Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

US 8,789,191 B2
Filed: 02/17/2012
Issued: 07/22/2014
Est. Priority Date: 02/11/2004
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring for unauthorized wireless access to computer networks, the method comprising:

monitoring wireless communications within a selected geographic region using one or more monitoring devices that are positioned within the selected geographic region, the selected geographic region including a wired portion of a computer network;

detecting an active wireless access point device that transmits wireless signals over a wireless medium within the selected geographic region;

injecting a marker packet into the wired portion of the computer network at least for a purpose of detecting unauthorized access to the wired portion, the marker packet being adapted to be transferred to the wireless medium from the wired portion of the computer network through a wireless access point device which is connected to the wired portion of the computer network and functions as a layer two bridge between its wired and wireless interfaces, wherein the marker packet has a predetermined format, and at least one of the monitoring devices is configured to identify at least a portion of the predetermined format;

identifying, based on the monitored wireless communications, that the marker packet was transferred from the wired portion of the computer network to the wireless medium within the selected geographic region through the active wireless access point device;

determining that the active wireless access point device is connected to the wired portion of the computer network, based at least upon the marker packet being identified as transferred from the wired portion of the computer network to the wireless medium within the selected geographic region through the active wireless access point device;

determining that the active wireless access point device is unauthorized; and

determining that the active wireless access point device provides unauthorized access to the wired portion of the computer network, based at least upon the determination that the active wireless access point device is connected to the wired portion of the computer network and the determination that the active wireless access point is unauthorized.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for wireless communication including an automated intrusion detection process is provided. The apparatus includes a processing unit. It includes a wireless network interface device and an Ethernet (or like) wired network interface device that are coupled to the processing unit. One or more memories are coupled to the processing unit. A code is directed to perform a process for detection of wireless activity within a selected local geographic region. According to a specific embodiment, the wireless activity is derived from a wireless access point device that is operational about the selected local geographic region. A code is directed to performing connectivity test using one or more marker packets to determine connectivity status of the wireless access point device to network to be protected from intrusion. Depending upon the embodiment, other codes may exist to carry out the functionality described herein.

252 Citations

20 Claims

1. A method for monitoring for unauthorized wireless access to computer networks, the method comprising:
- monitoring wireless communications within a selected geographic region using one or more monitoring devices that are positioned within the selected geographic region, the selected geographic region including a wired portion of a computer network;
  
  detecting an active wireless access point device that transmits wireless signals over a wireless medium within the selected geographic region;
  
  injecting a marker packet into the wired portion of the computer network at least for a purpose of detecting unauthorized access to the wired portion, the marker packet being adapted to be transferred to the wireless medium from the wired portion of the computer network through a wireless access point device which is connected to the wired portion of the computer network and functions as a layer two bridge between its wired and wireless interfaces, wherein the marker packet has a predetermined format, and at least one of the monitoring devices is configured to identify at least a portion of the predetermined format;
  
  identifying, based on the monitored wireless communications, that the marker packet was transferred from the wired portion of the computer network to the wireless medium within the selected geographic region through the active wireless access point device;
  
  determining that the active wireless access point device is connected to the wired portion of the computer network, based at least upon the marker packet being identified as transferred from the wired portion of the computer network to the wireless medium within the selected geographic region through the active wireless access point device;
  
  determining that the active wireless access point device is unauthorized; and
  
  determining that the active wireless access point device provides unauthorized access to the wired portion of the computer network, based at least upon the determination that the active wireless access point device is connected to the wired portion of the computer network and the determination that the active wireless access point is unauthorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the determining that the active wireless access point device is unauthorized comprises ascertaining that the active wireless access point device is not among one or more wireless access point devices which are allowed to be connected to the wired portion of the computer network within the selected geographic region.
  - 3. The method of claim 1, wherein the ascertaining that the active wireless access point device is not among the one or more wireless access point devices which are allowed to be connected to the wired portion of the computer network comprises comparing a feature set associated with the active wireless access point device with a feature set associated with each of the one or more wireless access point devices which are allowed to be connected to the wired portion of the computer network.
  - 4. The method of claim 3 wherein the feature set associated with the active wireless access point device comprises one or more features selected from the group consisting of encryption method for wireless link, authentication method for wireless link, and MAC address of a wireless interface of the active wireless access point device.
  - 5. The method of claim 3 wherein the feature set associated with the each of the one or more wireless access point devices which are allowed to be connected to the wired portion of the computer network comprises one or more features selected from the group consisting of encryption method for wireless link, authentication method for wireless link, and MAC address of a wireless interface of the each wireless access point device which is allowed to be connected to the wired portion of the computer network.
  - 6. The method of claim 1 wherein the marker packet is injected into the wired portion of the computer network in response to the detecting of the active wireless access point device that transmits wireless signals within the selected geographic region.
  - 7. The method of claim 1, further comprising injecting periodically a plurality of marker packets into the wired portion of the computer network.
  - 8. The method of claim 1 wherein the predetermined forma a comprises one or more predetermined bit patterns.
  - 9. The method of claim 1 wherein the predetermined format comprises one or more predetermined sizes.
  - 10. The method of claim 1 wherein the marker packet is injected into the wired portion of the computer network from a computing device connected to the wired portion of the computer network using one or more wires.
  - 11. The method of claim 10 wherein the computing device connected to the wired portion of the computer network using the one or more wires includes a monitoring device.

12. A system for monitoring for unauthorized wireless access to computer networks, the system comprising:
- a wired network interface for coupling the system to a wired portion of a computer network;
  
  a first portion of computer memory coupled to the wired network interface, the first portion of computer memory comprising computer-readable code executable to inject one or more marker packets into the wired portion of the computer network using the wired network interface at least for a purpose of detecting unauthorized access to the wired portion, the one or more marker packets being adapted to be transferred to a wireless medium from the wired portion of the computer network through one or more wireless access point devices which are connected to the wired portion of the computer network and function as layer two bridges between their wired and wireless interfaces, a predetermined format being associated with the one or more marker packets;
  
  a wireless network interface for monitoring wireless communication activity;
  
  a second portion of computer memory coupled to the wireless network interface, the second portion of computer memory comprising computer-readable code executable to identify, based on the monitored wireless communication activity, at least one marker packet from the one or more marker packets that was transferred to the wireless medium from the wired portion of the computer network through a first wireless access point device;
  
  a third portion of computer memory comprising computer-readable code executable to determine that the first wireless access point device is connected to the wired portion of the computer network, based at least upon the at least one marker packet being identified as transferred to the wireless medium from the wired portion of the computer network through the first wireless access point device;
  
  a fourth portion of computer memory comprising computer-readable code executable to determine that the first wireless access point is unauthorized; and
  
  a fifth portion of computer memory comprising computer-readable code executable to determine unauthorized access to the wired portion of the computer network based at least upon the determination that the first wireless access point device is connected to the wired portion of the computer network and the determination that the first wireless access point is unauthorized.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the computer-readable code in the fourth portion of the computer memory is executable to:
    - compare an identity of the first wireless access point device against identities of one or more wireless access point devices that are authorized to be connected to the wired portion of the computer network.
  - 14. The system of claim 12 wherein the wired network interface, the first portion of computer memory, the wireless network interface, and the second portion of computer memory are all provided within a monitoring device.
  - 15. The system of claim 14 wherein at least one of the third portion, the fourth portion and the fifth portion of computer memory is provided within a server device which communicates with the monitoring device over one or more computer networks.
  - 16. The system of claim 12 whereinthe wired network interface and the first portion of computer memory are provided within a first monitoring device;
    - andthe wireless network interface and the second portion of computer memory are provided within a second monitoring device, the second monitoring device being different from the first monitoring device.
  - 17. The system of claim 12 wherein the computer-readable code in the second portion of computer memory is executable to detect at least a portion of the predetermined format in one more packets in at least a portion of the wireless communication activity.
  - 18. The system of claim 12 wherein the wired network interface and at least a portion of the first portion of computer memory are provided within a computer system connected to the computer network using an Ethernet cable.
  - 19. The system of claim 12 wherein the wireless network interface and at least a portion of the second portion of computer memory are provided within a monitoring device.

20. A method for monitoring unauthorized wireless access to a network, the method comprising:
- monitoring wireless communications in the network by one or more monitoring devices, wherein the network comprises a wired portion and a wireless medium;
  
  detecting a wireless access point that transmits wireless signals over the wireless medium in the network;
  
  injecting a marker packet into the wired potion of the network at least for a purpose of detecting unauthorized access to the wired portion;
  
  determining that the wireless access point is connected to the wired portion of the network if at least one of the monitoring devices detects that the marker packet was transferred from the wired portion to the wireless medium of the network through the wireless access point;
  
  determining that the wireless access point is unauthorized; and
  
  determining that the wireless access point provides unauthorized access to the wired portion of the network based upon the determination that the wireless access point is unauthorized and is connected to the wired portion of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arista Networks, Inc.
Original Assignee
Airtight Networks Incorporated (Arista Networks, Inc.)
Inventors
Bhagwat, Pravin, Gogate, Shantanu, King, David C.
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US13/399,626
Publication Number

US 20120240196A1
Time in Patent Office

886 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 43/00   Arrangements for monitoring...

H04L 63/1416   Event detection, e.g. attac...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

H04W 12/03   Protecting confidentiality,...

H04W 12/069   using certificates or pre-s...

H04W 12/088   using filters or firewalls

H04W 12/102   Route integrity, e.g. using...

H04W 12/122   Counter-measures against at...

Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

252 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

252 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links