US20100132040A1 - Automated method and system for monitoring local area computer networks for unauthorized wireless access - Google Patents

Automated method and system for monitoring local area computer networks for unauthorized wireless access Download PDF

Info

Publication number
US20100132040A1
US20100132040A1 US12/419,300 US41930009A US2010132040A1 US 20100132040 A1 US20100132040 A1 US 20100132040A1 US 41930009 A US41930009 A US 41930009A US 2010132040 A1 US2010132040 A1 US 2010132040A1
Authority
US
United States
Prior art keywords
lan
wireless
sniffer
packet
aps
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/419,300
Inventor
Pravin Bhagwat
Shantanu Gogate
David C. King
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mojo Networks LLC
Original Assignee
Airtight Networks Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=40636101&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20100132040(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Airtight Networks Inc filed Critical Airtight Networks Inc
Priority to US12/419,300 priority Critical patent/US20100132040A1/en
Publication of US20100132040A1 publication Critical patent/US20100132040A1/en
Priority to US13/399,626 priority patent/US8789191B2/en
Priority to US13/533,674 priority patent/US9003527B2/en
Priority to US14/307,351 priority patent/US20140298467A1/en
Assigned to WESTERN ALLIANCE BANK reassignment WESTERN ALLIANCE BANK SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MOJO NETWORKS, INC.
Assigned to MOJO NETWORKS, INC., FORMERLY KNOWN AS AIRTIGHT NETWORKS, INC reassignment MOJO NETWORKS, INC., FORMERLY KNOWN AS AIRTIGHT NETWORKS, INC RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: WESTERN ALLIANCE BANK
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163In-band adaptation of TCP data exchange; In-band control procedures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/102Route integrity, e.g. using trusted paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Definitions

