Intrusion Detection System For Wireless Networks

US 20080295171A1
Filed: 05/23/2007
Published: 11/27/2008
Est. Priority Date: 05/23/2007
Status: Abandoned Application

First Claim

Patent Images

1. An intrusion detection system comprising:

a plurality of wireless nodes operating to transport packets between end devices over a wireless medium, wherein each wireless node in said plurality of wireless nodes examines a received data packet for the presence of one or more anomalies, and transmits a message packet upon the presence of said one or more anomalies; and

a sentinel device processing said message packet to determine whether a transmitter of said received data packet is a potential intruder, and causing a spy routine to be activated if said transmitter is determined to be said potential intruder,wherein operation of said spy routine communicates further with said transmitter to facilitate a determination of whether said transmitter is an actual intruder.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless node in a wireless network examines data packets directed to itself (i.e., value in destination address field indicates that the wireless node is an intended recipient)for presence of anomalies that suggest intrusion. The data packet is examined as part of the normal course of operation of the node. Upon detection of an anomaly, the wireless node sends a message packet containing details of the anomaly to a sentinel device. The sentinel device processes the anomalies to determine if a possibility of intrusion is indicated, and activates a spy routine in the wireless node. The spy routine enables further investigation into the intrusion. As components (such as wireless nodes) in the wireless network operate normally (normal operations) until an anomalous condition/event occurs, the additional power requirements for intrusion detection are reduced. If intrusion is detected, appropriate actions, such as alerting an operator, are taken to mitigate the intrusion.

33 Citations

View as Search Results

30 Claims

1. An intrusion detection system comprising:
- a plurality of wireless nodes operating to transport packets between end devices over a wireless medium, wherein each wireless node in said plurality of wireless nodes examines a received data packet for the presence of one or more anomalies, and transmits a message packet upon the presence of said one or more anomalies; and
  
  a sentinel device processing said message packet to determine whether a transmitter of said received data packet is a potential intruder, and causing a spy routine to be activated if said transmitter is determined to be said potential intruder,wherein operation of said spy routine communicates further with said transmitter to facilitate a determination of whether said transmitter is an actual intruder.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The intrusion detection system of claim 1, wherein each wireless node examines only a set of packets for said one or more anomalies, wherein each of said set of packets has a destination address indicating that the packet is directed to the wireless node.
  - 3. The intrusion detection system of claim 2, wherein a first node determines an anomaly by examining a first packet contained in said set of packets, wherein said first packet contains the address of said first node in said destination address field.
  - 4. The intrusion detection system of claim 1, wherein a second wireless node contained in said plurality of wireless nodes detects a first anomaly and sends a first message to said sentinel to indicate presence of said first anomaly, wherein said sentinel sends a reply packet to said second wireless node to activate said spy routine.
  - 5. The intrusion detection system of claim 1, wherein a third wireless node contained in said plurality of wireless nodes detects a third anomaly and sends a third message to said sentinel to indicate presence of said third anomaly, wherein said sentinel sends a reply packet to a fourth wireless node, different from said third wireless node, to activate said spy routine.
  - 6. The intrusion detection system of claim 5, wherein said sentinel determines that said fourth wireless node is closer than said third wireless node to said transmitter.
  - 7. The intrusion detection system of claim 1, wherein said sentinel communicates with a decision system to determine that said transmitter is said potential intruder.
  - 8. The intrusion detection system of claim 1, wherein said one or more anomalies comprises one or more of reception of said data packet in non-scheduled time slot, an absence of a destination address in said data packet, an incorrect packet size of said data packet, an incorrect message integrity code in said data packet, an incorrect nonce value in said data packet, observation of repeated change in a connection status.
  - 9. The intrusion detection system of claim 1, wherein said end devices comprise a control station and a plurality of wireless field devices, wherein said control station and said plurality of field devices are designed to implement a corresponding control strategy in a process control plant.
  - 10. The intrusion detection system of claim 1, wherein said sentinel alerts a human operator to intrusion by said potential intruder if said processing of said message packet determines that said transmitter of said received data packet is a potential intruder, said sentinel also providing a location information of said intruder to said human operator.

11. A method of detecting intrusion by a transmitter in a wireless network, said wireless network comprising a plurality of wireless nodes, said method being implemented in each of said plurality of wireless nodes, said method comprising:
- receiving a data packet from said transmitter in a first wireless node, wherein said data packet is directed to said first wireless node, wherein said first wireless node is contained in said plurality of wireless nodes;
  
  examining in said first wireless node said data packet to determine presence of one or more anomalies; and
  
  sending from said first wireless node a message packet to a sentinel device if said one or more anomalies are present.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - receiving a response packet from said sentinel; and
      
      activating operation of a spy routine upon a reception of said response packet.
  - 13. The method of claim 12, further comprising:
    - receiving a plurality of packets; and
      
      forwarding each of said plurality of packets to a next wireless node or an end device to which the packet is destined to.
  - 14. The method of claim 12, wherein said data packet contains an address of said first wireless node in a destination address field.
  - 15. The method of claim 12, further comprising communicating further with said transmitter to facilitate a determination of whether said transmitter is an actual intruder.

