WO2008001972A1 - Method for proactively preventing wireless attacks and apparatus thereof - Google Patents

Method for proactively preventing wireless attacks and apparatus thereof Download PDF

Info

Publication number
WO2008001972A1
WO2008001972A1 PCT/KR2006/003005 KR2006003005W WO2008001972A1 WO 2008001972 A1 WO2008001972 A1 WO 2008001972A1 KR 2006003005 W KR2006003005 W KR 2006003005W WO 2008001972 A1 WO2008001972 A1 WO 2008001972A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless
intrusion
attacking
frame
terminal
Prior art date
Application number
PCT/KR2006/003005
Other languages
French (fr)
Inventor
Hyo Sik Choi
Jae Cheol Ryou
Jong Hu Lee
Original Assignee
The Industry & Academic Cooperation In Chungnam National University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by The Industry & Academic Cooperation In Chungnam National University filed Critical The Industry & Academic Cooperation In Chungnam National University
Publication of WO2008001972A1 publication Critical patent/WO2008001972A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1491Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices

Definitions

  • the present invention relates to a method of proactively detecting and preventing an attack according to an intrusion which may occur in a wireless network, and a system for performing the method.
  • LAN wireless local area network
  • the attacks may occur in the wireless LAN which uses neither an appropriate encryption algorithm nor an authentication mechanism.
  • the attacks may occur in any network which uses the wireless LAN.
  • a measure against the attacks is passive, a serious availability problem may occur in the wireless LAN which is operated based on user convenience.
  • a current signature-based detection may not construct a safe wireless LAN against an intrusion.
  • a wireless intrusion detection system (IDS) and a wireless intrusion prevention system (IPS) have been domestically introduced to detect an attack against a wireless LAN.
  • methods for prevention and intrusion reflect an existing wired policy (detection according to a defined rule, prevention via a Media Access Control (MAC) address, and the like).
  • the methods do not reflect intrusion prevention methods which are specialized for an attack against a wireless LAN.
  • DoS Denial of Service
  • a key technology of an intrusion prevention system associated with a wireless LAN is structured to prevent traffic.
  • a small number of rules for detecting an attack on a wireless LAN are currently available.
  • an attack in the wireless LAN is based on a MAC address, not an Internet Protocol (IP) address, and an attacking location may not be traced due to properties of the wireless LAN.
  • IP Internet Protocol
  • a different policy and technology from a wired line must be reflected in the wireless LAN, for example, the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard.
  • IEEE Institute of Electrical and Electronics Engineers
  • a safety function is based on a Wired Equivalent Privacy (WEP) protocol which has weak encryption, and an authentication protocol is based on 802. Ix.
  • WEP Wired Equivalent Privacy
  • an IPS may not be employed.
  • ESM Enterprise Security Management
  • Bluetooth was in the spotlight as a local communication method, but became unpopular due to a module price.
  • Bluetooth is utilized for various technology developments, such as Enhanced Data Rate (EDR), and the like.
  • EDR Enhanced Data Rate
  • OEM Original Equipment Manufacturer
  • PDA personal digital assistant
  • Bluetooth is being released in an Original Equipment Manufacturer (OEM) form, as a basic communication medium of a notebook computer, a personal digital assistant (PDA), a mobile telephone, and the like.
  • OEM Original Equipment Manufacturer
  • PDA personal digital assistant
  • Bluetooth communication traffic using Bluetooth is also on the rise.
  • a Bluetooth communication technology including a Code Division Multiplex Access (CDMA) network may also be more frequently utilized.
  • CDMA Code Division Multiplex Access
  • the Korean government is required to pay more attention to a wireless LAN and Bluetooth as key local wireless network technologies.
  • the Korean government is required to study technologies which can cope with future possible hacking.
  • Bluetooth has a tendency to be used for a DoS attack in a similar form to a wireless LAN and attack a vulnerable point of an application which is installed in a PDA or a mobile phone.
  • a study about a future safe communication method is required.
  • the hacker may utilize the wireless network without submitting to an authentication process, or interfering with a normal connection of the wireless terminal, which normally receives a wireless service, with the hacker's own developed code or a known open-source-based tool.
  • the conventional wireless intrusion prevention system registers a corresponding MAC address to a blacklist.
  • the conventional wireless intrusion prevention system prevents the hacker from using an Internet service without authentication from the wireless network.
  • such an attempt to use the Internet service without an authentication may be attempted at any time while changing an intrusion method a little. Accordingly, the conventional wireless intrusion prevention system may not become a fundamental solution.
  • the present invention provides a method and system for proactively detecting and preventing a possible intrusion into a wireless network including a wireless LAN and Bluetooth.
  • a method of detecting and preventing an intrusion into a wireless network including: detecting an occurrence of the intrusion, based on a database which stores information associated with the intrusion; acquiring additional attack information associated with the intrusion by recognizing a wireless terminal, which generates the intrusion, as an attacking terminal and guiding the attacking terminal to a predetermined virtual device; preventing the attacking terminal from accessing the wireless network by transmitting a proactive blocking attack to the attacking terminal after storing the additional attack information; and reporting all information associated with the intrusion to a network manager terminal of the wireless network.
  • the wireless network includes a wireless local area network (LAN) or Bluetooth
  • the detecting may include: periodically collecting a frame associated with the wireless network; searching the database to check whether the frame corresponds to an attacking frame; and comparing information associated with the frame, and information associated with the intrusion, which is stored in the database, and when identical, recognizing the frame as the attacking frame and detecting the occurrence of the intrusion.
  • LAN wireless local area network
  • Bluetooth Bluetooth
  • the virtual device includes a wireless honeypot
  • the acquiring may include: guiding an attacking frame to the virtual device by transmitting the attacking frame, which has been received from the attacking terminal, to the virtual device; and acquiring the additional attack information associated with the intrusion via the virtual device, the virtual device providing an attacker of the attacking terminal with an identical service to a normal service which is received in a destination of the attacking terminal.
  • the proactive blocking attack comprises a proactive Denial of Service (DoS) attack
  • the preventing may include: preventing the attacking terminal, which performs the intrusion, from accessing the wireless network via the proactive DoS attack; extracting a Media Access Control (MAC) address, and adding the extracted MAC address to a blacklist; and preventing the attacking terminal from accessing the wireless network by continuously monitoring the wireless network with reference to the blacklist.
  • DoS proactive Denial of Service
  • a proactive wireless intrusion preventing system including: a collection unit periodically collecting attack signature information which is included in a frame for Bluetooth equipment, a wireless terminal, and an access point corresponding to components of a wireless network; a database storing the collected attack signature information; a search unit searching the database to check whether the frame corresponds to an attacking frame; a comparison unit comparing the attack signature information, which is stored in the database, and information associated with the frame; a guide unit guiding the frame, which is determined as the attacking frame, to a wireless honeypot; a processing unit preventing a wireless terminal from accessing the wireless network by transmitting a proactive blocking frame to the wireless terminal which transmits the attacking frame; a reporting unit reporting information associated with the attacking frame to a network manager terminal of the wireless network via an email and/or a Short Message Service (SMS) message; and a storage unit storing information about the intrusion associated with the attacking frame, and information about an additional intrusion, which is not stored in the database, to provide additional attack signature
  • SMS Short Message Service
  • FIG. 1 is a schematic diagram illustrating a proactive wireless intrusion preventing system according to an exemplary embodiment of the present invention
  • FIG. 2 is a flowchart illustrating a method of detecting an intrusion into a wireless network and proactively preventing the detected intrusion according to an exemplary embodiment of the present invention
  • FIG. 3 is a flowchart illustrating an example of a proactive wireless intrusion preventing method according to an exemplary embodiment of the present invention
  • FIG. 4 is a block diagram illustrating a configuration of a proactive wireless intrusion preventing system according to an exemplary embodiment of the present invention.
  • FIG. 1 is a schematic diagram illustrating a proactive wireless intrusion preventing system 110 according to an exemplary embodiment of the present invention.
  • the proactive wireless intrusion preventing system 110 includes a frame capture module 111, a frame analysis module 112, a proactive intrusion prevention module 113, and an alarm module 114.
  • the frame capture module 111 captures a frame which is transmitted from a wireless LAN terminal and a Bluetooth terminal within a range of the proactive wireless intrusion preventing system 110.
