ARProof: A cross-protocol approach to detect and mitigate ARP-spoofing attacks in smart home networks

Smart homes are increasingly vulnerable to cyberattacks that lead to network instability, causing homeowners to lodge complaints with their Broadband Service Providers (BSPs). Therefore, effective and timely detection of cyberattacks is crucial for both customers and BSPs. Address Resolution Protocol (ARP) spoofing is one of the most common attacks that can facilitate larger and more severe follow-up attacks. Unfortunately, there are currently no methods that can effectively detect and mitigate ARP spoofing in smart homes from a BSP’s perspective. Current Machine Learning (ML)-based methods often rely on a single dataset from a controlled lab environment designed to mimic a single home, assuming that the results will generalize to all smart homes. Our findings indicate that this assumption is flawed. They are also unsuitable for smart homes from a BSP’s perspective, as they require custom applications, introduce additional overhead, and often rely on the injection of probing traffic into the network. To address these issues, we developed an algorithm that can detect ARP spoofing in smart home networks, regardless of the network structure or connected devices. It uses a cross-protocol strategy by correlating ARP packets with Dynamic Host Configuration Protocol (DHCP) messages to validate address bindings. We evaluated our method using four public datasets and two real-world testbeds, achieving 100% detection accuracy in all scenarios. In addition, the algorithm requires only little computational overhead, confirming its suitability for use by BSPs to detect and mitigate ARP spoofing attacks in smart homes.