Device for and method of wireless intrusion detection
First Claim
1. A device for detecting intrusion into a wireless network, comprising:
a) a configuration file unit;
b) a rules files unit;
c) a main processing unit connected to the configuration files unit and rules file unit;
d) a set packet preprocessor unit connected to the main processing unit;
e) an initialize preprocessors unit connected to the main processing unit;
f) a parse rules file unit connected to the main processing unit;
g) an interface thread unit connected to the main processing unit;
h) a process packet unit connected to the interface thread unit;
i) a decode unit connected to the process packet unit;
j) a preprocess unit connected to the process packet unit;
k) a plurality of preprocessors connected to the preprocess unit, including a rogue access point and transmit channel preprocessor, a NETSTUMBLER preprocessor, a MAC spoofing preprocessor, a DEAUTH flood preprocessor, an AUTH flood preprocessor, a rogue client preprocessor, a bridged network preprocessor, a rogue client valid access point preprocessor, valid client rogue access point preprocessor, an ad-hoc network preprocessor, a wrong channel preprocessor, a cloaking violation preprocessor, an encryption violation preprocessor, and a null SSID violation preprocessor; and
l) a detect unit connected to the preprocess unit and the process packet unit.
Abstract
A device for and method of detecting intrusion into a wireless network that includes a configuration file, a rules files, a main processor, a set packet processor, an initialize preprocessor, a parse rules file, an interface thread unit, a process packet unit, a decoder, a preprocess unit connected to the process packet unit; at least one preprocessor consisting of a rogue access point and transmit channel preprocessor, a NETSTUMBLER preprocessor, a MAC spoofing preprocessor, a DEAUTH flood preprocessor, an AUTH flood preprocessor, a rogue client preprocessor, a bridged network preprocessor, a rogue client valid access point preprocessor, valid client rogue access point preprocessor, an ad-hoc network preprocessor, a wrong channel preprocessor, a cloaking policy violation preprocessor, an encryption policy violation preprocessor, and a null SSID association policy violation preprocessor; and a detector.
339 Citations
21 Claims
2. A method of simultaneous intrusion detection on a plurality of computer communications, comprising:
a) initializing on a computing device a configuration file;
b) initializing on the computing device a rules file;
c) controlling on the computing device the intrusion detection method using a main processor;
d) setting on the computing device packet preprocessors;
e) initializing on the computing device preprocessors;
f) parsing on the computing device the rules file;
g) creating on the computing device an interface thread that includes all packets transmitted on all channels;
h) processing on the computing device the packets by decoding the packets and preprocessing on the computing device the packets using a plurality of preprocessors, including a rogue access point and transmit channel preprocessor, a NETSTUMBLER preprocessor, a MAC spoofing preprocessor, a DEAUTH flood preprocessor, an AUTH flood preprocessor, a rogue client preprocessor, a bridged network preprocessor, a rogue client valid access point preprocessor, valid client rogue access point preprocessor, an ad-hoc network preprocessor, a wrong channel preprocessor, a cloaking violation preprocessor, an encryption violation preprocessor, and a null SSID violation preprocessor; and
i) detecting on the computing device intrusion based on the results of the last step.
3. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a rogue access point and transmit channel preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame type contains a basic service set identifier (BSSID) or is an acknowledgement message (ACK);
c) if the frame does not contain a BSSID and is not an ACK then setting on the computing device global variable Transmit_Channel equal to zero and returning to step (h) in claim 2;
d) if the frame contains a BSSID or is an ACK then determining on the computing device if the packet is a beacon frame or a probe response;
e) if either frame type is identified then identifying on the computing device the BSSID and the channel in its header;
f) determining on the computing device if the BSSID is in a rogue AP list;
g) if the BSSID is not in the rogue AP list then determining on the computing device if the BSSID is on a valid AP list;
h) if the BSSID is not on the valid AP list then adding on the computing device the BSSID and its channel to the rogue AP list, setting on the computing device global variable Transmit_Channel equal to the BSSID channel, and returning to step (h) in claim 2;
i) if the BSSID is in the rogue AP list or the BSSID is not in the rogue AP list but is in the valid AP list then updating on the computing device the channel information in the corresponding rogue and valid AP list entry, setting on the computing device global variable Transmit_Channel equal to the BSSID channel, and returning to step (h) in claim 2;
j) if the frame is neither a beacon frame nor a probe response then finding on the computing device the BSSID in the header;
k) determining on the computing device if the BSSID or destination address is in a rogue AP list;
l) if the BSSID or the destination address are in the rogue AP list then determining on the computing device its channel in the rogue AP list, setting on the computing device global variable Transmit_Channel equal to the BSSID channel, and returning to step (h) in claim 2;
m) if the BSSID and the destination address are not in the rogue AP list then determining on the computing device if the BSSID or destination address are on the valid AP list;
n) if the BSSID and the destination address are on the valid AP list then determining on the computing device the BSSID channel in the valid AP list, setting on the computing device the global variable Transmit_Channel equal to the BSSID channel, and returning to step (h) in claim 2; and
o) if the BSSID and the destination address are not on the valid AP list then adding on the computing device the BSSID to the rogue AP list with channel equal to zero, setting on the computing device the global variable Transmit_Channel equal to zero, and returning to step (h) in claim 2.
4. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a rogue client preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame type contains a source address;
c) if the frame type does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then finding on the computing device the source address in its header;
e) determining on the computing device if the packet is from an access point;
f) if the packet is from an access point then returning to step (h) in claim 2;
g) determining on the computing device if the source address is in a rogue client list;
h) if the source address is not on the rogue client list then determining on the computing device if the source address is on a valid client list;
i) if the source address is on the valid client list then returning to step (h) in claim 2;
j) if the packet is not on the valid client list then adding on the computing device the source address to the rogue client list, generating on the computing device an alert message to indicate that a rogue client has been detected, and returning to step (h) in claim 2;
k) if the source address is on the rogue client list then determining on the computing device if a user-defined time period has expired;
l) if the user-definable time-period has not expired then returning to step (h) in claim 2; and
m) if the user-definable time-period has expired then adding on the computing device the source address to the rogue client list, generating on the computing device an alert message to indicate that a rogue client had been detected, and returning to step (h) in claim 2.
5. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a bridged network preprocessor is comprised of the steps of:
a) finding on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame type does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is a data frame;
e) if the frame is not a data frame then returning to step (h) in claim 2;
f) if the frame is a data frame then determining on the computing device if to_ds and from_ds are each set to one;
g) if to_ds and from_ds are not both set to one then returning to step (h) in claim 2;
h) if to_ds and from_ds are each set to one then determining on the computing device if the source and destination addresses are on an alert list;
i) if the source and destination addresses are on the alert list then determining on the computing device if a user-definable time-period has expired;
j) if the user-definable time-period has not expired then returning to step (h) in claim 2; and
k) if either the user-definable time-period has expired or if the source and destination addresses are not on the alert list then adding on the computing device the source and destination addresses to the alert list, generating on the computing device an alert that indicates that a bridged network has been detected, and returning to step (h) in claim 2.
6. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a rogue client valid access point preprocessor is comprised of the steps of:
a) finding on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is an authentication request;
e) if the frame is an authentication request then determining on the computing device if the source address is on a rogue client list;
f) if the frame is not an authentication request then returning to step (h) in claim 2;
g) if the source address is not on the rogue client list then determining on the computing device if the source address is on the valid client list;
h) if the source address is on the valid client list then returning to step (h) in claim 2;
i) if the source address is either on the rogue client list or not on the rogue client list or the valid client list then determining on the computing device if the destination access point address is valid;
j) if the destination access point address is not valid then returning to step (h) in claim 2;
k) if the destination access point address is valid then determining on the computing device if the source address is on a bad authentication request list;
l) if the source address is on the bad authentication request list then returning to step (h) in claim 2; and
m) if the source address is not on the bad authentication request list then adding on the computing device the source address to the bad authentication request list, generating on the computing device an alert to indicate that an unauthorized client is attempting to connect to a valid access point, and returning to step (h) in claim 2.
7. The method of claim 2, wherein the step of preprocessing on the computing device a packet using valid client rogue access point preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is an authentication request;
e) if the frame is not an authentication request then returning to step (h) in claim 2;
f) if the frame is an authentication request then determining on the computing device if the source address is on a rogue client list;
g) if the source address is on a rogue client address then returning to step (h) in claim 2;
h) if the source address is not on a rogue client address then determining on the computing device if the source address is on a valid client list;
i) if the source address is not on the valid client list then returning to step (h) in claim 2;
j) if the source address is on the valid client list then determining on the computing device if the destination address is rogue;
k) if the destination address is not rogue then returning to step (h) in claim 2;
l) if the destination address is rogue then determining on the computing device if the source address is on a bad authentication request list;
m) if the source address is on a bad authentication request list then returning to step (h) in claim 2; and
n) if the source address is not on the bad authentication request list then adding on the computing device the source address to the bad authentication request list, generating on the computing device an alert to indicate that an authorized client is attempting to connect to a rogue access point, and returning to step (h) in claim 2.
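Claims 4, 6 and 7 share three lists (rogue client, valid client, bad authentication request) and one user-definable re-alert period. The following is an added example that models those three preprocessors together over a constructed sequence of decoded frame summaries; it is not code from the patent or from any product that implements it. The `Frame` fields, the list names, the 300-second period and the reading of "from an access point" as "source is a known valid or rogue AP" are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Frame:
    ftype: str                   # "data", "auth_req", "ack", ... (constructed summary)
    ts: float = 0.0              # capture time in seconds (constructed)
    src: Optional[str] = None    # source address, None for frame types that carry none
    dst: Optional[str] = None    # destination address


@dataclass
class ClientPreprocessors:
    valid_ap: Set[str]                      # configured valid AP list
    valid_client: Set[str]                  # configured valid client list
    rogue_ap: Set[str]                      # rogue AP list (kept by the claim 3 preprocessor; seeded here)
    realert_period: float = 300.0           # the claims' user-definable time period, in seconds
    rogue_client: Dict[str, float] = field(default_factory=dict)  # MAC -> time of last alert
    bad_auth_req: Set[str] = field(default_factory=set)           # shared by claims 6 and 7
    alerts: List[str] = field(default_factory=list)

    def _from_access_point(self, f: Frame) -> bool:
        # Assumption: "from an access point" means the source is a known valid or rogue AP.
        return f.src in self.valid_ap or f.src in self.rogue_ap

    def rogue_client_pp(self, f: Frame) -> None:
        """Claim 4: alert on unknown clients, re-alerting once per time period."""
        if f.src is None or self._from_access_point(f):       # steps b-f
            return
        last = self.rogue_client.get(f.src)
        if last is None:                                       # steps g-i
            if f.src in self.valid_client:
                return
        elif f.ts - last < self.realert_period:                # steps k, l
            return
        self.rogue_client[f.src] = f.ts                        # steps j, m
        self.alerts.append(f"rogue client detected: {f.src}")

    def rogue_client_valid_ap_pp(self, f: Frame) -> None:
        """Claim 6: unknown or rogue client authenticating to a valid AP."""
        if f.src is None or f.ftype != "auth_req":             # steps b-f
            return
        if f.src not in self.rogue_client and f.src in self.valid_client:   # steps g, h
            return
        if f.dst not in self.valid_ap or f.src in self.bad_auth_req:        # steps i-l
            return
        self.bad_auth_req.add(f.src)                           # step m
        self.alerts.append(f"unauthorized client {f.src} attempting to connect to valid AP {f.dst}")

    def valid_client_rogue_ap_pp(self, f: Frame) -> None:
        """Claim 7: valid client authenticating to a rogue AP."""
        if f.src is None or f.ftype != "auth_req":             # steps b-e
            return
        if f.src in self.rogue_client or f.src not in self.valid_client:    # steps f-i
            return
        if f.dst not in self.rogue_ap or f.src in self.bad_auth_req:        # steps j-m
            return
        self.bad_auth_req.add(f.src)                           # step n
        self.alerts.append(f"authorized client {f.src} attempting to connect to rogue AP {f.dst}")

    def process(self, f: Frame) -> None:
        """Step (h) of claim 2: run the three preprocessors on one decoded packet."""
        self.rogue_client_pp(f)
        self.rogue_client_valid_ap_pp(f)
        self.valid_client_rogue_ap_pp(f)


VALID_AP, ROGUE_AP = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
GOOD_CLIENT, BAD_CLIENT = "cc:cc:cc:cc:cc:01", "dd:dd:dd:dd:dd:02"

# Constructed capture (not real traffic); timestamps are seconds.
SAMPLE_FRAMES = [
    Frame("data", 0.0, GOOD_CLIENT, VALID_AP),       # known client, known AP: silent
    Frame("auth_req", 1.0, BAD_CLIENT, VALID_AP),    # unknown client tries the valid AP
    Frame("auth_req", 2.0, BAD_CLIENT, VALID_AP),    # retry: both alerts suppressed
    Frame("auth_req", 3.0, GOOD_CLIENT, ROGUE_AP),   # valid client answering the rogue AP
    Frame("data", 400.0, BAD_CLIENT, VALID_AP),      # period expired: rogue client re-alert
    Frame("ack", 401.0, None, GOOD_CLIENT),          # no source address: ignored
]


def run(frames: List[Frame]) -> ClientPreprocessors:
    pp = ClientPreprocessors(valid_ap={VALID_AP}, valid_client={GOOD_CLIENT}, rogue_ap={ROGUE_AP})
    for f in frames:
        pp.process(f)
    return pp


if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES).alerts:
        print("ALERT", line)
```

Two points worth noticing when reading the claims against this model: the bad authentication request list is a single list shared by claims 6 and 7, so a client alerted under one rule is silenced under the other until the list is cleared; and claim 4 only consults the valid client list for addresses that are not yet on the rogue client list, so the two lists must be kept disjoint by whoever maintains the configuration.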
8. The method of claim 2, wherein the step of preprocessing on the computing device a packet using an ad-hoc network preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is a beacon or a probe response;
e) if the frame is a beacon or probe response then determining on the computing device if ESS is equal to zero and IBSS is equal to one;
f) if ESS is not equal to zero or IBSS is not equal to one then returning to step (h) in claim 2;
g) if ESS is equal to zero and IBSS is equal to one then adding on the computing device the source address to the ad-hoc beacon alert list, generating an ad-hoc beacon detected alert, and returning to step (h) in claim 2;
h) if the frame is neither a beacon nor a probe request then determining on the computing device if the frame is a data frame;
i) if the frame is not a data frame then returning to step (h) in claim 2;
j) if the frame is a data frame then determining on the computing device if to_ds and from_ds are each set to zero;
k) if to_ds and from_ds are not both set to zero then returning to step (h) in claim 2;
l) if to_ds and from_ds are each set to zero then determining on the computing device if the source and destination addresses are on an active ad-hoc network alert list;
m) if the source and destination addresses are on the active ad-hoc network alert list then returning to step (h) in claim 2;
n) if the source and destination addresses are not on the active ad-hoc network alert list then adding on the computing device the source and destination addresses to the alert list and generating on the computing device an active ad-hoc network detected alert;
o) determining on the computing device if the source address is on a valid client list;
p) if the source address is not on the valid client list then determining on the computing device if the destination address is on the valid client list;
q) if the destination address is not on the valid client list then returning to step (h) in claim 2;
r) if the destination address is on the valid client list then generating on the computing device an authorized client in ad-hoc conversation with rogue client alert, and returning to step (h) in claim 2;
s) if the source address is on the valid client list then determining on the computing device if the destination address is on the valid client list;
t) if the destination address is not on the valid client list then generating on the computing device an authorized client in ad-hoc conversation with rogue client alert, and returning to step (h) in claim 2; and
u) if the destination address is on the valid client list then returning to step (h) in claim 2.
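Claims 5 and 8 both key on the To DS / From DS bits of the 802.11 frame control field: both set means a frame relayed between two distribution systems (a wireless bridge), both clear means a station-to-station frame outside any infrastructure BSS (an ad-hoc network), and claim 8 additionally watches for beacons whose capability field announces an IBSS. The following added example (not the patent's or any product's code) implements both preprocessors over constructed frames; the `Frame` fields, the list names, the 300-second re-alert period and the choice to key conversation lists on the unordered address pair are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Frame:
    ftype: str                   # "beacon", "probe_resp", "data", ... (constructed summary)
    ts: float = 0.0              # capture time in seconds (constructed)
    src: Optional[str] = None
    dst: Optional[str] = None
    to_ds: int = 0               # frame-control To DS bit
    from_ds: int = 0             # frame-control From DS bit
    ess: int = 1                 # capability-info ESS bit (beacons / probe responses)
    ibss: int = 0                # capability-info IBSS bit


@dataclass
class DsBitPreprocessors:
    valid_client: Set[str]                                          # configured valid client list
    realert_period: float = 300.0                                   # user-definable time period
    bridge_alert: Dict[FrozenSet[str], float] = field(default_factory=dict)  # pair -> last alert time
    adhoc_beacon_alert: Set[str] = field(default_factory=set)
    active_adhoc_alert: Set[FrozenSet[str]] = field(default_factory=set)
    alerts: List[Tuple[str, str]] = field(default_factory=list)    # (kind, detail)

    def bridged_network_pp(self, f: Frame) -> None:
        """Claim 5: data frames with To DS = From DS = 1 indicate a wireless bridge."""
        if f.src is None or f.ftype != "data":                     # steps b-e
            return
        if not (f.to_ds == 1 and f.from_ds == 1):                  # steps f, g
            return
        pair = frozenset((f.src, f.dst))   # assumption: one entry per conversation, either direction
        last = self.bridge_alert.get(pair)
        if last is not None and f.ts - last < self.realert_period:  # steps h-j
            return
        self.bridge_alert[pair] = f.ts                             # step k
        self.alerts.append(("bridged network", f"{f.src} <-> {f.dst}"))

    def adhoc_network_pp(self, f: Frame) -> None:
        """Claim 8: IBSS beacons and To DS = From DS = 0 data frames reveal ad-hoc networks."""
        if f.src is None:                                          # steps b, c
            return
        if f.ftype in ("beacon", "probe_resp"):                    # steps d-g
            if f.ess == 0 and f.ibss == 1 and f.src not in self.adhoc_beacon_alert:
                # The claim adds and alerts unconditionally; this example suppresses repeats.
                self.adhoc_beacon_alert.add(f.src)
                self.alerts.append(("ad-hoc beacon", f.src))
            return
        if f.ftype != "data" or f.to_ds != 0 or f.from_ds != 0:   # steps h-k
            return
        pair = frozenset((f.src, f.dst))
        if pair in self.active_adhoc_alert:                        # steps l, m
            return
        self.active_adhoc_alert.add(pair)                          # step n
        self.alerts.append(("active ad-hoc network", f"{f.src} <-> {f.dst}"))
        # Steps o-u: exactly one side of the conversation is an authorized client.
        if (f.src in self.valid_client) != (f.dst in self.valid_client):
            self.alerts.append(("authorized client in ad-hoc conversation with rogue client",
                                f"{f.src} <-> {f.dst}"))

    def process(self, f: Frame) -> None:
        """Step (h) of claim 2: run both preprocessors on one decoded packet."""
        self.bridged_network_pp(f)
        self.adhoc_network_pp(f)


AP1, AP2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
GOOD, BAD, BAD2, ADHOC = "cc:cc:cc:cc:cc:01", "dd:dd:dd:dd:dd:02", "dd:dd:dd:dd:dd:03", "ee:ee:ee:ee:ee:04"

# Constructed capture (not real traffic); timestamps are seconds.
SAMPLE_FRAMES = [
    Frame("beacon", 0.0, ADHOC, None, ess=0, ibss=1),      # IBSS beacon
    Frame("beacon", 1.0, AP1, None, ess=1, ibss=0),        # ordinary infrastructure beacon
    Frame("data", 2.0, GOOD, BAD, to_ds=0, from_ds=0),     # valid client talking ad-hoc to an unknown peer
    Frame("data", 3.0, BAD, GOOD, to_ds=0, from_ds=0),     # reply in the same conversation: suppressed
    Frame("data", 4.0, BAD, BAD2, to_ds=0, from_ds=0),     # two unknown peers: ad-hoc alert only
    Frame("data", 10.0, AP1, AP2, to_ds=1, from_ds=1),     # bridge traffic
    Frame("data", 20.0, AP1, AP2, to_ds=1, from_ds=1),     # within the period: suppressed
    Frame("data", 400.0, AP2, AP1, to_ds=1, from_ds=1),    # period expired: re-alert
    Frame("data", 401.0, GOOD, AP1, to_ds=1, from_ds=0),   # normal station-to-AP data: silent
]


def run(frames: List[Frame]) -> DsBitPreprocessors:
    pp = DsBitPreprocessors(valid_client={GOOD})
    for f in frames:
        pp.process(f)
    return pp


if __name__ == "__main__":
    for kind, detail in run(SAMPLE_FRAMES).alerts:
        print(f"ALERT [{kind}] {detail}")
```

Note that claim 8 steps l and m suppress a repeated conversation before the authorized-versus-rogue check runs, so the "authorized client in ad-hoc conversation" alert can only fire on the first frame of a conversation; a deployment that clears the active ad-hoc list periodically will see it again.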
9. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a wrong channel preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device the source address in its header;
e) determining on the computing device if the source address is in a valid client list;
f) if the source address is not in the valid client list then determining on the computing device if the source address is in a valid access point list;
g) if the source address is not in the valid access point list then returning to step (h) in claim 2;
h) if the source address is in the valid client list or not in the valid client list but in the valid access point list then determining and recording on the computing device the designated operating channel;
i) determining on the computing device if the source address is in a wrong channel alert list;
j) if the source address is in the wrong channel alert list then returning to step (h) in claim 2;
k) if the source address is not in the wrong channel alert list then determining on the computing device if a transmit channel on which the packet was transmitted is a designated operating channel for the source address;
l) if the transmit channel is equal to the designated operating channel then returning to step (h) in claim 2; and
m) if the transmit channel is not equal to the designated operating channel then adding on the computing device the source address to the wrong channel alert list, generating a device operating on the wrong channel alert, and returning to step (h) in claim 2.
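The transmit channel that claim 9 compares against the designated channel is the global Transmit_Channel that the claim 3 preprocessor derives for every frame: from the channel element of a beacon or probe response, or otherwise from the last channel recorded for the AP named in the frame's BSSID or destination field. The following added example (not the patent's or any product's code) chains the two preprocessors in that order over constructed frames. The `Frame` fields, the separation of a configured designated channel from the last observed channel per AP, the fallback to the designated channel when no beacon has been seen, and the added guard that skips the comparison while Transmit_Channel is zero (unknown) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Frame types whose header carries a BSSID field (assumption: a simplified subset).
BSSID_FRAMES = {"beacon", "probe_resp", "data", "auth", "assoc_req"}


@dataclass
class Frame:
    ftype: str                   # "beacon", "probe_resp", "data", "ack", "probe_req", ...
    src: Optional[str] = None    # source address, if the frame type has one
    dst: Optional[str] = None    # destination / receiver address
    bssid: Optional[str] = None  # BSSID field, if the frame type has one
    channel: int = 0             # channel advertised by a beacon or probe response


@dataclass
class ChannelPreprocessors:
    valid_ap: Dict[str, int]       # configured AP BSSID -> designated channel (assumed config)
    valid_client: Dict[str, int]   # configured client MAC -> designated channel (assumed config)
    rogue_ap: Set[str] = field(default_factory=set)
    ap_channel: Dict[str, int] = field(default_factory=dict)   # last channel seen per AP (rogue or valid)
    wrong_channel_alerted: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)
    transmit_channel: int = 0      # the claims' global Transmit_Channel

    def rogue_ap_transmit_channel_pp(self, f: Frame) -> None:
        """Claim 3: track rogue APs and set Transmit_Channel for the preprocessors that follow."""
        if f.ftype not in BSSID_FRAMES and f.ftype != "ack":   # steps b, c
            self.transmit_channel = 0
            return
        if f.ftype in ("beacon", "probe_resp"):                # steps d-i
            if f.bssid not in self.rogue_ap and f.bssid not in self.valid_ap:
                self.rogue_ap.add(f.bssid)                     # step h: previously unknown AP
            self.ap_channel[f.bssid] = f.channel               # update the list entry's channel
            self.transmit_channel = f.channel
            return
        for addr in (f.bssid, f.dst):                          # steps j-l
            if addr in self.rogue_ap:
                self.transmit_channel = self.ap_channel.get(addr, 0)
                return
        for addr in (f.bssid, f.dst):                          # steps m, n
            if addr in self.valid_ap:
                # assumption: fall back to the designated channel until a beacon is seen
                self.transmit_channel = self.ap_channel.get(addr, self.valid_ap[addr])
                return
        key = f.bssid or f.dst                                 # step o (an ACK carries only a receiver)
        if key is not None:
            self.rogue_ap.add(key)
            self.ap_channel[key] = 0
        self.transmit_channel = 0

    def wrong_channel_pp(self, f: Frame) -> None:
        """Claim 9: alert once when a known device is heard off its designated channel."""
        if f.src is None:                                      # steps b, c
            return
        if f.src in self.valid_client:                         # steps e, h
            designated = self.valid_client[f.src]
        elif f.src in self.valid_ap:                           # steps f-h
            designated = self.valid_ap[f.src]
        else:                                                  # step g
            return
        if f.src in self.wrong_channel_alerted:                # steps i, j
            return
        if self.transmit_channel == 0:  # added guard: channel unknown, do not compare
            return
        if self.transmit_channel == designated:                # steps k, l
            return
        self.wrong_channel_alerted.add(f.src)                  # step m
        self.alerts.append(f"wrong channel: {f.src} heard on {self.transmit_channel}, designated {designated}")

    def process(self, f: Frame) -> None:
        """Step (h) of claim 2: the claim 3 preprocessor must run before claim 9's."""
        self.rogue_ap_transmit_channel_pp(f)
        self.wrong_channel_pp(f)


VALID_AP, ROGUE_AP, CLIENT = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:01"

# Constructed capture: one valid AP designated for channel 6, one unknown AP on channel 11.
SAMPLE_FRAMES = [
    Frame("beacon", src=VALID_AP, bssid=VALID_AP, channel=6),
    Frame("beacon", src=ROGUE_AP, bssid=ROGUE_AP, channel=11),
    Frame("data", src=CLIENT, dst=VALID_AP, bssid=VALID_AP),   # client on its own channel
    Frame("data", src=CLIENT, dst=ROGUE_AP, bssid=ROGUE_AP),   # client heard via the rogue AP
    Frame("data", src=CLIENT, dst=ROGUE_AP, bssid=ROGUE_AP),   # repeat: no second alert
    Frame("beacon", src=VALID_AP, bssid=VALID_AP, channel=1),  # valid AP drifted to channel 1
]


def run(frames: List[Frame]) -> ChannelPreprocessors:
    pp = ChannelPreprocessors(valid_ap={VALID_AP: 6}, valid_client={CLIENT: 6})
    for f in frames:
        pp.process(f)
    return pp


if __name__ == "__main__":
    result = run(SAMPLE_FRAMES)
    print("rogue APs:", sorted(result.rogue_ap))
    for line in result.alerts:
        print("ALERT", line)
```

The guard on a zero Transmit_Channel is the caveat a deployment needs: frames without a BSSID (probe requests, for instance) reset the global to zero under claim 3 step c, and comparing zero against a designated channel would otherwise alert on every valid client that probes.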
10. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a cloaking violation preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame is a beacon;
c) if the frame is not a beacon then returning to step (h) in claim 2;
d) if the frame is a beacon then determining on the computing device if cloaking_required is equal to a one;
e) if cloaking_required is not equal to a one then returning to step (h) in claim 2;
f) if cloaking_required is equal to a one then determining on the computing device if SSID is null;
g) if SSID is null then returning to step (h) in claim 2;
h) if SSID is not null then determining on the computing device if the source address of the packet is on a cloaking policy alert list;
i) if the source address of the packet is on the cloaking policy alert list then returning to step (h) in claim 2; and
j) if the source address of the packet is not on the cloaking policy alert list then adding on the computing device the source address to the cloaking policy alert list, generating on the computing device a SSID cloaking policy violation detected alert, and returning to step (h) in claim 2.
11. The method of claim 2, wherein the step of preprocessing on the computing device a packet using an encryption violation preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame is a probe response or a beacon frame;
c) if the frame is neither a probe response nor a beacon frame then determining on the computing device if the frame is a data frame or an authentication frame;
d) if the frame is neither a data frame nor an authentication frame then returning to step (h) in claim 2;
e) if the frame is a probe response, beacon frame, data frame, or authentication frame then determining on the computing device if encryption_required is set to a one;
f) if encryption_required is not set to a one then returning to step (h) in claim 2;
g) if encryption_required is set to a one and the frame is a data frame or an authentication frame then determining on the computing device if wep is a one;
h) if wep is a one then returning to step (h) in claim 2;
i) if wep is not a one then determining on the computing device if the source address of the packet is on an encryption policy alert list;
j) if the source address of the packet is on the encryption policy alert list then returning to step (h) in claim 2;
k) if the source address of the packet is not on the encryption policy alert list then adding on the computing device the source address to the encryption policy alert list, generating on the computing device an encryption policy violation detection alert, and returning to step (h) in claim 2;
l) if encryption_required is set to a one and the frame is a beacon or a probe response frame then determining on the computing device if a privacy field is set to a one;
m) if the privacy field is set to a one then returning to step (h) in claim 2;
n) if the privacy field is not set to a one then determining on the computing device if the source address is on the encryption policy alert list;
o) if the source address is on the encryption policy alert list then returning to step (h) in claim 2; and
p) if the source address is not on the encryption policy alert list then adding on the computing device the source address to the encryption policy alert list, generating on the computing device an encryption policy violation detection alert, and returning to step (h) in claim 2.
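Claims 10 and 11 are policy checks driven by two configuration flags: cloaking_required inspects beacons for a non-null SSID, and encryption_required inspects the Privacy capability bit of beacons and probe responses and the protected-frame bit (the "wep" bit of the frame control field) of data and authentication frames. The following added example (not the patent's or any product's code) implements both over constructed frames; the `Frame` fields, the list names and the `protected` name for the wep bit are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Frame:
    ftype: str                   # "beacon", "probe_resp", "data", "auth" (constructed summary)
    src: Optional[str] = None
    ssid: Optional[str] = None   # SSID element; None models the claim's "SSID is null"
    privacy: int = 0             # capability-info Privacy bit (beacon / probe response)
    protected: int = 0           # frame-control Protected Frame bit, the claim's "wep"


@dataclass
class PolicyPreprocessors:
    cloaking_required: bool      # configuration: APs must not broadcast their SSID
    encryption_required: bool    # configuration: all traffic must be encrypted
    cloaking_alert: Set[str] = field(default_factory=set)       # cloaking policy alert list
    encryption_alert: Set[str] = field(default_factory=set)     # encryption policy alert list
    alerts: List[Tuple[str, str]] = field(default_factory=list)  # (kind, source address)

    def cloaking_violation_pp(self, f: Frame) -> None:
        """Claim 10: a beacon that carries a non-null SSID violates the cloaking policy."""
        if f.ftype != "beacon" or not self.cloaking_required:     # steps b-e
            return
        if f.ssid is None or f.src in self.cloaking_alert:        # steps f-i
            return
        self.cloaking_alert.add(f.src)                             # step j
        self.alerts.append(("SSID cloaking policy violation", f.src))

    def encryption_violation_pp(self, f: Frame) -> None:
        """Claim 11: unencrypted data/auth frames, or APs not advertising Privacy."""
        if f.ftype in ("beacon", "probe_resp"):
            compliant = f.privacy == 1                             # steps l, m
        elif f.ftype in ("data", "auth"):
            compliant = f.protected == 1                           # steps g, h
        else:                                                      # step d
            return
        if not self.encryption_required or compliant:             # steps e, f
            return
        if f.src in self.encryption_alert:                         # steps i, j / n, o
            return
        self.encryption_alert.add(f.src)                           # steps k / p
        self.alerts.append(("encryption policy violation", f.src))

    def process(self, f: Frame) -> None:
        """Step (h) of claim 2: run both policy preprocessors on one decoded packet."""
        self.cloaking_violation_pp(f)
        self.encryption_violation_pp(f)


AP1, AP2, AP3 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
CLIENT1, CLIENT2 = "cc:cc:cc:cc:cc:01", "cc:cc:cc:cc:cc:02"

# Constructed capture (not real traffic).
SAMPLE_FRAMES = [
    Frame("beacon", AP1, ssid=None, privacy=1),          # cloaked and encrypted: compliant
    Frame("beacon", AP2, ssid="corp-wifi", privacy=1),   # broadcasts its SSID
    Frame("beacon", AP2, ssid="corp-wifi", privacy=1),   # repeat: suppressed
    Frame("beacon", AP3, ssid=None, privacy=0),          # open network
    Frame("probe_resp", AP3, ssid="guest", privacy=0),   # same AP: suppressed; cloaking checks beacons only
    Frame("data", CLIENT1, protected=0),                 # cleartext data
    Frame("data", CLIENT1, protected=0),                 # repeat: suppressed
    Frame("data", CLIENT2, protected=1),                 # encrypted: compliant
]


def run(frames: List[Frame], cloaking_required: bool = True,
        encryption_required: bool = True) -> PolicyPreprocessors:
    pp = PolicyPreprocessors(cloaking_required, encryption_required)
    for f in frames:
        pp.process(f)
    return pp


if __name__ == "__main__":
    for kind, addr in run(SAMPLE_FRAMES).alerts:
        print(f"ALERT [{kind}] {addr}")
```

Because claim 11 keeps one encryption policy alert list for both frame families, an AP that is first reported for a Privacy-bit-clear beacon will not be reported again for its own unencrypted data frames; the list entry is per source address, not per frame type.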
12. The method of claim 2, wherein the step of preprocessing a packet using a null SSID violation preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame is a probe request;
c) if the frame is a probe request then determining on the computing device if null_ssid_assoc is set to a zero;
d) if null_ssid_assoc is not set to a zero then returning to step (h) in claim 2;
e) if null_ssid_assoc is set to a zero then determining on the computing device if SSID is null;
f) if SSID is not null then returning to step (h) in claim 2;
g) if SSID is set to null then determining on the computing device if the source address of the packet is in a broadcast probe request senders list;
h) if the source address of the packet is in the broadcast probe request senders list then returning to step (h) in claim 2;
i) if the source address of the packet is not in the broadcast probe request senders list then adding on the computing device the source address to the broadcast probe request senders list and returning to step (h) in claim 2;
j) if the frame is not a probe request then determining on the computing device if the frame is a probe response;
k) if the frame is a probe response then determining on the computing device a destination address in its header;
l) determining on the computing device if the destination address is in the broadcast probe request senders list;
m) if the destination address is not in the broadcast probe request senders list then returning to step (h) in claim 2;
n) if the destination address is on the broadcast probe request senders list then determining on the computing device if the source address is on a broadcast probe alert list;
o) if the source address is on the broadcast probe alert list then returning to step (h) in claim 2;
p) if the source address is not on the broadcast probe alert list then adding on the computing device the source address to the broadcast probe alert list, generating on the computing device a Null SSID association alert, and returning to step (h) in claim 2;
q) if the frame is not a probe response then determining on the computing device if the frame is an association request;
r) if the frame is an association request then determining on the computing device if null_ssid_assoc is set to a zero;
s) if null_ssid_assoc is not set to a zero then returning to step (h) in claim 2;
t) if null_ssid_assoc is set to a zero then determining on the computing device if SSID is set to null;
u) if SSID is not set to null then returning to step (h) in claim 2;
v) if SSID is set to null then determining on the computing device if the source address is on a broadcast association request senders list;
w) if the source address is on the broadcast association request senders list then returning to step (h) in claim 2;
x) if the source address is not on the broadcast association request senders list then adding on the computing device the source address to the broadcast association request senders list, and returning to step (h) in claim 2;
y) if the frame is not an association request then determining on the computing device if the frame is an association response;
z) if the frame is not an association response then returning to step (h) in claim 2;
aa) if the frame is an association response then determining on the computing device a destination address in its header;
bb) determining on the computing device if the destination address is on the broadcast association request senders list;
cc) if the destination address is not on the broadcast association request senders list then returning to step (h) in claim 2;
dd) if the destination address is on the broadcast association request senders list then determining on the computing device if the source address is on a broadcast association alert list;
ee) if the source address is on the broadcast association alert list then returning to step (h) in claim 2; and
ff) if the source address is not on the broadcast association alert list then adding on the computing device the source address to the broadcast association alert list, generating on the computing device a Null SSID association alert, and returning to step (h) in claim 2.
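Claim 12 is a two-stage correlation: requests (probe or association) carrying a null SSID put their sender on a "senders" list, and a later response addressed to anyone on that list reports the responding AP once, on a separate alert list. The same structure is used twice, once for the probe pair and once for the association pair. The following added example (not the patent's or any product's code) implements it with one request handler and one response handler shared by both pairs, over constructed frames; the `Frame` fields and the list names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Frame:
    ftype: str                   # "probe_req", "probe_resp", "assoc_req", "assoc_resp", ...
    src: Optional[str] = None
    dst: Optional[str] = None
    ssid: Optional[str] = None   # SSID element; None models the claim's "SSID is null"


@dataclass
class NullSsidPreprocessor:
    null_ssid_assoc: int = 0     # configuration: 0 means null-SSID probing/association is a violation
    probe_senders: Set[str] = field(default_factory=set)   # broadcast probe request senders list
    probe_alert: Set[str] = field(default_factory=set)     # broadcast probe alert list (responding APs)
    assoc_senders: Set[str] = field(default_factory=set)   # broadcast association request senders list
    assoc_alert: Set[str] = field(default_factory=set)     # broadcast association alert list
    alerts: List[str] = field(default_factory=list)

    def _record_request(self, f: Frame, senders: Set[str]) -> None:
        # Steps c-i / r-x: remember who sent a request with a null SSID.
        if self.null_ssid_assoc == 0 and f.ssid is None and f.src is not None:
            senders.add(f.src)

    def _check_response(self, f: Frame, senders: Set[str], alerted: Set[str]) -> None:
        # Steps k-p / aa-ff: a response to a null-SSID requester means the AP answered it.
        if f.dst not in senders or f.src in alerted:
            return
        alerted.add(f.src)
        self.alerts.append(f"Null SSID association: {f.src} answered {f.dst}")

    def process(self, f: Frame) -> None:
        """Claim 12, dispatched on the frame type found in step a."""
        if f.ftype == "probe_req":
            self._record_request(f, self.probe_senders)
        elif f.ftype == "probe_resp":
            self._check_response(f, self.probe_senders, self.probe_alert)
        elif f.ftype == "assoc_req":
            self._record_request(f, self.assoc_senders)
        elif f.ftype == "assoc_resp":
            self._check_response(f, self.assoc_senders, self.assoc_alert)
        # step z: any other frame type is ignored


AP1, AP2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
C1, C2, C3 = "cc:cc:cc:cc:cc:01", "cc:cc:cc:cc:cc:02", "cc:cc:cc:cc:cc:03"

# Constructed capture (not real traffic).
SAMPLE_FRAMES = [
    Frame("probe_req", C1, None, ssid=None),         # broadcast probe (null SSID)
    Frame("probe_req", C2, None, ssid="corp-wifi"),  # directed probe: not recorded
    Frame("probe_resp", AP1, C1),                    # AP1 answers a broadcast probe: alert
    Frame("probe_resp", AP1, C2),                    # C2 never sent a null-SSID probe: silent
    Frame("probe_resp", AP1, C1),                    # AP1 already on the alert list: suppressed
    Frame("probe_resp", AP2, C1),                    # a second AP answers: alert
    Frame("assoc_req", C3, AP1, ssid=None),          # association request with null SSID
    Frame("assoc_resp", AP1, C3),                    # AP1 accepts it: alert (separate list)
    Frame("assoc_resp", AP1, C3),                    # repeat: suppressed
    Frame("data", C1, AP1),                          # other frame types are ignored
]


def run(frames: List[Frame], null_ssid_assoc: int = 0) -> NullSsidPreprocessor:
    pp = NullSsidPreprocessor(null_ssid_assoc=null_ssid_assoc)
    for f in frames:
        pp.process(f)
    return pp


if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES).alerts:
        print("ALERT", line)
```

The senders lists grow without bound as written and the claim specifies no expiry for them, so a real implementation would age entries out; otherwise a single broadcast probe seen months ago keeps every later response to that client reportable.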
13. The method of claim 3, wherein the step of preprocessing on the computing device a packet using a rogue client preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame type contains a source address;
c) if the frame type does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then finding on the computing device the source address in its header;
e) determining on the computing device if the packet is from an access point;
f) if the packet is from an access point then returning to step (h) in claim 2;
g) determining on the computing device if the source address is in a rogue client list;
h) if the source address is not on the rogue client list then determining on the computing device if the source address is on a valid client list;
i) if the source address is on the valid client list then returning to step (h) in claim 2;
j) if the packet is not on the valid client list then adding on the computing device the source address to the rogue client list, generating on the computing device an alert message to indicate that a rogue client has been detected, and returning to step (h) in claim 2;
k) if the source address is on the rogue client list then determining on the computing device if a user-defined time period has expired;
l) if the user-definable time-period has not expired then returning to step (h) in claim 2; and
m) if the user-definable time-period has expired then adding on the computing device the source address to the rogue client list, generating on the computing device an alert message to indicate that a rogue client had been detected, and returning to step (h) in claim 2.
14. The method of claim 13, wherein the step of preprocessing on the computing device a packet using a bridged network preprocessor is comprised of the steps of:
a) finding on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame type does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is a data frame;
e) if the frame is not a data frame then returning to step (h) in claim 2;
f) if the frame is a data frame then determining on the computing device if to_ds and from_ds are each set to one;
g) if to_ds and from_ds are not both set to one then returning to step (h) in claim 2;
h) if to_ds and from_ds are each set to one then determining on the computing device if the source and destination addresses are on an alert list;
i) if the source and destination addresses are on the alert list then determining on the computing device if a user-definable time-period has expired;
j) if the user-definable time-period has not expired then returning to step (h) in claim 2; and
k) if either the user-definable time-period has expired or if the source and destination addresses are not on the alert list then adding on the computing device the source and destination addresses to the alert list, generating on the computing device an alert that indicates that a bridged network has been detected, and returning to step (h) in claim 2.
15. The method of claim 14, wherein the step of preprocessing on the computing device a packet using a rogue client valid access point preprocessor is comprised of the steps of:
a) finding on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is an authentication request;
e) if the frame is an authentication request then determining on the computing device if the source address is on a rogue client list;
f) if the frame is not an authentication request then returning to step (h) in claim 2;
g) if the source address is not on the rogue client list then determining on the computing device if the source address is on the valid client list;
h) if the source address is on the valid client list then returning to step (h) in claim 2;
i) if the source address is on the rogue client list or not on the rogue client list or the valid client list then determining on the computing device if the destination access point address is valid;
j) if the destination access point address is not valid then returning to step (h) in claim 2;
k) if the destination access point address is valid then determining on the computing device if the source address is on a bad authentication request list;
l) if the source address is on the bad authentication request list then returning to step (h) in claim 2; and
m) if the source address is not on the bad authentication request list then adding on the computing device the source address to the bad authentication request list, generating on the computing device an alert to indicate that an unauthorized client is attempting to connect to a valid access point, and returning to step (h) in claim 2.
16. The method of claim 15, wherein the step of preprocessing on the computing device a packet using a valid client rogue access point preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is an authentication request;
e) if the frame is not an authentication request then returning to step (h) in claim 2;
f) if the frame is an authentication request then determining on the computing device if the source address is on a rogue client list;
g) if the source address is on the rogue client list then returning to step (h) in claim 2;
h) if the source address is not on the rogue client list then determining on the computing device if the source address is on a valid client list;
i) if the source address is not on the valid client list then returning to step (h) in claim 2;
j) if the source address is on the valid client list then determining on the computing device if the destination address is rogue;
k) if the destination address is not rogue then returning to step (h) in claim 2;
l) if the destination address is rogue then determining on the computing device if the source address is on a bad authentication request list;
m) if the source address is on the bad authentication request list then returning to step (h) in claim 2; and
n) if the source address is not on the bad authentication request list then adding on the computing device the source address to the bad authentication request list, generating on the computing device an alert to indicate that an authorized client is attempting to connect to a rogue access point, and returning to step (h) in claim 2.

17. The method of claim 16, wherein the step of preprocessing on the computing device a packet using an ad-hoc network preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device if the frame is a beacon or a probe response;
e) if the frame is a beacon or a probe response then determining on the computing device if ESS is equal to zero and IBSS is equal to one;
f) if ESS is not equal to zero or IBSS is not equal to one then returning to step (h) in claim 2;
g) if ESS is equal to zero and IBSS is equal to one then adding on the computing device the source address to the ad-hoc beacon alert list, generating on the computing device an ad-hoc beacon detected alert, and returning to step (h) in claim 2;
h) if the frame is neither a beacon nor a probe response then determining on the computing device if the frame is a data frame;
i) if the frame is not a data frame then returning to step (h) in claim 2;
j) if the frame is a data frame then determining on the computing device if to_ds and from_ds are each set to zero;
k) if to_ds and from_ds are not both set to zero then returning to step (h) in claim 2;
l) if to_ds and from_ds are each set to zero then determining on the computing device if the source and destination addresses are on an active ad-hoc network alert list;
m) if the source and destination addresses are on the active ad-hoc network alert list then returning to step (h) in claim 2;
n) if the source and destination addresses are not on the active ad-hoc network alert list then adding on the computing device the source and destination addresses to the alert list and generating on the computing device an active ad-hoc network detected alert;
o) determining on the computing device if the source address is on a valid client list;
p) if the source address is not on the valid client list then determining on the computing device if the destination address is on the valid client list;
q) if the destination address is not on the valid client list then returning to step (h) in claim 2;
r) if the destination address is on the valid client list then generating on the computing device an authorized client in ad-hoc conversation with rogue client alert, and returning to step (h) in claim 2;
s) if the source address is on the valid client list then determining on the computing device if the destination address is on the valid client list;
t) if the destination address is not on the valid client list then generating on the computing device an authorized client in ad-hoc conversation with rogue client alert, and returning to step (h) in claim 2; and
u) if the destination address is on the valid client list then returning to step (h) in claim 2.

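The decision trees of claims 14 and 17 reduce to a handful of tests on the 802.11 frame-control field (type, subtype, to_ds, from_ds) once the logical source and destination addresses have been resolved from the correct address slots, a step the claims leave implicit: for data frames the SA/DA positions depend on the DS bits, the four-address format only exists when both bits are set, and control frames carry no source address at all. The Python below is an added illustration written for this page, not code from the patent or its assignee. The frame layout and the ESS/IBSS capability bits follow IEEE 802.11; the hold-down period, the valid-client list and the test frames are constructed assumptions, and non-QoS data frames are assumed.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# 802.11 frame control (little-endian 16 bits): bits 2-3 type, 4-7 subtype,
# bit 8 to_ds, bit 9 from_ds.  Capability bits 0/1 of beacons are ESS/IBSS.
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUB_PROBE_RESP, SUB_BEACON = 5, 8
CAP_ESS, CAP_IBSS = 0x0001, 0x0002


def parse_mac_header(frame: bytes) -> Optional[dict]:
    """Type/subtype, DS bits and logical SA/DA; None for control frames (RA only) or short headers."""
    if len(frame) < 2:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    if ftype == TYPE_CTRL or len(frame) < 24:
        return None
    a1, a2, a3, body = frame[4:10], frame[10:16], frame[16:22], frame[24:]
    if ftype == TYPE_DATA and to_ds and from_ds:      # 4-address (WDS/bridge) format: addr4 = SA
        if len(frame) < 30:
            return None
        sa, da, body = frame[24:30], a3, frame[30:]
    elif ftype == TYPE_DATA and to_ds:                 # station -> AP: addr3 = DA
        sa, da = a2, a3
    elif ftype == TYPE_DATA and from_ds:               # AP -> station: addr3 = SA
        sa, da = a3, a1
    else:                                              # IBSS data and all management frames
        sa, da = a2, a1
    return {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "sa": sa, "da": da, "body": body}


class BridgedNetworkDetector:
    """Claim 14: to_ds = from_ds = 1 on a data frame; one alert per (SA, DA) pair per hold-down period."""

    def __init__(self, hold_down_s: float = 300.0):      # default period is an assumption
        self.hold_down_s = hold_down_s
        self.alert_list: Dict[Tuple[bytes, bytes], float] = {}

    def process(self, frame: bytes, now: float) -> Optional[str]:
        h = parse_mac_header(frame)
        if h is None or h["type"] != TYPE_DATA or not (h["to_ds"] and h["from_ds"]):
            return None
        key = (h["sa"], h["da"])
        last = self.alert_list.get(key)
        if last is not None and now - last < self.hold_down_s:
            return None                                # still inside the user-definable time-period
        self.alert_list[key] = now
        return "bridged network detected: %s -> %s" % (h["sa"].hex(":"), h["da"].hex(":"))


class AdHocDetector:
    """Claim 17: IBSS beacons (ESS = 0, IBSS = 1) and station-to-station data (to_ds = from_ds = 0)."""

    def __init__(self, valid_clients: Set[bytes]):
        self.valid_clients = valid_clients
        self.beacon_alerts: Set[bytes] = set()
        self.active_alerts: Set[Tuple[bytes, bytes]] = set()

    def process(self, frame: bytes) -> List[str]:
        h = parse_mac_header(frame)
        if h is None:
            return []
        alerts: List[str] = []
        if h["type"] == TYPE_MGMT and h["subtype"] in (SUB_BEACON, SUB_PROBE_RESP):
            if len(h["body"]) < 12:
                return []
            cap = struct.unpack_from("<H", h["body"], 10)[0]   # after timestamp(8) + interval(2)
            if not cap & CAP_ESS and cap & CAP_IBSS and h["sa"] not in self.beacon_alerts:
                self.beacon_alerts.add(h["sa"])
                alerts.append("ad-hoc beacon detected from %s" % h["sa"].hex(":"))
        elif h["type"] == TYPE_DATA and not h["to_ds"] and not h["from_ds"]:
            key = (h["sa"], h["da"])
            if key not in self.active_alerts:
                self.active_alerts.add(key)
                alerts.append("active ad-hoc network detected: %s <-> %s"
                              % (h["sa"].hex(":"), h["da"].hex(":")))
                # exactly one side on the valid-client list (claim 17 steps o-u)
                if (h["sa"] in self.valid_clients) != (h["da"] in self.valid_clients):
                    alerts.append("authorized client in ad-hoc conversation with rogue client")
        return alerts


def build_frame(ftype, subtype, a1, a2, a3, to_ds=0, from_ds=0, a4=b"", body=b""):
    """Constructed test vector: FC, duration, addr1-3, sequence control, [addr4], body."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9)
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00" + a4 + body


# Locally administered addresses, constructed for the demo.
STA_A, STA_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
AP, BRIDGE = bytes.fromhex("020000000010"), bytes.fromhex("020000000020")


def demo() -> List[str]:
    bridged = BridgedNetworkDetector(hold_down_s=60)
    adhoc = AdHocDetector(valid_clients={STA_A})
    wds = build_frame(TYPE_DATA, 0, AP, BRIDGE, STA_A, to_ds=1, from_ds=1, a4=STA_B)
    ibss = build_frame(TYPE_MGMT, SUB_BEACON, b"\xff" * 6, STA_B, STA_B,
                       body=bytes(8) + struct.pack("<HH", 100, CAP_IBSS))
    peer = build_frame(TYPE_DATA, 0, STA_B, STA_A, STA_B)   # addr1 = DA, addr2 = SA, addr3 = BSSID
    ack = struct.pack("<HH", (TYPE_CTRL << 2) | (13 << 4), 0) + STA_A
    out = [a for a in (bridged.process(wds, now=0.0), bridged.process(wds, now=10.0),
                       bridged.process(wds, now=120.0)) if a]
    out += adhoc.process(ibss) + adhoc.process(peer) + adhoc.process(peer)
    assert bridged.process(ack, now=0.0) is None and adhoc.process(ack) == []   # no source address
    return out
```

`demo()` feeds the same WDS frame three times with a 60 s hold-down: the second copy is suppressed, the third, 120 s later, alerts again, which is the time-period re-arm of claim 14 steps i-k. The IBSS beacon and the first station-to-station frame each alert once; the ACK is dropped at the "no source address" test before any preprocessor logic runs.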
18. The method of claim 17, wherein the step of preprocessing on the computing device a packet using a wrong channel preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame contains a source address;
c) if the frame does not contain a source address then returning to step (h) in claim 2;
d) if the frame contains a source address then determining on the computing device the source address in its header;
e) determining on the computing device if the source address is in a valid client list;
f) if the source address is not in the valid client list then determining on the computing device if the source address is in a valid access point list;
g) if the source address is not in the valid access point list then returning to step (h) in claim 2;
h) if the source address is in the valid client list, or is not in the valid client list but is in the valid access point list, then determining and recording on the computing device the designated operating channel;
i) determining on the computing device if the source address is in a wrong channel alert list;
j) if the source address is in the wrong channel alert list then returning to step (h) in claim 2;
k) if the source address is not in the wrong channel alert list then determining on the computing device if a transmit channel on which the packet was transmitted is the designated operating channel for the source address;
l) if the transmit channel is equal to the designated operating channel then returning to step (h) in claim 2; and
m) if the transmit channel is not equal to the designated operating channel then adding on the computing device the source address to the wrong channel alert list, generating on the computing device a device operating on the wrong channel alert, and returning to step (h) in claim 2.

19. The method of claim 18, wherein the step of preprocessing on the computing device a packet using a cloaking violation preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame is a beacon;
c) if the frame is not a beacon then returning to step (h) in claim 2;
d) if the frame is a beacon then determining on the computing device if cloaking_required is equal to a one;
e) if cloaking_required is not equal to a one then returning to step (h) in claim 2;
f) if cloaking_required is equal to a one then determining on the computing device if SSID is null;
g) if SSID is null then returning to step (h) in claim 2;
h) if SSID is not null then determining on the computing device if the source address of the packet is on a cloaking policy alert list;
i) if the source address of the packet is on the cloaking policy alert list then returning to step (h) in claim 2; and
j) if the source address of the packet is not on the cloaking policy alert list then adding on the computing device the source address to the cloaking policy alert list, generating on the computing device a SSID cloaking policy violation detected alert, and returning to step (h) in claim 2.

20. The method of claim 19, wherein the step of preprocessing on the computing device a packet using an encryption violation preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame is a probe response or a beacon frame;
c) if the frame is neither a probe response nor a beacon frame then determining on the computing device if the frame is a data frame or an authentication frame;
d) if the frame is neither a data frame nor an authentication frame then returning to step (h) in claim 2;
e) if the frame is a probe response, beacon frame, data frame, or authentication frame then determining on the computing device if encryption_required is set to a one;
f) if encryption_required is not set to a one then returning to step (h) in claim 2;
g) if encryption_required is set to a one and the frame is a data frame or an authentication frame then determining on the computing device if wep is a one;
h) if wep is a one then returning to step (h) in claim 2;
i) if wep is not a one then determining on the computing device if the source address of the packet is on an encryption policy alert list;
j) if the source address of the packet is on the encryption policy alert list then returning to step (h) in claim 2;
k) if the source address of the packet is not on the encryption policy alert list then adding on the computing device the source address to the encryption policy alert list, generating on the computing device an encryption policy violation detection alert, and returning to step (h) in claim 2;
l) if encryption_required is set to a one and the frame is a beacon frame or a probe response frame then determining on the computing device if a privacy field is set to a one;
m) if the privacy field is set to a one then returning to step (h) in claim 2;
n) if the privacy field is not set to a one then determining on the computing device if the source address is on the encryption policy alert list;
o) if the source address is on the encryption policy alert list then returning to step (h) in claim 2; and
p) if the source address is not on the encryption policy alert list then adding on the computing device the source address to the encryption policy alert list, generating on the computing device an encryption policy violation detection alert, and returning to step (h) in claim 2.

21. The method of claim 20, wherein the step of preprocessing on the computing device a packet using a null SSID violation preprocessor is comprised of the steps of:
a) determining on the computing device a frame type of the packet;
b) determining on the computing device if the frame is a probe request;
c) if the frame is a probe request then determining on the computing device if null_ssid_assoc is set to a zero;
d) if null_ssid_assoc is not set to a zero then returning to step (h) in claim 2;
e) if null_ssid_assoc is set to a zero then determining on the computing device if SSID is null;
f) if SSID is not null then returning to step (h) in claim 2;
g) if SSID is null then determining on the computing device if the source address of the packet is in a broadcast probe request senders list;
h) if the source address of the packet is in the broadcast probe request senders list then returning to step (h) in claim 2;
i) if the source address of the packet is not in the broadcast probe request senders list then adding on the computing device the source address to the broadcast probe request senders list and returning to step (h) in claim 2;
j) if the frame is not a probe request then determining on the computing device if the frame is a probe response;
k) if the frame is a probe response then determining on the computing device a destination address in its header;
l) determining on the computing device if the destination address is in the broadcast probe request senders list;
m) if the destination address is not in the broadcast probe request senders list then returning to step (h) in claim 2;
n) if the destination address is in the broadcast probe request senders list then determining on the computing device if the source address is on a broadcast probe alert list;
o) if the source address is on the broadcast probe alert list then returning to step (h) in claim 2;
p) if the source address is not on the broadcast probe alert list then adding on the computing device the source address to the broadcast probe alert list, generating on the computing device a Null SSID association alert, and returning to step (h) in claim 2;
q) if the frame is not a probe response then determining on the computing device if the frame is an association request;
r) if the frame is an association request then determining on the computing device if null_ssid_assoc is set to a zero;
s) if null_ssid_assoc is not set to a zero then returning to step (h) in claim 2;
t) if null_ssid_assoc is set to a zero then determining on the computing device if SSID is set to null;
u) if SSID is not set to null then returning to step (h) in claim 2;
v) if SSID is set to null then determining on the computing device if the source address is on a broadcast association request senders list;
w) if the source address is on the broadcast association request senders list then returning to step (h) in claim 2;
x) if the source address is not on the broadcast association request senders list then adding on the computing device the source address to the broadcast association request senders list, and returning to step (h) in claim 2;
y) if the frame is not an association request then determining on the computing device if the frame is an association response;
z) if the frame is not an association response then returning to step (h) in claim 2;
aa) if the frame is an association response then determining on the computing device a destination address in its header;
bb) determining on the computing device if the destination address is on the broadcast association request senders list;
cc) if the destination address is not on the broadcast association request senders list then returning to step (h) in claim 2;
dd) if the destination address is on the broadcast association request senders list then determining on the computing device if the source address is on a broadcast association alert list;
ee) if the source address is on the broadcast association alert list then returning to step (h) in claim 2; and
ff) if the source address is not on the broadcast association alert list then adding on the computing device the source address to the broadcast association alert list, generating on the computing device a Null SSID association alert, and returning to step (h) in claim 2.

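Claims 15, 16, 19, 20 and 21 all operate on management frames, where the source is always addr2 and the destination addr1, and differ only in which fixed field or information element they inspect (the capability bits, the SSID element, the authentication sequence number) and which alert list suppresses repeat alerts. The example below is an added illustration for this page, not the patent's code: it implements those five checks over constructed frames, treats an absent or zero-length SSID element as the "null SSID" of the claims, identifies an authentication request by sequence number 1 in the authentication body, and limits the claim-20 check to the beacon/probe-response privacy bit (the data-frame wep flag branch is omitted). The list contents and the cloaking_required, encryption_required and null_ssid_assoc settings are assumptions.

```python
import struct
from typing import List, Optional, Set

# Management subtypes and the offset of the first information element in each
# body (standard 802.11 fixed-field sizes); capability bit 4 is Privacy.
SUB_ASSOC_REQ, SUB_ASSOC_RESP, SUB_PROBE_REQ, SUB_PROBE_RESP, SUB_BEACON, SUB_AUTH = 0, 1, 4, 5, 8, 11
IE_OFFSET = {SUB_ASSOC_REQ: 4, SUB_ASSOC_RESP: 6, SUB_PROBE_REQ: 0, SUB_PROBE_RESP: 12, SUB_BEACON: 12}
CAP_PRIVACY = 0x0010


def parse_mgmt(frame: bytes) -> Optional[dict]:
    """Management frames only (SA = addr2, DA = addr1); ssid is None when absent or zero-length."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:     # low FC byte: bits 2-3 type, 4-7 subtype
        return None
    sub, body = frame[0] >> 4, frame[24:]
    h = {"subtype": sub, "da": frame[4:10], "sa": frame[10:16], "body": body, "ssid": None, "cap": 0}
    if sub in (SUB_BEACON, SUB_PROBE_RESP) and len(body) >= 12:
        h["cap"] = struct.unpack_from("<H", body, 10)[0]      # after timestamp(8) + interval(2)
    off = IE_OFFSET.get(sub, len(body))
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        if eid == 0:                                         # element ID 0 = SSID
            h["ssid"] = body[off + 2:off + 2 + elen] or None
            break
        off += 2 + elen
    return h


class PolicyPreprocessor:
    """Claims 15/16 (authentication requests), 19 (cloaking), 20 (privacy bit), 21 (null SSID)."""

    def __init__(self, valid_clients: Set[bytes], valid_aps: Set[bytes], rogue_aps: Set[bytes],
                 cloaking_required=True, encryption_required=True, null_ssid_assoc=False):
        self.valid_clients, self.valid_aps, self.rogue_aps = valid_clients, valid_aps, rogue_aps
        self.cloaking_required, self.encryption_required = cloaking_required, encryption_required
        self.null_ssid_assoc = null_ssid_assoc
        self.bad_auth, self.cloak_alerts, self.enc_alerts = set(), set(), set()   # alert lists
        # null-SSID senders and alert lists, keyed by the subtype of the answering frame
        self.senders = {SUB_PROBE_RESP: set(), SUB_ASSOC_RESP: set()}
        self.null_ssid_alerts = {SUB_PROBE_RESP: set(), SUB_ASSOC_RESP: set()}

    def process(self, frame: bytes) -> List[str]:
        h = parse_mgmt(frame)
        if h is None:
            return []
        return [a for a in (self._auth(h), self._cloak(h), self._enc(h), self._null_ssid(h)) if a]

    @staticmethod
    def _once(alert_list: set, addr: bytes, msg: str) -> Optional[str]:
        if addr in alert_list:
            return None
        alert_list.add(addr)
        return "%s: %s" % (msg, addr.hex(":"))

    def _auth(self, h):
        # authentication request = authentication frame whose sequence number (2nd field) is 1
        if h["subtype"] != SUB_AUTH or len(h["body"]) < 6 or struct.unpack_from("<HHH", h["body"])[1] != 1:
            return None
        sa, da = h["sa"], h["da"]
        if sa not in self.valid_clients and da in self.valid_aps:          # claim 15
            return self._once(self.bad_auth, sa, "unauthorized client attempting to connect to valid access point")
        if sa in self.valid_clients and da in self.rogue_aps:              # claim 16
            return self._once(self.bad_auth, sa, "authorized client attempting to connect to rogue access point")
        return None

    def _cloak(self, h):
        if h["subtype"] != SUB_BEACON or not self.cloaking_required or h["ssid"] is None:
            return None
        return self._once(self.cloak_alerts, h["sa"], "SSID cloaking policy violation")

    def _enc(self, h):
        if h["subtype"] not in (SUB_BEACON, SUB_PROBE_RESP) or not self.encryption_required or h["cap"] & CAP_PRIVACY:
            return None
        return self._once(self.enc_alerts, h["sa"], "encryption policy violation")

    def _null_ssid(self, h):
        if self.null_ssid_assoc:                 # policy permits association to a broadcast SSID
            return None
        sub = h["subtype"]
        if sub in (SUB_PROBE_REQ, SUB_ASSOC_REQ):
            if h["ssid"] is None:                # request subtype + 1 is its response subtype
                self.senders[sub + 1].add(h["sa"])
            return None
        if sub in self.senders and h["da"] in self.senders[sub]:
            return self._once(self.null_ssid_alerts[sub], h["sa"], "Null SSID association")
        return None


def mgmt(sub, a1, a2, a3, body=b""):
    """Constructed management frame: FC (type 0), duration, addr1-3, sequence control, body."""
    return struct.pack("<HH", sub << 4, 0) + a1 + a2 + a3 + b"\x00\x00" + body


STA, UNKNOWN = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # constructed
AP, ROGUE, BCAST = bytes.fromhex("020000000010"), bytes.fromhex("020000000020"), b"\xff" * 6


def demo() -> List[str]:
    pp = PolicyPreprocessor(valid_clients={STA}, valid_aps={AP}, rogue_aps={ROGUE})
    beacon_body = lambda cap: bytes(8) + struct.pack("<HH", 100, cap) + b"\x00\x04corp"
    frames = [
        mgmt(SUB_BEACON, BCAST, AP, AP, beacon_body(0x0001)),              # ESS, no Privacy, SSID in clear
        mgmt(SUB_PROBE_REQ, BCAST, STA, BCAST, b"\x00\x00"),                # broadcast probe, zero-length SSID
        mgmt(SUB_PROBE_RESP, STA, AP, AP, beacon_body(0x0011)),             # AP answers the broadcast probe
        mgmt(SUB_AUTH, ROGUE, STA, ROGUE, struct.pack("<HHH", 0, 1, 0)),    # valid client -> rogue AP
        mgmt(SUB_AUTH, AP, UNKNOWN, AP, struct.pack("<HHH", 0, 1, 0)),      # unknown client -> valid AP
    ]
    out = [a for f in frames for a in pp.process(f)]
    assert all(pp.process(f) == [] for f in frames)   # alert lists suppress repeats
    return out
```

The probe-response alert is the interesting one: the probe request itself never alerts, it only records the sender, and the alert lands on the access point that answered a null-SSID probe, which is exactly the correlation claim 21 steps g-p describe. Replaying the same frames a second time produces nothing, since every check is gated on its own alert list.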
3. The method of claim 2, wherein the step of preprocessing on the computing device a packet using a rogue access point and transmit channel preprocessor is comprised of the steps of:
-
Resources
Current Assignee: National Security Agency
Original Assignee: The United States of America As Represented By The Director of The National Security Agency
Inventors: Matlock, Kristen L.
Primary Examiner(s): Dinh; Minh
Assistant Examiner(s): Okeke; Izunna
Application Number: US11/602,430
Time in Patent Office: 1,867 Days
Field of Search: 726/22, 726/23, 726/24, 726/25, 726/26, 713/153, 713/154
US Class Current: 726/23
CPC Class Codes: H04W 12/122 Counter-measures against at...; H04W 12/126 Anti-theft arrangements, e....