US2011271345A1PendingUtilityA1

Detection of rogue wireless devices from dynamic host control protocol requests

47
Assignee: MICROSOFT CORPPriority: Jun 26, 2006Filed: Jul 8, 2011Published: Nov 3, 2011
Est. expiryJun 26, 2026(expired)· nominal 20-yr term from priority
H04L 63/1408H04W 88/08H04W 12/122
47
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method to determine if a rogue device is connected to a specific wired network from dynamic host control protocol (DHCP) requests on the wired network. These DHCP requests are analyzed to determine the type of device issuing the request. Once the type of device has been determined, it can be checked against a list of authorized device types. If the device issuing the DHCP request is not an authorized device type, then it can be determined that the suspect device is a rogue that is connected to the specific wired network. Additionally, even if the system of the present invention determines that it is an authorized device type, if the device is not one of the few authorized devices of this type, e.g. because its MAC address is not recognized as that of one of the authorized devices, the system can flag the suspect as a rogue.

Claims

exact text as granted — not AI-modified
1 . A method of detecting a connection of a rogue wireless device to a wired network, the method comprising the steps of:
 detecting a dynamic host control protocol (DHCP) request message that is issued by a DHCP client device to the wired network to request an Internet Protocol (IP) address, the DHCP request message comprising a DHCP options field including a DHCP parameter request list of options requested by the DHCP client device;   examining the DHCP parameter request list included in the DHCP options field within the DHCP request message;   determining a DHCP fingerprint for the DHCP client device based on which options are within the DHCP parameter request list and how the options within the DHCP parameter request list are ordered, wherein:
 the options within the DHCP parameter request list include a limited number of options chosen by an implementer of the DHCP client device from all options supported by the DHCP protocol, and 
 the options chosen by the implementer of the DHCP client are ordered in the DHCP parameter request list by the implementer of the DHCP client device; 
   inferring a device type of the DHCP client device based on the DHCP fingerprint for the DHCP client device; and   indicating that the DHCP client device is a rogue wireless device when the device type of the DHCP client device inferred from the DHCP fingerprint for the DHCP client device does not match any device types authorized on the wired network.   
     
     
         2 . The method of  claim 1 , wherein a vendor class identifier option included in the DHCP options field within the DHCP request message is included in the DHCP fingerprint for the DHCP client device. 
     
     
         3 . The method of  claim 1 , wherein a host name option included in the DHCP options field within the DHCP request message is included in the DHCP fingerprint for the DHCP client device. 
     
     
         4 . The method of  claim 1 , further comprising:
 determining a media access control (MAC) address of the DHCP client device that issued the DHCP request message when the device type of the DHCP client inferred from the DHCP fingerprint for the DHCP client device matches a device type authorized on the wired network;   checking a listing of legitimate MAC addresses for the device type authorized on the wired network; and   indicating that the DHCP client device is a rogue wireless device when the MAC address of DHCP client device is not on the listing of legitimate MAC addresses.   
     
     
         5 . The method of  claim 1 , further comprising testing for a false positive by:
 detecting an observed Service Set Identifier (SSID) broadcast by the DHCP client device;   comparing the observed SSID with a listing of authorized SSIDs to check whether the observed SSID broadcast by the DHCP client device is authorized; and   indicating that the DHCP client device is a rogue wireless device when the observed SSID broadcast by the DHCP client device does not appear in the listing of authorized SSIDs.   
     
     
         6 . The method of  claim 1 , further comprising testing for a false positive by:
 detecting an observed Basic Service Set Identifier (BSSID) broadcast by the DHCP client device;   comparing the observed BSSID with a listing of authorized BSSIDs to check whether the observed BSSID broadcast by the DHCP client device is authorized; and   indicating that the DHCP client device is a rogue wireless device when the observed SSID broadcast by the DHCP client device does not appear in the listing of authorized BSSIDs.   
     
     
         7 . The method of  claim 1 , further comprising testing for a false positive by:
 attempting to associate with the DHCP client device;   attempting to communicate with an entity on the wired network when the step of attempting to associate is successful; and   indicating that the DHCP client device is a rogue wireless device when the step of attempting to communicate with the entity on the wired network is successful.   
     
     
         8 . The method of  claim 1 , further comprising testing for a false positive by:
 detecting at least one packet broadcast from the DHCP client device;   extracting at least one of a source or destination address of the at least one packet;   indicating that the DHCP client device is a rogue wireless device when the at least one of the source or destination address of the at least one packet is from or to an entity on the wired network.   
     
     
         9 . The method of  claim 1 , further comprising testing for a false positive by:
 listening for packets on a wireless network;   playing back at least one of the packets;   monitoring the wired network; and   indicating that the device is a rogue wireless device when the step of monitoring identifies at least one instance of the at least one packet from the step of playing back.   
     
