Method and system for detecting characteristics of a wireless network

US 8,122,506 B2
Filed: 05/21/2009
Issued: 02/21/2012
Est. Priority Date: 04/03/2003
Status: Expired due to Term

First Claim

Patent Images

1. A method, performed by one or more components of a node in a wireless network, the method comprising:

detecting, by the one or more components, a first packet associated with a wireless access device and transmitted via the wireless network;

determining, by the one or more components, a type of the first packet;

determining, by the one or more components, an identity of at least one device in communication with the wireless access device;

defining, by the one or more components, a first state of operation, of the wireless access device, corresponding to the type of the first packet and the identity of the at least one device;

detecting, by the one or more components, a second packet associated with the wireless access device and transmitted via the wireless network;

determining, by the one or more components, a type of the second packet;

determining, by the one or more components, one or more source devices and/or one or more destination devices of the second packet;

defining, by the one or more components, a current state of operation, of the wireless access device, corresponding to the type of the second packet and the one or more source devices and/or the one or more destination devices;

identifying, by the one or more components and when the first state of operation differs from the current state of operation, a state change for the wireless access device; and

generating, by the one or more components, an event notification indicating the identified state change.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.

70 Citations

View as Search Results

20 Claims

1. A method, performed by one or more components of a node in a wireless network, the method comprising:
- detecting, by the one or more components, a first packet associated with a wireless access device and transmitted via the wireless network;
  
  determining, by the one or more components, a type of the first packet;
  
  determining, by the one or more components, an identity of at least one device in communication with the wireless access device;
  
  defining, by the one or more components, a first state of operation, of the wireless access device, corresponding to the type of the first packet and the identity of the at least one device;
  
  detecting, by the one or more components, a second packet associated with the wireless access device and transmitted via the wireless network;
  
  determining, by the one or more components, a type of the second packet;
  
  determining, by the one or more components, one or more source devices and/or one or more destination devices of the second packet;
  
  defining, by the one or more components, a current state of operation, of the wireless access device, corresponding to the type of the second packet and the one or more source devices and/or the one or more destination devices;
  
  identifying, by the one or more components and when the first state of operation differs from the current state of operation, a state change for the wireless access device; and
  
  generating, by the one or more components, an event notification indicating the identified state change.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - creating a first entry, corresponding to the first state, in a state transition table for the wireless access device.
  - 3. The method of claim 2, where identifying the state change comprises:
    - comparing the first state of operation with the current state of operation, andcreating, when a result of the comparing determines that the current state of operation differs from first state of operation, a new entry in the state transition table that differs from the first entry.
  - 4. The method of claim 2, further comprising:
    - checking, responsive to the event notification and using at least one security policy element, whether the identified state change corresponds to a prohibited activity; and
      
      sending, only when a result of the checking indicates that the state change corresponds to the prohibited activity, an alert indicating that the state change has occurred in the wireless network.
  - 5. The method of claim 4, where checking whether the identified state change corresponds to the prohibited activity comprises:
    - determining that an unauthorized communication has occurred by the one or more source devices or the one or more destination devices using illegitimate credentials, andsending a notification based on determining that the unauthorized communication has occurred.
  - 6. The method of claim 4, where checking whether the identified state change corresponds to the prohibited activity comprises:
    - comparing the current state of operation with the first entry in the state transition table;
      
      determining, when a result of the comparing indicates that the current state of operation differs from the first state of operation, that an illegal state change has occurred; and
      
      sending a notification based on determining that the illegal state change has occurred.
  - 7. The method of claim 6, where determining that the illegal state change has occurred comprises:
    - determining, based on the current state of operation of the wireless access device, a group of possible prior state values of the wireless access device,determining whether an actual prior state of the wireless access device matches one of the group of possible prior states, andgenerating an alert based on determining that the actual prior state is not among the group of possible prior states.
  - 8. The method of claim 1, where the type of the first packet or the type of the second packet comprises at least one of a generic packet type, a diagnostic packet type, an event packet type, or a configuration packet type.
  - 9. The method of claim 1, where the prohibited activity comprises at least one of a security violation, a communication with an intruder, or an anomalous behavior of the wireless access device.