  • the present invention also relates to U.S. Ser. No. ______ (Attorney Docket No. 022384-000620US) filed on the same date, which claims priority to U.S. Provisional Application No. 60/543,631, titled “An Automated Method and an RF Sensor System for Wireless Unauthorized Transmission, Intrusion Detection and Prevention,” filed Feb. 10, 2004, commonly assigned, and each of which is hereby incorporated by reference for all purposes.
  • the present invention relates generally to wireless computer networking techniques. More particularly, the invention provides a method and a system for providing intrusion detection for local area wireless networks according to a specific embodiment.
  • the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability.
  • the invention can be applied to Ultra Wide Band (“UWB”), IEEE 802.16 commonly known as “WiMAX”, Bluetooth, and others.
  • UWB Ultra Wide Band
  • WiMAX IEEE 802.16
  • Bluetooth Bluetooth
  • Such systems include personal computers, which are often called “PCs” for short, to large mainframe and server class computers.
  • Powerful mainframe and server class computers run specialized applications for banks, small and large companies, e-commerce vendors and governments. Smaller personal computers can be found in many if not all offices, homes, and even local coffee shops.
  • These computers interconnect with each other through computer communication networks based on packet switching technology such as the Internet protocol or IP.
  • IP Internet protocol
  • the computer systems located within a specific local geographic area such as office, home or other indoor and outdoor premises interconnect using a Local Area Network, commonly called, LAN. Ethernet is by far the most popular networking technology for LANs.
  • the LANs interconnect with each other using a Wide Area Network called “WAN” such as the famous Internet.
  • WAN Wide Area Network
  • the conventional LAN is usually deployed using an Ethernet based infrastructure comprising cables, hubs switches, and other elements.
  • a number of connection ports (e.g., Ethernet ports) are used to couple various computer systems to the LAN.
  • a user can connect to the LAN by physically attaching a computing device such as laptop, desktop or handheld computer to one of the connection ports using physical wires or cables.
  • Other computer systems such as database computers, server computers, routers and Internet gateways also connect to the LAN to provide specific functionalities and services.
  • Once physically connected to the LAN the user often accesses a variety of services such as file transfer, remote login, email, WWW, database access, and voice over IP. Security of the LAN often occurs by controlling access to the physical space where the LAN connection ports are located.
  • wireless communication technologies wirelessly connect users to the computer communication networks.
  • a typical application of these technologies provides wireless access to the local area network in the office, home, public hot-spots, and other geographical locations.
  • the IEEE 802.11 family of standards commonly called WiFi
  • WiFi is the common standard for such wireless application.
  • the 802.11b standard-based WiFi often operates at 2.4 GHz unlicensed radio frequency spectrum and offers wireless connectivity at speeds up to 11 Mbps.
  • the 802.11g compliant WiFi offers even faster connectivity at about 54 Mbps and operates at 2.4 GHz unlicensed radio frequency spectrum.
  • the 802.11a provides speeds up to 54 Mbps operating in the 5 GHz unlicensed radio frequency spectrum.
  • the WiFi enables a quick and effective way of providing wireless extension to the existing LAN.
  • WiFi access points In order to provide wireless extension of the LAN using WiFi, one or more WiFi access points (APs) connect to the LAN connection ports either directly or through intermediate equipment such as WiFi switch.
  • a user now wirelessly connects to the LAN using a device equipped with WiFi radio, commonly called wireless station, which communicates with the AP.
  • the connection is free from cable and other physical encumbrances and allows the user to “Surf the Web”, check e-mail or use enterprise computer applications in an easy and efficient manner.
  • certain limitations still exist with WiFi. That is, the radio waves often cannot be contained in the physical space bounded by physical structures such as the walls of a building. Hence, wireless signals often spill outside the area of interest.
  • Unauthorized users can wirelessly connect to the AP and hence gain access to the LAN from the spillage areas such as the street, parking lot, and neighbor's premises. Consequently, the conventional security measure of controlling access to the physical space where the LAN connection ports are located is now inadequate.
  • the AP can employ certain techniques. For example, the user is required to carry out authentication handshake with the AP (or a WiFi switch that resides between the AP and the existing LAN) before being able to connect to the LAN. Examples of such handshake are Wireless Equivalent Privacy (WEP) based shared key authentication, 802.1x based port access control, 802.11i based authentication.
  • WEP Wireless Equivalent Privacy
  • the AP can provide additional security measures such as encryption, firewall.
  • Other techniques also exist to enhance security of the LAN over WiFi.
  • a threat of an unauthorized AP being connected to the LAN often remains with the LANs.
  • the unauthorized AP creates security vulnerability.
  • the unauthorized AP allows wireless intruders to connect to the LAN through itself. That is, the intruder accesses the LAN and any proprietary information on computers and servers on the LAN without the knowledge of the owner of the LAN.
  • Soft APs, ad hoc networks, and misconfigured APs connected to the LAN also pose similar threats. Appropriate security mechanisms are thus needed to protect the LAN resources from wireless intruders.
  • the invention provides a method and a system for providing intrusion detection for local area wireless networks.
  • the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability.
  • the invention can be applied to UWB, WiMAX (802.16), Bluetooth, and others.
  • the present invention provides a method for monitoring a wireless communication space (e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.) occupied by one or more computer networks.
  • the method includes monitoring a selected local geographic region using one or more sniffer devices.
  • Each of the sniffer devices is spatially disposed within the selected local geographic region and/or within a vicinity of the selected local region.
  • the selected local geographic region is occupied by connection points to a local area computer network, e.g., Ethernet, wireless LAN, and IP.
  • the method includes initiating a wireless activity.
  • the method also includes detecting the wireless activity within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices.
  • the wireless activity is derived from at least one authorized device, at least one unauthorized device, or at least one external device.
  • the method includes receiving identity information (e.g., source information, destination information, MAC address) associated with the wireless activity in a classification process and labeling the identity information into at least one of a plurality of categories.
  • the method includes transferring an indication associated with the identify information to a prevention process.
  • the present invention provides a method for monitoring a wireless communication space occupied by one or more computer networks using one or more marker packets.
  • the method includes monitoring a selected local geographic region using one or more sniffer devices.
  • Each of the sniffer devices is spatially disposed within the selected local geographic region, the selected local geographic region occupied by connection points to a local area computer network.
  • the method includes providing a marker packet from an originating device, which is coupled to the local area computer network.
  • the originating device can include a server, a computer system, a sniffer, or any combination of these, and the like.
  • the method includes transferring the marker packet through the local area network to an access point.
  • the method outputs the marker packet from the access point to a wireless medium and captures a wireless activity (e.g., information associated with the wireless activity) associated with the marker packet within the selected local area using at least one of the sniffer devices.
  • the method includes processing the wireless activity to identify the marker packet and determining identity information associated with the wireless activity associated with the marker packet.
  • the access point does not receive the marker packet transferred through the local area network and consequently the marker packet is not output to the wireless medium. Then the wireless activity associated with the marker packet cannot be detected on the wireless medium by any of the sniffer devices.
  • the invention provides an automated system (e.g., fully-automated) for monitoring a wireless communication space occupied by one or more computer networks.
  • the system comprises one or more sniffer devices adapted to monitor a selected local geographic region.
  • Each of the sniffer devices is spatially disposed within the selected local geographic region, which is occupied by connection points to a local area computer network.
  • the system has one or more computer executable codes in one or more memories in preferred embodiments.
  • a code is directed to perform a process for detection of a wireless activity within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices.
  • the wireless activity is derived from at least one authorized device, or at least one unauthorized device, or at least one external device, or other like devices.
  • a code is directed to receiving identity information associated with the wireless activity from the detection process in a classification process and a code is directed to labeling the identity information into at least one of a plurality of categories in the classification process.
  • the system also has a code directed to transferring an indication associated with the identify information to a prevention process.
  • the present invention provides computer based system for monitoring a wireless communication space using one or more marker packets occupied by one or more computer networks.
  • the system has one or more sniffer devices adapted to monitor a selected local geographic region. Each of the sniffer devices is spatially disposed within the selected local geographic region. The selected local geographic region is occupied by connection points to a local area computer network.
  • the system also has one or more computer memories storing one or more computer executable codes. One or more codes is directed to providing a marker packet from an originating device, which is coupled to the local area computer network. One or more codes is directed to transferring the marker packet through the local area network to an access point, which is coupled to the local area network.
  • One or more codes is directed to outputting the marker packet from the access point to a wireless medium.
  • One or more codes is directed to receiving a wireless activity information associated with the marker packet within the selected local area using at least one of the sniffer devices.
  • One or more codes is directed to processing the wireless activity information associated with the marker packet to identify the marker packet and one or more codes is directed to determining identity information associated with the wireless activity associated with the marker packet.
  • there may be other codes or combination of codes which may be in software, firmware, and/or hardware, to carry out other functionality described herein and outside of the present specification.
  • the wireless activity in a geographic area containing LAN connection ports is monitored using one or more sniffers.
  • one or more APs that are operating in said geographic area are identified.
  • the active APs so identified are automatically classified into three categories, namely “authorized” APs (those that are allowed by network administrator), “unauthorized” APs (those that are not allowed by the network administrator, but are still connected to the LAN of interest) and “external” APs (those that are not allowed by network administrator but are not connected to the LAN of interest, for example APs connected to the neighbor's LAN).
  • the sniffers continue to monitor the selected geographic area to detect any wireless station attempting to connect to or communicating with the one or more identified unauthorized APs.
  • an intrusion alert is generated and actions are taken to disable or disrupt any communication between unauthorized AP and intruding wireless station.
  • one or more tests are performed to identify if a given AP is connected to the LAN of interest.
  • a packet called marker packet is transmitted to the AP through the LAN.
  • the AP if indeed connected to the LAN, in turn transmits the marker packet onto the wireless medium.
  • the sniffer detects the transmission of the marker packet by the AP on the wireless medium, said AP is identified as connected to the LAN of interest.
  • a marker packet is transmitted by the sniffer to the AP over a wireless medium.
  • the marker packet is addressed to a destination address. If the AP is indeed connected to the LAN, it transfers the marker packet to the LAN and the marker packet is finally received at the destination address.
  • the information about the identity of the AP to which the marker packet is transmitted by the sniffer and the fact that said marker packet is received at the destination address are used to infer that said AP is connected to the LAN.
  • one or more tests are performed to identify if a given AP is an authorized AP.
  • these tests are directed to compare the feature set of an AP derived from the observations made by one or more sniffers with the feature set known to be of the authorized APs.
  • the sniffers perform passive monitoring and/or active probing to capture the AP behavior which in turn is used in determining its feature set.
  • the present invention provides a method for monitoring a wireless communication space using one or more marker packets occupied by one or more computer networks.
  • the method includes monitoring a selected local geographic region using one or more sniffer devices.
  • Each of the sniffer devices is spatially disposed within the selected local geographic region, which is occupied by one or more connection points to a local area computer network.
  • the method includes detecting a wireless activity associated with a trigger packet within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices and providing a marker packet based upon at least information from the trigger packet from an originating device, which is coupled to the local area computer network.
  • the method includes transferring the marker packet through the local area network to an access point and outputting the marker packet from the access point to a wireless medium.
  • the method also includes capturing a wireless activity associated with the marker packet within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices and processing the wireless activity associated with the marker packet to identify the marker packet.
  • the method includes determining identity information associated with the wireless activity associated with the marker packet and/or trigger packet.
  • the present invention provides a method for testing connectivity of a wireless communication space using one or more marker packets occupied by one or more computer networks.
  • the method includes providing a marker packet from an originating device, which is coupled to the local area computer network.
  • the local area network being within a selected local geographic region, which includes one or more sniffer devices, which are spatially disposed within the selected local geographic region.
  • the selected local geographic region is occupied by one or more connection points to the local area computer network.
  • the method includes transferring the marker packet through the local area network to one or more access point, which may or may not be connected to the local area network.
  • the method includes outputting the marker packet from the one or more access point only if the one or more access points are connected to the local area computer networks and capturing a wireless activity associated with the marker packet within the selected local area using at least one of the sniffer devices.
  • the method processes the wireless activity to identify the marker packet and determines identity information associated with the wireless activity associated with the marker packet.
  • the present technique provides an easy to use process that relies upon conventional computer hardware and software technologies.
  • the method and system are fully automated and can be used to prevent unauthorized wireless access of local area computer networks.
  • the automated operation minimizes the human effort required during the system operation and improves the system response time and accuracy.
  • the method and system advantageously reduce or eliminate the false positives on intrusion events thereby eliminating the nuisance factor during the system operation. This is because the technique of the invention intelligently distinguishes between unauthorized APs and external APs, the latter usually being the source of false positives.
  • the method and system of invention provide alternatives of client-server implementation or standalone appliance implementation thereby providing intrusion detection solution to suit the cost, the network size and the management effort requirements. Additionally, the invention is compatible with conventional wireless and wired networking technologies without substantial modifications to conventional equipment and processes according to a specific embodiment. Depending upon the embodiment, one or more of these benefits may be achieved. These and other benefits will be described in more throughout the present specification and more particularly below.
  • FIG. 1 shows a simplified LAN architecture that supports wireless intrusion detection according to an embodiment of the present invention.
  • FIG. 1A illustrates a simplified flow diagram of an intrusion detection method according to an embodiment of the present invention.
  • FIG. 2 shows a simplified logical flow of steps according to a method of an embodiment of the present invention.
  • FIG. 3 shows a simplified logical flow of steps for maintaining the list of active APs according to an embodiment of the present invention.
  • FIG. 4 shows a simplified logical flow of steps in an embodiment of the LAN connectivity test according to the present invention.
  • FIG. 5 shows a simplified logical flow of steps in another embodiment of the LAN connectivity test according to the present invention.
  • FIG. 6 shows a simplified logical flow of steps in yet another embodiment of the LAN connectivity test according to the present invention.
  • FIG. 7 is a simplified system diagram according to an embodiment of the present invention.
  • FIG. 8 is a simplified system diagram according to an alternative embodiment of the present invention.
  • FIG. 9 is a simplified system diagram according to a distributed implementation embodiment of the present invention.
  • FIG. 10 is a simplified system diagram of a standalone implementation according to an embodiment of the present invention.
  • the invention provides a method and a system for providing intrusion detection for local area wireless networks.
  • the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability.
  • the invention can be applied to UWB, WiMAX (802.16), Bluetooth, and others.
  • FIG. 1 shows the LAN architecture that supports the intrusion detection according to one embodiment of the invention.
  • the core transmission infrastructure 102 for the LAN 101 comprises of Ethernet cables, hubs and switches. Other devices may also be included.
  • Plurality of connection ports e.g., Ethernet ports
  • One or more end user devices 103 such as desktop computers, notebook computers, telemetry sensors etc. are connected to the LAN 101 via one or more connection ports 104 using wires (Ethernet cable) or other suitable devices.
  • One or more database computers 105 may be connected to the LAN via one or more connection ports 108 .
  • Examples of information stored in database computers include customer accounts, inventory, employee accounts, financial information etc.
  • One or more server computers 106 may be connected to the LAN via one or more connection ports 109 .
  • Examples of services provided by server computers include database access, email storage, HTTP proxy service, DHCP service, SIP service, authentication, network management etc.
  • the router 107 is connected to the LAN via connection port 110 and it acts as a gateway between the LAN 101 and the Internet 111 .
  • the firewall/VPN gateway 112 protects computers in the LAN against hacking attacks from the Internet 111 . It may additionally also enable remote secure access to the LAN.
  • WiFi is used to provide wireless extension of the LAN.
  • one or more authorized WiFi APs 113 A, 113 B are connected to the LAN via WiFi switch 114 .
  • the WiFi switch is connected to the LAN connection port 115 .
  • the WiFi switch enables offloading from APs some of the complex procedures for authentication, encryption, QoS, mobility, firewall etc., and also provides centralized management functionality for APs.
  • One or more authorized WiFi AP 116 may also be directly connected to the LAN connection port 117 . In this case AP 116 may itself perform necessary security procedures such as authentication, encryption, firewall, etc.
  • One or more end user devices 118 such as desktop computers, laptop computers, handheld computers (PDAs) equipped with WiFi radio can now wirelessly connect to the LAN via authorized APs 113 A, 113 B and 116 .
  • WiFi has been provided according to the present embodiment, there can also be other types of wireless network formats such as UWB, WiMax, Bluetooth, and others.
  • One or more unauthorized APs can be connected to the LAN.
  • the figure shows unauthorized AP 119 connected to the LAN connection port 120 .
  • the unauthorized AP may not employ the right security policies.
  • traffic through this AP may bypass security policy enforcing elements such as, for example, WiFi switch 114 .
  • the AP 119 thus poses a security threat as intruders such as wireless station 126 can connect to the LAN and launch variety of attacks through this AP.
  • the unauthorized AP can be a rogue AP, a misconfigured AP, a soft AP, and the like.
  • a rogue AP can be an AP such as for example openly available in the market that is brought in by the person having physical access to the facility and connected to the LAN via the LAN connection port without the permission of the network administrator.
  • a misconfigured AP can be the AP otherwise allowed by the network administrator, but whose security parameters are, usually inadvertently, incorrectly configured. Such an AP can thus allow wireless intruders to connect to it.
  • Soft AP is usually a “WiFi” enabled computer system connected to the LAN connection port that also functions as an AP under the control of software. The software is either deliberately run on the computer system or inadvertently in the form of a virus program.
  • the figure also shows neighbor's AP 121 whose radio coverage spills into the area covered by LAN.
  • the AP 121 is however not connected to the concerned LAN 101 and is harmless from the intrusion standpoint.
  • the neighbor's AP can be an AP in the neighboring office, an AP is the laboratory not connected to the concerned LAN but used for standalone development or experimentation, an AP on the street providing free “WiFi” access to passersby and other APs, which co-exist with the LAN and share the airspace without any significant and/or harmful interferences.
  • a WiFi AP delivers data packets between the wired LAN and the wireless transmission medium.
  • the AP performs this function either by acting as a layer 2 bridge or as a network address translator (NAT).
  • the layer 2 bridge type AP simply transmits the Ethernet packet received on its wired interface to the wireless link after translating it to 802.11 style packet and vice versa.
  • the NAT AP acts as a layer 3 (IP) router that routes IP packets received on its wired interface to the stations connected to its wireless interface and vice versa.
  • IP layer 3
  • the intrusion detection system is provided to protect the LAN 101 from unauthorized APs and/or wireless intruders.
  • the system involves one or more sensor devices 122 A, 122 B (i.e., sniffers) placed throughout a geographic region or a portion of geographic region including the connection points to the LAN 101 .
  • the sniffer is able to monitor the wireless activity in the selected geographic region. For example, the sniffer listens to the radio channel and captures packets being transmitted on the channel. The sniffer cycles through the radio channels on which wireless communication can take place. On each radio channel, it waits and listens for any ongoing transmission.
  • the sniffer is able to operate on a plurality of radio channels simultaneously. Whenever transmission is detected, the relevant information about that transmission is collected and recorded.
  • This information comprises of all or a subset of information that can be gathered from various fields in the captured packet such as 802.11 MAC (medium access control) header, 802.2 LLC (i.e., logical link control) header, IP header, transport protocol (e.g., TCP, UDP, HTTP, RTP etc.) headers, packet size, packet payload and other fields.
  • Receive signal strength i.e., RSSI
  • Other information such as the day and the time of the day when said transmission was detected may also be recorded.
  • the sniffer device can be any suitable receiving/transmitting device capable of detecting wireless activity.
  • the sniffer often has a smaller form factor.
  • the sniffer device has a processor, a flash memory (where the software code for sniffer functionality resides), a RAM, two 802.11a/b/g wireless network interface cards (NICs), one Ethernet port (with optional power over Ethernet or POE), a serial port, a power input port, a pair of dual-band (2.4 GHz and 5 GHz) antennas, and at least one status indicator light emitting diode.
  • the sniffer can be built using the hardware platform similar to one used to build wireless access point, although functionality and software will be different for the sniffer device. Of course, one of ordinary skill in the art would recognize other variations, modifications, and alternatives. Further details of the sniffers are provided throughout the present specification and more particularly below.
  • One or more sniffers 122 A and 122 B may also be provided with radio transmit interface.
  • the radio transmit interface is used to transmit packets on the wireless medium.
  • the transmitted packets can be marker packets, probe packets, packets directed to perform intrusion prevention, and the like.
  • the sniffer is a dual slot device which has two wireless NICs. These NICs can be used in a variety of combinations, for example both for monitoring, both form transmitting, one for monitoring and the other for transmitting etc., under the control of software.
  • the sniffer has only one wireless NIC. The same NIC is shared in a time division multiplexed fashion to carry out monitoring as well as defense against intrusion.
  • Each sniffer 122 A, 122 B is also connected to the LAN via the connection ports 123 A, 123 B.
  • the sniffers can be spatially disposed at appropriate locations in the geographic area to be monitored for intrusion by using one or more of heuristics, strategy and calculated guess.
  • a more systematic approach using an RF (radio frequency) planning tool is used to determine physical locations where said sniffers need to be deployed according to an alternative embodiment of the present invention.
  • Each sniffer conveys information about the detected wireless transmission to data collection server for analysis, storage, processing and rendering.
  • the sniffer may filter and/or summarize the information before conveying it to the data collection server.
  • the sniffer receives configuration information from the data collection server. It may also receive specific instructions form the server as regards tuning to specific radio channel, detecting transmission of specific packet on the radio channel, launching defense against intrusion etc.
  • the sniffer connects to the data collection server over the LAN through the wired connection port.
  • the sniffer connects to the data collection server over the LAN through the wireless connection.
  • the sniffer device captures wireless activity.
  • wireless activity includes, among others, transmission of control, management or data packet between an AP and a wireless station or among wireless stations, and communication for establishing wireless connection between an AP and a wireless station often called association.
  • the configuration information from the data collection server includes, among others, the operating system software code and the operation parameters such as frequency spectrum and radio channels to be scanned, types of wireless activities to be detected etc.
  • the invention also provides certain methods for monitoring wireless activity in selected geographic regions.
  • the present invention provides a method for monitoring a wireless communication space (e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.) occupied by one or more computer networks which may be outlined as follows.
  • a wireless communication space e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.
  • the method uses a combination of steps including a way of detecting for an intrusion in the wireless computer networks.
  • the present invention also includes an automated method for transferring an indication of an intrusion to a prevention process, which would preferably stop the intruding device before any security problems or the like.
  • Many other methods and system are also included.
  • steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
  • the various methods can be implemented using a computer code or codes in software, firmware, hardware, or any combination of these. Depending upon the embodiment, there can be other variations, modifications, and alternatives. Further details of the present method can be found throughout the present specification and more particularly below.
  • FIG. 1A illustrates a simplified flow diagram of an intrusion detection method according to an embodiment of the present invention.
  • the present invention provides a method for monitoring a wireless communication space (e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.) occupied by one or more computer networks, e.g., wired, wireless.
  • the method includes providing a geographic region, step 1.
  • the geographic region can be within a building, outside of a building, or a combination of these.
  • the region can be provided in an office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities, etc.
  • the method includes operating a local area network in a selected portion of the geographic region.
  • the local area network (step 2) is commonly an Ethernet based network for private use and may be for public use or any combination of these.
  • the method monitors (step 3) a selected local geographic region in the geographic region using one or more sniffer devices.
  • the method includes detecting (step 4) a wireless activity from at least one authorized device, or at least one unauthorized device, or at least one external device, within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices.
  • the unauthorized device is one that is physically connected to the network but does not belong to the network. That is, the unauthorized device has intruded the network according to preferred embodiments.
  • the method includes receiving (step 5) at least identity information (e.g., source information, destination information, MAC address) associated with the wireless activity in a classification process.
  • the method also includes labeling (step 6) the identity information into at least one of a plurality of categories, e.g., authorized, not authorized, external, connected, not connected, and any combination of these.
  • identity information e.g., source information, destination information, MAC address
  • the method transfers (step 7) an indication associated with the identify information to a prevention process.
  • the method sends an indication of the unauthorized access point to the prevention process.
  • the indication is sent almost immediately or before the transmission of one or more packets to or from the unauthorized access point, which is virtually instantaneously.
  • the method sends the indication via an inter process signal between various processes, which can be provided in computer codes.
  • the method performs a selected function within the same process code to implement the prevention process. Certain details of the prevention process can be found throughout the present specification and more particularly below. Depending upon the embodiment, the method can perform other steps, as desired.
  • the method uses a combination of steps including a way of detecting for an intrusion using wireless computer networks.
  • the present invention also includes an automated method for transferring an indication of an intrusion to a prevention process, which would preferably stop the intruding device before any security problems or the like.
  • Many other methods and system are also included.
  • steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
  • the various methods can be implemented using a computer code or codes in software, firmware, hardware, or any combination of these. Depending upon the embodiment, there can be other variations, modifications, and alternatives.
  • FIG. 2 shows the logical flow of steps for wireless intrusion detection according to the method of the invention.
  • This diagram is merely an example, which should not unduly limit the scope of the claims herein.
  • One of ordinary skill in the art would recognize other variations, modifications, and alternatives.
  • the first step 201 is to maintain the list of active APs called the Active_AP_List.
  • An active AP is defined as the AP that was recently involved in the wireless transmission as the sender or the receiver.
  • An active AP can be detected by analyzing the wireless transmission on the radio channel captured by the sniffer. For example, every AP in the WiFi network periodically transmits a beacon packet for the client wireless stations to be able to connect to it.
  • the beacon packet contains information such as clock synchronization data, AP's MAC address (BSSID), supported data rates, service set identifiers (SSIDs), parameters for the contention and contention-free access to the wireless medium, capabilities as regards QoS, security policy etc.
  • detection of beacon packet transmission from an AP is used to identify said AP to be an active AP.
  • Beacon packet can be recognized from the type and subtype fields in the 802.11 MAC header of the beacon packet.
  • active AP can also be detected when any other wireless transmission (data, control or management packet) directed to or generating from it is observed by the sniffer. Whenever an active AP is detected, it is added to the Active_AP_List.
  • the Active_AP_List already contains entry for said AP, the corresponding entry is refreshed. Associated with each entry in the Active_AP_List are a short timeout and a long timeout values. After a short timeout, the corresponding entry is marked “inactive” and after a long timeout it is marked “historic”. The logical flow of steps for maintaining the Active_AP_List is shown in FIG. 3 . This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives.
  • the second step 202 is to classify the APs in Active_AP_List into at least three categories, namely “authorized”, “unauthorized” and “external”.
  • the authorized APs are defined to be the APs which are allowed to be connected to the LAN by the network administrator.
  • the unauthorized APs are defined to be the APs that are not allowed to be connected to the LAN, but are still connected to the LAN.
  • the unauthorized APs pose a security threat.
  • the external APs are defined to be the APs whose active presence can be detected by the sniffers but they are not connected to the LAN. For example, these can be neighbor's APs whose radio coverage spills into the physical space of interest.
  • the external APs do not pose a security threat.
  • One or more tests are performed to classify APs in the Active_AP_List into these categories.
  • the third step 203 is intrusion detection.
  • intrusion alert is generated.
  • the method sends an indication of the AP and/or intruding wireless station to a prevention process.
  • the indication is sent almost immediately or before the transmission of one or few more packets by intruders.
  • the method sends the indication via an inter process signal between various processes, which can be provided in computer codes.
  • the method performs a selected function within the same process code to implement the prevention process. Further details of the prevention process can be found throughout the present specification and more particularly below.
  • the fourth step 204 is intrusion prevention wherein subsequent to intrusion alert; action is taken to disable or disrupt any communication between unauthorized AP and intruding wireless station.
  • One embodiment of this step works by preventing or breaking the “association” between unauthorized AP and intruding wireless station. Association is the procedure defined in 802.11 standard wherein the wireless station and the AP establish a wireless connection between them.
  • Techniques for preventing or breaking the association include but are not limited to sending one or more spoofed “deauthentication” packets from one or more sniffers with AP's MAC address as source address with a reason code “Authentication Expired” to a particular intruding wireless station or to a broadcast address, sending one or more spoofed De-Authentication packets from one or more sniffers to unauthorized AP with intruding wireless station's MAC address as source address with reason code “Auth Leave”, sending one or more spoofed “disassociation” packets from one or more sniffers with AP's MAC address as source address to a particular intruding wireless station or to a broadcast address and sending one or more spoofed disassociation packets from one or more sniffers to unauthorized AP with intruding wireless station's MAC address as source address.
  • Another embodiment of this step involves continuously sending frames from one or more sniffers with BSSID field containing MAC address of unauthorized AP and a high value in network allocation vector (NAV) field. All client wireless stations of said AP including said intruding wireless station then defer access to radio channel for the duration specified in NAV field. This causes disruption to the communication between said AP and said intruding wireless station.
  • a number of other embodiments such as inflicting acknowledgement (ACK) or packet collisions via transmissions from the sniffer, destabilizing or desynchronizing the wireless stations within the BSS (basic service set) of unauthorized AP by sending confusing beacon frames from the sniffer can also be used.
  • a test called the “LAN connectivity test” is used to distinguish the APs in the Active_AP_List that are connected to the LAN (e.g., authorized or unauthorized) from those that are not connected to the LAN (e.g., external).
  • the logical flow of steps according to an embodiment of the LAN connectivity test is shown in FIG. 4 .
  • This diagram is merely an example, which should not unduly limit the scope of the claims herein.
  • one or more marker packets are transmitted to the LAN by the originating device.
  • the originating device can be a sniffer, a data collection server or any computer system whose transmission can reach the concerned LAN over one or more computer networks.
  • the sniffer or the data collection server can transmit the marker packet to the concerned LAN via the Ethernet port.
  • the marker packet has a peculiar format using which it can later be identified by the intrusion detection system. The format can be different for different marker packets.
  • the marker packet may contain a sequence number using which it can later be compared against the known marker packets.
  • the marker packet may contain identity of the originating device.
  • the marker packet is received by all or a subset of APs connected to the concerned LAN and transmitted by all or a subset of them on the wireless medium.
  • one or more sniffers listen to one or more radio channels on which wireless communication can take place.
  • At least one sniffer detects the transmission of at least one marker packet on the radio channel.
  • the marker packet is detected by analyzing the format of the captured packet. If the AP transmits marker packet on the radio channel without modifying it via encryption procedure all the format information in the detected packet is available to the intrusion detection system for analysis for identifying marker packet. If the AP transmits marker packet on the radio channel after modifying it via encryption procedure the intrusion detection system may not be able to analyze all the format information in the detected packet. In this case, certain features of the packet format that are unaffected by encryption procedure are used for analysis. For example, the encryption procedure does not change the size of the data being encrypted. Thus the size of detected packets can be used as a format parameter to identify said packet as the marker packet.
  • the identity of the AP that transmits the marker packet is determined from the 802.11 MAC header (for example from the transmitter address or BSSID fields) of the packet transmitted on the radio channel.
  • step 405 the AP that transmits the marker packet is declared to be connected to the LAN.
  • the corresponding entry in the Active_AP_List is marked as “connected to the LAN”.
  • the marker packet is an Ethernet style packet addressed to the broadcast address, i.e., the value of hexadecimal ff:ff:ff:ff:ff in the destination address field of Ethernet MAC header.
  • This packet will be received by all APs that are connected in the LAN broadcast domain. The APs among these acting as layer 2 bridges then transmit this broadcast packet on the wireless medium after translating it to the 802.11 style packet.
  • the marker packet is an Ethernet style unicast packet addressed to the MAC address of a wireless station associated with an AP.
  • Said MAC address is inferred by analyzing the prior communication between said wireless station and said AP that is captured by one or more sniffers. This packet will be received by said AP if it is connected to the concerned LAN.
  • Said AP acting as layer 2 bridge then transmits the marker packet on the wireless medium after translating it to the 802.11 style packet.
  • the marker packet is an IP packet addressed to the IP address of a wireless station associated with an AP. Said IP address is inferred by analyzing the prior communication between said wireless station and said AP that is captured by one or more sniffers. This packet will be received by said AP if it is connected to the concerned LAN and transmitted by said AP on the wireless medium after translating it to the 802.11 style packet.
  • the marker packet is an IP packet addressed to the broadcast IP address of the LAN.
  • the marker packet is not actively injected in the LAN by the intrusion detection system. Rather, one or more broadcast/multicast/unicast packets from the data traffic on the LAN are used as marker packets.
  • the logic being if an AP is connected to the same LAN as the sniffer, then at least the subset of the data traffic seen by the Ethernet port of the sniffer will be same as the data traffic captured by the sniffer on the radio channel.
  • the sniffer compares the packet captured on the radio channel with the packets transmitted over the wired LAN and captured by the sniffer's LAN connection port (Ethernet NIC) to identify a matching format.
  • the sniffer can detect the appearance of the marker packet on a specific radio channel only if the sniffer is tuned to said radio channel during the interval of transmission of the marker packet on said radio channel. It may thus be necessary to send marker packets in the LAN periodically and preferably at randomized intervals, so as to maximize the probability that at least one sniffer gets an opportunity to detect at least one marker packet transmitted by each AP connected to the LAN.
  • FIG. 5 The logical flow of steps according to another embodiment of the LAN connectivity test is shown in FIG. 5 .
  • This diagram is merely an example, which should not unduly limit the scope of the claims herein.
  • This embodiment is particularly useful to detect unauthorized APs that implement NAT (i.e., network address translation) functionality unlike layer 2 bridge functionality though it is also useful for the latter.
  • the test is also useful to detect unauthorized layer 2 bridge type APs (e.g., soft APs) that block forwarding of broadcast packets from the wired LAN onto the wireless medium so as to evade detection by previous embodiment of the LAN connectivity test.
  • NAT i.e., network address translation
  • the sniffer is tuned to the radio channel on which an AP operates.
  • the sniffer establishes wireless connection with said AP. This typically involves listening to AP's beacon packet and subsequently performing “association” procedure with said AP as described in IEEE 802.11 standard. Subsequent to association, the parameters for IP connection are assigned to the radio interface of the sniffer.
  • a preferred method to assign IP connection parameters is for the sniffer to perform DHCP (i.e., dynamic host configuration protocol) request/response transactions over the wireless connection established with AP. These parameters comprise at least of the IP address for the radio interface of the sniffer.
  • DHCP is described in RFC 2131 standard of the Internet Engineering Task Force (IETF).
  • the sniffer reuses an existing association between the AP and a wireless station associated with the AP. For this, the sniffer detects the parameters of an existing association between the AP and the wireless station associated with the AP. The parameters include, among others, the MAC address of the associated wireless station. The sniffer may also determine the IP address and the TCP or UDP port number of the wireless station by monitoring the packets transmitted or received by the station.
  • the sniffer sends one or more marker packets to the AP over the wireless connection newly established or already existing as applicable depending on the embodiment of step 502 .
  • the marker packet is addressed to the sniffer itself, the data collection server, another sniffer, any other network entity or a broadcast address. Various preferred embodiments for this step are now described.
  • the marker packet is UDP (i.e., user datagram protocol) packet.
  • UDP is the transport layer protocol used by computers in the IP network to exchange data. It is described in RFC 768 standard of the IETF.
  • UDP marker packet has source IP address as the IP address of the radio interface of the sniffer.
  • the UDP marker packet has the source IP address and the source UDP port number same as the corresponding values detected in the packets transmitted by the wireless station whose association is being reused by the sniffer.
  • the destination IP address in the UDP packet can be the IP address of the wired (Ethernet) interface of the sniffer or the IP address of the data collection server.
  • the marker packet is a TCP (i.e., transmission control protocol) packet.
  • the TCP is a transport protocol described in RFC 793 standard of the IETF. It is used by computers in IP network for reliable exchange of data.
  • TCP marker packet is TCP SYN packet. In alternate embodiment, it can be any packet in TCP format.
  • TCP marker packet has source IP address as the IP address of the radio interface of the sniffer.
  • the TCP marker packet has the source IP address and the source TCP port number same as the corresponding values detected in the packets transmitted by the wireless station whose association is being reused by the sniffer.
  • the destination IP address in the TCP packet can be the IP address of the wired (e.g., Ethernet) interface of said sniffer or the IF address of the data collection server.
  • the marker packet is any layer 2 style frame.
  • the source address in said layer 2 frame is the MAC address of the radio interface of the sniffer.
  • the source address in the layer 2 frame is the MAC address of the wireless station whose association is being reused by the sniffer.
  • the destination address in the layer 2 frame is the MAC address of the wired (e.g., Ethernet) interface of the sniffer or the MAC address of the wired interface of data collection server.
  • the marker packet is addressed to the broadcast address. If the sniffer detects that the IP address assigned to its radio interface is in the domain of addresses assigned to the wired LAN, the marker packet can be addressed to IP broadcast address in said domain of addresses.
  • the IP broadcast address is constructed by using all binary ones in the host address part and using the network number of said wired LAN in the network address part of the IP address.
  • layer 2 format marker packet can be addressed to the MAC broadcast address, which is hexadecimal ff:ff:ff:ff:fff.
  • said AP If said AP is indeed connected to the LAN, it will forward marker packet from the wireless connection to the LAN and thus the marker packet will be received at destination in step 504 .
  • said AP is declared to be connected to the LAN in step 505 .
  • the marker packet will not be received at the destination and said AP is then declared unconnected to the LAN in step 506 according to a specific embodiment.
  • FIG. 6 The logical flow of steps according to another embodiment of the LAN connectivity test is shown in FIG. 6 .
  • This diagram is merely an example, which should not unduly limit the scope of the claims herein.
  • One of ordinary skill in the art would recognize other variations, modifications, and alternatives.
  • the sniffer is tuned to a radio channel.
  • the sniffer listens to the radio channel to detect the transmission of one or more “trigger” packets.
  • the trigger packets indicate the current state of ongoing communication between an AP and a wireless station. Knowing this enables preparing and sending marker packet so that it is almost indistinguishable from the packets constituting the ongoing communication between the AP and the wireless station. This makes it difficult for certain APs, for example compromised, software controlled or non-standard, to evade detection by marker packet test.
  • the identity of the AP that is the source or destination of the trigger packets is determined in step 603 from the transmitter address or the receiver address in the 802.11 MAC header of the trigger packets.
  • an optional step 604 is performed to determine if said AP is suspected to be not authorized (i.e. it can be unauthorized or external). For example an AP in the Active_AP_List that has not previously responded to any LAN connectivity test is suspected to be not authorized. Or, an AP whose behavior (contents of beacon frame, MAC address, authentication and encryption methods etc.) does not match the behavior known of the authorized APs is suspected to be not authorized.
  • step 605 one or more marker packets are constructed based on the type of trigger packets and information contained therein.
  • the marker packets are transmitted in the LAN in step 606 .
  • the sniffer continues to listen to the same radio channel to detect the transmission of at least one marker packet on the radio channel by said AP. If the marker packet transmission is detected before a timeout occurs, said AP is declared to be connected to the LAN. Alternatively, the AP is declared unconnected to the LAN according to a specific embodiment.
  • the trigger packets and the marker packets are TCP packets.
  • TCP is used by computers in Internet Protocol (IP) network for reliable exchange of data.
  • IP Internet Protocol
  • TCP provides acknowledgement-based data delivery wherein lost pieces of data are recovered via retransmissions.
  • the TCP also uses window-based congestion control algorithm so as to dynamically adapt to the available bandwidth between the communicating computers.
  • a number of desirable Internet applications such as HTTP, file transfer, email, remote login etc. are performed using TCP as transport protocol.
  • the sniffer detects transmission of a TCP packet from a wireless station to the AP (called uplink direction) that is suspected to be not authorized.
  • TCP packet is identified by examining the header fields of detected packet transmission. Specifically, for the TCP packet the value of “Type” field in 802.2 frame header is hexadecimal 0800 and the value of “Protocol” field in the IP header is hexadecimal 06. Then the marker packet is constructed as a TCP packet and in one embodiment the various fields in the marker packet (step 605 above) are set as follows:
  • x1 denote the value of “sequence number” field in the TCP header of trigger packet and x2 denote the number of octets of TCP payload in the trigger packet. Then set “acknowledgement number” field in the TCP header of marker packet equal to (x1+x2).
  • x3 denote the value of “acknowledgement number” field and x4 denote the value of “window” field in the TCP header of trigger packet. Then set the value of “sequence number” field in the TCP header of marker packet to a value that is between (x3 ⁇ 1) and (x3+x4 ⁇ L).
  • Other fields in the marker packet are set according to standard practice used by various implementations of corresponding protocols. Among these, values for some of the fields can be more judiciously chosen if the sniffer has also recently captured a TCP packet of the same flow transmitted by said AP to said wireless station (downlink). For example, the value of “window” field in the marker packet can be set equal to or close to the value of “window” field in the recently captured downlink TCP packet. Similarly, the value of “Identification” field in the IP header of marker packet can be set greater than the value of “Identification” field in the recently captured downlink TCP packet.
  • the sniffer detects downlink TCP packet.
  • the marker packet is constructed as a TCP packet and in one embodiment the various fields in the marker packet (step 605 above) are set as follows:
  • the trigger packet is DHCP request packet and the marker packet is DHCP response packet.
  • one or more feature criteria are used distinguish the APs in the Active_AP_List that are authorized by the network administrator from those that are not authorized.
  • the latter include unauthorized and external APs.
  • the method of invention works by inferring one or more features of an AP via analysis of the packets captured by the sniffer and comparing them with the features of the authorized APs. If the discrepancy is detected, said AP is deemed to be not authorized.
  • a number of features of an AP can be inferred by analyzing one or more beacon packets transmitted by the AP. These features include but not limited to the vendor information (indicated by the first three bytes of the MAC address of the AP), the observed beacon interval and values of various fields (according to basic 802.11 and its enhancements including 802.11e, 802.11i, 802.11k and others) in the beacon packet such as beacon interval, SSID, capabilities information, radio parameters, various information elements (IEs) etc.
  • Some other features of an AP can be inferred by analyzing the sequence of packets flowing between the AP and a wireless station. Most notably, the flow of authentication and association procedure can be monitored by the sniffer to determine if it is consistent with that of an authorized AP.
  • the flow of authentication and association procedure may conform to technologies such as wired equivalent privacy (WEP), wireless protected access (WPA), temporal key integrity protocol (TKIP), robust security network (RSN), extensible authentication protocol (EAP), and the like.
  • the feature set of authorized APs can be provided to the intrusion detection system by the network administrator.
  • the intrusion detection system can learn the authorized feature set by detecting APs and their associated feature set in the operational network or laboratory environment.
  • the network administrator merely indicates to the intrusion detection system as to which of the detected APs are authorized APs.
  • the sniffer may perform active probing to infer the features of an AP. For example, the sniffer attempts to establish a wireless connection with the AP which typically involves authentication and association procedure.
  • the sniffer is provided with the credentials to be used during the authentication procedure. For example, the credentials include but not limited to password, digital certificate, security key etc. If the sniffer succeeds in establishing the wireless connection with the AP, the AP may be declared as authorized. This test is even more effective for the authentication schemes, such as extensible authentication protocol transport layer security (EAP TLS), which perform mutual authentication.
  • EAP TLS extensible authentication protocol transport layer security
  • the present invention can implement the various methods using certain systems, which are described in more detail below.
  • the system comprises a detection module 702 , a classification module 704 and a prevention module 706 , each of the modules comprising one or more computer executable codes.
  • the various codes can be running in one or more computer processes. Further, the various codes may run in a single computer system or distributed across plurality of computer systems coupled together by one or more computer networks.
  • the detection module 702 is directed to performing tasks associated with detecting wireless activity.
  • the detecting comprises capturing, decoding and processing the wireless activity.
  • the detecting may further comprise filtering and summarizing the information associated with or derived from the wireless activity.
  • the detection module is further directed to transferring at least identity information associated with the detected wireless activity to the classification module.
  • the detection module transfers additional information associated with the detected activity such as information derived from beacon packet, marker packet, authentication packet and other packets to the classification module.
  • the classification module 704 is directed to performing tasks associated with receiving and labeling the identity information associated with the wireless activity into at least one of a plurality of categories.
  • the classification module analyzes the additional information associated with the wireless activity received from the detection module for the sake of labeling the identity information.
  • the classification module is further directed to performing tasks associated with transferring indication associated with the identity information to the prevention module 706 .
  • the indication is an intrusion alert.
  • intrusion alert is generated when an unauthorized AP and/or intruding wireless station is detected by the classification process.
  • the system comprises a providing module 801 , a transferring module 802 , an outputting module 803 , a receiving module 804 , a processing module 805 and an identifying module 806 .
  • Each of the modules comprises one or more computer executable codes.
  • the providing module 801 prepares the marker packet with a given format.
  • the providing module resides within the originating device.
  • the transferring module 802 transmits the marker packet to one or more APs over the LAN.
  • the transferring module resides within the originating device.
  • the transferring module resides within a computer system coupled to the local area network.
  • the outputting module 803 transmits the marker packet from the AP to the wireless medium.
  • the outputting module resides within the AP.
  • the receiving module 804 is directed to receiving wireless activity associated with the marker packet using at least one sniffer.
  • the processing module 805 is directed to processing the wireless activity information to identify the marker packet.
  • the processing module analyzes the format information in the received wireless activity to identify the marker packet.
  • the identifying module 806 is directed to determining the identity information associated with the wireless activity associated with the marker packet.
  • the identifying module determines the source AP of the wireless activity associated with the marker packet.
  • the receiving module, the processing module and the identifying module are provided within the sniffer device.
  • the receiving module is provided within the sniffer device while the processing and identifying module are provided within the data collection server. Other embodiments are also possible.
  • the data collection server is provided as software that can be run on a PC or server computer 902 .
  • said PC or server computer is connected to the LAN 900 .
  • Input required from the network administrator is provided to the data collection server using web-based or command line interface (CLI) console.
  • One or more sniffer devices 904 A, 904 B, 904 C etc. are provided to monitor the wireless communication space.
  • any sniffer for example sniffer 904 A
  • sniffer 904 A When any sniffer, for example sniffer 904 A, is connected to the LAN, it sends multicast or broadcast query over the LAN to discover the data collection server.
  • the data collection server 902 responds to the query with information required for the sniffer 904 A to connect to the server 902 .
  • This information comprises at least of the IP address of the server.
  • the IP address of the data collection server is preconfigured in the sniffers.
  • the sniffer 904 A then communicates with the server.
  • the sniffer 904 A establishes a connection 906 A with the server using protocols such as transport control protocol (TCP), hypertext transfer protocol (HTTP), secure HTTP, file transfer protocol (FTP), remote login protocol such as telnet and the like.
  • TCP transport control protocol
  • HTTP hypertext transfer protocol
  • FTP file transfer protocol
  • UDP remote login protocol
  • connectionless protocol such as user datagram protocol (UDP) can be used for communication between the sniffer and the server.
  • the server 902 and the sniffer 904 A authenticate each other at the time of initiation of communication and preferably also during the communication.
  • the server sends configuration information to the sniffer. This information may comprise of the operating system software code and the various operational configuration parameters.
  • the sniffer 904 A listens to the radio channels and reports information about detected wireless activity to the data collection server 902 for analysis, storage, processing and rendering.
  • the data collection server displays the information about the state of the network graphically on the computer screen.
  • the sniffer may filter or summarize this information before reporting it to the server.
  • the sniffer may also receive instructions from the server, for example, as regards tuning to specific radio channel, detecting transmission of specific packet such as the marker packet on the radio channel, detecting wireless activity derived from a specific station or an access point etc.
  • the sniffer 904 A initiates LAN connectivity test, i.e., by originating a marker packet.
  • the LAN connectivity test is initiated by the data collection server.
  • the data collection server 902 selects one or more sniffer devices to perform preventive actions against the intrusion and sends a message to said sniffer devices to perform preventive actions.
  • the detection, classification and prevention modules are provided within the sniffer device.
  • the sniffer also provides and transfers a maker packet.
  • the sniffer further receives the wireless activity associated with the marker packet, processes said activity to identify the marker packet and identifies the AP that transmits marker packet on the wireless medium.
  • This embodiment in particularly advantageous because it allows deployment of standalone sniffer devices, i.e., as appliances not requiring a separate data collection server entity.
  • the sniffer appliance device comprises a CPU 1001 adapted to executing computer codes and a memory 1002 that stores computer codes and data.
  • the computer codes stored in the memory comprise at least the codes for detection, classification and prevention modules and the codes adapted to perform communication between said modules.
  • the computer codes stored in the memory further comprise the codes for providing a marker packet, transferring a marker packet, receiving a wireless activity associated with the marker packet, processing said wireless activity to identify the marker packet and identifying the AP that transmits the marker packet on the wireless medium.
  • the sniffer appliance device comprises one or more WiFi NICs 1003 connected to one or more antennas 1004 .
  • the WiFi NICs performs the tasks associated with receiving the wireless activity (e.g., listening to and capturing the packet transmissions occurring over the wireless medium in accordance with 802.11 standard) as well as initiating the wireless activity (e.g., transmitting packets in accordance with 802.11 standard).
  • the Ethernet NIC 1005 is also provided that enables connecting the sniffer appliance device to the LAN via Ethernet jack 1006 .
  • the Ethernet jack 1006 may alternatively and additionally be used to connect the sniffer appliance to a PC for configuration purposes.
  • a serial communication interface (e.g., RS-232) 1012 is used to connect the sniffer appliance to a PC for configuration purposes.
  • the various electronic components are connected together using data transfer bus 1007 .
  • the sniffer device can provide visual indication about detected wireless activity by means of one or more light bulbs or light emitting diodes 1008 provided on the device panel 1010 .
  • an electronic screen such as for example LCD screen 1009 is provided on the device panel for providing visual indication and/or textual messages.
  • the light bulb 1008 After the sniffer device is powered on, the light bulb 1008 turns white in color if Active_AP_List is empty. The bulb turns green when at least one active AP is detected. The sensor exhibits above behavior even if it is not connected to the wired LAN. After the sensor device is connected to the wired LAN (e.g., using Ethernet jack 1006 ), it can start executing steps 202 and beyond shown in FIG. 2 according to the specific embodiment of the method of invention. If the unauthorized AP is detected in step 202 , the light bulb turns red in color. If the wireless station attempting to connect or connected to the unauthorized AP is detected in step 203 , the light bulb turns flashing red.
  • the wired LAN e.g., using Ethernet jack 1006
  • the various visual indications are provided via combination of light bulbs from a plurality of light bulbs provided on the device panel. Yet alternately, such indications can also be given in audio form, for example via different types of alarm sounds from the speaker (not shown in FIG. 10 ).
  • An on/off switch 1011 may be provided on the sniffer device panel that enables turning the intrusion defense step 204 on or off. Alternatively, the on/off switch for activating and deactivating the intrusion defense is software controlled. Yet alternatively, the step 204 is executed automatically after intrusion detection.
  • the method uses a combination of steps including a way of detecting for an intrusion using wireless computer networks.
  • the present invention also includes an automated method for transferring an indication of an intrusion to a prevention process, which would preferably stop the intruding device before any security problems or the like.
  • Many other methods and system are also included.
  • steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
  • the various methods can be implemented using a computer code or codes in software, firmware, hardware, or any combination of these. Depending upon the embodiment, there can be other variations, modifications, and alternatives.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

