Wireless local or metropolitan area network with intrusion detection features and related methods

US 20040028001A1
Filed: 08/12/2002
Published: 02/12/2004
Est. Priority Date: 08/12/2002
Status: Active Grant

First Claim

Patent Images

1. A wireless local or metropolitan area network comprising:

a plurality of stations for transmitting data therebetween; and

a policing station for detecting intrusions into the wireless network by monitoring transmissions among said plurality of stations to detect transmissions during an unauthorized period; and

generating an intrusion alert based upon detecting transmissions during the unauthorized period.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless local or metropolitan area network may include a plurality of stations for transmitting data therebetween and a policing station. The policing station may detect intrusions into the wireless network by monitoring transmissions among the plurality of stations to detect transmissions during an unauthorized period and generate an intrusion alert based thereon. The policing station may also detect intrusions based upon one or more of integrity check values which do not correspond with respective data packets, usage of non-consecutive media access control (MAC) sequence numbers by a station, and collisions of packet types and/or MAC addresses.

Citations

84 Claims

1. A wireless local or metropolitan area network comprising:
- a plurality of stations for transmitting data therebetween; and
  
  a policing station for detecting intrusions into the wireless network by monitoring transmissions among said plurality of stations to detect transmissions during an unauthorized period; and
  
  generating an intrusion alert based upon detecting transmissions during the unauthorized period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The wireless network of claim 1 wherein said plurality of stations transmit data in packets and generate respective integrity check values for transmission with each packet;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect integrity check values which do not correspond with their respective data packets; and
      
      generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
  - 3. The wireless network of claim 1 wherein said plurality of stations transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect usage of non-consecutive MAC sequence numbers by a station; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a station.
  - 4. The wireless network of claim 1 wherein said plurality of stations transmit data in packets each having a packet type associated therewith;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 5. The wireless network of claim 4 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 6. The wireless network of claim 4 wherein the threshold number of collisions is greater than about three.
  - 7. The wireless network of claim 4 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 8. The wireless network of claim 1 wherein said plurality of stations transmit data via a medium access control (MAC) layer;
    - wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 9. The wireless network of claim 8 wherein the threshold number of collisions is greater than about three.
  - 10. The wireless network of claim 1 wherein the wireless network has at least one service set identification (ID) associated therewith;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect service set IDs associated therewith; and
      
      generating an intrusion alert based upon one of the detected service set IDs being different than the at least one service set ID of the wireless network.
  - 11. The wireless network of claim 1 wherein said plurality of stations transmit over at least one channel;
    - and wherein said policing station further detects transmissions over the at least one channel not originating from one of the plurality of stations and generates an intrusion alert based thereon.
  - 12. The wireless network of claim 1 wherein said policing station further transmits an intrusion alert to at least one of said plurality of stations.
  - 13. The wireless network of claim 1 wherein said policing station comprises a base station.
  - 14. The wireless network of claim 1 wherein said policing station comprises a wireless station.

15. A wireless local or metropolitan area network comprising:
- a plurality of stations for transmitting data in packets and generating respective integrity check values for transmission with each packet; and
  
  a policing station for detecting intrusions into the wireless network by monitoring transmissions among said plurality of stations to detect integrity check values which do not correspond with their respective data packets; and
  
  generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The wireless network of claim 15 wherein said plurality of stations transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect usage of non-consecutive MAC sequence numbers by a station; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a station.
  - 17. The wireless network of claim 15 wherein said plurality of stations transmit data in packets each having a packet type associated therewith;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 18. The wireless network of claim 17 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 19. The wireless network of claim 17 wherein the threshold number of collisions is greater than about three.
  - 20. The wireless network of claim 17 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 21. The wireless network of claim 15 wherein said plurality of stations transmit data via a medium access control (MAC) layer;
    - wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 22. The wireless network of claim 20 wherein the threshold number of collisions is greater than about three.
  - 23. The wireless network of claim 15 wherein said policing station further transmits an intrusion alert to at least one of said plurality of stations.
  - 24. The wireless network of claim 15 wherein said policing station comprises at least one of a base station and a wireless station.

25. A wireless local or metropolitan area network comprising:
- a plurality of stations for transmitting data in packets via a medium access control (MAC) layer and also for transmitting a respective MAC sequence number with each data packet data; and
  
  a policing station for detecting intrusions into the wireless network by monitoring transmissions among said plurality of stations to detect usage of non-consecutive MAC sequence numbers by a station; and
  
  generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a station.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The wireless network of claim 25 wherein said plurality of stations transmit data in packets each having a packet type associated therewith;
    - and wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 27. The wireless network of claim 26 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 28. The wireless network of claim 26 wherein the threshold number of collisions is greater than about three.
  - 29. The wireless network of claim 26 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 30. The wireless network of claim 25 wherein said plurality of stations transmit data via a medium access control (MAC) layer;
    - wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 31. The wireless network of claim 30 wherein the threshold number of collisions is greater than about three.
  - 32. The wireless network of claim 25 wherein said policing station further transmits an intrusion alert to at least one of said plurality of stations.
  - 33. The wireless network of claim 25 wherein said policing station comprises at least one of a base station and a wireless station.

34. A wireless local or metropolitan area network comprising:
- a plurality of stations for transmitting data in packets each having a packet type associated therewith; and
  
  a policing station for detecting intrusions into the wireless network by monitoring transmissions among said plurality of stations to detect collisions of packets having a predetermined packet type; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41)
- - 35. The wireless network of claim 34 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 36. The wireless network of claim 34 wherein the threshold number of collisions is greater than about three.
  - 37. The wireless network of claim 34 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 38. The wireless network of claim 34 wherein said plurality of stations transmit data via a medium access control (MAC) layer;
    - wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing station further detects intrusions into the wireless network by;
      
      monitoring transmissions among said plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 39. The wireless network of claim 34 wherein the threshold number of collisions is greater than about three.
  - 40. The wireless network of claim 34 wherein said policing station further transmits an intrusion alert to at least one of said plurality of stations.
  - 41. The wireless network of claim 34 wherein said policing station comprises at least one of a base station and a wireless station.

42. A wireless local or metropolitan area network comprising:
- a plurality of stations for transmitting data via a medium access control (MAC) layer, each station having a MAC address associated therewith to be transmitted with data sent therefrom; and
  
  a policing station for detecting intrusions into the wireless network by monitoring transmissions among said plurality of stations to detect collisions of a same MAC address; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
- View Dependent Claims (43, 44, 45)
- - 43. The wireless network of claim 42 wherein the threshold number of collisions is greater than about three.
  - 44. The wireless network of claim 42 wherein said policing station further transmits an intrusion alert to at least one of said plurality of stations.
  - 45. The wireless network of claim 42 wherein said policing station comprises at least one of a base station and a wireless station.

46. An intrusion detection method for a wireless local or metropolitan area network comprising a plurality of stations, the method comprising:
- transmitting data between the plurality of stations;
  
  monitoring transmissions among the plurality of stations to detect transmissions during an unauthorized period; and
  
  generating an intrusion alert based upon detecting transmissions during the unauthorized period.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 47. The method of claim 46 wherein the plurality of stations transmit data in packets and generate respective integrity check values for transmission with each packet;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect integrity check values which do not correspond with their respective data packets; and
      
      generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
  - 48. The method of claim 46 wherein the plurality of stations transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect usage of non-consecutive MAC sequence numbers by a station; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a station.
  - 49. The method of claim 46 wherein the plurality of stations transmit data in packets each having a packet type associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 50. The method of claim 49 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 51. The method of claim 49 wherein the threshold number of collisions is greater than about three.
  - 52. The method of claim 49 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 53. The method of claim 46 wherein the plurality of stations transmit data via a medium access control (MAC) layer, and wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 54. The method of claim 52 wherein the threshold number of collisions is greater than about three.
  - 55. The method of claim 46 wherein the wireless network has at least one service set identification (ID) associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect service set IDs associated therewith; and
      
      generating an intrusion alert based upon one of the detected service set IDs being different than the at least one service set ID of the wireless network.
  - 56. The wireless network of claim 46 wherein the plurality of stations transmit over at least one channel;
    - and further comprising detecting transmissions over the at least one channel not originating from one of the plurality of stations and generating an intrusion alert based thereon.
  - 57. The wireless network of claim 46 further comprising transmitting the intrusion alert to at least one of the plurality of stations.

58. An intrusion detection method for a wireless local or metropolitan area network comprising a plurality of stations, the method comprising:
- transmitting data between the plurality of stations in packets and generating respective integrity check values for transmission with each packet;
  
  monitoring transmissions among the plurality of stations to detect integrity check values which do not correspond with their respective data packets; and
  
  generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66)
- - 59. The method of claim 58 wherein the plurality of stations transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect usage of non-consecutive MAC sequence numbers by a station; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a station.
  - 60. The method of claim 58 wherein the data packets each have a packet type associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 61. The method of claim 60 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 62. The method of claim 60 wherein the threshold number of collisions is greater than about three.
  - 63. The method of claim 60 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 64. The method of claim 58 wherein the plurality of stations transmit data packets via a medium access control (MAC) layer, and wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 65. The method of claim 63 wherein the threshold number of collisions is greater than about three.
  - 66. The method of claim 63 further comprising transmitting the intrusion alert to at least one of the plurality of stations.

67. An intrusion detection method for a wireless local or metropolitan area network comprising a plurality of stations, the method comprising:
- transmitting data in packets via a medium access control (MAC) layer and transmitting a respective MAC sequence number with each data packet data;
  
  monitoring transmissions among the plurality of stations to detect usage of non-consecutive MAC sequence numbers by a station; and
  
  generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a station.
- View Dependent Claims (68, 69, 70, 71, 72, 73, 74)
- - 68. The method of claim 67 wherein each data packet has a packet type associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 69. The method of claim 68 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 70. The method of claim 67 wherein the threshold number of collisions is greater than about three.
  - 71. The method of claim 67 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 72. The method of claim 67 wherein the plurality of stations transmit data packets via a medium access control (MAC) layer, and wherein each station has a MAC address associated therewith to be transmitted with data sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 73. The method of claim 72 wherein the threshold number of collisions is greater than about three.
  - 74. The method of claim 67 further comprising transmitting the intrusion alert to at least one of the plurality of stations.

75. An intrusion detection method for a wireless local or metropolitan area network comprising a plurality of stations, the method comprising:
- transmitting data in packets between the plurality of stations, each packet having a packet type associated therewith;
  
  monitoring transmissions among the plurality of stations to detect collisions of packets having a predetermined packet type; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
- View Dependent Claims (76, 77, 78, 79, 80, 81)
- - 76. The method of claim 75 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 77. The method of claim 75 wherein the threshold number of collisions is greater than about three.
  - 78. The method of claim 75 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 79. The method of claim 75 wherein the plurality of stations transmit data packets via a medium access control (MAC) layer, and wherein each station has a MAC address associated therewith to be transmitted with data packets sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of stations to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 80. The method of claim 79 wherein the threshold number of collisions is greater than about three.
  - 81. The method of claim 75 further comprising transmitting the intrusion alert to at least one of the plurality of stations.

82. An intrusion detection method for a wireless local or metropolitan area network comprising a plurality of stations, the method comprising:
- transmitting data via a medium access control (MAC) layer between the plurality of stations, each station having a MAC address associated therewith to be transmitted with data sent therefrom;
  
  monitoring transmissions among the plurality of stations to detect collisions of a same MAC address; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
- View Dependent Claims (83, 84)
- - 83. The method of claim 82 wherein the threshold number of collisions of a same MAC address is greater than about three.
  - 84. The method of claim 82 further comprising transmitting the intrusion alert to at least one of the plurality of stations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stingray IP Solutions LLC (Acacia Research Corporation)
Original Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Inventors
Billhartz, Thomas Jay

Granted Patent

US 7,327,690 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/312
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04W 12/106   Packet or message integrity

H04W 12/122   Counter-measures against at...

Wireless local or metropolitan area network with intrusion detection features and related methods

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

84 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless local or metropolitan area network with intrusion detection features and related methods

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

84 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links