Spoofing detection for a wireless system
First Claim
1. An apparatus to detect spoofing, the apparatus comprising:
- a collector device; and
- one or more wireless intrusion detection system nodes at known locations in communication with the collector device;
wherein the one or more wireless intrusion detection system nodes are configured to:
- detect a wireless access device with an associated device identifier;
- determine a first location of the wireless access device at a first time via the device identifier;
- determine a second location of the wireless access device at a second time via the device identifier;
- compare the first location and the second location to determine whether the first location and the second location are within a possible distance of one another for the wireless access device to travel between the first and second times; and
- send an alert in response to determining that the first location and the second location are outside of the possible distance.
Abstract
A method for detecting spoofing by wireless access devices. In some embodiments, spoofing can be detected based on locations for a wireless access device having an identifier at first and second times. The locations are compared to determine whether the wireless access device could access the particular network at the locations in the time period between the first and second times. In several embodiments, spoofing can be detected by tracking the activity of wireless access devices and identifying events that are prohibited by one or more policy elements of the particular network.
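The location comparison described in the abstract, as an added Python example that is not part of the patent text. Node coordinates, the speed limit, the coverage radius and all names are assumptions for illustration; a device's location is approximated by the position of the node that heard it.

```python
from dataclasses import dataclass
from math import hypot

# Assumed deployment data (constructed): node id -> (x, y) position in metres.
NODE_POSITIONS = {"wids-lobby": (0.0, 0.0), "wids-lab": (40.0, 30.0),
                  "wids-annex": (600.0, 800.0)}

MAX_SPEED_MPS = 3.0       # assumed fastest plausible movement of a handheld device
COVERAGE_RADIUS_M = 50.0  # assumed radio range of one node (location uncertainty)

@dataclass(frozen=True)
class Sighting:
    device_id: str   # device identifier, e.g. a MAC address
    node: str        # WIDS node that heard the device
    time_s: float    # observation time in seconds

def possible_distance(dt_s: float) -> float:
    """Farthest apart two sightings dt_s seconds apart can plausibly be."""
    # Each sighting is only known to within one coverage radius of its node.
    return MAX_SPEED_MPS * abs(dt_s) + 2 * COVERAGE_RADIUS_M

def detect_spoofing(sightings):
    """Alert on consecutive sightings of one identifier that are too far apart."""
    last_seen = {}   # device_id -> most recent Sighting (a small state database)
    alerts = []
    for s in sorted(sightings, key=lambda s: s.time_s):
        prev = last_seen.get(s.device_id)
        last_seen[s.device_id] = s
        if prev is None or prev.node == s.node:
            continue  # first sighting, or no change of location
        (x1, y1), (x2, y2) = NODE_POSITIONS[prev.node], NODE_POSITIONS[s.node]
        distance = hypot(x2 - x1, y2 - y1)
        limit = possible_distance(s.time_s - prev.time_s)
        if distance > limit:
            alerts.append({"device_id": s.device_id, "from": prev.node,
                           "to": s.node, "distance_m": distance, "limit_m": limit})
    return alerts

# Constructed sample observations.
SAMPLE = [
    Sighting("00:11:22:33:44:55", "wids-lobby", 0.0),
    Sighting("00:11:22:33:44:55", "wids-lab", 20.0),     # 50 m in 20 s: plausible
    Sighting("00:11:22:33:44:55", "wids-annex", 25.0),   # ~952 m in 5 s: not plausible
    Sighting("66:77:88:99:aa:bb", "wids-lobby", 5.0),
    Sighting("66:77:88:99:aa:bb", "wids-annex", 900.0),  # 1000 m in 895 s: plausible
]

if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE):
        print(alert)
```

The coverage-radius allowance keeps overlapping nodes that hear the same transmission from raising an alert, since both sightings then fall within the location uncertainty.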
16 Claims
1. Claim 1 is set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7
8. A wireless network comprising:
- a collector device;
- a plurality of nodes in communication with the collector device; and
wherein the plurality of nodes in communication with the collector device are configured to:
- receive a first state of a wireless access device and a first communication device to which the wireless access device is communicating over a particular network at a first time at a particular node of the plurality of nodes;
- receive or generate a first event for the wireless access device identifying the first state and the first communication device;
- receive a second state of the wireless access device and a second communication device to which the wireless access device is communicating over the particular network at a second time at the particular node of the plurality of nodes;
- receive or generate a second event for the wireless access device identifying the second state and the second communication device in response to determining that at least one of: the first state and the second state are different, and the first communication device and the second communication device are different;
- check the first and second events with the collector device for activities prohibited by one or more policy elements of the particular network, wherein the collector device is configured with the one or more policy elements; and
- send an alert signal in response to determining that the first and second events identify an activity that is prohibited by the one or more policy elements.
Dependent claims: 9, 10, 11, 12, 13, 14, 15
16. An apparatus for spoofing detection, the apparatus comprising:
- one or more wireless intrusion detection system nodes configured to collect data from access points and client machines; and
- one or more wireless intrusion detection system collectors configured to collect intrusion and status information from the one or more wireless intrusion detection system nodes;
wherein intrusion and status information is stored in a state database and the wireless intrusion detection system nodes in communication with the wireless intrusion detection system collectors are configured to:
- detect a wireless access device with an associated device identifier;
- determine a first location of the wireless access device at a first time via the device identifier;
- update the state database with the first location for the wireless access device; and
- determine a second location of the wireless access device at a second time via the device identifier; and
wherein upon detection of the first location and second location being different, one of the wireless intrusion detection system nodes is configured to send an event notification to one of the wireless intrusion detection system collectors that are configured to check for security policy violations and intruders, upon receipt of the event notification.
Specification