According to an embodiment of the present invention, the wireless activity in a geographic area containing LAN connection ports is monitored using one or more sensor devices, called sniffers. By analyzing said wireless activity, one or more APs that are operating in said geographic area are identified. The active APs so identified are classified into three categories, namely “authorized” APs (those that are allowed by network administrator), “unauthorized” APs (those that are not allowed by the network administrator, but are still connected to the LAN of interest) and “external” APs (those that are not allowed by network administrator but are not connected to the LAN of interest, for example APs connected to the neighbor's LAN) by conducting one or more tests. The sniffers continue to monitor the selected geographic area to detect any wireless station attempting to connect to or communicating with the one or more identified unauthorized APs. Upon identifying unauthorized AP and/or intruding wireless station an indication is transferred to the prevention process.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This present application claims priority to U.S. Provisional Application No. 60/543,631, titled “An Automated Method and an RF Sensor System for Wireless Unauthorized Transmission, Intrusion Detection and Prevention,” filed Feb. 10, 2004, commonly assigned, and hereby incorporated by reference for all purposes.
  • The present invention also relates to U.S. Ser. No. ______ (Attorney Docket No. 022384-000620US) filed on the same date, which claims priority to U.S. Provisional Application No. 60/543,631, titled “An Automated Method and an RF Sensor System for Wireless Unauthorized Transmission, Intrusion Detection and Prevention,” filed Feb. 10, 2004, commonly assigned, and each of which is hereby incorporated by reference for all purposes.
  • BACKGROUND OF THE INVENTION
  • The present invention relates generally to wireless computer networking techniques. More particularly, the invention provides a method and a system for providing intrusion detection for local area wireless networks according to a specific embodiment. Merely by way of example, the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability. For example, the invention can be applied to Ultra Wide Band (“UWB”), IEEE 802.16 commonly known as “WiMAX”, Bluetooth, and others.
  • Computer systems proliferated from academic and specialized science applications to day to day business, commerce, information distribution and home applications. Such systems include personal computers, which are often called “PCs” for short, to large mainframe and server class computers. Powerful mainframe and server class computers run specialized applications for banks, small and large companies, e-commerce vendors and governments. Smaller personal computers can be found in many if not all offices, homes, and even local coffee shops. These computers interconnect with each other through computer communication networks based on packet switching technology such as the Internet protocol or IP. The computer systems located within a specific local geographic area such as office, home or other indoor and outdoor premises interconnect using a Local Area Network, commonly called, LAN. Ethernet is by far the most popular networking technology for LANs. The LANs interconnect with each other using a Wide Area Network called “WAN” such as the famous Internet. Although much progress occurred with computers and networking, we now face a variety of security threats on many computing environments from the hackers connected to the computer network. The application of wireless communication to computer networking further accentuates these threats.
  • As merely an example, the conventional LAN is usually deployed using an Ethernet based infrastructure comprising cables, hubs switches, and other elements. A number of connection ports (e.g., Ethernet ports) are used to couple various computer systems to the LAN. A user can connect to the LAN by physically attaching a computing device such as laptop, desktop or handheld computer to one of the connection ports using physical wires or cables. Other computer systems such as database computers, server computers, routers and Internet gateways also connect to the LAN to provide specific functionalities and services. Once physically connected to the LAN, the user often accesses a variety of services such as file transfer, remote login, email, WWW, database access, and voice over IP. Security of the LAN often occurs by controlling access to the physical space where the LAN connection ports are located.
  • Although conventional wired networks using Ethernet technology proliferated, wireless communication technologies are increasing in popularity. That is, wireless communication technologies wirelessly connect users to the computer communication networks. A typical application of these technologies provides wireless access to the local area network in the office, home, public hot-spots, and other geographical locations. As merely an example, the IEEE 802.11 family of standards, commonly called WiFi, is the common standard for such wireless application. Among WiFi, the 802.11b standard-based WiFi often operates at 2.4 GHz unlicensed radio frequency spectrum and offers wireless connectivity at speeds up to 11 Mbps. The 802.11g compliant WiFi offers even faster connectivity at about 54 Mbps and operates at 2.4 GHz unlicensed radio frequency spectrum. The 802.11a provides speeds up to 54 Mbps operating in the 5 GHz unlicensed radio frequency spectrum. The WiFi enables a quick and effective way of providing wireless extension to the existing LAN.
  • In order to provide wireless extension of the LAN using WiFi, one or more WiFi access points (APs) connect to the LAN connection ports either directly or through intermediate equipment such as WiFi switch. A user now wirelessly connects to the LAN using a device equipped with WiFi radio, commonly called wireless station, which communicates with the AP. The connection is free from cable and other physical encumbrances and allows the user to “Surf the Web”, check e-mail or use enterprise computer applications in an easy and efficient manner. Unfortunately, certain limitations still exist with WiFi. That is, the radio waves often cannot be contained in the physical space bounded by physical structures such as the walls of a building. Hence, wireless signals often spill outside the area of interest. Unauthorized users can wirelessly connect to the AP and hence gain access to the LAN from the spillage areas such as the street, parking lot, and neighbor's premises. Consequently, the conventional security measure of controlling access to the physical space where the LAN connection ports are located is now inadequate.
  • In order to prevent unauthorized access to the LAN over WiFi, the AP can employ certain techniques. For example, the user is required to carry out authentication handshake with the AP (or a WiFi switch that resides between the AP and the existing LAN) before being able to connect to the LAN. Examples of such handshake are Wireless Equivalent Privacy (WEP) based shared key authentication, 802.1x based port access control, 802.11i based authentication. The AP can provide additional security measures such as encryption, firewall. Other techniques also exist to enhance security of the LAN over WiFi.
  • Despite these measures, many limitations still exist. As merely an example, a threat of an unauthorized AP being connected to the LAN often remains with the LANs. The unauthorized AP creates security vulnerability. The unauthorized AP allows wireless intruders to connect to the LAN through itself. That is, the intruder accesses the LAN and any proprietary information on computers and servers on the LAN without the knowledge of the owner of the LAN. Soft APs, ad hoc networks, and misconfigured APs connected to the LAN also pose similar threats. Appropriate security mechanisms are thus needed to protect the LAN resources from wireless intruders.
  • Accordingly, techniques for improving security for local area network environments are highly desirable.
  • BRIEF SUMMARY OF THE INVENTION
  • According to the present invention, techniques directed to wireless computer networking are provided. More particularly, the invention provides a method and a system for providing intrusion detection for local area wireless networks. Merely by way of example, the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability. For example, the invention can be applied to UWB, WiMAX (802.16), Bluetooth, and others.
  • In a specific embodiment, the present invention provides a method for monitoring a wireless communication space (e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.) occupied by one or more computer networks. The method includes monitoring a selected local geographic region using one or more sniffer devices. Each of the sniffer devices is spatially disposed within the selected local geographic region and/or within a vicinity of the selected local region. The selected local geographic region is occupied by connection points to a local area computer network, e.g., Ethernet, wireless LAN, and IP. The method includes initiating a wireless activity. The method also includes detecting the wireless activity within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices. According to a specific embodiment, the wireless activity is derived from at least one authorized device, at least one unauthorized device, or at least one external device. The method includes receiving identity information (e.g., source information, destination information, MAC address) associated with the wireless activity in a classification process and labeling the identity information into at least one of a plurality of categories. The method includes transferring an indication associated with the identify information to a prevention process.
  • In an alternative specific embodiment, the present invention provides a method for monitoring a wireless communication space occupied by one or more computer networks using one or more marker packets. The method includes monitoring a selected local geographic region using one or more sniffer devices. Each of the sniffer devices is spatially disposed within the selected local geographic region, the selected local geographic region occupied by connection points to a local area computer network. The method includes providing a marker packet from an originating device, which is coupled to the local area computer network. Preferably, the originating device can include a server, a computer system, a sniffer, or any combination of these, and the like. The method includes transferring the marker packet through the local area network to an access point. If said access point is coupled to the local area network, the method outputs the marker packet from the access point to a wireless medium and captures a wireless activity (e.g., information associated with the wireless activity) associated with the marker packet within the selected local area using at least one of the sniffer devices. The method includes processing the wireless activity to identify the marker packet and determining identity information associated with the wireless activity associated with the marker packet. One the other hand, if said access point is not coupled to the local area network, the access point does not receive the marker packet transferred through the local area network and consequently the marker packet is not output to the wireless medium. Then the wireless activity associated with the marker packet cannot be detected on the wireless medium by any of the sniffer devices.
  • In yet an alternative specific embodiment, the invention provides an automated system (e.g., fully-automated) for monitoring a wireless communication space occupied by one or more computer networks. The system comprises one or more sniffer devices adapted to monitor a selected local geographic region. Each of the sniffer devices is spatially disposed within the selected local geographic region, which is occupied by connection points to a local area computer network. The system has one or more computer executable codes in one or more memories in preferred embodiments. A code is directed to perform a process for detection of a wireless activity within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices. Preferably, the wireless activity is derived from at least one authorized device, or at least one unauthorized device, or at least one external device, or other like devices. A code is directed to receiving identity information associated with the wireless activity from the detection process in a classification process and a code is directed to labeling the identity information into at least one of a plurality of categories in the classification process. According to a preferred embodiment, the system also has a code directed to transferring an indication associated with the identify information to a prevention process.
  • In yet a further alternative specific embodiment, the present invention provides computer based system for monitoring a wireless communication space using one or more marker packets occupied by one or more computer networks. The system has one or more sniffer devices adapted to monitor a selected local geographic region. Each of the sniffer devices is spatially disposed within the selected local geographic region. The selected local geographic region is occupied by connection points to a local area computer network. The system also has one or more computer memories storing one or more computer executable codes. One or more codes is directed to providing a marker packet from an originating device, which is coupled to the local area computer network. One or more codes is directed to transferring the marker packet through the local area network to an access point, which is coupled to the local area network. One or more codes is directed to outputting the marker packet from the access point to a wireless medium. One or more codes is directed to receiving a wireless activity information associated with the marker packet within the selected local area using at least one of the sniffer devices. One or more codes is directed to processing the wireless activity information associated with the marker packet to identify the marker packet and one or more codes is directed to determining identity information associated with the wireless activity associated with the marker packet. Depending upon the embodiments, there may be other codes or combination of codes, which may be in software, firmware, and/or hardware, to carry out other functionality described herein and outside of the present specification.
  • According to an alternative embodiment of the present invention, the wireless activity in a geographic area containing LAN connection ports is monitored using one or more sniffers. By analyzing said wireless activity, one or more APs that are operating in said geographic area are identified. The active APs so identified are automatically classified into three categories, namely “authorized” APs (those that are allowed by network administrator), “unauthorized” APs (those that are not allowed by the network administrator, but are still connected to the LAN of interest) and “external” APs (those that are not allowed by network administrator but are not connected to the LAN of interest, for example APs connected to the neighbor's LAN). The sniffers continue to monitor the selected geographic area to detect any wireless station attempting to connect to or communicating with the one or more identified unauthorized APs. When the presence of unauthorized AP is detected and/or the presence of intruding wireless station is detected, an intrusion alert is generated and actions are taken to disable or disrupt any communication between unauthorized AP and intruding wireless station.
  • In yet an alternative embodiment, one or more tests are performed to identify if a given AP is connected to the LAN of interest. In one embodiment of the LAN connectivity test, a packet called marker packet is transmitted to the AP through the LAN. The AP, if indeed connected to the LAN, in turn transmits the marker packet onto the wireless medium. When the sniffer detects the transmission of the marker packet by the AP on the wireless medium, said AP is identified as connected to the LAN of interest.
  • In another embodiment of the LAN connectivity test, a marker packet is transmitted by the sniffer to the AP over a wireless medium. The marker packet is addressed to a destination address. If the AP is indeed connected to the LAN, it transfers the marker packet to the LAN and the marker packet is finally received at the destination address. The information about the identity of the AP to which the marker packet is transmitted by the sniffer and the fact that said marker packet is received at the destination address are used to infer that said AP is connected to the LAN.
  • In another alternative embodiment, one or more tests are performed to identify if a given AP is an authorized AP. In a specific embodiment, these tests are directed to compare the feature set of an AP derived from the observations made by one or more sniffers with the feature set known to be of the authorized APs. The sniffers perform passive monitoring and/or active probing to capture the AP behavior which in turn is used in determining its feature set.
  • In yet an alternative embodiment, the present invention provides a method for monitoring a wireless communication space using one or more marker packets occupied by one or more computer networks. The method includes monitoring a selected local geographic region using one or more sniffer devices. Each of the sniffer devices is spatially disposed within the selected local geographic region, which is occupied by one or more connection points to a local area computer network. The method includes detecting a wireless activity associated with a trigger packet within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices and providing a marker packet based upon at least information from the trigger packet from an originating device, which is coupled to the local area computer network. The method includes transferring the marker packet through the local area network to an access point and outputting the marker packet from the access point to a wireless medium. The method also includes capturing a wireless activity associated with the marker packet within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices and processing the wireless activity associated with the marker packet to identify the marker packet. The method includes determining identity information associated with the wireless activity associated with the marker packet and/or trigger packet.
  • In an alternative specific embodiment, the present invention provides a method for testing connectivity of a wireless communication space using one or more marker packets occupied by one or more computer networks. The method includes providing a marker packet from an originating device, which is coupled to the local area computer network. Preferably, the local area network being within a selected local geographic region, which includes one or more sniffer devices, which are spatially disposed within the selected local geographic region. The selected local geographic region is occupied by one or more connection points to the local area computer network. The method includes transferring the marker packet through the local area network to one or more access point, which may or may not be connected to the local area network. The method includes outputting the marker packet from the one or more access point only if the one or more access points are connected to the local area computer networks and capturing a wireless activity associated with the marker packet within the selected local area using at least one of the sniffer devices. Preferably, the method processes the wireless activity to identify the marker packet and determines identity information associated with the wireless activity associated with the marker packet.
  • Certain advantages and/or benefits may be achieved using the present invention. For example, the present technique provides an easy to use process that relies upon conventional computer hardware and software technologies. In some embodiments, the method and system are fully automated and can be used to prevent unauthorized wireless access of local area computer networks. The automated operation minimizes the human effort required during the system operation and improves the system response time and accuracy. In some embodiments, the method and system advantageously reduce or eliminate the false positives on intrusion events thereby eliminating the nuisance factor during the system operation. This is because the technique of the invention intelligently distinguishes between unauthorized APs and external APs, the latter usually being the source of false positives. According to specific embodiments, the method and system of invention provide alternatives of client-server implementation or standalone appliance implementation thereby providing intrusion detection solution to suit the cost, the network size and the management effort requirements. Additionally, the invention is compatible with conventional wireless and wired networking technologies without substantial modifications to conventional equipment and processes according to a specific embodiment. Depending upon the embodiment, one or more of these benefits may be achieved. These and other benefits will be described in more throughout the present specification and more particularly below.
  • Other features and advantages of the invention will become apparent through the following detailed description, the drawings, and the claims.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 shows a simplified LAN architecture that supports wireless intrusion detection according to an embodiment of the present invention.
  • FIG. 1A illustrates a simplified flow diagram of an intrusion detection method according to an embodiment of the present invention.
  • FIG. 2 shows a simplified logical flow of steps according to a method of an embodiment of the present invention.
  • FIG. 3 shows a simplified logical flow of steps for maintaining the list of active APs according to an embodiment of the present invention.
  • FIG. 4 shows a simplified logical flow of steps in an embodiment of the LAN connectivity test according to the present invention.
  • FIG. 5 shows a simplified logical flow of steps in another embodiment of the LAN connectivity test according to the present invention.
  • FIG. 6 shows a simplified logical flow of steps in yet another embodiment of the LAN connectivity test according to the present invention.
  • FIG. 7 is a simplified system diagram according to an embodiment of the present invention.
  • FIG. 8 is a simplified system diagram according to an alternative embodiment of the present invention.
  • FIG. 9 is a simplified system diagram according to a distributed implementation embodiment of the present invention.
  • FIG. 10 is a simplified system diagram of a standalone implementation according to an embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION
  • According to the present invention, techniques for wireless computer networking are provided. More particularly, the invention provides a method and a system for providing intrusion detection for local area wireless networks. Merely by way of example, the invention has been applied to a computer networking environment based upon the IEEE 802.11 family of standards, commonly called “WiFi.” But it would be recognized that the invention has a much broader range of applicability. For example, the invention can be applied to UWB, WiMAX (802.16), Bluetooth, and others.
  • FIG. 1 shows the LAN architecture that supports the intrusion detection according to one embodiment of the invention. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. As shown in FIG. 1, the core transmission infrastructure 102 for the LAN 101 comprises of Ethernet cables, hubs and switches. Other devices may also be included. Plurality of connection ports (e.g., Ethernet ports) are provided for the various computer systems to be able to connect to the LAN. One or more end user devices 103 such as desktop computers, notebook computers, telemetry sensors etc. are connected to the LAN 101 via one or more connection ports 104 using wires (Ethernet cable) or other suitable devices. Other computer systems that provide specific functionalities and services are also connected to the LAN. For example, one or more database computers 105 may be connected to the LAN via one or more connection ports 108. Examples of information stored in database computers include customer accounts, inventory, employee accounts, financial information etc. One or more server computers 106 may be connected to the LAN via one or more connection ports 109. Examples of services provided by server computers include database access, email storage, HTTP proxy service, DHCP service, SIP service, authentication, network management etc. The router 107 is connected to the LAN via connection port 110 and it acts as a gateway between the LAN 101 and the Internet 111. The firewall/VPN gateway 112 protects computers in the LAN against hacking attacks from the Internet 111. It may additionally also enable remote secure access to the LAN.
  • WiFi is used to provide wireless extension of the LAN. For this, one or more authorized WiFi APs 113A, 113B are connected to the LAN via WiFi switch 114. The WiFi switch is connected to the LAN connection port 115. The WiFi switch enables offloading from APs some of the complex procedures for authentication, encryption, QoS, mobility, firewall etc., and also provides centralized management functionality for APs. One or more authorized WiFi AP 116 may also be directly connected to the LAN connection port 117. In this case AP 116 may itself perform necessary security procedures such as authentication, encryption, firewall, etc. One or more end user devices 118 such as desktop computers, laptop computers, handheld computers (PDAs) equipped with WiFi radio can now wirelessly connect to the LAN via authorized APs 113A, 113B and 116. Although WiFi has been provided according to the present embodiment, there can also be other types of wireless network formats such as UWB, WiMax, Bluetooth, and others.
  • One or more unauthorized APs can be connected to the LAN. The figure shows unauthorized AP 119 connected to the LAN connection port 120. The unauthorized AP may not employ the right security policies. Also traffic through this AP may bypass security policy enforcing elements such as, for example, WiFi switch 114. The AP 119 thus poses a security threat as intruders such as wireless station 126 can connect to the LAN and launch variety of attacks through this AP. According to a specific embodiment, the unauthorized AP can be a rogue AP, a misconfigured AP, a soft AP, and the like. A rogue AP can be an AP such as for example openly available in the market that is brought in by the person having physical access to the facility and connected to the LAN via the LAN connection port without the permission of the network administrator. A misconfigured AP can be the AP otherwise allowed by the network administrator, but whose security parameters are, usually inadvertently, incorrectly configured. Such an AP can thus allow wireless intruders to connect to it. Soft AP is usually a “WiFi” enabled computer system connected to the LAN connection port that also functions as an AP under the control of software. The software is either deliberately run on the computer system or inadvertently in the form of a virus program.
  • The figure also shows neighbor's AP 121 whose radio coverage spills into the area covered by LAN. The AP 121 is however not connected to the concerned LAN 101 and is harmless from the intrusion standpoint. According to a specific embodiment, the neighbor's AP can be an AP in the neighboring office, an AP is the laboratory not connected to the concerned LAN but used for standalone development or experimentation, an AP on the street providing free “WiFi” access to passersby and other APs, which co-exist with the LAN and share the airspace without any significant and/or harmful interferences.
  • A WiFi AP delivers data packets between the wired LAN and the wireless transmission medium. Typically, the AP performs this function either by acting as a layer 2 bridge or as a network address translator (NAT). The layer 2 bridge type AP simply transmits the Ethernet packet received on its wired interface to the wireless link after translating it to 802.11 style packet and vice versa. The NAT AP on the other hand acts as a layer 3 (IP) router that routes IP packets received on its wired interface to the stations connected to its wireless interface and vice versa. The wired side and wireless side interfaces of the NAT AP thus usually reside on different subnets.
  • The intrusion detection system according to the present invention is provided to protect the LAN 101 from unauthorized APs and/or wireless intruders. The system involves one or more sensor devices 122A, 122B (i.e., sniffers) placed throughout a geographic region or a portion of geographic region including the connection points to the LAN 101. The sniffer is able to monitor the wireless activity in the selected geographic region. For example, the sniffer listens to the radio channel and captures packets being transmitted on the channel. The sniffer cycles through the radio channels on which wireless communication can take place. On each radio channel, it waits and listens for any ongoing transmission. In one embodiment, the sniffer is able to operate on a plurality of radio channels simultaneously. Whenever transmission is detected, the relevant information about that transmission is collected and recorded. This information comprises of all or a subset of information that can be gathered from various fields in the captured packet such as 802.11 MAC (medium access control) header, 802.2 LLC (i.e., logical link control) header, IP header, transport protocol (e.g., TCP, UDP, HTTP, RTP etc.) headers, packet size, packet payload and other fields. Receive signal strength (i.e., RSSI) may also be recorded. Other information such as the day and the time of the day when said transmission was detected may also be recorded.
  • According to a specific embodiment, the sniffer device can be any suitable receiving/transmitting device capable of detecting wireless activity. As merely an example, the sniffer often has a smaller form factor. The sniffer device has a processor, a flash memory (where the software code for sniffer functionality resides), a RAM, two 802.11a/b/g wireless network interface cards (NICs), one Ethernet port (with optional power over Ethernet or POE), a serial port, a power input port, a pair of dual-band (2.4 GHz and 5 GHz) antennas, and at least one status indicator light emitting diode. The sniffer can be built using the hardware platform similar to one used to build wireless access point, although functionality and software will be different for the sniffer device. Of course, one of ordinary skill in the art would recognize other variations, modifications, and alternatives. Further details of the sniffers are provided throughout the present specification and more particularly below.
  • One or more sniffers 122A and 122B may also be provided with radio transmit interface. The radio transmit interface is used to transmit packets on the wireless medium. As an example the transmitted packets can be marker packets, probe packets, packets directed to perform intrusion prevention, and the like. In one specific embodiment, the sniffer is a dual slot device which has two wireless NICs. These NICs can be used in a variety of combinations, for example both for monitoring, both form transmitting, one for monitoring and the other for transmitting etc., under the control of software. In another specific embodiment, the sniffer has only one wireless NIC. The same NIC is shared in a time division multiplexed fashion to carry out monitoring as well as defense against intrusion. Each sniffer 122A, 122B is also connected to the LAN via the connection ports 123A, 123B.
  • The sniffers can be spatially disposed at appropriate locations in the geographic area to be monitored for intrusion by using one or more of heuristics, strategy and calculated guess. Alternatively, a more systematic approach using an RF (radio frequency) planning tool is used to determine physical locations where said sniffers need to be deployed according to an alternative embodiment of the present invention.
  • One or more data collection servers 124 are connected to the LAN connection ports 125. Each sniffer conveys information about the detected wireless transmission to data collection server for analysis, storage, processing and rendering. The sniffer may filter and/or summarize the information before conveying it to the data collection server. The sniffer receives configuration information from the data collection server. It may also receive specific instructions form the server as regards tuning to specific radio channel, detecting transmission of specific packet on the radio channel, launching defense against intrusion etc. In a preferred embodiment, the sniffer connects to the data collection server over the LAN through the wired connection port. In an alternate embodiment, the sniffer connects to the data collection server over the LAN through the wireless connection.
  • In a specific embodiment, the sniffer device captures wireless activity. Such wireless activity includes, among others, transmission of control, management or data packet between an AP and a wireless station or among wireless stations, and communication for establishing wireless connection between an AP and a wireless station often called association. Additionally, the configuration information from the data collection server includes, among others, the operating system software code and the operation parameters such as frequency spectrum and radio channels to be scanned, types of wireless activities to be detected etc. Depending upon the embodiment, the invention also provides certain methods for monitoring wireless activity in selected geographic regions.
  • According to a specific embodiment, the present invention provides a method for monitoring a wireless communication space (e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.) occupied by one or more computer networks which may be outlined as follows.
    • 1. Provide a geographic region;
    • 2. Operate a local area network in a selected portion of the geographic region;
    • 3. Monitor a selected local geographic region in the geographic region using one or more sniffer devices;
    • 4. Detect a wireless activity from at least one authorized device, or at least one unauthorized device, or at least one external device, within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices;
    • 5. Receive at least identity information (e.g., source information, destination information, MAC address) associated with the wireless activity in a classification process;
    • 6. Label the identity information into at least one of a plurality of categories;
    • 7. Transfer an indication associated with the identify information to a prevention process; and
    • 8. Perform other steps, as desired.
  • The above sequence of steps provides methods according to an embodiment of the present invention. As shown, the method uses a combination of steps including a way of detecting for an intrusion in the wireless computer networks. In preferred embodiments, the present invention also includes an automated method for transferring an indication of an intrusion to a prevention process, which would preferably stop the intruding device before any security problems or the like. Many other methods and system are also included. Of course, other alternatives can also be provided where steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein. Additionally, the various methods can be implemented using a computer code or codes in software, firmware, hardware, or any combination of these. Depending upon the embodiment, there can be other variations, modifications, and alternatives. Further details of the present method can be found throughout the present specification and more particularly below.
  • FIG. 1A illustrates a simplified flow diagram of an intrusion detection method according to an embodiment of the present invention. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. As shown, the present invention provides a method for monitoring a wireless communication space (e.g., office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities etc.) occupied by one or more computer networks, e.g., wired, wireless. As shown, the method includes providing a geographic region, step 1. According to a specific embodiment, the geographic region can be within a building, outside of a building, or a combination of these. As an example, the region can be provided in an office space, home, apartments, government buildings, warehouses, hot-spots, commercial facilities, etc. The method includes operating a local area network in a selected portion of the geographic region. The local area network (step 2) is commonly an Ethernet based network for private use and may be for public use or any combination of these.
  • In a specific embodiment, the method monitors (step 3) a selected local geographic region in the geographic region using one or more sniffer devices. The method includes detecting (step 4) a wireless activity from at least one authorized device, or at least one unauthorized device, or at least one external device, within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices. Preferably, the unauthorized device is one that is physically connected to the network but does not belong to the network. That is, the unauthorized device has intruded the network according to preferred embodiments.
  • The method includes receiving (step 5) at least identity information (e.g., source information, destination information, MAC address) associated with the wireless activity in a classification process. The method also includes labeling (step 6) the identity information into at least one of a plurality of categories, e.g., authorized, not authorized, external, connected, not connected, and any combination of these. Of course, one of ordinary skill in the art would recognize variations, modifications, and alternatives.
  • According to a specific embodiment, the method transfers (step 7) an indication associated with the identify information to a prevention process. As merely an example, once the unauthorized access point has been detected, the method sends an indication of the unauthorized access point to the prevention process. Preferably, the indication is sent almost immediately or before the transmission of one or more packets to or from the unauthorized access point, which is virtually instantaneously. Depending upon the embodiment, the method sends the indication via an inter process signal between various processes, which can be provided in computer codes. Alternatively, the method performs a selected function within the same process code to implement the prevention process. Certain details of the prevention process can be found throughout the present specification and more particularly below. Depending upon the embodiment, the method can perform other steps, as desired.
