Method and system for wireless intrusion detection prevention and security management

US 7,295,831 B2
Filed: 02/07/2004
Issued: 11/13/2007
Est. Priority Date: 08/12/2003
Status: Active Grant

First Claim

Patent Images

1. A wireless network intrusion detection and prevention system, comprising:

a plurality of monitor agent applications installed on a plurality of wireless network devices for collecting wireless event data from a wireless network;

a plurality of wireless access points for providing access to the wireless network for the plurality of wireless network devices;

a secure communications link for providing secure communications between the plurality of wireless network devices and other components of the wireless network intrusion detection and prevention system;

a cooperative decision engine for collecting wireless event data from the plurality of monitor agent applications installed on the plurality of wireless network devices the plurality of wireless network devices and the plurality of wireless access points, for screening the wireless event data for normal events and abnormal events, for sending decision data to a response initiator adaptive feedback engine based on processing of the normal event and abnormal events and for receiving state data from the response initiator adaptive feedback engine;

a fuzzy association engine including an adaptive learning detection system for adaptively detecting abnormal events and preventing similar abnormal events based on wireless event data received from the cooperative decision engine; and

a response initiator adaptive feedback engine for receiving decision data from the cooperative decision engine, for sending state information to the cooperative decision engine, for sending response control information to a plurality of wireless access points through the secure communications link, and for maintaining a running mistrust level for the plurality of wireless network devices and the plurality of wireless access points on the wireless network,wherein the running mistrust level of the response initiator adaptive feedback engine includes a plurality of mistrust levels and a plurality of associated response mechanisms,wherein the plurality of response mechanisms include a plurality of security protection suites, andwherein the plurality of security protection suites include an encryption method, a secure hash methods a Diffie-Hellman group method, a method of encryption key authentication and a mistrust level decrement interval.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for wireless intrusion detection, prevention and security management. The method and system provides autonomous wireless intrusion detection and prevention, with minimal or no operator intervention. The method and system integrates a physical layer (e.g., OSI layer 1) a smart wireless radio frequency (RF) antenna subsystem with a data-link layer (e.g., OSI layer 2) wireless security system management platform.

142 Citations

View as Search Results

25 Claims

1. A wireless network intrusion detection and prevention system, comprising:
- a plurality of monitor agent applications installed on a plurality of wireless network devices for collecting wireless event data from a wireless network;
  
  a plurality of wireless access points for providing access to the wireless network for the plurality of wireless network devices;
  
  a secure communications link for providing secure communications between the plurality of wireless network devices and other components of the wireless network intrusion detection and prevention system;
  
  a cooperative decision engine for collecting wireless event data from the plurality of monitor agent applications installed on the plurality of wireless network devices the plurality of wireless network devices and the plurality of wireless access points, for screening the wireless event data for normal events and abnormal events, for sending decision data to a response initiator adaptive feedback engine based on processing of the normal event and abnormal events and for receiving state data from the response initiator adaptive feedback engine;
  
  a fuzzy association engine including an adaptive learning detection system for adaptively detecting abnormal events and preventing similar abnormal events based on wireless event data received from the cooperative decision engine; and
  