10. A system comprising:
- a network device to;
  
  detect a first packet identifying a wireless access device;
  
  determine a type of the first packet;
  
  determine at least one device in communication with the wireless access device via a wireless network;
  
  define, based on the at least one device and the type of the first packet, a first state of a session between the wireless access device and the at least one device;
  
  detect a plurality of packets associated with the wireless access device;
  
  determine types of the plurality of packets;
  
  determine sources and/or destinations of the plurality of packets;
  
  determine that a state change has occurred, from the first state, when at least one of the types of the plurality of packets differs from the type of the first packet or the sources or the destinations comprise devices other than the at least one device; and
  
  generate an event notification of the state change.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, where the network device is further to:
    - create a state transition table for the wireless access device, the state transition table including a first entry indicative of the first state; and
      
      identify the state change in the state transition table when the state change has occurred.
  - 12. The system of claim 10, where the network device is further to:
    - check, using at least one security policy element, whether a prohibited activity or a permitted activity has occurred in the wireless network based on the event notification; and
      
      send, based on checking whether the prohibited activity or the permitted activity has occurred, an alert indicating that the prohibited activity has occurred.
  - 13. The system of claim 12, where the prohibited activity comprises at least one of a security violation, a communication with an intruder, or an anomalous behavior of the wireless access device.
  - 14. The system of claim 10, where the type of the first packet or the type of the detected packets comprises at least one of a generic packet type, a diagnostic packet type, an event packet type, or a configuration packet type.

15. A non-transitory computer-readable storage medium storing computer program comprising:
- instructions to define a first operational state associated with a wireless access device based on a first type of a packet detected via the wireless network and at least one destination network device and/or source network device for the packet;
  
  instructions to monitor a plurality of packets transmitted by the wireless access device and/or received at the wireless access device;
  
  instructions to determine that a state change from a first operational state has occurred when a destination network device and/or a source network device, other than the at least one destination network device and/or the source network device is identified based on the observation;
  
  instructions to determine that a state change from the first operational state has occurred when a second type of packet that differs from the first type of packet is identified based on the observation;
  
  instructions to define, using information indicative of the state change, a second operational state; and
  
  instructions to generate an event notification indicating the state change.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, further comprising:
    - instructions to create a state transition table for a wireless access device in a wireless network; and
      
      instructions to store the first operational state in the state transition table.
  - 17. The non-transitory computer-readable storage medium of claim 16, further comprising:
    - instructions to store the second operational state in the state transition table; and
      
      instructions to check, using at least one security policy element, whether the state change corresponds to a permitted activity or a prohibited activity in the wireless network.
  - 18. The non-transitory computer-readable storage medium of claim 17, further comprising:
    - instructions to send, based on a result of the checking, an alert indicating that the prohibited activity has occurred only when the result indicates a violation of the at least one security policy element.
  - 19. The non-transitory computer-readable storage medium of claim 15, where the prohibited activity comprises at least one of a security violation, a communication with an intruder, or an anomalous behavior of the wireless access device.
  - 20. The non-transitory computer-readable storage medium of claim 15, where the first type of packet and the second type of packet comprise at least one of a generic packet type, a diagnostic packet type, an event packet type, or a configuration packet type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ozmo Licensing LLC
Original Assignee
MCI Communications Services Incorporated (Verizon Communications Inc.)
Inventors
Harvey, Elaine, Walnock, Matthew
Primary Examiner(s)
Pich, Ponnoreay

Application Number

US12/470,195
Publication Number

US 20090296598A1
Time in Patent Office

1,006 Days
Field of Search

726 22- 24
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

Method and system for detecting characteristics of a wireless network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting characteristics of a wireless network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links