  • The above sequence of steps provides methods according to an embodiment of the present invention. As shown, the method uses a combination of steps including a way of detecting for an intrusion using wireless computer networks. In preferred embodiments, the present invention also includes an automated method for transferring an indication of an intrusion to a prevention process, which would preferably stop the intruding device before any security problems or the like. Many other methods and system are also included. Of course, other alternatives can also be provided where steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein. Additionally, the various methods can be implemented using a computer code or codes in software, firmware, hardware, or any combination of these. Depending upon the embodiment, there can be other variations, modifications, and alternatives.
  • FIG. 2 shows the logical flow of steps for wireless intrusion detection according to the method of the invention. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. As shown, the first step 201 is to maintain the list of active APs called the Active_AP_List. An active AP is defined as the AP that was recently involved in the wireless transmission as the sender or the receiver. An active AP can be detected by analyzing the wireless transmission on the radio channel captured by the sniffer. For example, every AP in the WiFi network periodically transmits a beacon packet for the client wireless stations to be able to connect to it. The beacon packet contains information such as clock synchronization data, AP's MAC address (BSSID), supported data rates, service set identifiers (SSIDs), parameters for the contention and contention-free access to the wireless medium, capabilities as regards QoS, security policy etc. In one embodiment, detection of beacon packet transmission from an AP is used to identify said AP to be an active AP. Beacon packet can be recognized from the type and subtype fields in the 802.11 MAC header of the beacon packet. In alternate embodiments, active AP can also be detected when any other wireless transmission (data, control or management packet) directed to or generating from it is observed by the sniffer. Whenever an active AP is detected, it is added to the Active_AP_List. If the Active_AP_List already contains entry for said AP, the corresponding entry is refreshed. Associated with each entry in the Active_AP_List are a short timeout and a long timeout values. After a short timeout, the corresponding entry is marked “inactive” and after a long timeout it is marked “historic”. The logical flow of steps for maintaining the Active_AP_List is shown in FIG. 3. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives.
  • The second step 202 is to classify the APs in Active_AP_List into at least three categories, namely “authorized”, “unauthorized” and “external”. The authorized APs are defined to be the APs which are allowed to be connected to the LAN by the network administrator. The unauthorized APs are defined to be the APs that are not allowed to be connected to the LAN, but are still connected to the LAN. The unauthorized APs pose a security threat. The external APs are defined to be the APs whose active presence can be detected by the sniffers but they are not connected to the LAN. For example, these can be neighbor's APs whose radio coverage spills into the physical space of interest. The external APs do not pose a security threat. One or more tests are performed to classify APs in the Active_AP_List into these categories.
  • The third step 203 is intrusion detection. When an unauthorized AP is detected, intrusion alert is generated. Whenever any wireless station attempting connection to or connected to unauthorized AP is detected, intrusion alert is generated. Once the intrusion alert is generated, the method sends an indication of the AP and/or intruding wireless station to a prevention process. Preferably, the indication is sent almost immediately or before the transmission of one or few more packets by intruders. Depending upon the embodiment, the method sends the indication via an inter process signal between various processes, which can be provided in computer codes. Alternatively, the method performs a selected function within the same process code to implement the prevention process. Further details of the prevention process can be found throughout the present specification and more particularly below.
  • The fourth step 204 is intrusion prevention wherein subsequent to intrusion alert; action is taken to disable or disrupt any communication between unauthorized AP and intruding wireless station. One embodiment of this step works by preventing or breaking the “association” between unauthorized AP and intruding wireless station. Association is the procedure defined in 802.11 standard wherein the wireless station and the AP establish a wireless connection between them. Techniques for preventing or breaking the association include but are not limited to sending one or more spoofed “deauthentication” packets from one or more sniffers with AP's MAC address as source address with a reason code “Authentication Expired” to a particular intruding wireless station or to a broadcast address, sending one or more spoofed De-Authentication packets from one or more sniffers to unauthorized AP with intruding wireless station's MAC address as source address with reason code “Auth Leave”, sending one or more spoofed “disassociation” packets from one or more sniffers with AP's MAC address as source address to a particular intruding wireless station or to a broadcast address and sending one or more spoofed disassociation packets from one or more sniffers to unauthorized AP with intruding wireless station's MAC address as source address. Another embodiment of this step involves continuously sending frames from one or more sniffers with BSSID field containing MAC address of unauthorized AP and a high value in network allocation vector (NAV) field. All client wireless stations of said AP including said intruding wireless station then defer access to radio channel for the duration specified in NAV field. This causes disruption to the communication between said AP and said intruding wireless station. A number of other embodiments such as inflicting acknowledgement (ACK) or packet collisions via transmissions from the sniffer, destabilizing or desynchronizing the wireless stations within the BSS (basic service set) of unauthorized AP by sending confusing beacon frames from the sniffer can also be used.
  • In the preferred embodiment of the method of invention, in step 202 a test called the “LAN connectivity test” is used to distinguish the APs in the Active_AP_List that are connected to the LAN (e.g., authorized or unauthorized) from those that are not connected to the LAN (e.g., external). The logical flow of steps according to an embodiment of the LAN connectivity test is shown in FIG. 4. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. As shown in step 401, one or more marker packets are transmitted to the LAN by the originating device. The originating device can be a sniffer, a data collection server or any computer system whose transmission can reach the concerned LAN over one or more computer networks. For example, the sniffer or the data collection server can transmit the marker packet to the concerned LAN via the Ethernet port. The marker packet has a peculiar format using which it can later be identified by the intrusion detection system. The format can be different for different marker packets. The marker packet may contain a sequence number using which it can later be compared against the known marker packets. The marker packet may contain identity of the originating device. The marker packet is received by all or a subset of APs connected to the concerned LAN and transmitted by all or a subset of them on the wireless medium.
  • In step 402, one or more sniffers listen to one or more radio channels on which wireless communication can take place.
  • In step 403, preferably at least one sniffer detects the transmission of at least one marker packet on the radio channel. The marker packet is detected by analyzing the format of the captured packet. If the AP transmits marker packet on the radio channel without modifying it via encryption procedure all the format information in the detected packet is available to the intrusion detection system for analysis for identifying marker packet. If the AP transmits marker packet on the radio channel after modifying it via encryption procedure the intrusion detection system may not be able to analyze all the format information in the detected packet. In this case, certain features of the packet format that are unaffected by encryption procedure are used for analysis. For example, the encryption procedure does not change the size of the data being encrypted. Thus the size of detected packets can be used as a format parameter to identify said packet as the marker packet.
  • Then in step 404 the identity of the AP that transmits the marker packet is determined from the 802.11 MAC header (for example from the transmitter address or BSSID fields) of the packet transmitted on the radio channel.
  • In step 405, the AP that transmits the marker packet is declared to be connected to the LAN. In a preferred embodiment, the corresponding entry in the Active_AP_List is marked as “connected to the LAN”.
  • In one embodiment of the above method, the marker packet is an Ethernet style packet addressed to the broadcast address, i.e., the value of hexadecimal ff:ff:ff:ff:ff:ff in the destination address field of Ethernet MAC header. This packet will be received by all APs that are connected in the LAN broadcast domain. The APs among these acting as layer 2 bridges then transmit this broadcast packet on the wireless medium after translating it to the 802.11 style packet.
  • In alternate embodiment, the marker packet is an Ethernet style unicast packet addressed to the MAC address of a wireless station associated with an AP. Said MAC address is inferred by analyzing the prior communication between said wireless station and said AP that is captured by one or more sniffers. This packet will be received by said AP if it is connected to the concerned LAN. Said AP acting as layer 2 bridge then transmits the marker packet on the wireless medium after translating it to the 802.11 style packet.
  • In another alternate embodiment, the marker packet is an IP packet addressed to the IP address of a wireless station associated with an AP. Said IP address is inferred by analyzing the prior communication between said wireless station and said AP that is captured by one or more sniffers. This packet will be received by said AP if it is connected to the concerned LAN and transmitted by said AP on the wireless medium after translating it to the 802.11 style packet.
  • In yet an alternate embodiment, the marker packet is an IP packet addressed to the broadcast IP address of the LAN.
  • In one embodiment, the marker packet is not actively injected in the LAN by the intrusion detection system. Rather, one or more broadcast/multicast/unicast packets from the data traffic on the LAN are used as marker packets. The logic being if an AP is connected to the same LAN as the sniffer, then at least the subset of the data traffic seen by the Ethernet port of the sniffer will be same as the data traffic captured by the sniffer on the radio channel. Thus the sniffer compares the packet captured on the radio channel with the packets transmitted over the wired LAN and captured by the sniffer's LAN connection port (Ethernet NIC) to identify a matching format.
  • The sniffer can detect the appearance of the marker packet on a specific radio channel only if the sniffer is tuned to said radio channel during the interval of transmission of the marker packet on said radio channel. It may thus be necessary to send marker packets in the LAN periodically and preferably at randomized intervals, so as to maximize the probability that at least one sniffer gets an opportunity to detect at least one marker packet transmitted by each AP connected to the LAN.
  • The logical flow of steps according to another embodiment of the LAN connectivity test is shown in FIG. 5. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. This embodiment is particularly useful to detect unauthorized APs that implement NAT (i.e., network address translation) functionality unlike layer 2 bridge functionality though it is also useful for the latter. The test is also useful to detect unauthorized layer 2 bridge type APs (e.g., soft APs) that block forwarding of broadcast packets from the wired LAN onto the wireless medium so as to evade detection by previous embodiment of the LAN connectivity test.
  • In step 501, the sniffer is tuned to the radio channel on which an AP operates. In step 502, the sniffer establishes wireless connection with said AP. This typically involves listening to AP's beacon packet and subsequently performing “association” procedure with said AP as described in IEEE 802.11 standard. Subsequent to association, the parameters for IP connection are assigned to the radio interface of the sniffer. A preferred method to assign IP connection parameters is for the sniffer to perform DHCP (i.e., dynamic host configuration protocol) request/response transactions over the wireless connection established with AP. These parameters comprise at least of the IP address for the radio interface of the sniffer. The DHCP is described in RFC 2131 standard of the Internet Engineering Task Force (IETF).
  • In an alternate embodiment, in step 502 rather than establishing a new association with the AP, the sniffer reuses an existing association between the AP and a wireless station associated with the AP. For this, the sniffer detects the parameters of an existing association between the AP and the wireless station associated with the AP. The parameters include, among others, the MAC address of the associated wireless station. The sniffer may also determine the IP address and the TCP or UDP port number of the wireless station by monitoring the packets transmitted or received by the station.
  • In step 503, the sniffer sends one or more marker packets to the AP over the wireless connection newly established or already existing as applicable depending on the embodiment of step 502. The marker packet is addressed to the sniffer itself, the data collection server, another sniffer, any other network entity or a broadcast address. Various preferred embodiments for this step are now described.
  • In one embodiment of step 503, the marker packet is UDP (i.e., user datagram protocol) packet. UDP is the transport layer protocol used by computers in the IP network to exchange data. It is described in RFC 768 standard of the IETF. In a preferred embodiment, UDP marker packet has source IP address as the IP address of the radio interface of the sniffer. In an alternative embodiment wherein step 502 reuses existing association, preferably the UDP marker packet has the source IP address and the source UDP port number same as the corresponding values detected in the packets transmitted by the wireless station whose association is being reused by the sniffer. The destination IP address in the UDP packet can be the IP address of the wired (Ethernet) interface of the sniffer or the IP address of the data collection server.
  • In another embodiment of step 503, the marker packet is a TCP (i.e., transmission control protocol) packet. The TCP is a transport protocol described in RFC 793 standard of the IETF. It is used by computers in IP network for reliable exchange of data. In a preferred embodiment, TCP marker packet is TCP SYN packet. In alternate embodiment, it can be any packet in TCP format. In a preferred embodiment, TCP marker packet has source IP address as the IP address of the radio interface of the sniffer. In an alternative embodiment wherein step 502 reuses existing association, preferably the TCP marker packet has the source IP address and the source TCP port number same as the corresponding values detected in the packets transmitted by the wireless station whose association is being reused by the sniffer. The destination IP address in the TCP packet can be the IP address of the wired (e.g., Ethernet) interface of said sniffer or the IF address of the data collection server.
  • In yet another embodiment of step 503, the marker packet is any layer 2 style frame. In a preferred embodiment, the source address in said layer 2 frame is the MAC address of the radio interface of the sniffer. In an alternative embodiment wherein step 502 reuses existing association, preferably the source address in the layer 2 frame is the MAC address of the wireless station whose association is being reused by the sniffer. The destination address in the layer 2 frame is the MAC address of the wired (e.g., Ethernet) interface of the sniffer or the MAC address of the wired interface of data collection server.
  • In yet another embodiment of step 503, the marker packet is addressed to the broadcast address. If the sniffer detects that the IP address assigned to its radio interface is in the domain of addresses assigned to the wired LAN, the marker packet can be addressed to IP broadcast address in said domain of addresses. The IP broadcast address is constructed by using all binary ones in the host address part and using the network number of said wired LAN in the network address part of the IP address. Alternatively, layer 2 format marker packet can be addressed to the MAC broadcast address, which is hexadecimal ff:ff:ff:ff:ff:ff.
  • If said AP is indeed connected to the LAN, it will forward marker packet from the wireless connection to the LAN and thus the marker packet will be received at destination in step 504.
  • Subsequently, said AP is declared to be connected to the LAN in step 505. Alternatively, if the AP is not connected to the LAN, the marker packet will not be received at the destination and said AP is then declared unconnected to the LAN in step 506 according to a specific embodiment.
  • The logical flow of steps according to another embodiment of the LAN connectivity test is shown in FIG. 6. This diagram is merely an example, which should not unduly limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives.
  • For this, in step 601 the sniffer is tuned to a radio channel. The sniffer listens to the radio channel to detect the transmission of one or more “trigger” packets. In a specific embodiment, the trigger packets indicate the current state of ongoing communication between an AP and a wireless station. Knowing this enables preparing and sending marker packet so that it is almost indistinguishable from the packets constituting the ongoing communication between the AP and the wireless station. This makes it difficult for certain APs, for example compromised, software controlled or non-standard, to evade detection by marker packet test.
  • When the transmission of one or more trigger packets is detected in step 602, the identity of the AP that is the source or destination of the trigger packets is determined in step 603 from the transmitter address or the receiver address in the 802.11 MAC header of the trigger packets.
  • Depending upon the type of trigger packets an optional step 604 is performed to determine if said AP is suspected to be not authorized (i.e. it can be unauthorized or external). For example an AP in the Active_AP_List that has not previously responded to any LAN connectivity test is suspected to be not authorized. Or, an AP whose behavior (contents of beacon frame, MAC address, authentication and encryption methods etc.) does not match the behavior known of the authorized APs is suspected to be not authorized.
  • In step 605 one or more marker packets are constructed based on the type of trigger packets and information contained therein. The marker packets are transmitted in the LAN in step 606. The sniffer continues to listen to the same radio channel to detect the transmission of at least one marker packet on the radio channel by said AP. If the marker packet transmission is detected before a timeout occurs, said AP is declared to be connected to the LAN. Alternatively, the AP is declared unconnected to the LAN according to a specific embodiment.
  • In one embodiment of the LAN connectivity test using trigger packets, the trigger packets and the marker packets are TCP packets. TCP is used by computers in Internet Protocol (IP) network for reliable exchange of data. TCP provides acknowledgement-based data delivery wherein lost pieces of data are recovered via retransmissions. The TCP also uses window-based congestion control algorithm so as to dynamically adapt to the available bandwidth between the communicating computers. A number of desirable Internet applications such as HTTP, file transfer, email, remote login etc. are performed using TCP as transport protocol.
  • Suppose the sniffer detects transmission of a TCP packet from a wireless station to the AP (called uplink direction) that is suspected to be not authorized. TCP packet is identified by examining the header fields of detected packet transmission. Specifically, for the TCP packet the value of “Type” field in 802.2 frame header is hexadecimal 0800 and the value of “Protocol” field in the IP header is hexadecimal 06. Then the marker packet is constructed as a TCP packet and in one embodiment the various fields in the marker packet (step 605 above) are set as follows:
  • Swap the source and destination addresses in the Ethernet, IP and TCP headers of trigger packet to get source and destination addresses in the corresponding headers of marker packet.
  • Set the TCP payload in marker packet such that it can later be identified by the intrusion detection. Let L denote the size of payload in number of octets.
  • Let x1 denote the value of “sequence number” field in the TCP header of trigger packet and x2 denote the number of octets of TCP payload in the trigger packet. Then set “acknowledgement number” field in the TCP header of marker packet equal to (x1+x2).
  • Let x3 denote the value of “acknowledgement number” field and x4 denote the value of “window” field in the TCP header of trigger packet. Then set the value of “sequence number” field in the TCP header of marker packet to a value that is between (x3−1) and (x3+x4−L).
  • Other fields in the marker packet are set according to standard practice used by various implementations of corresponding protocols. Among these, values for some of the fields can be more judiciously chosen if the sniffer has also recently captured a TCP packet of the same flow transmitted by said AP to said wireless station (downlink). For example, the value of “window” field in the marker packet can be set equal to or close to the value of “window” field in the recently captured downlink TCP packet. Similarly, the value of “Identification” field in the IP header of marker packet can be set greater than the value of “Identification” field in the recently captured downlink TCP packet.
  • Suppose that the sniffer detects downlink TCP packet. Then the marker packet is constructed as a TCP packet and in one embodiment the various fields in the marker packet (step 605 above) are set as follows:
    • a. Swap source and destination addresses in the Ethernet, IP and TCP headers of trigger packet to get source and destination addresses in the corresponding headers of marker packet.
    • b. Set the TCP payload in marker packet such that it can later be identified by the intrusion detection. Let L denote the size of payload in number of octets.
    • c. Let x1 denote the value of “sequence number” field in the TCP header of trigger packet and x2 denote the number of octets of TCP payload in the trigger packet. Then set sequence number field in the TCP header of marker packet to a value greater than (x1+x2−1). If the sniffer has recently captured uplink TCP packet of the same flow and thus the intrusion detection has the knowledge of value of “window” field in recent uplink packet, the value of “sequence number” field in marker packet should be chosen so that it is also less than (x1+window−L+1).
    • d. Other fields in the marker packet are set according to standard practice used by various implementations of corresponding protocols. Among these, values for some of the fields such as “window” field in TCP header and “Identification field in IP header can be more judiciously chosen if the sniffer has also recently captured uplink TCP packet of the same flow.
  • In another embodiment of the LAN connectivity test using trigger packets, the trigger packet is DHCP request packet and the marker packet is DHCP response packet.
  • In the preferred embodiment of the method of invention, in step 202 one or more feature criteria are used distinguish the APs in the Active_AP_List that are authorized by the network administrator from those that are not authorized. The latter include unauthorized and external APs. The method of invention works by inferring one or more features of an AP via analysis of the packets captured by the sniffer and comparing them with the features of the authorized APs. If the discrepancy is detected, said AP is deemed to be not authorized.
  • A number of features of an AP can be inferred by analyzing one or more beacon packets transmitted by the AP. These features include but not limited to the vendor information (indicated by the first three bytes of the MAC address of the AP), the observed beacon interval and values of various fields (according to basic 802.11 and its enhancements including 802.11e, 802.11i, 802.11k and others) in the beacon packet such as beacon interval, SSID, capabilities information, radio parameters, various information elements (IEs) etc.
  • Some other features of an AP can be inferred by analyzing the sequence of packets flowing between the AP and a wireless station. Most notably, the flow of authentication and association procedure can be monitored by the sniffer to determine if it is consistent with that of an authorized AP. A merely an example, the flow of authentication and association procedure may conform to technologies such as wired equivalent privacy (WEP), wireless protected access (WPA), temporal key integrity protocol (TKIP), robust security network (RSN), extensible authentication protocol (EAP), and the like.
  • The feature set of authorized APs can be provided to the intrusion detection system by the network administrator. Alternatively, the intrusion detection system can learn the authorized feature set by detecting APs and their associated feature set in the operational network or laboratory environment. In the former case, the network administrator merely indicates to the intrusion detection system as to which of the detected APs are authorized APs.
  • The sniffer may perform active probing to infer the features of an AP. For example, the sniffer attempts to establish a wireless connection with the AP which typically involves authentication and association procedure. The sniffer is provided with the credentials to be used during the authentication procedure. For example, the credentials include but not limited to password, digital certificate, security key etc. If the sniffer succeeds in establishing the wireless connection with the AP, the AP may be declared as authorized. This test is even more effective for the authentication schemes, such as extensible authentication protocol transport layer security (EAP TLS), which perform mutual authentication. Depending upon the embodiment, the present invention can implement the various methods using certain systems, which are described in more detail below.
  • One embodiment of the intrusion detection system according to present invention is described with reference to FIG. 7. The system comprises a detection module 702, a classification module 704 and a prevention module 706, each of the modules comprising one or more computer executable codes. The various codes can be running in one or more computer processes. Further, the various codes may run in a single computer system or distributed across plurality of computer systems coupled together by one or more computer networks.
  • The detection module 702 is directed to performing tasks associated with detecting wireless activity. In a specific embodiment the detecting comprises capturing, decoding and processing the wireless activity. The detecting may further comprise filtering and summarizing the information associated with or derived from the wireless activity. The detection module is further directed to transferring at least identity information associated with the detected wireless activity to the classification module. In a specific embodiment the detection module transfers additional information associated with the detected activity such as information derived from beacon packet, marker packet, authentication packet and other packets to the classification module. The classification module 704 is directed to performing tasks associated with receiving and labeling the identity information associated with the wireless activity into at least one of a plurality of categories. In a specific embodiment, the classification module analyzes the additional information associated with the wireless activity received from the detection module for the sake of labeling the identity information. The classification module is further directed to performing tasks associated with transferring indication associated with the identity information to the prevention module 706. In one specific embodiment, the indication is an intrusion alert. In a specific embodiment, intrusion alert is generated when an unauthorized AP and/or intruding wireless station is detected by the classification process.
  • Another embodiment of the intrusion prevention system according to present invention is described with reference to FIG. 8. The system comprises a providing module 801, a transferring module 802, an outputting module 803, a receiving module 804, a processing module 805 and an identifying module 806. Each of the modules comprises one or more computer executable codes. The providing module 801 prepares the marker packet with a given format. In a specific embodiment, the providing module resides within the originating device. The transferring module 802 transmits the marker packet to one or more APs over the LAN. In a specific embodiment the transferring module resides within the originating device. In an alternate embodiment, the transferring module resides within a computer system coupled to the local area network. The outputting module 803 transmits the marker packet from the AP to the wireless medium. In a specific embodiment, the outputting module resides within the AP. The receiving module 804 is directed to receiving wireless activity associated with the marker packet using at least one sniffer. The processing module 805 is directed to processing the wireless activity information to identify the marker packet. In a specific embodiment, the processing module analyzes the format information in the received wireless activity to identify the marker packet. The identifying module 806 is directed to determining the identity information associated with the wireless activity associated with the marker packet. In a specific embodiment, the identifying module determines the source AP of the wireless activity associated with the marker packet. In one specific embodiment, the receiving module, the processing module and the identifying module are provided within the sniffer device. In another specific embodiment, the receiving module is provided within the sniffer device while the processing and identifying module are provided within the data collection server. Other embodiments are also possible.
  • Another alternative embodiment of the intrusion detection system is described below with respect to FIG. 9. In this embodiment, the data collection server is provided as software that can be run on a PC or server computer 902. In a specific embodiment said PC or server computer is connected to the LAN 900. Input required from the network administrator is provided to the data collection server using web-based or command line interface (CLI) console. One or more sniffer devices 904A, 904B, 904C etc. are provided to monitor the wireless communication space. When any sniffer, for example sniffer 904A, is connected to the LAN, it sends multicast or broadcast query over the LAN to discover the data collection server. The data collection server 902 responds to the query with information required for the sniffer 904A to connect to the server 902. This information comprises at least of the IP address of the server. In an alternate embodiment, the IP address of the data collection server is preconfigured in the sniffers.
  • The sniffer 904A then communicates with the server. In a specific embodiment, the sniffer 904A establishes a connection 906A with the server using protocols such as transport control protocol (TCP), hypertext transfer protocol (HTTP), secure HTTP, file transfer protocol (FTP), remote login protocol such as telnet and the like. In alternate embodiment, connectionless protocol such as user datagram protocol (UDP) can be used for communication between the sniffer and the server. In a specific embodiment, the server 902 and the sniffer 904A authenticate each other at the time of initiation of communication and preferably also during the communication. The server sends configuration information to the sniffer. This information may comprise of the operating system software code and the various operational configuration parameters.
  • The sniffer 904A listens to the radio channels and reports information about detected wireless activity to the data collection server 902 for analysis, storage, processing and rendering. In a specific embodiment, the data collection server displays the information about the state of the network graphically on the computer screen. The sniffer may filter or summarize this information before reporting it to the server. The sniffer may also receive instructions from the server, for example, as regards tuning to specific radio channel, detecting transmission of specific packet such as the marker packet on the radio channel, detecting wireless activity derived from a specific station or an access point etc. In a specific embodiment, the sniffer 904A initiates LAN connectivity test, i.e., by originating a marker packet. In alternate embodiment, the LAN connectivity test is initiated by the data collection server.
  • Upon the detection of an unauthorized AP and/or intruding wireless station, in a specific embodiment the data collection server 902 selects one or more sniffer devices to perform preventive actions against the intrusion and sends a message to said sniffer devices to perform preventive actions.
  • Another yet an alternative embodiment of the intrusion detection system is described below with reference to FIG. 10. In this embodiment, the detection, classification and prevention modules are provided within the sniffer device. The sniffer also provides and transfers a maker packet. The sniffer further receives the wireless activity associated with the marker packet, processes said activity to identify the marker packet and identifies the AP that transmits marker packet on the wireless medium. This embodiment in particularly advantageous because it allows deployment of standalone sniffer devices, i.e., as appliances not requiring a separate data collection server entity.
  • Accordingly, the sniffer appliance device comprises a CPU 1001 adapted to executing computer codes and a memory 1002 that stores computer codes and data. The computer codes stored in the memory comprise at least the codes for detection, classification and prevention modules and the codes adapted to perform communication between said modules. The computer codes stored in the memory further comprise the codes for providing a marker packet, transferring a marker packet, receiving a wireless activity associated with the marker packet, processing said wireless activity to identify the marker packet and identifying the AP that transmits the marker packet on the wireless medium. The sniffer appliance device comprises one or more WiFi NICs 1003 connected to one or more antennas 1004. The WiFi NICs performs the tasks associated with receiving the wireless activity (e.g., listening to and capturing the packet transmissions occurring over the wireless medium in accordance with 802.11 standard) as well as initiating the wireless activity (e.g., transmitting packets in accordance with 802.11 standard). The Ethernet NIC 1005 is also provided that enables connecting the sniffer appliance device to the LAN via Ethernet jack 1006. The Ethernet jack 1006 may alternatively and additionally be used to connect the sniffer appliance to a PC for configuration purposes. Alternatively, a serial communication interface (e.g., RS-232) 1012 is used to connect the sniffer appliance to a PC for configuration purposes. The various electronic components are connected together using data transfer bus 1007. The sniffer device can provide visual indication about detected wireless activity by means of one or more light bulbs or light emitting diodes 1008 provided on the device panel 1010. Optionally or in addition to, an electronic screen such as for example LCD screen 1009 is provided on the device panel for providing visual indication and/or textual messages.
  • After the sniffer device is powered on, the light bulb 1008 turns white in color if Active_AP_List is empty. The bulb turns green when at least one active AP is detected. The sensor exhibits above behavior even if it is not connected to the wired LAN. After the sensor device is connected to the wired LAN (e.g., using Ethernet jack 1006), it can start executing steps 202 and beyond shown in FIG. 2 according to the specific embodiment of the method of invention. If the unauthorized AP is detected in step 202, the light bulb turns red in color. If the wireless station attempting to connect or connected to the unauthorized AP is detected in step 203, the light bulb turns flashing red. Alternatively, the various visual indications are provided via combination of light bulbs from a plurality of light bulbs provided on the device panel. Yet alternately, such indications can also be given in audio form, for example via different types of alarm sounds from the speaker (not shown in FIG. 10). An on/off switch 1011 may be provided on the sniffer device panel that enables turning the intrusion defense step 204 on or off. Alternatively, the on/off switch for activating and deactivating the intrusion defense is software controlled. Yet alternatively, the step 204 is executed automatically after intrusion detection.
  • The above sequence of steps provides methods according to an embodiment of the present invention. As shown, the method uses a combination of steps including a way of detecting for an intrusion using wireless computer networks. In preferred embodiments, the present invention also includes an automated method for transferring an indication of an intrusion to a prevention process, which would preferably stop the intruding device before any security problems or the like. Many other methods and system are also included. Of course, other alternatives can also be provided where steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein. Additionally, the various methods can be implemented using a computer code or codes in software, firmware, hardware, or any combination of these. Depending upon the embodiment, there can be other variations, modifications, and alternatives.
  • It is also understood that the examples and embodiments described herein are for illustrative purposes only and that various modifications or changes in light thereof will be suggested to persons skilled in the art and are to be included within the spirit and purview of this application and scope of the appended claims.

