Vesper: Using Echo Analysis to Detect Man-in-the-Middle Attacks in LANs

Research output: Contribution to journalArticlepeer-review

21 Scopus citations


The man-in-the-middle (MitM) attack is a cyber attack in which an attacker intercepts traffic, thus harming the confidentiality, integrity, and availability of the network. It remains a popular attack vector due to its simplicity. However, existing solutions are either not portable, suffer from a high false positive rate, or simply not generic. In this paper, we propose Vesper: a novel plug-and-play MitM detector for local area networks. Vesper uses a technique inspired from impulse response analysis used in the domain of acoustic signal processing. Analogous to how echoes in a cave capture the shape and construction of the environment, so to can a short and intense pulse of ICMP echo requests model the link between two network hosts. Vesper uses neural networks called autoencoders to model the normal patterns of the echoed pulses and detect when the environment changes. Using this technique, Vesper is able to detect MitM attacks with high accuracy while incurring minimal network overhead. We evaluate Vesper on LANs consisting of video surveillance cameras, servers, and PC workstations. We also investigate several possible adversarial attacks against Vesper and demonstrate how Vesper mitigates these attacks.

Original languageEnglish
Article number8543616
Pages (from-to)1638-1653
Number of pages16
JournalIEEE Transactions on Information Forensics and Security
Issue number6
StatePublished - 1 Jun 2019


  • LAN security
  • Man in the middle
  • anomaly detection
  • echo-analysis

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Vesper: Using Echo Analysis to Detect Man-in-the-Middle Attacks in LANs'. Together they form a unique fingerprint.

Cite this