Systems and methods for detecting potentially illegitimate wireless access points

US 9,882,931 B1
Filed: 02/18/2015
Issued: 01/30/2018
Est. Priority Date: 02/18/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting potentially illegitimate wireless access points, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting, at a current point in time, an attempt by the computing device to automatically connect to a target wireless access point that resembles a known wireless access point with which the computing device has established a previous connection at a previous point in time;

detecting at least one suspicious discrepancy between the target wireless access point and the known wireless access point by;

identifying a set of surrounding access points that were located within a certain range of the computing device when the computing device established the previous connection with the known wireless access point at the previous point in time;

identifying an at least partially different set of surrounding access points that are located within the certain range of the computing device at the current point in time;

determining a number of the surrounding access points from the at least partially different set that do not match any of the surrounding access points from the set;

determining that the number of non-matching surrounding access points exceeds a threshold number;

determining that the target wireless access point is potentially illegitimate based on the number of non-matching surrounding access points exceeding the threshold number.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting potentially illegitimate wireless access points may include (1) detecting, at a current point in time, an attempt by a computing device to automatically connect to a target wireless access point that resembles a known wireless access point with which the computing device has established a previous connection at a previous point in time, (2) detecting at least one suspicious discrepancy between the target wireless access point and the known wireless access point, and then (3) determining, based at least in part on the suspicious discrepancy, that the target wireless access point is potentially illegitimate. Various other methods, systems, and computer-readable media are also disclosed.

35 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting potentially illegitimate wireless access points, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, at a current point in time, an attempt by the computing device to automatically connect to a target wireless access point that resembles a known wireless access point with which the computing device has established a previous connection at a previous point in time;
  
  detecting at least one suspicious discrepancy between the target wireless access point and the known wireless access point by;
  
  identifying a set of surrounding access points that were located within a certain range of the computing device when the computing device established the previous connection with the known wireless access point at the previous point in time;
  
  identifying an at least partially different set of surrounding access points that are located within the certain range of the computing device at the current point in time;
  
  determining a number of the surrounding access points from the at least partially different set that do not match any of the surrounding access points from the set;
  
  determining that the number of non-matching surrounding access points exceeds a threshold number;
  
  determining that the target wireless access point is potentially illegitimate based on the number of non-matching surrounding access points exceeding the threshold number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising identifying a wireless profile that specifies the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point.
  - 3. The method of claim 2, wherein detecting the suspicious discrepancy between the target wireless access point and the known wireless access point comprises:
    - identifying each surrounding access point that is located within the certain range of the computing device at the current point in time;
      
      detecting the discrepancy by comparing each surrounding access point located within the certain range of the computing device at the current point in time with the set of surrounding access points specified in the wireless profile.
  - 4. The method of claim 2, wherein identifying the wireless profile that specifies the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point comprises creating the wireless profile when the computing device established a first connection with the known wireless access point at a first point in time;
    - further comprising updating, at the previous point in time and after the first point in time, the wireless profile to specify each surrounding access point that was located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point.
  - 5. The method of claim 2, further comprising creating, in response to detecting the attempt by the computing device to automatically connect to the target wireless access point, a current wireless profile that specifies each surrounding access point that is located within the certain range of the computing device at the current point in time;
    - wherein detecting the suspicious discrepancy between the target wireless access point and the known wireless access point comprises;
      
      comparing the current wireless profile with the wireless profile that specifies the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point;
      
      determining, based at least in part on the comparison, that the current wireless profile does not match the wireless profile that specifies the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point.
  - 6. The method of claim 2, wherein:
    - the wireless profile further specifies a signal strength of each surrounding access point within the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point;
      
      detecting the suspicious discrepancy between the target wireless access point and the known wireless access point further comprises,identifying at least one signal strength of at least one surrounding access point that is located within the certain range of the computing device at the current point in time;
      
      determining that the signal strength of the surrounding access point does not match a corresponding signal strength of the surrounding access point as specified in the wireless profile.
  - 7. The method of claim 1, wherein detecting the suspicious discrepancy between the target wireless access point and the known wireless access point comprises determining that at least one surrounding access point that is located within the certain range of the computing device at the current point in time was not located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point.
  - 8. The method of claim 1, wherein detecting the suspicious discrepancy between the target wireless access point and the known wireless access point comprises determining that at least one surrounding access point that was located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point is not located within the certain range of the computing device at the current point in time.
  - 9. The method of claim 1, wherein:
    - identifying the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point comprises identifying each surrounding access point that was emitting a signal whose strength reached a certain threshold at the previous point in time;
      
      identifying the at least partially different set of surrounding access points that are located within the certain range of the computing device at the current point in time comprises identifying each surrounding access point that is emitting a signal whose strength reaches a certain threshold at the current point in time.
  - 10. The method of claim 9, wherein at least one of the certain threshold at the previous point in time and the certain threshold at the current point in time comprises any measurable level of signal strength.
  - 11. The method of claim 1, wherein detecting the attempt by the computing device to automatically connect to the target wireless access point that resembles the known wireless access point comprises detecting an attempt by the computing device to automatically connect to a wireless access point purporting to be the known wireless access point.
  - 12. The method of claim 11, wherein detecting the attempt to automatically connect to the wireless access point purporting to be the known wireless access point comprises:
    - transmitting, from the computing device, a request to connect to the known wireless access point;
      
      receiving, from the wireless access point and in response to the transmitted request, a communication in which the wireless access point purports to be the known wireless access point.
  - 13. The method of claim 1, further comprising blocking access to the target wireless access point in response to determining that the target wireless access point is potentially illegitimate.
  - 14. The method of claim 1, further comprising prompting a user of the computing device to manually decide whether to connect to the target wireless access point in response to determining that the target wireless access point is potentially illegitimate.
  - 15. The method of claim 1, wherein determining that the target wireless access point is potentially illegitimate comprises determining that the target wireless access point is masquerading as the known wireless access point.
  - 16. The method of claim 1, further comprising:
    - detecting an attempt by the computing device to automatically connect to an additional target wireless access point that resembles the known wireless access point at an additional point in time;
      
      identifying a set of surrounding access points that are located within the certain range of the computing device at the additional point in time;
      
      determining that the set of surrounding access points that are located within the certain range of the computing device at the additional point in time match the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point;
      
      in response to determining that the set of surrounding access points that are located within the certain range of the computing device at the additional point in time match the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point, enabling the computing device to connect to the additional target wireless access point.

17. A system for detecting potentially illegitimate wireless access points, the system comprising:
- a detection module, stored in memory, that;
  
  detects, at a current point in time, an attempt by a computing device to automatically connect to a target wireless access point that resembles a known wireless access point with which the computing device has established a previous connection at a previous point in time;
  
  detects at least one suspicious discrepancy between the target wireless access point and the known wireless access point by;
  
  identifying a set of surrounding access points that were located within a certain range of the computing device when the computing device established the previous connection with the known wireless access point at the previous point in time;
  
  identifying an at least partially different set of surrounding access points that are located within the certain range of the computing device at the current point in time;
  
  a determination module, stored in memory, that;
  
  determines a number of the surrounding access points from the at least partially different set that do not match any of the surrounding access points from the set;
  
  determines that the number of non-matching surrounding access points exceeds a threshold number;
  
  determines that the target wireless access point is potentially illegitimate based on the number of non-matching surrounding access points exceeding the threshold number;
  
  at least one physical processor that executes the detection module and the determination module.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, further comprising a profile module, stored in memory, that identifies a wireless profile that specifies the set of surrounding access points that were located within the certain range of the computing device when the computing device established the previous connection with the known wireless access point;
    - wherein the physical processor further executes the profile module.
  - 19. The system of claim 18, wherein the detection module detects the suspicious discrepancy between the target wireless access point and the known wireless access point by:
    - identifying each surrounding access point that is located within the certain range of the computing device at the current point in time;
      
      compares each surrounding access point located within the certain range of the computing device at the current point in time with the set of surrounding access points specified in the wireless profile.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, at a current point in time, an attempt by the computing device to automatically connect to a target wireless access point that resembles a known wireless access point with which the computing device has established a previous connection at a previous point in time;
  
  detect at least one suspicious discrepancy between the target wireless access point and the known wireless access point by;
  
  identifying a set of surrounding access points that were located within a certain range of the computing device when the computing device established the previous connection with the known wireless access point at the previous point in time;
  
  identifying an at least partially different set of surrounding access points that are located within the certain range of the computing device at the current point in time;
  
  determine a number of the surrounding access points from the at least partially different set that do not match any of the surrounding access points from the set;
  
  determine that the number of non-matching surrounding access points exceeds a threshold number;
  
  determine that the target wireless access point is potentially illegitimate based on the number of non-matching surrounding access points exceeding the threshold number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Harmon, Justin
Primary Examiner(s)
Giddins, Nelson

Application Number

US14/625,075
Time in Patent Office

1,077 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

Systems and methods for detecting potentially illegitimate wireless access points

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting potentially illegitimate wireless access points

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links