
WO2007061167A1 - Wireless access point apparatus and a network traffic intrusion detection and prevention method using the same - Google Patents

Wireless access point apparatus and a network traffic intrusion detection and prevention method using the same Download PDF

Info

Publication number
WO2007061167A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
wireless
module
access point
packet
Prior art date
Legal status
Ceased
Application number
PCT/KR2006/002364
Other languages
French (fr)
Inventor
Hyung-Woo Lee
Chang-Won Choi
Current Assignee
Hanshin University Industry & Academia Cooperation Foundation
Original Assignee
Hanshin University Industry & Academia Cooperation Foundation
Application filed by Hanshin University Industry & Academia Cooperation Foundation
Publication of WO2007061167A1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/08 Access point devices

Definitions

  • The present invention generally relates to a wireless access point apparatus and a network traffic intrusion detection and prevention method using the same, and more specifically, to a wireless access point apparatus and a network traffic intrusion detection and prevention method using the same for improving the quality of security service in a wireless network by filtering, detecting, and preventing intrusion upon wirelessly received traffic in the wireless access point apparatus.
  • Background Art
  • Access points developed so far provide transmission or network-supporting functions only for wireless traffic; among access points with additional functions, some products are equipped with packet filtering functions, etc.
  • Wireless media: OFDM and DSSS (including Barker coding and CCK for backward compatibility with 802.11b).
  • Security: 40/64-bit and 128/154-bit WEP encoding; WPA AES 256-bit encoding; dynamic security link 128-bit encoding; 802.1x (RADIUS server authentication method); EAP-MD5, EAP-TLS, EAP-TTLS and PEAP authentication; ESSID broadcast control; local MAC authentication; server access control list; dynamic session key management and TKIP; dynamic VLAN assignment; CC (Client-to-Client) and uplink filtering.
  • Network management: site search tool, wireless infrastructure device manager, wireless LAN discovery tool, 3NS, and SNMP.
  • the purpose of the passive attack is to obtain an access point apparatus MAC, an SSID, channels, a manufacturer, presence of WEP, and installation position information.
  • To do this, there are three kinds of programs: a sniffer program for capturing packets, a stumbler program that sends queries to acquire information, and a passive monitor program capable of collecting all network packets, since it joins no network and transmits no packets.
  • The illegal AP (rogue AP) means an unauthorized AP installed on a wired network for the sake of user convenience, or an AP intentionally positioned by an attacker. It is a considerable threat: the rogue AP lets traffic into the internal wired network without passing through the company's security policy, so the rogue AP must be eliminated. If an ad-hoc network is configured by connecting to the AP without attending to security, owing to the user's carelessness, the situation is more dangerous still, and an unauthorized user can also waste network bandwidth.
  • The purpose of the active attack is mainly focused on attacking itself, such as a DoS (Denial of Service) attack, rather than on collecting information.
  • There are spoofing, DoS, and MITM attacking techniques.
  • The spoofing attack is used to get past authentication by forging the MAC, IP, and frames, and is also used for DoS attacks.
  • For the DoS attack, a 'deauth' flooding method that repeatedly sends forged disassociation/deauthentication frames, and a jamming method that uses noise from equipment operating in similar frequency bands, are included.
  • the disassociation method may be used for rogue AP separation as well.
  • Man-in-the-middle and session hijack attacks are methods of releasing an existing connection so as to redirect it to an AP of the attacker, or of intercepting a session by spoofing the MAC. Also, since a DDoS attack is possible as shown in Fig. 2, technology for coping with it should be provided.
  • An AirMagnet sensor carries out WLAN management and monitoring functions based on an SQL DB. Accordingly, it provides rogue AP detection and tracking functions, and aims to provide stability for wireless networks by coping with DoS attacks.
  • Fig. 3 is a system structure chart of a wireless IPS(refer to an AirDefense system).
  • The AirDefense system consists of a Red Hat Linux server composed of a wireless AP sensor and a Java-based web console system.
  • the AirDefense web console and the AP sensor perform management and prevention functions for traffic through safe wireless communication with the server.
  • A wireless IPS as suggested by the AirDefense system is a policy-based IDS/IPS that establishes management, performance, and safety for networks while providing a security function for WLAN sessions. Furthermore, it is generally developed as open-source software on the basis of the Linux operating system, and research on such an IPS is actively ongoing. So far, code such as snort-wireless and WIDZ has been suggested.
  • The AirDefense system provides only a detection function for attacks, and takes passive measures against external attacks. Therefore, technology that lets the user actively detect and prevent attacks and intrusion is urgently needed.
  • The present invention has been developed to clearly detect and prevent intrusion of wireless network traffic: instead of the prior function of simply checking basic attributes of the attacking traffic, it primarily sends an alert message upon filtering and detecting the corresponding attacking traffic, and secondarily sends a signal that cuts off the connection with the corresponding receiver.
  • FIG. 1 is a conceptual diagram illustrating an attacking type in a general wireless
  • FIG. 2 is a conceptual diagram illustrating a technique of a DDoS attack in a wireless LAN of prior art
  • FIG. 3 is a conceptual diagram roughly illustrating a structure of a wireless IPS
  • FIG. 4 is a rough format diagram of a wireless IDS in accordance with the present invention.
  • FIG. 5 is an external perspective view illustrating a wireless AP(Access Point) apparatus of Fig. 4 and a diagram illustrating an internal PCB(Printed Circuit Board) mounted with components;
  • FIG. 6 is a conceptual diagram roughly illustrating an internal system configuration of a link system firmware equipment used in the present invention
  • FIG. 7 is a format diagram roughly illustrating a system board used in the present invention.
  • FIG. 8 is a conceptual diagram illustrating a network interface of a wireless IPS in accordance with the present invention.
  • FIG. 9 is a rough functional block diagram of a wireless access point apparatus in accordance with the present invention.
  • Fig. 10 is a flow chart illustrating a wireless network intrusion detection and prevention procedure through a wireless access point apparatus in accordance with the present invention.
  • A wireless access point apparatus for transceiving and relaying a wireless signal by wirelessly linking with a user, and for detecting and preventing a wireless network traffic signal from an attacker, comprising: a network module including a network interface card, and consisting of a network monitoring module for accepting and detecting attacking traffic of an attacker, and an alert interface module for controlling transmission of an alert message to the attacker; and an analysis and security module consisting of a packet analysis module for filtering the attacking traffic transmitted from the network monitoring module, and an intrusion detection module for deciding whether a packet filtered by the packet analysis module is a network attacking packet, by linking with a rule DB/signature module, and for transmitting the result to the packet analysis module and the alert interface module.
  • the network module further comprises a channel hopping module that channel-hops 802.11b/g packets, synchronizes other setting information, monitors level-2 wireless traffic, and transmits a probe request, a probe response, and a beacon frame.
  • The network monitoring module operates in a monitoring mode that executes a passive-type sniffing procedure and detects all network packets, collecting the 802.11b/g packets gathered through the channel hopping module; for a hidden AP network that does not transmit an SSID beacon frame, it monitors the SSID during a client's AP access and detects the monitored SSID.
  • the alert interface module transmits a 'deauth' signal that cuts off connection with a network attacking packet sender.
  • The intrusion detection module is composed of a rogue AP detection module for comparing AP information transmitted from the network monitoring module with the AP list registered by a manager in advance, and a spoof/DoS/stumbler/MITM detection module for detecting a MAC spoofing attack by tracking sequence numbers, detecting a 'deauth' flooding DoS attack by checking whether broadcast disassociate/deauthenticate frames are generated, detecting a stumbler's attack by comparing the fingerprints known for each stumbler with packets, and detecting a man-in-the-middle attack by checking whether the channel of an AP has changed.
  • a wireless network intrusion detection and prevention method using a wireless access point apparatus for detecting and preventing wireless network attacking traffic through the wireless access point apparatus comprising the steps of: analyzing and transmitting accepted wireless traffic; filtering the transmitted wireless traffic; deciding whether a filtered packet is a network attacking packet, by linking with a rule DB/signature module; and if the filtered packet is the network attacking packet, transmitting the results to an attacker as an alert message.
  • the above method further comprises the steps of: deciding whether a receiver confirmed the alert message after the step of transmitting the alert message; and if the receiver confirmed the message, abandoning corresponding data.
  • 'deauth' data that cuts off a connection with the receiver is sent while the alert message is transmitted.
  • the present invention is characterized by detecting sniffing, modulating, and manipulating actions for wireless packets and detecting/preventing a DDoS attack such as AirJack in advance.
  • The present invention features the development of an embedded Linux-based wireless AP in which packet filtering and network intrusion detection functions are embedded alongside the wireless AP function, at a time when attacks related to wireless LANs have been growing in recent years.
  • FIG. 4 is a rough format diagram of a wire/wireless integration-type security system using a wireless access point apparatus in accordance with the present invention.
  • The wireless IDS apparatuses (100), i.e., wireless access point apparatuses, hereinafter called 'APs', conduct a monitoring function for traffic transmitted on a wireless network and, in particular, provide packet filtering and prevention functions through monitoring of traffic transmitted through a Wi-Fi apparatus (113) (see Fig. 8).
  • The present invention features a monitoring function for wireless traffic, performed by placing the wireless AP apparatuses (100), functioning as IPS sensors, between the wired and wireless networks.
  • an embedded-type AP integration high-performance IPS that provides packet sniffing and rule-based intrusion detection/prevention functions in accordance with the present invention is equipped with a wireless IDS(W-IDS) apparatus and a wire/wireless integration-type security apparatus(200)(server), as stated later.
  • the wireless IDS apparatus for detection is directly or indirectly connected to the wire/wireless integration-type security apparatus, and analyzes traffic on a wireless network to send traffic information and alert information to the wire/wireless integration-type security apparatus.
  • The wireless AP apparatuses (100) transceive/relay a wireless signal from a user computer, and detect a wireless network attacking packet from an attacker in order to prevent the detected packet.
  • FIG. 5 is an external perspective view illustrating the wireless AP apparatus (100) of Fig. 4 and an internal PCB mounted with components.
  • Fig. 6 is a conceptual diagram roughly illustrating an internal system configuration of a link system firmware equipment used in the present invention.
  • 802.11b/g level-2 frame logs generated by the wireless AP apparatuses (100) are transmitted to the wire/wireless integration-type security apparatus (200), so that the wire/wireless integration-type apparatus can monitor all network traffic related to the wireless network.
  • Fig. 7 is a format diagram roughly illustrating a system board used in the present invention.
  • In the wireless AP-based W-IDS structure, that is, a wireless AP apparatus (100) is mounted with the related software in an embedded scheme, with the following specification.
  • A Linksys WRT54GS is used as the hardware of the apparatus (100).
  • The apparatus (100) is composed of a 200 MHz MIPS CPU, 8 MB flash, 32 MB RAM, 4 LAN ports, 1 WAN port, and a Wi-Fi system.
  • The MIPS system supports both little-endian and big-endian programs, and the OpenWRT firmware uses the little-endian type MIPSEL.
  • Since the apparatus (100) supports 4 LAN ports, 1 WAN port, and an antenna, it can be connected to the outside, and it is also equipped with RAM and flash memory to support embedded programming.
  • filtering modules are compiled in firmware type, and are embedded inside the AP system.
  • FIG. 8 is a conceptual diagram illustrating a network interface of a wireless AP apparatus in accordance with the present invention.
  • OpenWRT porting and the toolchain are configured as follows. If the basic Linksys firmware is installed, the user can install the OpenWRT firmware (Linux 2.4.30) through the web management screen; alternatively, the firmware can be installed via tftp after initializing the NVRAM value. After installation, the device can be accessed at 192.168.1.1 with telnet. To use 'ssh', the user assigns a password to root.
  • a development platform may be constructed by configuring the MIPSEL toolchain in a PC where Linux is installed.
  • FIG. 9 is a rough functional block diagram of a wireless access point apparatus in accordance with the present invention.
  • A wireless access point apparatus (100) largely consists of a network module (110), an analysis and security module (120), and a network interface card (101).
  • The network module (110) comprises a channel hopping module (112), a network monitoring module (114), and an alert interface module (116).
  • The channel hopping module (112) channel-hops 802.11b/g packets and synchronizes other setting information. It also monitors level-2 wireless traffic and, more specifically, transmits a probe request, a probe response, and a beacon frame.
  • The network monitoring module (114) operates in a monitoring mode that executes a passive-type sniffing procedure and detects all network packets, collecting the 802.11b/g packets gathered through the channel hopping module. Also, for a hidden AP network that does not transmit an SSID beacon frame, it monitors the SSID during a client's AP access and detects the monitored SSID. The collected packets are then transmitted to the security module (120). Moreover, it periodically checks for changes of the wireless-related settings of the wire/wireless integration-type apparatus in order to synchronize with it.
  • The network monitoring module (114) collects all the network packets in the AP apparatuses.
  • The alert interface module (116) is a sort of action module that transmits a message to the wire/wireless integration-type apparatus (200), logs the wireless network monitoring procedure, and logs alerts. In addition, it can produce an alert for a wireless network attack.
  • The analysis and security module (120) comprises a packet analysis module (122), an intrusion detection module (124), and a rule DB/signature module (126).
  • The packet analysis module (122) is a sort of wireless traffic filtering module, capturing network packets transmitted from the network monitoring module (114) while detecting attacking traffic.
  • The intrusion detection module (124), a kind of decision module, is composed of an illegal AP (rogue AP) detection module (124-1) and a spoof/DoS/stumbler/MITM detection module (124-2).
  • The illegal AP (rogue AP) detection module (124-1) compares AP information transmitted from the network monitoring module (114) with the AP list registered by a manager in advance. The compared information is MAC/SSID/vendor/media type (802.11b/a/g)/channel. If an AP is detected as unauthorized, an alert log is transmitted to the wire/wireless integration-type apparatus (200).
  • The spoof/DoS/stumbler/MITM detection module (124-2) detects a MAC spoofing attack by tracking sequence numbers, and detects a 'deauth' flooding DoS attack by checking whether broadcast disassociate/deauthenticate frames are generated.
  • To detect a stumbler's attack, the fingerprints known for each stumbler are compared with packets. In the case of the representative NetStumbler 3.2.3, the character string "All your 802.11b belong to us" is included in its queries.
  • Detection of a man-in-the-middle attack is conducted by checking whether the channel of an AP has changed. Such alert logs are transmitted to the wire/wireless integration-type apparatus.
  • the rule DB/signature module(126) operates by linking with the intrusion detection module(124), and can search a signature and rules.
  • the reference numeral 101 shows the network interface card, being a transceiving path of various wireless packets.
  • FIG. 10 is a flow chart illustrating a wireless network intrusion detection and prevention procedure through a wireless access point apparatus in accordance with the present invention.
  • Wireless traffic is accepted through the channel hopping module (112) and the network monitoring module (114) of the network module (110) of a wireless access point apparatus (100) (ST-2).
  • The accepted wireless traffic is analyzed in the network monitoring module (114) and transmitted to the packet analysis module (122) (ST-4).
  • The transmitted wireless traffic is filtered in the packet analysis module (122) and transmitted to the intrusion detection module (124) (ST-6).
  • The intrusion detection module (124) decides whether a filtered packet is a network attacking packet, by linking with the rule DB/signature module (126) (ST-8). If the packet is not a network attacking packet as a result of step 'ST-8', the result is reported to the packet analysis module (122) and the alert interface module (116), and the corresponding data is bypassed.
  • If the filtered packet is a network attacking packet as a result of step 'ST-8', the result is reported to the packet analysis module (122) and the alert interface module (116).
  • The alert interface module (116) transmits an alert message to the network monitoring module (114), so that the alert message can be sent to a receiver (ST-10).
  • The network monitoring module (114) decides whether the receiver of the alert message (or alert message + data) confirmed the alert message (ST-12). If the receiver confirmed the message as a result of step 'ST-12', the corresponding data is abandoned (ST-14).
  • Meanwhile, though not illustrated in the drawing, if the filtered packet of step 'ST-8' is a network attacking packet, 'deauth' data that cuts off the connection with the receiver can be transmitted instead of the alert message of step 'ST-10'.
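The decision logic of the intrusion detection module (124) described above, i.e. the rogue AP detection module (124-1) and the spoof/DoS/stumbler/MITM detection module (124-2), as an added Python example; this is not the patent's firmware code. Frames are constructed dictionaries carrying the header fields the text names (MAC, SSID, vendor, media type, channel, sequence number), and the authorised-AP list, the stumbler fingerprint table, the sequence-gap and deauth-flood thresholds and the one-second window are assumptions made for the example.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SEQ_MODULUS = 4096            # 802.11 sequence numbers are 12-bit counters

# Constructed authorised-AP list (the list the manager registers for the rogue AP module); assumption.
AUTHORISED_APS = {
    "00:11:22:33:44:55": {"ssid": "corp-wlan", "vendor": "Linksys", "media": "802.11g", "channel": 6},
}
# Stumbler fingerprints: the NetStumbler 3.2.3 probe string named in the text.
STUMBLER_FINGERPRINTS = {"netstumbler 3.2.3": b"All your 802.11b belong to us"}

SEQ_JUMP_THRESHOLD = 50       # assumed tolerated sequence-number gap per sender MAC
DEAUTH_FLOOD_THRESHOLD = 10   # assumed broadcast deauth/disassoc frames per window
DEAUTH_WINDOW_SECONDS = 1.0   # assumed sliding-window length


class IntrusionDetector:
    """Decision logic of module 124: rogue AP, MAC spoof, deauth flood, stumbler and MITM checks."""

    def __init__(self):
        self.last_seq = {}                      # sender MAC -> last sequence number seen
        self.ap_channel = {}                    # BSSID -> channel the AP was last seen on
        self.deauth_times = defaultdict(deque)  # BSSID -> timestamps of recent broadcast deauth/disassoc

    def check_rogue_ap(self, beacon):
        """Module 124-1: compare MAC/SSID/vendor/media type/channel with the authorised list."""
        expected = AUTHORISED_APS.get(beacon["bssid"])
        if expected is None:
            return f"rogue AP: unknown BSSID {beacon['bssid']} (SSID {beacon['ssid']!r})"
        mismatches = [k for k in expected if beacon.get(k) != expected[k]]
        if mismatches:
            return f"rogue AP: {beacon['bssid']} differs from authorised entry in {mismatches}"
        return None

    def check_spoof(self, frame):
        """MAC spoofing: a second radio using the same MAC breaks that sender's sequence-number continuity."""
        src, seq = frame["src"], frame["seq"]
        last = self.last_seq.get(src)
        self.last_seq[src] = seq
        if last is None:
            return None
        gap = (seq - last) % SEQ_MODULUS        # a backwards jump wraps to a large gap and is flagged too
        if gap > SEQ_JUMP_THRESHOLD:
            return f"MAC spoofing suspected: {src} sequence jumped {last} -> {seq}"
        return None

    def check_deauth_flood(self, frame):
        """'deauth' flooding DoS: many broadcast disassociate/deauthenticate frames inside a short window."""
        if frame["type"] not in ("deauth", "disassoc") or frame["dst"] != BROADCAST:
            return None
        times = self.deauth_times[frame["bssid"]]
        times.append(frame["ts"])
        while frame["ts"] - times[0] > DEAUTH_WINDOW_SECONDS:
            times.popleft()
        if len(times) >= DEAUTH_FLOOD_THRESHOLD:
            return f"deauth flood: {len(times)} broadcast {frame['type']} frames for {frame['bssid']}"
        return None

    def check_stumbler(self, frame):
        """Stumbler detection: match the fingerprint known for each tool against probe-request contents."""
        if frame["type"] != "probe_req":
            return None
        for tool, fingerprint in STUMBLER_FINGERPRINTS.items():
            if fingerprint in frame.get("payload", b""):
                return f"stumbler: {tool} fingerprint from {frame['src']}"
        return None

    def check_mitm(self, beacon):
        """Man-in-the-middle: an AP already being tracked announces itself on a different channel."""
        previous = self.ap_channel.get(beacon["bssid"])
        self.ap_channel[beacon["bssid"]] = beacon["channel"]
        if previous is not None and previous != beacon["channel"]:
            return f"MITM suspected: {beacon['bssid']} moved from channel {previous} to {beacon['channel']}"
        return None

    def inspect(self, frame):
        """Run every detector that applies; the returned list of alert strings is empty for a benign frame."""
        alerts = [self.check_spoof(frame), self.check_deauth_flood(frame), self.check_stumbler(frame)]
        if frame["type"] == "beacon":
            alerts += [self.check_rogue_ap(frame), self.check_mitm(frame)]
        return [a for a in alerts if a]


def run_demo():
    """Constructed capture: two good beacons, a rogue AP, a stumbler probe, a sequence jump, a channel change, a flood."""
    det = IntrusionDetector()
    legit = {"type": "beacon", "src": "00:11:22:33:44:55", "bssid": "00:11:22:33:44:55", "dst": BROADCAST,
             "seq": 100, "ts": 0.0, "ssid": "corp-wlan", "vendor": "Linksys", "media": "802.11g", "channel": 6}
    frames = [
        legit,
        dict(legit, seq=101, ts=0.1),
        dict(legit, src="66:77:88:99:aa:bb", bssid="66:77:88:99:aa:bb", ssid="free-wifi", vendor="Unknown", seq=1, ts=0.2),
        {"type": "probe_req", "src": "de:ad:be:ef:00:01", "bssid": BROADCAST, "dst": BROADCAST, "seq": 5, "ts": 0.3,
         "payload": b"\x00\x00All your 802.11b belong to us"},
        dict(legit, seq=900, ts=0.4),                 # sequence jump: another radio is using the AP's MAC
        dict(legit, seq=901, ts=0.5, channel=11),     # the "AP" now appears on a different channel
    ]
    # ten broadcast deauth frames carrying the AP's address within 0.1 s
    frames += [{"type": "deauth", "src": legit["src"], "bssid": legit["bssid"], "dst": BROADCAST,
                "seq": 902 + i, "ts": 0.6 + i * 0.01} for i in range(DEAUTH_FLOOD_THRESHOLD)]
    alerts = []
    for frame in frames:
        alerts += det.inspect(frame)
    return alerts
```

run_demo() walks one frame sequence through all five detectors and returns six alerts. A channel change on an authorised BSSID trips both the rogue-AP comparison (the channel no longer matches the manager's entry) and the MITM check; that overlap is intended, since the text keys MITM detection on a changed AP channel. All checks use only 802.11 header fields and the probe body, so they work whether or not the data frames are encrypted.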
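The Fig. 10 procedure (ST-2 to ST-14, including the 'deauth' variant in the last entry above, and the method steps in the claim-style entries earlier in this list) as an added Python example, not the patent's code. The analysis step parses a constructed 24-byte 802.11 MAC header (the standard frame-control, address and sequence-control layout), a two-entry signature list stands in for the rule DB/signature module (126), the receiver's confirmation (ST-12) is modelled as a callback, and each frame's disposition is returned; the signature set, the filter rule and the frame-building helper are assumptions for the example.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
# (frame type, subtype) -> name, per the 802.11 frame-control field
SUBTYPES = {(0, 4): "probe_req", (0, 8): "beacon", (0, 10): "disassoc", (0, 12): "deauth", (2, 0): "data"}

# Rule DB / signature module (126): constructed signatures for this example, not the patent's rule set.
SIGNATURES = [
    ("broadcast disassoc/deauth", lambda f: f["type"] in ("deauth", "disassoc") and f["dst"] == BROADCAST),
    ("NetStumbler probe string", lambda f: f["type"] == "probe_req" and b"All your 802.11b belong to us" in f["body"]),
]


def _mac(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def build_frame(ftype, subtype, dst, src, bssid, seq, body=b""):
    """Constructed input helper (not in the patent): encode a minimal 24-byte 802.11 MAC header plus body."""
    def as_bytes(mac):
        return bytes(int(x, 16) for x in mac.split(":"))
    fc = (ftype << 2) | (subtype << 4)
    return struct.pack("<HH6s6s6sH", fc, 0, as_bytes(dst), as_bytes(src), as_bytes(bssid), seq << 4) + body


def analyse_frame(raw):
    """ST-4, network monitoring module (114): parse the header into the fields the later modules use."""
    if len(raw) < 24:
        return None
    fc, _duration, a1, a2, a3, seq_ctrl = struct.unpack("<HH6s6s6sH", raw[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return {"type": SUBTYPES.get((ftype, subtype), "other"), "dst": _mac(a1), "src": _mac(a2),
            "bssid": _mac(a3), "seq": seq_ctrl >> 4, "body": raw[24:]}


def filter_packet(frame):
    """ST-6, packet analysis module (122): assumed filter rule, only frame types the rule DB knows are inspected."""
    return frame if frame is not None and frame["type"] != "other" else None


def decide(frame):
    """ST-8, intrusion detection module (124) linking with the rule DB (126): matching signature name or None."""
    for name, matches in SIGNATURES:
        if matches(frame):
            return name
    return None


def process(raw, receiver_confirms, cut_connection=False):
    """Run one accepted frame (ST-2) through the whole Fig. 10 procedure and return its disposition.

    receiver_confirms(signature) models ST-12: it returns True when the receiver confirmed the alert.
    cut_connection selects the variant where 'deauth' data is sent instead of the alert message.
    """
    frame = filter_packet(analyse_frame(raw))
    if frame is None:
        return {"action": "filtered"}
    signature = decide(frame)
    if signature is None:                       # not an attacking packet: the data is bypassed
        return {"type": frame["type"], "action": "bypass"}
    if cut_connection:                          # alternative to ST-10: cut the connection with the sender
        return {"type": frame["type"], "signature": signature, "action": "deauth", "peer": frame["src"]}
    confirmed = receiver_confirms(signature)    # ST-10 alert sent, ST-12 confirmation awaited
    return {"type": frame["type"], "signature": signature, "action": "alert",
            "confirmed": confirmed, "data_abandoned": confirmed}   # ST-14 only after confirmation


def run_demo():
    """Constructed capture: a beacon, a forged broadcast deauth, a NetStumbler probe and a data frame."""
    ap, client, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    beacon = build_frame(0, 8, BROADCAST, ap, ap, 100, b"\x00\x09corp-wlan")
    deauth = build_frame(0, 12, BROADCAST, ap, ap, 7, b"\x07\x00")      # broadcast deauth carrying the AP's address
    probe = build_frame(0, 4, BROADCAST, attacker, BROADCAST, 1, b"\x00\x00All your 802.11b belong to us")
    data = build_frame(2, 0, ap, client, ap, 42, b"payload")
    def always_confirm(signature):
        return True
    return [process(beacon, always_confirm), process(deauth, always_confirm),
            process(probe, lambda s: False), process(data, always_confirm),
            process(deauth, always_confirm, cut_connection=True)]
```

The five dispositions returned by run_demo() show the three outcomes the procedure allows: bypass for the beacon and data frame, alert followed by abandoning the data once the receiver confirms (and keeping it when the receiver does not), and the connection-cutting variant for the same deauth frame.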

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention generally relates to a wireless access point apparatus and a network traffic intrusion detection and prevention method using the same for improving the quality of security service in a wireless network by filtering, detecting, and preventing intrusion upon wirelessly received traffic in the wireless access point apparatus, thereby clearly detecting and preventing intrusion of wireless network traffic by primarily sending an alert message upon filtering and detecting the corresponding attacking traffic and secondarily sending a signal that cuts off the connection with the corresponding receiver.

Description

WIRELESS ACCESS POINT APPARATUS AND A NETWORK
TRAFFIC INTRUSION DETECTION AND PREVENTION
METHOD USING THE SAME
Technical Field
[1] The present invention generally relates to a wireless access point apparatus and a network traffic intrusion detection and prevention method using the same, and more specifically, to a wireless access point apparatus and a network traffic intrusion detection and prevention method using the same for improving the quality of security service in a wireless network by filtering, detecting, and preventing intrusion upon wirelessly received traffic in the wireless access point apparatus.
Background Art
[2] In general, equipment called an AP (Access Point) is installed for wireless Internet communication. However, access points developed so far provide transmission or network-supporting functions only for wireless traffic; among access points with additional functions, some products are equipped with packet filtering functions, etc.
[3] The specification of a 3Com access point, among the prior access point apparatuses developed so far, is as follows:
[4] * For user support: up to 253 users can be simultaneously accessible.
[5] * Standard: Wi-Fi authentication, IEEE 802.11g, IEEE 802.11a (using the upgrade kits).
[6] * Data rate: 54, 48, 36, 24, 18, 11, 9, 5.5, 2, 1 Mbps.
[7] * Frequency band: 2.4 GHz
[8] * Wireless media: OFDM and DSSS (including Barker coding and CCK for backward compatibility with 802.11b).
[9] * Medium access protocol: CSMA/CA; operating channels: 1-11 (US and Canada), 1-13 (worldwide; usable channel ranges are determined by local legislation).
[10] * Working range: 100 meters to the maximum(328 ft.), transceiving.
[11] * Transmission power setting: 17 dBm (determined by bit rate).
[12] * Power consumption: average 7.1 W, 8.4 W maximum.
[13] * Receive sensitivity: 1 Mbps: -96 dBm.
[14] * 2 Mbps: -94 dBm.
[15] * 5.5 Mbps: -92 dBm.
[16] * 11 Mbps: -88 dBm.
[17] * 12 Mbps: -86 dBm.
[18] * 24 Mbps: -85 dBm.
[19] * 36 Mbps: -80 dBm.
[20] * 54 Mbps: -73 dBm.
[21] * Security: 40/64-bit and 128/154-bit WEP encoding; WPA AES 256-bit encoding; dynamic security link 128-bit encoding; 802.1x (RADIUS server authentication method); EAP-MD5, EAP-TLS, EAP-TTLS and PEAP authentication; ESSID broadcast control; local MAC authentication; server access control list; dynamic session key management and TKIP; dynamic VLAN assignment; CC (Client-to-Client) and uplink filtering.
[22] * Performance: clear channel select, automatic network connection, dynamic rate shifting.
[23] * Network management: site search tool, wireless infrastructure device manager, wireless LAN discovery tool, 3NS, and SNMP.
[24] That is, the prior access point apparatuses are mounted with the following security modules only, in order to ensure stability for packets.
[25] * Security: 40/64-bit and 128/154-bit WEP encoding; WPA AES 256-bit encoding; dynamic security link 128-bit encoding; 802.1x (RADIUS server authentication method); EAP-MD5, EAP-TLS, EAP-TTLS and PEAP authentication; ESSID broadcast control; local MAC authentication; server access control list; dynamic session key management and TKIP; dynamic VLAN assignment; CC (Client-to-Client) and uplink filtering.
[26] But there may be various attacks on the prior access point apparatuses, and no equipment that includes functions for coping with those attacks has been developed yet.
[27] From now on, attacking methods on access points which are open to the public up to now will be described below.
[28] Summary of Network attacking Technology
[29] * Wireless network attacks
[30] Cyber-attacking methods used by malicious users are becoming more varied, and as automated and intelligent hacking tools are openly distributed owing to the development of hacking techniques, the frequency of domestic and international hacking incidents is rapidly increasing. In particular, the vulnerability of networks is continuously increasing, and while DDoS (Distributed Denial of Service) attacks, which can paralyze network service through fatal attacks such as worm viruses, grow rapidly, wireless LAN attacks on wireless networks can be classified into passive, active, and rogue AP attacks as shown in Fig. 1.
[31] A. Passive attack
[32] The purpose of the passive attack is to obtain the MAC of an access point apparatus, an SSID, channels, the manufacturer, the presence of WEP, and installation position information. To do this, there are three kinds of programs: a sniffer program for capturing packets, a stumbler program that sends queries to acquire information, and a passive monitor program capable of collecting all network packets, since it joins no network and transmits no packets.
[33] Representative sniffer programs are AiroPeek, Ethereal, and tcpdump; NetStumbler is a stumbler program; and Kismet is used as a passive monitor program.
[34] B. Illegal AP(Rogue AP) attack
[35] An illegal AP (rogue AP) is an unauthorized AP installed on the wired network for the user's convenience, or an AP intentionally placed by an attacker. It is a considerable threat because the illegal AP allows intrusion into the internal wired network without passing through the company's security policy, so the rogue AP must be eliminated. If an ad-hoc network is configured by connecting to the AP without attending to security matters, owing to the user's carelessness, the situation becomes even more dangerous, and an unauthorized user can also waste network bandwidth.
[36] C. Active Attack
[37] The purpose of the active attack is mainly an attack such as a DoS (Denial of Service) attack rather than information collection. Spoofing, DoS, and MITM attack techniques exist. In detail, the spoofing attack forges the MAC address, IP address, and frames to pass through authentication, and is also used for DoS attacks. DoS attacks include a 'deauth' flooding method that repeatedly sends forged disassociation/deauthentication frames, and a jamming method that uses noise from equipment operating in a similar frequency band. The disassociation method may also be used to separate a rogue AP from the network. Man-in-the-middle and session hijack attacks release an existing connection in order to redirect it to an AP of the attacker, or intercept a session by spoofing the MAC address. Since a DDoS attack is also possible, as shown in Fig. 2, technology for coping with this attack should be provided.
[38] Thus, technology and modules for coping with the various attacks described above are highly required.
[39] At present, the results of research conducted to offer wireless IDS/IPS functions are shown in AirMagnet (Borque, Lyne, "Wi-Fi Security Review; AirMagnet", http://www.enterpriseitplanet.com/security, 2004), AirDefense (http://www.airdefense.com), etc.
[40] An AirMagnet sensor carries out WLAN management and monitoring functions based on an SQL DB. On this basis, it offers rogue AP detection and tracking functions, and aims to obtain stability for wireless networks by coping with DoS attacks.
[41] Fig. 3 is a system structure chart of a wireless IPS (referring to an AirDefense system).
[42] Referring to Fig. 3, the AirDefense system consists of a Red Hat Linux server combined with a wireless AP sensor and a Java-based web console system. The AirDefense web console and the AP sensor perform management and prevention functions for traffic through secure wireless communication with the server.
[43] A wireless IPS as suggested by the AirDefense system is a policy-based IDS/IPS that establishes management, performance, and safety for networks while providing a security function for WLAN sessions. Furthermore, such systems are generally developed as open software on the basis of the Linux operating system, and research on the IPS is actively ongoing; code such as snort-wireless and WIDZ has been suggested.
[44] However, according to the above structure, the AirDefense system provides only a detection function for attacks, and takes passive measures against external attacks. Therefore, technology that allows the user to actively detect and prevent attacks and intrusion is urgently needed.
Disclosure of Invention
Technical Problem
[45] It is therefore an object of the present invention to provide a wireless access point apparatus capable of detecting and preventing attacks from the exterior.
[46] It is another object of the present invention to provide a wireless access point apparatus for improving the quality of security service in a wireless network by adding a module that offers decision functions for abnormal traffic of the access point apparatus.
[47] Furthermore, it is another object of the present invention to provide a method of detecting abnormal traffic by using a wireless access point apparatus, so as to detect the case where a network attack such as a DDoS attack is made on the access point apparatus.
[48] Still, it is another object of the present invention to provide a method of preventing an attack of detected abnormal traffic by using a wireless access point apparatus.
[49] Moreover, it is another object of the present invention to provide a method of cutting off the traffic connection with a network where an attack/intrusion is detected, by using a wireless access point apparatus.
[50] Additionally, it is another object of the present invention to provide a method of cutting off a connection with an attacker's system by making the access point apparatus transmit De-Auth flooding packets to the corresponding host.
Advantageous Effects
[51] As mentioned above, according to a wireless access point apparatus and a wireless network traffic intrusion detection and prevention method using the same in accordance with the present invention, intrusion by wireless network traffic is clearly detected and prevented: the corresponding attacking traffic is filtered and detected and an alert message is sent first, and a signal that cuts off the connection with the corresponding receiver is sent second, which goes beyond the prior function of simply checking basic matters of the attacking traffic.
Brief Description of the Drawings
[52] The accompanying drawings illustrate the invention. In such drawings:
[53] Fig. 1 is a conceptual diagram illustrating an attacking type in a general wireless LAN;
[54] Fig. 2 is a conceptual diagram illustrating a technique of a DDoS attack in a wireless LAN of prior art;
[55] Fig. 3 is a conceptual diagram roughly illustrating a structure of a wireless IPS;
[56] Fig. 4 is a rough format diagram of a wireless IDS in accordance with the present invention;
[57] Fig. 5 is an external perspective view illustrating a wireless AP(Access Point) apparatus of Fig. 4 and a diagram illustrating an internal PCB(Printed Circuit Board) mounted with components;
[58] Fig. 6 is a conceptual diagram roughly illustrating an internal system configuration of a link system firmware equipment used in the present invention;
[59] Fig. 7 is a format diagram roughly illustrating a system board used in the present invention;
[60] Fig. 8 is a conceptual diagram illustrating a network interface of a wireless IPS in accordance with the present invention;
[61] Fig. 9 is a rough functional block diagram of a wireless access point apparatus in accordance with the present invention; and
[62] Fig. 10 is a flow chart illustrating a wireless network intrusion detection and prevention procedure through a wireless access point apparatus in accordance with the present invention.
Mode for the Invention
[63] According to the preferred embodiment of the present invention to accomplish the above object, a wireless access point apparatus for transceiving and relaying a wireless signal by wirelessly linking with a user and for detecting and preventing a wireless network traffic signal from an attacker, comprising: a network module including a network interface card, and consisting of a network monitoring module for accepting and detecting attacking traffic of an attacker, and an alert interface module for controlling that an alert message can be transmitted to the attacker; and an analysis and security module consisting of a packet analysis module for filtering the attacking traffic transmitted from the network monitoring module, and an intrusion detection module for deciding whether a packet filtered from the packet analysis module is a network attacking packet, by linking with a rule DB/signature module, and for transmitting the results to the packet analysis module and the alert interface module.
[64] Desirably, the network module further comprises a channel hopping module that channel-hops 802.11b/g packets, synchronizes other setting information, monitors level-2 wireless traffic, and transmits a probe request, a probe response, and a beacon frame.
[65] Also desirably, the network monitoring module is a monitoring mode that executes a passive-type sniffing procedure and detects all network packets, collecting the 802.11b/g packets gathered through the channel hopping module; for a hidden AP network that does not transmit an SSID beacon frame, it monitors the SSID during a client's access to the AP and detects the monitored SSID.
[66] More desirably, the alert interface module transmits a 'deauth' signal that cuts off the connection with the sender of a network attacking packet.
[67] Furthermore, desirably, the intrusion detection module is composed of a rogue AP detection module that compares AP information transmitted from the network monitoring module with an approved AP list entered by a manager in advance, and a spoof/DoS/stumbler/MITM detection module that detects a MAC spoofing attack by tracking the sequence number, detects a 'deauth' flooding DoS attack by confirming whether broadcast disassociate/deauthenticate frames are generated, detects a stumbler's attack by comparing the fingerprints known for each stumbler with the packets, and detects a man-in-the-middle attack by confirming whether the channel of an AP has changed.
[68] According to another aspect of the present invention, a wireless network intrusion detection and prevention method using a wireless access point apparatus, for detecting and preventing wireless network attacking traffic through the wireless access point apparatus, comprises the steps of: analyzing and transmitting accepted wireless traffic; filtering the transmitted wireless traffic; deciding whether a filtered packet is a network attacking packet, by linking with a rule DB/signature module; and if the filtered packet is the network attacking packet, transmitting the results to the attacker as an alert message.
[69] Also desirably, the above method further comprises the steps of: deciding whether a receiver confirmed the alert message after the step of transmitting the alert message; and if the receiver confirmed the message, abandoning the corresponding data.
[70] Also desirably, in case the filtered packet is the network attacking packet, 'deauth' data that cuts off the connection with the receiver is sent while the alert message is transmitted.
[71] With regard to the prior 802.1x-based WLAN, which is vulnerable to easy attack, the present invention is characterized by detecting sniffing, forging, and manipulation of wireless packets and by detecting/preventing a DDoS attack such as AirJack in advance.
[72] Namely, even though wireless methods have been introduced into most prior network environments, an AP (Access Point) cannot detect hacking attacks with the prior method. In contrast, the present invention is characterized by developing an embedded Linux-based wireless AP that embeds packet filtering and network intrusion detection functions into the wireless AP function, at a moment when attacks related to wireless LANs have been growing in recent years.
[73] Hereinafter, a wireless access point apparatus and an attack/intrusion detection and prevention method of a wireless network system using the same in accordance with the present invention will be described in detail with reference to the accompanying drawings.
[74] Fig. 4 is a rough format diagram of a wire/wireless integration-type security system using a wireless access point apparatus in accordance with the present invention.
[75] In a wire/wireless integration-type security system(1000) in accordance with the present invention, wireless IDS apparatuses(100) (wireless access point apparatuses, hereinafter called 'APs') perform a monitoring function for traffic transmitted on a wireless network, and in particular provide packet filtering and prevention functions through monitoring of traffic transmitted through a Wi-Fi apparatus(113) (see Fig. 8).
[76] Referring to Fig. 4, the present invention is characterized by performing a monitoring function for wireless traffic by placing the wireless AP apparatuses(100), functioning as IPS sensors, between the wired and wireless networks.
[77] That is to say, an embedded-type AP-integrated high-performance IPS that provides packet sniffing and rule-based intrusion detection/prevention functions in accordance with the present invention is equipped with a wireless IDS (W-IDS) apparatus and a wire/wireless integration-type security apparatus(200) (server), as described later.
[78] The wireless IDS apparatus for detection is directly or indirectly connected to the wire/wireless integration-type security apparatus, and analyzes traffic on the wireless network to send traffic information and alert information to the wire/wireless integration-type security apparatus.
[79] The wireless AP apparatuses(100) transceive/relay a wireless signal from a user computer, and detect a wireless network attacking packet from an attacker in order to prevent the detected packet.
[80] Through the above system, it is possible to detect and prevent an attacking packet in an integrated manner, regardless of whether it arrives over the wired or the wireless network.
[81] Since a wireless LAN attacking frame can be detected only in a wireless AP, the present invention adds functions to equipment from a manufacturer whose firmware is open to the public. If products are to be mass-produced, it is essential to select an embedded board appropriate for AP development.
[82] Fig. 5 is an external perspective view illustrating the wireless AP apparatus(100) of Fig. 4 and an internal PCB mounted with components. Fig. 6 is a conceptual diagram roughly illustrating an internal system configuration of a link system firmware equipment used in the present invention.
[83] Practically, according to the present invention, porting is conducted for OpenWRT, which includes only the minimum functions among the various firmware packages that are open to the public, and an intrusion detection function is added. In the case of attacks unrelated to the wireless network, the wire/wireless integration-type apparatus(200) detects and prevents the attacks even though the apparatus(200) is connected to the wireless APs.
[84] According to the present invention, 802.11b/g level-2 frame logs generated by the wireless AP apparatuses(100) are transmitted to the wire/wireless integration-type security apparatus(200), so that the wire/wireless integration-type apparatus can monitor all network traffic related to the wireless network.
[85] Fig. 7 is a format diagram roughly illustrating a system board used in the present invention. Referring to Fig. 7, a wireless AP-based W-IDS structure, that is, a wireless AP apparatus(100), is mounted with the related software in an embedded scheme, with the following substantial specification.
[86] A Linksys WRT54GS is used as the hardware of the apparatus(100). The apparatus(100) is composed of a 200 MHz MIPS CPU, 8 MB flash, 32 MB RAM, 4 LAN ports, 1 WAN port, and a WiFi system. The MIPS system supports both little-endian and big-endian programs, and the OpenWRT firmware uses the little-endian type, MIPSEL.
[87] Since the apparatus(100) supports 4 LAN ports, 1 WAN port, and an antenna, it can be connected to the outside, and it is also equipped with RAM and flash memory that support embedded programming. In the present invention, the filtering modules are compiled as firmware and embedded inside the AP system.
[88] Fig. 8 is a conceptual diagram illustrating a network interface of a wireless AP apparatus in accordance with the present invention.
[89] In other words, it shows the association among a controller(140), a WiFi antenna(130), and a switch(150). By applying snort-type packet filtering and sniffing modules to the present system, a controlling function for wireless traffic can be provided.
[90] When using the wireless AP apparatus(100), the OpenWRT port and toolchain are configured as follows with regard to software. If the basic Linksys firmware is installed, the user can install the OpenWRT firmware (Linux 2.4.30) through the web management screen, or the firmware can be installed via TFTP after initializing the NVRAM value. After the installation is finished, the apparatus can be accessed at 192.168.1.1 with telnet; to use 'ssh', the user sets a root password. A development platform may be constructed by configuring the MIPSEL toolchain on a PC where Linux is installed.
[91] Fig. 9 is a rough functional block diagram of a wireless access point apparatus in accordance with the present invention.
[92] Referring to Fig. 9, a wireless access point apparatus(100) largely consists of a network module(110), an analysis and security module(120), and a network interface card(101).
[93] The network module(110) comprises a channel hopping module(112), a network monitoring module(114), and an alert interface module(116).
[94] The channel hopping module(112) channel-hops 802.11b/g packets and synchronizes other setting information. It also monitors level-2 wireless traffic and, more specifically, transmits a probe request, a probe response, and a beacon frame.
[95] The network monitoring module(114) is a monitoring mode that executes a passive-type sniffing procedure and detects all network packets, collecting the 802.11b/g packets gathered through the channel hopping module. For a hidden AP network that does not transmit an SSID beacon frame, it monitors the SSID during a client's access to the AP and detects the monitored SSID. The collected packets are then transmitted to the security module(120). It also periodically checks for changes in the wireless-related settings of the wire/wireless integration-type apparatus in order to stay synchronized with it.
[96] The network monitoring module(114) collects all network packets in the AP apparatuses.
[97] The alert interface module(116) is a sort of action module that transmits a message to the wire/wireless integration-type apparatus(200), logs the wireless network monitoring procedure, and logs alerts. In addition, it can produce an alert for a wireless network attack.
[98] The analysis and security module(120) comprises a packet analysis module(122), an intrusion detection module(124), and a rule DB/signature module(126).
[99] The packet analysis module(122) is a sort of wireless traffic filtering module that captures network packets transmitted from the network monitoring module(114) while detecting attacking traffic.
[100] The intrusion detection module(124), a kind of decision module, is composed of an illegal AP (rogue AP) detection module(124-1) and a spoof/DoS/stumbler/MITM detection module(124-2).
[101] The illegal AP (rogue AP) detection module(124-1) compares AP information transmitted from the network monitoring module(114) with an approved AP list entered by a manager in advance. The compared information is the MAC/SSID/vendor/media type (802.11b/a/g)/channel. If an AP is detected as unauthorized, an alert log is transmitted to the wire/wireless integration-type apparatus(200).
[102] The spoof/DoS/stumbler/MITM detection module(124-2) detects a MAC spoofing attack by tracking the sequence number, and detects a 'deauth' flooding DoS attack by confirming whether broadcast disassociate/deauthenticate frames are generated. To detect a stumbler's attack, the fingerprints known for each stumbler are compared with the packets. In the case of the representative netstumbler 3.2.3, the character string "All your 802.11b belong to us" is included in its query. A man-in-the-middle attack is detected by confirming whether the channel of an AP has changed. The resulting alert logs are transmitted to the wire/wireless integration-type apparatus.
[103] The rule DB/signature module(126) operates in conjunction with the intrusion detection module(124), and can search signatures and rules.
[104] Reference numeral 101 denotes the network interface card, which is the transceiving path of the various wireless packets.
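As an added illustration of the checks described in paragraphs [67] and [101]-[102] (example code written for this page, not the patent's or the inventors' own implementation), the following C program runs toy versions of the five detections over constructed frame records: the rogue AP comparison on MAC/SSID/vendor/media type/channel, sequence-number tracking for MAC spoofing, counting of broadcast disassociate/deauthenticate frames for 'deauth' flooding, the NetStumbler 3.2.3 query string as a stumbler fingerprint, and a channel change of a known BSSID as the man-in-the-middle indicator. The frame and AP record layouts, the thresholds SEQ_MAX_FORWARD_GAP and DEAUTH_FLOOD_THRESHOLD, the sample MAC addresses and the approved AP list are all assumptions made for the example.

```c
/* Added example, not the patent's own code: toy versions of the checks the
 * patent assigns to modules 124-1 and 124-2, run over constructed frames.
 * Thresholds and the frame/AP record layouts are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SEQ_MAX_FORWARD_GAP 64     /* assumed: largest plausible jump of the 12-bit counter */
#define DEAUTH_FLOOD_THRESHOLD 10  /* assumed: broadcast deauth/disassoc frames per window */
#define MAX_TRACKED 16
#define NO_SEQ 0xFFFFu             /* sentinel: no sequence number seen for this MAC yet */
#define BCAST "ff:ff:ff:ff:ff:ff"

typedef enum { FT_BEACON, FT_PROBE_REQ, FT_DEAUTH, FT_DISASSOC, FT_DATA } frame_type;
typedef struct {
    frame_type type; const char *src, *dst;          /* transmitter / receiver MAC (BCAST = broadcast) */
    unsigned seq; int channel; const char *payload;  /* 12-bit seq no., RX channel, SSID or probe text */
} frame;
/* Fields the patent compares for the rogue AP check: MAC/SSID/vendor/media type/channel. */
typedef struct { const char *bssid, *ssid, *vendor, *media; int channel; } ap_info;
/* Approved AP list "inputted by a manager in advance" (constructed sample). */
static const ap_info authorized_aps[] = {
    { "00:14:bf:00:00:01", "corp-net", "Linksys", "802.11g", 6 },
    { "00:14:bf:00:00:02", "corp-net", "Linksys", "802.11g", 11 },
};
/* Per-MAC state shared by the sequence-number and channel-change checks. */
typedef struct { const char *mac; unsigned last_seq; int channel; } track;
typedef struct { track t[MAX_TRACKED]; int n; int bcast_deauth; } state;

static track *find_or_add(state *s, const char *mac) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->t[i].mac, mac) == 0) return &s->t[i];
    if (s->n == MAX_TRACKED) return NULL;
    s->t[s->n].mac = mac; s->t[s->n].last_seq = NO_SEQ; s->t[s->n].channel = 0;
    return &s->t[s->n++];
}

/* Rogue AP (124-1): every compared field must match one approved entry. */
bool is_rogue_ap(const ap_info *seen) {
    for (size_t i = 0; i < sizeof authorized_aps / sizeof authorized_aps[0]; i++) {
        const ap_info *a = &authorized_aps[i];
        if (!strcmp(a->bssid, seen->bssid) && !strcmp(a->ssid, seen->ssid) &&
            !strcmp(a->vendor, seen->vendor) && !strcmp(a->media, seen->media) &&
            a->channel == seen->channel)
            return false;
    }
    return true;
}
/* MAC spoofing: a second radio using this MAC breaks the station's monotonic sequence
 * counter. Delta 0 is a retransmission; a backwards jump wraps to a large value mod 4096
 * and is flagged with implausible leaps. The baseline only advances on normal frames. */
bool check_mac_spoof(state *s, const frame *f) {
    track *t = find_or_add(s, f->src);
    if (!t) return false;
    if (t->last_seq == NO_SEQ) { t->last_seq = f->seq; return false; }
    unsigned delta = (f->seq + 4096 - t->last_seq) % 4096;
    if (delta > SEQ_MAX_FORWARD_GAP) return true;
    t->last_seq = f->seq;
    return false;
}
/* 'deauth' flooding: count broadcast disassociate/deauthenticate frames in the
 * current observation window; the caller zeroes bcast_deauth at each new window. */
bool check_deauth_flood(state *s, const frame *f) {
    if ((f->type == FT_DEAUTH || f->type == FT_DISASSOC) && !strcmp(f->dst, BCAST))
        s->bcast_deauth++;
    return s->bcast_deauth >= DEAUTH_FLOOD_THRESHOLD;
}
/* Stumbler fingerprint: the query string the patent quotes for NetStumbler 3.2.3. */
bool check_stumbler(const frame *f) {
    return f->type == FT_PROBE_REQ && strstr(f->payload, "All your 802.11b belong to us") != NULL;
}
/* Man-in-the-middle indicator: a known BSSID starts beaconing on another channel. */
bool check_ap_channel_change(state *s, const frame *f) {
    if (f->type != FT_BEACON) return false;
    track *t = find_or_add(s, f->src);
    if (!t) return false;
    if (t->channel == 0) { t->channel = f->channel; return false; }
    return t->channel != f->channel;
}

/* Constructed sample inputs used by the replay below and by the tests. */
static const ap_info sample_rogue_ap = { "00:1e:c2:aa:bb:cc", "corp-net", "Apple", "802.11g", 6 };
static const frame sample_stumbler = { FT_PROBE_REQ, "00:0c:29:11:22:33", BCAST, 7, 6,
                                       "All your 802.11b belong to us" };
/* Replays a short constructed capture; returns a bitmask of the checks that fired:
 * 1 rogue AP, 2 MAC spoof, 4 deauth flood, 8 stumbler, 16 AP channel change. */
int run_demo(void) {
    state s = {0};
    int hits = is_rogue_ap(&sample_rogue_ap) ? 1 : 0;
    frame legit = { FT_DATA, "00:0c:29:44:55:66", "00:14:bf:00:00:01", 100, 6, "" };
    frame forged = legit; forged.seq = 2048;          /* same MAC, counter far out of step */
    check_mac_spoof(&s, &legit);
    if (check_mac_spoof(&s, &forged)) hits |= 2;
    frame deauth = { FT_DEAUTH, "00:14:bf:00:00:01", BCAST, 0, 6, "" };
    for (int i = 0; i < DEAUTH_FLOOD_THRESHOLD - 1; i++) check_deauth_flood(&s, &deauth);
    if (check_deauth_flood(&s, &deauth)) hits |= 4;   /* threshold reached on this frame */
    if (check_stumbler(&sample_stumbler)) hits |= 8;
    frame beacon = { FT_BEACON, "00:14:bf:00:00:01", BCAST, 1, 6, "corp-net" };
    check_ap_channel_change(&s, &beacon);
    beacon.channel = 1;                               /* same BSSID now seen on channel 1 */
    if (check_ap_channel_change(&s, &beacon)) hits |= 16;
    return hits;
}

int main(void) { printf("fired checks: 0x%02x\n", run_demo()); return 0; }
```

The sequence-number check advances its baseline only on frames it judges normal, so a run of forged frames keeps alerting while the genuine station's counter remains the reference. In a deployment the bcast_deauth window reset and both thresholds would be tuned against the site's normal beacon and deauthentication rates, and the approved AP list would be loaded from the wire/wireless integration-type apparatus(200) rather than compiled into the firmware.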
[105] Fig. 10 is a flow chart illustrating a wireless network intrusion detection and prevention procedure through a wireless access point apparatus in accordance with the present invention.
[106] Referring to Fig. 10, first, wireless traffic is accepted through the channel hopping module(112) and the network monitoring module(114) of the network module(110) of a wireless access point apparatus(100) (ST-2).
[107] Then, the accepted wireless traffic is analyzed in the network monitoring module(114) and transmitted to the packet analysis module(122) (ST-4).
[108] The transmitted wireless traffic is filtered in the packet analysis module(122) and transmitted to the intrusion detection module(124) (ST-6).
[109] The intrusion detection module(124) decides whether the filtered packet is a network attacking packet, by linking with the rule DB/signature module(126) (ST-8). If the packet is not a network attacking packet according to the decision of step 'ST-8', the result is reported to the packet analysis module(122) and the alert interface module(116). Consequently, the corresponding data is bypassed.
[110] If the filtered packet is a network attacking packet according to the decision of step 'ST-8', the result is reported to the packet analysis module(122) and the alert interface module(116).
[111] The alert interface module(116) transmits an alert message to the network monitoring module(114), so that the alert message can be sent to the receiver (ST-10). Meanwhile, in step 'ST-10', data received together with the alert message can be transmitted as well.
[112] Then, the network monitoring module(114) decides whether the receiver who received the alert message (or the alert message plus data) confirmed the alert message (ST-12). If the receiver confirmed the message according to the decision of step 'ST-12', the corresponding data is abandoned (ST-14).
[113] In the meantime, though not illustrated in the drawing, if the filtered packet of step 'ST-8' is a network attacking packet, 'deauth' data that cuts off the connection with the receiver can be transmitted without the alert message of step 'ST-10' being transmitted.
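The decision path of steps ST-6 to ST-10, together with the rule DB/signature module(126) of paragraph [103], as an added example written for this page (not the patent's own code): a small signature table is searched for each frame that passes the packet analysis filter, a matching rule produces the alert log line and a verdict, and a non-matching frame is bypassed. The rule table, its sid numbers, the SUB_* subtype encoding, the control-frame filter policy and the sample capture are assumptions of the example; only the NetStumbler 3.2.3 string and the broadcast disassociate/deauthenticate condition come from the patent text.

```c
/* Added example, not the patent's own code: a minimal rule DB/signature module
 * (126) and the ST-6..ST-10 decision path of Fig. 10, applied to constructed
 * frame records. Rule contents, sid values and the verdict encoding are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BCAST "ff:ff:ff:ff:ff:ff"
enum { SUB_ANY = -1, SUB_BEACON, SUB_PROBE_REQ, SUB_DEAUTH, SUB_DISASSOC, SUB_DATA, SUB_CTRL };

typedef struct { int subtype; const char *src, *dst, *payload; } packet;

/* One signature: frame subtype (or SUB_ANY), optional destination, optional
 * payload substring, alert text, and whether the 'deauth' cut-off of claims
 * 4 and 8 should follow the alert. */
typedef struct { int sid; int subtype; const char *dst, *pattern, *msg; bool cut_off; } rule;

/* Constructed rule DB. The cut-off is reserved for rules whose sender address
 * is credible: the source of a forged broadcast deauth is normally spoofed, so
 * cutting it off would hit the AP being impersonated rather than the attacker. */
static const rule rule_db[] = {
    { 1001, SUB_PROBE_REQ, NULL,  "All your 802.11b belong to us", "NetStumbler 3.2.3 query fingerprint", true },
    { 1002, SUB_DEAUTH,    BCAST, NULL, "broadcast deauthentication frame", false },
    { 1003, SUB_DISASSOC,  BCAST, NULL, "broadcast disassociation frame", false },
};

typedef enum { V_BYPASS, V_ALERT, V_ALERT_DEAUTH } verdict;

/* ST-6: the packet analysis module (122) forwards only frames the rules can judge;
 * control frames (ACK/RTS/CTS) carry nothing to match and are dropped (assumed policy). */
bool passes_filter(const packet *p) { return p->subtype != SUB_CTRL; }

/* ST-8: linear search of the rule DB; the first matching rule wins. */
const rule *match_rule(const packet *p) {
    for (size_t i = 0; i < sizeof rule_db / sizeof rule_db[0]; i++) {
        const rule *r = &rule_db[i];
        if (r->subtype != SUB_ANY && r->subtype != p->subtype) continue;
        if (r->dst && strcmp(r->dst, p->dst) != 0) continue;
        if (r->pattern && strstr(p->payload, r->pattern) == NULL) continue;
        return r;
    }
    return NULL;
}

/* ST-6..ST-10 for one accepted frame: returns the verdict and fills the alert
 * log line the alert interface module (116) would forward to apparatus (200). */
verdict process_packet(const packet *p, char *log, size_t loglen) {
    log[0] = '\0';
    if (!passes_filter(p)) return V_BYPASS;
    const rule *r = match_rule(p);
    if (!r) return V_BYPASS;                  /* not an attacking packet: bypassed */
    snprintf(log, loglen, "ALERT sid=%d src=%s dst=%s msg=\"%s\"", r->sid, p->src, p->dst, r->msg);
    return r->cut_off ? V_ALERT_DEAUTH : V_ALERT;
}

/* Constructed capture: beacon, ordinary data, stumbler probe, control frame, broadcast deauth. */
static const packet sample_capture[] = {
    { SUB_BEACON,    "00:14:bf:00:00:01", BCAST,               "corp-net" },
    { SUB_DATA,      "00:0c:29:44:55:66", "00:14:bf:00:00:01", "GET / HTTP/1.1" },
    { SUB_PROBE_REQ, "00:0c:29:11:22:33", BCAST,               "All your 802.11b belong to us" },
    { SUB_CTRL,      "00:0c:29:44:55:66", "00:14:bf:00:00:01", "" },
    { SUB_DEAUTH,    "00:14:bf:00:00:01", BCAST,               "" },
};
#define N_SAMPLES (sizeof sample_capture / sizeof sample_capture[0])

/* Verdict for one frame of the sample capture (out-of-range index is treated as bypass). */
verdict verdict_of(size_t i) {
    char line[160];
    return i < N_SAMPLES ? process_packet(&sample_capture[i], line, sizeof line) : V_BYPASS;
}

/* Replays the capture, printing alert lines; returns the number of alerts raised. */
int run_capture(void) {
    int alerts = 0;
    char line[160];
    for (size_t i = 0; i < N_SAMPLES; i++) {
        verdict v = process_packet(&sample_capture[i], line, sizeof line);
        if (v == V_BYPASS) continue;
        alerts++;
        printf("%s%s\n", line, v == V_ALERT_DEAUTH ? " action=cut-off-sender" : "");
    }
    return alerts;
}

int main(void) { printf("%d alerts\n", run_capture()); return 0; }
```

The example returns V_ALERT_DEAUTH only for the stumbler rule and V_ALERT for the broadcast deauthentication/disassociation rules: the source address of a forged broadcast deauth is normally the impersonated AP's own MAC, so the cut-off of claims 4 and 8 should be tied to rules whose sender address can be trusted; otherwise the AP ends up disconnecting its own clients.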

Claims
[1] A wireless access point apparatus(100) for transceiving/relaying a wireless signal by wirelessly linking with a user and detecting/preventing a wireless network traffic signal from an attacker, comprising: a network module(110) including a network interface card(101), and consisting of a network monitoring module(114) for accepting and detecting attacking traffic of an attacker, and an alert interface module(116) for controlling that an alert message can be transmitted to the attacker; and an analysis and security module(120) consisting of a packet analysis module(122) for filtering the attacking traffic transmitted from the network monitoring module(114), and an intrusion detection module(124) for deciding whether a filtered packet from the packet analysis module(122) is a network attacking packet, by linking with a rule DB/signature module(126), and for transmitting the results to the packet analysis module(122) and the alert interface module(116).
[2] The wireless access point apparatus(100) of claim 1, wherein the network module(110) further comprises a channel hopping module(112) that channel-hops 802.11b/g packets, synchronizes setting information, monitors level-2 wireless traffic, and transmits a probe request, a probe response, and a beacon frame.
[3] The wireless access point apparatus(100) of claim 1, wherein the network monitoring module(114) is a monitoring mode for executing a passive-type sniffing procedure and detecting all network packets, and collects the 802.11b/g packets collected through the channel hopping module(112), while a hidden AP network that does not transmit an SSID beacon frame monitors an SSID during AP access of a client, and detects the monitored SSID.
[4] The wireless access point apparatus(100) of claim 1, wherein the alert interface module(116) transmits a 'deauth' signal that cuts off a connection with a network attacking packet sender.
[5] The wireless access point apparatus(100) of claim 1, wherein the intrusion detection module(124) is composed of an illegal AP (rogue AP) detection module(124-1) for comparing AP information transmitted from the network monitoring module(114) with an applied AP list inputted by a manager in advance, and a spoof/DoS/stumbler/MITM detection module(124-2) for detecting an MAC spoofing attack by tracking a sequence number, detecting a 'deauth' flooding attack of DoS by confirming whether broadcast disassociate/deauthenticate frames are generated, detecting fingerprints existing according to each stumbler by comparing the detected fingerprints with packets so as to detect a stumbler's attack, and for detecting a man-in-the-middle attack by confirming whether a channel of an AP is changed.
[6] A wireless network intrusion detection and prevention method using a wireless access point apparatus(100) for detecting and preventing wireless network attacking traffic through the wireless access point apparatus(100), comprising the steps of: analyzing and transmitting accepted wireless traffic; filtering the transmitted wireless traffic; deciding whether a filtered packet is a network attacking packet, by linking with a rule DB/signature module(126); and if the filtered packet is the network attacking packet, transmitting the results to an attacker as an alert message.
[7] The wireless network intrusion detection and prevention method using the wireless access point apparatus(100) of claim 6, wherein the method further comprises the steps of: deciding whether a receiver confirmed the alert message after the step of transmitting the alert message; and if the receiver confirmed the message, abandoning corresponding data.
[8] The wireless network intrusion detection and prevention method using the wireless access point apparatus(100) of claim 6, wherein in case the filtered packet is the network attacking packet, 'deauth' data that cuts off a connection with the receiver is sent while the alert message is transmitted.
PCT/KR2006/002364 2005-11-22 2006-06-20 Wireless access point apparatus and a network traffic intrusion detection and prevention method using the same Ceased WO2007061167A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2005-0112061 2005-11-22
KR1020050112061A KR20070054067A (en) 2005-11-22 2005-11-22 Wireless access point device and network traffic intrusion detection and blocking method using same

Publications (1)

Publication Number Publication Date
WO2007061167A1 true WO2007061167A1 (en) 2007-05-31

Family

ID=38067371

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/002364 Ceased WO2007061167A1 (en) 2005-11-22 2006-06-20 Wireless access point apparatus and a network traffic intrusion detection and prevention method using the same

Country Status (2)

Country Link
KR (1) KR20070054067A (en)
WO (1) WO2007061167A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102204170A (en) * 2008-10-31 2011-09-28 惠普开发有限公司 Method and apparatus for network intrusion detection
US8769639B2 (en) 2007-09-04 2014-07-01 Microsoft Corporation History-based downgraded network identification
US20140275017A1 (en) * 2009-03-18 2014-09-18 Merck Sharp & Dohme Corp. Cgrp receptor antagonists
WO2017127164A1 (en) * 2016-01-19 2017-07-27 Qualcomm Incorporated Methods for detecting security incidents in home networks
CN112153649A (en) * 2019-06-28 2020-12-29 北京奇虎科技有限公司 router
CN112839015A (en) * 2019-11-25 2021-05-25 杭州萤石软件有限公司 Method, device and system for detecting attack Mesh node
US11263320B2 (en) 2017-01-20 2022-03-01 Hewlett-Packard Development Company, L.P. Updating firmware
CN114553580A (en) * 2022-02-28 2022-05-27 国网新疆电力有限公司博尔塔拉供电公司 Network attack detection method and device based on rule generalization and attack reconstruction
US12081985B2 (en) 2021-10-27 2024-09-03 Hewlett Packard Enterprise Development Lp Broadcast of intrusion detection information
WO2025053907A1 (en) * 2023-09-05 2025-03-13 Qualcomm Incorporated Threat notifications and remedies for home networks
US12341675B2 (en) 2022-12-06 2025-06-24 Hewlett Packard Enterprise Development Lp Strategy to ensure continual user experience and system performance if an Uplink is stuck

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101248601B1 (en) * 2011-05-17 2013-03-28 류연식 Security system for distributed denial of service and method for finding zombie terminal
KR101294280B1 (en) * 2011-08-31 2013-08-23 (주)소만사 System and Method capable of Preventing Individual Information Leakage by Monitoring Encrypted HTTPS-based Communication Data via Network Packet Mirroring
KR101279912B1 (en) * 2011-12-16 2013-07-30 (주)시큐리티존 Intrusion protecting system with smart sensor
KR101186873B1 (en) * 2011-12-16 2012-10-02 주식회사 정보보호기술 Wireless intrusion protecting system based on signature
KR101186874B1 (en) * 2011-12-30 2012-10-02 주식회사 정보보호기술 Method for operating intrusion protecting system for network system connected to wire and wireless integrated environment
KR101437405B1 (en) * 2013-04-04 2014-09-05 건국대학교 산학협력단 An Effective Mechanism and method against Intrusion Attack using Aggregate Traffic Prediction for Wireless Industrial Networks
KR101964148B1 (en) * 2017-03-22 2019-04-02 (주)휴네시온 Wire and wireless access point for analyzing abnormal action based on machine learning and method thereof
CN114095060B (en) * 2022-01-21 2022-04-08 华东交通大学 A smart grid signal safe transmission method, system and readable storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
LIM Y.-X. ET AL.: "Wireless intrusion detection and response", INFORMATION ASSURANCE WORKSHOP, 2003. IEEE SYSTEMS, MAN AND CYBERNETICS SOCIETY, 18 June 2003 (2003-06-18) - 20 June 2003 (2003-06-20), pages 68 - 75, XP010658707 *
MOHAMMED L.A. AND ISSAC B.: "DoS Attacks and Defense Mechanisms in Wireless Networks", MOBILE TECHNOLOGY, APPLICATIONS AND SYSTEMS, 2005 2ND INTERNATIONAL CONFERENCE, 15 November 2005 (2005-11-15) - 17 November 2005 (2005-11-17), pages 1 - 8, XP010926851 *
SCHMOYER T.R., YU XI LIM, OWEN H.L.: "Wireless detection and response: a classic study using main-in-the-middle attack", WIRELESS COMMUNICATIONS AND NETWORKING CONFERENCE, 2004. WCNC. 2004 IEEE, vol. 2, March 2004 (2004-03-01), pages 883 - 888, XP010708425 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8769639B2 (en) 2007-09-04 2014-07-01 Microsoft Corporation History-based downgraded network identification
CN102204170B (en) * 2008-10-31 2014-04-16 惠普开发有限公司 Method and apparatus for network intrusion detection
US8752175B2 (en) 2008-10-31 2014-06-10 Hewlett-Packard Development Company, L.P. Method and apparatus for network intrusion detection
CN102204170A (en) * 2008-10-31 2011-09-28 惠普开发有限公司 Method and apparatus for network intrusion detection
US20140275017A1 (en) * 2009-03-18 2014-09-18 Merck Sharp & Dohme Corp. Cgrp receptor antagonists
WO2017127164A1 (en) * 2016-01-19 2017-07-27 Qualcomm Incorporated Methods for detecting security incidents in home networks
US11263320B2 (en) 2017-01-20 2022-03-01 Hewlett-Packard Development Company, L.P. Updating firmware
CN112153649A (en) * 2019-06-28 2020-12-29 北京奇虎科技有限公司 router
CN112839015A (en) * 2019-11-25 2021-05-25 杭州萤石软件有限公司 Method, device and system for detecting attack Mesh node
US12081985B2 (en) 2021-10-27 2024-09-03 Hewlett Packard Enterprise Development Lp Broadcast of intrusion detection information
CN114553580A (en) * 2022-02-28 2022-05-27 国网新疆电力有限公司博尔塔拉供电公司 Network attack detection method and device based on rule generalization and attack reconstruction
CN114553580B (en) * 2022-02-28 2024-04-09 国网新疆电力有限公司博尔塔拉供电公司 Network attack detection method and device based on rule generalization and attack reconstruction
US12341675B2 (en) 2022-12-06 2025-06-24 Hewlett Packard Enterprise Development Lp Strategy to ensure continual user experience and system performance if an Uplink is stuck
WO2025053907A1 (en) * 2023-09-05 2025-03-13 Qualcomm Incorporated Threat notifications and remedies for home networks

Also Published As

Publication number Publication date
KR20070054067A (en) 2007-05-28

Similar Documents

Publication Publication Date Title
WO2007061167A1 (en) Wireless access point apparatus and a network traffic intrusion detection and prevention method using the same
US7970894B1 (en) Method and system for monitoring of wireless devices in local area computer networks
US7339914B2 (en) Automated sniffer apparatus and method for monitoring computer systems for unauthorized access
US7216365B2 (en) Automated sniffer apparatus and method for wireless local area network security
US7316031B2 (en) System and method for remotely monitoring wireless networks
Ma et al. A hybrid rogue access point protection framework for commodity Wi-Fi networks
US7823199B1 (en) Method and system for detecting and preventing access intrusion in a network
US7856656B1 (en) Method and system for detecting masquerading wireless devices in local area computer networks
US7764648B2 (en) Method and system for allowing and preventing wireless devices to transmit wireless signals
US20090016529A1 (en) Method and system for prevention of unauthorized communication over 802.11w and related wireless protocols
US20130007848A1 (en) Monitoring of smart mobile devices in the wireless access networks
US7710933B1 (en) Method and system for classification of wireless devices in local area computer networks
US7333800B1 (en) Method and system for scheduling of sensor functions for monitoring of wireless communication activity
US7409715B2 (en) Mechanism for detection of attacks based on impersonation in a wireless network
CN101540667A (en) Method and equipment for interfering with communication in wireless local area network
WO2010027121A1 (en) System and method for preventing wireless lan intrusion
Ma et al. RAP: Protecting commodity wi-fi networks from rogue access points
KR101186876B1 (en) Realtime intrusion protecting method for network system connected to wire and wireless integrated environment
Meng et al. Building a wireless capturing tool for WiFi
Issac et al. The art of war driving and security threats-a Malaysian case study
KR102823857B1 (en) Location-based Wi-Fi firewall building system and method
Wright Detecting Detectors: Layer 2 Wireless Intrusion Analysis
Bodhe et al. The RAP: Wireless Security
Yousif Wireless Intrusion Detection Systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 06768952; Country of ref document: EP; Kind code of ref document: A1)