KR100673825B1 - Wireless local or metropolitan area network with intrusion detection features and related methods - Google Patents

Abstract

The wireless local area or metropolitan area network 10 may include a plurality of stations for transmitting data between stations using a medium access layer (MAC), where individual stations have respective MAC addresses associated with them. The wireless network 10 also detects multiple FCS errors for MAC addresses exceeding a threshold and by monitoring transmissions between multiple stations to detect frame check sequence (FCS) errors from one MAC address. And a polishing station for detecting an intrusion into the wireless communication network by generating an intrusion alert based on the. The polishing station 13 also detects intrusions based on authentication of one or more failed MAC addresses, illegal network allocation vector (NAV) values, and unexpected contention or contentionless operation.

Wireless network, communication security, intrusion alarm,

Description

Wireless local or metropolitan area network with intrusion detection features and methods therefor {Wireless local or metropolitan area network with intrusion detection features and related methods}

The present invention relates to the field of telecommunications networks, and more particularly, to a wireless local area network or a metropolitan area network and a related method.

Wireless networks have experienced gradual development over the past few years. Two particular examples are wireless local area networks (LANs) and wireless metropolitan area networks (MAN). In a basic service set (BBS), such networks are, for example, one or more radio stations (e.g., a wireless network interface card (NIC) that communicate with an access point or base station (i.e., a server) via a radio frequency signal. Laptop) with). The base station performs many functions such as, for example, synchronization and coordination, dispatch of broadcast packets, and provision of bridges between wired communication networks such as wireless LAN / MAN and telecommunication networks.

In the Extended Service Set (ESS), a plurality of base stations are included in a communication network. On the other hand, in some wireless LANs / MANs, there may be no base stations at all, and only wireless stations are involved in peer-to-peer communication. This topology is called an independent basic service set (IBSS), and in IBSS, typically one of the radio stations is chosen to act as a proxy for the missing base station.

The most prominent reason for the popularity of wireless LAN / MAN is that it is easy to deploy, perhaps because such a network is relatively inexpensive and does not require the construction of a wired infrastructure. However, wireless LAN / MAN devices also have some serious drawbacks that are not present in wired networks. For example, because wireless LAN / MAN devices are so widespread, they are likely to break into the network and attempt to compromise the security of the network using unauthorized stations (ie rogue stations). Are easily exposed to people. In addition, wireless LAN / MANs operate too close to each other, so that networks invade each other and cause network confusion, especially if they share common channels.

One of the more prominent standards that have been developed to control communications within wireless LAN / MAN is the IEEE's 802 LAN / MAN Standards Committee, the IEEE Standard for Information Technology-Telecommunications and Information Systems--Local and Metropolitan Area Networks--Specific Requirements--Part 11: Wireless LAN Media Access Control (MAC) and Physical Layer (PHY) Details, which are hereby incorporated by reference in their entirety. . In addition to providing a wireless communication protocol, the 802.11 standard also defines a wired equivalent privacy (WEP) algorithm used to protect wireless signals from eavesdropping. More specifically, WEP provides encryption of messages sent between stations as well as integrity checks to ensure that the integrity of the original message is not compromised.

Although the WEP algorithm provides some means of network security, it does not detect or inform of potential intrusions into the network. Only recently has such an intrusion detection system been possible. Such systems typically include security monitoring software installed at the branch office where intrusion detection is desired. Such software can attempt to prevent intrusion by monitoring and recording medium access control (MAC) addresses or Internet protocol (IP) addresses, and by matching them with known addresses of authorized network stations. Moreover, such systems can observe when WEP is not working.

One particular embodiment of WildPackets, Inc.'s intrusion prevention system is called AeroPeek. Aeropic searches for unauthorized log stations based on ESS and BSS identity certificates (ESSIDs, BSSIDs) used in the network. That is, a list of all authorized BSSIDs and ESSIDs used in the communication network is generated. Then a filter is created to exclude all unauthorized stations. This filter is created by searching and capturing normal network traffic and by determining the data offset of the 802.11 frame that matches the ESSID or BSSID. Aeropic also includes an alert that is triggered based on the frame count. That is, if the frame count exceeds zero, an alert is triggered (ie, if any frame is detected from a log station, the alert is triggered). Moreover, Aeropic can provide alert notification by using a modem to dial (eg, as a pager) via email or outside the system.

Despite the advances made by the system, some intrusions into the wireless LAN / MAN can still be done without being detected by such systems. That is, for example, if the log station already has access to an authorized address and / or ID, the above approaches may not detect the network intrusion of the log station.

In view of the above background, it is an object of the present invention to provide a wireless LAN / MAN with an intrusion detection feature and a related method.

These and other objects, features, and advantages according to the present invention include a plurality of stations for transmitting data to each other using a medium access (MAC) layer, wherein the individual stations have respective MAC addresses associated therewith. Achieved by a wireless local area or metropolitan area network. The wireless network also includes a policing station for detecting intrusions into the wireless network. This generates an intrusion alert based on monitoring transmissions between a plurality of stations that detect frame check sequence (FCS) errors from a MAC address, and detecting multiple FCS errors for a MAC address that exceeds a threshold. This can be done by.

Moreover, the polishing station monitors transmissions between a plurality of stations to detect attempts that failed to authenticate the MAC address, and generates an intrusion alert based on detecting multiple attempts that failed to authenticate the MAC address. Intrusion into the network can be detected. More specifically, the polishing station may generate an intrusion alert based on detecting the number of attempts that failed to authenticate the MAC address within a predetermined period.

In addition, the plurality of stations may send request to send (RTS) and clear to send (CTS) packets before transmitting data to each other. RTS and CTS packets typically include a network allocation vector (NAV) that indicates a specified duration for data transmission. As such, the polishing station can further detect RTS and CTS packets sent between a plurality of stations to detect illegal NAV values to detect intrusions into the wireless communication network and generate intrusion alerts based thereon.

The plurality of stations may also operate in intermittent contention-free mode during a contention-free period (CFP). Thus, the polishing station may also advantageously detect intrusion into the wireless communication network and generate an intrusion alert based on monitoring transmissions between the plurality of stations to detect (or vice versa) non-contention mode operation outside the CFP.

The wireless communication network may also have at least one service set ID associated therewith, such as, for example, a BSSID and / or an ESSID. Thus, the polishing station can further detect intrusions into the wireless communication network by monitoring transmissions between the plurality of stations to detect service set IDs associated therewith. The polishing station may further generate an intrusion alert based on one of the detected service set IDs being different from at least one service set ID of the wireless communication network. In addition, the plurality of stations may transmit data through at least one channel, and the polishing station may detect transmission on at least one channel not generated from one of the plurality of stations and generate an intrusion alert based thereon. Can be.

The polishing station may advantageously send an intrusion alert to at least one of the plurality of stations in some embodiments. As such, appropriate countermeasures may be employed to respond to intrusions. Furthermore, the polishing station may comprise one or more base stations and / or radio stations.

An aspect of the intrusion detection method of the present invention is for a wireless local area or metropolitan area network including a plurality of stations. The method includes transmitting data between a plurality of stations using a MAC layer, where individual stations have respective MAC addresses associated with them. Furthermore, transmissions between a plurality of stations can be monitored to detect FCS errors from a MAC address, and an intrusion alert is generated based on the number of FCS errors for the MAC address exceeding a threshold.

In addition, the method also monitors transmissions between a plurality of stations to detect attempts that failed to authenticate MAC addresses, and generates an intrusion alert based on detection of multiple attempts that failed to authenticate MAC addresses. Include. In particular, an intrusion alert may be generated based on detecting a number of attempts to fail to authenticate a MAC address within a predetermined period.

Moreover, the method may include transmitting RTS and CTS packets between the plurality of stations prior to transmission of the data. As noted above, RTS and CTS packets typically contain NAV values that indicate the duration specified for data transmission. Moreover, RTS and CTS packets transmitted between multiple stations can be monitored to detect illegal NAV values, and an intrusion alert is generated based on the detected illegal NAV values.

Multiple stations may intermittently operate in a contention-free mode during CFP. Thus, the method may also include monitoring transmissions between the plurality of stations and generating intrusion alerts based thereon to detect contention-free mode operation (or vice versa) outside the CFP.

In addition, the wireless communication network may have at least one service set ID associated with it. Thus, the method further goes based on monitoring transmissions between a plurality of stations to detect correlated service set IDs, and wherein one of the detected service set IDs is different from at least one service set ID of the wireless communication network. And may generate an intrusion alert. Here again, the service set IDs may be ESSID or BSSID, for example. In addition, the plurality of nodes may transmit data through at least one channel. Thus, transmission on at least one channel not generated from one of the plurality of stations is detected, and an intrusion alert is generated based on this. The method may also include sending an intrusion alert to at least one of the plurality of stations.

1 is a schematic block diagram of a wireless LAN / MAN in accordance with the present invention for providing intrusion detection based on a frame check sequence (FCS).

FIG. 2 is a schematic block diagram illustrating another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on failed authentications of media access control (MAC) addresses.

3 is a schematic block diagram showing another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on illegal network allocation vectors (NAVs).

4 and 5 are yet another example of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on contention-free mode operation outside a contention-free period (CFP) and intrusion detection based on contention mode operation during CFP. A schematic block diagram showing an embodiment.

6 is a schematic block diagram illustrating another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on transmissions occurring during an unauthorized period.

7 is a schematic block diagram illustrating another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on detection of integrity check values that do not match each data packet. .

8 is a schematic block diagram illustrating another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on detection of use of discontinuous MAC sequence numbers by a station.

9 is a schematic block diagram illustrating another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on collision detection of packets having a predetermined packet type.

10 is a schematic block diagram illustrating another embodiment of the wireless LAN / MAN of FIG. 1 for providing intrusion detection based on collision detection of the same MAC address.

11 is a flowchart showing an intrusion detection method based on detection of FCS errors, in accordance with the present invention.

12 is a flowchart illustrating an intrusion detection method based on detection of failed authentications of MAC addresses, in accordance with the present invention.

FIG. 13 is a flowchart illustrating an intrusion detection method based on detection of illegal network allocation vector (NAV) values according to the present invention.

14 and 15 are flowcharts illustrating an intrusion detection method based on detection of contention-free mode operation outside of CFP and contention mode operation during CFP, respectively, according to the present invention.

16 is a flowchart illustrating an intrusion detection method based on detection of transmissions occurring during an unauthorized period, in accordance with the present invention.

17 is a flowchart illustrating an intrusion detection method based on detection of integrity check values that do not match each data packet, in accordance with the present invention.

18 is a flowchart illustrating an intrusion detection method based on detection of use of discontinuous MAC sequence numbers by a station in accordance with the present invention.

19 is a flowchart illustrating an intrusion detection method based on collision detection of packets having a predetermined packet type according to the present invention.

20 is a flowchart illustrating an intrusion detection method based on collision detection of the same MAC address according to the present invention.

21 is a flowchart showing aspects of an additional method for intrusion detection of the present invention.

The invention will now be described in more detail with reference to the accompanying drawings which illustrate preferred embodiments of the invention. However, the invention may be embodied in a variety of other forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

In the following discussion, like numbers refer to like elements from beginning to end. Moreover, particularly referring to FIGS. 1 to 10, reference numerals with different tens digits refer to like elements in alternative embodiments. For example, the wireless stations 11, 21, 31, 41, 51, 61, 71, 81, 91, and 101 shown in FIGS. 1 to 10 are all similar components, and the like. As such, these components may be described in detail only when they first appear to avoid inadequate repetition, but they appear to be similar to those described initially.

Referring now to FIG. 1, a wireless LAN / MAN 10 in accordance with the present invention diagrammatically includes a wireless station 11 and a base station (or access point 12). Although only one wireless station 11 and base station 12 are shown for schematic clarity, one of ordinary skill in the art may include any number of wireless and / or base stations in the wireless communication network 10. I will understand.

Before describing the wireless network 10 in more detail, there should be a brief discussion of the wireless LAN / MAN protocol. In particular, the following discussion will assume a network implementation using the 802.11 standard for clarity of explanation. However, one of ordinary skill in the art will understand that many aspects and embodiments described herein may also be used in conjunction with other suitable wireless LAN / MAN standards (eg, Bluetooth, etc.).

The 802.11 standard is for use with the OSI network model for data transmission, which includes seven layers in which some form of data is transmitted using various protocols. These layers include an application layer, a presentation layer, a session layer, a transport layer, a network layer, a data link layer, and a physical layer. The data link layer further comprises media access control (MAC) and logical link control sub-layers. In particular, the radio station 11 and the base station 12 use the MAC layer, in particular for example, mutually, to transmit data to each other. Use each associated MAC address. Of course, the remaining layers of the OSI model can also be used for data transmission. Moreover, data is typically transmitted in packets, and various packet types are used for other types of message data, as described below.

According to the invention, the wireless communication network 10 diagrammatically comprises a polishing station 13 for detecting intrusion into the wireless communication network by the log station 14. As an example, the log station 14 may be used by future hackers attempting to hack a wireless network, or it may be just a node from another wireless network that operates too close to the wireless network 10. The polishing station 13 may include one or more wireless stations or base stations. In this embodiment, the polishing station 13 monitors transmissions between the stations 11, 12 to detect frame check sequence (FCS) errors from the MAC address. If a number of FCS errors detected for a given MAC address exceeds a threshold, the polishing station 13 generates an intrusion alert based on it.

As used herein, the term "transmission between stations" is intended to mean not only all transmissions within the operating range of the wireless communication network 10, but also direct transmissions to or from one of the stations 11, 12. It should be noted. In other words, the polishing station 13 is directed to or from the stations 11, 12, as well as all other transmissions it receives, whether or not specifically directed to or originating from the station of the communication network 10. You can monitor the transmissions that occur.

In the embodiment described above (and those described below), the polishing station 13 may advantageously send an alert to one or more of the stations 11, 12 of the wireless communication network 10. As one example, the polishing station 13 may send an intrusion alert directly to the base station 12, which may in turn notify all remaining stations of the wireless communication network. Alternatively, the polishing station 13 may broadcast intrusion alerts to all network stations. In either case, appropriate countermeasures may be taken to respond to unauthorized intrusions, as understood by one of ordinary skill in the art. Such countermeasures are beyond the scope of the present invention and thus will not be discussed herein.

Turning now to FIG. 2, a first alternative embodiment of a wireless LAN / MAN 20 is described. In this embodiment, the polishing station 23 detects intrusions into the wireless communication network 20 by monitoring transmissions between stations 21 and 22 to detect attempts that fail to authenticate MAC addresses. Upon detecting a predetermined random number of attempts to fail to authenticate a particular MAC address, the polishing node 23 will generate an intrusion alert.

Any number of failed attempts can be used as a threshold for generating an intrusion alert, but it is generally desirable to allow the station at least one attempt to authenticate the MAC address without generating an intrusion alert. Moreover, in some embodiments, polishing station 23 generates an intrusion alert only when a number of beneficially detected failures occurs within a predetermined period (eg, one hour, one day, etc.).

In accordance with the 802.11 standard, two stations that wish to communicate with each other within a wireless LAN / MAN typically transmit to each other Request RTS and Cancel CTS packets prior to data transmission. The reason is to avoid collisions with other transmissions. That is, because many or all of the other stations in the wireless LAN / MAN may be communicating on a common channel, it is necessary to ensure that the stations are not in simultaneous transmission which may cause interference or network confusion. Moreover, RTS and CTS packets typically include a network allocation vector (NAV) that indicates a specified duration for data transmission. This information will be sent to all other stations in the wireless LAN / MAN, and then the transmission will be stopped for a certain period.                 

Turning now to FIG. 3, a second alternative embodiment of a wireless LAN / MAN 30 is described. Here, the polishing station 33 detects intrusions into the wireless network by monitoring the RTS and CTS packets transmitted between the stations 31 and 32 to detect illegal NAV values. For example, wireless network 30 may be implemented in such a way that data transmission does not exceed any time, which time will be known to all authorized stations participating in the network. Thus, if the polishing station 33 detects an NAV value outside of the allotted time, it will generate an intrusion alert based on this.

Another feature of the 802.11 standard is that stations in a wireless LAN / MAN can operate in contention or contention-free mode. That is, in contention mode all stations need contention for access to the particular channel in use for each data packet being transmitted. During a contention free period (CFP), the use of the medium is controlled by the base station, thus eliminating the need for stations to contend for channel access.

According to a third embodiment of the wireless LAN / MAN 40 shown in FIG. 4, the polishing station 43 wirelessly monitors transmissions between the stations 41, 42 to detect contention-free mode operation outside the CFP. Intrusions into the communication network 40 can be advantageously detected. As such, an intrusion alert may be generated by the polishing station 43 based on such sensing. In other words, because all authorized wireless stations are notified by the base station 42 when the CFP is set up, the detection of the station operating in the contention-free mode outside the CFP indicates that this station is not an authorized station. Of course, this is also the case when contention mode operation is detected during CFP, such an embodiment is shown in FIG. 5. It will be understood by one of ordinary skill in the art that one or both of the above CFP intrusion detection approaches may be implemented in a given application.

Referring now to FIG. 6, another embodiment of a wireless LAN / MAN 60 will be described. Here, the polishing station 63 detects intrusions into the wireless communication network 60 by monitoring transmissions between stations 61 and 62 to detect transmissions during unauthorized periods. That is, the wireless communication network 60 may be implemented as if no user is allowed access to the communication network during a certain time (eg, midnight to 6 am). Thus, upon detecting transmissions within this unauthorized period, the polishing station 63 advantageously generates an intrusion alert.

Now additionally switching to FIG. 7, another embodiment of the wireless LAN / MAN 70 is described. In this embodiment, various stations 71, 72 enable the WEP feature described above and thus generate and transmit integrity check values along with data packets transmitted from them. Thus, the polishing station 73 detects intrusions into the wireless communication network 70 by monitoring transmissions between stations 71 and 72 to detect integrity check values that do not match the respective data packets. That is, if the wrong key stream is used to generate the message ciphertext, or if the message has been changed by the log station 74, the integrity check value will most likely be an error. As will be appreciated by one of ordinary skill in the art, the polishing station 73 may generate an intrusion alert when such a false integrity check value is detected.                 

Another wireless LAN / MAN 80 according to the present invention will now be described with reference to FIG. Typically, when the noted OSI network model is used, each MAC sequence number is generated and sent with individual data packets from stations 81 and 82. That is, the MAC sequence number is incremented with each successive data packet, so each packet has a unique MAC sequence number associated with it. As such, the polishing station 83 detects intrusions into the wireless communication network 80 by monitoring the transmission between the stations 81 and 82 to detect the use of discontinuous MAC sequence numbers by one station. An intrusion alert can be generated based on this.

Turning now additionally to FIG. 9, yet another embodiment of a wireless LAN / MAN 90 is shown, where the polishing station 93 is configured to detect collisions of packets having a predetermined packet form. 92) to detect intrusions into the wireless network by monitoring the transmissions between them. In particular, the predetermined packet type includes management frame packets (eg, authentication, federation, and beacon packets), control frame packets (eg, RTS and CTS packets), and / or data frame packets. do. The polishing station 93 may thus generate an intrusion alert based on detecting a predetermined number of times of predetermined packet type collisions.

As used herein, "collision" is meant to include the transmission of simultaneous packets as well as transmissions within a certain time of each other. That is, if a certain type of packet has a time delay between transmissions (e.g., a few seconds, etc.), if two such packet types are transmitted too close to each other, this would be considered a collision. As an example, the limit number of collisions may be greater than about 3, for example, although other limit values may also be used. Moreover, the limit number may be based on the particular packet type in question, ie the limit number may differ for other packet types.

In addition, the limit number may be based on a percentage of the total number of watched packets having a predetermined packet type. For example, if any percentage (eg, greater than 10%) of packets transmitted during a period (eg 1 hour) is associated with a collision, an intrusion alert may be generated. In general, if a percentage of certain packets (eg, 3 out of 10) out of the total number of packets monitored are related to a collision, other suitable limit counts and methods of the same purpose may also be used.

Another embodiment of the wireless LAN / MAN 100 will now be described with reference to FIG. 10. Here, the polishing station 103 detects an intrusion into the wireless communication network by monitoring the transmissions between the stations 101 and 102 to detect collisions of the same MAC address. That is, if multiple terminals claim the same MAC address simultaneously or relatively close to each other, an error has occurred or one of the stations is a log station 104. As such, the polishing station 103 generates an intrusion alert based on detecting a limit number of such collisions, for example greater than three. Here again, other limit numbers can also be used, and the limit number can be based on a percentage as described above.

The aspect of the collision detection method of the present invention for the wireless communication network 10 will now be described with reference to FIG. Beginning at block 110, the method includes data transmission between the plurality of stations 11, 12 using the MAC layer at block 111, as noted above. At block 112, transmissions between stations 11 and 12 are monitored to detect FCS errors from one of the MAC addresses. If a number of FCS errors for that MAC address at block 113 exceed the threshold, then an intrusion alert is generated based on this at block 114, thus terminating the method (block 115). If not, the transmission will continue to be monitored as shown.

According to an aspect of the first alternative method of the present invention now described with reference to FIG. 12, the method begins (block 120) by transferring data between stations 21, 22 at block 121. As noted above, the transmissions are monitored for detection of attempts to fail to authenticate MAC addresses at block 122. If a number of attempts to fail to authenticate the MAC address are detected at block 123, an intrusion alert is generated at block 124, thus terminating the method (block 125). If not, monitoring of the intrusion will continue as shown.

Referring now to FIG. 13, aspects of a second alternative method of the invention are described. The method begins with sending RTS and CTS packets between stations 31 and 32 at block 131 (block 130) and then transmits data. As described above, the RTS and CTS packets transmitted between stations 31 and 32 at block 132 are monitored to detect illegal NAV values therein. If an illegal NAV value is detected at block 133, an intrusion alert is generated based on this at block 134, thus terminating the method (block 135). If not, monitoring of the intrusion will continue as shown.

Turning now to FIG. 14, a third alternative method according to the present invention is described. The method begins with transferring data between stations 41 and 42 at block 141 (block 140), and detects contention-free mode operation outside of CFP at block 142, as described above. To monitor the transmissions. If such an operation is detected outside the CFP at block 143, an intrusion alert is generated based on it at block 144, thus terminating the method (block 145). If not, monitoring of the intrusion will continue as shown. The opposite case where contention mode operation is monitored during CFP is shown in FIG. 15. Here again, both of these methods can be used in one embodiment, but need not always be so.

Aspects of the fourth method of the present invention will now be described with reference to FIG. 16. The method begins with transferring data between stations 61, 62 at block 161 (block 160), and monitors transmissions during an unauthorized period at block 162, as described above. do. If transmissions are detected during an unauthorized period at block 163, an intrusion alert is generated at block 164 based on this, thus terminating the method (block 165). If not, monitoring of the intrusion will continue as shown.

Aspects of the fourth method of the present invention will now be described with reference to FIG. 17. The method begins with transferring data between stations 71 and 72 at block 171 (block 170), and does not match each data packet at block 172, as described above. Monitor transmissions 172 to detect integrity check values. In this case, an intrusion alert is generated at block 174, thus terminating the method (block 175). If not, monitoring of the intrusion will continue as shown.                 

Turning now to FIG. 18, another aspect of the method of the present invention is described. The method begins with the transfer of data between stations 81 and 82 at block 181 (block 180). Thus, as described above, the method also includes monitoring the transmissions to detect the use of discontinuous MAC sequence numbers by one station at block 182. If such use is detected at block 183, an intrusion alert is generated at block 184, thus terminating the method (block 185). If not, monitoring of the intrusion will continue as shown.

Additionally referring to FIG. 19, another aspect of the method of the present invention begins with the transmission of data between stations 91, 92 at block 191 (block 190), and as noted above. Likewise, at block 192, the transmissions are monitored to detect collisions of packets having a predetermined packet type. If a limit count for collisions of packets with a predetermined packet type is detected at block 193, an intrusion alert is generated at block 194, and the method terminates (block 195). If not, monitoring of the intrusion will continue as shown.

Another aspect of intrusion detection of the present invention will now be described with reference to FIG. 20. The method begins with transferring data between stations 101 and 102 (block 200) and monitors the transmissions to detect collisions of the same MAC address at block 202, as described above. . If a limit count for collisions of the same MAC address is detected at block 203, an intrusion alert is generated at block 204, thus terminating the method (block 205). If not, monitoring of intrusions will continue as shown.

Further aspects of intrusion detection of the present invention will now be described with reference to FIG. As noted above, a wireless LAN / MAN typically has one or more related service set IDs, such as IBSSDs, BSSIDs, and / or ESSISs. As shown, beginning at block 210, data transmissions may be sent between stations 11 and 12 at block 211, where transmissions between a plurality of stations at block 212 may be associated with service set IDs and associated service set IDs. And / or monitored to detect transmissions that did not originate from the authorized station over the designated network channel.

As such, if at block 213 an authorized service set ID of the wireless communication network 10 and a different service set ID are detected and / or a transmission from an unauthorized station of the network channel is detected, block 214 is based on this. Intrusion alerts are triggered in. Moreover, as described above, intrusion alerts may be advantageously sent to one or more stations of the network, or to other sources via modems or the like at block 215. If not, monitoring of the intrusion will continue as shown.

