Method and system for monitoring of wireless devices in local area computer networks

US 7,970,894 B1
Filed: 11/15/2007
Issued: 06/28/2011
Est. Priority Date: 11/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method for removing false alarms resulting from spoofing, in detecting access point devices that provide unauthorized wireless access to local area computer networks, the method comprising:

installing a wireless intrusion monitoring system in a geographic region, the geographic region including a wired portion of a local area network, the wireless intrusion monitoring system being configured to;

detect a plurality of wireless access points (APs) whose radio coverage intersects with the selected geographic region; and

classify the plurality of the APs into at least one or more unauthorized APs from the plurality of APs that are inferred as connected to the wired portion of the local area network and one or more external APs from the plurality of APs that are inferred as not connected to the wired portion of the local area network;

detecting a wirelessly active access point (AP1) whose radio coverage intersects with the geographic region, wherein the AP1 is connected to the wired portion of the local area network;

determining a first basic service set identifier (BSSID1) which identifies the AP1;

transferring one or more marker packets to the wired portion of the local area network, the one or more marker packets;

including an authentication information which is a predetermined function of at least the BSSID1,including a format information, andbeing structured to be received from the wired portion of the local area network by at least a subset of access points connected to the wired portion of the local area network and to be outputted as first one or more wireless frames by the at least the subset of the access points while maintaining the authentication information and the format information in the outputted one or more wireless frames;

receiving at least a subset of the first one or more wireless frames, wherein the at least the subset of the first one or more wireless frames include the BSSID1;

ascertaining that the at least the subset of the first one or more wireless frames include the authentication information;

inferring that the AP1 is connected to the wired portion of the local area network;

receiving second one or more wireless frames, the second one or more wireless frames including a second basic service set identifier (BSSID2) different from the BSSID1, wherein the second one or more wireless frames;

being transmitted during a spoofing attack process, andimitating the format information to make an access point identified with the BSSID2 (AP2), which is not connected to the wired portion of the local area network, falsely inferred as connected to the wired portion of the local area network in the wireless intrusion monitoring system to generate a false alarm on unauthorized access to the wired portion of the local are network;

ascertaining that the second one or more wireless frames are devoid of an authentication information which is the predetermined function of at least the BSSID2; and

inferring that the second one or more wireless frames do not indicate that the AP2 is connected to the wired portion of the local area network.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for detecting access point devices that provide unauthorized wireless access to local area computer networks is provided. The method includes transferring one or more marker packets to the wired portion of the local area network. The one or more marker packets include an authentication data that is computed based at least upon identify of the wirelessly active access point device and a secret key. The method includes processing one or more wireless frames transmitted from the wirelessly active access point device to extract and to verify at least a portion of the authentication data.

172 Citations

14 Claims

1. A method for removing false alarms resulting from spoofing, in detecting access point devices that provide unauthorized wireless access to local area computer networks, the method comprising:
- installing a wireless intrusion monitoring system in a geographic region, the geographic region including a wired portion of a local area network, the wireless intrusion monitoring system being configured to;
  
  detect a plurality of wireless access points (APs) whose radio coverage intersects with the selected geographic region; and
  
  classify the plurality of the APs into at least one or more unauthorized APs from the plurality of APs that are inferred as connected to the wired portion of the local area network and one or more external APs from the plurality of APs that are inferred as not connected to the wired portion of the local area network;
  
  detecting a wirelessly active access point (AP1) whose radio coverage intersects with the geographic region, wherein the AP1 is connected to the wired portion of the local area network;
  
  determining a first basic service set identifier (BSSID1) which identifies the AP1;
  
  transferring one or more marker packets to the wired portion of the local area network, the one or more marker packets;
  
  including an authentication information which is a predetermined function of at least the BSSID1,including a format information, andbeing structured to be received from the wired portion of the local area network by at least a subset of access points connected to the wired portion of the local area network and to be outputted as first one or more wireless frames by the at least the subset of the access points while maintaining the authentication information and the format information in the outputted one or more wireless frames;
  
  receiving at least a subset of the first one or more wireless frames, wherein the at least the subset of the first one or more wireless frames include the BSSID1;
  
  ascertaining that the at least the subset of the first one or more wireless frames include the authentication information;
  
  inferring that the AP1 is connected to the wired portion of the local area network;
  
  receiving second one or more wireless frames, the second one or more wireless frames including a second basic service set identifier (BSSID2) different from the BSSID1, wherein the second one or more wireless frames;
  
  being transmitted during a spoofing attack process, andimitating the format information to make an access point identified with the BSSID2 (AP2), which is not connected to the wired portion of the local area network, falsely inferred as connected to the wired portion of the local area network in the wireless intrusion monitoring system to generate a false alarm on unauthorized access to the wired portion of the local are network;
  
  ascertaining that the second one or more wireless frames are devoid of an authentication information which is the predetermined function of at least the BSSID2; and
  
