Method and system for monitoring of wireless devices in local area computer networks
First Claim
1. A method for removing false alarms resulting from spoofing, in detecting access point devices that provide unauthorized wireless access to local area computer networks, the method comprising:
- installing a wireless intrusion monitoring system in a geographic region, the geographic region including a wired portion of a local area network, the wireless intrusion monitoring system being configured to;
detect a plurality of wireless access points (APs) whose radio coverage intersects with the selected geographic region; and
classify the plurality of the APs into at least one or more unauthorized APs from the plurality of APs that are inferred as connected to the wired portion of the local area network and one or more external APs from the plurality of APs that are inferred as not connected to the wired portion of the local area network;
detecting a wirelessly active access point (AP1) whose radio coverage intersects with the geographic region, wherein the AP1 is connected to the wired portion of the local area network;
determining a first basic service set identifier (BSSID1) which identifies the AP1;
transferring one or more marker packets to the wired portion of the local area network, the one or more marker packets;
including an authentication information which is a predetermined function of at least the BSSID1, including a format information, and being structured to be received from the wired portion of the local area network by at least a subset of access points connected to the wired portion of the local area network and to be outputted as first one or more wireless frames by the at least the subset of the access points while maintaining the authentication information and the format information in the outputted one or more wireless frames;
receiving at least a subset of the first one or more wireless frames, wherein the at least the subset of the first one or more wireless frames include the BSSID1;
ascertaining that the at least the subset of the first one or more wireless frames include the authentication information;
inferring that the AP1 is connected to the wired portion of the local area network;
receiving second one or more wireless frames, the second one or more wireless frames including a second basic service set identifier (BSSID2) different from the BSSID1, wherein the second one or more wireless frames;
being transmitted during a spoofing attack process, and imitating the format information to make an access point identified with the BSSID2 (AP2), which is not connected to the wired portion of the local area network, falsely inferred as connected to the wired portion of the local area network in the wireless intrusion monitoring system to generate a false alarm on unauthorized access to the wired portion of the local area network;
ascertaining that the second one or more wireless frames are devoid of an authentication information which is the predetermined function of at least the BSSID2; and
inferring that the second one or more wireless frames do not indicate that the AP2 is connected to the wired portion of the local area network.
Abstract
A method and a system for detecting access point devices that provide unauthorized wireless access to local area computer networks are provided. The method includes transferring one or more marker packets to the wired portion of the local area network. The one or more marker packets include authentication data that is computed based at least upon the identity of the wirelessly active access point device and a secret key. The method includes processing one or more wireless frames transmitted from the wirelessly active access point device to extract and to verify at least a portion of the authentication data.
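The marker check described in the abstract, sketched as an added example that is not taken from the patent. It assumes HMAC-SHA256 as the "predetermined function", a hypothetical 4-byte `MAGIC` value as the format information, and a constructed payload layout and sample BSSIDs.

```python
import hashlib
import hmac
import os

MAGIC = b"MRKR"        # hypothetical "format information" (assumption)
NONCE_LEN, TAG_LEN = 8, 16
KEY = bytes(range(32))  # constructed sample key shared by injector and sensor

def _bssid_bytes(bssid: str) -> bytes:
    raw = bytes.fromhex(bssid.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("BSSID must be 6 octets")
    return raw

def _tag(key: bytes, bssid: str, nonce: bytes) -> bytes:
    # Authentication data bound to the AP identity and the secret key.
    mac = hmac.new(key, _bssid_bytes(bssid) + nonce, hashlib.sha256)
    return mac.digest()[:TAG_LEN]

def make_marker(key: bytes, bssid: str) -> bytes:
    """Payload sent on the wired side for the AP under test."""
    nonce = os.urandom(NONCE_LEN)
    return MAGIC + nonce + _tag(key, bssid, nonce)

def classify_frame(key: bytes, frame_bssid: str, payload: bytes) -> str:
    """Sensor-side check on a wireless frame seen with frame_bssid."""
    if not payload.startswith(MAGIC):
        return "no-marker"
    if len(payload) != len(MAGIC) + NONCE_LEN + TAG_LEN:
        return "no-marker"
    nonce = payload[len(MAGIC):len(MAGIC) + NONCE_LEN]
    tag = payload[len(MAGIC) + NONCE_LEN:]
    expected = _tag(key, frame_bssid, nonce)
    # Constant-time comparison; format match alone is never sufficient.
    if hmac.compare_digest(tag, expected):
        return "wired"
    return "format-only"

def demo() -> dict:
    ap1, ap2 = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed BSSIDs
    marker = make_marker(KEY, ap1)
    return {
        "ap1_forwards_marker": classify_frame(KEY, ap1, marker),
        "ap2_imitates_format": classify_frame(KEY, ap2, MAGIC + bytes(24)),
        "ap2_reuses_ap1_tag": classify_frame(KEY, ap2, marker),
        "ordinary_traffic": classify_frame(KEY, ap1, b"unrelated payload"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Only the "wired" verdict should feed the connected-AP inference; "format-only" frames are the false-alarm case the claims exclude.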
14 Claims
10. A wireless access monitoring system including a way of removing false alarms resulting from spoofing, in detecting access point devices that provide unauthorized wireless access to local area computer networks, the system comprising:
a wired network interface for coupling the system to a wired portion of a local area network within a geographic region;
a wireless network interface for receiving wireless signals within the geographic region;
a processing unit comprising one or more microprocessor devices; and
a memory unit coupled to the processing unit and storing computer readable instructions to be executed by the processing unit to perform steps of;
detecting a plurality of wireless access points (APs) whose radio coverage intersects with the selected geographic region, the plurality of the wireless access points including a first wireless access point (AP1) that is connected to the wired portion of the local area network and a second wireless access point (AP2) that is not connected to the wired portion of the local area network;
determining a first basic service set identifier (BSSID1) which identifies the AP1;
generating one or more marker packets, the one or more marker packets;
including an authentication information which is a predetermined function of at least the BSSID1, including a format information, and being structured to be received from the wired portion of the local area network by at least a subset of access points connected to the wired portion of the local area network and to be outputted as first one or more wireless frames by the at least the subset of the access points while maintaining at least a portion of the format information in the outputted one or more wireless frames;
transferring the one or more marker packets to the wired portion of the local area network using the wired network interface;
receiving at least a subset of the first one or more wireless frames, wherein the at least the subset of the first one or more wireless frames include the BSSID1;
ascertaining that the at least the subset of the first one or more wireless frames include the authentication information;
inferring that the AP1 is connected to the wired portion of the local area network;
receiving second one or more wireless frames using the wireless network interface, the second one or more wireless frames including a second basic service set identifier (BSSID2) different from the BSSID1, wherein the second one or more wireless frames;
being transmitted during a spoofing attack process, and imitating the at least the portion of the format information to make an access point identified with the BSSID2 (AP2), which is not connected to the wired portion of the local area network, falsely inferred as connected to the wired portion of the local area network in the wireless access monitoring system to generate a false alarm on unauthorized access to the wired portion of the local area network;
ascertaining that the second one or more wireless frames are devoid of an authentication information which is the predetermined function of at least the BSSID2;
inferring that the second one or more wireless frames do not indicate that the AP2 is connected to the wired portion of the local area network; and
classifying the plurality of the APs into at least one or more unauthorized APs from the plurality of APs that are inferred as connected to the wired portion of the local area network and one or more external APs from the plurality of APs that are inferred as not connected to the wired portion of the local area network.
Specification