System and method for remotely monitoring wireless networks

US 20040049699A1
Filed: 09/06/2002
Published: 03/11/2004
Est. Priority Date: 09/06/2002
Status: Active Grant

First Claim

Patent Images

1. A system for monitoring a wireless network, comprising:

a security network including a plurality of monitoring devices coupled to a centralized security manager, the security network operable to manage access to a data network associated with a plurality of authorized devices;

wherein each monitoring device comprises;

a packet sniffing module operable to receive packets communicated from one or more wireless device, each packet associated with a communication session; and

a packet routing module operable to communicate one or more of the packets to the centralized security manager; and

wherein the centralized security manager comprises;

a packet collection module operable to receive the one or more packets communicated from each monitoring device;

a packet analysis module operable to;

analyze the one or more packets; and

determine whether a particular communication session is valid based on the analysis of at least one particular packet associated with a particular wireless device; and

an alert module operable to communicate an alert if the particular communication session is not valid.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for monitoring a wireless network is provided. The system includes a security network including a plurality of monitoring devices coupled to a centralized security manager. The security network is operable to manage access to a data network associated with a plurality of authorized devices. Each monitoring device is operable to receive packets communicated from one or more wireless device and communicate one or more of the packets to the centralized security manager. Each packet is associated with a communication session. The centralized security manager is operable to receive and analyze the one or more packets communicated from each monitoring device. The centralized security manager is further operable to determine whether a particular communication session is valid based on the analysis of at least one particular packet associated with a particular wireless device, and to communicate an alert if the particular communication session is not valid.

Citations

52 Claims

1. A system for monitoring a wireless network, comprising:
- a security network including a plurality of monitoring devices coupled to a centralized security manager, the security network operable to manage access to a data network associated with a plurality of authorized devices;
  
  wherein each monitoring device comprises;
  
  a packet sniffing module operable to receive packets communicated from one or more wireless device, each packet associated with a communication session; and
  
  a packet routing module operable to communicate one or more of the packets to the centralized security manager; and
  
  wherein the centralized security manager comprises;
  
  a packet collection module operable to receive the one or more packets communicated from each monitoring device;
  
  a packet analysis module operable to;
  
  analyze the one or more packets; and
  
  determine whether a particular communication session is valid based on the analysis of at least one particular packet associated with a particular wireless device; and
  
  an alert module operable to communicate an alert if the particular communication session is not valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein each monitoring device further comprises a packet filtering module operable to select the one or more packets to communicate to the centralized security manager.
  - 3. The system of claim 1, wherein the packet analysis module of the centralized security manager is further operable to determine whether the particular communication session is a new session or an existing session based on the analysis of the at least one particular packet.
  - 4. The system of claim 1, wherein:
    - the plurality of authorized devices includes a plurality of authorized wireless access points and a plurality of authorized wireless clients, each of the wireless access points operable to provide one or more of the authorized wireless clients access to the data network; and
      
      the centralized security manager further comprises a countermeasure module operable to prevent the wireless device access to the data network via each of the plurality of wireless access points if the wireless device is not one of the plurality of authorized devices.
  - 5. The system of claim 1, wherein the centralized security manager further comprises a countermeasure module operable to direct the wireless device to a honey pot if the particular wireless device is not one of the plurality of authorized devices.
  - 6. The system of claim 1, wherein the centralized security manager further comprises a countermeasure module operable to update a session database based on the determination of whether the particular communication session is valid.
  - 7. The system of claim 1, wherein:
    - the plurality of authorized devices includes a plurality of wireless access points and a plurality of authorized wireless clients, each of the wireless access points operable to provide one or more of the authorized wireless clients access to the data network;
      
      the packet analysis module of the centralized security manager is further operable to determine whether the particular wireless device is a wireless access point or a wireless client based on the analysis of the at least one particular packet; and
      
      the packet analysis module of the centralized security manager is operable to determine whether the particular wireless device is one of the plurality of authorized devices by;
      