     
         10 . The method of  claim 9 , wherein the step of playing back comprises at least one of playing back at least one of the packets for a predetermined number of times and playing back at least one of the packets for a predetermined time period. 
     
     
         11 . The method of  claim 1 , further comprising testing for a false positive by:
 monitoring first packets transmitted on a wireless network from or to the DHCP client device;   monitoring second packets transmitted on the wired network;   correlating the first packets with the second packets; and   indicating that the device is a rogue wireless device when the step of correlating is successful.   
     
     
         12 . The method of  claim 11 , wherein the step of correlating comprises:
 comparing length of the first and second packets; and   comparing time at which the first and second packets were sent.   
     
     
         13 . A computing device comprising a processor for executing computer-executable instructions and memory storing computer-executable instructions that, when executed, cause the computing device to perform a method of detecting a connection of a rogue wireless device to a wired network, the method comprising the steps of:
 detecting a dynamic host control protocol (DHCP) request message that is issued by a DHCP client device to the wired network to request an Internet Protocol (IP) address, the DHCP request message comprising a DHCP options field including a DHCP parameter request list of options requested by the DHCP client device;   examining the DHCP parameter request list included in the DHCP options field within the DHCP request message;   determining a DHCP fingerprint for the DHCP client device based on which options are within the DHCP parameter request list and how the options within the DHCP parameter request list are ordered, wherein:
 the options within the DHCP parameter request list include a limited number of options chosen by an implementer of the DHCP client device from all options supported by the DHCP protocol, and 
 the options chosen by the implementer of the DHCP client are ordered in the DHCP parameter request list by the implementer of the DHCP client device; 
   inferring a device type of the DHCP client device based on the DHCP fingerprint for the DHCP client device; and   indicating that the DHCP client device is a rogue wireless device when the device type of the DHCP client device inferred from the DHCP fingerprint for the DHCP client device does not match any device types authorized on the wired network.   
     
     
         14 . The computing device of  claim 13 , wherein a vendor class identifier option included in the DHCP options field within the DHCP request message is included in the DHCP fingerprint for the DHCP client device. 
     
     
         15 . The computing device of  claim 13 , wherein a host name option included in the DHCP options field within the DHCP request message is included in the DHCP fingerprint for the DHCP client device. 
     
     
         16 . The computing device of  claim 13 , wherein the method further comprises the steps of:
 determining a media access control (MAC) address of the DHCP client device that issued the DHCP request message when the device type of the DHCP client inferred from the DHCP fingerprint for the DHCP client device matches a device type authorized on the wired network;   checking a listing of legitimate MAC addresses for the device type authorized on the wired network; and   indicating that the DHCP client device is a rogue wireless device when the MAC address of DHCP client device is not on the listing of legitimate MAC addresses.   
     
     
         17 . A tangible computer-readable storage medium that does not consist of a signal, said computer-readable storage medium storing computer-executable instructions that, when executed, cause a computing device to perform a method of detecting a connection of a rogue wireless device to a wired network, the method comprising the steps of:
 detecting a dynamic host control protocol (DHCP) request message that is issued by a DHCP client device to the wired network to request an Internet Protocol (IP) address, the DHCP request message comprising a DHCP options field including a DHCP parameter request list of options requested by the DHCP client device;   examining the DHCP parameter request list included in the DHCP options field within the DHCP request message;   determining a DHCP fingerprint for the DHCP client device based on which options are within the DHCP parameter request list and how the options within the DHCP parameter request list are ordered, wherein:
 the options within the DHCP parameter request list include a limited number of options chosen by an implementer of the DHCP client device from all options supported by the DHCP protocol, and 
 the options chosen by the implementer of the DHCP client are ordered in the DHCP parameter request list by the implementer of the DHCP client device; 
   inferring a device type of the DHCP client device based on the DHCP fingerprint for the DHCP client device; and   indicating that the DHCP client device is a rogue wireless device when the device type of the DHCP client device inferred from the DHCP fingerprint for the DHCP client device does not match any device types authorized on the wired network.   
     
     
         18 . The tangible computer-readable storage medium of  claim 17 , wherein a vendor class identifier option included in the DHCP options field within the DHCP request message is included in the DHCP fingerprint for the DHCP client device. 
     
     
         19 . The tangible computer-readable storage medium of  claim 17 , wherein a host name option included in the DHCP options field within the DHCP request message is included in the DHCP fingerprint for the DHCP client device. 
     
     
         20 . The tangible computer-readable storage medium of  claim 17 , wherein the method further comprises the steps of:
 determining a media access control (MAC) address of the DHCP client device that issued the DHCP request message when the device type of the DHCP client inferred from the DHCP fingerprint for the DHCP client device matches a device type authorized on the wired network;   checking a listing of legitimate MAC addresses for the device type authorized on the wired network; and   indicating that the DHCP client device is a rogue wireless device when the MAC address of DHCP client device is not on the listing of legitimate MAC addresses.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.