KR101106102B1 - System and method for operating wireless communication network - Google Patents

Abstract

The present invention relates to a system and method for continuously operating a wireless communication network. The present invention provides a wireless network operating system and method for detecting a jamming attack in the physical layer and data link layer in the wireless communication system based on the wireless local area network and warns according to the degree of risk. In particular, the present invention provides a system and method for operating a wireless network that can continuously maintain the communication network by avoiding jamming through channel change or channel hopping when the operation of the channel being used is not possible due to jamming. According to the present invention, it is possible to provide continuous communication network and anti-jamming performance through channel change or channel hopping while actively blocking illegal terminals and unauthorized wireless access points.

Description

System and method for operating wireless communication network {System and method for operating wireless communication network}

The present invention relates to a system and method for operating a wireless communication network. More specifically, the present invention relates to a system and method for continuously operating a wireless communication network.

A system for detecting an attack by monitoring a wireless environment in a conventional wireless local area network includes AirMagnet, AirDefense, and a wireless access point.

AirMagnet is AirMagnet's Wireless Intrusion Detection System (WIDS) for 802.11a / b / g / n, and AirDefense is Motorola's wireless intrusion for 802.11a / b / g / n. Detection system. In addition to the basic scanning capabilities provided by open source, these systems can detect illegal terminals and wireless access points (APs), disconnect sessions, and detect denial of service (Dos) attacks at the datalink layer. It includes the concept of active WIDS. These systems are policy-based systems that establish management, performance, and security for the network and provide security for wireless local area network sessions.

A wireless access point is an AP with WIDS capability that improves the quality of security services in wireless networks by allowing you to filter, detect, and block intrusions into your wireless traffic. These APs, which function as WIDS sensors, are network monitoring modules that receive and detect attacker's attack traffic, alert interface modules that control sending alert messages to attackers, and analysis and security modules that determine whether the filtered packets are network attack packets. Consists of

However, since the AirDefense system and AirMagnet system have developed products mainly on detection of illegal access terminals and rogue APs and detection of DoS attacks at the data link layer, attack detection techniques for jamming at the physical layer and avoiding them The disadvantage is that the method for doing so is weak. The wireless access point described above also has such disadvantages, and furthermore, since all functions for detecting / alarming and disabling illegal terminals are modular in hardware, it is difficult to expand.

In addition, AirMagnet, AirDefense, and Wireless Access Points do not present specific attacks for intrusion detection systems and specific algorithms to detect, so they can take appropriate action against jamming attacks at the physical and datalink layers. It is showing limit that cannot be.

The present invention has been made to solve the above problems, and jamming in the physical layer (Layer1) and data link layer (Layer2) in a wireless communication system based on a wireless local area network (WLAN) It is an object of the present invention to provide a wireless communication network operating system and method for detecting an attack and warning the warning according to the degree of danger. In particular, it is an object of the present invention to provide a wireless communication network operating system and method for continuously maintaining a communication network by avoiding jamming through a channel change or channel hopping when the operation of a channel being used is not possible due to jamming.

The present invention has been made to achieve the above object, the method comprising the steps of: (a) monitoring at least one operating channel to detect jamming; And (b) continuously operating the wireless communication network through channel change or channel hopping according to whether at least one available spare channel is detected when the jamming is detected. do.

Advantageously, step (b) comprises: (ba) searching for at least one spare channel available when the jamming is detected; And (bb) if the available spare channel is searched for, changing the channel to which the jamming is detected is changed to the reserved channel; and if the available spare channel is not searched, channel hopping from the detected operation channel to the wireless communication network. It includes continuing to operate. More preferably, in the case of continuously operating the wireless communication network through channel hopping in the step (bb), (c) when a predetermined time elapses, it is determined whether the operation channel in which the jamming is detected is available or at least available. Searching for one spare channel; And (d) changing the channel to the available operating channel when the jamming detected operation channel is available, and changing the channel to the searched spare channel when at least one available spare channel is found.

Preferably, the step (a) comprises the steps of (aa) collecting all packets circulated in the operation channel to measure the signal strength value; (ab) determining whether the amount of change in signal strength obtained using the measured signal strength value is greater than a first threshold value; (ac) determining whether the number of cyclic redundancy check (CRC) errors is greater than a second predetermined threshold when the amount of change in signal strength is greater than the first threshold; and when the amount of change in signal strength is less than or equal to the first threshold. Determining whether the number of CRC errors is greater than a third predetermined threshold; (ad) if the number of CRC errors is greater than the second threshold or the third threshold, determine that there is jamming in the operational channel; and if the number of CRC errors is less than or equal to the second threshold, adjust the output value of the AP. If the number of CRC errors is less than or equal to the third threshold, determining whether a backoff stage value is greater than a fourth predetermined threshold value; And (ae) if the backoff stage value is greater than the fourth threshold value, determining that there is jamming in the operating channel. If the backoff stage value is less than or equal to the fourth threshold value, changing the protocol layer of the operating channel. Performing the jamming detection. More preferably, the step (a) comprises (af) determining whether a duration average of the transmission frame is larger than a fifth predetermined threshold; (ag) If the duration average value is greater than the fifth threshold value, it is determined that there is jamming in the operation channel. If the duration average value is less than or equal to the fifth threshold value, the number of de-authentication and disconnection is determined. calculating at least one of an association number and a sequence number (SN) to determine whether the number is greater than a sixth predetermined threshold; (ah) If the value obtained by the calculation is greater than the sixth threshold, it is determined that there is jamming in the operating channel. If the value obtained by the calculation is less than or equal to the sixth threshold, the number of probe requests (PR) is predetermined. Determining if greater than a seventh threshold; (ai) if the PR number is greater than the seventh threshold, it is determined that there is jamming in the management channel; and if the PR number is less than or equal to the seventh threshold, the number of authentications or associations is preliminary. Determining whether it is greater than a predetermined eighth threshold; And (aj) if the number of times of authentication or the number of times of connection is greater than the eighth threshold, it is determined that there is jamming in the management channel, and if the number of times of authentication or the number of times of connection is less than or equal to the eighth threshold, Determining that there is no jamming. More preferably, if it is determined that at least one of the steps (ae), (ag), (ah), (ai) and (aj) includes jamming in the operating channel, The method may further include blocking access of the terminal that has jammed or the unregistered AP.

Preferably, at least one of an IP spoofing of the AP, a position value of the AP, and an output change amount of the AP as the step (aa) or an intermediate step between the steps (aa) and (ab). Determining the first threshold value using a.

