WO2003084255A1 - Detecting a counterfeit access point in a wireless local area network - Google Patents

Detecting a counterfeit access point in a wireless local area network Download PDF

Info

Publication number
WO2003084255A1
WO2003084255A1 PCT/US2003/009914 US0309914W WO03084255A1 WO 2003084255 A1 WO2003084255 A1 WO 2003084255A1 US 0309914 W US0309914 W US 0309914W WO 03084255 A1 WO03084255 A1 WO 03084255A1
Authority
WO
WIPO (PCT)
Prior art keywords
beacon frame
sequence number
received beacon
access point
local area
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2003/009914
Other languages
English (en)
French (fr)
Inventor
Chia-Chee Kuan
Miles Wu
Dean Au
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AirMagnet Inc
Original Assignee
AirMagnet Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AirMagnet Inc filed Critical AirMagnet Inc
Priority to AU2003218479A priority Critical patent/AU2003218479A1/en
Priority to KR1020047014527A priority patent/KR100956192B1/ko
Priority to EP03714483A priority patent/EP1491059A4/en
Priority to CA002478402A priority patent/CA2478402A1/en
Priority to JP2003581520A priority patent/JP4284192B2/ja
Publication of WO2003084255A1 publication Critical patent/WO2003084255A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W74/00Wireless channel access
    • H04W74/08Non-scheduled access, e.g. ALOHA
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/08Access point devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/20Selecting an access point

Definitions

  • the present invention generally relates to wireless local area networks. More particularly, the present invention relates to detecting a counterfeit access point in a wireless local area network.
  • WLANs wireless local area networks
  • the IEEE 802.11 standard was developed as an international standard for WLANs. Generally, the IEEE 802.11 standard was designed to present users with the same interface as an IEEE 802 wired LAN, while allowing data to be transported over a wireless medium.
  • WLANs provide users with increased mobility over wired LANs
  • the security of communications over a WLAN can vary for reasons that are not present in wired LANs.
  • a counterfeit access can pose as an authorized access point in the WLAN.
  • Stations in the WLAN can mistakenly associate with the counterfeit access point and can send confidential information to the counterfeit access point, without knowing that the counterfeit access point is unsecure. Consequently, the counterfeit access point can obtain confidential information from stations in the WLAN. Accordingly, the presence of a counterfeit access point can present security problems in a WLAN.
  • a counterfeit access point in a wireless local area network is detected by receiving beacon frames at a detector in the wireless local area network, where the beacon frames are transmitted over the wireless local area network by one or more access points.
  • the received beacon frames are analyzed at the detector to detect the counterfeit access point.
  • Fig. 1 shows an exemplary Open Systems Interconnection (OSI) seven layer model
  • FIG. 2 shows an exemplary extended service set in a wireless local area network ("WLAN");
  • WLAN wireless local area network
  • FIG. 3 is an exemplary flow diagram illustrating various states of stations in a WLAN
  • FIG. 4 shows an exemplary embodiment of an access point sending a beacon frame
  • Fig. 5 shows an exemplary embodiment of an access point and a counterfeit access point sending beacon frames
  • FIG. 6 shows an exemplary flow diagram of a process for detecting a counterfeit access point in a WLAN
  • FIG. 7 shows another exemplary flow diagram of a process for detecting a counterfeit access point in a WLAN.
  • FIG. 8 shows another exemplary flow diagram of a process for detecting a counterfeit access point in a WLAN.
  • an exemplary Open Systems Interconnection (OSI) seven layer model is shown, which represents an abstract model of a networking system divided into layers according to their respective functionalities.
  • the seven layers include physical layer 102 corresponding to layer 1, data link layer 104 corresponding to layer 2, network layer 106 corresponding to layer 3, transport layer 108 corresponding to layer 4, session layer 110 corresponding to layer 5, presentation layer 112 corresponding to layer 6, and application layer 114 corresponding to layer 7.
  • Each layer in the OSI model only interacts directly with the layer immediately above or below it, and different computers 100 and 116 can communicate directly with each other only at the physical layer 102. However, different computers 100 and 116 can effectively communicate at the same layer using common protocols.
  • computer 100 can communicate with computer 116 at application layer 114 by propagating a frame from application layer 114 of computer 100 through each layer below it until the frame reaches physical layer 102. The frame can then be transmitted to physical layer 102 of computer 116 and propagated through each layer above physical layer 102 until the frame reaches application layer 114 of computer 116.
  • the IEEE 802.11 standard for wireless local area networks operates at the data link layer 104, which corresponds to layer 2 of the OSI seven layer model, as described above. Because IEEE 802.11 operates at layer 2 of the OSI seven layer model, layers 3 and above can operate according to the same protocols used with IEEE 802 wired LANs.
  • layers 3 and above can be unaware of the network actually transporting data at layers 2 and below. Accordingly, layers 3 and above can operate identically in the IEEE 802 wired LAN and the IEEE 802.11 WLAN. Furthermore, users can be presented with the same interface, regardless of whether a wired LAN or WLAN is used.
  • an exemplary extended service set 200 which forms a WLAN according to the IEEE 802.11 standard, is depicted having basic service sets ("BSS") 206, 208, and 210.
  • BSS basic service sets
  • Each BSS can include an access point (“AP”) 202 and stations 204.
  • a station 204 is a component that can be used to connect to the WLAN, which can be mobile, portable, stationary, and the like, and can be referred to as the network adapter or network interface card.
  • a station 204 can be a laptop computer, a personal digital assistant, and the like.
  • a station 204 can support station services such as authentication, deauthentication, privacy, delivery of data, and the like.
  • Each station 204 can communicate directly with an AP 202 through an air link, such as by sending a radio or infrared signal between WLAN transmitters and receivers.
  • Each AP 202 can support station services, as described above, and can additionally support distribution services, such as association, disassociation, distribution, integration, and the like. Accordingly, an AP 202 can communicate with stations 204 within its BSS 206, 208, and 210, and with other APs 202 through medium 212, called a distribution system, which forms the backbone of the WLAN.
  • This distribution system 212 can include both wireless and wired connections.
  • each station 204 must be authenticated to and associated with an AP 202 in order to become a part of a BSS 206, 208, or 210. Accordingly, with reference to Fig. 3, a station 204 begins in State 1 (300), where station 204 is unauthenticated to and unassociated with an AP 202. In State 1 (300), station 204 can only use a limited number of frame types, such as frame types that can allow station 204 to locate and authenticate to an AP 202, and the like.