      determining whether the wireless access point is one of the plurality of authorized wireless access points if the particular wireless device is a wireless access point; and
      
      determining whether the wireless client is one of the plurality of authorized wireless clients if the particular wireless device is a wireless client.
  - 8. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless client is one of the plurality of authorized wireless clients at least by:
    - determining the manufacturer of the wireless client; and
      
      determining whether the manufacturer of the wireless client matches the manufacturer of at least one of the plurality of authorized wireless clients.
  - 9. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless client is one of the plurality of authorized wireless clients at least by determining whether the wired equivalency privacy (WEP) associated with the wireless client is turned on.
  - 10. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless client is one of the plurality of authorized wireless clients at least by determining whether the MAC address of the wireless client matches the MAC address of any of the plurality of authorized wireless clients.
  - 11. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless access point is one of the plurality of authorized wireless access points at least by:
    - determining the manufacturer of the wireless access point; and
      
      determining whether the manufacturer of the wireless access point matches the manufacturer of at least one of the plurality of authorized wireless access points.
  - 12. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless access point is one of the plurality of authorized wireless access points at least by determining whether the wired equivalency privacy (WEP) associated with the wireless access point is turned on.
  - 13. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless access point is one of the plurality of authorized wireless access points at least by determining whether the MAC address of the wireless access point matches the MAC address of any of the plurality of authorized wireless access points.
  - 14. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless access point is one of the plurality of authorized wireless access points at least by determining whether the service set identifier (SSID) of the wireless access point matches the service set identifier of each of the plurality of authorized wireless access points.
  - 15. The system of claim 7, wherein the packet analysis module of the centralized security manager is operable to determine whether the wireless access point is one of the plurality of authorized wireless access points at least by determining whether the wireless access point is broadcasting packets.

16. A method of monitoring a wireless network, comprising:
- receiving one or more packets communicated from a wireless device at one of a plurality of monitoring devices operable to monitor at least a portion of a network associated with a plurality of authorized devices;
  
  wherein the one or more packets are associated with a communication session;
  
  communicating at least one particular packet of the one or more packets to a centralized manager coupled to each of the plurality of monitoring devices;
  
  analyzing the at least one particular packet;
  
  determining whether the communication session is valid based on the analysis of the at least one particular packet; and
  
  communicating an alert if the communication session is not valid.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The method of claim 16, further comprising selecting the at least one particular packet from the one or more packets.
  - 18. The method of claim 16, wherein the plurality of authorized devices includes a plurality of authorized wireless access points and a plurality of authorized wireless clients, each of the wireless access points operable to provide one or more of the authorized wireless clients access to the data network;
    - and wherein the method further comprises preventing the wireless device access to the network via each of the plurality of wireless access points if the communication session is not valid.
  - 19. The method of claim 16, further comprising directing the wireless device to a honey pot if the communication session is not valid.
  - 20. The method of claim 16, further comprising determining whether the communication session is a new session or an existing session based on the analysis of the at least one particular packet.
  - 21. The method of claim 16, further comprising updating a session database associated with the centralized security manager based on the determination of whether the communication session is valid.
  - 22. The method of claim 16, wherein the plurality of authorized devices includes a plurality of wireless access points and a plurality of authorized wireless clients, each of the wireless access points operable to provide one or more of the authorized wireless clients access to the data network;
    - and wherein the method further comprises;
      
      determining whether the wireless device is a wireless access point or a wireless client based on the analysis of the at least one data packet; and
      
      wherein determining whether the communication session is valid comprises;
      
      if the wireless device is a wireless access point, determining whether the wireless access point is one of the plurality of authorized wireless access points; and
      
      if the wireless device is a wireless client, determining whether the wireless client is one of the plurality of authorized wireless clients.
  - 23. The method of claim 22, wherein determining whether the wireless client is one of the plurality of authorized wireless clients comprises:
    - determining the manufacturer of the wireless client; and
      
      determining whether the manufacturer of the wireless client matches the manufacturer of at least one of the plurality of authorized wireless clients.
  - 24. The method of claim 22, wherein determining whether the wireless client is one of the plurality of authorized wireless clients comprises determining whether the wired equivalency privacy (WEP) associated with the wireless client is turned on.
  - 25. The method of claim 22, wherein determining whether the wireless client is one of the plurality of authorized wireless clients comprises determining whether the MAC address of the wireless client matches the MAC address of any of the plurality of authorized wireless clients.
  - 26. The method of claim 22, wherein determining whether the wireless access point is one of the plurality of authorized wireless access points comprises:
    - determining the manufacturer of the wireless access point; and
      
      determining whether the manufacturer of the wireless access point matches the manufacturer of at least one of the plurality of authorized wireless access points.
  - 27. The method of claim 22, wherein determining whether the wireless access point is one of the plurality of authorized wireless access points comprises determining whether the wired equivalency privacy (WEP) associated with the wireless access point is turned on.
  - 28. The method of claim 22, wherein determining whether the wireless access point is one of the plurality of authorized wireless access points comprises determining whether the MAC address of the wireless access point matches the MAC address of any of the plurality of authorized wireless access points.
  - 29. The method of claim 22, wherein determining whether the wireless access point is one of the plurality of authorized wireless access points comprises determining whether the service set identifier (SSID) of the wireless access point matches the service set identifier of each of the plurality of authorized wireless access points.
  - 30. The method of claim 22, wherein determining whether the wireless access point is one of the plurality of authorized wireless access points comprises determining whether the wireless access point is broadcasting packets.

31. A system for monitoring a wireless network, comprising:
- a security network including a plurality of monitoring devices coupled to a centralized security manager, the security network operable to manage access to a data network associated with a plurality of authorized devices;
  
  wherein each monitoring device comprises;
  
  a packet sniffing module operable to receive packets communicated from one or more wireless device; and
  
  a packet routing module operable to communicate one or more of the packets to the centralized security manager; and
  
  wherein the centralized security manager comprises a packet collection module operable to receive the one or more packets communicated from each monitoring device;
  
  a packet analysis module operable to;
  
  analyze the one or more packets; and
  
  determine based on the analysis of at least one particular packet associated with a particular wireless device whether the particular wireless device is one of the plurality of authorized devices; and
  
  an alert module operable to communicate an alert if the particular wireless device is not one of the plurality of authorized devices.
- View Dependent Claims (32)
- - 32. The system of claim 31, wherein:
    - the plurality of authorized devices includes a plurality of wireless access points and a plurality of authorized wireless clients, each of the wireless access points operable to provide one or more of the authorized wireless clients access to the data network;
      
      the packet analysis module of the centralized security manager is further operable to determine whether the particular wireless device is a wireless access point or a wireless client based on the analysis of the at least one particular packet; and
      
      the packet analysis module of the centralized security manager is operable to determine whether the particular wireless device is one of the plurality of authorized devices by;
      
      determining whether the wireless access point is one of the plurality of authorized wireless access points if the particular wireless device is a wireless access point; and
      
      determining whether the wireless client is one of the plurality of authorized wireless clients if the particular wireless device is a wireless client.

33. A method of monitoring a wireless network, comprising:
- receiving one or more packets communicated from a wireless device at one of a plurality of monitoring devices operable to monitor at least a portion of a network comprising a plurality of authorized wireless access points and a plurality of authorized wireless clients;
  
  communicating at least one particular packet of the one or more packets to a centralized manager coupled to each of the plurality of monitoring devices;
  
  analyzing the at least one particular packet;
  
  determining whether the wireless device is one of the plurality of authorized devices based on the analysis of the at least one particular packet; and
  
  communicating an alert if the wireless device is not one of the plurality of authorized devices.
- View Dependent Claims (34)
- - 34. The method of claim 33, further comprising:
    - determining whether the wireless device is a wireless access point or a wireless client based on the analysis of the at least one data packet; and
      
      wherein determining whether the wireless device is one of the plurality of authorized devices comprises;
      
      if the wireless device is a wireless access point, determining whether the wireless access point is one of the plurality of authorized wireless access points; and
      
      if the wireless device is a wireless client, determining whether the wireless client is one of the plurality of authorized wireless clients.