  • the frame includes a control frame and a management frame which are used for transmitting data. Also, the frame is mapped with a wireless vulnerability database 121, and captured and utilized to determine whether the frame is transmitted for an attack against an access point or a wireless terminal which are corresponding components of a wireless network. In addition, the frame goes through a common formatting process, to be easily analyzed by the frame analysis module 112 when capturing the frame.
  • the frame analysis module 112 determines whether the frame, which went through the formatting process and was received from the frame capture module 111, was transmitted for a normal wireless use.
  • an analysis target i.e. the frame
  • the frame of the frame analysis module 112 includes a frame which is associated with Layer 2 in an Open Systems Interconnection (OSI) 7 Layer-Model, and a packet which is associated with a layer higher than Layer 3 that is transmitted from a wireless LAN or Bluetooth.
  • the frame analysis module 112 determines whether the frame corresponds to an attacking frame of an attacker via the wireless vulnerability database 121. When the frame does not correspond to the attacking frame, the frame analysis module 112 allows a corresponding wireless LAN terminal to use the access point, and connect a Bluetooth terminal to another Bluetooth terminal which requests a connection. However, when the frame corresponds to the attacking frame, the frame analysis module 112 transmits information to the intrusion prevention module 113 to notify the same of the intrusion.
  • OSI Open Systems Interconnection
  • the intrusion prevention module 113 proactively removes a frame, which is determined as an attacking terminal by the frame analysis module 112, from a network.
  • the intrusion prevention module 113 forwards a corresponding connection to a wireless honeypot 130, and provides an environment as if the attacking terminal of the attacker associated with the attack is normally connected to the wireless network.
  • the attacker may continue to perform an attack via the attacking terminal.
  • the proactive wireless intrusion preventing system 110 acquires detailed information about the attack.
  • the attacking frame includes a Denial of Service (DoS) attack which is provided by the intrusion prevention module 113.
  • DoS Denial of Service
  • information of the prevented attacking terminal is registered to a list of access denial hosts so as to fundamentally prevent a continuous attack of the attacking terminal.
  • DoS Denial of Service
  • the alarm module 114 transmits information associated with a current status of a serious attack to a terminal of a network manager 140, so that the network manager 140 may prepare against an additional attack.
  • the information may be transferred from the alarm module 114 to a terminal of the network manager 140 via an email and/or a Short Messaging Service (SMS).
  • SMS Short Messaging Service
  • the proactive wireless intrusion preventing system of the present invention functions to incapacitate any access attempt of an attacking terminal by proactively performing a DoS attack against the attacking terminal, based on a great amount of detection rules.
  • the detection rules are more systematically arranged than an existing system with respect to a wireless intrusion.
  • the proactive wireless intrusion preventing system guides the attacking terminal to a wireless honeypot by using a honeypot technology, so as to prevent future attacks and acquire detailed information about the attack.
  • the proactive wireless intrusion preventing system may prevent an attempt for using the Internet without authentication, and also prevent the attack of the attacking terminal which may be connected to a DoS attack against components, for example, an access point and a wireless terminal, of the wireless network. Accordingly, when applying the proactive wireless intrusion preventing system, it is possible to construct a wireless LAN which is safe from the attack.
  • the proactive wireless intrusion preventing system may similarly operate to detect and prevent an attack of the attacking terminal.
  • the proactive wireless intrusion preventing system may be manufactured as a single hardware chip or expanded into a single sensor of a sensor network in a mobile environment.
  • the proactive wireless intrusion preventing system generally includes four components.
  • a first component may be a wireless vulnerability database.
  • the wireless vulnerability database is a systematically well-arranged wireless attack detection rule, and may detect an attack against almost all wireless LANs and Bluetooth. Patterns of attacks against the wireless LANs may be classified into a Wired Equivalent Privacy (WEP) cracking attack, a DoS attack, a session hijacking attack, a fake access point (AP) attack, and a sniffing attack. Each of the classified attacks may be further classified. Also, patterns of attacks against Bluetooth may be classified into a DoS attack and an application vulnerability attack.
  • WEP Wired Equivalent Privacy
  • attacks which may be expanded from a wired line into a wireless line are included in the proactive wireless intrusion preventing system. The attacks may be utilized as a tool for preventing an additional attack from expanding into the wired line.
  • a second component may be a reporting system including a reporting tool.
  • the reporting system may report data, which is arranged with respect to an intrusion into the wireless LAN, to a management system.
  • a network manager may make a determination on the intrusion and make a preparation against future attacks, based on the reported data.
  • a third component may be a proactive wireless prevention module.
  • the proactive wireless prevention module is utilized to perform a proactive DoS attack against a detected wireless attack, and thereby maintain the wireless network to be safe from the intrusion.
  • the wireless prevention module includes an attack function against the detected wireless terminal, and also includes a function of adding the wireless terminal to a blacklist.
  • the wireless prevention module functions to prevent the wireless terminal from accessing the wireless network via the DoS attack, and thereby prevent an additional intrusion of the wireless terminal.
  • MAC Media Access Control
  • a fourth component may be a wireless honeypot module.
  • the wireless honeypot module provides an environment as if the attacking terminal is connected to a corresponding wireless device, while preventing an attacker of the attacking terminal from recognizing the provided environment.
  • the wireless honeypot module may store attack information of the attacker and also acquire information about a predictable attack pattern.
  • FIG. 2 is a flowchart illustrating a method of detecting an intrusion into a wireless network and proactively preventing access by the detected intrusion according to an exemplary embodiment of the present invention.
  • a proactive wireless intrusion preventing system detects an occurrence of the intrusion, based on a database which stores information associated with the intrusion.
  • the database may include a wireless vulnerability database which includes an abnormal traffic database, a detailed wireless LAN intrusion detection database, and a detailed Bluetooth intrusion detection database.
  • the intrusion may include attack signature information which includes all harmful actions to the wireless network or components of the wireless network.
  • operation S210 may include operations S211 through S215.
  • the proactive wireless intrusion preventing system periodically collects a frame associated with a wireless LAN and Bluetooth, and the attack signature information.
  • the attack signature information may include a packet which includes substantial attacking pattern data as information associated with the intrusion.
  • the proactive wireless intrusion preventing system searches the database to check whether the frame corresponds to an attacking frame.
  • the proactive wireless intrusion preventing system determines whether a search result is identical to the attack signature information which is stored in the database. When identical, the proactive wireless intrusion preventing system performs operation S214. Also, when not identical, the proactive wireless intrusion preventing system performs operation S215.
  • the proactive wireless intrusion preventing system compares information associated with the frame, and information associated with the intrusion, which is stored in the database, and when identical, recognizes the frame as the attacking frame and detects an occurrence of the intrusion.
  • the proactive wireless intrusion preventing system forwards the frame to a destination of the frame.
  • the proactive wireless intrusion preventing system allows the frame access in Layer 2 with respect to a Bluetooth device.
  • the proactive wireless intrusion preventing system allows the frame for an association with respect to an access point.
  • the proactive wireless intrusion preventing system acquires additional attack information associated with the intrusion by recognizing a wireless terminal, which generates the intrusion, as an attacking terminal and guides the attacking terminal to a predetermined virtual device.
  • the proactive wireless intrusion preventing system guides the attacking frame to the wireless honeypot, and provides the attacking frame with information identical to information which may be provided in a normal service.
  • the proactive wireless intrusion preventing system misleads a user of the attacking terminal into thinking that the normal service is available, and thus transmit an additional attacking frame via the attacking terminal.
  • the additional attack information may be acquired.
  • the proactive wireless intrusion preventing system stores the additional attack information, which is acquired via the guided attacking frame to the wireless honeypot, in the database.
  • the additional attack information may be utilized as detailed information to determine an integrate Internet threat.
