JP2016054346A - Access point detection device, access point detection method, and access point detection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve detection accuracy of an unauthorized access point.SOLUTION: Regarding (k) pieces (k≥1) of continuous identical time slots, a traffic volume collation part 15 of an unauthorized access point detection device 10 calculates a weighted sum of traffics for each uplink and downlink which are successively measured by a wireless-side traffic measurement part 13 and a wired-side traffic measurement part 14, via a noticed irregular access point. The traffic volume collation part 15 then determines predetermined correlation values of a traffic volume Aof a wired frame and a traffic volume Bof a wireless frame in time slots [t, t](i=1, 2, ..., n-k+1). In the case where the predetermined correlation value is equal to or greater than a predetermined threshold, for example, the traffic volume collation part 15 determines the irregular access point as an unauthorized access point.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an access point detection device, an access point detection method, and an access point detection program.

  In recent years, wireless LAN (Local Area Network) access points, soft access points that operate on PCs (Personal Computers), Wi-Fi (registered trademark) routers, smartphones with a tethering function, etc., users can easily build a wireless LAN. And it has become available.

  Wireless LAN access points can be broadly classified into managed wireless LAN access points and unmanaged wireless LAN access points in a managed network that is a managed network of a company or the like. A user can easily connect an unauthorized access point, which is a wireless LAN access point that is not managed in the managed network, to the managed network without permission. An unauthorized access point connected to a managed network is called an unauthorized access point.

  For example, a soft access point operated by a user on a legitimate PC permitted to connect to a managed network may become an unauthorized access point. An unauthorized access point can be an entry point for unauthorized entry into a managed network. When a managed network is illegally infiltrated, there is a high risk of security incidents such as information leakage, website alteration, and malware intrusion. An unauthorized access point is an unauthorized access point that a user maliciously connects to the managed network for the purpose of unauthorized intrusion, and the user carelessly connects with the management rules of the managed network giving priority to convenience. With a non-regular access point.

  Technologies for detecting unauthorized access points include the following. That is, there are a technique for detecting an unauthorized access point on the wired LAN side and a technique for detecting on the wireless LAN side. For example, the technology for detecting unauthorized access points on the wired LAN side monitors device information connected to each port of a node connected to the wired LAN side of a wireless LAN access point, such as a router or an edge switch, and does not manage them. If the wireless LAN access point is connected, it is regarded as an unauthorized access point.

  In addition, for example, a technique for detecting an unauthorized access point on the wireless LAN side is managed in a managed network by observing radio waves using a wireless LAN monitoring device, an analyzer, etc., detecting a device operating as a wireless LAN access point, and If there is an unauthorized access point other than the wireless LAN access point, it is regarded as an unauthorized access point.

  In addition, for example, the detection technique on the wired LAN side is characterized in that the wireless communication specified by IEEE (registered trademark) 802.11 often has a larger access delay than the wired communication specified by IEEE 802.3. Use. The technology detected on the wired LAN side estimates the presence of traffic from the wireless LAN access point from the packet arrival interval and the response delay of TCP ACK (Transmission Control Protocol ACKnowledgement). The technology detected on the wired LAN side assumes that an unauthorized access point is connected if there is traffic from the wireless LAN access point in a segment where there is no wireless LAN access point managed in the managed network.

R. Beyah, et al., “Rogue Access Point Detection using Temporal Traffic Characteristics”, GLOBECOM, 2004. W. Wei, et al., “Passive Online Rogue Access Point Detection Using Sequential Hypothesis Testing with TCP ACK-Pairs”, ACM SIGCOMM IMC., 2007. WildPackets, Inc., “Getting the Most from Your Wireless Network”, [online], [searched August 20, 2014], Internet <URL: http://www.wildpackets.com/elements/whitepapers/get_the_most_from_your_wireless_network. pdf>

  However, in the above-described conventional technology, the detected unauthorized access point is a wireless LAN access point connected to a provider network, such as a Wi-Fi router or a smartphone, or an unauthorized access point connected to a managed network. Cannot be determined. That is, the conventional technique has a problem that detection accuracy is low and an unauthorized access point is erroneously detected.

  An example of an embodiment disclosed in the present application has been made in view of the above, and an object thereof is to improve detection accuracy of an unauthorized access point.

