Systems and methods for network security

US 7,086,089 B2
Filed: 06/03/2002
Issued: 08/01/2006
Est. Priority Date: 05/20/2002
Status: Expired due to Term

First Claim

Patent Images

1. A network security system, the system comprising:

a) a system data store capable of storing risk criteria data, network default data, and network performance and usage data;

b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;

c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;

i) receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame via the communication interface;

ii) detecting a violation by applying a plurality of tests that each compare the received data with data in the system data store or information derived therefrom;

iii) generating an alarm signal if a violation was detected;

wherein the first communication interface further comprises a transmitter that transmits outbound communications to the communication channel and wherein the system processor is programmed or adapted to perform the steps comprising of triggering an active defense of the wireless computer network in response to a generated alarm;

wherein the triggered active defense is one or more of;

     1) jamming wireless transmissions;

     2) CRC errors;

     3) transmitting frames comprising random data;

locking-down the wireless computer network;

or

     4) activating a honeypot defense by;

(a) determining from the received data the channel used for transmitting the signal, an access point to which the signal was directed and a station originating the signal;

(b) reconfiguring the access point and authorized stations to communication using a channel other than the determined channel; and

(c) interacting with the station originating the signal using the determined channel.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system includes a system data store capable of storing a variety of data associated with a wireless computer network and communication transmitted thereon, a communication interface supporting communication over a communication channel and a system processor. Data corresponding communications transmitted over the wireless communication network are received. One or more tests are applied to the received data to determine whether a particular communication represents a potential security violation. An alarm may be generated based upon the results of the applied test or tests.

317 Citations

27 Claims

1. A network security system, the system comprising:
- a) a system data store capable of storing risk criteria data, network default data, and network performance and usage data;
  
  b) a first communication interface comprising a receiver that receives inbound communications from a communication channel associated with the communication interface;
  
  c) a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and wherein the system processor is programmed or adapted to perform the steps comprising of;
  
  i) receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame via the communication interface;
  
  ii) detecting a violation by applying a plurality of tests that each compare the received data with data in the system data store or information derived therefrom;
  
  iii) generating an alarm signal if a violation was detected;
  
  wherein the first communication interface further comprises a transmitter that transmits outbound communications to the communication channel and wherein the system processor is programmed or adapted to perform the steps comprising of triggering an active defense of the wireless computer network in response to a generated alarm;
  
  wherein the triggered active defense is one or more of;
  
       1) jamming wireless transmissions;
  
       2) CRC errors;
  
       3) transmitting frames comprising random data;
  
  locking-down the wireless computer network;
  
  or
  
       4) activating a honeypot defense by;
  
  (a) determining from the received data the channel used for transmitting the signal, an access point to which the signal was directed and a station originating the signal;
  
  (b) reconfiguring the access point and authorized stations to communication using a channel other than the determined channel; and
  
  (c) interacting with the station originating the signal using the determined channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The system of claim 1, wherein the system data store comprises a statistics data store that stores historical data regarding the wireless computer network.
  - 3. The system of claim 2, wherein the system processor applies a statistical anomaly test during violation detection tat compares the received data with network default data in the system data store, information derived therefrom, data in the statistics data store, information derived therefrom, or risk criteria data stored in the system data store.
  - 4. The system of claim 2, wherein the system processor is further programmed or adapted to perform the step comprising of updating the statistics data store based upon the received data.
  - 5. The system of claim 1, wherein the first communication interface'"'"'s receiver receives signals corresponding to a frame transmitted between stations and access points within the wireless computer network and forwards data corresponding to the frame to the system processor.
  - 6. The system of claim 5, wherein the first communication interface'"'"'s receiver is a wireless receiver.
  - 7. The system of claim 5, wherein the signals received by the first communication interface'"'"'s receiver originate from an access point within the wireless computer network, from a station within the wireless computer network, or from one or more sensors located within an area serviced by the wireless computer network.
  - 8. The system of claim 7, further comprising one or more sensors located within an area serviced by the wireless network, wherein each of the one or more sensors comprise a wireless receiver capable of receiving frames transmitted over the wireless computer network and a transmitter capable of transmitting data associated with received frames over the communication channel to the first communication interface.
  - 9. The system of claim 8, wherein each sensor further comprise at least one processing element of the system processor and wherein the at least one processing element is programmed or adapted to cause the sensor'"'"'s transmitter to forward data associated with received frames in response to reception of received frames by the sensor'"'"'s wireless receiver.
  - 10. The system of claim 9, wherein each sensor'"'"'s transmitter is a wireless transmitter or wherein each sensor further comprises a wireless transmitter, and wherein each sensor'"'"'s at least one processor is further programmed or adapted to perform the step comprising of triggering an active defense of the wireless computer network in response to a generated alarm.
  - 11. The system of claim 5, wherein the first communication interface further comprises a transmitter tat transmits outbound communications to the communication channel.
  - 12. The system of claim 11, further comprising a device housing that houses the first communication interface and at least one processing element of the system processor, thereby forming a first device, and one or more additional devices, wherein each additional device comprises a housing, a device communication interface allowing communication via the communication channel and at least one processing element of the system processor, wherein the signals received by any of the first or the additional devices respective communication interface originate from an access point within the wireless computer network, from a station within the wireless computer network, or from a different device.
  - 13. The system of claim 12, further comprising one or more sensors located within an area serviced by the wireless network, wherein each of the one or more sensors comprise a wireless receiver capable of receiving frames transmitted over the wireless computer network and a transmitter capable of transmitting data associated with received frames over the communication channel to the first communication interface, wherein the signals received by any of the first or the additional devices respective communication interface may also originate from one of the one or more sensors.
  - 14. The system of claim 1, wherein each generated alarm comprises a type or a severity and wherein the system processor'"'"'s triggering of an active defense comprises the step of selecting an active defense based upon the type or the severity of the generated alarm to which the triggering step was responsive.
  - 15. The system of claim 1, wherein the system processor is further programmed or adapted to perform the steps comprising of receiving configuration information and storing the received configuration information in the system data store.
  - 16. The system of claim 15, wherein the configuration information is received by the system processor from a configuration file, from an interactive data entry interface or from a command line.
  - 17. The system of claim 15, wherein the received configuration information comprises network default data and risk criteria.
  - 18. The system of claim 1, wherein the system data store comprises a station data store and wherein the system processor is further programmed or adapted to perform the step comprising of updating the station data store based upon the received data.
  - 19. The system of claim 1, wherein the system data store comprises an access point data stare and wherein the system processor is further programmed or adapted to perform the step comprising of updating the access point data store based upon the received data.
  - 20. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of notifying an administrator of the generated alarm if a violation was detected.
  - 21. The system of claim 1, wherein the plurality of test applied by the system processor comprises two or more tests selected from the group consisting of signature test, protocol test, statistical anomaly test and policy test.
  - 22. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of mapping station identity.
  - 23. The system of claim 22, wherein the system processor is further programmed or adapted to perform the step comprising of mapping station location.
  - 24. The system of claim 1, wherein the system processor is further programmed or adapted to perform the step comprising of mapping station location.

25. A network security method, the method comprising the steps of:
- a) receiving configuration information comprising one or more risk criteria, network default data, network policy, performance and usage data from a configuration file, an interactive data entry interface or a command line;
  
  b) receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame;
  
  c) updating a database containing data corresponding to stations in the wireless computer network based upon the received data,d) updating state information associated with the wireless computer network based upon the received data;
  
  e) if a statistical interval has ended based upon the received data or a fixed time interval, updating a database of statistics associated with the wireless computer network;
  
  f) testing the received data to determine if it represents a signature violation by comparing the received data with configuration intonation or information derived therefrom;
  
  g) testing the received data to determine if it represents a protocol violation by comparing the received data with configuration information or information derived therefrom;
  
  h) testing the received data to determine if it represents a statistical anomaly by comparing the received data with configuration information, information derived therefrom or information in the database of statistics associated with the wireless computer network;
  
  i) testing the received data to determine if it represents a policy violation by comparing the received data with configuration information or information derived therefrom;
  
  j) generating an alarm signal if the received data represents a signature violation, a protocol violation, a statistical anomaly or a policy violation, wherein the generated alarm signal comprises a type and a severity;
  
  k) in response to the generated alarm,i) notifying an administrator of the generated alarm, its type and its severity;
  
  orii) actively defending the wireless computer network based upon the generated alarm'"'"'s type and severity by;
  
  1) jamming wireless transmissions;
  
  2) CRC errors;
  
  3) transmitting frames comprising random data;
  
  4) locking-down the wireless computer network;
  
  or5) activating a boneypot defense by;
  
  (a) from the received data, determining the channel used for transmitting the signal, an access point to which the signal was directed and a station originating the signal;
  
  (b) reconfiguring the access point and authorized stations to communication using a channel other than the determined channel; and
  
  (c) interacting with the station originating the signal using the determined channel; and
  
  l) mapping station identity; and
  
  m) mapping station location.
- View Dependent Claims (26)
- - 26. Computer readable storage media storing instructions that upon execution by a system processor cause the system processor to perform the method of claim 25.

27. A network security system, the system comprising:
- a) storing means for receiving and storing risk criteria data, network default data, and network performance and usage data;
  
  b) configuration means for receiving configuration information and forwarding the received configuration information to the storing means;
  
  c) frame data receiving means for receiving data corresponding to a frame transmitted over a wireless computer network and the signal used to transmit the frame;
  
  d) database update means for transferring updated data to the storing means based upon data received by the frame data receiving means;
  
  e) testing means for applying a plurality of tests to data received by the frame data receiving means, wherein each of the plurality of tests is of a type selected from the group consisting of signature test, protocol test, statistical anomaly test and policy test ad wherein each test compares data received byte frame data receiving means with data in the storing means or information derived therefrom;
  
  f) alarm means for generating an alarm signal if the data received by the frame data receiving means represents a signature violation, a protocol violation, a statistical anomaly or a policy violation as determined by the testing means, wherein the generated alarm signal comprises a type and a severity;
  
  g) notification means for notifying a administrator of an alarm generated by the alarm means, its type and its severity;
  
  h) active defense means for actively defending the wireless computer network based upon the type and severity of an alarm generated by the alarm means by;
  
  i) jamming wireless transmissions;
  
  ii) CRC errors;
  
  iii) transmitting frames comprising random data;
  
  iv) locking-down the wireless computer network;
  
  orv) activating a honeypot defense by;
  
  1) from the received data, determining the channel used for transmitting the signal, en access point to which the signal was directed and a station originating the signal;
  
  2) reconfiguring the access point and authorized stations to communication using a channel other than the determined channel; and
  
  3) interacting with the station originating the signal using the determined channel;
  
  endi) mapping means for mapping station identity or location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Hrastar, Scott, Lynn, Michael T., Sale, Edwin L., Hollingsworth, Dawn M.
Primary Examiner(s)
Zand, Kambiz

Application Number

US10/161,142
Publication Number

US 20030236990A1
Time in Patent Office

1,520 Days
Field of Search

713/200, 713/201, 380/270, 709/223, 709/225, 726/22
US Class Current

726/22
CPC Class Codes

H04L 41/0681   Configuration of triggering...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

Systems and methods for network security

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

317 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for network security

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

317 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links