Method and system for detecting and preventing access intrusion in a network
First Claim
1. A method of detecting a denial of service attack in a wireless computer network, the method comprising:
- recording, at a plurality of intervals, a number of association or probe requests made by a wireless client device to a plurality of wireless edge devices coupled to a respective plurality of ports of a network switch;
- comparing the number of association or probe requests recorded at each interval to a threshold value;
- detecting the denial of service attack if the number of association or probe requests exceeds the threshold value; and
- monitoring a protocol state machine associated with the wireless client device by a network analysis application running on a server computer, the protocol state machine having one or more wireless attributes of the wireless client device, the network analysis application detecting the denial of service attack by detecting anomalies in the one or more wireless attributes, wherein the one or more wireless attributes comprise the number of association and probe requests.
Abstract
A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.
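The count-and-threshold step of claim 1, sketched in Python as an added example (not code from the patent): requests are summed per client across every switch port, so a client that stays under the limit at each edge device is still caught in aggregate. The interval length, threshold, event tuple layout and frame-type labels are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

INTERVAL_S = 10   # assumed interval length; the claim does not fix a value
THRESHOLD = 5     # assumed per-interval limit; the claim does not fix a value
COUNTED = {"assoc_req", "probe_req"}   # assumed labels for the counted frames

# Constructed sample events: (time_s, client_mac, frame_type, switch_port).
# Each switch port stands for one wireless edge device (AP).
CLIENT_A = "02:00:00:00:00:aa"
CLIENT_B = "02:00:00:00:00:bb"
EVENTS = (
    # 12 probe requests inside interval 0, spread evenly over ports 1-3
    [(t * 0.5, CLIENT_A, "probe_req", 1 + t % 3) for t in range(12)]
    + [(12.0, CLIENT_A, "assoc_req", 2)]
    + [(1.0, CLIENT_B, "probe_req", 1),
       (4.0, CLIENT_B, "assoc_req", 1),
       (15.0, CLIENT_B, "data", 1)]      # not a counted frame type
)


def detect_floods(events, threshold=THRESHOLD, interval_s=INTERVAL_S):
    """Return sorted (client, interval_index, count, ports) for every
    interval in which a client's request count exceeds the threshold."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for time_s, client, frame_type, port in events:
        if frame_type not in COUNTED:
            continue
        key = (client, int(time_s // interval_s))
        counts[key] += 1          # summed over all edge devices
        ports[key].add(port)      # remember where the requests arrived
    return sorted(
        (client, idx, n, tuple(sorted(ports[(client, idx)])))
        for (client, idx), n in counts.items()
        if n > threshold
    )


if __name__ == "__main__":
    for client, idx, n, seen_on in detect_floods(EVENTS):
        print(f"{client}: {n} requests in interval {idx} on ports {seen_on}")
```

The returned port list identifies which switch ports carried the flagged client's requests in that interval.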
10 Claims
Specification