  An example of an embodiment disclosed in the present application is that an access point detection device that detects a wireless LAN (Local Area Network) access point connected to a management network includes a detection unit, a wireless-side traffic measurement unit, a wired-side traffic measurement unit, and a verification A part. The detection unit detects an unauthorized wireless LAN access point that is not permitted to connect to the management network. The wireless-side traffic measurement unit measures traffic of wireless communication transmitted / received by the non-regular wireless LAN access point detected by the detection unit. The wired-side traffic measurement unit measures the traffic of wired communication transmitted and received by devices that are candidates for unauthorized access points. The collation unit collates wireless communication traffic and wired communication traffic to determine whether or not there is a predetermined correlation or more, and an unauthorized wireless LAN access point having a predetermined correlation or more is an unauthorized access point. Is determined.

  According to an example of an embodiment disclosed in the present application, for example, the accuracy of detecting an unauthorized access point can be improved.

FIG. 1 is a diagram illustrating an example of a configuration of a managed network including an unauthorized access point detection device according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of the unauthorized access point detection device according to the first embodiment. FIG. 3 is a diagram illustrating an example of a regular access point list according to the first embodiment. FIG. 4 is a diagram illustrating an example of calculating a weighted sum of traffic amounts according to the first embodiment. FIG. 5 is a flowchart illustrating an example of unauthorized access point detection processing according to the first embodiment. FIG. 6 is a diagram illustrating an example of a configuration of a managed network including an unauthorized access point detection device according to the second embodiment. FIG. 7 is a diagram illustrating an example of the configuration of the unauthorized access point detection device according to the second embodiment. FIG. 8 is a diagram illustrating an example of a computer in which the unauthorized access point detection apparatus according to the first and second embodiments is realized by executing a program.

  Hereinafter, embodiments of an access point detection device and the like disclosed in the present application will be described. The following embodiments are merely examples, and do not limit the technology disclosed by the present application. Moreover, you may combine suitably embodiment shown below and its modification in the range which does not contradict.

[Explanation of terms]
Each term referred to in the following embodiments will be described. “Managed network” refers to a network that is a managed closed network used in companies, government offices, and the like. The “regular access point” is a wireless local area network (LAN) access point that is managed in the managed network and permitted to connect to the managed network. The “non-regular access point” is a wireless LAN access point that is not managed in the managed network and is not permitted to connect to the managed network. The “illegal access point” is a wireless LAN access point that is determined to be illegally connected to the managed network by a predetermined determination process among non-regular access points. The “illegal access point detection target device” is a device that is a node of a managed network to which an unauthorized access point can be wired.

  The “wireless MAC (Media Access Control) address” of the wireless LAN access point is a MAC address on the wireless communication interface side when the wireless LAN access point performs wireless LAN communication conforming to IEEE 802.11 with other devices. is there. The “wired MAC address” of the wireless LAN access point is a MAC address on the wired communication interface side when the wireless LAN access point performs wired LAN communication conforming to IEEE 802.3 with another device.

  In addition, “uplink” is a terminal node of the managed network in the managed network, and from an apparatus connected to the external apparatus to an edge that is a connection apparatus used for connection with an external apparatus such as a wireless LAN access point. Data distribution direction that goes through an external device. Further, “downlink” refers to a data distribution direction from an edge to a device connected to the external device via the external device in the managed network.

[Embodiment 1]
(Configuration of Managed Network According to Embodiment 1)
The first embodiment disclosed in the present application will be described below. FIG. 1 is a diagram illustrating an example of a configuration of a managed network including an unauthorized access point detection device according to the first embodiment. The managed network 1 according to the first embodiment includes switches 2a to 2d, a regular access point 3 connected to the switch 2d, and an unauthorized access point detection device 10. The switches 2a to 2d are switches corresponding to layer 2 or layer 3 of the OSI (Open Systems Interconnection) reference model to which other network devices are connected by wire.

  In the managed network 1, an unauthorized access point 51 is connected via the switch 2b. The non-regular access point 51 is connected to a PC (Personal Computer) 53a having a wireless LAN connection function. The unauthorized access point 51 can become an unauthorized access point by connecting the PC 53a.

  In addition, the managed network 1 is connected via a switch 2c to a PC 52a that can function as a non-regular access point and that functions as a wireless LAN access point by the operation of software. A PC 53b having a wireless LAN connection function is connected to the PC 52a. The PC 52a can become an unauthorized access point by connecting the PC 53b.

