1. Technical Field
The present invention relates to an apparatus and a method for identifying a rogue device, and more particularly, to an apparatus and a method for identifying a rogue device having a forged media access control (MAC) address in a wireless LAN environment.
2. Description of the Related Art
Generally, a media access control (MAC) address is an address owned by a network device in the MAC layer of the network architecture and is usually stored in a ROM of the network card.
A wireless intrusion prevention system (WIPS) is an intrusion prevention system for a wireless LAN environment. Its main functions are detecting an access point (AP) or a user terminal that is not authorized within the management domain and controlling its access, and detecting and blocking security threats in the wireless section, such as DoS. The wireless intrusion prevention system consists of a wireless intrusion prevention sensor, which gathers and analyzes the RF signals of the wireless LAN and performs countermeasures to block an intrusion, and a wireless intrusion prevention server, which manages the overall security of the wireless LAN infrastructure.
The wireless intrusion prevention system uses the device-unique MAC address to identify unauthorized APs and user terminals. Whether a terminal is authorized is determined by managing the MAC addresses of pre-registered APs and terminals in the form of a white list; when a new device is detected, the RF signals of that device (generally beacon and probe response frames) are analyzed to extract its MAC address, which is then checked against the white list.
However, the white list based method cannot detect a terminal (AP or user terminal) whose MAC address has been forged. At present, the following methods for detecting whether a MAC address is forged exist, but their capability is limited.
A first method, for a terminal at a fixed position (for example, an enterprise AP), pre-registers the MAC address of the AP together with the RSSI value (wireless signal strength) of the AP measured at the present position, and then, when another AP forges the MAC of the authorized AP, compares the RSSI values to determine whether the MAC address is forged. This first method cannot detect a terminal with a forged MAC address that is installed at the same position as the authorized AP. Further, the same RSSI value may be measured even when the directions (top, bottom, left, right) differ, so its accuracy is not high.
A second method, in the case of an AP, pre-registers the MAC address and the configuration values of the AP (for example, the security settings in use, such as AES2 encryption) and then compares the configuration values when another AP forges the MAC of the authorized AP. Because the configuration values can be arbitrarily manipulated, and may also be changed on the authorized AP itself, this method does not have high accuracy either.
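The white-list check and the two related-art forgery checks described above, as an added example that is not part of the patent text. The authorized-AP table, the RSSI values and the tolerance are constructed for illustration; the last case shows the false negative the text describes (a forged MAC at the same position with the same settings passes every check).

```python
from dataclasses import dataclass

# Constructed white list of authorized APs: MAC -> expected RSSI (dBm) at the
# sensor position and the security setting advertised in its beacons.
AUTHORIZED_APS = {
    "00:11:22:33:44:55": {"rssi": -45, "security": "WPA2-AES"},
    "66:77:88:99:aa:bb": {"rssi": -70, "security": "WPA2-AES"},
}

# Hypothetical tolerance for normal signal-strength variation.
RSSI_TOLERANCE_DB = 6


@dataclass
class Observation:
    """One beacon or probe-response observation as extracted by a sensor."""
    mac: str
    rssi: int
    security: str


def classify(obs: Observation) -> str:
    """Apply the related-art checks in order: white list, RSSI, settings."""
    entry = AUTHORIZED_APS.get(obs.mac.lower())
    if entry is None:
        return "unauthorized"                  # plain white-list method
    if abs(obs.rssi - entry["rssi"]) > RSSI_TOLERANCE_DB:
        return "suspected-forgery-rssi"        # first related-art method
    if obs.security != entry["security"]:
        return "suspected-forgery-settings"    # second related-art method
    return "authorized"


def demo() -> dict:
    """Constructed observations covering each outcome, including the miss."""
    cases = {
        "unknown_mac": Observation("de:ad:be:ef:00:01", -50, "WPA2-AES"),
        "forged_far_away": Observation("00:11:22:33:44:55", -88, "WPA2-AES"),
        "forged_open_ap": Observation("00:11:22:33:44:55", -44, "OPEN"),
        # Same position, same settings: indistinguishable from the real AP.
        "forged_same_spot": Observation("00:11:22:33:44:55", -46, "WPA2-AES"),
    }
    return {name: classify(obs) for name, obs in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```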
As related art, a method that pre-registers the MAC address of an AP at a fixed position together with its RSSI value (wireless signal strength) at the present position, and then determines whether the MAC address is forged by comparing RSSI values when another AP forges the MAC of the authorized AP, is disclosed in U.S. Patent Application Publication No. 2007-0025313.
The invention of U.S. Patent Application Publication No. 2007-0025313 focused on detecting MAC forgery for an AP at a fixed position and used only the MAC address and RSSI.