Preferably, the step (b) performs the preliminary channel search when the value obtained by weighted average of the first to eighth thresholds is greater than a ninth predetermined threshold.

Preferably, the step of (a) and the step (b), further comprising the step of (a ') determining the type of the jamming detected. More preferably, step (a ') determines the type of jamming detected in consideration of the OSI layer of the channel where the jamming has occurred. More preferably, when the layer is a physical layer, the step (a ') may include jamming and physical layer convergence that generate traffic in excess of a reference value in the operation channel when determining the detected jamming type. Protocol jamming to send sync signal of header continuously, Jamming to send Start Frame Delimiter (SFD) signal, Jamming to generate traffic exceeding reference value every time data frame is transmitted, periodically exceeding reference value One of the following: jamming to generate traffic that is infrequently exceeded, jamming to generate irregularly exceeding thresholds, jamming to continuously transmit specific signals, and jamming to send out more packets than shorter than short interframe space (SIFS). Select to determine. Alternatively, when the layer is a data link layer, the step (a ') may include a jamming to transmit a de-authentication frame or a dis-association frame when determining the type of the detected jamming. Jamming to set Network Allocation Vector (NAV) longer than reference time, Jamming to continuously transmit Probe Request (PR) signal, and Authentication request or Association request of greater amount than AP can handle ), One jamming is selected from among jamming for transmitting to the AP.

Preferably, the step between (a) and (b), when the jamming is detected, alerting a person who has connected to the operating channel the jamming detection fact; Or, if the jamming is detected, blocking access of the terminal that generated the jamming or the unregistered AP.

Preferably, as an intermediate step between the step (a) and the step (b), determining the detected jamming type and determining the time in the step (c) according to the determined jamming type. It further includes.

In addition, the present invention monitors at least one operating channel jamming detection unit for detecting jamming (jamming); And a wireless network operating unit continuously operating the wireless communication network through channel change or channel hopping according to whether at least one available spare channel is detected when the jamming is detected. .

Advantageously, the wireless communication network manager comprises: a channel searching unit searching for at least one spare channel available when the jamming is detected; A channel changing unit configured to change a channel into which the jamming is detected when the available spare channel is found, into the spare channel; And a channel hopping unit for channel hopping from the operation channel in which the jamming is detected when the available spare channel is not found. More preferably, the wireless network management system further includes an available determination unit for determining whether the operating channel detected the jamming is available, and if the wireless network is continuously operated through channel hopping, An available determining unit performs the determination or the channel searching unit performs the searching, and the channel changing unit changes the channel to the available operating channel or the found spare channel according to the determination.

Preferably, the jamming detector comprises: a signal strength measurement unit for collecting all the packets circulated in the operation channel to measure the signal strength value; A first discriminating unit determining whether the amount of change in signal strength obtained using the measured signal strength value is greater than a first threshold value; If the amount of change in signal strength is greater than the first threshold, determine whether the number of cyclic redundancy check (CRC) errors is greater than a second predetermined threshold; and if the amount of change in signal strength is less than or equal to the first threshold, the CRC error. A second determination unit that determines whether the number of times is greater than a third predetermined threshold value; If the number of CRC errors is greater than the second threshold or the third threshold, it is determined that there is jamming in the operating channel. If the number of CRC errors is less than or equal to the second threshold, the output value of the AP is adjusted. A third determining unit determining whether a backoff stage value is greater than a fourth threshold value when the number of CRC errors is less than or equal to the third threshold value; And when the backoff stage value is greater than the fourth threshold, it is determined that jamming occurs in the operating channel. When the backoff stage value is less than or equal to the fourth threshold value, the protocol layer of the operating channel is changed to jamming. And a fourth discriminating unit for performing detection. More preferably, the jamming detection unit includes: a fifth determination unit that determines whether a duration average value of the transmission frame is larger than a fifth predetermined threshold value; If the duration average value is greater than the fifth threshold value, the operation channel is determined to be jammed. If the duration average value is less than or equal to the fifth threshold value, the number of de-authentication and disconnection is determined. A sixth judging unit which calculates at least one of a number of times and a sequence number (SN) to determine whether the number is greater than a sixth predetermined threshold; If the value of the calculation is greater than the sixth threshold, it is determined that there is jamming in the operating channel. If the value of the calculation is less than or equal to the sixth threshold, the seventh threshold of the predetermined number of probe requests (PR) is predetermined. A seventh determining unit which determines whether the value is larger than the value; If the number of PRs is greater than the seventh threshold, it is determined that jamming occurs in the management channel. If the number of PRs is less than or equal to the seventh threshold, an eighth predetermined number of authentications or associations is determined. An eighth determining unit which determines whether the threshold value is larger than the threshold value; And if the number of times of authentication or the number of times of access is greater than the eighth threshold, it is determined that there is jamming in the management channel. If the number of times of authentication or the number of times of connection is less than or equal to the eighth threshold, there is no jamming in the management channel. And a ninth discriminating unit for discriminating. More preferably, at least one of the fourth discriminating unit, the sixth discriminating unit, the seventh discriminating unit, the eighth discriminating unit, and the ninth discriminating unit is included in the operating channel. If it is determined that there is jamming, the terminal further includes an access blocking unit for blocking access of the terminal or the unregistered AP that caused the jamming.

Preferably, the wireless network management system further includes a threshold determination unit for determining the first threshold value using at least one of an IP spoofing of the AP, a position value of the AP, and an output change amount of the AP. do.

Preferably, the wireless communication network manager performs the preliminary channel search when a value obtained by weighted average of the first to eighth thresholds is greater than a predetermined ninth threshold.

Preferably, the wireless network operation system further comprises a jamming type determination unit for determining the type of the detected jamming. More preferably, the jamming type determination unit determines the detected jamming type in consideration of the OSI layer of the channel where the jamming is generated. More preferably, when the layer is a physical layer, the jamming type determination unit generates jamming traffic exceeding a reference value in the operating channel when determining the detected jamming type, and a physical layer convergence protocol (PLCP). Jamming to send the sync signal in the header continuously, Jamming to send the Start Frame Delimiter (SFD) signal, Jamming to generate traffic exceeding the reference value every time a data frame is transmitted, Traffic exceeding the reference value periodically Select one of the following jamming: jamming to generate traffic, jamming to generate irregularly exceeding the reference value, jamming to send a specific signal continuously, and jamming to send out more packets than the shorter than Short Interframe Space (SIFS). To determine. Alternatively, when the layer is a data link layer, the jamming type determination unit sends a de-authentication frame or a dis-association frame when determining the type of the detected jamming. Jamming for setting (Network Allocation Vector) longer than the reference time, jamming for continuously sending a Probe Request (PR) signal, and authentication request or association request of a larger amount than the AP can handle One jamming is selected from among jamming transmitted to the AP to determine the jamming.

