process, with no headache for the admin.
• No delay in sending or receiving packets.
• No additional overhead.
• No single point of failure.
This paper is organized as follows: Section II reviews the literature related to this work. Section III provides an overview of ARP spoofing. Section IV describes our proposed scheme in detail. Experimental results are presented in Section V. Finally, Section VI concludes this paper and introduces future directions.

II. RELATED WORK
It is very important to detect malicious nodes in the network [12], [13]. To detect ARP spoofing, some networks use software tools such as Arpwatch and Wireshark. Arpwatch [14] is used to detect ARP spoofing, but it depends on the administrator to determine the malicious pairs, which leads to a high false positive probability. Wireshark can also be used to detect spoofing by detecting duplicate use of IP addresses, but it does not detect all forms of cache spoofing and it is not able to prevent ARP spoofing.
Therefore, many defense approaches against ARP spoofing attacks have been proposed. These schemes can be classified into cryptographic solutions, server-based solutions, static entry solutions, voting-based solutions and host-based solutions. Cryptographic solutions are the most common way to prevent attacks, such as [15]-[17], which are based on authentication hash functions to generate keys (i.e., public and private keys), but these solutions almost always need to update the ARP protocol itself.
A server-based solution such as [18] depends on passing packets through a trusted server to be analyzed. The main limitation of these schemes is that the server itself is a single point of failure. Static entry methods are the simplest way to prevent ARP spoofing, relying on assigning IP addresses manually, such as [19]; the disadvantage of these methods is that they are not suitable for dynamic environments and large-scale networks. Voting-based techniques such as [20]-[23] provide an enhancement of the ARP protocol that depends on other hosts to determine the fake <IP, MAC> mappings, but these have additional overhead and must follow a new ARP protocol. A proportion of host-based solutions depend on duplicate replies or machine learning. The main drawback of these approaches is that they are not practical, and it is difficult to decide the level of trustworthiness and importance of each host.
S-ARP [15] is one of the most common cryptography-based approaches. This approach is considered backward compatible with the ARP protocol and provides authentication of ARP replies through public-key cryptography. During the initial contact, all hosts generate public and private key pairs and transmit them to the Authoritative Key Distributor (AKD) with signed certificates. The server then distributes these keys to the hosts. By using these keys, any host can identify the legitimate users. S-ARP is the common scheme to prevent ARP spoofing based on authentication.
This scheme has a lot of drawbacks. Firstly, it depends on the Authoritative Key Distributor to authenticate replies, which is a single point of failure in the network. Also, hosts need to communicate with the AKD every time they receive an ARP reply in order to request the public keys of ARP request senders. If this distributor is down, ARP packets sent by a previously unknown host cannot be verified by the receiving host (i.e., the sender's public key is not in the destination's key ring). Secondly, even if the AKD is working legitimately, an attacker can impersonate a host that goes down by cloning the hardware address of that host (but only until the cache entry of the impersonated host, in the host being attacked, expires). Thirdly, this scheme does not support the dynamic assignment of IP addresses. Although S-ARP requires dealing with its own ARP protocol, it also requires an upgraded DHCP server called S-DHCP; incremental deployment is not easy, and a host may not accept ARP replies from non-S-ARP hosts. This means that S-ARP requires updates in two protocols. Fourth, one of the most crucial problems with this approach is the processing time to encrypt, decrypt, and send extra packets to get the public key or get the host verified; all this extra processing time is a performance overhead compared to the current ARP protocol. Finally, S-ARP checks ARP replies only, while victims may be deceived by sending an ARP request [24]-[27].
The authors in [18] proposed a solution to overcome the authentication shortage and solve the voting method issue. The main idea of this solution is to use a centralized server. This server has all <IP, MAC> pairs of each host inside the LAN. All hosts have a table that contains the trusted <IP, MAC> pairs, so a host can detect the attack easily and send everything about it to the centralized server.
Rupal et al. [28] introduced a detection and prevention algorithm for ARP spoofing that depends on host authentication. This algorithm sends ICMP packets to construct a table that holds the combination of IP address and corresponding MAC address for all hosts in the network; this table is called the secondary cache. The main idea of this scheme is to detect duplication of the MAC address of an ARP reply in the secondary cache, which is responsible for checking the IP-MAC addresses of the respective systems in the network. B. Prabadevi [29] presented a system based on analyzing packets to mitigate ARP spoofing using timestamps. It analyzes the contents of all ARP packets (requests and replies) to check whether the Ethernet header is consistent with the ARP header or not. Then, a broadcast alert message with a timestamp is generated for these valid messages, and every 20 minutes the system clears the ARP cache.
Hijazi et al. [19] proposed a client/server solution. It does not need any special software to be installed, since the server is responsible for detecting the attack. The solution depends on collecting all <IP, MAC> pairs automatically from ARP cache tables. After validating the <IP, MAC> pairs, it constructs a table containing these pairs and registers them in a proxy server, which detects the attacker when it connects to the server with the same registered IP address.
A defense method presented in [30] depends on semi-static ARP entries to prevent ARP spoofing. Its main idea is to validate and manage the static ARP entries and to remove the manual adding of entries into the cache table. It does not need any modification of the ARP protocol or devices. However, it cannot work in dynamically addressed environments and is not suitable for large-scale networks.
Xia et al. [31] proposed a defense solution for ARP spoofing oriented to the OpenFlow platform. This mechanism is implemented as a module of the POX controller, which exploits the SDN advantages to make OpenFlow defend against ARP spoofing. Active ARP Inspection (AAI) is a centralized unit implemented on OpenFlow to manage its features. All ARP packets on the local subnet are forwarded to the controller to be processed by AAI. This mechanism is not flexible enough to integrate.
Singh et al. [32] presented a mechanism to validate new associations. Each host maintains a secondary table file to store the <IP, MAC> bindings. When the host receives a new binding, it is validated by sending two ICMP probe packets, one to the previous binding and the other to the new one. A new entry for a host without a previous entry in the ARP cache is validated by using ARP packets to find all hosts claiming that IP, used together with an ICMP packet to provide a two-phase validation.
The authors in [33] presented a scheme in an SDN environment to detect and prevent spoofed ARP packets by extending the SDN controller to check every packet within the network. The mechanism depends on using the POX controller with the L2 learning module, an OvS switch, and a DHCP server that generates the DHCP offer packets. On the connected switches, flow rules are established to forward all ARP and DHCP packets to the controller. POX also maintains a primary table containing IP-to-MAC address pairs for each device on the network, which is generated from the received DHCP offer packets. POX tells the switches to ignore received ARP packets with MAC addresses that are not in the primary table, and a flow rule is then installed for the originating OvS port. The drawback of this solution appears when the network expands and the traffic increases.
The algorithm in [34] is used to detect a man-in-the-middle and its location, and depends on studying the nature of ARP spoofing itself. The algorithm is considered a switch-based detection approach. First, it uses a data structure to save data from ARP packets. Then, the switch can determine the spoofing location.
VOLUME 4, 2016
A host-side solution based on ARP analysis to detect attacks is proposed in [35]. This solution combines machine learning and signal processing to detect MITM attacks, and introduces "statefulness" into the ARP protocol by adding a padding layer to the frame and encoding a binary value and a sequence number to match a corresponding ARP request to its reply. The detection mechanism depends on the time taken for an ARP request to be sent directly from one host to another, which differs from the case where an attacker intercepts the traffic.
Girdler et al. [36] proposed a solution to ARP spoofing and blacklisted MAC addresses. This solution is a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS). Detection is accomplished by dynamically adjusting the SDN's operating parameters to detect malicious network traffic. Each incoming packet, after it is accepted by a PacketIn event, is processed by one of four functions (i.e., ARP Request Spoofing, ARP Reply Spoofing, ARP Reply Destination Spoofing, and Blacklisted MAC Addresses) to detect the type of spoofing. The IDPS can also identify devices whose MAC address has previously been blacklisted through the IDPS configuration tool.
The authors in [37] presented an algorithm that depends on sniffing and analyzing all incoming ARP packets. The basic step is to compare the real MAC address with the response MAC address of the sniffed ARP packet to detect conflicts. After capturing the ARP packet, it is analyzed to obtain the source MAC address of the sniffed ARP packet and the real physical address of the sender. If there is a conflict between the real MAC address and the response MAC address, then there is an ARP attack. This paper also relies on static entries to prevent ARP spoofing.
A client/server-based intrusion detection system (CSIDS) was proposed in [38]. This protocol depends on a client/server model for exchanging and controlling the resolution messages between system members. CSIDS requires sending a control message to the server for every suspicious packet to check whether a host is in its cache table or not. If it is not in the cache table, CSIDS uses a voting technique over each host in the LAN; upon receiving the answers, the server replies to the requesting client with a positive or negative packet. Although the system is effective, the voting process takes time, which increases the delay between sending the query packet to the server and receiving its response.

A. ADDRESS RESOLUTION PROTOCOL
Each device connected to the Internet has two addresses: an IP address and a MAC address. An IP address is assigned to each device when it connects to the Internet or a local LAN. Furthermore, it is a dynamic address that changes every time the device connects to a network from a different place, while the MAC address is unique. The ARP protocol is used to find the MAC address corresponding to an intended IP address [39].
An ARP packet is encapsulated in an Ethernet frame, which is constructed whenever the sender needs the MAC address of the destination in order to communicate with it. Knowing the IP address of the destination, ARP maps this IP address to the data link layer address (MAC address). Figure 2 represents the format of the ARP request/reply in the Ethernet frame [40]. ARP was designed to work effectively under regular circumstances, not to deal with malicious hosts. In the normal case, if host A needs to communicate with host B in the same network and the MAC address of host B is unknown to host A, host A sends a broadcast ARP request to all devices in the network and receives a single unicast ARP reply from host B; this ARP reply contains the MAC address of host B. Each host has a cache table that records the IP and MAC pairs of all hosts it has contacted before. Figure 3 illustrates an example of the cache tables of three devices after host A sends a broadcast ARP request and receives a unicast ARP reply from host B [24], [41], [42].

B. ARP SPOOFING-BASED MITM
ARP spoofing is the most common type of spoofing, as it is damaging and easy to perform. An ARP spoofing-based MITM attack exploits the weakness of the ARP protocol whereby an unauthorized third party can secretly access the communication between two hosts in the same network. According to the ARP protocol, operating systems maintain a cache table of ARP replies from different hosts in order to minimize the number of ARP requests that are broadcast. When a host receives any ARP packet, it automatically updates its ARP cache table with the new <IP, MAC> association entry. Note that the <IP, MAC> mapping received in an ARP reply is used to update the ARP cache even if that sender's IP address is already in the table [8], [43].
Since ARP is a stateless protocol, any host can easily be spoofed by forged messages, as there is no correlation between ARP requests and replies. This leads to untrusted <IP, MAC> pairs in the ARP cache table. In an ARP spoofing attack, the attacker sends ARP requests or replies with fake <IP, MAC> mappings (i.e., the IP address of the destination and the attacker's MAC address) in an attempt to poison the cache tables of the other hosts on the LAN. Therefore, packets are redirected to the attacker instead of the legitimate destination. There are two general ways in which an ARP poisoning attack can be accomplished: the attacker can either wait to see ARP requests for a specific target and send a reply, or transmit a gratuitous ARP reply, an unsolicited broadcast packet, which means it is possible to receive a reply without a matching request [44]-[46]. In

IV. PROPOSED SCHEME
This section presents the overall architecture of the D-ARP scheme for ARP spoofing detection and prevention, and then introduces the three D-ARP modules in detail (i.e., host, admin, and DHCP modules).

A. OVERALL SCHEME ARCHITECTURE
D-ARP is a detection and prevention scheme that is compatible with the original ARP protocol and follows its characteristics for sending a broadcast, receiving a reply, timeout, and cache [8]. As mentioned in Section III, the main problem in the ARP protocol is that there is no correlation between requests and replies. Therefore, the cache table can easily be updated by forged messages. The main idea of the D-ARP scheme is to solve the problem of reply duplication and to prevent the five different forms of cache table poisoning mentioned before, without any changes to the original ARP protocol. In order to correlate requests and replies, an encrypted key is injected into the D-ARP requests, and these requests are sent in parallel with the original ones. Therefore, D-ARP should be installed on all hosts within the LAN. On each host, all signed ARP requests and replies are recorded in a log file, which is used to correlate signed requests and replies. All requests and replies are also recorded in the ARP cache table after three levels of validation (i.e., DHCP server, Nmap feature, and log file). Furthermore, the network administrator can create a trusted list that is inserted automatically into all hosts' cache tables. The main D-ARP steps are:
1) The DHCP server grants IP addresses to all hosts within the LAN.
2) The DHCP server and the Nmap feature are used as two additional levels of validation to validate the sender and destination <IP, MAC> pairs of all packets.
3) The scheme provides a monitoring function for the admin that allows him/her to see all ARP request and reply packets transmitted and received within the LAN.
4) The admin creates a trusted list containing static entries on both the DHCP server and the ARP cache table; this list can be modified by the admin only. Once any host in the LAN becomes active, its ARP cache table is updated automatically from the trusted list. This contributes to the reduction of network congestion. For example, host A connects directly with host B without sending a broadcast ARP request if the IP address and the MAC address of host B are in the trusted list.
5) Hosts that are not in the trusted list send a D-ARP request or reply in parallel with the original one.
6) Unsigned ARP replies are automatically discarded, while signed ones are recorded in a log file as a third level of validation to automatically detect any of the five forms of ARP cache table poisoning mentioned above.
7) Once a detection occurs, D-ARP informs the victim and the admin about the attack details and provides the evidence to expose the attacker through the three levels of validation. Also, the victim's ARP cache table is cleared and updated again from the trusted list.
D-ARP consists of three modules: the host, DHCP server, and admin modules, described in detail below.

B. HOST MODULE
D-ARP is a host-based solution, so it manages all ARP packets to detect and prevent ARP spoofing. Figure 5 illustrates the host GUI, which is divided into two parts (i.e., left and right). The left part contains:
• The IP and MAC addresses of the host itself.
• The interface used to send a packet.
• The IP address of the destination host, used when sending a broadcast packet.
• The "Send ARP request" button.
The right part contains the information of all received requests and replies. Here, there are two types of replies:
1) Original reply without a key.
2) D-ARP reply with a key.

1) Key Generation
Key generation is an essential step in the scheme implementation. Many cryptographic hash functions are used to generate digital signatures for preventing attacks, such as the Secure Hash Algorithm (SHA)-3 and the Rivest-Shamir-Adleman (RSA) algorithm [48], [49]. The main purpose of the key is to bind a request with its reply and to distinguish (i.e., differentiate) between different requests, so this key should be very lightweight, as described before. To achieve this, we can use a simple function with light calculations, which also keeps the host itself immune to other attacks. Simple calculations also save time and avoid delays in sending requests [50], [51]. Each host generates a different key for each broadcast request using a simple function. The key is generated from a collection of random characters consisting of letters, numbers, and symbols; the output of this function is then encrypted by the Cipher algorithm [52], a simple cryptographic hash function that needs neither complex calculations nor much time. The complexity of the key generator is constant.
The key consists of eight characters, such as f#QK2bM, f6Zdv@cl, 9ZWn$q6 and !@NTeK@O. The default size of an ARP packet (i.e., request or reply) is 28 bytes, while the size of a D-ARP packet after adding the key field is 36 bytes, as shown in Figure 6. Therefore, the length of each key is 8 bytes; it is possible to extend the ARP packet size to 60 bytes [35] for experimental purposes.
Since D-ARP uses keys of at most 8 bytes, the key space is limited to 26 letters + 10 digits + 8 symbols = 44 characters and 44^8 = 1.4048224e+13 possible unique keys, so each host in the proposed scheme may generate up to 1.4048224e+13 keys, which increases the variety of generated keys and reduces the chance of a repeated key. The verification of D-ARP requests depends on the sender IP address, key, and MAC address together, taken from the log file.

FIGURE 6. D-ARP packet header
Another, more secure way is to apply a cryptographic technique to generate a digital signature for each request's key. We use the RSA cryptosystem combined with the Secure Hash Algorithm (SHA-256) in the proposed scheme [53]. We use the SHA-256 hash function to generate a random key for each request packet, and then the RSA algorithm is used to encrypt it.
RSA is a secure asymmetric cryptography algorithm for reliable data transmission, which uses a public key for encryption and requires another key (i.e., the private key), known only to the intended destination and kept secret, for decryption [54]. RSA can be used either for encryption (i.e., ensuring that the attacker cannot read packets sent to the intended destination from a specific source) or for signing requests to guarantee that they were transmitted by a legitimate host. Thus, we ensure that spoofing cannot be accomplished by sending a request or a gratuitous request.
The proposed scheme aims to protect ARP cache entries from attacks by generating a signature for each request. Also, the proposed scheme requires generating public and private keys for each host and encrypting with RSA. Keys are generated and distributed by the administrator via secure channels. On the sender side, the sender encrypts the signature with its private key, because it does not know the destination, and then sends the broadcast request with the signature. On the destination side, the host decrypts the signature with the sender's public key and sends a unicast reply. Therefore, only the intended host can send a unicast encrypted reply, and an attack can be easily detected.
2) Request/Reply scenario
By using the "Send ARP request" button, we can send a D-ARP broadcast packet to all hosts in the LAN. The details of the request appear at the bottom of the left-hand side. At the same time, other hosts' cache tables are updated with the <IP, MAC> pair after validation against the DHCP-Nmap list, to remain compatible with the original ARP protocol. The pseudocode of the proposed sender-side algorithm for sending a request is given in Algorithm 1. Figures 7 and 8 illustrate a normal case of sending and receiving packets using the cipher algorithm and the RSA algorithm, respectively.

Algorithm 1 Sending a request (Sender Side)
    appendInLogFile(sndrIP, sndrMac, destIP, destMac, key)
    ARPpkt = structARPRequestpkt(sndrIP, sndrMac, destIP, destMac, key)
    sendARPpkt(ARPpkt)
    updateGUI(ARPpkt)
  else
    ARPpkt = getInformationFromARPCacheTable()
    sendARPpkt(ARPpkt)
    appendInLogFile(ARPpkt)
    updateGUI(ARPpkt)
  end if

When the destination host receives a request packet, it checks the validity of the <IP, MAC> pair before updating the cache table. Each host has a small log file that contains specific information from the D-ARP packet header, such as the key, the packet type (request or reply), sender IP, sender MAC, destination IP, and destination MAC. After checking the validity of the request, it sends a D-ARP reply and updates the log file with the request details. In case of any mismatch, it drops the packet, which means a forged request has been detected. The pseudocode of the proposed destination-side algorithm, in which the host receives a request and detects spoofing from forged requests, is given in Algorithm 2.

Algorithm 2 Receiving requests and detecting spoofing (Destination Side)
Input: receiving request packet, host IP address
Output: update GUI and cache
        Alert: Spoof detected, Forged Request
        removeFromCacheTableAndLogFile(spoofedpkt)
        informAdmin(spoofedpkt)
        isSpoofed = true
      end if
    end if
  else
    if isValidated(pkt.getSndrIP(), pkt.getSndrMAC()) then
      appendInLogFile(pkt)
    else
      Alert: Spoof detected, Forged Request
      removeFromCacheTableAndLogFile(pkt)
      informAdmin(pkt)
      isSpoofed = true
    end if
  end if

After recording signed packets in the log file, D-ARP checks the <IP, MAC> pair and key of every received reply. If there is any conflict in MAC addresses, the host is notified that there is an attacker. Also, an alert message appears containing the attacker's information, and the host removes these packets from the log file. Then the spoofing data is sent to the admin, and the attacker is blocked automatically.
We classify ARP spoofing detection into two cases:
• Case 1, D-ARP detects the attacker: when the host receives a request or a reply whose IP and MAC pair differs from the one in the DHCP-Nmap list. After detecting the spoofing, we prevent the attacker by blocking the MAC address.
• Case 2, D-ARP detects the attacker: when the host receives more than one reply and detects a conflict or duplication of MAC addresses for the same IP, or a duplication of keys. After detecting the spoofing, D-ARP collects all MAC addresses from the replies. Through the DHCP-Nmap list, D-ARP easily determines the forged MAC address and prevents it.
The pseudocode of the proposed algorithm for receiving replies is given in Algorithm 3. When spoofing has occurred, hosts are notified and the information is sent to the admin, who decides who the attacker is.
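As an added illustration of the host module's sender and receiver logic (this is not the authors' code; the DHCP-Nmap list is modelled as a plain dictionary, and the 8 symbols of the key alphabet, the hypothetical class and method names and the status strings are assumptions), the following Python simulation generates the per-request key, records it in the log, and applies the two detection cases to incoming replies:

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Alphabet as counted in the paper: 26 letters + 10 digits + 8 symbols = 44.
# The paper does not list its 8 symbols; this choice is an assumption.
KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz" + "0123456789" + "!@#$%&*?"
KEY_LENGTH = 8  # the key field that grows a 28-byte ARP packet to 36 bytes


def key_space_size() -> int:
    """Distinct keys a host can generate: 44 ** 8 = 14,048,223,625,216."""
    return len(KEY_ALPHABET) ** KEY_LENGTH


def generate_key() -> str:
    """A fresh random key per broadcast request (constant cost, no heavy crypto)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))


@dataclass
class Packet:
    """The D-ARP header fields that a host records in its log file."""
    kind: str             # "request" or "reply"
    sndr_ip: str
    sndr_mac: str
    dest_ip: str
    dest_mac: str
    key: Optional[str]    # None for an original (unsigned) ARP packet


@dataclass
class DArpHost:
    """Host module (hypothetical name): log-file correlation plus DHCP-Nmap validation."""
    ip: str
    mac: str
    dhcp_nmap_list: dict                  # trusted IP -> MAC bindings (constructed)
    log: list = field(default_factory=list)
    cache: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)   # evidence handed to victim and admin

    def send_request(self, dest_ip: str) -> str:
        """Sender side: sign the broadcast request with a key and log it."""
        key = generate_key()
        self.log.append(Packet("request", self.ip, self.mac, dest_ip, "ff:ff:ff:ff:ff:ff", key))
        return key

    def _pending_request(self, key: str) -> Optional[Packet]:
        return next((p for p in self.log if p.kind == "request" and p.key == key), None)

    def receive_reply(self, reply: Packet) -> str:
        """Receiver side: three validations, then update the cache or raise an alert."""
        if reply.sndr_mac in self.blocked:
            return "discarded_blocked"            # prevention: attacker MAC already blocked
        if reply.key is None:
            return "discarded_unsigned"           # step 6: unsigned replies are dropped
        req = self._pending_request(reply.key)
        if req is None or req.dest_ip != reply.sndr_ip:
            return "discarded_unsolicited"        # no request of ours carries this key
        expected = self.dhcp_nmap_list.get(reply.sndr_ip)
        # Case 1: the <IP, MAC> pair disagrees with the DHCP-Nmap list.
        if expected is not None and expected != reply.sndr_mac:
            return self._spoof_detected("case1", {reply.sndr_mac}, reply)
        # Case 2: an earlier logged reply with the same key claims a different MAC.
        conflicting = {p.sndr_mac for p in self.log
                       if p.kind == "reply" and p.key == reply.key and p.sndr_mac != reply.sndr_mac}
        if conflicting:
            return self._spoof_detected("case2", conflicting | {reply.sndr_mac}, reply)
        self.log.append(reply)
        self.cache[reply.sndr_ip] = reply.sndr_mac
        return "accepted"

    def _spoof_detected(self, case: str, candidates: set, pkt: Packet) -> str:
        """Alert, block the MAC(s) the DHCP-Nmap list rules out, and refill the cache."""
        expected = self.dhcp_nmap_list.get(pkt.sndr_ip)
        # If the list is silent, the admin decides the attacker; nothing is blocked yet.
        forged = {m for m in candidates if m != expected} if expected else set()
        self.blocked |= forged
        self.alerts.append((case, pkt.sndr_ip, sorted(candidates)))
        self.log = [p for p in self.log if p.sndr_mac not in forged]
        self.cache.pop(pkt.sndr_ip, None)         # victim's poisoned entry is removed ...
        if expected is not None:
            self.cache[pkt.sndr_ip] = expected    # ... and refilled from the trusted list
        return case


if __name__ == "__main__":
    host = DArpHost("10.0.0.1", "02:00:00:00:00:01", {"10.0.0.2": "02:00:00:00:00:02"})
    k = host.send_request("10.0.0.2")
    print(host.receive_reply(Packet("reply", "10.0.0.2", "02:00:00:00:00:02", host.ip, host.mac, k)))
    print(host.receive_reply(Packet("reply", "10.0.0.2", "02:00:00:00:00:99", host.ip, host.mac, k)))
    print(host.alerts, host.blocked)
```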

C. DHCP SERVER MODULE
The DHCP server is responsible for automatically assigning an IP address to every host in the LAN. DHCP has a configuration file that contains static entries. These entries are used by the network administrator to create a trusted list. The DHCP server also helps to solve poisoning of the ARP cache table by gratuitous requests, because it guarantees that each host has a distinct IP address. The admin module can view the online hosts that take an IP from the DHCP server and at the same time use the D-ARP scheme. This module helps to detect the attacker, as discussed later in the detection cases.

D. ADMIN MODULE
As shown in figure 9, the admin GUI has 5 tabs.
In order to reduce the number of broadcast requests in the LAN, the admin creates a trusted list; this list is
In figure 15, all hosts in the trusted list in figure 9 are inserted in the cache table of host A.
To be compatible with the original ARP to make sure D-ARP is
Displayed every ARP packet sent and received within
Then we have the detection scenarios:
First scenario: If the victim host receives two replies for the same request with the same key and different MAC addresses, an alarm message appears to report that there is an attacker, along with its MAC address, as shown in figure 16. Then the information in the reply packets is sent automatically to the admin to identify the attacker itself, as shown in figure 17.
Second scenario: If the victim host receives more than one reply for the same request with different keys and different MAC addresses, an alarm appears to report that there is an attacker, along with its MAC address, as shown in figure 18. This information is also sent to the admin, as shown in figure 19.
In table 2, we compare our proposed scheme D-ARP with the related methods. This table shows clearly that D-ARP proves its efficiency, as it outperforms the previous prevention methods S-ARP [15], [55], [29] and [36].

VI. CONCLUSION AND FUTURE WORK
In this paper, we propose the D-ARP scheme for detecting and preventing ARP spoofing-based MITM attacks, which can be installed easily on all hosts. We successfully proved the efficiency and credibility of the D-ARP scheme. It is considered a complete solution to detect all forms of ARP spoofing and identify the attacker without any changes to the ARP protocol. D-ARP is effective at reducing network congestion since D-ARP
TABLE 2 (header only): Name | S-ARP [15] | Ref. [55] | Ref. [29] | Ref. [