Systems and methods for wireless network content filtering

US 7,970,013 B2
Filed: 06/16/2006
Issued: 06/28/2011
Est. Priority Date: 06/16/2006
Status: Active Grant

First Claim

Patent Images

1. A method of determining an application associated with content of frames transmitted on a wireless network, the method comprising the steps of:

associating one or more applications with one or more known statistical patterns;

storing the known statistical patterns in a pattern data store with the associated application, wherein the known statistical patterns are utilized to determine the applications operating over the wireless network;

monitoring a plurality of encrypted frames transmitted between nodes on the wireless network; and

retrieving known statistical patterns from a pattern data store;

matching the known statistical patterns to the frame lengths and direction between the nodes; and

identifying an application associated with the content of frames transmitted on the network based upon a match between the known statistical patterns to the frame lengths and direction, the known statistical patterns being associated with the application.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of determining the content of frames transmitted on a wireless network through comparison of captured frames to predetermined statistical patterns.

Citations

27 Claims

1. A method of determining an application associated with content of frames transmitted on a wireless network, the method comprising the steps of:
- associating one or more applications with one or more known statistical patterns;
  
  storing the known statistical patterns in a pattern data store with the associated application, wherein the known statistical patterns are utilized to determine the applications operating over the wireless network;
  
  monitoring a plurality of encrypted frames transmitted between nodes on the wireless network; and
  
  retrieving known statistical patterns from a pattern data store;
  
  matching the known statistical patterns to the frame lengths and direction between the nodes; and
  
  identifying an application associated with the content of frames transmitted on the network based upon a match between the known statistical patterns to the frame lengths and direction, the known statistical patterns being associated with the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, further comprising the step of outputting an application type responsive to a match of a known statistical pattern based on the matching step, wherein each of the known statistical patterns corresponds to a different application type.
  - 3. The method of claim 1, wherein the known statistical patterns each correspond to the unique frame length pattern of an application operating on the wireless network.
  - 4. The method of claim 1, wherein the wireless network operates using an IEEE 802.11 protocol.
  - 5. The method of claim 1, wherein a match of the known statistical pattern in the matching step occurs within a frame count scope, the frame count scope comprises a predetermined number of frames over which the monitoring step monitors frames on the wireless network for the matching step.
  - 6. The method of claim 5, wherein the known statistical pattern comprises the frame count scope and one or more frames each with a corresponding frame length, frame drift size, and frame direction between nodes.
  - 7. The method of claim 6, wherein the frame drift size is an allowed difference from the frame length and a frame length value within the frame drift size comprises a statistical match.
  - 8. The method of claim 7, wherein the known statistical patterns are determined by operating an application on one or more test hardware configurations and analyzing the frame lengths, frame drift size, and direction.
  - 9. The method of claim 8, wherein the unique pattern of frame lengths varies based on a statistical frame drift size responsive to hardware configuration and wireless network operating conditions.
  - 10. The method of claim 8, wherein the application comprises a computer program operable to transmit and receive frames.
  - 11. The method of claim 9, wherein the application is operable to transmit and receive encrypted frames.
  - 12. The method of claim 10, further comprising the step of terminating an unauthorized application based on the matching step, the unauthorized application comprises an application defined against predetermined network policy.
  - 13. The method of claim 10, further comprising the step of raising an alarm and responsive determining an unauthorized application based on the matching step.
  - 14. The method of claim 10, further comprising the step of determining quality-of-service metrics of the application responsive to inter-arrival statistics of the plurality of frames.
  - 15. The method of claim 10, further comprising the step of determining the mean opinion score responsive to matching the application to a voice application.
  - 16. The method of claim 1, wherein the monitoring step is performed by sensors, access points, clients equipped with software agents, and combinations thereof.
  - 17. The method of claim 16, wherein the matching step is performed by a computer connected to a data store loaded with the known statistical patterns.
  - 18. The method of claim 17, wherein the sensors, access points, clients equipped with software agents, and combinations thereof are configured to perform statistical analysis and communicate the results of the statistical analysis to the computer.
  - 19. The method of claim 17, wherein the data store is operable to be updated with new known statistical patterns.
  - 20. The method of claim 19, wherein the computer comprises a wireless intrusion prevention server.
  - 21. The method of claim 17, wherein the computer is operable to perform multiple of the matching step simultaneously.

22. A method for characterizing patterns of frame lengths corresponding to an application, the method comprising the steps of:
- providing a first hardware configuration comprising a plurality of wireless devices;
  
  operating the application on one of the wireless devices;
  
  monitoring the lengths and directions of encrypted frames by the application between the two wireless devices;
  
  repeating the providing, operating, and monitoring steps for a second or more hardware configuration;
  
  analyzing the lengths and directions of encrypted frames responsive to one or more hardware configurations to determined a statistical frame pattern, wherein the statistical frame pattern is used to determine the application operating between the two wireless devices; and
  
  if the lengths and directions of the encrypted frames in the first and second hardware configurations are similar, associating the application with a pattern comprising the lengths and directions of the monitored frames.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, wherein patterns are determined for a plurality of applications.
  - 24. The method of claim 23, wherein a plurality of patterns are loaded into a data store.

25. A method of determining the content of frames by matching to known statistical patterns, the method comprising the steps of:
- loading a content analysis engine and a plurality of known statistical patterns, wherein the known statistical patterns are used to determine applications operating over a wireless network;
  
  starting a data source, the data source receives incoming frames transmitted between two nodes on a network;
  
  determining whether an encrypted frame matches a first line in the plurality of known statistical patterns; and
  
  it a match is found in the checking step, loading a detection thread, wherein the detection thread comprises the steps of;
  
  receiving subsequent incoming encrypted frames transmitted between two nodes on the network; and
  
  matching the subsequent incoming encrypted frames to subsequent lines in the plurality of known statistical patterns until a predetermined frame count is met.

26. A system for determining an application associated with the content of wireless frames transmitted between two nodes on a wireless network, comprising:
- a monitoring device operable to monitor and capture encrypted frame lengths and encrypted frame directions of a plurality of encrypted frames transmitted between nodes on the wireless network;
  
  a data store loaded with known statistical patterns corresponding to different applications, wherein the known statistical patterns are used to determine the application operating over the wireless network; and
  
  a computer operable to receive the encrypted frame lengths and encrypted frame directions of the plurality of encrypted frames, the computer being further operable to perform statistical matching of the encrypted frame lengths and encrypted frame directions to the known statistical patterns in the data store;
  
  wherein a statistical matching enables the computer to identify an application associated with the content being transmitted over the wireless network.

27. A method of determining an application associated with content of frames transmitted on a wireless network, the method comprising the steps of:
- monitoring a plurality of encrypted frames transmitted between nodes on the wireless networks; and
  
  matching the plurality of encrypted frames to known statistical patterns of encrypted frame lengths and direction between the nodes, wherein the known statistical patterns are used to determine the application operating over the wireless network; and
  
  identifying an application associated with the content of encrypted frames transmitted on the network based upon a match between the known statistical patterns to the encrypted frame lengths and direction, the known statistical patterns being associated with the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Darrow, Nicholas John, Sinha, Amit
Primary Examiner(s)
Addy; Thjuan K

Application Number

US11/424,628
Publication Number

US 20080057913A1
Time in Patent Office

1,838 Days
Field of Search

379/201.12, 714/39, 709/224, 380/258, 380/261, 370/338, 370/466, 370/470, 370/471, 713/155, 455/414.1
US Class Current

370/470
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04W 12/122 Counter-measures against at...

Systems and methods for wireless network content filtering

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for wireless network content filtering

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links