Active defense against wireless intruders

US 7,779,476 B2
Filed: 10/20/2006
Issued: 08/17/2010
Est. Priority Date: 05/20/2002
Status: Active Grant

First Claim

Patent Images

1. A network security system the system comprising:

a system data store capable of storing network default and configuration data;

a network interface configured to communicate with a plurality of wireless devices operating on a wireless network;

a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and the wireless transmitter and wherein the system processor is programmed or adapted to perform the steps comprising of;

receiving an active defense request signal, wherein the active defense request signal comprises a notification corresponding to a potentially compromised access point in the wireless computer network and is triggered responsive to detection of unauthorized wireless activity in an airspace; and

responsive to receipt of the active defense request signal, selecting one or more active defense routines, the selection of the one or more active defense routines being based upon the active defense request signal;

causing the selected one or more active defense routines to be executed, wherein the selected one or more active defense routines can be executed by the plurality of wireless devices, by the system processor, or by combinations thereof;

wherein the selected one or more active defense routines are designed to selectively inhibit the detected unauthorized wireless activity from transmitting on the network.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received an active defense of the wireless network is triggered. The triggered active defense may be on or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packet appearing legitimate but containing randomized payloads, or transmitting a channel change request to the potentially compromised access point.

Citations

36 Claims

1. A network security system the system comprising:
- a system data store capable of storing network default and configuration data;
  
  a network interface configured to communicate with a plurality of wireless devices operating on a wireless network;
  
  a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and the wireless transmitter and wherein the system processor is programmed or adapted to perform the steps comprising of;
  
  receiving an active defense request signal, wherein the active defense request signal comprises a notification corresponding to a potentially compromised access point in the wireless computer network and is triggered responsive to detection of unauthorized wireless activity in an airspace; and
  
  responsive to receipt of the active defense request signal, selecting one or more active defense routines, the selection of the one or more active defense routines being based upon the active defense request signal;
  
  causing the selected one or more active defense routines to be executed, wherein the selected one or more active defense routines can be executed by the plurality of wireless devices, by the system processor, or by combinations thereof;
  
  wherein the selected one or more active defense routines are designed to selectively inhibit the detected unauthorized wireless activity from transmitting on the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the selected active defense routine comprises one or more of:
    - jamming wireless transmissions;
      
      introducing CRC errors;
      
      transmitting frames comprising random data;
      
      or, transmitting spoofed link management frames to disrupt unauthorized wireless communication between two wireless devices.
  - 3. The system of claim 1, wherein the selected active defense routine comprises one or more of:
    - locking-down the wireless network;
      
      disabling one or more network interfaces on a device;
      
      disabling access of the wireless network to the wired distribution system;
      
      restricting access of one or more wireless devices to a limited portion of the network;
      
      or, quarantining one or more wireless devices.
  - 4. The system of claim 1, wherein the selected active defense routine comprises disabling wired network access port to which a wireless device is connected.
  - 5. The system of claim 1, wherein the selected active defense routine comprises one or more of disabling one or more network interfaces on a device;
    - disabling access of the wireless network to the wired distribution system;
      
      or, restricting access of one or more wireless devices to a limited portion of the network.
  - 6. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of mapping station identity.
  - 7. The system of claim 1 wherein the system processor is further programmed or adapted to perform the step comprising of monitoring a computer associated with the detected unauthorized wireless activity.
  - 8. The system of claim 1 wherein the system processor is further programmed or adapted to perform the step comprising of monitoring the wireless computer network using the wireless receiver.
  - 9. The system of claim 8, wherein the system processor is further programmed or adapted to perform the step comprising of detecting unauthorized wireless activity in an airspace, thereby providing a wireless intrusion prevention system.
  - 10. The system of claim 1, further comprising a wired communication interface via which the system processor communicates with the access point and wherein the system processor is programmed or adapted to transmit an active defense activation signal via the wired communication interface.
  - 11. The system of claim 1, further comprising a wired communication interface via which the system processor communicates with an intrusion detection system and wherein the system processor is programmed or adapted to receive the configuration data associated with the access point from the intrusion detection system via the wired communication interface.
  - 12. The system of claim 1, wherein the system processor is further programmed or adapted to perform ti-e step comprising of requesting the configuration data associated with an access point.
  - 13. The system of claim 12, wherein the system processor is further programmed or adapted to perform the step comprising of receiving an active defense request signal and wherein the system processor requests the configuration data associated with the access point in response to the received active defense request signal.
  - 14. The system of claim 12, wherein the system processor is further programmed or adapted to request the configuration data associated with the access point from the access point or from an intrusion detection system.

