Intrusion detection system for wireless networks

US 7,366,148 B2
Filed: 04/11/2003
Issued: 04/29/2008
Est. Priority Date: 04/11/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for detecting intrusion into a wireless network, the system comprising:

a monitoring station comprising;

a first transceiver for receiving and demodulating a first signal and for sending a first communication, anda first processor coupled to the first transceiver for processing the first signal and for controlling the first transceiver; and

a fusion station comprising;

a second transceiver for receiving and demodulating the first communication and for sending a second communication, anda second processor coupled to the second transceiver for processing the first communication from the monitoring station and for controlling the second transceiver, whereinthe second processor stores attributes of an expected signal;

the first processor calculates attributes of the first signal;

the first communication contains the attributes of the first signal;

the second processor compares the attributes of the first signal with the stored attributes of the expected signal to determine whether the attributes of the first signal deviate from the stored attributes of the expected signal; and

the second communication comprises an alert messages if the attributes of the first signal deviate from the stored attributes of the expected signal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system (FIG. 2) for facilitating detection of intruders into a wireless network, through the use of physical layer anomalies. One or more monitoring stations (22, 24, 26) can be distributed across the potential intruder'"'"'s signal transmission region. They process these transmissions and extract attributes of the signals, which can then transmit to one or more fusion stations (28), which correlate the calculated attributes with stored attributes of signals of known, authorized users of the network, and transmit alert messages in the case that these signal attributes do not match those of known, authorized users. Signal attributes in accordance with the instant invention include the carrier frequency, spurious emissions, and power-on and power-down transients. Also in accordance with the instant invention are methods and systems using both direct and multipath received signal strength, signal-to-noise ratio, and geometric characteristics such as direction/angle of arrival (AOA), time of arrival, position/range, time dispersion, Doppler shift and polarization.

Citations

19 Claims

1. A system for detecting intrusion into a wireless network, the system comprising:
- a monitoring station comprising;
  
  a first transceiver for receiving and demodulating a first signal and for sending a first communication, anda first processor coupled to the first transceiver for processing the first signal and for controlling the first transceiver; and
  
  a fusion station comprising;
  
  a second transceiver for receiving and demodulating the first communication and for sending a second communication, anda second processor coupled to the second transceiver for processing the first communication from the monitoring station and for controlling the second transceiver, whereinthe second processor stores attributes of an expected signal;
  
  the first processor calculates attributes of the first signal;
  
  the first communication contains the attributes of the first signal;
  
  the second processor compares the attributes of the first signal with the stored attributes of the expected signal to determine whether the attributes of the first signal deviate from the stored attributes of the expected signal; and
  
  the second communication comprises an alert messages if the attributes of the first signal deviate from the stored attributes of the expected signal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the second processor compares a frequency content of power-on transient of the first signal, with a frequency content of power-on transient of the expected signal.
  - 3. The system of claim 1, wherein the second processor compares a stored wavelet transform of power-on transient of the first signal, with a wavelet transform of power-on transient of the expected signal.
  - 4. The system of claim 1, wherein the second processor compares a frequency content of power-down transient of the first signal, with a frequency content of power-down transient of the expected signal.
  - 5. The system of claim 1, wherein the second processor compares a stored wavelet transform of power-down transient of the first signal, with a wavelet transform of power-down transient of the expected signal.
  - 6. The system of claim 1, wherein the second processor compares a median, mean, and standard deviation of an IF signal obtained from the first signal, with a median, mean and standard deviation of an IF signal obtained from the expected signal.
  - 7. The system of claim 1, wherein the second processor compares a direct path received power from the first signal and ratio of (multipath) power received in-chip to the direct path received power from the first signal, with a direct path received power from the expected signal and the ratio of (multipath) power received in-chip to the direct path received power from the expected signal.
  - 8. The system of claim 1, wherein the second processor compares polarization and direction of arrival of the first signal to polarization and direction of arrival of the expected signal.
  - 9. The system of claim 1, wherein the attributes of the first signal are extracted at the physical layer.

10. A method for intrusion detection into a wireless network comprising the steps of:
- storing an attribute of an expected signal;
  
  monitoring a first signal having attributes;
  
  receiving and demodulating a first signal having attributes;
  
  calculating an attribute of the first signal;
  
  transmitting a first communication containing the attribute of the first signal;
  
  comparing the attribute of the first signal with the stored attribute of the expected signal to determine whether the attribute of the first signal deviates from the stored attribute of the expected signal; and
  
  transmitting a second communication comprising an alert message if the attribute of the first signal deviates from the stored attribute of the expected signal.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the attribute is a frequency content of power-on transient of the signal.
  - 12. The method of claim 10, wherein the attribute is a wavelet transform of power-on transient of the signal.
  - 13. The method of claim 10, wherein the attribute is a frequency content of power-down transient of the signal.
  - 14. The method of claim 10, wherein the attribute is a wavelet transform of power-down transient of the signal.
  - 15. The method of claim 10, wherein the attribute is a calculated median, mean, or standard deviation of an IF signal obtained from the first signal.
  - 16. The method of claim 10, wherein the attribute is a calculated direct path received power from the signal and a ratio of (multipath) power received in-chip to the direct path received power from the signal.
  - 17. The method of claim 10, wherein the attribute is a calculated polarization and direction of arrival of the signal.
  - 18. The method of claim 10, wherein an attribute includes one or more attributes.
  - 19. The method of claim 10, wherein the attributes of the first signal are extracted at the physical layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Johns Hopkins University
Original Assignee
Johns Hopkins University
Inventors
Muaddi, Albert B., Tomko, Albert A.
Primary Examiner(s)
Milord; Marceau

Application Number

US10/477,026
Publication Number

US 20040162995A1
Time in Patent Office

1,845 Days
Field of Search

726/23, 726/22, 709/224, 713/200, 713/201, 713/182, 370/245, 370/329, 370/252, 370/352, 370/338, 455/456.1, 455/404.2, 455/161.1, 455/445, 455/88, 455/85, 707/104.1
US Class Current

370/338
CPC Class Codes

H04B 17/26   using historical data, aver...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/79   Radio fingerprint

H04W 24/00   Supervisory, monitoring or ...

H04W 80/04   Network layer protocols, e....

Y02D 30/70   in wireless communication n...

Intrusion detection system for wireless networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system for wireless networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links