  a response initiator adaptive feedback engine for receiving decision data from the cooperative decision engine, for sending state information to the cooperative decision engine, for sending response control information to a plurality of wireless access points through the secure communications link, and for maintaining a running mistrust level for the plurality of wireless network devices and the plurality of wireless access points on the wireless network,wherein the running mistrust level of the response initiator adaptive feedback engine includes a plurality of mistrust levels and a plurality of associated response mechanisms,wherein the plurality of response mechanisms include a plurality of security protection suites, andwherein the plurality of security protection suites include an encryption method, a secure hash methods a Diffie-Hellman group method, a method of encryption key authentication and a mistrust level decrement interval.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The wireless network intrusion detection and prevention system of claim 1 further comprising a plurality of smart wireless antenna subsystems associated with the plurality of wireless access points.
  - 3. The wireless network intrusion detection and prevention system of claim 1 wherein the secure communications link includes wireless encrypted communications.
  - 4. The wireless network intrusion detection and prevention system of claim 1 wherein the cooperative decision engine includes a wireless event anomaly profiler, a normal wireless event profile database and a set of wireless event misuse rules.
  - 5. The wireless network intrusion detection and prevention of claim 1 wherein the response initiator adaptive feedback engine sends alarms and wireless event log files to a network administrator, and receives manual control from the network administrator.
  - 6. The wireless network intrusion detection and prevention of claim 1 wherein the plurality of associated response mechanisms includes continuing normal operation, cycling between the plurality of security protection suites, switching radio frequency bands, or excluding a wireless network device or wireless access point from the wireless network and requesting re-authentication and re-login of the wireless network device or wireless access point on the wireless network.
  - 7. The wireless network intrusion detection and prevention of claim 1 where the decision data includes X, Y coordinates for a physical location of a monitor agent application, wireless network or device, wireless access point where an wireless anomaly event has been detected, a confidence level in the detected wireless anomaly event, a type of wireless anomaly and a mistrust level decrement value from a security protection suite.

8. A wireless network intrusion detection and prevention system, comprising:
- a plurality of monitor agent applications installed on a plurality of wireless network devices for collecting wireless event data from a wireless network;
  
  a plurality of wireless access points for providing access to the wireless network for the plurality of wireless network devices;
  
  a secure communications link for providing secure communications between the plurality of wireless network devices and other components of the wireless network intrusion detection and prevention system;
  
  a cooperative decision engine for collecting wireless event data from the plurality of monitor agent application installed on the plurality of wireless network devices the plurality of wireless network devices and the plurality of wireless access points, for screening the wireless event data for normal events and abnormal events, for sending decision data to a response initiator adaptive feedback engine based on processing of the normal event and abnormal events and for receiving state data from the response initiator adaptive feedback engine;
  
  a fuzzy association engine including an adaptive learning detection system for adaptively detecting abnormal events and preventing similar abnormal events based on wireless event data received from the cooperative decision engine;
  
  a response initiator adaptive feedback engine for receiving decision data from thecooperative decision engine, for sending state information to the cooperative decision engine, for sending response control information to a plurality of wireless access points through the secure communications link, and for maintaining a running mistrust level for the plurality of wireless network devices and the plurality of wireless access points on the wireless network and,where a mistrust level is associated with a mistrust level decrement value and is calculated with;
  
  M_new=M+α
  
  β
  
  −
  
  M_dec—
  
  val,where M_newis a new mistrust level, M is an old mistrust level, α
  
  is a confidence level in a detected anomaly, β
  
  is a weight assigned to a type of anomaly and, M_dec—
  
  valis a mistrust level decrement value.

9. An integrated wireless intrusion detection and prevention security system, comprising:
- a smart wireless antenna subsystem at a physical layer in a wireless network infrastructure on a wireless network for detecting a direction of arrival of a wireless signals from a selected wireless network device from a set of a plurality of wireless network devices on a wireless smart antenna subsystem associated with a wireless access point, for analyzing the direction of arrival to determine whether the detected signal is from a rouge wireless network device, and if so, creating a wireless beamform and directing the wireless signal from the rouge wireless network device to a null area in the wireless signal pattern being transmitted by the wireless access point; and
  
  a wireless network intrusion detection and prevention system at a data link layer in the wireless network infrastructure on the wireless network for collecting wireless event data from the wireless network, analyzing the collected wireless event data for normal and abnormal wireless events, and for providing network security response controls to the plurality of wireless network devices and the wireless access point on the wireless network based on the analyzed collected wireless event data.
- View Dependent Claims (10)
- - 10. The integrated wireless intrusion detection and prevention security system of claim 9 wherein the wireless network intrusion detection and prevention system comprises:
    - a plurality of monitor agent applications installed on a plurality of wireless network devices for collecting wireless event data from a wireless network;
      