  inferring that the second one or more wireless frames do not indicate that the AP2 is connected to the wired portion of the local area network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the predetermined function is a hash function.
  - 3. The method of claim 1 wherein the predetermined function is a cryptographic hash function.
  - 4. The method of claim 1 wherein the AP2 being an access point within a neighborhood of the geographic region and not connected to the wired portion of the local area network.
  - 5. The method of claim 1, wherein the wireless intrusion monitoring system comprising one or more sniffer devices spatially disposed within the geographic region for receiving and processing wireless signals within the geographic region.
  - 6. The method of claim 5 wherein the detecting the wirelessly active access point device in the geographic region being using a sniffer device from the one or more sniffer devices.
  - 7. The method of claim 5 wherein the receiving the first one or more wireless frames and the second one or more wireless frames being using a first sniffer device and a second sniffer device, respectively, from the one or more sniffer devices.
  - 8. The method of claim 1 wherein the transferring the one or more marker packets to the wired portion of the local area network being using a device connected to the wired portion of the local area network using a wired Ethernet connection.
  - 9. The method of claim 8 wherein the device including at least a sniffer device, at least an Ethernet switch device, or at least a router device.

10. A wireless access monitoring system including a way of removing false alarms resulting from spoofing, in detecting access point devices that provide unauthorized wireless access to local area computer networks, the system comprising:
- a wired network interface for coupling the system to a wired portion of a local area network within a geographic region;
  
  a wireless network interface for receiving wireless signals within the geographic region;
  
  a processing unit comprising one or more microprocessor devices; and
  
  a memory unit coupled to the processing unit and storing computer readable instructions to be executed by the processing unit to perform steps of;
  
  detecting a plurality of wireless access points (APs) whose radio coverage intersects with the selected geographic region, the plurality of the wireless access points including a first wireless access point (AP1) that is connected to the wired portion of the local area network and a second wireless access point (AP2) that is not connected to the wired portion of the local area network;
  
  determining a first basic service set identifier (BSSID1) which identifies the AP1;
  
  generating one or more marker packets, the one or more marker packets;
  
  including an authentication information which is a predetermined function of at least the BSSID1,including a format information, andbeing structured to be received from the wired portion of the local area network by at least a subset of access points connected to the wired portion of the local area network and to be outputted as first one or more wireless frames by the at least the subset of the access points while maintaining at least a portion of the format information in the outputted one or more wireless frames;
  
  transferring the one or more marker packets to the wired portion of the local area network using the wired network interface;
  
  receiving at least a subset of the first one or more wireless frames, wherein the at least the subset of the first one or more wireless frames include the BSSID1;
  
  ascertaining that the at least the subset of the first one or more wireless frames include the authentication information;
  
  inferring that the AP1 is connected to the wired portion of the local area network;
  
  receiving second one or more wireless frames using the wireless network interface, the second one or more wireless frames including a second basic service set identifier (BSSID2) different from the BSSID1, wherein the second one or more wireless frames;
  
  being transmitted during a spoofing attack process, andimitating the at least the portion of the format information to make an access point identified with the BSSID2 (AP2), which is not connected to the wired portion of the local area network, falsely inferred as connected to the wired portion of the local area network in the wireless access monitoring system to generate a false alarm on unauthorized access to the wired portion of the local are network;
  
  ascertaining that the second one or more wireless frames are devoid of an authentication information which is the predetermined function of at least the BSSID2;
  
  inferring that the second one or more wireless frames do not indicate that the AP2 is connected to the wired portion of the local area network; and
  
  classifying the plurality of the APs into at least one or more unauthorized APs from the plurality of APs that are inferred as connected to the wired portion of the local area network and one or more external APs from the plurality of APs that are inferred as not connected to the wired portion of the local area network.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10 wherein the wired network interface including a wired Ethernet interface and the wireless network interface including an IEEE 802.11 network interface.
  - 12. The system of claim 10 wherein the predetermined function is a hash function.
  - 13. The system of claim 10 wherein the predetermined function is a cryptographic hash function.
  - 14. The system of claim 10 wherein the AP2 being an access point within a neighborhood of the geographic region and not connected to the wired portion of the local area network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arista Networks, Inc.
Original Assignee
Airtight Networks Incorporated (Arista Networks, Inc.)
Inventors
Patwardhan, Aniruddha
Primary Examiner(s)
Patel; Ashok B
Assistant Examiner(s)
EDWARDS, LINGLAN E

Application Number

US11/940,339
Time in Patent Office

1,321 Days
Field of Search

709/206, 370/270, 370/338
US Class Current

709/224
CPC Class Codes

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/64   using geofenced areas

H04W 12/73   Access point logical identity

H04W 84/12   WLAN [Wireless Local Area N...

Method and system for monitoring of wireless devices in local area computer networks

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for monitoring of wireless devices in local area computer networks

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links