Preferably, the wireless network management system includes a warning unit for alerting a person accessing the operation channel to the fact that the jamming detection, when the jamming is detected; Or, when the jamming is detected, further comprising an access blocking unit for blocking access of the terminal or the unregistered AP that caused the jamming.

Preferably, the wireless communication network operation system includes a jamming type determination unit for determining the type of the detected jamming; And a time determiner configured to determine the predetermined time according to the determined jamming type.

According to the present invention, after detecting a jamming attack that may occur in the physical layer and data link layer that can occur in the wireless local area network, and alerts the user and network administrators to enable appropriate measures, actively illegal terminal and unauthorized wireless If the jamming environment continues while blocking the access point, channel change and channel hopping can provide continuous network and anti-jamming performance. In addition, the gains are as follows.

First, to analyze jamming in the physical layer and the data link layer, it is possible to determine the type of jamming by detecting elements that can determine jamming in a packet transmitted on a wireless medium. An algorithm called Jamming Detection and Avoidance System (J-DAS) can detect and classify jamming attacks at the physical layer using RSSI, CRC error counts, retransmission counts, and backoff stage thresholds. Using threshold values such as the number of times, the number of abnormal de-authentication, the number of abnormal disconnection (dis-association), the number of abnormal SN (sequence number), the number of probe requests, the number of authentications, and the number of associations By detecting, classifying, and alerting to jamming attacks at the data link layer, it is possible to enable the network operator to determine the operation of the wireless local area network.

Second, if the jamming attack continues, it can actively provide new network and change the channel or hop the channel to provide continuous network and anti-jamming service. According to the present invention, even if jamming continues, the communication service can be continued. When jamming exceeds the threshold, the sensor quickly searches all channels, and the search results are compared with previous search results stored in the DB to find the best channel and change the channel. If you can't find the best channel, you can hop all channels quickly and communicate to improve the reliability of essential traffic and network survivability. Especially, if you use this feature for military purpose, anti-jamming effect can be achieved. have.

Third, the high-capacity data communication is possible by releasing the channel hopping by the release algorithm after the channel hopping. By using the channel hopping method, it is possible to improve the reliability of the required traffic and the survivability of the network by providing a minimum communication service, but it is difficult to communicate large data because the communication capacity is reduced. Therefore, if a channel is searched again after a certain time to search for the best channel, the channel is changed to that channel to operate normally to support high capacity traffic.

1 is a block diagram schematically illustrating a wireless communication network operating system according to a preferred embodiment of the present invention.
2 is a diagram illustrating a jamming attack in the physical layer and the data link layer.
3 is a diagram for a Physical Layer Convergence Protocol (PLCP) header.
4 is a diagram illustrating a state change of 802.11.
5 is a diagram illustrating NAV configuration of an 802.11 system.
FIG. 6 is a diagram illustrating a network component of a jamming detection & avoidance system (J-DAS) as an exemplary view of a wireless communication network operating system according to an exemplary embodiment of the present invention.
7 is a flowchart schematically illustrating a method for operating a wireless communication network according to an exemplary embodiment of the present invention.
FIG. 8 is a flowchart illustrating a method for operating a wireless communication network according to a preferred embodiment of the present invention in detail, and illustrates an algorithm for detecting, alarming, and avoiding a J-DAS (Jamming Detection & Avoidance System).
9 is a diagram illustrating an jamming avoidance algorithm.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. First, in adding reference numerals to the components of each drawing, it should be noted that the same reference numerals are assigned to the same components as much as possible even if displayed on different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. In addition, the following will describe a preferred embodiment of the present invention, but the technical idea of the present invention is not limited thereto and may be variously modified and modified by those skilled in the art.

1 is a block diagram schematically illustrating a wireless communication network operating system according to a preferred embodiment of the present invention. According to FIG. 1, the wireless communication network operation system 100 includes a jamming detector 110, a wireless communication network operator 120, and a main control unit 130.

The jamming detector 110 monitors at least one operating channel to detect jamming. The jamming detector 110 includes a signal strength measurer, a first determiner, a second determiner, a third determiner, and a fourth determiner.

The signal strength measurement unit collects all packets distributed in the operation channel to measure the signal strength. The first determination unit performs a function of determining whether the amount of change in the signal strength obtained using the measured signal strength value is greater than the first threshold value. The second determiner determines whether the number of cyclic redundancy check (CRC) errors is greater than a second predetermined threshold when the amount of change in signal strength is greater than the first threshold, and the number of CRC errors when the amount of change in signal strength is less than or equal to the first threshold. Performs a function of determining whether is greater than a predetermined third threshold value. The third determining unit determines that there is jamming in the operating channel when the number of CRC errors is greater than the second threshold value or the third threshold value, and adjusts the output value of the AP when the number of CRC errors is less than or equal to the second threshold value, and the number of CRC error counts. Is less than or equal to the third threshold, a function of determining whether the backoff stage value is greater than the fourth predetermined threshold value. If the backoff stage value is greater than the fourth threshold value, the fourth determination unit determines that the operating channel has jamming. If the backoff stage value is less than or equal to the fourth threshold value, the fourth determination unit changes the protocol layer of the operating channel to perform jamming detection. It performs the function.

The jamming detector may further include a fifth determiner, a sixth determiner, a seventh determiner, an eighth determiner, and a ninth determiner.

The fifth determination unit performs a function of determining whether a duration average value of the transmission frame is larger than a predetermined fifth threshold value. The sixth determination unit determines that there is jamming in the operation channel when the duration average value is greater than the fifth threshold value. When the duration average value is less than or equal to the fifth threshold value, the sixth discriminator determines the number of de-authentication and the number of dis-association. And calculating at least one of a sequence number (SN) to determine whether the number is greater than a sixth predetermined threshold. The seventh determination unit determines that there is jamming in the operating channel when the value obtained by the calculation is greater than the sixth threshold value. When the value obtained by the calculation is less than or equal to the sixth threshold value, the seventh threshold value in which the number of probe requests (PR) is predetermined is predetermined. Performs a function to determine if it is larger. The eighth determination unit determines that there is jamming in the operation channel when the PR number is greater than the seventh threshold value. If the PR number is less than or equal to the seventh threshold value, the eighth threshold determines a predetermined number of times of authentication or association; This function determines whether it is larger than the value. The ninth determination unit determines that there is jamming in the operating channel when the number of times of authentication or the number of accesses is greater than the eighth threshold, and determines that there is no jamming in the operating channel when the number of times of authentication or the number of accesses is less than or equal to the eighth threshold. do.

