Method and system for detecting characteristics of a wireless network

US 7,603,710 B2
Filed: 04/03/2003
Issued: 10/13/2009
Est. Priority Date: 04/03/2003
Status: Active Grant

First Claim

Patent Images

1. In a wireless network, a method comprising:

detecting a first packet identifying a wireless access device, a type of the first packet, and at least one device currently communicating with the wireless access device;

defining a first state of operation of said wireless access device as the type of the first packet and the identity of the at least one device;

creating a state transition table for the wireless access device that includes a first entry indicative of the first state;

observing a sampling of fewer than all of a plurality of packets transmitted or received by the wireless access device to determine a type of the sampled packets and one or more source devices or one or more destination devices of the sampled packets;

defining a current state of operation of the wireless access device as the type of the sampled packets and the one or more source devices or destination devices;

determining, based on said sampling of packets, that a state change has occurred for the wireless access device when the first state differs from the current state, and when said state change has occurred;

identifying said state change in said state transition table,generating an event notification indicating said state change, andchecking, using at least one security policy element, whether the state change corresponds to a prohibited activity based on said event notification; and

sending, based on a result of said checking, an alert indicating that said state change has occurred in the wireless network only when the result of said checking indicates a violation of the at least one security policy element.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.

Citations

13 Claims

1. In a wireless network, a method comprising:
- detecting a first packet identifying a wireless access device, a type of the first packet, and at least one device currently communicating with the wireless access device;
  
  defining a first state of operation of said wireless access device as the type of the first packet and the identity of the at least one device;
  
  creating a state transition table for the wireless access device that includes a first entry indicative of the first state;
  
  observing a sampling of fewer than all of a plurality of packets transmitted or received by the wireless access device to determine a type of the sampled packets and one or more source devices or one or more destination devices of the sampled packets;
  
  defining a current state of operation of the wireless access device as the type of the sampled packets and the one or more source devices or destination devices;
  
  determining, based on said sampling of packets, that a state change has occurred for the wireless access device when the first state differs from the current state, and when said state change has occurred;
  
  identifying said state change in said state transition table,generating an event notification indicating said state change, andchecking, using at least one security policy element, whether the state change corresponds to a prohibited activity based on said event notification; and
  
  sending, based on a result of said checking, an alert indicating that said state change has occurred in the wireless network only when the result of said checking indicates a violation of the at least one security policy element.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as in claim 1, where said determining further comprises:
    - comparing said first state with said current state of said wireless access device; and
      
      creating a new entry in said state transition table if said current state of said wireless access device is different than said first state of said wireless access device.
  - 3. A method as in claim 1, where said checking further comprises:
    - determining if an unauthorized communication has occurred with the one or more source devices or the one or more destination devices utilizing illegitimate credentials; and
      
      sending a notification if it has been determined that an unauthorized communication with the one or more source devices or the one or more destination devices utilizing illegitimate credentials has occurred.
  - 4. A method as in claim 1, where said checking further comprises:
    - comparing the current state of said wireless access device with the first entry in said state transition table, where the first entry is indicative of said first state;
      
      if said current state and said first state are different based on the comparing, determining if an illegal state change has occurred; and
      
      sending a notification if it has been determined that an illegal state change has occurred.
  - 5. A method as in claim 4, where said determining if an illegal state change has occurred further comprises:
    - determining a group of possible prior state values of the wireless access device based on the current state of said wireless access device;
      
      determining whether the actual previous state of said wireless access device matches one of said group of possible prior states; and
      
      generating the notification if said actual previous state is not among said group of possible prior states.
  - 6. A method as in claim 1, where the prohibited activity comprises at least one of a security violation, communication with an intruder, or anomalous behavior of the wireless access device.
  - 7. A method as in claim 1, where the type of the first packet or the type of the sampled packets comprises at least one of a generic packet type, a diagnostic packet type, an event packet type, or a configuration packet type.

8. A system for detecting state changes in a wireless network, comprising:
- means for detecting a first packet identifying a wireless access device, a type of the first packet, and at least one device in communication with the wireless access device via the wireless network;
  
  means for defining, based on the type of the first packet and the at least one device, a first state of a session between the wireless access device and the at least one device;
  
  means for creating a state transition table for the wireless access device, the state transition table including a first entry indicative of the first state;
  
  means for intermittently observing fewer than all of a plurality of packets transmitted or received by said wireless access device to determine types of the observed packets and sources and destinations of the observed packets;
  
  means for determining, based on said intermittent observation of said plurality of packets, that a state change has occurred from the first state when at least one of the types of observed packets differs from the type of the first packet and when the observed packets have sources or destinations other than the at least one device;
  
  means for identifying said state change in said state transition table when said state change has occurred;
  
  means for generating an event notification indicating said state change;
  
  means for checking, using at least one security policy element, whether prohibited activity or a permitted activity has occurred in the wireless network based on the event notification;
  
  means for sending, based on a result from said means for checking, an alert indicating that said prohibited activity has occurred only when said result indicates a violation of the at least one security policy element.
- View Dependent Claims (9, 10)
- - 9. A system as in claim 8, where the prohibited activity comprises at least one of a security violation, communication with an intruder, or anomalous behavior of the wireless access device.
  - 10. A system as in claim 8, where the type of the first packet or the type of the observed packets comprises at least one of a generic packet type, a diagnostic packet type, an event packet type, or a configuration packet type.

11. A computer readable storage medium containing computer program instructions for:
- creating a state transition table for a wireless access device in a wireless network;
  
  parsing a packet to or from the wireless access device to determine a first type of the packet and at least one destination network device or source network device for the packet and thereby form first state information;
  
  defining, using the first state information, a first operational state;
  
  entering the first operational state in the state transition table;
  
  observing a first section of a plurality of packets and a second section of said plurality of packets transmitted or received by said wireless access device;
  
  determining, based on said first and second sections of said plurality of packets, a state change has occurred for said wireless access device when the first or second sections of the packets identify a destination network device or source device other than the at least one destination network device or source device;
  
  determining, based on said first and second sections of said plurality of packets, the state change has occurred for said wireless access device when the first or second sections of the packets identify a second type of packet that differs from the first type of packet;
  
  defining, using information indicative of said state change, a second operational state, and when the state change has occurred;
  
  identifying said second operational state in said state transition table,generating an event notification indicating said state change,checking, using at least one security policy element, whether said state change corresponds to a permitted activity or a prohibited activity in the wireless network; and
  
  sending, based on a result of said checking, an alert indicating that said prohibited activity has occurred only when said result indicates a violation of the at least one security policy element.
- View Dependent Claims (12, 13)
- - 12. A computer readable storage medium as in claim 11, where the prohibited activity comprises at least one of a security violation, communication with an intruder, or anomalous behavior of the wireless access device.
  - 13. A computer readable storage medium as in claim 11, where the first and the second types of packets comprise at least one of a generic packet type, a diagnostic packet type, and event packet type, or a configuration packet type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ozmo Licensing LLC
Original Assignee
Network Security Technologies, Inc. (Verizon Communications Inc.)
Inventors
Harvey, Elaine, Walnock, Matthew
Primary Examiner(s)
Pich; Ponnoreay

Application Number

US10/405,473
Publication Number

US 20040252837A1
Time in Patent Office

2,385 Days
Field of Search

713/168, 713/455, 713/410, 713/161, 713200-201, 713150-152, 713/155, 709/249, 709220-227, 709/228, 709/202, 380/247, 380/270
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

Method and system for detecting characteristics of a wireless network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting characteristics of a wireless network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links