Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices

US 7,966,660 B2
Filed: 09/11/2007
Issued: 06/21/2011
Est. Priority Date: 05/23/2007
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of wireless devices configured to receive data packets over a wireless medium, at least one of the wireless devices configured to detect one or more anomalies associated with a received data packet; and

a sentinel device configured to communicate a spy routine to one or more of the wireless devices in response to the detection of the one or more anomalies;

wherein the one or more wireless devices are further configured to execute the spy routine to facilitate at least one of;

a determination of whether a transmitter of the received data packet is an intruder and isolation of the transmitter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Wireless devices, such as field devices or repeater/relay nodes, detect the presence of anomalies in data packets that suggest intrusion. Upon detection of an anomaly, a wireless device sends a notification to a sentinel device, which determines if intrusion may be occurring. If so, the sentinel device downloads a spy routine to at least one of the wireless devices, which enables further investigation into and/or isolation of the intrusion. Since the spy routine is downloaded to the wireless devices, the spy routine can be used in conjunction with memory-constrained wireless devices. Memory-constrained wireless devices may lack adequate memory for storing both a main application executed during normal operation and the spy routine. The spy routine could overwrite one or more modules of the main application. Once executed, the spy routine could itself be overwritten by the one or more modules, allowing the wireless device to return to normal operation.

44 Citations

View as Search Results

31 Claims

1. A system comprising:
- a plurality of wireless devices configured to receive data packets over a wireless medium, at least one of the wireless devices configured to detect one or more anomalies associated with a received data packet; and
  
  a sentinel device configured to communicate a spy routine to one or more of the wireless devices in response to the detection of the one or more anomalies;
  
  wherein the one or more wireless devices are further configured to execute the spy routine to facilitate at least one of;
  
  a determination of whether a transmitter of the received data packet is an intruder and isolation of the transmitter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the sentinel device is further configured to determine whether one of the wireless devices is a memory-constrained wireless device before communicating the spy routine to that wireless device.
  - 3. The system of claim 2, wherein the memory-constrained wireless device is further configured to:
    - execute a main application during normal operation, the main application comprising multiple modules; and
      
      replace at least one of the multiple modules with the spy routine.
  - 4. The system of claim 3, wherein:
    - the at least one module is not required for steady-state operation of the memory-constrained wireless device; and
      
      the at least one module is replaced without taking the memory-constrained wireless device offline.
  - 5. The system of claim 3, wherein the memory-constrained wireless device is further configured to:
    - receive the at least one module from an external source; and
      
      replace the spy routine with the at least one received module to return the memory-constrained wireless device to normal operation without taking the memory-constrained wireless device offline.
  - 6. The system of claim 1, wherein:
    - the sentinel device is configured to communicate the spy routine to a first subset of the wireless devices; and
      
      the spy routine resides on a second subset of the wireless devices, the sentinel device configured to activate the spy routine in the second subset of the wireless devices.
  - 7. The system of claim 1, wherein:
    - the sentinel device is configured to receive a notification associated with the one or more anomalies from a first of the wireless devices; and
      
      the sentinel device is configured to communicate the spy routine to a second of the wireless devices.
  - 8. The system of claim 7, wherein the second wireless device is located closer to the transmitter than the first wireless device.
  - 9. The system of claim 1, wherein the plurality of wireless devices comprise at least one of:
    - one or more wireless repeater or relay nodes in a wireless network; and
      
      one or more wireless field devices configured to communicate with the wireless network.
  - 10. The system of claim 1, wherein the one or more anomalies comprise at least one of:
    - reception of the received data packet in a non-scheduled time slot;
      
      an absence of a destination address in the received data packet;
      
      an incorrect packet size of the received data packet;
      
      an incorrect message integrity code in the received data packet;
      
      an incorrect nonce value in the received data packet; and
      
      observation of repeated changes in a connection status.

11. A method comprising:
- receiving a data packet from a transmitter at a wireless device;
  
  detecting one or more anomalies associated with the data packet;
  
  communicating a notification in response to detecting the one or more anomalies;
  
  receiving a spy routine at the wireless device; and
  
  executing the spy routine to facilitate at least one of;
  
  a determination of whether the transmitter is an intruder and isolation of the transmitter.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the wireless device is a memory-constrained wireless device having an inadequate amount of memory for storing both a main application used during normal operation and the spy routine.
  - 13. The method of claim 12, further comprising:
    - executing the main application at the wireless device during normal operation, the main application comprising multiple modules; and
      
      replacing at least one of the multiple modules with the spy routine.
  - 14. The method of claim 13, wherein:
    - the at least one module is not required for steady-state operation of the memory-constrained wireless device; and
      
      the at least one module is replaced without taking the memory-constrained wireless device offline.
  - 15. The method of claim 13, further comprising:
    - receiving the at least one module from an external source; and
      
      replacing the spy routine with the at least one received module to return the wireless device to normal operation without taking the memory-constrained wireless device offline.

16. An apparatus comprising:
- a wireless interface configured to receive a data packet from a transmitter; and
  
  at least one processor configured to;
  
  detect one or more anomalies associated with the data packet;
  
  initiate communication of a notification in response to detecting the one or more anomalies;
  
  receive a spy routine; and
  
  execute the spy routine to facilitate at least one of;
  
  a determination of whether the transmitter is an intruder and isolation of the transmitter.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, further comprising:
    - at least one memory configured to store a main application used during normal operation and the spy routine.
  - 18. The apparatus of claim 17, wherein the at least one processor is further configured to:
    - execute the main application during normal operation, the main application comprising multiple modules; and
      
      replace at least one of the multiple modules with the spy routine.
  - 19. The apparatus of claim 18, wherein:
    - the at least one module is not required for steady-state operation of the apparatus; and
      
      the at least one module is replaced without taking the apparatus offline.
  - 20. The apparatus of claim 18, wherein the at least one processor is further configured to:
    - receive the at least one module from an external source; and
      
      replace the spy routine with the at least one received module to return the apparatus to normal operation without taking the apparatus offline.

21. A non-transitory computer readable medium encoded with a computer program, the computer program comprising computer readable program code for:
- receiving a data packet from a transmitter;
  
  detecting one or more anomalies associated with the data packet;
  
  communicating a notification in response to detecting the one or more anomalies;
  
  receiving a spy routine; and
  
  executing the spy routine to facilitate at least one of;
  
  a determination of whether the transmitter is an intruder and isolation of the transmitter.

22. A method comprising:
- receiving a notification from one of a plurality of wireless devices, the notification associated with one or more anomalies detected by the wireless device, the one or more anomalies associated with a data packet received by the wireless device; and
  
  communicating a spy routine to at least one of the wireless devices, the spy routine facilitating at least one of;
  
  a determination of whether a transmitter of the data packet is an intruder and isolation of the transmitter.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, further comprising:
    - determining that the at least one wireless device is a memory-constrained wireless device having an inadequate amount of memory for storing both a main application used during normal operation and the spy routine.
  - 24. The method of claim 22, wherein:
    - receiving the notification comprises receiving the notification from a first of the wireless devices; and
      
      communicating the spy routine comprises communicating the spy routine to a second of the wireless devices.
  - 25. The method of claim 24, wherein the second wireless device is located closer to the transmitter than the first wireless device.

26. An apparatus comprising:
- an interface configured to receive a notification from one of a plurality of wireless devices, the notification associated with one or more anomalies detected by the wireless device, the one or more anomalies associated with a data packet received by the wireless device; and
  
  at least one processor configured to identify at least one of the wireless devices and to initiate communication of a spy routine to the at least one wireless device, the spy routine facilitating at least one of;
  
  a determination of whether a transmitter of the data packet is an intruder and isolation of the transmitter.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The apparatus of claim 26, wherein the at least one processor is further configured to determine that the at least one wireless device is a memory-constrained wireless device having an inadequate amount of memory for storing both a main application used during normal operation and the spy routine.
  - 28. The apparatus of claim 26, wherein the at least one processor is configured to:
    - receive the notification from a first of the wireless devices; and
      
      communicate the spy routine to a second of the wireless devices.
  - 29. The apparatus of claim 28, wherein the second wireless device is located closer to the transmitter than the first wireless device.
  - 30. The apparatus of claim 26, wherein:
    - the at least one processor is configured to communicate the spy routine to a first subset of the wireless devices; and
      
      the spy routine resides on a second subset of the wireless devices, the at least one processor configured to activate the spy routine in the second subset of the wireless devices.

31. A non-transitory computer readable medium encoded with a computer program, the computer program comprising computer readable program code for:
- receiving a notification from one of a plurality of wireless devices, the notification associated with one or more anomalies detected by the wireless device, the one or more anomalies associated with a data packet received by the wireless device; and
  
  communicating a spy routine to at least one of the wireless devices, the spy routine facilitating at least one of;
  
  a determination of whether a transmitter of the data packet is an intruder and isolation of the transmitter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Ramanathan, Kartikeya S., Singh, Abhishek K., Yermal, Sudarshan
Primary Examiner(s)
Dinh; Minh
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/900,623
Publication Number

US 20080291017A1
Time in Patent Office

1,379 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

H04W 24/00   Supervisory, monitoring or ...

H04W 84/14   WLL [Wireless Local Loop]; ...

H04W 88/02   Terminal devices

Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others