A machine learning method for analysing malicious network traffic at the application layer (DHCP Spoof)
Saved in:

| Date: | 2025 |
|---|---|
| Authors: | , , , , , |
| Format: | Article |
| Language: | Ukrainian |
| Published: | Kamianets-Podilskyi National Ivan Ohiienko University, 2025 |
| Online access: | http://mcm-tech.kpnu.edu.ua/article/view/332335 |
| Journal title: | Mathematical and computer modelling. Series: Technical sciences |
Abstract:

DHCP (Dynamic Host Configuration Protocol) is a critically important component of network infrastructure that provides automatic assignment of IP addresses and configuration parameters to clients. However, because the base protocol has no authentication mechanism, it is vulnerable to DHCP spoofing attacks, in which an attacker impersonates a legitimate server and delivers malicious configuration settings to clients. This paper proposes a machine learning–based approach for detecting such attacks, capable of identifying both standard spoofing scenarios involving fake IP addresses and more sophisticated ones involving MAC address spoofing under a legitimate IP address.

As part of the study, a tool was developed to generate DHCP traffic simulating a variety of behaviours, including normal sessions, attacks from rogue IP addresses, and impersonation of legitimate servers. The application of machine learning (ML) methods is proposed for traffic analysis based on real-time data capture using the Wireshark platform. From the captured PCAP files, dataset generation was automated, producing a compact yet informative feature set (e.g., the number of unique IP/MAC addresses, the MAC address of the first responder, and IP-to-MAC consistency). The classification model built using a decision tree demonstrated high accuracy and the ability to detect both types of attacks.

The proposed method offers significant advantages over classical approaches such as DHCP Snooping, which require manual configuration and are ineffective against attacks involving MAC spoofing. The developed model and methodology demonstrate exceptional reliability, achieving 100% detection accuracy for DHCP spoofing attacks, which is critical for maintaining real-time network responsiveness. The results confirm the effectiveness of behavioural analysis of DHCP sessions combined with machine learning techniques for anomaly detection, opening up new possibilities for integration into practical traffic monitoring and network security systems.