Detecting unauthorized wireless devices on a wired network

US 20060123133A1
Filed: 01/27/2006
Published: 06/08/2006
Est. Priority Date: 10/19/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting unauthorized devices, the method comprising the steps of:

capturing a plurality of wireless packets;

compiling a list of transmitter and receiver addresses from the plurality of wireless packets captured;

inspecting a wireless packet from the plurality of wireless packets to determine whether a transmitter or receiver address from the list is associated with an unauthorized wireless device; and

inspecting the wireless packet to determine whether a source or destination associated with the packet is on an authorized wired list; and

issuing an alarm responsive to a determination that an unauthorized wireless device is transmitting to an authorized wired device associated with the authorized wired list.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting unauthorized wireless devices on a network. Systems and methods include determining when an unauthorized wireless device is communicating with a wired device and can signal an alarm responsive to such condition.

Citations

21 Claims

1. A method of detecting unauthorized devices, the method comprising the steps of:
- capturing a plurality of wireless packets;
  
  compiling a list of transmitter and receiver addresses from the plurality of wireless packets captured;
  
  inspecting a wireless packet from the plurality of wireless packets to determine whether a transmitter or receiver address from the list is associated with an unauthorized wireless device; and
  
  inspecting the wireless packet to determine whether a source or destination associated with the packet is on an authorized wired list; and
  
  issuing an alarm responsive to a determination that an unauthorized wireless device is transmitting to an authorized wired device associated with the authorized wired list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising the step of capturing a plurality of wireless packets over a period of time.
  - 3. The method of claim 2, wherein the plurality of wireless packets is greater than a threshold number of wireless packets.
  - 4. The method of claim 1, further comprising the step of issuing an unauthorized device alarm responsive to detecting a packet from an unauthorized wireless device which is transmitting or receiving packets from a wired device not on the authorized wired list.
  - 5. The method of claim 1, wherein the authorized wired list comprises a plurality of devices physically connected to an internal network.
  - 6. The method of claim 5, further comprising the step of blocking communications from the unauthorized wireless device to the internal network.
  - 7. The method of claim 1, further comprising compiling the authorized wired list with targeted destination addresses to which the authorized transmitters are transmitting data and originating source addresses from which the receivers are receiving data.
  - 8. The method of claim 1, wherein the wireless packets comprise an 802.11 media access control (MAC) frame format including up to four address fields selected from the group:
    - wireless receiver address, wireless transmitter address, originating source address, and targeted destination address.
  - 9. The method of claim 8, wherein the step of compiling a list of transmitter and receiver addresses from a plurality of wireless packets captured, comprises the steps of:
    - parsing the plurality of wireless packets;
      
      compiling a wireless list of wireless transmitter and wireless receivers; and
      
      compiling a wired address list comprising device addresses only appearing in the originating source address field or the targeted destination address field.

10. A security system operable to detect unauthorized devices on a wireless network, the system comprising:
- a wireless receiver operable to intercept a plurality of wireless packets transmitted over a wireless network;
  
  a data store configured to record the plurality of wireless packets, and to compile a wireless list comprising transmitter and receiver addresses; and
  
  a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to execute;
  
  parsing logic operable to parse the address of a wireless frame to determine an originating source address field, a targeted destination address field, a transmitter address field, and a receiver address field;
  
  comparison logic operable to determine whether an address on the list of transmitter and receiver addresses is on an unauthorized transmitter/receiver list, the comparison logic being further operable to determine whether a source or destination associated with a packet is on an authorized wired list; and
  
  alarm logic operable to issue an alarm responsive to the results of the comparison logic.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the system processor is further programmed or adapted to execute capture logic operable to capture a threshold sampling of wireless packets comprising the plurality of wireless communications over a period of time.
  - 12. The system of claim 10, wherein the alarm logic is operable to issue an unauthorized device on network alarm responsive to an unauthorized device not on the authorized transmitter/receiver list transmitting data to or receiving data from a device on the authorized wired list.
  - 13. The system of claim 12, wherein the alarm logic is operable to issue an unauthorized device in area alarm responsive to determining that an unauthorized device is transmitting in the area to a device not on the authorized wired list.
  - 14. The system of claim 10, wherein the data store compiles the wireless list including each of a plurality of wireless transmitters and wireless receivers appearing in the transmitter address field and the receiver address field, and the data store is further operable to compile a wired address list comprising device addresses that appear only in one of the originating source address field or the targeted destination address field.
  - 15. The system of claim 14, wherein the authorized wired list is compiled by collecting the originating source address fields of the plurality of communications transmitted to a device on the authorized transmitter/receiver list and the targeted destination address fields of the plurality of communications received from a device on the authorized transmitter/receiver list.
  - 16. The system of claim 15, wherein the authorized transmitter/receiver list comprises those devices that have been registered to operate on the wireless network.
  - 17. The system of claim 10, wherein the system processor is further programmed or adapted to execute filtering logic operable to block communications from an unauthorized wireless device from propagating on an internal network responsive to the alarm logic.
  - 18. The system of claim 10, wherein the wireless frame comprises an 802.11 media access control (MAC) frame format, and each of the address fields comprise a six-byte hexadecimal number uniquely assigned to each device.
  - 19. The system of claim 10, further comprising active defense logic operable to actively defend the wireless network from the unauthorized wireless device.

20. A method of detecting unauthorized devices accessing a network, said network having a connection to one or more wired devices;
- the method comprising the steps of;
  
  determining whether wireless devices are authorized to access the network;
  
  examining first network traffic patterns associated with authorized wireless devices in order to determine whether any wired devices are present in the first network traffic patterns;
  
  examining second network traffic patterns associated with unauthorized wireless devices in order to determine whether any wired devices are present in the second network traffic patterns;
  
  detecting a first type of unauthorized access if a wired device is present in both the first and second network traffic patterns; and
  
  detecting a different type of unauthorized access if a wired device is not present in both the first and second network traffic patterns.

21. A method of detecting unauthorized devices accessing a network, said network having a connection to one or more wired devices;
- the method comprising the steps of;
  
  querying a wired-side switch to obtain a list of device addresses observed by the switch;
  
  filtering the list of addresses to identify wireless devices based on prefixes associated with wireless device addresses;
  
  comparing the identified wireless device addresses with a list of authorized wireless device addresses;
  
  detecting an unauthorized access if an identified wireless device address is not present in the list of authorized wireless device addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Hrastar, Scott E.

Application Number

US11/342,021
Publication Number

US 20060123133A1
Time in Patent Office

Days
Field of Search
US Class Current

709/238
CPC Class Codes

G06F 15/173   using an interconnection ne...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 24/00   Supervisory, monitoring or ...

Detecting unauthorized wireless devices on a wired network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting unauthorized wireless devices on a wired network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links