Method and system for wireless attack detection and mitigation

US 10,075,850 B2
Filed: 12/15/2015
Issued: 09/11/2018
Est. Priority Date: 12/15/2015
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating an unwanted transmission to a wireless network, the wireless network including an antenna array with a plurality of antennas associated with different directions, the antenna array configured to send and receive signals from external devices using established protocols, and a processing device coupled to the antenna array for monitoring and analyzing incoming signals, the method comprising:

(a) receiving at least one incoming signal at the antenna array from the external devices;

(b) monitoring and analyzing the at least one incoming signal by monitoring radio frequency (RF) frames for cell entry connection requests or changes;

(c) determining whether the at least one incoming signal is an anomaly that violates the established protocols;

if the anomaly is detected, then(d) reporting the detected anomaly;

(e) determining which antenna in the antenna array is receiving the detected anomaly; and

(f) if an external device, of the external devices sending the detected anomaly, can be identified and blocked, then(1) blocking the identified external device, otherwise(2) disabling at least one antenna in the antenna array that is receiving the detected anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detection and mitigation of attacks on a wireless network. The wireless network includes a plurality of antennas that are associated with different directions of coverage. The antennas can include an antenna array or an antenna having beamforming capabilities. An intrusion prevention processor or device analyzes incoming signals and determines individual device or aggregate device behavior patterns. The behavior patterns are compared with known attack patterns or triggers to determine if an anomaly has occurred. Attacking signals are blocked, or antennas in the direction of the anomaly are disabled while the system stabilizes. If the system stabilizes and the anomaly clears, the antennas are enabled and monitoring continues.

Citations

18 Claims

1. A method for mitigating an unwanted transmission to a wireless network, the wireless network including an antenna array with a plurality of antennas associated with different directions, the antenna array configured to send and receive signals from external devices using established protocols, and a processing device coupled to the antenna array for monitoring and analyzing incoming signals, the method comprising:
- (a) receiving at least one incoming signal at the antenna array from the external devices;
  
  (b) monitoring and analyzing the at least one incoming signal by monitoring radio frequency (RF) frames for cell entry connection requests or changes;
  
  (c) determining whether the at least one incoming signal is an anomaly that violates the established protocols;
  
  if the anomaly is detected, then(d) reporting the detected anomaly;
  
  (e) determining which antenna in the antenna array is receiving the detected anomaly; and
  
  (f) if an external device, of the external devices sending the detected anomaly, can be identified and blocked, then(1) blocking the identified external device, otherwise(2) disabling at least one antenna in the antenna array that is receiving the detected anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein step (b) includes determining the Internet Protocol (IP) addresses of the external devices.
  - 3. The method according to claim 1, wherein step (c) further comprises:
    - comparing the behavior pattern models of individual external devices to unwanted behavior models to determine if an anomaly has occurred.
  - 4. The method according to claim 3, wherein the unwanted behavior models include attack signatures.
  - 5. The method according to claim 1, wherein step (c) further comprises:
    - comparing aggregate external device behavior patterns to unwanted behavior models to determine if an anomaly has occurred.
  - 6. The method according to claim 5, wherein the unwanted behavior models include trigger sequences.
  - 7. The method according to claim 1, step (f) further comprising:
    - (3) waiting an amount of time after disabling the antenna in step (2);
      
      (4) determining if the wireless network has stabilized;
      
      (5) if the wireless network has not stabilized, then continuing to disable the antenna in accordance with step (2).
  - 8. The method according to claim 7, step (f) further comprising:
    - (6) if the wireless network has stabilized, then determining a direction of the external device that is sending the detected anomaly as derived from a direction of the detected antenna receiving the anomaly;
      
      (7) sending the direction of the sending external device to a wireless network administrator.
  - 9. The method according to claim 8, step (f) further comprising:
    - (8) waiting for the wireless network administrator to reset anomaly conditions;
      
      (9) enabling the previously disabled at least one antenna in the antenna array;
      
      (10) resume monitoring in step (b).

10. A method for minimizing an unwanted transmission to a wireless network, the wireless network including at least one antenna having beamforming capabilities, the at least one antenna configured to send and receive signals from external devices using established protocols, and a processing device coupled to the antenna for monitoring and analyzing incoming signals, the method comprising:
- (a) receiving at least one incoming signal at the least one antenna from the external devices;
  
  (b) monitoring and analyzing the at least one incoming signal;
  
  (c) determining whether the at least one incoming signal is an anomaly that violates the established protocols;
  
  if the anomaly is detected, then,(d) logging the detected anomaly and reporting the detected anomaly;
  
  (e) using the beamforming capabilities of the antenna to determine a direction of the external device that is sending the anomaly; and
  
  (f) if an external device, of the external devices sending the anomaly, can be identified and blocked, then(1) blocking the identified external device; and
  
  (2) disabling a receiving of incoming signals in a direction of the detected anomaly using the beamforming capabilities of the at least one antenna;
  
  (3) waiting an amount of time after disabling the antenna in the direction of the detected anomaly in step (2);
  
  (4) determining if the wireless network has stabilized;
  
  (5) if the wireless network has not stabilized, then continuing to disable the antenna in the direction of the detected anomaly in accordance with step (2);
  
  (6) if the wireless network has stabilized, then(i) sending the direction of the external device to a wireless network administrator;
  
  (ii) waiting for the wireless network administrator to reset anomaly conditions;
  
  (iii) enabling the previously disabled beamforming antenna in the direction of the detected anomaly;
  
  (iv) resume monitoring in step (b).
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method according to claim 10, wherein step (c) further comprises:
    - comparing the behavior pattern of individual external devices to unwanted behavior models to determine if an anomaly has occurred.
  - 12. The method according to claim 11, wherein the unwanted behavior models include attack signatures.
  - 13. The method according to claim 11, wherein step (c) further comprises:
    - comparing aggregate external device behavior patterns to unwanted behavior models to determine if an anomaly has occurred.
  - 14. The method according to claim 13, wherein the unwanted behavior models include trigger sequences.

15. A system for mitigating the reception of unwanted signals in a wireless network from external devices, the system comprising:
- an antenna array having a plurality of individual antennas, with each individual antenna associated with a different signal direction, and at least one antenna for receiving incoming signals associated with a transmission direction;
  
  a mechanism for disabling at least a portion of the at least one antenna associated with the transmission direction; and
  
  a processor coupled to the at least one antenna for analyzing the incoming signals, the analysis including behavior patterns of the external devices; and
  
  a storage device for storing behavior patterns of the external devices and signature patterns of unwanted signals,wherein the behavior patterns of the external devices are compared to the signature patterns of the unwanted signals to determine if an anomaly has occurred, and if the anomaly is detected, then at least a portion of the at least one antenna is disabled in a direction associated with the detected anomaly.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the portion of the at least one antenna is disabled for an amount of time until the wireless network has stabilized and the detected anomaly is no longer being received.
  - 17. The system of claim 16, wherein the behavior patterns of the external devices include known attack signatures.

18. A system for mitigating the reception of unwanted signals in a wireless network from external devices, the system comprising:
- at least one antenna for receiving incoming signals associated with a transmission direction having beam forming capabilities for selectively receiving signals in different directions;
  
  a mechanism for disabling at least a portion of the at least one antenna associated with the transmission direction;
  
  a processor coupled to the at least one antenna for analyzing the incoming signals, the analysis including behavior patterns of the external devices; and
  
  a storage device for including behavior patterns of the external devices and signature patterns of unwanted signals,wherein the behavior patterns of the external devices are compared to the signature patterns of the unwanted signals to determine if an anomaly has occurred, and if the anomaly is detected, then at least a portion of the at least one antenna having beam forming capabilities is disabled in the direction associated with the detected anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Smith, Brian J.
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/970,353
Publication Number

US 20170171757A1
Time in Patent Office

1,001 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04W 12/082   using revocation of authori...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Method and system for wireless attack detection and mitigation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for wireless attack detection and mitigation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links