Systems and methods for wireless security using distributed collaboration of wireless clients

US 7,971,251 B2
Filed: 03/17/2006
Issued: 06/28/2011
Est. Priority Date: 03/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for distributed monitoring of a wireless network using a plurality of wireless client devices in communication with the wireless network to gather wireless data from the wireless network, the method comprising the steps of:

loading a software agent on one or more of a plurality of wireless client devices in communication with a wireless network, wherein the software agent is configured to utilize the one or more of the plurality of wireless devices as distributed monitoring devices in the wireless network, and wherein the plurality of wireless client devices comprise authorized wireless devices on the wireless network comprising any of desktop computers, notebook computers, storage devices, printers, or processor devices equipped with a wireless radio;

directing the one or more of the plurality of wireless client devices to monitor the wireless network and collect data corresponding to wireless traffic from devices transmitting on the wireless network at a predetermined range of frequencies, and to store the data for analysis, wherein the one or more of the plurality of wireless clients are configured to analyze the stored data locally, and wherein the wireless traffic comprising wireless local area network frames;

receiving collected analyzed data from the plurality of wireless client devices at one or more servers, the servers being configured to accumulate the collected data;

storing the received data for analysis and correlation; and

analyzing the stored data received from the plurality of wireless client devices so as to identify traffic corresponding to anomalous wireless activity;

wherein the software agent directs the one or more of the plurality of wireless client devices to locally monitor, locally analyze, and transmit the stored data to the one or more servers over the wireless network based upon predetermined or programmed conditions associated with the one or more of the plurality of wireless client devices.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for distributed monitoring of a wireless network using a plurality of wireless client devices in communication with the wireless network.

186 Citations

26 Claims

1. A method for distributed monitoring of a wireless network using a plurality of wireless client devices in communication with the wireless network to gather wireless data from the wireless network, the method comprising the steps of:
- loading a software agent on one or more of a plurality of wireless client devices in communication with a wireless network, wherein the software agent is configured to utilize the one or more of the plurality of wireless devices as distributed monitoring devices in the wireless network, and wherein the plurality of wireless client devices comprise authorized wireless devices on the wireless network comprising any of desktop computers, notebook computers, storage devices, printers, or processor devices equipped with a wireless radio;
  
  directing the one or more of the plurality of wireless client devices to monitor the wireless network and collect data corresponding to wireless traffic from devices transmitting on the wireless network at a predetermined range of frequencies, and to store the data for analysis, wherein the one or more of the plurality of wireless clients are configured to analyze the stored data locally, and wherein the wireless traffic comprising wireless local area network frames;
  
  receiving collected analyzed data from the plurality of wireless client devices at one or more servers, the servers being configured to accumulate the collected data;
  
  storing the received data for analysis and correlation; and
  
  analyzing the stored data received from the plurality of wireless client devices so as to identify traffic corresponding to anomalous wireless activity;
  
  wherein the software agent directs the one or more of the plurality of wireless client devices to locally monitor, locally analyze, and transmit the stored data to the one or more servers over the wireless network based upon predetermined or programmed conditions associated with the one or more of the plurality of wireless client devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein a wireless client device monitors other devices within range and transmitting on the wireless network responsive to the wireless client device not actively communicating on the wireless network.
  - 3. The method of claim 1, wherein the received data comprises events, statistic, and wireless data.
  - 4. The method of claim 3, wherein the analyzing step comprises aggregation and correlation of events and statistics monitored by the plurality of wireless client devices, thereby eliminating duplicative communications that may have been collected by more than one wireless client device.
  - 5. The method of claim 4, further comprising the step of utilizing wireless intrusion detection techniques to identify events and attacks, identify rogue wireless devices, policy violations, and performance degradations.
  - 6. The method of claim 5, wherein the intrusion detection techniques comprise any of anomalous behavior matching, stateful protocol analysis, and signature matching.
  - 7. The method of claim 5, further comprising sending an updated wireless communication policy to the wireless clients responsive to events and attacks, rogue wireless devices, policy violations and performance degradations as detected via the wireless intrusion detection techniques.
  - 8. The method of claim of claim 5, further comprising the step of directing a wireless client device to at least inhibit an identified rogue wireless device'"'"'s communications with the wireless network, the wireless client device using an active defense mechanism to at least inhibit communications.
  - 9. The method of claim 8, wherein the active defense used on the rogue wireless device is any of sending a jamming signal transmission, sending an error signal transmission, and introducing a honeypot trap.
  - 10. The method of claim 1, wherein the wireless data collected by the wireless client devices supplements wireless data obtained via sensors or access points.
  - 11. The method of claim 1, wherein the directing step is based upon the location of the one or more wireless devices, such that the one or more of the plurality of wireless client devices are located in an area of poor stationary sensor coverage.
  - 12. The method of claim 1, wherein the one or more wireless client devices are utilized in a wireless intrusion protection system in combination with a plurality of sensors thereby enabling the wireless intrusion protection system to cover a larger range of channels or frequencies relative to only using the plurality of sensors for coverage.
  - 13. The method of claim 1, wherein the method is used to provide wireless intrusion protection for ad-hoc wireless networks.
  - 14. The method of claim 1, further comprising the steps of:
    - detecting an intruding wireless device based upon the analysis;
      
      directing one or more of a plurality of wireless client devices to approximate a location of a intruding wireless device based upon signal strength of the device at the one or more wireless client devices;
      
      receiving approximate location information from the one or more wireless client devices.
  - 15. The method of claim 1, wherein the plurality of wireless client devices are configured to collect any signals received in a space associated with a wireless network regardless of signal destination, the directing step specifying that the one or more wireless client devices monitor and collect wireless data based upon inactivity of the one or more wireless client devices.
  - 16. The method of claim 1, wherein the wireless client device comprises a wireless network interface configured to operate using one or more of the 802.11 standards.

17. A processor based method for monitoring a wireless network with a client equipped with a wireless device, the method comprising the steps of:
- loading a software agent on the client, wherein the software agent is configured to utilize the client as one of a plurality of distributed monitoring devices in the wireless network, and wherein the client comprises an authorized wireless device on the wireless network comprising any of desktop computers, notebook computers, storage devices, printers, or processor devices equipped with a wireless radio;
  
  monitoring the client for an activation condition associated with the client and operation of the client on the wireless network;
  
  receiving wireless data from the wireless network responsive to the activation condition, the wireless data comprising wireless traffic transmitted to any receiver, wherein the wireless data is transmitted within a receiver range of the wireless device, and wherein the wireless data comprising wireless local area network frames transmitted by devices on the wireless network other than the wireless device;
  
  at the client and based on the activation condition, locally analyzing the data to identify relevant data, events, and statistics, the data, events, and statistics being relevant to a security profile associated with the wireless network;
  
  at the client, locally logging the relevant data, events, and statistics to a log file located on a local data store; and
  
  sending the log file to a server responsive to the wireless device having an available connection to the server, wherein the server is configured to receive a plurality of log files from a plurality of clients.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further comprising the step of receiving configuration updates from the server, wherein the configuration updates comprise any of activation conditions, frequency and time scanning patterns, storage and communication settings, and security profile updates.
  - 19. The method of claim 18, wherein the activation condition comprises one of the wireless devices not communicating on the wireless network, the client being idle, or a predetermined time.
  - 20. The method of claim 17, further comprising the step of waiting for an activation condition responsive to receiving a deactivation condition, wherein the deactivation condition comprises any of the wireless device communicating data on the wireless network and the client becoming active.
  - 21. The method of claim 17, wherein the availability of the connection to the server comprises the wireless interface having one of an available wireless network or a wired network to transmit the log file to the server.
  - 22. The method of claim 17, wherein the wireless device comprises a wireless network interface configured to operate using one or more of the 802.11 standards.
  - 23. The method of claim 17, wherein the server is configured to aggregate and correlate information received from a plurality of clients.

24. One or more computer readable media storing instructions that upon execution by a computer cause the computer to monitor the use of a wireless device with respect to communications that are received at a wireless interface associated with the computer, wherein the monitoring of the wireless interface comprises:
- receiving wireless data from the wireless network at a wireless device responsive to an activation condition associated with the computer and operation of the computer on the wireless network, the wireless data comprising wireless traffic transmitted to any receiver, wherein the wireless data is transmitted within a receiver range of the wireless device, and wherein the wireless data comprises wireless local area network frames transmitted by devices on the wireless network other than the wireless device;
  
  at the computer, locally analyzing the data to identify relevant data, events, and statistics, wherein the data, events, and statistics are relevant based upon a security profile associated with the wireless network;
  
  at the computer, locally logging the relevant data, events, and statistics to a log file located on a local data store;
  
  sending the log file to a server responsive to the wireless device having an available connection to the server over a secure socket link, wherein the server is configured to analyze and correlate data from a plurality of log files; and
  
  without the activation condition, operating the computer over the wireless network;
  
  wherein the computer is configured perform the receiving and locally analyzing based upon predetermined or programmed conditions associated with the computer; and
  
  wherein the computer comprises an authorized wireless device on the wireless network comprising any of desktop computers, notebook computers, storage devices, printers, or processor devices equipped with a wireless radio, the computer executing the instructions in background until the predetermined or programmed conditions.

25. A computer system having an intrusion protection system agent, the system comprising:
- a wireless communication interface operable to receive and transmit data on a wireless network, wherein the data is included in wireless local area network frames compliant to IEEE 802.11 protocols;
  
  a data store operable to store a log file associated with analysis of the wireless network; and
  
  a system processor comprising one or more processing elements, wherein the system processor is in communication with the system data store and the wireless communication interface and wherein the system processor is programmed or adapted to;
  
  access the wireless communication interface to collect wireless data responsive to an activation condition, the wireless data being collected without consideration for the intended recipient of the data;
  
  store the collected wireless data in the data store;
  
  locally perform an analysis of the collected wireless data to identify relevant data, events, and statistics responsive to the activation condition, wherein the identified data, events, and statistics are relevant based upon a security profile associated with the wireless network;
  
  locally store a log file associated with the analysis of the collected wireless data;
  
  alert a centralized server via a network connection comprising a secure socket link based upon the analysis of the information; and
  
  without the activation condition, operate over the wireless network;
  
  wherein the wireless data compliant to IEEE 802.11 protocols is stored locally in the data store, analyzed locally by the processor is in communication with the system data store, and the log file is created and stored locally in the data store based on the analysis, and wherein the centralized server is configured to analyze and correlate data from a plurality of log files from a plurality of computer systems;
  
  wherein the computer system comprises an authorized wireless device on the wireless network comprising any of desktop computers, notebook computers, storage devices, printers, or processor devices equipped with a wireless radio, the computer system executing the intrusion protection system agent in background until the activation condition.
- View Dependent Claims (26)
- - 26. The computer system of claim 25, wherein the centralized server is configured to perform intrusion detection analysis on the wireless network by analyzing information provided by a plurality of computer systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
AirDefense Incorporated (Motorola Solutions, Inc.)
Inventors
Sinha, Amit
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Durham; Imhotep

Application Number

US11/276,925
Publication Number

US 20070217371A1
Time in Patent Office

1,929 Days
Field of Search

726/23, 455/423, 455/410, 455/411, 455/421, 370/388
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04W 12/122   Counter-measures against at...

H04W 84/12   WLAN [Wireless Local Area N...

Systems and methods for wireless security using distributed collaboration of wireless clients

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for wireless security using distributed collaboration of wireless clients

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links