When jamming is detected, the wireless communication network manager 120 performs a function of continuously operating the wireless communication network through channel change or channel hopping depending on whether at least one available spare channel is searched for. Preferably, the wireless communication network manager 120 performs a preliminary channel search when a value obtained by weighted average of the first to eighth thresholds is larger than a predetermined ninth threshold. The wireless communication network manager 120 includes a channel searching unit 121, a channel changing unit 122, and a channel hopping unit 123.

The channel search unit 121 searches for available at least one spare channel when jamming is detected. The channel changing unit 122 performs a function of changing the channel to which the jamming is detected when the available spare channel is found. The channel hopping unit 123 performs channel hopping from the operation channel where jamming is detected when no available spare channel is found.

The main control unit 130 performs a function of controlling the overall operation of each unit constituting the wireless communication network operation system 100.

The wireless communication network operation system 100 may further include an availability determining unit, a connection blocking unit, a threshold determining unit, a jamming type determining unit, a warning unit, a time determining unit, and the like.

The availability determining unit performs a function of determining whether an operation channel where jamming is detected is available. In the present embodiment, when the wireless communication network is continuously operated through channel hopping, the availability determining unit performs the determination or the channel searching unit 121 performs the search after the predetermined time elapses, and the channel changing unit 122 determines the determination. Change channel to available operation channel or searched spare channel according to

If the jamming is detected, the access blocking unit blocks the access of the terminal that has jammed or the unregistered AP. Preferably, the connection blocking unit may generate a jamming terminal when at least one of the fourth determination unit, the sixth determination unit, the seventh determination unit, the eighth determination unit, and the ninth determination unit determines that the operation channel has jamming. Or block the access of unregistered AP.

The threshold determination unit performs a function of determining a first threshold value using at least one of an IP spoofing of the AP, a position value of the AP, and an output change amount of the AP.

The jamming type determination unit performs a function of determining the type of the detected jamming. Preferably, the jamming type determination unit determines the type of detected jamming in consideration of the OSI layer of the channel where the jamming has occurred. When the OSI layer is a physical layer, the jamming type determination unit determines a type of detected jamming and generates a sync signal of a jamming and physical layer convergence protocol (PLCP) header that generates traffic exceeding a reference value in the operation channel. Jamming that emits continuously, Jamming that emits Start Frame Delimiter (SFD) signals, Jamming that generates traffic that exceeds the threshold each time a data frame is transmitted, Jamming that periodically generates traffic that exceeds the threshold, Irregular threshold One jamming is selected from jamming for generating traffic exceeding, jamming for continuously transmitting a specific signal, and jamming for sending more packets than a reference value shorter than the short interframe space (SIFS). When the OSI layer is a data link layer, the jamming type determination unit sends a de-authentication frame or a dis-association frame when determining the detected jamming type, and a network allocation vector. ) Jamming to set longer than the reference time, jamming to continuously transmit a Probe Request (PR) signal, and sending an authentication request or association request to the AP that is greater than the AP's throughput. The jamming is selected by selecting one of the jamming.

In this embodiment, the jamming attacks in the physical layer and the data link layer are classified as shown in FIG. 2, and the jamming attacks in the physical layer are classified into seven types, and the jamming attacks in the data link layer are classified into two types. It is characterized by having.

Jamming of the physical layer is as follows. First, Resource Unlimited Attack sends a strong signal in the same frequency band. Second, the preamble attack continuously transmits the Sync signal of the Physical Layer Convergence Protocol (PLCP) header of FIG. 3 to prevent synchronization between the AP and the UE. 3 illustrates a frame structure of Layer 1. Third, the SFD attack transmits a 16-bit SFD (Start Frame Delimiter) signal of FIG. 3 to prevent synchronization. Fourth, a Reactive Attack is an intelligently strong signal every time a frame is sent. Fifth, a hit and run (HR) attack sends a strong signal periodically or irregularly. Sixth, symbol attack uses a feature of a frame without error correction to disable all frames by strongly jamming only one signal. Seventh, monopolizing attack monopolizes wireless channel by sending many packets shorter than short interframe space (SIFS).

Jamming of the data link layer is divided into Selective Attacks that disable specific terminals and Complete Attacks that disable wireless access points. Selective Attacks are a De-authentication / Dis-association Attack that breaks the state of the UE by sending a De-authentication / Dis-association frame as shown in FIG. It means a Duration Inflation Attack that increases the time. 4 relates to state transitions in the 802.11 standard, and FIG. 5 relates to the NAV standard. Complete Attacks are concepts that include Probe Request Attacks that paralyze wireless access points by sending consecutive Probe Requests to APs, and Auth / Assoc Request Attacks that send large amounts of Authentication / Association Requests to wireless access points to defeat wireless access points. to be.

The warning unit alerts the person who accesses the operation channel the jamming detection when jamming is detected.

When the jamming type determiner determines the detected jamming type, the time determiner determines a predetermined time according to the determined jamming type.

As described above, the wireless communication network operation system 100 detects a jamming attack at the physical layer and the data link layer in the wireless local area network, classifies the types of attacks, and proposes an algorithm for avoiding them. Particularly, when jamming is not possible due to jamming, the jamming capability is continuously provided by avoiding jamming through channel change or channel hopping, thereby improving anti-jamming capability. It also collects information from sensors to classify and alert to jamming attacks so that users and network operators can make decisions about whether to continue using the wireless local area network. In addition, the present invention provides a method of disconnecting a terminal attacking with an 802.11-based system, and improves the security function of a wireless local area network by blocking a wired port for an unregistered AP.

In the following description, a method of detecting, warning, and avoiding jamming attacks in a physical layer and a data link layer in a wireless communication system based on a wireless local area network is called J-DAS (Jamming Detection & Avoidance Systems). J-DAS monitors the wireless channel environment to detect and alert to a jamming attack, a first step of searching for available channels to evade the determined jamming attack, and a second step of selecting channel change or channel hopping, and channel hopping. After the predetermined time has elapsed, a third step of rescanning the channel and operating normally is included.