  • the proactive wireless intrusion preventing system prevents an access of the attacking terminal by transmitting a proactive blocking frame to the attacking terminal transmitting an attacking frame to the wireless honeypot.
  • the proactive wireless intrusion preventing system may prevent the attacking terminal, which performs the intrusion, from accessing the wireless network via the proactive DoS attack against the attacking terminal.
  • the proactive wireless intrusion preventing system may extract a MAC address of the attacking terminal, and add the extracted MAC address to a blacklist, and prevent the attacking terminal from accessing the wireless network by continuously monitoring the wireless network with reference to the blacklist.
  • the proactive wireless intrusion preventing system reports all information associated with the intrusion into a network manager terminal of the wireless network.
  • the all information may include the additional attack information which is stored in operation S230.
  • the all information may be reported to the network manager terminal via an email and/or an SMS message.
  • the proactive wireless intrusion preventing system repeats operations S210 through S250 until a termination command is transmitted from the network manager terminal in operation S260.
  • the proactive wireless intrusion preventing system may prevent an attacking terminal from accessing a wireless network by using a proactive DoS attack against the attacking terminal. Also, the proactive wireless intrusion preventing system may improve the safety of the wireless network.
  • a proactive wireless intrusion preventing method which can include attack detection technology for Bluetooth in a wireless LAN intrusion detection system, expand a wireless attack detection rule, and thereby can prevent an intrusion into a wireless LAN and a Bluetooth environment.
  • FIG. 3 is a flowchart illustrating an example of a proactive wireless intrusion preventing method according to an exemplary embodiment of the present invention.
  • a proactive wireless intrusion preventing system collects a frame in a wireless network, searches a database including attack signature information, recognizes the frame including the attack signature information as an attacking frame, and thereby, detects an intrusion into the wireless network.
  • the wireless network includes a wireless LAN and Bluetooth.
  • the attack signature information may include information associated with a WEP cracking attack, a DoS attack, a session hijacking attack, a fake AP attack, and a sniffing attack. Also, each of the attacks may be further classified. Patterns of attacks against Bluetooth may be classified into a DoS attack and an application vulnerability attack.
  • attacks which may be expanded from a wired line to a wireless line may be included in the proactive wireless intrusion preventing system.
  • the attacks may be utilized as a tool capable of preventing an additional attack from expanding into the wired line.
  • the proactive wireless intrusion preventing system performs operation S325. Also, when the attacking frame is detected, the proactive wireless intrusion preventing system performs operation S330. In operation S325, when the attacking frame is not detected, the proactive wireless intrusion preventing system allows the frame to access to Bluetooth equipment or an access point, so that the frame may normally access the wireless network.
  • the proactive wireless intrusion preventing system guides the attacking frame to a wireless honeypot.
  • the wireless honeypot provides a service identical to a service which is provided in a destination of the attacking frame. Specifically, the wireless honeypot provides the attacker of the attacking terminal with the same environment as a normal service and induces the attacker continue to perform an additional attack.
  • the proactive wireless intrusion preventing system extracts additional attack information from the attacking frame which is transmitted for an additional attack, and also extracts attack information, which is included in an additionally transmitted attacking frame, from the attacking terminal of the attacker.
  • the proactive wireless intrusion preventing system prevents an access of the attacking terminal by transmitting a proactive frame to the attacking terminal.
  • the proactive wireless intrusion preventing system maintains a wireless network to be safe from the intrusion via a proactive DoS attack against the detected attacking terminal.
  • the proactive wireless intrusion preventing system includes a function of adding the attacking terminal to a blacklist.
  • the proactive wireless intrusion preventing system prevents the attacking terminal from accessing the wireless network via the DoS attack and thereby prevents an additional intrusion of the attacking terminal.
  • the proactive wireless intrusion preventing system transmits information of the prevented attacking terminal and all other information associated with the intrusion to a terminal of a network manager via an email and/or an SMS message.
  • the proactive wireless intrusion preventing system transmits information of the prevented attacking terminal and all other information associated with the intrusion to a terminal of a network manager via an email and/or an SMS message.
  • the proactive wireless intrusion preventing system may prevent the attacking terminal from accessing the wireless network by transmitting a proactive frame to the detected attacking terminal and using the DoS attack.
  • the proactive wireless intrusion preventing system may prevent the attacking terminal from accessing the wireless network by transmitting a proactive frame to the detected attacking terminal and using the DoS attack.
  • FIG. 4 is a block diagram illustrating an internal configuration of a proactive wireless intrusion preventing system according to an exemplary embodiment of the present invention.
  • the proactive wireless intrusion preventing system includes a collection unit 410, a database 420, a comparison unit 430, a guide unit 440, a processing unit 450, a reporting unit 460, and a storage unit 470.
  • the collection unit 410 periodically collects attack signature information which is included in a frame for a Bluetooth equipment, a wireless terminal, and an access point corresponding to components of a wireless network.
  • the database 420 stores the collected attack signature information.
  • the database 420 may be a wireless vulnerability database which includes an abnormal traffic database, a detailed wireless LAN intrusion detection database, and a detailed Bluetooth intrusion detection database.
  • the proactive wireless intrusion preventing system may further include a search unit (not shown).
  • the search unit searches the database 420 to check whether an attacking frame exists via the wireless frame.
  • the comparison unit 430 compares the attack signature information, which is stored in the database 420, and information associated with the frame. When identical, the frame may be determined as the attacking frame.
  • the guide unit 440 guides the frame, which is determined as the attacking frame in the comparison unit 430, to a wireless honeypot.
  • the wireless honeypot may mislead a user of the attacking terminal into thinking the user receives a normal service and thus, continues to perform an intrusion, by providing a service identical to a service which is provided in a destination of the attacking frame.
  • Attack information including additional attack signature information may be acquired from the continuous intrusion.
  • the processing unit 450 prevents a wireless terminal from accessing the wireless network by transmitting a blocking frame to the wireless terminal which transmits the attacking frame.
  • the blocking frame includes a proactive DoS attack against the attacking terminal.
  • the reporting unit 460 reports information associated with the attacking frame to a network manager terminal of the wireless network via an email and an SMS message. Through the above-described process, the network manager may prepare against an additional attack.
  • the storage unit 470 stores information about an attack including the attacking frame in the database 420.
  • the information when the information is not stored in the database 420, i.e. additional attack signature information, the information may be utilized as reference data for providing the additional attack signature information.
  • the embodiments of the present invention include computer-readable media including program instructions to implement various operations embodied by a computer.
  • the media may also include, alone or in combination with the program instructions, data files, data structures, tables, and the like.
  • the media and program instructions may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts.
  • Examples of computer-readable media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks; magneto-optical media such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read- only memory devices (ROM) and random access memory (RAM).
  • the media may also be a transmission medium such as optical or metallic lines, wave guides, etc. including a carrier wave transmitting signals specifying the program instructions, data structures, etc.
  • Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
  • a proactive wireless intrusion preventing method which can include an attack detection technology for Bluetooth in a wireless LAN intrusion detection system, expand a wireless attack detection rule, and thereby can prevent an intrusion into a wireless LAN and a
  • the present invention it is possible to prevent a possible intrusion from occurring in a wireless network and improve a safety of the wireless network by introducing a proactive wireless intrusion preventing system for performing the proactive wireless intrusion preventing method, and preventing an attacking terminal from accessing the wireless network via a proactive DoS attack against the attacking terminal.
  • the present invention it is possible to acquire detailed information about an attacker's act and thereby, analyze and prepare against an integrated Internet threat by providing a detection function and a prevention function for an attack based on a Bluetooth technology, and monitoring an attack of an attacker associated with an attacking terminal with a wireless honeypot technology.

