Systems and methods for generating, managing, and displaying alarms for wireless network monitoring

US 8,205,244 B2
Filed: 02/27/2007
Issued: 06/19/2012
Est. Priority Date: 02/27/2007
Status: Active Grant

First Claim

Patent Images

1. A method of generating alarms for wireless network monitoring comprising the steps of:

monitoring a wireless local area network;

receiving events responsive to the monitoring step, wherein the events relate to security in the wireless local area network;

correlating received events to triggers;

raising an alarm responsive to one or more triggers being above a pre-defined threshold value;

leaving the raised alarm unaffected by new events and new triggers correlated to the raised alarm thereby avoiding flooding of alarms based on a same event; and

maintaining the alarm for a predetermined time following the one or more triggers being below the pre-defined threshold value;

wherein the triggers are utilized in the method of generating alarms as an intermediate step between the received events and any associated alarm to reduce a volume of the generated alarms by correlating the received events with one another and with the generated alarms.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to systems and methods for generating, managing, and displaying alarms associated with monitoring a wireless network. Advantageously, the present disclosure provides one alarm per security event, and the ability to see an event in context over time and aggregate information. This results in a significant reduction in alarm volume for wireless monitoring which increases manageability and reduces storage requirements. Further, this provides better security by avoiding the “needle in the haystack” problem where you see few actionable alarms rather than being flooded by multiple copies of the same event over time. Finally, the present disclosure provides improved system scalability with large deployments by managing alarms through lesser alarm volume, and through visual representation.

Citations

20 Claims

1. A method of generating alarms for wireless network monitoring comprising the steps of:
- monitoring a wireless local area network;
  
  receiving events responsive to the monitoring step, wherein the events relate to security in the wireless local area network;
  
  correlating received events to triggers;
  
  raising an alarm responsive to one or more triggers being above a pre-defined threshold value;
  
  leaving the raised alarm unaffected by new events and new triggers correlated to the raised alarm thereby avoiding flooding of alarms based on a same event; and
  
  maintaining the alarm for a predetermined time following the one or more triggers being below the pre-defined threshold value;
  
  wherein the triggers are utilized in the method of generating alarms as an intermediate step between the received events and any associated alarm to reduce a volume of the generated alarms by correlating the received events with one another and with the generated alarms.
- View Dependent Claims (2, 3, 4, 5, 6, 19, 20)
- - 2. The method of claim 1, wherein events correspond to custom-coded signatures or are semantically defined.
  - 3. The method of claim 1, wherein the correlating step comprises updating the trigger count corresponding to each received event.
  - 4. The method of claim 3, wherein the trigger count is maintained in a hash table indexed to alarm type and device media access control address.
  - 5. The method of claim 3, wherein each trigger comprises a watch time corresponding to the amount of time events are examined for and a high water threshold corresponding to the number of events in the watch time which corresponds to the trigger being above the pre-defined threshold value.
  - 6. The method of claim 1, wherein the monitoring step is performed by a plurality of sensors, and the receiving, analyzing, and raising steps are performed by a server.
  - 19. The method of claim 1, wherein each of the triggers comprises an alarm related event on the wireless local area network, and each of the triggers relates to a specific device on the wireless local area network.
  - 20. The method of claim 19, wherein the alarm related event comprises any of privacy encryption violation, identification theft, unauthorized rogue Access Point, and wireless local area network Jack signature.

7. A method of managing alarms for wireless network monitoring comprising the steps of:
- receiving events from monitoring of a wireless local area network, wherein the events relate to security in the wireless local area network;
  
  correlating each received event to one or more triggers in which the received event participates, wherein the one or more triggers comprise a count of events of a pre-defined period;
  
  updating one or more trigger sets responsive to the one or more triggers;
  
  generating alarms over the pre-defined period responsive to each trigger being high in the one or more trigger sets;
  
  leaving generated alarms unaffected responsive to newly received events correlated to the generated alarms thereby avoiding flooding of alarms based on a same event; and
  
  handling alarms to update active and inactive alarms;
  
