CR · Aug 20, 2021

Suspicious ARP Activity Detection and Clustering Based on Autoencoder Neural Networks

arXiv:2108.09062v1 · 4 citations
AI Analysis

This paper addresses network security for smart device environments, but it is incremental, as it applies existing autoencoder and clustering methods to ARP data.

The paper tackled the problem of detecting suspicious ARP activity on LANs by analyzing ARP traffic sequences and using an autoencoder neural network with K-means clustering, successfully identifying patterns varying in scale, lifespan, and regularity on real-world data from five LANs.

The rapidly increasing number of smart devices on the Internet necessitates an efficient inspection system for safeguarding our networks from suspicious activities such as Address Resolution Protocol (ARP) probes. In this research, we analyze sequence data of ARP traffic on a LAN based on the numerical count and degree of its packets. Moreover, a dynamic threshold is employed to detect underlying suspicious activities, which are further converted into feature vectors to train an unsupervised autoencoder neural network. Then, we leverage K-means clustering to separate the extracted latent features of suspicious activities from the autoencoder into various patterns. Besides, to evaluate the performance, we collect and adopt a real-world network traffic dataset from five different LANs. At last, we successfully detect suspicious ARP patterns varying in scale, lifespan, and regularity on the LANs.
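The first stage of the pipeline described in the abstract (per-host count and degree of ARP requests, then a dynamic threshold) can be sketched as follows. This is an added example, not code from the paper: the window length, the reading of "degree" as the number of distinct target IPs, the mean-plus-K-sigma threshold and the feature encoding are all assumptions, and the events are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60   # seconds per time bucket (assumed)
K = 3.0       # flag when degree > mean + K * stdev of the baseline (assumed)
HISTORY = 5   # trailing windows that form the baseline (assumed)

def bucket(events):
    """Return {window: {sender: (count, degree)}} for ARP request events."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, sender, target_ip in events:
        seen[int(ts // WINDOW)][sender].append(target_ip)
    return {w: {s: (len(t), len(set(t))) for s, t in per.items()}
            for w, per in seen.items()}

def detect(events):
    """Return (window, sender, count, degree) tuples above the dynamic threshold."""
    stats, baseline, flagged = bucket(events), [], []
    for w in sorted(stats):
        # The threshold adapts to recent, unflagged per-host degrees only.
        recent = [d for bw, d in baseline if w - bw <= HISTORY]
        for sender, (count, degree) in sorted(stats[w].items()):
            # The stdev floor of 1.0 avoids flagging tiny changes on a quiet LAN.
            if len(recent) >= 2 and degree > mean(recent) + K * max(pstdev(recent), 1.0):
                flagged.append((w, sender, count, degree))
            else:
                baseline.append((w, degree))
    return flagged

def feature_vector(events, sender):
    """Per-window (count, degree) sequence for one host, as model input (assumed encoding)."""
    stats = bucket(events)
    return [stats.get(w, {}).get(sender, (0, 0))
            for w in range(min(stats), max(stats) + 1)]

def sample_events():
    """Constructed traffic: two quiet hosts, plus one host sweeping 20 addresses in window 4."""
    ev = []
    for w in range(6):
        base = w * WINDOW
        ev += [(base + 1, "02:00:00:00:00:0a", "192.0.2.1"),
               (base + 2, "02:00:00:00:00:0a", "192.0.2.1"),
               (base + 5, "02:00:00:00:00:0b", "192.0.2.1"),
               (base + 9, "02:00:00:00:00:0b", "192.0.2.20")]
    ev += [(4 * WINDOW + 10 + i, "02:00:00:00:00:0c", f"192.0.2.{100 + i}")
           for i in range(20)]
    return ev
```

Tracking degree separately from count is what distinguishes an address sweep from a host that merely repeats requests for one address; the autoencoder and K-means stages would consume vectors such as those returned by `feature_vector`.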