      a plurality of wireless access points for providing access to the wireless network for the plurality of wireless network devices;
      
      a secure communications link for providing secure communications between the plurality of wireless network devices and other components of the wireless network intrusion detection and prevention system;
      
      a cooperative decision engine for collecting wireless event data from the plurality of monitor agent applications installed on the plurality of wireless network devices the plurality of wireless network devices and the plurality of wireless access points, for screening the wireless event data for normal events and abnormal events, for sending decision data to a response initiator adaptive, feedback engine based on processing of the normal event and abnormal events and for receiving state data from the response initiator adaptive feedback engine;
      
      a fuzzy association engine including an adaptive learning detection system for adaptively detecting abnormal events and preventing similar abnormal events based on wireless event data received from the cooperative decision engine; and
      
      a response initiator adaptive feedback engine for receiving decision data from the cooperative decision engine, for sending state information to the cooperative decision engine, for sending response control information to a plurality of wireless access points through the secure communications link, and for maintaining a running mistrust level for the plurality of wireless network devices and the plurality of wireless access points on the wireless network.

11. A method for wireless intrusion detection and prevention, comprising:
- detecting a direction of arrival of a wireless signal from a wireless network device on a smart wireless antenna subsystem associated with a wireless access point;
  
  analyzing the direction of arrival to determine whether the wireless signal is from a rouge wireless network device, and if so,adaptively creating a wireless beamform and directing the wireless signal from the rouge wireless network device to a null area in a wireless signal pattern being transmitted by the wireless access point.
- View Dependent Claims (12)
- - 12. The method of claim 11 further comprising a computer readable medium having stored therein instructions for causing a processor to execute the steps of the method.

13. A method for wireless intrusion detection and protection security, comprising:
- maintaining plural mistrust levels for a plurality of wireless signals for a plurality wireless network devices and for a plurality of wireless access points on a wireless network by a wireless security system;
  
  detecting a wireless signal for a wireless event for a selected wireless network device or selected wireless access point on a smart wireless antenna subsystem;
  
  determining a mistrust level for the detected wireless signal via the wireless security system with an adapting learning system including a neural network using decision data created on the wireless security system from the detected wireless signal from the smart wireless antenna subsystem;
  
  comparing the determined mistrust level to a mistrust level stored for the plural wireless signals for the plural wireless network devices and plural wireless access points; and
  
  applying a selected security response control from the wireless security system based on the determined mistrust level to selected wireless network device or wireless access point,wherein the neural network includes a Back Propagation Neural Network with positive training created with new detected wireless signal data, andwherein the Back Propagation Neural Network includes a training vector;
  
  (SS_cn,X_p,Y_p,X_cn,Y_cn), andwherein SS_cna detected wireless signal strength measured at an associated wireless access point P for a selected wireless network device C_nin a particular position (X_cn,Y_cn) and where X_pis an X location of the selected wireless access point P, Y_p, is a Y location of the selected wireless access point P and X_cn, Y_cnare X,Y coordinates of the selected wireless network device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13 further comprising a computer readable medium having stored therein instructions for causing a processor to execute the steps of the method.
  - 15. The method of claim 13, wherein the step of determining a mistrust level includes analyzing the detected wireless signal for normal wireless events and abnormal wireless events.
  - 16. The method of claim 15, wherein the step of determining a mistrust level includes analyzing the detected wireless signal for normal wireless events and abnormal wireless events in association with an adaptive learning detection system that collects and analyzes normal wireless events and abnormal wireless events over a time period T using a neural network that is adaptively and dynamically updated based on new detected wireless signals for normal wireless events and abnormal wireless events.
  - 17. The method of claim 13 wherein the decision data in the step of determining a mistrust level includes X,Y coordinates for a wireless network device or a wireless access point, a confidence level for the detected wireless signal, a type of wireless signal anomaly and mistrust level decrement interval from a security protection suite.
  - 18. The method of claim 13 wherein step of applying a selected security response control includes cycling among a plurality of security protection suites, switching wireless bands, requiring re-authentication and/or re-identification, forcing the selected wireless network device or wireless access point off the wireless network.
  - 19. The method of claim 13 wherein step of applying a selected security response control includes cycling among a plurality of security protection suites as mistrust level is changed for a selected wireless network device or a wireless access point based on the determined mistrust level.
  - 20. The method of claim 13 wherein the smart wireless antenna subsystem operates at physical layer in a wireless network infrastructure on the wireless network.
  - 21. The method of claim 13 wherein the wireless security system operates at data-link layer or higher layers in a wireless network infrastructure on the wireless network.

