Method for detecting rogue devices operating in wireless and wired computer network environments

US 9,137,670 B2
Filed: 03/10/2009
Issued: 09/15/2015
Est. Priority Date: 02/18/2003
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

receiving, at a computing device connected to a network, a wireless Media Access Control (MAC) address for a wireless device connected to the network, wherein the wireless MAC address for the wireless device corresponds to a manufacturer for the wireless device;

determining that the wireless device is a rogue wireless device, wherein determining includes comparing the wireless MAC address for the wireless device with a list of valid wireless MAC addresses used by authorized wireless devices connected to the network;

determining a list of wired MAC addresses used by devices connected to the network using wired connections;

determining that elements of the wireless MAC address for the rogue wireless device match elements of a wired MAC address, wherein determining includes comparing elements of the wireless MAC address for the rogue wireless device with elements of the wired MAC addresses on the list of wired MAC addresses;

determining that the rogue wireless device is connected to the network over a wired connection based on the match;

assigning a security risk score to the rogue wireless device, wherein assigning includes using the wireless MAC address corresponding to the manufacturer; and

displaying the security risk score.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management of wireless and wired computer network environments in which rogue and other devices that may affect the performance and/or security of the wireless computer network can be detected. Specifically, the present invention discloses a method and system of detecting all interfaces, Media Access Control (MAC) addresses and radio MAC addresses (BSSIDs) affiliated with a rogue device and compiling this information into a database. As a result, the present invention reduces the number of alerts that one rogue device can generate and increases the accuracy and speed of locating the rogue device within a network.

Citations

21 Claims

1. A computer implemented method, comprising:
- receiving, at a computing device connected to a network, a wireless Media Access Control (MAC) address for a wireless device connected to the network, wherein the wireless MAC address for the wireless device corresponds to a manufacturer for the wireless device;
  
  determining that the wireless device is a rogue wireless device, wherein determining includes comparing the wireless MAC address for the wireless device with a list of valid wireless MAC addresses used by authorized wireless devices connected to the network;
  
  determining a list of wired MAC addresses used by devices connected to the network using wired connections;
  
  determining that elements of the wireless MAC address for the rogue wireless device match elements of a wired MAC address, wherein determining includes comparing elements of the wireless MAC address for the rogue wireless device with elements of the wired MAC addresses on the list of wired MAC addresses;
  
  determining that the rogue wireless device is connected to the network over a wired connection based on the match;
  
  assigning a security risk score to the rogue wireless device, wherein assigning includes using the wireless MAC address corresponding to the manufacturer; and
  
  displaying the security risk score.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - identifying a network address for a wired network connection of the rogue wireless device.
  - 3. The method of claim 2, further comprising:
    - probing the network address to identify an operating system for the rogue wireless device; and
      
      updating the security score for the rogue wireless device based on the operating system.
  - 4. The method of claim 3, further comprising:
    - updating or creating a record associated with the rogue wireless device, wherein the record includes the wireless MAC address for the wireless device, the network address for the wired connection of the rogue wireless device, the operating system for the rogue wireless device, and the security score for the rogue wireless device.
  - 5. The method of claim 1, further comprising:
    - determining a location of the rogue wireless device, wherein determining the location of the rogue wireless device includes using a wireless triangulation method to locate the rogue wireless device; and
      
      displaying the location of the rogue wireless device.
  - 6. The method of claim 1, wherein determining that the rogue wireless device is connected to the network over a wired connection includes matching a manufacturer for the wireless device with a manufacturer corresponding to one or more wired MAC addresses in the list.
  - 7. The method of claim 1, wherein determining the list includes reading bridge forwarding tables or address resolution protocol tables of one or more network devices connected to the network.