6 is an exemplary view of a wireless communication network operating system according to a preferred embodiment of the present invention. Referring to FIG. 6, the J-DAS system 600 is a J-DAS sensor 610, an AP 620 having a J-DAS sensor function, a J-DAS server 630, and a J-DAS management console 640. It is composed. The J-DAS system 600 is a concept corresponding to the wireless communication network operation system 100 of FIG. 1, and the AP 620 of the J-DAS sensor 610 and the J-DAS sensor function of the jamming detector of FIG. 1 ( 110). The J-DAS server 630 is a concept corresponding to the wireless communication network manager 120 of FIG. 1, and the J-DAS management console 640 is a concept corresponding to the main controller 130 of FIG. 1.

The J-DAS sensor 610 and the AP 620 of the J-DAS sensor function are connected to the J-DAS server 630 not only wirelessly but also by wire. This connection method is used when a jamming attack enters a wireless section. Allows accurate transmission of detection results to the server. Since the present invention aims to detect and avoid jamming attacks at the physical layer and the datalink layer, it is assumed that various attacks at the network layer are protected through an intrusion detection system, an intrusion prevention system, a secure tunneling, and an encryption mechanism. In addition, the J-DAS system 600 devised in the present invention sets the functions of the LAN card and the AP through the API with little physical changes to the existing LAN card and the AP, and uses the collected monitoring elements in a software method. By detecting jamming attacks, the cost of building a system can be reduced.

Next, a wireless communication network operating method of the wireless communication network operating system will be described. 7 is a flowchart schematically illustrating a method for operating a wireless network according to a preferred embodiment of the present invention, and FIG. 8 is a flowchart illustrating a method for operating a wireless network according to a preferred embodiment of the present invention in detail. The following description refers to FIGS. 7 and 8.

First, the jamming detector 110 monitors at least one operating channel to detect jamming (S700). This step is described in detail as follows.

First, the signal strength measurement unit collects all packets distributed in the operation channel to measure the signal strength. Thereafter, the first determiner determines whether the amount of change in the signal strength obtained using the measured signal strength value is greater than the first threshold value. Before the first determination unit performs the determination, the threshold determination unit may determine the first threshold value using at least one of an IP spoofing of the AP, a position value of the AP, and an output change amount of the AP. Subsequently, the second determination unit determines whether the number of cyclic redundancy check (CRC) errors is greater than a second predetermined threshold if the amount of change in signal strength is greater than the first threshold value, and if the amount of change in signal intensity is less than or equal to the first threshold value, the CRC It is determined whether the number of errors is greater than a third predetermined threshold. Thereafter, the third determiner determines that the operation channel has jamming when the number of CRC errors is greater than the second threshold value or the third threshold value, and adjusts the output value of the AP when the number of CRC errors is less than or equal to the second threshold value. If the number of errors is less than or equal to the third threshold, it is determined whether the backoff stage value is greater than the fourth threshold. Thereafter, the fourth determiner determines that the operating channel has jamming when the backoff stage value is larger than the fourth threshold value. If the backoff stage value is less than or equal to the fourth threshold value, the fourth determination unit changes the protocol layer of the operating channel to detect jamming. To perform.

Thereafter, the fifth determiner determines whether the duration average value of the transmission frame is larger than the fifth threshold value. Thereafter, the sixth determination unit determines that there is jamming in the operation channel when the duration average value is greater than the fifth threshold value, and when the duration average value is less than or equal to the fifth threshold value, the number of de-authentication and disconnection is determined. And calculating at least one of the number of times and the number of sequence numbers (SN) to determine whether the number is greater than a sixth predetermined threshold. Subsequently, the seventh determination unit determines that there is jamming in the operation channel when the calculated value is greater than the sixth threshold value, and if the calculated value is less than or equal to the sixth threshold value, a seventh predetermined number of probe requests (PR) is determined. Determine if greater than the threshold Subsequently, the eighth determination unit determines that there is jamming in the operation channel when the PR number is greater than the seventh threshold value, and when the PR number is less than or equal to the seventh threshold value, the authentication number or the association number is predetermined. 8 Determine if greater than the threshold. Thereafter, the ninth determination unit determines that there is jamming in the management channel when the number of times of authentication or the number of times of connection is greater than the eighth threshold value.

Preferably, when at least one of the fourth, sixth, seventh, eighth, and ninth discriminator determines that the operating channel is jammed, the connection breaker causes jamming. Blocks access of the terminal or unregistered AP.

The above step (step S700) is a process of detecting a jamming attack by monitoring a wireless channel environment and then warning. The following description refers to FIG. 8.

The AP with the J-DAS sensor and the J-DAS sensor collects all packets distributed in the wireless section (S800), measures the RSSI (Received Signal Strength Indication) value, and transmits it to the server (S805). The server determines if the amount of change in the RSSI of the equipment is greater than the value of the threshold value 1 (S810). Threshold 1 (ie, the first threshold) is determined using characteristics such as time, output variation, noise variation, and the like. Sudden increase in RSSI means IP spoofing, jamming attack, movement of equipment, change of output, etc., and threshold 1 is set in consideration of these characteristics. If the change amount of RSSI is greater than the threshold 1 but the cyclic redundancy check (CRC) error and retransmission have not occurred (S815), it is determined that the jamming attack is not a jamming action and the output is reduced (S820). And when the number of retransmissions is greater than the threshold 2 (S815), it is determined that the Resource Unlimited Attack and warns the administrator (S825). Threshold 2 (ie, the second threshold) is determined using characteristics such as CRC error rate and retransmission rate.

In the present invention, when the amount of change in the RSSI value is smaller than the value of the threshold 1, the number of CRC errors is checked (S830). If the value is greater than the threshold 3, it determines that it is Preamble / SFD / Reactive, HR / Symbol Attack and alerts the administrator (S835). Threshold 3 (ie, the third threshold) is determined by measuring the CRC error rate according to the type of attack. On the other hand, if the value is smaller than the threshold value 3, it checks the backoff stage (S840) and if the value is larger than the threshold value 4, it determines that it is a monopolizing attack and warns the manager (S845). The threshold 4 (ie, the fourth threshold) is determined using characteristics such as the amount of change in the contention window.

In the present invention, if it is determined that the jamming attack of the physical layer is not a jamming attack of the physical layer by the above procedure, it is determined whether the jamming attack of the data link layer. This case proceeds as follows.