  • station 204 can be elevated to State 2 (302), where station 204 is authenticated to and unassociated with the AP 202. In State 2 (302), station 204 can use a limited number of frame types, such as frame types that can allow station 204 to associate with an AP 202, and the like. [0022] If station 204 then successfully associates or reassociates 308 with AP 202, then station 204 can be elevated to State 3 (304), where station 204 is authenticated to and associated with AP 202. In State 3 (304), station 204 can use any frame types to communicate with AP 202 and other stations 204 in the WLAN.
  • station 204 can be transitioned to State 2. Furthermore, if station 204 then receives deauthentication notification 312, then station 204 can be transitioned to State 1. Under the IEEE 802.11 standard, a station 204 can be authenticated to different APs 202 simultaneously, but can only be associated with one AP 202 at any time. [0023] With reference again to Fig. 2, once a station 204 is authenticated to and associated with an AP 202, the station 204 can communicate with another station 204 in the WLAN. In particular, a station 204 can send a message having a source address, a basic service set identification address ("BSSED"), and a destination address, to its associated AP 202.
  • BSSED basic service set identification address
  • the AP 202 can then distribute the message to the station 204 specified as the destination address in the message.
  • This destination address can specify a station 204 in the same BSS 206, 208, or 210, or in another BSS 206, 208, or 210 that is linked to the AP 202 through distribution system 212.
  • Fig. 2 depicts an extended service set 200 having three BSSs 206, 208, and 210, each of which include three stations 204, it should be recognized that an extended service set 200 can include any number of BSSs 206, 208, and 210, which can include any number of stations 204.
  • station 204 first locates the AP 202.
  • an exemplary system that can be used to locate an AP 202 using beacon frames in a WLAN is shown. More particularly, according to the current IEEE 802.11 standard, AP 202 can transmit beacon frames 400 across transmission range 402.
  • beacon frames 400 can include information such as frame type, beacon frame interval/rate, sequence number, timestamp, capability information, SSID, supported rates, one or more PHY parameter sets, direct sequence (DS) parameter set, frequency hopping (FH) parameter set, and the like.
  • sending beacon frames 400 from AP 202 can be optional. However, some functionality in the WLAN can be lost if AP 202 does not send beacon frames 400.
  • station 204 may not be able to locate AP 202 by passively listening for signals from AP 202. Instead, station 204 can send a probe request to locate AP 202. However, more bandwidth and time can be required if each station 204 in the WLAN individually sends a probe request to locate AP 202. Furthermore, for roaming stations 204, if AP 202 does not send beacon frames 400 periodically, the roaming stations 204 can send probe requests periodically in order to locate the AP. However, periodically sending probe requests from these roaming stations 204 can consume even more bandwidth and time.
  • sending beacon frames 400 from AP 202 can be optional, sending beacon frames 400 from AP 202 can improve the functionality of the WLAN.
  • sending beacon frames from APs in a WLAN can also compromise the security of communications over the WLAN.
  • WLANs can provide users with increased mobility, in comparison to wired LANs, but the security of communications over a WLAN can vary for reasons that are not present in wired LANs.
  • a counterfeit AP 500 can obtain confidential information from a station 204 by posing as an authorized AP 202. More particularly, counterfeit AP 500 can transmit beacon frame 504 across a transmission range 502. Beacon frame 504 can include information such as frame type, beacon frame interval/rate, sequence number, timestamp, and the like. Stations 204 located within this transmission range 502 can detect beacon frame 504. After detecting beacon frame 504, station 204 can associate with counterfeit AP 500, without realizing that counterfeit AP 500 is not an authorized AP 202. Once associated with counterfeit AP 500, station 204 can transmit confidential information to counterfeit AP 500.
  • a counterfeit AP 500 can pose as an authorized AP 202.
  • counterfeit AP 500 can determine information about authorized AP 202, such as the SSID for authorized AP 202, the MAC address for authorized AP 202, and the like.
  • Counterfeit AP 500 can then be configured with the same SSID as authorized AP 202.
  • counterfeit AP 500 can obtain and use the MAC address of authorized AP 202.
  • counterfeit AP 500 can locate itself near authorized AP 202 to avoid detection in the WLAN.
  • counterfeit AP 500 can transmit a stronger signal across the WLAN in order to entice stations 204 to associate with it instead of authorized AP 202.
  • counterfeit APs 500 can obtain confidential information from stations 204 by posing as authorized APs 202, counterfeit APs 500 can create unacceptable security problems in a WLAN. Accordingly, detecting counterfeit APs 500 in a WLAN can be used to improve security in the WLAN.
  • detecting counterfeit APs 500 in a WLAN can be used to improve security in the WLAN.
  • FIG. 6 an exemplary process for detecting a counterfeit AP is depicted. With reference to Fig. 5, assume for the sake of example that AP 202 is an authorized AP and that counterfeit AP 500 is an unauthorized AP attempting to pose as authorized AP 202. As described above, AP 202 sends beacon frames 400 and counterfeit AP 500 sends beacon frames 504 in an effort to associate with stations that would associate with authorized AP 202.
  • beacon frames 504 can include similar information as beacon frames 400 in an effort to pose as beacon frames 400.
  • beacon frames 504 can have the same sender MAC address (i.e., the MAC address of authentic AP 202) and the same beacon frame rate.
  • detector 506 receives frames from APs having transmission ranges that include detector 506. As such, in the exemplary scenario depicted in Fig. 5, detector 506 receives beacon frames 400 and 504 from authorized AP 202 and unauthorized counterfeit AP 500, respectively.