Claims (2)

1. A method for monitoring a wireless communication space occupied by one or more computer networks, the method comprising:
monitoring a selected local geographic region using one or more sniffer devices, each of the sniffer devices being spatially disposed within the selected local geographic region, the selected local geographic region being occupied by one or more connection points to a local area computer network;
detecting a wireless activity within the selected local geographic region using at least one of the sniffer devices from the one or more sniffer devices, the wireless activity being derived from at least one authorized device, or at least one unauthorized device, or at least one external device;
receiving at least identity information associated with the wireless activity in a classification process;
labeling the identity information into at least one of a plurality of categories; and
transferring at least an indication associated with the identify information to a prevention process.
2-50. (canceled)
US12/419,300 2004-02-11 2009-04-07 Automated method and system for monitoring local area computer networks for unauthorized wireless access Abandoned US20100132040A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US12/419,300 US20100132040A1 (en) 2004-02-11 2009-04-07 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US13/399,626 US8789191B2 (en) 2004-02-11 2012-02-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US13/533,674 US9003527B2 (en) 2004-02-11 2012-06-26 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US14/307,351 US20140298467A1 (en) 2004-02-11 2014-06-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US54363104P 2004-02-11 2004-02-11
US10/931,926 US7536723B1 (en) 2004-02-11 2004-08-31 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US12/419,300 US20100132040A1 (en) 2004-02-11 2009-04-07 Automated method and system for monitoring local area computer networks for unauthorized wireless access

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/931,926 Continuation US7536723B1 (en) 2004-02-11 2004-08-31 Automated method and system for monitoring local area computer networks for unauthorized wireless access

Related Child Applications (3)

Application Number Title Priority Date Filing Date
US10/931,585 Continuation US7339914B2 (en) 2004-02-11 2004-08-31 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US13/399,626 Continuation US8789191B2 (en) 2004-02-11 2012-02-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US13/533,674 Continuation US9003527B2 (en) 2004-02-11 2012-06-26 Automated method and system for monitoring local area computer networks for unauthorized wireless access

Publications (1)

Publication Number Publication Date
US20100132040A1 true US20100132040A1 (en) 2010-05-27

Family

ID=40636101

Family Applications (7)

