TW202306404A - Detection method for rogue access points, electronic device and readable storage medium - Google Patents


Publication number
TW202306404A
Authority
TW
Taiwan
Prior art keywords
illegal
rssi
aps
legal
clock offset
Prior art date
Application number
TW110127740A
Other languages
Chinese (zh)
Other versions
TWI799927B (en)
Inventor
黃正義
Original Assignee
新加坡商鴻運科股份有限公司
Application filed by 新加坡商鴻運科股份有限公司
Priority to TW110127740A
Publication of TW202306404A
Application granted
Publication of TWI799927B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A detection method for rogue access points is disclosed. Timestamps of the beacon packets of each access point (AP) among multiple wireless APs are collected. The clock skew of each AP is calculated from the collected timestamps, and a clock skew model of each AP is established from its clock skew. It is then determined whether a rogue AP is detected. If a rogue AP is detected, a plurality of legitimate APs adjacent to the rogue AP are selected. Received signal strength indicator (RSSI) values relative to the rogue AP are collected via the selected legitimate APs. The rogue AP is localized according to the collected RSSI values.

Description

Detection method for rogue access points, electronic device and computer-readable storage medium

The present invention relates to detection methods, and in particular to a detection method for rogue access points, an electronic device and a computer-readable storage medium.

A rogue Wi-Fi access point (AP), or rogue AP for short, is a Wi-Fi AP set up privately by a malicious attacker without authorization from the enterprise's network management unit. Malicious attackers steal an enterprise's important business secrets through connections to rogue Wi-Fi APs, causing the enterprise heavy business losses. An enterprise wireless network must therefore be able to detect and suppress rogue Wi-Fi APs in order to ensure its security.

Enterprise-grade wireless network equipment currently detects rogue Wi-Fi APs mainly by active scanning and passive scanning, but it cannot detect a rogue Wi-Fi AP that spoofs the Media Access Control (MAC) address of a legitimate Wi-Fi AP, and it also lacks a mechanism for locating rogue Wi-Fi APs.

In view of this, the present invention provides a detection method for rogue access points, an electronic device and a storage medium that can quickly detect and locate rogue Wi-Fi APs.

An embodiment of the present invention provides a detection method for rogue access points, applied in an electronic device, comprising the following steps: collecting the timestamps of the Beacon packets of each AP among multiple wireless APs; calculating the clock skew of each AP from the collected timestamps; establishing a clock skew model of each AP from its clock skew; determining whether a rogue AP is detected; if the rogue AP is detected, selecting a plurality of legitimate APs adjacent to the rogue AP; having the selected legitimate APs collect Received Signal Strength Indicator (RSSI) values relative to the rogue AP; and locating the rogue AP according to the collected RSSI values.

An embodiment of the present invention also provides an electronic device, comprising: a processing module for collecting the timestamps of the Beacon packets of each AP among multiple APs, calculating the clock skew of each AP from the collected timestamps, and establishing a clock skew model of each AP from its clock skew; a detection module for determining whether a rogue AP is detected and, if the rogue AP is detected, selecting a plurality of legitimate APs adjacent to the rogue AP and having the selected legitimate APs collect RSSI values relative to the rogue AP; and a positioning module for locating the rogue AP according to the collected RSSI values.

An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed, it implements the steps of the detection method for rogue access points described above.

The present invention is described in detail below with reference to the accompanying drawings and specific embodiments, which do not limit the invention.

So that the above objects, features and advantages of the present invention can be understood more clearly, the invention is described in detail below with reference to the accompanying drawings and specific embodiments. Where there is no conflict, the embodiments of the present application and the features in those embodiments may be combined with one another.

Many specific details are set forth in the following description to aid a full understanding of the present invention. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the present invention.

Unless otherwise defined, all technical and scientific terms used herein have the meaning commonly understood by a person skilled in the technical field of the invention. The terms used in this description serve only to describe specific embodiments and are not intended to limit the invention.

Descriptions involving "first", "second" and the like in the present invention are for descriptive purposes only and are not to be understood as indicating or implying relative importance or the number of the technical features indicated. A feature qualified by "first" or "second" may therefore explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with one another, but only insofar as a person of ordinary skill in the art can implement the combination. Where a combination of technical solutions is contradictory or cannot be implemented, that combination is deemed not to exist and falls outside the scope of protection claimed by the present invention.

The Timestamp field of a Wi-Fi access point (Wi-Fi AP) Beacon packet records the time at which the Beacon packet was transmitted. This time is written directly into the Beacon packet by the Wi-Fi AP's radio frequency (RF) chip and is independent of delays in the Media Access Control (MAC) layer. The Wi-Fi AP's clock is generated by an oscillator and a counter.

Devices built from identical hardware components still have different clock skews. Clock skew arises because the oscillation frequencies of the quartz oscillators in electronic clocks are not identical, and it grows as the device's uptime increases.

In the detection method for rogue access points of the embodiment of the present invention, a wireless intrusion detector receives all Beacon packets on all wireless channels and records the timestamp in each AP's Beacon packets in order to build a clock skew model for each AP. The clock skew model of each AP is updated continuously; if an abnormal clock skew model is found, the AP corresponding to that model is judged to be a rogue AP.

Figure 1 is a flowchart of the steps of the detection method for rogue access points according to an embodiment of the present invention, applied in the microcontroller of an electronic device. The order of the steps in the flowchart may be changed, and some steps may be omitted, according to different requirements.

Step S11: collect the timestamps of each AP's Beacon packets.

The wireless intrusion detector scans every wireless channel and records the timestamps of the Beacon packets detected from each AP, for example $T_0, T_1, T_2, \ldots$, and calculates the time difference of each Beacon packet, for example $X_i = T_i - T_0$, to serve as the database from which the clock skew model of each AP is built.

Step S12: calculate the clock skew of each AP from the collected timestamps.

Step S13: establish the clock skew model of each AP from its clock skew.

Assume that the clock skew model of the AP is , where is the initial value of the clock skew and is the growth slope of the clock skew. After and are estimated by the least-squares method, the clock skew model of each AP is obtained, as shown in Figure 2.

Step S14: determine whether a rogue AP is detected. If no rogue AP is detected, return to step S13 and continue building the clock skew model of each AP.

Step S15: if a rogue AP is detected, select several legitimate APs adjacent to the rogue AP, for example, at least 3 legitimate APs.

Step S16: the selected legitimate APs collect Received Signal Strength Indicator (RSSI) values relative to the rogue AP.

Step S17: locate the rogue AP according to the collected RSSI values.

Step S18: determine whether the rogue AP has been removed. If the rogue AP has not yet been removed, return to step S16 and have the selected legitimate APs continue collecting RSSI values relative to the rogue AP.

Step S19: if the rogue AP has been removed, stop collecting RSSI values and locating the AP.
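The fit and comparison in steps S12 to S14, written out as an added example (not code from the patent). It assumes each beacon's offset is measured against the detector's own receive clock and names the intercept `b0`; `MIN_BEACONS`, `TOLERANCE_PPM`, the BSSID and the beacon series are constructed for illustration.

```python
MIN_BEACONS = 30               # assumed minimum window for a stable fit
TOLERANCE_PPM = 2.0            # assumed allowed deviation from the enrolled slope
BEACON_INTERVAL_US = 102_400   # common default beacon interval (100 TU)


def fit_skew(samples):
    """Least-squares fit y = b0 + b1 * x over one BSSID's beacons.

    samples: list of (rx_us, tsf_us), the detector's receive time and the
    beacon Timestamp field, both in microseconds.
      x_i = rx_i - rx_0          elapsed time on the detector clock
      y_i = (T_i - T_0) - x_i    how far the AP clock has drifted from it
    Returns (b0 in microseconds, b1 in ppm), or None if the window is
    too short or degenerate.
    """
    if len(samples) < MIN_BEACONS:
        return None
    rx0, tsf0 = samples[0]
    xs = [rx - rx0 for rx, _ in samples]
    ys = [(tsf - tsf0) - x for (_, tsf), x in zip(samples, xs)]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        return None
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b1 = sxy / sxx
    return mean_y - b1 * mean_x, b1 * 1e6


def classify(enrolled_ppm, bssid, samples):
    """Compare the fitted slope b1 with the slope enrolled for this BSSID."""
    fit = fit_skew(samples)
    if fit is None:
        return "insufficient-data"
    known = enrolled_ppm.get(bssid)
    if known is None:
        return "unknown-bssid"          # no enrolled slope for this BSSID
    if abs(fit[1] - known) > TOLERANCE_PPM:
        return "skew-mismatch"          # same MAC, different oscillator
    return "ok"


def make_beacons(skew_ppm, count, tsf_start=5_000_000):
    """Constructed beacon series: an AP clock running skew_ppm fast or slow,
    with a small deterministic jitter on the detector's receive timestamps."""
    beacons = []
    for i in range(count):
        elapsed = i * BEACON_INTERVAL_US
        jitter = (i * 37) % 11 - 5      # -5..+5 microseconds
        rx = 1_000_000 + elapsed + jitter
        tsf = tsf_start + round(elapsed * (1 + skew_ppm * 1e-6))
        beacons.append((rx, tsf))
    return beacons


if __name__ == "__main__":
    bssid = "02:00:00:00:00:01"         # constructed, locally administered
    enrolled = {bssid: 12.5}            # slope learned while the AP was trusted
    for label, series in [
        ("enrolled AP", make_beacons(12.5, 200)),
        ("clone with the same BSSID", make_beacons(-31.0, 200)),
        ("short window", make_beacons(12.5, 10)),
    ]:
        print(label, "->", classify(enrolled, bssid, series))
```
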

Figure 3 is a flowchart of the steps for locating a rogue AP according to an embodiment of the present invention, applied in the microcontroller of an electronic device. The order of the steps in the flowchart may be changed, and some steps may be omitted, according to different requirements.

Step S21: define the virtual coordinates of the legitimate APs in a network service area.

The service area of the enterprise wireless network is laid out as a planar space with virtual coordinates, and each legitimate AP is assigned virtual coordinates $\{X_1, X_2, X_3, \ldots, X_n\}$, so that the legitimate APs can be used to detect the relative position and predicted coordinates of a rogue AP.

Step S22: define at least one reference monitor point in the network service area.

One or more observation points $\{P_1, P_2, P_3, \ldots, P_n\}$ in the planar space of the aforementioned virtual coordinates are selected as the reference points for measuring the RSSI value of each legitimate AP.

Step S23: measure and record the RSSI value of each legitimate AP to obtain the RSSI vector of the reference observation point relative to all legitimate APs.

When the wireless network is installed, a terminal device at each observation point measures and records the signal strength of every legitimate AP, in order to build the RSSI vector between the legitimate APs and each virtual coordinate. In addition, the signal strength of all legitimate APs is measured at each observation point to build the RSSI correlation vector of each legitimate AP with respect to all observation points (M1, M2), as shown in Figure 4. Table 1 records the RSSI correlation vectors of the observation points relative to all legitimate APs.

Table 1

| Legitimate AP \ Observation point | $P_1(a_1, b_1)$ | $P_2(a_2, b_2)$ | $P_n(a_n, b_n)$ |
|---|---|---|---|
| $AP_1(x_1, y_1)$ | -35 | -45 | -55 |
| $AP_2(x_2, y_2)$ | -45 | -55 | -35 |
| ... | ... | ... | ... |
| $AP_m(x_m, y_m)$ | -55 | -45 | -65 |

Step S24: store the measured RSSI vectors in the database.

Step S25: build the RSSI correlation model of the legitimate APs with respect to the observation points from the obtained RSSI vectors.

Step S26: detect a rogue AP according to the established RSSI correlation model.

The wireless intrusion detector continuously scans all wireless channels and collects the Beacon packet information of the APs. After the clock skew model of each AP has been built, the growth slope $b_1$ of each AP's clock skew is compared. If an unknown $b_1$ exists, the AP is judged to be a rogue AP, as shown in Figure 5.

When a rogue AP is detected, the wireless network controller notifies every legitimate AP to report the RSSI vector of the detected rogue AP, so that the wireless network controller can locate the coordinates of the rogue AP, $P_r(a_{n+1}, b_{n+1})$, as shown in Table 2 and Figure 6.

Table 2

| Legitimate AP \ Observation point | $P_1(a_1, b_1)$ | $P_2(a_2, b_2)$ | $P_n(a_n, b_n)$ | $P_r(a_{n+1}, b_{n+1})$ |
|---|---|---|---|---|
| $AP_1(x_1, y_1)$ | -35 | -45 | -55 | -65 |
| $AP_2(x_2, y_2)$ | -45 | -55 | -35 | -55 |
| ... | ... | ... | ... | ... |
| $AP_m(x_m, y_m)$ | -55 | -45 | -65 | -45 |

After receiving the RSSI vector of the rogue AP detected by each legitimate AP, the wireless network controller reconstructs the RSSI vectors of the legitimate APs and passes them to the clock skew model of the rogue AP in order to calculate the coordinates of the rogue AP.

The clock skew model of the rogue AP calculates the cosine distance $d$ between the rogue AP and each observation point in order to obtain the observation point closest to the rogue AP and to predict the coordinates of the rogue AP, as shown in Figure 7.

Step S27: compare the RSSI vector of the rogue AP with the currently established RSSI correlation model.

Step S28: estimate the location of the rogue AP according to the comparison result.
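The comparison in steps S27 and S28, as an added example that is not code from the patent: it ranks the observation points of Table 2 by cosine distance to the RSSI vector reported for the rogue AP. The numeric coordinates, the key names and the rule of skipping points with fewer than three shared APs are assumptions made for illustration.

```python
import math

# RSSI fingerprints from Table 2: for each observation point, the value
# recorded against AP_1, AP_2 and AP_m.
FINGERPRINTS = {
    "P1": {"AP1": -35, "AP2": -45, "APm": -55},
    "P2": {"AP1": -45, "AP2": -55, "APm": -45},
    "Pn": {"AP1": -55, "AP2": -35, "APm": -65},
}

# Constructed virtual coordinates; the page only gives symbolic (a_i, b_i).
COORDS = {"P1": (0.0, 0.0), "P2": (10.0, 0.0), "Pn": (0.0, 10.0)}

# P_r column of Table 2: what each legitimate AP reports for the rogue AP.
ROGUE_REPORT = {"AP1": -65, "AP2": -55, "APm": -45}

MIN_SHARED_APS = 3   # assumed, following the "at least 3 legitimate APs" of S15


def cosine_distance(u, v):
    """1 - cos(angle between u and v); 0 means the vectors are parallel."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    if norm == 0:
        raise ValueError("zero-length RSSI vector")
    return 1.0 - dot / norm


def locate(rogue_rssi, fingerprints=FINGERPRINTS, coords=COORDS):
    """Return (nearest point, its coordinates, all distances), or None.

    Only APs present in both the rogue report and a fingerprint are
    compared, so a legitimate AP that cannot hear the rogue AP does not
    distort the vector; points with too few shared APs are skipped.
    """
    distances = {}
    for point, fingerprint in fingerprints.items():
        shared = sorted(set(fingerprint) & set(rogue_rssi))
        if len(shared) < MIN_SHARED_APS:
            continue
        distances[point] = cosine_distance(
            [rogue_rssi[ap] for ap in shared],
            [fingerprint[ap] for ap in shared],
        )
    if not distances:
        return None
    nearest = min(distances, key=distances.get)
    return nearest, coords[nearest], distances


if __name__ == "__main__":
    point, xy, ranked = locate(ROGUE_REPORT)
    for name, d in sorted(ranked.items(), key=lambda item: item[1]):
        print(f"{name}: d = {d:.4f}")
    print("nearest observation point:", point, "at", xy)
```

Cosine distance compares only the direction of the two RSSI vectors, so observation points whose fingerprints are proportional to one another cannot be told apart by this measure alone.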

Figure 8 is a schematic diagram of the operating state machine of a legitimate AP according to an embodiment of the present invention.

A legitimate AP that has not received a rogue-AP event notification is in the normal state of serving wireless clients (SERVING). After it receives an event notification that a rogue AP exists in the company's wireless network environment, it enters the state of scanning for rogue APs (SCANNING). If it receives an event notification that a legitimate client has connected to a rogue AP, it enters the De-auth state (De-auth) and sends De-auth packets to break the connection between the legitimate wireless client and the rogue AP.

When the legitimate AP, having received a rogue-AP event notification, goes from the idle state (IDLE) to the scanning state (SCANNING), it is to detect rogue APs: it obtains the RSSI values of neighboring APs and checks whether a rogue AP is present.

When the legitimate AP, having received an event notification that a legitimate client has connected to a rogue AP, goes from the idle state (IDLE) to the rogue-connection state (De-auth), it sends De-auth packets to break the connection between the legitimate wireless client and the rogue AP.

When the legitimate AP is to go from the scanning state (SCANNING) to the idle state (IDLE), the operation of detecting rogue APs is ending: it stops scanning the RSSI values of neighboring APs and sends a report to the Wireless Network Management System (WNMS).

When the legitimate AP is to go from the scanning state (SCANNING) to the rogue-connection state (De-auth), it has received an event notification that a legitimate client has connected to a rogue AP; on going from the idle state (IDLE) to the rogue-connection state (De-auth), it sends De-auth packets to break the connection between the legitimate wireless client and the rogue AP.

After the legitimate AP has broken the connection between the legitimate wireless client and the rogue AP, it goes from the rogue-connection state (De-auth) to the serving state (SERVING) and switches to normal operation.

When the legitimate AP is to go from the serving state (SERVING) to the idle state (IDLE), it performs no operation.

When the legitimate AP is to go from the serving state (SERVING) to the scanning state (SCANNING), it is to detect rogue APs: it obtains the RSSI values of neighboring APs and checks whether a rogue AP is present.

The detection method for rogue access points implemented by the present invention can detect in real time whether a rogue AP is present in the enterprise wireless network. In addition, the clock-skew-based detection used by the invention prevents a rogue AP from impersonating the MAC of a legitimate AP in the enterprise wireless network. Furthermore, the detection method of the embodiment of the present invention not only improves the accuracy of the positioning model by self-learning from the observation-point data but also locates rogue APs quickly, greatly improving the security of the enterprise wireless network.

Figure 9 is a schematic diagram of the hardware architecture of the mobile electronic device according to an embodiment of the present invention. The electronic device 200 includes, but is not limited to, a processor 210, a memory 220 and a rogue AP detection system 230, which can be communicatively connected to one another through a system bus. Figure 9 shows only the electronic device 200 with elements 210-230, but it should be understood that not all of the illustrated elements are required and that more or fewer elements may be implemented instead.

The memory 220 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc and the like. In some embodiments, the memory 220 may be an internal storage unit of the electronic device 10, such as a hard disk or memory of the electronic device 200. In other embodiments, the memory may also be an external storage device of the electronic device 200, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the electronic device 200. The memory 220 may also include both an internal storage unit of the electronic device 200 and its external storage device. In this embodiment, the memory 220 is typically used to store the operating system and the various application software installed on the electronic device 200, such as the program code of the rogue AP detection system 230. In addition, the memory 220 may be used to temporarily store various types of data that have been output or are to be output.

In some embodiments, the processor 210 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 210 is typically used to control the overall operation of the electronic device 200. In this embodiment, the processor 210 is used to run the program code stored in the memory 220 or to process data, for example, to run the rogue AP detection system 230.

Figure 9 illustrates the electronic device 200 only by way of example. In other embodiments, the electronic device 200 may include more or fewer elements, or have a different configuration of elements.

Figure 10 is a functional block diagram of the electronic device according to an embodiment of the present invention, which is used to execute the detection method for rogue access points. The detection method of the embodiment of the present invention can be implemented by a computer program in a storage medium, for example, the memory 220 in the electronic device 200. When the computer program implementing the method of the present invention is loaded into the memory 220 by the processor 210, it drives the processor 210 of the mobile device 200 to execute the detection method for rogue access points of the embodiment of the present invention.

The electronic device 200 of the embodiment of the present invention includes a processing module 310, a detection module 320 and a positioning module 330.

The processing module 310 collects the timestamps of each AP's Beacon packets.

The wireless intrusion detector scans every wireless channel and records the timestamps of the Beacon packets detected from each AP, for example $T_0, T_1, T_2, \ldots$, and calculates the time difference of each Beacon packet, for example $X_i = T_i - T_0$, to serve as the database from which the clock skew model of each AP is built.

The processing module 310 calculates the clock skew of each AP from the collected timestamps and establishes the clock skew model of each AP from its clock skew.

Assume that the clock skew model of the AP is , where is the initial value of the clock skew and is the growth slope of the clock skew. After and are estimated by the least-squares method, the clock skew model of each AP is obtained, as shown in Figure 2.

The detection module 320 determines whether a rogue AP is detected. If no rogue AP is detected, the processing module 310 continues building the clock skew model of each AP.

If a rogue AP is detected, the detection module 320 selects several legitimate APs adjacent to the rogue AP, for example, at least 3 legitimate APs, and collects RSSI values relative to the rogue AP through the selected legitimate APs.

The positioning module 330 locates the rogue AP according to the collected RSSI values and determines whether the rogue AP has been removed. If the rogue AP has not yet been removed, the detection module 320 has the selected legitimate APs continue collecting RSSI values relative to the rogue AP. If the rogue AP has been removed, the detection module 320 and the positioning module 330 stop collecting RSSI values and locating the AP.

Figure 11 is a functional block diagram of the positioning module according to an embodiment of the present invention, which is used to locate rogue APs. The positioning module 330 of the embodiment of the present invention includes a definition unit 3310, a measurement unit 3320 and a detection and positioning unit 3330.

The definition unit 3310 defines the virtual coordinates of the legitimate APs in a network service area.

The service area of the enterprise wireless network is laid out as a planar space with virtual coordinates, and each legitimate AP is assigned virtual coordinates $\{X_1, X_2, X_3, \ldots, X_n\}$, so that the legitimate APs can be used to detect the relative position and predicted coordinates of a rogue AP.

The definition unit 3310 defines at least one reference monitor point in the network service area.

One or more observation points $\{P_1, P_2, P_3, \ldots, P_n\}$ in the planar space of the aforementioned virtual coordinates are selected as the reference points for measuring the RSSI value of each legitimate AP.

The measurement unit 3320 measures and records the RSSI value of each legitimate AP to obtain the RSSI vector of the observation point relative to all legitimate APs.

When the wireless network is installed, a terminal device at each observation point measures and records the signal strength of every legitimate AP, in order to build the RSSI vector between the legitimate APs and each virtual coordinate. In addition, the signal strength of all legitimate APs is measured at each observation point to build the RSSI correlation vector of each legitimate AP with respect to all observation points (M1, M2), as shown in Figure 4. Table 1 records the RSSI correlation vectors of the observation points relative to all legitimate APs.

Table 1

| Legitimate AP \ Observation point | $P_1(a_1, b_1)$ | $P_2(a_2, b_2)$ | $P_n(a_n, b_n)$ |
|---|---|---|---|
| $AP_1(x_1, y_1)$ | -35 | -45 | -55 |
| $AP_2(x_2, y_2)$ | -45 | -55 | -35 |
| ... | ... | ... | ... |
| $AP_m(x_m, y_m)$ | -55 | -45 | -65 |

量測單元3320儲存量測到的RSSI向量值到資料庫。The measurement unit 3320 stores the measured RSSI vector value into a database.

量測單元3320根據取得的RSSI向量值建立與觀測點相關的合法AP的RSSI關聯模型(Correlation Model)。The measurement unit 3320 establishes an RSSI correlation model (Correlation Model) of a valid AP related to the observation point according to the obtained RSSI vector value.

偵測與定位單元3330根據建立的RSSI關聯模型偵測到非法AP。The detecting and locating unit 3330 detects illegal APs according to the established RSSI correlation model.

The wireless intrusion detection device continuously scans all wireless channels and collects the beacon packet information of the APs. After the clock skew model of each AP has been established, the growth slope b_1 of each AP's clock skew is compared. If an unknown b_1 is present, the corresponding AP is determined to be a rogue AP, as shown in FIG. 5.
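The slope comparison described above, as an added Python example that is not code from the patent: it fits the slope b_1 of clock offset against elapsed time by least squares and flags a BSSID whose slope does not match the enrolled one. The offset definition (beacon timestamp delta minus sniffer receive-time delta), the 102400 µs beacon interval, the 1 ppm tolerance, the BSSID and the beacon samples are all assumptions constructed for the example.

```python
import random

BEACON_INTERVAL_US = 102_400  # assumed beacon interval for the constructed data

def make_beacons(skew_ppm, n=600, jitter_us=20, seed=1):
    """Constructed sample data: (sniffer_rx_time_us, beacon_timestamp_us) pairs."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        ideal = i * BEACON_INTERVAL_US
        rx = ideal + rng.uniform(-jitter_us, jitter_us)  # receive-side jitter
        tsf = 5_000_000 + round(ideal * (1 + skew_ppm * 1e-6))
        out.append((rx, tsf))
    return out

def skew_slope_ppm(beacons):
    """Least-squares slope b_1 of clock offset versus elapsed time, in ppm."""
    if len(beacons) < 2:
        raise ValueError("need at least two beacons")
    rx0, tsf0 = beacons[0]
    xs = [rx - rx0 for rx, _ in beacons]
    # Offset of the AP clock relative to the sniffer clock at each beacon.
    ys = [(tsf - tsf0) - (rx - rx0) for rx, tsf in beacons]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 1e6 * sxy / sxx

def is_rogue(bssid, beacons, baseline_ppm, tol_ppm=1.0):
    """True when the BSSID is not enrolled or its slope b_1 is unknown."""
    known = baseline_ppm.get(bssid)
    if known is None:
        return True
    return abs(skew_slope_ppm(beacons) - known) > tol_ppm

# Enrolment: slope learned for a legitimate AP (the BSSID is a made-up value).
BASELINE = {"02:00:00:00:00:01": skew_slope_ppm(make_beacons(12.5, seed=1))}

if __name__ == "__main__":
    legit = make_beacons(12.5, seed=2)    # same oscillator, later capture
    spoof = make_beacons(-31.0, seed=3)   # same BSSID, different oscillator
    for label, sample in (("legit", legit), ("spoof", spoof)):
        print(label, round(skew_slope_ppm(sample), 2),
              is_rogue("02:00:00:00:00:01", sample, BASELINE))
```
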

When a rogue AP is detected, the wireless network controller notifies each legitimate AP to report the RSSI vector value it measures for the detected rogue AP, so that the wireless network controller can locate the coordinates of the rogue AP ( P_r (a_{n+1}, b_{n+1}) ), as shown in Table 2 and FIG. 6.

Table 2

| Legitimate AP \ Observation point | P_1 (a_1, b_1) | P_2 (a_2, b_2) | P_n (a_n, b_n) | P_r (a_{n+1}, b_{n+1}) |
|---|---|---|---|---|
| AP_1 (x_1, y_1) | -35 | -45 | -55 | -65 |
| AP_2 (x_2, y_2) | -45 | -55 | -35 | -55 |
| ... | ... | ... | ... | ... |
| AP_m (x_m, y_m) | -55 | -45 | -65 | -45 |

After receiving the RSSI vector values of the rogue AP detected by each legitimate AP, the wireless network controller reconstructs the RSSI vector of the legitimate APs and passes it to the clock skew model of the rogue AP, to calculate the coordinates of the rogue AP.

The clock skew model of the rogue AP calculates the cosine distance d between the rogue AP and each observation point, to obtain the observation point closest to the rogue AP and to predict the coordinates of the rogue AP, as shown in FIG. 7.

The detecting and locating unit 3330 compares the RSSI vector value of the rogue AP with the currently established RSSI correlation model.

The detecting and locating unit 3330 estimates the location of the rogue AP according to the comparison result.
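The comparison step described above, as an added Python example that is not code from the patent: it ranks the observation points by cosine distance d to the rogue AP's RSSI vector, using the dBm values of Table 1 and the P_r column of Table 2. The numeric virtual coordinates, the inverse-distance weighting over the k nearest points and the handling of APs that report nothing are assumptions made for the example.

```python
import math

# Fingerprint database: RSSI values (dBm) from Table 1.
# The numeric virtual coordinates are constructed for this example.
FINGERPRINTS = {
    "P1": {"xy": (0.0, 0.0),  "rssi": {"AP1": -35, "AP2": -45, "APm": -55}},
    "P2": {"xy": (10.0, 0.0), "rssi": {"AP1": -45, "AP2": -55, "APm": -45}},
    "Pn": {"xy": (0.0, 10.0), "rssi": {"AP1": -55, "AP2": -35, "APm": -65}},
}
# RSSI of the rogue AP as reported by each legitimate AP (Table 2, column P_r).
ROGUE_REPORT = {"AP1": -65, "AP2": -55, "APm": -45}

def cosine_distance(u, v):
    """d = 1 - cos(angle between u and v)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    if nu == 0 or nv == 0:
        raise ValueError("zero-length RSSI vector")
    return 1.0 - dot / (nu * nv)

def rank_points(report, fingerprints=FINGERPRINTS):
    """Return [(d, point)] sorted by d, using only APs that heard the rogue."""
    aps = sorted(ap for ap, v in report.items() if v is not None)
    if len(aps) < 2:
        raise ValueError("need reports from at least two legitimate APs")
    rogue = [report[ap] for ap in aps]
    ranked = []
    for name, fp in fingerprints.items():
        if all(ap in fp["rssi"] for ap in aps):
            ref = [fp["rssi"][ap] for ap in aps]
            ranked.append((cosine_distance(rogue, ref), name))
    return sorted(ranked)

def locate(report, k=2, fingerprints=FINGERPRINTS):
    """Nearest observation point plus an inverse-distance weighted estimate
    over the k nearest points (the weighting is an assumption)."""
    top = rank_points(report, fingerprints)[:k]
    weights = [1.0 / max(d, 1e-9) for d, _ in top]
    total = sum(weights)
    x = sum(w * fingerprints[n]["xy"][0] for w, (_, n) in zip(weights, top)) / total
    y = sum(w * fingerprints[n]["xy"][1] for w, (_, n) in zip(weights, top)) / total
    return top[0][1], (x, y)

if __name__ == "__main__":
    for d, name in rank_points(ROGUE_REPORT):
        print(f"{name}: d = {d:.4f}")
    print(locate(ROGUE_REPORT))
```

Cosine distance ignores overall magnitude, so two RSSI vectors that differ only by a constant scale factor have distance 0; the ranking reflects the pattern across APs rather than the absolute signal level.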

If the modules/units integrated in the electronic device 200 are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. On this understanding, all or part of the processes in the methods of the above embodiments may also be carried out by a computer program that instructs the relevant hardware. The computer program can be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory, random access memory, electrical carrier signals, telecommunication signals, software distribution media, and the like. It should be noted that the content covered by the computer-readable medium may be expanded or reduced as required by legislation and patent practice in a given jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.

It should be understood that the module division described above is only a division by logical function, and other divisions are possible in an actual implementation. In addition, the functional modules in the embodiments of the present application may be integrated into the same processing unit, each module may exist physically on its own, or two or more modules may be integrated into the same unit. The integrated modules may be implemented in hardware, or as hardware combined with software functional modules.

The above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the embodiments, a person of ordinary skill in the art should understand that the technical solutions of the present invention may be modified or replaced with equivalents without departing from the spirit and scope of the technical solutions of the present invention.

200: electronic device

210: processor

220: memory

230: rogue access point detection system

310: processing module

320: detection module

330: positioning module

3310: defining unit

3320: measurement unit

3330: detecting and locating unit

FIG. 1 is a flowchart of the steps of the rogue access point detection method according to an embodiment of the present invention.

FIG. 2 is a schematic diagram of establishing a clock skew model according to an embodiment of the present invention.

FIG. 3 is a flowchart of the steps for locating a rogue access point according to an embodiment of the present invention.

FIG. 4 is a schematic diagram of measuring RSSI vector values between an observation point and the legitimate APs according to an embodiment of the present invention.

FIG. 5 is a schematic diagram of detecting a rogue access point according to an embodiment of the present invention.

FIG. 6 is a schematic diagram of locating a rogue access point according to an embodiment of the present invention.

FIG. 7 is a schematic diagram of calculating the distance between an observation point and a rogue AP according to an embodiment of the present invention.

FIG. 8 is a schematic diagram of the operating state machine of a legitimate AP according to an embodiment of the present invention.

FIG. 9 is a schematic diagram of the hardware architecture of an electronic device according to an embodiment of the present invention.

FIG. 10 is a functional block diagram of an electronic device according to an embodiment of the present invention.

FIG. 11 is a functional block diagram of a positioning module according to an embodiment of the present invention.

none

Claims (10)

1. A method for detecting a rogue access point, applied to an electronic device, comprising the following steps:
collecting timestamps of beacon packets of each AP among a plurality of wireless access points (APs);
calculating the clock skew of each AP according to the collected timestamps;
establishing a clock skew model of each AP according to the clock skew of each AP;
determining whether a rogue AP is detected;
if the rogue AP is detected, selecting a plurality of legitimate APs adjacent to the rogue AP;
collecting, by the selected legitimate APs, received signal strength indicator (RSSI) values relative to the rogue AP; and
locating the rogue AP according to the collected RSSI values.

2. The method for detecting a rogue access point according to claim 1, wherein the step of locating the rogue AP according to the collected RSSI values further comprises the following steps:
defining virtual coordinates of the legitimate APs of a network service area;
defining at least one reference monitor point in the network service area;
measuring and recording the RSSI value of each legitimate AP, to obtain the RSSI vector values of the reference monitor point relative to all legitimate APs;
storing the RSSI vector values in a database;
establishing, according to the RSSI vector values, a plurality of RSSI correlation models of the legitimate APs related to the reference monitor point;
detecting the rogue AP according to the RSSI correlation models;
comparing an RSSI vector value of the rogue AP with the RSSI correlation models; and
estimating the location of the rogue AP according to the comparison result.

3. The method for detecting a rogue access point according to claim 2, further comprising the following step:
selecting the observation point in the planar space of the virtual coordinates as a reference point for measuring the RSSI value of each legitimate AP.

4. The method for detecting a rogue access point according to claim 1, further comprising the following steps:
determining whether the rogue AP has been removed; and
if the rogue AP has been removed, stopping the operations of collecting the RSSI values and locating the AP.

5. The method for detecting a rogue access point according to claim 4, further comprising the following step:
if the rogue AP has not yet been removed, continuing to have the selected legitimate APs collect RSSI values relative to the rogue AP.

6. The method for detecting a rogue access point according to claim 1, wherein collecting the timestamps of the beacon packets of each of the APs further comprises the following steps:
scanning the wireless transmission channel of each AP by means of a wireless intrusion detector;
recording the timestamps of the beacon packets detected for each of the APs; and
calculating a time difference value for each beacon packet according to the timestamps, to serve as a database for establishing the clock skew models of each AP.

7. An electronic device, comprising:
a processing module, configured to collect timestamps of beacon packets of each AP among a plurality of APs, calculate the clock skew of each AP according to the collected timestamps, and establish a clock skew model of each AP according to the clock skew of each AP;
a detection module, configured to determine whether a rogue AP is detected and, if the rogue AP is detected, to select a plurality of legitimate APs adjacent to the rogue AP and cause the selected legitimate APs to collect RSSI values relative to the rogue AP; and
a positioning module, configured to locate the rogue AP according to the collected RSSI values.

8. The electronic device according to claim 7, wherein the positioning module comprises:
a defining unit, configured to define virtual coordinates of the legitimate APs of a network service area, and to define at least one reference monitor point in the network service area;
a measurement unit, configured to measure and record the RSSI value of each legitimate AP, to obtain the RSSI vector values of the observation point relative to all legitimate APs, and to store the RSSI vector values in a database; and
a detecting and locating unit, configured to establish, according to the RSSI vector values, a plurality of RSSI correlation models of the legitimate APs related to the observation point, detect the rogue AP according to the RSSI correlation models, compare an RSSI vector value of the rogue AP with the RSSI correlation models, and estimate the location of the rogue AP according to the comparison result.

9. The electronic device according to claim 8, wherein the detecting and locating unit determines whether the rogue AP has been removed and, if the rogue AP has been removed, stops the operations of collecting the RSSI values and locating the AP.

10. A computer-readable storage medium, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method for detecting a rogue access point according to claims 1 to 6.
TW110127740A 2021-07-28 2021-07-28 Detection method for rogue access points, electronic device and readable storage medium TWI799927B (en)

Publications (2)

Publication Number Publication Date
TW202306404A true TW202306404A (en) 2023-02-01
TWI799927B TWI799927B (en) 2023-04-21

Family

ID=86661458

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110127740A TWI799927B (en) 2021-07-28 2021-07-28 Detection method for rogue access points, electronic device and readable storage medium

Country Status (1)

Country Link
TW (1) TWI799927B (en)