15. A method of providing a wireless intrusion prevention system for a wireless network, the method comprising the steps of:
- receiving an active defense request signal from an intrusion detection system, wherein the received request signal comprises an indicator corresponding to a wireless device that is potentially compromised by an intruder;
  
  requesting configuration data associated with the wireless device from the wireless device or the intrusion detection system;
  
  receiving the configuration data associated with the wireless device;
  
  storing identification information associated with the wireless device based on the received configuration data; and
  
  executing an active defense routine responsive receiving an active defense request signal from the intrusion detection system, the active defense routine is configured to selectively inhibit unauthorized wireless activity associated with the intruder.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, wherein the step of executing an active defense routine responsive to receiving an active defense request signal comprises selectively removing a wireless device associated with the intruder from the wireless network.
  - 17. The method of claim 15, wherein the step of executing an active defense routine comprises instructing access points associated with the wireless network to disassociate with a wireless device associated with the intruder.
  - 18. The method of claim 15, wherein the selected active defense routine comprises jamming wireless transmissions;
    - introducing CRC errors;
      
      transmitting spoofed link management frames comprising random data;
      
      transmitting spoofed link management frames to disrupt unauthorized wireless communication between two wireless devices;
      
      (disabling one or in more network interfaces on a device;
      
      disabling access of the wireless network to the wired distribution system;
      
      restricting access of one or more wireless devices to a limited portion of the network;
      
      or, quarantining one or more wireless devices.
  - 19. The method of claim 15, wherein the selected active defense routine comprises disabling a wired network access port to which a wireless device associated with the intruder is connected.
  - 20. The method of claim 15, further comprising detecting unauthorized wireless activity associated with at least a portion of the wireless network;
    - asserting an active defense request signal responsive to detecting unauthorized activity.
  - 21. The method of claim 20, wherein the step of detecting comprises testing communications against a predefined network usage policy;
    - and signaling a violation responsive to test results.
  - 22. The method of claim 21, wherein the step of detecting further comprises testing communications for a statistical anomaly occurring in the communications.
  - 23. The method of claim 22, wherein the step of detecting further comprises testing communications for a protocol violation.
  - 24. The method of claim 23, wherein the stop of detecting further comprises testing communications for a threshold match to a signature associated with cm attack.
  - 25. The method of claim 21, further comprising determining whether to assert the active defense request signal in response to test results from the policy, anomaly, protocol and signature tests.

26. Computer readable storage media storing instructions that upon execution by a system processor causes the system processor to perform steps comprising:
- receiving an active defense request signal from an intrusion detection system, wherein the received request signal comprises an indicator corresponding to a wireless device that is potentially compromised by an intruder;
  
  requesting configuration data associated with the wireless device from the wireless device or the intrusion detection system;
  
  receiving the configuration data associated with the wireless device;
  
  storing identification information associated with the wireless device based on the received configuration data; and
  
  executing an active defense routine responsive receiving an active defense request signal from the intrusion detection system, wherein the active defense routine is configured to selectively inhibit unauthorized wireless activity associated, with the intruder.

27. A method for actively defending a wireless network against intrusion, comprising:
- receiving a plurality of wireless frames transmitted in a wireless airspace located proximate to a wireless or wired network to be protected;
  
  performing a plurality of tests on the plurality of wireless frames;
  
  detecting an intrusion to the wireless network based upon patterns, statistics, content, or policy violations identified by the plurality of tests performed on the plurality of wireless frames;
  
  storing any of the plurality of wireless frames associated with the intrusion;
  
  independently initiating and executing one or more active defense mechanisms responsive to the detection of an intrusion, wherein the one or more active defense mechanisms are designed to selectively obstruct unauthorized wireless activity associated with the intrusion.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. The method of claim 27, further comprising generating a report based upon the plurality of tests.
  - 29. The method of claim 28, wherein the report is delivered at a predefined frequency.
  - 30. The method of claim 28, wherein the report comprises a summary of any detected statistics, alarms, events or issues.
  - 31. The method of claim 27, further comprising receiving updated security settings from a central server.
  - 32. The method of claim 31, wherein the updated security settings comprise one or more updated tests.
  - 33. The method of claim 31, wherein the updated security settings comprise updated patterns, statistics, content, or policy violations.
  - 34. The method of claim 27, further comprising receiving software upgrades from a central server.
  - 35. The method of claim 27, wherein the active defense mechanism comprises terminating a connection between the wireless network and a wireless device associated with the intrusion.
  - 36. The method of claim 27 wherein the active defense mechanism comprises terminating a connection between the wireless network and a wired device associated with the intrusion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Hrastar, Scott E., Lynn, Michael T.
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US11/551,315
Publication Number

US 20070094741A1
Time in Patent Office

1,397 Days
Field of Search

726/26, 726 12- 14, 726/23, 713/150, 713/151, 713/161, 713/168, 380/255, 380/270
US Class Current

726/26
CPC Class Codes

H04K 2203/18   for wireless local area net...

H04K 2203/22   for communication related t...

H04K 3/224   with countermeasures at tra...

H04K 3/45   characterized by including ...

H04K 3/65   using deceptive jamming or ...

H04K 3/825   by jamming

H04K 3/86   related to preventing decep...

H04L 41/0681   Configuration of triggering...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

H04W 12/122   Counter-measures against at...

H04W 84/12   WLAN [Wireless Local Area N...

Active defense against wireless intruders

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Active defense against wireless intruders

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links