Method and system for detecting address rotation and related events in communication networks

US 7,971,253 B1
Filed: 06/29/2007
Issued: 06/28/2011
Est. Priority Date: 11/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting address rotation by a device in a communication network, the method comprising:

receiving, at a first time, a first message transmitted by the device;

receiving, at a second time, a second message transmitted by the device;

processing the first message to determine a first sequence number included in the first message and a first transmitter address included in the first message;

processing the second message to determine a second sequence number included in the second message and a second transmitter address included in the second message;

determining that the second transmitter address is different from the first transmitter address;

determining a time gap between the first time and the second time;

determining, based, in part, on the time gap, a sequence threshold value;

determining a sequence difference between the first sequence number and the second sequence number;

determining that the sequence difference is less than the sequence threshold value; and

providing an indication of address rotation by the device,wherein the address rotation process including a single wireless device transmitting a plurality of messages including a plurality of distinct transmitter addresses, respectively.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting address rotation by a device in a communication network includes receiving, at a first time, a first message transmitted by the device, receiving, at a second time, a second message transmitted by the device, and processing the first message to determine a first sequence number and a first transmitter address. The method also includes processing the second message to determine a second sequence number and a second transmitter address, determining that the second transmitter address is different from the first transmitter address, determining a time gap between the first time and the second time, and determining, based, in part, on the time gap, a sequence threshold value. The method further includes determining a sequence difference between the first sequence number and the second sequence number, determining that the sequence difference is less than the sequence threshold value, and providing an indication of address rotation by the device.

Citations

16 Claims

1. A method for detecting address rotation by a device in a communication network, the method comprising:
- receiving, at a first time, a first message transmitted by the device;
  
  receiving, at a second time, a second message transmitted by the device;
  
  processing the first message to determine a first sequence number included in the first message and a first transmitter address included in the first message;
  
  processing the second message to determine a second sequence number included in the second message and a second transmitter address included in the second message;
  
  determining that the second transmitter address is different from the first transmitter address;
  
  determining a time gap between the first time and the second time;
  
  determining, based, in part, on the time gap, a sequence threshold value;
  
  determining a sequence difference between the first sequence number and the second sequence number;
  
  determining that the sequence difference is less than the sequence threshold value; and
  
  providing an indication of address rotation by the device,wherein the address rotation process including a single wireless device transmitting a plurality of messages including a plurality of distinct transmitter addresses, respectively.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein at least one of the first message or the second message comprises an IEEE 802.11 type frame.
  - 3. The method of claim 1 further comprising increasing a counter of the indications of the address rotation by the device.
  - 4. The method of claim 3 further comprising:
    - determining that the counter exceeds a predetermined threshold; and
      
      determining an instance of address rotation.
  - 5. The method of claim 1 wherein the address rotation by the device is associated with at least one of an authentication flood attack, an association flood attack, or an EAPOL START flood attack by the device.

6. A method for reducing false alarms during detection of address spoofing in a communication network, the address spoofing being characterized by a plurality of devices in the communication network claiming a common transmitter address, the method comprising:
- receiving two messages transmitted over wireless network, the wireless network being characterized by a denial of service attack process which includes transmitting of spoofed messages from an attacker device, the two messages including a first message and a second message;
  
  processing the two messages to determine a first sequence number and a second sequence number included in the first message and the second message, respectively;
  
  processing the two messages to determine a first transmitter address and a second transmitter address included in the first message and the second message, respectively;
  
  ascertaining that the second transmitter address is the same as the first transmitter address;
  
  determining a time gap between the two messages;
  
  determining, based at least on the time gap, a range within which the second sequence number is expected to lie with respect to the first sequence number; and
  
  generating an indication of the address spoofing if the second sequence number lies outside the range within which the second sequence number is expected to lie,wherein the first sequence number is indicative of an order in which the first message is transmitted with respect to other messages that are transmitted by transmitter device of the first message and the second sequence number is indicative of an order in which the second message is transmitted with respect to other messages that are transmitted by transmitter device of the second message.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6 wherein the determining the time gap between the two messages includes determining a difference between time instants of the receiving the two messages, respectively.
  - 8. The method of claim 6 wherein the determining the range within which the second sequence number is expected to lie is further based on at least one of a plurality of transmission speeds of the wireless network.
  - 9. The method of claim 6, and further comprising not generating the indication of the address spoofing if the second sequence number lies in the range within which the second sequence number is expected to lie.
  - 10. The method of claim 6 wherein a sequence number included in a message is as per the IEEE 802.11 standard.

11. A system for detecting address rotation by a device in a communication network, the system comprising:
- a receiver module including one or more wireless communication receiving interfaces for receiving a plurality of messages transmitted over a wireless network;
  
  a storage module including one or more computer memory devices for storing computer executable code, the computer executable code comprising;
  
  a first portion of the code for identifying transmitter addresses within the plurality of messages received by the receiver module, respectively;
  
  a second portion of the code for computing one or more receiving time gaps associated with one or more message pairs, respectively, the one or more message pairs comprising messages from the plurality of messages received by the receiver module, wherein two messages in each of the one or more message pairs include transmitter addresses which are different from one another;
  
  a third portion of the code for computing one or more sequence number threshold values associated with the one or more receiving time gaps, respectively;
  
  a fourth portion of the code for computing one or more sequence number differences associated with the one or more message pairs, respectively; and
  
  a fifth portion of the code for comparing the one or more sequence number differences with the one or more sequence number threshold values, respectively;
  
  and a processor module including one or more micro processing devices for executing the first, the second, the third, the fourth, the fifth, the sixth, and the seventh portions of the code to detect the address rotation by the device,wherein the address rotation process including a single wireless device transmitting a plurality of messages including a plurality of distinct transmitter addresses, respectively;
  
  and a sixth portion of the code for identifying that a sequence number difference for at least one message pair from the one or more message pairs is less than a sequence number threshold value associated with the at least one message pair;
  
  and a seventh portion of the code for ascertaining that transmitter addresses for messages within the at least one message pair are distinct.
- View Dependent Claims (12)
- - 12. The system of claim 11 wherein the computer executable code within the storage module comprises an eight portion of the code for generating indication about the address rotation by the device.

13. A system for reducing false alarms during detection of address spoofing in a communication network, the address spoofing being characterized by a plurality of devices in the communication network claiming a common transmitter address, the method comprising:
- a receiver module including one or more wireless communication receiving interfaces for receiving a plurality of messages transmitted over a wireless network;
  
  a processor module; and
  
  a storage module which stores computer readable instructions, which are executable by the processor module to perform steps of;
  
  receiving a first message and a second message transmitted over the wireless network, the wireless network being characterized by a denial of service attack process which includes transmitting of spoofed messages from an attacker device;
  
  processing the first and the second messages to determine a first sequence number and a second sequence number included in the first message and the second message, respectively;
  
  processing the first and the second messages to determine a first transmitter address and a second transmitter address included in the first message and the second message, respectively;
  
  ascertaining that the second transmitter address is the same as the first transmitter address;
  
  determining a time gap between the two messages;
  
  determining, based at least on the time gap, a range within which the second sequence number is expected to lie with respect to the first sequence number; and
  
  generating an indication of the address spoofing if the second sequence number lies outside the range within which the second sequence number is expected to lie,wherein the first sequence number is indicative of an order in which the first message is transmitted with respect to other messages that are transmitted by transmitter device of the first message and the second sequence number is indicative of an order in which the second message is transmitted with respect to other messages that are transmitted by transmitter device of the second message.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13 wherein the determining the time gap between the two messages includes determining a difference between time instants of the receiving the two messages, respectively.
  - 15. The system of claim 13 wherein the determining the range within which the second sequence number is expected to lie is further based on at least one of a plurality of transmission speeds of the wireless network.
  - 16. The system of claim 13 wherein the computer readable instructions are further executable by the processor module to perform step of not generating the indication of the address spoofing if the second sequence number lies in the range within which the second sequence number is expected to lie.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arista Networks, Inc.
Original Assignee
Airtight Networks Incorporated (Arista Networks, Inc.)
Inventors
Gupta, Deepak
Primary Examiner(s)
Patel; Nirav B
Assistant Examiner(s)
Moran; Randal D

Application Number

US11/770,760
Time in Patent Office

1,460 Days
Field of Search

726/22, 726/23, 726/11, 726/13, 726/25
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04W 12/122   Counter-measures against at...

Method and system for detecting address rotation and related events in communication networks

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting address rotation and related events in communication networks

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links