  • detector 506 measures the rate at which frames are received to determine a measured frame rate. For example, in one configuration, detector 506 can count the number of beacon frames received during a period of time. For the sake of example, assume that detector 506 counts a total of 100 beacon frames, which in the exemplary scenario depicted in Fig. 5 would include beacon frames 400 and 504, during a 5 second interval. As such, in this example, the measured beacon frame rate is 20 frames per second.
  • step 604 detector 506 compares the measured frame rate to the stated frame rate.
  • the stated frame rate can be obtained from the information provided in the frame itself.
  • the stated beacon frame rate in beacon frame 400 is 10 frames per second.
  • the measured frame rate is 20 frames per second.
  • step 606 detector 506 determines if a counterfeit AP is detected based on the comparison of the measured frame rate to the stated frame rate. Again, in the present example, the measured frame rate is 20 frames per second and the stated frame rate is 10 frames per second. As such, in the present example, detector 506 determines that a counterfeit AP has been detected based on the difference in the measured frame rate and the stated frame rate.
  • Fig. 7 another exemplary process for detecting a counterfeit AP is depicted.
  • AP 202 is an authorized AP and that counterfeit AP 500 is an unauthorized AP attempting to pose as authorized AP 202.
  • unauthorized counterfeit AP 500 can obtain the MAC address of authorized AP 202.
  • Counterfeit AP 500 can then use the MAC address of authorized AP 202 as the sender MAC address in beacon frames 504 in an effort to associate with stations that would associate with authorized AP 202.
  • detector 506 receives frames from APs having transmission ranges that include detector 506. As such, in the exemplary scenario depicted in Fig. 5, detector 506 receives beacon frames 400 and 504 from authorized AP 202 and unauthorized counterfeit AP 500, respectively.
  • detector 506 compares the sequence number of a received frame to the sequence number of a previously received frame with the same sender MAC address. More specifically in the present example, when detector 506 receives a beacon frame, it determines the sender MAC address of the beacon frame. If the sender MAC address of the received beacon frame matches the sender MAC address of an authorized AP, detector 506 compares the sequence number of the received beacon frame to the sequence number of a previously received beacon frame from the same authorized AP, which was stored earlier.
  • step 704 detector 506 determines if a counterfeit AP is detected based on the comparison of the sequence number of the received frame to the sequence number of a previously received frame. If the sequence number of the received frame is consistent with that of the previously received frame, then detector 506 saves the sequence number of the received frame as the sequence number of a previously received frame. However, if the sequence number of the received frame is not consistent with that of the previously received frame, then detector 506 determines that a counterfeit AP has been detected. [0041] More particularly, in accordance with current IEEE 802.11 standard, APs send frames with sequence numbers that follow an incremental pattern.
  • beacon frames 400 having sequence numbers in ascending order such as 100, 101, 102, and the like.
  • detector 506 first receives beacon frame 400 having sequence number 100.
  • detector 506 examines the sender MAC address of beacon frame 400 to confirm that the sender MAC address matches that of an authorized AP, which in this example is that of authorized AP 202.
  • beacon frame 400 having sequence number 100 is the first beacon frame received from AP 202.
  • the sequence number of the received beacon frame 400 is stored as the new sequence number of a previously received beacon frame 400.
  • detector 506 receives a beacon frame 504 from counterfeit AP 500, which is unauthorized and attempting to pose as authorized AP 202. Also assume that counterfeit AP 500 has sent beacon frame 504 using the sender MAC address of authorized AP 202. However, assume that the sequence number for beacon frame 504 sent by counterfeit AP 500 is 50. Accordingly, when detector 506 compares the sequence number of the received beacon frame, which in this example is 50, to the sequence number of the previously received beacon frame, which in this example is 100, they are not consistent. As such, detector 506 determines that a counterfeit AP 500 has been detected.
  • detector 506 determines that the sequence number of the received frame and the sequence number of the previously received frame are consistent, then the sequence number of the received frame replaces the sequence number of the previously received frame, and the new sequence number is stored. For example, if the sequence number of the received frame is 101, then 506 stores 101 as the new sequence number of a previously received frame.
  • the IEEE 802.11 standard is a family of specifications, which includes the 802.11, 802.11a, 802.11b, and 802.1 lg specifications.
  • the 802.11 specification provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
  • FHSS frequency hopping spread spectrum
  • DSSS direct sequence spread spectrum
  • the 802.1 la specification which is an extension to the 802.11 specification, provides up to 54 Mbps in the 5GHz band using an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.
  • the 802.1 lb specification which is also an extension of the 802.11 specification and commonly referred to as 802.11 High Rate or Wi-Fi, provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mpbs) in the 2.4 GHz band using DSSS.
  • the 802.1 lg specification which is the most recent extension of the 802.11 specification, provides 20+ Mbsp in the 2.4 GHz band. Undoubtedly, further extensions and therefore additional 802.11 specifications are likely to be established and available in the future.
  • channels 36, 40, 44, 48, 52, 56, 60, 64 are used.
  • channels 34, 38, 42, and 46 are used.
  • channels 1-14 a total of 14 channels are defined (i.e., channels 1-14).
  • channels 1-11 are used.
  • channels 1-13 are used.
