History-based downgraded network identification

US 8,769,639 B2
Filed: 02/19/2008
Issued: 07/01/2014
Est. Priority Date: 09/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method for verifying authenticity of a network access point that identifies itself to a client computing device via an identifier, the method comprising:

comparing at least one additional characteristic of network access point that identifies itself using the identifier to stored information that identifies at least one expected value for a corresponding characteristic of an authenticated network access point also identified by the identifier, wherein comparing the at least one additional characteristic of the network access point to the stored information that identifies the at least one expected value comprises determining whether at least one current security setting in use by the network access point reflects at least one expected security setting for the authenticated network access point, wherein the network access point provides access to a managed wireless network, the identifier for the network access point comprises a globally unique identifier (GUID) for the managed wireless network, and the at least one additional characteristic of the network access point comprises a result of an authentication attempt for the managed wireless network; and

connecting, by the client computing device, to the network access point in response to the at least one additional characteristic of the network access point matching the stored information that identifies the at least one expected value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention are directed to increasing security and lowering risk of attack in connecting automatically to networks by enabling client devices to verify the identity of the networks by, for example, confirming the identity of networks and network components such as wireless access points. In some embodiments, a client device may maintain a data store of characteristics of a network—including, for example, characteristics of a wireless access point or other portion of the network and/or characteristics of a connection previously established with the wireless access point and/or network. Stored characteristics may include characteristics other than those minimally necessary to identify a wireless access point and/or wireless network. The stored characteristics may be compared to known good characteristics of a network (including characteristics of a wireless access point or other portion of the wireless network) prior to connection to the network to determine whether the characteristics match.

Citations

20 Claims

1. A method for verifying authenticity of a network access point that identifies itself to a client computing device via an identifier, the method comprising:
- comparing at least one additional characteristic of network access point that identifies itself using the identifier to stored information that identifies at least one expected value for a corresponding characteristic of an authenticated network access point also identified by the identifier, wherein comparing the at least one additional characteristic of the network access point to the stored information that identifies the at least one expected value comprises determining whether at least one current security setting in use by the network access point reflects at least one expected security setting for the authenticated network access point, wherein the network access point provides access to a managed wireless network, the identifier for the network access point comprises a globally unique identifier (GUID) for the managed wireless network, and the at least one additional characteristic of the network access point comprises a result of an authentication attempt for the managed wireless network; and
  
  connecting, by the client computing device, to the network access point in response to the at least one additional characteristic of the network access point matching the stored information that identifies the at least one expected value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - verifying authenticity of another network access point, the other network access point providing access to an unmanaged wireless network based on a Service Set Identifier (SSID) for the unmanaged wireless network, and based on a media access control (MAC) address of a gateway associated with the other network access point.
  - 3. The method of claim 1, further comprising:
    - disallowing connection of the client computing device to the wireless access point in response to the at least one additional characteristic of the network access point not reflecting the stored information that identifies the at least one expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier.
  - 4. The method of claim 1, further comprising:
    - in response to the at least one additional characteristic of the network access point not reflecting the stored information that identifies the at least one expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier;
      
      establishing a connection to the network access point; and
      
      configuring the connection to be more secure than a connection that would have been established had the at least one additional characteristic of the network access point reflected the stored information that identifies the at least one expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier.
  - 5. The method of claim 4, wherein configuring the connection to be more secure comprises disallowing connections to one or more ports of the client computing device.
  - 6. The method of claim 1, further comprising:
    - in response to the at least one additional characteristic of the network access point not reflecting the stored information that identifies the expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier;
      
      displaying an indication that the network access point is not verified.
  - 7. The method of claim 1, wherein:
    - determining whether the at least one current security setting reflects the at least one expected security setting includes;
      
      determining whether the network access point using the at least one current security setting is more secure than the authenticated network access point having the at least one expected security setting;
      
      determining that the at least one current security setting reflects the at least one expected security setting if the network access point using the at least one current security setting is at least as secure as the authenticated network access point.
  - 8. The method of claim 1, further comprising:
    - authenticating the client computing device to the network access point by providing information proving the identity of the client computing device to the network access point.
  - 9. The method of claim 1, further comprising:
    - in response to the at least one additional characteristic of the network access point not reflecting the stored information that identifies the expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier;
      
      storing information regarding the network access point.