  In addition, the managed network 1 is connected to a PC 52b that functions as a wireless LAN access point by an operation of software, which can be an unauthorized access point, via the authorized access point 3. The PC 52b is connected to a PC 53c having a wireless LAN connection function. The PC 52b can become an unauthorized access point by connecting the PC 53b.

  The unauthorized access point detection device 10 is installed, for example, in a wired connection with the switch 2b and in the vicinity of the switch 2b, that is, in a range where the wireless LAN communication of the unauthorized access point 51 connected to the switch 2b can be intercepted. The unauthorized access point detection device 10 is wired to any one of the switches 2b, 2c and the authorized access point 3 which are unauthorized access point detection target devices, and is installed in the vicinity of each of the switches 2b, 2c and the authorized access point 3. The The unauthorized access point detection target device is a node in the managed network 1 to which a device having a wireless LAN communication function can be connected by wire, and corresponds to the switches 2b and 2c and the regular access point 3 in FIG.

(Configuration of Unauthorized Access Point Detection Device According to Embodiment 1)
FIG. 2 is a diagram illustrating an example of the configuration of the unauthorized access point detection device according to the first embodiment. FIG. 3 is a diagram illustrating an example of a regular access point list according to the first embodiment. The unauthorized access point detection apparatus 10 according to the first embodiment includes a storage unit 11 having a regular access point list 11a, an irregular access point detection unit 12, a wireless side traffic measurement unit 13, a wired side traffic measurement unit 14, and a traffic amount verification unit. 15 has an antenna 16.

  The regular access point list 11a is a list that lists, for example, wireless side MAC addresses such as identification information on the wireless LAN side of the regular access points to which the unauthorized access point detection device is connected. The unauthorized access point detection unit 12 is configured such that the wireless side MAC address of the access point included in the wireless frame detected in the vicinity of the unauthorized access point detection target device to which the unauthorized access point detection device 10 is connected via the antenna 16 is It is determined whether or not it is registered in the regular access point list 11a.

  Then, when the wireless MAC address of the access point is registered in the regular access point list 11a, the unauthorized access point detection unit 12 determines that the access point that transmits and receives the wireless frame is a regular access point. Further, when the wireless MAC address of the access point is not registered in the regular access point list 11a, the unauthorized access point detection unit 12 determines that the access point that transmits and receives the wireless frame is an unauthorized access point.

  The radio side traffic measurement unit 13 focuses on the radio side MAC address of the irregular access point included in the radio frame detected by the irregular access point detection unit 12. Then, the radio side traffic measurement unit 13 sets the traffic amount of the radio frame in which the radio side MAC address is stored as the transmission destination MAC address as the uplink traffic amount, and stores the radio side MAC address as the source MAC address. The traffic volume of the radio frame is sequentially measured for each uplink and downlink, with the traffic volume of the radio frame as the downlink traffic volume. The radio side traffic measurement unit 13 measures the traffic amount of the radio frame with respect to the payload of the data frame excluding the control frame, the management frame, and the like.

  The radio side traffic measurement unit 13 measures the amount of radio frame traffic in units of a predetermined length of time slot. Here, “uplink” refers to a radio frame transmission direction to an unauthorized access point. Further, “downlink” here refers to a radio frame transmission direction from an unauthorized access point. The radio side traffic measurement unit 13 measures the traffic amount of the radio frame using an existing technique such as a monitor tool or a capture tool.

  Note that the radio side traffic measurement unit 13 does not perform radio frame traffic measurement when a radio frame including the radio side MAC address of the irregular access point detected by the irregular access point detection unit 12 cannot be detected.

  The wired-side traffic measurement unit 14 sets the traffic amount of the wired frame in which the wireless MAC address of the non-regular access point is stored as the transmission source MAC address as the upstream traffic amount, and stores the wireless MAC address as the transmission destination MAC address. The traffic amount of the wired frame is determined as the downstream traffic amount, and the traffic amount of the wired frame is sequentially measured for each uplink and downlink in the unauthorized access point detection target device. The wired side traffic measurement unit 14 measures the traffic amount for the payload of the wired frame.