16. A method of detecting intrusion by a transmitter in a wireless network, said wireless network comprising a plurality of wireless nodes, said method being implemented in a sentinel device, said method comprising:
- receiving a message packet from a first wireless node contained in said plurality of wireless nodes, wherein said message packet indicates one or more anomalies observed in a data packet received by said first wireless node; and
  
  transmitting a response packet indicating that a spy routine is to be activated to investigate further if a processing of said message packet indicates that said transmitter is a potential intruder.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, further comprising alerting a human operator to intrusion by said transmitter if said processing of said message packet indicates that said transmitter is a potential intruder.
  - 18. The method of claim 16, further comprising:
    - determining a physical location of said potential intruder; and
      
      providing information indicating said physical location to an operator.
  - 19. The method of claim 18, wherein said determining comprises:
    - examining a content of said message packet to determine a first wireless node which received said message packet from said potential intruder;
      
      checking a location information to identify a zone in which said first wireless node is located, wherein said physical location comprises said zone.
  - 20. The method of claim 16, further comprising:
    - determining a closest one of said plurality of wireless nodes to said transmitter by examining said message packet, wherein said response packet is designed to cause said closest one of said plurality of wireless nodes to execute said spy routine.
  - 21. The method of claim 20, wherein said message packet contains a plurality of time stamps, each from a corresponding wireless node forwarding said data packet., wherein said closest wireless node is the wireless node with the earliest time stamp.

22. A machine readable medium storing one or more sequences of instructions for enabling a wireless node in a wireless network to detect intrusion by a transmitter in said wireless network, said wireless network containing a plurality of wireless nodes, said wireless node being contained in said plurality of wireless nodes, wherein execution of said one or more sequences of instructions by one or more processors contained in said wireless node causes said wireless node to perform the actions of:
- receiving a data packet from said transmitter, wherein said data packet is directed to said wireless node;
  
  examining said data packet to determine presence of one or more anomalies; and
  
  sending a message packet to a sentinel device if said one or more anomalies are present.
- View Dependent Claims (23, 24, 25)
- - 23. The machine readable medium of claim 22, wherein said wireless node receives a response packet from said sentinel, and activates operation of a spy routine upon a reception of said response packet.
  - 24. The machine readable medium of claim 22, wherein said wireless node receives a plurality of packets, and forwards each of said plurality of packets to a next wireless node contained in said plurality of wireless nodes or an end device to which said plurality of packets are destined to.
  - 25. The machine readable medium of claim 22, wherein said data packet contains an address of said wireless node in a destination address field.

26. A machine readable medium storing one or more sequences of instructions for enabling a sentinel device to detect intrusion by a transmitter in a wireless network, said sentinel device being connected to said wireless network over a wireless medium, said wireless network containing a plurality of wireless nodes, wherein execution of said one or more sequences of instructions by one or more processors contained in said sentinel device causes said sentinel device to perform the actions of:
- receiving a message packet from a first wireless node contained in said plurality of wireless nodes, wherein said message packet indicates one or more anomalies observed in data packets received by said first wireless node; and
  
  transmitting a response packet indicating that a spy routine is to be activated to investigate further if a processing of said message packet indicates that said transmitter is a potential intruder.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The machine readable medium of claim 26, wherein said sentinel device alerts a human operator to intrusion by said transmitter if said processing of said message packet indicates that said transmitter is a potential intruder.
  - 28. The machine readable medium of claim 26, wherein said sentinel device determines a physical location of said potential intruder, and provides information indicating said physical location to an operator.
  - 29. The machine readable medium of claim 28, wherein said determining a physical location comprises:
    - examining a content of said message packet to determine a first wireless node which received said message packet from said potential intruder;
      
      checking a location information to identify a zone in which said first wireless node is located, wherein said physical location comprises said zone.
  - 30. The machine readable medium of claim 26, wherein said sentinel device determines a closest one of said plurality of wireless nodes to said transmitter by examining said message packet, wherein said response packet is designed to cause said closest one of said plurality of wireless nodes to execute said spy routine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Foo Kune, Denis, Yermal, Sudarshan, Raravi, Channabasavaraj, Kumar, Gaurav, Ramanathan, Kartikeya Sriniwas, Singh, Abhishek Kumar

Application Number

US11/752,308
Publication Number

US 20080295171A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

H04W 12/125   Protection against power ex...

H04W 24/00   Supervisory, monitoring or ...

H04W 52/0219   where the power saving mana...

H04W 52/0238   where the received signal i...

H04W 52/0258   controlling an operation mo...

H04W 84/14   WLL [Wireless Local Loop]; ...

H04W 88/02   Terminal devices

Y02D 30/70   in wireless communication n...

Intrusion Detection System For Wireless Networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Intrusion Detection System For Wireless Networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others