Methods and Apparatuses for Avoiding Denial of Service Attacks By Rogue Access Points

US 20120096519A1
Filed: 06/24/2009
Published: 04/19/2012
Est. Priority Date: 06/24/2009
Status: Abandoned Application

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses are provided for avoiding denial of service attacks by rogue access points. A method may include attempting to verify activation of access stratum security by an access point based at least in part upon integrity protection information included in a received security mode command message sent by the access point, wherein a radio connection has been established with the access point. The method may further include detecting an occurrence of a security activation deadlock. The method may additionally include determining that a predefined number of security activation deadlocks with the access point have occurred. The method may also include identifying the access point as a rogue access point based at least in part upon the determination that a predefined number of security activation deadlocks with the access point have occurred. Corresponding apparatuses are also provided.

36 Citations

View as Search Results

40 Claims

1-20. -20. (canceled)

21. A method comprising:
- attempting to verify activation of access stratum security by an access point based at least in part upon integrity protection information included in a received security mode command message sent by the access point, wherein a radio connection has been established with the access point;
  
  detecting an occurrence of a security activation deadlock;
  
  determining that a predefined number of security activation deadlocks with the access point have occurred; and
  
  identifying the access point as a rogue access point based at least in part upon the determination that the predefined number of security activation deadlocks with the access point have occurred.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The method of claim 21, wherein identifying the access point as a rogue access point further comprises adding the access point to a blacklist such that future connections to the access point will not be attempted while the access point is on the blacklist.
  - 23. The method of claim 21, wherein detecting the occurrence of the security activation deadlock further comprises detecting that a deadlock has occurred while waiting for the access point to release the radio connection following transmission of a security mode failure message to the access point.
  - 24. The method of claim 23, wherein detecting the occurrence of the security activation deadlock further comprises:
    - setting a deadlock timer in response to transmission of the security mode failure message to the access point; and
      
      detecting that a security activation deadlock has occurred when the access point has not released the radio connection upon expiration of the deadlock timer.
  - 25. The method of claim 23, further comprising adjusting a counter value indicating a number of security activation deadlocks with the access point that have occurred following detection of the security activation deadlock;
    - andwherein determining that a predefined number of security activation deadlocks with the access point have occurred further comprises determining the counter value has a predetermined relationship to the predefined number.
  - 26. The method of claim 21, further comprising causing establishment of a radio connection with a different access point following identification of the access point as a rogue access point.
  - 27. The method of claim 21, further comprising maintaining a whitelist of access points which have previously been verified to have activated access stratum security, wherein access points on the whitelist are accorded preference when selecting an access point.

28. An apparatus comprising at least one processor and at least one memory storing computer program code, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to at least:
- attempt to verify activation of access stratum security by an access point based at least in part upon integrity protection information included in a received security mode command message sent by the access point, wherein a radio connection has been established with the access point;
  
  detect an occurrence of a security activation deadlock;
  
  determine that a predefined number of security activation deadlocks with the access point have occurred; and
  
  identify the access point as a rogue access point based at least in part upon the determination that a predefined number of security activation deadlocks with the access point have occurred.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The apparatus of claim 28, wherein the at least one memory and stored computer program code are further configured to, with the at least one processor, cause the apparatus to identify the access point as a rogue access point by adding the access point to a blacklist such that future connections to the access point will not be attempted while the access point is on the blacklist.
  - 30. The apparatus of claim 28, wherein the at least one memory and stored computer program code are further configured to, with the at least one processor, cause the apparatus to detect the occurrence of the security activation deadlock by detecting that a deadlock has occurred while waiting for the access point to release the radio connection following transmission of a security mode failure message to the access point.
  - 31. The apparatus of claim 30, wherein the at least one memory and stored computer program code are further configured to, with the at least one processor, cause the apparatus to detect the occurrence of a security activation deadlock by:
    - setting a deadlock timer in response to transmission of the security mode failure message to the access point; and
      
      detecting that a security activation deadlock has occurred when the access point has not released the radio connection upon expiration of the deadlock timer.
  - 32. The apparatus of claim 30, wherein the at least one memory and stored computer program code are further configured to, with the at least one processor, further cause the apparatus to adjust a counter value indicating a number of security activation deadlocks with the access point that have occurred following detection of the security activation deadlock;
    - andwherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to determine that a predefined number of security activation deadlocks with the access point have occurred by determining the counter value has a predefined relationship to the predefined number.
  - 33. The apparatus of claim 28, wherein the at least one memory and stored computer program code are further configured to, with the at least one processor, further cause the apparatus to establish a radio connection with a different access point following identification of the access point as a rogue access point.
  - 34. The apparatus of claim 28, wherein the at least one memory and stored computer program code are further configured to, with the at least one processor, further cause the apparatus to maintain a whitelist of access points which have previously been verified to have activated access stratum security, wherein access points on the whitelist are accorded preference when selecting an access point.
  - 35. The apparatus of claim 28, wherein the apparatus comprises or is embodied on a mobile phone, the mobile phone comprising user interface circuitry and user interface software stored on one or more of the at least one memory;
    - wherein the user interface circuitry and user interface software are further configured to;
      
      facilitate user control of at least some functions of the mobile phone through use of a display; and
      
      cause at least a portion of a user interface of the mobile phone to be displayed on the display to facilitate user control of at least some functions of the mobile phone.

36. A computer program product comprising at least one computer-readable storage medium having computer-readable program instructions stored therein, the computer-readable program instructions comprising:
- a program instruction configured for attempting to verify activation of access stratum security by an access point based at least in part upon integrity protection information included in a received security mode command message sent by the access point, wherein a radio connection has been established with the access point;
  
  a program instruction configured for detecting an occurrence of a security activation deadlock;
  
  a program instruction configured for determining that a predefined number of security activation deadlocks with the access point have occurred; and
  
  a program instruction configured for identifying the access point as a rogue access point based at least in part upon the determination that a predefined number of security activation deadlocks with the access point have occurred.
- View Dependent Claims (37, 38, 39, 40)
- - 37. The computer program product of claim 36, wherein the program instruction configured for identifying the access point as a rogue access point further comprises instructions configured for addling the access point to a blacklist such that future connections to the access point will not be attempted while the access point is on the blacklist.
  - 38. The computer program product of claim 36, wherein the program instruction configured for detecting the occurrence of the security activation deadlock further comprises instructions configured for detecting that a deadlock has occurred while waiting for the access point to release the radio connection following transmission of a security mode failure message to the access point.
  - 39. The computer program product of claim 36, further comprising a program instruction configured for causing establishment of a radio connection with a different access point following identification of the access point as a rogue access point.
  - 40. The computer program product of claim 36, further comprising a program instruction configured for maintaining a whitelist of access points which have previously been verified to have activated access stratum security, wherein access points on the whitelist are accorded preference when selecting an access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Alanara, Seppo Matias, Suronen, Antti-Eemeli, Koskinen, Henri Markus

Application Number

US13/378,247
Publication Number

US 20120096519A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/123   received data contents, e.g...

H04L 63/1458   Denial of Service

H04W 12/08   Access security

H04W 12/106   Packet or message integrity

H04W 12/108   Source integrity

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 88/08   Access point devices

Methods and Apparatuses for Avoiding Denial of Service Attacks By Rogue Access Points

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Apparatuses for Avoiding Denial of Service Attacks By Rogue Access Points

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links