EP1849261A1 - Method, device and program for detecting address spoofing in a wireless network - Google Patents


Info

Publication number
EP1849261A1
Authority
EP
European Patent Office
Prior art keywords
access point
address
list
frames
probe
Prior art date
Legal status
Withdrawn
Application number
EP06709328A
Other languages
English (en)
French (fr)
Inventor
Roland Duffau
Jérôme RAZNIEWSKI
Laurent Butti
Current Assignee
Orange SA
Original Assignee
France Telecom SA
Priority date
2005-02-18
Filing date
2006-02-15
Publication date
2007-10-31
Application filed by France Telecom SA
Publication of EP1849261A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud
    • H04W12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122: Counter-measures against attacks; Protection against rogue devices
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud
    • H04W12/126: Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • The present invention relates to wireless access technologies for telecommunications networks. It applies in particular to IEEE 802.11 type technologies standardized by the Institute of Electrical and Electronics Engineers (IEEE). IEEE 802.11 technologies are widely used in corporate and residential networks as well as in areas of intensive use ("hot spots"). More particularly, the invention relates to the hacking of wireless networks by spoofing of access point addresses.
  • By "frame" is meant here a set of data forming a block transmitted over a network and containing payload data and service information, the latter generally located in a header area of the block.
  • A frame may equally be described as a data packet, datagram, data block, or another expression of this type.
  • The access point is an essential element of communication between a client and a network. It is therefore a critical point, and hence of interest to attackers. Attacks using fake access points have appeared with the following objectives:
  • A known technique for detecting MAC address spoofing relies on analysis of the "Sequence Number" field of IEEE 802.11 frames. These sequence numbers, managed at low level in the radio card, are necessarily incremented by one for each transmitted frame. This makes it possible to spot large variations between successive frames sent from the same MAC address. By comparing these variations with predefined thresholds, it is possible to detect anomalies in frames that appear to come from a MAC address, and to infer the probable spoofing of this address by an attacker.
  • This technique requires managing thresholds that are very precise and delicate to set. It is difficult to implement on its own while ensuring the absence of both false positives (false alarms) and false negatives (undetected attacks).
  • The main difficulty lies in handling frame losses, for example during long-distance transmission. Since some frames are lost, the sequence numbers vary greatly from frame to frame, which leads to false positives. The detection thresholds must be tuned very finely. This technique is therefore often insufficient on its own and must be combined with one or more others to correlate the alarms and thus obtain higher confidence in the alarms raised.
  • An object of the present invention is to provide a new method of address spoofing detection in an IEEE 802.11 type wireless network or the like.
  • The invention thus proposes a method for detecting address spoofing in a wireless network, comprising the following steps:
  • The method uses cross-referencing of information collected by probes that pick up the frames transmitted over the wireless network and by legitimate access points controlled by the network administrator. If an illegitimate access point successfully spoofs the MAC address of a legitimate access point and has one or more wireless stations associated with it, the legitimate access point will generally not consider these stations to be associated with it.
  • Probes can be deployed in the coverage area of the wireless network to capture the frames and establish the first lists for at least one access point. Each first list established is then compared with the second list obtained from the legitimate access point to detect possible address spoofing in the network.
  • Another aspect of the invention relates to an address spoofing detection device in a wireless network for carrying out the above method.
  • This device comprises:
  • The identification information received may include the first list itself, or the device may alternatively build the first list.
  • In one variant, the first list is established directly by the probe before being transmitted to the address spoofing detection device.
  • In that case the probe is arranged to establish the first list itself.
  • In another variant, the first list is established by the address spoofing detection device from the identification information received from the probe.
  • The device then comprises means for analyzing the identification information to establish the first list.
  • "Identification information" therefore designates both the first list itself and information making it possible to establish this first list, for example the source and destination fields of the captured frames.
  • The invention also proposes a system for detecting address spoofing in a wireless network comprising the above device and a probe arranged to restart the establishment of new identification information relating to the stations associated with the access point after transmission of the previous identification information.
  • Each set sent by the probe after a time interval Δt is therefore representative of the network activity observed during this time interval only.
  • The invention also proposes a computer program to be installed in a device interfacing with at least one access point of a wireless network and with a probe, for helping to detect address spoofing in the wireless network, for execution by a processing unit of this device.
  • This program includes instructions for performing the following steps when executed by the processing unit: receiving from the probe identification information derived from frames picked up by the probe on the wireless network, the captured frames having an address field that includes an access point address, the identification information corresponding to a first list of stations associated with the access point; obtaining from said access point a second list of stations associated therewith; and comparing the first and second station lists.
  • FIG. 1 is a block diagram of a wireless network in which the invention is implemented.
  • FIG. 2 is a block diagram of an access point of this network, for which a possible address spoofing is to be detected.
  • FIG. 3 is a block diagram of an exemplary probe for an address spoofing detection system according to an embodiment of the invention.
  • FIG. 4 is a block diagram of an exemplary detection device according to the invention.
  • FIG. 5 is a flowchart of a program executable in the device of FIG. 4.
  • The invention is described hereinafter in its particular application to the detection of MAC address spoofing in an IEEE 802.11 type wireless network.
  • The well-known method of associating an IEEE 802.11 client with an access point (AP) is as follows.
  • The client station listens on the radio channel to search for specific frames called beacons ("Beacon").
  • The client examines the information contained in this type of frame, in particular the network name (SSID, "Service Set Identifier") and the parameters specific to the deployed network.
  • The client sends "Probe Request" frames containing the desired network name (SSID).
  • The access point(s) concerned respond to the request by returning a "Probe Response" frame indicating their presence.
  • The client selects an access point and requests to authenticate with it. If authentication succeeds, the client requests to associate with the access point. If the association succeeds, the client is able to send and receive data through the access point to which it is connected.
  • When using an illegitimate access point on the radio channel, the attacker usually uses a technique of complete spoofing of the access point: same network name (SSID), same MAC address. But the attacker usually does not use the same radio channel, because of radio interference issues.
  • The IEEE 802.11 network schematized in FIG. 1 comprises a certain number of access points 1 distributed over the coverage area of the network.
  • These access points are connected to an IP network 2, which may be the Internet.
  • Two other modules 3, 4 are connected to the access points 1, either directly or via the IP network 2, namely a detection device, or analyzer,
  • FIG. 2 schematically shows the constituent elements of a legitimate access point 1 of the wireless network.
  • Circuits 10 provide the interface with the wired portion of the network, while the radio circuits 11, cooperating with the antenna 12 of the access point, are responsible for transmitting and receiving signals on the wireless interface.
  • The protocols of the IEEE 802.11 standard, in particular the MAC protocol, allow the client stations 5 to access the wireless network, in a manner known per se.
  • These protocols are typically implemented by the execution of appropriate programs by a processor 13 or by logic circuits of the access point 1.
  • These programs further comprise a software module 14 which builds and maintains the list of clients 5 associated with access point 1.
  • This list, denoted L2, contains the MAC addresses of all clients 5 that are associated with access point 1 at the instant in question. It is based on the client associations and disassociations observed by the MAC layer of the access point.
  • This list L2 is transmitted to the analyzer 3 through the network 2, either at the request of the analyzer 3 or spontaneously at regular intervals.
  • Each probe 4 (FIG. 3) is a passive listening device for the radio channel. It comprises circuits 40 for interfacing with the wired part of the network and radio circuits 41 for applying the reception processing to the signals picked up by the antenna 42 of the probe.
  • The probe 4 also comprises a processor 43 which executes programs implementing the reception part of the IEEE 802.11 protocols, in particular the MAC protocol.
  • The MAC layer of the probe 4 examines the source address, destination address and frame type fields contained in the frames picked up by the antenna 42.
  • The processor 43 also executes a software module 44 which, in a first variant of the invention, constructs lists of clients respectively associated with a certain number of access points 1. These access points are those whose MAC address is observed in the source and/or destination address fields of the captured frames. The other address field of the captured frame makes it possible to identify the client that issued it or for which it is intended.
  • In a second variant, the software module transmits to the analyzer identification information relating to the clients associated with the access point.
  • The analyzer then establishes the list of clients associated with the access point from the identification information received.
  • The lists of associated clients are built for different access point addresses over a predefined duration Δt, which is for example of the order of a few minutes.
  • This duration Δt can be specified by the analyzer 3, which can in particular adapt it according to the number of associations observed or to the spoofing detection statistics.
  • The module 44 of the probe identifies the clients associated with an access point 1 using one or both of the following techniques:
    • On each identification of an "association success" frame originating from an access point 1 (that is to say, having as source MAC address the BSSID ("Basic Service Set Identifier") of a device already identified as an access point), the module 44 of the probe adds to the list L1 corresponding to this access point 1 the destination MAC address found in this frame, if that address is not already present in list L1; and/or
    • The IEEE 802.11 data frames received from a device identified as an access point are examined by the module 44 of the probe, which adds to the list L1 corresponding to this access point the destination MAC address found in these frames, if that address is not already present in list L1.
  • For the latter technique, a threshold can be defined as the minimum number N of frames of this type that the probe must capture to validate the association.
  • The probe 4 also determines when a client 5 disconnects from an access point 1, and removes the address of this client from the corresponding list L1. For this, it can for example detect "disassociation" or "deauthentication" requests sent to the MAC address of a device identified as an access point. It then deletes from the corresponding list the source MAC address of this request, which corresponds to the client that disconnects.
  • FIG. 4 schematically shows the constitution of an analyzer device 3 which supervises the spoofing detection process and triggers alarms in the event of detection, so that the wireless network administrator can take the appropriate measures.
  • The analyzer 3 comprises circuits 30 for interfacing with the wired part of the network and a processor 35 which, by means of appropriate programs, carries out the checking and comparison operations making it possible to detect address spoofing.
  • The processor 35 periodically retrieves, with the periodicity Δt, the lists L1, L2 established by the probes 4 and the access points 1.
  • The sending of the lists L1, L2 can be carried out spontaneously by the probes 4 and/or the access points 1 with the periodicity Δt, or in response to a request from the analyzer 3.
  • For this, the analyzer 3 uses for example mechanisms present in access point type equipment, through a protocol such as SNMP ("Simple Network Management Protocol").
  • If the list L1 established by a probe 4 for an access point 1 contains client addresses absent from the list L2 of that access point, the analyzer 3 deduces that there is an impersonation of this access point. This means that the additional clients found by the probe are not associated with the legitimate access point, but with an access point 8 that has impersonated the legitimate access point.
  • The analyzer 3 then triggers an alarm to warn the administrator. It can also handle the triggered alarm itself by automatically performing an action predefined by the administrator;
  • If the probe 4 has not seen some frames, its list L1 of clients identified as associated is smaller than the list L2 of actually associated clients. This is the case that is to be avoided by multiplying the techniques for identifying the association of a client 5 with an access point 1;
  • The detection program executed in the analyzer 3 is, for example, in accordance with FIG. 5.
  • The method according to the invention gives results that are all the better when there is no loss of frames on the radio channel.
  • Frame loss can affect disassociation or deauthentication request frames. If this is the case, the probe 4 will produce a list L1 of clients that is potentially larger than that of the access point 1, and the analyzer 3 will conclude that there is MAC address spoofing when there is none.
  • The method according to the invention makes it possible to detect the spoofing of an equipment's identity without going through a heavy analysis of the frames. This detection is very light in analysis time.
  • This method makes it possible to detect address spoofing even if the attacker 8 is far from the legitimate equipment 1, thanks to the centralization of the analysis. Multiple and potentially distant probes can be used.
  • The embodiment that has been described may receive various modifications without departing from the scope of the invention.
  • The method is applicable in particular to all types of wireless network of the IEEE 802.11 type or the like.
  • The analyzer 3 can of course be implemented in the same machine as a probe 4 or an access point 1. There are also very varied ways of connecting the probes 4 to the network. Some of these probes 4 can be co-located with access points 1 and share some of their resources.
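As an added worked example (not code from the patent or its applicant), the following Python sketch implements the probe-side construction of list L1 from captured frames and the analyzer-side comparison with the access point's list L2 described above: immediate insertion on an "association success" frame, insertion after N data frames, removal on disassociation/deauthentication, and the distinction between the spoofing alarm (L1 contains clients absent from L2) and the missed-frames case (L1 smaller than L2). The frame tuple format, all MAC addresses and the value N = 3 are constructed assumptions for illustration.

```python
"""Added worked example (not code from the patent): probe-side construction of
list L1 and analyzer-side comparison with the access point's list L2.
Frame records, MAC addresses and the threshold N are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed BSSID of the one legitimate access point (not taken from the patent).
AP_BSSID = "00:11:22:33:44:55"
KNOWN_APS = {AP_BSSID}


def build_l1(frames, known_aps, n_threshold):
    """Probe module 44: per access point BSSID, the clients seen associated with it
    during one observation interval.

    `frames` yields (frame_type, src, dst) tuples as captured by the probe:
    - "assoc_resp" from a known AP: the destination is added immediately;
    - "data" from a known AP: the destination is added once n_threshold such
      frames have been seen (the minimum count N that validates the association);
    - "disassoc"/"deauth" addressed to a known AP: the source is removed.
    """
    l1 = defaultdict(set)
    data_counts = defaultdict(Counter)
    for ftype, src, dst in frames:
        if ftype == "assoc_resp" and src in known_aps:
            l1[src].add(dst)
        elif ftype == "data" and src in known_aps:
            data_counts[src][dst] += 1
            if data_counts[src][dst] >= n_threshold:
                l1[src].add(dst)
        elif ftype in ("disassoc", "deauth") and dst in known_aps:
            l1[dst].discard(src)
            data_counts[dst].pop(src, None)  # a later re-association must re-qualify
    return {ap: frozenset(clients) for ap, clients in l1.items()}


def compare(l1, l2):
    """Analyzer 3: compare the probe's list L1 with the access point's own list L2.

    Returns (verdict, extra). A non-empty `extra` (clients in L1 but not in L2) is
    the spoofing indication; L1 strictly smaller than L2 is the missed-frames case.
    """
    extra = frozenset(l1) - frozenset(l2)
    if extra:
        return "alarm", extra
    if frozenset(l1) < frozenset(l2):
        return "missed_frames", frozenset()
    return "consistent", frozenset()


# Constructed capture for one interval delta t: client :03 deauthenticates, client
# :04 is seen in a single data frame (below N = 3), client :05 exchanges data with
# a device using the legitimate BSSID that the legitimate AP does not report.
SAMPLE_FRAMES = [
    ("assoc_resp", AP_BSSID, "aa:aa:aa:aa:aa:01"),
    ("assoc_resp", AP_BSSID, "aa:aa:aa:aa:aa:02"),
    ("assoc_resp", AP_BSSID, "aa:aa:aa:aa:aa:03"),
    ("deauth", "aa:aa:aa:aa:aa:03", AP_BSSID),
    ("data", AP_BSSID, "aa:aa:aa:aa:aa:04"),
    ("data", AP_BSSID, "aa:aa:aa:aa:aa:05"),
    ("data", AP_BSSID, "aa:aa:aa:aa:aa:05"),
    ("data", AP_BSSID, "aa:aa:aa:aa:aa:05"),
]
# List L2 as reported by the legitimate access point, e.g. over SNMP (constructed).
SAMPLE_L2 = frozenset({"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"})


def run_sample():
    """Build L1 from the constructed capture and compare it with L2."""
    l1 = build_l1(SAMPLE_FRAMES, KNOWN_APS, n_threshold=3)
    return compare(l1[AP_BSSID], SAMPLE_L2)


if __name__ == "__main__":
    print(run_sample())  # ('alarm', frozenset({'aa:aa:aa:aa:aa:05'}))
```

The frame-loss caveat from the text is visible here: dropping the "deauth" record from the capture would leave client :03 in L1 and raise a second, false, alarm, which is why the patent recommends combining several association identification techniques.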
EP06709328A 2005-02-18 2006-02-15 Verfahren, einrichtung und programm zur detektion von adressen-spoofing in einem drahtlosen netzwerk Withdrawn EP1849261A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0501703 2005-02-18
PCT/FR2006/000353 WO2006087473A1 (fr) 2005-02-18 2006-02-15 Procede, dispositif et programme de detection d'usurpation d'adresse dans un reseau sans fil

Publications (1)

Publication Number Publication Date
EP1849261A1 true EP1849261A1 (de) 2007-10-31

Family

ID=35159983

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06709328A Withdrawn EP1849261A1 (de) 2005-02-18 2006-02-15 Verfahren, einrichtung und programm zur detektion von adressen-spoofing in einem drahtlosen netzwerk

Country Status (3)

Country Link
US (1) US20080263660A1 (de)
EP (1) EP1849261A1 (de)
WO (1) WO2006087473A1 (de)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI20075305L (fi) * 2007-05-02 2008-11-03 Eads Secure Networks Oy Datavirtojen hallinta tietoliikennejärjestelmässä
US8695095B2 (en) * 2011-03-11 2014-04-08 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US8700913B1 (en) 2011-09-23 2014-04-15 Trend Micro Incorporated Detection of fake antivirus in computers
CN103368738B (zh) * 2012-04-11 2017-02-15 华为技术有限公司 一种安全身份发现及通信方法
US10129751B2 (en) * 2012-05-25 2018-11-13 Comcast Cable Communications, Llc Wireless gateway supporting public and private networks
CN105992198B (zh) * 2015-06-15 2019-09-17 中国银联股份有限公司 一种确定无线局域网安全程度的方法及装置

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2322894T3 (es) * 2002-04-08 2009-07-01 Airmagnet, Inc. Monitorizacion de una red de area local.
US20040078598A1 (en) * 2002-05-04 2004-04-22 Instant802 Networks Inc. Key management and control of wireless network access points at a central server
US7965842B2 (en) * 2002-06-28 2011-06-21 Wavelink Corporation System and method for detecting unauthorized wireless access points
US7634252B2 (en) * 2003-03-07 2009-12-15 Computer Assocaites Think, Inc. Mobility management in wireless networks
US7522908B2 (en) * 2003-04-21 2009-04-21 Airdefense, Inc. Systems and methods for wireless network site survey
US20050060576A1 (en) * 2003-09-15 2005-03-17 Kime Gregory C. Method, apparatus and system for detection of and reaction to rogue access points

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2006087473A1 *

Also Published As

Publication number Publication date
WO2006087473A1 (fr) 2006-08-24
US20080263660A1 (en) 2008-10-23

Similar Documents

Publication Publication Date Title
US20220045990A1 (en) Methods and systems for api deception environment and api traffic control and security
US7536723B1 (en) Automated method and system for monitoring local area computer networks for unauthorized wireless access
US7216365B2 (en) Automated sniffer apparatus and method for wireless local area network security
US7724717B2 (en) Method and apparatus for wireless network security
US7970894B1 (en) Method and system for monitoring of wireless devices in local area computer networks
WO2006035140A1 (fr) Procede, dispositif et programme de detection d'usurpation de point d'acces.
US7971253B1 (en) Method and system for detecting address rotation and related events in communication networks
US20070025245A1 (en) Method and apparatus for identifying wireless transmitters
WO2006079710A1 (fr) Procede, dispositif et programme de detection d'usurpation d'adresse dans un reseau sans fil
EP1849261A1 (de) Verfahren, einrichtung und programm zur detektion von adressen-spoofing in einem drahtlosen netzwerk
Garant et al. Mining botnet behaviors on the large-scale web application community
Jain et al. ETGuard: Detecting D2D attacks using wireless evil twins
EP1905194B1 (de) Detektieren eines doppelanschlusses zwischen einem verdrahteten netz und mindestens einem drahtlosen netz
WO2007010101A2 (fr) Detection d’une intrusion par detournement de paquets de donnees dans un reseau de telecommunication
Lu et al. Client-side evil twin attacks detection using statistical characteristics of 802.11 data frames
d'Estalenx et al. NURSE: eNd-UseR IoT malware detection tool for Smart homEs
FR3105486A1 (fr) Procédé de détection d’un comportement malveillant dans un réseau de communication, dispositif, équipement d’accès audit réseau, procédé de détection d’une attaque distribuée dans ledit réseau, dispositif, équipement nœud et programmes d’ordinateur correspondants
Idland Detecting mac spoofing attacks in 802.11 networks through fingerprinting on the mac layer
WO2022238644A1 (fr) Procede de defense contre une tentative de deconnexion entre deux entites, systeme associe
Medeiros et al. Learning remote computer fingerprinting
Tao A novel intrusion detection system for detection of MAC address spoofing in wireless networks.
FR2888432A1 (fr) Procedes de protection des trames de gestion echangees entre deux equipements sans fil, de reception et d'emission de telles trames, programmes d'ordinateur et supports de donnees contenant ces programmes d'ordinateur
FR2995427A1 (fr) Dispositif de surveillance de trames a l'interconnexion d'un reseau local domestique et de l'internet

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20070813

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)

17Q First examination report despatched

Effective date: 20120613

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20120830