Security in wireless communication systems

US 8,867,744 B1
Filed: 11/07/2011
Issued: 10/21/2014
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method in an access point having a dual-mode antenna for preventing unauthorized messages in a wireless communication network, the method comprising:

receiving authorization information from a network controller that identifies devices that are authorized on the network;

servicing authorized devices that are connected to the access point;

responsive to not servicing authorized devices, switching dynamically to scan for unauthorized devices participating in peer-to-peer communications distinct from the network, comprising;

listening to headers of frames including listening to a transmission of a header of a specific frame that comprises a header and a payload with a first portion of the dual-mode antenna, andcomparing identification information in the header to the authorization information received; and

breaking a payload of the specific fame by disrupting the transmission responsive to determining from the header that the specific frame is associated with an unauthorized device with a second portion of the dual-mode antenna,wherein breaking the payload comprises inserting a noise spike into the payload to change a checksum value of the frame such that the frame payload no longer matches the checksum value.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Wireless security is enforced at L1, in addition to or in lieu of other layers. AP'"'"'s can switch dynamically from serving to scanning. Scanners listen for authorized frame headers. Scanners either receive, or allow authorized frames to be received, at their destination. Scanners kill unauthorized frames while they are still transmitting; scanners continue listening for and killing unauthorized frame headers until frame ending time demands their return to serving, multiplying their effectiveness. AP'"'"'s include dual-mode multi-frequency omni-directional antennae, used to prevent third parties from snooping messages received at those AP'"'"'s.

110 Citations

19 Claims

1. A computer-implemented method in an access point having a dual-mode antenna for preventing unauthorized messages in a wireless communication network, the method comprising:
- receiving authorization information from a network controller that identifies devices that are authorized on the network;
  
  servicing authorized devices that are connected to the access point;
  
  responsive to not servicing authorized devices, switching dynamically to scan for unauthorized devices participating in peer-to-peer communications distinct from the network, comprising;
  
  listening to headers of frames including listening to a transmission of a header of a specific frame that comprises a header and a payload with a first portion of the dual-mode antenna, andcomparing identification information in the header to the authorization information received; and
  
  breaking a payload of the specific fame by disrupting the transmission responsive to determining from the header that the specific frame is associated with an unauthorized device with a second portion of the dual-mode antenna,wherein breaking the payload comprises inserting a noise spike into the payload to change a checksum value of the frame such that the frame payload no longer matches the checksum value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein scanning for the unauthorized devices and breaking the payload of the unauthorized devices are implemented within the L1 layer of a network protocol.
  - 3. The method of claim 1, further comprising:
    - receiving frames with a first portion of an antennae; and
      
      micro-jamming frames with a second portion of the antennae, substantially concurrently with the step of receiving frames.
  - 4. The method of claim 1, wherein scanning for unauthorized devices comprises scanning for unauthorized devices by listening to frame headers comprises comparing a destination indicator of the frame header with the authentication information from the network controller to determine if a destination device of the frame is authorized.
  - 5. The method of claim 1, wherein scanning for unauthorized devices comprises scanning for unauthorized devices by listening to frame headers comprises comparing a source indicator of the frame header with the authentication information from the network controller to determine if a destination device of the frame is authorized.
  - 6. The method of claim 1, wherein breaking the payload comprises inserting the noise spike into the payload.
  - 7. The method of claim 1, wherein the wireless communication network operates according to an IEEE 802.11 type of standard.
  - 8. The method of claim 1, wherein scanning for unauthorized devices comprises scanning more than one channel for unauthorized devices.
  - 9. The method of claim 1, further comprising:
    - detecting a second access point having a radio signal range within an interference zone for which the access point also has a radio signal range,wherein responsive to not servicing authorized devices, scanning for unauthorized devices comprises responsive to not servicing authorized devices due to the second access point servicing authorized devices within the interference zone, scanning for unauthorized devices.

10. A non-transitory computer readable medium storing source code that, when executed by a processor, performs a method in an access point for preventing unauthorized messages in a wireless communication network, the method comprising:
- receiving authorization information from a network controller that identifies devices that are authorized on the network;
  
  servicing authorized devices that are connected to the access point;
  
  responsive to not servicing authorized devices, switching dynamically to scan for unauthorized devices participating in peer-to-peer communications distinct from the network, comprising;
  
  listening to headers of frames includinglistening to a transmission of a header of a specific frame that comprises a header and a payload with a first portion of the dual-mode antenna, andcomparing identification information in the header to the authorization information received; and
  
  breaking a payload of the specific fame by disrupting the transmission responsive to determining from the header that the specific frame is associated with an unauthorized device with a second portion of the dual-mode antenna,wherein breaking the payload comprises inserting a noise spike into the payload to change a checksum value of the frame such that the frame payload no longer matches the checksum value.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable medium of claim 10, wherein scanning for the unauthorized devices and breaking the payload of the unauthorized devices are implemented within the L1 layer of a network protocol.
  - 12. The computer readable medium of claim 10, further comprising:
    - receiving frames with a first portion of an antennae; and
      
      micro-jamming frames with a second portion of the antennae, substantially concurrently with the step of receiving frames.
  - 13. The computer readable medium of claim 10, wherein scanning for unauthorized devices comprises scanning for unauthorized devices by listening to frame headers comprises comparing a destination indicator of the frame header with the authentication information from the network controller to determine if a destination device of the frame is authorized.
  - 14. The computer readable medium of claim 10, wherein scanning for unauthorized devices comprises scanning for unauthorized devices by listening to frame headers comprises comparing a source indicator of the frame header with the authentication information from the network controller to determine if a destination device of the frame is authorized.
  - 15. The computer readable medium of claim 10, wherein breaking the payload comprises inserting the noise spike into the payload.
  - 16. The computer readable medium of claim 10, wherein the wireless communication network operates according to an IEEE 802.11 type of standard.
  - 17. The computer readable medium of claim 10, wherein scanning for unauthorized devices comprises scanning more than one channel for unauthorized devices.
  - 18. The computer readable medium of claim 10, further comprising:
    - detecting a second access point having a radio signal range within an interference zone for which the access point also has a radio signal range,wherein responsive to not servicing authorized devices, scanning for unauthorized devices comprises responsive to not servicing authorized devices due to the second access point servicing authorized devices within the interference zone, scanning for unauthorized devices.

19. A computer-implemented method in an access point for preventing unauthorized messages in a wireless communications network, the method comprising:
- servicing authorized devices that are connected to the access point;
  
  receiving authorization information from a network controller that identifies devices that are authorized on the wireless communications network;
  
  detecting a second access point having a radio signal range within an interference zone for which the access point also has a radio signal range and also in communication with the network controller;
  
  not servicing authorized devices for a period of time during which the second access point servicing authorized devices within the interference zone;
  
  during the period of time, switching dynamically to scanning for unauthorized devices by listening to headers of frames that each comprise a header and a payload;
  
  breaking the payload responsive to determining from the header that a frame is associated with an unauthorized device,wherein breaking the payload comprises inserting a noise spike into the payload to change a checksum value of the frame such that the frame payload no longer matches the checksum value; and
  
  switching to return servicing authorized devices after the period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Meru Networks, Inc. (Fortinet Inc.)
Inventors
Palanisamy, Senthil, Bharghavan, Vaduvur
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Salehi, Helai

Application Number

US13/290,345
Time in Patent Office

1,079 Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 63/02   for separating internal fro...

H04W 12/088   using filters or firewalls

H04W 12/122   Counter-measures against at...

H04W 88/08   Access point devices

Security in wireless communication systems

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security in wireless communication systems

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links