35. A system for monitoring a wireless network, comprising:
- a security network including a plurality of monitoring devices coupled to a centralized security manager, the security network operable to manage access to a data network associated with a plurality of authorized devices;
  
  wherein each monitoring device comprises;
  
  a packet sniffing module operable to receive packets communicated from one or more wireless device, each packet associated with a communication session;
  
  a packet filtering module operable to select one or more of the received packets to be analyzed;
  
  a packet routing module operable to;
  
  determine whether the selected packets are to be analyzed locally or by the centralized security manager; and
  
  communicate the selected packets to the centralized security manager if it is determined that the selected packets are to be analyzed by the centralized security manager;
  
  a packet analysis module operable to;
  
  analyze the selected packets if it is determined that the selected packets are to be analyzed locally; and
  
  determine whether the communication session is valid based on the analysis of the selected packets; and
  
  wherein the centralized security manager comprises;
  
  a packet collection module operable to receive the selected packets from the monitoring device if it is determined that the selected packets are to be analyzed by the centralized security manager; and
  
  a packet analysis module operable to;
  
  analyze the received selected packets; and
  
  determine whether the communication session is valid based on the analysis of the received selected packets.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The system of claim 35, wherein:
    - each monitoring device further comprises a local session database operable to store a record regarding a particular communication session if the monitoring device determines whether or not the particular communication session is valid; and
      
      the centralized security manager is further operable to update a central session database based on the determination of whether the particular communication session is valid.
  - 37. The system of claim 35, wherein the packet routing module is operable to determine whether selected packets are to be analyzed by the monitoring device or by the centralized manager by determining whether a connection is available for communicating the selected packets from the monitoring device to the centralized manager.
  - 38. The system of claim 35, wherein each monitoring device further comprises an local alert module operable to:
    - communicate an alert if it is determined by the monitoring device that the communication session is not valid;
      
      store a record of the alert communicated from the monitoring device; and
      
      communicate the record of the alert to the centralized security manager.
  - 39. The system of claim 35, wherein each monitoring device further comprises an local alert module operable to:
    - store a record regarding the communication session if it is determined by the monitoring device that the communication session is valid; and
      
      communicate the record regarding the communication session to the centralized security manager; and
      
      wherein the centralized security manager is further operable to update a central session database based on the record regarding the communication session.

40. A method of monitoring a wireless network, comprising:
- receiving packets communicated from a wireless device at one of a plurality of monitoring devices, the one or more packets being associated with a communication session;
  
  selecting one or more of the received packets to be analyzed;
  
  determining whether the selected packets are to be analyzed by the monitoring device or by a centralized manager coupled to each of the plurality of monitoring devices;
  
  if it is determined that the selected packets are to be analyzed by the monitoring device;
  
  analyzing the selected packets by the monitoring device; and
  
  determining whether the communication session is valid based on the analysis of the selected packets; and
  
  if it is determined that the selected packets are to be analyzed by the centralized security manager;
  
  communicating the selected packets to the centralized security manager;
  
  analyzing the selected packets by the centralized security manager; and
  
  determining whether the communication session is valid based on the analysis of the received selected packets.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The method of claim 40, further comprising updating a session database associated with the centralized security manager based on the determination of whether the communication session is valid.
  - 42. The method of claim 40, wherein determining whether the selected packets are to be analyzed by the monitoring device or by the centralized manager comprises determining whether a connection is available for communicating the selected packets from the monitoring device to the centralized manager.
  - 43. The method of claim 40, further comprising:
    - communicating an alert from the monitoring device if it is determined by the monitoring device that the communication session is not valid;
      
      storing a record of the alert communicated from the monitoring device; and
      
      communicating the record of the alert to the centralized security manager.
  - 44. The method of claim 40, further comprising:
    - storing a record regarding the communication session if it is determined by the monitoring device that the communication session is valid;
      
      communicating the record regarding the communication session to the centralized security manager; and
      
      updating a session database associated with the centralized security manager based on the record regarding the communication session.

45. A method of validating a communications session in a wireless network, comprising:
- receiving one or more packets communicated from a wireless device at a monitoring device operable to monitor at least a portion of a network including a plurality of authorized devices, the one or more packets associated with a communication session;
  
  determining whether the communication session is valid, including;
  
  determining the manufacturer of the wireless device based on the one or more packets;
  
  determining whether the manufacturer of the wireless device matches the manufacturer of at least one of the plurality of authorized wireless clients;
  
  determining whether the wired equivalency privacy (WEP) associated with the wireless device is turned on; and
  
  determining whether the MAC address of the wireless device matches the MAC address of any of the plurality of authorized wireless devices.
- View Dependent Claims (46, 47)
- - 46. The method of claim 45, wherein determining whether the communication session is valid further comprises determining whether the service set identifier (SSID) of the wireless device matches the service set identifier of each of the plurality of authorized wireless devices.
  - 47. The method of claim 45, wherein determining whether the communication session is valid further comprises determining whether the wireless device is broadcasting packets.

48. Software for monitoring a wireless network, the software being embodied in computer-readable media and when executed operable to:
- receive one or more packets communicated from a wireless device, the one or more packets associated with a communication session;
  
  determine whether the communication session is valid, including;
  
  determining the manufacturer of the wireless device based on the one or more packets;
  
  determining whether the manufacturer of the wireless device matches the manufacturer of at least one of the plurality of authorized wireless clients;
  
  determining whether the wired equivalency privacy (WEP) associated with the wireless device is turned on; and
  
  determining whether the MAC address of the wireless device matches the MAC address of any of the plurality of authorized wireless devices.
- View Dependent Claims (49, 50)
- - 49. The software of claim 48, wherein determining whether the communication session is valid further comprises determining whether the service set identifier (SSID) of the wireless device matches the service set identifier of each of the plurality of authorized wireless devices.
  - 50. The software of claim 48, wherein determining whether the communication session is valid further comprises determining whether the wireless device is broadcasting packets.

51. Software for monitoring a wireless network, the software being embodied in computer-readable media and when executed operable to:
- receive one or more packets communicated from a wireless device at one of a plurality of monitoring devices operable to monitor at least a portion of a network associated with a plurality of authorized devices;
  
  wherein the one or more packets are associated with a communication session;
  
  communicate at least one particular packet of the one or more packets to a centralized manager coupled to each of the plurality of monitoring devices;
  
  analyze the at least one particular packet;
  
  determine whether the communication session is valid based on the analysis of the at least one particular packet; and
  
  generate an alert if the communication session is not valid.
- View Dependent Claims (52)
- - 52. The software of claim 51, wherein the plurality of authorized devices includes a plurality of authorized wireless access points and a plurality of authorized wireless clients, each of the wireless access points operable to provide one or more of the authorized wireless clients access to the data network;
    - and wherein the software, when executed, is further operable to prevent the wireless device access to the network via each of the plurality of wireless access points if the communication session is not valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Financial Corporation
Inventors
Bragg, John M., Griffith, Terry A., Moran, Stephen M.

Granted Patent

US 7,316,031 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 69/22   Parsing or analysis of headers

H04W 12/122   Counter-measures against at...

H04W 24/00   Supervisory, monitoring or ...

H04W 74/00   Wireless channel access

System and method for remotely monitoring wireless networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for remotely monitoring wireless networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links