Method and system for actively defending a wireless LAN against attacks

US 7,526,808 B2
Filed: 03/08/2006
Issued: 04/28/2009
Est. Priority Date: 05/20/2002
Status: Expired due to Term

First Claim

Patent Images

1. A network security system, the system comprising:

a system data store configured to store risk criteria data, network default data, and network performance and usage data;

a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;

a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising;

receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame via the communication interface;

detecting a violation by applying a plurality of intrusion detection tests that each compare the received data with data in the system data store or information derived therefrom;

generating an alarm signal upon detecting a violation.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received an active defense of the wireless network is triggered. The triggered active defense may be on or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packet appearing legitimate but containing randomized payloads, or transmitting a channel change request to the potentially compromised access point.

Citations

26 Claims

1. A network security system, the system comprising:
- a system data store configured to store risk criteria data, network default data, and network performance and usage data;
  
  a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;
  
  a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising;
  
  receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame via the communication interface;
  
  detecting a violation by applying a plurality of intrusion detection tests that each compare the received data with data in the system data store or information derived therefrom;
  
  generating an alarm signal upon detecting a violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The system of claim 1, wherein the system data store comprises a statistics data store that stores historical data regarding the wireless computer network.
  - 3. The system of claim 2, wherein the system processor applies a statistical anomaly test during violation detection that compares the received data with network default data in the system data store, information derived therefrom, data in the statistics data store, information derived therefrom, or risk criteria data stored in the system data store.
  - 4. The system of claim 2, wherein the system processor is further programmed or adapted to perform the step comprising updating the statistics data store based upon the received data.
  - 5. The system of claim 1, wherein the first communication interface'"'"'s receiver receives signals corresponding to a frame transmitted between stations and access points within the wireless computer network and forwards data corresponding to the frame to the system processor.
  - 6. The system of claim 5, wherein the first communication interface'"'"'s receiver is a wireless receiver.
  - 7. The system of claim 5, wherein the signals received by the first communication interface'"'"'s receiver originate from an access point within the wireless computer network, from a station within the wireless computer network, or from one or more sensors located within an area serviced by the wireless computer network.
  - 8. The system of claim 7, further comprising one or more sensors located within an area serviced by the wireless network, wherein each of the one or more sensors comprise a wireless receiver capable of receiving frames transmitted over the wireless computer network and a transmitter capable of transmitting data associated with received frames over the communication channel to the first communication interface.
  - 9. The system of claim 8, wherein each sensor further comprise at least one processing element of the system processor and wherein the at least one processing element is programmed or adapted to cause the sensor'"'"'s transmitter to forward data associated with received frames in response to reception of received frames by the sensor'"'"'s wireless receiver.
  - 10. The system of claim 9, wherein each sensor'"'"'s transmitter is a wireless transmitter or wherein each sensor further comprises a wireless transmitter, and wherein each sensor'"'"'s at least one processor is further programmed or adapted to perform the step comprising triggering an active defense of the wireless computer network in response to a generated alarm.
  - 11. The system of claim 5, wherein the first communication interface further comprises a transmitter that transmits outbound communications to the communication channel.
  - 12. The system of claim 11, further comprising a device housing that houses the first communication interface and at least one processing element of the system processor, thereby forming a first device, and one or more additional devices, wherein each additional device comprises a housing, a device communication interface allowing communication via the communication channel and at least one processing element of the system processor, wherein the signals received by any of the first or the additional devices'"'"' respective communication interface originate from an access point within the wireless computer network, from a station within the wireless computer network, or from a different device.
  - 13. The system of claim 12, further comprising one or more sensors located within an area serviced by the wireless network, wherein each of the one or more sensors comprise a wireless receiver capable of receiving frames transmitted over the wireless computer network and a transmitter capable of transmitting data associated with received frames over the communication channel to the first communication interface, wherein the signals received by any of the first or the additional devices'"'"' respective communication interface may also originate from one of the one or more sensors.
  - 14. The system of claim 1, wherein the first communication interface further comprises a transmitter that transmits outbound communications to the communication channel and wherein the system processor is programmed or adapted to perform the steps comprising triggering an active defense of the wireless computer network in response to a generated alarm.
  - 15. The system of claim 14, wherein each generated alarm comprises a type or a severity and wherein the system processor'"'"'s triggering of an active defense comprises the step of selecting an active defense based upon the type or the severity of the generated alarm to which the triggering step was responsive.
  - 16. The system of claim 1, wherein the system processor is further programmed or adapted to perform the steps comprising:
    - receiving configuration information; and
      
