Detecting malicious device

US 8,898,783 B2
Filed: 05/21/2012
Issued: 11/25/2014
Est. Priority Date: 05/20/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malicious device in a network, the method comprising:

initiating a malicious device detection mode;

transmitting a test message to neighbor devices in the network;

determining whether a test response message is received from the neighbor devices in response to the test message; and

if so, determining a corresponding neighbor device transmitting the test response message in response to the test message as a non-malicious device;

otherwise, determining the corresponding neighbor device as a malicious device,wherein the transmitting a test message to neighbor devices includes;

detecting, among the neighbor devices, candidate devices that transmit a signal with a specific service set identifier (SSID);

transmitting an associate request message to the detected candidate devices;

receiving an associate response message from the detected candidate devices;

obtaining information on the detected candidate devices from the received associate response message; and

transmitting the test message to the detected candidate devices based on the obtained information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless access point and a method may be provided for detecting a malicious device in a network. The wireless access point may include a controller, a search unit, a message generation unit, and a determination unit. The controller may be configured to initiate a malicious device detection mode regularly at predefined intervals. The search unit may be configured to detect candidate devices broadcasting a signal with the first SSID from neighbor devices in an associated network. The message generation unit may be configured to generate a test message in the malicious device detection mode and transmit the test message to the candidate devices. The determination unit may be configured to determine a corresponding device in the candidate device as a malicious device when a test response message is not received from the corresponding device in response to the test message.

27 Citations

View as Search Results

18 Claims

1. A method for detecting a malicious device in a network, the method comprising:
- initiating a malicious device detection mode;
  
  transmitting a test message to neighbor devices in the network;
  
  determining whether a test response message is received from the neighbor devices in response to the test message; and
  
  if so, determining a corresponding neighbor device transmitting the test response message in response to the test message as a non-malicious device;
  
  otherwise, determining the corresponding neighbor device as a malicious device,wherein the transmitting a test message to neighbor devices includes;
  
  detecting, among the neighbor devices, candidate devices that transmit a signal with a specific service set identifier (SSID);
  
  transmitting an associate request message to the detected candidate devices;
  
  receiving an associate response message from the detected candidate devices;
  
  obtaining information on the detected candidate devices from the received associate response message; and
  
  transmitting the test message to the detected candidate devices based on the obtained information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the malicious device detection mode is regularly initiated at predefined intervals.
  - 3. The method of claim 1, wherein the obtained information include at least one of an Internet protocol (IP) address and a multiple access control (MAC) address of the detected devices.
  - 4. The method of claim 1, comprising storing the obtained information on the detected candidate devices in a memory.
  - 5. The method of claim 1, wherein the specific SSID is at least one of an SSID of a certain service provider, an SSID of a certain device in the related network, and an SSID of a wireless access point performing the malicious device detection mode.
  - 6. The method of claim 1, wherein the detecting candidate devices transmitting a signal with a specific service set identifier (SSID) includes:
    - scanning beacon signals transmitted from the neighbor devices;
      
      extracting an SSID from each scanned beacon signal transmitted from each one of corresponding neighbor devices;
      
      comparing the extracted SSID with the specific SSID; and
      
      determining a corresponding neighbor device as the candidate device when the extractedSSID is identical to the specific SSID based on the comparison result.
  - 7. The method of claim 1, wherein the test message includes at least one of a certain bit sequence or a certain bit pattern.
  - 8. The method of claim 1, wherein the determining whether a test response message is received from the neighbor devices in response to the test message includes:
    - receiving a message from the neighbor devices in response to the corresponding test message;
      
      determining whether the received message includes a predefined bit sequence or not; and
      
      determining the received message as the test response message when the received message includes the predefined bit sequence;
      
      otherwise, determining the received message as a non-test response message.
  - 9. The method of claim 1, further comprising:
    - reporting the determined malicious device to a related server associated with the related network;
      
      blocking access of the determined malicious device from the related network.
  - 10. The method of claim 1, further comprising:
    - initiating a timer upon when the test message is transmitted to the neighbor devices; and
      
      determining a neighbor device as a malicious device when receiving no message from the neighbor device until the timer expires.

11. A method for detecting a malicious device in a wireless local area network (WLAN) network by a wireless access point, the method comprising:
- initiating a malicious device detection mode;
  
  transmitting a test message to neighbor devices located within a service area of the wireless access point;
  
  determining whether a test response message is received from the neighbor devices in response to the test message; and
  
  if so, determining a corresponding neighbor device transmitting the test response message as a non-malicious device;
  
  otherwise, determining the corresponding neighbor device as a malicious device,wherein the transmitting a test message includes;
  
  detecting, among the neighbor devices, candidate devices that transmit a signal with a specific service set identifier (SSID);
  
  generating a predefined test bit sequence as the test message;
  
  including the predefined test bit sequence in an associate request message; and
  
  transmitting the associate request message to the detected candidate devices.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the detecting candidate devices includes:
    - scanning beacon signals transmitted from the neighbor devices;
      
      extracting an SSID from the scanned beacon signal transmitted from each one of the neighbor devices;
      
      comparing the extracted SSID with the specific SSID; and
      
      determining a corresponding neighbor as the candidate device when the extracted SSID is identical to the specific SSID based on the comparison result.
  - 13. The method of claim 11, wherein the determining whether a test response message is received includes:
    - determining whether the received associate response message includes a predefined response bit sequence or not;
      
      determining that the received associate response message includes the test response message when the received associate response message includes the predefined response bit sequence; and
      
      determining that the received associate response message does not include the test response message when the received message does not include the predefined response bit sequence.
  - 14. The method of claim 11, wherein the transmitting a test message includes:
    - generating a predefined bit sequence as the test message;
      
      including the predefined bit sequence in a probe request message; and
      
      broadcasting the probe request message to the neighbor devices.
  - 15. The method of claim 11, wherein the determining whether a test response Message is received includes:
    - obtaining information on the neighbor devices;
      
      determining whether a neighbor device is configured with a specific SSID based on the obtained information; and
      
      determining the neighbor device as a non-malicious device when theneighbor device is not configured with the specific SSID;
      
      otherwise, making determination as to whether the received probe response message includes a test response message.
  - 16. The method of claim 15, wherein the determination as to whether the received probe response message includes a test response message includes:
    - determining whether the received probe response message includes a predefined response bit sequence or not;
      
      determining that the received probe response message includes the test response message when the received probe response message includes the predefined response bit sequence; and
      
      determining that the received probe response message does not include the test response message when the received message does not include the predefined response bit sequence.
  - 17. The method of claim 11, further comprising:
    - reporting the determined malicious device to a related server associated with the WLAN network; and
      
      blocking the determined malicious device from access to the WLAN network.

18. A wireless access point comprising:
- a controller configured to initiate a malicious device detection mode regularly at predefined intervals;
  
  a search unit configured to detect candidate devices broadcasting a signal with a first specific service set identifier (SSID) from neighbor devices in an associated network;
  
  a message generation unit configured to generate a predetermined test bit sequence as a test message in the malicious device detection mode, include the predetermined test bit sequence in an associated request message, and transmit the associated request message as the test message to the detected candidate devices;
  
  a determination unit configured to determine a corresponding device in the candidate device as a malicious device when a test response message is not received from the corresponding device in response to the test message; and
  
  a notification unit configured to notify the determined malicious device to a related server so as to block the determined malicious device from access to the associated network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KT Corporation
Original Assignee
KT Corporation
Inventors
Ji, Yung-Ha, Yoon, Joo-Young, Han, Kyu-Jeong, Chung, Jaeho
Primary Examiner(s)
Poltorak, Peter

Application Number

US13/476,347
Publication Number

US 20120304297A1
Time in Patent Office

918 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 84/12   WLAN [Wireless Local Area N...

Detecting malicious device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links