NETWORK BASED MAN IN THE MIDDLE ATTACK DETECTION USING PACKET SNIFFING AND TRAFFIC ANALYSIS

Ms. K.R. Nandhashree¹, B.S. Shamini², S. Shivdhareni³, R.P. Viveka⁴

Assistant Professor¹, UG Scholar²˒³˒⁴, Department of Cyber Security,
SRM Valliammai Engineering College.

ABSTRACT

This work combines generic packet sniffing with a verbose traffic analysis algorithm. Scapy is used both to construct packets and, through its sniff() function, to capture traffic efficiently; the research examines the variables and consequences of MitM attacks on network traffic. Because the system works on live captures, it analyses traffic as it arrives rather than after the fact. The captured packets are fed to a traffic analysis algorithm that raises an alarm when it sees a traffic pattern consistent with a MitM attack. Packet sniffing concentrates on features such as the IP and MAC addresses carried by each packet, user sessions, and whether the data is encrypted. Discrepancies in these features, for instance changed or irregular paths, delays that do not fit the usual pattern, or sensitive data crossing an outright unencrypted channel, may point to a Man-in-the-Middle attack in progress. Together, packet sniffing and traffic analysis offer a good chance of stopping MitM attacks before they do damage: by identifying potential intrusions at an early stage, network administrators can contain security breaches and protect the data on the network. Sniffing gives administrators an understanding of the network's normal traffic behaviour, so that extraneous, unidentified traffic that could indicate a MitM attack is recognised with reasonable ease. When the traffic is examined in detail, administrators can find signs of actual attacks, attempted unauthorised transfers of data, or attempted impersonation.

Keywords: Packet Sniffing, Traffic Analysis, Scapy, ARP Spoofing, Network Security

INTRODUCTION

In today's connected digital environment, protecting networks is crucial, especially against MitM attacks, in which an attacker takes control of a conversation between two parties while, often, neither target is aware of what is happening. Such attacks are carried out through ARP spoofing, DNS spoofing or session hijacking, and they can compromise the confidentiality, integrity and availability of the communication, leading to theft of information, unauthorised access, or manipulation of data.

Packet sniffing is the first line of defence for noticing man-in-the-middle (MITM) attacks, because it observes the network traffic directly. It lets detection algorithms monitor the packets passing through the network and examine their headers and, where readable, their content for abnormal features: shifts in source or destination addresses, shifts in packet timing, or unauthorised alteration of data. By comparing real-time network activity with a reference baseline or with known signatures of MITM activity, packet sniffing algorithms can raise an alert as soon as a threat appears, so that security teams can respond to suspicious activity quickly and shrink the window in which data can be intercepted or manipulated. Even for encrypted traffic, whose payloads the sniffer cannot read, the observable metadata (addresses, packet sizes, timing, handshake parameters) can still expose malicious traffic that would otherwise stay hidden, which strengthens the network's overall protection against MITM attacks.

Traffic analysis algorithms help identify MITM attacks by observing and analysing the patterns and behaviour within the traffic. They examine parameters such as packet size, frequency and timing in search of signs of interception or manipulation by an unauthorised party. A baseline of the network's regular activity can be established, and the analysis algorithms raise an alarm whenever something deviates from it. They are indispensable for MITM detection because attackers normally leave slight traces in the volume of traffic or in the pattern of connections. Through real-time monitoring and analysis, traffic analysis algorithms contribute to the overall security of networks by enabling early identification and prevention of MITM threats and by protecting confidential information from unauthorised access and modification.

MAN-IN-THE-MIDDLE ATTACK

A Man-in-the-Middle attack is a type of cyber attack that targets two communicating parties: the attacker secretly relays, and possibly alters, the messages exchanged between them. In effect the attacker places himself in the middle of the communication and forwards messages from one participant to the other. This lets him listen in on the conversation, harvest private information such as passwords or bank account details, or change the conversation by injecting his own input. MITM attacks are mounted in a variety of ways, including unauthorised access to unprotected networks such as open Wi-Fi or a compromised router, and they threaten the integrity and confidentiality of the information transmitted through the network.

RELATED WORKS

[1] An experimental validation of the attack-detection capability of encrypted control systems against man-in-the-middle attacks. The validation emulates MITM attacks in an environment that models the actual deployment, so that the robustness of the system can be tested. By simulating the threat with precise attack scripts, the researchers can study how well the system's detectors recognise MITM activity. Adequate testing should probe different attack strengths, encryption algorithms and similar parameters. The experimental results reveal the state of the system and its efficiency under specific conditions, on the basis of which corrections and optimisations can be made. Detailed experimental analysis builds stakeholders' confidence in the effectiveness of encrypted control systems, particularly their attack identification, and so improves the reliability of such systems in critical infrastructures.

[2] MITM attacks intercept and sometimes modify the conversation between a user and a web server in order to eavesdrop on, or alter, the content of the transfer. Session hijacking goes further: the attacker gains unauthorised access to an active user session, which leads to disclosure of sensitive information. Both stem from general weaknesses in encryption, session handling and authentication. Mitigating them requires strengthened measures such as HTTPS deployment, secure session handling and strong authentication. Real-time detection mechanisms that can distinguish the peculiar traffic produced by MITM attacks and session hijacking are also crucial. By addressing these threats and risks in detail, web systems can harden their defences against malicious use and protect the integrity and confidentiality of users' interactions.

[3] A recent development in MITM detection is online network traffic anomaly detection using tensor sketch. Tensor sketching summarises high-dimensional network traffic data into compact, readily analysable representations, so that the first signs of MITM activity, unusual traffic patterns or unexpected changes in the network, can be noticed. Neural networks operate on these sketches and immediately flag potentially dangerous traffic anomalies. Because the approach works online, it offers near real-time detection, which reduces the time an attack remains undetected; the longer an attack goes on, the more damage it can do. Incorporating tensor-sketch-based anomaly detection into existing network security architectures widens the protection against MITM attacks while preserving network integrity and data confidentiality.

[4] A study of the JavaScript static analysis tools used to find vulnerabilities in Node.js packages, which also helps in defending against man-in-the-middle (MITM) attacks. The tools examine the source code of Node.js packages for fundamental issues that could be misused in MITM attacks and report where the vulnerabilities lie, for example insecure dependencies or inadequate input validation. Combining state-of-the-art static analysis with machine learning improves the chance of accurately identifying potential vulnerabilities so that they can be addressed as early as possible. Organisations can compare the available static analysis tools to pick the best ones for securing their Node.js packages against MITM attacks and thereby improve the security posture of their applications and systems.

[5] There are approaches for protecting remote state estimation from stealthy linear man-in-the-middle (MITM) attacks when resources are limited. These MITM attacks intercept and manipulate the sensor data and control commands exchanged between remote devices and the estimation system, and are designed to be hard to detect. The problem is to discover weak signs of MITM activity under constraints such as limited computational or communication capacity. Optimising the anomaly detection algorithm is central to detecting such anomalies efficiently and accurately. With enhanced methods such as anomaly pattern recognition and system optimisation, remote state estimation systems can improve their protection against stealthy linear MITM attacks and safeguard the estimation procedure under limited resources.

[6] Network anomaly detection through IP traffic analysis with variable granularity is an effective way to monitor and counter threats. The proposed method identifies anomalies in IP traffic at various levels of detail, including packet level and flow level. Variable granularity is a flexible way of viewing network activity and makes it possible to see the small shifts that point to malicious activity. The algorithms work on IP traffic data in which packet sizes, frequencies and time intervals are all taken into account. Adjusting the level of detail to network conditions and security needs improves the efficiency of anomaly detection and keeps false alarms down. By analysing all available data, organisations can detect and correct an incipient deviation from normal network activity and raise their level of security.

[7] Securing containerised environments in Kubernetes calls for a mutation-enabled proactive defence against service-oriented MITM attacks. These attacks exploit weaknesses in service-to-service communication, which makes them particularly dangerous. The Kubernetes-based system learns of potential MITM risks and, with the help of mutation-based defence mechanisms, changes service configurations. Real-time monitoring detects activity indicative of MITM threats and triggers measures such as mutating service endpoints or escalating access controls. Because the strategy is proactive, it raises Kubernetes security by making such attacks unlikely to succeed. It validates the content of services of all kinds and maintains the confidentiality of inter-service communication, which improves the overall robustness of the service mesh in a Kubernetes infrastructure and protects fundamental assets against modern cyber threats.

[8] Detecting persistent DoH traffic boosts MITM detection by identifying malicious DNS tunnelling tools. DNS tunnelling sneaks such tools past network security by using DoH to encrypt unauthorised data inside DNS queries. Infrequent communication can be an abnormal pattern, as can the size of the queries or the number and frequency of DoH traffic flows. Intelligent algorithms for real-time processing and threat identification give a quick way of spotting threats. By concentrating on DoH traffic that persists over time, DNS-tunnelling-based MITM attacks can be prevented and network protection and data confidentiality strengthened.

[9] Inferring the service intent behind encrypted DNS traffic from its features improves MITM attack identification. This approach analyses encrypted DNS queries and responses to extract the intention of the original service request and then looks for behaviour that indicates the presence of a MITM. By characterising the frequency, timing and content of DNS traffic, the system can draw conclusions about the legitimate use of services and recognise interference attempts. Elaborate algorithms and machine learning thus support proper inference of service intent so that MITM attacks are detected earlier. This proactive defence strategy makes networks more robust against emerging dangers and guarantees the confidentiality and integrity of service communication, particularly over encrypted DNS.

[10] Using sophisticated techniques such as deep learning models, this approach analyses encrypted streams of network traffic in order to recognise anomalies that might indicate a MITM attack. By performing feature extraction and classification on the traffic, the model can decide whether the traffic is normal or anomalous, even for encrypted communication. Such systems get better at detecting attacks over time by learning from labelled data and adapting to evolving tactics. Furthermore, explainable AI methods such as feature importance analysis let security analysts understand which factors drive a MITM detection and devise more effective responses. In a broader context, machine-learning analysis of encrypted network traffic appears to be a rather effective measure for preventing MITM attacks and enhancing the protection of networks.

PACKET SNIFFING AND TRAFFIC ANALYSIS

Packet sniffing is a method of capturing and analysing the data packets that pass through a computer network. Traffic analysis, by contrast, concerns the features and tendencies of the network traffic as a whole rather than the actual data payloads.

1. Functionality:
Packet sniffing captures and analyses data packets as they traverse a network. For MITM detection, packet sniffers scan for suspicious activity that suggests an intermediary has inserted itself into the communication between two parties.

2. Indicators of MITM Attacks:
Packet sniffers can detect MITM attacks because they notice changes in packet transmission that would not be expected, for instance changes in packet headers or in the path the packets take. They are also useful for pointing out variations in the encryption in use, or cases where encryption has been removed from a connection that should be protected, both signs of tampering by an adversary.

3. Analyzing Communication Patterns:
Traffic analysis assesses the traffic flowing through a network in order to tell the usual traffic from the anomalous. For MITM detection this means studying traffic volume, its distribution in time, and its sources and destinations, to spot deviations from normal traffic that suggest someone is intercepting data.

4. Identifying Anomalies:
Traffic analysis as a method of MITM detection is concerned with features such as increased or decreased traffic rates on particular links, uncharacteristic traffic exchange between nodes, or changed data rates. These anomalies could be indicative of a MITM attacker intercepting and modifying the traffic on the network.
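
The volume and peer checks of items 3 and 4, as an added example that is not part of the paper: it builds a per-pair packets-per-window baseline from a clean period, scores a live capture against it with a z-score, and reports communication pairs that never appeared during the baseline. The addresses, timestamps, window size and threshold are constructed for the example; in a deployment the record list would be filled from a sniffer such as Scapy.

```python
"""Traffic-pattern baseline and anomaly check (added example, not the paper's code).

Records are (timestamp_seconds, src_ip, dst_ip) tuples as a sniffer would emit
them. A clean baseline period gives the packets exchanged by each (src, dst)
pair per fixed time window; live traffic is then scored with a z-score on the
per-window rate, and pairs unseen in the baseline are reported as new paths.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 10.0  # seconds per window (assumed value for this example)


def windowed_counts(records, window=WINDOW):
    """Return {pair: [packets in window 0, window 1, ...]} over the record span."""
    if not records:
        return {}
    t0 = min(r[0] for r in records)
    n_windows = int((max(r[0] for r in records) - t0) // window) + 1
    counts = defaultdict(lambda: [0] * n_windows)
    for ts, src, dst in records:
        counts[(src, dst)][int((ts - t0) // window)] += 1
    return dict(counts)


def build_baseline(records, window=WINDOW):
    """Per-pair (mean, population std-dev) of packets per window from a clean period."""
    return {pair: (mean(c), pstdev(c)) for pair, c in windowed_counts(records, window).items()}


def detect(baseline, live, window=WINDOW, z_thresh=3.0, min_std=1.0):
    """Flag windows whose rate deviates from baseline, and pairs never seen before.

    Alerts are ("rate", pair, window_index, count, z) or ("new-pair", pair, total).
    """
    alerts = []
    for pair, counts in windowed_counts(live, window).items():
        if pair not in baseline:
            alerts.append(("new-pair", pair, sum(counts)))
            continue
        mu, sigma = baseline[pair]
        # Floor the std-dev so a perfectly steady baseline does not divide by ~0
        # and turn every tiny fluctuation into an alert.
        sigma = max(sigma, min_std)
        for i, c in enumerate(counts):
            z = (c - mu) / sigma
            if abs(z) > z_thresh:
                alerts.append(("rate", pair, i, c, round(z, 2)))
    return alerts


def run_demo():
    """Constructed data: steady baseline, then a doubled window plus an unknown peer."""
    client, gateway, stranger = "10.0.0.5", "10.0.0.1", "10.0.0.99"
    # Baseline: 60 s of traffic at 10 packets per 10 s window, one packet a second.
    baseline_records = [(w * 10 + i, client, gateway) for w in range(6) for i in range(10)]
    # Live: one normal window, then a window in which every client->gateway packet
    # shows up twice on the monitored segment (what a span port sees when an
    # intermediary forwards what it intercepts), plus a peer absent from the baseline.
    live_records = [(100 + i, client, gateway) for i in range(10)]
    live_records += [(110 + k * 0.5, client, gateway) for k in range(20)]
    live_records += [(105.5 + j, client, stranger) for j in range(5)]
    return detect(build_baseline(baseline_records), live_records)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The doubled second window scores z = 10 against a baseline of 10 packets per window, and the client-to-stranger flow is reported as a new pair; the first live window, identical to the baseline, is silent. Keying on (src, dst) IP pairs is deliberate: an ARP-level intermediary leaves IP headers intact, so its forwarding shows up as a volume change on an existing pair rather than as a new IP endpoint.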

ARCHITECTURAL FRAMEWORK

Figure 1: Man-in-the-Middle Attack Detection

The ARP-spoofing-based approach to detecting MitM attacks describes the parts of the system and the flow of data between them that are used to isolate and address this form of threat. A network monitoring component records the packets on the local network, including all use of the ARP protocol; the anomaly detection algorithms then signal when something is wrong with the ARP bindings. Built as one integrated system, it can counteract any instance of ARP spoofing and so enhance the security of the network.

MODULES

MODULE 1: CAPTURING AND ANALYZING THE PACKETS

Scapy is a Python-based packet manipulation tool with which network packets can be captured in order to identify MITM attacks. First, Scapy is used to capture packets from the chosen network interface. The captured packets are then compared with the usual traffic flow, looking for features such as an abnormal source or destination, an inexplicable packet sequence, or a modified data payload. Scapy can also be used to construct probes or responses that confirm the health of the network.

MODULE 2: INTERCEPTING THE NETWORK TRAFFIC

Interception helps detect activity that is out of the ordinary or a sign of intrusion in a network. By analysing packet contents and their metadata, dangerous patterns such as intrusion attempts, malware distribution or data leakage can be detected. This proactive approach makes it easier for organisations to respond quickly to security threats, reduce them, and protect sensitive information. A traffic interception module is also useful for performance tuning and troubleshooting: from the captured traffic it is possible to identify problems such as bottlenecks, high latency and low bandwidth that slow the network down. Such quantitative information lets network administrators make specific improvements, for example QoS plans or changes to the network architecture, that improve the users' experience and guarantee functionality.

MODULE 3: DETECTING ARP CACHE POISONING

Network traffic analysers are paramount in detecting ARP cache poisoning, a form of cyber attack in which the attacker alters the ARP cache of a network device so as to link the attacker's MAC address to the IP address of another device. Such analysers inspect the network traffic so that a wide variety of violations can be identified, for example several devices claiming a single IP address, or frequent changes in the MAC address associated with an IP. These serve as flags of ARP cache poisoning attempts.

MODULE 4: GENERATING THE ALERT

This task entails building and managing a system that monitors for potential MITM attacks and raises alerts. These attacks happen when a third party eavesdrops on and meddles with a conversation between two parties, normally resulting in disclosure of information or unauthorised access. Using effective detection and monitoring algorithms, deep packet inspection, and the known indicators of MITM activity, the system should identify such activity rapidly in order to prevent the possible threats and preserve the confidentiality and integrity of the transmitted data.
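
The ARP monitoring that Modules 1, 3 and 4 describe (capture, comparison against expected bindings, alert generation), as an added example that is not the paper's own code. The trusted gateway binding, the MAC and IP addresses and the packet sequence are constructed for this example. The ArpReply class only mirrors the attribute names of Scapy's ARP layer (op, psrc, hwsrc), and sniff_live() shows how real packets from scapy.all.sniff() would be fed to the same monitor.

```python
"""ARP cache poisoning detection over ARP replies (added example, not the paper's code).

The monitor keeps the IP -> MAC binding advertised by each 'is-at' reply and
raises an alert when a later reply claims a different MAC for the same IP, or
when a reply contradicts a trusted binding the administrator configured.
Attribute names (op, psrc, hwsrc) mirror Scapy's ARP layer, so a pkt[ARP]
from a live capture can be passed to observe() unchanged.
"""
from dataclasses import dataclass, field

ARP_REPLY = 2  # ARP opcode for 'is-at'; 1 is 'who-has'


@dataclass
class ArpReply:
    """Stand-in for a Scapy ARP layer; a real pkt[ARP] exposes the same attributes."""
    op: int
    psrc: str   # sender protocol (IP) address being claimed
    hwsrc: str  # sender hardware (MAC) address making the claim


@dataclass
class ArpMonitor:
    # Bindings the administrator knows to be correct (e.g. the default gateway).
    # The value used below is an assumed example; replace it with your inventory.
    trusted: dict = field(default_factory=dict)
    seen: dict = field(default_factory=dict)       # ip -> last MAC observed
    changes: dict = field(default_factory=dict)    # ip -> number of binding flips
    alerts: list = field(default_factory=list)     # (level, message) in arrival order

    def observe(self, pkt):
        """Process one ARP packet; return the (level, message) alerts it produced."""
        if pkt.op != ARP_REPLY:      # requests carry no binding claim worth tracking
            return []
        ip, mac = pkt.psrc, pkt.hwsrc.lower()
        new = []
        expected = self.trusted.get(ip)
        if expected is not None and mac != expected.lower():
            new.append(("CRITICAL", f"{ip} claimed by {mac}, trusted MAC is {expected}"))
        last = self.seen.get(ip)
        if last is not None and last != mac:
            self.changes[ip] = self.changes.get(ip, 0) + 1
            new.append(("WARNING", f"{ip} moved from {last} to {mac} (change #{self.changes[ip]})"))
        self.seen[ip] = mac
        self.alerts.extend(new)
        return new


def run_demo():
    """Constructed sequence: genuine replies, then an attacker poisoning both sides."""
    monitor = ArpMonitor(trusted={"192.168.1.1": "aa:bb:cc:dd:ee:01"})
    sequence = [
        ArpReply(op=1, psrc="192.168.1.10", hwsrc="aa:bb:cc:dd:ee:10"),  # who-has, ignored
        ArpReply(op=2, psrc="192.168.1.1", hwsrc="AA:BB:CC:DD:EE:01"),   # genuine gateway
        ArpReply(op=2, psrc="192.168.1.10", hwsrc="aa:bb:cc:dd:ee:10"),  # genuine host
        ArpReply(op=2, psrc="192.168.1.1", hwsrc="de:ad:be:ef:00:99"),   # attacker: "I am the gateway"
        ArpReply(op=2, psrc="192.168.1.10", hwsrc="de:ad:be:ef:00:99"),  # attacker: "I am the host"
    ]
    for pkt in sequence:
        monitor.observe(pkt)
    return monitor.alerts


def sniff_live(iface=None, count=0):
    """Feed real ARP replies to the monitor with Scapy (needs scapy and capture rights)."""
    from scapy.all import ARP, sniff  # imported here so the module loads without scapy
    monitor = ArpMonitor(trusted={"192.168.1.1": "aa:bb:cc:dd:ee:01"})  # assumed binding

    def handle(pkt):
        if pkt.haslayer(ARP):
            for level, msg in monitor.observe(pkt[ARP]):
                print(f"[{level}] {msg}")

    sniff(iface=iface, filter="arp", prn=handle, store=False, count=count)


if __name__ == "__main__":
    for level, msg in run_demo():
        print(f"[{level}] {msg}")
```

The spoofed gateway reply produces two alerts (a CRITICAL conflict with the trusted table and a WARNING that the binding flipped), while the spoofed host reply, for which no trusted entry exists, produces only the flip warning; the same attacker MAC claiming both IPs is the two-sided poisoning pattern a relay needs. MAC strings are lower-cased before comparison because vendors and tools emit either case.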

RESULTS AND DISCUSSION

Network-based attack detection incorporates a range of tools and methodologies; the following are some of the ways network traffic can be captured and analysed for signs of MITM attacks. Since ARP spoofing is one of the most commonly used techniques in MITM attacks, one possibility is to analyse the ARP (Address Resolution Protocol) traffic itself. Traditional approaches mostly rely on pattern matching, in which the traffic seen on the network is compared with known MITM attacks. Such techniques are useful for identifying well-known threats but may fail to identify new or more sophisticated MITM strategies. More advanced MITM detection systems employ machine learning and heuristic analysis to detect indications of MITM attacks; their higher accuracy lets them adapt to changes in attack tactics. However, running and exploiting them as presented in the literature can require more computational capacity and expertise.

FUTURE ENHANCEMENTS

Packet sniffing and traffic analysis for MitM detection could be extended with improved deep learning algorithms for better detection and resilience, and with real-time countermeasures triggered on detection. Further refinement of the anomaly detection algorithms to reduce false positives, and analysis of encrypted traffic on encrypted communication channels, can improve detection capability. Beyond that, behavioural analysis of network devices and users, scaling the analysis to a growing network, integration with threat intelligence feeds, and tools that build network maps for forensic analysis would enhance the system's ability to identify and counter MitM attacks quickly and effectively. All these improvements are intended to give organisations primary protection against newly emerging MitM threats while preserving a comprehensive record of network events for efficient investigation of security incidents.

CONCLUSION

The application of packet sniffing and traffic analysis to the identification of network-based Man-in-the-Middle attacks is a significant aspect of contemporary security management. By combining deep packet inspection and traffic pattern analysis, and adding machine learning algorithms where appropriate, organisations can counter MitM attacks and restrict access to sensitive data on their network infrastructure. Like other detection methods it brings many advantages for fortifying the network's security posture, but it also imposes challenges: constant updates, adaptation to new threats, and some issues of privacy and network neutrality. Therefore, as technology improves and new and more complex threats appear in cyberspace, continued work and research are needed to detect new MitM attacks and to enhance the protection and availability of organisational data and the quality of network resources.

REFERENCES

[1] Akane Kousgi, Kaoru Ternishi, Kiminao Kogiso, 'Experimental Validation of the Attack-Detection Capability of Encrypted Control Systems Using Man-in-the-Middle Attacks', Vol. 12, pp. 35-47, 2024.
[2] Muteeb Bin Muzammil, Muhammad Bilal, Sahar Ajmal, Sandile C. Shongwe, Yazeed Y. Ghadi, 'Unveiling Vulnerabilities of Web Attacks Considering Man in the Middle Attack and Session Hijacking', Vol. 46, pp. 65-75, 2024.
[3] Shuyu Pei, Jigang Wen, Kun Xie, Gaogang Xie, Kenli Li, 'On-Line Network Traffic Anomaly Detection Based on Tensor Sketch', Vol. 34, pp. 1-12, 2023.
[4] Tiago Brito, Mafalda Ferreira, Miguel Monteiro, Pedro Lopes, Miguel Barros, José Fragoso, Nuno Santos, 'Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages', Vol. 72, pp. 1-14, 2023.
[5] Yingwen Zhang, Zhaoxia Peng, Guoguang Wen, Jinhuan Wang, Tingwen Huang, 'Optimal Stealthy Linear Man-in-the-Middle Attacks With Resource Constraints on Remote State Estimation', Vol. 54, pp. 45-56, 2023.
[6] Shohei Kamamura, Yuki Takei, Masato Nishiguchi, Yuhei Hayashi, Takayuki Fujiwara, 'Network Anomaly Detection Through IP Traffic Analysis With Variable Granularity', Vol. 11, pp. 18-28, 2023.
[7] Tengchao Ma, Changqiao Xu, Shujie Yang, Yiting Huang, Qingzhao An, Xiaohui Kuan, Luigi Alfredo Grieco, 'A Mutation-Enabled Proactive Defense Against Service-Oriented Man-in-the-Middle Attack in Kubernetes', Vol. 72, pp. 43-56, 2023.
[8] Rikima Mitsuhashi, Yong Jin, Katsuyoshi Iida, Takahiro Shinagawa, Yoshiaki Takai, 'Malicious DNS Tunnel Tool Recognition Using Persistent DoH Traffic Analysis', Vol. 20, pp. 86-95, 2023.
[9] M. S. Kumar, B. Chidambararajan, R. V. Devi…, 'Invading into Android Using Metasploit', Next-Gen Technologies in Computational Intelligence, 2024.
[10] S. Navaneetha Krishnan, Dr. M. Senthil Kumar, Dr. B. Chidambararajan, V. Rahul, R. Kishore Kumar, 'Survey On Malware Detection Using Reverse Engineering Techniques', Scopus Indexed International Conference on Next-Gen Technologies in Computational Intelligence [NGTCI-2023], Taylor and Francis Series, March 2023.
