GB2568667A - Detecting unsanctioned messages in electronic networks - Google Patents


Info

Publication number
GB2568667A
Authority
GB
United Kingdom
Prior art keywords
network
access point
implemented method
machine
message
Prior art date
Legal status
Granted
Application number
GB1719050.5A
Other versions
GB2568667B (en)
GB201719050D0 (en)
Inventor
Marc Town Samuel
Meriac Milosch
Current Assignee
Arm IP Ltd
Original Assignee
Arm IP Ltd
Legal events
Application filed by Arm IP Ltd
Priority to GB1719050.5A (patent GB2568667B)
Publication of GB201719050D0
Priority to US16/191,024 (patent US10924934B2)
Publication of GB2568667A
Application granted
Publication of GB2568667B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1491Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2123Dummy operation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method of detecting unsanctioned messages in wireless networks by exposing over the network at least one device address appearing to be a physical device operable to connect to a wireless access point 204 and detecting by a detector component a message referring to the at least one device address or wireless access point address 206; determining that the message falsely claims to originate at one of the device address or the access point device address 208 and in response, emitting an alert signal 218. By deliberately simulating a spoof or fake device address pretending to be a real, known device, that may not currently be present in the network, the method may detect a wireless impersonation attack by monitoring for an unsanctioned response to the dummy traffic or detecting traffic to or from the 'non-existent' device. This may mitigate attacks against IoT or security systems, or attempts to establish if an occupant is currently present in the network. Also disclosed is a method comprising exposing over the network a device identifier appearing to be a physical device or access point identifier, detecting a message utilising a communication resource associated with said identifier and determining the message to be suspect.

Description

DETECTING UNSANCTIONED MESSAGES IN ELECTRONIC NETWORKS
The present technology relates to methods and apparatus for detecting unsanctioned messages, such as operational instruction messages, in networks of electronic devices where the networks have wireless portions.
In networked computing environments, wireless portions of a network, such as a WiFi (RTM) network may be vulnerable to malicious interference -- wireless messages may be observed and their behaviour mimicked to create an attack surface that may be exploited for unintended purposes.
In a first approach to the many difficulties encountered in seeking to detect unsanctioned messages in such electronic networks, the present technology provides a machine-implemented method, comprising exposing over a wireless part of a network of electronic devices at least one device address appearing to be a physical device address operable to connect at least one electronic device with at least one wireless access point device having an access point device address; detecting by a detector component on the wireless part of the network of electronic devices a message referring to the at least one device address; determining by the detector component that the message falsely claims to originate at one of the device address and the access point device address; and responsive to the determining, emitting an alert signal.
Implementations of the disclosed technology will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 shows a block diagram of an exemplary network in a home equipped with several interconnected devices;
Figure 2 shows a method of operation according to the presently described technology;
Figure 3 shows a method of providing simulated message traffic for use in the method of operation of the embodiment of Figure 2 and other embodiments; and
Figure 4 shows an arrangement of hardware and software components by means of which the presently described technology may be implemented.
The present technology thus provides a mechanism for detecting wireless impersonation attacks, including wireless deauthentication attacks, by simulating the presence and behaviour of devices that may not be physically present in the network, generating supposed traffic involving these purported or virtualised devices and detecting any other traffic purporting to be to or from these, in reality, non-existent devices - if such network traffic is detected, it is known immediately that it is unsanctioned and must be spurious. This is because all sanctioned traffic to and from such virtual devices has been generated and is therefore known in advance. Metaphorically, the purported or virtualised devices act like the canary taken underground by old-time miners to detect toxic gases - the canary would succumb to the effects of gas before it could affect the miners, and would thus provide an early warning of danger without placing a miner at risk - so here the purported or virtualised devices may suffer the effects of an attack, provide warning, and protect the true devices in the network.
With present-day computing and communications technology, locations such as homes, offices, industrial plants and the like contain many electronic devices, and these devices are often linked in networks. With the evolution of the Internet of Things (IoT), many items of hardware that were traditionally disconnected from the rest of the world are now connected, by wired or wireless means, to one another and to the wider electronic environment. It is not uncommon for a home to have numerous connected devices with computing and communications capacity built in, such as heating and cooling systems, lighting systems, security systems, entertainment systems, and household utility devices such as refrigerators, freezers and washing machines. In many cases, people in the home may be connected, at least intermittently, to other devices by for example a mobile (cell) phone or another portable device, such as a wearable personal device.
At least some parts of such a network may operate wirelessly, and this offers a range of opportunities for malicious exploitation by the ill-disposed, whether the exploitation takes the form of electronic misdeeds, such as stealing bank details, or of physical actions, such as burglary. Malicious drive-by penetrations of systems are facilitated by the wireless nature of the communications, and these penetrations can have damaging consequences.
For example, by observing and perhaps triggering specific traffic patterns on a wireless network by means of unsanctioned messages injected into the traffic, it might be possible to infiltrate the system to detect typical times of day when occupants of a home or other location are present and when they are absent. In one example, by issuing false polling messages, wearable devices may be caused to respond if they are present - an absence of such responses might be taken to mean that the occupants are absent, and that it is thus a propitious time for making an illegal entry into the property. It might also be possible to wirelessly disable security systems, such as passive infrared (PIR) motion detectors, alarms and security cameras, by using such unsanctioned messages, thereby easing the illegal entry even further.
Similarly, it may be possible to invade the system to simulate financial transactions with a regular payee, as observed over a period, and to hijack the payments by manipulating the payee details in a transaction message. These are merely examples of the exploits that may be available if unsanctioned message activity can be inserted into a wireless system in such a manner as to fit in with previously observed traffic patterns. As is well-known to those of skill in the art, many other exploits are possible, when once a malicious intruder has access to the network and knowledge of the behaviour of the various connected devices.
In one special case, it might be possible for an online intruder to use an unsanctioned message or message flow to deauthenticate a device on the network either for the purpose of substituting an imposter device under the control of the intruder after re-establishing the connection with the wireless access point, or perhaps for the purpose of switching off a security camera or the like.
Wirelessly-connected devices are thus susceptible to attacks in which an attacker sends a spoofed wireless message, for example causing a targeted device to become disconnected from the network or to perform some other malicious action. The spoofed frame may be generated, for example, using MAC addresses sniffed from observing network traffic. The attacker can send a spoofed frame to the access point which is supposedly from an attached device, to an attached device supposedly from the access point, or from one attached supposed device to a peer device in a peer-to-peer mesh arrangement. By such means, the attacker can gain access to the network for unsanctioned purposes.
Beyond mere annoyance (for example, interrupting network traffic for a device while it reconnects to the network), this type of attack can be used to knock security devices such as Internet of Things (IoT) security cameras and passive infrared (PIR) sensors off the network before a physical intrusion, or as a precursor to password cracking attacks by repeated triggering of handshake messages which can be observed by the attacker.
It will be clear to one of ordinary skill in the art that intrusions of the sort exemplified above pose a significant threat in a home setting - the threat is even greater in the case of an industrial plant, in which the manipulation of systems by means of unsanctioned messages could have dangerous consequences. Interference with systems controlling chemical or physical processes in such a plant could cause costly damage or even danger to personnel.
In Figure 1, there is shown a block diagram of an exemplary network in a home equipped with a number of interconnected devices. It will be clear to one of ordinary skill in the art that the block diagram represents a very simple arrangement. In a real-world setting, many homes, offices and other premises have much more complex networks. In Figure 1 is shown a network in which an occupant 102 may carry a mobile (cell) phone 104 and be wearing a personal device, such as wearable fitness tracker 106. The wireless portion of the network according to this and other embodiments may comprise devices operable with various wireless protocols, including WiFi®, Z-Wave, ZigBee, Bluetooth, and the like. Central to the network is a central wireless access point, such as wireless router 108. The network also comprises a connected smart refrigerator 110, which is operable to detect the product codes of perishable products and warn occupant 102, via wireless router 108 and mobile (cell) phone 104, when a refrigerated product has reached the end of its usable life. Further connected to wireless router 108 is temperature sensor 112, which may, for example, communicate with occupant 102 via wireless router 108 and mobile (cell) phone 104 to control heating system 114. In addition, passive infrared (PIR) motion detector 116, which may be connected to security camera 118, is connected to the wireless router 108, by means of which alarm 120 may be sounded if necessary. If a network such as that shown in Figure 1 is penetrated by a malicious intruder, any of the attached devices may be taken over by the intruder and controlled, disabled or substituted, with unpredictable detrimental effects.
In Figure 2 is shown an exemplary method 200 of operation according to one possible implementation of the present technology. The method begins at START step 202, and at step 204, a representation of a device, either a physical device or an emulation of such a device, is exposed to the wireless part of the network. The representation may be by means of an address, such as a MAC address, or may be by means of some other distinguishing characteristic, such as a device's pre-allocated time slot. At 206, the network traffic over the wireless part of the network is monitored, and at test 208, a test is performed to detect any message using the device address or other identifying characteristic, whether as the source of the message or as its destination. The test may be performed by any suitable form of detector component, whether embodied in hardware, software, or a combination of hardware and software, and elements of the detector component may be located at any level of the communications stack, and in any network termination or intermediate node. If no such message is detected, the process completes at END step 220. Following END step 220, as will be clear to one of skill in the art, the process may continue in a further iteration, either by entering at START step 202, or by iterating that portion of the process starting at 206, whereby the wireless part of the network continues to be monitored. If a message using the device address or other identifying characteristic is detected at 208, the system is checked at 210 for any action, such as a remedial action, that is configured to occur on detection of an unsanctioned message. If an action has been so configured, it is performed at 212, and the process passes to END step 220, to be iterated as necessary. Remedial actions within the system may include blocking of certain types of device traffic until the matter is resolved, or may take many other forms, as would be clear to one of skill in the art.
Other actions, for example, real world actions, such as activating security cameras or applying additional locking mechanisms may be applied to increase physical protection for premises or property. If no immediate action has been configured, the NO branch from test 210 is followed, and the system increments a threat level by the contribution represented by this message. The threat level is tested at test 216 to determine whether it passes above a threshold threat level, which may be pre-set according to the requirements of the system. For example, a threat level threshold may be pre-set so that detection of a single unsanctioned message is sufficient to pass the threshold, or it may be that a single spurious message is a contributory factor to a cumulative threat level where the threshold is set at some value greater than one. If the threshold threat level is not detected as being passed at test 216, the process ends at END step 220, and may begin a further iteration of the method or part of the method as described above. If the threat level is detected as being passed at test 216, an alert signal is emitted at 218, and the process completes at END step 220, with the option of reiteration as configured.
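The Figure 2 flow, written out as an added example (not code from the patent or from Arm) over constructed sample frames: decoy addresses stand in for the representations exposed at step 204, test 208 flags any frame naming a decoy as source or destination, test 210 dispatches a configured remedial action, and otherwise a per-message contribution accumulates into the threat level tested against the threshold at 216. The per-kind weights, the `ours` bookkeeping flag that marks traffic the system itself injected, and the reset of the threat level after an alert are assumptions of this example, not details given in the text.

```python
"""Decoy-address detector following the Figure 2 flow (steps 204-220).
Added example, not the patent's code; frames below are constructed samples."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Frame:
    src: str                 # source MAC address
    dst: str                 # destination MAC address
    kind: str                # e.g. "data", "deauth", "probe-req"
    ours: bool = False       # local bookkeeping only: True for frames this system injected


@dataclass
class DecoyDetector:
    decoys: Set[str]                                        # addresses exposed at step 204
    threshold: int                                          # threat-level threshold for test 216
    weights: Dict[str, int] = field(default_factory=dict)   # per-kind contribution (assumption)
    action: Optional[Callable[[Frame], None]] = None        # configured remedial action (210 -> 212)
    threat_level: int = 0
    alerts: List[Frame] = field(default_factory=list)
    actions_taken: List[Frame] = field(default_factory=list)

    def references_decoy(self, frame: Frame) -> bool:
        """Test 208: a frame naming a decoy as source or destination."""
        return frame.src in self.decoys or frame.dst in self.decoys

    def observe(self, frame: Frame) -> str:
        """Process one monitored frame; returns the branch taken."""
        # Every sanctioned frame involving a decoy was generated by this system,
        # so anything else referencing a decoy is unsanctioned by construction.
        if frame.ours or not self.references_decoy(frame):
            return "ignored"
        if self.action is not None:                       # test 210: action configured?
            self.action(frame)                            # step 212
            self.actions_taken.append(frame)
            return "action"
        self.threat_level += self.weights.get(frame.kind, 1)   # step 214
        if self.threat_level >= self.threshold:           # test 216 (>= so threshold 1 fires on one frame)
            self.alerts.append(frame)                     # step 218: emit alert
            self.threat_level = 0                         # reset for the next iteration (assumption)
            return "alert"
        return "accumulated"

    def run(self, frames: List[Frame]) -> List[str]:
        return [self.observe(f) for f in frames]


# Constructed sample values (locally administered MACs, not real devices).
AP = "02:00:00:00:00:01"
REAL_DEVICE = "02:00:00:00:00:10"
DECOYS = {"02:00:00:00:00:aa", "02:00:00:00:00:bb"}
ATTACKER = "02:00:00:00:00:ff"

SAMPLE_FRAMES = [
    Frame(REAL_DEVICE, AP, "data"),                       # genuine traffic: ignored
    Frame("02:00:00:00:00:aa", AP, "data", ours=True),    # our own simulated decoy traffic: ignored
    Frame(ATTACKER, "02:00:00:00:00:aa", "probe-req"),    # someone probing a decoy: +1
    Frame(AP, "02:00:00:00:00:bb", "deauth"),             # deauth "from the AP" to a decoy: +2 -> alert
]


def demo_threshold() -> List[str]:
    det = DecoyDetector(decoys=DECOYS, threshold=3, weights={"deauth": 2, "data": 1})
    return det.run(SAMPLE_FRAMES)


def demo_action() -> List[str]:
    blocked: List[str] = []
    det = DecoyDetector(decoys=DECOYS, threshold=1, action=lambda f: blocked.append(f.src))
    return det.run(SAMPLE_FRAMES)


if __name__ == "__main__":
    print(demo_threshold())   # ['ignored', 'ignored', 'accumulated', 'alert']
    print(demo_action())      # ['ignored', 'ignored', 'action', 'action']
```

The point a deployment has to get right is the `ours` exclusion: the detector must know which decoy traffic it generated itself, otherwise its own simulated frames trip test 208. That knowledge never goes on the air; it is local state shared between the injector and the detector.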
In Figure 3 is shown an embodiment of a method 300 of providing a representation of a device for use to detect unsanctioned message activity, starting at 302. At 304 a physical device is selected and at 306, the physical device's network traffic is monitored, to detect 308 at least one of a packet timing, a packet sizing, a packet network type, a MAC address class, a time-of-day packet dependency, or the like characteristic from which a simulated traffic pattern for a device of the class can be constructed at 310. Any user data payload is irrelevant to the purpose of the simulation, and should also not be unnecessarily exposed in the simulated traffic, and it is thus obfuscated at 312, whereby the external appearance of the payload has verisimilitude, but does not expose genuine user data. At 314, the simulated traffic pattern is injected into the network, where it does not perform any normal communication function, but is merely in existence to be observed by an unauthorised party and taken for reality. The process completes at END 316, and may be reiterated by the system as required.
In Figure 4 is shown an arrangement of hardware and/or software components in a network 400, giving a very simplified view of the components involved in an implementation operable to perform the method that was described above with reference to Figures 2 and 3. The network 400 comprises one or more physical devices 402, which may be selected by device selector 404. Selected devices 402 have their network traffic 408 monitored by traffic monitor 406, so that patterns of network traffic associated with selected devices 402 can be detected by pattern detector 410. Detected patterns are then used by pattern simulator 412. Traffic monitor 406 continues monitoring network traffic 408, and permits unsanctioned message detector 414 to detect when a message is passed on the network that contains the address, or uses the time slot, of a purported device. The detector component may be embodied in hardware, software, or a combination of hardware and software, and elements of the detector component may be located at any level of the communications stack, and in any network termination or intermediate node. Since no traffic of a true nature will ever use one of these addresses or time slots, the detected message is identified as unsanctioned by unsanctioned message detector 414, and if remediation is configured, remediator component 418 is brought into use to remedy the situation. This remediation may take any of the well-known forms for dealing with unauthorised message traffic, such as isolating all traffic from the offending source, fencing off portions of the network from access to sensitive data, and the like. If immediate remediation is not configured for this system, the level of threat posed by the unsanctioned message may be passed to threat level assessor 416, which may, for example, have a threshold setting beyond which an alert is signalled by alert signaller 420.
There is thus provided in implementations of the present technology a method and apparatus for defending devices in a wireless part of a network from malicious intrusion by detecting such intrusions using multiple false devices purporting to be real devices in the network. When an intruder references any of these false devices in a message, the system is alerted to the fact and can respond appropriately. In one implementation, a physical device may also be made operable to detect unsanctioned traffic referencing its own address. In implementations as described, the physical device address may comprise a pre-reserved period of network time and the falsely claiming may comprise taking control of a pre-reserved period of network time. In one arrangement, the access point device may be configured never to send functional messages to the physical or purported device, so that any received message claiming to be from the access point device must be, by definition, unsanctioned.
In one refinement, the emitting an alert signal may comprise sending the signal over at least one of the wireless part of the network of electronic devices and a wired channel, where the detector component is operable to be connected by a wired channel to the network of electronic devices.
The emitting of an alert signal may comprise emitting a signal that the message is an unsanctioned message, and may comprise emitting the signal to an operator by a sensory signaller, which may be a visual or auditory signal. The emitting may additionally or alternatively comprise sending an operation request to cause at least one entity in the network of electronic devices to perform a remedial action. The emitting may comprise sending a contributory alert signal to contribute to a threat level assessment by a threat level assessor component.
The number of the plurality of purported or virtualised devices may be made to preponderate over the number of device addresses truly operable to connect at least one electronic device with at least one wireless access point device having an access point device address - thereby in effect flooding the network space with false traffic to confuse an attacker.
In one implementation, exposing at least one device address may further comprise collecting at least one behaviour pattern of at least one device having an address truly operable to connect at least one electronic device with at least one wireless access point device having an access point device address; and emulating the behaviour patterns using the at least one device address falsely purporting to be an address operable to connect at least one electronic device with at least one wireless access point device having an access point device address. The collecting of at least one behaviour pattern may comprise collecting at least one of a packet timing pattern, a packet sizing pattern, a packet network type pattern, a MAC address class pattern, a time-of-day packet dependency pattern, or any other pattern characteristics that can be used to produce a simulated traffic pattern for a device - for example, symbol patterns, modulation patterns, bitrate patterns, signal strength patterns or the like. Emulating the behaviour pattern may be achieved by injecting into the wireless part of the network of electronic devices at least one purported message using the derived patterns between the at least one device address and at least one of a wireless access point device address and a further device address. The purported message may comprise spurious data arranged in a data pattern derived from the at least one behaviour pattern. The spurious data thus does not risk disclosure of genuine user data, as it may be generated using nonsense data arranged in the derived pattern. As will be appreciated by one of skill in the art, the emulating may comprise emulating a member of a class of devices wherein the behaviour patterns are operable to be applied to a plurality of purported devices of the class of devices.
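The Figure 3 procedure (steps 304 to 314) and the behaviour-pattern collection just described, as one added example that is not the patent's or Arm's code: a constructed capture of a real device yields its inter-frame timing, payload sizes, frame types and MAC address class; a decoy address of the same class is derived; and one cycle of the pattern is produced under that address with payloads of the right size generated from random bytes, so no genuine user data is exposed. Deriving the decoy's address class by keeping the real device's OUI and randomising the device part is an assumption of this example, as is treating "packet sizing" as payload length.

```python
"""Collecting a real device's behaviour pattern and producing matching decoy traffic
with obfuscated payloads (Figure 3, steps 304-314). Added example, not the patent's
code; the observed frames are constructed samples."""
import secrets
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Observed:
    t: float          # seconds since capture start
    kind: str         # frame type, e.g. "data", "null"
    payload: bytes    # genuine payload: used only for its length, never copied


@dataclass(frozen=True)
class Pattern:
    oui: str                   # MAC address class: first three octets of the real device
    gaps: Tuple[float, ...]    # inter-frame timing
    sizes: Tuple[int, ...]     # payload sizes
    kinds: Tuple[str, ...]     # frame types


@dataclass(frozen=True)
class Simulated:
    t: float
    src: str
    kind: str
    payload: bytes


def collect_pattern(mac: str, frames: List[Observed]) -> Pattern:
    """Steps 306/308: derive timing, sizing, type and address-class characteristics."""
    frames = sorted(frames, key=lambda f: f.t)
    return Pattern(
        oui=mac[:8],
        gaps=tuple(b.t - a.t for a, b in zip(frames, frames[1:])),
        sizes=tuple(len(f.payload) for f in frames),
        kinds=tuple(f.kind for f in frames),
    )


def decoy_address(pattern: Pattern) -> str:
    """A purported device of the same class: same OUI, random device part (assumption)."""
    return pattern.oui + "".join(f":{b:02x}" for b in secrets.token_bytes(3))


def obfuscate(size: int) -> bytes:
    """Step 312: a payload of the right size carrying no genuine user data."""
    return secrets.token_bytes(size)


def simulate(pattern: Pattern, decoy: str, start: float) -> List[Simulated]:
    """Steps 310/314: one cycle of the pattern, ready to inject under the decoy address."""
    out: List[Simulated] = []
    t = start
    for i, (size, kind) in enumerate(zip(pattern.sizes, pattern.kinds)):
        out.append(Simulated(t, decoy, kind, obfuscate(size)))
        if i < len(pattern.gaps):
            t += pattern.gaps[i]
    return out


def leaks_user_data(observed: List[Observed], simulated: List[Simulated]) -> bool:
    """Check that no genuine (non-empty) payload reappears in the decoy traffic."""
    genuine = {f.payload for f in observed if f.payload}
    return any(s.payload in genuine for s in simulated)


# Constructed capture of a sensor that reports every 30 s, then idles with a null frame.
REAL_MAC = "02:1a:2b:00:00:07"
OBSERVED = [
    Observed(0.0, "data", b"temp=21.5"),
    Observed(30.0, "data", b"temp=21.6"),
    Observed(60.0, "null", b""),
]


def demo() -> Tuple[Pattern, str, List[Simulated]]:
    pattern = collect_pattern(REAL_MAC, OBSERVED)
    decoy = decoy_address(pattern)
    return pattern, decoy, simulate(pattern, decoy, start=100.0)


if __name__ == "__main__":
    pattern, decoy, sims = demo()
    print(pattern.gaps, pattern.sizes, decoy, [(s.t, s.kind, len(s.payload)) for s in sims])
```

Because the same `Pattern` can be replayed under any number of decoy addresses, this is also the mechanism by which purported devices of one class can be made to preponderate over the real ones; the `leaks_user_data` check is the verification a deployment should run before any simulated traffic reaches the air.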
In one scenario, when the wireless part of the network of electronic devices comprises at least one entity not requiring authentication of at least one class of message, the class of message comprising deauthentication messages, the message falsely claiming to at least one of originate and terminate at one of the device address and the access point device address may be a deauthentication message, and the present technique at least in part addresses this issue. In one arrangement, the true access point device may be configured never to deauthenticate the physical or purported device that is arranged to detect intrusions. In another arrangement, the device could query the access point to determine if the received deauthentication was legitimate. Both these techniques would require some modification of the access point.
To avoid modification of the access point, the device could instead ignore the deauthentication frame and check whether the connection was actually terminated by the access point by sending test data. This could be done by, for example, sending test data back to the access point using the identity of the seemingly terminated connection, to determine whether an error or a ping reply is returned. It will be clear to one of ordinary skill in the art that the method to be used depends on the protocol. Some protocols ignore invalid packets without returning errors — in such cases it may be necessary to test by sending an encrypted or cryptographically authenticated ping to the access point address under the identity of the seemingly terminated connection. Additionally, the physical or purported device could be configured to inspect some signal metadata of the received deauthentication frame (e.g. signal strength, signal triangulation) and compare this with expected values measured or determined at configuration, installation, or run time of the physical or purported device to calculate a confidence that the frame sent by the access point was genuine. For example, in one arrangement, the device could be a physical device installed immediately adjacent to the access point, and therefore a particular (high) signal strength could be expected for any legitimate frames from the access point. In other cases, packets from the access point should be within a certain range of received signal strength indication (RSSI) values. If a deauthentication packet is received with an RSSI value above or below an expected signal strength range, that might indicate an attack.
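The two checks in this passage, as an added example that is not the patent's or Arm's code: the RSSI of a received deauthentication frame is compared with a band calibrated from frames known to come from the real access point, and the frame is then ignored while the access point is probed under the same identity to see whether the connection is in fact still served. The probe is passed in as a callable (hypothetical) that returns True when an authenticated reply comes back; the calibration values and the band half-width rule (the larger of a fixed tolerance and twice the observed spread) are assumptions of this example.

```python
"""Plausibility checks for a received deauthentication frame: RSSI against a calibrated
band, then a probe to see whether the AP still serves the connection.
Added example, not the patent's code; calibration values are constructed."""
import statistics
from typing import Callable, Dict, Sequence


class DeauthVerifier:
    def __init__(self, calibration_rssi: Sequence[int], tolerance_db: float = 6.0):
        # Calibration samples: RSSI (dBm) of frames known to come from the real AP,
        # measured at installation. Band half-width is the larger of a fixed tolerance
        # and twice the observed spread (assumption, not a value from the patent).
        self.mean = statistics.fmean(calibration_rssi)
        spread = statistics.pstdev(calibration_rssi)
        self.half_width = max(tolerance_db, 2 * spread)
        self.low = self.mean - self.half_width
        self.high = self.mean + self.half_width

    def rssi_in_band(self, rssi: float) -> bool:
        return self.low <= rssi <= self.high

    def rssi_confidence(self, rssi: float) -> float:
        """1.0 inside the band, falling linearly to 0.0 one half-width beyond it."""
        if self.rssi_in_band(rssi):
            return 1.0
        outside = self.low - rssi if rssi < self.low else rssi - self.high
        return max(0.0, 1.0 - outside / self.half_width)

    def assess(self, rssi: float, probe_ap: Callable[[], bool]) -> Dict[str, object]:
        """Ignore the deauth, probe the AP under the same identity, combine with RSSI."""
        confidence = self.rssi_confidence(rssi)
        still_connected = probe_ap()      # True: AP answered, so it never deauthenticated us
        if still_connected:
            verdict = "spoofed"
        elif confidence == 1.0:
            verdict = "genuine"
        else:
            verdict = "suspect"           # connection gone, but the frame's metadata did not match
        return {"rssi_confidence": confidence, "still_connected": still_connected, "verdict": verdict}


# Constructed calibration values (dBm) for a detector sited next to the AP.
CALIBRATION = [-42, -40, -44, -41, -43]


def demo() -> Dict[str, object]:
    v = DeauthVerifier(CALIBRATION)
    return {
        "weak_frame_ap_alive": v.assess(-70, lambda: True)["verdict"],
        "in_band_ap_silent": v.assess(-43, lambda: False)["verdict"],
        "weak_frame_ap_silent": v.assess(-70, lambda: False)["verdict"],
    }


if __name__ == "__main__":
    print(demo())
```

A probe that succeeds is decisive on its own: if the access point still answers an authenticated ping under the supposedly terminated identity, the deauthentication did not come from it. The RSSI confidence only sharpens the cases where the probe fails, since an attacker can also jam or drop the reply.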
In implementations, rather than the detector component detecting a false claim as to the origin of a message, the detector component may be configured to detect other characteristics of spoofed messages.
In one such implementation, the method may comprise exposing over a wireless part of a network of electronic devices at least one device identifier appearing to be a physical device identifier operable to connect at least one electronic device with at least one wireless access point device having an access point device identifier. The detector component is configured to detect any message utilising a communication resource associated with the device identifier or the access point device identifier, to determine that the message falsely utilises the communication resource, and responsive to a positive determination, to emit an alert signal. The communication resource may comprise a channel ID, a session ID, a temporary ID, a code division multiple access (CDMA) code (e.g., a scrambling, spreading or access code), a communication timeslot, a communication frequency, or the like.
As will be appreciated by one skilled in the art, the present technique may be embodied as a system, method or computer program product. Accordingly, the present technique may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Where the word component is used, it will be understood by one of ordinary skill in the art to refer to any portion of any of the above embodiments.
Furthermore, the present technique may take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present techniques may be written in any combination of one or more programming languages, including object oriented programming languages and conventional procedural programming languages.
For example, program code for carrying out operations of the present techniques may comprise source, object or executable code in a conventional programming language (interpreted or compiled) such as C, or assembly code, code for setting up or controlling an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array), or code for a hardware description language such as Verilog™ or VHDL (Very high speed integrated circuit Hardware Description Language).
The program code may execute entirely on the user's computer, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network. Code components may be embodied as procedures, methods or the like, and may comprise subcomponents which may take the form of instructions or sequences of instructions at any of the levels of abstraction, from the direct machine instructions of a native instruction-set to high-level compiled or interpreted language constructs.
It will also be clear to one of skill in the art that all or part of a logical method according to embodiments of the present techniques may suitably be embodied in a logic apparatus comprising logic elements to perform the steps of the method, and that such logic elements may comprise components such as logic gates in, for example a programmable logic array or application-specific integrated circuit. Such a logic arrangement may further be embodied in enabling elements for temporarily or permanently establishing logic structures in such an array or circuit using, for example, a virtual hardware descriptor language, which may be stored and transmitted using fixed or transmittable carrier media.
In one alternative, an embodiment of the present techniques may be realized in the form of a computer implemented method of deploying a service comprising steps of deploying computer program code operable to, when deployed into a computer infrastructure or network and executed thereon, cause said computer system or network to perform all the steps of the method.
In a further alternative, an embodiment of the present technique may be realized in the form of a data carrier having functional data thereon, said functional data comprising functional computer data structures to, when loaded into a computer system or network and operated upon thereby, enable said computer system to perform all the steps of the method.
It will be clear to one skilled in the art that many improvements and modifications can be made to the foregoing exemplary embodiments without departing from the scope of the present technique.

Claims (21)

1. A machine-implemented method, comprising:
exposing over a wireless part of a network of electronic devices at least one device address appearing to be a physical device address operable to connect at least one electronic device with at least one wireless access point device having an access point device address;
detecting by a detector component on said wireless part of said network of electronic devices a message referring to said at least one device address;
determining by said detector component that said message falsely claims to originate at one of said device address and said access point device address; and
responsive to said determining, emitting an alert signal.
2. The machine-implemented method of claim 1, said exposing comprising exposing said at least one device address wherein said at least one device address falsely purports to be a said physical device address.
3. The machine-implemented method of claim 1 or claim 2, said exposing comprising exposing said at least one device address wherein said at least one device address is a said physical device address.
4. The machine-implemented method of any preceding claim, said emitting an alert signal comprising sending said signal over at least one of said wireless part of said network of electronic devices and a wired channel connecting said detector component to said network of electronic devices.
5. The machine-implemented method of any preceding claim, said emitting an alert signal comprising emitting a signal that said message is an unsanctioned message.
6. The machine-implemented method of claim 5, said emitting comprising emitting said signal to an operator by a sensory signaller.
7. The machine-implemented method of claim 6, said emitting said signal to an operator by a sensory signaller comprising emitting at least one of a visual and an auditory signal.
8. The machine-implemented method of claim 5, said emitting comprising sending an operation request to cause at least one entity in said network of electronic devices to perform an action.
9. The machine-implemented method of claim 8, said emitting comprising sending an operation request to cause at least one entity in said network of electronic devices to perform a remedial action.
10. The machine-implemented method of claim 5, said emitting comprising sending a contributory alert signal to contribute to a threat level assessment by a threat level assessor component.
11. The machine-implemented method of claim 2, said exposing over said wireless part of said network of electronic devices said at least one device address further comprising generating and exposing a plurality of said device addresses where each of said plurality falsely purports to be a said real address.
12. The machine-implemented method of claim 11, the number of said plurality preponderating over the number of device addresses truly operable to connect at least one electronic device with at least one wireless access point device having an access point device address.
13. The machine-implemented method of claim 2, said exposing at least one device address further comprising:
collecting at least one behaviour pattern of at least one device having an address truly operable to connect at least one electronic device with at least one wireless access point device having an access point device address; and
emulating said behaviour pattern using said at least one said device address falsely purporting to be an address operable to connect at least one said electronic device with at least one wireless access point device having an access point device address.
14. The machine-implemented method of claim 13, said collecting at least one behaviour pattern comprising retrieving said behaviour pattern from a database of patterns associated with a type of said electronic device.
15. The machine-implemented method of claim 13 or claim 14, said collecting at least one behaviour pattern comprising collecting at least one of:
a packet timing pattern;
a packet sizing pattern;
a packet network type pattern;
a MAC address class pattern;
a symbol pattern;
a modulation pattern;
a bitrate pattern;
a signal strength pattern; and
a time-of-day packet dependency pattern.
16. The machine-implemented method of any of claims 13 to 15, said emulating further comprising injecting into said wireless part of said network of electronic devices at least one purported message between said at least one device address and at least one of a wireless access point device address and a further device address.
17. The machine-implemented method of claim 16, said at least one purported message comprising spurious data arranged in a data pattern derived from said at least one behaviour pattern.
18. The machine-implemented method of any of claims 13 to 17, said emulating comprising emulating a member of a class of devices, and wherein said behaviour patterns are operable to be applied to a plurality of purported devices of said class of devices.
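The behaviour-pattern collection and emulation of claims 11 to 17, as an added worked example that is not code from the patent. It derives a real station's packet timing, packet sizing, packet network-type and MAC address class patterns from frames it was observed sending, mints a larger population of decoy addresses in the same address class (claims 11 and 12), and schedules purported decoy-to-access-point messages whose timing, size and type are drawn from that pattern and whose payload is spurious data of the matching size (claims 16 and 17). The station, access point and observation list are constructed, and the `Observation` and `BehaviourPattern` types are the example's own.

```python
"""Behaviour-pattern collection and decoy emulation.  Added example, not
code from the patent; the station, AP and observed frames are constructed."""
import random
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Observation:
    t: float        # seconds since capture start
    src: str
    dst: str
    size: int       # bytes on air
    kind: str       # "data", "null" or "probe"


@dataclass
class BehaviourPattern:
    oui: str                                          # MAC address class (vendor prefix)
    gaps: list = field(default_factory=list)          # packet timing pattern
    sizes: list = field(default_factory=list)         # packet sizing pattern
    kinds: Counter = field(default_factory=Counter)   # packet network type pattern


def collect_pattern(observations, real_addr):
    """Claim 13: derive the behaviour pattern of one real device from frames it sent."""
    own = sorted((o for o in observations if o.src == real_addr), key=lambda o: o.t)
    pattern = BehaviourPattern(oui=real_addr[:8])
    pattern.gaps = [round(b.t - a.t, 3) for a, b in zip(own, own[1:])]
    pattern.sizes = [o.size for o in own]
    pattern.kinds = Counter(o.kind for o in own)
    return pattern


def make_decoy_addrs(pattern, n, rng, avoid=()):
    """Claims 11 and 12: mint n fake addresses sharing the real device's OUI."""
    addrs = set()
    while len(addrs) < n:
        tail = ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        addr = f"{pattern.oui}:{tail}"
        if addr not in avoid:
            addrs.add(addr)
    return sorted(addrs)


def emulate(pattern, decoys, ap_addr, duration, rng):
    """Claims 13, 16 and 17: schedule purported decoy->AP messages as
    (time, src, dst, kind, payload) tuples shaped by the collected pattern."""
    kinds = list(pattern.kinds.elements())   # weighted by observed frequency
    messages = []
    for decoy in decoys:
        t = rng.uniform(0.0, max(pattern.gaps))   # desynchronise the decoys
        while t < duration:
            size = rng.choice(pattern.sizes)
            payload = bytes(rng.randrange(256) for _ in range(size))  # spurious data
            messages.append((round(t, 3), decoy, ap_addr, rng.choice(kinds), payload))
            t += max(rng.choice(pattern.gaps), 0.001)   # guard against a zero gap
    messages.sort(key=lambda m: (m[0], m[1]))
    return messages


# Constructed capture: one lighting controller polling its AP, plus one AP reply.
AP = "00:11:22:33:44:55"
REAL = "a4:5e:60:12:34:56"
OBSERVED = [
    Observation(0.00, REAL, AP, 98, "data"),
    Observation(0.12, AP, REAL, 64, "data"),    # AP's reply: not the station's behaviour
    Observation(0.25, REAL, AP, 28, "null"),
    Observation(0.50, REAL, AP, 98, "data"),
    Observation(2.00, REAL, AP, 142, "data"),
    Observation(2.25, REAL, AP, 28, "null"),
    Observation(60.00, REAL, "ff:ff:ff:ff:ff:ff", 60, "probe"),
]


def run(seed=7, n_decoys=8, duration=120.0):
    """Collect the pattern, mint decoys, and emulate; returns all three."""
    rng = random.Random(seed)
    pattern = collect_pattern(OBSERVED, REAL)
    decoys = make_decoy_addrs(pattern, n_decoys, rng, avoid={REAL})
    return pattern, decoys, emulate(pattern, decoys, AP, duration, rng)


if __name__ == "__main__":
    pattern, decoys, msgs = run()
    print(f"{len(decoys)} decoys in class {pattern.oui}, {len(msgs)} purported messages")
    for t, src, dst, kind, payload in msgs[:5]:
        print(f"{t:8.3f}s {src} -> {dst} {kind:5s} {len(payload)} bytes")
```

A seeded `random.Random` keeps the schedule reproducible for testing; in deployment the seed would come from a system entropy source so the decoy traffic is not itself predictable to an observer.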
19. The machine-implemented method of any preceding claim, said wireless part of said network of electronic devices comprising at least one entity not requiring authentication of at least one class of message, said class of message comprising deauthentication messages, and wherein said message falsely claiming to at least one of originate and terminate at one of said device address and said access point device address is a deauthentication message.
20. A machine-implemented method, comprising:
exposing over a wireless part of a network of electronic devices at least one device identifier appearing to be a physical device identifier operable to connect at least one electronic device with at least one wireless access point device having an access point device identifier;
detecting by a detector component on said wireless part of said network of electronic devices a message utilising a communication resource associated with one of said device identifier and said access point device identifier;
determining by said detector component that said message falsely utilises said communication resource; and
responsive to said determining, emitting an alert signal.
21. The machine-implemented method of claim 20, said communication resource comprising at least one of:
a channel ID;
a session ID;
a temporary ID;
a CDMA code;
a communication timeslot; and
a communication frequency.
22. An electronic apparatus comprising logic circuitry arranged to, in operation, perform all the steps of the method of any preceding claim.
23. A computer program comprising computer program code to, when loaded into a computer and executed thereon, cause said computer to operate logic circuitry to perform all the steps of the method of any of claims 1 to 21.
24. A computer-implemented method of deploying a service comprising steps of deploying computer program code operable to, when deployed into a computer network and executed thereon, cause components of said computer network to operate logic circuitry to perform all the steps of the method of any of claims 1 to
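The detection step of claims 1, 4 to 5, 10 and 19, as an added worked example that is not code from the patent: a detector holds the access point address and the decoy station addresses the exposure component advertises, parses the standard IEEE 802.11 management-frame header (2-byte frame control, 2-byte duration, three 6-byte addresses, 2-byte sequence control, then a 2-byte reason code in deauthentication and disassociation frames), and raises an alert for any deauthentication or disassociation frame that claims to originate at, or is addressed to, a decoy. Because the exposure component never sends those frame types itself and the decoys never associate, no sanctioned entity can have produced such a frame. The BSSID, decoy addresses, client address and captured frames are constructed for the example.

```python
"""Decoy-address detector for unsanctioned 802.11 deauthentication and
disassociation frames.  Added example, not code from the patent; the BSSID,
decoy addresses and captured frames below are constructed."""
import struct
from dataclasses import dataclass

MGMT_TYPE = 0            # IEEE 802.11 frame type 0 = management
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_mgmt_frame(subtype, dst, src, bssid, reason=None, seq=0):
    """Assemble a management frame: frame control (protocol 0, type 0, given
    subtype), duration, addr1=dst, addr2=src, addr3=bssid, sequence control,
    then an optional 2-byte reason code (deauth/disassoc body)."""
    fc0 = (subtype << 4) | (MGMT_TYPE << 2)
    hdr = struct.pack("<BBH6s6s6sH", fc0, 0, 0, mac_to_bytes(dst),
                      mac_to_bytes(src), mac_to_bytes(bssid), seq << 4)
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


def parse_mgmt_frame(raw: bytes):
    """Return a dict for a management frame, or None for any other frame."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (raw[0] >> 4) & 0xF
    frame = {"subtype": subtype, "dst": mac_to_str(raw[4:10]),
             "src": mac_to_str(raw[10:16]), "bssid": mac_to_str(raw[16:22]),
             "reason": None}
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    subtype: int
    reason_code: int
    why: str


class DecoyDetector:
    """The exposure component never emits deauth/disassoc frames and the
    decoys never associate, so any such frame naming a decoy is forged."""

    def __init__(self, ap_addr, decoy_addrs, on_alert=None):
        self.ap = ap_addr.lower()
        self.decoys = {a.lower() for a in decoy_addrs}
        self.on_alert = on_alert      # e.g. an operation request (claim 8)
        self.threat_score = 0         # contributory alerts (claim 10)

    def inspect(self, raw: bytes):
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None               # only the unauthenticated class matters (claim 19)
        if f["src"] in self.decoys:
            why = "claims to originate at a decoy address no real station owns"
        elif f["dst"] in self.decoys:
            # covers the spoofed-AP case: the AP has no association to tear down
            why = "addressed to a decoy station that never associated"
        else:
            return None               # AP<->real-client traffic: undecidable from decoys alone
        alert = Alert(f["src"], f["dst"], f["subtype"], f["reason"], why)
        self.threat_score += 1
        if self.on_alert:
            self.on_alert(alert)
        return alert


# Constructed network and capture for the example.
AP = "00:11:22:33:44:55"
DECOYS = ["02:aa:bb:00:00:01", "02:aa:bb:00:00:02"]
REAL_CLIENT = "a4:5e:60:12:34:56"
CAPTURED = [
    build_mgmt_frame(SUBTYPE_DEAUTH, DECOYS[0], AP, AP, reason=7),     # spoofed AP kicks a decoy
    build_mgmt_frame(SUBTYPE_DISASSOC, AP, DECOYS[1], AP, reason=3),   # spoofed decoy "leaves"
    build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, DECOYS[0], BROADCAST),  # decoy's own emulated probe
    build_mgmt_frame(SUBTYPE_DEAUTH, REAL_CLIENT, AP, AP, reason=2),   # AP vs real client: not judged
    b"\x08\x01" + bytes(22) + b"payload",                               # a data frame, ignored
]


def run(frames=CAPTURED, ap=AP, decoys=DECOYS):
    """Inspect every frame; return (alerts, threat_score)."""
    det = DecoyDetector(ap, decoys)
    alerts = [a for a in (det.inspect(f) for f in frames) if a is not None]
    return alerts, det.threat_score


if __name__ == "__main__":
    for alert in run()[0]:
        print(alert)
```

Only frames that name a decoy are decidable this way: a broadcast deauthentication forged from the access point address names no decoy and needs a different check, which is why claim 10 feeds such alerts into a wider threat-level assessment rather than treating each one as conclusive.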

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB1719050.5A GB2568667B (en) 2017-11-17 2017-11-17 Detecting unsanctioned messages in electronic networks
US16/191,024 US10924934B2 (en) 2017-11-17 2018-11-14 Device obfuscation in electronic networks

Publications (3)

Publication Number Publication Date
GB201719050D0 GB201719050D0 (en) 2018-01-03
GB2568667A true GB2568667A (en) 2019-05-29
GB2568667B GB2568667B (en) 2022-03-16

Family

ID=60805753

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1719050.5A Active GB2568667B (en) 2017-11-17 2017-11-17 Detecting unsanctioned messages in electronic networks

Country Status (1)

Country Link
GB (1) GB2568667B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738032B (en) * 2020-12-17 2022-10-11 公安部第三研究所 Communication system for preventing IP deception

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2677792A1 (en) * 2012-06-20 2013-12-25 Thomson Licensing Method and device for countering fingerprint forgery attacks in a communication system
CN105721417A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 Honeypot apparatus carried in industrial control system, and industrial control system
WO2017053806A1 (en) * 2015-09-25 2017-03-30 Acalvio Technologies, Inc. Dynamic security mechanisms
US20170244732A1 (en) * 2016-02-19 2017-08-24 Aruba Networks, Inc. Detecting deauthentication and disassociation attack in wireless local area networks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080151844A1 (en) * 2006-12-20 2008-06-26 Manish Tiwari Wireless access point authentication system and method