  • channels 1- 14 are used.
  • an authorized AP 202 operates in a single channel in a given 802.11 specification. For example, if authorized AP 202 operates using the 802.1 la specification, authorized AP 202 uses one of the defined channels in the 802.11a specification (i.e., channels 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64, 159, 153, 157, and 161). Similarly, if authorized AP 202 operates using the 802.1 lb specification, authorized AP 202 uses one of the defined channels in the 802.1 lb specification (i.e., channels 1-14). Authorized AP 202 can also operate in dual-mode in which case it uses both the 802.1 la and 802.1 lb specification.
  • authorized AP 202 uses one channel in the 802.1 la specification and one channel in the 802.1 lb specification.
  • FIG. 8 another exemplary process for detecting a counterfeit AP is depicted.
  • AP 202 is an authorized AP and that counterfeit AP 500 is an unauthorized AP attempting to pose as authorized AP 202.
  • unauthorized counterfeit AP 500 can obtain the MAC address of authorized AP 202.
  • Counterfeit AP 500 can then use the MAC address of authorized AP 202 as the sender MAC address in beacon frames 504 in an effort to associate with stations that would associate with authorized AP 202.
  • step 800 (Fig. 8) of the present exemplary process, detector 506 receives frames from APs having transmission ranges that include detector 506. As such, in the exemplary scenario depicted in Fig. 5, detector 506 receives beacon frames 400 and 504 from authorized AP 202 and unauthorized counterfeit AP 500, respectively.
  • detector 506 determines the channels used to send the beacon frames. More specifically, when detector 506 receives beacon frames, it determines the sender MAC addresses of the beacon frames. If the sender MAC addresses of the beacon frames are the same, then detector 506 determines the channels used to send the beacon frames. In accordance with the 802.1 lb specification, the channel used to send the beacon frame is included in the beacon frame. Thus, detector 506 can examine the channel field in the beacon fame to determine the channel used to send the beacon frame. Alternatively, detector 506 can determine the channel on which the beacon frame was received to determine the channel used to send the beacon frame. In accordance with the 802.1 la specification, the channel used to send the beacon frame is not included in the beacon frame.
  • detector 506 can determine the channel on which the beacon frame was received to determine the channel used to send the beacon frame. [0053] In step 804 (Fig. 8), detector 506 determines if a counterfeit AP is detected based on the channels used to send the beacon frames. More specifically, as noted above, authorized AP 202 operates using a single channel. Thus, in one embodiment, detector 506 determines that a counterfeit AP has been detected when at least two beacon frames with the same MAC addresses are detected that were sent using two different channels.
  • detector 500 is configured to operate in multiple modes. More specifically, in a first mode, detector 506 determines that a counterfeit AP has been detected when at least two beacon frames with the same MAC addresses are detected that were sent using two different channels without regard to whether the two different channels are in different 802.11 specifications. In a second mode, detector 506 determines that a counterfeit AP has been detected when at least two beacon frames with the same MAC addresses are detected that were sent using two different channels and the two different channels are in the same 802.11 specification. [0055] In the present exemplary embodiment, the mode in which detector 500 operates can be selected based on whether authorized AP 202 operates in dual mode.
  • detector 500 can be selected to operate in the first mode described above (i.e., determining that a counterfeit AP has been detected when at least two beacon frames with the same MAC addresses are detected that were sent using two different channels without regard to whether the two different channels are in different 802.11 specifications). If authorized AP 202 is known to operate in dual mode, detector 500 can be selected to operate in the second mode described above (i.e., determining that a counterfeit AP has been detected when at least two beacon frames with the same MAC addresses are detected that were sent using two different channels and the two different channels are in the same 802.11 specification).
  • the exemplary processes described above for detecting a counterfeit AP in a wireless local area network can be performed using software and/or hardware installed on a detector in the wireless local area network.
  • the detector is a station in the wireless local area network.
  • the station can be mobile, portable, stationary, and the like.
  • the station can be a laptop computer, a personal digital assistant, and the like.
  • the station can be used by a user as a diagnostic tool, by an administrator as an administrative tool, and the like, to assess the quality of communications in the WLAN.
  • One advantage of the present embodiment includes allowing the station to passively monitor the WLAN to detect a counterfeit AP. By passively monitoring the WLAN in this manner, the station can detect a counterfeit AP in the WLAN without burdening AP 202, consuming bandwidth, or interfering with traffic over the WLAN.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)
PCT/US2003/009914 2002-03-29 2003-03-28 Detecting a counterfeit access point in a wireless local area network Ceased WO2003084255A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
AU2003218479A AU2003218479A1 (en) 2002-03-29 2003-03-28 Detecting a counterfeit access point in a wireless local area network
KR1020047014527A KR100956192B1 (ko) 2002-03-29 2003-03-28 무선 근거리 통신망에서 무단 액세스 포인트를 검출하기위한 방법 및 장치
EP03714483A EP1491059A4 (en) 2002-03-29 2003-03-28 RECOGNIZE A FALSE MONEY ACCESS POINT IN A WIRELESS LOCAL NETWORK
CA002478402A CA2478402A1 (en) 2002-03-29 2003-03-28 Detecting a counterfeit access point in a wireless local area network
JP2003581520A JP4284192B2 (ja) 2002-03-29 2003-03-28 無線ローカルエリアネットワーク中の偽造アクセスポイントの検出