Checking the duration of the transmitted frame (S850), if the average value is greater than the threshold 5, it is confirmed that the Duration Inflation Attack and alerts the administrator (S855). The threshold value 5 (ie, the fifth threshold value) is determined using characteristics such as an average rate of change and a maximum value of each frame duration value. When the number of abnormal De-authentication and Dis-association and the number of abnormal SN (Sequence Number) are calculated (S860), if it is greater than the threshold 6, it is confirmed that it is a De-authentication and Dis-association Attack and alerts the administrator (S865). The threshold 6 (ie, the sixth threshold) is determined by using characteristics such as the number of abnormal De-authentication, the number of Dis-association frames and the number of SNs. If the number of Probe Requests is greater than the threshold 7 (S870), it is confirmed that the Probe Request Attack and alerts the administrator (S875). The threshold 7 (ie, the seventh threshold) is determined using characteristics such as the average probe request rate and the probe request rate according to the characteristics of the attack. If the number of authentication and association is greater than the threshold 8 (S880), it is determined that the Authentication / Association Attack is made and the administrator is alerted (S885). The threshold value 8 (ie, the eighth threshold value) is determined by using characteristics such as authentication, association count and transmission / reception address according to the attack characteristic.

On the other hand, if the attacker is a terminal or a wireless access point using an 802.11 system, the terminal sends a dis-association frame to disconnect the session, classifies the MAC as a black list, and blocks future access. Blocks the wired port to prevent additional jamming (S890).

This will be described with reference to FIG. 7 again.

When jamming is detected, the wireless communication network manager 120 continuously operates the wireless communication network through channel change or channel hopping according to whether at least one spare channel available is searched for (S710). In detail, when jamming is detected, the channel searching unit 121 searches for at least one reserved channel available (S711). In this case, the channel search unit 121 may perform a preliminary channel search when the value obtained by weighted average of the first to eighth threshold values is larger than the predetermined ninth threshold value. Subsequently, when the available spare channel is found, the channel changer 122 changes the operating channel from which jamming is detected to a spare channel to continuously operate the wireless communication network (S712). If an available reserved channel is not found, the channel hopping unit 123 channel-hops from the operating channel where the jamming is detected to continuously operate the wireless communication network (S713).

This step is a process of selecting a channel change or channel hopping after searching for available channels to avoid the determined jamming attack. As shown in FIG. 9, the weighted average value of the threshold 1 to the threshold 8 according to the jamming detection result is called a J-DAS threshold, and when the value is larger than the threshold 9, the channel is changed through channel search. And channel hopping is attempted (S900).

When the server analyzes the result of detecting the jamming in the first step, it commands the channel search to the AP with J-DAS sensor and J-DAS sensor function through the wire. The channel search result is transmitted to the J-DAS server (S910). The J-DAS server discovers the best channel by comparing the information on the existing channel with newly collected information and propagates the channel change command to the AP and the sensor by wire (S920). The AP propagates the channel to be changed by using the beacon and probe response frames before changing the channel. If the Beacon and Probe Response could not be transmitted due to the deterioration of the channel condition, the AP changes the channel first, and after a certain period of time, the UE checks the Beacon of the corresponding AP through a channel search and accesses it.

When the empty channel is selected, normal operation may be performed after the change, but when no channel capable of ensuring a certain level or more of quality can be found, the survivability of the network is increased through fast channel hopping (S930). Channel hopping propagates a predetermined pattern through the Beacon and Probe Response frames, and if it is impossible to transmit due to the deterioration of the channel state, the AP first performs channel hopping, and the terminals hopping by the predetermined pattern after a predetermined time elapses. Connect to connect. Fast channel hopping without changing the wireless local area network chipset reduces communication capacity, but can maintain a minimal network, resulting in improved survivability.

In the case where the wireless communication network is continuously operated through channel hopping in step S710 (specifically, step S713), the method for operating a wireless network according to the present embodiment may additionally perform the following process.

That is, when a predetermined time elapses, the availability determining unit determines whether an operation channel in which jamming is detected is available, or searches for at least one spare channel available by the channel search unit 121. Subsequently, the channel changing unit 122 changes the channel to the available operating channel when the operating channel on which jamming is detected is available, and changes the channel to the searched spare channel when at least one available spare channel is found (S720).

This step is a process in which the channel is rescanned and operated normally after a certain period of time after channel hopping.

The channel change selected in step S710 may transmit a large amount of data, but since channel hopping is aimed at the survivability of the network, a limitation occurs in transmitting a large amount of data. Therefore, after a certain time elapses, if a channel is searched again and a good channel is found in the existing channel and other channels, the channel is changed to normal operation, and the procedure is the same as in the step S710.

Meanwhile, in the present embodiment, after the jamming detection unit 110 performs jamming detection, the step of determining the type of jamming detected by the jamming type determination unit may be performed. This step may preferably determine the type of detected jamming in consideration of the OSI layer of the channel where the jamming occurred.

If the OSI layer is a physical layer, when determining the type of detected jamming, jamming generates traffic exceeding a reference value in the operating channel, and jamming continuously transmitting a sync signal of a physical layer convergence protocol (PLCP) header. Jamming that emits a Start Frame Delimiter (SFD) signal, jamming that generates traffic that exceeds the threshold each time a data frame is transmitted, jamming that generates traffic that exceeds the threshold periodically, and traffic that randomly exceeds the threshold. One jamming can be selected from jamming to generate, jamming to continuously transmit a specific signal, and jamming to send more packets than a reference value shorter than the short interframe space (SIFS).

If the OSI layer is a datalink layer, when determining the type of detected jamming, a jamming, NAV (Network Allocation Vector) for transmitting a de-authentication frame or a dis-association frame, is determined. Jamming that sets a long setting, jamming that continuously sends a Probe Request (PR) signal, and jamming that sends an authentication request or an association request to the AP that is larger than the AP can handle. This can be determined by selecting.

Meanwhile, in the present embodiment, after the jamming type determiner determines the type of jamming, the time determiner may determine a predetermined time in step S720 according to the type of jamming determined.

Meanwhile, in the present embodiment, after the jamming detection unit 110 performs the jamming detection, the warning unit may warn the person who connected the operation channel to the jamming detection fact, and the connection blocking unit may not register the terminal or jammed. The access of the AP can be blocked.

The above description is merely illustrative of the technical idea of the present invention, and various modifications, changes, and substitutions may be made by those skilled in the art without departing from the essential characteristics of the present invention. will be. Accordingly, the embodiments disclosed in the present invention and the accompanying drawings are not intended to limit the technical spirit of the present invention but to describe the present invention, and the scope of the technical idea of the present invention is not limited by the embodiments and the accompanying drawings. . The scope of protection of the present invention should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present invention.