It will be understood by those skilled in the art that aspects of the method described above may all be practiced in one or more of the wireless networks described above. In addition, aspects of the additional methods of the present invention will be apparent from those of ordinary skill in the art based on the above description and will not be discussed herein any further.                 

It will also be appreciated that the invention described above may be practiced in a variety of ways. For example, the polishing station 13 may be implemented in one or more independently provided devices that do not always belong to the wireless communication network 10. Alternatively, the present invention may be practiced in software installed in one or more stations that reside in a wireless LAN / MAN where intrusion detection is required.

Furthermore, many of the above-described aspects of the present invention involve wireless network intrusion even when a log station has a privileged network or MAC ID (e.g., contentionless operation outside the CFP, transmission during unauthorized periods, etc.). It can be advantageously used to detect this. Moreover, one or more of the above aspects can be advantageously used to provide a desirable level of intrusion detection in a given application. A further advantage of the present invention is that the present invention can be used to complement existing intrusion detection systems, in particular those that focus on the intrusion of upper OSI network layers.

The present invention can be advantageously used in the field of wireless communication networks, in particular in wireless communication devices having improved security characteristics in the field of wireless local area or metropolitan networks and in the form of methods related thereto.

Claims (6)

A plurality of stations having respective MAC addresses and transmitting data to each other using a medium access layer (MAC); A wireless local area or metropolitan area network, comprising: a polishing station that detects an intrusion into a wireless communication network by monitoring transmissions between the plurality of stations. The polishing station, (a) frame check sequence (FCS) errors from one MAC address; (b) failed attempts to authenticate the MAC address; (c) service set IDs associated with a wireless communication network; (d) A network allocation vector (NAV) which is transmitted between the plurality of stations prior to formation of transmission data and indicates a specified duration for transmission of data generated from RTS and CTS packets. ) Illegal NAV value; (e) contention-free mode operation outside of a contention-free period (CFP) by the plurality of stations; And (f) contention mode operation during CFP; Detect at least one of them, and then (Iii) detection of the number of FCS errors for a MAC address that exceeds a threshold; (Ii) detecting the number of times exceeding the limit of attempts to fail to authenticate the MAC address; (Iii) one of the service set IDs detected differently from the service set ID of the wireless communication network; (IV) detected illegal NAV values; (Iii) sensing contention mode operation during CFP; And (Iii) detection of contention-free mode operation outside of CFP; And generating an intrusion alert based on at least one of the wireless local area or metropolitan area networks. The method of claim 1, The plurality of stations performs data transmission over at least one channel, and the polishing station further comprises at least data transmissions not generated from at least one of the plurality of stations included in the wireless local area network or the metropolitan area network. Detecting on one channel and generating an intrusion alert based on this detection. The method of claim 1, And said polishing station further transmits an intrusion alert to at least one of said plurality of stations. An intrusion detection method for a wireless local area or metropolitan area network including a plurality of stations, Transmitting data between a plurality of stations having respective MAC addresses; and Monitoring the transmission between the plurality of stations; Monitoring the transmission between the plurality of stations, (a) frame check sequence (FCS) errors from one MAC address; (b) failed attempts to authenticate the MAC address; (c) service set IDs associated with a wireless communication network; (e) a network allocation vector (NAV) transmitted between the plurality of stations prior to the formation of transmission data and indicating a specified duration for transmission of data originating from RTS and CTS packets. ) Illegal NAV value; (e) contention-free mode operation outside of a contention-free period (CFP) by the plurality of stations; And (f) contention mode operation during CFP; Monitors transmissions between the plurality of stations to detect at least one of (Iii) detection of the number of FCS errors for a MAC address that exceeds a threshold; (Ii) detecting the number of times exceeding the limit of attempts to fail to authenticate the MAC address; (Iii) one of the service set IDs detected differently from the service set ID of the wireless communication network; (IV) detected illegal NAV values; (Iii) sensing contention mode operation during CFP; And (Iii) detection of contention-free mode operation outside of CFP; An intrusion detection method, based on at least one of the intrusion alarms. The method of claim 4, wherein The data transmission is performed by the plurality of stations over at least one channel, and the polishing station is further configured to transmit data transmissions not generated from at least one of the plurality of stations included in the wireless local area network or the metropolitan area network. Detecting on the at least one channel and generating an intrusion alert based on the detection. The method of claim 4, wherein The polishing station further comprises transmitting an intrusion alert to at least one of the plurality of stations.

Images