  wherein the one or more triggers are utilized in the method of managing alarms as an intermediate step between the received events and any associated alarm to reduce a volume of the generated alarms by correlating the received events with one another and with the generated alarms.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, further comprising the step of:
    - loading an alarm configuration;
      
      wherein the alarm configuration defines the each event to one or more triggers, one or more triggers to each trigger set, and each alarm to one or more trigger sets.
  - 9. The method of claim 7, wherein the correlating step comprises updating the one or more triggers in which the received event participates by updating the trigger count.
  - 10. The method of claim 9, wherein the trigger count is maintained by a hash table comprising alarm objects for each alarm type and device media access control address.
  - 11. The method of claim 7, wherein the generating step comprises the steps of:
    - determining if each trigger count exceeds a high threshold over the pre-defined period;
      
      determining if each trigger count in a trigger set exceeds the high threshold for each trigger; and
      
      raising an alarm for each trigger set with all corresponding triggers exceeding the high threshold.
  - 12. The method of claim 7, wherein the handling step comprises the steps of:
    - determining if each trigger count is below a low threshold over the pre-defined period;
      
      if an alarm is active, and one of the triggers in the trigger set corresponding to the alarm is below the low threshold, then setting the alarm to inactive; and
      
      removing all inactive alarms which have been inactive for a duration period.
  - 13. The method of claim 7, wherein the receiving, correlating, generating, and handling steps are performed by a server.

14. An alarm manager display for a wireless network, comprising:
- a server comprising a display;
  
  an alarm table listing alarms in the wireless network, wherein each alarm comprises a criticality, category, type, time, and wireless device;
  
  a network tree comprising logical groupings of wireless network devices;
  
  alarm information comprising detailed information about an alarm selected in the alarm table; and
  
  network alarm totals comprising a count of the total alarms in the wireless network and a pie chart depicting the breakdown of alarms by category and priority;
  
  wherein alarms in the alarm table can be filtered by alarm priority, device type, wireless channel, signal strength, device state, date and time, and alarm category and type;
  
  wherein alarms in the alarm table can be cleared by a user and kept cleared for a configurable time; and
  
  wherein the alarms are generated by the server based on the steps of;
  
  receiving events responsive to monitoring a wireless local area network comprising the wireless network devices, wherein the events relate to security in the wireless local area network;
  
  correlating received events to triggers;
  
  raising an alarm responsive to one or more triggers being above a pre-defined threshold value;
  
  leaving the raised alarm unaffected by new events and new triggers correlated to the raised alarm thereby avoiding flooding of alarms based on a same event; and
  
  maintaining the alarm for a predetermined time following the one or more triggers being below the pre-defined threshold value;
  
  wherein the one or more triggers are utilized as an intermediate step between the received events and any associated alarm to reduce a volume of generated alarms in the alarm manager by correlating the received events with one another and with the generated alarms.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The alarm manager display of claim 14, further comprising an alarm details dialog comprising alarm information, user-editable alarm notes, alarm description, investigation information, and mitigation information.
  - 16. The alarm manager display of claim 14, further comprising an alarm configuration dialog for a user to configure settings for alarms.
  - 17. The alarm manager display of claim 14, wherein the criticality comprises a user-editable threat calculation value between 0 and 100, wherein the threat calculation value is utilized to calculate a threat index for devices, groups, locations, and the wireless network.
  - 18. The alarm manager display of claim 14, wherein the alarm manager display is configure to minimize alarms by utilizing events, triggers, and trigger sets to provide one alarm per a plurality of events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Nightingale, Todd W., Regoti, Lakshmaiah, Kailash, Kailash, Sood, Vikas, Crank, Samuel J.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US11/711,371
Publication Number

US 20080209517A1
Time in Patent Office

1,939 Days
Field of Search

726/3, 726 22- 23, 726/24, 379/44, 709/203, 709/224
US Class Current

726/3
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04W 12/122   Counter-measures against at...

H04W 84/12   WLAN [Wireless Local Area N...

Systems and methods for generating, managing, and displaying alarms for wireless network monitoring

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for generating, managing, and displaying alarms for wireless network monitoring

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links