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/112,402 US7236460B2 (en) 2002-03-29 2002-03-29 Detecting a counterfeit access point in a wireless local area network
US10/112,402 2002-03-29

Publications (1)

Publication Number Publication Date
WO2003084255A1 true WO2003084255A1 (en) 2003-10-09

Family

ID=28453323

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/009914 Ceased WO2003084255A1 (en) 2002-03-29 2003-03-28 Detecting a counterfeit access point in a wireless local area network

Country Status (8)

Country Link
US (2) US7236460B2 (enExample)
EP (1) EP1491059A4 (enExample)
JP (1) JP4284192B2 (enExample)
KR (1) KR100956192B1 (enExample)
CN (1) CN1650642A (enExample)
AU (1) AU2003218479A1 (enExample)
CA (1) CA2478402A1 (enExample)
WO (1) WO2003084255A1 (enExample)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7042852B2 (en) 2002-05-20 2006-05-09 Airdefense, Inc. System and method for wireless LAN dynamic channel change with honeypot trap
US7058796B2 (en) 2002-05-20 2006-06-06 Airdefense, Inc. Method and system for actively defending a wireless LAN against attacks
US7086089B2 (en) 2002-05-20 2006-08-01 Airdefense, Inc. Systems and methods for network security
JP2007513579A (ja) * 2003-12-01 2007-05-24 カーディナル ヘルス 303、インコーポレイテッド ネットワーク発見と接続管理のためのシステムおよび方法
JP2007515883A (ja) * 2003-12-05 2007-06-14 カーディナル ヘルス 303、インコーポレイテッド 移動型システム・マネージャによる発見および接続管理
US7257107B2 (en) 2003-07-15 2007-08-14 Highwall Technologies, Llc Device and method for detecting unauthorized, “rogue” wireless LAN access points
US7277404B2 (en) 2002-05-20 2007-10-02 Airdefense, Inc. System and method for sensing wireless LAN activity
US7322044B2 (en) 2002-06-03 2008-01-22 Airdefense, Inc. Systems and methods for automated network policy exception detection and correction
US7324804B2 (en) 2003-04-21 2008-01-29 Airdefense, Inc. Systems and methods for dynamic sensor discovery and selection
US7355996B2 (en) 2004-02-06 2008-04-08 Airdefense, Inc. Systems and methods for adaptive monitoring with bandwidth constraints
US7359676B2 (en) 2003-04-21 2008-04-15 Airdefense, Inc. Systems and methods for adaptively scanning for wireless communications
US7383577B2 (en) 2002-05-20 2008-06-03 Airdefense, Inc. Method and system for encrypted network management and intrusion detection
US7522908B2 (en) 2003-04-21 2009-04-21 Airdefense, Inc. Systems and methods for wireless network site survey
US7577424B2 (en) 2005-12-19 2009-08-18 Airdefense, Inc. Systems and methods for wireless vulnerability analysis
US7715800B2 (en) 2006-01-13 2010-05-11 Airdefense, Inc. Systems and methods for wireless intrusion detection using spectral analysis
US7899441B2 (en) 2003-10-22 2011-03-01 Huawei Technologies Co., Ltd. Method for resolving and accessing selected service in wireless local area network
US7970013B2 (en) 2006-06-16 2011-06-28 Airdefense, Inc. Systems and methods for wireless network content filtering
US7971251B2 (en) 2006-03-17 2011-06-28 Airdefense, Inc. Systems and methods for wireless security using distributed collaboration of wireless clients
CN101631358B (zh) * 2009-07-28 2011-12-21 杭州华三通信技术有限公司 一种无线局域网中数据传输的方法和设备
US8196199B2 (en) 2004-10-19 2012-06-05 Airdefense, Inc. Personal wireless monitoring agent
US8281392B2 (en) 2006-08-11 2012-10-02 Airdefense, Inc. Methods and systems for wired equivalent privacy and Wi-Fi protected access protection
US8694624B2 (en) 2009-05-19 2014-04-08 Symbol Technologies, Inc. Systems and methods for concurrent wireless local area network access and sensing