8. A system comprising:
- one or more processors;
  
  a non-transitory computer readable medium communicatively coupled to the one or more processors, the non-transitory computer readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  receiving a wireless Media Access Control (MAC) address for a wireless device connected to a network, wherein the wireless MAC address for the wireless device corresponds to a manufacturer for the wireless device;
  
  determining that the wireless device is a rogue wireless device, wherein determining includes comparing the wireless MAC address for the wireless device with a list of valid wireless MAC addresses used by authorized wireless devices connected to the network;
  
  determining a list of wired MAC addresses used by devices connected to the network using wired connections;
  
  determining that elements of the wireless MAC address for the rogue wireless device match matches elements of a wired MAC address, wherein determining includes comparing elements of the wireless MAC address for the rogue wireless device with elements of the wired MAC addresses on the list of wired MAC addresses;
  
  determining that the rogue wireless device is connected to the network over a wired connection based on the match;
  
  assigning a security risk score to the rogue wireless device, wherein assigning includes using the wireless MAC address corresponding to the manufacturer; and
  
  displaying the security risk score.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the operations further include:
    - identifying a network address for a wired network connection of the rogue wireless device.
  - 10. The system of claim 9, wherein the operations further include:
    - probing the network address to identify an operating system for the rogue wireless device; and
      
      updating the security score for the rogue wireless device based on the operating system.
  - 11. The system of claim 10, wherein the operations further include:
    - updating or creating a record associated with the rogue wireless device, wherein the record includes the wireless MAC address for the wireless device, the network address for the wired connection of the rogue wireless device, the operating system for the rogue wireless device, and the security score for the rogue wireless device.
  - 12. The system of claim 8, wherein determining that the rogue wireless device is connected to the network over a wired connection includes matching the manufacturer for the wireless device with a manufacturer corresponding to one or more wired MAC addresses in the list.
  - 13. The system of claim 8, wherein determining the list includes reading bridge forwarding tables or address resolution protocol tables of one or more network devices connected to the network.
  - 14. The system of claim 8, wherein the operations further include:
    - determining a location of the rogue wireless device, wherein determining the location of the rogue wireless device includes using a wireless triangulation method to locate the rogue wireless device; and
      
      displaying the location of the rogue wireless device.

15. A non-transitory computer readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
- receiving a wireless Media Access Control (MAC) address for a wireless device connected to a network, wherein the wireless MAC address for the wireless device corresponds to a manufacturer for the wireless device;
  
  determining that the wireless device is a rogue wireless device, wherein determining includes comparing the wireless MAC address for the wireless device with a list of valid wireless MAC addresses used by authorized wireless devices connected to the network;
  
  determining a list of wired MAC addresses used by devices connected to the network using wired connections;
  
  determining that elements of the wireless MAC address for the rogue wireless device match elements of a wired MAC address, wherein determining includes comparing elements of the wireless MAC address for the rogue wireless device with elements of the wired MAC addresses on the list of wired MAC addresses;
  
  determining that the rogue wireless device is connected to the network over a wired connection based on the match;
  
  assigning a security risk score to the rogue wireless device, wherein assigning includes using the wireless MAC address corresponding to the manufacturer; and
  
  displaying the security risk score.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - identifying a network address for a wired network connection of the rogue wireless device.
  - 17. The non-transitory computer readable medium of claim 15, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - probing the network address to identify an operating system for the rogue wireless device; and
      
      updating the security score for the rogue wireless device based on the operating system.
  - 18. The non-transitory computer readable medium of claim 17, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - updating or creating a record associated with the rogue wireless device, wherein the record includes the wireless MAC address for the wireless device, the network address for the wired connection of the rogue wireless device, the operating system for the rogue wireless device, and the security score for the rogue wireless device.
  - 19. The non-transitory computer readable medium of claim 15, wherein determining that the rogue wireless device is connected to the network over a wired connection includes matching the manufacturer for the wireless device with a manufacturer corresponding to one or more wired MAC addresses in the list.
  - 20. The non-transitory computer readable medium of claim 15, wherein determining the list includes reading bridge forwarding tables or address resolution protocol tables of one or more network devices connected to the network.
  - 21. The non-transitory computer readable medium of claim 15, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - determining a location of the rogue wireless device, wherein determining the location of the rogue wireless device includes using a wireless triangulation method to locate the rogue wireless device; and
      
      displaying the location of the rogue wireless device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Gray, Gordon P., Burke, Anthony Glenn, Luther, Jason E.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Stoica, Adrian

Application Number

US12/401,553
Publication Number

US 20090235354A1
Time in Patent Office

2,380 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04W 12/122   Counter-measures against at...

H04W 24/08   Testing, supervising or mon...

H04W 24/10   Scheduling measurement repo...

H04W 8/005   Discovery of network device...

H04W 88/08   Access point devices

Method for detecting rogue devices operating in wireless and wired computer network environments

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method for detecting rogue devices operating in wireless and wired computer network environments

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links