Method and system for detecting and preventing access intrusion in a network

US 8,707,432 B1
Filed: 12/20/2007
Issued: 04/22/2014
Est. Priority Date: 02/06/2004
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a denial of service attack in a wireless computer network, the method comprising:

recording, at a plurality of intervals, a number of association or probe requests made by a wireless client device to a plurality of wireless edge devices coupled to a respective plurality of ports of a network switch;

comparing the number of association or probe requests recorded at each interval to a threshold value;

detecting the denial of service attack if the number of association or probe requests exceeds the threshold value; and

monitoring a protocol state machine associated with the wireless client device by a network analysis application running on a server computer, the protocol state machine having one or more wireless attributes of the wireless client device, the network analysis application detecting the denial of service attack by detecting anomalies in the one or more wireless attributes, wherein the one or more wireless attributes comprise the number of association and probe requests.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.

279 Citations

10 Claims

1. A method of detecting a denial of service attack in a wireless computer network, the method comprising:
- recording, at a plurality of intervals, a number of association or probe requests made by a wireless client device to a plurality of wireless edge devices coupled to a respective plurality of ports of a network switch;
  
  comparing the number of association or probe requests recorded at each interval to a threshold value;
  
  detecting the denial of service attack if the number of association or probe requests exceeds the threshold value; and
  
  monitoring a protocol state machine associated with the wireless client device by a network analysis application running on a server computer, the protocol state machine having one or more wireless attributes of the wireless client device, the network analysis application detecting the denial of service attack by detecting anomalies in the one or more wireless attributes, wherein the one or more wireless attributes comprise the number of association and probe requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 performed on non-dedicated, distributed network infrastructure.
  - 3. The method of claim 1 wherein the threshold value is based on a normal rate of association or probe requests.
  - 4. The method of claim 1 further comprising, in response to detecting the denial of service attack, automatically instructing the network switch to shut down a port of the plurality of ports under attack.
  - 5. The method of claim 1 further comprising, in response to detecting the denial of service attack, automatically instructing the network switch to discard packets from a port of the plurality of ports under attack.
  - 6. The method of claim 1 further comprising, in response to detecting the denial of service attack, alerting a network administrator of the attack.
  - 7. The method of claim 1 wherein monitoring further comprises determining a geographic proximity between two or more wireless client devices.
  - 8. The method of claim 7, wherein the geographic proximity of the two or more wireless clients is determined by signal strength of the two or more wireless clients as identified by the network analysis application.
  - 9. The method of claim 1, wherein monitoring further comprises monitoring two or more wireless client devices operating at two or more frequencies in a wireless channel by switching to the two or more frequencies.
  - 10. The method of claim 1, wherein monitoring further comprises determining and comparing MAC addresses of two or more wireless client devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Extreme Networks, Inc.
Inventors
Lin, Victor C., Merchant, Shehzad T., Jain, Vipin K., Rathi, Manish M.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US11/961,677
Time in Patent Office

2,315 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Method and system for detecting and preventing access intrusion in a network

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

279 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Method and system for detecting and preventing access intrusion in a network

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

279 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others