EP1849261A1 - Method, device and program for detecting address spoofing in a wireless network - Google Patents
Method, device and program for detecting address spoofing in a wireless network
Info
- Publication number
- EP1849261A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- access point
- address
- list
- frames
- probe
- Prior art date
- Legal status
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/126—Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
Definitions
- The present invention relates to wireless access technologies for telecommunications networks. It applies in particular to IEEE 802.11 type technologies standardized by the Institute of Electrical and Electronics Engineers (IEEE). IEEE 802.11 technologies are widely used in corporate and residential networks as well as in areas of intensive use ("hot spots"). More particularly, the invention relates to the hacking of wireless networks by spoofing of access point addresses.
- By "frame" is meant here a set of data forming a block transmitted in a network and containing useful data and service information, the latter generally located in a header area of the block.
- A frame may also be described as a data packet, datagram, data block, or other expression of this type.
- The access point is an essential element of communication between a client and a network. It is therefore a critical point, and hence of interest to attackers. Attacks using fake access points appeared with the following objectives:
- A known technique for detecting MAC address spoofing relies on analysis of the Sequence Number field of IEEE 802.11 frames. These sequence numbers, managed at low level in the radio card, are necessarily incremented by one for each transmitted frame. This makes it possible to spot large variations between successive frames sent by the same MAC address. By comparing these variations with predefined thresholds, it is possible to detect anomalies in the frames appearing to come from a MAC address, and to deduce the probable spoofing of this address by an attacker.
- This technique requires the management of very precise thresholds that are delicate to position. On its own, it is difficult to implement while ensuring the absence of false positives (false alarms) and false negatives (undetected spoofing).
- The main difficulty lies in the handling of frame losses, for example during long-distance transmission. When frames are lost, the sequence numbers vary greatly from one captured frame to the next, which causes false positives. The detection thresholds must therefore be managed very finely. Consequently, this technique is often insufficient on its own and must be combined with one or more others to correlate the alarms and thus gain higher confidence in the alarms raised.
- An object of the present invention is to provide a new method of address spoofing detection in an IEEE 802.11 type wireless network or the like.
- the invention thus proposes a method for detecting address spoofing in a wireless network, comprising the following steps:
- The method uses cross-referencing of information collected by probes that pick up the frames transmitted over the wireless network and by legitimate access points controlled by the network administrator. If an illegitimate access point successfully spoofs the MAC address of a legitimate access point and has one or more wireless stations associated with it, the legitimate access point will generally not consider these stations to be associated with it.
- probes can be deployed in the coverage area of the wireless network to capture the frames and establish the first lists for at least one access point. Each first list established is then compared to the second list obtained from the legitimate access point to detect a possible address spoofing in the network.
- Another aspect of the invention relates to an address spoofing detection device in a wireless network for carrying out the above method.
- This device comprises:
- The identification information received may include the first list itself, or alternatively the device may build the first list from it.
- the first list is established directly by the probe before being transmitted to the address spoof detection device.
- the probe is arranged to establish itself the first list.
- the first list can be established by the device detection of address spoofing, from the identification information received from the probe.
- the device then comprises means for analyzing the identification information to establish the first list.
- identification information therefore designates the first list itself as well as information making it possible to establish this first list, for example the source and destination fields of the captured frames.
- The invention also proposes a system for detecting address spoofing in a wireless network, comprising the above device and a probe arranged to restart the establishment of new identification information relating to the stations associated with the access point after transmission of the previous identification information.
- Each set sent by the probe after a time interval Δt is therefore representative of the network activity observed during this time interval only.
- The invention also proposes a computer program to be installed in a device interfacing with at least one access point of a wireless network and with a probe, for helping to detect address spoofing in the wireless network, for execution by a processing unit of this device.
- This program includes instructions for performing the following steps when executed by the processing unit: receiving from the probe identification information derived from frames picked up by the probe on the wireless network, the captured frames having an address field that includes an access point address, the identification information corresponding to a first list of stations associated with the access point; obtaining from said access point a second list of stations associated therewith; and comparing the first and second station lists.
- FIG. 1 is a block diagram of a wireless network in which the invention is implemented
- FIG. 2 is a block diagram of an access point of this network, which is to detect a possible address spoofing
- FIG. 3 is a block diagram of an exemplary probe for an address spoof detection system according to an embodiment of the invention.
- FIG. 4 is a block diagram of an exemplary detection device according to the invention.
- FIG. 5 is a flowchart of an executable program in the device of FIG. 4.
- the invention is described hereinafter in its particular application to the detection of MAC address spoofing in an IEEE 802.11 type wireless network.
- The well-known method of associating an IEEE 802.11 client with an access point (AP) is as follows.
- The client station listens to the radio channel to search for specific frames called beacons ("Beacon").
- The client examines the information contained in this type of frame, in particular the network name (SSID, "Service Set Identifier") and the parameters specific to the deployed network.
- The client sends "Probe Request" frames containing the desired network name (SSID).
- The access point(s) concerned respond to the request by returning a "Probe Response" frame indicating their presence.
- The client selects an access point and asks to authenticate with it. If authentication succeeds, the client requests association with the access point. If the association succeeds, the client is able to send and receive data through the access point to which it is connected.
- When using an illegitimate access point on the radio channel, the attacker usually uses a technique of complete spoofing of the access point: same network name (SSID), same MAC address. But the attacker usually does not use the same radio channel, because of radio interference issues.
- the IEEE 802.11 network schematized in FIG. 1 comprises a certain number of access points 1 distributed over the coverage area of the network.
- These access points are connected to an IP-type network 2, which may be the Internet.
- two other modules 3, 4 are connected to the access points 1 either directly or via the IP network 2, namely a detection device, or analyzer,
- FIG. 2 schematically shows the constituent elements of a legitimate access point 1 of the wireless network.
- Circuits 10 provide the interface with the wired portion of the network, while the radio circuits 11, cooperating with the antenna 12 of the access point, are responsible for transmitting and receiving signals on the wireless interface.
- The protocols of the IEEE 802.11 standard, in particular the MAC protocol, allow the client stations 5 to access the wireless network, in a manner known per se.
- These protocols are typically implemented by the execution of appropriate programs by a processor 13 or logical circuits of the access point 1.
- these programs further comprise a software module 14 which builds and maintains the list of clients 5 associated with access point 1.
- This list denoted L2 contains the MAC addresses of all clients 5 that are associated with access point 1 at the instant in question. It is based on client associations and disassociations observed by the MAC layer of the access point.
- This list L2 is transmitted to the analyzer 3 through the network 2, either at the request of the analyzer 3, or spontaneously periodically.
- Each probe 4 (FIG. 3) is a passive listening device for the radio channel. It comprises circuits 40 for interfacing with the wired part of the network and radio circuits 41 for applying the reception processes to the signals picked up by the antenna 42 of the probe.
- the probe 4 also comprises a processor 43 which executes programs implementing the reception part of the IEEE 802.11 protocols, in particular the MAC protocol.
- the MAC layer of the probe 4 examines the source address, destination address and frame type fields that are contained in the frames picked up by the antenna 42.
- the processor 43 also executes a software module 44 which, in a first variant of the invention, constructs lists of clients respectively associated with a certain number of access points 1. These access points are those whose MAC address is observed in the source and / or destination address fields of the captured frames. The other address field of the captured frame makes it possible to identify the client who issued it or for which it is intended.
- the software module transmits to the analyzer identification information relating to clients associated with the access point.
- The analyzer establishes the list of clients associated with the access point from the identification information received.
- The lists of associated clients are built for the different access point addresses over a predefined duration Δt, which is for example of the order of a few minutes.
- This duration Δt can be specified by the analyzer 3, which can in particular adapt it according to the number of associations observed or to the spoofing detection statistics.
- Each time an "association success" frame originating from an access point 1 is identified (that is to say a frame having as source MAC address the BSSID ("Basic Service Set Identifier") of a device already identified as an access point), the module 44 of the probe adds the destination MAC address found in this frame to the list L1 corresponding to this access point 1, if that address is not already present in the list L1; and/or
- the IEEE 802.11 data frames received from a device identified as an access point are examined by the module 44 of the probe, which adds the destination MAC address found in these frames to the list L1 corresponding to this access point, if that address is not already present in the list L1.
- A threshold is defined as the minimum number N of frames of this type that the probe must capture to validate the association.
- The probe 4 also determines when a client 5 disconnects from an access point 1, and removes the address of this client from the corresponding list L1. For this, it can for example detect "disassociation" or "deauthentication" requests sent to the MAC address of a device identified as an access point. It then deletes from the corresponding list the source MAC address of this request, which corresponds to the client that disconnects.
- FIG. 4 schematically shows the constitution of an analyzer device 3 which supervises the spoofing detection process and triggers alarms in the event of detection, so that the wireless network administrator can take the appropriate measures.
- the analyzer 3 comprises circuits 30 for interfacing with the wired part of the network and a processor 35 which, by means of appropriate programs, carries out the checking and comparison operations making it possible to detect address spoofing.
- The processor 35 periodically retrieves, with the periodicity Δt, the lists L1, L2 established by the probes 4 and the access points 1.
- The sending of the lists L1, L2 can be carried out spontaneously by the probes 4 and/or the access points 1 with the periodicity Δt, or in response to a request from the analyzer 3.
- The analyzer 3 uses, for example, mechanisms present in access point type equipment, through a protocol such as SNMP ("Simple Network Management Protocol").
- If the list L1 established by a probe 4 contains clients that are absent from the list L2 obtained from the access point 1, the analyzer 3 deduces that there is an impersonation of this access point. This means that the additional clients found by the probe are not associated with the legitimate access point, but with an access point 8 that has impersonated the legitimate access point.
- The analyzer 3 then triggers an alarm to warn the administrator. It can also handle the triggered alarm itself by automatically performing an action predefined by the administrator;
- The probe 4 has not seen some frames, so its list of clients identified as associated is smaller than the list L2 of actually associated clients. This is the case that we seek to avoid by multiplying the techniques for identifying the association of a client 5 with an access point 1;
- the detection program executed in the analyzer 3 is, for example, in accordance with FIG.
- The method according to the invention gives results that are all the better when there is no loss of frames on the radio channel.
- The loss can affect disassociation or deauthentication request frames. If so, the probe 4 will produce a list L1 potentially larger than that of the access point 1, and the analyzer 3 will conclude that a MAC address has been spoofed when it has not.
- The method according to the invention makes it possible to detect spoofing of equipment identity without going through a heavy analysis of the frames. This detection is very light in analysis time.
- This method makes it possible to detect address spoofing even if the attacker 8 is far from the legitimate equipment 1, thanks to the centralization of the analysis. Multiple and potentially distant probes can be used.
- the embodiment that has been described may receive various modifications without departing from the scope of the invention.
- The method is applicable in particular to all types of IEEE 802.11 or similar wireless networks.
- The analyzer 3 can of course be built into the same machine as a probe 4 or an access point 1. There are also very varied ways of connecting the probes 4 to the network. Some of these probes 4 can be co-located with access points 1 and share some of their resources.
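The two halves of the method described above, the probe building its list L1 from captured frames and the analyzer comparing L1 with the access point's list L2, as an added example that is not code from the patent or its applicant. The frame records, MAC addresses and client names are constructed sample data; applying the threshold N to both association-success and data frames, resetting counters after a disassociation, and the record shape `{"src", "dst", "type"}` are assumptions made for the example, as are the function names `build_l1` and `compare_lists`.

```python
# Added example (not the patent's own code): a small model of the probe's list L1
# construction (module 44) and the analyzer's L1/L2 comparison (device 3).
# All frames, MAC addresses and client names below are constructed sample data.
from collections import Counter, defaultdict


def build_l1(frames, ap_bssids, n_threshold=2):
    """Probe side: return {bssid: set(client MACs)} seen as associated during
    one interval Delta-t (call once per interval to get the per-window reset).
    Assumption: a client is added once at least n_threshold "association
    success" or data frames from the AP to that client have been captured, and
    removed when a disassociation/deauthentication request from the client to
    the AP is captured."""
    seen = defaultdict(Counter)              # bssid -> client -> frames counted
    l1 = {bssid: set() for bssid in ap_bssids}
    for frame in frames:
        src, dst, ftype = frame["src"], frame["dst"], frame["type"]
        if src in l1 and ftype in ("assoc_success", "data"):
            seen[src][dst] += 1
            if seen[src][dst] >= n_threshold:
                l1[src].add(dst)
        elif dst in l1 and ftype in ("disassoc", "deauth"):
            l1[dst].discard(src)
            seen[dst].pop(src, None)         # re-association must pass N again
    return l1


def compare_lists(l1, l2):
    """Analyzer side: clients the probe saw but the legitimate AP does not list
    point to an AP 8 impersonating its BSSID; clients the AP lists but the probe
    did not see indicate frame loss at the probe, not spoofing."""
    report = {}
    for bssid, probe_clients in l1.items():
        ap_clients = l2.get(bssid, set())
        extra = probe_clients - ap_clients
        report[bssid] = {
            "spoof_suspected": bool(extra),
            "extra_clients": extra,
            "missed_by_probe": ap_clients - probe_clients,
        }
    return report


# Constructed sample data: one legitimate AP and four clients.
AP = "02:aa:00:00:00:01"                     # BSSID of legitimate access point 1
C1, C2, C3, C4 = ("02:c0:00:00:00:01", "02:c0:00:00:00:02",
                  "02:c0:00:00:00:03", "02:c0:00:00:00:04")
SAMPLE_FRAMES = [
    {"src": AP, "dst": C1, "type": "assoc_success"},
    {"src": AP, "dst": C1, "type": "data"},          # C1 reaches the threshold
    {"src": AP, "dst": C2, "type": "assoc_success"},
    {"src": AP, "dst": C2, "type": "data"},
    {"src": C2, "dst": AP, "type": "deauth"},        # C2 disconnects, removed
    {"src": AP, "dst": C3, "type": "data"},          # C3 served by a clone of AP's BSSID
    {"src": AP, "dst": C3, "type": "data"},
    {"src": AP, "dst": C4, "type": "data"},          # single frame, below threshold
]
# List L2 as the legitimate AP would report it (e.g. over SNMP): C4 is
# associated with it, C3 is not.
SAMPLE_L2 = {AP: {C1, C4}}


def run_example():
    """Build L1 for one window and compare it with L2."""
    return compare_lists(build_l1(SAMPLE_FRAMES, {AP}), SAMPLE_L2)


if __name__ == "__main__":
    for bssid, r in run_example().items():
        print(bssid, "spoof suspected:", r["spoof_suspected"],
              "extra:", sorted(r["extra_clients"]),
              "missed by probe:", sorted(r["missed_by_probe"]))
```

With the sample data, C3 ends up in L1 but not in L2, so the analyzer flags a suspected impersonation of the AP's BSSID, while C4 is known to the AP but never reached the threshold at the probe; the report keeps the two cases apart so that the second is read as probe-side frame loss rather than as spoofing.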
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0501703 | 2005-02-18 | ||
PCT/FR2006/000353 WO2006087473A1 (fr) | 2005-02-18 | 2006-02-15 | Procede, dispositif et programme de detection d'usurpation d'adresse dans un reseau sans fil |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1849261A1 true EP1849261A1 (de) | 2007-10-31 |
Family
ID=35159983
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06709328A Withdrawn EP1849261A1 (de) | 2005-02-18 | 2006-02-15 | Verfahren, einrichtung und programm zur detektion von adressen-spoofing in einem drahtlosen netzwerk |
Country Status (3)
Country | Link |
---|---|
US (1) | US20080263660A1 (de) |
EP (1) | EP1849261A1 (de) |
WO (1) | WO2006087473A1 (de) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI20075305L (fi) * | 2007-05-02 | 2008-11-03 | Eads Secure Networks Oy | Datavirtojen hallinta tietoliikennejärjestelmässä |
US8695095B2 (en) * | 2011-03-11 | 2014-04-08 | At&T Intellectual Property I, L.P. | Mobile malicious software mitigation |
US8700913B1 (en) | 2011-09-23 | 2014-04-15 | Trend Micro Incorporated | Detection of fake antivirus in computers |
CN103368738B (zh) * | 2012-04-11 | 2017-02-15 | 华为技术有限公司 | 一种安全身份发现及通信方法 |
US10129751B2 (en) * | 2012-05-25 | 2018-11-13 | Comcast Cable Communications, Llc | Wireless gateway supporting public and private networks |
CN105992198B (zh) * | 2015-06-15 | 2019-09-17 | 中国银联股份有限公司 | 一种确定无线局域网安全程度的方法及装置 |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2322894T3 (es) * | 2002-04-08 | 2009-07-01 | Airmagnet, Inc. | Monitorizacion de una red de area local. |
US20040078598A1 (en) * | 2002-05-04 | 2004-04-22 | Instant802 Networks Inc. | Key management and control of wireless network access points at a central server |
US7965842B2 (en) * | 2002-06-28 | 2011-06-21 | Wavelink Corporation | System and method for detecting unauthorized wireless access points |
US7634252B2 (en) * | 2003-03-07 | 2009-12-15 | Computer Assocaites Think, Inc. | Mobility management in wireless networks |
US7522908B2 (en) * | 2003-04-21 | 2009-04-21 | Airdefense, Inc. | Systems and methods for wireless network site survey |
US20050060576A1 (en) * | 2003-09-15 | 2005-03-17 | Kime Gregory C. | Method, apparatus and system for detection of and reaction to rogue access points |
2006
- 2006-02-15 WO PCT/FR2006/000353 patent/WO2006087473A1/fr active Application Filing
- 2006-02-15 EP EP06709328A patent/EP1849261A1/de not_active Withdrawn
- 2006-02-15 US US11/884,603 patent/US20080263660A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See references of WO2006087473A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2006087473A1 (fr) | 2006-08-24 |
US20080263660A1 (en) | 2008-10-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220045990A1 (en) | Methods and systems for api deception environment and api traffic control and security | |
US7536723B1 (en) | Automated method and system for monitoring local area computer networks for unauthorized wireless access | |
US7216365B2 (en) | Automated sniffer apparatus and method for wireless local area network security | |
US7724717B2 (en) | Method and apparatus for wireless network security | |
US7970894B1 (en) | Method and system for monitoring of wireless devices in local area computer networks | |
WO2006035140A1 (fr) | Procede, dispositif et programme de detection d'usurpation de point d'acces. | |
US7971253B1 (en) | Method and system for detecting address rotation and related events in communication networks | |
US20070025245A1 (en) | Method and apparatus for identifying wireless transmitters | |
WO2006079710A1 (fr) | Procede, dispositif et programme de detection d'usurpation d'adresse dans un reseau sans fil | |
EP1849261A1 (de) | Verfahren, einrichtung und programm zur detektion von adressen-spoofing in einem drahtlosen netzwerk | |
Garant et al. | Mining botnet behaviors on the large-scale web application community | |
Jain et al. | ETGuard: Detecting D2D attacks using wireless evil twins | |
EP1905194B1 (de) | Detektieren eines doppelanschlusses zwischen einem verdrahteten netz und mindestens einem drahtlosen netz | |
WO2007010101A2 (fr) | Detection d’une intrusion par detournement de paquets de donnees dans un reseau de telecommunication | |
Lu et al. | Client-side evil twin attacks detection using statistical characteristics of 802.11 data frames | |
d'Estalenx et al. | NURSE: eNd-UseR IoT malware detection tool for Smart homEs | |
FR3105486A1 (fr) | Procédé de détection d’un comportement malveillant dans un réseau de communication, dispositif, équipement d’accès audit réseau, procédé de détection d’une attaque distribuée dans ledit réseau, dispositif, équipement nœud et programmes d’ordinateur correspondants | |
Idland | Detecting mac spoofing attacks in 802.11 networks through fingerprinting on the mac layer | |
WO2022238644A1 (fr) | Procede de defense contre une tentative de deconnexion entre deux entites, systeme associe | |
Medeiros et al. | Learning remote computer fingerprinting | |
Tao | A novel intrusion detection system for detection of MAC address spoofing in wireless networks. | |
FR2888432A1 (fr) | Procedes de protection des trames de gestion echangees entre deux equipements sans fil, de reception et d'emission de telles trames, programmes d'ordinateur et supports de donnees contenant ces programmes d'ordinateur | |
FR2995427A1 (fr) | Dispositif de surveillance de trames a l'interconnexion d'un reseau local domestique et de l'internet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20070813 |
| AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
| DAX | Request for extension of the european patent (deleted) | |
| 17Q | First examination report despatched | Effective date: 20120613 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20120830 |