WO2014081205A1 - Illegal ap detection system and detection method therefor - Google Patents

Publication number
WO2014081205A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
packet
illegal
sensor
specific length
Application number
PCT/KR2013/010597
Inventor
이상준
함성윤
Original Assignee
유넷시스템주식회사
Application filed by 유넷시스템주식회사

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation

Definitions

  • The present invention relates to an illegal AP detection system and a detection method thereof. More specifically, it relates to an illegal AP detection system and detection method that can detect whether an unauthorized illegal AP is connected to one's own network even when the wireless environment is in secure mode and router mode.
  • Rapidly expanding wireless networks support the exchange of data by wirelessly connecting user terminals to the network in accordance with the IEEE 802.11 standard.
  • A wireless network environment is convenient because users can move freely while exchanging data over a network connection. However, because the connecting user terminal is physically separated from the network equipment and the transmitted data is exposed over the air, the possibility of malicious access and of data corruption or leakage is greater than in wired networks, especially wired LANs.
  • The most fundamental vulnerability of the wireless environment is, first, that a wireless AP inside a building can easily be reached from outside the building, so an unauthorized person or unauthorized terminal can gain bypass access to the internal network, rendering useless the security equipment in the wired gateway section such as FW and IDS.
  • In addition, when an employee or the like on a network connected to the in-house wired network uses a laptop or similar device fitted with an unauthorized wireless LAN to connect to an external wireless LAN AP, an information leakage accident may occur through this path as well.
  • Second, even without connecting to an AP and joining the in-house wireless network, wireless-section data can easily be eavesdropped through air sniffing, so confidential and personal information of the company can be leaked.
  • At present, the largest share of security vulnerabilities in wireless APs and routers in Korea is caused by wireless equipment such as wireless LANs that are left in use unauthenticated and password-free.
  • As wireless LAN security measures to address this, security infrastructure such as authentication and encryption is being applied.
  • Conventional techniques for detecting unauthorized APs do not process wired data traffic and only collect information about the unauthorized APs, so they cannot confirm whether the collected unauthorized APs are connected to the internal network. That is, even when an unauthorized AP is detected, it cannot be confirmed whether that AP is connected to one's own network, and so it cannot simply be blocked.
  • The present invention was created to solve the above problems, and its object is to provide a detection system and a detection method capable of detecting an unauthorized illegal AP connected to one's own network regardless of whether the wireless environment is in bridge mode, router mode, open mode or secure mode.
  • The above object of the present invention is achieved by an illegal AP detection system comprising: a sensor that detects data packets wirelessly transmitted to a user terminal through at least one AP; and a wireless intrusion prevention system (WIPS) server that receives the detected data packets from the sensor and determines whether the AP is an unauthorized illegal AP connected to the internal network, wherein the WIPS server comprises:
  • a packet generation unit that generates a data packet of a specific length to be transmitted to the user terminal through the AP and transmits it a specific number of times during a predetermined time;
  • a packet analysis unit that analyzes the number of times the data packet having the specific length is detected by the sensor during a predetermined time and determines whether the AP is an AP connected to the internal network; and
  • a database unit that stores MAC address information of the AP.
  • When there are a plurality of APs, the packet generation unit may generate as many data packets of differing lengths as there are APs and transmit them to the user terminal through each AP.
  • The packet analysis unit may determine that the AP is connected to the internal network when it confirms that the AP has transmitted the data packet having the specific length to the user terminal at least a preset number of times during a predetermined time.
  • The WIPS server may determine that the AP is an unauthorized illegal AP when it confirms that the MAC address of the AP determined by the packet analysis unit to be connected to the internal network is not included in the MAC address information of authorized APs.
  • The sensor may further include a communication unit for transmitting the detected data packets to the WIPS server.
  • In another category, the object of the present invention is achieved by an illegal AP detection method comprising: a step A in which a sensor detects data packets wirelessly transmitted to a user terminal through at least one AP; a step B in which the sensor transmits the detected data packets to a wireless intrusion prevention system (WIPS) server; a step C in which a packet generation unit provided in the WIPS server generates a data packet having a specific length and transmits it to the user terminal through the AP a specific number of times during a predetermined time; a step D in which a packet analysis unit provided in the WIPS server checks whether a data packet having the specific length is present among the data packets transmitted from the sensor; a step E in which the packet analysis unit checks the number of times a data packet having the specific length, among the data packets transmitted from the sensor, is detected during a predetermined time; a step F in which the packet analysis unit determines whether the AP is an AP connected to the internal network based on the presence and the number of detections of the data packet having the specific length; and a step G in which the WIPS server searches a database unit storing MAC address information of authorized APs and determines whether the AP is an unauthorized illegal AP.
  • In step C, when there are a plurality of APs, the packet generation unit may generate as many data packets of differing lengths as there are APs and transmit them to the user terminal through each AP.
  • In step F, the packet analysis unit may determine that the AP is an AP connected to the internal network when a data packet having the specific length is detected at least a preset number of times during a predetermined time.
  • In step G, when the packet analysis unit determines that the MAC address of the AP determined to be connected to the internal network is not included in the MAC address information of authorized APs stored in the database unit provided in the WIPS server, the AP may be determined to be an unauthorized illegal AP.
  • The present invention has the effect of confirming and detecting whether an unauthorized illegal AP is connected to one's own network.
  • FIG. 1 is a block diagram showing the configuration of an unauthorized illegal AP detection system according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the configuration of a WIPS server according to an embodiment of the present invention.
  • FIG. 3 is a flowchart sequentially illustrating a method for detecting an unauthorized illegal AP according to an embodiment of the present invention.
  • FIG. 1 is a block diagram of a system for detecting an illegal AP of a network communication network according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing a configuration of a WIPS server according to an embodiment of the present invention.
  • The illegal AP detection system of the present invention (hereinafter referred to as the 'detection system') comprises a wireless intrusion prevention system (WIPS) server 100, a sensor 200, a communication unit 300, an AP 400 and a user terminal 500.
  • The WIPS server 100 includes a packet generation unit 110, a packet analysis unit 120 and a packet storage unit 130.
  • In the present invention, an unauthorized illegal AP refers to an AP (Access Point) that is not authorized by an administrator.
  • An authorized AP refers to an AP authorized by the administrator.
  • The user terminal 500 refers to any of various devices, such as a laptop or smartphone equipped with a wireless LAN, that can transmit and receive data through the AP 400 connected to the WIPS server 100.
  • The sensor 200 detects data packets wirelessly transmitted to the user terminal 500 through the AP 400.
  • The sensor 200 and the AP 400 are connected to the WIPS server 100 by wire.
  • There may be one AP 400 or a plurality of them.
  • A data packet refers to a unit of information transmitted as a block from one device to another over a communication network.
  • The data packet may include various element fields such as a service set identification address (SSID), a support rate, a timestamp, an indication interval, capacity information, channels, and the like.
  • The data packets detected by the sensor 200 are transmitted to the WIPS server 100.
  • The sensor 200 may be provided with a communication unit 300, and the detected data packets may be transmitted to the WIPS server 100 through the communication unit 300.
  • The WIPS server 100 determines, based on the data packets transmitted from the sensor 200, whether the AP 400 is an unauthorized illegal AP connected to the internal network. Specifically, the packet generation unit 110 and the packet analysis unit 120 provided in the WIPS server 100 first determine whether the AP 400 is connected to the internal network, and the WIPS server 100 then determines whether the AP 400 connected to the internal network is an authorized AP (400a or 400c) or an unauthorized illegal AP (400b or 400d).
  • The packet generation unit 110 and the packet analysis unit 120 provided in the WIPS server 100 are described in detail below. Meanwhile, the data packets transmitted from the sensor 200 may be stored in the packet storage unit 130 provided in the WIPS server 100.
  • The packet generation unit 110 generates a data packet of a specific length to be transmitted to the user terminal 500 through the AP 400 and transmits it a specific number of times during a predetermined time.
  • The packet generation unit 110 may periodically generate a data packet having a specific length and transmit it to the user terminal 500.
  • As the packet generation unit 110, a probe of the kind used in the security field to search for and verify computers and running services on a network may be used.
  • The data packet of a specific length generated by the packet generation unit 110 may be produced by various known packet conversion methods.
  • The predetermined time may be set by an administrator, and is preferably set in seconds.
  • The number of times the data packet is transmitted can also be adjusted by the administrator. For example, an administrator may set whether to transmit a data packet of a specific length 10 times in 1 second or 100 times in 1 second.
  • When there are a plurality of APs 400, the packet generation unit 110 may generate as many data packets of differing lengths as there are APs 400 and transmit them to the user terminal 500 through each AP 400. That is, when several APs 400 are connected to the internal network, transmitting data packets of different lengths makes it possible to detect the multiple APs 400 connected to the internal network simultaneously. For example, if there are four APs 400, four types of data packets having different lengths may be generated and transmitted separately for each AP.
  • The packet analysis unit 120 determines whether the AP 400 is connected to the internal network by analyzing the number of times a data packet having the specific length is detected by the sensor 200. That is, when the packet analysis unit 120 confirms that the AP 400 has transmitted the data packet having the specific length to the user terminal 500 at least a preset number of times, it determines that the AP 400 is an AP connected to the internal network. The preset number of times may be set in consideration of the number of times the packet generation unit 110 generates and transmits the data packet having the specific length.
  • When the WIPS server 100 confirms that the MAC address of the AP 400 determined by the packet analysis unit 120 to be connected to the internal network is not included in the MAC address information of authorized APs, it determines that the AP (400b, 400d) is an unauthorized illegal AP. That is, the WIPS server 100 searches a database unit (not shown) provided within it, which stores the MAC address information of the authorized APs 400a and 400c, and determines whether the AP 400 determined to be connected to the internal network is an unauthorized illegal AP (400b, 400d) or an authorized AP (400a, 400c).
  • FIG. 3 is a flowchart sequentially illustrating a method for detecting an unauthorized illegal AP according to an embodiment of the present invention.
  • The method of detecting an unauthorized AP is hereinafter referred to as the 'detection method'.
  • The sensor 200 detects data packets wirelessly transmitted to the user terminal 500 through the at least one AP 400 (S610).
  • The sensor 200 transmits the detected data packets to the WIPS server 100.
  • The data packets detected by the sensor 200 may be transmitted to the WIPS server 100 through the communication unit 300.
  • The data packets transmitted to the WIPS server 100 may be stored in the packet storage unit 130 provided in the WIPS server 100 (S625).
  • The packet generation unit 110 included in the WIPS server 100 generates a data packet having a specific length and transmits it to the user terminal 500 through the AP 400 a predetermined number of times during a predetermined time (S630).
  • When there are a plurality of APs 400, the packet generation unit 110 generates as many data packets of differing lengths as there are APs 400 and transmits them through each AP 400a, 400b, 400c, 400d.
  • For example, a data packet 64 bits long is generated for the first unauthorized AP 400b among the APs 400 and transmitted 10 times in 1 second, and a 640-bit one for the second unauthorized AP 400d.
  • If the number of 64-bit data packets and the number of 640-bit data packets detected by the sensor during one second are each confirmed to be at or above the preset number of times, it can be determined simultaneously that the first unauthorized AP 400b and the second unauthorized AP 400d are connected to the internal network.
  • The packet analysis unit 120 of the WIPS server 100 checks whether a data packet having the specific length is present among the data packets transmitted from the sensor 200 (S640).
  • The packet analysis unit 120 of the WIPS server 100 checks the number of times a data packet having the specific length, among the data packets transmitted from the sensor 200, is detected during a predetermined time (S650).
  • This predetermined time may be set differently from the predetermined time set in the step of transmitting the data packet of the specific length (S630), but is preferably set to the same time.
  • The packet analysis unit 120 included in the WIPS server 100 determines whether the AP 400 is connected to the internal network based on the presence and detection count of the data packet having the specific length (S660).
  • The packet analysis unit 120 determines that the AP 400 is an AP connected to the internal network when a data packet having the specific length is detected at least a preset number of times during a predetermined time.
  • The preset number of times is a number set in advance by the administrator in consideration of the number of times the packet generation unit 110 generates and transmits the data packet having the specific length.
  • For example, when the packet generation unit 110 transmits ten data packets of the specific length in one second and eight data packets of the specific length transmitted to the user terminal 500 through the AP 400 are detected, the system may be configured to determine that the AP 400 is connected to the internal network.
  • The WIPS server 100 determines whether the AP 400 is an unauthorized illegal AP by searching a database unit that stores MAC address information of authorized APs (S670).
  • When the packet analysis unit 120 determines that the MAC address of the AP 400 determined to be connected to the internal network is not included in the MAC address information of authorized APs stored in the database unit (not shown) provided in the WIPS server 100, the AP (400b, 400d) is determined to be an unauthorized illegal AP.
  • Although the prior art can detect the unauthorized APs (400b, 400d), it cannot confirm whether a detected unauthorized AP (400b, 400d) is an AP connected to one's own network communication network.
  • In secure mode, the data packets transmitted and received between the AP 400 and the user terminal 500 are encrypted.
  • In the present invention, whether the AP 400 is connected can be determined from the number of times the data packet of a specific length generated and transmitted by the packet generation unit 110 is detected, so there is the advantage that an unauthorized illegal AP can be detected in all wireless environments, in both open and secure modes.
  • Bridge mode refers to a method of interconnecting two local area networks (LANs) that use the same logical link control (LLC) protocol but the same or different medium access control (MAC), so that they can exchange data.
  • Bridges include local bridges (LB), which connect LANs in the same premises or local area, and remote bridges, which connect LANs in remote areas. Data is exchanged by sending frames between bridges according to MAC addresses (MACA).
  • A router is a device that extracts the location of a packet, specifies the best path for that location, and forwards the data packet to the next device along the path.
  • Routers connect two or more logical subnets, which do not match the physical interface of the router.
  • In router mode, the MAC address is changed. That is, the conventional technology has a limitation in detecting the unauthorized APs 400b and 400d in router mode, in which the MAC address is continuously changed.
  • Even when the MAC address is changed, the present invention detects the unauthorized AP by using the number of times the data packet of a specific length is transmitted to the user terminals 500 through the AP 400 connected to the WIPS server 100, and therefore has the advantage that it can be used in router mode as well.
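
The counting and lookup described for steps D to G (S640 to S670) can be sketched as follows. This is an added example, not code from the patent or the applicant: the `Observation` record, the MAC addresses, the 128-bit marker for the authorized AP and all function names are constructed for illustration, while the 64-bit and 640-bit markers, the 10 transmissions per second and the eight detections come from the text above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One frame reported by the sensor (constructed model, not a capture format)."""
    t: float          # capture time in seconds
    bssid: str        # MAC address of the AP that sent the frame over the air
    length_bits: int  # frame length as seen by the sensor


def norm_mac(mac: str) -> str:
    """Normalize MAC notation so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_aps(observations, marker_lengths, window_start, window_s,
                 min_hits, authorized_macs):
    """Return {bssid: verdict} for every AP heard inside the counting window.

    'authorized' / 'rogue': the AP relayed one marker length at least min_hits
    times (steps D-F) and its MAC is / is not in the authorized list (step G).
    'not_connected': the AP never reached the threshold, e.g. a neighbour's AP.
    """
    allow = {norm_mac(m) for m in authorized_macs}
    markers = set(marker_lengths)
    hits = defaultdict(lambda: defaultdict(int))  # bssid -> marker length -> count
    seen = set()
    window_end = window_start + window_s
    for ob in observations:
        if not (window_start <= ob.t < window_end):
            continue                       # step E counts only inside the window
        bssid = norm_mac(ob.bssid)
        seen.add(bssid)
        if ob.length_bits in markers:      # step D: frame has a marker length
            hits[bssid][ob.length_bits] += 1
    verdicts = {}
    for bssid in seen:
        # Count per marker length, so stray frames of other lengths do not add up.
        best = max(hits[bssid].values(), default=0)
        if best < min_hits:
            verdicts[bssid] = "not_connected"
        elif bssid in allow:
            verdicts[bssid] = "authorized"
        else:
            verdicts[bssid] = "rogue"
    return verdicts


# Constructed sample data (locally administered MAC addresses, not real devices).
AP_A = "02:00:00:00:00:0a"       # authorized AP, marker 128 bits (assumed value)
AP_B = "02-00-00-00-00-0B"       # unauthorized AP on the internal network, marker 64 bits
AP_D = "02:00:00:00:00:0d"       # unauthorized AP on the internal network, marker 640 bits
NEIGHBOUR = "02:00:00:00:00:99"  # external AP in radio range, not on the internal network
AUTHORIZED = [AP_A]
MARKERS = [64, 128, 640]


def sample_observations():
    obs = []
    obs += [Observation(i * 0.1, AP_B, 64) for i in range(8)]    # 8 of 10 seen, 2 lost
    obs += [Observation(i * 0.1, AP_D, 640) for i in range(10)]  # all 10 seen
    obs += [Observation(i * 0.1, AP_A, 128) for i in range(9)]   # 9 of 10 seen
    obs += [Observation(0.2 * i, NEIGHBOUR, 64) for i in range(3)]      # coincidental length
    obs += [Observation(0.05 * i, NEIGHBOUR, 12000) for i in range(20)]  # ordinary traffic
    obs.append(Observation(1.5, AP_B, 64))                       # outside the 1 s window
    return obs


if __name__ == "__main__":
    result = classify_aps(sample_observations(), MARKERS, 0.0, 1.0, 8, AUTHORIZED)
    for bssid, verdict in sorted(result.items()):
        print(bssid, verdict)
```

The neighbouring AP is reported as `not_connected` rather than `rogue`, which is the distinction the text draws between merely hearing an unauthorized AP and confirming that it sits on one's own network.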

Abstract

The present invention provides the advantages of confirming and detecting whether an unauthorized illegal AP is connected to a user's communication network even in a wireless environment of a secure mode and a router mode. To this end, disclosed is an illegal AP detection system comprising: a sensor for detecting a data packet wirelessly transmitted to a user terminal through at least one AP; and a wireless intrusion prevention system (WIPS) server for determining whether the AP is an unauthorized illegal AP connected to an internal network by receiving the detected data packet from the sensor, wherein the WIPS server comprises: a packet generation unit which generates a data packet of specific length that is to be transmitted to the user terminal through the AP so as to transmit the data packet a specific number of times for a predetermined time; a packet analysis unit for determining whether the AP is an AP connected to the internal network by analyzing the number of times at which the data packet of the specific length has been detected by the sensor for a predetermined time; and a database unit for storing MAC address information of the AP.

Description

Illegal AP Detection System and Its Detection Method
The present invention relates to an illegal AP detection system and a detection method thereof. More specifically, it relates to an illegal AP detection system and detection method that can detect whether an unauthorized illegal AP is connected to one's own network even when the wireless environment is in secure mode and router mode.
Rapidly expanding wireless networks, in particular wireless LANs, allow user terminals to connect wirelessly to the network and exchange data in accordance with the IEEE 802.11 standard. A wireless network environment is convenient because users can move freely while exchanging data over a network connection. However, because the connecting user terminal is physically separated from the network equipment and the transmitted data is exposed over the air, the possibility of malicious access and of data corruption or leakage is greater than in wired networks, especially wired LANs.
The most fundamental vulnerability of such a wireless environment is, first, that a wireless AP inside a building can easily be reached from outside the building, so an unauthorized person or unauthorized terminal can gain bypass access to the internal network, rendering useless the security equipment in the wired gateway section such as FW and IDS. In addition, when an employee or the like on a network connected to the in-house wired network uses a laptop or similar device fitted with an unauthorized wireless LAN to connect to an external wireless LAN AP, an information leakage accident can occur through this path as well, and this has emerged as a problem.
Second, even without connecting to an AP and joining the in-house wireless network, wireless-section data can easily be eavesdropped through air sniffing, so confidential and personal information of the company can be leaked. At present, the largest share of security vulnerabilities in wireless APs and routers in Korea is caused by wireless equipment such as wireless LANs left in use unauthenticated and password-free, and as wireless LAN security measures to address this, security infrastructure such as authentication and encryption is being applied.
Meanwhile, conventional techniques for detecting unauthorized APs do not process wired data traffic and only collect information about the unauthorized APs, so they cannot confirm whether the collected unauthorized APs are connected to the internal network. That is, even when an unauthorized AP is detected, it cannot be confirmed whether that AP is connected to one's own network, and so it cannot simply be blocked.
In addition, the prior art could collect information about APs in open mode and bridge mode, but could not collect information about APs in secure mode and router mode.
The present invention was created to solve the above problems, and its object is to provide a detection system and a detection method capable of detecting an unauthorized illegal AP connected to one's own network regardless of whether the wireless environment is in bridge mode, router mode, open mode or secure mode.
The above object of the present invention is achieved by providing an illegal AP detection system comprising: a sensor that detects data packets wirelessly transmitted to a user terminal through at least one AP; and a WIPS (wireless intrusion prevention system) server that receives the detected data packets from the sensor and determines whether the AP is an unauthorized illegal AP connected to the internal network, wherein the WIPS server comprises: a packet generation unit that generates a data packet of a specific length to be transmitted to the user terminal through the AP and transmits it a specific number of times during a predetermined time; a packet analysis unit that analyzes the number of times the data packet having the specific length is detected by the sensor during a predetermined time and determines whether the AP is an AP connected to the internal network; and a database unit that stores MAC address information of the AP.
In addition, when there are a plurality of APs, the packet generation unit may generate as many data packets of differing lengths as there are APs and transmit them to the user terminal through each AP.
In addition, the packet analysis unit may determine that the AP is an AP connected to the internal network when it confirms that the AP has transmitted the data packet having the specific length to the user terminal at least a preset number of times during a predetermined time.
In addition, the WIPS server may determine that the AP is an unauthorized illegal AP when it confirms that the MAC address of the AP determined by the packet analysis unit to be connected to the internal network is not included in the MAC address information of authorized APs.
The sensor may further include a communication unit for transmitting the detected data packets to the WIPS server.
Meanwhile, in another category, the object of the present invention is achieved by providing an illegal AP detection method comprising: a step A in which a sensor detects data packets wirelessly transmitted to a user terminal through at least one AP; a step B in which the sensor transmits the detected data packets to a WIPS (wireless intrusion prevention system) server; a step C in which a packet generation unit provided in the WIPS server generates a data packet having a specific length and transmits it to the user terminal through the AP a specific number of times during a predetermined time; a step D in which a packet analysis unit provided in the WIPS server checks whether a data packet having the specific length is present among the data packets transmitted from the sensor; a step E in which the packet analysis unit checks the number of times a data packet having the specific length, among the data packets transmitted from the sensor, is detected during a predetermined time; a step F in which the packet analysis unit determines whether the AP is an AP connected to the internal network based on the presence and the number of detections of the data packet having the specific length; and a step G in which the WIPS server searches a database unit storing MAC address information of authorized APs and determines whether the AP is an unauthorized illegal AP.
In addition, in step C, when there are a plurality of APs, the packet generation unit may generate as many data packets of differing lengths as there are APs and transmit them to the user terminal through each AP.
In addition, in step F, the packet analysis unit may determine that the AP is an AP connected to the internal network when a data packet having the specific length is detected at least a preset number of times during a predetermined time.
In step G, when the packet analysis unit determines that the MAC address of the AP determined to be connected to the internal network is not included in the MAC address information of authorized APs stored in the database unit provided in the WIPS server, the AP may be determined to be an unauthorized illegal AP.
본 발명의 일 실시예에 의하면, 본 발명은 비인가 불법 AP가 자신의 네트워크 통신망에 연결되어 있는지를 확인 및 검출할 수 있는 효과가 있다.According to one embodiment of the present invention, the present invention has the effect of identifying and detecting whether an unauthorized illegal AP is connected to its network.
또한, 비인가 불법 AP와 사용자단말기 사이에 주고 받는 데이터 패킷이 암호화되어 있는 보안 모드인 경우에도 자신의 네트워크 통신망에 연결되어 있는 비인가 불법 AP인지 여부를 확인할 수 있는 효과가 있다.In addition, even in a secure mode in which data packets transmitted and received between an unauthorized illegal AP and a user terminal are encrypted, there is an effect of confirming whether the unauthorized AP is connected to its own network communication network.
아울러, 브릿지 모드 및 라우터 모드의 무선 환경 모두에서 자신의 네트워크 통신망에 연결되어 있는 비인가 불법 AP를 검출할 수 있는 효과가 있다.In addition, there is an effect that can detect an unauthorized illegal AP connected to its network communication network in both the bridge mode and router mode wireless environment.
FIG. 1 is a block diagram showing the configuration of an unauthorized illegal AP detection system according to an embodiment of the present invention.
FIG. 2 is a block diagram showing the configuration of a WIPS server according to an embodiment of the present invention.
FIG. 3 is a flowchart sequentially illustrating a method for detecting an unauthorized illegal AP according to an embodiment of the present invention.
<Description of reference numerals>
100: WIPS server
110: packet generation unit
120: packet analysis unit
130: packet storage unit
200: sensor
300: communication unit
400: AP
500: user terminal
Hereinafter, preferred embodiments of the present invention are described in detail with reference to the accompanying drawings. Note that identical elements are denoted by the same reference numerals and symbols wherever possible, even when they appear in different drawings. In the following description, detailed explanations of related known functions or configurations are omitted where they would unnecessarily obscure the subject matter of the present invention.
<Configuration of the unauthorized illegal AP detection system>
FIG. 1 is a block diagram of an illegal AP detection system for a network according to an embodiment of the present invention, and FIG. 2 is a block diagram showing the configuration of a WIPS server according to an embodiment of the present invention. As shown in FIG. 1, the illegal AP detection system of the present invention (hereinafter, the 'detection system') consists of a WIPS (Wireless intrusion prevention system) server (100), a sensor (200), a communication unit (300), an AP (400), and a user terminal (500). As shown in FIG. 2, the WIPS server (100) contains a packet generation unit (110), a packet analysis unit (120), and a packet storage unit (130). In the present invention, an unauthorized illegal AP is an AP (Access Point) that has not been approved by the administrator (unauthorized), and an authorized AP is an AP that has been approved by the administrator (authorized). The user terminal (500) is any of various devices, such as a laptop or smartphone equipped with a wireless LAN, that can exchange data through the AP (400) connected to the WIPS server (100).
The sensor (200) detects data packets wirelessly transmitted to the user terminal (500) through the AP (400). The sensor (200) and the AP (400) are connected to the WIPS server (100) by wire. There may be one AP (400) or a plurality of them. A data packet is a unit of information sent as a block from one device to another over a communication network. Here, a data packet may include various element fields such as the service set identifier (SSID), supported rates, timestamp, beacon interval, capability information, and channels. The data packets detected by the sensor (200) are transmitted to the WIPS server (100). The sensor (200) may be provided with a communication unit (300), through which the detected data packets can be transmitted to the WIPS server (100).
The WIPS server (100) determines, based on the data packets transmitted from the sensor (200), whether the AP (400) is an unauthorized illegal AP connected to the internal network. Specifically, the packet generation unit (110) and the packet analysis unit (120) provided in the WIPS server (100) are used to determine whether the AP (400) is connected to the internal network, and the WIPS server (100) then determines whether the AP (400) connected to the internal network is an authorized AP (400a, 400c) or an unauthorized illegal AP (400b, 400d). The packet generation unit (110) and the packet analysis unit (120) provided in the WIPS server (100) are described in detail below. The data packets transmitted from the sensor (200) may be stored in the packet storage unit (130) provided in the WIPS server (100).
The packet generation unit (110) generates a data packet of a specific length to be sent to the user terminal (500) through the AP (400) and transmits it a specific number of times during a predetermined time. The packet generation unit (110) may periodically generate data packets of the specific length and transmit them to the user terminal (500). A probe, which in the security field is used to discover and identify computers and running services on a network, may be used as the packet generation unit (100). The data packet of a specific length generated by the packet generation unit (110) may be produced by any of various known packet conversion methods. The predetermined time can be set by the administrator and is preferably set in units of seconds. The number of times the data packet is transmitted can also be adjusted by the administrator. For example, the administrator can set whether a data packet of the specific length is transmitted 10 times in 1 second or 100 times in 1 second.
When there are a plurality of APs (400), the packet generation unit (110) may generate data packets of different lengths, as many as the number of APs (400), and transmit them to the user terminal (500) through each AP (400). That is, when several APs (400) are connected to the internal network, sending a data packet of a different length for each AP (400) makes it possible to detect several APs (400) connected to the internal network at the same time. For example, if there are four APs (400), four kinds of data packets, each with a different length, can be generated and sent separately for each AP.
The packet analysis unit (120) analyzes the number of times a data packet having the specific length is detected by the sensor (200) and determines whether the AP (400) is connected to the internal network. That is, when the packet analysis unit (120) confirms that the AP (400) has transmitted the data packet having the specific length to the user terminal (500) at least the number of times preset by the administrator, it determines that the AP (400) is connected to the internal network. The preset number of times can be chosen in view of the number of times the packet generation unit (110) generates and transmits the data packet having the specific length.
When the WIPS server (100) confirms that the MAC address of an AP (400) that the packet analysis unit (120) determined to be connected to the internal network is not included in the MAC address information of authorized APs, it determines that the AP (400b, 400d) is an unauthorized illegal AP. That is, the WIPS server (100) searches an internal database unit (not shown), which stores the MAC address information of the authorized APs (400a, 400b), to determine whether the AP (400) judged to be connected to the internal network is an unauthorized illegal AP (400b, 400d) or an authorized AP (400a, 400c).
<Unauthorized illegal AP detection method>
FIG. 3 is a flowchart sequentially illustrating a method for detecting an unauthorized illegal AP according to an embodiment of the present invention. The unauthorized AP detection method (hereinafter, the 'detection method') is described in detail below; content that overlaps with the description of the detection system above is omitted.
1. Data packet detection step (S610)
This is the step in which the sensor (200) detects data packets wirelessly transmitted to the user terminal (500) through at least one AP (400) (S610).
2. Data packet transmission step (S620)
This is the step in which the sensor (200) transmits the detected data packets to the WIPS server (100) (S620). The data packets detected by the sensor (200) may be transmitted to the WIPS server (100) through the communication unit (300). The data packets transmitted to the WIPS server (100) may be stored in the packet storage unit (300) provided inside the WIPS server (100) (S625).
3. Step of transmitting a data packet of a specific length (S630)
This is the step in which the packet generation unit (110) provided in the WIPS server (100) generates a data packet having a specific length and transmits it to the user terminal (500) through the AP (400) a specific number of times during a predetermined time (S630). When there are a plurality of APs (400), the packet generation unit (110) may generate data packets of different lengths, as many as the number of APs (400), and transmit them to the respective user terminals (500a, 500b, 500c, 500d) through the respective APs (400a, 400b, 400c, 400d). For example, suppose a data packet with a length of 64 bits is generated and transmitted 10 times in 1 second for the first unauthorized AP (400b) and, at the same time, a data packet with a length of 640 bits is generated and transmitted 10 times in 1 second for the second unauthorized AP (400d). If the number of 64-bit data packets and the number of 640-bit data packets that the sensor detected in 1 second are each confirmed to be at least the preset number, the first unauthorized AP (400b) and the second unauthorized AP (400d) can be determined, at the same time, to be connected to the internal network.
4. Step of checking for the presence of a data packet of the specific length (S640)
This is the step in which the packet analysis unit (120) provided in the WIPS server (100) checks whether a data packet having the specific length is present among the data packets transmitted from the sensor (200) (S640).
5. Step of checking for the presence of a data packet of the specific length (S650)
This is the step in which the packet analysis unit (120) provided in the WIPS server (100) checks the number of times a data packet having the specific length was detected during a predetermined time among the data packets transmitted from the sensor (200) (S650). This predetermined time may differ from the predetermined time set in the step of transmitting a data packet of a specific length (S630), but setting both to the same time is preferable.
6. Step of checking whether the AP is connected to the internal network (S660)
This is the step in which the packet analysis unit (120) provided in the WIPS server (100) determines, based on the presence and the detection count of the data packet having the specific length, whether the AP (400) is connected to the internal network (S660). The packet analysis unit (120) determines that the AP (400) is connected to the internal network when a data packet having the specific length is detected at least a preset number of times during the predetermined time. The preset number is a number set in advance by the administrator in view of the number of times the packet generation unit (110) generates and transmits the data packet having the specific length. For example, if the packet generation unit (110) transmits a data packet of the specific length 10 times in 1 second, the system can be configured to determine that the AP (500) is connected to the internal network when 8 data packets of the specific length sent to the user terminal (500) through the AP (500) are detected.
7. Step of determining whether the AP is an unauthorized illegal AP (S670)
This is the step in which the WIPS server (100) searches the database unit storing the MAC address information of authorized APs and determines whether the AP (400) is an unauthorized illegal AP (S670). When the packet analysis unit (120) finds that the MAC address of the AP (400) determined to be connected to the internal network is not included in the MAC address information of authorized APs stored in the database unit (not shown) provided in the WIPS server (100), it determines that the AP (400b, 400d) is an unauthorized illegal AP.
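The analysis in steps S640 to S670, as an added example that is not part of the patent text. The names `Observation`, `Probe`, `internal_aps` and `classify`, the MAC addresses, the third probe length 128 and the capture are constructed for illustration; the lengths 64 and 640 and the 10-sent, 8-detected threshold follow the description above. It assumes the sensor reports, for every frame, the transmitting AP's MAC address and a frame length comparable to the length of the generated packet.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One frame reported by the sensor; the payload is encrypted, so only metadata is used."""
    t: float      # capture time in seconds
    bssid: str    # MAC address of the AP that transmitted the frame
    length: int   # frame length in bits, as reported by the sensor (assumption)


@dataclass(frozen=True)
class Probe:
    """One stream of marker packets sent by the packet generation unit (S630)."""
    length: int     # the specific length that marks this stream
    start: float    # time the stream started, in seconds
    window: float   # predetermined time, in seconds
    threshold: int  # preset detection count chosen by the administrator


def normalize_mac(mac):
    """Bring MAC strings to one form so database lookups do not miss on case or separators."""
    return mac.strip().lower().replace("-", ":")


def internal_aps(observations, probes):
    """S640-S660: return {bssid: {probe_length: count}} for APs that relayed a probe stream."""
    by_length = {p.length: p for p in probes}
    if len(by_length) != len(probes):
        raise ValueError("each probe stream needs its own length")
    counts = Counter()
    for o in observations:
        p = by_length.get(o.length)                          # S640: marker length present?
        if p is not None and p.start <= o.t < p.start + p.window:
            counts[(normalize_mac(o.bssid), o.length)] += 1  # S650: count inside the window
    internal = {}
    for (bssid, length), n in counts.items():                # S660: compare with the threshold
        if n >= by_length[length].threshold:
            internal.setdefault(bssid, {})[length] = n
    return internal


def classify(observations, probes, authorized_macs):
    """S670: look up every internally connected AP in the authorized-MAC database."""
    allow = {normalize_mac(m) for m in authorized_macs}
    internal = internal_aps(observations, probes)
    verdicts = {}
    for bssid in sorted({normalize_mac(o.bssid) for o in observations}):
        if bssid not in internal:
            verdicts[bssid] = "not-internal"   # e.g. a neighbouring AP heard by the sensor
        elif bssid in allow:
            verdicts[bssid] = "authorized"
        else:
            verdicts[bssid] = "illegal"
    return verdicts


# Constructed sample data (locally administered MAC addresses).
AUTH_AP = "02:00:00:00:00:0a"
ROGUE_1 = "02:00:00:00:00:0b"
ROGUE_2 = "02:00:00:00:00:0d"
NEIGHBOR = "02:00:00:00:00:ee"
AUTHORIZED_DB = ["02-00-00-00-00-0A"]          # stored in a different notation on purpose
PROBES = [Probe(64, 0.0, 1.0, 8), Probe(640, 0.0, 1.0, 8), Probe(128, 0.0, 1.0, 8)]


def constructed_capture():
    obs = [Observation(0.05 + 0.1 * i, ROGUE_1, 64) for i in range(9)]     # 1 of 10 lost
    obs += [Observation(0.02 + 0.1 * i, ROGUE_2, 640) for i in range(8)]   # 2 of 10 lost
    obs += [Observation(0.03 + 0.1 * i, AUTH_AP, 128) for i in range(10)]
    obs += [Observation(0.2 * i, NEIGHBOR, 64) for i in range(3)]          # coincidental length
    obs += [Observation(1.5 + 0.01 * i, NEIGHBOR, 64) for i in range(20)]  # outside the window
    obs += [Observation(0.5, NEIGHBOR, 1500)]                              # ordinary traffic
    return obs


if __name__ == "__main__":
    for mac, verdict in classify(constructed_capture(), PROBES, AUTHORIZED_DB).items():
        print(mac, verdict)
```

The neighbouring AP shows why the count threshold and the time window matter: a few frames that happen to have a marker length, or many of them outside the window, do not mark an AP as internally connected.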
The prior art could detect unauthorized APs (400b, 400d), but it could not confirm whether a detected unauthorized AP (400b, 400d) was connected to one's own network, and when the data packets exchanged between the AP (400) and the terminal (500) were encrypted, it could not determine from the data packet information whether the AP (500) was connected to the internal network. In contrast, even when the data packets exchanged between the AP (400) and the user terminal (500) are encrypted, the present invention can confirm whether the AP (400) is a connected AP (400) from the number of times the data packet of a specific length, generated and transmitted by the packet generation unit (110), is detected, so it has the advantage of detecting unauthorized illegal APs in all wireless environments, in both open mode and security mode.
In addition, unlike the prior art, the present invention has the advantage that it can be used in both bridge-mode and router-mode wireless environments. Bridge mode refers to a method of interconnecting two local area networks (LANs) that have the same logical link control protocol (LLC protocol) but the same or different media access control (MAC), so that they can exchange data. Bridges include local bridges (LB), which connect LANs within the same premises or at short distance, and remote bridges, which connect LANs at a distance. Bridges exchange data by forwarding frames between one another according to MAC addresses (MACA). A router, on the other hand, is a device that extracts the location of a packet, determines the best path to that location, and forwards the data packet to the next device along that path. A router connects two or more logical subnets, which do not correspond to the router's physical interfaces. That is, in router mode the MAC address changes. The prior art was therefore limited in detecting unauthorized APs (400b, 400d) in router mode, where the MAC address keeps changing, whereas the present invention can also be used in router mode because, even if the MAC address changes, it detects an unauthorized illegal AP using the number of times data packets of a specific length, transmitted to the user terminals (500) through the AP (400) connected to the WIPS server (100), are detected.
The technical idea of the present invention has been described above together with the accompanying drawings, but this describes the best embodiment of the present invention by way of example and does not limit the present invention. It is also evident that anyone with ordinary skill in this technical field can make various modifications and imitations without departing from the scope of the technical idea of the present invention.

Claims (9)

  1. An illegal AP detection system comprising: a sensor that detects data packets wirelessly transmitted to a user terminal through at least one AP; and
    a WIPS (Wireless intrusion prevention system) server that receives the detected data packets from the sensor and determines whether the AP is an unauthorized illegal AP connected to an internal network,
    wherein the WIPS server comprises:
    a packet generation unit that generates a data packet of a specific length to be transmitted to the user terminal through the AP and transmits it a specific number of times during a predetermined time;
    a packet analysis unit that analyzes the number of times a data packet having the specific length is detected by the sensor during a predetermined time and determines whether the AP is an AP connected to the internal network; and
    a database unit that stores MAC address information of authorized APs.
  2. The illegal AP detection system of claim 1,
    wherein the packet generation unit,
    when there are a plurality of APs, generates data packets of different lengths, as many as the number of APs, and transmits them to the user terminal through each AP.
  3. The illegal AP detection system of claim 1,
    wherein the packet analysis unit,
    when it confirms that the AP has transmitted the data packet having the specific length to the user terminal at least a preset number of times during a predetermined time, determines that the AP is an AP connected to the internal network.
  4. The illegal AP detection system of claim 1,
    wherein the WIPS server,
    when it confirms that the MAC address of the AP determined by the packet analysis unit to be connected to the internal network is not included in the MAC address information of the authorized APs, determines that the AP is an unauthorized illegal AP.
  5. The illegal AP detection system of claim 1,
    wherein the sensor
    further comprises a communication unit for transmitting the detected data packets to the WIPS server.
  6. An illegal AP detection method comprising: step A, in which a sensor detects data packets wirelessly transmitted to a user terminal through at least one AP;
    step B, in which the sensor transmits the detected data packets to a WIPS (Wireless intrusion prevention system) server;
    step C, in which a packet generation unit provided in the WIPS server generates a data packet having a specific length and transmits it to the user terminal through the AP a specific number of times during a predetermined time;
    step D, in which a packet analysis unit provided in the WIPS server checks whether a data packet having the specific length is present among the data packets transmitted from the sensor;
    step E, in which the packet analysis unit checks the number of times a data packet having the specific length was detected during a predetermined time among the data packets transmitted from the sensor;
    step F, in which the packet analysis unit determines, based on the presence and the detection count of the data packet having the specific length, whether the AP is an AP connected to the internal network; and
    step G, in which the WIPS server searches a database unit storing MAC address information of authorized APs to determine whether the AP is an unauthorized illegal AP.
  7. The illegal AP detection method of claim 6,
    wherein, in step C,
    the packet generation unit, when there are a plurality of APs, generates data packets of different lengths, as many as the number of APs, and transmits them to the user terminal through each AP.
  8. The illegal AP detection method of claim 6,
    wherein, in step F,
    the packet analysis unit determines that the AP is an AP connected to the internal network when the data packet having the specific length is detected at least a preset number of times during a predetermined time.
  9. The illegal AP detection method of claim 6,
    wherein, in step G,
    the packet analysis unit determines that the AP is an unauthorized illegal AP when the MAC address of the AP determined to be connected to the internal network is found not to be included in the MAC address information of authorized APs stored in the database unit provided in the WIPS server.
PCT/KR2013/010597 2012-11-23 2013-11-21 Illegal ap detection system and detection method therefor WO2014081205A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020120133371A KR101429177B1 (en) 2012-11-23 2012-11-23 System for detecting unauthorized AP and method for detecting thereof
KR10-2012-0133371 2012-11-23

Publications (1)

Publication Number Publication Date
WO2014081205A1 true WO2014081205A1 (en) 2014-05-30

Family

ID=50776316

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2013/010597 WO2014081205A1 (en) 2012-11-23 2013-11-21 Illegal ap detection system and detection method therefor

Country Status (2)

Country Link
KR (1) KR101429177B1 (en)
WO (1) WO2014081205A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106686580A (en) * 2015-11-06 2017-05-17 北京金山安全软件有限公司 Wireless hotspot name display method and device
US10039174B2 (en) 2014-08-11 2018-07-31 RAB Lighting Inc. Systems and methods for acknowledging broadcast messages in a wireless lighting control network
US10085328B2 (en) 2014-08-11 2018-09-25 RAB Lighting Inc. Wireless lighting control systems and methods
US10531545B2 (en) 2014-08-11 2020-01-07 RAB Lighting Inc. Commissioning a configurable user control device for a lighting control system
CN111479271A (en) * 2020-04-03 2020-07-31 北京锐云通信息技术有限公司 Wireless security detection and protection method and system based on asset attribute mark grouping
CN111479273A (en) * 2020-05-25 2020-07-31 北京字节跳动网络技术有限公司 Method, device, equipment and storage medium for detecting network access security
CN112105029A (en) * 2020-08-07 2020-12-18 新华三技术有限公司 Method and device for countering illegal device
CN113207125A (en) * 2021-04-25 2021-08-03 深圳市科信网安科技有限公司 Illegal wireless AP detection device
CN113438653A (en) * 2021-06-01 2021-09-24 紫光华山科技有限公司 Equipment classification method and device
CN115085979A (en) * 2022-05-30 2022-09-20 浙江大学 Illegal installation and occupation detection method of network camera based on flow analysis

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101626567B1 (en) * 2014-09-24 2016-06-01 주식회사 코닉글로리 Wireless security apparatus and method
JP2018511282A (en) * 2015-03-27 2018-04-19 ユーネット セキュア インコーポレイテッド WIPS sensor and terminal blocking method using the same
KR102285257B1 (en) * 2017-08-14 2021-08-02 주식회사 케이티 Apparatus and method for detection of wireless intrusion detection system using WiFi access point
KR102220877B1 (en) * 2019-07-05 2021-02-26 빅오 주식회사 Device for testing performance of wireless intrusion prevention system and recording medium storing program for performing the same
KR102067046B1 (en) * 2019-10-15 2020-01-17 주식회사 윅스콘 Deformation camera recognition system using network video transmission pattern analysis based on machine learning and the method thereof
KR102374657B1 (en) * 2019-11-29 2022-03-14 주식회사 케이티 Apparatus for detecting of wireless intrusion prevention system and method for wireless intrusion prevention system signal avoidance using the same
KR102168780B1 (en) * 2019-12-31 2020-10-22 충남대학교 산학협력단 Access point identification method and system using machine learning
KR102215390B1 (en) * 2020-06-23 2021-02-16 공경남 Method for detecting hidden camera using a wireless router
KR102366574B1 (en) * 2021-11-29 2022-02-23 주식회사 심플솔루션 Wireless Intrusion Prevention Methods

Citations (4)

Publication number Priority date Publication date Assignee Title
US20060189298A1 (en) * 2003-03-06 2006-08-24 Maurizio Marcelli Method and software program product for mutual authentication in a communications network
JP2011097437A (en) * 2009-10-30 2011-05-12 Toshiba Corp Communication system, mobile terminal of the system, and center of the system
KR20110106125A (en) * 2010-03-22 2011-09-28 아주대학교산학협력단 System and method for operating wireless communication network
KR20110114615A (en) * 2009-01-05 2011-10-19 퀄컴 인코포레이티드 Detection of falsified wireless access points

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
US20060189298A1 (en) * 2003-03-06 2006-08-24 Maurizio Marcelli Method and software program product for mutual authentication in a communications network
KR20110114615A (en) * 2009-01-05 2011-10-19 퀄컴 인코포레이티드 Detection of falsified wireless access points
JP2011097437A (en) * 2009-10-30 2011-05-12 Toshiba Corp Communication system, mobile terminal of the system, and center of the system
KR20110106125A (en) * 2010-03-22 2011-09-28 아주대학교산학협력단 System and method for operating wireless communication network

Cited By (18)

Publication number Priority date Publication date Assignee Title
US11398924B2 (en) 2014-08-11 2022-07-26 RAB Lighting Inc. Wireless lighting controller for a lighting control system
US10039174B2 (en) 2014-08-11 2018-07-31 RAB Lighting Inc. Systems and methods for acknowledging broadcast messages in a wireless lighting control network
US10085328B2 (en) 2014-08-11 2018-09-25 RAB Lighting Inc. Wireless lighting control systems and methods
US10219356B2 (en) 2014-08-11 2019-02-26 RAB Lighting Inc. Automated commissioning for lighting control systems
US10531545B2 (en) 2014-08-11 2020-01-07 RAB Lighting Inc. Commissioning a configurable user control device for a lighting control system
US10855488B2 (en) 2014-08-11 2020-12-01 RAB Lighting Inc. Scheduled automation associations for a lighting control system
US11722332B2 (en) 2014-08-11 2023-08-08 RAB Lighting Inc. Wireless lighting controller with abnormal event detection
CN106686580A (en) * 2015-11-06 2017-05-17 北京金山安全软件有限公司 Wireless hotspot name display method and device
CN111479271A (en) * 2020-04-03 2020-07-31 北京锐云通信息技术有限公司 Wireless security detection and protection method and system based on asset attribute mark grouping
CN111479271B (en) * 2020-04-03 2023-07-25 北京锐云通信息技术有限公司 Wireless security detection and protection method and system based on asset attribute marking grouping
CN111479273A (en) * 2020-05-25 2020-07-31 北京字节跳动网络技术有限公司 Method, device, equipment and storage medium for detecting network access security
CN111479273B (en) * 2020-05-25 2023-04-07 北京字节跳动网络技术有限公司 Method, device, equipment and storage medium for detecting network access security
CN112105029A (en) * 2020-08-07 2020-12-18 新华三技术有限公司 Method and device for countering illegal device
CN112105029B (en) * 2020-08-07 2022-07-12 新华三技术有限公司 Method and device for countering illegal device
CN113207125B (en) * 2021-04-25 2021-12-14 深圳市科信网安科技有限公司 Illegal wireless AP detection device
CN113207125A (en) * 2021-04-25 2021-08-03 深圳市科信网安科技有限公司 Illegal wireless AP detection device
CN113438653A (en) * 2021-06-01 2021-09-24 紫光华山科技有限公司 Equipment classification method and device
CN115085979A (en) * 2022-05-30 2022-09-20 浙江大学 Illegal installation and occupation detection method of network camera based on flow analysis

Also Published As

Publication number Publication date
KR20140066312A (en) 2014-06-02
KR101429177B1 (en) 2014-08-12

Similar Documents

Publication Publication Date Title
WO2014081205A1 (en) Illegal ap detection system and detection method therefor
US7970894B1 (en) Method and system for monitoring of wireless devices in local area computer networks
WO2012153913A1 (en) Method of defending against a spoofing attack by using a blocking server
WO2012108687A2 (en) Method of detecting arp spoofing attacks using arp locking and computer-readable recording medium storing program for executing the method
WO2015129934A1 (en) Command control channel detection device and method
WO2017086613A1 (en) Anti-theft apparatus for smart device
WO2019146956A1 (en) Apparatus and method for acquiring information of device
WO2014038737A1 (en) Network traffic management system using monitoring policy and filtering policy, and method thereof
WO2021261883A1 (en) Method for detecting hidden camera using wireless router and system thereof
WO2015102446A1 (en) Method for detecting bypass connection via anonymous network using changes in round trip times
WO2013024986A2 (en) Network identifier position determining system and method for same
WO2017026840A1 (en) Internet connection device, central management server, and internet connection method
WO2022255619A1 (en) Wireless intrusion prevention system and operating method therefor
WO2016159396A1 (en) Wips sensor and method for blocking terminal using same
KR20120132086A (en) System for detecting unauthorized AP and method for detecting thereof
WO2016035954A1 (en) Dedicated terminal for measuring internet line quality and operating method therefor
WO2019231215A1 (en) Terminal device and method for identifying malicious ap by using same
WO2012057533A2 (en) System and method for dynamic channel allocation for avoiding frequency interference
WO2024029658A1 (en) Access control system in network and method therefor
WO2019182219A1 (en) Blockchain-based trusted network system
WO2023017952A1 (en) Sensing device, wireless intrusion prevention system comprising sensing device, and method for operating same
WO2018056582A1 (en) Method for inspecting packet using secure sockets layer communication
WO2016047843A1 (en) Wireless security apparatus and method
KR101335293B1 (en) System for blocking internal network intrusion and method the same
WO2019107794A1 (en) Communication management apparatus and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13857434

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13857434

Country of ref document: EP

Kind code of ref document: A1