Method, system and program product for detecting intrusion of a wireless network

US 8,539,580 B2
Filed: 06/19/2002
Issued: 09/17/2013
Est. Priority Date: 06/19/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting intrusion of a wireless network, comprising:

initially, monitoring for key indicator flags within a data stream, the key indicator flags including at least a time of day indicator that determines whether traffic has occurred outside of normal working hours, wherein an intrusion alert is generated if a key indicator flag is detected;

determining a validity deviation of the data stream received by a wireless network; and

determining an intrusion deviation of the data stream if the validity deviation exceeds a validity threshold, wherein intrusion is detected if the intrusion deviation is less than an intrusion threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the present invention provides a method, system and program product for detecting intrusion of a wireless network. Specifically, under the present invention, a data stream received by a wireless network is monitored. A validity deviation is determined by comparing the data stream to a valid data stream. If the validity deviation exceeds a validity threshold, an intrusion deviation is determined by comparing the data stream to a known intrusion data stream. Then, if the intrusion deviation is less than an intrusion threshold, intrusion is detected and an intrusion alert is generated.

Citations

24 Claims

1. A method for detecting intrusion of a wireless network, comprising:
- initially, monitoring for key indicator flags within a data stream, the key indicator flags including at least a time of day indicator that determines whether traffic has occurred outside of normal working hours, wherein an intrusion alert is generated if a key indicator flag is detected;
  
  determining a validity deviation of the data stream received by a wireless network; and
  
  determining an intrusion deviation of the data stream if the validity deviation exceeds a validity threshold, wherein intrusion is detected if the intrusion deviation is less than an intrusion threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising generating an intrusion alert if the intrusion deviation is less than the intrusion threshold.
  - 3. The method of claim 1, wherein the data stream comprises one data packet.
  - 4. The method of claim 1, wherein the data stream comprises a plurality of data packets.
  - 5. The method of claim 1, wherein the validity deviation is determined by comparing protocols of the data stream to protocols of a valid data stream, and wherein the intrusion deviation is determined by comparing the protocols of the data stream to protocols of a known intrusion data stream.
  - 6. The method of claim 1, further comprising providing a library of valid data streams and known intrusion data streams for determining the validity deviation and the intrusion deviation.

7. A method for detecting intrusion of a wireless network, comprising:
- detecting a data stream received by a wireless network;
  
  initially, monitoring for key indicator flags within the data stream, the monitoring including;
  
  determining whether the data stream matches a predefined traffic pattern;
  
  determining whether the data stream has an invalid service set identifier;
  
  determining whether the data stream has an older service set identifier;
  
  determining whether the data stream has an invalid media access control;
  
  determining whether the data stream occurs outside of normal working hours;
  
  determining whether the data stream includes too many queries from a same sender; and
  
  generating an intrusion alert if a key indicator flag is detected;
  
  determining a validity deviation of the data stream by comparing the data stream to a valid data stream;
  
  determining an intrusion deviation of the data stream if the validity deviation exceeds a validity threshold by comparing the data stream to a known intrusion data stream, wherein intrusion is detected if the intrusion deviation is less than an intrusion threshold or if a key indicator flag is detected; and
  
  generating an intrusion alert if intrusion is detected.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the data stream comprises a single data packet.
  - 9. The method of claim 7, wherein the data stream comprises a plurality of data packets.
  - 10. The method of claim 7, further comprising monitoring for state based intrusion indicators within the data stream, wherein intrusion is detected if state based intrusion indicators are detected.
  - 11. The method of claim 7, further comprising providing a library of valid data streams and known intrusion data streams for determining the validity deviation and the intrusion deviation.
  - 12. The method of claim 7, wherein the validity deviation is determined by comparing protocols of the data stream to protocols of the valid data stream, and wherein the intrusion deviation is determined by comparing the protocols of the data stream to protocols of the known intrusion stream.

13. A system for detecting intrusion of a wireless network, comprising:
- a plurality of invalid access points, each of the plurality of invalid access points for generating data streams in an attempt to entice a sender of an invalid communication to access the access point;
  
  a data stream system for initially monitoring for key indicator flags within a data stream, the monitoring including;
  
  determining whether the data stream matches a predefined traffic pattern;
  
  determining whether the data stream has an invalid service set identifier;
  
  determining whether the data stream has an older service set identifier;
  
  determining whether the data stream has an invalid media access control;
  
  determining whether the data stream occurs outside of normal working hours;
  
  determining whether the data stream includes too many queries from a same sender; and
  
  generating an intrusion alert if a key indicator flag is detected;
  
  a validity deviation system for determining a validity deviation of the data stream received by a wireless network; and
  
  an intrusion deviation system for determining an intrusion deviation of the data stream if the validity deviation exceeds a validity threshold, wherein intrusion is detected if the intrusion deviation is less than an intrusion threshold.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising an intrusion alert system for generating an intrusion alert if the intrusion deviation is less than the intrusion threshold.
  - 15. The system of claim 13, wherein the data stream comprises one data packet.
  - 16. The system of claim 13, wherein the data stream comprises a plurality of data packets.
  - 17. The system of claim 13, wherein the validity deviation is determined by comparing protocols of the data stream to protocols of a valid data stream, and wherein the intrusion deviation is determined by comparing the protocols of the data stream to protocols of a known intrusion data stream.
  - 18. The system of claim 13, further comprising a library of valid data streams and known intrusion data streams for determining the validity deviation and the intrusion deviation.

19. A program product stored on a recordable device for detecting intrusion of a wireless network, which when executed, comprises:
- program code for initially monitoring a data stream for key indicator flags, the key indicator flags including at least a time of day indicator that determines whether traffic has occurred outside of normal working hours, wherein an intrusion alert is generated if a key indicator flag is detected;
  
  program code for determining a validity deviation of the data stream received by a wireless network; and
  
  program code for determining an intrusion deviation of the data stream if the validity deviation exceeds a validity threshold, wherein intrusion is detected if the intrusion deviation is less than an intrusion threshold.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The program product of claim 19, further comprising program code for generating an intrusion alert if the intrusion deviation falls below the intrusion threshold.
  - 21. The program product of claim 19, wherein the data stream comprises one data packet.
  - 22. The program product of claim 19, wherein the data stream comprises a plurality of data packets.
  - 23. The program product of claim 19, wherein the validity deviation is determined by comparing protocols of the data stream to protocols of a valid data stream, and wherein the intrusion deviation is determined by comparing the protocols of the data stream to protocols of a known intrusion data stream.
  - 24. The program product of claim 19, further comprising a library of valid data streams and known intrusion data streams for determining the validity deviation and the intrusion deviation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Denton, Guy S., Lackey, Joshua
Primary Examiner(s)
Rashid, Harunur

Application Number

US10/177,503
Publication Number

US 20030237000A1
Time in Patent Office

4,108 Days
Field of Search

726/23, 726/24, 726/25, 709/224
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

Method, system and program product for detecting intrusion of a wireless network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and program product for detecting intrusion of a wireless network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links