WO2022061586A1 - Using ap information for determining network operations - Google Patents


Publication number
WO2022061586A1
Authority
WO
WIPO (PCT)
Prior art keywords
list
network device
bssid
ssid
network
Prior art date
Application number
PCT/CN2020/117152
Other languages
French (fr)
Inventor
Zoe LIAO
Original Assignee
Arris Enterprises Llc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Arris Enterprises Llc filed Critical Arris Enterprises Llc
Priority to PCT/CN2020/117152 priority Critical patent/WO2022061586A1/en
Publication of WO2022061586A1 publication Critical patent/WO2022061586A1/en


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/73 Access point logical identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices

Definitions

  • the subject matter of the present disclosure relates to a network device, such as an access point (AP) or a client device, performing an operation based on AP information of another AP meeting predetermined criteria.
  • a network device such as an access point (AP) or a client device, performing an operation based on AP information of another AP meeting predetermined criteria.
  • AP access point
  • client device performing an operation based on AP information of another AP meeting predetermined criteria.
  • the network device may be an AP or a client device.
  • a blocked AP list and an allowed AP list are presented to a client device.
  • the AP obtains AP information. For example, the AP scans for surrounding APs and obtains the Service Set Identifier (SSID) and security mode of other APs. Next, the AP determines that the first AP information meets predetermined criteria by determining whether a scanned AP has the same SSID and security mode as the scanning AP. The AP then performs an operation based on the AP information of the scanned AP meeting the predetermined criteria. For example, the scanning AP warns the user to change the Wi-Fi configuration of the scanning AP, i.e., use a different SSID, a different security mode, and a different password.
  • SSID Service Set Identifier
  • the user deletes the Wi-Fi connection configuration of the former SSID saved on the client devices, and uses the new configuration to connect to the AP. If an extender is connected to the AP, the BSSIDs of the extender are ignored and removed from the list of scanned APs. Thus, the BSSIDs of the extender do not trigger the warning.
  • the client device analyzes a network to obtain first AP information by obtaining a Basic Service Set Identifier (BSSID) of an AP that it may have previously connected with.
  • BSSID Basic Service Set Identifier
  • the client device determines the first AP information meets predetermined criteria by determining whether the AP is in the blocked AP list or in an allowed AP list.
  • the client device scans for other APs.
  • the client device continues with consideration of the AP.
  • Wi-Fi authentication is completed, and before obtaining the IP address
  • the client device continues to analyze APs that are not in the blocked AP list.
  • the client device connects with the AP.
  • a warning is displayed to the client device to warn the user of the potential danger, and lets the user determine whether to continue. This process is not used with commonly used hotspots.
  • Options may be provided for controlling connection with the AP.
  • a “Sure” option may be selected to continue with a previous connection procedure, and to add the BSSID of the AP to the allowed AP list.
  • a “Never” option may be selected to add the BSSID of the first AP to the blocked AP list, and to continue to scan for a third AP.
  • a “Yes for now” option may be selected to continue with the previous connection procedure.
  • a “No for now” option may be selected to ignore the AP for a predetermined time period, and to continue to scan for the other APs.
  • Fig. 1 is a schematic diagram of a system.
  • Fig. 2 illustrates broadcasting of SSIDs by APs.
  • Fig. 3 is a block diagram of a client device.
  • Fig. 4 illustrates a block diagram of a network device.
  • Fig. 5 is a flow chart of a method for determining network operations based on access point (AP) information.
  • Fig. 6 is a flow chart of a method for determining network operations based on access point (AP) information.
  • unauthorized (“rogue”) wireless access points (APs) may be implemented in a network.
  • An unauthorized AP may be used to deny access of a client device to the network, or to attract traffic and obtain sensitive information from users.
  • An unauthorized AP may spoof the SSID, security mode, and password of a legitimate AP.
  • An unauthorized AP may further set parameters such as the power and channel again to spoof those of a legitimate AP in order to minimize the likelihood of being detected.
  • the subject matter of the present disclosure determines network operations based on access point (AP) information.
  • the network device may be an AP or a client device. A blocked AP list and an allowed AP list are presented to a client device.
  • the AP obtains AP information. For example, the AP scans for surrounding APs and obtains the Service Set Identifier (SSID) and security mode of other APs. Next, the AP determines that the first AP information meets predetermined criteria by determining whether a scanned AP has the same SSID and security mode as the scanning AP. The AP then performs an operation based on the AP information of the scanned AP meeting the predetermined criteria. For example, the scanning AP generates a message that is sent to the client device to warn the user to use a different SSID, a different security mode, and a different password.
  • SSID Service Set Identifier
  • the client device analyzes a network to obtain first AP information by obtaining a Basic Service Set Identifier (BSSID) of an AP that it may have previously connected with.
  • BSSID Basic Service Set Identifier
  • the client device determines the first AP information meets predetermined criteria by determining whether the AP is in the blocked AP list or in an allowed AP list.
  • the client device scans for other APs.
  • the client device continues with consideration of the AP. After Wi-Fi authentication is completed, and before obtaining the IP address, the client device continues to analyze APs that are not in the blocked AP list.
  • When the AP is in the allowed list, the client device connects with the AP. When the AP is not in the allowed list, a warning is displayed to the client device suggesting that the client device scan for other APs to connect with. When the AP is not in the allowed list, a warning is displayed to the client device to warn the user of the potential danger, and lets the user determine whether to continue. This process is not used with commonly used hotspots.
  • Fig. 1 is a schematic diagram of a system 100.
  • the system includes a network device 102 connected to the Internet 106 via an Internet Service Provider (ISP) 101.
  • the network device 102 is also connected to different wireless devices such as wireless extenders 103 and client devices 104 and network device 105.
  • Network device 105 may be a client device.
  • network device 105 will be referred to as client device 105.
  • the system shown in Fig. 1 includes wireless devices (e.g., wireless extenders 103 and client devices 104, 105) that may communicate with network device 102 directly or indirectly via one or more wireless networks 120 (e.g., private, guest, iControl, backhaul network, or Internet of things (IoT) network).
  • wireless networks 120 e.g., private, guest, iControl, backhaul network, or Internet of things (IoT) network
  • Network devices 104, 105 may obtain AP information via beacons or probe responses without being connected to the wireless network 120. Additionally, there could be some overlap between wireless devices (e.g., wireless extenders 103 and client devices 104, 105) in the different networks. That is, one or more network devices could be located in more than one network. For example, the wireless extenders 103 could be located both in a private network for providing content and information to a client device 104, 105 and also included in a backhaul network or an iControl network.
  • wireless extenders 103 could be located both in a private network for providing content and information to a client device 104, 105 and also included in a backhaul network or an iControl network.
  • the ISP 101 can be, for example, a streaming video provider or any computer for connecting the network device 102 to the Internet 106.
  • the connection 114 between the Internet 106 and the ISP 101 and the connection 113 between the ISP 101 and the network device 102 can be implemented using a wide area network (WAN), a virtual private network (VPN), metropolitan area networks (MANs), system area networks (SANs), a DOCSIS network, a fiber optics network (e.g., FTTH (fiber to the home) or FTTX (fiber to the x), or hybrid fiber-coaxial (HFC)), a digital subscriber line (DSL), a public switched data network (PSDN), a global Telex network, or a 2G, 3G, 4G or 5G network, for example.
  • WAN wide area network
  • VPN virtual private network
  • MANs metropolitan area networks
  • SANs system area networks
  • DOCSIS network e.g., FT
  • connection 113 can further include as some portion thereof a broadband mobile phone network connection, an optical network connection, or other similar connections.
  • the connection 113 can also be implemented using a fixed wireless connection that operates in accordance with, but is not limited to, 3rd Generation Partnership Project (3GPP) Long Term Evolution (LTE) or 5G protocols.
  • 3GPP 3rd Generation Partnership Project
  • LTE Long Term Evolution
  • connection 113 is capable of providing connections between the network device 102 and a WAN, a LAN, a VPN, MANs, PANs, WLANs, SANs, a DOCSIS network, a fiber optics network (e.g., FTTH, FTTX, or HFC), a PSDN, a global Telex network, or a 2G, 3G, 4G or 5G network, for example.
  • the network device 102 can be, for example, a hardware electronic device that may be a combination modem and gateway device that combines the functions of a modem, an access point, and/or a router for providing content received from the content provider (e.g., ISP 101) to network devices (e.g., wireless extenders 103 and client devices 104, 105) in the system. It is also contemplated by the present disclosure that the network device 102 can include the function of, but is not limited to, an Internet Protocol/Quadrature Amplitude Modulator (IP/QAM) set-top box (STB) or smart media device (SMD) that is capable of decoding audio/video content, and playing over-the-top (OTT) or multiple system operator (MSO) provided content.
  • IP/QAM Internet Protocol/Quadrature Amplitude Modulator
  • STB set-top box
  • SMD smart media device
  • OTT over-the-top
  • MSO multiple system operator
  • the connections 109 between the network device 102, the wireless extenders 103, and client devices 104, 105 can be implemented using a wireless connection in accordance with any IEEE 802.11 Wi-Fi protocols, Bluetooth protocols, Bluetooth Low Energy (BLE), or other short range protocols that operate in accordance with a wireless technology standard for exchanging data over short distances using any licensed or unlicensed band such as the citizens broadband radio service (CBRS) band, 2.4 GHz bands, 5 GHz bands, 6 GHz bands, 60 GHz bands, etc.
  • the connections 109 can be implemented using a wireless connection that operates in accordance with, but is not limited to, RF4CE protocol, ZigBee protocol, Z-Wave protocol, or IEEE 802.15.4 protocol. It is also contemplated by the present disclosure that the connections 109 can include connections to a media over coax (MoCA) network.
  • MoCA media over coax
  • One or more of the connections 109 can also be a wired Ethernet connection.
  • the wireless extenders 103 can be, for example, hardware electronic devices such as access points used to extend the wireless network by receiving the signals transmitted by the network device 102 and rebroadcasting the signals to, for example, client devices 104, 105, which may be out of range of the network device 102.
  • the wireless extenders 103 can also receive signals from client devices 104, 105 and rebroadcast the signals to the network device 102, or other client devices 104, 105.
  • the connections 111 between the wireless extenders 103 and client devices 104, 105 are implemented through a wireless connection that operates in accordance with any IEEE 802.11 Wi-Fi protocols, Bluetooth protocols, Bluetooth Low Energy (BLE), or other short range protocols that operate in accordance with a wireless technology standard for exchanging data over short distances using any licensed or unlicensed band such as the CBRS band, 2.4 GHz bands, 5 GHz bands, 6 GHz bands, 60 GHz bands, etc.
  • the connection 111 can be implemented using a wireless connection that operates in accordance with, but is not limited to, RF4CE protocol, ZigBee protocol, Z-Wave protocol, or IEEE 802.15.4 protocol.
  • one or more of the connections 111 can be a wired Ethernet connection.
  • Client devices 104, 105 can be, for example, hand-held computing devices, personal computers, electronic tablets, smart phones, smart speakers, IoT devices, iControl devices, portable music players with smart capabilities capable of connecting to the Internet, cellular networks, and interconnecting with other devices via Wi-Fi and Bluetooth, or other wireless hand-held consumer electronic devices capable of executing and displaying content received through the network device 102. Additionally, client devices 104, 105 can be a TV, an IP/QAM STB or an SMD that is capable of decoding audio/video content and playing over OTT or MSO provided content received through the network device 102.
  • connection 109 between the network device 102 and the client device 104, 105 is implemented through a wireless connection that operates in accordance with, but is not limited to, any IEEE 802.11 protocols. Additionally, the connection 109 between the network device 102 and the client device 104, 105 can also be implemented wirelessly through a VPN, WPANs, WLANs, or a 2G, 3G, 4G or 5G network, for example.
  • connection 109 can also be implemented using a wireless connection in accordance with Bluetooth protocols, Bluetooth Low Energy (BLE), or other short range protocols that operate in accordance with a wireless technology standard for exchanging data over short distances using any licensed or unlicensed band such as the CBRS band, 2.4 GHz bands, 5 GHz bands, 6 GHz bands, 60 GHz bands, etc.
  • BLE Bluetooth Low Energy
  • One or more of the connections 10 can also be a wired Ethernet connection.
  • the network device 102, the wireless extenders 103, and client devices 104, 105 shown in Fig. 1 will be provided in the discussion of Fig 2.
  • the network device 102, the wireless extenders 103, and client devices 104, 105 include electronic components or electronic computing devices operable to receive, transmit, process, store, and/or manage data and information associated with the system, which encompasses any suitable processing device adapted to perform computing tasks consistent with the execution of computer-readable instructions stored in a memory or a computer-readable recording medium.
  • any, all, or some of the computing components in the network device 102, the wireless extenders 103, and client devices 104, 105 may be adapted to execute any operating system, including Linux, UNIX, Windows, MacOS, DOS, and Chrome OS, as well as virtual machines adapted to virtualize execution of a particular operating system, including customized and proprietary operating systems.
  • the network device 102, the wireless extenders 103, and client devices 104, 105 are further equipped with components to facilitate communication with other computing devices over the one or more network connections to local and wide area networks, wireless and wired networks, public and private networks, and any other communication network enabling communication in the system.
  • connections 109, 111, 113 may provide beacon and probe responses that may be used to provide network information, such as SSID, supported rates, security rates and modes, etc.
  • a spoofing or rogue AP 115 is shown connected to network device 105.
  • the rogue AP 115 may have spoofed the SSID and other information from an AP, such as network device 102 or wireless extenders 103, which allows the client devices 104, 105 to connect to the AP 115 automatically.
  • the subject matter of this disclosure may be implemented by a network device, which may be a network device 102 (e.g., includes an AP, a gateway, a router, a modem, etc.
  • When such network device 102 is an AP, network device 102 performs a scan for surrounding APs based on, for example, the mechanisms of a Dynamic Channel Selection feature. Thus, network device 102 may scan all radio channels and find other APs within range, such as AP 115. From the scan, the network device 102 obtains AP information of AP 115, such as the Service Set Identifier (SSID) and security mode of AP 115. Next, the network device 102 determines that the AP information of AP 115 meets predetermined criteria by determining whether AP 115 has the same SSID and security mode as network device 102.
  • SSID Service Set Identifier
  • the network device 102 then performs an operation based on the AP information of the scanned AP meeting the predetermined criteria. For example, the scanning AP generates a message that is sent to the client device 104, 105 to warn the user to change the Wi-Fi configurations, e.g., SSID, security mode and password, of the scanning AP 102, and the user would delete the Wi-Fi connection configuration of the old SSID of AP 103 that is saved on client devices 104, 105. The user would then configure the client devices 104, 105 with the new Wi-Fi configurations to connect to AP 102.
  • the Wi-Fi configurations e.g., SSID, security mode and password
  • When such network device is a client device, such as client device 105, client device 105 analyzes the network 120 to obtain AP information by obtaining a Basic Service Set Identifier (BSSID) of APs that it may have previously connected with, such as AP 102. Next, the client device 105 determines the AP information of AP 115 meets predetermined criteria by determining whether AP 115 is in a blocked AP list or in an allowed AP list. When AP 115 is in the blocked AP list, the client device 105 scans for other APs in network 120.
  • BSSID Basic Service Set Identifier
  • When AP 115 is not in the blocked AP list, client device 105 continues with consideration of AP 115. After Wi-Fi authentication is completed, and before obtaining the IP address, the client device 105 continues to analyze APs that are not in the blocked AP list. When AP 115 is in the allowed list, client device 105 connects with AP 115. When AP 115 is not in the allowed list, a warning is displayed to client device 105 to warn the user of the potential danger, and let the user determine the options to use. This process is not used with commonly used hotspots.
  • Fig. 2 illustrates broadcasting of SSIDs by APs 200.
  • authentic network device (AP) 210, client device 240, and spoofing network device (AP) 270 are shown.
  • An AP such as AP 210 forms a wireless network, and all nodes or client devices, such as client device 240, connect to AP 210.
  • APs, such as APs 210, 270, are identified by an SSID, or service set identifier.
  • the SSID also identifies the name of the network, i.e., Alpha 212, 272.
  • SSIDs are assigned by a network administrator, such as a home user for AP 210 and an unauthorized user for AP 270, and are usually given easy-to-remember and descriptive names, i.e., den, living room, John’s game room, etc.
  • AP 210 has SSID Alpha 212.
  • AP 270 also has SSID Alpha 272 because AP 270 is a spoofing or unauthorized AP that may be trying to obtain private information from client device 240 by convincing client device 240 that AP 270 is authentic AP 240.
  • APs 240, 270 also have a basic service set ID (BSSID) 214, 274, respectively, which are used to identify the particular AP and its clients on a network.
  • the BSSID is usually the MAC address of the AP.
  • the BSSID 214 of AP 210 is 06:23:6c:42:a1:ef.
  • the BSSID 274 of AP 270 is 02:17:6a:81:2f:d0.
  • AP 210 is shown using Wired Equivalent Privacy (WEP) 216.
  • AP 210 is shown using Wired Equivalent Privacy (WEP) 276.
  • AP 210 sends broadcast message 220 with SSID 212 that is received by client device 240 and broadcast message 222 with SSID 212 that is received by AP 270.
  • AP 270 sends broadcast message 280 with SSID 272 that is received by client device 240 and broadcast message 282 with SSID 272 that is received by AP 210.
  • AP 210 can recognize that its SSID Alpha 212 is the same as the SSID Alpha 274 of AP 270.
  • AP 210 then generates a message that is sent to the client device 240 to warn the user to change the Wi-Fi configurations, e.g., SSID, security mode and password, of the scanning AP 210; and the user would delete the Wi-Fi connection configuration of the old SSID of AP 210 that is saved on client device 240. The user would then configure the client devices 240 with the new Wi-Fi configurations to connect to AP 210.
  • the user of client device 240 can change the SSID 212, e.g., to Animal, and change the security mode 216 to the more secure Wi-Fi Protected Access (WPA) or WPA2.
  • WPA Wi-Fi Protected Access
  • Client device 240, when connecting to the network, may obtain the BSSID 214 of AP 210 and BSSID 274 of AP 270.
  • the BSSIDs 214, 274 may be obtained from the beacon packet or probe response from which the client device 240 received the SSIDs 212, 272.
  • Client device 240 examines a blocked AP list 250.
  • BSSID 274 of AP 270 is in the blocked AP list 250, so the client device 240 scans for other APs.
  • BSSID 214 of AP 210 is not in the blocked AP list, so client device 240 continues with consideration of AP 210.
  • Client device 105 analyzes the allowed AP list 252. The client determines that BSSID 214 of AP 210 is in the allowed list. Thus, client device 210 connects with AP 210. If BSSID 214 of AP 210 was not in the allowed list, a warning is displayed to client device 240 to warn the user of the potential danger, and let the user determine what
  • Fig. 3 is a block diagram of a client device 300.
  • client device 300 includes a processor 310, a communication interface 314, memory 320, a display 330, LEDs 350, speaker 354, and microphone 358.
  • Memory 320 may include an operating system 324 and a rogue AP detection application 326.
  • Display 330 may include a system user interface (UI) 334 that the user may use to setup network access for the client device 300.
  • the display 330 may also display an email component 338, a mobile component 342, and a text messaging component 346.
  • Display 330 may also present other applications and user interfaces.
  • the display 330 may present a connection warning 370. Three options for connection warnings 370 are shown in Fig. 3, but those skilled in the art will recognize that fewer or more options may be implemented.
  • the connection warning may include an indication 372 that the connection with the current AP is different than APs previously connected to by the client device 300.
  • the connection warning 370 may also display a confirmation UI 374 for the user to confirm whether the client device still wants to connect with the current AP with a yes option 376 and a no option 378.
  • a configuration option menu 380 may be displayed to allow the client device to disable the options with a “Yes” option 382 and a “No” option 384. Other choices may also be provided, such as “Yes for Now” and “No for Now.” LEDs 350 and speaker 354 may be used to communicate warnings.
  • Microphone 358 allows audio input to the client device 300.
  • Fig. 4 illustrates a block diagram of a network device 400.
  • Network device 400 may be an AP.
  • network device 400 includes a processor 410, a communication interface 414, memory 420, a display 430, a network interface controller 450, LEDs 460 and speaker 462 for providing warnings for a client device not to connect to an AP.
  • Display 430 may present a system UI 434, an email component 438, a mobile component 442, and a text messaging component 446.
  • Memory includes operating system 422, a database of network information 424, and a rogue AP detection application 426.
  • Network interface controller 450 includes the SSID 452 and password 454.
  • Fig. 5 is a flow chart of a method 500 for determining network operations based on access point (AP) information.
  • method 500 starts (S502), and the network device analyzes a network to obtain access point (AP) information of a first AP (S510).
  • the network device determines that the obtained AP information meets predetermined criteria (S514).
  • the network device performs an operation based on the AP information meeting the predetermined criteria (S518).
  • the method 500 then ends (650).
  • Fig. 6 is a flow chart of a method 600 for determining network operations based on access point (AP) information.
  • method 600 starts (S602), and a determination is made whether the network device is an AP or a client device (S622).
  • the network device is an AP (S626)
  • the AP scans for surrounding APs and obtains SSID and security mode of a scanned AP (S630).
  • the AP determines the SSID of scanned AP is the same as the SSID of the scanning AP and security mode of scanned AP is the same as security mode of scanning AP (S634).
  • the method then ends (S690).
  • When the network device is a client device (640), the client is about to connect to a saved SSID (which may be spoofed by the rogue AP) (S642). The client device thus determines whether the BSSID of the AP is in the blocked AP list (S644). When the BSSID of the AP is in the blocked AP list (S648), the client device scans for a different AP (S652). When the BSSID of the AP is not in the blocked AP list (S656), the client device continues with the connection procedure with the AP (S660). The client device then determines whether the BSSID of the AP is in the allowed AP list (S664).
  • When the BSSID of the AP is in the allowed AP list (S668), the client device continues with connecting to the AP (S672). When the BSSID of the AP is not in the allowed AP list (S676), the client device generates a warning indicating the client device has never connected to the AP and provides options for controlling connection with the AP (S680). The method then ends (S690).
  • Embodiments may be provided as a computer program product including one or more non-transitory computer-readable storage media having stored thereon instructions (in compressed or uncompressed form) that may be used to program a computer (or other electronic device) to perform processes or methods described herein.
  • the computer-readable storage media may include one or more of an electronic storage medium, a magnetic storage medium, an optical storage medium, a quantum storage medium, or the like.
  • the computer-readable storage media may include, but are not limited to, hard drives, floppy diskettes, optical disks, read-only memories (ROMs), random access memories (RAMs), erasable programmable ROMs (EPROMs), electrically erasable programmable ROMs (EEPROMs), flash memory, magnetic or optical cards, solid-state memory devices, or other types of physical media suitable for storing electronic instructions.
  • ROMs read-only memories
  • RAMs random access memories
  • EPROMs erasable programmable ROMs
  • EEPROMs electrically erasable programmable ROMs
  • machine-readable signals whether modulated using a carrier or unmodulated, include, but are not limited to, signals that a computer system or machine hosting or running a computer program may be configured to access, including signals transferred by one or more networks.
  • a transitory machine-readable signal may comprise transmission of software by the Internet.

Abstract

A network device for managing a network. The network device analyzes a network to obtain access point (AP) information, determines the AP information meets predetermined criteria, and performs an operation based on the AP information meeting the predetermined criteria. The network device may be an AP having the same SSID and security mode as the scanned AP. The AP generates a message that is sent to the client device to warn the user to change Wi-Fi configurations, such as using a different SSID, security mode, and password. When the network device is a client device, the client device determines whether a BSSID of an AP is in a blocked AP list or an allowed AP list. The client device may connect with the AP when the BSSID of the AP is in the allowed AP list. The client device may look for another AP when the BSSID is in the blocked list.

Description

USING AP INFORMATION FOR DETERMINING NETWORK OPERATIONS
BACKGROUND
The subject matter of the present disclosure relates to a network device, such as an access point (AP) or a client device, performing an operation based on AP information of another AP meeting predetermined criteria.
SUMMARY
Aspects of the present disclosure are drawn to a network device that determines network operations based on access point (AP) information. The network device may be an AP or a client device. A blocked AP list and an allowed AP list are presented to a client device.
When the network device is an AP, the AP obtains AP information. For example, the AP scans for surrounding APs and obtains the Service Set Identifier (SSID) and security mode of other APs. Next, the AP determines that the first AP information meets predetermined criteria by determining whether a scanned AP has the same SSID and security mode as the scanning AP. The AP then performs an operation based on the AP information of the scanned AP meeting the predetermined criteria. For example, the scanning AP warns the user to change the Wi-Fi configuration of the scanning AP, i.e., use a different SSID, a different security mode, and a different password. The user deletes the Wi-Fi connection configuration of the former SSID saved on the client devices, and uses the new configuration to connect to the AP. If an extender is connected to the AP, the BSSIDs of the extender are ignored and removed from the list of scanned APs. Thus, the BSSIDs of the extender do not trigger the warning.
When the network device is a client device, the client device analyzes a network to obtain first AP information by obtaining a Basic Service Set Identifier (BSSID) of an AP that it may have previously connected with. Next, the client device determines the first AP information meets predetermined criteria by determining whether the AP is in the blocked AP list or in an allowed AP list. When the AP is in the blocked AP list, the client device scans for other APs. When the AP is not in the blocked AP list, the client device continues with consideration of the AP. After Wi-Fi authentication is completed, and before obtaining the IP address, the client device continues to analyze APs that are not in the blocked AP list. When the AP is in the allowed list, the client device connects with the AP. When the AP is not in the allowed list, a warning is displayed to the client device to warn the user of the potential danger, and lets the user determine whether to continue. This process is not used with commonly used hotspots.
Options may be provided for controlling connection with the AP. A “Sure” option may be selected to continue with a previous connection procedure, and to add the BSSID of the AP to the allowed AP list. A “Never” option may be selected to add the BSSID of the first AP to the blocked AP list, and to continue to scan for a third AP. A “Yes for now” option may be selected to continue with the previous connection procedure. A “No for now” option may be selected to ignore the AP for a predetermined time period, and to continue to scan for the other APs.
BRIEF SUMMARY OF THE DRAWINGS
The accompanying drawings, which are incorporated in and form a part of the specification, illustrate example embodiments and, together with the description, serve to explain the principles of the present disclosure.
Fig. 1 is a schematic diagram of a system.
Fig. 2 illustrates broadcasting of SSIDs by APs.
Fig. 3 is a block diagram of a client device.
Fig. 4 illustrates a block diagram of a network device.
Fig. 5 is a flow chart of a method for determining network operations based on access point (AP) information.
Fig. 6 is a flow chart of a method for determining network operations based on access point (AP) information.
DETAILED DESCRIPTION
While implementations are described herein by way of example, those skilled in the art will recognize that the implementations are not limited to the examples or figures described. It is understood that the figures and detailed description thereto are not intended to limit implementations to the particular form disclosed but, on the contrary, the intention is to cover modifications, equivalents, and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean “including, but not limited to.”
Wireless networks pose security risks not generally encountered in wired computer networks. For example, unauthorized (“rogue”) wireless access points (APs) may be implemented in a network. An unauthorized AP may be used to deny access of a client device to the network, or to attract traffic and obtain sensitive information from users. An unauthorized AP may spoof the SSID, security mode, and password of a legitimate AP. An unauthorized AP may further set parameters such as the power and channel again to spoof those of a legitimate AP in order to minimize the likelihood of being detected.
The subject matter of the present disclosure determines network operations based on access point (AP) information. The network device may be an AP or a client device. A blocked AP list and an allowed AP list are presented to a client device.
When the network device is an AP, the AP obtains AP information. For example, the AP scans for surrounding APs and obtains the Service Set Identifier (SSID) and security mode of other APs. Next, the AP determines that the first AP information meets predetermined criteria by determining whether a scanned AP has a same SSID and security mode as the scanning AP. The AP then performs an operation based on the AP information of the scanned AP meeting the predetermined criteria. For example, the scanning AP generates a message that is sent to the client device to warn the user to use a different SSID, a different security mode, and a different password.
When the network device is a client device, the client device analyzes a network to obtain first AP information by obtaining a Basic Service Set Identifier (BSSID) of an AP that it may have previously connected with. Next, the client device determines the first AP information meets predetermined criteria by determining whether the AP is in the blocked AP list or in an allowed AP list. When the AP is in the blocked AP list, the client device scans for other APs. When the AP is not in the blocked AP list, the client device continues with consideration of the AP. After Wi-Fi authentication is completed, and before obtaining the IP address, the client device continues to analyze APs that are not in the blocked AP list. When the AP is in the allowed list, the client device connects with the AP. When the AP is not in the allowed list, a warning is displayed to the client device suggesting that the client device scan for other APs to connect with. When the AP is not in the allowed list, a warning is displayed to the client device to warn the user of the potential danger, and lets the user determine whether to continue. This process is not used with commonly used hotspots.
Fig. 1 is a schematic diagram of a system 100.
As shown in Fig. 1, the system includes a network device 102 connected to the Internet 106 via an Internet Service Provider (ISP) 101. The network device 102 is also connected to different wireless devices such as wireless extenders 103 and client devices 104 and network device 105. Network device 105 may be a client device. Herein, network device 105 will be referred to as client device 105. The system shown in Fig. 1 includes wireless devices (e.g., wireless extenders 103 and client devices 104, 105) that may communicate with network device 102 directly or indirectly via one or more wireless networks 120 (e.g., private, guest, iControl, backhaul network, or Internet of things (IoT) network). Network devices 104, 105 may obtain AP information via beacons or probe responses without being connected to the wireless network 120. Additionally, there could be some overlap between wireless devices (e.g., wireless extenders 103 and client devices 104, 105) in the different networks. That is, one or more network devices could be located in more than one network. For example, the wireless extenders 103 could be located both in a private network for providing content and information to a client device 104, 105 and also included in a backhaul network or an iControl network.
Starting from the top of Fig. 1, the ISP 101 can be, for example, a streaming video provider or any computer for connecting the network device 102 to the Internet 106. The connection 114 between the Internet 106 and the ISP 101 and the connection 113 between the ISP 101 and the network device 102 can be implemented using a wide area network (WAN), a virtual private network (VPN), metropolitan area networks (MANs), system area networks (SANs), a DOCSIS network, a fiber optics network (e.g., FTTH (fiber to the home) or FTTX (fiber to the x), or hybrid fiber-coaxial (HFC)), a digital subscriber line (DSL), a public switched data network (PSDN), a global Telex network, or a 2G, 3G, 4G or 5G network, for example.
The connection 113 can further include as some portion thereof a broadband mobile phone network connection, an optical network connection, or other similar connections. For example, the connection 113 can also be implemented using a fixed wireless connection that operates in accordance with, but is not limited to, 3rd Generation Partnership Project (3GPP) Long Term Evolution (LTE) or 5G protocols. It is also contemplated by the present disclosure that connection 113 is capable of providing connections between the network device 102 and a WAN, a LAN, a VPN, MANs, PANs, WLANs, SANs, a DOCSIS network, a fiber optics network (e.g., FTTH, FTTX, or HFC), a PSDN, a global Telex network, or a 2G, 3G, 4G or 5G network, for example.
The network device 102 can be, for example, a hardware electronic device that may be a combination modem and gateway device that combines the functions of a modem, an access point, and/or a router for providing content received from the content provider (e.g., ISP 101) to network devices (e.g., wireless extenders 103 and client devices 104, 105) in the system. It is also contemplated by the present disclosure that the network device 102 can include the function of, but is not limited to, an Internet Protocol/Quadrature Amplitude Modulator (IP/QAM) set-top box (STB) or smart media device (SMD) that is capable of decoding audio/video content, and playing over-the-top (OTT) or multiple system operator (MSO) provided content.
The connections 109 between the network device 102, the wireless extenders 103, and client devices 104, 105 can be implemented using a wireless connection in accordance with any IEEE 802.11 Wi-Fi protocols, Bluetooth protocols, Bluetooth Low Energy (BLE), or other short range protocols that operate in accordance with a wireless technology standard for exchanging data over short distances using any licensed or unlicensed band such as the citizens broadband radio service (CBRS) band, 2.4 GHz bands, 5 GHz bands, 6 GHz bands, 60 GHz bands, etc. Additionally, the connections 109 can be implemented using a wireless connection that operates in accordance with, but is not limited to, RF4CE protocol, ZigBee protocol, Z-Wave protocol, or IEEE 802.15.4 protocol. It is also contemplated by the present disclosure that the connections 109 can include connections to a media over coax (MoCA) network. One or more of the connections 109 can also be a wired Ethernet connection.
The wireless extenders 103 can be, for example, hardware electronic devices such as access points used to extend the wireless network by receiving the signals transmitted by the network device 102 and rebroadcasting the signals to, for example, client devices 104, 105, which may be out of range of the network device 102. The wireless extenders 103 can also receive signals from client devices 104, 105 and rebroadcast the signals to the network device 102, or other client devices 104, 105.
The connections 111 between the wireless extenders 103 and client devices 104, 105 are implemented through a wireless connection that operates in accordance with any IEEE 802.11 Wi-Fi protocols, Bluetooth protocols, Bluetooth Low Energy (BLE), or other short range protocols that operate in accordance with a wireless technology standard for exchanging data over short distances using any licensed or unlicensed band such as the CBRS band, 2.4 GHz bands, 5 GHz bands, 6 GHz bands, 60 GHz bands, etc. Additionally, the connection 111 can be implemented using a wireless connection that operates in accordance with, but is not limited to, RF4CE protocol, ZigBee protocol, Z-Wave protocol, or IEEE 802.15.4 protocol. Also, one or more of the connections 111 can be a wired Ethernet connection.
Client devices 104, 105 can be, for example, hand-held computing devices, personal computers, electronic tablets, smart phones, smart speakers, IoT devices, iControl devices, portable music players with smart capabilities capable of connecting to the Internet, cellular networks, and interconnecting with other devices via Wi-Fi and Bluetooth, or other wireless hand-held consumer electronic devices capable of executing and displaying content received through the network device 102. Additionally, client devices 104, 105 can be a TV, an IP/QAM STB or an SMD that is capable of decoding audio/video content and playing over OTT or MSO provided content received through the network device 102.
The connection 109 between the network device 102 and the client device 104, 105 is implemented through a wireless connection that operates in accordance with, but is not limited to, any IEEE 802.11 protocols. Additionally, the connection 109 between the network device 102 and the client device 104, 105 can also be implemented wirelessly through a VPN, WPANs, WLANs, or a 2G, 3G, 4G or 5G network, for example.
The connection 109 can also be implemented using a wireless connection in accordance with Bluetooth protocols, Bluetooth Low Energy (BLE), or other short range protocols that operate in accordance with a wireless technology standard for exchanging data over short distances using any licensed or unlicensed band such as the CBRS band, 2.4 GHz bands, 5 GHz bands, 6 GHz bands, 60 GHz bands, etc. One or more of the connections 10 can also be a wired Ethernet connection.
A detailed description of the exemplary internal components of the network device 102, the wireless extenders 103, and client devices 104, 105 shown in Fig. 1 will be provided in the discussion of Fig. 2. However, in general, it is contemplated by the present disclosure that the network device 102, the wireless extenders 103, and client devices 104, 105 include electronic components or electronic computing devices operable to receive, transmit, process, store, and/or manage data and information associated with the system, which encompasses any suitable processing device adapted to perform computing tasks consistent with the execution of computer-readable instructions stored in a memory or a computer-readable recording medium.
Further, any, all, or some of the computing components in the network device 102, the wireless extenders 103, and client devices 104, 105 may be adapted to execute any operating system, including Linux, UNIX, Windows, MacOS, DOS, and ChromeOS as well as virtual machines adapted to virtualize execution of a particular operating system, including customized and proprietary operating systems. The network device 102, the wireless extenders 103, and client devices 104, 105 are further equipped with components to facilitate communication with other computing devices over the one or more network connections to local and wide area networks, wireless and wired networks, public and private networks, and any other communication network enabling communication in the system.
In Fig. 1, connections 109, 111, 113 may provide beacon and probe responses that may be used to provide network information, such as SSID, supported rates, security rates and modes, etc. A spoofing or rogue AP 115 is shown connected to network device 105. The rogue AP 115 may have spoofed the SSID and other information from an AP, such as network device 102 or wireless extenders 103, which allows the client devices 104, 105 to connect to the AP 115 automatically. The subject matter of this disclosure may be implemented by a network device, which may be a network device 102 (e.g., includes an AP, a gateway, a router, a modem, etc.), or a client device, such as client device 105. When such network device 102 is an AP, network device 102 performs a scan for surrounding APs based on, for example, the mechanisms of a Dynamic Channel Selection feature. Thus, network device 102 may scan all radio channels and find other APs within range, such as AP 115. From the scan, the network device 102 obtains AP information of AP 115, such as the Service Set Identifier (SSID) and security mode of AP 115. Next, the network device 102 determines that the AP information of AP 115 meets predetermined criteria by determining whether AP 115 has the same SSID and security mode as network device 102. The network device 102 then performs an operation based on the AP information of the scanned AP meeting the predetermined criteria. For example, the scanning AP generates a message that is sent to the client device 104, 105 to warn the user to change the Wi-Fi configurations, e.g., SSID, security mode and password, of the scanning AP 102, and the user would delete the Wi-Fi connection configuration of the old SSID of AP 103 that is saved on client devices 104, 105. The user would then configure the client devices 104, 105 with the new Wi-Fi configurations to connect to AP 102.
When such network device is a client device, such as client device 105, client device 105 analyzes the network 120 to obtain AP information by obtaining a Basic Service Set Identifier (BSSID) of APs that it may have previously connected with, such as AP 102. Next, the client device 105 determines the AP information of AP 115 meets predetermined criteria by determining whether AP 115 is in a blocked AP list or in an allowed AP list. When AP 115 is in the blocked AP list, the client device 105 scans for other APs in network 120.
When AP 115 is not in the blocked AP list, client device 105 continues with consideration of AP 115. After Wi-Fi authentication is completed, and before obtaining the IP address, the client device 105 continues to analyze APs that are not in the blocked AP list. When AP 115 is in the allowed list, client device 105 connects with AP 115. When AP 115 is not in the allowed list, a warning is displayed to client device 105 to warn the user of the potential danger, and let the user determine the options to use. This process is not used with commonly used hotspots.
Fig. 2 illustrates broadcasting of SSIDs by APs 200.
In Fig. 2, authentic network device (AP) 210, client device 240, and spoofing network device (AP) 270 are shown. An AP, such as AP 210 forms a wireless network, and all nodes or client devices, such as client device 240, connect to AP 210.
APs, such as APs 210, 270, are identified by an SSID or service set identifier. The SSID also identifies the name of the network, i.e., Alpha 212, 272. SSIDs are assigned by a network administrator, such as a home user for AP 210 and unauthorized user for AP 270, and are usually given easy to remember and descriptive names, i.e., den, living room, John’s game room, etc. AP 210 has SSID Alpha 212. AP 270 also has SSID Alpha 272 because AP 270 is a spoofing or unauthorized AP that may be trying to obtain private information from client device 240 by convincing client device 240 that AP 270 is authentic AP 210. APs 210, 270 also have a basic service set ID (BSSID) 214, 274, respectively, which are used to identify the particular AP and its clients on a network. The BSSID is usually the MAC address of the AP. The BSSID 214 of AP 210 is 06:23:6c:42:a1:ef. The BSSID 274 of AP 270 is 02:17:6a:81:2f:d0. AP 210 is shown using Wired Equivalent Privacy (WEP) 216. AP 270 is shown using Wired Equivalent Privacy (WEP) 276.
As shown in Fig. 2, AP 210 sends broadcast message 220 with SSID 212 that is received by client device 240 and broadcast message 222 with SSID 212 that is received by AP 270. AP 270 sends broadcast message 280 with SSID 272 that is received by client device 240 and broadcast message 282 with SSID 272 that is received by AP 210. AP 210 can recognize that its SSID Alpha 212 is the same as the SSID Alpha 272 of AP 270. AP 210 then generates a message that is sent to the client device 240 to warn the user to change the Wi-Fi configurations, e.g., SSID, security mode and password, of the scanning AP 210; and the user would delete the Wi-Fi connection configuration of the old SSID of AP 210 that is saved on client device 240. The user would then configure the client device 240 with the new Wi-Fi configurations to connect to AP 210. The user of client device 240 can change the SSID 212, e.g., to Animal, and change the security mode 216 to the more secure Wi-Fi Protected Access (WPA) or WPA2.
Client device 240, when connecting to the network, may obtain the BSSID 214 of AP 210 and BSSID 274 of AP 270. The BSSIDs 214, 274 may be obtained from the beacon packet or probe response from which the client device 240 received the SSIDs 212, 272. Client device 240 examines a blocked AP list 250. BSSID 274 of AP 270 is in the blocked AP list 250, so the client device 240 scans for other APs. BSSID 214 of AP 210 is not in the blocked AP list, so client device 240 continues with consideration of AP 210. Client device 240 analyzes the allowed AP list 252. The client determines that BSSID 214 of AP 210 is in the allowed list. Thus, client device 240 connects with AP 210. If BSSID 214 of AP 210 was not in the allowed list, a warning is displayed to client device 240 to warn the user of the potential danger, and let the user determine what options to execute.
Fig. 3 is a block diagram of a client device 300.
In Fig. 3, client device 300 includes a processor 310, a communication interface 314, memory 320, a display 330, LEDs 350, speaker 354, and microphone 358. Memory 320 may include an operating system 324 and a rogue AP detection application 326. Display 330 may include a system user interface (UI) 334 that the user may use to set up network access for the client device 300. The display 330 may also display an email component 338, a mobile component 342, and a text messaging component 346. Display 330 may also present other applications and user interfaces. The display 330 may present a connection warning 370. Three options for connection warnings 370 are shown in Fig. 3, but those skilled in the art will recognize that fewer or more options may be implemented. The connection warning may include an indication 372 that the connection with the current AP is different than APs previously connected to by the client device 300. The connection warning 370 may also display a confirmation UI 374 for the user to confirm whether the client device still wants to connect with the current AP with a yes option 376 and a no option 378. A configuration option menu 380 may be displayed to allow the client device to disable the options with a “Yes” option 382 and a “No” option 384. Other choices may also be provided, such as “Yes for Now” and “No for Now.” LEDs 350 and speaker 354 may be used to communicate warnings. Microphone 358 allows audio input to the client device 300.
Fig. 4 illustrates a block diagram of a network device 400.
Network device 400 may be an AP. In Fig. 4, network device 400 includes a processor 410, a communication interface 414, memory 420, a display 430, a network interface controller 450, LEDs 460 and speaker 462 for providing warnings for a client device not to connect to an AP. Display 430 may present a system UI 434, an email component 438, a mobile component 442, and a text messaging component 446. Memory includes operating system 422, a database of network information 424, and a rogue AP detection application 426. Network interface controller 450 includes the SSID 452 and password 454.
Fig. 5 is a flow chart of a method 500 for determining network operations based on access point (AP) information.
In Fig. 5, method 500 starts (S502), and the network device analyzes a network to obtain access point (AP) information of a first AP (S510). The network device determines that the obtained AP information meets predetermined criteria (S514). The network device performs an operation based on the AP information meeting the predetermined criteria (S518). The method 500 then ends (650).
Fig. 6 is a flow chart of a method 600 for determining network operations based on access point (AP) information.
In Fig. 6, method 600 starts (S602), and a determination is made whether the network device is an AP or a client device (S622). When the network device is an AP (S626), the AP scans for surrounding APs and obtains SSID and security mode of a scanned AP (S630). The AP determines the SSID of scanned AP is the same as the SSID of the scanning AP and security mode of scanned AP is the same as security mode of scanning AP (S634). The operation is performed by generating a message that is sent to the client device to warn the user to change the Wi-Fi configurations (e.g., SSID, security mode and password) of the scanning AP, delete the Wi-Fi connection configuration of the old SSID of the AP saved on the client device, and then use the new configurations to connect to the AP (S636). The method then ends (S690).
When the network device is a client device (640), the client is about to connect to a saved SSID (which may be spoofed by the rogue AP) (S642). The client device thus determines whether the BSSID of the AP is in the blocked AP list (S644). When the BSSID of the AP is in the blocked AP list (S648), the client device scans for a different AP (S652). When the BSSID of the AP is not in the blocked AP list (S656), the client device continues with the connection procedure with the AP (S660). The client device then determines whether the BSSID of the AP is in the allowed AP list (S664).
When the BSSID of the AP is in the allowed AP list (S668), the client device continues with connecting to the AP (S672). When the BSSID of the AP is not in the allowed AP list (S676), the client device generates a warning indicating the client device has never connected to the AP and provides options for controlling connection with the AP (S680). The method then ends (S690).
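The Fig. 6 flow, combined with the extender exclusion and the four warning options from the Summary, is shown here as an added Python example; it is not part of the patent text. The class and function names, the 300-second ignore period, and the extender, neighbour and unknown-AP entries are assumptions, while the two "Alpha" BSSIDs are the Fig. 2 values.

```python
from dataclasses import dataclass, field
from enum import Enum


@dataclass(frozen=True)
class AP:
    ssid: str
    bssid: str
    security_mode: str


class Choice(Enum):
    """The four options offered with the client-side warning."""
    SURE = "Sure"
    NEVER = "Never"
    YES_FOR_NOW = "Yes for now"
    NO_FOR_NOW = "No for now"


def norm(bssid):
    """Normalise a BSSID so list lookups ignore case and stray spaces."""
    return bssid.replace(" ", "").lower()


def same_ssid_and_mode(own, scan, extender_bssids=()):
    """AP side (S630-S634): scanned APs sharing our SSID and security mode.

    Our own BSSID and the BSSIDs of connected extenders are dropped first,
    so they do not trigger the warning.
    """
    ignored = {norm(own.bssid)} | {norm(b) for b in extender_bssids}
    return [ap for ap in scan
            if norm(ap.bssid) not in ignored
            and ap.ssid == own.ssid
            and ap.security_mode == own.security_mode]


@dataclass
class ClientPolicy:
    """Client side (S644-S680): blocked list first, then allowed list."""
    allowed: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    ignored_until: dict = field(default_factory=dict)  # BSSID -> expiry time
    ignore_seconds: float = 300.0  # assumed "predetermined time period"

    def __post_init__(self):
        self.allowed = {norm(b) for b in self.allowed}
        self.blocked = {norm(b) for b in self.blocked}

    def evaluate(self, ap, now):
        """Return 'scan', 'connect' or 'warn' for a candidate AP."""
        b = norm(ap.bssid)
        if b in self.blocked or self.ignored_until.get(b, 0.0) > now:
            return "scan"      # look for a different AP
        if b in self.allowed:
            return "connect"   # previously approved BSSID
        return "warn"          # never connected: ask the user

    def apply_choice(self, ap, choice, now):
        """Apply the user's answer to a warning; return the next action."""
        b = norm(ap.bssid)
        if choice is Choice.SURE:
            self.allowed.add(b)
            self.ignored_until.pop(b, None)
            return "connect"
        if choice is Choice.NEVER:
            self.blocked.add(b)
            return "scan"
        if choice is Choice.YES_FOR_NOW:
            return "connect"   # one-off: neither list changes
        self.ignored_until[b] = now + self.ignore_seconds
        return "scan"


# Fig. 2 values: both APs advertise SSID "Alpha" with WEP.
AP_210 = AP("Alpha", "06:23:6c:42:a1:ef", "WEP")
AP_270 = AP("Alpha", "02:17:6a:81:2f:d0", "WEP")
# Constructed sample entries (not from the page).
EXTENDER = AP("Alpha", "06:23:6C:42:A1:F0", "WEP")
NEIGHBOUR = AP("Beta", "0a:00:00:00:00:02", "WPA2")
UNKNOWN = AP("Alpha", "0a:00:00:00:00:01", "WEP")


def demo():
    """Run both halves of the flow on the sample data above."""
    flagged = same_ssid_and_mode(
        AP_210, [AP_270, EXTENDER, NEIGHBOUR, AP_210],
        extender_bssids=[EXTENDER.bssid])
    policy = ClientPolicy(allowed={AP_210.bssid}, blocked={AP_270.bssid})
    return {
        "ap_side_flagged": [ap.bssid for ap in flagged],
        "client_ap_210": policy.evaluate(AP_210, now=0.0),
        "client_ap_270": policy.evaluate(AP_270, now=0.0),
        "client_unknown": policy.evaluate(UNKNOWN, now=0.0),
    }


if __name__ == "__main__":
    print(demo())
```
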
The processes discussed in this disclosure may be implemented in hardware, software, or a combination thereof. In the context of software, the described operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more hardware processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types. Those having ordinary skill in the art will readily recognize that certain steps or operations illustrated in the figures above may be eliminated, combined, or performed in an alternate order. Any steps or operations may be performed serially or in parallel. Furthermore, the order in which the operations are described is not intended to be construed as a limitation.
Embodiments may be provided as a computer program product including one or more non-transitory computer-readable storage media having stored thereon instructions (in compressed or uncompressed form) that may be used to program a computer (or other electronic device) to perform processes or methods described herein. The computer-readable storage media may include one or more of an electronic storage medium, a magnetic storage medium, an optical storage medium, a quantum storage medium, or the like. For example, the computer-readable storage media may include, but are not limited to, hard drives, floppy diskettes, optical disks, read-only memories (ROMs), random access memories (RAMs), erasable programmable ROMs (EPROMs), electrically erasable programmable ROMs (EEPROMs), flash memory, magnetic or optical cards, solid-state memory devices, or other types of physical media suitable for storing electronic instructions. Further, embodiments may also be provided as a computer program product including a transitory machine-readable signal (in compressed or uncompressed form). Examples of machine-readable signals, whether modulated using a carrier or unmodulated, include, but are not limited to, signals that a computer system or machine hosting or running a computer program may be configured to access, including signals transferred by one or more networks. For example, a transitory machine-readable signal may comprise transmission of software by the Internet.
Separate instances of these programs can be executed on or distributed across any number of separate computer systems. Thus, although certain steps have been described as being performed by certain devices, software programs, processes, or entities, this need not be the case. A variety of alternative implementations will be understood by those having ordinary skill in the art.
Additionally, those having ordinary skill in the art readily recognize that the techniques described above can be utilized in a variety of devices, environments, and situations. Although the subject matter has been described in language specific to structural features or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claims.

Claims (20)

  1. A network device, comprising:
    memory; and
    a processor configured to execute instructions stored on said memory to cause the network device to:
    analyze a network to obtain first access point (AP) information of a first AP;
    determine the first AP information meets predetermined criteria; and
    perform an operation based on the first AP information meeting the predetermined criteria.
  2. The network device of claim 1, wherein the first AP information comprises a first SSID and a first security mode, and the network device is a second AP having second AP information comprising a second SSID and a second security mode, and wherein the processor is further configured to determine the first AP information meets the predetermined criteria by determining that the first SSID is same as the second SSID, and that the first security mode is same as the second security mode.
  3. The network device of claim 2, wherein the processor is further configured to perform the operation by generating a warning to inform a client device to use a third SSID, to use a third security mode, and to change a password to establish a connection with the second AP, wherein the generating the warning further comprises at least one of turning LEDs on and off, generating a tone using a speaker, issuing a warning on a system user interface presented on the network device, sending a warning to a mobile component presenting a user interface on the network device, transmitting a call message to a phone, sending a text message, and transmitting an e-mail.
  4. The network device of claim 1, wherein the network device comprises a client device and the memory includes a blocked AP list, wherein the processor is further configured to:
    before connecting to a saved SSID automatically, determine the BSSID of the first AP is in the blocked AP list and perform the operation by scanning for a third AP.
  5. The network device of claim 1, wherein the network device comprises a client device and the memory includes a blocked AP list and an allowed AP list, wherein the processor is further configured to:
    determine the BSSID of the first AP is not in the blocked AP list;
    perform the operation by continuing with the connection procedure;
    determine the BSSID of the first AP is in the allowed list and continue with connecting to the first AP; and
    determine the BSSID of the first AP is not in the allowed list and generate a warning when the BSSID of the first AP is not in the allowed list.
  6. The network device of claim 5, wherein the processor presents options for warnings when about to connect with the first AP.
  7. The network device of claim 6, wherein the processor is further configured to provide options for controlling connection with the first AP by providing:
    a “Sure” option to cause the processor to continue with a previous connection procedure, and to add the BSSID of the first AP to the allowed AP list;
    a “Never” option to add the BSSID of the first AP to the blocked AP list, and to continue to scan for a third AP;
    a “Yes for now” option to continue with the previous connection procedure; and
    a “No for now” option to ignore the first AP for a predetermined time period, and to continue to scan for the third AP.
  8. A method for managing a network, comprising:
    analyzing, by a network device, a network to obtain first access point (AP) information of a first AP;
    determining, by the network device, the first AP information meets predetermined criteria; and
    performing, by the network device, an operation based on the first AP information meeting the predetermined criteria.
  9. The method of claim 8, wherein the first AP information comprises a first SSID and a first security mode, and the network device is a second AP having second AP information comprising a second SSID and a second security mode, and wherein the determining the first AP information meets the predetermined criteria further comprises determining that the first SSID is same as the second SSID, and that the first security mode is same as the second security mode.
  10. The method of claim 9, wherein the performing the operation further comprises generating a warning to inform a client device to use a third SSID, to use a third security mode, and to change a password to establish a connection with the second AP, wherein the generating the warning further comprises at least one of turning LEDs on and off, generating a tone using a speaker, issuing a warning on a system user interface in a browser presented on the network device, sending a warning to a mobile component presenting a user interface on the network device, transmitting a call message to a phone, sending a text message, and transmitting an e-mail.
  11. The method of claim 8 further comprising providing a blocked AP list, wherein the analyzing the network to obtain the first AP information further comprises before connecting to a saved SSID automatically, determining a BSSID of the first AP is in the blocked AP list, and performing the operation by scanning for a third AP.
  12. The method of claim 8 further comprising providing a blocked AP list and an allowed AP list, determining the BSSID of the first AP is not in a blocked AP list, determining the BSSID of the first AP is in the allowed AP list and continuing with connecting to the first AP, determining the BSSID of the first AP is not in the allowed list and generating a warning when the BSSID of the first AP is not in the allowed list.
  13. The method of claim 12, further comprising presenting options for a warning when about to connect with the first AP.
  14. The method of claim 13, wherein the presenting options further comprises providing:
    a “Sure” option to cause the network device to continue with a previous connection procedure, and to add the BSSID of the first AP to the allowed AP list;
    a “Never” option to add the BSSID of the first AP to a blocked AP list, and to continue to scan for a third AP;
    a “Yes for now” option to continue with the previous connection procedure; and
    a “No for now” option to ignore the first AP for a predetermined time period, and to continue to scan for the third AP.
  15. A non-transitory, computer-readable media having computer-readable instructions stored thereon, the computer-readable instructions being capable of being read by a network device, wherein the computer-readable instructions are capable of instructing the network device to perform a method to manage a network, the method comprising:
    analyzing, by the network device, a network to obtain first access point (AP) information of a first AP;
    determining, by the network device, the first AP information meets predetermined criteria; and
    performing, by the network device, an operation based on the first AP information meeting the predetermined criteria.
  16. The non-transitory, computer-readable media of claim 15, wherein the network device is a second AP and the first AP information comprises a first SSID and a first security mode of the second AP, wherein the analyzing the network to obtain the first AP information of a first AP further comprises obtaining a second SSID and a second security mode of the first AP, and wherein the determining the first AP information meets the predetermined criteria comprises determining that the first SSID is same as the second SSID, and determining that the first security mode is same as the second security mode.
  17. The non-transitory, computer-readable media of claim 16, wherein the performing the operation further comprises generating a warning to inform a client device to use a third SSID, to use a third security mode, and to change a password to establish a connection with the second AP, wherein the generating the warning further comprises at least one of turning LEDs on and off, generating a tone using a speaker, issuing a warning on a system user interface presented on the network device, sending a warning to a mobile component presenting a user interface on the network device, transmitting a call message to a phone, sending a text message, and transmitting an e-mail.
  18. The non-transitory, computer-readable media of claim 15 further comprising providing a blocked AP list, before connecting to a saved SSID automatically, determining the BSSID of the first AP is in the blocked AP list and performing the operation by scanning for a third AP.
  19. The non-transitory, computer-readable media of claim 15, wherein the network device is a client device, the method further comprising storing a blocked AP list and an allowed AP list, determining the BSSID of the first AP is in the allowed AP list and continuing with connecting to the first AP, and determining the BSSID of the first AP is not in the allowed AP list and generating a warning.
  20. The non-transitory, computer-readable media of claim 19 further comprising presenting options for generating the warning on the client device for the user to use to determine whether to connect to an AP, wherein the presenting options further comprises providing a “Sure” option to cause the network device to continue with a previous connection procedure and to add the BSSID of the first AP to the allowed AP list, a “Never” option to add the BSSID of the first AP to a blocked AP list and to continue to scan for a third AP, a “Yes for now” option to continue with the previous connection procedure, and a “No for now” option to ignore the first AP for a predetermined time period and to continue to scan for the third AP.
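
The client-side decision flow of claims 4 to 7 (mirrored in claims 11 to 14 and 18 to 20), as an added Python example that is not part of the patent text. The names `ApPolicy`, `evaluate` and `apply_choice`, the action strings, the 300-second ignore period and the sample BSSIDs are assumptions made for illustration.

```python
import time

SNOOZE_SECONDS = 300  # assumed; the claims only say "a predetermined time period"

def norm(bssid):
    """BSSIDs are MAC addresses: compare lowercase, with '-' treated as ':'."""
    return bssid.lower().replace("-", ":")

class ApPolicy:
    """Client-side state: allowed list, blocked list, temporary ignores."""
    def __init__(self, allowed=(), blocked=()):
        self.allowed = {norm(b) for b in allowed}
        self.blocked = {norm(b) for b in blocked}
        self.ignored_until = {}  # BSSID -> time the "No for now" ignore ends

    def evaluate(self, bssid, now=None):
        """Return 'scan', 'connect' or 'warn' before auto-joining a saved SSID."""
        now = time.time() if now is None else now
        b = norm(bssid)
        if b in self.blocked or self.ignored_until.get(b, 0) > now:
            return "scan"      # skip this AP and look for another one
        if b in self.allowed:
            return "connect"
        return "warn"          # unlisted BSSID: ask the user

    def apply_choice(self, bssid, choice, now=None):
        """Apply the user's answer to the warning and return the next action."""
        b = norm(bssid)
        if choice == "Sure":
            self.allowed.add(b)
            return "connect"
        if choice == "Never":
            self.blocked.add(b)
            return "scan"
        if choice == "Yes for now":
            return "connect"   # one-off: neither list changes
        if choice == "No for now":
            self.ignored_until[b] = (time.time() if now is None else now) + SNOOZE_SECONDS
            return "scan"
        raise ValueError(f"unknown option: {choice!r}")

def demo():
    """Constructed BSSIDs: one on the allowed list, one never seen before."""
    policy = ApPolicy(allowed=["AA:BB:CC:00:00:01"])
    unknown = "02:00:00:00:00:99"
    out = [policy.evaluate("aa:bb:cc:00:00:01", now=0), policy.evaluate(unknown, now=0)]
    policy.apply_choice(unknown, "No for now", now=0)
    out += [policy.evaluate(unknown, now=10), policy.evaluate(unknown, now=SNOOZE_SECONDS + 1)]
    return out
```

The blocked list is checked before the allowed list, matching the order in claim 5, so a BSSID that ends up on both lists is never joined automatically.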
PCT/CN2020/117152 2020-09-23 2020-09-23 Using ap information for determining network operations WO2022061586A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/117152 WO2022061586A1 (en) 2020-09-23 2020-09-23 Using ap information for determining network operations

Publications (1)

Publication Number Publication Date
WO2022061586A1 true WO2022061586A1 (en) 2022-03-31

Family

ID=80844558

Country Status (1)

Country Link
WO (1) WO2022061586A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120304297A1 (en) * 2011-05-20 2012-11-29 Chung Jaeho Detecting malicious device
EP2600648A1 (en) * 2011-11-30 2013-06-05 British Telecommunications public limited company Rogue access point detection
CN103327484A (en) * 2013-06-27 2013-09-25 深圳市共进电子股份有限公司 Method for clearing illegal AP in wireless local area network
CN106792707A (en) * 2016-12-13 2017-05-31 迈普通信技术股份有限公司 The detection method and device of counterfeit WAP
CN106851646A (en) * 2016-12-31 2017-06-13 北京红山瑞达科技有限公司 A kind of wifi accesses safety detection method and device, wifi access systems
US20190036951A1 (en) * 2017-07-28 2019-01-31 Seedgen Co., Ltd. System and method for detecting rogue access point and user device and computer program for the same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20954440

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20954440

Country of ref document: EP

Kind code of ref document: A1