      storing the received configuration information in the system data store.
  - 17. The system of claim 16, wherein the configuration information is received by the system processor from a configuration file, from an interactive data entry interface or from a command line.
  - 18. The system of claim 16, wherein the received configuration information comprises network default data and risk criteria.
  - 19. The system of claim 1, wherein the system data store comprises a station data store and wherein the system processor is further programmed or adapted to perform the step comprising updating the station data store based upon the received data.
  - 20. The system of claim 1, wherein the system data store comprises an access point data store and wherein the system processor is further programmed or adapted to perform the step comprising updating the access point data store based upon the received data.
  - 21. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising notifying an administrator of the generated alarm if a violation was detected.
  - 22. The system of claim 1, wherein the plurality of test applied by the system processor comprises two or more tests selected from the group consisting of signature test, protocol test, statistical anomaly test and policy test.
  - 23. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising mapping a station'"'"'s logical identity.
  - 24. The system of claim 23, wherein the system processor is further programmed or adapted to perform the step comprising mapping station'"'"'s physical location.

25. A method for detecting wireless intruders, the wireless intruders having the potential to compromise a wired network, the method comprising:
- establishing risk criteria data, network default data and network performance and usage data based upon one or more of;
  
  a system administrator, a wireless network survey, or baseline wireless traffic levels;
  
  receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame via the communication interface;
  
  detecting a policy violation by applying a plurality of intrusion detection tests, the intrusion detection tests being configured to compare the received data with one or more of the risk criteria data, the network default data, the network performance and usage data, or information derived therefrom; and
  
  generating an alarm signal upon detecting a violation, the alarm signal indicating that a potential intruder has been detected, the alarm signal being operable to alert an active defense system to defend the network against the potential intruder.

26. One or more computer readable media storing instructions configured to detect a wireless intruder, the instructions comprising:
- policy establishment instructions configured to establish a policy based upon risk criteria data, network default data, and network performance and usage data, wherein the risk criteria data, network default data, and network performance and usage data being based upon one or more of;
  
  input from a system administrator, a wireless network survey, or baseline wireless traffic levels;
  
  network interface logic configured to receive data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame via the communication interface;
  
  policy violation detection instructions configured to detect a policy violation by applying a plurality of intrusion detection tests, the intrusion detection tests being configured to compare the received data with one or more of the risk criteria data, the network default data, the network performance and usage data, or information derived therefrom; and
  
  alarm instructions configured to generate an alarm signal responsive to the policy violation detection instructions, the alarm signal indicating that a potential intruder has been detected, the alarm signal being operable to alert an active defense system to defend the network against the potential intruder.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Hrastar, Scott, Lynn, Michael T.
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US11/370,611
Publication Number

US 20070192870A1
Time in Patent Office

1,147 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04K 2203/18   for wireless local area net...

H04K 2203/22   for communication related t...

H04K 3/224   with countermeasures at tra...

H04K 3/45   characterized by including ...

H04K 3/65   using deceptive jamming or ...

H04K 3/825   by jamming

H04K 3/86   related to preventing decep...

H04L 41/0681   Configuration of triggering...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

H04W 12/122   Counter-measures against at...

H04W 84/12   WLAN [Wireless Local Area N...

Method and system for actively defending a wireless LAN against attacks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for actively defending a wireless LAN against attacks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links