Method and system for detecting address rotation and related events in communication networks
Abstract
A method for detecting address rotation by a device in a communication network includes receiving, at a first time, a first message transmitted by the device, receiving, at a second time, a second message transmitted by the device, and processing the first message to determine a first sequence number and a first transmitter address. The method also includes processing the second message to determine a second sequence number and a second transmitter address, determining that the second transmitter address is different from the first transmitter address, determining a time gap between the first time and the second time, and determining, based, in part, on the time gap, a sequence threshold value. The method further includes determining a sequence difference between the first sequence number and the second sequence number, determining that the sequence difference is less than the sequence threshold value, and providing an indication of address rotation by the device.
16 Claims
1. A method for detecting address rotation by a device in a communication network, the method comprising:
receiving, at a first time, a first message transmitted by the device;
receiving, at a second time, a second message transmitted by the device;
processing the first message to determine a first sequence number included in the first message and a first transmitter address included in the first message;
processing the second message to determine a second sequence number included in the second message and a second transmitter address included in the second message;
determining that the second transmitter address is different from the first transmitter address;
determining a time gap between the first time and the second time;
determining, based, in part, on the time gap, a sequence threshold value;
determining a sequence difference between the first sequence number and the second sequence number;
determining that the sequence difference is less than the sequence threshold value; and
providing an indication of address rotation by the device, wherein the address rotation process including a single wireless device transmitting a plurality of messages including a plurality of distinct transmitter addresses, respectively.
(Dependent claims: 2, 3, 4, 5)
6. A method for reducing false alarms during detection of address spoofing in a communication network, the address spoofing being characterized by a plurality of devices in the communication network claiming a common transmitter address, the method comprising:
receiving two messages transmitted over wireless network, the wireless network being characterized by a denial of service attack process which includes transmitting of spoofed messages from an attacker device, the two messages including a first message and a second message;
processing the two messages to determine a first sequence number and a second sequence number included in the first message and the second message, respectively;
processing the two messages to determine a first transmitter address and a second transmitter address included in the first message and the second message, respectively;
ascertaining that the second transmitter address is the same as the first transmitter address;
determining a time gap between the two messages;
determining, based at least on the time gap, a range within which the second sequence number is expected to lie with respect to the first sequence number; and
generating an indication of the address spoofing if the second sequence number lies outside the range within which the second sequence number is expected to lie, wherein the first sequence number is indicative of an order in which the first message is transmitted with respect to other messages that are transmitted by transmitter device of the first message and the second sequence number is indicative of an order in which the second message is transmitted with respect to other messages that are transmitted by transmitter device of the second message.
(Dependent claims: 7, 8, 9, 10)
11. A system for detecting address rotation by a device in a communication network, the system comprising:
a receiver module including one or more wireless communication receiving interfaces for receiving a plurality of messages transmitted over a wireless network;
a storage module including one or more computer memory devices for storing computer executable code, the computer executable code comprising;
a first portion of the code for identifying transmitter addresses within the plurality of messages received by the receiver module, respectively;
a second portion of the code for computing one or more receiving time gaps associated with one or more message pairs, respectively, the one or more message pairs comprising messages from the plurality of messages received by the receiver module, wherein two messages in each of the one or more message pairs include transmitter addresses which are different from one another;
a third portion of the code for computing one or more sequence number threshold values associated with the one or more receiving time gaps, respectively;
a fourth portion of the code for computing one or more sequence number differences associated with the one or more message pairs, respectively; and
a fifth portion of the code for comparing the one or more sequence number differences with the one or more sequence number threshold values, respectively; and
a processor module including one or more micro processing devices for executing the first, the second, the third, the fourth, the fifth, the sixth, and the seventh portions of the code to detect the address rotation by the device, wherein the address rotation process including a single wireless device transmitting a plurality of messages including a plurality of distinct transmitter addresses, respectively; and
a sixth portion of the code for identifying that a sequence number difference for at least one message pair from the one or more message pairs is less than a sequence number threshold value associated with the at least one message pair; and
a seventh portion of the code for ascertaining that transmitter addresses for messages within the at least one message pair are distinct.
(Dependent claims: 12)
13. A system for reducing false alarms during detection of address spoofing in a communication network, the address spoofing being characterized by a plurality of devices in the communication network claiming a common transmitter address, the method comprising:
a receiver module including one or more wireless communication receiving interfaces for receiving a plurality of messages transmitted over a wireless network;
a processor module; and
a storage module which stores computer readable instructions, which are executable by the processor module to perform steps of;
receiving a first message and a second message transmitted over the wireless network, the wireless network being characterized by a denial of service attack process which includes transmitting of spoofed messages from an attacker device;
processing the first and the second messages to determine a first sequence number and a second sequence number included in the first message and the second message, respectively;
processing the first and the second messages to determine a first transmitter address and a second transmitter address included in the first message and the second message, respectively;
ascertaining that the second transmitter address is the same as the first transmitter address;
determining a time gap between the two messages;
determining, based at least on the time gap, a range within which the second sequence number is expected to lie with respect to the first sequence number; and
generating an indication of the address spoofing if the second sequence number lies outside the range within which the second sequence number is expected to lie, wherein the first sequence number is indicative of an order in which the first message is transmitted with respect to other messages that are transmitted by transmitter device of the first message and the second sequence number is indicative of an order in which the second message is transmitted with respect to other messages that are transmitted by transmitter device of the second message.
(Dependent claims: 14, 15, 16)
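The two checks recited in claims 1 and 6, sketched as a small monitor over a time-ordered capture. This is an added example, not code from the patent. Assumptions: a 12-bit wrapping sequence counter (as in IEEE 802.11), a threshold that grows linearly with the time gap, and the constants `MAX_RATE`, `SLACK` and `MAX_GAP`; the claims do not say how the threshold or range is computed, and the sample frames are constructed.

```python
from dataclasses import dataclass

SEQ_MOD = 4096     # assumption: 12-bit wrapping counter, as in IEEE 802.11
MAX_RATE = 200     # assumption: most frames one device sends per second
SLACK = 4          # assumption: allowance for frames the sensor missed
MAX_GAP = 5.0      # assumption: beyond this gap the counter says nothing

@dataclass(frozen=True)
class Frame:
    t: float       # receive time in seconds
    addr: str      # transmitter address
    seq: int       # sequence number carried in the frame

def seq_threshold(gap):
    """Largest forward advance one transmitter could make in `gap` seconds."""
    return SLACK + int(MAX_RATE * gap)

def seq_advance(first, second):
    """Forward distance from first to second, allowing for wrap-around."""
    return (second - first) % SEQ_MOD

def scan(frames):
    """Return (time, kind, detail) alerts for a time-ordered capture."""
    last, alerts = {}, []          # last: address -> latest Frame seen
    for f in frames:
        prev = last.get(f.addr)
        if prev is None:
            # New address: does it continue a known address's counter?
            for old in last.values():
                gap = f.t - old.t
                if gap <= MAX_GAP and seq_advance(old.seq, f.seq) < seq_threshold(gap):
                    alerts.append((f.t, "rotation", f"{old.addr}->{f.addr}"))
        elif f.t - prev.t <= MAX_GAP:
            # Known address: is the counter inside the expected range?
            if seq_advance(prev.seq, f.seq) > seq_threshold(f.t - prev.t):
                alerts.append((f.t, "spoofing", f.addr))
        last[f.addr] = f           # interleaved counters alert on every switch
    return alerts

# Constructed capture: device :01 rotates to :03; :02 is briefly impersonated.
A, B, C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE = [Frame(0.00, A, 100), Frame(0.05, B, 2000), Frame(0.10, A, 101),
          Frame(0.20, C, 103), Frame(0.30, B, 2003), Frame(0.35, B, 900),
          Frame(0.40, B, 2005)]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because the threshold widens with the time gap, two unrelated devices match by chance more often as the gap grows, so a deployment would want several consecutive matches before acting on a rotation alert.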
Specification