A computer can communicate via a local area network (LAN) without being physically connected to the LAN. This is achieved by the computer broadcasting messages to, and receiving messages from, the LAN using radio frequency (RF) energy. Such capability is commonly referred to as wireless fidelity or Wi-Fi.
The Institute of Electrical and Electronics Engineers (IEEE) has developed a family of specifications concerning Wi-Fi LANs (WLANs). IEEE Specification 802.11 concerns WLAN transmission of 1 or 2 Megabits per second (Mbps) in the 2.4 GHz band. IEEE Specification 802.11a concerns WLAN transmission up to 54 Mbps in the 5 GHz band. IEEE Specification 802.11b concerns WLAN transmission of 11 Mbps in the 2.4 GHz band. IEEE Specification 802.11g concerns WLAN transmission of 20 Mbps or more in the 2.4 GHz band.
WLAN's have proliferated around the globe and are used in industry, government, and in the home. WLANs provide mobility and the benefits that derive therefrom. However, there is also risk involved in using a WLAN. Computers connected to WLANs are susceptible to attack as are computers connected to LANs, and are susceptible to attacks that are unique to WLANs (e.g., rogue access points that divert computer traffic). Therefore, there is a need to detect intrusions into wireless computer networks. A wireless intrusion detection system (WIDS) is used to provide protection for a WLAN by providing a more secure operating environment. SNORT is a freely available intrusion detection system that comes in a wireless version.
FIG. 1 is a flowchart of SNORT 1. The inputs to SNORT 1 are the rules file 2 and a master configuration file 3 that contains arguments for preprocessors. The function SnortMain 4 is the heart of SNORT 1. SnortMain 4 calls the function SetPktProcessor 5, which makes a decision about which decoder function should be used to process incoming packets. SnortMain 4 also calls InitPreprocessors 6 to initialize preprocessors and ParseRulesFile 7 to parse the rules file 2. Then, SnortMain 4 calls InterfaceThread 8 to create one thread per interface. The InterfaceThread 8 starts a loop that continuously reads all received packets. The loop is handled by the function ProcessPacket 9. ProcessPacket 9 calls Decode 10 to decode the current packet. Once the packet has been decoded, ProcessPacket 9 calls the Preprocess 11. Preprocess 11 sequentially calls various preprocessors 12, 13. Finally Preprocess 11 calls Detect 14, which applies the rules from the rules file 2 to the current packet. If a rule matches the current packet, an alert may be generated or the packet may be logged, depending on what is specified in the rules file 2. The rules file 2 detects suspicious or irregular behavior that could indicate intrusion, based on the values of certain fields in a single packet header. The preprocessors 12, 13 on the other hand, are used to detect suspicious behavior based on information gained from many packets, or based on information gained from a single packet combined with input from the configuration file 3 and a more sophisticated detection algorithm.
FIG. 2 is a flowchart of Wireless SNORT 21, which is basically SNORT 1 described in FIG. 1 with a new decoder to interpret IEEE Specification 802.11 headers, a new Wi-Fi rules file for signature-based detection, new data structures to store IEEE Specification 802.11 header information, new logging and alerting functions for IEEE Specification 802.11, and new preprocessors to detect intrusions specific to wireless networks. The inputs to wireless SNORT 21 are the rules file 22 and a master configuration file 23 that contains arguments for preprocessors. The function SnortMain 24 is the heart of wireless SNORT 21. SnortMain 24 calls the function SetPktProcessor 25, which makes a decision about which decoder function should be used to process incoming packets. SnortMain 24 also calls InitPreprocessors 26 to initialize preprocessors and ParseRulesFile 27 to parse the rules file 22. Then, SnortMain 24 calls InterfaceThread 28 to create one thread per interface. The InterfaceThread 28 starts a loop that continuously reads all received packets. The loop is handled by the function ProcessPacket 29. ProcessPacket 29 calls Decode 30 to decode the current packet. Once the packet has been decoded, ProcessPacket 29 calls the Preprocess 31: Preprocess 31 sequentially calls various preprocessors 32-36. The new preprocessors include a preprocessor to detect a rogue access point (AP) 32, a reprocessor to detect a client using the program Netstumbler 33, a preprocessor to detects Media Access Control (MAC) address spoofing 34, a preprocessor to detect denial-of-service attacks that use DEAUTH flooding 35, and a preprocessor to detect denial-of-service attacks that use AUTH flooding 36. Preprocessors in SNORT 1 of FIG. 1 that are compatible with wireless SNORT 21 of FIG. 2 may also be included in wireless SNORT 21. Finally Preprocess 31 calls Detect 37, which applies the rules from the rules file 22 to the current packet. If a rule matches the current packet, an alert may be generated or the packet may be logged, depending on what is specified in the rules file 22. The rules file 22 detects suspicious or irregular behavior that could indicate intrusion, based on the values of certain fields in a single packet header. The preprocessors 32-36 on the other hand, are used to detect suspicious behavior based on information gained from many packets, or based on information gained from a single packet combined with input from the configuration file 23 and a more sophisticated detection algorithm.
U.S. Pat. No. 7,042,852, entitled “SYSTEM AND METHOD FOR WIRELESS LAN DYNAMIC CHANNEL CHANGE WITH HONEYPOT TRAP”, discloses an intrusion detection device and method that communicates with an intruder by emulating the identification characteristics of a potentially compromised access point. The present invention does not communicate with an intruder by emulating the identification characteristics of a potentially compromised access point as does U.S. Pat. No. 7,042,852. U.S. Pat. No. 7,042,852 hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 7,058,796, entitled “METHOD AND SYSTEM FOR ACTIVELY DEFENDING A WIRELESS LAN AGAINST ATTACKS”, discloses a method of and device for defending a wireless LAN by transmitting a jamming signal, a signal to introduce CRC errors, or a signal to make it more difficulty to break encryption used by the network. The present invention does not transmit a jamming signal, a signal to introduce CRC errors, or a signal to make it more difficulty to break encryption used by the network as does U.S. Pat. No. 7,058,796. U.S. Pat. No. 7,058,796 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 7,086,089, entitled “SYSTEMS AND METHODS FOR NETWORK SECURITY,” discloses devices and methods of detecting security violations by applying one or more tests to received data, including signature test, protocol test, statistical anomaly test, policy test, and defending the network by jamming, generating CRC errors, transmitting random frames, locking down the network, and changing channels. The present invention does not defend a network by jamming, generating CRC errors, transmitting random frames, locking down the network, and changing channels as does U.S. Pat. No. 7,086,089. U.S. Pat. No. 7,086,089 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 7,089,586, entitled “FIREWALL PROTECTION FOR WIRELESS USERS,” discloses a system for protecting a mobile wireless user via a firewall employed at the wired line, or ISP side, of the wireless link in a wireless network. The present invention does not employ a firewall at the wired line, or ISP side, of the wireless link in a wireless network as does U.S. Pat. No. 7,089,586. U.S. Pat. No. 7,089,586 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20030135762, entitled “WIRELESS NETWORKS SECURITY SYSTEM,” discloses a system for monitoring wireless networks using a directional antenna for locating unauthorized or threatening devices. The present invention does not employ a directional antenna as does U.S. Pat. Appl. No. 20030135762. U.S. Pat. Appl. No. 20030135762 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20030217289, entitled “METHOD AND SYSTEM FOR WIRELESS INTRUSION DETECTION,” discloses a method of and system for monitoring authorized and unauthorized access to wireless network using one or more nodes that communicate via an out of band means that is separate from the network. The present invention does not employ an out of band means that is separate from the network as does U.S. Pat. Appl. No. 20030217289. U.S. Pat. Appl. No. 20030217289 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20030237000, entitled “METHOD, SYSTEM AND PROGRAM PRODUCT FOR DETECTING INTRUSION OF A WIRELESS NETWORK,” discloses a method of and system for detecting intrusion of a wireless network by comparing a received data stream to a valid data stream. If the received data stream deviates from the valid data stream, the data stream is compared to a known intrusion data stream. The present invention includes more methods and devices than U.S. Pat. Appl. No. 20030237000. U.S. Pat. Appl. No. 20030237000 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20040028001, entitled “WIRELESS LOCAL OR METROPOLITAN AREA NETWORK WITH INTRUSION DETECTION FEATURES AND RELATED METHODS,” discloses a method of and system for detecting intrusion of a wireless network that includes a policing station that is separate from the wireless station. The present invention includes more devices and methods than does U.S. Pat. Appl. No. 20040028001. U.S. Pat. Appl. No. 20040028001 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20040107219, entitled “SYSTEM AND METHOD FOR WIRELESS LOCAL AREA NETWORK MONITORING AND INTRUSION DETECTION,” discloses a method of and system for detecting intrusion of a wireless network by profiling wireless devices, determining threat levels posed by wireless devices, and prevents traffic from being received by a wireless device from a wireless device determined to pose too great a threat. The present invention includes more devices and methods than does U.S. Pat. Appl. No. 20040107219. U.S. Pat. Appl. No. 20040107219 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20040162995, entitled “INTRUSION DETECTION SYSTEM FOR WIRELESS NETWORKS,” discloses a method of and system for detecting intrusion of a wireless network using monitoring stations and fusion stations to monitor and correlate attributes of signals, including carrier frequency, spurious emissions, power-on and power-down transients, direct and multipath received signal strength, signal-to-noise ration, direction and angle of arrival, time of arrival, position, range, time dispersion, and Doppler shift and polarization. The present invention does not employ monitoring and fusion stations to receive and correlate signals as does U.S. Pat. Appl. No. 20040162995. U.S. Pat. Appl. No. 20040162995 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20040235453, entitled “ACCESS POINT INCORPORATING A FUNCTION OF MONITORING ILLEGAL WIRELESS COMMUNICATIONS,” discloses a device for detecting the presence of unauthorized wireless communications at an access point by including an additional receiver to receive and monitor all channels to determine if unauthorized wireless communications are present. The present invention does more than does U.S. Pat. Appl. No. 20040235453. U.S. Pat. Appl. No. 20040235453 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20050037733, entitled “METHOD AND SYSTEM FOR WIRELESS INTRUSION DETECTION PREVENTION AND SECURITY MANAGEMENT,” discloses a device for and method of wireless intrusion detection that integrates Open System Interconnection (OSI) Layer 1 (i.e., the physical layer) and a smart wireless RF antenna with an OSI Layer 2 (i.e., a data link layer) wireless security system management platform. The present invention does not integrate OSI Layer 1 and a smart wireless RF antenna with an OSI Layer 2 wireless security system management platform as does U.S. Pat. Appl. No. 20050037733. U.S. Pat. Appl. No. 20050037733 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20050054326, entitled “METHOD AND SYSTEM FOR SECURING AND MONITORING A WIRELESS NETWORK,” discloses a device for and method of securing and monitoring a wireless network by scanning a wireless network, building a profile for each detected node, requiring an administrator to determine if the detected node may access the network or not, detecting unauthorized nodes, and limiting an unauthorized node's access to the network. The present invention does more than does U.S. Pat. Appl. No. 20050054326. U.S. Pat. Appl. No. 20050054326 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. Nos. 20050136891, 20050202800, and 20050213553, entitled “WIRELESS LAN INTRUSION DETECTION BASED ON LOCATION,” “SYSTEM AND METHOD FOR CLIENT-SERVER-BASED WIRELESS INTRUSION DETECTION,” and “METHOD FOR WIRELESS LAN INTRUSION DETECTION BASED ON PROTOCOL ANOMALY ANALYSIS” disclose devices for determining intrusion into a wireless network by locating transmitters using signals transmitted thereby, recording the locations of the transmitters that were assigned by an administrator, subsequently detecting signals from these transmitters, determining the locations of the transmitters using the received signals, comparing the determined locations to the recorded location, and initiating an alarm if a location derived from a signal does not match the corresponding recorded location. The present invention does not determine, record, and compare locations as does U.S. Pat. Appl. Nos. 20050136891, 20050202800, and 20050213553. U.S. Pat. Appl. Nos. 20050136891, 20050202800, and 20050213553 are hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20050144544, entitled “MECHANISM FOR DETECTION OF ATTACK BASED ON IMPERSONATION IN A WIRELESS NETWORK,” discloses a device for determining an attack based on impersonation by receiving a transmission via a secure link and via wireless transmission, comparing the two, and determining that an attack by impersonation is present if the two transmissions are not identical. The present invention does not employ a secure link and compare function as does U.S. Pat. Appl. No. 20050144544. U.S. Pat. Appl. No. 20050144544 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20060085543, entitled “PERSONAL WIRELESS MONITORING AGENT,” discloses a device for monitoring a wireless device by comparing communications against policy guidelines, determining whether a violation has occurred, and informing an authorized user of any violation. The present invention does more than does U.S. Pat. Appl. No. 20060085543. U.S. Pat. Appl. No. 20060085543 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. Nos. 20060002331 and 20060193300, entitled “AUTOMATED SNIFFER APPARATUS AND METHOD FOR WIRELESS LOCAL AREA NETWORK SECURITY” and “METHOD AND APPARATUS FOR MONITORING MULTIPLE NETWORK SEGMENTS IN LOCAL AREA NETWORKS FOR COMPLIANCE WITH WIRELESS SECURITY POLICY”, disclose a device for securing a wireless network by using a plurality of sniffers spatially arranged in a selected geographic region to provide substantial radio coverage over at least a portion of the geographic location. The present invention employs more devices and methods than does U.S. Pat. Appl. Nos. 20060002331 and 20060193300. U.S. Pat. Appl. Nos. 20060002331 and 20060193300 are hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20060193299, entitled “LOCATION-BASED ENHANCEMENTS FOR WIRELESS INTRUSION DETECTION,” discloses a device for wireless intrusion detection by identifying the physical location of each access point, generating a message integrity code for each access point that indicates the location of the access point, determining the signal strength of a received transmission, and determining whether or not the location in message integrity code is consistent with the identity of the corresponding access point and whether or not the signal strength is consistent with the corresponding location. The present invention does not employ a message integrity code and a signal strength measurement as does U.S. Pat. Appl. No. 20060193299. U.S. Pat. Appl. No. 20060193299 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20060197702, entitled “WIRELESS HOST INTRUSION DETECTION SYSTEM,” discloses a device for wireless intrusion detection by identifying a signal from a wireless access point involving a full hand-off procedure or a change in signal such as a change in signal strength or a change in the direction of arrival. Upon the detection of any of these events, an intrusion alert is made. The present invention does not identify a full hand-off procedure or a change in signal as does U.S. Pat. Appl. No. 20060197702. U.S. Pat. Appl. No. 20060197702 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. Appl. No. 20060200862, entitled “METHOD AND APPARATUS FOR LOCATING ROGUE ACCESS POINT SWITCH PORTS IN A WIRELESS NETWORK RELATED PATENT APPLICATIONS,” discloses a device for locating and disabling a rogue access point by detecting the presence of a rogue wireless access point, instructing a special client to associate with the rogue access point and send a discover packet through the rogue access point to a network management device, locating the switch to which the rogue access point is connected, and disabling the switch port. The present invention does not instruct a special client to associate with a rogue access point and send a discover packet through the rogue access point to a network management device, locate the switch to which the rogue access point is connected, and disable the switch port as does U.S. Pat. Appl. No. 20060200862. U.S. Pat. Appl. No. 20060200862 is hereby incorporated by reference into the specification of the present invention.