JP6517729B2 - Monitoring device, monitoring method, and monitoring program - Google Patents

Description

  The present invention relates to a wireless access point monitoring device, a monitoring method, and a monitoring program.

  Conventionally, in a wireless access point such as a public wireless LAN (hereinafter appropriately referred to as an “access point”), the firmware may be rewritten to unauthorized firmware, or the access point may be used as a spoofed access point.

  In order to cope with such a problem, there is a technique (technique 1) for confirming that the firmware is in a normal state, using the damper resistant module in the wireless access point as a starting point of trust. In addition, there is also a technique (technique 2) of confirming that the terminal of the connection source is a legitimate communication counterpart by authentication with a certificate or the like issued by a certificate authority at the access point. Further, referring to the database in which the information of the legitimate communication partner (SSID (Service Set IDentifier), channel used for communication, information of fluctuation waveform of frequency, etc.) is registered, the terminal of the connection source is the legitimate communication partner There is also a technology (technique 3) to confirm the

S. Jana and S. K. Kasera, “On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews”, IEEE TRANSACTIONS ON MOBILE COMPUTING (Volume: 9, Issue: 3), MARCH 2010, pp. 449-462 K. Gao, C. Corbett, and R. Beyah, “A Passive Approach to Wireless Device Fingerprinting”, 2010 IEEE International Conference on Dependable Systems on Dependable Systems & Networks (DSN), Aug. 2010, pp. 383-392

  However, among the above-described techniques, in the case of technique 1, it is necessary to use a protocol of MAC layer or higher, and in the case of technique 2, a certificate issued by a certificate authority is required. Further, in the case of the technique 3, there are cases where it can not be confirmed that the communication partner is a legitimate communication partner only by the information (SSID, channel used for communication, information such as fluctuation waveform of frequency) registered in the database. SUMMARY OF THE INVENTION An object of the present invention is to easily and accurately detect that an abnormality has occurred in a wireless access point.

  In order to solve the problems described above, the present invention provides a beacon frame acquisition unit that acquires a beacon frame transmitted from a wireless access point, and a value of a time stamp indicating a transmission time of the beacon frame from the wireless access point; A feature data storage processing unit that stores the difference from the time when the beacon frame acquisition unit acquires the beacon frame in the storage unit as the feature data of the wireless access point, and the wireless access point stored in the storage unit A prediction unit that predicts, from the feature data, a first deviation that is a deviation between a value of a time stamp of a beacon frame transmitted from the wireless access point and a time when the beacon frame acquisition unit acquires the beacon frame; The beacon frame acquisition unit A measurement unit configured to measure a second deviation that is a deviation between a value of a time stamp of the beacon frame and a time when the beacon frame acquisition unit actually acquires the beacon frame when acquired; And a determination unit that determines that an abnormality has occurred in the wireless access point when a difference between the second deviation and the second deviation is measured.

  According to the present invention, occurrence of an abnormality in a wireless access point can be easily and accurately detected.

FIG. 1 is a diagram showing an example of the configuration of a monitoring system. FIG. 2 is a diagram showing a configuration example of a monitoring device. FIG. 3 is a graph showing clock shift for each type of firmware used in the AP. FIG. 4 is a diagram showing an example of feature data stored in a database. FIG. 5 is a flow chart showing a procedure of the monitoring device accumulating the feature data of the AP in the database. FIG. 6 is a flowchart showing a procedure for the monitoring device to detect an abnormality in the AP. FIG. 7 is a diagram showing a computer that executes a monitoring program.

  Hereinafter, embodiments (embodiments) for carrying out the present invention will be described with reference to the drawings. The present invention is not limited to this embodiment.

  First, a configuration example of a monitoring system including the monitoring device of the present embodiment will be described using FIG. 1. The monitoring system includes a wireless access point (AP) 20, a monitoring device 10 that monitors the state of the AP 20, and a database 30. The numbers of APs 20, monitoring devices 10 and databases 30 are not limited to the numbers shown in FIG.

  The AP 20 (20A, 20B) relays communication from a wireless communication terminal such as a PC. For example, upon receiving wireless communication from a PC, the AP 20 transfers the wireless communication to an intranet or the like via a switch. The AP 20 transmits a beacon frame, which is a management frame of the AP 20, at predetermined intervals.

  The monitoring device 10 acquires a beacon frame transmitted by the AP 20, and monitors the state of the AP 20 by the value of the time stamp of the beacon frame (a value indicating the transmission time from the AP 20).

  Specifically, the monitoring device 10 acquires a beacon frame transmitted by the AP 20 ((1): acquisition of a beacon frame). Then, the monitoring device 10 stores the difference between the time indicated by the acquired beacon frame time stamp and the time when the monitoring device 10 acquires the beacon frame in the database 30 as feature data of the AP 20 ((2): Feature data storage). As the monitoring device 10 repeats such processing, data (feature data) indicating the shift of the clock between the AP 20 and the monitoring device 10 in chronological order is accumulated in the database 30.

  Then, the monitoring device 10 determines the time shift (first shift) between the AP 20 and the monitoring device 10 predicted from the feature data stored in the database 30, and the time stamp of the beacon frame actually acquired from the AP 20. The difference between the time indicated by and the time when the monitoring device 10 acquires the beacon frame (the second difference) is compared ((3): the difference between the predicted time and the actually measured time is compared) . And the monitoring apparatus 10 determines with the abnormality having generate | occur | produced in the said AP20, when the shift | offset | difference of the time more than the threshold value set beforehand is detected as a result of comparison.

  The database 30 stores feature data of each AP 20. The database 30 uses, for example, a database used in WIPS (wireless intrusion prevention system). The database 30 may be provided in the monitoring device 10.

  Next, the configuration of the monitoring device 10 will be described using FIG. The monitoring apparatus 10 includes an input / output unit 11, a control unit 12, and an outside air temperature measurement unit 13.

  The input / output unit 11 is an interface that controls input and output of data with an external device (for example, the AP 20, the database 30, and the like). The input / output unit 11 is realized by, for example, a communication interface for performing wireless communication with an external device.

  The control unit 12 controls the entire monitoring device 10, and here mainly detects an abnormality of the AP 20 based on the value of the time stamp of the beacon frame acquired from the AP 20.

  The outside air temperature measurement unit 13 measures the outside air temperature of the monitoring device 10. The outside air temperature is used to predict the clock deviation between the AP 20 and the monitoring device 10.

  The control unit 12 includes a beacon frame acquisition unit 121, a feature data storage processing unit 122, a prediction unit 123, a measurement unit 124, and a determination unit 125. The AP load information acquisition unit 126 indicated by a broken line may or may not be equipped, and will be described later.

  The beacon frame acquisition part 121 acquires the beacon frame which AP20 transmits. For example, the beacon frame acquisition unit 121 sequentially monitors each channel used for wireless communication, and acquires beacon frames transmitted from the surrounding APs 20 in the promiscuous mode.

  The feature data storage processing unit 122 creates feature data of the AP 20 and stores the feature data in the database 30. For example, when the beacon frame acquisition unit 121 acquires a beacon frame, the feature data storage processing unit 122 identifies the identification information (for example, MAC address) of the AP 20 that is the transmission source of the beacon frame and the time of the beacon frame added by the AP 20 Feature data is created in which the value of the stamp, the time when the beacon frame acquisition unit 121 acquires the beacon frame, and the outside temperature at the time of acquisition of the beacon frame measured by the outside air temperature measurement unit 13 are associated. Then, the feature data storage processing unit 122 transmits the created feature data to the database 30.

  The prediction unit 123 determines the value of the time stamp added to the beacon frame transmitted by the AP 20 based on the feature data of the AP 20 accumulated in the database 30, and the time at which the beacon frame acquisition unit 121 acquires the beacon frame. Predict the deviation (first deviation).

  Generally, there is a gap between the value of the time stamp that the AP 20 adds to the beacon frame and the value of the time when the monitoring device 10 acquires the beacon frame. That is, the clocks of the AP 20 and the monitoring device 10 are deviated. And this shift becomes large with progress of time. Therefore, the prediction unit 123 uses such a property, and based on the feature data of the AP 20 stored in the database 30, the time indicated by the value of the time stamp of the beacon frame transmitted by the AP 20 and the beacon The deviation from the time of receiving (acquiring) a frame is predicted.

  Here, in addition to the individual difference of each apparatus, environmental factors, such as external temperature, also influence as a cause by which each timepiece of AP20 and the monitoring apparatus 10 shifts | deviates. Therefore, the prediction unit 123 predicts the deviation of the clock in consideration of information on environmental factors such as the outside air temperature of the monitoring device 10 measured by the outside air temperature measurement unit 13. By doing this, the prediction unit 123 can improve the prediction accuracy of the clock shift of each of the AP 20 and the monitoring device 10.

  Since the beacon frame acquired by the monitoring device 10 is transmitted from the AP 20 in the vicinity (within a predetermined distance) of the monitoring device 10, the outside air temperature measured by the outside air temperature measurement unit 13 and the outside air of the AP 20 It seems that there is no big difference with the temperature.

  The measurement unit 124 measures a deviation (second deviation) between the time when the beacon frame acquisition unit 121 actually acquires the beacon frame and the time when the AP 20 acquires the beacon frame.

  The determination unit 125 determines whether the difference between the first deviation predicted by the prediction unit 123 and the second deviation measured by the measurement unit 124 is equal to or larger than a predetermined threshold, and the difference is equal to or larger than the predetermined threshold. If there is, it is determined that an abnormality has occurred in the AP 20. That is, when the deviation of the clock between the AP 20 and the monitoring device 10 is different from the deviation predicted from the feature data on the AP 20 accumulated so far, the determination unit 125 determines that some abnormality has occurred in the AP 20 .

  This will be described with reference to FIG. FIG. 3 is a graph showing a clock shift for each type of firmware used in the AP 20.

  In the graph shown in FIG. 3, the horizontal axis shows the passage of time in the receiving device (PC in this case) of the frame (beacon frame), and the vertical axis shows the value of the timestamp of AP20 with respect to the clock of that device (that is, Indicates how many milliseconds the clock is advancing. Here, the difference between the case where pure firmware is used for AP 20 and the case where dd-wrt which is open source firmware is used is measured with respect to the clock of each PC. The model of the AP 20 used in each case is the same.

  As shown in FIG. 3, the difference between the AP 20 using genuine firmware and the AP 20 using open source firmware increases with the passage of time with the clock of the PC. However, depending on the type of firmware used by the AP 20, the increase rate (slope) of the shift with the passage of time differs. For example, as shown in FIG. 3, when the AP 20 uses genuine firmware and open source firmware, when comparing the difference between the PC and the clock at 100 seconds after the start of measurement, it is approximately between the two. A difference of 250 microseconds has occurred.

  As described above, the shift of the clock between the transmitting device (for example, the AP 20) of the frame and the receiving device (for example, the monitoring apparatus 10) becomes a unique value due to the firmware or the like used by the transmitting device. Therefore, the determination unit 125 compares the feature data of the AP 20 stored in the database 30 with the shift of the clock between the AP 20 measured by the measurement unit 124 and the monitoring device 10, and a significant difference (for example, If there is a difference (equal to or more than a predetermined threshold value), it is determined that an abnormality has occurred in the AP 20 due to rewriting to unauthorized firmware or the like.

  For example, based on the measurement result of the clock shift generated in the AP using the genuine firmware shown in FIG. 3, for example, the prediction unit 123 measures 1.0 ms between the AP 20 and the monitoring device 10 in 150 seconds from the start of measurement. Consider the case where it is predicted that a clock shift of. In this case, the predicted feature amount X of the deviation is 6.67 [ns / s] as shown in the following equation (1).

  Therefore, a predetermined threshold value is defined for the feature amount X, and the determination unit 125 determines that the estimated deviation (first deviation) and the actually measured deviation (second deviation) are If the difference is equal to or more than the above threshold, it is determined that an abnormality has occurred in the AP 20.

  The database 30 stores the feature data of the AP 20 transmitted from the monitoring apparatus 10 as described above. For example, as shown in FIG. 4, in the database 30, for each MAC address of the AP 20, the value (“Beacon frame time stamp A”) of the time stamp of the beacon frame added by the AP 20; The beacon frame is stored in association with the time when the beacon frame is acquired (“time stamp B of beacon frame”) and the outside air temperature (“environmental factor”) when the beacon frame is acquired by the monitoring device 10. When the database 30 accumulates feature data of a plurality of monitoring devices 10, identification information of the monitoring device 10 as a transmission source of each feature data is also accumulated.

  According to the monitoring system described above, occurrence of an abnormality in the AP 20 can be detected easily and accurately.

  Next, processing procedures of the monitoring system will be described using FIGS. 5 and 6. First, the procedure in which the monitoring apparatus 10 accumulates feature data of the AP 20 in the database 30 will be described using FIG. 5.

  The beacon frame acquisition part 121 of the monitoring apparatus 10 acquires the beacon frame which AP20 transmits (S1). Then, the feature data accumulation processing unit 122 measures the time indicated by the time stamp added by the AP 20 of this beacon frame, the time when the beacon frame acquisition unit 121 acquires the beacon frame, and the outside air temperature measurement unit 13 Feature data in which the outside air temperature at the time of acquisition of the beacon frame is associated is created (S2). Then, the feature data storage processing unit 122 stores the feature data created in S2 in the database 30 (S3). The monitoring device 10 repeats the above-described process each time a beacon frame is acquired from the AP 20.

  Next, with reference to FIG. 6, a procedure in which the monitoring apparatus 10 detects an abnormality of the AP 20 will be described.

  First, the beacon frame acquisition unit 121 of the monitoring device 10 acquires a beacon frame transmitted by the AP 20 (S11). Then, based on the feature data of the AP 20 stored in the database 30, the prediction unit 123 obtains the value of the time stamp added to the beacon frame transmitted from the AP 20, and the beacon frame acquisition unit 121 the beacon frame. The deviation from time (first deviation) is predicted (S12: prediction of time deviation).

  Next, the measuring unit 124 measures a deviation (second deviation) between the time when the AP 20 acquires the beacon frame and the time when the beacon frame acquiring unit 121 actually acquires the beacon frame (S13: actual time) And measurement of deviation).

  Thereafter, the determination unit 125 determines whether or not the difference between the predicted deviation (first deviation) and the actual time deviation (second deviation) is equal to or greater than a predetermined threshold (S14), and the difference is predetermined. If it is above the threshold (Yes in S14), it is determined that an abnormality has occurred in the AP 20 (S15). On the other hand, if the difference is less than the predetermined threshold (No in S14), it is determined that no abnormality has occurred in the AP 20 (S16). By doing this, the monitoring apparatus 10 can detect that an abnormality has occurred in the AP 20.

(Other embodiments)
Note that, as an environmental factor affecting the deviation of the clock of each of the AP 20 and the monitoring device 10, a communication load at the AP 20, and the like can be considered in addition to the outside air temperature described above. For example, it is known that as the communication load on the AP 20 is larger, the shift of the clock between the AP 20 and the monitoring device 10 is likely to be larger. Therefore, when predicting the shift of the clock between the AP 20 and the monitoring device 10, the prediction unit 123 of the monitoring device 10 may also take into consideration, for example, the communication load on the AP 20 and the like.

  In this case, the monitoring apparatus 10 further includes an AP load information acquisition unit 126 illustrated in FIG. The AP load information acquisition unit 126 acquires communication load information of the AP 20 (the AP 20 monitored by the monitoring device 10). The communication load information is, for example, information indicating the amount of data transmitted and received by the AP 20 per unit time. The prediction unit 123 predicts the shift of the clock between the AP 20 and the monitoring apparatus 10 in consideration of the communication load information of the AP 20 acquired by the AP load information acquisition unit 126. By doing this, the prediction unit 123 can predict the shift of the clock between the AP 20 and the monitoring device 10 more accurately. In addition, when predicting the shift of the clock between the AP 20 and the monitoring device 10, the prediction unit 123 may perform prediction in consideration of both the communication load information and the outside temperature described above, or in consideration of only one of them. It may be predicted.

(program)
Further, it can be realized by installing a monitoring program for realizing the function of the monitoring apparatus 10 described in the above embodiment in a desired information processing apparatus (computer). For example, the information processing apparatus can be functioned as the monitoring apparatus 10 by causing the information processing apparatus to execute the above monitoring program provided as package software or online software. The information processing apparatus referred to here includes a desktop type or laptop type personal computer having a wireless communication function. In addition, the information processing apparatus may be a mobile communication terminal such as a smartphone, a cellular phone, a PHS (Personal Handyphone System) or the like, and further, a PDA (Personal Digital Assistants).

  Hereinafter, an example of a computer that executes a monitoring program will be described. FIG. 7 is a diagram showing a computer that executes a monitoring program. As shown in FIG. 7, the computer 1000 includes, for example, a memory 1010, a central processing unit (CPU) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network. And an interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a read only memory (ROM) 1011 and a random access memory (RAM) 1012. The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. Disk drive interface 1040 is connected to disk drive 1100. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 7, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. The various data and information described in the above embodiments are stored, for example, in the hard disk drive 1090 or the memory 1010.

  Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1090 into the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the monitoring program are not limited to being stored in the hard disk drive 1090, and are stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. It may be done. Alternatively, the program module 1093 and the program data 1094 related to the monitoring program are stored in another computer connected via a network such as a local area network (LAN) or a wide area network (WAN), and via the network interface 1070 It may be read by the CPU 1020.

DESCRIPTION OF SYMBOLS 10 monitoring apparatus 11 input-output part 12 control part 13 outside air temperature measurement part 20 (20A, 20B) wireless access point 30 database 121 beacon frame acquisition part 122 characteristic data storage processing part 123 prediction part 124 measurement part 125 determination part 126 AP load information Acquisition unit

Claims (5)

A beacon frame acquisition unit that acquires a beacon frame transmitted from a wireless access point;
The difference between the time stamp value indicating the transmission time of the beacon frame from the wireless access point and the time when the beacon frame acquisition unit acquires the beacon frame is stored in the storage unit as the feature data of the wireless access point Feature data storage processing unit;
The value of the timestamp of the beacon frame transmitted from the wireless access point using the feature data of the wireless access point stored in the storage unit, and the time at which the beacon frame acquisition unit acquires the beacon frame A prediction unit that predicts a first shift that is a shift;
When the beacon frame acquisition unit acquires a beacon frame transmitted from the wireless access point, with the deviation of the value of the time stamp of the beacon frame, the actual time at which the beacon frame acquisition unit acquires the beacon frame A measuring unit that measures a second deviation;
A determination unit that determines that an abnormality has occurred in the wireless access point if the difference between the predicted first deviation and the measured second deviation is greater than or equal to a predetermined threshold;
A monitoring apparatus comprising: The feature data storage processing unit
The feature data of the wireless access point further includes the outside air temperature near the monitoring device at the time of acquisition of the beacon frame
The prediction unit
The monitoring device according to claim 1, wherein the first deviation is predicted in consideration of the outside air temperature in the vicinity of the monitoring device at the time when the beacon frame is acquired. The monitoring device
The monitoring device according to claim 1, further comprising the storage unit. The monitoring device that monitors the wireless access point
Acquiring a beacon frame transmitted from the wireless access point;
Storing a difference between a time stamp value indicating a transmission time of the beacon frame from the wireless access point and a time when the monitoring device acquires the beacon frame in a storage unit as feature data of the wireless access point When,
By using the feature data of the wireless access point stored in the storage unit, the difference between the value of the time stamp of the beacon frame transmitted from the wireless access point and the time at which the monitoring device acquires the beacon frame Predicting a certain first deviation;
When said monitoring apparatus acquires a beacon frame transmitted from the wireless access point, a value of the time stamp of the beacon frame, actually the monitoring device second is a deviation between time acquired the beacon frame Measuring the deviation;
If the difference between the predicted first deviation and the measured second deviation is greater than or equal to a predetermined threshold, determining that an abnormality has occurred in the wireless access point;
Monitoring method characterized in that. A computer that is a monitoring device that monitors the wireless access point;
Acquiring a beacon frame transmitted from the wireless access point;
Storing a difference between a time stamp value indicating a transmission time of the beacon frame from the wireless access point and a time when the monitoring device acquires the beacon frame in a storage unit as feature data of the wireless access point When,
By using the feature data of the wireless access point stored in the storage unit, the difference between the value of the time stamp of the beacon frame transmitted from the wireless access point and the time at which the monitoring device acquires the beacon frame Predicting a certain first deviation;
When said monitoring apparatus acquires a beacon frame transmitted from the wireless access point, a value of the time stamp of the beacon frame, actually the monitoring device second is a deviation between time acquired the beacon frame Measuring the deviation;
If the difference between the predicted first deviation and the measured second deviation is greater than or equal to a predetermined threshold, determining that an abnormality has occurred in the wireless access point;
A monitoring program that is characterized in that it performs.

Images