Scanning Worm Detection with ARP Anomaly in Local Area Network

J. Sun and J. Yi (PRC)


Address Resolution Protocol (ARP), Anomaly Detection, Scanning Worm


A local area network (LAN) is usually partitioned into multiple virtual LANs (VLANs). A scanning worm targeting systems within its own VLAN exhibits anomalous behavior distinct from normal Address Resolution Protocol (ARP) activity. The paper proposes an anomaly-based technique that uses the ARP activity of individual hosts to detect the propagation of scanning worms. Our experiments indicate that this technique is both accurate and rapid in detecting and containing worm propagation in a LAN.
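As an added illustration (not the paper's algorithm or code), one simple per-host ARP anomaly check counts how many distinct IP addresses each host sends ARP requests for within a sliding window. The window length, threshold, function names and sample events are assumptions constructed for this example.

```python
from collections import defaultdict, deque

WINDOW_MS = 10_000   # assumed sliding window length (milliseconds)
MAX_TARGETS = 8      # assumed limit on distinct IPs ARP-requested per window

def detect_arp_scanners(events, window=WINDOW_MS, max_targets=MAX_TARGETS):
    """events: time-ordered (ts_ms, op, sender_ip, target_ip) tuples.
    Returns {sender_ip: ts_ms of the request that first exceeded the limit}."""
    recent = defaultdict(deque)          # sender -> (ts, target) inside the window
    flagged = {}
    for ts, op, sender, target in events:
        # Only requests reveal who a host is trying to reach; skip replies
        # and gratuitous ARP (sender announcing its own address).
        if op != "request" or sender == target:
            continue
        q = recent[sender]
        q.append((ts, target))
        while ts - q[0][0] > window:     # expire requests older than the window
            q.popleft()
        if sender not in flagged and len({t for _, t in q}) > max_targets:
            flagged[sender] = ts
    return flagged

def build_sample():
    """Constructed sample traffic for one VLAN (10.0.0.0/24)."""
    ev = []
    # Normal client: re-resolves its gateway every 2 s.
    ev += [(2000 * i, "request", "10.0.0.5", "10.0.0.1") for i in range(30)]
    # Gateway replies to many hosts quickly: replies are not counted.
    ev += [(1000 + i, "reply", "10.0.0.1", f"10.0.0.{50 + i}") for i in range(20)]
    # Busy but slow host: 12 different peers, one every 10 s.
    ev += [(10_000 * i, "request", "10.0.0.7", f"10.0.0.{100 + i}") for i in range(12)]
    # Scanning host: sweeps 10.0.0.1-40 at one request per 100 ms.
    ev += [(5000 + 100 * i, "request", "10.0.0.23", f"10.0.0.{1 + i}") for i in range(40)]
    return sorted(ev)

if __name__ == "__main__":
    for host, ts in detect_arp_scanners(build_sample()).items():
        print(f"ARP anomaly: {host} exceeded {MAX_TARGETS} distinct targets at t={ts} ms")
```

Because the sweep is flagged on its ninth distinct request, a containment action could be triggered while most of the subnet is still unprobed.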