  When the wired-side traffic measurement unit 14 measures the traffic amount of the wired frame, the wired-side traffic measurement unit 14 has the same timing and length as the predetermined time slot when the wireless-side traffic measurement unit 13 measures the traffic amount of the wireless frame. Measure in slots. Here, uplink is the frame transmission direction from the unauthorized access point to the unauthorized access point detection target device. Further, “downlink” in this case is a frame transmission direction from the unauthorized access point detection target device to the unauthorized access point. The wired-side traffic measurement unit 14 measures the traffic amount of the wired frame using an existing technique such as a monitor tool or a capture tool.

  The traffic amount matching unit 15 is configured to measure each traffic for each uplink and downlink with respect to consecutive k (k ≧ 1) identical time slots sequentially measured by the wireless-side traffic measurement unit 13 and the wired-side traffic measurement unit 14. Calculate the weighted sum. In the following, it is assumed that i, j are indexes indicating time slots, n is the total number of time slots used for unauthorized access point detection processing, and k is the number of time slots used for calculating a weighted sum of traffic amounts.

FIG. 4 is a diagram illustrating an example of calculating a weighted sum of traffic amounts according to the first embodiment. Time slots shown in FIG. _{4 [t i, t i +} 1] (i = 1,2, ···, n) was measured in the total amount of _{a i} of traffic wired frame, and the total amount of traffic of a radio frame _{b i} To do.

In the example of FIG. 4, a graph g1 shows a change with time of the total traffic amount a _i of the wired frame. Further, in the example of FIG. 4, the graph g2 illustrates the changes over time of the total amount b _i of the traffic of the radio frame. The total amount of wired frame traffic in the time slot [t ₁ , t ₂ ] is a ₁ , and the total amount of wireless frame traffic is b ₁ . The total amount of wired frame traffic in the time slot [t ₂ , t ₃ ] is a ₂ , and the total amount of wireless frame traffic is b ₂ . The total amount of wired frame traffic in the time slot [t ₃ , t ₄ ] is a ₃ , and the total amount of wireless frame traffic is b ₃ . The total amount of wired frame traffic in the time slot [t ₄ , t ₅ ] is a ₄ , and the total amount of wireless frame traffic is b ₄ .

The traffic amounts a _i and b _i per unit time of the wired frame and the wireless frame are substantially the same (a _i ≈b _i ) if the frames are based on the same communication. However, since there are actually processing delays, transfer delays, propagation delays, etc. at the switch and wireless LAN access point, the traffic volume per unit time of the wired frame and the wireless frame does not always match. Therefore, in the embodiment, the traffic amount A _i of the wired frame and the traffic amount B _i of the wireless frame in the same k consecutive time slots (k ≧ 1) are collated. Specifically, the traffic amount matching unit 15 uses weighted sums such as the following equations (1) and (2) for traffic amount matching.

Then, the traffic amount matching unit 15 calculates the traffic amount A _i of the wired frame and the traffic amount B _i of the wireless frame in the time slot [t _i , t _{i + k} ] (i = 1, 2,..., N−k + 1). Determine correlation.

For example, the traffic amount matching unit 15 calculates a correlation coefficient ρ (A _i , B _i ) between the traffic amount A _i of the wired frame and the traffic amount B _i of the wireless frame as in the following equation (3). Then, when the correlation coefficient ρ (A _i , B _i ) is equal to or greater than a predetermined threshold, the traffic amount matching unit 15 determines that the non-regular access point is an unauthorized access point. If the traffic amount matching unit 15 determines that the access point is an unauthorized access point, it outputs an alert from an output unit (not shown). On the other hand, when ρ (A _i , B _i ) is less than a predetermined threshold, the traffic amount matching unit 15 determines that the non-regular access point is not an unauthorized access point.

Alternatively, the traffic amount matching unit 15 calculates a correlation value I (A _i , B _i ) between the traffic amount A _i of the wired frame and the traffic amount B _i of the wireless frame as in the following equation (4), Instead of the correlation coefficient ρ (A _i , B _i ), the correlation between the traffic amount A _i of the wired frame and the traffic amount B _i of the radio frame may be determined. In the equation (4), the correlation value I (A _i , B _i ) may be obtained by replacing A _i and B _i .

(Unauthorized Access Point Detection Processing According to Embodiment 1)
FIG. 5 is a flowchart illustrating an example of unauthorized access point detection processing according to the first embodiment. The unauthorized access point detection process according to the first embodiment may be executed every time the unauthorized access point detection process is performed, or may be always performed.

  First, the unauthorized access point detection unit 12 of the unauthorized access point detection device 10 determines whether an unauthorized access point has been detected (step S11). Then, when the non-regular access point is detected by the non-regular access point detection unit 12 (Yes in step S11), the radio-side traffic measurement unit 13 determines the radio-side traffic on the radio side for each detected time slot. The amount is measured (step S12). On the other hand, if an unauthorized access point is not detected (No at Step S11), the unauthorized access point detection unit 12 ends the unauthorized access point detection process.

  Subsequent to step S12, the wired-side traffic measurement unit 14 measures the amount of traffic on the wired side for each time slot and MAC address for a device that is a candidate for an unauthorized access point (step S13). Next, the traffic amount matching unit 15 calculates a weighted sum of the traffic amounts of the wireless frame and the wired frame for each uplink and downlink and for each wired wireless side for consecutive k time slots (k ≧ 1) ( Step S14).

  Next, the traffic amount matching unit 15 compares the weighted sum of each traffic amount on the wired side wireless side for each uplink and downlink (step S15). Next, the traffic amount collation unit 15 determines whether or not the correlation of the weighted sum of the traffic amounts on the wireless side wired side is equal to or greater than a threshold value (step S16). When determining that the correlation between the weighted sums of the respective traffic amounts on the wireless-side wired side is equal to or greater than the threshold (Yes in step S16), the traffic amount matching unit 15 determines that the non-regular access point is an unauthorized access point, and outputs the output unit. To output an alert (step S17). When the process of step S17 ends, the irregular access point detection unit 12 moves the process to step S18.

  On the other hand, when it is determined that the correlation between the weighted sums of the respective traffic amounts on the wireless side wired side is less than the threshold (No in step S16), the traffic amount matching unit 15 determines that the non-regular access point is not an unauthorized access point. The process proceeds to S18.

  In step S18, the irregular access point detector 12 determines whether or not other irregular access points can be detected. If the non-regular access point detection unit 12 determines that another non-regular access point can be detected (Yes in step S18), the process proceeds to step S11. On the other hand, if the unauthorized access point detection unit 12 determines that no other unauthorized access point can be detected (No in step S18), the unauthorized access point detection process ends.

  In the unauthorized access point detection process according to the first embodiment described above, each time one non-regular access point is detected, each traffic amount on the wireless side wired side is measured and collated with respect to the detected unauthorized access point. However, the present invention is not limited to this, and the first embodiment simultaneously detects a plurality of non-regular access points, measures each traffic amount on the wireless-side wired side for the detected plurality of non-regular access points, and performs a collation process in parallel. You may go.

(Effect by Embodiment 1)
The prior art cannot be detected if the unauthorized access point spoofs the MAC address of the regular access point for the wired MAC address. Further, in the conventional technology, when an unauthorized access point is operating on a PC connected to the authorized access point, or when an unauthorized access point is operating on an authorized PC connected to the managed network by wire, However, since it is determined that a legitimate device is connected, an unauthorized access point cannot be detected.

  The prior art assumes that the wireless LAN communication speed is lower than the wired LAN communication speed. However, in recent years, the wireless LAN has become faster, and the wireless LAN communication speed is higher than the wired LAN communication speed. If it is large, the transmission delay of the wired LAN becomes dominant, and the feature of the wireless LAN frame arrival interval cannot be detected. Further, the conventional technology cannot detect an unauthorized access point in the case of UDP communication without TCP ACK.

  On the other hand, in the first embodiment, since the unauthorized access point is detected based on the wireless MAC address of the access point, even if the unauthorized access point spoofs the MAC address of the authorized access point for the wired MAC address. , Rogue access points can be detected. In addition, since Embodiment 1 detects an unauthorized access point based on the wireless MAC address of the access point, even if the payload is an encrypted wireless LAN frame, An unauthorized access point can be detected based on the MAC address. In the first embodiment, when an unauthorized access point is operating on a PC connected to the authorized access point, even when the unauthorized access point is operating on an authorized PC connected to the managed network by wire, Since an unauthorized access point is detected based on the wireless side MAC address, an unauthorized access point can be detected.

  Further, in the first embodiment, since a wireless frame and a wired frame are collated with a traffic amount per unit time, an unauthorized access point can be detected without depending on individual frame characteristics such as an arrival interval. Further, in the first embodiment, since the unauthorized access point is detected based on the MAC address, the unauthorized access point can be detected without depending on the communication protocol of layer 3 or higher of the OSI reference model.

  That is, the first embodiment has a connection form of an access point to a managed network, presence / absence of encryption in a wireless LAN, magnitude relationship between communication speeds of a wireless LAN and a wired LAN, a higher layer protocol of layer 3 or higher, and wired connection of a regular access point. An unauthorized access point can be detected without depending on the side MAC address spoofing.

[Embodiment 2]
The second embodiment disclosed in the present application will be described below. In the description of the second embodiment, the same components and processing functions as those of the first embodiment are denoted by the same reference numerals, description thereof is omitted, and only differences are described. In the second embodiment, a rogue access point detection apparatus centrally controls and executes rogue access point detection processing for each wireless LAN communication detected via an antenna installed in the vicinity of each rogue access point detection target apparatus. Thus, it is different from the first embodiment.

(Configuration of Managed Network According to Embodiment 2)
FIG. 6 is a diagram illustrating an example of a configuration of a managed network including an unauthorized access point detection device according to the second embodiment. The managed network 1-1 according to the second embodiment includes an unauthorized access point detection device 10-1 instead of the unauthorized access point detection device 10 as compared with the managed network 1 according to the embodiment.

  The unauthorized access point detection device 10-1 according to the second embodiment transmits a wireless frame of wireless LAN communication performed by each device from the antennas 16a, 16b, and 16c installed in the vicinity of the switches 2b and 2c and the regular access point 3, respectively. Receive and measure the traffic volume. The unauthorized access point detection device 10-1 is wired to all of the switches 2b, 2c and the regular access point 3, and determines the traffic amount of the wired frame corresponding to the radio frame received via the antennas 16a, 16b, and 16c. , The switches 2b and 2c and the regular access point 3.

(Configuration of Unauthorized Access Point Detection Device According to Embodiment 2)
FIG. 7 is a diagram illustrating an example of the configuration of the unauthorized access point detection device according to the second embodiment. The unauthorized access point detection device 10-1 according to the second embodiment includes a storage unit 11 having a regular access point list 11a, an irregular access point detection unit 12-1, a wireless side traffic measurement unit 13-1, and a wired side traffic measurement unit. 14-1, a traffic amount matching unit 15-1, and antennas 16a, 16b, and 16c.

  The non-regular access point detection unit 12-1 receives the MAC address of the access point included in the radio frame detected in the vicinity of the unauthorized access point detection target device in which each antenna is arranged in the vicinity via the antennas 16a, 16b, and 16c. Is registered in the regular access point list 11a.

  Then, when the wireless MAC address of the access point is registered in the regular access point list 11a, the unauthorized access point detection unit 12-1 determines that the access point that transmits and receives the wireless frame is a regular access point. Further, when the wireless MAC address of the access point is not registered in the regular access point list 11a, the unauthorized access point detection unit 12-1 determines that the access point that transmits and receives the wireless frame is an unauthorized access point. .

  The wireless-side traffic measurement unit 13-1 pays attention to the wireless-side MAC address of the unauthorized access point included in the wireless frame detected by the unauthorized access point detection unit 12-1. Then, the radio side traffic measurement unit 13-1 sets the traffic amount of the radio frame in which the radio side MAC address of the unauthorized access point is stored as the source MAC address as the uplink traffic amount, and the radio side MAC address is the destination. The traffic volume of the radio frame stored as the MAC address is set as the downlink traffic volume, and the traffic volume of the radio frame is sequentially measured for each uplink and downlink.

  The wired-side traffic measurement unit 14-1 uses the traffic amount of the wired frame in which the MAC address of the device that is a candidate for the unauthorized access point is stored as the source MAC address as the upstream traffic amount, and the MAC address is the destination MAC address. As the traffic volume of the wired frame stored as the downlink traffic volume, the unauthorized access point detection target device sequentially measures the traffic volume of the wired frame for each uplink and downlink.

  The traffic amount matching unit 15-1 performs uplink and downlink operations for consecutive k (k ≧ 1) identical time slots sequentially measured by the wireless-side traffic measurement unit 13-1 and the wired-side traffic measurement unit 14-1. Every time, the weighted sum of each traffic is calculated. Then, the traffic amount matching unit 15-1 obtains a predetermined correlation value between the wired side traffic amount and the wireless side traffic amount for each traffic, and when the predetermined correlation value is equal to or larger than a predetermined threshold, the non-regular access point is It is determined that the access point is an unauthorized access point.

(Modification)
In the first and second embodiments, the weighted sum of the wired-side traffic amount and the wireless-side traffic amount is calculated for k consecutive time slots (k ≧ 1), and the correlation between the wired-side traffic and the wireless-side traffic is determined. However, the present invention is not limited thereto, and k (k ≧ 1) consecutive time slots are regarded as one time slot, and the difference between the total amount of wired traffic and the total amount of wireless traffic in one time slot is equal to or less than a predetermined threshold. It may be determined that there is a correlation between the wired side traffic and the wireless side traffic.

  In the first and second embodiments, the wired-side traffic amount and the wireless-side traffic amount are measured separately for uplink and downlink. However, the present invention is not limited to this, and the wired-side traffic is determined for either uplink or downlink only. And the traffic volume on the wireless side may be measured.

In the first and second embodiments, k (k ≧ 1) weighting coefficients {α _j }, {β _j } (j = 1, 2,..., K) in the equations (1) and (2) are Alternatively, it may be a value determined in advance according to the network configuration, the processing performance of each network node, and the like at the design stage of the managed networks 1 and 1-1. Alternatively, the weighting coefficients {α _j }, {β _j } (j = 1, 2,..., K) calculate the weighted sum of the wired side traffic amount and the wireless side traffic amount, and the wired side traffic and the wireless side Each time the traffic correlation is determined, optimization may be performed so that a value indicating the correlation becomes a minimum value.

  In the first and second embodiments, when measuring the traffic on the wired side and the traffic on the wireless side, the measurement is performed only with the payload excluding OH (Over Head) of the wired frame and the wireless frame. The wired-side traffic volume and the wireless-side traffic volume may be measured using a wired frame and a wireless frame including When measuring wired-side traffic volume and wireless-side traffic volume with wired frames and wireless frames including OH, the threshold for determining the correlation between wired-side traffic and wireless-side traffic is considered OH compared to when OH is excluded. Thus, a lower value may be used.

  In the embodiment, the data distributed in the managed network 1, 1-1 and between the devices connected to the managed network 1, 1-1 is a frame. , Segments, datagrams, messages, etc.

(Effect by Embodiment 2)
According to the second embodiment, the detection of the unauthorized access point connected to each unauthorized access point detection target device and the detection of the unauthorized access point among the unauthorized access points are performed in a concentrated manner. -1 as a whole, the existence of an unauthorized access point can be grasped centrally.

(System and apparatus configuration of the embodiment)
The components of the managed networks 1 and 1-1 shown in FIGS. 1 and 6 and the unauthorized access point detection apparatuses 10 and 10-1 shown in FIGS. 2 and 7 are functionally conceptual and are not necessarily physically illustrated. It is not necessary to be configured like this. That is, the specific forms of the distribution and integration of the functions of the managed networks 1 and 1-1 and the unauthorized access point detection devices 10 and 10-1 are not limited to those shown in the figure, and all or a part of them can be used for various loads and usage conditions. Depending on the above, it can be configured to be functionally or physically distributed or integrated in arbitrary units.

  Moreover, each process performed in the unauthorized access point detection apparatuses 10 and 10-1 may be realized by a program that is analyzed or executed by a CPU (Central Processing Unit) in whole or in any part. Moreover, each process performed in the unauthorized access point detection apparatuses 10 and 10-1 may be realized as hardware based on wired logic.

  In addition, among the processes described in the embodiment, all or a part of the processes described as being automatically performed can be manually performed. Alternatively, among the processes described in the embodiments, all or a part of the processes described as being performed manually can be automatically performed by a known method. In addition, the above-described and illustrated processing procedures, control procedures, specific names, and information including various data and parameters can be changed as appropriate unless otherwise specified.

(About the program)
FIG. 8 is a diagram illustrating an example of a computer in which the unauthorized access point detection apparatus according to the first and second embodiments is realized by executing a program. That is, FIG. 8 is a diagram showing that each process in the unauthorized access point detection apparatuses 10 and 10-1 is specifically realized using a computer. As illustrated in FIG. 8, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. The serial port interface 1050 is connected to a mouse 1051 and a keyboard 1052, for example. The video adapter 1060 is connected to the display 1061, for example.

  The hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the unauthorized access point detection devices 10 and 10-1 is stored in, for example, the hard disk drive 1031 as a program module 1093 in which a command executed by the computer 1000 is described. For example, a program module 1093 for executing information processing similar to the functional configuration in the unauthorized access point detection devices 10 and 10-1 is stored in the hard disk drive 1031.

  Various data used in the processing in the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1031 to the RAM 1012 as necessary, and executes them.

  The program module 1093 and the program data 1094 are not limited to being stored in an external storage device such as the hard disk drive 1031 or SSD (Solid State Drive), but are stored in, for example, a removable storage medium, and the disk drive 1041 and the like are stored. Via the CPU 1020. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.) and read by the CPU 1020 via the network interface 1070. .

  The above embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

10, 10-1 Unauthorized access point detection device 11 Storage unit 11a Regular access point list 12, 12-1 Non-regular access point detection unit 13, 13-1 Wireless side traffic measurement unit 14, 14-1 Wired side traffic measurement unit 15 , 15-1 Traffic volume verification unit

Claims (8)

An access point detection device for detecting a wireless LAN (Local Area Network) access point connected to a management network,
A detection unit for detecting an unauthorized wireless LAN access point that is not permitted to connect to the management network;
A wireless-side traffic measurement unit that measures traffic of wireless communication transmitted and received by the non-regular wireless LAN access point detected by the detection unit;
A wired-side traffic measurement unit that measures traffic of wired communication transmitted and received by a device that is a candidate for an unauthorized access point;
The wireless communication traffic and the wired communication traffic are collated to determine whether or not there is a predetermined correlation, and the non-regular wireless LAN access point having a predetermined correlation or more is an unauthorized access point. An access point detection apparatus comprising: a collation unit for judging. The wireless side traffic measurement unit and the wired side traffic measurement unit measure the wireless communication traffic and the wired communication traffic for each predetermined time slot at a predetermined time interval,
The verification unit weights the traffic of the wireless communication obtained by multiplying each of the traffic of the wireless communication for each time slot measured by the wireless-side traffic measuring unit by a weighting factor and adding the weight over a predetermined number of consecutive time slots. And a weighted sum of the traffic of the wired communication obtained by multiplying each of the traffic of the wired communication for each time slot measured by the wired-side traffic measurement unit by a weighting factor and adding the same over the predetermined number of time slots. The access point detection apparatus according to claim 1, wherein: The access point according to claim 1 or 2, wherein the wired-side traffic measurement unit and the wired-side traffic measurement unit measure the wireless communication traffic and the wired communication traffic for each uplink and downlink. Detection device. The wireless side traffic measurement unit and the wired side traffic measurement unit respectively measure the wireless communication traffic and the wired communication traffic based on a payload of a frame. The access point detection device according to 1. An access point detection method executed by an access point detection device that detects a wireless LAN (Local Area Network) access point connected to a management network,
A detection step of detecting an unauthorized wireless LAN access point that is not permitted to connect to the management network;
A wireless traffic measurement step for measuring traffic of wireless communication transmitted and received by the non-regular wireless LAN access point detected by the detection step;
Wired side traffic measurement step for measuring traffic of wired communication transmitted / received by a device that is a candidate for an unauthorized access point;
The wireless communication traffic and the wired communication traffic are collated to determine whether or not there is a predetermined correlation, and the non-regular wireless LAN access point having a predetermined correlation or more is an unauthorized access point. An access point detection method comprising: a verification step for determining. The wireless-side traffic measurement step and the wired-side traffic measurement step include predetermined time intervals and a predetermined number of consecutive time slots, and the wireless communication traffic and the wired communication traffic for each uplink and downlink. Measure each
The collating step weights the wireless communication traffic obtained by multiplying each of the wireless communication traffic for each time slot measured in the wireless side traffic measuring step by a weighting factor and adding the weighted coefficient over the predetermined number of consecutive time slots. And a weighted sum of the traffic of the wired communication obtained by multiplying each of the traffic of the wired communication for each time slot measured by the wired-side traffic measurement step by a weighting factor and adding the same over the predetermined number of time slots. The access point detection method according to claim 5, wherein: The wireless side traffic measurement step and the wired side traffic measurement step respectively measure the wireless communication traffic and the wired communication traffic based on a payload of a frame, respectively. Access point detection method. The access point detection program for functioning a computer as an access point detection apparatus of any one of Claims 1-4.

Images