CN113891316B - Wireless device access control method and device - Google Patents


Info

Publication number: CN113891316B
Authority: CN (China)
Prior art keywords: target, wireless, equipment, historical, characteristic
Legal status: Active
Application number: CN202111044423.XA
Other languages: Chinese (zh)
Other versions: CN113891316A
Inventors: 郑杰, 俞哲伟, 秦德楼
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent

Abstract

The application provides a wireless device access control method and device. For a target wireless device requesting access to a target wireless network, the method acquires the target device characteristic fingerprint of that device, where the fingerprint consists of target device characteristics extracted from the wireless management frame messages sent by the target wireless device and target application characteristics extracted from the application data frame messages it sends; matches the target device characteristic fingerprint against the historical device characteristic fingerprints, recorded in a characteristic fingerprint library, of the historical wireless devices that have accessed the target wireless network; and, if the match succeeds, allows the target wireless device to access the target wireless network.

Description

Wireless device access control method and device
Technical Field
The application relates to the technical field of network communication, in particular to a wireless device access control method and device.
Background
Devices with wireless communication capabilities can connect to a wireless network through wireless communication techniques. To strengthen the security of the wireless network, the wireless devices allowed to access it may be screened by MAC (Media Access Control) address, but an unauthorized person can easily connect a device of their own to the wireless network by spoofing the MAC address, which threatens the security of the wireless network.
Disclosure of Invention
In view of this, the present application provides a wireless device access control method and apparatus for controlling wireless device access to a wireless network.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of the present application, a wireless device access control method is provided, which is applied to a wireless controller and includes:
for a target wireless device requesting access to a target wireless network, acquiring the target device characteristic fingerprint of the target wireless device, where the target device characteristic fingerprint consists of target device characteristics extracted from wireless management frame messages sent by the target wireless device and target application characteristics extracted from application data frame messages sent by the target wireless device;
matching the target device characteristic fingerprint against the historical device characteristic fingerprints, recorded in a characteristic fingerprint library, of the historical wireless devices that have accessed the target wireless network;
and, if the match succeeds, allowing the target wireless device to access the target wireless network.
According to a second aspect of the present application, there is provided a wireless device access control method applied to a wireless access point, the wireless access point being configured to build a target wireless network, the method comprising:
for a target wireless device requesting access to the target wireless network, extracting target device characteristics from wireless management frame messages sent by the target wireless device, and extracting target application characteristics from application data frame messages;
generating a target wireless device characteristic fingerprint from the target device characteristics and the target application characteristics, and sending the characteristic fingerprint to a wireless controller so that the wireless controller can match it against the historical characteristic fingerprints, recorded in a characteristic fingerprint library, of the historical wireless devices that have accessed the target wireless network;
and, if the match is determined to be successful, connecting the target wireless device to the target wireless network.
According to a third aspect of the present application, there is provided a wireless device access control apparatus, applied to a wireless controller, including:
an acquisition unit, which, for a target wireless device requesting access to a target wireless network, acquires the target device characteristic fingerprint of the target wireless device, where the target device characteristic fingerprint consists of target device characteristics extracted from wireless management frame messages sent by the target wireless device and target application characteristics extracted from application data frame messages sent by the target wireless device;
a matching unit, which matches the target device characteristic fingerprint against the historical device characteristic fingerprints, recorded in the characteristic fingerprint library, of the historical wireless devices that have accessed the target wireless network, and, if the match succeeds, allows the target wireless device to access the target wireless network.
According to a fourth aspect of the present application, there is provided a wireless device access control apparatus applied to a wireless access point for constructing a target wireless network, the apparatus comprising:
an extracting unit, which, for a target wireless device requesting access to the target wireless network, extracts target device characteristics from wireless management frame messages sent by the target wireless device and extracts target application characteristics from application data frame messages;
a fingerprint generation unit, which generates a target wireless device characteristic fingerprint from the target device characteristics and the target application characteristics and sends it to the wireless controller so that the wireless controller can match it against the historical characteristic fingerprints, recorded in a characteristic fingerprint library, of the historical wireless devices that have accessed the target wireless network;
and an access unit, which connects the target wireless device to the target wireless network when the match is determined to be successful.
According to a fifth aspect of the present application, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method as described in the embodiments of the first and second aspects above by executing the executable instructions.
According to a sixth aspect of embodiments of the present application, there is provided a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method as described in the embodiments of the first and second aspects above.
According to the technical scheme provided by the application, wireless device characteristics and application characteristics are extracted from the wireless management frames and the application data frames respectively, and a wireless device characteristic fingerprint is generated from the two. Such a fingerprint can uniquely identify a wireless device and is difficult to impersonate. Therefore, if the characteristic fingerprint of a wireless device is successfully matched with the characteristic fingerprint of a historical device that has successfully accessed the wireless network, the wireless device is one of the historical devices allowed access and not a counterfeit of such a device, and it can be allowed to access the wireless network. Counterfeits of historical devices are thereby prevented from accessing the wireless network, and the access security of the wireless network is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a flow chart illustrating a wireless device access control method according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart illustrating another wireless device access control method according to an exemplary embodiment of the present application;
Fig. 3 is a schematic diagram of a network architecture to which a wireless device access control method according to an embodiment of the present application is applied;
Fig. 4 is a specific flowchart illustrating a wireless device access control method according to an exemplary embodiment of the present application;
Fig. 5 is a schematic diagram of an electronic device according to an exemplary embodiment of the present application;
Fig. 6 is a block diagram illustrating a wireless device access control apparatus according to an exemplary embodiment of the present application;
Fig. 7 is a block diagram illustrating another wireless device access control apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination", depending on the context.
Next, embodiments of the present application will be described in detail.
Fig. 1 is a flow chart illustrating a wireless device access control method according to an exemplary embodiment of the present application. As shown in Fig. 1, the method, applied to the wireless controller, may include the following steps:
Step 102: for a target wireless device requesting access to a target wireless network, acquire the target device characteristic fingerprint of the target wireless device, where the fingerprint consists of target device characteristics extracted from the wireless management frame messages sent by the target wireless device and target application characteristics extracted from the application data frame messages sent by the target wireless device.
In one embodiment, the wireless controller (AC, wireless access point controller) may be configured to manage all wireless access points (APs) in the wireless network, for example issuing configuration to the APs, modifying relevant configuration parameters, radio frequency management and access security control. A wireless device accesses the wireless network through an AP, and the AC performs security control on the wireless devices that need to access the wireless network.
In an embodiment, when a wireless device (hereinafter the target wireless device) requests to join a wireless network (hereinafter the target wireless network), it sends different types of messages, and the wireless access point may collect these messages and extract the required information from them. In the present application the wireless access point mainly collects two types of messages: wireless management frame messages and application data frame messages.
Several kinds of frame messages count as wireless management frame messages, such as probe request (Probe Request) frames, authentication (Authentication) frames and association request (Association Request) frames. After the target wireless device enables its wireless network card, it sends probe request frames while scanning for the wireless signal of the target wireless network; these frames carry the target wireless device's own network card information. Authentication frames and association request frames are sent when connecting to a particular wireless signal, and they likewise carry the network card information of the target wireless device.
From these kinds of wireless management frame messages, the wireless access point can collect information that indicates the device characteristics of the target wireless device, such as radio frequency information, device manufacturer information, rate set information and wireless network card performance parameters. Together this information forms the target device characteristics of the target wireless device. If the device characteristics of two wireless devices are the same, it can be concluded that the two devices are of the same manufacturer and the same model.
To distinguish with finer granularity whether two wireless devices are the same device, the wireless access point in the present application also collects application data frame messages. Once the target wireless device has requested to connect to the target wireless network, the applications installed on it send application data frame messages to set up their own connections. Such messages are typically TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) messages, and the wireless access point can collect connection information from these two types of application data frame messages as the target application characteristics of the target wireless device. For example, the wireless access point may collect from the application data frame messages the four-tuple (source IP address, source port number, destination IP address and destination port number) of the messages sent by each application, and use the four-tuples of all applications as the target application characteristics of the target wireless device. The four-tuple is only one form of connection information: the wireless access point may instead use the three-tuple (source port number, destination IP address and destination port number) of the application data frame messages sent by all applications as the target application characteristics, or use other information from the application data frame messages sent by the applications installed on the target wireless device (for example five-tuple or seven-tuple information). The present application does not limit this.
Further, if the target application characteristics of the target wireless device are the same as or similar to the application characteristics of another device, the applications installed on the two devices are the same or similar. For a given wireless device, the probability that its device characteristics are the same as another device's and, at the same time, its application characteristics are the same as or sufficiently similar to that device's is very low. Therefore, when the device characteristics of two wireless devices are the same and their application characteristics are the same or reach a certain similarity, the two can be identified as the same device; in other words, the device characteristics and the application characteristics can be combined into a device characteristic fingerprint that uniquely identifies the wireless device.
Step 104: match the target device characteristic fingerprint against the historical device characteristic fingerprints, recorded in a characteristic fingerprint library, of the historical wireless devices that have accessed the target wireless network.
Step 106: if the match succeeds, allow the target wireless device to access the target wireless network.
Since the device characteristic fingerprint can uniquely identify a wireless device, when the target wireless device requests access to the target wireless network its target device characteristic fingerprint can be matched against the historical device characteristic fingerprints recorded in the characteristic fingerprint library. The library records the characteristic fingerprints of the historical wireless devices that have successfully accessed the target wireless network. If the target device characteristic fingerprint matches a historical device characteristic fingerprint, the target wireless device is one of the devices that have successfully accessed the target wireless network, and the wireless controller may allow it access.
When the target device characteristic fingerprint and the historical device characteristic fingerprints are each treated as a whole, the wireless controller may match the target fingerprint as a whole against each historical fingerprint as a whole. In this case the criterion for a successful match may be set as: the specific parameters of every feature in the target fingerprint are the same as the parameters of the corresponding feature in the historical fingerprint, or the proportion of the target fingerprint's parameters that are the same as the corresponding parameters in the historical fingerprint reaches a preset proportion. The present application does not limit the specific value of the preset proportion.
Since the characteristic fingerprint of a wireless device in the present application consists of at least two parts, device characteristics and application characteristics, the two types of characteristics may also be matched separately:
For the device characteristics: these reflect whether two devices are of the same manufacturer and the same model, and may include radio frequency information, device manufacturer information, rate set information, wireless network card performance parameters and the like; this information does not change as the user uses the device. Therefore, when the target device characteristics of the target wireless device and the corresponding parameters of the historical device characteristics in a historical device characteristic fingerprint are the same, the target wireless device and the historical device can be considered devices of the same manufacturer and the same model, that is, the device characteristics are successfully matched.
For the application characteristics: these consist of the connection information of the messages sent by the applications installed on the wireless device. When the connection information of the messages sent by the applications installed on the target wireless device matches the connection information contained in the historical device characteristic fingerprint, that is, the target application characteristics are identical to the historical application characteristics, the application characteristics are considered successfully matched. However, a user may make small changes to the installed applications according to personal preference while using the wireless device. Therefore, when the similarity between the connection information of the messages sent by the applications installed on the target wireless device and the connection information in the historical device characteristic fingerprint reaches a preset threshold, that is, the similarity between the target application characteristics and the historical application characteristics reaches the preset threshold, the application characteristics may also be considered successfully matched.
If the application characteristics of the target wireless device and those of the historical device match, the applications installed on the two devices can be considered the same or similar. If, in addition, the device characteristics of the target wireless device are the same as those of the historical device, the historical device and the target wireless device are not only devices of the same manufacturer and the same model but also carry the same or similar applications. The probability that two different devices meet both conditions at once is extremely low, so the two kinds of characteristics can together form a characteristic fingerprint that uniquely identifies the wireless device.
As can be seen from the above, since the uniqueness of the target device characteristic fingerprint rests on both the device characteristics and the application characteristics, the wireless controller determines that the target fingerprint matches a historical fingerprint only when both the device characteristics and the application characteristics match, and only then allows the target wireless device to access the target wireless network. The two types of characteristics may be matched simultaneously or one after the other. For example, the device characteristics may be matched first; if they do not match, the application characteristics need not be compared, the fingerprint match is directly recorded as a failure and an alarm is raised. Alternatively, the application characteristics may be matched first; if they do not match, the device characteristics need not be compared, and likewise the fingerprint match is recorded as a failure and an alarm is raised.
This embodiment can confirm, by means of the uniquely identifying device characteristic fingerprint, whether the target wireless device is one of the devices that have historically accessed the target wireless network, and can therefore prevent a counterfeit of such a historical device from accessing the target wireless network. However, if the target wireless device is a new device that has never accessed the target wireless network, it would likewise be unable to access the network under the embodiment described above.
For this situation, the present application can admit wireless devices that have not accessed the target wireless network before by screening on the MAC address. Specifically: the wireless controller obtains the MAC address of the target wireless device and matches it against the MAC addresses of the historical devices that have accessed the target wireless network; if the MAC address of the target wireless device differs from all of them, the target wireless device has not accessed the target wireless network before and can be allowed access directly.
In the other case, the MAC address of the target wireless device is the same as that of some historical device that has connected to the target wireless network. The target device characteristic fingerprint of the target wireless device is then further compared with the characteristic fingerprint of that historical device. If the two match, the target wireless device is the historical device. If they fail to match, the target wireless device has imitated the MAC address of the historical device; it is prevented from connecting to the target wireless network, and an alarm may be raised at the same time to alert an administrator to the imitating device. Compared with traversing the library and comparing the target device characteristic fingerprint with every historical device characteristic fingerprint one by one, screening by MAC address first shortens the matching time, improves matching efficiency and saves data processing resources.
The MAC addresses of the devices that have accessed the target wireless network may be stored separately by the wireless controller as an independent historical MAC address library, with each MAC address in it associated with a historical device characteristic fingerprint in the characteristic fingerprint library; the wireless controller then uses the MAC address library to match the MAC address of the target wireless device against those of the devices that have accessed the target wireless network, and locates the corresponding historical device characteristic fingerprint in the characteristic fingerprint library by that MAC address. Alternatively, each historical device characteristic fingerprint may be marked with the MAC address of its historical device when it is recorded in the characteristic fingerprint library; in that case the wireless controller need only query the characteristic fingerprint library to select the historical device characteristic fingerprint of the historical device whose MAC address is the same as the target wireless device's. The present application does not limit the storage form of the MAC addresses.
In the above embodiments, the present application constructs a characteristic fingerprint of a wireless device from its application characteristics and device characteristics; this fingerprint uniquely identifies the wireless device and is difficult to impersonate. The target device characteristic fingerprint is matched against the historical device characteristic fingerprints, and access control is applied to the wireless device requesting access to the target wireless network according to the result. Impersonating a characteristic fingerprint is more difficult than impersonating a MAC address, so this goes beyond merely confirming via the MAC address of the target device whether it should be allowed to access the target wireless network. By combining characteristic fingerprint matching with MAC address screening, an unauthorized device that imitates a MAC address can be identified, and the security of wireless devices accessing a wireless network is improved.
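As an added illustration, not code from the patent or its assignee, the following Python models the decision logic of the embodiment above: device characteristics must be identical, application characteristics are compared as sets of connection tuples against a preset threshold (Jaccard similarity and the value 0.6 are assumptions; the patent fixes neither), and the MAC address of the requesting device selects the historical fingerprint it is compared with. Every device, MAC address and connection tuple below is a constructed sample.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Connection 4-tuple (source IP, source port, destination IP, destination port)
# extracted from a TCP/UDP application data frame.
FourTuple = Tuple[str, int, str, int]

# Preset similarity threshold for the application characteristics. The patent
# leaves the value open; 0.6 is an assumption made for this example.
APP_SIMILARITY_THRESHOLD = 0.6


@dataclass(frozen=True)
class DeviceFeatures:
    """Device characteristics taken from management frames (probe request,
    authentication, association request). They do not change with use."""
    rf_info: str                # radio frequency information
    vendor: str                 # device manufacturer information
    rate_set: Tuple[int, ...]   # rate set information
    nic_caps: str               # wireless network card performance parameters


@dataclass(frozen=True)
class Fingerprint:
    """Device characteristic fingerprint: device characteristics plus the set of
    connection tuples that forms the application characteristics."""
    device: DeviceFeatures
    apps: FrozenSet[FourTuple]


def device_features_match(target: DeviceFeatures, hist: DeviceFeatures) -> bool:
    """Device characteristics match only when every parameter is identical."""
    return target == hist


def app_similarity(target: FrozenSet[FourTuple], hist: FrozenSet[FourTuple]) -> float:
    """Jaccard similarity of two connection-tuple sets (assumed measure; the
    patent only requires the similarity to reach a preset threshold)."""
    if not target and not hist:
        return 1.0
    return len(target & hist) / len(target | hist)


def fingerprints_match(target: Fingerprint, hist: Fingerprint) -> bool:
    """Device characteristics first; if they differ, the application comparison
    is skipped and the fingerprint match fails, as the text allows."""
    if not device_features_match(target.device, hist.device):
        return False
    return app_similarity(target.apps, hist.apps) >= APP_SIMILARITY_THRESHOLD


@dataclass
class WirelessController:
    """Fingerprint library in which each historical fingerprint is marked with
    the MAC address of its device (the second storage form in the text)."""
    library: Dict[str, Fingerprint] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def decide(self, mac: str, target: Fingerprint) -> str:
        hist = self.library.get(mac)
        if hist is None:
            # Unknown MAC: a device that has not accessed the network before is
            # admitted directly. Recording its fingerprint for later matching
            # is an assumption of this example.
            self.library[mac] = target
            return "allow-new"
        if fingerprints_match(target, hist):
            return "allow"      # same MAC and matching fingerprint: the historical device
        # Same MAC but a different fingerprint: the historical device's MAC has
        # been imitated. Deny access and alarm so an administrator can follow up.
        self.alarms.append(f"{mac}: fingerprint does not match the historical device")
        return "deny"


def demo() -> Tuple[WirelessController, List[str]]:
    """Three constructed access requests against a one-entry fingerprint library;
    returns the controller and the decisions ['allow', 'deny', 'allow-new']."""
    hist_dev = DeviceFeatures("2.4GHz/5GHz", "VendorA", (6, 12, 24, 54), "HT40")
    hist_apps = frozenset({
        ("10.0.0.5", 51000, "198.51.100.10", 443),
        ("10.0.0.5", 51001, "198.51.100.11", 443),
        ("10.0.0.5", 51002, "203.0.113.7", 5222),
        ("10.0.0.5", 51003, "203.0.113.9", 80),
    })
    ctrl = WirelessController({"aa:bb:cc:dd:ee:01": Fingerprint(hist_dev, hist_apps)})

    # 1. The historical device returns with one application removed: device
    #    characteristics identical, application similarity 3/4 = 0.75 >= threshold.
    returning = Fingerprint(hist_dev, hist_apps - {("10.0.0.5", 51003, "203.0.113.9", 80)})
    # 2. A different device presenting the same MAC: vendor and rate set differ,
    #    so the device characteristics fail and the request is denied.
    spoofer = Fingerprint(DeviceFeatures("2.4GHz", "VendorB", (1, 2, 5, 11), "legacy"), hist_apps)
    # 3. A MAC address with no history: admitted as a new device.
    newcomer = Fingerprint(hist_dev, frozenset({("10.0.0.9", 40000, "192.0.2.20", 8443)}))

    decisions = [
        ctrl.decide("aa:bb:cc:dd:ee:01", returning),
        ctrl.decide("aa:bb:cc:dd:ee:01", spoofer),
        ctrl.decide("aa:bb:cc:dd:ee:02", newcomer),
    ]
    return ctrl, decisions
```

Calling `demo()` runs all three cases; the second case also leaves one entry in `alarms`, which is where a deployment would hook its notification to the administrator.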
Fig. 2 is a flow chart illustrating a wireless device access method according to an exemplary embodiment of the present application. As shown in fig. 2, the method, applied to the wireless access point, may include the following steps:
Step 204, for a target wireless device requesting access to the target wireless network, extracting a target device feature from a wireless management frame message sent by the target wireless device, and extracting a target application feature from an application data frame message.
Step 206, generating a target wireless device feature fingerprint from the target device feature and the target application feature, and sending the feature fingerprint to a wireless controller, so that the wireless controller can match the target wireless device feature fingerprint with the history feature fingerprints, recorded in a feature fingerprint library, of history wireless devices that have accessed the target wireless network.
Step 208, admitting the target wireless device to the target wireless network when the matching is determined to be successful.
For the detailed embodiments of the steps in fig. 2, refer to the related embodiments of the steps in fig. 1; they are not repeated here.
Fig. 3 is a schematic diagram of the network architecture of a system to which the embodiments of the present application apply. As shown in fig. 3, 31, 32 and 33 represent wireless devices that connect wirelessly to the wireless access points 34, 35 and 36, which construct the wireless network the wireless devices join. The wireless controller 37 provides centralized control of the wireless access points 34 to 36; it is one of the important components of a wireless network, is responsible for managing all wireless access points in the wireless network, and can implement functions such as issuing configuration, modifying relevant configuration parameters, intelligent radio frequency management and access security control.
Fig. 4 is a flow chart illustrating a wireless device access control method according to an exemplary embodiment of the present application. The steps involved in fig. 4 are described in detail below in connection with the network architecture diagram shown in fig. 3:
In step 402, the wireless controller 37 obtains a target device characteristic fingerprint.
Assume that the target wireless device is the wireless device 31 shown in fig. 3, that the wireless access point serving it is the wireless access point 34, and that the wireless network the target wireless device 31 requests to join is the target wireless network. The wireless controller 37 may obtain the target device characteristic fingerprint of the target wireless device 31 from the wireless access point 34. The fingerprint is composed of target device features that the wireless access point 34 extracted from a wireless management frame message sent by the target wireless device 31, and target application features extracted from an application data frame message sent by the target wireless device 31.
For example, the wireless management frames may be of three types: Probe Request frames, Authentication frames and Association Request frames. The field information the wireless access point 34 extracts from these wireless management frames mainly comprises: RF radio frequency information, equipment vendor information, rate set information and wireless network card performance parameters. The wireless access point 34 extracts the radio frequency information from the Probe Request frame and records it as rf_a, the equipment vendor information as vendor_p_a, the rate set as rate_support_p_a, and the network card performance parameter as ht_cap_p_a; from the Authentication frame it extracts the equipment vendor information as vendor_auth_a, the rate set as rate_support_auth_a, and the network card performance parameter as ht_cap_auth_a; from the Association Request frame it extracts the equipment vendor information as vendor_Ass_a, the rate set as rate_support_Ass_a, and the network card performance parameter as ht_cap_Ass_a. The wireless access point 34 then assembles these values into the target device characteristics of the target wireless device, namely: rf_a, rate_support_p_a, ht_cap_p_a, rate_auth_a, rate_support_auth_a, ht_cap_auth_a, vendor_Ass_a, rate_support_Ass_a, ht_cap_Ass_a.
Regarding the target application feature, assume that an application feature consists of the (source port, destination IP, destination port) triple carried in a TCP or UDP packet sent when an application installed on the target wireless device 31 accesses the target wireless network. Assuming that n applications in total are installed on the target wireless device 31, its target application characteristics can be expressed as: { (SPORT1, DIP1, DPORT1), (SPORT2, DIP2, DPORT2) … (SPORTn, DIPn, DPORTn) }, where SPORT denotes the source port, DIP the destination IP and DPORT the destination port.
The target device characteristics and the target application characteristics together form the target device characteristic fingerprint of the target wireless device 31.
In step 404, the wireless controller 37 obtains the MAC address of the target wireless device 31.
The MAC address of the target wireless device 31 may be collected by the wireless access point 34 and sent to the wireless controller 37, or may be collected by the wireless controller 37 itself, which is not limited in this application.
In step 406, the wireless controller 37 checks whether the feature fingerprint library contains a history device whose MAC address is identical to that of the target device.
Assume that each history feature fingerprint recorded in the feature fingerprint library is tagged with the corresponding history device's MAC address as an identifier. The wireless controller can then confirm, from the feature fingerprint library, whether any history device that has accessed the target wireless network has the same MAC address as the target wireless device 31.
If the check finds that no history device in the feature fingerprint library has the same MAC address as the target wireless device 31, the target wireless device 31 has not accessed the target wireless network before. Step 408b may then be entered to allow the target wireless device 31 to access the target wireless network. The reason a device with no access history is granted access is that, in practice, a malicious device usually accesses the target wireless network by spoofing the MAC address of a history device that has already accessed it; if the MAC address of the target wireless device 31 has never accessed the target wireless network, the target wireless device 31 cannot be a device spoofing such a MAC address, and it can be released directly. Of course, if the access condition for the target wireless network is set to "only devices that have accessed the target wireless network before may access it", then the target wireless device 31 may instead be directly denied access to the target wireless network in step 408b.
If the check finds that a history device in the feature fingerprint library has the same MAC address as the target wireless device 31, step 408a may be entered.
Step 408a, determining, from the feature fingerprint library, the history feature fingerprint of the history device with the same MAC address as the target wireless device.
In step 410a, the target feature fingerprint is matched with the determined historical feature fingerprint.
Because each history device's history feature fingerprint in the feature fingerprint library is identified by its MAC address, the preceding step can determine the history feature fingerprint of the history device with the same MAC address as the target wireless device. The wireless controller 37 then matches the target device characteristic fingerprint of the target wireless device 31 against that history device characteristic fingerprint.
Specifically, assume that the history device features included in the history device feature fingerprint are: rf_b, rate_support_p_b, ht_cap_p_b, rate_auth_b, rate_support_auth_b, ht_cap_auth_b, vendor_Ass_b, rate_support_Ass_b, ht_cap_Ass_b. The wireless controller 37 compares each of these parameters, one by one, with the corresponding parameter in the target device characteristic fingerprint; for example, vendor_p_b is compared with vendor_p_a. If every parameter in the history device characteristics equals its counterpart in the target device characteristics, the target device characteristics are considered to match the history device characteristics.
For the application feature, assume that the history application feature in the above history device feature fingerprint is: { (SPORT1, DIP1, DPORT1), (SPORT2, DIP2, DPORT2) … (SPORTm, DIPm, DPORTm) }. The wireless controller 37 determines what proportion of the triples in the target application feature { (SPORT1, DIP1, DPORT1), (SPORT2, DIP2, DPORT2) … (SPORTn, DIPn, DPORTn) } are identical to triples contained in the history application feature. For example, if n equals 10 and 9 triples are identical, the similarity proportion is 9/10, that is, 90%. Assuming the preset threshold is 80%, the similarity proportion exceeds the threshold, and the history application characteristic and the target application characteristic can be considered to match successfully.
Step 412a, confirming whether the match was successful.
In this step, when the target device characteristic and the target application characteristic of the target wireless device 31 have respectively been matched successfully with the history device characteristic and the history application characteristic of the history device determined above, the target device characteristic fingerprint of the target wireless device 31 is confirmed to match the history device characteristic fingerprint. Step 414a may then be entered to allow the target wireless device to access the target wireless network.
If the matching in step 412a fails, the MAC address of the target wireless device 31 is the same as that of the history device determined above but the feature fingerprint differs, which indicates that the target wireless device 31 is a counterfeit of that history device; an alarm may then be raised so that relevant personnel notice the counterfeit device.
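The controller-side flow of steps 402 to 414a (MAC screening, one-by-one device-feature comparison, proportional application-feature matching against the 80% threshold, and the three outcomes) as an added runnable model; this is illustration code, not the patent holder's implementation. Field names are adapted from the description, and every MAC address, feature value and (SPORT, DIP, DPORT) triple below is constructed sample data.

```python
# Added example (not code from the patent or its assignee): the wireless controller's
# access decision for the MAC + feature-fingerprint scheme. Device-feature field names
# follow the description (rf / vendor / rate_support / ht_cap per Probe Request,
# Authentication and Association Request frame); all values are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple

AppTriple = Tuple[int, str, int]  # (SPORT, DIP, DPORT) taken from one application's TCP/UDP traffic


@dataclass(frozen=True)
class Fingerprint:
    device_features: Dict[str, str]     # device features keyed by field name
    app_features: FrozenSet[AppTriple]  # application features as a set of triples


class Decision(Enum):
    ALLOW_UNSEEN_MAC = "allow: MAC never admitted before, so it cannot be imitating a known device"
    DENY_UNSEEN_MAC = "deny: policy admits only devices that have accessed before"
    ALLOW_MATCH = "allow: fingerprint matches the history device carrying this MAC"
    ALARM_COUNTERFEIT = "alarm: same MAC as a history device but a different fingerprint"


def device_features_match(target: Dict[str, str], history: Dict[str, str]) -> bool:
    """Step 410a, device part: compare every field one by one; all must be equal.

    A missing or extra field counts as a mismatch rather than being skipped, so a
    client that omits a frame cannot pass by presenting fewer fields.
    """
    return target.keys() == history.keys() and all(target[k] == history[k] for k in target)


def app_similarity(target: FrozenSet[AppTriple], history: FrozenSet[AppTriple]) -> float:
    """Step 410a, application part: share of the target's triples also present in history.

    With no application features collected there is nothing to compare, so the
    similarity is reported as 0.0 (the conservative choice) instead of dividing by zero.
    """
    if not target:
        return 0.0
    return len(target & history) / len(target)


def fingerprint_matches(target: Fingerprint, history: Fingerprint, threshold: float = 0.8) -> bool:
    """Both parts must succeed; the application part passes at or above the preset threshold."""
    return (device_features_match(target.device_features, history.device_features)
            and app_similarity(target.app_features, history.app_features) >= threshold)


def access_decision(mac: str, target: Fingerprint, library: Dict[str, Fingerprint],
                    threshold: float = 0.8, known_only: bool = False) -> Decision:
    """Steps 406 to 414a: screen the library by MAC, then match the fingerprint."""
    history = library.get(mac.lower())  # steps 406/408a: history fingerprint tagged with this MAC
    if history is None:                 # step 408b: no history device carries this MAC
        return Decision.DENY_UNSEEN_MAC if known_only else Decision.ALLOW_UNSEEN_MAC
    if fingerprint_matches(target, history, threshold):  # steps 410a/412a
        return Decision.ALLOW_MATCH
    return Decision.ALARM_COUNTERFEIT   # MAC reused but fingerprint differs


def _features(vendor: str, rate_set: str, ht_cap: str, rf: str = "2.4GHz") -> Dict[str, str]:
    """Build the ten device-feature fields (constructed helper, not from the patent)."""
    feats = {"rf": rf}
    for frame in ("p", "auth", "ass"):  # Probe Request, Authentication, Association Request
        feats[f"vendor_{frame}"] = vendor
        feats[f"rate_support_{frame}"] = rate_set
        feats[f"ht_cap_{frame}"] = ht_cap
    return feats


# Constructed history library: one device admitted earlier, tagged with a placeholder MAC.
HISTORY_APPS = frozenset((50000 + i, f"203.0.113.{i}", 443) for i in range(10))
LIBRARY = {
    "02:00:00:00:00:01": Fingerprint(_features("VendorX", "1,2,5.5,11,6,9,12,18", "0x012c"),
                                     HISTORY_APPS),
}

# Scenario 1: the genuine device returns; 9 of its 10 current triples were seen before (90%).
GENUINE = Fingerprint(_features("VendorX", "1,2,5.5,11,6,9,12,18", "0x012c"),
                      frozenset(list(HISTORY_APPS)[:9] + [(50099, "203.0.113.99", 8443)]))
# Scenario 2: a device presenting the same MAC but a different vendor field and unrelated traffic.
IMPOSTOR = Fingerprint(_features("VendorY", "1,2,5.5,11", "0x0000"),
                       frozenset({(40000, "198.51.100.7", 80)}))
# Scenario 3: a MAC the library has never recorded.
NEWCOMER_MAC = "02:00:00:00:00:99"


def run_scenarios() -> Dict[str, Decision]:
    """Return the controller's decision for each constructed scenario."""
    return {
        "genuine": access_decision("02:00:00:00:00:01", GENUINE, LIBRARY),
        "impostor": access_decision("02:00:00:00:00:01", IMPOSTOR, LIBRARY),
        "newcomer": access_decision(NEWCOMER_MAC, GENUINE, LIBRARY),
        "newcomer_known_only": access_decision(NEWCOMER_MAC, GENUINE, LIBRARY, known_only=True),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision.value}")
```

The `known_only` flag models the alternative policy the description mentions for step 408b, where a never-seen MAC is refused instead of admitted.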
Corresponding to the above method embodiments, the present specification also provides an embodiment of an apparatus.
Fig. 5 is a schematic structural diagram of an electronic device for wireless device access control according to an exemplary embodiment of the present application. Referring to fig. 5, at the hardware level the electronic device includes a processor 502, an internal bus 504, a network interface 506, a memory 508 and a non-volatile storage 510, and may of course also include hardware required by other services. The processor 502 reads the corresponding computer program from the non-volatile storage 510 into the memory 508 and runs it, forming a wireless device access control apparatus at the logical level. Of course, other implementations, such as logic devices or combinations of hardware and software, are not excluded by the present application; that is, the execution subject of the following processing flows is not limited to logic units but may also be hardware or logic devices.
Fig. 6 is a block diagram illustrating a wireless device access control apparatus according to an exemplary embodiment of the present application. Referring to fig. 6, the apparatus includes an acquisition unit 602, a matching unit 604 and an address acquisition unit 606, wherein:
the acquisition unit 602 is configured to obtain, for a target wireless device requesting access to a target wireless network, a target device feature fingerprint of the target wireless device, where the target device feature fingerprint consists of a target device feature extracted from a wireless management frame packet sent by the target wireless device and a target application feature extracted from an application data frame packet sent by the target wireless device;
a matching unit 604, configured to match the characteristic fingerprint of the target device with a characteristic fingerprint of a historical device of a historical wireless device accessing the target wireless network, where the characteristic fingerprint is recorded in a characteristic fingerprint library; and if the matching is successful, allowing the target wireless equipment to access the target wireless network.
Optionally, the matching the characteristic fingerprint of the target device with the characteristic fingerprint of the history device of the history wireless device accessing the target wireless network recorded in the characteristic fingerprint library includes:
matching the target device features with historical device features in the historical device feature fingerprints, and matching the target application features with historical application features in the historical device feature fingerprints;
and under the condition that the matching results are successful, the target equipment characteristic fingerprint is judged to be matched with the historical equipment characteristic fingerprint.
Optionally, the apparatus further includes: an address acquisition unit 606, configured to acquire a MAC address of the target wireless device;
the matching the characteristic fingerprint of the target device with the characteristic fingerprint of the historical device of the historical wireless device accessing the target wireless network recorded in the characteristic fingerprint library comprises the following steps:
screening historical feature fingerprints corresponding to historical wireless devices with the same MAC address as the target wireless device in the feature fingerprint library;
and matching the target characteristic fingerprint with the screened historical characteristic fingerprint.
Optionally, under the condition that the screened historical characteristic fingerprint is not matched with the characteristic fingerprint of the target device, the target wireless device is judged to be a counterfeit device.
Optionally, if the historical wireless device that is the same as the MAC address of the target wireless device is not screened, allowing the target wireless device to access the target wireless network.
Fig. 7 is a block diagram illustrating another wireless device access control apparatus according to an exemplary embodiment of the present application. Referring to fig. 7, the apparatus includes an extraction unit 702, a fingerprint generation unit 704, an access unit 706, wherein:
an extracting unit 702, for a target wireless device requesting to access the target wireless network, extracting a target device feature from a wireless management frame message sent by the target wireless device, and extracting a target application feature from an application data frame message;
a fingerprint generating unit 704, configured to generate the target device feature and the target application feature into a target wireless device feature fingerprint, and send the feature fingerprint to a wireless controller, so that the wireless controller matches the target wireless device feature fingerprint with a historical feature fingerprint of a historical wireless device accessing the target wireless network, which is recorded in a feature fingerprint library;
an access unit 706, configured to access the target wireless device to the target wireless network if it is determined that the matching is successful.
The implementation of the functions and roles of each unit in the above apparatus is detailed in the implementation of the corresponding steps in the above method and is not repeated here.
For the apparatus embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, e.g. a memory comprising instructions executable by a processor of a wireless device access control apparatus to implement a method as described in any of the above embodiments, e.g. the method may comprise:
aiming at target wireless equipment requesting to access a target wireless network, acquiring target equipment characteristic fingerprints of the target wireless equipment, wherein the target equipment characteristic fingerprints consist of target equipment characteristics extracted from wireless management frame messages sent by the target wireless equipment and target application characteristics extracted from application data frame messages sent by the target wireless equipment; matching the characteristic fingerprints of the target equipment with the characteristic fingerprints of the historical equipment, recorded in a characteristic fingerprint library, of the historical wireless equipment accessed to the target wireless network; and if the matching is successful, allowing the target wireless equipment to access the target wireless network.
Wherein the non-transitory computer readable storage medium may be a ROM, random-access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc., which is not limited in this application.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (9)

1. A wireless device access control method, applied to a wireless controller, comprising:
aiming at target wireless equipment requesting to access a target wireless network, acquiring target equipment characteristic fingerprints of the target wireless equipment, wherein the target equipment characteristic fingerprints consist of target equipment characteristics extracted from wireless management frame messages sent by the target wireless equipment and target application characteristics extracted from application data frame messages sent by the target wireless equipment;
matching the characteristic fingerprints of the target equipment with the characteristic fingerprints of the historical equipment, recorded in a characteristic fingerprint library, of the historical wireless equipment accessed to the target wireless network;
if the matching is successful, allowing the target wireless device to access the target wireless network;
the matching the characteristic fingerprint of the target device with the characteristic fingerprint of the historical device of the historical wireless device accessing the target wireless network recorded in the characteristic fingerprint library comprises the following steps:
matching the target device features with historical device features in the historical device feature fingerprints, and matching the target application features with historical application features in the historical device feature fingerprints;
and under the condition that the matching results are successful, the target equipment characteristic fingerprint is judged to be matched with the historical equipment characteristic fingerprint.
2. The method according to claim 1, wherein the method further comprises: acquiring the MAC address of the target wireless device;
the matching the characteristic fingerprint of the target device with the characteristic fingerprint of the historical device of the historical wireless device accessing the target wireless network recorded in the characteristic fingerprint library comprises the following steps:
screening historical feature fingerprints corresponding to historical wireless devices with the same MAC address as the target wireless device in the feature fingerprint library;
and matching the characteristic fingerprint of the target equipment with the screened historical characteristic fingerprint.
3. The method of claim 2, wherein the target wireless device is determined to be a counterfeit device if the screened historical feature fingerprint does not match the target device feature fingerprint.
4. A method according to claim 3, further comprising:
and if the historical wireless equipment which is the same as the MAC address of the target wireless equipment is not screened, allowing the target wireless equipment to access the target wireless network.
5. A wireless device access control method, applied to a wireless access point, the wireless access point configured to establish a target wireless network, the method comprising:
for target wireless equipment requesting to access the target wireless network, extracting target equipment characteristics from a wireless management frame message sent by the target wireless equipment, and extracting target application characteristics from an application data frame message;
generating the target equipment characteristics and the target application characteristics into target wireless equipment characteristic fingerprints, and sending the characteristic fingerprints to a wireless controller so that the wireless controller can match the target wireless equipment characteristic fingerprints with historical characteristic fingerprints of historical wireless equipment accessed to the target wireless network, which are recorded in a characteristic fingerprint library;
and accessing the target wireless equipment into the target wireless network under the condition that the matching is determined to be successful.
6. A wireless device access control apparatus for use with a wireless controller, the apparatus comprising:
the acquisition unit is used for acquiring target equipment characteristic fingerprints of target wireless equipment aiming at the target wireless equipment requesting to access a target wireless network, wherein the target equipment characteristic fingerprints consist of target equipment characteristics extracted from wireless management frame messages sent by the target wireless equipment and target application characteristics extracted from application data frame messages sent by the target wireless equipment;
the matching unit is used for matching the characteristic fingerprints of the target equipment with the characteristic fingerprints of the historical equipment, recorded in the characteristic fingerprint library, of the historical wireless equipment accessed to the target wireless network; if the matching is successful, allowing the target wireless device to access the target wireless network;
the matching the characteristic fingerprint of the target device with the characteristic fingerprint of the historical device of the historical wireless device accessing the target wireless network recorded in the characteristic fingerprint library comprises the following steps:
matching the target device features with historical device features in the historical device feature fingerprints, and matching the target application features with historical application features in the historical device feature fingerprints;
and under the condition that the matching results are successful, the target equipment characteristic fingerprint is judged to be matched with the historical equipment characteristic fingerprint.
7. A wireless device access control apparatus for use with a wireless access point for constructing a target wireless network, the apparatus comprising:
an extracting unit, for a target wireless device requesting to access the target wireless network, extracting target device characteristics from a wireless management frame message sent by the target wireless device, and extracting target application characteristics from an application data frame message;
the fingerprint generation unit is used for generating the target equipment characteristics and the target application characteristics into target wireless equipment characteristic fingerprints and sending the characteristic fingerprints to the wireless controller so that the wireless controller can match the target wireless equipment characteristic fingerprints with the historical characteristic fingerprints of the historical wireless equipment accessed to the target wireless network, which are recorded in a characteristic fingerprint library;
and the access unit is used for accessing the target wireless equipment to the target wireless network under the condition that the matching is determined to be successful.
8. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of claims 1-5 by executing the executable instructions.
9. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method according to any of claims 1-5.
CN202111044423.XA 2021-09-07 2021-09-07 Wireless device access control method and device Active CN113891316B (en)

Publications (2)

Publication Number Publication Date
CN113891316A CN113891316A (en) 2022-01-04
CN113891316B true CN113891316B (en) 2023-12-26

Family

ID=79008445

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111044423.XA Active CN113891316B (en) 2021-09-07 2021-09-07 Wireless device access control method and device

Country Status (1)

Country Link
CN (1) CN113891316B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104955028A (en) * 2015-06-23 2015-09-30 北京奇虎科技有限公司 Method, device and sensor for identifying phishing WIFI (wireless fidelity)
CN104981028A (en) * 2015-03-09 2015-10-14 深圳市腾讯计算机系统有限公司 Wireless network access method and related equipment
US10172180B1 (en) * 2015-08-25 2019-01-01 Marvell International Ltd. Configuring network connections
WO2019043378A1 (en) * 2017-08-31 2019-03-07 Sony Corporation A decoder, encoder, computer program and method
WO2020011276A1 (en) * 2018-07-11 2020-01-16 杭州博联智能科技股份有限公司 Data sending, receiving, and communication method using wifi management frame, device, and storage medium
US10771498B1 (en) * 2015-06-10 2020-09-08 Marvell Asia Pte., Ltd. Validating de-authentication requests
CN111770556A (en) * 2020-06-24 2020-10-13 上海连尚网络科技有限公司 Network connection method, device, electronic equipment and medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2487948A1 (en) * 2011-02-11 2012-08-15 Research In Motion Limited System and method for managing access to a communication network
US8811401B2 (en) * 2012-06-21 2014-08-19 Breakingpoint Systems, Inc. Binding of network flows to process threads
CN104145451B (en) * 2012-08-23 2017-07-14 华为技术有限公司 Message processing method, deep-packet detection request network element and deep packet inspection device
CN103596173B (en) * 2013-09-30 2018-04-06 北京智谷睿拓技术服务有限公司 Wireless network authentication method, client and service end wireless network authentication device
US11243983B2 (en) * 2017-10-30 2022-02-08 Qualcomm Incorporated System and method for compact storage and efficient retrieval of access point information for detecting rogue access points
US20200015043A1 (en) * 2018-07-05 2020-01-09 Qualcomm Incorporated Uplink service access via a wireless local area network (wlan)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104981028A (en) * 2015-03-09 2015-10-14 深圳市腾讯计算机系统有限公司 Wireless network access method and related equipment
US10771498B1 (en) * 2015-06-10 2020-09-08 Marvell Asia Pte., Ltd. Validating de-authentication requests
CN104955028A (en) * 2015-06-23 2015-09-30 北京奇虎科技有限公司 Method, device and sensor for identifying phishing WIFI (wireless fidelity)
US10172180B1 (en) * 2015-08-25 2019-01-01 Marvell International Ltd. Configuring network connections
WO2019043378A1 (en) * 2017-08-31 2019-03-07 Sony Corporation A decoder, encoder, computer program and method
WO2020011276A1 (en) * 2018-07-11 2020-01-16 杭州博联智能科技股份有限公司 Data sending, receiving, and communication method using wifi management frame, device, and storage medium
CN111770556A (en) * 2020-06-24 2020-10-13 上海连尚网络科技有限公司 Network connection method, device, electronic equipment and medium

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
A Secure Condition-Based Location Authentication Protocol for Mobile Devices;Chien-Ming Chen ect.;《2016 Third International Conference on Computing Measurement Control and Sensor Network (CMCSN)》;全文 *
Meysam Nasimi ; Bin Han ; Hans D. Schotten ect..A Comprehensive Survey of RAN Architectures Toward 5G Mobile Communication System.《IEEE Access ( Volume: 7)》.2019,全文. *
Mohammad Asif Habibi Institute of Wireless Communication (WiCon), Technische Universität Kaiserslautern, Kaiserslautern, Germany *
一种基于干扰模型的无线网状网自适应路由策略;束永安;洪佩琳;卢汉成;黄景博;;小型微型计算机系统(01);全文 *
无线网络安全;黄凌;;科技信息(第32期);全文 *
移动设备网络流量分析技术综述;徐明;杨雪;章坚武;;电信科学(04);全文 *

Also Published As

Publication number Publication date
CN113891316A (en) 2022-01-04

Similar Documents

Publication Publication Date Title
US20050208926A1 (en) Access point and method for controlling connection among plural networks
US20070230411A1 (en) System and method for providing differentiated service levels to wireless devices in a wireless network
CN109088865B (en) User identity authentication method and device, readable storage medium and computer equipment
EP2549785A1 (en) Method and apparatus for authenticating communication devices
CN108055455B (en) Privacy protection method and device for home monitoring and computer readable storage medium
CN109688186B (en) Data interaction method, device, equipment and readable storage medium
US20030028808A1 (en) Network system, authentication method and computer program product for authentication
CN107251614A (en) Access point steering
CN108737381A (en) An extended authentication method for an Internet of Things system
CN110708336B (en) Video terminal authentication method and device, electronic equipment and storage medium
EP3945739A1 (en) Non-intrusive / agentless network device identification
CN103313429A (en) Processing method for recognizing fabricated WIFI (Wireless Fidelity) hotspot
CN106162649A (en) A method, terminal and system for identifying the legitimacy of a WAP
CN112491888A (en) Method and system for preventing equipment from being falsely used
CN111885106A (en) Internet of things safety management and control method and system based on terminal equipment characteristic information
CN112822160A (en) Equipment identification method, device, equipment and machine-readable storage medium
WO2013185709A1 (en) Call authentication method, device, and system
CN107046516B (en) Wind control method and device for identifying mobile terminal identity
CN111526112A (en) Cross-domain device registration method and device and computer readable storage medium
CN101841813B (en) Anti-attack wireless control system
CN113891316B (en) Wireless device access control method and device
CN112910854B (en) Method and device for safe operation and maintenance of Internet of things, terminal equipment and storage medium
CN113839945A (en) Credible access control system and method based on identity
CN111565196B (en) KNXnet/IP protocol intrusion detection method, device, equipment and medium
CN106535189B (en) Network access control information configuration method and device and exit gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant