Method and system for detecting characteristics of a wireless network

US 20040252837A1
Filed: 04/03/2003
Published: 12/16/2004
Est. Priority Date: 04/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting a wireless access device in an area;

creating a state transition table for said detected wireless access device;

observing a plurality of packets transmitted by said detected wireless access device;

determining, based on said plurality of packets, whether a state change has occurred for said detected wireless access device;

identifying said state change in said state transition table; and

checking for security violations as a result of said state change.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.

166 Citations

22 Claims

1. A method comprising:
- detecting a wireless access device in an area;
  
  creating a state transition table for said detected wireless access device;
  
  observing a plurality of packets transmitted by said detected wireless access device;
  
  determining, based on said plurality of packets, whether a state change has occurred for said detected wireless access device;
  
  identifying said state change in said state transition table; and
  
  checking for security violations as a result of said state change.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as in claim 1, wherein said determining further comprises:
    - determining the current state of said detected wireless access device;
      
      retrieving, from said state transition table, the prior state for said detected wireless access device;
      
      comparing said prior state with said current state of said detected wireless access device; and
      
      creating a new entry in said state transition table if said current state of said detected wireless access devices is different than said prior state of said detected wireless access device.
  - 3. A method as in claim 1, wherein said identifying further comprises:
    - entering a first device name in said state transition table;
      
      specifying, in said state transition table, a state in which said first device has been determined to be operating; and
      
      indicating one or more other devices with which said first device has been determined to be communicating.
  - 4. A method as in claim 3, wherein said checking further comprises:
    - for a wireless access device, comparing a device communicating with said wireless access device with an entry in said state transition table indicative of a device with which said wireless access device was previously communicating;
      
      if said current device and said entry are different, determining if an unauthorized communication has occurred with a device utilizing illegitimate credentials; and
      
      sending a notification if it has been determined that an unauthorized communication with a device utilizing illegitimate credentials has occurred.
  - 5. A method as in claim 1, wherein said checking further comprises:
    - for a wireless access device, comparing the current state of said wireless access device with an entry in said state transition table indicative of the prior state of said wireless access device;
      
      if said current state and said prior state are different, determining if an illegal state change has occurred; and
      
      sending a notification if it has been determined that an illegal state change has occurred.
  - 6. A method as in claim 5, wherein said determining of an illegal state change further comprises:
    - determining a group of possible prior state values of a wireless access device based on the current state of said wireless access device;
      
      determining whether the actual previous state of said wireless access device matches one of said group of possible previous states; and
      
      generating an alert if said actual previous state is not among said group of possible previous states.

7. A method of determining whether an ad hoc wireless network exists comprising:
- observing a channel in a wireless network for a predetermined amount of time;
  
  parsing all packets transmitted on said channel;
  
  examining protocol information in each of said packets; and
  
  comparing said protocol information in each of said packets with known patterns associated with an ad hoc network.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. A method as in claim 7 wherein said predetermined amount of time is less than 60 seconds.
  - 9. A method as in claim 8, wherein said predetermined amount of time is approximately two seconds.
  - 10. A method as in claim 7, wherein said protocol information comprises a device identifier.
  - 11. A method as in claim 10, wherein said device identifier is a Basic Service Set Identifier.
  - 12. A method as in claim 7, wherein said protocol information comprises a random number.

13. A system for detecting state changes in a wireless network, comprising:
- means for creating a state transition table for a detected wireless access device in a wireless network;
  
  means for observing a plurality of packets transmitted by said detected wireless access device;
  
  means for determining, based on said plurality of packets, whether a state change has occurred for said detected wireless access device;
  
  means for identifying said state change in said state transition table; and
  
  means for checking for security violations as a result of said state change.

14. A system for detecting an ad hoc network, comprising:
- means for observing a channel in a wireless network for a predetermined amount of time;
  
  means for parsing all packets transmitted on said channel;
  
  means for examining protocol information in each of said packets; and
  
  means for comparing said protocol information in each of said packets with known patterns;
  
  wherein a determination can be made, based on the protocol information from said packets, whether said packets were transmitted over said wireless network or an ad hoc network.

15. A computer readable medium containing computer program instructions for:
- creating a state transition table for a detected wireless access device in a wireless network;
  
  observing a plurality of packets transmitted by said detected wireless access device;
  
  determining, based on said plurality of packets, whether a state change has occurred for said detected wireless access device;
  
  identifying said state change in said state transition table; and
  
  checking for security violations as a result of said state change.

16. A computer readable medium containing computer program instructions for:
- observing a channel in a wireless network for a predetermined amount of time;
  
  parsing all packets transmitted on said channel;
  
  examining protocol information in each of said packets; and
  
  comparing said protocol information in each of said packets with known patterns associated with an ad hoc network.

17. A wireless intrusion detection system node, comprising:
- means for creating a state transition table for one or more detected wireless access devices in a wireless network;
  
  means for observing a plurality of packets sent by each of said one or more detected wireless access devices;
  
  means for determining, based on said plurality of packets, whether a state change has occurred for any of said one or more detected wireless access devices; and
  
  means for reporting any of said state changes to a wireless intrusion detection system collector.

18. A wireless intrusion detection system collector, comprising:
- means for receiving state changes from one or more wireless intrusion detection system nodes; and
  
  means for determining activity within a wireless network based on said state changes.
- View Dependent Claims (19, 20, 21, 22)
- - 19. A method as in claim 18 wherein said activity further comprises determining whether a security violation has occurred.
  - 20. A method as in claim 19 wherein said security violation comprises a spoof attack.
  - 21. A method as in claim 19, wherein said security violation comprises an illegal state change.
  - 22. A method as in claim 18 wherein said activity further comprises determining whether an ad hoc network is present.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ozmo Licensing LLC
Original Assignee
Network Security Technologies, Inc. (Verizon Communications Inc.)
Inventors
Harvey, Elaine, Walnock, Matthew

Granted Patent

US 7,603,710 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

Method and system for detecting characteristics of a wireless network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting characteristics of a wireless network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links