Abstract

A method of detecting and preventing an intrusion into a wireless network, the method including: detecting an occurrence of the intrusion, based on a database which stores information associated with the intrusion; acquiring additional attack information associated with the intrusion by recognizing a wireless terminal, which generates the intrusion, as an attacking terminal and guiding the attacking terminal to a predetermined virtual device; preventing the attacking terminal from accessing the wireless network by transmitting a proactive blocking attack to the attacking terminal after storing the additional attack information; and reporting all information associated with the intrusion to a network manager terminal of the wireless network is provided.

Description

METHOD FOR PRO ACTIVELY PREVENTING WIRELESS ATTACKS AND
APPARATUS THEREOF
Technical Field The present invention relates to a method of proactively detecting and preventing an attack according to an intrusion which may occur in a wireless network, and a system for performing the method.
Background Art Attacks against a wireless local area network (LAN) generally include attacks against an access point and a wireless LAN terminal which constitute the wireless LAN. The attacks may occur in the wireless LAN which uses neither an appropriate encryption algorithm nor an authentication mechanism. Also, the attacks may occur in any network which uses the wireless LAN. Thus, when a measure against the attacks is passive, a serious availability problem may occur in the wireless LAN which is operated based on user convenience. Also, a current signature-based detection may not construct a safe wireless LAN against an intrusion.
A wireless intrusion detection system (IDS) and a wireless intrusion prevention system (IPS) have been domestically introduced to detect an attack against a wireless LAN. However, methods for prevention and intrusion reflect an existing wired policy (detection according to a defined rule, prevention via a Media Access Control (MAC) address, and the like). Specifically, the methods do not reflect intrusion prevention methods which are specialized for an attack against a wireless LAN. Thus, an attacker who uses a Denial of Service (DoS) attack by abusing the wireless LAN or a fundamental solution for the attacker may not be found.
A study about a detection method, based on a well-known detection rule, puts an emphasis on a response of a safety life-cycle. Also, a study about a method of proactively attacking and preventing an attacking host based on a detection rule puts an emphasis on a prevention. Considering that latest information protection technology has a proactive trend, the prevention is more important than the response.
For an attack pattern that is identical to a maintained rule based on a well- known intrusion detection rule, a key technology of an intrusion prevention system associated with a wireless LAN is structured to prevent traffic. However, only a small number of rules for detecting an attack on a wireless LAN are currently available. Also, an attack in the wireless LAN is based on a MAC address, not an Internet Protocol (IP) address, and an attacking location may not be traced due to properties of the wireless LAN. Thus, preventing an access by a wireless terminal is performed based on a blacklist using a MAC address list.
A different policy and technology from a wired line must be reflected in the wireless LAN, for example, the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. However, for service convenience, a safety function is based on a Wired Equivalent Privacy (WEP) protocol which has weak encryption, and an authentication protocol is based on 802. Ix. Also, an IPS may not be employed. In addition, since a wireless IPS is integrated into Enterprise Security Management (ESM) technology which is used in a wired line, a domestic understanding about the wireless LAN safety is quite behind to appropriately respond to a general threat. In this circumstance, the current wireless IPS has a small number of detection rules to appropriately handle various types of attacks against the wireless LAN. Also, since the current wireless IPS has a comparatively underdeveloped prevention method, it may take a great amount of time to detect and respond to even a well-known attack.
In early 2000, Bluetooth was in the spotlight as a local communication method, but became unpopular due to a module price. Currently, Bluetooth is utilized for various technology developments, such as Enhanced Data Rate (EDR), and the like. Also, Bluetooth is being released in an Original Equipment Manufacturer (OEM) form, as a basic communication medium of a notebook computer, a personal digital assistant (PDA), a mobile telephone, and the like. Thus, communication traffic using Bluetooth is also on the rise. In addition, since various types of services are expected to be provided based on a mobile phone, a Bluetooth communication technology including a Code Division Multiplex Access (CDMA) network may also be more frequently utilized. Specifically, in the United States, a great number of studies on virus cycles and/or hacking technologies are in progress. Accordingly, the Korean government is required to pay more attention to a wireless LAN and Bluetooth as key local wireless network technologies. Specifically, the Korean government is required to study technologies which can cope with future possible hacking. Bluetooth has a tendency to be used for a DoS attack in a similar form to a wireless LAN and attack a vulnerable point of an application which is installed in a PDA or a mobile phone. Thus, a study about a future safe communication method is required.
Hereinafter, a method of operating a wireless intrusion prevention system according to a conventional art will be described. When a hacker who desires to attack a wireless terminal or an access point among components of a wireless network does so, the hacker may utilize the wireless network without submitting to an authentication process, or interfering with a normal connection of the wireless terminal, which normally receives a wireless service, with the hacker's own developed code or a known open-source-based tool. In this case, when an attack is detected based on a maintained detection rule, the conventional wireless intrusion prevention system registers a corresponding MAC address to a blacklist. When the attack is subsequently attempted, the conventional wireless intrusion prevention system prevents the hacker from using an Internet service without authentication from the wireless network. However, such an attempt to use the Internet service without an authentication may be attempted at any time while changing an intrusion method a little. Accordingly, the conventional wireless intrusion prevention system may not become a fundamental solution.
Disclosure of Invention Technical Goals
The present invention provides a method and system for proactively detecting and preventing a possible intrusion into a wireless network including a wireless LAN and Bluetooth.
It is an aspect of the present invention to provide a proactive wireless intrusion preventing method which can include an attack detection technology for Bluetooth in a wireless LAN intrusion detection system, expand a wireless attack detection rule, and thereby can prevent an intrusion into a wireless LAN and a Bluetooth environment.
It is another aspect of the present invention to prevent a possible intrusion from occurring in a wireless network and improve a safety of the wireless network by introducing a proactive wireless intrusion preventing system for performing the proactive wireless intrusion preventing method, and preventing an attacking terminal from accessing the wireless network via a proactive DoS attack against the attacking terminal.
It is still another aspect of the present invention to acquire detailed information about an attacker's act and thereby, analyze and prepare against an integrated Internet threat by providing a detection function and a prevention function for an attack based on a Bluetooth technology, and monitoring an attack of an attacker associated with an attacking terminal with a wireless honeypot technology.
Technical solutions
According to an aspect of the present invention, there is provided a method of detecting and preventing an intrusion into a wireless network, the method including: detecting an occurrence of the intrusion, based on a database which stores information associated with the intrusion; acquiring additional attack information associated with the intrusion by recognizing a wireless terminal, which generates the intrusion, as an attacking terminal and guiding the attacking terminal to a predetermined virtual device; preventing the attacking terminal from accessing the wireless network by transmitting a proactive blocking attack to the attacking terminal after storing the additional attack information; and reporting all information associated with the intrusion to a network manager terminal of the wireless network.
According to another aspect of the present invention, the wireless network includes a wireless local area network (LAN) or Bluetooth, and the detecting may include: periodically collecting a frame associated with the wireless network; searching the database to check whether the frame corresponds to an attacking frame; and comparing information associated with the frame, and information associated with the intrusion, which is stored in the database, and when identical, recognizing the frame as the attacking frame and detecting the occurrence of the intrusion.
According to still another aspect of the present invention, the virtual device includes a wireless honeypot, and the acquiring may include: guiding an attacking frame to the virtual device by transmitting the attacking frame, which has been received from the attacking terminal, to the virtual device; and acquiring the additional attack information associated with the intrusion via the virtual device, the virtual device providing an attacker of the attacking terminal with an identical service to a normal service which is received in a destination of the attacking terminal. According to yet another aspect of the present invention, the proactive blocking attack comprises a proactive Denial of Service (DoS) attack, and the preventing may include: preventing the attacking terminal, which performs the intrusion, from accessing the wireless network via the proactive DoS attack; extracting a Media Access Control (MAC) address, and adding the extracted MAC address to a blacklist; and preventing the attacking terminal from accessing the wireless network by continuously monitoring the wireless network with reference to the blacklist.
According to still another aspect of the present invention, there is provided a proactive wireless intrusion preventing system including: a collection unit periodically collecting attack signature information which is included in a frame for Bluetooth equipment, a wireless terminal, and an access point corresponding to components of a wireless network; a database storing the collected attack signature information; a search unit searching the database to check whether the frame corresponds to an attacking frame; a comparison unit comparing the attack signature information, which is stored in the database, and information associated with the frame; a guide unit guiding the frame, which is determined as the attacking frame, to a wireless honeypot; a processing unit preventing a wireless terminal from accessing the wireless network by transmitting a proactive blocking frame to the wireless terminal which transmits the attacking frame; a reporting unit reporting information associated with the attacking frame to a network manager terminal of the wireless network via an email and/or a Short Message Service (SMS) message; and a storage unit storing information about the intrusion associated with the attacking frame, and information about an additional intrusion, which is not stored in the database, to provide additional attack signature information.
Brief Description of Drawings
FIG. 1 is a schematic diagram illustrating a proactive wireless intrusion preventing system according to an exemplary embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method of detecting an intrusion into a wireless network and proactively preventing the detected intrusion according to an exemplary embodiment of the present invention;
FIG. 3 is a flowchart illustrating an example of a proactive wireless intrusion preventing method according to an exemplary embodiment of the present invention; and FIG. 4 is a block diagram illustrating a configuration of a proactive wireless intrusion preventing system according to an exemplary embodiment of the present invention.
Best Mode for Carrying Out the Invention
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments are described below in order to explain the present invention by referring to the figures. FIG. 1 is a schematic diagram illustrating a proactive wireless intrusion preventing system 110 according to an exemplary embodiment of the present invention. As shown in FIG. 1, the proactive wireless intrusion preventing system 110 includes a frame capture module 111, a frame analysis module 112, a proactive intrusion prevention module 113, and an alarm module 114. The frame capture module 111 captures a frame which is transmitted from a wireless LAN terminal and a Bluetooth terminal within a range of the proactive wireless intrusion preventing system 110. In this case, the frame includes a control frame and a management frame which are used for transmitting data. Also, the frame is mapped with a wireless vulnerability database 121, and captured and utilized to determine whether the frame is transmitted for an attack against an access point or a wireless terminal which are corresponding components of a wireless network. In addition, the frame goes through a common formatting process, to be easily analyzed by the frame analysis module 112 when capturing the frame.
The frame analysis module 112 determines whether the frame, which went through the formatting process and was received from the frame capture module 111, was transmitted for a normal wireless use. In this case, an analysis target, i.e. the frame, of the frame analysis module 112 includes a frame which is associated with Layer 2 in an Open Systems Interconnection (OSI) 7 Layer-Model, and a packet which is associated with a layer higher than Layer 3 that is transmitted from a wireless LAN or Bluetooth. The frame analysis module 112 determines whether the frame corresponds to an attacking frame of an attacker via the wireless vulnerability database 121. When the frame does not correspond to the attacking frame, the frame analysis module 112 allows a corresponding wireless LAN terminal to use the access point, and connect a Bluetooth terminal to another Bluetooth terminal which requests a connection. However, when the frame corresponds to the attacking frame, the frame analysis module 112 transmits information to the intrusion prevention module 113 to notify the same of the intrusion.
The intrusion prevention module 113 proactively removes a frame, which is determined as an attacking terminal by the frame analysis module 112, from a network. In this instance, when the attack is a connection-oriented attack including data, the intrusion prevention module 113 forwards a corresponding connection to a wireless honeypot 130, and provides an environment as if the attacking terminal of the attacker associated with the attack is normally connected to the wireless network. Thus, the attacker may continue to perform an attack via the attacking terminal. In this case, the proactive wireless intrusion preventing system 110 acquires detailed information about the attack. When a determination is made that a necessary amount of information is collected from packets during a predetermined period of time and, the forwarded connection of the attacking terminal is prevented in the network via another attacking frame. Here, the attacking frame includes a Denial of Service (DoS) attack which is provided by the intrusion prevention module 113. Also, information of the prevented attacking terminal is registered to a list of access denial hosts so as to fundamentally prevent a continuous attack of the attacking terminal.
While the intrusion prevention module 113 automatically prevents most attacking patterns, the alarm module 114 transmits information associated with a current status of a serious attack to a terminal of a network manager 140, so that the network manager 140 may prepare against an additional attack. In this case, the information may be transferred from the alarm module 114 to a terminal of the network manager 140 via an email and/or a Short Messaging Service (SMS).
As described above, when an attack occurs, the proactive wireless intrusion preventing system of the present invention functions to incapacitate any access attempt of an attacking terminal by proactively performing a DoS attack against the attacking terminal, based on a great amount of detection rules. Here, the detection rules are more systematically arranged than an existing system with respect to a wireless intrusion. Also, the proactive wireless intrusion preventing system guides the attacking terminal to a wireless honeypot by using a honeypot technology, so as to prevent future attacks and acquire detailed information about the attack. Also, the proactive wireless intrusion preventing system may prevent an attempt for using the Internet without authentication, and also prevent the attack of the attacking terminal which may be connected to a DoS attack against components, for example, an access point and a wireless terminal, of the wireless network. Accordingly, when applying the proactive wireless intrusion preventing system, it is possible to construct a wireless LAN which is safe from the attack.
Even with respect to Bluetooth, the proactive wireless intrusion preventing system may similarly operate to detect and prevent an attack of the attacking terminal. Also, the proactive wireless intrusion preventing system may be manufactured as a single hardware chip or expanded into a single sensor of a sensor network in a mobile environment.
Also, the proactive wireless intrusion preventing system generally includes four components.
A first component may be a wireless vulnerability database. The wireless vulnerability database is a systematically well-arranged wireless attack detection rule, and may detect an attack against almost all wireless LANs and Bluetooth. Patterns of attacks against the wireless LANs may be classified into a Wired Equivalent Privacy (WEP) cracking attack, a DoS attack, a session hijacking attack, a fake access point (AP) attack, and a sniffing attack. Each of the classified attacks may be further classified. Also, patterns of attacks against Bluetooth may be classified into a DoS attack and an application vulnerability attack. In addition to the above-described unique wireless attacks, attacks which may be expanded from a wired line into a wireless line are included in the proactive wireless intrusion preventing system. The attacks may be utilized as a tool for preventing an additional attack from expanding into the wired line.
A second component may be a reporting system including a reporting tool. The reporting system may report data, which is arranged with respect to an intrusion into the wireless LAN, to a management system. A network manager may make a determination on the intrusion and make a preparation against future attacks, based on the reported data. A third component may be a proactive wireless prevention module. The proactive wireless prevention module is utilized to perform a proactive DoS attack against a detected wireless attack, and thereby maintain the wireless network to be safe from the intrusion. In this instance, the wireless prevention module includes an attack function against the detected wireless terminal, and also includes a function of adding the wireless terminal to a blacklist. Thus, when a wireless terminal corresponding to a Media Access Control (MAC) address, which is included in the blacklist, exists in the wireless network via scanning of the wireless network, the wireless prevention module functions to prevent the wireless terminal from accessing the wireless network via the DoS attack, and thereby prevent an additional intrusion of the wireless terminal.
A fourth component may be a wireless honeypot module. The wireless honeypot module provides an environment as if the attacking terminal is connected to a corresponding wireless device, while preventing an attacker of the attacking terminal from recognizing the provided environment. Thus, the wireless honeypot module may store attack information of the attacker and also acquire information about a predictable attack pattern.
FIG. 2 is a flowchart illustrating a method of detecting an intrusion into a wireless network and proactively preventing access by the detected intrusion according to an exemplary embodiment of the present invention. Referring to FIG. 2, in operation S210, a proactive wireless intrusion preventing system detects an occurrence of the intrusion, based on a database which stores information associated with the intrusion. In this case, the database may include a wireless vulnerability database which includes an abnormal traffic database, a detailed wireless LAN intrusion detection database, and a detailed Bluetooth intrusion detection database. Also, the intrusion may include attack signature information which includes all harmful actions to the wireless network or components of the wireless network. Also, operation S210 may include operations S211 through S215.
In operation S211, the proactive wireless intrusion preventing system periodically collects a frame associated with a wireless LAN and Bluetooth, and the attack signature information. In this case, the attack signature information may include a packet which includes substantial attacking pattern data as information associated with the intrusion. In operation S212, the proactive wireless intrusion preventing system searches the database to check whether the frame corresponds to an attacking frame.
In operation S213, the proactive wireless intrusion preventing system determines whether a search result is identical to the attack signature information which is stored in the database. When identical, the proactive wireless intrusion preventing system performs operation S214. Also, when not identical, the proactive wireless intrusion preventing system performs operation S215.
In operation S214, the proactive wireless intrusion preventing system compares information associated with the frame, and information associated with the intrusion, which is stored in the database, and when identical, recognizes the frame as the attacking frame and detects an occurrence of the intrusion.
In operation S215, when not identical, the proactive wireless intrusion preventing system forwards the frame to a destination of the frame. In this case, when the frame is associated with Bluetooth, the proactive wireless intrusion preventing system allows the frame access in Layer 2 with respect to a Bluetooth device. Also, when the frame is associated with the wireless LAN, the proactive wireless intrusion preventing system allows the frame for an association with respect to an access point.
In operation S220, the proactive wireless intrusion preventing system acquires additional attack information associated with the intrusion by recognizing a wireless terminal, which generates the intrusion, as an attacking terminal and guides the attacking terminal to a predetermined virtual device. In this instance, as the occurrence of the intrusion is detected, the proactive wireless intrusion preventing system guides the attacking frame to the wireless honeypot, and provides the attacking frame with information identical to information which may be provided in a normal service. Also, the proactive wireless intrusion preventing system misleads a user of the attacking terminal into thinking that the normal service is available, and thus transmit an additional attacking frame via the attacking terminal. Through a process as described above, the additional attack information may be acquired.