Application Number Title Priority Date Filing Date
US10/931,585 Active 2025-12-08 US7339914B2 (en) 2004-02-11 2004-08-31 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US10/931,926 Active 2027-02-23 US7536723B1 (en) 2004-02-11 2004-08-31 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US11/970,532 Abandoned US20080109879A1 (en) 2004-02-11 2008-01-08 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US12/419,300 Abandoned US20100132040A1 (en) 2004-02-11 2009-04-07 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US13/399,626 Expired - Lifetime US8789191B2 (en) 2004-02-11 2012-02-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US13/533,674 Expired - Lifetime US9003527B2 (en) 2004-02-11 2012-06-26 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US14/307,351 Abandoned US20140298467A1 (en) 2004-02-11 2014-06-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

Family Applications Before (3)

Application Number Title Priority Date Filing Date
US10/931,585 Active 2025-12-08 US7339914B2 (en) 2004-02-11 2004-08-31 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US10/931,926 Active 2027-02-23 US7536723B1 (en) 2004-02-11 2004-08-31 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US11/970,532 Abandoned US20080109879A1 (en) 2004-02-11 2008-01-08 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

Family Applications After (3)

Application Number Title Priority Date Filing Date
US13/399,626 Expired - Lifetime US8789191B2 (en) 2004-02-11 2012-02-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US13/533,674 Expired - Lifetime US9003527B2 (en) 2004-02-11 2012-06-26 Automated method and system for monitoring local area computer networks for unauthorized wireless access
US14/307,351 Abandoned US20140298467A1 (en) 2004-02-11 2014-06-17 Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

Country Status (1)

Country Link
US (7) US7339914B2 (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902744A (en) * 2010-07-28 2010-12-01 南京航空航天大学 Intrusion detection system of wireless sensor network based on sniffer
US20120233694A1 (en) * 2011-03-11 2012-09-13 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US20130081137A1 (en) * 2011-09-23 2013-03-28 Arturo Geigel Simultaneous Determination of a Computer Location and User Identification
US20130212681A1 (en) * 2012-02-15 2013-08-15 Hitachi, Ltd. Security Monitoring System and Security Monitoring Method
US20130252575A1 (en) * 2005-05-10 2013-09-26 Mobile Communication Technologies, Llc Apparatus for and system for enabling a mobile communicator
US20140115663A1 (en) * 2012-10-22 2014-04-24 Fujitsu Limited Method for detecting unauthorized access and network monitoring apparatus
US8789191B2 (en) 2004-02-11 2014-07-22 Airtight Networks, Inc. Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US8995945B2 (en) 2011-08-30 2015-03-31 Mobile Communication Technologies, Llc Mobile communicator and system
US9026780B2 (en) 2011-04-12 2015-05-05 Mobile Communication Technologies, Llc Mobile communicator device including user attentiveness detector
US9026779B2 (en) 2011-04-12 2015-05-05 Mobile Communication Technologies, Llc Mobile communicator device including user attentiveness detector
US9215075B1 (en) 2013-03-15 2015-12-15 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
WO2015196185A1 (en) * 2014-06-20 2015-12-23 Arturo Geigel Simultaneous determination of a mobile device and its user identification
US9338816B2 (en) 2008-05-14 2016-05-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9413772B2 (en) 2013-03-15 2016-08-09 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US9565125B2 (en) 2012-06-14 2017-02-07 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9572135B2 (en) 2009-01-21 2017-02-14 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US9674892B1 (en) 2008-11-04 2017-06-06 Aerohive Networks, Inc. Exclusive preshared key authentication
US9814055B2 (en) 2010-09-07 2017-11-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US9900251B1 (en) 2009-07-10 2018-02-20 Aerohive Networks, Inc. Bandwidth sentinel
US10091065B1 (en) 2011-10-31 2018-10-02 Aerohive Networks, Inc. Zero configuration networking on a subnetted network
CN108668347A (en) * 2012-06-13 2018-10-16 韩国电子通信研究院 WLAN Dynamic link library identity assignments operating method, base station and access point
US10139900B2 (en) 2011-04-12 2018-11-27 Mobile Communication Technologies, Llc Mobile communicator device including user attentiveness detector
US10389650B2 (en) 2013-03-15 2019-08-20 Aerohive Networks, Inc. Building and maintaining a network
US10764322B2 (en) * 2017-03-27 2020-09-01 Nec Corporation Information processing device, information processing method, and computer-readable recording medium
US10798634B2 (en) 2007-04-27 2020-10-06 Extreme Networks, Inc. Routing method and system for a wireless network
US11115857B2 (en) 2009-07-10 2021-09-07 Extreme Networks, Inc. Bandwidth sentinel
US11284345B2 (en) 2012-06-13 2022-03-22 Electronics And Telecommunications Research Institute Method for changing operating mode of wireless LAN system and wireless LAN system

Families Citing this family (176)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8392552B2 (en) * 2000-09-28 2013-03-05 Vig Acquisitions Ltd., L.L.C. System and method for providing configurable security monitoring utilizing an integrated information system
AU2001296925A1 (en) 2000-09-28 2002-04-08 Vigilos, Inc. Method and process for configuring a premises for monitoring
US7480715B1 (en) * 2002-01-25 2009-01-20 Vig Acquisitions Ltd., L.L.C. System and method for performing a predictive threat assessment based on risk factors
JP4174392B2 (en) * 2003-08-28 2008-10-29 日本電気株式会社 Network unauthorized connection prevention system and network unauthorized connection prevention device
EP1685501A1 (en) * 2003-11-18 2006-08-02 Nokia Corporation Method, subject terminal device, target terminal device, data content server, system and computer programs for maintaining and updating data contents
US7002943B2 (en) * 2003-12-08 2006-02-21 Airtight Networks, Inc. Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US7440434B2 (en) * 2004-02-11 2008-10-21 Airtight Networks, Inc. Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods
US11582065B2 (en) 2007-06-12 2023-02-14 Icontrol Networks, Inc. Systems and methods for device communication
US10721087B2 (en) 2005-03-16 2020-07-21 Icontrol Networks, Inc. Method for networked touchscreen with integrated interfaces
US10142392B2 (en) 2007-01-24 2018-11-27 Icontrol Networks, Inc. Methods and systems for improved system performance
US10237237B2 (en) 2007-06-12 2019-03-19 Icontrol Networks, Inc. Communication protocols in integrated systems
US11916870B2 (en) 2004-03-16 2024-02-27 Icontrol Networks, Inc. Gateway registry methods and systems
US11677577B2 (en) 2004-03-16 2023-06-13 Icontrol Networks, Inc. Premises system management using status signal
US20170118037A1 (en) 2008-08-11 2017-04-27 Icontrol Networks, Inc. Integrated cloud system for premises automation
US11811845B2 (en) 2004-03-16 2023-11-07 Icontrol Networks, Inc. Communication protocols over internet protocol (IP) networks
US11190578B2 (en) 2008-08-11 2021-11-30 Icontrol Networks, Inc. Integrated cloud system with lightweight gateway for premises automation
US10339791B2 (en) 2007-06-12 2019-07-02 Icontrol Networks, Inc. Security network integrated with premise security system
US12063220B2 (en) 2004-03-16 2024-08-13 Icontrol Networks, Inc. Communication protocols in integrated systems
US11489812B2 (en) 2004-03-16 2022-11-01 Icontrol Networks, Inc. Forming a security network including integrated security system components and network devices
US11343380B2 (en) 2004-03-16 2022-05-24 Icontrol Networks, Inc. Premises system automation
US9729342B2 (en) 2010-12-20 2017-08-08 Icontrol Networks, Inc. Defining and implementing sensor triggered response rules
US11244545B2 (en) 2004-03-16 2022-02-08 Icontrol Networks, Inc. Cross-client sensor user interface in an integrated security network
US11368429B2 (en) 2004-03-16 2022-06-21 Icontrol Networks, Inc. Premises management configuration and control
GB2428821B (en) 2004-03-16 2008-06-04 Icontrol Networks Inc Premises management system
US10522026B2 (en) 2008-08-11 2019-12-31 Icontrol Networks, Inc. Automation system user interface with three-dimensional display
US7317914B2 (en) 2004-09-24 2008-01-08 Microsoft Corporation Collaboratively locating disconnected clients and rogue access points in a wireless network
US7603460B2 (en) * 2004-09-24 2009-10-13 Microsoft Corporation Detecting and diagnosing performance problems in a wireless network through neighbor collaboration
US7760654B2 (en) * 2004-09-24 2010-07-20 Microsoft Corporation Using a connected wireless computer as a conduit for a disconnected wireless computer
US7627123B2 (en) * 2005-02-07 2009-12-01 Juniper Networks, Inc. Wireless network having multiple security interfaces
US20060193299A1 (en) * 2005-02-25 2006-08-31 Cicso Technology, Inc., A California Corporation Location-based enhancements for wireless intrusion detection
US7529925B2 (en) 2005-03-15 2009-05-05 Trapeze Networks, Inc. System and method for distributing keys in a wireless network
US11615697B2 (en) 2005-03-16 2023-03-28 Icontrol Networks, Inc. Premise management systems and methods
US11496568B2 (en) 2005-03-16 2022-11-08 Icontrol Networks, Inc. Security system with networked touchscreen
US20170180198A1 (en) * 2008-08-11 2017-06-22 Marc Baum Forming a security network including integrated security system components
US11700142B2 (en) 2005-03-16 2023-07-11 Icontrol Networks, Inc. Security network integrating security system and network devices
US20120324566A1 (en) 2005-03-16 2012-12-20 Marc Baum Takeover Processes In Security Network Integrated With Premise Security System
US10999254B2 (en) 2005-03-16 2021-05-04 Icontrol Networks, Inc. System for data routing in networks
US7783756B2 (en) * 2005-06-03 2010-08-24 Alcatel Lucent Protection for wireless devices against false access-point attacks
US7873998B1 (en) * 2005-07-19 2011-01-18 Trustwave Holdings, Inc. Rapidly propagating threat detection
US7673347B2 (en) * 2005-08-30 2010-03-02 Sap Ag Information control in federated interaction
US9674145B2 (en) 2005-09-06 2017-06-06 Daniel Chien Evaluating a questionable network communication
US8621604B2 (en) * 2005-09-06 2013-12-31 Daniel Chien Evaluating a questionable network communication
US9912677B2 (en) 2005-09-06 2018-03-06 Daniel Chien Evaluating a questionable network communication
US9015090B2 (en) 2005-09-06 2015-04-21 Daniel Chien Evaluating a questionable network communication
US7573859B2 (en) 2005-10-13 2009-08-11 Trapeze Networks, Inc. System and method for remote monitoring in a wireless network
WO2007044986A2 (en) 2005-10-13 2007-04-19 Trapeze Networks, Inc. System and method for remote monitoring in a wireless network
US7724703B2 (en) 2005-10-13 2010-05-25 Belden, Inc. System and method for wireless network monitoring
US8638762B2 (en) 2005-10-13 2014-01-28 Trapeze Networks, Inc. System and method for network integrity
US20070109982A1 (en) * 2005-11-11 2007-05-17 Computer Associates Think, Inc. Method and system for managing ad-hoc connections in a wireless network
US7710933B1 (en) 2005-12-08 2010-05-04 Airtight Networks, Inc. Method and system for classification of wireless devices in local area computer networks
US20070178939A1 (en) * 2006-01-31 2007-08-02 Sbc Knowledge Ventures Lp Method for reducing radio interference between wireless access points
WO2007106902A2 (en) * 2006-03-15 2007-09-20 Daniel Chien Identifying unauthorized access to a network resource
US7729274B2 (en) 2006-03-31 2010-06-01 Ciena Corporation Smart ethernet mesh edge device
CA2648197A1 (en) * 2006-03-31 2007-10-11 Gridpoint Systems Inc. Smart ethernet edge networking system
US7925765B2 (en) * 2006-04-07 2011-04-12 Microsoft Corporation Cooperative diagnosis in a wireless LAN
JP4148526B2 (en) * 2006-04-20 2008-09-10 インターナショナル・ビジネス・マシーンズ・コーポレーション Apparatus and method for detecting a network address translation device.
US7558266B2 (en) 2006-05-03 2009-07-07 Trapeze Networks, Inc. System and method for restricting network access using forwarding databases
US8966018B2 (en) 2006-05-19 2015-02-24 Trapeze Networks, Inc. Automated network device configuration and network deployment
US9191799B2 (en) 2006-06-09 2015-11-17 Juniper Networks, Inc. Sharing data between wireless switches system and method
US8818322B2 (en) 2006-06-09 2014-08-26 Trapeze Networks, Inc. Untethered access point mesh system and method
US9258702B2 (en) 2006-06-09 2016-02-09 Trapeze Networks, Inc. AP-local dynamic switching
TWI314688B (en) * 2006-06-09 2009-09-11 Asustek Comp Inc Computer and main circuit board thereof
US12063221B2 (en) 2006-06-12 2024-08-13 Icontrol Networks, Inc. Activation of gateway device
US10079839B1 (en) 2007-06-12 2018-09-18 Icontrol Networks, Inc. Activation of gateway device
US8520645B2 (en) * 2006-06-30 2013-08-27 Core Wireless Licensing S.A.R.L. Method of controlling a mobile terminal, and an associated mobile terminal
US8929345B2 (en) * 2006-08-22 2015-01-06 Ca, Inc. Method and system for managing devices in a wireless network
US20080056222A1 (en) * 2006-08-29 2008-03-06 Nigel Waites Wireless router connection indicator
US8340110B2 (en) 2006-09-15 2012-12-25 Trapeze Networks, Inc. Quality of service provisioning for wireless networks
US8958399B1 (en) * 2006-09-28 2015-02-17 Symantec Corporation Method and apparatus for providing connectivity control
US7873061B2 (en) 2006-12-28 2011-01-18 Trapeze Networks, Inc. System and method for aggregation and queuing in a wireless network
US11706279B2 (en) 2007-01-24 2023-07-18 Icontrol Networks, Inc. Methods and systems for data communication
EP2109986A2 (en) * 2007-02-05 2009-10-21 Bandspeed, Inc. Approach for mitigating the effects of rogue wireless access points
US7516049B2 (en) * 2007-02-19 2009-04-07 Microsoft Corporation Wireless performance analysis system
US8155662B2 (en) * 2007-02-19 2012-04-10 Microsoft Corporation Self-configuring wireless network location system
US7633385B2 (en) 2007-02-28 2009-12-15 Ucontrol, Inc. Method and system for communicating with and controlling an alarm system from a remote server
US8451986B2 (en) 2007-04-23 2013-05-28 Icontrol Networks, Inc. Method and system for automatically providing alternate network access for telecommunications
WO2008143898A2 (en) * 2007-05-14 2008-11-27 Picongen Wireless Inc. Wireless multimedia system
US9100124B2 (en) 2007-05-24 2015-08-04 Federal Law Enforcement Development Services, Inc. LED Light Fixture
US9414458B2 (en) 2007-05-24 2016-08-09 Federal Law Enforcement Development Services, Inc. LED light control assembly and system
US9455783B2 (en) 2013-05-06 2016-09-27 Federal Law Enforcement Development Services, Inc. Network security and variable pulse wave form with continuous communication
US11265082B2 (en) 2007-05-24 2022-03-01 Federal Law Enforcement Development Services, Inc. LED light control assembly and system
US8188879B2 (en) 2007-05-24 2012-05-29 Federal Law Enforcement Development Services, Inc. LED light global positioning and routing communication system
US7929964B2 (en) * 2007-06-08 2011-04-19 Alcatel-Lucent Usa Inc. Managing mobile station Wi-Fi communications
US11316753B2 (en) 2007-06-12 2022-04-26 Icontrol Networks, Inc. Communication protocols in integrated systems
US12003387B2 (en) 2012-06-27 2024-06-04 Comcast Cable Communications, Llc Control system user interface
US11423756B2 (en) 2007-06-12 2022-08-23 Icontrol Networks, Inc. Communication protocols in integrated systems
US11646907B2 (en) 2007-06-12 2023-05-09 Icontrol Networks, Inc. Communication protocols in integrated systems
US10523689B2 (en) 2007-06-12 2019-12-31 Icontrol Networks, Inc. Communication protocols over internet protocol (IP) networks
US11212192B2 (en) 2007-06-12 2021-12-28 Icontrol Networks, Inc. Communication protocols in integrated systems
US11218878B2 (en) 2007-06-12 2022-01-04 Icontrol Networks, Inc. Communication protocols in integrated systems
US11601810B2 (en) 2007-06-12 2023-03-07 Icontrol Networks, Inc. Communication protocols in integrated systems
US10223903B2 (en) 2010-09-28 2019-03-05 Icontrol Networks, Inc. Integrated security system with parallel processing architecture
US11831462B2 (en) 2007-08-24 2023-11-28 Icontrol Networks, Inc. Controlling data routing in premises management systems
US8902904B2 (en) 2007-09-07 2014-12-02 Trapeze Networks, Inc. Network assignment based on priority
US7970894B1 (en) 2007-11-15 2011-06-28 Airtight Networks, Inc. Method and system for monitoring of wireless devices in local area computer networks
US8238942B2 (en) 2007-11-21 2012-08-07 Trapeze Networks, Inc. Wireless station location detection
US11916928B2 (en) 2008-01-24 2024-02-27 Icontrol Networks, Inc. Communication protocols over internet protocol (IP) networks
US8150357B2 (en) 2008-03-28 2012-04-03 Trapeze Networks, Inc. Smoothing filter for irregular update intervals
US8893252B1 (en) * 2008-04-16 2014-11-18 Meru Networks Wireless communication selective barrier
US20170185278A1 (en) 2008-08-11 2017-06-29 Icontrol Networks, Inc. Automation system user interface
US8978105B2 (en) 2008-07-25 2015-03-10 Trapeze Networks, Inc. Affirming network relationships and resource access via related networks
US11729255B2 (en) 2008-08-11 2023-08-15 Icontrol Networks, Inc. Integrated cloud system with lightweight gateway for premises automation
US11792036B2 (en) 2008-08-11 2023-10-17 Icontrol Networks, Inc. Mobile premises automation platform
US11758026B2 (en) 2008-08-11 2023-09-12 Icontrol Networks, Inc. Virtual device systems and methods
US8238298B2 (en) 2008-08-29 2012-08-07 Trapeze Networks, Inc. Picking an optimal channel for an access point in a wireless network
EP2351296A4 (en) * 2008-10-31 2015-01-07 Hewlett Packard Development Co Method and apparatus for network intrusion detection
JP4672780B2 (en) * 2009-03-18 2011-04-20 株式会社東芝 Network monitoring apparatus and network monitoring method
US20100246416A1 (en) * 2009-03-25 2010-09-30 Amit Sinha Systems and methods for remote testing of wireless lan access points
US8890773B1 (en) 2009-04-01 2014-11-18 Federal Law Enforcement Development Services, Inc. Visible light transceiver glasses
US8638211B2 (en) 2009-04-30 2014-01-28 Icontrol Networks, Inc. Configurable controller and interface for home SMA, phone and multimedia
US8694624B2 (en) * 2009-05-19 2014-04-08 Symbol Technologies, Inc. Systems and methods for concurrent wireless local area network access and sensing
CN101895964B (en) * 2009-05-21 2013-03-20 鸿富锦精密工业(深圳)有限公司 Mobile station and method for scanning service group identification code by mobile station
JP5246034B2 (en) * 2009-05-22 2013-07-24 富士通株式会社 Packet transmission / reception system, packet transmission / reception device, and packet transmission / reception method
EP2460321A1 (en) * 2009-07-31 2012-06-06 Hewlett-Packard Development Company, L. P. Method for detection of a rogue wireless access point
US9531844B2 (en) * 2009-10-01 2016-12-27 Sony Corporation Automatic internet connection sharing among related devices
US20110107417A1 (en) * 2009-10-30 2011-05-05 Balay Rajini I Detecting AP MAC Spoofing
US9197420B2 (en) * 2010-01-06 2015-11-24 International Business Machines Corporation Using information in a digital certificate to authenticate a network of a wireless access point
JP2013523043A (en) 2010-03-22 2013-06-13 エルアールディシー システムズ、エルエルシー How to identify and protect the integrity of a source dataset
US8402516B2 (en) * 2010-05-06 2013-03-19 Jonathan Weizman Apparatus and method for establishing a peer-to-peer communication session with a host device
US8402515B2 (en) * 2010-05-06 2013-03-19 Jonathan Weizman Apparatus and method for establishing a peer-to-peer communication session with a client device
US8836467B1 (en) 2010-09-28 2014-09-16 Icontrol Networks, Inc. Method, system and apparatus for automated reporting of account and sensor zone information to a central station
US11750414B2 (en) 2010-12-16 2023-09-05 Icontrol Networks, Inc. Bidirectional security sensor communication for a premises security system
US9147337B2 (en) 2010-12-17 2015-09-29 Icontrol Networks, Inc. Method and system for logging security event data
US8763075B2 (en) * 2011-03-07 2014-06-24 Adtran, Inc. Method and apparatus for network access control
US8566900B1 (en) * 2011-05-23 2013-10-22 Palo Alto Networks, Inc. Using geographical information in policy enforcement
WO2013036794A1 (en) * 2011-09-08 2013-03-14 Drexel University Reconfigurable antenna based solutions for device authentication and instrusion detection in wireless networks
US9279878B2 (en) 2012-03-27 2016-03-08 Microsoft Technology Licensing, Llc Locating a mobile device
US9166732B2 (en) * 2012-04-19 2015-10-20 At&T Mobility Ii Llc Facilitation of security employing a femto cell access point
CN102752756A (en) * 2012-06-08 2012-10-24 深信服网络科技(深圳)有限公司 Method and device for preventing surfing the Internet by privately connecting wireless access point (AP)
US9612121B2 (en) 2012-12-06 2017-04-04 Microsoft Technology Licensing, Llc Locating position within enclosure
CN102984165B (en) * 2012-12-07 2016-04-13 广州杰赛科技股份有限公司 Wireless network secure supervisory control system and method
US9380644B2 (en) * 2012-12-21 2016-06-28 Hewlett Packard Enterprise Development Lp Access points to provide event notifications
US20140254389A1 (en) * 2013-03-05 2014-09-11 Qualcomm Incorporated Systems and methods for monitoring wireless communications
US10084791B2 (en) 2013-08-14 2018-09-25 Daniel Chien Evaluating a questionable network communication
US20150198941A1 (en) 2014-01-15 2015-07-16 John C. Pederson Cyber Life Electronic Networking and Commerce Operating Exchange
US11405463B2 (en) 2014-03-03 2022-08-02 Icontrol Networks, Inc. Media content management
US9407659B2 (en) * 2014-04-23 2016-08-02 Arbor Networks, Inc. Protecting computing assets from resource intensive querying attacks
RU2695510C2 (en) * 2014-06-13 2019-07-23 Филипс Лайтинг Холдинг Б.В. Localization based on network of wireless nodes
US10085328B2 (en) 2014-08-11 2018-09-25 RAB Lighting Inc. Wireless lighting control systems and methods
US10039174B2 (en) 2014-08-11 2018-07-31 RAB Lighting Inc. Systems and methods for acknowledging broadcast messages in a wireless lighting control network
US10531545B2 (en) 2014-08-11 2020-01-07 RAB Lighting Inc. Commissioning a configurable user control device for a lighting control system
US9661497B2 (en) * 2014-08-28 2017-05-23 Cisco Technology, Inc. Control and enhancement of direct wireless service communications
CN104219670B (en) * 2014-09-03 2018-06-08 珠海市君天电子科技有限公司 Identify method, client and the system of falseness wifi
US20160165449A1 (en) * 2014-12-03 2016-06-09 Intel Corporation Notification of unauthorized wireless network devices
US20160164889A1 (en) * 2014-12-03 2016-06-09 Fortinet, Inc. Rogue access point detection
US9787719B2 (en) 2015-02-26 2017-10-10 Symantec Corporation Trusted third party broker for collection and private sharing of successful computer security practices
US9794290B2 (en) * 2015-02-26 2017-10-17 Symantec Corporation Quantitative security improvement system based on crowdsourcing
US20150339900A1 (en) * 2015-04-27 2015-11-26 Michael Lewis Moravitz Home satellite surveillance defense
US9350759B1 (en) * 2015-06-18 2016-05-24 Hak5 Llc Network security appliance to imitate a wireless access point of a local area network through coordination of multiple radios
US20170048953A1 (en) 2015-08-11 2017-02-16 Federal Law Enforcement Development Services, Inc. Programmable switch and system
GB201521137D0 (en) * 2015-12-01 2016-01-13 Qatar Foundation For Education Science And Community Dev Honeybot: Mobile Honeypot detection and isolation techniques for adhoc malicious communications
US10419458B2 (en) 2016-01-21 2019-09-17 Cyiot Ltd Distributed techniques for detecting atypical or malicious wireless communications activity
US10257226B2 (en) 2016-03-24 2019-04-09 802 Secure, Inc. Identifying and trapping wireless based attacks on networks using deceptive network emulation
US10594731B2 (en) * 2016-03-24 2020-03-17 Snowflake Inc. Systems, methods, and devices for securely managing network connections
US20190199833A1 (en) * 2016-05-18 2019-06-27 Nec Corporation Transmission device, method, program, and recording medium
US10158998B2 (en) * 2016-06-21 2018-12-18 Qualcomm Incorporated Network path probing using available network connections
US10542006B2 (en) 2016-11-22 2020-01-21 Daniel Chien Network security based on redirection of questionable network access
US10382436B2 (en) 2016-11-22 2019-08-13 Daniel Chien Network security based on device identifiers and network addresses
US10348614B2 (en) * 2017-03-02 2019-07-09 International Business Machines Corporation Debugging device with serial and Ethernet console module and hardware bypass
DE102017128615A1 (en) * 2017-12-01 2019-06-06 Balluff Gmbh Device and method for detecting spoofers in a wireless IO-Link communication network
US11336621B2 (en) * 2018-05-08 2022-05-17 Shlomo Touboul WiFiwall
EP3821409A1 (en) * 2018-07-13 2021-05-19 Carrier Corporation Radio frequency presence alert system
EP3841779A1 (en) 2018-08-24 2021-06-30 British Telecommunications public limited company Identification of wireless transmissions carried by a wireless network
GB2576576B (en) * 2018-08-24 2021-03-03 British Telecomm Identification of channels in a wireless network
US11188622B2 (en) 2018-09-28 2021-11-30 Daniel Chien Systems and methods for computer security
US10826912B2 (en) 2018-12-14 2020-11-03 Daniel Chien Timestamp-based authentication
US10848489B2 (en) 2018-12-14 2020-11-24 Daniel Chien Timestamp-based authentication with redirection
CN111435562B (en) * 2019-01-11 2024-05-24 开利公司 Method of processing environmental radio frequency data for activity recognition
US10924786B2 (en) 2019-05-08 2021-02-16 Nanning Fugui Precision Industrial Co., Ltd. Method for shaping video streams and set-up box using the method
US10966140B2 (en) * 2019-06-17 2021-03-30 Nanning Fugui Precision Industrial Co., Ltd. Method for detecting and filtering out unauthorized wireless access point and device using the method
US10958557B2 (en) * 2019-07-31 2021-03-23 International Business Machines Corporation Automated deployment of a private monitoring network
US11677754B2 (en) 2019-12-09 2023-06-13 Daniel Chien Access control systems and methods
US11445423B2 (en) 2020-05-29 2022-09-13 Cisco Technology, Inc. Network environment health monitoring
US11438145B2 (en) 2020-05-31 2022-09-06 Daniel Chien Shared key generation based on dual clocks
US11509463B2 (en) 2020-05-31 2022-11-22 Daniel Chien Timestamp-based shared key generation
US20220322142A1 (en) * 2021-04-05 2022-10-06 Booz Allen Hamilton Inc. Scanning system

