WO2019086970A1 - Detecting security events in wireless sensor networks - Google Patents

Info

Publication number
WO2019086970A1
Authority
WO
WIPO (PCT)
Prior art keywords
condition monitoring
time
security event
monitoring device
observed
Prior art date
Application number
PCT/IB2018/057138
Other languages
English (en)
Inventor
Apala Ray
Thomas Locher
Aurelien MONOT
Original Assignee
Abb Schweiz Ag
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Abb Schweiz Ag
Publication of WO2019086970A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • the present subject matter relates, in general, to detecting security events in wireless sensor networks and, in particular, to detecting security events in wireless sensor networks including condition monitoring devices for electrical machines.
  • a condition monitoring device includes one or more sensors that measure one or more parameters related to the functioning of an associated electrical machine. These parameters may be shared with a portable device, also referred to as a receiving device, for further processing. For this, the condition monitoring device is to be paired with the portable device.
  • industrial systems include several condition monitoring devices in communication with various portable devices over a low power wireless communication network. Since the condition monitoring devices include one or more sensors, the condition monitoring devices are also referred to as sensor devices and the wireless communication network is also referred to as wireless sensor network.
  • condition monitoring devices rely on device advertising, i.e., announcing the existence or availability of a sensor or condition monitoring device that is not paired with a portable device, for pairing.
  • a condition monitoring device can broadcast advertising messages around itself. Any receiving device can connect to the broadcasting condition monitoring device to receive more information.
  • any receiving device whether authorized or not, can be connected to the broadcasting condition monitoring device and can obtain information about the associated electrical machine and interfere with its operations, and then spoof the identity of the condition monitoring device to send false information regarding the electrical machine to authorized receiving devices.
  • any attacker device can be connected to the condition monitoring device by spoofing the identity of an authorized receiving device. Once the attacker device is connected to the condition monitoring device, the attacker device can modify and replay the information from the condition monitoring device to any authorized receiving device seeking information from the condition monitoring device, thus performing a man-in-the-middle attack.
  • FIG. 1 illustrates an industrial system depicting a wireless sensor network including condition monitoring devices, in accordance with example implementations of the present subject matter.
  • FIG. 2 illustrates a block diagram depicting a gateway for detecting security events in wireless sensor networks, in accordance with example implementations of the present subject matter.
  • FIGs. 3A-3H illustrate various example scenarios for detection of security events, in accordance with example implementations of the present subject matter.
  • FIG. 4 illustrates a method for detecting security events in wireless sensor networks, in accordance with example implementations of the present subject matter.
  • the present subject matter relates to detecting security events in wireless sensor networks.
  • security events, such as spoofing attacks, can be detected in low power wireless sensor networks, e.g., Bluetooth Low Energy (LE) based sensor networks, using a detection module in a gateway device.
  • the detection module continuously monitors the advertising messages in the network to observe time-outs and collision patterns and detect the presence of security events. Once a security event has been detected, the detection module raises an alarm.
  • the condition monitoring device that has been exposed to the security event is flagged as being vulnerable and an operator is requested to investigate the condition monitoring device. For example, the operator may change the address of the condition monitoring device. Further, the spoofed address is blacklisted by the gateway to prevent further attacks.
  • FIG. 1 illustrates an industrial system 100 depicting a wireless sensor network including condition monitoring devices, in accordance with implementations of the present subject matter.
  • the industrial system 100 is also referred to as system 100 hereinafter.
  • the system 100 includes condition monitoring devices 102-1 ,
  • condition monitoring device 102 may be implemented as a computing device comprising a plurality of sensors, one or more processors, memories, network interfaces, and the like.
  • each condition monitoring device 102 may be attached to a respective electrical machine 104-1, 104-2, ... 104-n, individually referred to as electrical machine 104.
  • the condition monitoring device 102 can thus monitor a condition of the electrical machine 104.
  • the electrical machine 104 may be, for example, a motor, a generator, and the like.
  • the condition of the electrical machine 104 may include values of various parameters monitored such as current, voltage, power, noise and amplitude distortion, magnetic field, vibration, temperature, and the like.
  • the system 100 further includes a gateway 106, one or more servers, such as server 108, and one or more portable devices, such as mobile device 110.
  • the gateway 106 can be any computing device capable of receiving, processing, and transmitting low power wireless communication signals.
  • the mobile device 110 can be implemented as any portable computing device, such as a mobile phone, a personal digital assistant (PDA), a notebook, a proprietary device, or the like, that is capable of receiving, processing, and transmitting low power wireless communication signals.
  • the mobile device 110 and the gateway 106 can communicate with the condition monitoring devices 102-1 ... 102-n using low power wireless communication signals.
  • the server 108 may be communicatively coupled to the mobile device 110 and the gateway 106 over a wired or wireless network, such as a wide area network (WAN), local area network (LAN), a mobile phone network, a short-range wireless network, and the like.
  • the server 108 may also be able to communicate over the low power wireless network used by the mobile device 110 and the gateway 106.
  • the system 100 can include a mix of wired and wireless networks, though the condition monitoring devices 102-1 ... 102-n would communicate predominantly over a wireless network.
  • while the mobile device 110 is shown to be in communication with a single condition monitoring device 102-1, it will be understood that the mobile device 110 may communicate with multiple condition monitoring devices. Moreover, while a single mobile device 110 is shown in the figure for ease of discussion, it will be understood that there may be a plurality of mobile devices present in the system 100.
  • a condition monitoring device 102, such as device 102-2, may determine that it is not paired with a portable device and may advertise its availability by transmitting advertising messages. For example, as shown in the figure, since the condition monitoring device 102-1 is already paired with the mobile device 110, it will not transmit an advertising message. However, the other condition monitoring devices 102-2 ... 102-n that are not paired with any other device will send out advertising messages.
  • the condition monitoring device 102 may transmit the advertising messages at a predetermined frequency with a predetermined time-out, the predetermined time-out being a predetermined time period between consecutive advertising messages sent by the condition monitoring device 102.
  • the condition monitoring device 102-2 may send an advertising message at a frequency of one message per 10 milliseconds and hence its predetermined time-out may be ten milliseconds.
  • the condition monitoring device 102-3 may send an advertising message at a frequency of one message per twenty milliseconds and hence its predetermined time-out may be twenty milliseconds.
  • the condition monitoring device 102 can utilize Bluetooth Low Energy (LE) protocol and act as a Bluetooth Peripheral/Slave or Generic Attribute (GATT) Server to advertise and let other devices in its vicinity know that it is active.
  • the condition monitoring device 102 can send advertising packets or messages with its Media Access Control (MAC) address and service information.
  • the advertising message can also include the predetermined time-out information.
  • the advertising messages can be received by other devices capable of communicating using the Bluetooth LE protocol in the system 100, such as the other condition monitoring devices 102-1, 102-3, ... 102-n, the gateway 106, and the mobile device 110.
  • the mobile device 110 or gateway 106 can act as Bluetooth Central/Master or GATT Client and can send a connection request to establish a connection in response to the advertising messages and can get paired with the condition monitoring device 102.
  • the gateway 106 may include a detection module (not shown in this figure).
  • the detection module can monitor the advertising messages to determine an observed time-out, the observed time-out being an observed time period between consecutive advertising messages received by the gateway 106 from the same condition monitoring device 102.
  • the detection module can further monitor collisions in the wireless sensor network to detect collision patterns and can detect the occurrence of a security event based on at least one of: a variation in the observed time-out, a difference between the observed time-out and the predetermined timeout, and a collision pattern. Further, based on detection of the security event, the detection module can generate an alarm.
  • FIG. 2 illustrates an example block diagram of a gateway 106 communicating with condition monitoring devices 102-1 ... 102-n and portable/mobile devices 110-1 ... 110-n over a wireless sensor network 200.
  • the wireless sensor network 200 is also referred to as network 200 hereinafter.
  • an example gateway 106 includes one or more processors 202, network interfaces 204, memory 206, detection module 208, and other modules and data 210.
  • the network interfaces 204 can include a low power wireless network interface, such as a Bluetooth LE network interface, for sending and receiving communications using low power wireless signals. Additionally, the network interfaces 204 can include other wired and/or wireless network interfaces.
  • the memory 206 can be of any type, such as RAM, ROM, EPROM, and the like.
  • the detection module 208 can be implemented in hardware, software, or combination of hardware and software. If implemented in software, the detection module 208 may include instructions executable by the one or more processors 202. Further, the other modules and data 210 can include various modules and data usable by the gateway 106 for its operations though not explicitly mentioned herein.
  • the detection module 208 may monitor all the packets/messages in the wireless sensor network 200 and, in particular, the messages received from the condition monitoring devices 102-1 ... 102-n.
  • the detection module 208 can check the packet characteristics, such as MAC address of the condition monitoring device 102 from which the packet is received, and packet contents, such as the type of sensor data provided, for each packet/message.
  • the MAC address of the condition monitoring device 102 is also referred to as the originating address.
  • the detection module 208 can maintain different profiles and sequences for each condition monitoring device 200 in the system 100.
  • the detection module 208 may store the profiles and the sequences in the memory 206.
  • a profile may be stored for each condition monitoring device 102 and can include the identification details, such as MAC address, of the condition monitoring device.
  • Each profile may be associated with a sequence of advertising messages received from the condition monitoring device 102 over a time interval of two or more packets.
  • the detection module 208 may analyze the sequences in each profile for detecting an anomaly in the advertising messages and their arrival rates. In other words, the detection module 208 can analyze the advertising messages received from the same originating address. In one example, the detection module 208 may analyze the sequence in a profile whenever a new advertising message is received in the sequence. In another example, the detection module 208 may analyze the sequence in a profile at predetermined time instances. Additionally, the detection module 208 may continuously analyze collisions in the network 200 to detect anomalies in the collision pattern. On analysis, if an anomaly is found in the advertising messages or their arrival rates or collision pattern, it is indicative of the occurrence of a security event. Thus, by detecting an anomaly, the detection module 208 can detect that a security event has occurred. Moreover, by analyzing the advertisement packets, the detection module 208 can identify the condition monitoring device associated with the anomaly based on the MAC address in the advertisement packets.
  • a security event or attack refers to an unauthorized device sending out the advertising messages using the same MAC address as an authorized device. Such a MAC address is then said to have been spoofed.
  • the advertising messages sent by an authorized device are referred to as true advertising messages and the advertising messages sent by an unauthorized device are referred to as false advertising messages.
  • the detection module 208 receives all advertising messages in the network 200, which includes both true and false advertising messages, and looks for presence of false advertising messages, which constitutes an anomaly.
  • the detection module 208 can detect the anomaly based on one or more prerequisites not being fulfilled.
  • the prerequisites may include, for example, the observed time-out between advertising messages for the condition monitoring device 102 does not vary, the observed time-out between advertising messages for the condition monitoring device 102 corresponds to the predetermined time-out, and no collisions are detected when advertising messages are expected.
  • each condition monitoring device 102 sends its advertising message at a constant predetermined frequency having a predetermined time-out.
  • the condition monitoring device 102-1 may send advertising messages at a frequency of one message per 25 milliseconds and thus has a predetermined time-out of 25 milliseconds.
  • the detection module 208 may analyze the sequence of advertising messages for the condition monitoring device 102-1 to determine an observed time-out and may determine that the advertising messages received over a predefined time interval, such as over the last 2 minutes, have a varying observed time-out. This would indicate that the sequence includes messages not sent by the condition monitoring device 102-2 and is thus indicative of an attack or security event.
  • the detection module 208 may analyze the sequence of advertising messages for the condition monitoring device 102-1 and may determine that the advertising messages received over the predefined time interval, such as over the last 2 minutes, have a constant observed time-out, but that constant observed time-out is different from the predetermined time-out as mentioned in the advertising messages. For example, if the predetermined time-out is 25 milliseconds, the sequence may include advertising messages having an observed time-out of 12.5 milliseconds as an attacker may be sending false advertising messages with the same predetermined time-out, but in the middle of the true advertising messages. Thus, a variation between the observed time-out and the predetermined time-out would also indicate that the sequence includes advertising messages not sent by the condition monitoring device 102-1 and is thus indicative of an attack or security event.
  • the detection module 208 may rely on the detection of collision patterns in the received messages.
  • the detection module 208 may determine collision patterns taking into account such random collisions to avoid false alarms. For example, the detection module 208 may determine that whenever a subset of all detected collisions in a certain time interval arrived at a constant rate, this subset is indicative of a security event.
  • the present subject matter provides for identification of security events in various scenarios when the true advertising messages are not jammed and when the true advertising messages are jammed. If the true advertising messages are not jammed, the detection module 208 will detect additional or conflicting advertising messages based on the observed and predetermined time-outs. If only some of the true advertising messages are jammed, the detection module 208 can still detect inconsistencies based on the observed and predetermined time-outs. If all true advertising messages are jammed, the detection module 208 can detect a systematic jamming based on collision patterns.
  • Upon detection of the security event, the detection module 208 can raise an alarm to inform the mobile devices 110-1 ... 110-n in the network 200 and the server 108 of a potential attack.
  • the alarm can be, for example, a warning message that a security event has been identified.
  • the detection module 208 can provide the MAC address of the condition monitoring device 102 that may have been spoofed so that an operator can check the condition monitoring device 102.
  • the server 108 and the mobile devices 110-1 ... 110-n can blacklist the MAC address and not have any communications with it until the issue is resolved. In case a mobile device is already connected, a message may be sent to the mobile device to disconnect from the spoofed device.
  • Figs. 3A-3H illustrate various example scenarios for detection of security events, in accordance with various example implementations of the present subject matter.
  • an example sequence of advertising messages and collisions analyzed by the detection module 208 are represented over a timeline t.
  • the points 1, 2, etc. are time instances t1, t2, etc. at which messages are received or a collision is detected.
  • the received messages may include true advertising messages, false advertising messages, and other messages.
  • When there is a collision no message is received at that time instance.
  • the time elapsed between two consecutive messages received is the observed time-out, while the time elapsed between two consecutive true advertising messages is the predetermined time-out.
  • sample points are shown in the figures for purposes of discussion and the number of sample points used by the detection module 208 for analysis can be significantly more. The number of sample points used for analysis can be varied based on the time interval over which the analysis is performed.
  • Figs. 3A-3D illustrate various scenarios where anomaly may be detected based on the observed time-out.
  • Fig. 3A illustrates a scenario where there is no attack or collision and the observed advertising messages include only the true advertising messages.
  • the advertising messages are received at regular time instances, i.e., the time between t1 and t2 is the same as that between t2 and t3 and so on.
  • the observed time-outs correspond to the predetermined time-out.
  • Fig. 3B illustrates a scenario where an attacker sends false advertising messages at a different frequency than the true advertising messages.
  • the received advertising messages have varying observed time-outs.
  • the time between t1 and t2 is different from that between t2 and t3.
  • there may be collisions between a true advertising message and a false advertising message but the collisions will occur randomly and not at specific time intervals.
  • an attack can be identified based on the variation in observed time-outs.
  • Fig. 3C illustrates a scenario where an attacker sends false advertising messages at the same frequency as the true advertising messages, but the false advertising message is not sent in the middle of the predetermined time-out.
  • the observed advertising messages have varying observed time-outs even in this case. For example, the time between t1 and t2 is different from that between t2 and t3, and an attack can be identified.
  • Fig. 3D illustrates a scenario where an attacker sends false advertising messages at the same frequency as the true advertising messages and the false advertising message is sent in the middle of the predetermined time-out.
  • the observed advertising messages have constant observed time-outs, but it is different from (half of) the predetermined time-out.
  • the time between t1 and t2 is the same as that between t2 and t3.
  • an attack can be identified.
  • Figs. 3E-3H illustrate various scenarios where anomalies may be detected based on the collision pattern.
  • Fig. 3E illustrates a scenario where there are a few random collisions that occur in the network 200.
  • the random collisions can occur due to various other messages in the network 200. However, it is not indicative of an attack as there is no subset of collisions that occur at a constant rate. Hence, no attack is detected in this case.
  • Fig. 3F illustrates a scenario where an attacker jams the true advertising messages without sending any false advertising message.
  • the attacker can send other messages at the same time instance as the true advertising messages and can cause collisions and jamming. Since the true advertising messages are sent at a constant predetermined rate, the collisions would also occur at the same constant rate.
  • the detection module 208 can detect that there are collisions occurring at a constant rate, and that though there are a number of collisions no advertising message is received. Hence, an attack can be identified.
  • Fig. 3G illustrates a scenario where an attacker jams the true advertising messages and sends false advertising messages at a constant time-out, which may or may not be equal to the predetermined time-out of the true advertising messages.
  • the detection module 208 can detect that there are collisions occurring at a constant rate and though there is no variation in observed time-outs, the collision pattern is indicative of an attack. Hence an attack can be identified.
  • Fig. 3H illustrates a scenario where an attacker jams the true advertising messages and additionally there are random collisions in the network and the attacker sends jamming signals randomly to mask the jamming of the true advertising messages.
  • the attacker also sends false advertising messages at a constant time-out.
  • observed time-outs correspond to the time-outs between the received messages at time instances 3-5-9-11-14, and are a constant.
  • the detection module 208 finds the longest sequence of times when jams/collisions were detected and the difference between consecutive times was constant. For example, the longest such sequence shown in the figure is 1-4-7-10-13-16. Since this is a long sequence in a short time window, it is unlikely that it is due to random noise and therefore can be classified as a targeted attack. Thus, though there is no variation in observed time-outs, the collision pattern is indicative of an attack. Hence an attack can be identified.
  • Fig. 4 illustrates an example method for detecting a security event in a wireless sensor network.
  • the method 400 may be implemented by processor(s) or computing device(s) through any suitable hardware, non-transitory machine-readable instructions, or a combination thereof. It may be understood that steps of the method 400 may be performed by programmed computing devices and may be executed based on instructions stored in a non-transitory computer readable medium. Although the method 400 may be implemented in a variety of systems, the method 400 is described in relation to the system 100, for ease of explanation.
  • advertising messages are monitored to determine an observed time-out between advertising messages sent by a condition monitoring device.
  • the advertising messages may be monitored at a gateway, such as gateway 106.
  • the observed time-out is an observed time period between consecutive advertising messages received by the gateway.
  • the collisions occurring in the wireless sensor network are monitored, for example, by the gateway.
  • the occurrence of a security event is detected based on at least one of: a variation in the observed time-out, a difference between the observed time-out and the predetermined time-out, and a collision pattern.
  • the advertising messages received over a predefined time interval, such as over the last 2 minutes, have a varying observed time-out, which is indicative of a security event.
  • the observed time-out, while constant over the predetermined time interval, is different from a predetermined time-out as advertised in at least some of the advertising messages.
  • the difference between the observed time-out and the predetermined time-out may be an indication of a security event.
  • an alarm is generated based on detection of the security event.
  • an alarm may be sent to a server and each mobile device in the wireless sensor network.
  • the alarm may include information of the condition monitoring device that has been spoofed so that it can be checked by an operator. Further, the condition monitoring device that has been spoofed may be blacklisted until it is cleared by the operator so that the attack does not propagate in the wireless sensor network.
  • the present subject matter provides robust and efficient systems and methods for detection of spoofing attacks in low power wireless sensor networks even when the sensor devices do not support initial key based authentication.
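
The three checks described above (a varying observed time-out, a constant observed time-out that differs from the predetermined one, and a constant-rate collision pattern) can be sketched as follows. This is an added example, not code from the patent or from the applicant: the tolerance, the minimum run length, the MAC address, all timestamps, and the rule that attributes a collision pattern to the device whose predetermined time-out equals the collision spacing are assumptions.

```python
from collections import defaultdict
from statistics import median

TOL_MS = 1.0   # assumed tolerance for receive-side timing jitter
MIN_RUN = 4    # assumed: this many evenly spaced collisions is not random noise

VARYING = "observed time-out varies"
MISMATCH = "observed time-out differs from predetermined time-out"
COLLISIONS = "collisions recur at a constant rate"


def timeout_findings(arrivals_ms, predetermined_ms, tol_ms=TOL_MS):
    """Check one originating address against the two time-out prerequisites."""
    ts = sorted(arrivals_ms)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return []                      # too few messages to judge
    if max(gaps) - min(gaps) > tol_ms:
        return [VARYING]               # Figs. 3B and 3C
    if abs(median(gaps) - predetermined_ms) > tol_ms:
        return [MISMATCH]              # Fig. 3D
    return []                          # Fig. 3A


def longest_constant_rate_run(collisions_ms, tol_ms=TOL_MS):
    """Longest subset of collision times whose consecutive spacing is constant."""
    ts = sorted(collisions_ms)
    best = ts[:1]
    for i in range(len(ts)):
        for j in range(i + 1, len(ts)):
            step = ts[j] - ts[i]
            if step <= tol_ms:
                continue               # spacing too small to be meaningful
            run = [ts[i], ts[j]]
            for t in ts[j + 1:]:
                expected = run[-1] + step
                if abs(t - expected) <= tol_ms:
                    run.append(t)
                elif t > expected + tol_ms:
                    break              # the next expected collision never came
            if len(run) > len(best):
                best = run
    return best


def detect(adverts, collisions_ms, predetermined_ms, min_run=MIN_RUN):
    """adverts: (time_ms, mac) pairs; predetermined_ms: {mac: time-out in ms}.
    Returns {mac: [findings]} for every address that should raise an alarm."""
    by_mac = defaultdict(list)
    for t, mac in adverts:
        by_mac[mac].append(t)
    alarms = defaultdict(list)
    for mac, arrivals in by_mac.items():
        if mac in predetermined_ms:
            alarms[mac] += timeout_findings(arrivals, predetermined_ms[mac])
    run = longest_constant_rate_run(collisions_ms)
    if len(run) >= min_run:
        step = (run[-1] - run[0]) / (len(run) - 1)
        # Assumption of this example: a collision pattern is attributed to the
        # device(s) whose predetermined time-out equals the collision spacing.
        hit = [m for m, p in predetermined_ms.items() if abs(p - step) <= TOL_MS]
        for mac in hit or ["unattributed"]:
            alarms[mac].append(COLLISIONS)
    return {m: f for m, f in alarms.items() if f}


# Constructed sample data: one device with a 25 ms predetermined time-out.
MAC = "AA:BB:CC:00:00:01"
PROFILE = {MAC: 25}
TRUE = [(t, MAC) for t in range(0, 150, 25)]          # true adverts at 0..125 ms

SCENARIOS = {
    # true adverts only, plus a few random collisions (Figs. 3A and 3E)
    "3A clean": (TRUE, [7, 19, 64, 71, 140]),
    # false adverts at the same rate, 5 ms after each true one (Fig. 3C)
    "3C offset": (TRUE + [(t + 5, MAC) for t, _ in TRUE], []),
    # false adverts exactly midway between true ones (Fig. 3D)
    "3D midpoint": (TRUE + [(t + 12.5, MAC) for t, _ in TRUE], []),
    # true adverts jammed, false adverts at 25 ms, random collisions mixed in (Fig. 3H)
    "3H jam+spoof": ([(t + 10, MAC) for t, _ in TRUE],
                     [0, 9, 25, 50, 61, 75, 90, 100, 125]),
}


def run_scenarios():
    return {name: detect(a, c, PROFILE) for name, (a, c) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, alarms in run_scenarios().items():
        print(name, "->", alarms or "no alarm")
```

In the last scenario the observed time-out is constant and equal to the predetermined one, so only the collision check raises the alarm.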

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a system for detecting a security event relating to a condition monitoring device. The condition monitoring device transmits advertising messages when it determines that it is not paired with a portable device. The advertising messages are transmitted with a predetermined time-out. The system comprises a gateway including a detection module for monitoring received messages and collisions in the network. The detection module detects the occurrence of a security event based on at least one of: a variation in the observed time-out, a difference between the observed time-out and the predetermined time-out, and a collision pattern; and generates an alarm based on the detection of the security event.
PCT/IB2018/057138 2017-11-01 2018-09-18 Detecting security events in wireless sensor networks WO2019086970A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN201741038819 2017-11-01
IN201741038819 2017-11-01

Publications (1)

Publication Number Publication Date
WO2019086970A1 (fr) 2019-05-09

Family

ID=63720742

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2018/057138 WO2019086970A1 (fr) 2017-11-01 2018-09-18 Detecting security events in wireless sensor networks

Country Status (1)

Country Link
WO (1) WO2019086970A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11736838B2 (en) 2020-08-07 2023-08-22 Analog Devices, Inc. Secure passive wireless sensor and related methods

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050128989A1 (en) * 2003-12-08 2005-06-16 Airtight Networks, Inc Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices
US20070171885A1 (en) * 2004-02-11 2007-07-26 AirTight Networks, Inc.(F/K/A Wibhu Technologies, Inc.) Automated sniffer apparatus and method for wireless local area network security
US20170013005A1 (en) * 2015-06-29 2017-01-12 Argus Cyber Security Ltd. System and method for consistency based anomaly detection in an in-vehicle communication network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
FRONTLINE TEST EQUIPMENT: "FRONTLINETESTSYSTEM(TM) FTS4BT(TM) USERMANUAL", 31 December 2010 (2010-12-31), XP055528787, Retrieved from the Internet <URL:http://fte.com/docs/FTS4BT%20User%20Guide.pdf> [retrieved on 20181130] *

Similar Documents

Publication Publication Date Title
US10581913B2 (en) Spoofing detection
US11250687B2 (en) Network jamming detection and remediation
US9092969B2 (en) Method and system for invoking a security function of a device based on proximity to another device
US8122506B2 (en) Method and system for detecting characteristics of a wireless network
US9736174B2 (en) Method and apparatus for machine to machine network security monitoring in a communications network
EP2930703A1 (fr) System and method for identifying alarm system problems
US20030188190A1 (en) System and method of intrusion detection employing broad-scope monitoring
US20130305369A1 (en) Detection of threats to networks, based on geographic location
US20140283062A1 (en) Apparatus, system and method for suppressing erroneous reporting of attacks on a wireless network
CN101621428B (zh) Botnet detection method and system, and related devices
Sriram et al. Detecting and eliminating Rogue Access Points in IEEE-802.11 WLAN-a multi-agent sourcing Methodology
Milliken et al. Impact of metric selection on wireless deauthentication DoS attack performance
US20090088132A1 (en) Detecting unauthorized wireless access points
EP1542406A2 (fr) Mechanism for detecting attacks based on impersonation in a wireless network
Kaur Mac layer management frame denial of service attacks
Banerjee et al. A review on different Intrusion Detection Systems for MANET and its vulnerabilities
US20210329454A1 (en) Detecting Unauthorized Access to a Wireless Network
WO2019086970A1 (fr) Detection of security events in wireless sensor networks
Letsoalo et al. Survey of Media Access Control address spoofing attacks detection and prevention techniques in wireless networks
Timofte Wireless intrusion prevention systems
KR101448091B1 (ko) Wireless sensor network security method and system based on security attack detection
Vaidya et al. A review paper on spoofing detection methods in wireless LAN
Sieka Using radio device fingerprinting for the detection of impersonation and sybil attacks in wireless networks
KR101591801B1 (ko) Security performance measuring apparatus
US7765594B1 (en) Dynamic security deputization

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18780247

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18780247

Country of ref document: EP

Kind code of ref document: A1