Detecting man-in-the-middle attacks on non-mobile systems

Authors:
Visa Antero Vallivaara;Mirko Sailio;Kimmo Halunen
Affiliations:
VTT Technical Research Center of Finland, Oulu, Finland;VTT Technical Research Center of Finland, Oulu, Finland;VTT Technical Research Center of Finland, Oulu, Finland
Venue:
Proceedings of the 4th ACM conference on Data and application security and privacy
Year:
2014

Citing 5
Cited 0

Detection and analysis of routing loops in packet traces

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
On the Distribution of Round-Trip Delays in TCP/IP Networks

LCN '99 Proceedings of the 24th Annual IEEE Conference on Local Computer Networks
A low-cost embedded IDS to monitor and prevent Man-in-the-Middle attacks on wired LAN environments

SECUREWARE '07 Proceedings of the The International Conference on Emerging Security Information, Systems, and Technologies
Formal methods for cryptographic protocol analysis: emerging issues and trends

IEEE Journal on Selected Areas in Communications
Measurement and analysis of single-hop delay on an IP backbone network

IEEE Journal on Selected Areas in Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we propose a method for detecting man-in-the-middle attacks using the timestamps of TCP packet headers. From these timestamps, the delays can be calculated and by comparing the mean of the delays in the current connection to data gathered from previous sessions it is possible to detect if the packets have unusually long delays. We show that in our small case study we can find and set a threshold parameter that accurately detects man-in-the-middle attacks with a low probability of false positives. Thus, it may be used as a simple precautionary measure against malicious attacks. The method in its current form is limited to non-mobile systems, where the variations in the delay are fairly low and uniform.