Families Citing this family (64)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6754488B1 (en) * 2002-03-01 2004-06-22 Networks Associates Technologies, Inc. System and method for detecting and locating access points in a wireless network
US7532895B2 (en) * 2002-05-20 2009-05-12 Air Defense, Inc. Systems and methods for adaptive location tracking
US6957067B1 (en) * 2002-09-24 2005-10-18 Aruba Networks System and method for monitoring and enforcing policy within a wireless network
KR20040072747A (ko) * 2003-02-10 2004-08-19 삼성전자주식회사 억세스 포인트 장치 및 이 장치의 채널 설정 방법
US7634252B2 (en) * 2003-03-07 2009-12-15 Computer Assocaites Think, Inc. Mobility management in wireless networks
US7385948B2 (en) * 2003-04-03 2008-06-10 Airmagnet, Inc. Determining the state of a station in a local area network
US7002943B2 (en) * 2003-12-08 2006-02-21 Airtight Networks, Inc. Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US7856209B1 (en) 2003-12-08 2010-12-21 Airtight Networks, Inc. Method and system for location estimation in wireless networks
KR100818915B1 (ko) * 2004-01-28 2008-04-04 삼성전자주식회사 무선 신호의 출력을 제어하기 위한 시스템, 장치 및 제어 방법
US7440434B2 (en) * 2004-02-11 2008-10-21 Airtight Networks, Inc. Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods
US7536723B1 (en) 2004-02-11 2009-05-19 Airtight Networks, Inc. Automated method and system for monitoring local area computer networks for unauthorized wireless access
US7447184B1 (en) 2004-09-08 2008-11-04 Airtight Networks, Inc. Method and system for detecting masquerading wireless devices in local area computer networks
FR2881312A1 (fr) * 2005-01-26 2006-07-28 France Telecom Procede, dispositif et programme de detection d'usurpation d'adresse dans un reseau sans fil
JP4695893B2 (ja) * 2005-02-17 2011-06-08 パナソニック株式会社 測定期間の決定方法
US8437263B2 (en) * 2005-03-11 2013-05-07 Airmagnet, Inc. Tracing an access point in a wireless network
US7710933B1 (en) 2005-12-08 2010-05-04 Airtight Networks, Inc. Method and system for classification of wireless devices in local area computer networks
JP4833779B2 (ja) * 2006-09-13 2011-12-07 株式会社リコー 無線lan機器
US8817813B2 (en) 2006-10-02 2014-08-26 Aruba Networks, Inc. System and method for adaptive channel scanning within a wireless network
US7971253B1 (en) 2006-11-21 2011-06-28 Airtight Networks, Inc. Method and system for detecting address rotation and related events in communication networks
WO2008083632A1 (fr) * 2007-01-10 2008-07-17 Huawei Technologies Co., Ltd. Procédé, dispositif et système de partage du spectre
US8155662B2 (en) * 2007-02-19 2012-04-10 Microsoft Corporation Self-configuring wireless network location system
US7516049B2 (en) * 2007-02-19 2009-04-07 Microsoft Corporation Wireless performance analysis system
CN101388678B (zh) 2007-09-10 2013-02-06 北京三星通信技术研究有限公司 无线麦克风信标系统中保护设备的初始化方法及保护设备
US7970894B1 (en) 2007-11-15 2011-06-28 Airtight Networks, Inc. Method and system for monitoring of wireless devices in local area computer networks
US20090296671A1 (en) * 2008-05-29 2009-12-03 Symbol Technologies, Inc. Communications between a client device and an infrastruture device
US20090296672A1 (en) * 2008-05-29 2009-12-03 Symbol Technologies, Inc. Methods for wirelessly communicating information between a client device and an infrastructure device
US20090296673A1 (en) * 2008-05-29 2009-12-03 Symbol Technologies, Inc. Apparatus for implementing a pseudo-basic service set (bss)-like network over an independent basic service set (ibss) mode air interface
US8537721B2 (en) * 2008-08-11 2013-09-17 Koninklijke Philips N.V. Method for scheduling transmissions of global beacons in body area networks
CN101667947B (zh) * 2008-09-04 2011-11-30 鸿富锦精密工业(深圳)有限公司 移动站、基地台及其侦测攻击的方法
JP4763819B2 (ja) * 2009-05-22 2011-08-31 株式会社バッファロー 無線lanアクセスポイント装置、不正マネジメントフレーム検出方法
US8138916B1 (en) 2009-06-04 2012-03-20 Carlos Andres Gonzalez Counterfeit detection system and method of utilizing same
CN102577261A (zh) * 2009-07-31 2012-07-11 惠普发展公司,有限责任合伙企业 用于检测欺骗无线接入点的方法
JP2011155521A (ja) * 2010-01-27 2011-08-11 Kyocera Corp 移動局装置および基地局装置の認証方法
JP5202684B2 (ja) * 2011-05-12 2013-06-05 株式会社バッファロー 無線lanアクセスポイント装置、不正マネジメントフレーム検出方法
US8489679B2 (en) 2011-08-16 2013-07-16 Fluke Corporation Method and apparatus for monitoring network traffic and determining the timing associated with an application
CN103108391B (zh) * 2011-11-09 2015-09-23 华为终端有限公司 一种分配标识的方法及装置
KR101807523B1 (ko) * 2011-12-13 2017-12-12 삼성전자주식회사 무선 통신 시스템에서 무선 망 제공자를 확인하기 위한 장치 및 방법
US9699667B2 (en) * 2012-01-09 2017-07-04 Qualcomm Incorporated Systems and methods to transmit configuration change messages between an access point and a station
US9279878B2 (en) 2012-03-27 2016-03-08 Microsoft Technology Licensing, Llc Locating a mobile device
CN102781002A (zh) * 2012-07-30 2012-11-14 深圳市易聆科信息技术有限公司 一种自动获取加密无线网络密钥的方法及系统
CN103856957B (zh) * 2012-12-04 2018-01-12 航天信息股份有限公司 探测无线局域网中仿冒ap的方法和装置
US9612121B2 (en) 2012-12-06 2017-04-04 Microsoft Technology Licensing, Llc Locating position within enclosure
CN102984707B (zh) * 2012-12-17 2018-12-18 上海寰创通信科技股份有限公司 一种无线网络中钓鱼ap的识别与处理方法
US9628993B2 (en) * 2013-07-04 2017-04-18 Hewlett Packard Enterprise Development Lp Determining a legitimate access point response
CN103401732A (zh) * 2013-08-12 2013-11-20 东南大学 一种伪无线接入点数据分析系统及其方法
CN104754651A (zh) * 2013-12-25 2015-07-01 任子行网络技术股份有限公司 一种基于伪ap诱联的wlan无线数据捕获方法及系统
CN103997782B (zh) * 2014-04-24 2018-06-05 湘潭大学 一种基于信号强度和抓包速率的无线ap探测定位的方法
CN104270366B (zh) * 2014-09-30 2017-09-29 北京金山安全软件有限公司 检测karma攻击的方法及装置
CN104410972A (zh) * 2014-10-30 2015-03-11 苏州德鲁森自动化系统有限公司 一种无线局域网运行状态监测方法
CN105611534B (zh) * 2014-11-25 2020-02-11 阿里巴巴集团控股有限公司 无线终端识别伪WiFi网络的方法及其装置
EP3255951B1 (en) * 2015-03-05 2019-09-25 Huawei Technologies Co., Ltd. Pseudo access method, pseudo access direct-connection scheduling method, stations and access point
CN105992198B (zh) * 2015-06-15 2019-09-17 中国银联股份有限公司 一种确定无线局域网安全程度的方法及装置
CN105376857A (zh) * 2015-11-27 2016-03-02 湘潭大学 基于压缩采样的超宽带传感器网络异步定位方法
KR102389576B1 (ko) * 2016-01-08 2022-04-22 삼성전자주식회사 무선 통신 시스템에서 위조 광고자 검출 장치 및 방법
JP6690326B2 (ja) * 2016-03-14 2020-04-28 富士通株式会社 無線通信プログラム、方法及び装置
CN105657713A (zh) * 2016-03-25 2016-06-08 珠海网博信息科技股份有限公司 一种伪ap检测阻断方法、无线装置及路由器
JP6688191B2 (ja) * 2016-08-17 2020-04-28 日本電信電話株式会社 管理外の無線送信局の検出装置、検出方法および検出プログラム
CN106792715B (zh) * 2017-04-14 2019-10-08 杭州亚古科技有限公司 非法无线ap检测方法及装置
CN108174383B (zh) * 2017-12-13 2020-11-20 北京大学 一种网格化无线电信号监测系统的监测站部署方法及盲源分离方法
KR102378515B1 (ko) 2018-05-28 2022-03-24 삼성전자주식회사 단말 장치 및 이에 의한 악성 ap의 식별 방법
US12063234B2 (en) * 2019-09-26 2024-08-13 Forescout Technologies, Inc. Anomaly detection including property changes
US11418956B2 (en) * 2019-11-15 2022-08-16 Panasonic Avionics Corporation Passenger vehicle wireless access point security system
CN112105029B (zh) * 2020-08-07 2022-07-12 新华三技术有限公司 一种反制非法设备的方法及设备
KR20220039051A (ko) * 2020-09-21 2022-03-29 삼성전자주식회사 무선 연결 가능한 외부 장치를 검색하기 위한 전자 장치 및 이의 동작 방법