According to the present invention, the following effects can be expected. First, to analyze jamming in the physical layer and the data link layer, it is possible to determine the type of jamming by detecting elements that can determine jamming in a packet transmitted on a wireless medium. Second, if the jamming attack continues, it can actively provide new network and change the channel or hop the channel to provide continuous network and anti-jamming service. Third, channel hopping enables the transmission of essential traffic in battlefield situations such as command control. Fourthly, by releasing channel hopping by a channel hopping release algorithm, high capacity data communication is enabled.

The present invention is applicable to a wireless communication network based on an 802.11 system. In particular, it can be applied to a wireless local area network based on 802.11a / b / g / n, and is very useful as a military tactical communication system requiring anti-jamming capability. The present invention can protect the wireless network from jamming attacks against the increasing wireless local area network, and satisfy the demand for the wireless local area network system with military anti-jamming capability. Therefore, the present invention is well worth introducing for commercial carriers and defense businesses.

100: wireless communication network operation system 110: jamming detection unit
120: wireless communication network operation unit 121: channel search unit
122: channel changing unit 123: channel hopping unit
130: main control part 600: J-DAS system
610: AP with a J-DAS sensor 620: J-DAS sensor
630: J-DAS Server 640: J-DAS Management Console

Claims (23)

(a) detecting jamming by monitoring at least one operating channel, wherein a first magnitude comparison result between a first threshold value and a change in signal strength in the operational channel is selected according to the first magnitude comparison result; A second magnitude comparison result between any one of a second threshold value and a third threshold value and the number of cyclic redundancy check (CRC) errors, and a third magnitude comparison result between a fourth threshold value and a backoff stage value Detecting whether there is jamming based on the detection; And
(b) if the jamming is detected, continuously operating the wireless communication network through channel change or channel hopping according to whether at least one available spare channel is detected;
Wireless communication network operating method comprising a. The method of claim 1,
In step (b),
(ba) searching for at least one spare channel available when the jamming is detected; And
(bb) if the available spare channel is searched, the channel is changed to the spare channel where the jamming is detected; if the available spare channel is not detected, the channel is hopped from the detected operation channel to the wireless communication network. Continuous operation stage
Wireless communication network operating method comprising a. The method of claim 2,
In the case of continuously operating the wireless communication network through channel hopping in the step (bb),
(c) if a predetermined time elapses, determining whether an operation channel for which jamming is detected is available or searching for at least one spare channel available; And
(d) changing the channel to the available operating channel if the operating channel where the jamming is detected is available; and changing the channel to the searched spare channel when at least one available spare channel is found.
Wireless communication network operating method further comprising. The method of claim 1,
In step (a),
(a) measuring signal strength by collecting all packets distributed in the operation channel;
(ab) determining whether the amount of change in signal strength obtained using the measured signal strength value is greater than the first threshold value;
(ac) determining whether the CRC error count is greater than the second threshold value if the signal strength change amount is greater than the first threshold value; and if the signal strength change amount is less than or equal to the first threshold value, the CRC error number is determined. Determining if greater than the third threshold;
(ad) if the number of CRC errors is greater than the second threshold or the third threshold, determine that there is jamming in the operational channel; and if the number of CRC errors is less than or equal to the second threshold, adjust the output value of the AP. If the number of CRC errors is less than or equal to the third threshold, determining whether the backoff stage value is greater than the fourth threshold; And
(ae) If the backoff stage value is greater than the fourth threshold, it is determined that there is jamming in the operating channel. If the backoff stage value is less than or equal to the fourth threshold, the protocol layer of the operating channel is changed. Performing the jamming detection
Wireless communication network operating method comprising a. The method of claim 4, wherein
In step (a),
(af) determining whether a duration average value of the transmission frame is larger than a fifth predetermined threshold value;
(ag) If the duration average value is greater than the fifth threshold value, it is determined that there is jamming in the operation channel. If the duration average value is less than or equal to the fifth threshold value, the number of de-authentication and disconnection is determined. calculating at least one of an association number and a sequence number (SN) to determine whether the number is greater than a sixth predetermined threshold;
(ah) If the value obtained by the calculation is greater than the sixth threshold, it is determined that there is jamming in the operating channel. If the value obtained by the calculation is less than or equal to the sixth threshold, the number of probe requests (PR) is predetermined. Determining if greater than a seventh threshold;
(ai) if the PR number is greater than the seventh threshold, it is determined that there is jamming in the management channel; and if the PR number is less than or equal to the seventh threshold, the number of authentications or associations is preliminary. Determining whether it is greater than a predetermined eighth threshold; And
(aj) if the number of times of authentication or the number of times of connection is greater than the eighth threshold, it is determined that there is jamming in the management channel; and if the number of times of authentication or the number of times of connection is less than or equal to the eighth threshold, jamming in the management channel. To determine that a file does not exist
Wireless communication network operating method comprising a. The method of claim 5, wherein
The terminal generating the jamming when it is determined that the operation channel has jamming in at least one of the steps (ae), (ag), (ah), (ai), and (aj). Or blocking access of an unregistered AP
Wireless communication network operating method further comprising. The method of claim 4, wherein
Determining the first threshold value using at least one of an IP spoofing of the AP, a position value of the AP, and an output change amount of the AP;
Wireless communication network operating method further comprising. The method of claim 5, wherein
In the step (b), the preliminary channel search is performed when the value obtained by weighted average of the first to eighth thresholds is larger than a predetermined ninth threshold. The method of claim 1,
As an intermediate step between step (a) and step (b),
(a ') determining the type of jamming detected
Wireless communication network operating method further comprising. The method of claim 9,
In the step (a '), the type of the jamming detected is determined in consideration of the OSI layer of the channel where the jamming has occurred. The method of claim 10,
When the layer is a physical layer, the step (a ') may include a sink of a jamming and physical layer convergence protocol (PLCP) header that generates traffic exceeding a reference value in the operation channel when determining the type of the detected jamming. (sync) Jamming that emits a continuous signal, Jamming that emits a Start Frame Delimiter (SFD) signal, Jamming that generates traffic that exceeds the threshold each time a data frame is transmitted, and periodically generates traffic that exceeds the threshold. Jamming is selected by selecting one of jamming, jamming that generates irregularly exceeding the reference value, jamming that continuously transmits a specific signal, and jamming that transmits more packets than the threshold but shorter than the short interframe space (SIFS). Wireless communication network operating method, characterized in that. The method of claim 10,