Citations (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6363056B1 (en) * 1998-07-15 2002-03-26 International Business Machines Corporation Low overhead continuous monitoring of network performance
US20030135762A1 (en) * 2002-01-09 2003-07-17 Peel Wireless, Inc. Wireless networks security system
US20030186679A1 (en) * 2002-03-27 2003-10-02 International Business Machines Corporation Methods, apparatus and program product for monitoring network security
US20030217289A1 (en) * 2002-05-17 2003-11-20 Ken Ammon Method and system for wireless intrusion detection
US20030221006A1 (en) * 2002-04-04 2003-11-27 Chia-Chee Kuan Detecting an unauthorized station in a wireless local area network
US6697337B1 (en) * 2001-09-17 2004-02-24 Networks Associates Technology, Inc. Method and apparatus for capture, analysis and display of packet information sent in an IEEE 802.11 wireless network
US6697870B1 (en) * 2000-01-28 2004-02-24 Networks Associates Technology, Inc. Method and apparatus for real-time protocol analysis using an auto-throttling front end process
US20040049695A1 (en) * 2002-09-06 2004-03-11 Choi Yang Seo System for providing a real-time attacking connection traceback using a packet watermark insertion technique and method therefor
US20040049699A1 (en) * 2002-09-06 2004-03-11 Capital One Financial Corporation System and method for remotely monitoring wireless networks
US20040085906A1 (en) * 2001-04-27 2004-05-06 Hisamichi Ohtani Packet tracing system
US20040252837A1 (en) * 2003-04-03 2004-12-16 Elaine Harvey Method and system for detecting characteristics of a wireless network
US20050007961A1 (en) * 2003-07-09 2005-01-13 Fujitsu Network Communications, Inc. Processing data packets using markers
US20050030929A1 (en) * 2003-07-15 2005-02-10 Highwall Technologies, Llc Device and method for detecting unauthorized, "rogue" wireless LAN access points
US20050037733A1 (en) * 2003-08-12 2005-02-17 3E Technologies, International, Inc. Method and system for wireless intrusion detection prevention and security management
US7002943B2 (en) * 2003-12-08 2006-02-21 Airtight Networks, Inc. Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US20060150250A1 (en) * 2004-12-20 2006-07-06 Lee Sok J Intrusion detection sensor detecting attacks against wireless network and system and method of detecting wireless network intrusion
US20060209700A1 (en) * 2005-03-11 2006-09-21 Airmagnet, Inc. Tracing an access point in a wireless network
US20070088981A1 (en) * 2005-05-20 2007-04-19 Noble Gayle L Wireless Diagnostic Systems Management
US20070094741A1 (en) * 2002-05-20 2007-04-26 Airdefense, Inc. Active Defense Against Wireless Intruders
US7216365B2 (en) * 2004-02-11 2007-05-08 Airtight Networks, Inc. Automated sniffer apparatus and method for wireless local area network security
US7248858B2 (en) * 2002-05-04 2007-07-24 Broadcom Corporation Visitor gateway in a wireless network
US20070180244A1 (en) * 2001-07-27 2007-08-02 Halasz David E Rogue access point detection
US20070189194A1 (en) * 2002-05-20 2007-08-16 Airdefense, Inc. Method and System for Wireless LAN Dynamic Channel Change with Honeypot Trap
US7286835B1 (en) * 2004-09-10 2007-10-23 Airespace, Inc. Enhanced wireless node location using differential signal strength metric
US7286833B2 (en) * 2004-02-27 2007-10-23 Airespace, Inc. Selective termination of wireless connections to refresh signal information in wireless node location infrastructure
US7331061B1 (en) * 2001-09-07 2008-02-12 Secureworks, Inc. Integrated computer security management system and method
US7336670B1 (en) * 2003-06-30 2008-02-26 Airespace, Inc. Discovery of rogue access point location in wireless network environments
US20080052779A1 (en) * 2006-08-11 2008-02-28 Airdefense, Inc. Methods and Systems For Wired Equivalent Privacy and Wi-Fi Protected Access Protection
US7339914B2 (en) * 2004-02-11 2008-03-04 Airtight Networks, Inc. Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US7346338B1 (en) * 2003-04-04 2008-03-18 Airespace, Inc. Wireless network system including integrated rogue access point detection
US7370362B2 (en) * 2005-03-03 2008-05-06 Cisco Technology, Inc. Method and apparatus for locating rogue access point switch ports in a wireless network
US7440434B2 (en) * 2004-02-11 2008-10-21 Airtight Networks, Inc. Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods
US20090034431A1 (en) * 2007-07-31 2009-02-05 Symbol Technologies, Inc. ENTERPRISE NETWORK ARCHITECTURE FOR IMPLEMENTING A VIRTUAL PRIVATE NETWORK FOR WIRELESS USERS BY MAPPING WIRELESS LANs TO IP TUNNELS
US7570625B1 (en) * 2006-01-10 2009-08-04 Tw Acquisition, Inc. Detection of wireless devices
US7646744B2 (en) * 2003-04-07 2010-01-12 Shaolin Li Method of operating multi-antenna wireless data processing system
US7672283B1 (en) * 2006-09-28 2010-03-02 Trend Micro Incorporated Detecting unauthorized wireless devices in a network

Family Cites Families (142)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4914546A (en) 1989-02-03 1990-04-03 Micrel Incorporated Stacked multi-polysilicon layer capacitor
US5354701A (en) 1991-04-18 1994-10-11 Industrial Technology Research Institute Doubled stacked trench capacitor DRAM and method of fabricating
US5187637A (en) 1992-02-14 1993-02-16 At&T Bell Laboratories Monolithic high-voltage capacitor
US5301150A (en) 1992-06-22 1994-04-05 Intel Corporation Flash erasable single poly EPROM device
DE19505081C2 (en) 1994-02-17 1999-11-25 Murata Manufacturing Co High voltage capacitor and process for its manufacture
NO942031L (en) 1994-06-01 1995-12-04 Ericsson As Creative Engineeri System for monitoring telephone networks and / or data communication networks, especially mobile telephone networks
US6411997B1 (en) * 1995-11-16 2002-06-25 Loran Network Systems Llc Method of determining the topology of a network of objects
US5908442A (en) 1996-04-12 1999-06-01 Survivalink Corporation Stepped truncated damped sinusoidal defibrillation waveform
KR100207491B1 (en) 1996-08-21 1999-07-15 윤종용 Liquid crystal display device and its manufacturing method
US6519723B1 (en) 1996-09-27 2003-02-11 Applied Digital Access, Inc. Firewall performance monitoring and limited access system
US6353406B1 (en) 1996-10-17 2002-03-05 R.F. Technologies, Inc. Dual mode tracking system
US5987611A (en) 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
FI971540A (en) 1997-04-11 1998-10-12 Nokia Telecommunications Oy Procedure for determining the effect of radio wave multipath fading
US6463475B1 (en) 1997-09-26 2002-10-08 3Com Corporation Method and device for tunnel switching
US6092110A (en) 1997-10-23 2000-07-18 At&T Wireless Svcs. Inc. Apparatus for filtering packets using a dedicated processor
US6414634B1 (en) 1997-12-04 2002-07-02 Lucent Technologies Inc. Detecting the geographical location of wireless units
US5926064A (en) 1998-01-23 1999-07-20 National Semiconductor Corporation Floating MOS capacitor
US6252544B1 (en) 1998-01-27 2001-06-26 Steven M. Hoffberg Mobile communication device
US6137153A (en) 1998-02-13 2000-10-24 Advanced Micro Devices, Inc. Floating gate capacitor for use in voltage regulators
US6262469B1 (en) 1998-03-25 2001-07-17 Advanced Micro Devices, Inc. Capacitor for use in a capacitor divider that has a floating gate transistor as a corresponding capacitor
US6049789A (en) * 1998-06-24 2000-04-11 Mentor Graphics Corporation Software pay per use licensing system
US6242989B1 (en) 1998-09-12 2001-06-05 Agere Systems Guardian Corp. Article comprising a multi-port variable capacitor
US6269246B1 (en) 1998-09-22 2001-07-31 Ppm, Inc. Location determination using RF fingerprinting
US6393294B1 (en) 1998-09-22 2002-05-21 Polaris Wireless, Inc. Location determination using RF fingerprinting
US7418504B2 (en) 1998-10-30 2008-08-26 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US6799047B1 (en) 1999-02-25 2004-09-28 Microsoft Corporation Locating and tracking a user in a wireless network through environmentally profiled data
US6839560B1 (en) 1999-02-25 2005-01-04 Microsoft Corporation Using a derived table of signal strength data to locate and track a user in a wireless network
US6701432B1 (en) 1999-04-01 2004-03-02 Netscreen Technologies, Inc. Firewall including local bus
US6618355B1 (en) 1999-05-07 2003-09-09 Carriercomm, Inc. Service tariffing based on usage indicators in a radio based network
US7307980B1 (en) 1999-07-02 2007-12-11 Cisco Technology, Inc. Change of codec during an active call
US6735702B1 (en) 1999-08-31 2004-05-11 Intel Corporation Method and system for diagnosing network intrusion
DE10021867A1 (en) 2000-05-05 2001-11-15 Infineon Technologies Ag Voltage controlled capacitor for voltage controlled oscillators comprises two voltage dependent capacitors in parallel
WO2001093531A2 (en) 2000-05-31 2001-12-06 Invicta Networks, Inc. Systems and methods for distributed network protection
US7089303B2 (en) 2000-05-31 2006-08-08 Invicta Networks, Inc. Systems and methods for distributed network protection
US6633761B1 (en) * 2000-08-11 2003-10-14 Reefedge, Inc. Enabling seamless user mobility in a short-range wireless networking environment
US7181769B1 (en) * 2000-08-25 2007-02-20 Ncircle Network Security, Inc. Network security system having a device profiler communicatively coupled to a traffic monitor
JP4130525B2 (en) 2000-09-18 2008-08-06 株式会社東芝 Capacitor mounting structure
FI111901B (en) 2000-12-29 2003-09-30 Ekahau Oy Estimation of position in wireless communication networks
US7127524B1 (en) 2000-12-29 2006-10-24 Vernier Networks, Inc. System and method for providing access to a network with selective network address translation
US7016325B2 (en) * 2001-01-18 2006-03-21 Strix Systems, Inc. Link context mobility method and system for providing such mobility, such as a system employing short range frequency hopping spread spectrum wireless protocols
US7536715B2 (en) 2001-05-25 2009-05-19 Secure Computing Corporation Distributed firewall system and method
US7181547B1 (en) * 2001-06-28 2007-02-20 Fortinet, Inc. Identifying nodes in a ring network
US6618005B2 (en) 2001-06-29 2003-09-09 Intel Corporation Determining wireless device locations
US20030009585A1 (en) * 2001-07-06 2003-01-09 Brian Antoine Dynamic policy based routing
US7222359B2 (en) 2001-07-27 2007-05-22 Check Point Software Technologies, Inc. System methodology for automatic local network discovery and firewall reconfiguration for mobile computing devices
US20030033463A1 (en) 2001-08-10 2003-02-13 Garnett Paul J. Computer system storage
US6664909B1 (en) 2001-08-13 2003-12-16 Impinj, Inc. Method and apparatus for trimming high-resolution digital-to-analog converter
US8195950B2 (en) * 2001-08-15 2012-06-05 Optimum Path LLC Secure and seamless wireless public domain wide area network and method of using the same
JP3672889B2 (en) 2001-08-29 2005-07-20 Necエレクトロニクス株式会社 Semiconductor integrated circuit and layout method thereof
JP2005525003A (en) 2001-09-05 2005-08-18 ニューベリイ ネットワークス,インコーポレーテッド Location detection and location tracking in wireless networks
WO2003029916A2 (en) * 2001-09-28 2003-04-10 Bluesocket, Inc. Method and system for managing data traffic in wireless networks
US7035633B2 (en) * 2001-10-23 2006-04-25 Bellsouth Intellectual Property Corporation Apparatus for providing a gateway between a wired telephone and a wireless telephone network
US20030106067A1 (en) * 2001-11-30 2003-06-05 Hoskins Steve J. Integrated internet protocol (IP) gateway services in an RF cable network
US7873985B2 (en) * 2002-01-08 2011-01-18 Verizon Services Corp. IP based security applications using location, port and/or device identifier information
US6788658B1 (en) * 2002-01-11 2004-09-07 Airflow Networks Wireless communication system architecture having split MAC layer
US7508799B2 (en) 2002-01-29 2009-03-24 Arch Wireless Operating Company, Inc. Managing wireless network data
US6745333B1 (en) * 2002-01-31 2004-06-01 3Com Corporation Method for detecting unauthorized network access by having a NIC monitor for packets purporting to be from itself
SE0200311D0 (en) * 2002-01-31 2002-01-31 Ericsson Telefon Ab L M Method and system of channel resource allocation
US20030149891A1 (en) 2002-02-01 2003-08-07 Thomsen Brant D. Method and device for providing network security by causing collisions
US6897776B1 (en) * 2002-02-06 2005-05-24 Intermec Ip Corp. Electronic countermeasure (ECM) system and method
US7650634B2 (en) * 2002-02-08 2010-01-19 Juniper Networks, Inc. Intelligent integrated network security device
US7154888B1 (en) 2002-02-08 2006-12-26 Cisco Technology, Inc. Method for classifying packets using multi-class structures
US20030161265A1 (en) * 2002-02-25 2003-08-28 Jingjun Cao System for end user monitoring of network service conditions across heterogeneous networks
US6754488B1 (en) 2002-03-01 2004-06-22 Networks Associates Technologies, Inc. System and method for detecting and locating access points in a wireless network
BR0215667A (en) * 2002-03-27 2006-06-06 Ibm wireless access point program method, device, and products
US7243368B2 (en) 2002-03-29 2007-07-10 Hewlett-Packard Development Company, L.P. Access control system and method for a networked computer system
US7236460B2 (en) 2002-03-29 2007-06-26 Airmagnet, Inc. Detecting a counterfeit access point in a wireless local area network
GB2389483A (en) 2002-04-11 2003-12-10 Apoapsis Ltd Wireless monitoring for performance and security of network
FI20020733A0 (en) 2002-04-16 2002-04-16 Nokia Corp Method and system for verifying the user of a data transfer device
US6664925B1 (en) 2002-05-02 2003-12-16 Microsoft Corporation Method and system for determining the location of a mobile computer
US20040206999A1 (en) 2002-05-09 2004-10-21 Impinj, Inc., A Delaware Corporation Metal dielectric semiconductor floating gate variable capacitor
US7383577B2 (en) * 2002-05-20 2008-06-03 Airdefense, Inc. Method and system for encrypted network management and intrusion detection
US7277404B2 (en) 2002-05-20 2007-10-02 Airdefense, Inc. System and method for sensing wireless LAN activity
US7532895B2 (en) * 2002-05-20 2009-05-12 Air Defense, Inc. Systems and methods for adaptive location tracking
US20040203764A1 (en) 2002-06-03 2004-10-14 Scott Hrastar Methods and systems for identifying nodes and mapping their locations
US7086089B2 (en) 2002-05-20 2006-08-01 Airdefense, Inc. Systems and methods for network security
US7212837B1 (en) 2002-05-24 2007-05-01 Airespace, Inc. Method and system for hierarchical processing of protocol information in a wireless LAN
US7322044B2 (en) 2002-06-03 2008-01-22 Airdefense, Inc. Systems and methods for automated network policy exception detection and correction
US20030229703A1 (en) * 2002-06-06 2003-12-11 International Business Machines Corporation Method and apparatus for identifying intrusions into a network data processing system
US20050226195A1 (en) 2002-06-07 2005-10-13 Paris Matteo N Monitoring network traffic
US20030232598A1 (en) * 2002-06-13 2003-12-18 Daniel Aljadeff Method and apparatus for intrusion management in a wireless network using physical location determination
US7327697B1 (en) 2002-06-25 2008-02-05 Airespace, Inc. Method and system for dynamically assigning channels across multiple radios in a wireless LAN
US7965842B2 (en) 2002-06-28 2011-06-21 Wavelink Corporation System and method for detecting unauthorized wireless access points
US7042867B2 (en) * 2002-07-29 2006-05-09 Meshnetworks, Inc. System and method for determining physical location of a node in a wireless network during an authentication check of the node
US7068999B2 (en) * 2002-08-02 2006-06-27 Symbol Technologies, Inc. System and method for detection of a rogue wireless access point in a wireless communication network
US7082117B2 (en) 2002-08-12 2006-07-25 Harris Corporation Mobile ad-hoc network with intrusion detection features and related methods
US20040203870A1 (en) 2002-08-20 2004-10-14 Daniel Aljadeff Method and system for location finding in a wireless local area network
US20040047356A1 (en) 2002-09-06 2004-03-11 Bauer Blaine D. Network traffic monitoring
AU2003279071A1 (en) 2002-09-23 2004-04-08 Wimetrics Corporation System and method for wireless local area network monitoring and intrusion detection
US6957067B1 (en) * 2002-09-24 2005-10-18 Aruba Networks System and method for monitoring and enforcing policy within a wireless network
EP1406415B1 (en) 2002-10-01 2008-02-20 NEC Infrontia Corporation Bridge apparatus and bridge method
US6963289B2 (en) 2002-10-18 2005-11-08 Aeroscout, Ltd. Wireless local area network (WLAN) channel radio-frequency identification (RFID) tag system and method therefor
US7540028B2 (en) 2002-10-25 2009-05-26 Intel Corporation Dynamic network security apparatus and methods or network processors
US7350077B2 (en) 2002-11-26 2008-03-25 Cisco Technology, Inc. 802.11 using a compressed reassociation exchange to facilitate fast handoff
US7184777B2 (en) 2002-11-27 2007-02-27 Cognio, Inc. Server and multiple sensor system for monitoring activity in a shared radio frequency band
US7526800B2 (en) * 2003-02-28 2009-04-28 Novell, Inc. Administration of protection of data accessible by a mobile device
US20040203910A1 (en) 2002-12-31 2004-10-14 International Business Machines Corporation Spatial boundary admission control for wireless networks
US20040143751A1 (en) 2003-01-17 2004-07-22 Cyrus Peikari Protection of embedded processing systems with a configurable, integrated, embedded firewall
US7460505B2 (en) 2003-02-04 2008-12-02 Polaris Wireless, Inc. Location estimation of wireless terminals through pattern matching of signal-strength differentials
US7342906B1 (en) 2003-04-04 2008-03-11 Airespace, Inc. Distributed wireless network security system
US7941855B2 (en) 2003-04-14 2011-05-10 New Mexico Technical Research Foundation Computationally intelligent agents for distributed intrusion detection system and method of practicing same
US7355996B2 (en) * 2004-02-06 2008-04-08 Airdefense, Inc. Systems and methods for adaptive monitoring with bandwidth constraints
US20040210654A1 (en) * 2003-04-21 2004-10-21 Hrastar Scott E. Systems and methods for determining wireless network topology
US7522908B2 (en) * 2003-04-21 2009-04-21 Airdefense, Inc. Systems and methods for wireless network site survey
US7359676B2 (en) * 2003-04-21 2008-04-15 Airdefense, Inc. Systems and methods for adaptively scanning for wireless communications
US7324804B2 (en) 2003-04-21 2008-01-29 Airdefense, Inc. Systems and methods for dynamic sensor discovery and selection
WO2004095192A2 (en) 2003-04-21 2004-11-04 Airdefense, Inc. Systems and methods for securing wireless computer networks
US20040255167A1 (en) 2003-04-28 2004-12-16 Knight James Michael Method and system for remote network security management
US20040235453A1 (en) 2003-05-23 2004-11-25 Chia-Hung Chen Access point incorporating a function of monitoring illegal wireless communications
US7340247B1 (en) 2003-05-29 2008-03-04 Airespace, Inc. Wireless network infrastructure including wireless discovery and communication mechanism
US20050025182A1 (en) 2003-06-25 2005-02-03 Ala Nazari Systems and methods using multiprotocol communication
US7539169B1 (en) 2003-06-30 2009-05-26 Cisco Systems, Inc. Directed association mechanism in wireless network environments
US7228564B2 (en) * 2003-07-24 2007-06-05 Hewlett-Packard Development Company, L.P. Method for configuring a network intrusion detection system
US7286515B2 (en) 2003-07-28 2007-10-23 Cisco Technology, Inc. Method, apparatus, and software product for detecting rogue access points in a wireless network
US6990428B1 (en) 2003-07-28 2006-01-24 Cisco Technology, Inc. Radiolocation using path loss data
US20050114700A1 (en) 2003-08-13 2005-05-26 Sensory Networks, Inc. Integrated circuit apparatus and method for high throughput signature based network applications
US7676194B2 (en) 2003-08-22 2010-03-09 Rappaport Theodore S Broadband repeater with security for ultrawideband technologies
JP4174392B2 (en) 2003-08-28 2008-10-29 日本電気株式会社 Network unauthorized connection prevention system and network unauthorized connection prevention device
US20050054326A1 (en) 2003-09-09 2005-03-10 Todd Rogers Method and system for securing and monitoring a wireless network
US7110756B2 (en) 2003-10-03 2006-09-19 Cognio, Inc. Automated real-time site survey in a shared frequency band environment
US8179808B2 (en) * 2003-10-31 2012-05-15 Brocade Communication Systems, Inc. Network path tracing method
US8050180B2 (en) * 2003-10-31 2011-11-01 Brocade Communications Systems, Inc. Network path tracing method
US9270643B2 (en) 2003-11-21 2016-02-23 Intel Corporation State-transition based network intrusion detection
US7856209B1 (en) 2003-12-08 2010-12-21 Airtight Networks, Inc. Method and system for location estimation in wireless networks
US7406320B1 (en) 2003-12-08 2008-07-29 Airtight Networks, Inc. Method and system for location estimation in wireless networks
US7302269B1 (en) 2004-03-18 2007-11-27 Cisco Technology, Inc. Radiolocation in a wireless network using time difference of arrival
US7496094B2 (en) 2004-04-06 2009-02-24 Airtight Networks, Inc. Method and system for allowing and preventing wireless devices to transmit wireless signals
US20060165073A1 (en) 2004-04-06 2006-07-27 Airtight Networks, Inc., (F/K/A Wibhu Technologies, Inc.) Method and a system for regulating, disrupting and preventing access to the wireless medium
JP4054341B2 (en) 2004-05-17 2008-02-27 三星電子株式会社 Fast handover method optimized for IEEE 802.11 network
US7447184B1 (en) 2004-09-08 2008-11-04 Airtight Networks, Inc. Method and system for detecting masquerading wireless devices in local area computer networks
US20060058062A1 (en) 2004-09-16 2006-03-16 Airtight Networks, Inc. (Fka Wibhu Technologies, Inc.) Method for wireless network security exposure visualization and scenario analysis
US20060070113A1 (en) 2004-09-16 2006-03-30 Airtight Networks, Inc. (F/K/A Wibhu Technologies, Inc.) Method for wireless network security exposure visualization and scenario analysis
US20060193300A1 (en) 2004-09-16 2006-08-31 Airtight Networks, Inc. (F/K/A Wibhu Technologies, Inc.) Method and apparatus for monitoring multiple network segments in local area networks for compliance with wireless security policy
WO2006035140A1 (en) 2004-09-30 2006-04-06 France Telecom Method, device a program for detecting an unauthorised connection to access points
US20060123133A1 (en) 2004-10-19 2006-06-08 Hrastar Scott E Detecting unauthorized wireless devices on a wired network
FR2881312A1 (en) 2005-01-26 2006-07-28 France Telecom Medium access control Internet protocol spoofing detecting method for e.g. corporate network, involves analyzing data fields of frames and triggering alarm in case of variation detected from analyzed data fields
US7746862B1 (en) * 2005-08-02 2010-06-29 Juniper Networks, Inc. Packet processing in a multiple processor system
US7710933B1 (en) 2005-12-08 2010-05-04 Airtight Networks, Inc. Method and system for classification of wireless devices in local area computer networks
US7577424B2 (en) * 2005-12-19 2009-08-18 Airdefense, Inc. Systems and methods for wireless vulnerability analysis
US20070189290A1 (en) * 2006-02-14 2007-08-16 Packethop, Inc. Dynamic multicasting scheme for mesh networks
EP1892913A1 (en) 2006-08-24 2008-02-27 Siemens Aktiengesellschaft Method and arrangement for providing a wireless mesh network
US7970894B1 (en) 2007-11-15 2011-06-28 Airtight Networks, Inc. Method and system for monitoring of wireless devices in local area computer networks