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6188681B1 (en) * 1998-04-01 2001-02-13 Symbol Technologies, Inc. Method and apparatus for determining alternative second stationary access point in response to detecting impeded wireless connection
US6393261B1 (en) * 1998-05-05 2002-05-21 Telxon Corporation Multi-communication access point

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6957067B1 (en) * 2002-09-24 2005-10-18 Aruba Networks System and method for monitoring and enforcing policy within a wireless network
US7257107B2 (en) * 2003-07-15 2007-08-14 Highwall Technologies, Llc Device and method for detecting unauthorized, “rogue” wireless LAN access points
US20050060576A1 (en) * 2003-09-15 2005-03-17 Kime Gregory C. Method, apparatus and system for detection of and reaction to rogue access points
US7447184B1 (en) * 2004-09-08 2008-11-04 Airtight Networks, Inc. Method and system for detecting masquerading wireless devices in local area computer networks

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6188681B1 (en) * 1998-04-01 2001-02-13 Symbol Technologies, Inc. Method and apparatus for determining alternative second stationary access point in response to detecting impeded wireless connection
US6393261B1 (en) * 1998-05-05 2002-05-21 Telxon Corporation Multi-communication access point

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BARDWELL J, ASSESSING WIRELESS SECURITY WITH AIRPEEK, 13 January 2002 (2002-01-13)
IBM RESEARCH DEMONSTRATES INDUSTRY'S FIRST AUDITING TOOL FOR WIRELESS NETWORK SECURITY, 12 July 2001 (2001-07-12)
See also references of EP1491059A4 *
THE IEEE STANDARD FOR INFORMATION TECHNOLOGY - TELECOMMUNICATIONS AND INFORMATION EXCHANGE BETWEEN SYSTEMS - LOCAL AND METROPOLITAN AREA NETWORKS - SPECIFIC REQUIREMENT. PART 11: WIRELESS LAN MEDIUM ACCESS CONTROL (MAC) AND PHYSICAL LAYER (PHY) SPECI, 20 August 1999 (1999-08-20)

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7383577B2 (en) 2002-05-20 2008-06-03 Airdefense, Inc. Method and system for encrypted network management and intrusion detection
US7058796B2 (en) 2002-05-20 2006-06-06 Airdefense, Inc. Method and system for actively defending a wireless LAN against attacks
US7086089B2 (en) 2002-05-20 2006-08-01 Airdefense, Inc. Systems and methods for network security
US8060939B2 (en) 2002-05-20 2011-11-15 Airdefense, Inc. Method and system for securing wireless local area networks
US7779476B2 (en) 2002-05-20 2010-08-17 Airdefense, Inc. Active defense against wireless intruders
US7526808B2 (en) 2002-05-20 2009-04-28 Airdefense, Inc. Method and system for actively defending a wireless LAN against attacks
US7277404B2 (en) 2002-05-20 2007-10-02 Airdefense, Inc. System and method for sensing wireless LAN activity
US7042852B2 (en) 2002-05-20 2006-05-09 Airdefense, Inc. System and method for wireless LAN dynamic channel change with honeypot trap
US7322044B2 (en) 2002-06-03 2008-01-22 Airdefense, Inc. Systems and methods for automated network policy exception detection and correction
US7522908B2 (en) 2003-04-21 2009-04-21 Airdefense, Inc. Systems and methods for wireless network site survey
US7359676B2 (en) 2003-04-21 2008-04-15 Airdefense, Inc. Systems and methods for adaptively scanning for wireless communications
US7324804B2 (en) 2003-04-21 2008-01-29 Airdefense, Inc. Systems and methods for dynamic sensor discovery and selection
US7257107B2 (en) 2003-07-15 2007-08-14 Highwall Technologies, Llc Device and method for detecting unauthorized, “rogue” wireless LAN access points
US7899441B2 (en) 2003-10-22 2011-03-01 Huawei Technologies Co., Ltd. Method for resolving and accessing selected service in wireless local area network
JP2007513579A (ja) * 2003-12-01 2007-05-24 カーディナル ヘルス 303、インコーポレイテッド ネットワーク発見と接続管理のためのシステムおよび方法
JP2007515883A (ja) * 2003-12-05 2007-06-14 カーディナル ヘルス 303、インコーポレイテッド 移動型システム・マネージャによる発見および接続管理
US7355996B2 (en) 2004-02-06 2008-04-08 Airdefense, Inc. Systems and methods for adaptive monitoring with bandwidth constraints
US8196199B2 (en) 2004-10-19 2012-06-05 Airdefense, Inc. Personal wireless monitoring agent
US7577424B2 (en) 2005-12-19 2009-08-18 Airdefense, Inc. Systems and methods for wireless vulnerability analysis
US7715800B2 (en) 2006-01-13 2010-05-11 Airdefense, Inc. Systems and methods for wireless intrusion detection using spectral analysis
US7971251B2 (en) 2006-03-17 2011-06-28 Airdefense, Inc. Systems and methods for wireless security using distributed collaboration of wireless clients
US7970013B2 (en) 2006-06-16 2011-06-28 Airdefense, Inc. Systems and methods for wireless network content filtering
US8281392B2 (en) 2006-08-11 2012-10-02 Airdefense, Inc. Methods and systems for wired equivalent privacy and Wi-Fi protected access protection
US8694624B2 (en) 2009-05-19 2014-04-08 Symbol Technologies, Inc. Systems and methods for concurrent wireless local area network access and sensing
CN101631358B (zh) * 2009-07-28 2011-12-21 杭州华三通信技术有限公司 一种无线局域网中数据传输的方法和设备

Also Published As

Publication number Publication date
AU2003218479A1 (en) 2003-10-13
US7236460B2 (en) 2007-06-26
CA2478402A1 (en) 2003-10-09
JP2005522120A (ja) 2005-07-21
US20030185244A1 (en) 2003-10-02
EP1491059A4 (en) 2011-02-16
US7539146B2 (en) 2009-05-26
JP4284192B2 (ja) 2009-06-24
US20070242610A1 (en) 2007-10-18
KR20040102043A (ko) 2004-12-03
CN1650642A (zh) 2005-08-03
EP1491059A1 (en) 2004-12-29
KR100956192B1 (ko) 2010-05-04

Similar Documents

Publication Publication Date Title
US7236460B2 (en) Detecting a counterfeit access point in a wireless local area network
CA2479792C (en) Detecting an unauthorized station in a wireless local area network
KR100980152B1 (ko) 근거리 통신망을 모니터링하는 방법 및 시스템
CA2479795C (en) Determining the state of a station in a local area network
JP2005522132A5 (enExample)
US7596109B1 (en) Disrupting an ad-hoc wireless network
US7385948B2 (en) Determining the state of a station in a local area network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2478402

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 1020047014527

Country of ref document: KR

WWE Wipo information: entry into national phase

Ref document number: 2003714483

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2003581520

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 20038074176

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 1020047014527

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 2003714483

Country of ref document: EP