Description
Man-in-the-Middle (MitM) attacks remain a significant threat to local area networks, particularly when implemented through Address Resolution Protocol (ARP) spoofing. Although infrastructure-level protection mechanisms such as Dynamic ARP Inspection (DAI) are effective against conventional ARP poisoning attempts, their detection capability is limited in low-rate and insider-like scenarios, where malicious behavior may appear formally valid while remaining anomalous in context. This paper proposes a hybrid LAN protection architecture that combines DAI with an AI-based behavioral detection module to improve the identification of stealthy and context-dependent MitM activity. The proposed approach analyzes ARP, DHCP, and switch-port events using interpretable traffic features and a two-stage detection logic that integrates anomaly filtering and supervised classification. The system was evaluated in a controlled laboratory environment under three attack scenarios: classic high-rate ARP spoofing, low-rate stealth spoofing, and insider spoofing. The experimental results show that DAI alone performs very well in classic spoofing conditions, but its effectiveness decreases substantially in low-rate and insider scenarios. In contrast, the proposed DAI+AI architecture achieves the best overall balance between recall, precision, F1-score, detection latency, and false positive rate. The findings indicate that AI can effectively complement traditional infrastructure-level network defenses by providing behavioral awareness and improved sensitivity to attack patterns that are difficult to detect through rule-based inspection alone.