CN106982434A - A kind of wireless LAN safety cut-in method and device - Google Patents

Publication number
CN106982434A
Authority
CN
China
Legal status
Granted
Application number
CN201710122664.9A
Other languages
Chinese (zh)
Other versions
CN106982434B (en
Inventor
乐毅
Current Assignee
Chengdu Chengdian Bangcui Technology Co ltd
Original Assignee
Shanghai Feixun Data Communication Technology Co Ltd
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201710122664.9A
Publication of CN106982434A
Application granted
Publication of CN106982434B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/16 Discovering, processing access restriction or access information

Abstract

The present invention relates to a wireless LAN secure access method and device. The method includes: receiving the pre-registration of legitimate APs in the wireless network and building a safety database; dynamically recording the association information, reported by each currently legitimate AP, between an STA and that legitimate AP, and building a dynamic database; scanning the surrounding wireless signals through a legitimate finder AP and capturing the data messages exchanged between a scanned STA and a scanned AP; searching the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found; if it is found, searching the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found; and if it is not found, judging the scanned AP to be a rogue AP. The method and device provided by the embodiments of the present invention prevent the losses caused to users when an STA accesses a rogue AP in a wireless network, and improve the security of wireless network access.

Description

Wireless LAN secure access method and device
Technical field
The invention belongs to the field of WLAN (Wireless Local Area Networks), and in particular relates to a wireless LAN secure access method and device.
Background
At present, users who access a wireless network from a mobile terminal over Wi-Fi face a number of security risks. More and more businesses now provide free Wi-Fi access, which is convenient but also exposes users to growing risk. Of all wireless access risks, the most harmful is the use of a rogue wireless access point (Wireless Access Point, AP) to provide wireless network access and then to obtain large amounts of users' personal information through phishing websites. Specifically, a rogue AP is set up with an identical or similar service set identifier (Service Set Identifier, SSID) and offers free network service. Once a user has connected to such a rogue AP, this is hard to notice. The rogue AP can likewise use redirection to present a Portal web page, but that page is a phishing page or site. The user then goes on to enter account information to complete authentication, and the rogue AP easily obtains account information such as the user's mobile phone number. The greatest harm is that, after the pretended authentication succeeds, any website the user visits may be redirected to a designated phishing site, including online banking and various electronic payment sites, so that users suffer heavy financial losses.
Most ordinary users find it hard to tell whether they have connected to a rogue AP. While they access and use the wireless network unawares, their personal information and property can be compromised. How to prevent users from accessing a rogue AP is the problem currently faced.
In the prior art, wireless network security mechanisms counter the phishing threat of rogue APs by verifying a dynamic password shown through a third-party channel. Specifically, when a user accesses the wireless network, a dynamic password string is shown on the Portal page, and the user is prompted to look at a media display at the venue that also shows a dynamic password (generally refreshed once a minute). The user compares the two dynamic passwords and completes access when they match. A rogue AP generally does not know the algorithm that generates the dynamic password, so it can hardly produce an identical one, which gives the scheme some effect. The scheme still has weaknesses: the media display of the third-party channel may itself be impersonated or illegally installed, in which case the check loses its security value. The user experience is also poor: users often pay little attention and find it troublesome to compare the two dynamic passwords. Worse, if there is no third-party media display, or it cannot be used because of equipment failure or similar reasons, the method fails and the security threat remains.
In addition, some prior-art schemes first build a database of the MAC addresses of legitimate APs, use a finder AP to scan the surrounding wireless signals and capture the data messages between a wireless terminal (Station, STA) and an AP, and, by analysing them and comparing them with the MAC addresses of the legitimate APs in the database, judge whether the STA is currently exchanging data with a rogue AP. This scheme still has a major loophole. When a rogue AP disguises its MAC address as exactly that of some legitimate AP, the finder AP scans the rogue AP's MAC address and, following the workflow, queries the database on the server; the result is the MAC address of a legitimate AP, so the scheme fails. How to close this loophole is also a problem the present invention sets out to solve.
Summary of the invention
In view of the above, the embodiments of the present invention provide a wireless LAN secure access method and device that prevent an STA in a wireless LAN from accessing a rogue AP, improve the security of STA access to the wireless LAN, and avoid the losses caused by leakage of users' personal information.
In a first aspect, an embodiment of the present invention provides a wireless LAN secure access method, applied to an electronic device, including: receiving the pre-registration of legitimate APs in the wireless network and building a safety database for storing the MAC addresses of the legitimate APs; dynamically recording the association information, reported by each currently legitimate AP, between an STA and that legitimate AP, building a dynamic database, and storing the MAC address of the STA, the MAC address of the legitimate AP and their association information in the dynamic database; scanning the surrounding wireless signals through a legitimate finder AP, capturing the data messages exchanged between a scanned STA and a scanned AP, and parsing them to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association; searching the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found; if it is found, searching the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found; and if it is not found, judging the scanned AP to be a rogue AP.
Further, searching the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found also includes: if it is found, judging the scanned AP to be a legitimate AP.
Further, searching the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found also includes: if it is not found, judging the scanned AP to be a rogue AP.
Further, when the scanned AP is judged to be a rogue AP, the finder AP forges the same MAC address as the scanned STA and sends a disassociation message to the AP judged to be rogue, so that the AP judged to be rogue releases its association with the scanned STA.
Further, when the AP judged to be rogue fails to release its association with the scanned STA, the finder AP sends a large number of broadcast data packets to occupy the working channel of the AP judged to be rogue, blocking the association between the scanned STA and that AP, so that the scanned STA gives up using it of its own accord.
In a second aspect, an embodiment of the present invention provides a wireless LAN secure access device, including a safety database, a dynamic database, a scanning unit and a judging unit. The safety database is used to store the MAC addresses of legitimate APs. The dynamic database is used to dynamically record the association information, reported by each currently legitimate AP, between an STA and that legitimate AP, and to store the MAC address of the STA, the MAC address of the legitimate AP and their association information. The scanning unit is used to scan the surrounding wireless signals through a legitimate finder AP, capture the data messages exchanged between a scanned STA and a scanned AP, and parse them to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association. The judging unit is used to search the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found; if it is found, to search the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found; and if it is not found, to judge the scanned AP to be a rogue AP.
Further, the judging unit is also used to search the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found, and, if it is found, to judge the scanned AP to be a legitimate AP.
Further, the judging unit is also used to search the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found, and, if it is not found, to judge the scanned AP to be a rogue AP.
Further, the device also includes a release unit which, when the judging unit judges the scanned AP to be a rogue AP, forges through the finder AP the same MAC address as the scanned STA and sends a disassociation message to the AP judged to be rogue, so that the AP judged to be rogue releases its association with the scanned STA.
Further, the release unit is also used, when the AP judged to be rogue fails to release its association with the scanned STA, to send through the finder AP a large number of broadcast data packets that occupy the working channel of the AP judged to be rogue, blocking the association between the scanned STA and that AP, so that the scanned STA gives up using it of its own accord.
The wireless LAN secure access method and device provided by the embodiments of the present invention build a safety database that stores the MAC addresses of legitimate APs and a dynamic database that stores the association information, reported by each currently legitimate AP, between an STA and that legitimate AP. The MAC addresses of the STA and AP scanned in real time by the finder AP, together with their association, are looked up in the safety database and the dynamic database, and the query result determines whether the scanned AP is a legitimate AP. Rogue APs are thus found in time, the security of users' access to the wireless network through an STA is improved, and leakage or illegal use of users' personal information is avoided.
Brief description of the drawings
To illustrate the scheme of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the network topology of the wireless LAN provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a wireless LAN secure access method provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of a wireless LAN secure access method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a wireless LAN secure access device provided by an embodiment of the present invention.
Detailed description
To help those skilled in the art better understand the scheme of the present invention, the technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them; the drawings show preferred embodiments of the present invention. The present invention can be implemented in many different forms and is not limited to the embodiments described here; rather, these embodiments are provided so that the disclosure is understood more thoroughly and completely. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Unless otherwise defined, all technical and scientific terms used here have the meaning commonly understood by those skilled in the technical field of the present invention. The terms used in this description are only for the purpose of describing specific embodiments and are not intended to limit the present invention. The terms "first", "second" and the like in the description, the claims and the drawings are used to distinguish different objects, not to describe a particular order. The terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the steps or units listed, but optionally also includes steps or units that are not listed, or other steps or units inherent to the process, method, product or device.
A reference to an "embodiment" here means that a particular feature, structure or characteristic described in connection with the embodiment can be included in at least one embodiment of the present invention. The appearance of the phrase at various places in the description does not necessarily refer to the same embodiment each time, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described here can be combined with other embodiments.
Embodiment one
Embodiment one of the present invention provides a wireless LAN secure access method. Fig. 1 is a schematic diagram of the network topology of a wireless LAN (WLAN) provided by an embodiment of the present invention. The WLAN includes a wireless access controller (Wireless Access Point Control, AC) AC10, wireless access points AP20 and wireless terminals STA30. AC10 is the access control device of the wireless LAN. It aggregates the data from the different AP20s and connects it to the wired network, and also performs control functions such as AP20 configuration management, wireless user authentication, management, broadband access and security. In the WLAN, if an STA accesses a rogue AP20, this must be found and recognised in time, so that STA30 is prevented from establishing an association with the rogue AP or cannot carry out data access. The wireless LAN secure access method shown in Fig. 2 and Fig. 3 can be applied to the wireless access controller AC10. The physical entity corresponding to the wireless LAN secure access device shown in Fig. 4 can be the wireless access controller AC10, a switch or a wireless router.
Fig. 2 is a flow chart of a wireless LAN secure access method provided by an embodiment of the present invention. The method includes:
Step S1001: Receive the pre-registration of legitimate APs in the wireless network and build a safety database for storing the MAC addresses of the legitimate APs.
The pre-registration of the legitimate APs that provide wireless service in a public place is received, and a safety database storing the MAC addresses of the legitimate APs is built. For example, the safety database holds the MAC addresses of four legitimate APs: MAC1, MAC2, MAC3 and MAC4.
Step S1002: Dynamically record the association information, reported by each currently legitimate AP, between an STA and that legitimate AP, build a dynamic database, and store the MAC address of the STA, the MAC address of the legitimate AP and their association information in the dynamic database.
The dynamic association information of all STAs and legitimate APs is recorded and stored in the dynamic database M2. After a user accesses a legitimate AP through an STA, the legitimate AP reports the association information between the current STA and itself, and this is recorded in the dynamic database. After the STA and the legitimate AP disassociate, the record is deleted. For example, at a given moment the content of the dynamic database is as follows: STA MAC_A is associated with AP MAC1 (<MAC_A, MAC1>), STA MAC_B is associated with AP MAC2 (<MAC_B, MAC2>), STA MAC_C is associated with AP MAC3 (<MAC_C, MAC3>), and STA MAC_D is associated with AP MAC4 (<MAC_D, MAC4>).
Step S1003: Scan the surrounding wireless signals through a legitimate finder AP, capture the data messages exchanged between a scanned STA and a scanned AP, and parse them to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association.
Here the legitimate AP MAC1 is the finder AP. Once installed at a fixed point in the venue, in addition to providing normal wireless access service it uses gaps in its radio activity to scan the surrounding wireless signals across the full band. The finder AP captures data messages exchanged between a scanned STA and a scanned AP. These messages can be Beacon frames, wireless association messages or encrypted data messages.
For Beacon frames, the finder AP first obtains the MAC address of the corresponding scanned AP from the Beacon frame and caches it; the APs corresponding to these MAC addresses form the set of suspicious APs.
For wireless association messages, the finder AP uses the Probe/Authentication/Association Request frames and the Probe/Authentication/Association Response frames to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association.
For encrypted data messages, the finder AP obtains the MAC address of the scanned STA, the MAC address of the scanned AP and their association from the messages whose Payload is encrypted.
From the data sets above, the finder AP can tally and analyse a number of groups of <STA MAC, AP MAC> data and place them in its cache.
Step S1004: Search the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found. If so, perform step S1005; if not, perform step S1007.
The <STA MAC, AP MAC> data reported by the finder AP is received and, with the AP MAC in <STA MAC, AP MAC> as the key, the pre-established safety database is searched to see whether an identical MAC address is found. If so, perform step S1005; if not, perform step S1007.
Step S1005: Search the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found. If so, perform step S1006; if not, perform step S1007.
The finder AP receives the message that an identical MAC address was found in the safety database, and then sends a query message with the <STA MAC, AP MAC> group as the key. The dynamic database is searched with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found. If so, perform step S1006; if not, perform step S1007.
Step S1006: Judge the scanned AP to be a legitimate AP.
If an identical association is found in the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key, the scanned AP is judged to be a legitimate AP, and a lookup-success message is returned to the finder AP.
Step S1007: Judge the scanned AP to be a rogue AP.
If no identical MAC address is found in the safety database with the MAC address of the scanned AP as the key, this shows that the scanned STA has accessed a rogue AP, and a lookup-failure message is returned to the finder AP.
The wireless LAN secure access method provided by Embodiment one of the present invention builds a safety database that stores the MAC addresses of legitimate APs and a dynamic database that stores the association information, reported by each currently legitimate AP, between an STA and that legitimate AP. The MAC addresses of the STA and AP scanned in real time by the finder AP, together with their association, are looked up in the safety database and the dynamic database, and the query result determines whether the scanned AP is a legitimate AP, so that rogue APs are found in time.
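The two-stage lookup of steps S1004 to S1007 can be written out as follows. This is an added example, not code from the patent: the class and function names, the constructed MAC values standing in for MAC1..MAC4 and MAC_A..MAC_E, and the rejection of association reports from unregistered APs are assumptions.

```python
"""Rogue-AP check: safety database lookup, then dynamic database lookup."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    LEGITIMATE = "legitimate AP"
    ROGUE_UNREGISTERED = "rogue AP: MAC not in safety database"
    ROGUE_SPOOFED = "rogue AP: registered MAC, association never reported"


def norm(mac):
    """Canonicalise a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AccessController:
    safety_db: set = field(default_factory=set)    # S1001: registered AP MACs
    dynamic_db: set = field(default_factory=set)   # S1002: live (STA, AP) pairs

    def register_ap(self, ap_mac):
        self.safety_db.add(norm(ap_mac))

    def report_association(self, sta_mac, ap_mac):
        ap = norm(ap_mac)
        # Assumption: only pre-registered APs may write to the dynamic database.
        if ap not in self.safety_db:
            raise ValueError("association report from unregistered AP")
        self.dynamic_db.add((norm(sta_mac), ap))

    def report_disassociation(self, sta_mac, ap_mac):
        # The record is deleted once the STA and the legitimate AP disassociate.
        self.dynamic_db.discard((norm(sta_mac), norm(ap_mac)))

    def classify(self, sta_mac, ap_mac):
        """Verdict for one <STA MAC, AP MAC> pair captured by the finder AP."""
        sta, ap = norm(sta_mac), norm(ap_mac)
        if ap not in self.safety_db:            # S1004 "no"  -> S1007
            return Verdict.ROGUE_UNREGISTERED
        if (sta, ap) not in self.dynamic_db:    # S1005 "no"  -> S1007
            return Verdict.ROGUE_SPOOFED
        return Verdict.LEGITIMATE               # S1005 "yes" -> S1006


# Constructed sample values standing in for the MAC names used in the text.
AP = {f"MAC{i}": f"02:00:00:00:00:0{i}" for i in range(1, 5)}
STA = {f"MAC_{c}": f"02:00:00:00:01:0{c.lower()}" for c in "ABCDE"}


def build_controller():
    """Safety and dynamic databases populated as in the text's example."""
    ac = AccessController()
    for mac in AP.values():
        ac.register_ap(mac)
    for sta, ap in [("MAC_A", "MAC1"), ("MAC_B", "MAC2"),
                    ("MAC_C", "MAC3"), ("MAC_D", "MAC4")]:
        ac.report_association(STA[sta], AP[ap])
    return ac


def demo():
    """Classify three constructed captures from the finder AP."""
    ac = build_controller()
    captured = [
        (STA["MAC_A"], AP["MAC1"]),          # reported by the real MAC1
        (STA["MAC_E"], "02:00:00:00:00:99"), # AP MAC never registered
        (STA["MAC_E"], "02-00-00-00-00-02"), # MAC2 cloned by another device
    ]
    return [(sta, ap, ac.classify(sta, ap)) for sta, ap in captured]


if __name__ == "__main__":
    for sta, ap, verdict in demo():
        print(f"<{sta}, {ap}> -> {verdict.value}")
```

The third capture is the case the prior-art MAC list misses: the AP MAC is registered, but no legitimate AP has reported that association.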
Fig. 3 is a flow chart of a wireless LAN secure access method provided by an embodiment of the present invention. Continuing from Fig. 2, the method also includes:
Step S1008: When the scanned AP is judged to be a rogue AP, the finder AP forges the same MAC address as the scanned STA and sends a disassociation message to the AP judged to be rogue, so that the AP judged to be rogue releases its association with the scanned STA.
By forging the same MAC address as the scanned STA, the finder AP sends a disassociation message to the AP judged to be rogue. On receiving the forged disassociation message, the AP judged to be rogue releases its association with the scanned STA. If the scanned STA associates with the AP judged to be rogue again, the forged disassociation message can be sent again. Generally, after more than three disassociations, the scanned STA will no longer associate with the AP judged to be rogue.
Step S1009: When the AP judged to be rogue fails to release its association with the scanned STA, the finder AP sends a large number of broadcast data packets to occupy the working channel of the AP judged to be rogue, blocking the association between the scanned STA and that AP, so that the scanned STA gives up using it of its own accord.
Step S1008 above is performed first. If the association is still not released, the finder AP sends a large number of broadcast data packets to occupy the working channel of the AP judged to be rogue. Network latency then generally becomes abnormally large and the connection very slow, and users generally give up using the rogue wireless network of their own accord.
With the wireless LAN secure access method provided by Embodiment one of the present invention, when a rogue AP is found, the finder AP can release or block in time the association between the STA and the AP judged to be rogue, so that users do not access a rogue wireless network and suffer leakage of personal information or economic loss.
Embodiment two
Embodiment two of the present invention provides a wireless LAN secure access device. Fig. 4 is a schematic structural diagram of a wireless LAN secure access device provided by an embodiment of the present invention. The wireless LAN secure access device includes: a safety database 202, a dynamic database 204, a scanning unit 206, a judging unit 208 and a release unit 210.
The safety database 202 is used to store the MAC addresses of legitimate APs.
The dynamic database 204 is used to dynamically record the association information, reported by each currently legitimate AP, between an STA and that legitimate AP, and to store the MAC address of the STA, the MAC address of the legitimate AP and their association information in the dynamic database.
The scanning unit 206 is used to scan the surrounding wireless signals through a legitimate finder AP, capture the data messages exchanged between a scanned STA and a scanned AP, and parse them to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association.
The judging unit 208 is used to search the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found. If it is not found, the scanned AP is judged to be a rogue AP. If it is found, the dynamic database is searched with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found. If it is found, the scanned AP is judged to be a legitimate AP; if it is not found, the scanned AP is judged to be a rogue AP.
The release unit 210 is used, when the judging unit judges the scanned AP to be a rogue AP, to forge through the finder AP the same MAC address as the scanned STA and send a disassociation message to the AP judged to be rogue, so that the AP judged to be rogue releases its association with the scanned STA. In addition, when the AP judged to be rogue fails to release its association with the scanned STA, the release unit sends through the finder AP a large number of broadcast data packets that occupy the working channel of the AP judged to be rogue, blocking the association between the scanned STA and that AP, so that the scanned STA gives up using it of its own accord.
The wireless LAN secure access device provided by Embodiment one of the present invention builds a safety database that stores the MAC addresses of legitimate APs and a dynamic database that stores the association information, reported by each currently legitimate AP, between an STA and that legitimate AP. The MAC addresses of the STA and AP scanned in real time by the finder AP, together with their association, are looked up in the safety database and the dynamic database, and the query result determines whether the scanned AP is a legitimate AP, so that rogue APs are found in time. In addition, the finder AP can further release or block the association established between the STA and the AP judged to be rogue, ensuring that the STA accesses a legitimate wireless network, protecting users' personal information from compromise, and avoiding the losses caused by leakage of personal information.
In the above embodiments provided by the present invention, it should be understood that the disclosed apparatus and method can be implemented in other ways. For example, the device embodiment described above is only schematic. The division into modules is only a division by logical function, and other divisions are possible in an actual implementation: multiple modules or components may be combined or integrated into another system, or some features may be ignored or not performed.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
The above are only embodiments of the present invention and do not limit the scope of the patent. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical schemes described in the foregoing specific embodiments or make equivalent replacements of some of their technical features. Any equivalent structure made using the content of the description and drawings of the present invention, and used directly or indirectly in other related technical fields, likewise falls within the scope of patent protection of the present invention.

Claims (10)

1. A wireless LAN secure access method, characterised in that it includes:
receiving the pre-registration of legitimate APs in the wireless network and building a safety database for storing the MAC addresses of the legitimate APs;
dynamically recording the association information, reported by each currently legitimate AP, between an STA and that legitimate AP, building a dynamic database, and storing the MAC address of the STA, the MAC address of the legitimate AP and their association information in the dynamic database;
scanning the surrounding wireless signals through a legitimate finder AP, capturing the data messages exchanged between a scanned STA and a scanned AP, and parsing them to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association;
searching the safety database with the MAC address of the scanned AP as the key to see whether an identical MAC address is found; if it is found,
searching the dynamic database with the MAC address of the scanned AP, the MAC address of the scanned STA and their association as the key to see whether an identical association is found; and if it is not found, judging the scanned AP to be a rogue AP.
2. The method according to claim 1, characterized in that the step of searching the dynamic database, using the MAC address of the scanned AP, the MAC address of the scanned STA and their association relationship as the key, to determine whether an identical association relationship is found further comprises: if it is found, judging the scanned AP to be a legal AP.
3. The method according to claim 1, characterized in that the step of searching the safety database, using the MAC address of the scanned AP as the key, to determine whether an identical MAC address is found further comprises: if it is found, judging the scanned AP to be a rogue AP.
4. The method according to claim 1, characterized in that the method further comprises: when the scanned AP is judged to be a rogue AP, the finder AP forges a MAC address identical to that of the scanned STA and sends a disassociation message to the AP judged to be illegal, so that the AP judged to be illegal releases its association relationship with the scanned STA.
5. The method according to claim 4, characterized in that the method further comprises:
when the AP judged to be illegal fails to release its association relationship with the scanned STA, the finder AP sends a large number of broadcast data packets to occupy the working channel of the AP judged to be illegal, preventing the association relationship between the scanned STA and that AP, so that the scanned STA automatically abandons its use.
6. A wireless LAN secure access device, characterized by comprising: a safety database, a dynamic database, a scanning unit and a judging unit, wherein
the safety database is used for storing the MAC addresses of legal APs;
the dynamic database is used for dynamically recording the association information, reported by a current legal AP, that an STA has established with that legal AP, and for storing the MAC address of the STA, the MAC address of the legal AP and the association information between the two;
the scanning unit is used for scanning the surrounding wireless signals through a legal finder AP, capturing the data messages exchanged between a scanned STA and a scanned AP, and parsing them to obtain the MAC address of the scanned STA, the MAC address of the scanned AP and their association relationship;
the judging unit is used for searching the safety database, using the MAC address of the scanned AP as the key, to determine whether an identical MAC address is found; if it is found, searching the dynamic database, using the MAC address of the scanned AP, the MAC address of the scanned STA and their association relationship as the key, to determine whether an identical association relationship is found; and, if it is not found, judging the scanned AP to be a rogue AP.
7. The device according to claim 6, characterized in that the judging unit is further used for searching the dynamic database, using the MAC address of the scanned AP, the MAC address of the scanned STA and their association relationship as the key, to determine whether an identical association relationship is found, and, if it is found, judging the scanned AP to be a legal AP.
8. The device according to claim 6, characterized in that the judging unit is further used for searching the safety database, using the MAC address of the scanned AP as the key, to determine whether an identical MAC address is found, and, if it is not found, judging the scanned AP to be a rogue AP.
9. The device according to claim 6 or 8, characterized by further comprising: a lifting unit, used for, when the judging unit judges the scanned AP to be a rogue AP, forging through the finder AP a MAC address identical to that of the scanned STA and sending a disassociation message to the AP judged to be illegal, so that the AP judged to be illegal releases its association relationship with the scanned STA.
10. The device according to claim 9, characterized in that the lifting unit is further used for, when the AP judged to be illegal fails to release its association relationship with the scanned STA, sending a large number of broadcast data packets through the finder AP to occupy the working channel of the AP judged to be illegal, preventing the association relationship between the scanned STA and that AP, so that the scanned STA automatically abandons its use.
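
The two-stage lookup performed by the judging unit in claims 6 to 8, as an added Python example that is not code from the patent. The class and function names, the set-based databases, the rejection of reports from unregistered APs and all MAC addresses are assumptions constructed for illustration.

```python
from enum import Enum


class Verdict(Enum):
    LEGAL = "legal AP"
    ROGUE_UNKNOWN_MAC = "rogue AP: MAC not in safety database"
    ROGUE_NO_ASSOCIATION = "rogue AP: association not in dynamic database"


def norm(mac):  # canonical form, so 'AA-BB-...' and 'aa:bb:...' compare equal
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class JudgingUnit:
    def __init__(self):
        self.safety_db = set()   # MACs of pre-registered legal APs
        self.dynamic_db = set()  # (STA MAC, AP MAC) pairs reported by legal APs

    def register_ap(self, ap_mac):
        self.safety_db.add(norm(ap_mac))

    def report_association(self, sta_mac, ap_mac):
        ap = norm(ap_mac)
        if ap not in self.safety_db:  # assumption: only registered APs may report
            raise PermissionError(f"report from unregistered AP {ap}")
        self.dynamic_db.add((norm(sta_mac), ap))

    def judge(self, sta_mac, ap_mac):  # one STA/AP pair captured by the finder AP
        sta, ap = norm(sta_mac), norm(ap_mac)
        if ap not in self.safety_db:           # stage 1: safety database
            return Verdict.ROGUE_UNKNOWN_MAC
        if (sta, ap) not in self.dynamic_db:   # stage 2: dynamic database
            return Verdict.ROGUE_NO_ASSOCIATION
        return Verdict.LEGAL


def demo():
    unit = JudgingUnit()  # every MAC address below is a constructed sample
    unit.register_ap("02:00:00:AA:00:01")
    unit.report_association("02-00-00-11-00-01", "02:00:00:aa:00:01")
    scanned = [  # (scanned STA, scanned AP) pairs parsed from captured frames
        ("02:00:00:11:00:01", "02:00:00:aa:00:01"),  # reported by the legal AP
        ("02:00:00:11:00:02", "02:00:00:aa:00:01"),  # AP MAC cloned, STA unreported
        ("02:00:00:11:00:03", "02:00:00:bb:00:09"),  # AP MAC never registered
    ]
    return [unit.judge(sta, ap) for sta, ap in scanned]
```

The second sample pair is the case the dynamic database exists for: an AP that copies a registered MAC address passes the first lookup and is caught only because the legal AP never reported that STA.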
CN201710122664.9A 2017-03-03 2017-03-03 Wireless local area network security access method and device Active CN106982434B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710122664.9A CN106982434B (en) 2017-03-03 2017-03-03 Wireless local area network security access method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710122664.9A CN106982434B (en) 2017-03-03 2017-03-03 Wireless local area network security access method and device

Publications (2)

Publication Number Publication Date
CN106982434A true CN106982434A (en) 2017-07-25
CN106982434B CN106982434B (en) 2020-02-11

Family

ID=59338275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710122664.9A Active CN106982434B (en) 2017-03-03 2017-03-03 Wireless local area network security access method and device

Country Status (1)

Country Link
CN (1) CN106982434B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060045272A1 (en) * 2004-08-26 2006-03-02 Satoshi Ohaka Control program, communication relay apparatus control method, communication relay apparatus, and system
CN1996893A (en) * 2006-12-25 2007-07-11 杭州华为三康技术有限公司 Method, device and system for monitoring illegal access point in the wireless LAN
CN101079741A (en) * 2007-06-29 2007-11-28 杭州华三通信技术有限公司 Access point, access controller and method for monitoring illegal access
CN102843682A (en) * 2012-08-20 2012-12-26 中国联合网络通信集团有限公司 Access point authorizing method, device and system
CN103634270A (en) * 2012-08-21 2014-03-12 中国电信股份有限公司 A method for identifying validity of an access point, a system thereof and an access point discriminating server

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003862A (en) * 2020-08-24 2020-11-27 迈普通信技术股份有限公司 Terminal safety protection method, device, system and storage medium
CN112003862B (en) * 2020-08-24 2022-08-12 迈普通信技术股份有限公司 Terminal safety protection method, device, system and storage medium
CN113225788A (en) * 2021-04-20 2021-08-06 Oppo广东移动通信有限公司 WiFi connection method and device, electronic equipment and readable storage medium
CN113473471A (en) * 2021-06-21 2021-10-01 杭州网银互联科技股份有限公司 Method for blocking wireless mobile terminal from accessing illegal AP

Also Published As

Publication number Publication date
CN106982434B (en) 2020-02-11

Similar Documents

Publication Publication Date Title
CN101208981B (en) Security parameters for negotiation protecting management frames in wireless networks
CN105897782A (en) Method and device for treating call request of interface
CN103313429B (en) A kind of processing method identifying forgery WIFI hot spot
CN105898743B (en) A kind of method for connecting network, apparatus and system
CN106572464B (en) Illegal AP monitoring method in wireless local area network, inhibition method thereof and monitoring AP
CN106961683A (en) A kind of method, system and finder AP for detecting rogue AP
CN105681272B (en) The detection of mobile terminal fishing WiFi a kind of and resist method
CN104580116B (en) A kind of management method and equipment of security strategy
CN106792704A (en) A kind of method and device for detecting fishing access point
CN104053154B (en) A kind of wireless network access controlling method, device and access point apparatus
CN103297437A (en) Safety server access method for mobile intelligent terminal
CN106982434A (en) A kind of wireless LAN safety cut-in method and device
CN106559783A (en) A kind of authentication method to WIFI network, device and system
CN106211157A (en) Base station reorientation method and base station redirection device
TWI474668B (en) Method for distinguishing and blocking off network node
CN106255106A (en) A kind of wireless network connecting method and device
CN103430582B (en) Prevention of eavesdropping type of attack in hybrid communication system
CN106792684A (en) The wireless network secure guard system and means of defence of a kind of multiple-protection
CN108965241A (en) Based on WLAN source address verification method
CN101610509B (en) Method, device and system for protecting communication security
CN106412904B (en) Method and system for preventing counterfeit user authentication authority
CN106714158A (en) WiFi access method and device
CN107302785A (en) A kind of cut-in method, smart machine, gateway and access system
CN107241461A (en) MAC Address acquisition methods, gateway device, network authentication apparatus and network system
CN104144417B (en) Mobile Internet access Subscriber Number inverse-checking method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201106

Address after: Room 10242, No. 260, Jiangshu Road, Xixing street, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: Hangzhou Jiji Intellectual Property Operation Co.,Ltd.

Address before: 201616 Shanghai city Songjiang District Sixian Road No. 3666

Patentee before: Phicomm (Shanghai) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20221230

Address after: 110000 Room 301, No. 73, Yalujiang East Street, Huanggu District, Shenyang, Liaoning 1002

Patentee after: Shenyang bangcui Technology Co.,Ltd.

Address before: Room 10242, No. 260, Jiangshu Road, Xixing street, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou Jiji Intellectual Property Operation Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20231016

Address after: Room 704, 705, and 706, Block B, Building 1, No. 200 Tianfu Fifth Street, Chengdu High tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu City, Sichuan Province, 610095

Patentee after: Chengdu Chengdian bangcui Technology Co.,Ltd.

Address before: 110000 Room 301, No. 73, Yalujiang East Street, Huanggu District, Shenyang, Liaoning 1002

Patentee before: Shenyang bangcui Technology Co.,Ltd.
