This disclosure relates to wireless network content filtering systems and methods, and more particularly to systems and methods for analyzing frames transmitted over a wireless network to determine the content based on statistical pattern analysis.
Wireless networks, also known as Wireless Local Area Networks (WLANs), offer a quick and effective extension of a wired network or a standard local area network (LAN). Wireless networks have been able to achieve transmission rates close to traditional wired networks such as 11 Mb/s and 54 Mb/s. As such, users can execute the same applications using wireless networks as can be executed using wired networks.
Wireless networks can include nodes such as wireless access points (APs) and wireless client devices. A wireless AP is a device that connects wireless communications devices together to form a wireless network. The AP can connect to a wired network, and can relay data between wireless devices and wired devices. Wireless client devices can include laptop and desktop computers, and other devices capable of networked communication that are equipped with wireless capability. Nodes can communicate to another node or broadcast on the wireless network.
Wireless networks operated based on standards such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of protocols. Such standards define wireless frames for transmission over the wireless link. Wireless frames are packets which have been encoded for transmission over the wireless network. Frames include delimiters to distinguish the start of a frame, address and control fields in overhead specific to the standard, the payload, and checksums to detect errors. Frames may vary in size depending on the type of payload and the overhead.
Wireless frames can include data frames used for data transmission, control frames used for access, and management frames transmitted similarly to data frames but not forwarded to upper levels. Each wireless frame can have a different length in terms of number of bits included in the frame. The lengths can vary as a function of the frame payload, the hardware configuration, or the network operating environment. For example, a control frame can be 112 bits and a data frame could be up to 18,768 bits.
Wireless frames typically include encryption to prevent monitoring or unauthorized viewing of the transmission. Examples of encryption used include, for example, among others: WEP, TKIP, AES, both static keys as well as rotating encryption techniques such as WPA-TKIP, WPA2-AES (e.g., WPA-Personal, WPA2-Personal, WPA-Enterprise, WPA2-Enterprise). Encryption methods and techniques are described in the IEEE 802.11i and amendments to 802.11i, all of which are hereby incorporated by reference. Encryption prevents a monitoring system from discovering the contents of the frame body.
Applications operating on a node in the wireless network can transmit and receive data in the form of wireless frames on a wireless network. Applications can include web traffic such as HTTP or HTTPS, steaming video or audio, updates of programs such as an antivirus program, file sharing such as peer-to-peer or SMB/NMB Windows file sharing, virtual private networks such as IPSEC or SSL, and UDP-based Internet application including networked games, video streaming tools and audio/video conferencing tools.
Systems and methods exist for monitoring the transmission of frames on wireless networks. For example, various “sniffer” programs exist allowing a user to monitor and capture frames transmitted on a wireless network. Sniffer programs can operate on a computer equipped with a wireless client device. In the case of encrypted frames, sniffer programs can capture the encrypted frame and view the frame size and direction (e.g., source and destination address), but cannot view the encrypted frame body. Additionally, monitoring programs can capture frame arrival statistics between nodes.
Further, monitoring systems have been developed to provide intrusion detection and prevention in wireless networks. A typical wireless intrusion prevention system (WIPS) includes multiple distributed monitoring devices, such as sensors, APs, or software agents, and one or more servers connected to the distributed monitoring devices. WIPS are configured to detect unauthorized devices and attacks on the network, to prevent attacks, and to terminate unauthorized devices.
WIPS distributed monitoring devices are configured to monitor the wireless network and to transmit data, events, and statistics to the servers. The WIPS can determine if a device is authorized or not based on the wireless network policy (e.g., authorized MAC addresses). However, a WIPS system cannot monitor the frame contents of encrypted frames. In the case of an unauthorized device operating on the wireless network with encryption, the WIPS cannot monitor the activity of that device.
Additionally, an authorized device can operate unauthorized applications over the wireless network. For example, an authorized MAC address could be running a peer-to-peer file sharing network, online game, or streaming video, against network policy. A WIPS or monitoring system would not be able to detect these applications if the transmission is encrypted. For unencrypted frames, a monitoring system could determine the frame contents. However, this would involve detailed inspection of the frame contents. These systems and methods use processing ability and would not typically be suited for large scale wireless deployments.
In various examples, this disclosure provides systems and methods for wireless content filtering to determine the content of frames transmitted between two nodes on a network using data link layer statistics such as, for example, frame length and frame direction. Specific applications can exhibit unique frame length and direction patterns during initial handshakes and during streaming of content. These unique patterns can be used to perform statistical pattern matching to monitored frames to determine the content. Wireless content filtering systems and methods can facilitate a content determination without detailed frame inspection and for encrypted frames. Such systems and methods can further be used in wireless security systems to terminate unauthorized applications and in general to determine quality-of-service statistics without detailed frame inspection.
Methods of determining the content of frames transmitted on a wireless network can include: monitoring a plurality of frames transmitted between two nodes on the wireless network; and matching the frame lengths and the direction between the two nodes of the plurality of frames to known statistical patterns.
Methods for characterizing patterns of frame lengths corresponding to an application can include: providing a first hardware configuration comprising two wireless devices; operating the application on one of the wireless devices; monitoring the lengths and directions of frames by the application between the two wireless devices; repeating the providing, operating, and monitoring steps for a second or more hardware configuration; and analyzing the lengths and directions of frames responsive to one or more hardware configurations to determined a statistical frame pattern.
Methods of determining the content of frames by matching to known statistical patterns can include: loading a content analysis engine and a plurality of known statistical patterns; starting a data source, the data source receives incoming frames transmitted between two nodes on a network; checking if a frame matches a first line in the plurality of known statistical patterns; and if a match is found in the checking step, loading a detection thread, the detection thread comprises the steps of receiving subsequent incoming frames transmitted between two nodes on the network and matching the subsequent incoming frames to subsequent lines in the plurality of known statistical patterns until a predetermined frame count is met.
Systems for determining the content of wireless frames transmitted between two nodes on a wireless network can include: a monitoring device operable to monitor and capture frame lengths and frame directions of a plurality of frames transmitted between nodes on the wireless network; a data store loaded with known statistical patterns corresponding to different applications; and a computer operable to receive the frame lengths and frame directions of the plurality of frames and operable to perform statistical matching of the frame lengths and frame directions to the known statistical patterns in the data store.