10. An apparatus for verifying authenticity of a network access point, the apparatus comprising:
- at least one memory; and
  
  at least one hardware processor, wherein the at least one memory and the at least one hardware processor respectively store and execute instructions that;
  
  compare at least one characteristic of the network access point, other than an identifier used by the network access point, to stored information that identifies at least one expected value for a corresponding characteristic of an authenticated network access point that also uses the identifier, wherein the comparison of the at least one characteristic of the network access point to the stored information that identifies the at least one expected value includes a determination of whether at least one current security setting in use by the network access point matches at least one expected security setting for the authenticated network access point, wherein the network access point provides access to a managed wireless network, the identifier comprises a globally unique identifier (GUID) for the managed wireless network, and the at least one characteristic of the network access point comprises a result of an authentication attempt for the managed wireless network; and
  
  establish a connection with the network access point if the at least one characteristic of the network access point matches the stored information that identifies the at least one expected value.
- View Dependent Claims (11, 12, 13)
- - 11. The apparatus of claim 10, wherein the instructions also:
    - a warning if the at least one characteristic of the network access point does not match the stored information that identifies the expected value for the corresponding characteristic of the authenticated network access point.
  - 12. The apparatus of claim 10, wherein the instructions also:
    - in response to the at least one characteristic of the network access point not matching the stored information that identifies the at least one expected value;
      
      establish a connection to the network access point; and
      
      configure the connection to be more secure than a connection that would have been established had the at least one characteristics of the network access point matched the stored information.
  - 13. The apparatus of claim 12, wherein configuration of the connection to be more secure includes blocking connections to one or more ports of the apparatus.

14. A computer-readable memory having instructions stored therein for performing operations that verify authenticity of a network access point that identifies itself to a client computing device via an identifier, the operations comprising:
- comparing at least one characteristic of the network access point, other than the identifier, to at least one stored expected value of a corresponding characteristic of an authenticated network access point also identified by the identifier, wherein comparing the at least one characteristic of the network access point to the at least one stored expected value comprises determining whether at least one current security setting in use by the network access point reflects at least one expected security setting for the authenticated network access point, wherein the network access point provides access to a managed wireless network, the identifier for the network access point comprises a globally unique identifier (GUID) for the managed wireless network, and the at least one characteristic of the network access point comprises a result of an authentication attempt for the managed wireless network; and
  
  connecting, by the client computing device, to the network access point in response to the at least one characteristic of the network access point reflecting the at least one stored expected value.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-readable memory of claim 14, further comprising:
    - verifying authenticity of another network access point, the other network access point providing access to an unmanaged wireless network based on a Service Set Identifier (SSID) for the unmanaged wireless network, and based on a media access control (MAC) address of a gateway associated with the other network access point.
  - 16. The computer-readable memory of claim 14, further comprising:
    - disallowing connection of the client computing device to the wireless access point in response to the at least one characteristic of the network access point not reflecting the at least one stored expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier.
  - 17. The computer-readable memory of claim 14, further comprising:
    - in response to the at least one characteristic of the network access point not reflecting the at least one stored expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier;
      
      establishing a connection to the network access point; and
      
      configuring the connection to be more secure than a connection that would have been established had the at least one characteristic of the network access point reflected the at least one stored expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier.
  - 18. The computer-readable memory of claim 17, wherein configuring the connection to be more secure comprises disallowing connections to one or more ports of the client computing device.
  - 19. The computer-readable memory of claim 14, further comprising:
    - in response to the at least one characteristic of the network access point not reflecting the at least one stored expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier;
      
      displaying an indication that the identity of the network access point is not verified.
  - 20. The computer-readable memory of claim 14, further comprising:
    - in response to the at least one characteristic of the network access point not reflecting the at least one stored expected value for the corresponding characteristic of the authenticated network access point also identified by the identifier;
      
      storing information regarding the network access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Begorre, Bill, Brewis, Deon C., Sinha, Alok
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US12/070,500
Publication Number

US 20090064299A1
Time in Patent Office

2,324 Days
Field of Search

726/5, 726/6, 726/12
US Class Current

726/5
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2129   Authenticate client device ...

H04L 63/1466   Active attacks involving in...

H04W 12/06   Authentication

H04W 12/122   Counter-measures against at...

History-based downgraded network identification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

History-based downgraded network identification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links