CN113891316A - Wireless device access control method and device

Publication number: CN113891316A (granted as CN113891316B)
Application number: CN202111044423.XA
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 郑杰, 俞哲伟, 秦德楼
Assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: Granted (active)

Classifications

    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
Abstract

The application provides a wireless device access control method and apparatus. The method may comprise the following steps: for a target wireless device requesting access to a target wireless network, obtaining a target device characteristic fingerprint of the target wireless device, where the target device characteristic fingerprint is composed of target device characteristics extracted from wireless management frame messages sent by the target wireless device and target application characteristics extracted from application data frame messages sent by the target wireless device; matching the target device characteristic fingerprint against the historical device characteristic fingerprints of historical wireless devices that have accessed the target wireless network, as recorded in a characteristic fingerprint database; and, if the matching succeeds, allowing the target wireless device to access the target wireless network.

Description

Wireless device access control method and device
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for controlling access of a wireless device.
Background
Through wireless communication technology, a device with wireless communication capability can connect to a wireless network wirelessly. To enhance the security of the wireless network, a Media Access Control (MAC) address may be used to screen which wireless devices are allowed to access it, but illegal persons can easily get the illegal devices they use onto the wireless network by counterfeiting a MAC address, which threatens the security of the wireless network.
Disclosure of Invention
In view of the above, the present application provides a method and an apparatus for controlling access of a wireless device to a wireless network.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, a wireless device access control method is provided, which is applied to a wireless controller, and includes:
for a target wireless device requesting access to a target wireless network, obtaining a target device characteristic fingerprint of the target wireless device, where the target device characteristic fingerprint is composed of target device characteristics extracted from wireless management frame messages sent by the target wireless device and target application characteristics extracted from application data frame messages sent by the target wireless device;
matching the target device characteristic fingerprint against the historical device characteristic fingerprints of historical wireless devices that have accessed the target wireless network, as recorded in a characteristic fingerprint database;
and, if the matching succeeds, allowing the target wireless device to access the target wireless network.
According to a second aspect of the present application, a wireless device access control method is provided, which is applied to a wireless access point, the wireless access point being configured to establish a target wireless network, the method including:
for a target wireless device requesting access to the target wireless network, extracting target device characteristics from the wireless management frame messages sent by the target wireless device, and extracting target application characteristics from the application data frame messages;
combining the target device characteristics and the target application characteristics into a target wireless device characteristic fingerprint, and sending the characteristic fingerprint to a wireless controller, so that the wireless controller matches the target wireless device characteristic fingerprint against the historical characteristic fingerprints of historical wireless devices that have accessed the target wireless network, as recorded in a characteristic fingerprint database;
and admitting the target wireless device to the target wireless network if the matching is determined to be successful.
According to a third aspect of the present application, there is provided a wireless device access control apparatus, applied to a wireless controller, including:
an acquisition unit, configured to acquire, for a target wireless device that requests access to a target wireless network, a target device characteristic fingerprint of the target wireless device, where the target device characteristic fingerprint is composed of target device characteristics extracted from the wireless management frame messages sent by the target wireless device and target application characteristics extracted from the application data frame messages sent by the target wireless device;
a matching unit, configured to match the target device characteristic fingerprint against the historical device characteristic fingerprints of historical wireless devices that have accessed the target wireless network, as recorded in a characteristic fingerprint database, and, if the matching succeeds, to allow the target wireless device to access the target wireless network.
According to a fourth aspect of the present application, a wireless device access control apparatus is provided, which is applied to a wireless access point, the wireless access point being configured to establish a target wireless network, the apparatus includes:
an extraction unit, configured to extract, for a target wireless device requesting access to the target wireless network, target device characteristics from the wireless management frame messages sent by the target wireless device and target application characteristics from the application data frame messages;
a fingerprint generating unit, configured to combine the target device characteristics and the target application characteristics into a target wireless device characteristic fingerprint and send the characteristic fingerprint to a wireless controller, so that the wireless controller can match the target wireless device characteristic fingerprint against the historical characteristic fingerprints of historical wireless devices that have accessed the target wireless network, where the historical characteristic fingerprints are recorded in a characteristic fingerprint database;
and an access unit, configured to admit the target wireless device to the target wireless network if the matching is determined to be successful.
According to a fifth aspect of the present application, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method as described in the embodiments of the first and second aspects by executing the executable instructions.
According to a sixth aspect of embodiments of the present application, there is provided a computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method as described in the embodiments of the first and second aspects above.
According to the technical scheme provided by this application, wireless device characteristics and application characteristics are extracted from wireless management frames and application data frames, and the two are used together to generate a wireless device characteristic fingerprint. A wireless device characteristic fingerprint can uniquely identify a wireless device and is difficult to counterfeit. Therefore, if the characteristic fingerprint of a wireless device matches the characteristic fingerprint of a historical device that has successfully accessed the wireless network, the wireless device is one of the historical devices already allowed to access, not a counterfeit of that historical device, and it can be allowed to access the wireless network; a device counterfeiting the historical device is thus prevented from accessing the wireless network, and the access security of the wireless network is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a flow chart illustrating a method for wireless device access control according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart illustrating another method of wireless device access control according to an exemplary embodiment of the present application;
Fig. 3 is a schematic diagram of a network architecture to which a wireless device access control method according to an embodiment of the present application is applied;
Fig. 4 is a detailed flowchart illustrating a method for wireless device access control according to an exemplary embodiment of the present application;
Fig. 5 is a schematic diagram of an electronic device according to an exemplary embodiment of the present application;
Fig. 6 is a block diagram illustrating a wireless device access control apparatus according to an exemplary embodiment of the present application;
Fig. 7 is a block diagram illustrating another wireless device access control apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at the time of ...", "when ..." or "in response to determining ...", depending on the context.
Next, examples of the present application will be described in detail.
Fig. 1 is a flow chart illustrating a wireless device access method according to an exemplary embodiment of the present application. As shown in fig. 1, the method applied to the wireless controller may include the following steps:
Step 102: for a target wireless device requesting access to a target wireless network, acquire a target device characteristic fingerprint of the target wireless device, where the target device characteristic fingerprint is composed of target device characteristics extracted from the wireless management frame messages sent by the target wireless device and target application characteristics extracted from the application data frame messages sent by the target wireless device.
In an embodiment, a wireless access point controller (AC) may be used to manage all access points (APs) in a wireless network, for example to issue configuration to the APs, modify relevant configuration parameters, perform radio frequency management, perform access security control, and so on. A wireless device accesses the wireless network through an AP, and the AC can perform security control on the wireless devices that need to access the wireless network.
In one embodiment, when a wireless device (hereinafter the target wireless device) requests to join a wireless network (hereinafter the target wireless network), the target wireless device sends different types of messages; the wireless access point can collect these messages and extract the required information from them. In this application, the wireless access point mainly collects two types of messages: wireless management frame messages and application data frame messages.
It should be noted that several types of frame messages count as wireless management frame messages, such as Probe Request frame messages, Authentication frame messages, Association Request frame messages, and so on. The probe request frame message is usually sent when the target wireless device enables its wireless network card and scans for the wireless signal of the target wireless network; it carries network card information of the target wireless device. The authentication frame message and the association request frame message are sent when the device connects to a particular wireless signal, and they also carry the network card information of the target wireless device.
Further, the wireless access point may obtain from the wireless management frame messages information that represents the device characteristics of the target wireless device, such as radio frequency information, device manufacturer information, rate set information, and wireless network card performance parameters. Together this information forms the target device characteristics of the target wireless device; if the device characteristics of two wireless devices are the same, this indicates that the two wireless devices are of the same manufacturer and the same model.
To distinguish at a finer granularity whether two wireless devices are the same device, the wireless access point in this application can also collect application data frame messages. When the target wireless device requests to connect to the target wireless network, the applications installed on the target wireless device send application data frame messages in an attempt to connect; these are generally TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) messages, and the wireless access point may collect connection information from both types of application data frame messages as the target application characteristics of the target wireless device. For example, the wireless access point may collect, from the application data frame messages, the 4-tuple (source IP address, source port number, destination IP address, destination port number) of the messages sent by each application, and use the 4-tuples of all applications as the target application characteristics of the target wireless device. Of course, the 4-tuple is only one form of connection information; the wireless access point may also use the 3-tuple (source port number, destination IP address, destination port number) of the application data frame messages sent by all applications as the target application characteristics, or use other information from the application data frame messages sent by the applications installed on the target wireless device (for example, 5-tuple or 7-tuple information), which this application does not limit.
Further, if the target application characteristics of the target wireless device are the same as or similar to the application characteristics of another device, this indicates that the applications installed on the target wireless device are the same as or similar to those installed on the other device. For a given wireless device, the probability that its device characteristics are the same as another wireless device's and, at the same time, its application characteristics are the same as (or sufficiently similar to) that device's is extremely low. Therefore, when the device characteristics of two wireless devices are the same and their application characteristics are the same or reach a certain similarity, the two can be identified as the same device; in other words, the device characteristics and the application characteristics can be combined into a device characteristic fingerprint that uniquely identifies the wireless device.
Step 104: match the target device characteristic fingerprint against the historical device characteristic fingerprints of historical wireless devices that have accessed the target wireless network, as recorded in a characteristic fingerprint database.
Step 106: if the matching succeeds, allow the target wireless device to access the target wireless network.
Since the device characteristic fingerprint can uniquely identify a wireless device, when the target wireless device requests access to the target wireless network, access can be decided by matching the target device characteristic fingerprint against the historical device characteristic fingerprints of historical wireless devices recorded in the characteristic fingerprint library. The characteristic fingerprint library records the historical device characteristic fingerprints of historical wireless devices that have successfully accessed the target wireless network. If the target device characteristic fingerprint of the target wireless device matches the historical device characteristic fingerprint of a historical device, the target wireless device is one of the devices that has successfully accessed the target wireless network.
When the target wireless device characteristic fingerprint and the historical device characteristic fingerprint are treated as a whole, the wireless controller can match the whole of the target fingerprint against the whole of the historical fingerprint. In this case, the criterion for a successful match may be set as: the specific parameters of each type of feature in the target wireless device characteristic fingerprint are the same as the parameters of the corresponding features in the historical device characteristic fingerprint, or the proportion of parameters in the target fingerprint that are the same as those of the corresponding features in the historical fingerprint reaches a preset ratio. This application does not limit the specific value of the preset ratio.
Since the characteristic fingerprint of a wireless device in this application consists of at least two parts, the device features and the application features, the two types of features can also be matched separately:
As for the device features, as noted above they reflect whether two devices are of the same manufacturer and model, and they may include radio frequency information, device manufacturer information, rate set information, wireless network card performance parameters, and so on, none of which change as the user uses the device. Therefore, when the target device features of the target wireless device are the same as the corresponding parameters in the historical device features of a historical device characteristic fingerprint, the target wireless device and the historical device can be considered devices of the same manufacturer and model, that is, the device features are considered to match successfully.
As for the application features, as noted above they are formed from the connection information of the messages sent by the applications installed on the wireless device. When the connection information of the messages sent by the applications installed on the target wireless device is the same as the connection information in the historical device characteristic fingerprint, that is, when the target application features are the same as the historical application features, the application features are considered to match successfully. However, since the applications installed on a wireless device may change slightly with the user's preferences over time, the application features may also be considered to match successfully when the similarity between the connection information of the messages sent by the applications installed on the target wireless device and the connection information in the historical device characteristic fingerprint reaches a preset threshold, that is, when the similarity between the target application features and the historical application features reaches the preset threshold.
If the application features of the target wireless device match those of the historical device successfully, the applications installed on the two devices can be considered the same or similar. Further, if the device features of the target wireless device are also the same as those of the historical device, the historical device and the target wireless device are not only of the same manufacturer and model but also have the same or similar applications installed. The probability that two different devices satisfy both conditions at once is extremely low, so the two features can be combined into a characteristic fingerprint that uniquely identifies the wireless device.
As can be seen from the foregoing, since the uniqueness of the target device characteristic fingerprint is determined by the device features together with the application features, the wireless controller can determine that the target wireless device characteristic fingerprint matches the historical device characteristic fingerprint successfully only if both the device features and the application features match successfully, and only then allow the target wireless device to access the target wireless network. The two types of features can be matched simultaneously or one after the other. For example, the device features can be matched first: if they do not match, the application feature matching is skipped, the match between the target wireless device characteristic fingerprint and the historical device characteristic fingerprint is directly determined to have failed, and an alarm is raised. Alternatively, the application features can be matched first: if they do not match, the device feature matching is skipped, the fingerprint match is directly determined to have failed, and an alarm is raised.
The above embodiment can confirm, through the uniquely identifying device characteristic fingerprint, whether the target wireless device is one of the devices that have historically accessed the target wireless network, and can prevent a device counterfeiting such a historical device from accessing the target wireless network. However, if the target wireless device is a new wireless device that has not yet accessed the target wireless network, it likewise cannot access the target wireless network using the method of the above embodiment.
For this situation, wireless devices that have not yet accessed the target wireless network can be admitted by screening MAC addresses. Specifically, the wireless controller obtains the MAC address of the target wireless device and matches it against the MAC addresses of the historical devices that have accessed the target wireless network. If the MAC address of the target wireless device differs from the MAC addresses of all historical devices, the target wireless device has not accessed the target wireless network before, and it can be directly allowed to access the target wireless network.
In the other case, the MAC address of the target wireless device is the same as the MAC address of a historical device that has already accessed the target wireless network. The target device characteristic fingerprint of the target wireless device can then be further compared with the historical device characteristic fingerprint of that historical device: if the two fingerprints match, the target wireless device is the historical device; if they do not match, the target wireless device is identified as counterfeiting the MAC address of the historical device, and an alarm can be raised while the target wireless device is prohibited from accessing the target wireless network, so as to alert the administrator to the counterfeit device. Compared with traversing the historical fingerprints and comparing the target device characteristic fingerprint with each one in turn, screening the historical fingerprints by MAC address reduces matching time, improves matching efficiency, and saves data processing resources.
The MAC addresses of devices that have accessed the target wireless network may be stored separately by the wireless controller as a historical MAC address library, with each MAC address in that library associated with the corresponding historical device characteristic fingerprint in the characteristic fingerprint library; the wireless controller can then match the MAC address of the target wireless device against the MAC address library and locate the corresponding historical device characteristic fingerprint in the characteristic fingerprint library based on the MAC address. Alternatively, when recording the characteristic fingerprint of each historical device in the characteristic fingerprint library, the MAC address of that historical device may be used to mark its fingerprint. This application does not limit the storage form of the MAC addresses.
In the above embodiments, this application constructs the characteristic fingerprint of a wireless device from its application features and device features; the fingerprint can serve as a unique identifier of the wireless device and is difficult to counterfeit. The target device's characteristic fingerprint is matched against the historical devices' characteristic fingerprints, and access control is then applied to the wireless device requesting access to the target wireless network according to the matching result. Spoofing the characteristic fingerprint in this application is harder than merely passing a check of whether the target device's MAC address should be allowed onto the target wireless network. Combining fingerprint matching with MAC address screening makes it possible to identify illegal devices that imitate MAC addresses, improving the security of wireless devices' access to the wireless network.
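The matching and MAC-screening procedure described above (steps 104 and 106, the separate matching of device and application features, and the MAC pre-screen for new versus counterfeit devices), worked as an added example; this is illustration code, not code from the patent or from the assignee. The record fields, the Jaccard index as the similarity measure, the threshold value, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Connection information as the page describes it: a 4-tuple of
# (source IP, source port, destination IP, destination port).
Conn = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Fingerprint:
    """Device characteristic fingerprint = device features + application features."""
    device: Tuple[Tuple[str, str], ...]  # sorted (field, value) pairs from management frames
    apps: FrozenSet[Conn]                # connection 4-tuples from application data frames


def build_fingerprint(device_features: Dict[str, str], conns: Iterable[Conn]) -> Fingerprint:
    return Fingerprint(tuple(sorted(device_features.items())), frozenset(conns))


def device_features_match(target: Fingerprint, hist: Fingerprint) -> bool:
    # Device features (vendor, rate set, NIC capabilities, ...) do not change
    # with use, so the page requires them to be identical.
    return target.device == hist.device


def app_similarity(target: Fingerprint, hist: Fingerprint) -> float:
    # Jaccard index over the connection tuples: an assumed similarity measure,
    # the page only says the similarity must "reach a preset threshold".
    if not target.apps and not hist.apps:
        return 1.0
    return len(target.apps & hist.apps) / len(target.apps | hist.apps)


def fingerprints_match(target: Fingerprint, hist: Fingerprint, threshold: float) -> bool:
    # Device features are checked first; if they fail, application matching is
    # skipped and the match is declared failed (one of the orders the page allows).
    if not device_features_match(target, hist):
        return False
    return app_similarity(target, hist) >= threshold


class WirelessController:
    """Access decision logic of the AC: MAC screening first, then fingerprint matching."""

    def __init__(self, threshold: float = 0.75):
        self.threshold = threshold
        # Historical fingerprint library keyed by MAC address (the page's
        # "mark the fingerprint with the MAC address" storage form).
        self.library: Dict[str, Fingerprint] = {}
        self.alerts: List[str] = []

    def decide(self, mac: str, target: Fingerprint) -> str:
        hist = self.library.get(mac)
        if hist is None:
            # MAC never seen: a new device, admitted directly. Recording its
            # fingerprint for later matching is an assumption of this example.
            self.library[mac] = target
            return "allow"
        if fingerprints_match(target, hist, self.threshold):
            return "allow"
        # Same MAC but a different fingerprint: treated as a counterfeit of the
        # historical device; deny access and alert the administrator.
        self.alerts.append(f"fingerprint mismatch for MAC {mac}: possible MAC spoofing")
        return "deny"


def run_demo() -> Dict[str, str]:
    """Constructed scenario; returns the decision for each access request."""
    ac = WirelessController(threshold=0.75)
    # Constructed device features and connection tuples (documentation addresses).
    laptop_dev = {"vendor": "ExampleCo", "rates": "6,12,24,54", "ht_caps": "0x19ef"}
    other_dev = {"vendor": "OtherVendor", "rates": "1,2,5.5,11", "ht_caps": "0x0000"}
    conns_v1 = {
        ("10.0.0.5", 51000, "203.0.113.10", 443),
        ("10.0.0.5", 51001, "203.0.113.20", 443),
        ("10.0.0.5", 51002, "198.51.100.7", 53),
        ("10.0.0.5", 51003, "198.51.100.7", 123),
    }
    conns_v2 = conns_v1 | {("10.0.0.5", 51004, "203.0.113.30", 8443)}  # one new app
    conns_fake = {("10.0.0.9", 40000, "192.0.2.1", 80), ("10.0.0.9", 40001, "192.0.2.2", 22)}
    mac = "02:00:00:aa:bb:cc"  # locally administered, constructed

    results: Dict[str, str] = {}
    results["first_visit"] = ac.decide(mac, build_fingerprint(laptop_dev, conns_v1))
    results["returning"] = ac.decide(mac, build_fingerprint(laptop_dev, conns_v2))
    results["spoof_other_model"] = ac.decide(mac, build_fingerprint(other_dev, conns_v1))
    results["spoof_same_model"] = ac.decide(mac, build_fingerprint(laptop_dev, conns_fake))
    results["alerts"] = str(len(ac.alerts))
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The returning device passes with a similarity of 4/5 against the threshold of 0.75, while both spoofing attempts with the same MAC are denied and produce an alert.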
Fig. 2 is a flow chart illustrating a wireless device access method according to an exemplary embodiment of the present application. As shown in fig. 2, the method applied to the wireless access point may include the following steps:
Step 204: for a target wireless device requesting access to the target wireless network, extract the target device characteristics from the wireless management frame messages sent by the target wireless device, and extract the target application characteristics from the application data frame messages.
Step 206: combine the target device characteristics and the target application characteristics into a target wireless device characteristic fingerprint, and send the characteristic fingerprint to the wireless controller, so that the wireless controller matches it against the historical characteristic fingerprints of historical wireless devices that have accessed the target wireless network, as recorded in a characteristic fingerprint database.
Step 208: if the matching is determined to be successful, admit the target wireless device to the target wireless network.
For the detailed embodiment of the step corresponding to fig. 2, reference may be made to the related embodiment of the step corresponding to fig. 1, which is not described herein again.
Fig. 3 is a schematic diagram of the network architecture of a system to which the embodiments of the present application apply. As shown in fig. 3, 31, 32 and 33 denote wireless devices that are wirelessly connected to the wireless access points numbered 34, 35 and 36; the wireless access points form a wireless network and connect the wireless devices to it. The wireless controller 37 centrally controls the wireless access points 34 to 36. It is one of the important components of a wireless network: it manages all wireless access points in the network and implements functions such as issuing configuration, modifying related configuration parameters, intelligent radio frequency management and access security control.
Fig. 4 is a flow chart illustrating a method for wireless device access control according to an exemplary embodiment of the present application. The steps involved in fig. 4 are described in detail below in conjunction with the network architecture diagram shown in fig. 3:
In step 402, the wireless controller 37 obtains the target device characteristic fingerprint.
Assume that the target wireless device is the wireless device 31 shown in fig. 3, that the wireless access point corresponding to the target wireless device is the wireless access point 34, and that the wireless network the target wireless device 31 requests to join is called the target wireless network. The wireless controller 37 may obtain the target device characteristic fingerprint of the target wireless device 31 from the wireless access point 34. The characteristic fingerprint consists of target device characteristics extracted by the wireless access point 34 from the wireless management frame messages sent by the target wireless device 31 and target application characteristics extracted from the application data frame messages sent by the target wireless device 31.
For example, the wireless management frames may be of three types: Probe Request frames, Authentication frames and Association Request frames. The fields that the wireless access point 34 extracts from the wireless management frames are mainly: RF (radio frequency) information, device vendor information, rate set information and wireless network card capability parameters. The wireless access point 34 records the radio frequency information extracted from the Probe Request frame as RF_A, the device vendor information as Vendor_P_A, the rate set as Rate_Support_P_A and the network card capability parameter as HT_CAP_P_A; the device vendor information extracted from the Authentication frame as Vendor_Auth_A, the rate set as Rate_Support_Auth_A and the network card capability parameter as HT_CAP_Auth_A; and the device vendor information extracted from the Association Request frame as Vendor_Ass_A, the rate set as Rate_Support_Ass_A and the network card capability parameter as HT_CAP_Ass_A. The wireless access point 34 then assembles these values as the target device characteristics of the target wireless device, namely: RF_A, Vendor_P_A, Rate_Support_P_A, HT_CAP_P_A, Vendor_Auth_A, Rate_Support_Auth_A, HT_CAP_Auth_A, Vendor_Ass_A, Rate_Support_Ass_A, HT_CAP_Ass_A.
For the target application characteristics, it is assumed that an application characteristic consists of the triplet (source port, destination IP, destination port) carried in the TCP or UDP packets sent when an application installed on the target wireless device 31 accesses the target wireless network. Assuming that a total of n applications are installed on the target wireless device 31, the target application characteristics of the target wireless device 31 can be expressed as {(SPORT1, DIP1, DPORT1), (SPORT2, DIP2, DPORT2), …, (SPORTn, DIPn, DPORTn)}, where SPORT denotes the source port, DIP the destination IP and DPORT the destination port.
The target device characteristics and the target application characteristics together form the target device characteristic fingerprint of the target wireless device 31.
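The following added example, which is not part of the patent or the applicant's code, shows how the per-frame device characteristics above (vendor, rate set, HT capability parameter) can be extracted from the tagged element portion of IEEE 802.11 management frame bodies and assembled into the ten-parameter device feature set. It assumes the fixed fields that precede the elements have already been stripped, treats the RF information as a caller-supplied string (it comes from the radio, not the frame body), and uses a constructed Probe Request element sequence rather than a captured frame; the Authentication frame is passed as empty because it normally carries no tagged elements.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IEEE 802.11 element IDs used by the extractor (standard values).
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_HT_CAPABILITIES = 45
IE_EXT_SUPPORTED_RATES = 50
IE_VENDOR_SPECIFIC = 221


@dataclass(frozen=True)
class FrameFeatures:
    """Features recoverable from the tagged elements of one management frame."""
    vendor_ouis: Tuple[str, ...]   # OUIs of Vendor Specific elements, in order of appearance
    rates_mbps: Tuple[float, ...]  # Supported + Extended Supported Rates, in order
    ht_cap: Optional[str]          # hex of the HT Capabilities element value, None if absent


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Split an (ID, length, value) element sequence; rejects truncated or trailing bytes."""
    elements: List[Tuple[int, bytes]] = []
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"element {tag} truncated at offset {pos}")
        elements.append((tag, value))
        pos += 2 + length
    if pos != len(body):
        raise ValueError("trailing bytes after the last element")
    return elements


def is_well_formed(body: bytes) -> bool:
    """True when the element sequence parses cleanly; malformed bodies yield no fingerprint."""
    try:
        parse_ies(body)
        return True
    except ValueError:
        return False


def extract_frame_features(body: bytes) -> FrameFeatures:
    vendors: List[str] = []
    rates: List[float] = []
    ht_cap: Optional[str] = None
    for tag, value in parse_ies(body):
        if tag in (IE_SUPPORTED_RATES, IE_EXT_SUPPORTED_RATES):
            # Each byte encodes a rate in 500 kb/s units; bit 7 marks a basic rate.
            rates.extend((b & 0x7F) / 2 for b in value)
        elif tag == IE_HT_CAPABILITIES:
            ht_cap = value.hex()
        elif tag == IE_VENDOR_SPECIFIC and len(value) >= 3:
            vendors.append(value[:3].hex(":"))  # first three bytes are the OUI
    return FrameFeatures(tuple(vendors), tuple(rates), ht_cap)


def build_device_features(rf_info: str, probe_req: bytes, auth: bytes, assoc_req: bytes) -> Dict[str, object]:
    """Assemble the ten parameters RF, Vendor_*, Rate_Support_*, HT_CAP_* named in the description."""
    features: Dict[str, object] = {"RF": rf_info}
    for suffix, body in (("P", probe_req), ("Auth", auth), ("Ass", assoc_req)):
        frame = extract_frame_features(body)
        features[f"Vendor_{suffix}"] = frame.vendor_ouis
        features[f"Rate_Support_{suffix}"] = frame.rates_mbps
        features[f"HT_CAP_{suffix}"] = frame.ht_cap
    return features


# Constructed Probe Request element sequence (hypothetical, not a real capture):
# SSID "lab", basic rates 1/2/5.5/11 Mb/s, a 26-byte HT Capabilities element
# and a Vendor Specific element carrying OUI 00:50:f2.
PROBE_REQ_IES = (
    bytes([IE_SSID, 3]) + b"lab"
    + bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    + bytes([IE_HT_CAPABILITIES, 26]) + bytes([0x2D, 0x01, 0x17]) + b"\xff\xff" + bytes(14) + bytes(7)
    + bytes([IE_VENDOR_SPECIFIC, 9, 0x00, 0x50, 0xF2, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00])
)

if __name__ == "__main__":
    print(build_device_features("channel 6 / 2437 MHz", PROBE_REQ_IES, b"", PROBE_REQ_IES))
```

Rejecting malformed element sequences before fingerprinting matters on an access point: a body whose length bytes run past the end must not be silently truncated into a partial fingerprint that later "matches" a historical record.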
At step 404, the wireless controller 37 acquires the MAC address of the target wireless device 31.
The MAC address of the target wireless device 31 may be collected by the wireless access point 34 and sent to the wireless controller 37, or may be collected by the wireless controller 37, which is not limited in this application.
In step 406, the wireless controller 37 queries the characteristic fingerprint library for a historical device with the same MAC address as the target wireless device 31.
It is assumed that each historical characteristic fingerprint recorded in the characteristic fingerprint library is labelled with the MAC address of the corresponding historical device. The wireless controller can therefore determine from the characteristic fingerprint library whether, among the devices that have historically connected to the target wireless network, there is a historical device with the same MAC address as the target wireless device 31.
If no historical device in the characteristic fingerprint library has the same MAC address as the target wireless device 31, the target wireless device 31 has never connected to the target wireless network. Step 408b may then be entered, allowing the target wireless device 31 to connect to the target wireless network. A device that has never connected before is admitted because, in practice, a malicious device typically gains illegal access to the target wireless network by counterfeiting the MAC address of a historical device that has already connected; if the MAC address of the target wireless device 31 has never connected to the target wireless network, the target wireless device 31 need not be suspected of counterfeiting the MAC address of a historical device and can be admitted directly. Of course, if the access condition of the target wireless network is set to "only devices that have historically connected to the target wireless network may connect", the target wireless device 31 may instead be directly denied access to the target wireless network in step 408b.
If a historical device in the characteristic fingerprint library has the same MAC address as the target wireless device 31, step 408a may be entered.
In step 408a, the historical characteristic fingerprint of the historical device having the same MAC address as the target wireless device is determined from the characteristic fingerprint library.
Step 410a, matching the target characteristic fingerprint with the determined historical characteristic fingerprint.
Since the historical characteristic fingerprint of each historical device in the characteristic fingerprint library is labelled with the corresponding MAC address, the above steps yield the historical characteristic fingerprint of the historical device whose MAC address equals that of the target wireless device. The wireless controller 37 may then match the target device characteristic fingerprint of the target wireless device 31 against this historical device characteristic fingerprint.
Specifically, assume that the historical device characteristics contained in the historical device characteristic fingerprint are: RF_B, Vendor_P_B, Rate_Support_P_B, HT_CAP_P_B, Vendor_Auth_B, Rate_Support_Auth_B, HT_CAP_Auth_B, Vendor_Ass_B, Rate_Support_Ass_B, HT_CAP_Ass_B. The wireless controller 37 may compare each of these parameters one by one with the corresponding parameter in the target device characteristic fingerprint, for example checking whether Vendor_P_B and Vendor_P_A are the same, and likewise for the other parameters. If every parameter in the historical device characteristics equals the corresponding parameter in the target device characteristics, the target device characteristics and the historical device characteristics can be considered successfully matched.
For the application characteristics, assume that the historical application characteristics contained in the historical device characteristic fingerprint are {(SPORT1, DIP1, DPORT1), (SPORT2, DIP2, DPORT2), …, (SPORTm, DIPm, DPORTm)}. The wireless controller 37 may determine what proportion of the triplets in the target application characteristics {(SPORT1, DIP1, DPORT1), (SPORT2, DIP2, DPORT2), …, (SPORTn, DIPn, DPORTn)} also appear among the triplets of the historical application characteristics. For example, if n equals 10 and 9 of the triplets are the same, the proportion of identical triplets is 9/10, i.e. 90%. Assuming a preset threshold of 80%, the similarity of the two exceeds the preset threshold and the historical application characteristics and the target application characteristics can be considered successfully matched.
In step 412a, it is confirmed whether the matching is successful.
In this step, when the target device characteristics and the target application characteristics of the target wireless device 31 are successfully matched, respectively, with the historical device characteristics and the historical application characteristics of the historical device determined in the above step, the target device characteristic fingerprint of the target wireless device 31 is confirmed to match the historical device characteristic fingerprint. Step 414a may then be entered, allowing the target wireless device to connect to the target wireless network.
If the matching in step 412a fails, the MAC address of the target wireless device 31 is the same as that of the historical device determined in the above step but the characteristic fingerprint differs, which indicates that the target wireless device 31 is a device counterfeiting that historical device. An alarm operation may then be performed to draw the attention of the relevant personnel to the counterfeit device.
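The decision flow of steps 402 to 414a, together with the one-by-one device parameter comparison and the threshold-based application triplet comparison described above, as an added Python example that is not the patent's own code. The fingerprint library keyed by MAC address, the parameter names, the sample fingerprints, the 203.0.113.0/24 and 198.51.100.0/24 destination addresses and the 80% threshold are constructed for illustration; `historical_only=True` selects the stricter policy the description mentions for step 408b.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Mapping, Optional, Tuple

Triplet = Tuple[int, str, int]  # (source port, destination IP, destination port)


@dataclass(frozen=True)
class Fingerprint:
    """Characteristic fingerprint: named device parameters plus the set of application triplets."""
    device: Mapping[str, object]
    apps: FrozenSet[Triplet]


class Decision(Enum):
    ALLOW_NEW = "allow: MAC never seen, so it is not imitating a historical device"
    DENY_NEW = "deny: MAC never seen and policy admits historical devices only"
    ALLOW_MATCH = "allow: fingerprint matches the historical device with this MAC"
    DENY_COUNTERFEIT = "deny and alarm: same MAC as a historical device, different fingerprint"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' key the same record."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_features_match(target: Mapping[str, object], hist: Mapping[str, object]) -> bool:
    """Device part of step 410a: the same parameter names, each with an equal value."""
    return target.keys() == hist.keys() and all(target[k] == hist[k] for k in target)


def app_similarity(target: FrozenSet[Triplet], hist: FrozenSet[Triplet]) -> float:
    """Application part of step 410a: share of the target's n triplets present in history."""
    if not target:
        return 0.0  # nothing observed yet, so nothing corroborates the device
    return len(target & hist) / len(target)


def fingerprints_match(target: Fingerprint, hist: Fingerprint, threshold: float = 0.8) -> bool:
    return (device_features_match(target.device, hist.device)
            and app_similarity(target.apps, hist.apps) >= threshold)


class FingerprintLibrary:
    """Characteristic fingerprint library, each record labelled by the device's MAC address."""

    def __init__(self) -> None:
        self._by_mac: Dict[str, Fingerprint] = {}

    def record(self, mac: str, fp: Fingerprint) -> None:
        self._by_mac[normalize_mac(mac)] = fp

    def lookup(self, mac: str) -> Optional[Fingerprint]:
        return self._by_mac.get(normalize_mac(mac))


def decide_access(library: FingerprintLibrary, mac: str, target: Fingerprint,
                  *, historical_only: bool = False, threshold: float = 0.8) -> Decision:
    hist = library.lookup(mac)                       # step 406
    if hist is None:                                 # step 408b
        return Decision.DENY_NEW if historical_only else Decision.ALLOW_NEW
    if fingerprints_match(target, hist, threshold):  # steps 408a to 412a
        return Decision.ALLOW_MATCH
    return Decision.DENY_COUNTERFEIT                 # step 412a, matching failed


# Constructed sample data (hypothetical, not taken from the patent).
def sample_device_features(vendor_oui: str) -> Dict[str, object]:
    feats: Dict[str, object] = {"RF": "channel 6 / 2437 MHz"}
    for frame in ("P", "Auth", "Ass"):
        feats[f"Vendor_{frame}"] = vendor_oui
        feats[f"Rate_Support_{frame}"] = (1.0, 2.0, 5.5, 11.0)
        feats[f"HT_CAP_{frame}"] = "2d0117ffff"
    return feats


HIST_APPS: FrozenSet[Triplet] = frozenset((40000 + i, f"203.0.113.{i}", 443) for i in range(10))
# The requesting device reuses 9 of the 10 historical triplets plus one new flow: 90% similar.
TARGET_APPS: FrozenSet[Triplet] = frozenset(
    {(40000 + i, f"203.0.113.{i}", 443) for i in range(1, 10)} | {(51000, "198.51.100.7", 8443)})


def run_demo() -> Dict[str, Decision]:
    library = FingerprintLibrary()
    library.record("AA-BB-CC-DD-EE-01", Fingerprint(sample_device_features("00:50:f2"), HIST_APPS))
    genuine = Fingerprint(sample_device_features("00:50:f2"), TARGET_APPS)
    imitator = Fingerprint(sample_device_features("00:1a:2b"), TARGET_APPS)  # same MAC, other card
    return {
        "genuine": decide_access(library, "aa:bb:cc:dd:ee:01", genuine),
        "spoofed_mac": decide_access(library, "aa:bb:cc:dd:ee:01", imitator),
        "unknown_mac": decide_access(library, "aa:bb:cc:dd:ee:02", genuine),
        "unknown_mac_strict": decide_access(library, "aa:bb:cc:dd:ee:02", genuine, historical_only=True),
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:>18}: {decision.value}")
```

Two design points a practitioner would check: the similarity denominator is the target's own triplet count n (as in the 9/10 example), so a device that has simply installed extra applications still passes, while an empty target set scores 0 rather than a vacuous match; and the `DENY_COUNTERFEIT` outcome is the one to wire to the alarm and to a log entry carrying the MAC address and both fingerprints, since that is the evidence the relevant personnel need.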
Corresponding to the method embodiments, the present specification also provides an embodiment of an apparatus.
Fig. 5 is a schematic diagram illustrating a wireless device access control electronic device according to an exemplary embodiment of the present application. Referring to fig. 5, at the hardware level, the electronic device includes a processor 502, an internal bus 504, a network interface 506, a memory 508, and a non-volatile memory 510, although it may also include hardware required for other services. The processor 502 reads the corresponding computer program from the non-volatile memory 510 into the memory 508 and runs it, forming a wireless device access control means on a logical level. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Fig. 6 is a block diagram illustrating a wireless device access control apparatus according to an example embodiment of the present application. Referring to fig. 6, the apparatus includes an obtaining unit 602, a matching unit 604, and an address obtaining unit 606, where:
an obtaining unit 602, configured to obtain, for a target wireless device that requests access to a target wireless network, a target device feature fingerprint of the target wireless device, where the target device feature fingerprint is composed of a target device feature extracted from a wireless management frame message sent by the target wireless device and a target application feature extracted from an application data frame message sent by the target wireless device;
a matching unit 604, configured to match the target device characteristic fingerprint with a historical device characteristic fingerprint of a historical wireless device accessing the target wireless network, which is recorded in a characteristic fingerprint library; and if the matching is successful, allowing the target wireless equipment to access the target wireless network.
Optionally, the matching the target device characteristic fingerprint with a historical device characteristic fingerprint of a historical wireless device accessing the target wireless network, which is recorded in a characteristic fingerprint library, includes:
matching the target device characteristics with historical device characteristics in the historical device characteristic fingerprints, and matching the target application characteristics with historical application characteristics in the historical device characteristic fingerprints;
and if the matching results are successful, determining that the target equipment characteristic fingerprint is matched with the historical equipment characteristic fingerprint.
Optionally, the apparatus further comprises: an address obtaining unit 606, configured to obtain a MAC address of the target wireless device;
the matching of the target device characteristic fingerprint with the historical device characteristic fingerprint of the historical wireless device accessing the target wireless network, which is recorded in a characteristic fingerprint database, comprises:
screening historical characteristic fingerprints corresponding to historical wireless equipment with the same MAC address as the target wireless equipment in the characteristic fingerprint database;
and matching the target characteristic fingerprint with the screened historical characteristic fingerprint.
Optionally, under the condition that the screened historical characteristic fingerprint is not matched with the target device characteristic fingerprint, the target wireless device is determined to be a counterfeit device.
Optionally, if a history wireless device with the same MAC address as the target wireless device is not screened, allowing the target wireless device to access the target wireless network.
Fig. 7 is a block diagram illustrating another wireless device access control apparatus according to an example embodiment of the present application. Referring to fig. 7, the apparatus includes an extracting unit 702, a fingerprint generating unit 704, and an accessing unit 706, wherein:
an extracting unit 702, configured to, for a target wireless device that requests to access the target wireless network, extract a target device feature from a wireless management frame message sent by the target wireless device, and extract a target application feature from an application data frame message;
a fingerprint generating unit 704, configured to generate the target device characteristics and the target application characteristics into target wireless device characteristic fingerprints, and send the characteristic fingerprints to a wireless controller, so that the wireless controller matches the target wireless device characteristic fingerprints with historical characteristic fingerprints of historical wireless devices accessing the target wireless network, which are recorded in a characteristic fingerprint library;
an accessing unit 706, configured to connect the target wireless device to the target wireless network if it is determined that the matching is successful.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
In an exemplary embodiment, there is also provided a non-transitory computer readable storage medium, e.g. a memory, comprising instructions executable by a processor of a wireless device access control apparatus to implement a method as in any one of the above embodiments, such as the method may comprise:
for a target wireless device requesting access to a target wireless network, obtaining a target device characteristic fingerprint of the target wireless device, wherein the target device characteristic fingerprint consists of target device characteristics extracted from the wireless management frame messages sent by the target wireless device and target application characteristics extracted from the application data frame messages sent by the target wireless device; matching the target device characteristic fingerprint against the historical device characteristic fingerprints of historical wireless devices that have connected to the target wireless network, which are recorded in a characteristic fingerprint library; and if the matching is successful, allowing the target wireless device to access the target wireless network.
The non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc., which is not limited in this application.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A wireless device access control method is applied to a wireless controller, and comprises the following steps:
for a target wireless device requesting access to a target wireless network, obtaining a target device characteristic fingerprint of the target wireless device, wherein the target device characteristic fingerprint consists of target device characteristics extracted from the wireless management frame messages sent by the target wireless device and target application characteristics extracted from the application data frame messages sent by the target wireless device;
matching the characteristic fingerprint of the target device with the characteristic fingerprint of the historical device of the historical wireless device accessed to the target wireless network, which is recorded in a characteristic fingerprint database;
and if the matching is successful, allowing the target wireless equipment to access the target wireless network.
2. The method of claim 1, wherein matching the target device signature to historical device signature fingerprints of historical wireless devices accessing the target wireless network recorded in a signature fingerprint library comprises:
matching the target device characteristics with historical device characteristics in the historical device characteristic fingerprints, and matching the target application characteristics with historical application characteristics in the historical device characteristic fingerprints;
and if the matching results are successful, determining that the target equipment characteristic fingerprint is matched with the historical equipment characteristic fingerprint.
3. The method of claim 1, further comprising: acquiring the MAC address of the target wireless device;
the matching of the target device characteristic fingerprint with the historical device characteristic fingerprint of the historical wireless device accessing the target wireless network, which is recorded in a characteristic fingerprint database, comprises:
screening historical characteristic fingerprints corresponding to historical wireless equipment with the same MAC address as the target wireless equipment in the characteristic fingerprint database;
and matching the target characteristic fingerprint with the screened historical characteristic fingerprint.
4. The method of claim 3, wherein in the event that the filtered historical fingerprint does not match the target device fingerprint, determining that the target wireless device is a counterfeit device.
5. The method of claim 4, further comprising:
and if the historical wireless device with the same MAC address as the target wireless device is not screened, allowing the target wireless device to access the target wireless network.
6. A wireless device access control method applied to a wireless access point, the wireless access point being configured to establish a target wireless network, the method comprising:
for a target wireless device requesting access to the target wireless network, extracting target device characteristics from a wireless management frame message sent by the target wireless device, and extracting target application characteristics from an application data frame message;
generating the target device characteristic and the target application characteristic into a target wireless device characteristic fingerprint, and sending the characteristic fingerprint to a wireless controller so that the wireless controller matches the target wireless device characteristic fingerprint with historical characteristic fingerprints of historical wireless devices accessed to the target wireless network, which are recorded in a characteristic fingerprint database;
and connecting the target wireless device to the target wireless network if the matching is determined to be successful.
7. A wireless device access control apparatus, applied to a wireless controller, the apparatus comprising:
an acquisition unit, configured to acquire, for a target wireless device that requests access to a target wireless network, a target device feature fingerprint of the target wireless device, where the target device feature fingerprint is composed of a target device feature extracted from a wireless management frame packet sent by the target wireless device and a target application feature extracted from an application data frame packet sent by the target wireless device;
the matching unit is used for matching the characteristic fingerprint of the target device with the characteristic fingerprint of the historical device of the historical wireless device accessed to the target wireless network, which is recorded in a characteristic fingerprint database; and if the matching is successful, allowing the target wireless equipment to access the target wireless network.
8. A wireless device access control apparatus, applied to a wireless access point, the wireless access point being configured to establish a target wireless network, the apparatus comprising:
an extraction unit, configured to, for a target wireless device requesting access to the target wireless network, extract target device characteristics from a wireless management frame message sent by the target wireless device and extract target application characteristics from an application data frame message;
the fingerprint generating unit is used for generating the target device characteristic and the target application characteristic into a target wireless device characteristic fingerprint and sending the characteristic fingerprint to a wireless controller so that the wireless controller can match the target wireless device characteristic fingerprint with historical characteristic fingerprints of historical wireless devices accessed to the target wireless network, wherein the historical characteristic fingerprints are recorded in a characteristic fingerprint database;
and an access unit, configured to connect the target wireless device to the target wireless network if the matching is determined to be successful.
9. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of any one of claims 1-6 by executing the executable instructions.
10. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 1-6.
CN202111044423.XA 2021-09-07 2021-09-07 Wireless device access control method and device Active CN113891316B (en)

Publications (2)

Publication Number Publication Date
CN113891316A true CN113891316A (en) 2022-01-04
CN113891316B CN113891316B (en) 2023-12-26
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant