Location-based enhancements for wireless intrusion detection

USPTO Application #: 20060193299

Title: Location-based enhancements for wireless intrusion detection

Abstract: In a wireless local area network, a method for detecting the presence of an unauthorized device comprises: detecting the presence of neighboring devices from which management frames can be sent; saving a representation of each neighboring device present; receiving a management frame purporting to be from one of the detected devices; determining that the received management frame was sent by an unauthorized device; and indicating the presence of the unauthorized device.
Agent: Sierra Patent Group, Ltd. - Minden, NV, US

Inventors: Nancy Cam Winget, Mark Krischer, Timothy S. Olson, Sheausong Yang

USPTO Application #: 20060193299 - Class: 370338000 (USPTO)

Related Patent Categories: Multiplex Communications, Communication Over Free Space, Having A Plurality Of Contiguous Regions Served By Respective Fixed Stations, Contiguous Regions Interconnected By A Local Area Network

The Patent Description & Claims data below is from USPTO Patent Application 20060193299.

FIELD OF THE INVENTION

[0001] The present invention relates broadly to configuration of wireless local area networks. Specifically, the present invention relates to configuring a wireless local area network of client devices. More specifically, the present invention relates to using management frames in a wireless transmission medium to detect unauthorized access to a wireless local area network.

BACKGROUND

[0002] Use of wireless networks such as wireless local area networks (WLANs) is becoming widespread. With the proliferation of WLANs, network security is also becoming more and more important. WLANs present important network security concerns.

[0003] A WLAN may be ad hoc, in that any client device (referred to herein as a client) may communicate directly with any other client, or may have an infrastructure in which a client can only communicate with another client via an access point device (AP). Problems specific to WLANs arise from wireless clients requesting access to the various APs. Often in a deployment of a WLAN environment, AP cells' coverage areas are overlapped to achieve maximum RF coverage and reduce non-service spots. Wireless clients can move between APs, and thus change the RF environment of the WLAN depending on their location. Additionally, WLANs are often required to grow with increased demand as more and more clients require service from the WLAN.
Expanding the WLAN requires reconfiguring equipment, adding APs, and placing APs in locations that do not conflict with other APs or otherwise complicate managing the WLAN.

[0004] Because wireless is an open medium, anyone can contend for access and send frames over a channel. As 802.11 management frames are sent without any protection, an attacker can easily pose as a legitimate AP, sending directives to clients as if it were the AP serving the clients. For example, nearly all attacks begin with an attacker posing as an AP by sending disassociation or deauthentication requests to a client.

[0005] Thus, there is a heartfelt need for methods and equipment to efficiently protect a WLAN and provide WLAN managers with information needed to make management and access control decisions.

SUMMARY

[0006] The present invention addresses the problems described above and protects WLANs by verifying that management frames purporting to be from a specific AP originate from near the physical location where the specific AP is known to be located. Thus, the present invention requires attackers to be located in close proximity to the AP they wish to spoof, allowing the AP to detect the spoofed frame and alert a WLAN administrator.

[0007] In an embodiment, the WLAN administrator deploys a new WLAN as described below. After installing hardware, the APs establish trusted relationships with the campus context manager (CCM). Radio parameters are auto-configured based on AP radio discovery measurements. If necessary, client walkabouts are performed to gather signal strength measurements, and radio parameters can be re-configured using these measurements. In an embodiment, when a network is first installed, the WLAN administrator positions APs based on heuristic guidance and applies power without any time coordination. Optionally, the WLAN administrator may perform a site survey to optimize the AP placement.
Site surveys can range from a quick coverage check using a client utility to detailed signal strength measurements using a third-party tool. After placement and power-up, each AP scans a frequency band to find a usable channel. In an embodiment, the Radio Manager generates a network-wide radio configuration overriding these initial settings. The WLAN administrator initiates radio discovery, auto-configuration and client walkabout measurements at the WLAN Network Manager (WNM) interface. AP radio discovery involves APs broadcasting beacon signals and simultaneously listening for beacon signals from neighboring APs. The resulting measurements between APs are used to generate an initial radio configuration for the WLAN. Client walkabout measurements are not accompanied by location information, but sets of measurements correspond to specific locations in the WLAN coverage area. The Radio Manager uses these measurement sets to create measurement objects that contain data representing path losses to the strongest controlled APs and received signal strengths from uncontrolled sources at specific locations. A new radio configuration can be generated for the WLAN, using the additional information from the client walkabouts.

[0008] Depending on the embodiment of the present invention, the physical location of the APs can be either manually configured or obtained during the discovery or walkabout survey. During normal operation, the locations of the APs do not change, as APs in general are not expected to be mobile devices. However, in the event that mobile APs are present, resurveying or manually reconfiguring the WLAN can be performed on a periodic basis. Once an AP's location is determined by physical coordinate location and/or through its relative set of neighbors, the AP's location is not expected to change.
[0009] A signature is conveyed for each management frame the AP transmits and is used for checking that management frames that purport to be from a specific AP actually originate from the expected location. Because the signature is unique to each frame, the dynamic nature of the stored signal strength information ensures a reasonably accurate representation of AP placement within the WLAN. As each AP sends management frames that contain a signal strength indication, this signal strength indication is compared to the AP's signal strength recorded in the radio manager's database. A significant difference between the signal strength indicator of the management frame and the signal strength recorded in the radio manager's database indicates the possibility of an unauthorized user trying to pose as a legitimate AP. In an embodiment, the actual validation is based on the detector checking the message integrity code (MIC) of each management frame together with the signal strength of the AP, to assert both whether the MIC is valid and whether that detector should have been able to detect that AP.

[0010] Many other features and advantages of the present invention will be realized by one skilled in the art upon reading the following detailed description when considered with the accompanying drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] FIGS. 1A and 1B illustrate placement of APs in a WLAN and measurements taken during radio discovery.

[0012] FIG. 2 illustrates a network configuration in which radio measurements are introduced by embodiments of the present invention.

[0013] FIG. 3 illustrates an exemplary access point device containing measurement modules used in accordance with embodiments of the present invention.

[0014] FIG. 4 illustrates an exemplary access radio manager device used in accordance with embodiments of the present invention.

DETAILED DESCRIPTION

[0015] The WLAN administrator initiates AP radio discovery at deployment and schedules AP radio discovery during brief maintenance periods when the WLAN is not in use (e.g., 2:00 AM each morning). The result of AP radio discovery is a snapshot of the RF interference at each AP and a set of signal strength measurements indicating the strength level at which each AP receives each neighboring AP's signal. Directing attention to FIG. 1A, a WLAN configuration having AP 1, AP 2, AP 3, AP 4, AP 5 and AP 6, radio manager 10 and wireless network manager (WNM) 14 is shown. When the APs perform radio scans in accordance with the present invention, APs are characterized not in terms of physical location, but mapped in terms of the signal strength received from each AP's neighboring APs. In other words, each AP is described in terms of what other APs the AP can detect, and at what signal strength. For example, in accordance with the present invention, AP 4 is defined as AP 1 (50); AP 2 (55); AP 3 (58); AP 5 (56). In this example, AP 6 is not detected by AP 4, and thus is not included in the definition of AP 4. The values defining AP 4 are stored in a database maintained by radio manager 10. Radio manager 10 uses each AP's current transmission signal strength level to compute the path loss between each AP and the APs it can detect. The computed path loss is saved in a database to characterize the RF environment, such as potential coverage redundancy in a set of 802.11 stations associated with a single AP (referred to herein as a BSS), and overlap on the downlink. When the neighboring AP is not controlled, radio manager 10 saves the received signal strength. Radio manager 10 sets all controlled APs to transmit at their highest power level and then steps down through subsequent levels to characterize each AP's true power steps.
AP radio discovery is accomplished in the following event sequence:

1. Radio manager 10 commands all APs to scan passively for RF energy over a predetermined time interval and return the results. This action is performed to detect uncontrolled 802.11 WLAN stations and interferers.
2. Radio manager 10 uses the AP scan results to choose one test frequency for all APs in a particular region.
3. Radio manager 10 sets all APs in a particular region to transmit beacons on the selected frequency at maximum transmit power. Each AP is assigned a unique beacon interval to minimize collisions.
4. Radio manager 10 then commands each AP to report beacons that it receives from other APs along with accompanying signal strengths.
5. This action is repeated with APs transmitting at each successively lower power level until reaching the lowest setting.

[0016] Directing attention to FIG. 1B, campus context manager (CCM) 15 can be utilized in a similar capacity as radio manager 10, database 12 and WNM 14. In an embodiment, CCM 15 stores the database of location information for each AP. This information can be manually configured or obtained through walkabouts based on signal strengths. As shown in FIG. 1B, AP 2's detected neighbors are AP 1 and AP 3. Similarly, AP 4's detected neighbors are only AP 3 and AP 5. In this embodiment, AP 2 and AP 4 are used to detect and validate all traffic they are able to receive. So if AP 4 receives frames that are from AP 1, they are suspected to be spoofed frames and AP 4 can report AP 1 to CCM 15 (or radio manager 10) as a potential rogue AP.

[0017] In an embodiment, a trust relationship is established between CCM 15 and all APs. APs issue their unique key used to protect their respective management frames. The management frame is protected, for example, by using a keyed one-way hash function such as HMAC-SHA1; its resulting value serves as a message integrity code (MIC) that is also sent in the management frame.
Sensor APs, such as AP 2 and AP 4, can validate these management frames as they receive them, to also ensure that their neighboring APs are not under attack. In an embodiment, if AP 4 receives frames that are from AP 1, it can also validate the received frame using AP 1's key. Since APs may be moved occasionally, or some APs can even be mobile, the combination of location tracking and validation of the MIC provides for a better determination of whether a rogue is encountered.

[0018] The information stored in radio manager 10's database is also useful for checking that management frames that purport to be from a specific AP actually originate from the expected location. Because radio manager 10's database is updated periodically, the dynamic nature of the stored signal strength information associated with individual APs ensures a reasonably accurate representation of AP placement within the WLAN. As each AP sends management frames that contain a signal strength indication as well as the message integrity check (MIC), this signal strength indication is compared to the AP's signal strength recorded in radio manager 10's database. If the difference between the signal strength indicator of the management frame and the signal strength recorded in radio manager 10's database is outside of a threshold amount, this difference indicates the possibility of an unauthorized user trying to pose as a legitimate AP. In such cases, a warning can be sent to the WLAN administrator to alert the administrator to the possibility of an attack on the WLAN.

[0019] In an embodiment, radio manager 10 uses the measured signal strength to calculate path loss information from AP to AP and from client location to AP. With this calculated path loss information and the configured power and channel settings of each AP, neighboring APs suffering from black holes are identified.
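As an added example (not code from the patent or its assignee), the following Python models the sensor-side check that paragraphs [0009] and [0016] to [0018] describe: a neighbor table in the form FIG. 1A gives for AP 4, a per-AP HMAC-SHA1 MIC, and a comparison of the received signal strength against the recorded value. The neighbor values come from the page; the keys, the threshold amount, the frame layout and the function names are constructed assumptions.

```python
import hmac
import hashlib

# Constructed neighbor table for sensor AP 4, copied from the FIG. 1A example:
# AP 4 is defined by the strength at which it hears each neighbor, and AP 6
# is absent because AP 4 does not detect it.
NEIGHBOR_TABLE = {"AP4": {"AP1": 50, "AP2": 55, "AP3": 58, "AP5": 56}}

# Constructed per-AP keys standing in for the unique key each AP issues to
# the CCM ([0017]); the values are illustrative only.
AP_KEYS = {"AP1": b"k1", "AP2": b"k2", "AP3": b"k3", "AP5": b"k5", "AP6": b"k6"}

# Assumed threshold amount; the patent leaves the value unspecified.
RSSI_THRESHOLD = 10


def compute_mic(key: bytes, src: str, body: bytes) -> bytes:
    """Keyed one-way hash (HMAC-SHA1) over sender identity and frame body."""
    return hmac.new(key, src.encode() + body, hashlib.sha1).digest()


def build_frame(src: str, body: bytes, key: bytes) -> dict:
    """Constructed management frame; a sender without the real key passes a guess."""
    return {"src": src, "body": body, "mic": compute_mic(key, src, body)}


def validate_frame(sensor: str, frame: dict, observed_rssi: int) -> tuple:
    """Sensor-side check. observed_rssi is the strength at which `sensor`
    received the frame. Returns (verdict, reason): 'ok', 'suspect' or 'rogue'."""
    src = frame["src"]
    neighbors = NEIGHBOR_TABLE.get(sensor, {})
    # 1. FIG. 1B rule: a frame from an AP this sensor should not hear is suspect.
    if src not in neighbors:
        return ("rogue", f"{src} is not a recorded neighbor of {sensor}")
    # 2. MIC check with the claimed sender's key ([0017]); constant-time compare.
    key = AP_KEYS.get(src)
    if key is None or not hmac.compare_digest(
        compute_mic(key, src, frame["body"]), frame["mic"]
    ):
        return ("rogue", f"MIC for {src} does not verify")
    # 3. Signal strength outside the threshold around the recorded value ([0018]).
    delta = abs(observed_rssi - neighbors[src])
    if delta > RSSI_THRESHOLD:
        return ("suspect", f"signal strength differs from recorded value by {delta}")
    return ("ok", "")


if __name__ == "__main__":
    print(validate_frame("AP4", build_frame("AP2", b"beacon", AP_KEYS["AP2"]), 53))
    print(validate_frame("AP4", build_frame("AP6", b"beacon", AP_KEYS["AP6"]), 40))
    print(validate_frame("AP4", build_frame("AP3", b"deauth", b"guess"), 58))
    print(validate_frame("AP4", build_frame("AP5", b"beacon", AP_KEYS["AP5"]), 80))
```

The four sample calls exercise, in order, a valid neighbor frame, a frame from an AP the sensor should not hear, a frame whose MIC was computed with the wrong key, and a valid frame received far from the recorded strength.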