Patent Citations (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6363056B1 (en) * 1998-07-15 2002-03-26 International Business Machines Corporation Low overhead continuous monitoring of network performance
US6697870B1 (en) * 2000-01-28 2004-02-24 Networks Associates Technology, Inc. Method and apparatus for real-time protocol analysis using an auto-throttling front end process
US20040085906A1 (en) * 2001-04-27 2004-05-06 Hisamichi Ohtani Packet tracing system
US20070180244A1 (en) * 2001-07-27 2007-08-02 Halasz David E Rogue access point detection
US7331061B1 (en) * 2001-09-07 2008-02-12 Secureworks, Inc. Integrated computer security management system and method
US20080115204A1 (en) * 2001-09-07 2008-05-15 Jon Ramsey Intergrated computer security management system and method
US6697337B1 (en) * 2001-09-17 2004-02-24 Networks Associates Technology, Inc. Method and apparatus for capture, analysis and display of packet information sent in an IEEE 802.11 wireless network
US20030135762A1 (en) * 2002-01-09 2003-07-17 Peel Wireless, Inc. Wireless networks security system
US20030186679A1 (en) * 2002-03-27 2003-10-02 International Business Machines Corporation Methods, apparatus and program product for monitoring network security
US20030221006A1 (en) * 2002-04-04 2003-11-27 Chia-Chee Kuan Detecting an unauthorized station in a wireless local area network
US7248858B2 (en) * 2002-05-04 2007-07-24 Broadcom Corporation Visitor gateway in a wireless network
US20030217289A1 (en) * 2002-05-17 2003-11-20 Ken Ammon Method and system for wireless intrusion detection
US20070189194A1 (en) * 2002-05-20 2007-08-16 Airdefense, Inc. Method and System for Wireless LAN Dynamic Channel Change with Honeypot Trap
US20070094741A1 (en) * 2002-05-20 2007-04-26 Airdefense, Inc. Active Defense Against Wireless Intruders
US20040049699A1 (en) * 2002-09-06 2004-03-11 Capital One Financial Corporation System and method for remotely monitoring wireless networks
US20040049695A1 (en) * 2002-09-06 2004-03-11 Choi Yang Seo System for providing a real-time attacking connection traceback using a packet watermark insertion technique and method therefor
US7316031B2 (en) * 2002-09-06 2008-01-01 Capital One Financial Corporation System and method for remotely monitoring wireless networks
US20040252837A1 (en) * 2003-04-03 2004-12-16 Elaine Harvey Method and system for detecting characteristics of a wireless network
US7346338B1 (en) * 2003-04-04 2008-03-18 Airespace, Inc. Wireless network system including integrated rogue access point detection
US7646744B2 (en) * 2003-04-07 2010-01-12 Shaolin Li Method of operating multi-antenna wireless data processing system
US7336670B1 (en) * 2003-06-30 2008-02-26 Airespace, Inc. Discovery of rogue access point location in wireless network environments
US20080101283A1 (en) * 2003-06-30 2008-05-01 Calhoun Patrice R Discovery of Rogue Access Point Location in Wireless Network Environments
US7453840B1 (en) * 2003-06-30 2008-11-18 Cisco Systems, Inc. Containment of rogue systems in wireless network environments
US20050007961A1 (en) * 2003-07-09 2005-01-13 Fujitsu Network Communications, Inc. Processing data packets using markers
US20050030929A1 (en) * 2003-07-15 2005-02-10 Highwall Technologies, Llc Device and method for detecting unauthorized, "rogue" wireless LAN access points
US7257107B2 (en) * 2003-07-15 2007-08-14 Highwall Technologies, Llc Device and method for detecting unauthorized, “rogue” wireless LAN access points
US20050037733A1 (en) * 2003-08-12 2005-02-17 3E Technologies, International, Inc. Method and system for wireless intrusion detection prevention and security management
US20080102797A1 (en) * 2003-08-12 2008-05-01 3E Technologies, International, Inc. Method and system for wireless intrusion detection, prevention and security management
US20070025313A1 (en) * 2003-12-08 2007-02-01 Airtight Networks, Inc. (F/K/A Wibhu Technologies, Inc.) Method and System for Monitoring a Selected Region of an Airspace Associated with Local Area Networks of computing Devices
US7002943B2 (en) * 2003-12-08 2006-02-21 Airtight Networks, Inc. Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US7440434B2 (en) * 2004-02-11 2008-10-21 Airtight Networks, Inc. Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods
US20080109879A1 (en) * 2004-02-11 2008-05-08 Airtight Networks, Inc. Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US7339914B2 (en) * 2004-02-11 2008-03-04 Airtight Networks, Inc. Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US20070171885A1 (en) * 2004-02-11 2007-07-26 AirTight Networks, Inc.(F/K/A Wibhu Technologies, Inc.) Automated sniffer apparatus and method for wireless local area network security
US7216365B2 (en) * 2004-02-11 2007-05-08 Airtight Networks, Inc. Automated sniffer apparatus and method for wireless local area network security
US7286833B2 (en) * 2004-02-27 2007-10-23 Airespace, Inc. Selective termination of wireless connections to refresh signal information in wireless node location infrastructure
US7286835B1 (en) * 2004-09-10 2007-10-23 Airespace, Inc. Enhanced wireless node location using differential signal strength metric
US20060150250A1 (en) * 2004-12-20 2006-07-06 Lee Sok J Intrusion detection sensor detecting attacks against wireless network and system and method of detecting wireless network intrusion
US7640585B2 (en) * 2004-12-20 2009-12-29 Electronics And Telecommunications Research Institute Intrusion detection sensor detecting attacks against wireless network and system and method of detecting wireless network intrusion
US7370362B2 (en) * 2005-03-03 2008-05-06 Cisco Technology, Inc. Method and apparatus for locating rogue access point switch ports in a wireless network
US20060209700A1 (en) * 2005-03-11 2006-09-21 Airmagnet, Inc. Tracing an access point in a wireless network
US20070088981A1 (en) * 2005-05-20 2007-04-19 Noble Gayle L Wireless Diagnostic Systems Management
US7570625B1 (en) * 2006-01-10 2009-08-04 Tw Acquisition, Inc. Detection of wireless devices
US20080052779A1 (en) * 2006-08-11 2008-02-28 Airdefense, Inc. Methods and Systems For Wired Equivalent Privacy and Wi-Fi Protected Access Protection
US7672283B1 (en) * 2006-09-28 2010-03-02 Trend Micro Incorporated Detecting unauthorized wireless devices in a network
US20090034431A1 (en) * 2007-07-31 2009-02-05 Symbol Technologies, Inc. ENTERPRISE NETWORK ARCHITECTURE FOR IMPLEMENTING A VIRTUAL PRIVATE NETWORK FOR WIRELESS USERS BY MAPPING WIRELESS LANs TO IP TUNNELS

Cited By (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8789191B2 (en) 2004-02-11 2014-07-22 Airtight Networks, Inc. Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US9003527B2 (en) 2004-02-11 2015-04-07 Airtight Networks, Inc. Automated method and system for monitoring local area computer networks for unauthorized wireless access
US9100794B2 (en) * 2005-05-10 2015-08-04 Mobile Communication Technologies, Llc Apparatus for and system for enabling a mobile communicator
US20130252575A1 (en) * 2005-05-10 2013-09-26 Mobile Communication Technologies, Llc Apparatus for and system for enabling a mobile communicator
US10798634B2 (en) 2007-04-27 2020-10-06 Extreme Networks, Inc. Routing method and system for a wireless network
US9338816B2 (en) 2008-05-14 2016-05-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US10880730B2 (en) 2008-05-14 2020-12-29 Extreme Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9787500B2 (en) 2008-05-14 2017-10-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US10700892B2 (en) 2008-05-14 2020-06-30 Extreme Networks Inc. Predictive roaming between subnets
US9590822B2 (en) 2008-05-14 2017-03-07 Aerohive Networks, Inc. Predictive roaming between subnets
US10064105B2 (en) 2008-05-14 2018-08-28 Aerohive Networks, Inc. Predictive roaming between subnets
US10181962B2 (en) 2008-05-14 2019-01-15 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9674892B1 (en) 2008-11-04 2017-06-06 Aerohive Networks, Inc. Exclusive preshared key authentication
US10945127B2 (en) 2008-11-04 2021-03-09 Extreme Networks, Inc. Exclusive preshared key authentication
US9867167B2 (en) 2009-01-21 2018-01-09 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US10772081B2 (en) 2009-01-21 2020-09-08 Extreme Networks, Inc. Airtime-based packet scheduling for wireless networks
US9572135B2 (en) 2009-01-21 2017-02-14 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US10219254B2 (en) 2009-01-21 2019-02-26 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US11115857B2 (en) 2009-07-10 2021-09-07 Extreme Networks, Inc. Bandwidth sentinel
US10412006B2 (en) 2009-07-10 2019-09-10 Aerohive Networks, Inc. Bandwith sentinel
US9900251B1 (en) 2009-07-10 2018-02-20 Aerohive Networks, Inc. Bandwidth sentinel
CN101902744A (en) * 2010-07-28 2010-12-01 南京航空航天大学 Intrusion detection system of wireless sensor network based on sniffer
US10390353B2 (en) 2010-09-07 2019-08-20 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US10966215B2 (en) 2010-09-07 2021-03-30 Extreme Networks, Inc. Distributed channel selection for wireless networks
US9814055B2 (en) 2010-09-07 2017-11-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US20120233694A1 (en) * 2011-03-11 2012-09-13 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US8695095B2 (en) * 2011-03-11 2014-04-08 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US9026779B2 (en) 2011-04-12 2015-05-05 Mobile Communication Technologies, Llc Mobile communicator device including user attentiveness detector
US10139900B2 (en) 2011-04-12 2018-11-27 Mobile Communication Technologies, Llc Mobile communicator device including user attentiveness detector
US9026780B2 (en) 2011-04-12 2015-05-05 Mobile Communication Technologies, Llc Mobile communicator device including user attentiveness detector
US8995945B2 (en) 2011-08-30 2015-03-31 Mobile Communication Technologies, Llc Mobile communicator and system
US20130081137A1 (en) * 2011-09-23 2013-03-28 Arturo Geigel Simultaneous Determination of a Computer Location and User Identification
US8769688B2 (en) * 2011-09-23 2014-07-01 Universidad Politécnica de P.R. Simultaneous determination of a computer location and user identification
US10833948B2 (en) 2011-10-31 2020-11-10 Extreme Networks, Inc. Zero configuration networking on a subnetted network
US10091065B1 (en) 2011-10-31 2018-10-02 Aerohive Networks, Inc. Zero configuration networking on a subnetted network
US20130212681A1 (en) * 2012-02-15 2013-08-15 Hitachi, Ltd. Security Monitoring System and Security Monitoring Method
US8850582B2 (en) * 2012-02-15 2014-09-30 Hitachi, Ltd. Security monitoring system and security monitoring method
CN108668347A (en) * 2012-06-13 2018-10-16 韩国电子通信研究院 WLAN Dynamic link library identity assignments operating method, base station and access point
US11284345B2 (en) 2012-06-13 2022-03-22 Electronics And Telecommunications Research Institute Method for changing operating mode of wireless LAN system and wireless LAN system
US9729463B2 (en) 2012-06-14 2017-08-08 Aerohive Networks, Inc. Multicast to unicast conversion technique
US10205604B2 (en) 2012-06-14 2019-02-12 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9565125B2 (en) 2012-06-14 2017-02-07 Aerohive Networks, Inc. Multicast to unicast conversion technique
US10523458B2 (en) 2012-06-14 2019-12-31 Extreme Networks, Inc. Multicast to unicast conversion technique
US20140115663A1 (en) * 2012-10-22 2014-04-24 Fujitsu Limited Method for detecting unauthorized access and network monitoring apparatus
US9203848B2 (en) * 2012-10-22 2015-12-01 Fujitsu Limited Method for detecting unauthorized access and network monitoring apparatus
US9413772B2 (en) 2013-03-15 2016-08-09 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US10542035B2 (en) 2013-03-15 2020-01-21 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US10389650B2 (en) 2013-03-15 2019-08-20 Aerohive Networks, Inc. Building and maintaining a network
US10841104B2 (en) 2013-03-15 2020-11-17 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
US9215075B1 (en) 2013-03-15 2015-12-15 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
US10305695B1 (en) 2013-03-15 2019-05-28 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
US10027703B2 (en) 2013-03-15 2018-07-17 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US9942051B1 (en) 2013-03-15 2018-04-10 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
US11588650B2 (en) 2013-03-15 2023-02-21 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
US11930126B2 (en) 2013-03-15 2024-03-12 Piltorak Technologies LLC System and method for secure relayed communications from an implantable medical device
WO2015196185A1 (en) * 2014-06-20 2015-12-23 Arturo Geigel Simultaneous determination of a mobile device and its user identification
US10764322B2 (en) * 2017-03-27 2020-09-01 Nec Corporation Information processing device, information processing method, and computer-readable recording medium

Also Published As

Publication number Publication date
US8789191B2 (en) 2014-07-22
US20140298467A1 (en) 2014-10-02
US20120240196A1 (en) 2012-09-20
US20130117851A1 (en) 2013-05-09
US20080109879A1 (en) 2008-05-08
US7339914B2 (en) 2008-03-04
US9003527B2 (en) 2015-04-07
US20050259611A1 (en) 2005-11-24
US7536723B1 (en) 2009-05-19

Similar Documents

Publication Publication Date Title
US9003527B2 (en) Automated method and system for monitoring local area computer networks for unauthorized wireless access
US7216365B2 (en) Automated sniffer apparatus and method for wireless local area network security
US7970894B1 (en) Method and system for monitoring of wireless devices in local area computer networks
US7764648B2 (en) Method and system for allowing and preventing wireless devices to transmit wireless signals
US7856656B1 (en) Method and system for detecting masquerading wireless devices in local area computer networks
US7751393B2 (en) Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods
US7710933B1 (en) Method and system for classification of wireless devices in local area computer networks
US7558253B1 (en) Method and system for disrupting undesirable wireless communication of devices in computer networks
EP1976227B1 (en) Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US7971253B1 (en) Method and system for detecting address rotation and related events in communication networks
US20150040194A1 (en) Monitoring of smart mobile devices in the wireless access networks
US20090016529A1 (en) Method and system for prevention of unauthorized communication over 802.11w and related wireless protocols
US20060193300A1 (en) Method and apparatus for monitoring multiple network segments in local area networks for compliance with wireless security policy
US20060165073A1 (en) Method and a system for regulating, disrupting and preventing access to the wireless medium
US7333800B1 (en) Method and system for scheduling of sensor functions for monitoring of wireless communication activity
Tao A novel intrusion detection system for detection of MAC address spoofing in wireless networks

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE

AS Assignment

Owner name: WESTERN ALLIANCE BANK, CALIFORNIA

Free format text: SECURITY INTEREST;ASSIGNOR:MOJO NETWORKS, INC.;REEL/FRAME:041802/0489

Effective date: 20170329

AS Assignment

Owner name: MOJO NETWORKS, INC., FORMERLY KNOWN AS AIRTIGHT NE

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:WESTERN ALLIANCE BANK;REEL/FRAME:046553/0702

Effective date: 20180802