Mobile ad-hoc network with intrusion detection features and related methods

US 20040028016A1
Filed: 08/12/2002
Published: 02/12/2004
Est. Priority Date: 08/12/2002
Status: Active Grant

First Claim

Patent Images

1. A mobile ad-hoc network (MANET) comprising:

a plurality of nodes for transmitting data therebetween; and

a policing node for detecting intrusions into the MANET by monitoring transmissions among said plurality of nodes to detect transmissions during an unauthorized period; and

generating an intrusion alert based upon detecting transmissions during the unauthorized period.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile ad-hoc network (MANET) may include a plurality of nodes for transmitting data therebetween and a policing node. The policing node may detect intrusions into the MANET by monitoring transmissions among the plurality of nodes to detect transmissions during an unauthorized period and generate an intrusion alert based thereon. The policing node may also detect intrusions based upon one or more of integrity check values which do not correspond with respective data packets, usage of non-consecutive media access control (MAC) sequence numbers by a node, and collisions of packet types and/or MAC addresses.

Citations

78 Claims

1. A mobile ad-hoc network (MANET) comprising:
- a plurality of nodes for transmitting data therebetween; and
  
  a policing node for detecting intrusions into the MANET by monitoring transmissions among said plurality of nodes to detect transmissions during an unauthorized period; and
  
  generating an intrusion alert based upon detecting transmissions during the unauthorized period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The MANET of claim 1 wherein said plurality of nodes transmit data in packets and generate respective integrity check values for transmission with each packet;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect integrity check values which do not correspond with their respective data packets; and
      
      generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
  - 3. The MANET of claim 1 wherein said plurality of nodes transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect usage of non-consecutive MAC sequence numbers by a node; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a node.
  - 4. The MANET of claim 1 wherein said plurality of nodes transmit data in packets each having a packet type associated therewith;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 5. The MANET of claim 4 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 6. The MANET of claim 4 wherein the threshold number of collisions is greater than about three.
  - 7. The MANET of claim 4 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 8. The MANET of claim 1 wherein said plurality of nodes transmit data via a medium access control (MAC) layer;
    - wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 9. The MANET of claim 8 wherein the threshold number of collisions is greater than about three.
  - 10. The MANET of claim 1 wherein the MANET has at least one service set identification (ID) associated therewith;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect service set IDs associated therewith; and
      
      generating an intrusion alert based upon one of the detected service set IDs being different than the at least one service set ID of the MANET.
  - 11. The MANET of claim 1 wherein said plurality of nodes transmit over at least one channel;
    - and wherein said policing node further detects transmissions over the at least one channel not originating from one of the plurality of nodes and generates an intrusion alert based thereon.
  - 12. The MANET of claim 1 wherein said policing node further transmits an intrusion alert to at least one of said plurality of nodes.

13. A mobile ad-hoc network (MANET) comprising:
- a plurality of nodes for transmitting data in packets and generating respective integrity check values for transmission with each packet; and
  
  a policing node for detecting intrusions into the MANET by monitoring transmissions among said plurality of nodes to detect integrity check values which do not correspond with their respective data packets; and
  
  generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The MANET of claim 13 wherein said plurality of nodes transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect usage of non-consecutive MAC sequence numbers by a node; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a node.
  - 15. The MANET of claim 13 wherein said plurality of nodes transmit data in packets each having a packet type associated therewith;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 16. The MANET of claim 15 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 17. The MANET of claim 15 wherein the threshold number of collisions is greater than about three.
  - 18. The MANET of claim 15 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 19. The MANET of claim 13 wherein said plurality of nodes transmit data via a medium access control (MAC) layer;
    - wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 20. The MANET of claim 19 wherein the threshold number of collisions is greater than about three.
  - 21. The MANET of claim 13 wherein said policing node further transmits an intrusion alert to at least one of said plurality of nodes.

22. A mobile ad-hoc network (MANET) comprising:
- a plurality of nodes for transmitting data in packets via a medium access control (MAC) layer and also for transmitting a respective MAC sequence number with each data packet data; and
  
  a policing node for detecting intrusions into the MANET by monitoring transmissions among said plurality of nodes to detect usage of non-consecutive MAC sequence numbers by a node; and
  
  generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a node.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The MANET of claim 22 wherein said plurality of nodes transmit data in packets each having a packet type associated therewith;
    - and wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 24. The MANET of claim 23 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 25. The MANET of claim 23 wherein the threshold number of collisions is greater than about three.
  - 26. The MANET of claim 23 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 27. The MANET of claim 22 wherein said plurality of nodes transmit data via a medium access control (MAC) layer;
    - wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 28. The MANET of claim 27 wherein the threshold number of collisions is greater than about three.
  - 29. The MANET of claim 22 wherein said policing node further transmits an intrusion alert to at least one of said plurality of nodes.

30. A mobile ad-hoc network (MANET) comprising:
- a plurality of nodes for transmitting data in packets each having a packet type associated therewith; and
  
  a policing node for detecting intrusions into the MANET by monitoring transmissions among said plurality of nodes to detect collisions of packets having a predetermined packet type; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. The MANET of claim 30 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 32. The MANET of claim 30 wherein the threshold number of collisions is greater than about three.
  - 33. The MANET of claim 30 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 34. The MANET of claim 30 wherein said plurality of nodes transmit data via a medium access control (MAC) layer;
    - wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom; and
      
      wherein said policing node further detects intrusions into the MANET by;
      
      monitoring transmissions among said plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 35. The MANET of claim 30 wherein the threshold number of collisions is greater than about three.
  - 36. The MANET of claim 30 wherein said policing node further transmits an intrusion alert to at least one of said plurality of nodes.

37. A mobile ad-hoc network (MANET) comprising:
- a plurality of nodes for transmitting data via a medium access control (MAC) layer, each node having a MAC address associated therewith to be transmitted with data sent therefrom; and
  
  a policing node for detecting intrusions into the MANET by monitoring transmissions among said plurality of nodes to detect collisions of a same MAC address; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
- View Dependent Claims (38, 39)
- - 38. The MANET of claim 37 wherein the threshold number of collisions is greater than about three.
  - 39. The MANET of claim 37 wherein said policing node further transmits an intrusion alert to at least one of said plurality of nodes.

40. An intrusion detection method for a mobile ad-hoc network (MANET) comprising a plurality of nodes, the method comprising:
- transmitting data between the plurality of nodes;
  
  monitoring transmissions among the plurality of nodes to detect transmissions during an unauthorized period; and
  
  generating an intrusion alert based upon detecting transmissions during the unauthorized period.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 41. The method of claim 40 wherein the plurality of nodes transmit data in packets and generate respective integrity check values for transmission with each packet;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect integrity check values which do not correspond with their respective data packets; and
      
      generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
  - 42. The method of claim 40 wherein the plurality of nodes transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect usage of non-consecutive MAC sequence numbers by a node; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a node.
  - 43. The method of claim 40 wherein the plurality of nodes transmit data in packets each having a packet type associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 44. The method of claim 43 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 45. The method of claim 43 wherein the threshold number of collisions is greater than about three.
  - 46. The method of claim 43 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 47. The method of claim 40 wherein the plurality of nodes transmit data via a medium access control (MAC) layer, and wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 48. The method of claim 47 wherein the threshold number of collisions is greater than about three.
  - 49. The method of claim 40 wherein the MANET has at least one service set identification (ID) associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect service set IDs associated therewith; and
      
      generating an intrusion alert based upon one of the detected service set IDs being different than the at least one service set ID of the MANET.
  - 50. The MANET of claim 40 wherein the plurality of nodes transmit over at least one channel;
    - and further comprising detecting transmissions over the at least one channel not originating from one of the plurality of nodes and generating an intrusion alert based thereon.
  - 51. The MANET of claim 40 further comprising transmitting the intrusion alert to at least one of the plurality of nodes.

52. An intrusion detection method for a mobile ad-hoc network (MANET) comprising a plurality of nodes, the method comprising:
- transmitting data between the plurality of nodes in packets and generating respective integrity check values for transmission with each packet;
  
  monitoring transmissions among the plurality of nodes to detect integrity check values which do not correspond with their respective data packets; and
  
  generating an intrusion alert based upon detecting an integrity check value which does not correspond with its respective data packet.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60)
- - 53. The method of claim 52 wherein the plurality of nodes transmit data in packets via a medium access control (MAC) layer and also transmit a respective MAC sequence number with each data packet;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect usage of non-consecutive MAC sequence numbers by a node; and
      
      generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a node.
  - 54. The method of claim 52 wherein the data packets each have a packet type associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 55. The method of claim 54 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 56. The method of claim 54 wherein the threshold number of collisions is greater than about three.
  - 57. The method of claim 54 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 58. The method of claim 52 wherein the plurality of nodes transmit data packets via a medium access control (MAC) layer, and wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 59. The method of claim 58 wherein the threshold number of collisions is greater than about three.
  - 60. The method of claim 52 further comprising transmitting the intrusion alert to at least one of the plurality of nodes.

61. An intrusion detection method for a mobile ad-hoc network (MANET) comprising a plurality of nodes, the method comprising:
- transmitting data in packets via a medium access control (MAC) layer and transmitting a respective MAC sequence number with each data packet data;
  
  monitoring transmissions among the plurality of nodes to detect usage of non-consecutive MAC sequence numbers by a node; and
  
  generating an intrusion alert based upon detecting usage of non-consecutive MAC sequence numbers by a node.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68)
- - 62. The method of claim 61 wherein each data packet has a packet type associated therewith;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of packets having a predetermined packet type; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
  - 63. The method of claim 62 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 64. The method of claim 61 wherein the threshold number of collisions is greater than about three.
  - 65. The method of claim 61 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 66. The method of claim 61 wherein the plurality of nodes transmit data packets via a medium access control (MAC) layer, and wherein each node has a MAC address associated therewith to be transmitted with data sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 67. The method of claim 66 wherein the threshold number of collisions is greater than about three.
  - 68. The method of claim 61 further comprising transmitting the intrusion alert to at least one of the plurality of nodes.

69. An intrusion detection method for a mobile ad-hoc network (MANET) comprising a plurality of nodes, the method comprising:
- transmitting data in packets between the plurality of nodes, each packet having a packet type associated therewith;
  
  monitoring transmissions among the plurality of nodes to detect collisions of packets having a predetermined packet type; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of packets having the predetermined packet type.
- View Dependent Claims (70, 71, 72, 73, 74, 75)
- - 70. The method of claim 69 wherein the predetermined packet type comprises at least one of authentication packets, association packets, beacon packets, request to send (RTS) packets, and clear to send (CTS) packets.
  - 71. The method of claim 69 wherein the threshold number of collisions is greater than about three.
  - 72. The method of claim 69 wherein the threshold number is based upon a percentage of a total number of monitored packets having the predetermined packet type.
  - 73. The method of claim 69 wherein the plurality of nodes transmit data packets via a medium access control (MAC) layer, and wherein each node has a MAC address associated therewith to be transmitted with data packets sent therefrom;
    - and further comprising;
      
      monitoring transmissions among the plurality of nodes to detect collisions of a same MAC address; and
      
      generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
  - 74. The method of claim 73 wherein the threshold number of collisions is greater than about three.
  - 75. The method of claim 69 further comprising transmitting the intrusion alert to at least one of the plurality of nodes.

76. An intrusion detection method for a mobile ad-hoc network (MANET) comprising a plurality of nodes, the method comprising:
- transmitting data via a medium access control (MAC) layer between the plurality of nodes, each node having a MAC address associated therewith to be transmitted with data sent therefrom;
  
  monitoring transmissions among the plurality of nodes to detect collisions of a same MAC address; and
  
  generating an intrusion alert based upon detecting a threshold number of collisions of a same MAC address.
- View Dependent Claims (77, 78)
- - 77. The method of claim 76 wherein the threshold number of collisions of a same MAC address is greater than about three.
  - 78. The method of claim 76 further comprising transmitting the intrusion alert to at least one of the plurality of nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stingray IP Solutions LLC (Acacia Research Corporation)
Original Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Inventors
Billhartz, Thomas Jay

Granted Patent

US 6,986,161 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04W 12/106   Packet or message integrity

H04W 12/122   Counter-measures against at...

H04W 24/00   Supervisory, monitoring or ...

H04W 8/26   Network addressing or numbe...

H04W 84/18   Self-organising networks, e...

Mobile ad-hoc network with intrusion detection features and related methods

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

78 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile ad-hoc network with intrusion detection features and related methods

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

78 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links