22. A method for wireless intrusion or detection and protection security, comprising:
- maintaining plural mistrust levels for a plurality of wireless signals for a plurality wireless network devices and for a plurality of wireless access points on a wireless network by a wireless security system;
  
  detecting a wireless signal for a wireless event for a selected wireless network device or selected wireless access point on a smart wireless antenna subsystem;
  
  determining a mistrust level for the detected wireless signal via the wireless security system using decision data created on the wireless security system from the detected wireless signal from the smart wireless antenna subsystem;
  
  comparing the determined mistrust level to a mistrust level stored for the plural wireless signals for the plural wireless network devices and plural wireless access points; and
  
  applying a selected security response control from the wireless security system based on the determined mistrust level to selected wireless network device or wireless access point, including cycling among a plurality of security protection suites, switching wireless bands, requiring re-authentication and/or re-identification, forcing the selected wireless network device or wireless access point off the wireless network,wherein the plurality of security protection suites include an encryption method, a secure hash method, a Diffie-Hellman group method, a method of encryption key authentication and a mistrust level decrement value.
- View Dependent Claims (23)
- - 23. The method of claim 22 further comprising a computer readable medium having stored therein instructions for causing one or more processors to execute the steps of the method.

24. A method for wireless intrusion detection and protection security, comprising:
- maintaining plural mistrust levels for a plurality of wireless signals for a plurality wireless network devices and for a plurality of wireless access points on a wireless network by a wireless security system;
  
  detecting a wireless signal for a wireless event for a selected wireless network device or selected wireless access point on a smart wireless antenna subsystem;
  
  determining a mistrust level for the detected wireless signal via the wireless security system using decision data created on the wireless security system from the detected wireless signal from the smart wireless antenna subsystem;
  
  comparing the determined mistrust level to a mistrust level stored for the plural wireless signals for the plural wireless network devices and plural wireless access points; and
  
  applying a selected security response control from the wireless security system based on the determined mistrust level to selected wireless network device or wireless access point, including directing the selected wireless network device or wireless access point to a wireless null in a wireless signal pattern with the smart wireless antenna subsystem.
- View Dependent Claims (25)
- - 25. The method of claim 24 further comprising a computer readable medium having stored therein instructions for causing one or more processors to execute the steps of the method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
3e Technologies International, Inc. (Ultra Electronics Holdings PLC)
Original Assignee
3e Technologies International, Inc. (Ultra Electronics Holdings PLC)
Inventors
Coleman, Ryon K., Fossaceca, John M., Brown, William J.
Primary Examiner(s)
Feild, Joseph
Assistant Examiner(s)
Peaches, Randy

Application Number

US10/773,866
Publication Number

US 20050037733A1
Time in Patent Office

1,375 Days
Field of Search

455/41.2, 455/456.1, 455/404.2, 455/410, 726/22, 726/25, 726/27
US Class Current

455/410
CPC Class Codes

H04B 7/086   using weights depending on ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/63   Location-dependent; Proximi...

H04W 16/28   using beam steering

H04W 48/02   Access restriction performe...

Method and system for wireless intrusion detection prevention and security management

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Method and system for wireless intrusion detection prevention and security management

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others