In operation S230, the proactive wireless intrusion preventing system stores the additional attack information, which is acquired via the guided attacking frame to the wireless honeypot, in the database. The additional attack information may be utilized as detailed information to determine an integrate Internet threat. In operation S240, the proactive wireless intrusion preventing system prevents an access of the attacking terminal by transmitting a proactive blocking frame to the attacking terminal transmitting an attacking frame to the wireless honeypot. In this instance, the proactive wireless intrusion preventing system may prevent the attacking terminal, which performs the intrusion, from accessing the wireless network via the proactive DoS attack against the attacking terminal. Also, the proactive wireless intrusion preventing system may extract a MAC address of the attacking terminal, and add the extracted MAC address to a blacklist, and prevent the attacking terminal from accessing the wireless network by continuously monitoring the wireless network with reference to the blacklist.
In operation S250, the proactive wireless intrusion preventing system reports all information associated with the intrusion into a network manager terminal of the wireless network. In this case, the all information may include the additional attack information which is stored in operation S230. Also, the all information may be reported to the network manager terminal via an email and/or an SMS message.
The proactive wireless intrusion preventing system repeats operations S210 through S250 until a termination command is transmitted from the network manager terminal in operation S260.
As described above, when using the proactive wireless intrusion preventing system for performing the proactive wireless intrusion preventing method, the proactive wireless intrusion preventing system may prevent an attacking terminal from accessing a wireless network by using a proactive DoS attack against the attacking terminal. Also, the proactive wireless intrusion preventing system may improve the safety of the wireless network. Thus, it is possible to provide a proactive wireless intrusion preventing method which can include attack detection technology for Bluetooth in a wireless LAN intrusion detection system, expand a wireless attack detection rule, and thereby can prevent an intrusion into a wireless LAN and a Bluetooth environment.
Also, according to the present invention, it is possible to acquire detailed information about an attacker's act and thereby, analyze and prepare against an integrate Internet threat by providing a detection function and a prevention function for an attack based on a Bluetooth technology, and monitoring an attack of an attacker associated with an attacking terminal with a wireless honeypot technology. FIG. 3 is a flowchart illustrating an example of a proactive wireless intrusion preventing method according to an exemplary embodiment of the present invention.
Referring to FIG. 3, in operation S310, a proactive wireless intrusion preventing system collects a frame in a wireless network, searches a database including attack signature information, recognizes the frame including the attack signature information as an attacking frame, and thereby, detects an intrusion into the wireless network. Here, the wireless network includes a wireless LAN and Bluetooth. Also, the attack signature information may include information associated with a WEP cracking attack, a DoS attack, a session hijacking attack, a fake AP attack, and a sniffing attack. Also, each of the attacks may be further classified. Patterns of attacks against Bluetooth may be classified into a DoS attack and an application vulnerability attack. In addition to the above-described unique wireless attacks, attacks which may be expanded from a wired line to a wireless line may be included in the proactive wireless intrusion preventing system. The attacks may be utilized as a tool capable of preventing an additional attack from expanding into the wired line.
As a result of operation S320, when the attacking frame is not detected, the proactive wireless intrusion preventing system performs operation S325. Also, when the attacking frame is detected, the proactive wireless intrusion preventing system performs operation S330. In operation S325, when the attacking frame is not detected, the proactive wireless intrusion preventing system allows the frame to access to Bluetooth equipment or an access point, so that the frame may normally access the wireless network.
In operation S330, when the attacking frame is detected, i.e. not in a safe status, the proactive wireless intrusion preventing system guides the attacking frame to a wireless honeypot. The wireless honeypot provides a service identical to a service which is provided in a destination of the attacking frame. Specifically, the wireless honeypot provides the attacker of the attacking terminal with the same environment as a normal service and induces the attacker continue to perform an additional attack.
In operation S340, the proactive wireless intrusion preventing system extracts additional attack information from the attacking frame which is transmitted for an additional attack, and also extracts attack information, which is included in an additionally transmitted attacking frame, from the attacking terminal of the attacker. In operation S350, the proactive wireless intrusion preventing system prevents an access of the attacking terminal by transmitting a proactive frame to the attacking terminal. In this case, the proactive wireless intrusion preventing system maintains a wireless network to be safe from the intrusion via a proactive DoS attack against the detected attacking terminal. Also, the proactive wireless intrusion preventing system includes a function of adding the attacking terminal to a blacklist. Thus, when the attacking terminal corresponding to a MAC address, which is included in the blacklist, exists in the wireless network detected via scanning of the wireless network, the proactive wireless intrusion preventing system prevents the attacking terminal from accessing the wireless network via the DoS attack and thereby prevents an additional intrusion of the attacking terminal.
In operation S360, the proactive wireless intrusion preventing system transmits information of the prevented attacking terminal and all other information associated with the intrusion to a terminal of a network manager via an email and/or an SMS message. Thus, it is possible to analyze and prepare against a general Internet threat pattern.
As described above, the proactive wireless intrusion preventing system may prevent the attacking terminal from accessing the wireless network by transmitting a proactive frame to the detected attacking terminal and using the DoS attack. Thus, it is possible to prevent a possible malicious act in the wireless network and improve a safety of the wireless network.
FIG. 4 is a block diagram illustrating an internal configuration of a proactive wireless intrusion preventing system according to an exemplary embodiment of the present invention. As shown in FIG. 4, the proactive wireless intrusion preventing system includes a collection unit 410, a database 420, a comparison unit 430, a guide unit 440, a processing unit 450, a reporting unit 460, and a storage unit 470.
The collection unit 410 periodically collects attack signature information which is included in a frame for a Bluetooth equipment, a wireless terminal, and an access point corresponding to components of a wireless network. The database 420 stores the collected attack signature information. In this instance, the database 420 may be a wireless vulnerability database which includes an abnormal traffic database, a detailed wireless LAN intrusion detection database, and a detailed Bluetooth intrusion detection database.
Also, the proactive wireless intrusion preventing system may further include a search unit (not shown). The search unit searches the database 420 to check whether an attacking frame exists via the wireless frame. The comparison unit 430 compares the attack signature information, which is stored in the database 420, and information associated with the frame. When identical, the frame may be determined as the attacking frame.
The guide unit 440 guides the frame, which is determined as the attacking frame in the comparison unit 430, to a wireless honeypot. As described above, the wireless honeypot may mislead a user of the attacking terminal into thinking the user receives a normal service and thus, continues to perform an intrusion, by providing a service identical to a service which is provided in a destination of the attacking frame.
Attack information including additional attack signature information may be acquired from the continuous intrusion. The processing unit 450 prevents a wireless terminal from accessing the wireless network by transmitting a blocking frame to the wireless terminal which transmits the attacking frame. Here, the blocking frame includes a proactive DoS attack against the attacking terminal.
The reporting unit 460 reports information associated with the attacking frame to a network manager terminal of the wireless network via an email and an SMS message. Through the above-described process, the network manager may prepare against an additional attack.
The storage unit 470 stores information about an attack including the attacking frame in the database 420. In this case, when the information is not stored in the database 420, i.e. additional attack signature information, the information may be utilized as reference data for providing the additional attack signature information.
The embodiments of the present invention include computer-readable media including program instructions to implement various operations embodied by a computer. The media may also include, alone or in combination with the program instructions, data files, data structures, tables, and the like. The media and program instructions may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of computer-readable media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD ROM disks; magneto-optical media such as optical disks; and hardware devices that are specially configured to store and perform program instructions, such as read- only memory devices (ROM) and random access memory (RAM). The media may also be a transmission medium such as optical or metallic lines, wave guides, etc. including a carrier wave transmitting signals specifying the program instructions, data structures, etc. Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
Although a few embodiments of the present invention have been shown and described, the present invention is not limited to the described embodiments. Instead, it would be appreciated by those skilled in the art that changes may be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
Industrial Applicability
According to the present invention, it is possible to provide a proactive wireless intrusion preventing method which can include an attack detection technology for Bluetooth in a wireless LAN intrusion detection system, expand a wireless attack detection rule, and thereby can prevent an intrusion into a wireless LAN and a
Bluetooth environment.
Also, according to the present invention, it is possible to prevent a possible intrusion from occurring in a wireless network and improve a safety of the wireless network by introducing a proactive wireless intrusion preventing system for performing the proactive wireless intrusion preventing method, and preventing an attacking terminal from accessing the wireless network via a proactive DoS attack against the attacking terminal.
Also, according to the present invention, it is possible to acquire detailed information about an attacker's act and thereby, analyze and prepare against an integrated Internet threat by providing a detection function and a prevention function for an attack based on a Bluetooth technology, and monitoring an attack of an attacker associated with an attacking terminal with a wireless honeypot technology.

