EP4338375A1 - Method for defending against an attempt to disconnect two entities, and associated system - Google Patents

Method for defending against an attempt to disconnect two entities, and associated system

Info

Publication number
EP4338375A1
Authority
EP
European Patent Office
Prior art keywords
entities
access point
client device
requests
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP22726270.6A
Other languages
English (en)
French (fr)
Inventor
Fabrice Fontaine
David ARMAND
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
Orange SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Orange SA
Publication of EP4338375A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present invention belongs to the general field of telecommunications. It relates, in particular, to a method of defending against a disconnection attempt between two entities corresponding to a network access point and a client device, as well as a system configured to implement said defense method.
  • the invention finds a particularly advantageous, although in no way limiting, application in the context of the "Internet of Things".
  • when a client device wishes to connect to a communication network, such as for example a local network used at home or within a company, it first seeks to establish a connection with an appropriate network access point.
  • network access point (or even more simply “access point” in the following description) conventionally refers to equipment configured to contribute to the deployment of said communication network, by offering communication services to one or more client devices equipped with network interfaces and located within the radio coverage area (home, business, etc.) of said access point.
  • an access point can take various forms, depending on the nature of the network deployed. By way of non-limiting example, it may be a router, a network switch, a server, a Wi-Fi internet box, etc.
  • connection between a client device and an access point is based on standardized messages exchanged between the latter.
  • Such messages consist of sending data packets, in the form of frames conforming to a determined communication protocol, and which correspond, as a general rule, to requests and responses to these requests.
  • FIG. 1 schematically represents messages exchanged within the framework of a connection between a client device 10 corresponding to a laptop-type user terminal and an access point 20 corresponding to a Wi-Fi internet box for home use.
  • the protocol used for the transmission of these messages is a Wi-Fi protocol complying with an IEEE 802.11 standard (ISO/CEI 8802-11).
  • the messages exchanged to establish the connection between the client device 10 and the access point 20 comprise successively, in this order:
  • Said frames T1 and T2 define a discovery phase of the connection capacities of the client device 10 and of the access point 20;
  • a T3 frame emitted by the client device 10 and corresponding to an authentication request ("AUTHENTICATION REQUEST" in English), as well as a T4 frame emitted by the access point 20, on reception of the T3 frame, and corresponding to a response to said authentication request;
  • Said frames T3 and T4 define an authentication phase making it possible to validate that the client device 10 is able to connect to the access point 20;
  • connection process allowing the establishment of a connection (i.e. a point-to-point link) between the client device 10 and the access point 20.
  • additional standardized messages M1, M2, M3 and M4 are also transmitted between the client device 10 and the access point 20, so as to exchange session keys allowing them to encrypt their subsequent exchanges.
  • This session key exchange corresponds to a so-called “4-way handshake” procedure.
  • connection can be broken. This can be done in a legitimate context where the client device 10 transmits to the access point 20 (respectively the access point 20 transmits to the client device 10) a frame corresponding to a disconnection request ("DEAUTHENTICATION REQUEST" in English).
  • a third party entity, distinct from the client device 10 and the access point 20, usurps for example the identity of the access point 20 to transmit to the client device 10 one or more disconnection requests (the opposite example, in which the impersonated identity is that of the client device 10, is of course also possible).
  • the client device 10 and/or the access point 20 can each be the subject, by said third party entity, of a malicious disconnection attempt.
  • the present invention aims to remedy all or part of the drawbacks of the prior art, in particular those set out above, by proposing a solution which makes it possible to provide effective and easy-to-implement protection against malicious disconnection attempts likely to affect an access point and/or a client device.
  • the invention relates to a method of defending against a disconnection attempt between two entities corresponding to a network access point and a client device, said method comprising, after the establishment of an initial connection between said two entities to exchange data over a communication channel in accordance with a determined communication protocol, a set of steps implemented by one or each of said two entities, said set of steps comprising:
  • Said method further comprises, if at least one criterion is satisfied for at least one of said two entities, a step of execution, by at least one of said two entities, of a protection process against said malicious disconnection attempt, so as to maintain a connection between said two entities.
  • the defense method comprises, initially, an analysis phase (evaluation of at least one criterion) executed by at least one of said two entities (client device, access point) receiving one or more disconnection requests.
  • the analysis phase makes it possible to detect the illegitimate nature of said requests, and therefore ultimately the attack carried out by the attacker.
  • if an analysis phase carried out by an entity does not conclude with the detection of a malicious disconnection attempt, then the connection between the two entities is legitimately broken.
  • the defense method according to the invention comprises another phase corresponding to the implementation of a protection process against said attack.
  • Said protection process aims to allow the maintenance of a connection between the client device and the access point, so that the latter can continue to communicate with each other, even possibly in a degraded manner.
  • maintaining a connection between the client device and the access point refers either to maintaining the initial connection, or to maintaining a connection made after said initial connection, for example following voluntary disconnection of at least one of said two entities.
  • a voluntary disconnection is for example triggered following the activation, by at least one of said two entities, of a monitor mode, as described in more detail below with reference to particular modes of implementation of the invention.
  • Such an implementation is particularly advantageous in that it can be implemented in a simpler way than the solutions of the prior art.
  • the defense method according to the invention can be implemented at the application level (i.e. in a processor executing steps of the defense method and equipping an entity).
  • the solution proposed by the invention offers the possibility of easily deploying effective protection against malicious disconnection attempts.
  • the defense method may also include one or more of the following characteristics, taken in isolation or in all technically possible combinations.
  • a metric corresponds to the rate of reception of requests belonging to the set of requests received by an entity, the criterion associated with said metric being satisfied if said reception rate is greater than a given threshold.
  • a metric corresponds to the reception power level of the requests belonging to the set of requests received by an entity, called "disconnection level", the criterion associated with said metric being satisfied if the difference between said disconnection level and the reception power level of valid data frames received by said entity prior to the reception of said set of requests is, in absolute value and for a determined period, above a given threshold.
  • said method further comprises, when the rate of reception of requests belonging to the set of requests received by one of said two entities, called "first entity", has reached a first given threshold, steps implemented by said first entity and comprising:
  • a metric corresponds to the number or to the rate of falsified requests detected by said first entity, the criterion associated with said metric being satisfied if said number or said rate is greater than a second given threshold.
  • by activating a monitor mode (“monitor” in English; other names may also be encountered, such as for example: Radio Frequency Monitoring, RF Monitor, rfmon, RFMON, Air Monitor, Network Monitor, NetMon, or RF monitoring), an entity equipped with a suitable network card (for example a Wi-Fi network card) is able to listen to (“sniff”) the Wi-Fi traffic on the channel of its choice, including that of the communication network to which it was attached before the activation of said monitor mode.
  • a metric corresponds to the number of falsified requests detected by said first entity, the criterion associated with said metric being satisfied if said number is greater than or equal to 1.
  • said method further comprises, when the rate of reception of requests belonging to the set of requests received by one of said two entities, called "first entity", has reached a first given threshold, steps implemented by said first entity and comprising:
  • a metric corresponds to the rate of valid data packets detected by said first entity, the criterion associated with said metric being satisfied if said rate is greater than a second given threshold.
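As an added illustration (not code from the patent or from Orange), the detection criteria listed above evaluated by a client device over constructed frame records: the reception rate of disconnection requests, the absolute difference between their reception power level and that of the valid data frames received just before them, and the count of falsified requests seen in monitor mode. The definition of a "falsified" request used here (a deauthentication frame carrying the entity's own address as transmitter that the entity never sent, told apart by sequence number) and all addresses, thresholds and power levels are assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    t: float        # reception time in seconds
    kind: str       # "data" (valid data frame) or "deauth" (disconnection request)
    src: str        # transmitter address as seen on the air
    rssi: int       # reception power level in dBm
    seq: int = 0    # 802.11 sequence number, only used by the monitor-mode check


AP = "02:00:00:00:00:02"   # constructed access point address
STA = "02:00:00:00:00:01"  # constructed client device address


def deauth_rate(frames: Iterable[Frame], window: float) -> float:
    """Disconnection requests per second over the `window` seconds ending at the last one."""
    deauths = [f for f in frames if f.kind == "deauth"]
    if not deauths:
        return 0.0
    end = deauths[-1].t
    recent = [f for f in deauths if end - window < f.t <= end]
    return len(recent) / window


def disconnection_level_delta(frames: Iterable[Frame], window: float) -> float:
    """Absolute difference between the mean RSSI of the disconnection requests
    (the "disconnection level") and the mean RSSI of the valid data frames
    received during the `window` seconds before the first request."""
    frames = list(frames)
    deauths = [f for f in frames if f.kind == "deauth"]
    if not deauths:
        return 0.0
    first = deauths[0].t
    prior = [f for f in frames if f.kind == "data" and first - window <= f.t < first]
    if not prior:
        return 0.0  # nothing to compare against: this criterion cannot fire
    return abs(mean([f.rssi for f in deauths]) - mean([f.rssi for f in prior]))


def falsified_requests(sniffed: Iterable[Frame], own_addr: str, own_tx_seq: Set[int]) -> int:
    """Assumed definition: in monitor mode the entity counts deauthentication frames
    that claim to come from itself but whose sequence numbers it never transmitted."""
    return sum(1 for f in sniffed
               if f.kind == "deauth" and f.src == own_addr and f.seq not in own_tx_seq)


def evaluate(frames: List[Frame], rate_threshold: float = 5.0,
             level_threshold: float = 10.0, window: float = 1.0) -> dict:
    """Which criteria are satisfied; any True flags a malicious disconnection attempt."""
    return {
        "rate": deauth_rate(frames, window) > rate_threshold,
        "level": disconnection_level_delta(frames, window) > level_threshold,
    }


# Constructed capture at the client: data frames from the AP at -45 dBm, then ten
# disconnection requests within one second spoofing the AP address at -70 dBm.
ATTACK = [Frame(float(i), "data", AP, -45) for i in range(5)] + \
         [Frame(5.0 + i / 10, "deauth", AP, -70, seq=900 + i) for i in range(10)]

# Constructed benign capture: same traffic, then one genuine disconnection request
# from the AP at its usual power level.
BENIGN = [Frame(float(i), "data", AP, -45) for i in range(5)] + \
         [Frame(5.0, "deauth", AP, -46, seq=42)]

# Constructed monitor-mode capture after the rate criterion fired: two frames claim
# to be sent by the client itself, but the client only ever transmitted seq 7.
MONITOR = [Frame(6.0, "deauth", STA, -70, seq=7),
           Frame(6.1, "deauth", STA, -70, seq=8),
           Frame(6.2, "data", AP, -45, seq=300)]

if __name__ == "__main__":
    print("attack :", evaluate(ATTACK))
    print("benign :", evaluate(BENIGN))
    print("falsified requests seen in monitor mode:", falsified_requests(MONITOR, STA, {7}))
```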
  • a protection process executed by an entity comprises a modification of at least one communication parameter used by one of said two entities to transmit data after the establishment of said initial connection.
  • modifying at least one communication parameter corresponds to a defense strategy making it possible to circumvent the attack in progress, rather than seeking to lead a frontal opposition in the face of this attack.
  • a defense strategy is more a behavior of “flight” and/or “camouflaging” vis-à-vis the attack in progress, than a counter-attack behavior. Accordingly, the point here is not to try to identify the attacker, but rather to evade them, while trying to maintain a connection.
  • a protection process is executed by the client device, a modified parameter corresponding to a unique identifier of said client device.
  • a protection process is executed by the access point, at least one modified parameter corresponding to:
  • a unique identifier such as for example a hardware address
  • the communication channel corresponds to a preferred implementation insofar as this makes it possible to increase security.
  • the existing connection or a future connection if applicable
  • each of said two entities executes a protection process comprising a role reversal, so that the access point is configured as a client device, and the client device is configured as access point.
  • a protection process is executed by said entity and consists in ignoring the disconnection request(s) received, or
  • a protection process is executed by each of said two entities and consists in ignoring the disconnection request(s) received.
  • Iterations can for example be carried out periodically within the same communication session.
  • the fact of iterating a protection process (for example by regularly modifying at least one communication parameter and/or by performing a role reversal on a regular basis) makes it possible to consolidate the defense that can be implemented, and ultimately improve the security of the connection between the client device and the access point.
  • said defense method comprises a step of transmitting a message from the other of said two entities, called "first entity", to said second entity, said message comprising said protection process, said transmission being implemented following the establishment of the initial connection and in an encrypted manner.
  • the communication protocol is a Wi-Fi protocol.
  • the invention relates to a computer program comprising instructions for the implementation of reception, evaluation and execution steps of a defense method according to the invention when said computer program is run by a computer.
  • This program may use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in partially compiled form, or in any other desirable form.
  • the invention relates to a computer-readable information or recording medium on which a computer program according to the invention is recorded.
  • the information or recording medium can be any entity or device capable of storing the program.
  • the medium may include a storage medium, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or even a magnetic recording medium, for example a diskette (floppy disk) or a hard disk.
  • the information or recording medium can be a transmissible medium such as an electrical or optical signal, which can be conveyed via an electrical or optical cable, by radio or by other means.
  • the program according to the invention can in particular be downloaded from an Internet-type network.
  • the information or recording medium may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.
  • the invention relates to a network access point capable of being connected to a client device to exchange data over a communication channel in accordance with a determined communication protocol, said access point comprising:
  • a reception module configured to receive, after a connection has been established between said access point and the client device, a set of disconnection requests,
  • an evaluation module configured to evaluate at least one criterion defined from a metric based on said set of requests or else on at least one other disconnection request received after the reception of said set of requests, so as to allow the detection of a malicious disconnection attempt.
  • the invention relates to a client device capable of being connected to a network access point to exchange data over a communication channel in accordance with a determined communication protocol, said client device comprising:
  • a reception module configured to receive, after a connection has been established between said access point and the client device, a set of disconnection requests,
  • an evaluation module configured to evaluate at least one criterion defined from a metric based on said set of requests or else on at least one other disconnection request received after the reception of said set of requests, so as to allow the detection of a malicious disconnection attempt.
  • the invention relates to a system for defending against a disconnection attempt between two entities corresponding to a network access point and a client device, said entities being able to be connected to each other to exchange data on a communication channel in accordance with a determined communication protocol, and in which:
  • At least one of said two entities comprises an execution module configured to execute, if at least one criterion is satisfied for at least one of said two entities, a protection process against said malicious disconnection attempt, so as to maintain a connection between the access point and the client device.
  • FIG. 1 schematically represents a connection method, in accordance with the state of the art, between a client device and an access point, said connection method comprising exchanges of messages according to a Wi-Fi protocol;
  • FIG. 2 schematically shows, in its environment, a particular embodiment of a defense system according to the invention
  • FIG. 3 schematically shows an example of hardware architecture of a client device belonging to the defense system of Figure 2;
  • FIG. 4 schematically shows an example of hardware architecture of an access point belonging to the defense system of Figure 2;
  • FIG. 5 shows, in the form of a flowchart, the main steps of a defense method according to the invention as they are implemented by the defense system of Figure 2;
  • FIG. 6 schematically shows a first particular mode of implementation of the method of Figure 5;
  • FIG. 7 schematically shows a second particular mode of implementation of the method of Figure 5;
  • FIG. 8 schematically shows a third particular mode of implementation of the method of Figure 5;
  • FIG. 9 schematically shows a fourth particular embodiment of the method of Figure 5;
  • FIG. 10 schematically shows a fifth particular embodiment of the method of Figure 5;
  • FIG. 2 schematically represents, in its environment, a particular embodiment of a system 100 according to the invention.
  • the system 100 comprises two entities, namely a client device 110 and a network access point 120.
  • the client device 110 is a mobile terminal held by a user, such as for example a smart telephone or “smartphone”, a digital tablet, a laptop computer, etc.
  • the access point 120 is a network gateway making it possible to connect a local communication network for domestic private use 130 (“LAN” type network, acronym for the English expression “Local Area Network”) to the public internet network (“WAN” type network, acronym for the English expression “Wide Area Network”, not shown in FIG. 2). It is noted that said access point 120 is also known under the name “Internet box”.
  • the data (messages) exchanged between the client device 110 and the access point 120, via a CAN communication channel of the local network 130 deployed by the access point 120 are in the form of packets encapsulated in frames (for example requests and responses to these requests).
  • Said frames conform to a Wi-Fi protocol complying with an IEEE 802.11 standard (ISO/CEI 8802-11).
  • neither of said two entities 110, 120 is configured in software and hardware to implement PMF protection.
  • no limitation is attached to the respective natures of said client device 110 (fixed terminal for example, such as a fixed PC) and of said access point 120 (dedicated server for example).
  • an access point 120 offering connectivity to remote servers does not constitute an implementation variant of the invention.
  • the invention does not exclude considering other modes in which the client device 110 is intended solely to communicate with the access point 120 via the local network 130 deployed by the latter, i.e. without seeking to be connected with another network likely to be placed behind the access point 120 (example: a drone acts as a Wi-Fi access point so that a mobile phone can connect to it to control it, all communications remaining between these two entities only, the drone offering no connectivity with remote servers).
  • Wi-Fi protocol such as for example a proprietary protocol.
  • the invention also does not exclude that the communication protocol is based on a wired technology (optical fiber, Ethernet cable, KNX bus, etc.).
  • FIG. 2 is given for purely illustrative purposes, and that the number of access points as well as the number of client devices that may belong to the system 100 are not limiting factors of the invention.
  • the client device 110 and the access point 120 are configured so as to be able to carry out processing allowing them to establish a connection between them, by implementing a connection method such as that described with reference to FIG. 1 (transmission of frames T1 to T6).
  • the client device 110 comprises for example one or more processors and storage means (magnetic hard disk, electronic memory, optical disk, etc.) in which are stored data and a computer program, in the form of a set of program code instructions to be executed to implement a first set of steps (transmission of frames T1, T3, T5, and reception of frames T2, T4, T6) of said connection method.
  • the client device 110 also comprises one or more programmable logic circuits, of the FPGA, PLD, etc. type, and/or specialized integrated circuits (ASIC), and/or a set of discrete electronic components, etc. adapted to implement said first set of steps of the connection method.
  • the client device 110 includes a set of means configured in software (specific computer program) and/or hardware (FPGA, PLD, ASIC, etc.) to implement said first set of steps of the connection process.
  • the access point 120 comprises for example one or more processors and storage means (magnetic hard disk, electronic memory, optical disk, etc.) in which are stored data and a computer program, under the form of a set of program code instructions to be executed to implement a second set of steps (transmission of frames T2, T4, T6, and reception of frames T1, T3, T5) of said connection method.
  • the access point 120 also comprises one or more programmable logic circuits, of the FPGA, PLD, etc. type, and/or specialized integrated circuits (ASIC), and/or a set of discrete electronic components, etc., adapted to implement said second set of steps of the connection method.
  • the access point 120 comprises a set of means configured in software (specific computer program) and/or hardware (FPGA, PLD, ASIC, etc.) to implement said second set of steps of the connection process.
  • the system 100 is further configured to perform processing making it possible to provide, once the client device 110 and the access point 120 are connected to each other, a defense against an attack consisting of a malicious disconnection attempt, by implementing a defense method according to the invention.
  • a defense aims in particular to maintain a connection between the client device 110 and the access point 120 so that they can continue to communicate with each other.
  • by "malicious disconnection attempt", reference is generally made to an attack targeting the client device 110 and/or the access point 120.
  • the client device 110 and the access point 120 can each receive one or more illegitimate disconnection requests (i.e. issued by an unauthenticated third-party entity at the origin of the attack in question).
  • the client device 110 and the access point 120 both contribute to the defense method, and are respectively configured appropriately to implement steps of said defense method.
  • the client device 110 (respectively the access point 120) can carry out processing operations making it possible to maintain a connection with the access point 120 (respectively with the client device 110).
  • FIG. 3 schematically represents an example of hardware architecture of the client device 110 belonging to the system 100 of FIG. 2.
  • the client device 110 has the hardware architecture of a computer.
  • the client device 110 comprises, in particular, a processor 1_1, a random access memory 2_1, a ROM 3_1 and a non-volatile memory 4_1. It further comprises a communication module 5_1.
  • the read only memory 3_1 of the client device 110 constitutes a recording medium in accordance with the invention, readable by the processor 1_1 and on which is recorded a computer program PROG_1 in accordance with the invention, comprising instructions for the execution of steps of the defense method according to the invention.
  • the PROG_1 program defines functional modules of the client device 110, which are based on or control the hardware elements 1_1 to 5_1 of the client device 110 mentioned above, and which include in particular:
  • a reception module MOD_RX_1 configured to receive, after a connection has been established between the access point 120 and the client device 110 (in accordance with the connection method mentioned above), a set of disconnection requests,
  • an evaluation module MOD_EVAL_1 configured to evaluate at least one criterion defined from a metric based on said set of requests or on at least one other disconnection request received after the reception of said set of requests, so as to allow detection of a malicious disconnection attempt,
  • an execution module MOD_EXEC_1 configured to execute, if at least one criterion is satisfied for said client device 110, a protection process against said malicious disconnection attempt, so as to maintain a connection between the access point 120 and the client device 110.
  • a “set of disconnection requests” can comprise one or more disconnection requests.
  • the communication module 5_1 allows in particular the client device 110 to communicate with the access point 120, and therefore integrates the means configured in hardware and/or software as described above to implement said first set of steps (transmission of frames T1, T3, T5, and reception of frames T2, T4, T6) of the connection process.
  • the communication module 5_1 also allows the client device 110 to communicate with entities of the local network other than the access point 120, and integrates in particular for this purpose said reception module MOD_RX_1 (the disconnection request(s) received being likely to be illegitimate, and therefore transmitted by a third party).
  • the access point 120 has a hardware architecture similar to that of the client device 110.
  • FIG. 4 schematically represents an example of the hardware architecture of the access point 120 belonging to the system 100 of FIG. 2.
  • the access point 120 has the hardware architecture of a computer.
  • the access point 120 comprises, in particular, a processor 1_2, a random access memory 2_2, a read only memory 3_2 and a non-volatile memory 4_2. It further comprises a communication module 5_2.
  • the read only memory 3_2 of the access point 120 constitutes a recording medium in accordance with the invention, readable by the processor 1_2 and on which is recorded a computer program PROG_2 in accordance with the invention, comprising instructions for execution of steps of the defense method according to the invention.
  • the PROG_2 program defines functional modules of the access point 120, which rely on or control the hardware elements 1_2 to 5_2 of the access point 120 mentioned above, and which include in particular:
  • a reception module MOD_RX_2 configured to receive, after a connection has been established between the access point 120 and the client device 110 (in accordance with the connection method mentioned above), a set of disconnection requests,
  • an evaluation module MOD_EVAL_2 configured to evaluate at least one criterion defined from a metric based on said set of requests or on at least one other disconnection request received after the reception of said set of requests, so as to allow detection of a malicious disconnection attempt
  • an execution module MOD_EXEC_2 configured to execute, if at least one criterion is satisfied for said access point 120, a protection process against said malicious disconnection attempt, so as to maintain a connection between the access point 120 and client device 110.
  • the communication module 5_2 notably allows the access point 120 to communicate with the client device 110, and therefore integrates the means, configured in hardware and/or software as described above, to implement said second set of steps (transmission of frames T2, T4, T6, and reception of frames T1, T3, T5) of the connection method.
  • the communication module 5_2 also allows the access point 120 to communicate with entities of the local network other than the client device 110, and integrates in particular for this purpose said reception module MOD_RX_2 (the disconnection request(s) received being likely to be illegitimate, and therefore transmitted by a third-party entity).
  • a general implementation of the defense method will now be described, as executed by the system 100 of FIG. 2. Particular modes of implementation are described later. It should be noted that said defense method is implemented after the establishment of a connection between the client device 110 and the access point 120. In other words, the implementation of the connection method precedes that of the defense method, and it is now considered that the client device 110 and the access point 120 are connected to each other via a so-called "initial" connection, so as to be able to exchange data on the CAN communication channel in accordance with the Wi-Fi protocol mentioned above.
  • FIG. 5 represents, in the form of a flowchart, the main steps of the defense method according to the invention as they are implemented by the system 100 of FIG. 2.
  • the defense method comprises, initially, an analysis phase executed by at least one of the two entities 110, 120 receiving one or more disconnection requests (it being understood that either only one of said two entities 110, 120 or both of them may receive disconnection requests).
  • disconnection requests are received from a third-party entity leading an attack (malicious disconnection attempt), hereinafter referred to as "attacker ATT" (said requests, and therefore a fortiori the attacker ATT itself, not being authenticated).
  • the analysis phase executed by an entity 110, 120 makes it possible to detect the illegitimate nature of said requests, and therefore ultimately the attack carried out by the ATT attacker.
  • the method comprises another phase executed by said at least one entity of the system 100 and which corresponds to the implementation of a protection process against said attack.
  • Said protection process aims to allow the maintenance of a connection between the client device 110 and the access point 120, so that the latter can continue to communicate with each other, even possibly in a degraded manner.
  • by "degraded", reference is made here for example to a communication carried out late, this delay coming from the time that had to be allocated to detect the malicious disconnection attempt.
  • the attacker ATT transmits to the client device 110 (respectively to the access point 120) a set ENS_1 of disconnection requests (respectively a set ENS_2 of disconnection requests).
  • the defense method comprises a step E10 of reception, by the client device 110, of the set ENS_1.
  • Said step E10 is implemented by the reception module MOD_RX_l equipping the client device 110.
  • the defense method also includes a step E20 of reception, by the access point 120, of the set ENS_2. Said step E20 is implemented by the reception module MOD_RX_2 equipping the access point 120.
  • steps E10 and E20 are implemented in parallel, which is due to the fact that the sets ENS_1 and ENS_2 are assumed to be sent simultaneously by the attacker ATT. It should however be noted that nothing excludes considering asynchronous receptions of said sets ENS_1 and ENS_2 (for example consecutive receptions) in the event that the attacker ATT does not send said sets ENS_1 and ENS_2 simultaneously.
  • the defense method also comprises a step E30 of evaluation, by the client device 110, of at least one criterion CRIT1_i (i being an integer index greater than or equal to 1) defined from a metric MET1_i based on said set ENS_1 of requests or indeed on at least one other disconnection request received after the reception of said set ENS_1 of requests, so as to allow the detection of a malicious disconnection attempt.
  • Said step E30 is implemented by the evaluation module MOD_EVAL_1 equipping the client device 110.
  • the defense method also comprises a step E40 of evaluation, by the access point 120, of at least one criterion CRIT2_j (j being an integer index greater than or equal to 1) defined from a metric MET2_j based on said set ENS_2 of requests or indeed on at least one other disconnection request received after the reception of said set ENS_2 of requests, so as to allow the detection of a malicious disconnection attempt.
  • Said step E40 is implemented by the evaluation module MOD_EVAL_2 equipping the access point 120.
  • the invention does not exclude the fact of considering criteria based on the same metric, but nevertheless distinct from one another (distinct threshold values).
  • the metric or metrics used for the implementation of step E30 can be entirely or partly distinct from the metric or metrics used for the implementation of step E40.
  • the defense method comprises a step E50 of execution, by the client device 110, of a process of protection against the malicious disconnection attempt which targets it as well as the point of access 120, so as to maintain a connection between said two entities 110, 120.
  • Said step E50 is implemented by the execution module MOD_EXEC_1 equipping the client device 110.
  • the defense method includes a step E60 of execution, by the access point 120, of a process of protection against the disconnection attempt which targets it as well as the client device 110, here too with the aim of maintaining a connection between said two entities 110, 120.
  • Said step E60 is implemented by the execution module MOD_EXEC_2 equipping the access point 120.
  • protection processes respectively executed by the client device 110 and the access point 120 may differ from each other. These aspects are described in more detail later.
  • a metric applicable to one of the two entities 110, 120 of the system 100 can also be applied, according to entirely similar technical arrangements, to the other of said two entities 110, 120.
  • FIG. 6 schematically represents a first particular mode of implementation of the method of FIG. 5.
  • step E30 is executed using a metric MET1_1 corresponding to the reception rate DEB_RX of the requests belonging to the set ENS_1 of requests received by the client device 110.
  • the criterion CRIT1_1 associated with said metric MET1_1 is satisfied if said reception rate DEB_RX is greater than a given threshold S1_1.
  • disconnection requests REQ_DEC1_k (k being an integer index), forming said set ENS_1, are received continuously (i.e. over time) by the client device 110, after an exchange of data with the access point 120 (this data exchange is symbolized by arrows bearing the references DATA1 and DATA2).
  • each disconnection request REQ_DEC1_k has, as source address MAC_SRC, an address corresponding to a unique identifier of the access point 120, namely in this example the hardware address MAC_2 ("MAC" being the acronym of the English expression "Media Access Control") of said access point 120,
  • the disconnection requests REQ_DEC1_k actually originate from the attacker ATT, and are therefore indeed illegitimate requests since they usurp the identity of the access point 120.
  • the reception rate DEB_RX of said disconnection requests is equal to twelve requests per second, whereas the threshold S1_1 associated with the criterion CRIT1_1 is set at ten disconnection requests per second.
  • FIG. 7 schematically represents a second particular mode of implementation of the method of FIG. 5.
  • step E30 is executed using a metric MET1_2 corresponding to the power level in reception of the requests belonging to the set ENS_1 of requests received by the client device 110, called “disconnection level”.
  • said disconnection level corresponds to a level of “RSSI” type (acronym of the English expression “Received Signal Strength Indication”), denoted below RSSI_DEC.
  • the criterion CRIT1_2 associated with said metric MET1_2 is satisfied if the difference between said disconnection level RSSI_DEC and the reception power level RSSI_RX of valid data frames ("DATA2" data in FIG. 7) received by said client device 110 prior to receipt of said set ENS_1 is, in absolute value and for a determined duration, greater than a given threshold S1_2.
  • the disconnection level RSSI_DEC is equal to -50 dBm for a duration of 1 second (three requests REQ_DEC1_1, REQ_DEC1_2 and REQ_DEC1_3 are received by the client device 110 during 1 second, and each of these requests is associated with a disconnection level RSSI_DEC equal to -50 dBm).
  • the reception power level RSSI_RX prior to the reception of said disconnection requests is equal to -80 dBm.
  • the difference between the levels RSSI_DEC and RSSI_RX, in absolute value and for 1 second, is therefore equal to 30, whereas the threshold S1_2 associated with the criterion CRIT1_2 is fixed at 10 dBm per second.
  • the threshold S1_2 is exceeded, and the criterion CRIT1_2 is therefore satisfied, such that a malicious disconnection attempt is detected (in this case, the client device 110 detects that it is under attack).
  • FIG. 8 schematically represents a third particular mode of implementation of the method of FIG. 5.
  • FIGS. 6 and 8 use the same notation formalism.
  • the defense method further comprises, when the reception rate DEB_RX of the requests belonging to the set ENS_1 of requests received by the client device 110 has reached a first given threshold S1_3 (said reception rate DEB_RX is here evaluated during the reception step E10), steps implemented by said client device 110 and comprising:
  • an activation (step E11) of a monitor mode. In this mode, the client device 110 is able to listen to ("sniff") the traffic of the local network 130. It is noted that activating said monitor mode, on the part of the client device 110, leads de facto to the (voluntary) disconnection of the client device 110 from the access point 120 (switching to monitor mode refers to the disconnection of the Wi-Fi card previously used to allow the latter to communicate with the access point 120, following the initial connection). All the technical aspects related to the activation of such a monitor mode, as well as the capabilities of the client device 110 once configured in this monitor mode, are well known to those skilled in the art and are therefore not described in further detail here,
  • a monitoring (step E12) of the network traffic on said CAN communication channel, so as to be able to detect at least one disconnection request, called a "falsified request", emitted by a source usurping the identity of the client device 110 and intended for the access point 120.
  • step E30 is executed using a metric MET1_3 corresponding to the number N_FAL of falsified requests detected by the client device 110 (these are requests usurping the identity of the client device 110, intended for the access point 120 and detected after switching to monitor mode).
  • the criterion CRIT1_3 associated with said metric MET1_3 is for its part satisfied if said number N_FAL is greater than a second given threshold S1_4.
  • the threshold S1_3 is exceeded, and the criterion CRIT1_3 is therefore satisfied, such that a malicious disconnection attempt is detected (in this case, the client device 110 detects that the access point 120 is under attack).
  • a first threshold S1_3 equal to two disconnection requests per second (respectively a second threshold S1_4 equal to 0) constitutes only one example of implementation of said third mode of implementation.
  • no limitation is attached to the value of said first threshold S1_3 (respectively to the value of said second threshold S1_4).
  • the implementation of said third mode is not limited either to considering a metric corresponding to the number of falsified requests detected by the client device 110.
  • another metric may be used, such as a metric corresponding to the reception rate of falsified requests detected by the client device 110, the threshold taken into account for the criterion associated with this other metric being for example equal to ten falsified requests detected in 1 second.
  • a reconnection of said client device 110 to said access point 120 should be considered, given that an objective of the defense method is to maintain a connection between these two entities.
  • Such a reconnection can be envisaged during the execution of the protection process (step E50) if the latter consists for example in ignoring the disconnection requests received, or else at the end of said protection process if the latter consists for example in a modification of at least one communication parameter used by one of said two entities 110, 120 to transmit data after the establishment of the initial connection.
  • the reconnection mechanism as such is known to those skilled in the art (awaiting receipt of a beacon frame, "4-way handshake" procedure, etc.).
  • FIG. 9 schematically represents a fourth particular mode of implementation of the method of FIG. 5.
  • FIGS. 6 and 9 use the same notation formalism.
  • the defense method further comprises, when the reception rate DEB_RX of the requests belonging to the set ENS_1 of requests received by the client device 110 has reached a first given threshold S1_5 (said reception rate DEB_RX is here evaluated during the reception step E10), steps implemented by said client device 110 and comprising:
  • an activation (step E11) of a monitor mode, and a monitoring (step E12) of the network traffic on said CAN communication channel, so as to be able to detect at least one valid data packet transmitted by the access point 120 and intended for the client device 110.
  • step E30 is executed using a metric MET1_4 corresponding to the rate DEB_VAL of valid data packets detected by the client device 110.
  • the criterion CRIT1_4 associated with said metric MET1_4 is satisfied if said rate DEB_VAL is greater than a second given threshold S1_6.
  • the threshold S1_6 is exceeded, and the criterion CRIT1_4 is therefore satisfied, such that a malicious disconnection attempt is detected.
  • a first threshold S1_5 equal to two disconnection requests per second (respectively a second threshold S1_6 equal to three valid packets) constitutes only one example of implementation of said fourth mode of implementation.
  • no limitation is attached to the value of said first threshold S1_5 (respectively to the value of said second threshold S1_6).
  • such a fourth mode of implementation finds a preferential (but not exclusive) application when the client device 110 is equipped with a plurality of network cards (in this case Wi-Fi cards, as for example in the case of a Wi-Fi repeater), it being understood that monitor mode is activated by disconnecting the Wi-Fi card previously used to allow the latter to communicate with the access point 120, following the initial connection.
  • steps E50 and E60, allowing the execution, by each of the entities 110, 120 of the system 100, of a process of protection against the attack carried out by the attacker ATT, are now described.
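As an added example (not code from the patent), the four client-side criteria CRIT1_1 to CRIT1_4 described for FIGS. 6 to 9 are evaluated in Python over constructed frame traces that reproduce the figures' worked values. The hardware addresses, the Frame record and the one-second evaluation window are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# Added example, not the patent's code. Hardware addresses are constructed
# placeholders standing in for MAC_1 (client device 110) and MAC_2 (access point 120).
MAC_1 = "02:00:00:00:00:01"
MAC_2 = "02:00:00:00:00:02"
WINDOW = 1.0  # assumed evaluation duration, in seconds


@dataclass(frozen=True)
class Frame:
    """One frame as received by the client device (or sniffed in monitor mode)."""
    t: float    # reception time, seconds
    kind: str   # "deauth" = disconnection request, "data" = data frame
    src: str    # MAC_SRC, the source hardware address carried by the frame
    dst: str    # destination hardware address
    rssi: int   # reception power level, dBm


def rate(frames: list, t_start: float) -> float:
    """Frames per second received in [t_start, t_start + WINDOW)."""
    return sum(1 for f in frames if t_start <= f.t < t_start + WINDOW) / WINDOW


def deauths(frames: list, src: str, dst: str) -> list:
    """Disconnection requests carrying MAC_SRC == src and addressed to dst."""
    return [f for f in frames if f.kind == "deauth" and f.src == src and f.dst == dst]


def crit1_1(frames: list, s1_1: float = 10.0) -> bool:
    """First mode (FIG. 6): MET1_1 = DEB_RX of ENS_1; satisfied if DEB_RX > S1_1."""
    ens_1 = deauths(frames, MAC_2, MAC_1)  # requests claiming to come from the AP
    return bool(ens_1) and rate(ens_1, ens_1[0].t) > s1_1


def crit1_2(frames: list, s1_2: int = 10) -> bool:
    """Second mode (FIG. 7): |RSSI_DEC - RSSI_RX| > S1_2 over the whole window."""
    ens_1 = deauths(frames, MAC_2, MAC_1)
    if not ens_1:
        return False
    t0 = ens_1[0].t
    # RSSI_RX: level of valid data frames from the AP received before ENS_1
    before = [f.rssi for f in frames if f.kind == "data" and f.src == MAC_2 and f.t < t0]
    if not before:
        return False
    rssi_rx = mean(before)
    window = [f for f in ens_1 if t0 <= f.t < t0 + WINDOW]
    # Assumption: every request in the window must show the deviation.
    return all(abs(f.rssi - rssi_rx) > s1_2 for f in window)


def monitor_mode_needed(frames: list, first_threshold: float = 2.0) -> bool:
    """Third/fourth modes: activate monitor mode (E11) once DEB_RX reaches S1_3 / S1_5."""
    ens_1 = deauths(frames, MAC_2, MAC_1)
    return bool(ens_1) and rate(ens_1, ens_1[0].t) >= first_threshold


def crit1_3(sniffed: list, s1_4: int = 0) -> bool:
    """Third mode (FIG. 8): N_FAL = requests usurping MAC_1 sent to the AP; N_FAL > S1_4."""
    return len(deauths(sniffed, MAC_1, MAC_2)) > s1_4


def crit1_4(sniffed: list, s1_6: float = 3.0) -> bool:
    """Fourth mode (FIG. 9): DEB_VAL = rate of valid AP-to-client data; DEB_VAL > S1_6."""
    valid = [f for f in sniffed if f.kind == "data" and f.src == MAC_2 and f.dst == MAC_1]
    return bool(valid) and rate(valid, valid[0].t) > s1_6


# Constructed traces reproducing the figures' worked values.
def attack_trace() -> list:
    """DATA2 at -80 dBm, then twelve spoofed requests within one second at -50 dBm."""
    data = [Frame(0.2 * i, "data", MAC_2, MAC_1, -80) for i in range(5)]
    ens_1 = [Frame(1.0 + i / 12, "deauth", MAC_2, MAC_1, -50) for i in range(12)]
    return data + ens_1


def legitimate_trace() -> list:
    """A single genuine disconnection request at the same level as the data."""
    data = [Frame(0.2 * i, "data", MAC_2, MAC_1, -80) for i in range(5)]
    return data + [Frame(1.0, "deauth", MAC_2, MAC_1, -80)]


def monitor_trace() -> list:
    """Traffic sniffed after E11: the AP still sends data to the client while
    requests forged with MAC_SRC = MAC_1 are addressed to the AP."""
    valid = [Frame(2.0 + 0.2 * i, "data", MAC_2, MAC_1, -80) for i in range(4)]
    forged = [Frame(2.1, "deauth", MAC_1, MAC_2, -50), Frame(2.3, "deauth", MAC_1, MAC_2, -50)]
    return sorted(valid + forged, key=lambda f: f.t)


def detect(frames: list, sniffed: list) -> dict:
    """Evaluate every criterion; any True result is a detected malicious attempt."""
    return {
        "CRIT1_1": crit1_1(frames),
        "CRIT1_2": crit1_2(frames),
        "CRIT1_3": monitor_mode_needed(frames) and crit1_3(sniffed),
        "CRIT1_4": monitor_mode_needed(frames) and crit1_4(sniffed),
    }


if __name__ == "__main__":
    print(detect(attack_trace(), monitor_trace()))      # all four True
    print(detect(legitimate_trace(), monitor_trace()))  # all four False
```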
  • FIG. 10 schematically represents a fifth particular mode of implementation of the method of FIG. 5.
  • FIG. 10 and any one of FIGS. 6, 7, 8 and 9 use the same notation formalism.
  • the access point 120 transmits to the client device 110 a message MESS_DEF (step E00 of the defense method in said fifth mode of implementation).
  • Said MESS_DEF message is preferably transmitted in an encrypted manner and comprises the protection processes that each of the entities 110, 120 is intended to apply in the event that a malicious disconnection attempt targeting at least one of the said two entities 110, 120 is detected.
  • the message MESS_DEF allows the access point 120 to inform the client device 110 that, in the event of detection of an attack, each entity 110, 120 must modify a communication parameter used by said entity 110, 120 to transmit data after initial connection establishment. More particularly, the access point 120 here modifies its hardware address MAC_2 to MAC_4 and the client device 110 must modify its hardware address MAC_1 to MAC_3. In other words, each of the two entities 110, 120 of the system 100 modifies its hardware address.
  • the message MESS_DEF and therefore a fortiori the protection processes that it contains, have here been stored by said access point 120 prior to the implementation of the defense process.
  • This storage is for example performed in the non-volatile memory 4_2 of the access point 120, during the design and manufacture of the latter.
  • said MESS_DEF message transmitted by the access point 120 to the client device 110 can correspond to a standardized message registered in the standard on which the communication protocol used by said two entities 110, 120 is based.
  • the client device 110 stores the protection process which is transmitted to it during the implementation of the defense method, since it is the access point 120 which is at the origin of this standardized transmission.
  • each of the two entities 110, 120 is targeted by a disconnection attempt detected according to an implementation conforming to said third mode (FIG. 8), in which the metric taken into account is the number of falsified requests detected by each of the two entities 110, 120. It is further considered that a criterion common to said two entities 110, 120 is associated with said metric, this criterion being satisfied if said number of falsified requests detected is greater than or equal to 1.
  • the client device 110 implements reception step E10, activation of a monitor mode E11 and monitoring E12,
  • the access point 120 implements reception step E20, activation of a monitor mode E21 (similar to step E11) and monitoring E22 (similar to step E12).
  • each entity 110, 120 detects a falsified request:
  • the client device 110 detects a REC_DEC1 request usurping the identity of said client device 110 and addressed to the access point 120,
  • the access point 120 detects a REC_DEC2 request usurping the identity of said access point 120 and addressed to the client device 110.
  • each entity 110, 120 detects an attack and therefore executes the protection process associated with it, that is to say a change of hardware address.
  • a communication parameter modified by the access point 120 can correspond to any one of the communication parameters among:
  • a unique identifier of said access point 120 such as for example the hardware address MAC_2 of the latter, an identifier of the BSSID (Basic Service Set Identifier) type, an identifier of the ESSID (Extended Service Set Identifier) type, etc.; and/or
  • the CAN communication channel associated with said initial connection. For example, in the case of a local Wi-Fi network using the 2.4 GHz frequency band, there are thirteen usable channels, the CAN channel being one of said thirteen channels; and/or
  • an identifier of the communication network such as an identifier of the "SSID" type (acronym for the English expression "Service Set Identifier"); and/or
  • a time datum contained in frames transmitted by said access point 120, such as for example an indication of availability ("uptime") contained in a header referring to a timestamp of the BSS type ("BSS timestamp", where "BSS" corresponds to the acronym of the English expression "Basic Service Set").
  • a unique identifier and/or the CAN communication channel are modified as a priority, because this makes it possible to increase the security of the existing connection (or of a future connection if applicable) between the access point 120 and the client device 110. It is noted that these provisions are further combined with the fact that the hardware address of the client device 110 can also be modified within the framework of the execution of the protection process dedicated to said client device 110.
  • the fifth mode of implementation of FIG. 10 has also been described by considering that the sender of the message MESS_DEF is the access point 120. Of course, it is also possible to envisage this role of sender being played by the client device 110.
  • the client device 110 can itself execute a protection process, this protection process having been for example transmitted by the access point 120 via a message similar to the message MESS_DEF mentioned above.
  • These provisions can be transposed symmetrically to the case where the access point 120 is the only one attacked, detects this attack, and executes a protection process transmitted by the client device 110.
  • a protection process can be executed by the access point 120 after the client device 110 has notified said access point 120, for example by means of an appropriate alert message.
  • in this case, the hardware architecture of the client device 110 differs from that described above with reference to FIG. 3, the client device 110 comprising a reception module, an evaluation module and no execution module (or an execution module that remains inactive here).
  • the access point 120 for its part comprises an execution module configured to execute, upon receipt of said alert message, the protection process associated with it.
  • these provisions can be transposed to the case where the access point 120 is the only one attacked, detects this attack, and the client device 110 executes a protection process after having been notified by the access point 120.
  • At least one of said two entities 110, 120 (ideally the two entities 110, 120) is able to detect a malicious disconnection attempt which targets it, and that, following attack detection, at least one of said two entities 110, 120 is able to execute a protection process, so as to maintain a connection between said two entities 110, 120.
  • each of said two entities 110, 120 executes a protection process (it being understood that said two entities 110, 120 are attacked or only one of said two entities is attacked), and each process protection performed by one entity 110, 120 includes a role reversal with the other entity 110, 120.
  • the access point 120 is configured as (i.e. plays the role of) client device, and the client device 110 is configured as (i.e. acts as) an access point.
  • a protection process is executed by said client device 110 (respectively by said access point 120) and consists in ignoring the disconnection request(s) received. In other words, in this mode, the client device 110 (respectively the access point 120) does not modify any communication parameter, so that it can continue to communicate "normally" with the access point 120 (respectively with the client device 110). "Normally" refers to the fact that the detected attack is ignored.
  • a protection process is executed by each of said two entities 110, 120 and consists in ignoring the disconnection request(s) received. This mode therefore rests on foundations similar to those of the previous mode, with the difference that this time the two entities 110, 120 of the system 100 are attacked and both ignore the disconnection requests that they receive.
  • Still other variants remain possible, such as for example maintaining several connections between the client device 110 and the access point 120 once an attack has been detected, so as to increase the difficulty of carrying out an attack for the attacker ATT, or even having the client device 110 and/or the access point 120 transmit deliberately erroneous frames so as to confuse the attacker ATT.
  • the invention has also been described so far considering that neither of said two entities 110, 120 is configured in software and hardware to implement PMF protection.
  • the solution proposed by the invention is particularly simple to implement, the firmware of the Wi-Fi cards equipping the two entities 110, 120 not needing to be modified.
  • the invention nevertheless remains applicable, at the cost of a more complex technical implementation, in cases where at least one entity 110, 120 of the system 100 can implement PMF protection (it being understood that an entity capable of implementing PMF protection cannot activate it if the other entity is not able to handle this PMF protection).

EP22726270.6A 2021-05-10 2022-05-09 Verfahren zur abwehr eines versuchs, zwei einheiten zu trennen, und zugehöriges system Pending EP4338375A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2104907A FR3122796A1 (fr) 2021-05-10 2021-05-10 Procédé de défense contre une tentative de déconnexion entre deux entités, système associé
PCT/FR2022/050877 WO2022238644A1 (fr) 2021-05-10 2022-05-09 Procede de defense contre une tentative de deconnexion entre deux entites, systeme associe

Publications (1)

Publication Number Publication Date
EP4338375A1 true EP4338375A1 (de) 2024-03-20

Family

ID=76601402

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22726270.6A Pending EP4338375A1 (de) 2021-05-10 2022-05-09 Verfahren zur abwehr eines versuchs, zwei einheiten zu trennen, und zugehöriges system

Country Status (4)

Country Link
EP (1) EP4338375A1 (de)
CN (1) CN117296296A (de)
FR (1) FR3122796A1 (de)
WO (1) WO2022238644A1 (de)

Also Published As

Publication number Publication date
FR3122796A1 (fr) 2022-11-11
CN117296296A (zh) 2023-12-26
WO2022238644A1 (fr) 2022-11-17

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20231129

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR