• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:

    公开号:SE0900687A1
    申请号:SE0900687
    申请日:2009-05-20
    公开日:2010-11-21
    发明作者:Andre Rickardsson
    申请人:Bitsec Ab;
    IPC主号:
    专利说明:

    US 6,745,333 discloses a method for detecting a fraudulent attack by detecting data packets sent over the wireless network, which have the same source identity but originate from different segments of the network. In the case of wireless networks, the smallest network segment is the area covered by an access point, ie all clients connected to the same access point belong to the same network segment. A disadvantage of the method shown in US 6,745,333 is thus that a fraudulent attack cannot be detected if both the rogue device and the imitation device communicate with the network via the same access point.
    SUMMARY OF THE INVENTION An object of the present invention is to overcome these problems and to provide an improved detection of wireless intrusions.
    This is achieved by a method for detecting a fraudulent attack according to independent claim 1, by a device for detecting wireless intrusions according to independent claim 7 and by a computer program product according to independent claim 14. Embodiments of the invention are set out in the dependent requirements.
    Thus, according to a first aspect of the present invention, there is provided a method of detecting a fraudulent attack in a wireless network. The method includes the steps of receiving a data packet from the wireless network, determining a signal strength of the received data packet, determining an identity of the sender of the received data packet, and deciding whether a fraudulent attack has been initiated. The decision on whether to initiate a fraudulent attack is based on the signal strength, i.e. the signal strength with which the data packet was received, and the identity of the sender, i.e. the identity of the sender of the received data packet.
    According to a second aspect of the present invention, there is provided a device for detecting wireless intrusions. The device for detecting wireless intrusions comprises a receiver and processing circuits. The receiver receives data packets from the wireless network. The processing circuits are arranged to determine a signal strength of the data packet received from the wireless network, to determine a sender identity for the data packet, and to decide whether a hoax attack has been initiated. The decision on whether to launch a hoax is based on the signal strength and the identity of the sender.
    According to a third aspect of the present invention, there is provided a computer program product. The computer program product comprises a medium for use with a computer, in which a computer readable program code is executed. The computer readable program code is arranged to be executed for implementing the method according to the first aspect of the present invention.
    As far as the description of the present invention is concerned, a data processing apparatus is, for example, a computer, a computer accessory, a network printer, a mobile phone or a PDA, and generally includes a dedicated wireless network interface device for communication over a wireless network. or, more generally, a wireless connection. The wireless communication can be implemented using any kind of radio-based wireless network technology, such as WLAN, Bluetooth, GSM, GPRS, UMTS, LTE and Wi-MAX. In order to be able to identify a particular data processing apparatus as the source or destination of a data transmission, each data processing apparatus participating in wireless communication is assigned an identity. The identities can be, for example, a MAC or IP address (medium access control address or Internet protocol address).
    The present invention is based on the realization that hoax attacks, i.e. disguises based on disguise, in a wireless network can be detected by analyzing the signal strength and sender identity of data packets received via the wireless network. It is advantageous to base the decision on whether a hoax attack takes place on signal strength values to the extent that it is relatively simple and fairly effective. The general idea of the invention is based on the insight that such data packets, which are received via the wireless network by a device for detecting wireless intrusions - or by a data processing apparatus which performs tasks in detecting wireless intrusions - and which originate from two different data processing apparatuses which uses the same identity, will typically be received with separable signal strength values.
    For this purpose, the network traffic is monitored and data packets are received via the wireless network. For each received data packet, the signal strength and the sender identity are determined. It is then decided, on the basis of the signal strength and the sender identity, whether a hoax attack is taking place.
    The present invention has the advantage that fraudulent attacks performed by a rogue device communicating with the same access point as the imitation device, and thus belonging to the same network segment, can be detected. It is also advantageous to base the decision only on whether imitation occurs on identities and signal strengths for the reason that such information is easy to obtain. Furthermore, smaller processing efforts are required compared to intrusion detection systems according to the prior art, which analyze entire data packets.
    According to an embodiment of the present invention, a device for detecting wireless intrusions is located at a host computer capable of communicating over the wireless network. The processing circuits are also arranged to compare the sender identity with a host identity, to compare the signal strength with a predetermined signal strength and to decide that the sender is the device initiating the attack, i.e. a villain device, if the sender identity is the same as the host identity and signal the strength is less than a predetermined signal strength.
    This is advantageous because the host computer can monitor the wireless network traffic and detect scam attacks that exploit its own identity, i.e. attacks during which the host computer is imitated. In other words, a data processing apparatus equipped with a wireless network detection device can detect fraudulent attacks within the entire coverage area of the wireless network interface. This is advantageous if there is no centralized system for detecting wireless intrusions, such as in a public WLAN with a low degree of security. It is further understood that the coverage area of a centralized system for detecting wireless intrusions can be expanded by utilizing clients equipped with a device for detecting wireless intrusions. These clients are located at the edge of the coverage area of the wireless network protected by the wireless intrusion detection system.
    According to an embodiment of the invention, a predetermined signal strength is used for the decision of whether a hoax attack has been initiated. This predetermined signal strength is substantially equal to the signal strength of packets transmitted by the host computer itself. The signal strength of such data packets is a measure of the maximum signal strength that can be expected given the proximity between the sender, i.e. the host's wireless network interface, and the receiving device.
    The predetermined signal strength is generally set to a lower value than the maximum value to avoid false alarms.
    According to another embodiment of the present invention, the present device for detecting wireless intruder circuits is arranged to store signal strength information. The processing circuits are further arranged to store the sender identity and signal strength, to retrieve stored signal strength information from a sender with the same identity as the sender identity, to analyze the signal strength information, and to decide whether a hoax attack has been initiated. The decision on whether to initiate a blu 'attack is also based on the signal strength information. This embodiment is advantageous in that attacks in which the identity of devices other than the host device is imitated.
    The device that performs wireless intrusion detection does not necessarily have to be a data processing apparatus capable of communicating, i.e. transmitting and receiving data, via the wireless network. For example, the device may be a dedicated intrusion detection device which is only arranged to monitor wireless network traffic. However, the device may also be a data processing apparatus equipped with a wireless network interface device which can be used for detecting wireless intrusions when inactive or a data processing apparatus having a wireless intrusion detection device installed.
    For this purpose, the wireless network traffic is monitored and a signal information database containing signal strength values and associated sender identities is maintained. For each received fl data packet, previously received signal strength values are retrieved from the database which relate to the same identity as the identity of the sender of the received data packet. The variation over time of these values is analyzed in order to decide whether a scam thank you exists. For example, a sudden variation in an “otherwise substantially constant signal strength” may be an indication of a hoax. It will further be appreciated that the signal strength information may be analyzed at other times than when a data packet is being received from the wireless network. For example, such an analysis can be initiated by an external trigger, for example by a user or by a device in the wireless network, such as a centralized intrusion detection system. Furthermore, the analysis can also be performed periodically or randomly. As an alternative to analyzing the overall signal strength information, only parts of the information can be analyzed. In particular, signal strength information relating to the most recently received data packet from the network can be excluded.
    If no sender identity is established for the latest data packet, for example if the analysis is started independently of the reception of a data packet from the wireless network, then the signal strength maintenance regarding an arbitrary identity can be taken into account. This is advantageous in that the steps of analyzing signal strength information and deciding whether to initiate a fraudulent attack can be performed separately from the steps of receiving data packets from the wireless network and establishing a signal strength and a sender identity. For example, this may be the case in an intrusion detection system that includes sensors for receiving data packets and in which the analysis is performed by other devices. In accordance with another embodiment of the present invention, the processing circuits are further arranged to calculate a variation in the signal strength information, to compare the variation with a predetermined variation and to decide whether a bluff attack is considered to have been initiated if the calculated variation is greater than the predetermined one. the variation.
    According to yet another embodiment of the present invention, the processing circuits are further arranged to compile a distribution of signal strength values from the signal strength information, to evaluate said distribution modality, and to decide that a hoax attack is considered to have been initiated if the distribution is multimodal. Although advantages of the present invention have in some cases been described with reference to embodiments of the wireless intrusion detection device according to the second aspect of the invention, the same rationale applies to embodiments of the method according to the first aspect of the invention. For example, a computer equipped with a wireless network interface device, or an access point in a WLAN, may be arranged to perform tasks in detecting wireless intrusions. It will also be appreciated that the corresponding reasoning applies to embodiments of the computer program product according to the third aspect of the invention. Such a computer software product can, for example, be used to adapt existing hardware to perform tasks in detecting wireless intrusions. The client or an access point in a WLAN may, for example, be arranged to perform detection of wireless intrusion while it is idle provided it is provided with a suitable computer program.
    Further objects, features and advantages of the present invention will become apparent upon study of the following detailed description, the drawings and the appended claims. Those skilled in the art will appreciate that various features of the present invention may be combined to create embodiments other than those described.
    Brief Description of the Drawings The above features and advantages of the present invention will be better understood from the following illustrative and non-limiting detailed description of embodiments of the present invention and its references to the accompanying drawings.
    Figure 1 shows an embodiment of the method for detecting a hoax attack.
    Figure 2 shows another embodiment of the method for detecting a hoax attack.
    Figure 3 shows a hypothetical variation over time in signal strength and the resulting distribution of signal strength care.
    Figure 4 shows an embodiment of the device for detecting wireless intrusions.
    Figure 5 shows another embodiment of the wireless intrusion detection device.
    Figure 6 shows a wireless network interface device that includes a device for detecting wireless intrusions.
    All figures are schematic, not necessarily to scale and generally show only parts which are necessary to illustrate the invention, whereby other parts may be excluded or only hinted at.
    Detailed Description As far as the description of the present invention is concerned, it is assumed that the clients in a wireless network, for example a WLAN, have access to the network and its resources through one or more of your access points. In general, access to restricted clients is restricted only, and this access control is based at least in part on the identity of the clients requesting access to the network.
    In a disguise attack, a rogue client imitates the identity of an authorized client, for example by cutting off the authorized client's connection to an access point, and declares his own identity with the imitated identity.
    The rogue client thereby gains access to the network through an access point with the help of the authorized client's imitated identity.
    Referring to Figure 1, a method 100 for detecting a hoax attack is described. For the purpose of exemplifying the present invention, it is assumed that the method 100 is performed by an authorized client in the WLAN, i.e. the client can legitimately connect to any of the WLAN's access points and can use the WLAN's resources.
    The method 100 begins in step 101, either periodically or through an external trigger, such as a user request, a system administrator or other device in the network, such as a centralized intrusion detection system that utilizes clients connected to the network for intrusion detection purposes. Initially, in step 110, a data packet is received from the wireless network. In the next step 120, a signal strength with which the data packet was received is determined.
    The signal strength can usually be obtained from the receiver but can also be measured by any other means known per se. For the purposes of the present invention, the signal strength may be a relative number. In the case of WLAN, the received signal strength indication (RSSI) can be used. The data packet is then analyzed, in step 130, for the purpose of determining the identity of the device from which the data packet originates. The type of identity used, as well as the way in which the identity is obtained from the data packet, depends on the network technology used and on whether the network traffic is encrypted or not. In the case of WLAN, the source field of the data packet contains the MAC address of the transmitting device. However, other identifiers can also be used, including the IP address. Then, in step 140, a decision is made as to whether a scam attack has been initiated. If a fraudulent attack is considered to take place, the procedure is terminated in step 102 and, if desired, measures are taken which are known per se. For example, a warning may be issued to the client's user or to a wireless network administrator; likewise, the attack can be logged. The client that detects the attack, or the network's centralized system for wireless intrusions, can also initiate countermeasures, such as interrupting traffic to parts of the network.
    If no attack is considered to have been initiated, the process proceeds in step 110 to receive an additional data packet from the network. However, the method can also be terminated here and start again after a certain time interval or when it is initiated by an external trigger, for example by a user or another device in the network, such as a centralized intrusion detection system. In general, the procedure can be performed periodically, randomly or on request.
    Referring to Figure 1, an embodiment of the method 100 is shown, in particular step 140. The decision as to whether a fraudulent attack is considered to have begun begins with step 141 comparing the sender identity, i.e. the identity of the sender of the data packet received from the wireless network, with the identity at the data processing apparatus performing the procedure, termed the host. Then, in step 142, the signal strength, i.e. the signal strength with which the data packet was received, is compared with a predetermined signal strength. Finally, in step 143, the decision is made that a hoax attack is considered to exist if the sender identity is the same as the host identity and the signal strength is less than the predetermined signal strength, in which case the procedure ends in step 102. Otherwise a hoax attack is not considered and the procedure continues in step 110.
    The method described with reference to Figure 1 can be used to detect attacks that imitate the client itself, i.e. the host data processing apparatus performing the method. If the client receives a data packet via the wireless network which pretends to come from the client itself, ie which has the same sender identity as the host identity, and if the data packet is received with a signal strength lower than the predetermined signal strength, then a fake attack is considered initiated and the sender of the data packet is considered to be a rogue device that imitates the client. The predetermined signal strength is essentially the same as the signal strength with which the client would receive its own data packets. For example, a data processing apparatus, which is a competent client in a wireless network and which is provided with a wireless network interface device and a device for detecting wireless intrusions, can monitor the network traffic in its vicinity. In particular, the wireless network detection device can receive data packets sent by its own wireless network interface device. The signal strength of data packets originating from the client constitutes the greatest possible signal strength in view of the proximity between sender and receiver. Data packets originating from other devices are typically received with a lower signal strength. In order to avoid false alarms, the predetermined signal strength is set to a slightly lower value.
    The predetermined signal strength is usually specified by a network administrator or by means of a centralized intrusion detection system that sends the monitoring request to the clients.
    Referring to Figure 2, an alternative embodiment of the method for detecting a fraudulent attack is described. The method 200 is similar to the method 100 described with reference to Figure 1 in that it comprises the steps of receiving 210 a data packet via the wireless network, determining 220 a signal strength with which the data packet was received, determining 230 an identity of the data packet sender, and to decide 240 on whether there is a breach of infringement. In addition, the method 200 includes the step of storing 235 the signal strength and the corresponding sender identity for use in subsequent analysis of the variation over time in signal strength. Furthermore, the step of deciding 240 whether a fraudulent attack takes place differs from the step 140 described with reference to Figure 1. With reference to Figure 2, the step 240 comprises the steps of reading 241 signal strength information, i.e. signal strength values for data packets which are supposed to originate from the same sender, for example from a sender with the same identity as the sender identity. The retrieved signal strength information is then used, in step 240, to decide whether a hoax attack has been initiated. This is accomplished by analyzing the signal strength history, i.e. the sequence of signal strength values derived from a transmitter with the same identity. For example, an otherwise substantially constant signal strength that suddenly changes value can be interpreted as suspicious and attributed to a rogue device in a different position than the imitation device, ie the identity's legitimate holder, whereby the different position gives rise to a signal strength at the receiver which is different from that of the imitation device.
    The retrieved signal strength history can be analyzed, for example, by calculating 242 a variation of the signal strengths and by comparing 243 the calculated variation with a predetermined variation. The predetermined variation is usually specified by a user of the client or by an administrator of the wireless network or a centralized intrusion detection system.
    The number of signal strength values below which such values are taken into account can also be set. In an alternative embodiment, the current signal strength and the retrieved signal strength history can also be compiled into a distribution of signal strength values, as shown in Figure 3. The left diagram in Figure 3 shows a hypothetical variation in the received signal strength s over time t. the values are then compiled into a distribution f (s), ie the frequency fv signal strength values s during a certain time interval .t. The resulting distribution of signal strength values is then analyzed in order to decide whether a hoax attack takes place. If the distribution is multimodal, ie includes more than one local maximum, then a hoax attack is considered to have been initiated. The distribution shown in Figure 3 is bimodal, as it includes two local maxima, due to the fact that two different senders use the same identity. If more than two clients communicate with an access point using the same identity, for example if an authorized client is imitated by more than one rogue device, the resulting distribution may include more than two local maxima.
    Referring to Figure 4, there is now described a device 400 for detecting wireless intrusions which is intended to detect hoax attacks in a wireless network. The device 400 comprises a receiver 401, an antenna 402 and processing circuits 403. The antenna 402 may be built-in but may also be connectable to the receiver 401 via a connector. The processing circuits 403 are arranged to perform the steps in the method 100 described with reference to Figure 1. Typically, the processing circuits also include an input / output interface 405 for communication between the intrusion detection device and the host data processing apparatus. The input / output interface 405 can be, for example, PCI, PCMCIA, USB or FireWire.
    However, the wireless intrusion detection device may also cooperate with the data processing apparatus, a centralized intrusion detection system or a user via any other means, such as a wireless connection or a visual or audible indicator.
    With reference to Figure 5, an alternative embodiment of the device for detecting wireless intrusions is described. The wireless intrusion detection device 500 is similar to the device 400 described with reference to Figure 4 and includes a receiver 501, an antenna 502, processing circuits 503 and an input / output interface 505. Furthermore, the device 500 comprises circuits 504 arranged to store signal strength information, ie signal strengths and corresponding sender identities, analogous to the step 235 described with reference to Figure 2. The storage circuits 504 may be, for example, a random access memory (RAM), a hard disk drive or any other type of memory capable of store information. The stored signal strength information includes a database of sender identities and received signal strengths. The processing circuits 503 are arranged to perform the steps in the method 200, which is described with reference to Figure 2. In particular, the step 241 means reading stored signal strength information to retrieve stored signal strengths from the database regarding data packets originating from the same sender, e.g. for the sender of the data packet received from the wireless network.
    Referring to Figure 6, an embodiment of a wireless network interface device 600 is described. The wireless network interface device 600 includes a wireless intrusion detection device according to an embodiment of the second aspect of the present invention, the wireless intrusion detection device. includes a receiver 601, an antenna 602 and processing circuits 603, as well as circuits 604 for performing the wireless communication. Although the wireless network interface device 600, as described herein, includes a receiver 601 13 and an antenna 602 shared between the circuits 603 and 604, it may also include separate receivers and / or antennas for the wireless intrusion detection device. respectively for the circuits that perform the wireless communication. The wireless network interface device 600 may further include input / output interfaces 606 and 607 for communication with the data processing unit hosted by the wireless network interface device 600. Alternatively, the device 600 may include a common input / output interface 60. and 604. The embodiment shown in Figure 6 further comprises an interface 608 for communicating the identity of the wireless network interface device from the circuits 604 to the circuits 603. For example, in the case of WLAN, the device 600 is a WLAN interface device and the circuits 604 may be standard. dard WLAN circuits. the identity may be, for example, a MAC address with which the WLAN circuits 604 are configured, and this is communicated to the wireless intrusion detection device 603 via the interface 608. However, the identity may also be provided to the processing circuits 604 by other means, e.g. input / output interface 607. It will also be appreciated that circuits 603 and 604, which are described herein as separate, may be implemented as a single circuit arrangement.
    The circuits described above can be implemented in the form of electronic components, integrated circuits (ICs), application-specific integrated circuits (ASICs, application-specific integrated circuits), electrically programmable gate arrays (FPGAs) and / or programmable gate arrays. or complex programmable logic devices (CPLDs) or any combination of these. It will also be appreciated that any kind of circuitry may, at least in part, be replaced by processing means, such as a processor executing suitable software.
    Those skilled in the art will appreciate that the present invention is in no way limited to the embodiments described above. On the contrary, many changes and variations are possible within the scope of the appended claims. For example, the steps of the methods described above may be performed in a different order from that described herein. Furthermore, several data packets can be received from the wireless network before signal strength values and sender identities are determined. It is also understood that the methods can be performed at network devices other than clients, such as access points, routers, firewalls or a centralized intrusion detection system. The components of a wireless intrusion detection device, as well as the associated data, may also be distributed. For example, sensors or clients can collect information and a centralized intrusion detection system can analyze the collected information. The analysis can also be performed by distributed resources in the network in a YETI-at-home-like way, ie by utilizing inactive clients' computing resources. For example, a centralized intrusion detection system may require clients to monitor certain channels during certain time intervals. A client may also be set to monitor the network and perform the procedure for inconvenient periods, i.e. when the client's WLAN interface device does not communicate with the WLAN. Furthermore, a wireless intrusion detection device, or a data processing apparatus performing tasks in detecting wireless intrusion, can monitor only one channel or multiple channels, either by including fl your receivers or by switching between channels.
    权利要求:
    Claims (14)
    [1]
    A method (100, 200) for detecting fraudulent attacks in a wireless network, said method comprising the steps of: receiving (110, 210) a data packet from the wireless network; determining (120, 220) a signal strength for said data packet; determining (130, 230) an identity of a sender of said data packet; and deciding (140, 240) on the basis of said signal strength and said sender identity whether a hoax attack has been initiated.
    [2]
    The method of claim 1, performed at a host data processing apparatus capable of communicating via the wireless network, the step of deciding (140) whether to initiate a fraudulent attack comprising the steps of: comparing (141) said transmitter identity with an identity of a host data processing apparatus; comparing (142) said signal strength with a predetermined signal strength, and deciding (143) that said sender is the device initiating the attack if said sender is equal to said identity of the host data processing apparatus and said signal strength is less than said predetermined signal strength.
    [3]
    The method of claim 2, wherein said predetermined signal strength is substantially equal to the signal strength of packets sent by said host data processing unit.
    [4]
    The method of claim 1, further comprising the step of storing (235) said sender identity and said signal strength, the step of deciding (240) whether to initiate a hoax attack comprising the steps of: reading (241) said signal strength information for packets originating from a sender with the same identity as said sender identity; and analyzing said signal strength information, and wherein, in the step of deciding (240) whether a hoax attack has been initiated, said signal strength information is also taken into account.
    [5]
    The method of claim 4, wherein the step of analyzing said signal strength information comprises the steps of: calculating (242) a variation in said signal strength information; and comparing (243) said calculated variation with a predetermined variation, and wherein the step of deciding (240) whether to initiate a hoax attack further comprises the step of deciding (244) that a hoax attack is considered to have been initiated if said calculated variation is greater than said predetermined variation.
    [6]
    The method of claim 4, wherein the step of analyzing said signal strength information comprises the steps of: compiling (242) a distribution of signal strength values from said signal strength information; and evaluating (243) the modality of the distribution, and wherein the step of deciding (240) whether or not a bluff attack is initiated further comprises the step of deciding (244) that a bluff attack is considered to have been initiated if said distribution is multimodal.
    [7]
    An apparatus (400, 500) for detecting wireless intrusions for detecting fraudulent attacks in a wireless network, said apparatus comprising: a receiver (401, 501) for receiving a data packet from the wireless network; and processing circuits (403, 503) arranged: determining a signal strength of said data packet; determining a sender identity for said data packet; and deciding on the basis of said signal strength and said sender identity whether a hoax attack has been initiated. 10 15 20 25 30 17
    [8]
    The wireless intrusion detection device (400) according to claim 7, arranged in a host data processing apparatus capable of communicating via the wireless network, said processing circuits (403) further comprising: comparing said sender identity with an identity of the host data. treatment devices; comparing said signal strength with a predetermined signal strength; and deciding that said sender is the device that initiates the attack if said sender identity is the same as the identity of the host data processing apparatus and said signal strength is less than said predetermined signal strength.
    [9]
    The wireless intrusion detection device (500) of claim 7, further comprising: circuits (504) arranged to store signal strength information, said processing circuits (503) further comprising: storing said sender identity and said signal strength; reading stored signal strength information originating from a sender with the same identity as said sender identity; analyzing said signal strength information; and deciding, on the basis of said signal strength information, whether a hoax attack has been initiated.
    [10]
    The wireless intrusion detection device according to claim 9, wherein said processing circuits (503) are further arranged: calculating a variation in said signal strength information; comparing said variation with a predetermined variation; and deciding that a fraudulent attack is deemed to have been initiated if said calculated variation is greater than said predetermined variation.
    [11]
    The wireless intrusion detecting apparatus according to claim 9, wherein said processing circuits (503) are further arranged: compiling a distribution of signal strength values from said signal strength information; In evaluating the modality of the distribution; and deciding that a fraudulent attack is deemed to have been initiated if said distribution is multimodal.
    [12]
    A wireless network interface device (600) comprising a wireless intrusion detection device according to any one of claims 7 to 11.
    [13]
    A data processing apparatus capable of communicating over the wireless network, which comprises a device for detecting wireless intrusions according to any one of claims 7 to 11.
    [14]
    A computer program product comprising a medium for use with a computer, in which a computer readable program code is executed, said computer readable program code being arranged to be executed so that the method according to any one of claims 1 to 6 is performed.
    类似技术:
    公开号 | 公开日 | 专利标题
    US9870470B2|2018-01-16|Method and apparatus for detecting a multi-stage event
    EP2769571B1|2020-08-12|Mobile risk assessment
    US9398039B2|2016-07-19|Apparatus, system and method for suppressing erroneous reporting of attacks on a wireless network
    US9350758B1|2016-05-24|Distributed denial of service | honeypots
    CN106330944B|2020-01-03|Malicious system vulnerability scanner identification method and device
    EP1542406B1|2008-09-03|Mechanism for detection of attacks based on impersonation in a wireless network
    US8990938B2|2015-03-24|Analyzing response traffic to detect a malicious source
    CN107968791B|2021-08-24|Attack message detection method and device
    EP2854362B1|2019-01-30|Software network behavior analysis and identification system
    KR20150100383A|2015-09-02|Apparatus and method for detecting command and control channels
    CN107197456B|2020-06-02|Detection method and detection device for identifying pseudo AP | based on client
    Kim et al.2012|Online detection of fake access points using received signal strengths
    US20190174452A1|2019-06-06|Detection of mobile transmitters in an office environment
    RU2008139908A|2010-04-20|METHOD AND DEVICE FOR DETECTING ATTEMPTS TO INTROUGHT TO THE COMMUNICATION CHANNEL BETWEEN THE AIRCRAFT AND THE TERRESTRIAL STATION
    SE0900687A1|2010-11-21|Wireless intrusion detection
    US20190312836A1|2019-10-10|Network anti-tampering system
    Yaseen et al.2019|Marc: A novel framework for detecting mitm attacks in ehealthcare ble systems
    EP3803659A1|2021-04-14|Anomalous access point detection
    CN106790189B|2019-12-06|intrusion detection method and device based on response message
    US20090088132A1|2009-04-02|Detecting unauthorized wireless access points
    WO2005065023A3|2005-11-10|Internal network security
    CN110768999B|2022-01-25|Method and device for detecting illegal external connection of equipment
    CN105636052B|2018-12-04|Detection method, node apparatus and the system of wireless sensor network malicious node
    Lu et al.2018|Client-side evil twin attacks detection using statistical characteristics of 802.11 data frames
    CN108243034B|2021-09-03|Fault determination method, receiver and transmitter
    同族专利:
    公开号 | 公开日
    WO2010133634A1|2010-11-25|
    SE534349C2|2011-07-19|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US20060193299A1|2005-02-25|2006-08-31|Cicso Technology, Inc., A California Corporation|Location-based enhancements for wireless intrusion detection|US10019703B2|2014-05-13|2018-07-10|Google Llc|Verifying a secure connection between a network beacon and a user computing device|
    US9485243B2|2014-05-23|2016-11-01|Google Inc.|Securing a wireless mesh network via a chain of trust|
    CN105636048B|2014-11-04|2021-02-09|中兴通讯股份有限公司|Terminal and method and device for identifying pseudo base station|
    法律状态:
    2019-01-02| NUG| Patent has lapsed|
    优先权:
    申请号 | 申请日 | 专利标题
    SE0900687A|SE534349C2|2009-05-20|2009-05-20|Wireless intrusion detection|SE0900687A| SE534349C2|2009-05-20|2009-05-20|Wireless intrusion detection|
    PCT/EP2010/056886| WO2010133634A1|2009-05-20|2010-05-19|Wireless intrusion detection|
    [返回顶部]