Claims

1. A method of detecting and preventing an intrusion into a wireless network, the method comprising: detecting an occurrence of the intrusion, based on a database which stores information associated with the intrusion; acquiring additional attack information associated with the intrusion by recognizing a wireless terminal, which generates the intrusion, as an attacking terminal and guiding the attacking terminal to a predetermined virtual device; preventing the attacking terminal from accessing the wireless network by transmitting a proactive blocking attack to the attacking terminal after storing the additional attack information; and reporting all information associated with the intrusion to a network manager terminal of the wireless network.
2. The method of claim 1, wherein: the wireless network includes a wireless local area network (LAN) or Bluetooth, and the detecting comprises: periodically collecting a frame associated with the wireless network; searching the database to check whether the frame corresponds to an attacking frame; and comparing information associated with the frame, and information associated with the intrusion which is stored in the database, and when identical, recognizing the frame as the attacking frame, and detecting the occurrence of the intrusion.
3. The method of claim 1, wherein: the virtual device includes a wireless honeypot, and the acquiring comprises: guiding an attacking frame to the virtual device by transmitting the attacking frame, which has been received from the attacking terminal, to the virtual device; and acquiring the additional attack information associated with the intrusion via the virtual device, the virtual device providing an attacker of the attacking terminal with an identical service to a normal service which is received in a destination of the attacking terminal.
4. The method of claim 1 , wherein: the proactive blocking attack comprises a proactive Denial of Service (DoS) attack, and the preventing comprises: preventing the attacking terminal, which performs the intrusion, from accessing the wireless network via the proactive DoS attack; extracting a Media Access Control (MAC) address of the attacking terminal, and adding the extracted MAC address to a blacklist; and preventing the attacking terminal from accessing the wireless network by continuously monitoring the wireless network with reference to the blacklist.
5. The method of claim 1, wherein the intrusion comprises attack signature information which includes all harmful actions to the wireless network or components of the wireless network, and the database comprises a wireless vulnerability database which includes an abnormal traffic database, a detailed wireless LAN intrusion detection database, and a detailed Bluetooth intrusion detection database.
6. A computer-readable recording medium storing a program for implementing the method according to any one of claims 1 through 5.
7. A proactive wireless intrusion preventing system comprising: a collection unit periodically collecting attack signature information which is included in a frame for Bluetooth equipment, a wireless terminal, and an access point corresponding to components of a wireless network; a database storing the collected attack signature information; a search unit searching the database to check whether the frame corresponds to an attacking frame; a comparison unit comparing the attack signature information, which is stored in the database, and information associated with the frame; a guide unit guiding the frame, which is determined as the attacking frame, to a wireless honeypot; a processing unit preventing a wireless terminal from accessing the wireless network by transmitting a proactive blocking frame to the wireless terminal which transmits the attacking frame; a reporting unit reporting information associated with the attacking frame to a network manager terminal of the wireless network via an email and/or a Short Message Service (SMS) message; and a storage unit storing information about the intrusion associated with the attacking frame, and information about an additional intrusion, which is not stored in the database, to provide additional attack signature information.
PCT/KR2006/003005 2006-06-26 2006-07-31 Method for proactively preventing wireless attacks and apparatus thereof WO2008001972A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2006-0057554 2006-06-26
KR20060057554 2006-06-26

Publications (1)

Publication Number Publication Date
WO2008001972A1 true WO2008001972A1 (en) 2008-01-03

Family

ID=38845718

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/003005 WO2008001972A1 (en) 2006-06-26 2006-07-31 Method for proactively preventing wireless attacks and apparatus thereof

Country Status (1)

Country Link
WO (1) WO2008001972A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8705407B2 (en) 2010-08-25 2014-04-22 University Of Florida Research Foundation, Inc. Efficient protocols against sophisticated reactive jamming attacks
WO2014172063A1 (en) * 2013-04-19 2014-10-23 Lastline, Inc. Methods and systems for reciprocal generation of watch-lists and malware signatures
US9231964B2 (en) 2009-04-14 2016-01-05 Microsoft Corporation Vulnerability detection based on aggregated primitives
US9280369B1 (en) 2013-07-12 2016-03-08 The Boeing Company Systems and methods of analyzing a software component
US9336025B2 (en) 2013-07-12 2016-05-10 The Boeing Company Systems and methods of analyzing a software component
US9396082B2 (en) 2013-07-12 2016-07-19 The Boeing Company Systems and methods of analyzing a software component
US9479521B2 (en) 2013-09-30 2016-10-25 The Boeing Company Software network behavior analysis and identification system
WO2017093724A1 (en) * 2015-12-01 2017-06-08 Qatar Foundation For Education, Science And Community Development System and method for detection and isolation of network activity
US9852290B1 (en) 2013-07-12 2017-12-26 The Boeing Company Systems and methods of analyzing a software component
EP3428827A1 (en) * 2017-07-11 2019-01-16 The Boeing Company Cyber security system with adaptive machine learning features
CN114025357A (en) * 2021-11-04 2022-02-08 中国工商银行股份有限公司 Wi-Fi near-source attack capturing method and apparatus, device, medium, and program product
EP3852346A4 (en) * 2018-09-14 2022-06-08 Kabushiki Kaisha Toshiba Communication control device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030236990A1 (en) * 2002-05-20 2003-12-25 Scott Hrastar Systems and methods for network security
US20040128543A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for morphing honeypot with computer security incident correlation
US20050166072A1 (en) * 2002-12-31 2005-07-28 Converse Vikki K. Method and system for wireless morphing honeypot
US7042852B2 (en) * 2002-05-20 2006-05-09 Airdefense, Inc. System and method for wireless LAN dynamic channel change with honeypot trap
US7058796B2 (en) * 2002-05-20 2006-06-06 Airdefense, Inc. Method and system for actively defending a wireless LAN against attacks

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030236990A1 (en) * 2002-05-20 2003-12-25 Scott Hrastar Systems and methods for network security
US7042852B2 (en) * 2002-05-20 2006-05-09 Airdefense, Inc. System and method for wireless LAN dynamic channel change with honeypot trap
US7058796B2 (en) * 2002-05-20 2006-06-06 Airdefense, Inc. Method and system for actively defending a wireless LAN against attacks
US20040128543A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for morphing honeypot with computer security incident correlation
US20050166072A1 (en) * 2002-12-31 2005-07-28 Converse Vikki K. Method and system for wireless morphing honeypot

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9231964B2 (en) 2009-04-14 2016-01-05 Microsoft Corporation Vulnerability detection based on aggregated primitives
US8705407B2 (en) 2010-08-25 2014-04-22 University Of Florida Research Foundation, Inc. Efficient protocols against sophisticated reactive jamming attacks
WO2014172063A1 (en) * 2013-04-19 2014-10-23 Lastline, Inc. Methods and systems for reciprocal generation of watch-lists and malware signatures
US8910285B2 (en) 2013-04-19 2014-12-09 Lastline, Inc. Methods and systems for reciprocal generation of watch-lists and malware signatures
US9852290B1 (en) 2013-07-12 2017-12-26 The Boeing Company Systems and methods of analyzing a software component
US9280369B1 (en) 2013-07-12 2016-03-08 The Boeing Company Systems and methods of analyzing a software component
US9336025B2 (en) 2013-07-12 2016-05-10 The Boeing Company Systems and methods of analyzing a software component
US9396082B2 (en) 2013-07-12 2016-07-19 The Boeing Company Systems and methods of analyzing a software component
US9479521B2 (en) 2013-09-30 2016-10-25 The Boeing Company Software network behavior analysis and identification system
WO2017093724A1 (en) * 2015-12-01 2017-06-08 Qatar Foundation For Education, Science And Community Development System and method for detection and isolation of network activity
EP3428827A1 (en) * 2017-07-11 2019-01-16 The Boeing Company Cyber security system with adaptive machine learning features
CN109246072A (en) * 2017-07-11 2019-01-18 波音公司 Network safety system with adaptive machine learning feature
US10419468B2 (en) 2017-07-11 2019-09-17 The Boeing Company Cyber security system with adaptive machine learning features
EP3852346A4 (en) * 2018-09-14 2022-06-08 Kabushiki Kaisha Toshiba Communication control device
CN114025357A (en) * 2021-11-04 2022-02-08 中国工商银行股份有限公司 Wi-Fi near-source attack capturing method and apparatus, device, medium, and program product
CN114025357B (en) * 2021-11-04 2024-02-02 中国工商银行股份有限公司 Wi-Fi near-source attack capturing method and device, equipment, medium and program product

Similar Documents

Publication Publication Date Title
WO2008001972A1 (en) Method for proactively preventing wireless attacks and apparatus thereof
JP5682083B2 (en) Suspicious wireless access point detection
Cheng et al. Smartsiren: virus detection and alert for smartphones
EP1999925B1 (en) A method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor
KR101217647B1 (en) Method and apparatus for defending against denial of service attacks in IP networks based on specified source/destination IP address pairs
KR101038387B1 (en) Methods and apparatus for detecting unwanted traffic in one or more packet networks utilizing string analysis
US20160232349A1 (en) Mobile malware detection and user notification
EP2471292B1 (en) Method and arrangement for detecting fraud in telecommunication networks.
US9124617B2 (en) Social network protection system
CN107197456B (en) Detection method and detection device for identifying pseudo AP (access point) based on client
WO2003084122A1 (en) System and method of intrusion detection employing broad-scope monitoring
KR20080026122A (en) Method for defending against denial of service attacks in ip networks by target victim self-identification and control
Chen et al. An intelligent WLAN intrusion prevention system based on signature detection and plan recognition
Sharma et al. Multi-layer defense against malware attacks on smartphone wi-fi access channel
Agrawal et al. The performance analysis of honeypot based intrusion detection system for wireless network
Agrawal et al. Wireless rogue access point detection using shadow honeynet
Lovinger et al. Detection of wireless fake access points
JP2005134972A (en) Firewall device
Patel et al. A Snort-based secure edge router for smart home
KR101186873B1 (en) Wireless intrusion protecting system based on signature
KR101747144B1 (en) Method and system for preventing rogue access point
KR100977827B1 (en) Apparatus and method detecting connection mailcious web server system
CN113328976B (en) Security threat event identification method, device and equipment
Hsu et al. A passive user‐side solution for evil twin access point detection at public hotspots
CN114465746B (en) Network attack control method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06783464

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 06783464

Country of ref document: EP

Kind code of ref document: A1