Detecting Rogue Switch and Device Behaviour Using Network Anomalies in LAN

Authors

  • Vijay Bhuse GVSU

DOI:

https://doi.org/10.34190/eccws.24.1.3705

Keywords:

LAN, Rogue switch and device, Dynamic ARP, Root guard, Port security, AI anomaly detection

Abstract

Local Area Networks (LANs) are crucial for modern organizations, facilitating essential communication and data exchange in wired environments. However, wired LANs are susceptible to internal threats, exacerbated by "Bring Your Own Device" (BYOD) policies that increase vulnerability to rogue switches. These unauthorized switches, connected with just an Ethernet cable, can be installed by compromised employees or malicious insiders, undermining network security by intercepting and manipulating data traffic. These rogue switches, often plug-and-play devices, are particularly dangerous because they are difficult to detect and can be used to spy on network traffic or launch cyberattacks, further increasing organizational risks. This study presents a hybrid detection and mitigation framework that combines Dynamic ARP Inspection (DAI) with DHCP Snooping, Root Guard, and Port Security with Sticky MAC, alongside AI-driven anomaly detection. By integrating rule-based security mechanisms with supervised machine learning models, the system detects subtle deviations in network traffic and automates threat mitigation. This approach enhances detection accuracy, reduces false positives, and seamlessly integrates into existing security baselines. Experimental validation was conducted using GNS3-based lab simulations with a consistent network topology to evaluate detection effectiveness and dataset generation. Various Layer 2 attacks, including ARP spoofing, MAC flooding, and STP root bridge manipulation, were introduced to assess detection accuracy. The AI-enhanced system, trained with supervised learning using Logistic Regression, achieved 100% accuracy and an F1-score of 100% across all three attack scenarios, demonstrating its reliability in mitigating Layer 2 threats. The findings emphasise the effectiveness of combining AI-driven anomaly detection with traditional network security mechanisms to enhance LAN security. Unlike conventional reactive approaches, this framework enables proactive, real-time detection and mitigation, adapting to evolving threats and eliminating reliance on manual monitoring. The ability to detect subtle variations in network traffic behaviour ensures greater adaptability against sophisticated attacks. By continuously learning and refining detection models, the system provides scalable, intelligent, and future-ready network protection against increasingly advanced Layer 2 threats.
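The rule-based half of the framework described above (DAI checked against a DHCP-snooping binding table, Root Guard on access ports, and sticky-MAC port security), as an added illustration that is not the paper's own code: the event record format, binding table, port names and bridge ID are assumed, and the sample events are constructed to cover the three attack scenarios the study evaluates.

```python
from collections import defaultdict
# Constructed switch state (assumed format, not taken from the paper).
BINDINGS = {("10.0.0.10", "aa:aa:aa:aa:aa:10"), ("10.0.0.11", "aa:aa:aa:aa:aa:11")}
TRUSTED_PORTS = {"Gi0/24"}                      # uplink: exempt from DAI and Root Guard
LOCAL_BRIDGE_ID = (32768, "00:00:00:00:00:01")  # (priority, MAC) of the local switch
MAX_MACS_PER_PORT = 2                           # sticky-MAC port-security limit

def analyze(events, bindings=BINDINGS, trusted=TRUSTED_PORTS,
            local_bridge=LOCAL_BRIDGE_ID, max_macs=MAX_MACS_PER_PORT):
    """Run DAI, Root Guard and sticky-MAC port security over Layer 2 events.
    Returns (alerts, err_disabled_ports); each alert is (kind, port, mac)."""
    learned = defaultdict(set)  # port -> sticky MACs learned so far
    err_disabled, alerts = set(), []
    for ev in events:
        port = ev["port"]
        if port in trusted or port in err_disabled:
            continue
        if ev["type"] == "arp":
            # DAI: the sender IP/MAC pair must exist in the DHCP-snooping table.
            if (ev["sender_ip"], ev["sender_mac"]) not in bindings:
                alerts.append(("ARP_SPOOF", port, ev["sender_mac"]))
        elif ev["type"] == "bpdu":
            # Root Guard: a BPDU advertising a superior root bridge ID
            # (lower priority, then lower MAC) on an access port is root manipulation.
            if (ev["root_priority"], ev["root_mac"]) < local_bridge:
                alerts.append(("STP_ROOT_MANIPULATION", port, ev["root_mac"]))
                err_disabled.add(port)  # root-inconsistent state: block the port
        elif ev["type"] == "frame":
            # Port security: learn up to max_macs source addresses per port;
            # a further new MAC is a violation (MAC flooding) and shuts the port.
            macs = learned[port]
            if ev["src_mac"] not in macs:
                if len(macs) >= max_macs:
                    alerts.append(("MAC_FLOOD", port, ev["src_mac"]))
                    err_disabled.add(port)
                else:
                    macs.add(ev["src_mac"])
    return alerts, err_disabled

SAMPLE_EVENTS = [  # constructed: one benign ARP, then the three attack scenarios
    {"type": "arp", "port": "Gi0/1", "sender_ip": "10.0.0.10", "sender_mac": "aa:aa:aa:aa:aa:10"},
    {"type": "arp", "port": "Gi0/3", "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:03"},
    {"type": "bpdu", "port": "Gi0/5", "root_priority": 0, "root_mac": "de:ad:be:ef:00:05"},
    {"type": "frame", "port": "Gi0/7", "src_mac": "02:00:00:00:00:01"},
    {"type": "frame", "port": "Gi0/7", "src_mac": "02:00:00:00:00:02"},
    {"type": "frame", "port": "Gi0/7", "src_mac": "02:00:00:00:00:03"},
    {"type": "frame", "port": "Gi0/7", "src_mac": "02:00:00:00:00:04"},  # port already err-disabled
]
def run_sample():
    return analyze(SAMPLE_EVENTS)
```

The alerts this produces on the sample are the labelled rule-based signals that a supervised model such as the paper's Logistic Regression classifier would be trained and evaluated on.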

Published

2025-06-25