【正文】 buffer overflow. 5. MAC, IP Cloning Attacks: The attacker could assign to himself the IP, MAC of the victim puter, recently IP, MAC can be changed easily without spoofing software, especially in Linux systems. After identify this duplicate in the IP, AMC, the victim puter will disconnect his work interface, since the MAC addresses are designed to be globally unique, and on the other hand each puter must be assigned to a single IP address in the same work. The attacker can also pretend to be a receiver devise. This means impersonated an important entity like bank and obtain private information about user. In fact, ARP poisoning attacks violate all the security rules: confidentiality, integrity, and availability. Since the attacker can read and modify secret information or prevent a victim host from access to any service on its LAN or WAN [6], [7]. III. RELATED WORK Several solutions have been proposed for manipulate the ARP poisoning problem. The ARP watch [8], ARP Guard [9] are manual solutions, so these depend on administrator to process the ARP cache, which is achieved by specialized work tools. This solution involves assigning a static IP addresses to all hosts in the LAN, also setting VLAN (Virtual LAN) and so on. This technique laborious for administrators and there is no mechanism to distinguish between a malicious and genuine host, as well as this solution is unsuitable for DHCP environments. In Hou et al. [10] is a dynamic detection approach, which depends on snort tool founder et al. [11]. A snort is Intrusion Detection System (IDS)。 it can be used to detect ARP spoofing attacks。 it is active and can detect different kinds of attacks through its ability to achieve a realtime packet analyzing on IP works. But it has a lot of statuses of falsepositive warning, which inform unreal reports to a work administrator。 moreover, the inability to detect all categories of ARP spoofing attacks. Currently, other prevention techniques produced from some manufacturers to detect ARP spoofing attacks, like routers and switches merged with some functions of a firewall. Carnut et al. [12] proposed switched works to detect ARP spoofing attacks, it can reduce significantly of false positive, but involves a plex setup。 however, these devices cannot distinguish between the legitimate modification and malicious update for ARP mapping, and they are incapable of give us high credibility in additional to the cost. In addition to the former schemes, a solution of encryption and authentication like [13], [14], [15] that used to prevent ARP attacks. This solution includes upgrade the existing ARP protocol, because, the shared pair keys must be applying to authenticate all ARP request response packets. This method can overe the ARP spoofing problem effectively, but cryptographic techniques lead to failure point in a work, also performance of address resolution protocol decrease. Moreover, the limitations with DHCP (Dynamic Host Configuration Protocol) which means the auto determination for IP address, the reason that it involves DHCP server upgrade, and requires high putational rate. Tripunitara et al. [16] proposed approach depends on a middleware technology。 it seems capable of prevent ARP cache poisoning attacks, but it requires modifications on all the hosts on the same LAN. Middleware approaches applied streams based working subsystem, which means adding some modules into the work system kernel. Therefore, in this mechanism, all inflow and outflow packets will be monitored and controlled. This manner is effective to detect and defense against ARP attacks. However, the significant disadvantage in this method is the incapability of response for legitimate host when he spoofed by attacker, and using this method include great constraints in the case of DHCP. Finally, there are basic points that should be taken into account for any ideal solution。 any scheme should have backwards patible and do not change the classic ARP. In addition, the solution does not breach work layer solution is necessary to be easy to apply, usage and availability, in additional to the low cost. On the other hand。 any solution should not spend a lot of resources or cause high traffic in the work. However, a solution needs to be capable of detection and defense against all kinds of attacks, which occur as a result of the vulnerabilities in ARP. IV. PROPOSED SCHEME In the present work, we propose a new mechanism to the problem of ARP cache poisoning. Traditional structure of each ARP [1] packet there are fields specified for the SourceTarget IP addresses (SIP,TIP) and fields to the corresponding Source Target MAC Addresses (SMAC, TMAC), and the packet must be described in operation type fields (Opcode) through the value (1) for a request and (2) for the reply. A host that works with these specifications has to send his SIP, SMAC and TIP in request packets via broadcast mode。 In contrast, the received host must send back his SIP, SMAC and TIP, TMAC in reply packets through unicast mode. In some circumstances, a host sends broadcast ARP request without solicit any reply, or send a broadcast reply to which no request has been sent, these kinds of request/reply packets called gratuitous ARP packets [17], [18]. The gratuitous ARP packets apply in the following scenarios: ? IP misconfiguration, In case of a host receives an ARP packet includes a SIP that equals to its IP address (SIP =TIP), which implies IP conflict. ? Changing the Network Interface Card (NIC) status from inactive to active, connecting work cable, the host associates with a new station in case of wireless LANs, and so on. A lot of operating systems send gratuitous ARP in the following cases: startup, wakes from sleep, and any changing in the work connection status. As previously stated, our proposed algorit