Method and system for detecting characteristics of a wireless network
First Claim
1. In a wireless network, a method comprising:
detecting a first packet identifying a wireless access device, a type of the first packet, and at least one device currently communicating with the wireless access device;
defining a first state of operation of said wireless access device as the type of the first packet and the identity of the at least one device;
creating a state transition table for the wireless access device that includes a first entry indicative of the first state;
observing a sampling of fewer than all of a plurality of packets transmitted or received by the wireless access device to determine a type of the sampled packets and one or more source devices or one or more destination devices of the sampled packets;
defining a current state of operation of the wireless access device as the type of the sampled packets and the one or more source devices or destination devices;
determining, based on said sampling of packets, that a state change has occurred for the wireless access device when the first state differs from the current state, and when said state change has occurred;
identifying said state change in said state transition table, generating an event notification indicating said state change, and checking, using at least one security policy element, whether the state change corresponds to a prohibited activity based on said event notification; and
sending, based on a result of said checking, an alert indicating that said state change has occurred in the wireless network only when the result of said checking indicates a violation of the at least one security policy element.
Abstract
Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a wireless local area network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.
13 Claims
1. In a wireless network, a method comprising: (independent claim set out in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting state changes in a wireless network, comprising:
means for detecting a first packet identifying a wireless access device, a type of the first packet, and at least one device in communication with the wireless access device via the wireless network;
means for defining, based on the type of the first packet and the at least one device, a first state of a session between the wireless access device and the at least one device;
means for creating a state transition table for the wireless access device, the state transition table including a first entry indicative of the first state;
means for intermittently observing fewer than all of a plurality of packets transmitted or received by said wireless access device to determine types of the observed packets and sources and destinations of the observed packets;
means for determining, based on said intermittent observation of said plurality of packets, that a state change has occurred from the first state when at least one of the types of observed packets differs from the type of the first packet and when the observed packets have sources or destinations other than the at least one device;
means for identifying said state change in said state transition table when said state change has occurred;
means for generating an event notification indicating said state change;
means for checking, using at least one security policy element, whether prohibited activity or a permitted activity has occurred in the wireless network based on the event notification;
means for sending, based on a result from said means for checking, an alert indicating that said prohibited activity has occurred only when said result indicates a violation of the at least one security policy element.
Dependent claims: 9, 10.
11. A computer readable storage medium containing computer program instructions for:
creating a state transition table for a wireless access device in a wireless network;
parsing a packet to or from the wireless access device to determine a first type of the packet and at least one destination network device or source network device for the packet and thereby form first state information;
defining, using the first state information, a first operational state;
entering the first operational state in the state transition table;
observing a first section of a plurality of packets and a second section of said plurality of packets transmitted or received by said wireless access device;
determining, based on said first and second sections of said plurality of packets, a state change has occurred for said wireless access device when the first or second sections of the packets identify a destination network device or source device other than the at least one destination network device or source device;
determining, based on said first and second sections of said plurality of packets, the state change has occurred for said wireless access device when the first or second sections of the packets identify a second type of packet that differs from the first type of packet;
defining, using information indicative of said state change, a second operational state, and when the state change has occurred;
identifying said second operational state in said state transition table, generating an event notification indicating said state change, checking, using at least one security policy element, whether said state change corresponds to a permitted activity or a prohibited activity in the wireless network; and
sending, based on a result of said checking, an alert indicating that said prohibited activity has occurred only when said result indicates a violation of the at least one security policy element.
Dependent claims: 12, 13.
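The three independent claims describe one detection loop: derive a state for each access device as (type of the sampled packets, set of devices seen as source or destination), keep a per-device state transition table, record a transition when the state differs from the last entry, raise an event notification, and alert only when a policy element marks the transition as prohibited. The following is an added example that is not code from the patent or its assignee; the frame records, station names, frame-type labels and the two policy rules (an allow-list of stations per access point and a set of forbidden frame types) are all constructed assumptions used to show the mechanism end to end, including sub-sampling of the packet stream.

```python
# Added example, not code from the patent or its assignee: a minimal
# per-access-point state tracker modelled on claims 1, 8 and 11 above.
# Frame records, policy rules, station names and type labels are all
# constructed assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """One observed frame: the access device it concerns, its type and endpoints."""
    ap: str
    ftype: str   # assumed type labels: "data", "deauth", ...
    src: str
    dst: str


# A state of operation is (type of the sampled packets, devices other than the
# AP seen as source or destination), as the claims define it.
State = Tuple[str, FrozenSet[str]]


def sample(frames: List[Frame], stride: int) -> List[Frame]:
    """Observe only every stride-th frame: fewer than all of the packets."""
    return frames[::stride]


def state_from(ap: str, frames: List[Frame]) -> Optional[State]:
    """Derive the current state of `ap` from a (sub)sample of frames."""
    mine = [f for f in frames if f.ap == ap]
    if not mine:
        return None
    ftype = mine[-1].ftype  # simplification: type of the most recent sampled frame
    peers = frozenset(x for f in mine for x in (f.src, f.dst) if x != ap)
    return (ftype, peers)


@dataclass
class Policy:
    """Security policy element (assumed): stations each AP may serve and
    frame types that are prohibited outright."""
    allowed_peers: Dict[str, FrozenSet[str]]
    forbidden_types: FrozenSet[str] = frozenset({"deauth"})

    def violation(self, ap: str, new: State) -> Optional[str]:
        ftype, peers = new
        if ftype in self.forbidden_types:
            return f"{ap}: prohibited frame type {ftype}"
        unknown = peers - self.allowed_peers.get(ap, frozenset())
        if unknown:
            return f"{ap}: unauthorized peer(s) {sorted(unknown)}"
        return None


@dataclass
class Monitor:
    policy: Policy
    # state transition table per access device: the ordered list of states seen
    tables: Dict[str, List[State]] = field(default_factory=dict)
    events: List[Tuple[str, State, State]] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def observe(self, ap: str, sampled: List[Frame]) -> Optional[str]:
        """Process one sampled window; return an alert string only on a violation."""
        cur = state_from(ap, sampled)
        if cur is None:
            return None
        table = self.tables.setdefault(ap, [])
        if not table:
            table.append(cur)            # first entry indicative of the first state
            return None
        prev = table[-1]
        if cur == prev:
            return None                  # no state change: nothing to record
        table.append(cur)                # identify the state change in the table
        self.events.append((ap, prev, cur))   # event notification
        alert = self.policy.violation(ap, cur)
        if alert:
            self.alerts.append(alert)    # alert only when policy is violated
        return alert


def run_demo() -> Monitor:
    """Constructed observation windows for one AP, sampled at stride 2."""
    mon = Monitor(Policy(allowed_peers={"ap1": frozenset({"sta-a", "sta-b"})}))
    windows = [
        # authorized station sta-a exchanging data with ap1
        [Frame("ap1", "data", "sta-a", "ap1"), Frame("ap1", "data", "ap1", "sta-a")],
        # second authorized station joins: a state change, but permitted
        [Frame("ap1", "data", "sta-b", "ap1"), Frame("ap1", "data", "ap1", "sta-a"),
         Frame("ap1", "data", "sta-a", "ap1"), Frame("ap1", "data", "ap1", "sta-b")],
        # unknown station sta-x talks to ap1: prohibited peer
        [Frame("ap1", "data", "sta-x", "ap1"), Frame("ap1", "data", "ap1", "sta-x")],
        # deauthentication frames attributed to ap1: prohibited type
        [Frame("ap1", "deauth", "ap1", "sta-a"), Frame("ap1", "deauth", "ap1", "sta-b")],
    ]
    for window in windows:
        mon.observe("ap1", sample(window, 2))
    return mon


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

Running the demo records four states in the table for ap1 and three transitions, but only two alerts: the second window changes the state (a second station appears) without violating the assumed policy, so it produces an event notification and no alert, which is exactly the claims' distinction between a state change and a prohibited activity. Two caveats a practitioner should keep in mind: sub-sampling means a short-lived transition (a rogue station that sends one frame between two sampled ones) can be missed entirely, so the stride must be chosen against the shortest association worth catching; and the "identity" of a peer here is whatever address the frame carries, which an attacker can spoof, so entries in the table are evidence to correlate with other sources rather than proof of who was on the air.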