If the layer is a data link layer, the step (a ') may include a jamming and a NAV for transmitting a de-authentication frame or a dis-association frame when determining the detected jamming type. Jamming for setting (Network Allocation Vector) longer than the reference time, jamming for continuously sending a Probe Request (PR) signal, and authentication request or association request of a larger amount than the AP can handle And selecting and discriminating one of the jamming data transmitted to the AP. The method of claim 1,
As an intermediate step between step (a) and step (b),
If the jamming is detected, alerting a person accessing the operational channel to the jamming detection fact; or
If the jamming is detected, blocking access of the terminal that has caused the jamming or an unregistered AP;
Wireless communication network operating method further comprising. The method of claim 3, wherein
As an intermediate step between step (a) and step (b),
Determining the type of jamming detected and determining the time in step (c) according to the determined type of jamming;
Wireless communication network operating method further comprising. Monitoring at least one operating channel to detect jamming; a second threshold selected according to a first magnitude comparison result between the first threshold value and a signal intensity change amount in the operational channel, and a second threshold value selected according to the first magnitude comparison result Based on a second magnitude comparison result between any one of the threshold values and the third threshold value and the number of cyclic redundancy check (CRC) errors, and a third magnitude comparison result between the fourth threshold value and the backoff stage value. A jamming detector detecting whether the jamming is present; And
When the jamming is detected, the wireless communication network operation unit continuously operating the wireless communication network through channel change or channel hopping depending on whether at least one available spare channel is detected.
Wireless communication network operating system comprising a. The method of claim 15,
The wireless communication network operation unit,
A channel searching unit searching for at least one spare channel available when the jamming is detected;
A channel changing unit configured to change a channel into which the jamming is detected when the available spare channel is found, into the spare channel; And
Channel hopping unit for channel hopping from the operation channel where the jamming is detected if the available spare channel is not found
Wireless communication network operating system comprising a. 17. The method of claim 16,
Availability determination unit for determining whether the operation channel detected the jamming is available
More,
In the case where the wireless communication network is continuously operated through channel hopping, when a predetermined time elapses, the available determination unit performs the determination or the channel search unit performs the search, and the channel change unit operates the available channel according to the determination. Or changing the channel to the found reserved channel. The method of claim 15,
The jamming detection unit,
A signal strength measuring unit for collecting all packets distributed in the operation channel and measuring signal strength values;
A first discriminating unit which determines whether the amount of change in signal strength obtained using the measured signal strength value is greater than the first threshold value;
If the amount of change in signal strength is greater than the first threshold, it is determined whether the number of CRC errors is greater than the second threshold. If the amount of change in signal strength is less than or equal to the first threshold, the number of CRC errors is equal to the third threshold. A second determining unit which determines whether the threshold value is larger than the threshold value;
If the number of CRC errors is greater than the second threshold or the third threshold, it is determined that there is jamming in the operating channel. If the number of CRC errors is less than or equal to the second threshold, the output value of the AP is adjusted. A third determination unit determining whether the backoff stage value is greater than the fourth threshold value when the number of CRC errors is less than or equal to the third threshold value; And
If the backoff stage value is greater than the fourth threshold, it is determined that there is jamming in the operating channel. If the backoff stage value is less than or equal to the fourth threshold, the protocol layer of the operating channel is changed to detect the jamming. Fourth determination unit to perform the operation
Wireless communication network operating system comprising a. The method of claim 18,
The jamming detection unit,
A fifth determination unit for determining whether a duration average value of the transmission frame is larger than a fifth predetermined threshold value;
If the duration average value is greater than the fifth threshold value, the operation channel is determined to be jammed. If the duration average value is less than or equal to the fifth threshold value, the number of de-authentication and disconnection is determined. A sixth judging unit which calculates at least one of a number of times and a sequence number (SN) to determine whether the number is greater than a sixth predetermined threshold;
If the value of the calculation is greater than the sixth threshold, it is determined that there is jamming in the operating channel. If the value of the calculation is less than or equal to the sixth threshold, the seventh threshold of the predetermined number of probe requests (PR) A seventh determining unit which determines whether the value is larger than the value;
If the number of PRs is greater than the seventh threshold, it is determined that jamming occurs in the management channel. If the number of PRs is less than or equal to the seventh threshold, an eighth predetermined number of authentications or associations is determined. An eighth determining unit which determines whether the threshold value is larger than the threshold value; And
If the number of times of authentication or the number of accesses is greater than the eighth threshold, it is determined that there is jamming in the management channel. If the number of times of authentication or the number of times of connection is less than or equal to the eighth threshold value, it is determined that there is no jamming in the management channel. 9th discrimination unit to say
Wireless communication network operating system comprising a. The method of claim 19,
The terminal generating the jamming when at least one of the fourth discriminating unit, the sixth determining unit, the seventh determining unit, the eighth determining unit, and the ninth determining unit determines that the operating channel has jamming. Or access blocker to block access of unregistered AP
Wireless communication network operating system further comprising. The method of claim 19,
And the wireless communication network operating unit performs the preliminary channel search when a value obtained by weighted average of the first to eighth thresholds is larger than a predetermined ninth threshold. The method of claim 15,
A jamming type determination unit determines a type of the detected jamming, and determines the type of the detected jamming in consideration of the OSI layer of the channel where the jamming is generated.
Wireless communication network operating system further comprising. The method of claim 22,
When the layer is a physical layer, the jamming type determination unit generates a traffic exceeding a reference value in the operating channel when determining the type of the detected jamming, and syncs a jamming and physical layer convergence protocol (PLCP) header. ) Jamming to send signals continuously, jamming to send a Start Frame Delimiter (SFD) signal, jamming to generate traffic exceeding the reference value every time a data frame is transmitted, jamming to generate traffic exceeding the reference value periodically, Jamming is selected by selecting one of jamming that generates traffic exceeding a reference value irregularly, jamming that continuously transmits a specific signal, and jamming that transmits more packets than the reference value shorter than the short interframe space (SIFS).
When the layer is a data link layer, the jamming type determination unit transmits a de-authentication frame or a dis-association frame when determining the type of the detected jamming. Jamming to set the Allocation Vector (Llocation Vector) longer than the reference time, jamming to continuously transmit a Probe Request (PR) signal, and the authentication request or the connection request (association request) of a larger amount than the AP can handle the AP A wireless communication network operating system, characterized in that for selecting one of the jamming to transmit to the jamming to determine.

Images