Characterizing intrusions using spatial reuse parameters

By detecting and characterizing malicious AP intrusions and utilizing spatial reuse parameters to select defensive postures, the performance degradation caused by malicious APs in wireless LANs is resolved, thereby improving network performance.

CN115443672B · Active · Publication Date: 2026-06-19 · CISCO TECHNOLOGY INC

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: CISCO TECHNOLOGY INC
Filing Date: 2021-04-23
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

In wireless LANs, intrusions by malicious access points can degrade network performance, and existing technologies struggle to effectively detect and respond to such intrusions.

Method used

By examining the spatial reuse parameters in the control frames sent by malicious APs, the nature and severity of the intrusion can be characterized, and an appropriate defense posture can be selected based on this, including adjusting BSS colors, channels, or enhancing the sensitivity threshold of SRGs to mitigate the impact of the intrusion.

Benefits of technology

Effective detection and response to malicious AP intrusions improves wireless network performance and reduces interference and performance degradation to known BSSs.

✦ Generated by Eureka AI based on patent content.


Abstract

The aspects described herein include a method for an access point (AP). This method includes examining a control frame received from a malicious AP, characterizing the intrusion of the malicious AP using one or more spatial reuse parameters included in the control frame, and selecting a defensive posture for the AP based on the characterization.

Description

Technical Field

[0001] The embodiments presented in this disclosure generally relate to wireless network devices, and more specifically, to improving wireless network performance during spatial reuse operations.

Background Technology

[0002] With the proliferation of Wireless Local Area Networks (WLANs), overlapping of multiple WLANs within a given area is becoming increasingly common. Conventional channel access mechanisms, such as Carrier-Sense Multiple Access (CSMA), are designed to support only a limited number of competing devices, which typically leads to a decline in network performance as the number of devices increases. To improve WLAN performance, several technologies have recently been introduced in the IEEE 802.11 networking standard, such as channel bonding, Orthogonal Frequency Division Multiple Access (OFDMA), Downlink / Uplink Multiple-User Multiple-Input Multiple-Output (DL / UL MU-MIMO), and Spatial Reuse (SR) operations.

Attached Figure Description

[0003] As a way to understand the above-described features of this disclosure in detail, the disclosure briefly summarized above can be described in more detail by referring to embodiments, some of which are illustrated in the accompanying drawings. However, it should be noted that the drawings only show typical embodiments and should not be considered limiting; other equally effective embodiments are conceivable.

[0004] Figure 1 shows an exemplary system with a rogue access point (AP) according to one or more embodiments.

[0005] Figure 2 shows an exemplary set of spatial reuse parameters for a control frame according to one or more embodiments.

[0006] Figure 3 is an exemplary method for an AP according to one or more embodiments.

[0007] Figure 4A illustrates the use of a known AP to detect intrusions by a malicious AP according to one or more embodiments.

[0008] Figure 4B illustrates the use of neighboring APs to detect intrusions by malicious APs according to one or more embodiments.

[0009] Figure 4C illustrates the use of a sensor device to detect intrusions by a malicious access point (AP) according to one or more embodiments.

[0010] Figure 5 is an exemplary method for selecting a defensive posture for an AP according to one or more embodiments.

[0011] Figure 6 is an exemplary method for characterizing a malicious AP according to one or more embodiments.

[0012] For ease of understanding, the same reference numerals are used to designate common elements in the accompanying drawings, where possible. It is contemplated that elements disclosed in one embodiment may be advantageously used in other embodiments without requiring specific description.

Detailed Implementation

[0013] Overview

[0014] One embodiment of this disclosure is a method for use by an access point (AP). The method includes examining a control frame received from a malicious AP, characterizing the intrusion of the malicious AP using one or more spatial reuse parameters included in the control frame, and selecting a defensive posture for the AP based on the characterization.

[0015] Another embodiment of this disclosure is an access point (AP) including one or more computer processors configured to detect intrusions by a malicious AP, characterize the intrusions using one or more spatial reuse parameters included in control frames sent by the malicious AP, and select a defensive posture for the AP based on the characterization.

[0016] Another embodiment of this disclosure is a computer program product including a computer-readable storage medium having computer-readable program code therein. The computer-readable program code can be executed by one or more computer processors to perform operations including: detecting intrusion at a malicious access point (AP), and characterizing the intrusion using one or more spatial reuse parameters included in a control frame sent by the malicious AP. The characterization of the intrusion is used to select a defensive posture for a known AP.

[0017] Example Implementation

[0018] Spatial Reuse Groups (SRGs) were introduced by the IEEE 802.11ax standard and allow overlapping Basic Service Sets (OBSSs) of different Access Points (APs) to operate more efficiently by selectively adopting a more aggressive channel access posture. Members in an SRG are typically controlled by a Radio Resource Management (RRM) algorithm that advertises a set of one or more BSS "colors" associated with the SRG. Therefore, if a BSS color exists in the receiver's SRG member list, a packet can be identified as belonging to the receiver's SRG.

[0019] Each AP can send control frames (also known as "management frames") that publish the AP's SRG members along with one or more sensitivity thresholds for the SRG. For example, an AP can send a Spatial Reuse Parameter Set (SRPS) element that includes configurable SRG OBSS / PD (packet detection) thresholds (min and max) that control the aggressiveness of a particular BSS relative to one or more other BSSs within the SRG.

[0020] A "malicious" AP managed by another management entity (e.g., another RRM algorithm) can compromise a "known" BSS of a "known" AP by adding the known BSS to the malicious AP's SRG list. The malicious AP can configure its spatial reuse parameters to make the malicious AP and any of its client devices aggressive towards the known BSS, causing a significant performance degradation of the known BSS. This intrusion by the malicious AP can be intentional (e.g., specifically targeting the known BSS) or unintentional (e.g., another BSS on the malicious AP's managed network happens to use the same color as the known BSS).

[0021] In one exemplary method described herein, a known AP (or another device within a known BSS, such as a neighboring AP or sensor device) examines control frames received from a malicious AP and uses one or more spatial reuse parameters included in the control frames to characterize the intrusion by the malicious AP. The known AP selects a defensive posture based on the characterization of the intrusion, which can mitigate the impact of the intrusion on the performance of the known BSS.

[0022] In some embodiments, characterizing an intrusion includes characterizing a malicious AP (e.g., characterizing the intent of the intrusion) and / or calculating the severity of the intrusion. A known AP can adopt different defensive postures based on the characterization of the intrusion. For example, if a malicious AP is characterized as "benign" (e.g., the intrusion was unintentional), the known AP can change the color of a known BSS, change the channel of a known BSS, or do nothing (e.g., remain unchanged), etc. If a malicious AP is characterized as "malicious" (e.g., the intrusion was intentional), the known AP can choose to enhance or strengthen its defensive posture to further mitigate the impact of the intrusion. For example, the known AP can add a malicious BSS to its SRG and adjust the sensitivity threshold of the SRG to make the known AP more aggressive against malicious BSSs. In some cases, the magnitude of the adjustment can be based on the severity of the intrusion.

[0023] Figure 1 illustrates an exemplary system 100 with a malicious AP 145 according to one or more embodiments. More specifically, system 100 includes a known AP 105 managed by a first management entity, while the malicious AP 145 is managed by a second management entity different from the first management entity. A known BSS 140 associated with the known AP 105 may specify physical layer media access characteristics shared by the known AP 105, one or more client devices 130, one or more sensor devices 135, and / or one or more neighboring APs (not shown). Generally, the known AP 105 operates as a redistribution point for communication between one or more client devices 130, one or more sensor devices 135, one or more neighboring APs, etc.

[0024] The known AP 105 includes one or more computer processors 110 (also referred to herein as "processor 110") and memory 115. The one or more computer processors 110 may be implemented in any suitable form, such as a general-purpose microprocessor, a controller, an application-specific integrated circuit (ASIC), etc. Memory 115 may include various computer-readable media selected according to their size, relative performance, or other functions: volatile and / or non-volatile media, removable and / or non-removable media, etc.

[0025] Memory 115 may include one or more modules for performing the various functions described herein. In one embodiment, each module includes program code executable by one or more computer processors 110. However, other embodiments of system 100 may include modules implemented partially or entirely in other hardware (i.e., circuitry) or firmware, such as hardware or firmware included in one or more client devices 130, one or more sensor devices 135, one or more neighboring APs, etc. In other words, the overall functionality of one or more modules may be distributed across other devices of system 100. As shown, memory 115 includes an intrusion characterization module 125, which characterizes an intrusion by malicious AP 145 using one or more spatial reuse parameters 165 included in a control frame 160 sent by malicious AP 145. Intrusion characterization module 125 may have additional functions, such as inspecting control frame 160 and detecting intrusions, selecting a defensive posture for known AP 105, etc.

[0026] Memory 115 also includes Spatial Reuse Group (SRG) information 120, which defines and / or controls members in the SRG. In some embodiments compatible with the IEEE 802.11ax standard, SRG information 120 includes the BSS color bitmap of an SRPS element, which stores the different BSS colors of the BSSs included in a particular SRG. The known AP 105 maintains the BSS color bitmap and notifies one or more client devices 130, one or more sensor devices 135, and / or one or more neighboring APs of any changes to the BSS color bitmap.

[0027] Although not described in detail herein, a malicious AP 145 may include hardware similar to that of a known AP 105, such as one or more computer processors and memory. The malicious AP 145 includes SRG information 150, which includes a known BSS 140, enabling the malicious AP 145 to compromise the known BSS 140. For example, the malicious AP 145 may maintain a separate BSS color bitmap and may include BSS colors assigned to the known BSS 140.

[0028] During the intrusion of malicious AP 145, malicious AP 145 sends multiple frames 155, which are received by one or more devices of known BSS 140. The multiple frames 155 include control frames 160, which include one or more spatial reuse parameters 165 indicating the aggressiveness (or intrusiveness) level of malicious AP 145. As described above, and will be further discussed, intrusion characterization module 125 characterizes the intrusion using one or more spatial reuse parameters 165 and selects a defensive posture for known AP 105 based on the characterization.

[0029] One or more client devices 130 may include any suitable computing device. For example, one or more client devices 130 may include desktop computing devices, mobile computing devices (e.g., smartphones, tablets), wearable computing devices, and other electronic devices (e.g., printers, smart TVs, smart appliances).

[0030] One or more sensor devices 135 may have any suitable implementation. In some embodiments, one or more sensor devices 135 include one or more computer processors that perform monitoring and / or testing to determine network performance. In some embodiments, one or more sensor devices 135 receive control frames 160 from a malicious AP 145.

[0031] Figure 2 shows an exemplary SRPS element 200 of a control frame according to one or more embodiments. In general, SRPS element 200 provides information for performing OBSS / PD-based SR operations in an 802.11ax-compatible WLAN. The features shown in Figure 2 can be used in conjunction with other embodiments discussed herein. For example, certain types of control frames (e.g., beacon, probe response, and (re)association response) sent by a malicious AP 145 and / or a known AP 105 can be formatted to include SRPS element 200.

[0032] SRPS element 200 includes spatial reuse parameters arranged as multiple fields: element ID 205, length 210, element ID extension 215, SR control field 220, non-SRG OBSS / PD maximum offset 225, SRG OBSS / PD minimum offset 230, SRG OBSS / PD maximum offset 235, SRG BSS color bitmap 240, and SRG partial BSSID bitmap 245. Each field can have an appropriate size and format.

[0033] Element ID 205, length 210, and element ID extension 215 can have any suitable values. The non-SRG OBSS / PD maximum offset 225 includes an integer value used to produce the maximum non-SRG OBSS / PD threshold. The SRG OBSS / PD minimum offset 230 includes an integer value used to produce the minimum SRG OBSS / PD threshold, and the SRG OBSS / PD maximum offset 235 includes an integer value used to produce the maximum SRG OBSS / PD threshold. The SRG BSS color bitmap 240 indicates which BSS color values are used by members of the SRG. The SRG partial BSSID bitmap 245 indicates which partial BSSID values are used by members of the SRG.

[0034] The SR control field 220 includes the following parameters: Parameterized Spatial Reuse (PSR) Not Allowed 250, Non-SRG OBSS / PD SR Not Allowed 255, Non-SRG Offset Present 260, SRG Information Present 265, HE-SIG-A Spatial Reuse Value 15 Allowed 270, and Reserved 275. PSR Not Allowed 250 indicates whether PSR-based SR transmission is allowed at non-AP stations associated with the transmitting AP, while Non-SRG OBSS / PD SR Not Allowed 255 indicates whether non-SRG OBSS / PD SR transmission is allowed at non-AP stations. Non-SRG Offset Present 260 indicates the presence of the non-SRG OBSS / PD maximum offset 225, while SRG Information Present 265 indicates the presence of the SRG OBSS / PD minimum offset 230, the SRG OBSS / PD maximum offset 235, the SRG BSS color bitmap 240, and the SRG partial BSSID bitmap 245. HE-SIG-A Spatial Reuse Value 15 Allowed 270 indicates whether a non-AP station can set the TXVECTOR parameter SPATIAL_REUSE to restrict PSR-based SR transmissions and non-SRG OBSS / PD-based SR transmissions over its packets.

[0035] As described above, intrusions by a malicious AP can be detected by examining control frames received from the malicious AP. For example, the SRG BSS color bitmap 240 can be examined to determine if a BSS color associated with a known AP is included. In some cases, the SRG partial BSSID bitmap 245 can also be used to identify whether the malicious AP has added the BSSID of a known AP to its own SRG list. Intrusions can also be characterized using one or more spatial reuse parameters included in the control frame. For example, the value of the SRG OBSS / PD maximum offset 235 can be used to calculate the severity of the intrusion, indicating the aggressiveness (or intrusiveness) of the malicious AP 145 against a known BSS. The severity of the intrusion can be further calculated based on one or more other characteristics of the frames received from the malicious AP.
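
The check described in [0035], as an added example that is not code from the patent: a parser for the SRPS element that reports whether the known BSS appears in a received SRG bitmap and converts the SRG OBSS / PD offsets to dBm. The field widths, SR control bit positions, element ID values (255 / 39) and the -82 dBm base come from IEEE 802.11ax rather than from this page; the function names and sample bytes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

EID_EXTENSION = 255       # Element ID shared by all "extended" elements
EXT_ID_SRPS = 39          # Element ID Extension of the SRPS element
OBSS_PD_BASE_DBM = -82    # advertised offsets are added to -82 dBm


@dataclass(frozen=True)
class Srps:
    psr_disallowed: bool
    non_srg_obss_pd_sr_disallowed: bool
    value15_allowed: bool
    non_srg_max_offset: Optional[int]
    srg_min_offset: Optional[int]
    srg_max_offset: Optional[int]
    srg_colors: frozenset
    srg_partial_bssids: frozenset


def _bits(raw: bytes) -> frozenset:
    """Return the set bit positions of a little-endian 64-bit bitmap."""
    value = int.from_bytes(raw, "little")
    return frozenset(i for i in range(64) if (value >> i) & 1)


def parse_srps(element: bytes) -> Srps:
    """Parse one SRPS information element (ID, length, extension, body)."""
    if len(element) < 4 or element[0] != EID_EXTENSION or element[2] != EXT_ID_SRPS:
        raise ValueError("not an SRPS element")
    length = element[1]
    body = element[2:2 + length]
    if length < 2 or len(body) != length:
        raise ValueError("element truncated")
    control, rest = body[1], body[2:]
    non_srg_present = bool(control & 0x04)   # Non-SRG Offset Present
    srg_present = bool(control & 0x08)       # SRG Information Present
    needed = (1 if non_srg_present else 0) + (18 if srg_present else 0)
    if len(rest) < needed:
        raise ValueError("SR control announces fields that are missing")
    pos, non_srg_max = 0, None
    if non_srg_present:
        non_srg_max, pos = rest[0], 1
    srg_min = srg_max = None
    colors = partial = frozenset()
    if srg_present:
        srg_min, srg_max = rest[pos], rest[pos + 1]
        colors = _bits(rest[pos + 2:pos + 10])
        partial = _bits(rest[pos + 10:pos + 18])
    return Srps(bool(control & 0x01), bool(control & 0x02), bool(control & 0x10),
                non_srg_max, srg_min, srg_max, colors, partial)


def assess_intrusion(element: bytes, own_color: int,
                     own_partial_bssid: Optional[int] = None) -> dict:
    """Report whether the known BSS is listed in the sender's SRG."""
    srps = parse_srps(element)
    color_hit = own_color in srps.srg_colors
    bssid_hit = (own_partial_bssid is not None
                 and own_partial_bssid in srps.srg_partial_bssids)

    def to_dbm(offset):
        return None if offset is None else OBSS_PD_BASE_DBM + offset

    return {
        "intrusion": color_hit or bssid_hit,
        "color_listed": color_hit,
        "partial_bssid_listed": bssid_hit,
        "srg_obss_pd_min_dbm": to_dbm(srps.srg_min_offset),
        "srg_obss_pd_max_dbm": to_dbm(srps.srg_max_offset),
    }


def build_sample_element() -> bytes:
    """Constructed sample: SRG lists colors 7 and 12 and partial BSSID 33."""
    body = bytes([EXT_ID_SRPS, 0x0C, 10, 5, 20])   # control, then three offsets
    body += ((1 << 7) | (1 << 12)).to_bytes(8, "little")
    body += (1 << 33).to_bytes(8, "little")
    return bytes([EID_EXTENSION, len(body)]) + body


if __name__ == "__main__":
    print(assess_intrusion(build_sample_element(), own_color=7))
```

The caller supplies the 6-bit partial BSSID value of the known BSS; deriving it from the full BSSID is left out here.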

[0036] Figure 3 is an exemplary method 300 for an AP according to one or more embodiments. Method 300 can be used in conjunction with other embodiments discussed herein (e.g., performed using the intrusion characterization module 125 of Figure 1).

[0037] Method 300 begins at block 305, where a control frame received from a malicious AP is inspected. At block 315, an intrusion by the malicious AP is detected. In some embodiments, intrusion detection includes identifying the BSS of a known AP within the SRG of the malicious AP. For example, the BSS of a known AP can be identified using one or more spatial reuse parameters (e.g., the BSS color bitmap and / or BSSID bitmap of the malicious AP) included in the control frame.

[0038] At block 325, the intrusion is characterized using one or more spatial reuse parameters included in the control frame. In some embodiments, characterizing the intrusion includes one or both of characterizing the malicious AP (block 330) and calculating the severity of the intrusion (block 332). An exemplary method for characterizing the malicious AP is discussed below with respect to Figure 6. Exemplary techniques for calculating the severity of intrusions are also discussed below. At block 335, a defensive posture is selected for a known AP based on the characterization of the intrusion. An exemplary method for selecting a defensive posture for a known AP is discussed below with respect to Figure 5. Method 300 ends after block 335 is completed.

[0039] Figure 4A illustrates the use of a known AP to detect an intrusion by a malicious AP according to one or more embodiments. In diagram 400, a known AP 405 (an example of the known AP 105 of Figure 1) is associated with a known BSS 410 (an example of the known BSS 140). A malicious AP 415 (an example of the malicious AP 145) is associated with a malicious BSS 420. In some embodiments, the known BSS 410 is associated with a first BSS color (e.g., blue), while the malicious BSS 420 is associated with a second BSS color (e.g., green).

[0040] The coverage area of the malicious BSS 420 is shown to partially overlap with the coverage area of the known BSS 410. The SRG associated with the malicious BSS 420 includes the first BSS color, indicating that the malicious BSS 420 is compromising the known BSS 410.

[0041] In diagram 400, the known AP 405 is shown as being within the coverage area of the malicious BSS 420. Therefore, the known AP 405 is capable of directly receiving control frames sent by the malicious AP 415. In some embodiments, the known AP 405 examines the SRPS element of the control frame to determine whether the known BSS 410 is included in the SRG associated with the malicious BSS 420.

[0042] In some embodiments, the known AP 405 examines frames sent by the malicious AP 415 (which may include SRPS elements of control frames) to characterize the intrusion of the malicious BSS 420. For example, the known AP 405 may examine the minimum and / or maximum values of the SRG OBSS / PD to determine the aggressiveness (or intrusiveness) of the malicious BSS against the known BSS 410.

[0043] Figure 4B illustrates the use of neighboring APs to detect an intrusion by a malicious AP according to one or more embodiments. Diagram 425 includes the known AP 405 and the malicious AP 415, a neighboring AP 430 associated with a neighboring BSS 435, and a client device 440 (an example of the one or more client devices 130 of Figure 1) within the known BSS 410. In some embodiments, the neighboring AP 430 is associated with a third BSS color (e.g., red) that is different from the first BSS color and the second BSS color.

[0044] The coverage areas of the known BSS 410 and the neighboring BSS 435 partially overlap. The coverage area of the malicious BSS 420 partially overlaps with the coverage area of the known BSS 410 and the coverage area of the neighboring BSS 435. The SRG associated with the malicious BSS 420 includes the first BSS color, indicating that the malicious BSS 420 is infiltrating the known BSS 410.

[0045] In diagram 425, the known AP 405 is located outside the coverage area of the malicious BSS 420, meaning that the known AP 405 cannot directly receive control frames sent by the malicious AP 415. However, the coverage area of the malicious BSS 420 includes the neighboring AP 430 and client device 440, which means that the intrusion could affect the known BSS 410.

[0046] In this scenario, the neighboring AP 430 can receive control frames sent by the malicious AP 415 and can examine these frames to identify whether the known BSS 410 (e.g., the BSS of the neighboring AP, relative to the neighboring AP 430) is in the SRG of the malicious AP 415. In this way, the neighboring AP 430 can detect the intrusion of the malicious AP 415. The neighboring AP 430 can then send an intrusion signal to the known AP 405, or further characterize the intrusion and / or select a defensive posture for the known AP 405.

[0047] Figure 4C illustrates the use of a sensor device 450 (an example of the one or more sensor devices 135 of Figure 1) to detect an intrusion by a malicious AP according to one or more embodiments. Diagram 445 includes the known AP 405, the malicious AP 415, the client device 440, and the sensor device 450 within the known BSS 410.

[0048] In diagram 445, the known AP 405 is located outside the coverage area of the malicious BSS 420, meaning that the known AP 405 cannot directly receive control frames sent by the malicious AP 415. However, the coverage area of the malicious BSS 420 includes client device 440 and sensor device 450, which means that the intrusion could affect the known BSS 410.

[0049] In this scenario, sensor device 450 can receive control frames sent by malicious AP 415 and examine these frames to identify whether a known BSS 410 (e.g., the BSS of a neighboring AP relative to neighboring AP 430) is in the SRG of malicious AP 415. In this way, sensor device 450 can detect intrusion by malicious AP 415. Sensor device 450 can then signal the intrusion to known AP 405, or further characterize the intrusion and / or select a defensive posture for known AP 405.

[0050] Figure 5 is an exemplary method 500 for selecting a defensive posture for an AP according to one or more embodiments. Method 500 can be used in conjunction with other embodiments (e.g., performed using the intrusion characterization module 125 of Figure 1). In some embodiments, method 500 is performed as part of block 335 of Figure 3.

[0051] Method 500 begins at block 505, where intrusion characterization module 125 determines whether the intrusion by the malicious AP is a first-time intrusion—that is, the malicious AP has never previously attempted to intrude into a known BSS. In some embodiments, determining whether an intrusion is a first-time intrusion corresponds to a predefined time period after the intrusion is detected.

[0052] When the intrusion is the first intrusion (“YES”), the known AP selects a first defensive posture 515. Method 500 proceeds from block 505 to block 525, where the intrusion characterization module 125 determines whether a BSS color is available to change the color of the known AP's BSS. In some embodiments, determining whether a BSS color is available includes determining that the BSS color is (i) not included in the SRG of the malicious AP and (ii) not used by a neighboring AP managed by the same management entity as the known AP.

[0053] When a BSS color is available ("YES"), method 500 proceeds to block 535, and the BSS color is changed. When no BSS color is available ("NO"), method 500 proceeds to block 530, and the intrusion characterization module 125 changes the BSS channel. Overall, changing the BSS color is likely preferable to changing the channel because changing the BSS color tends to cause less interference to the managed network.

[0054] In some alternative embodiments, the first defensive posture 515 does nothing (e.g., maintains the status quo) in response to determining that the intrusion is the first intrusion. In some alternative embodiments, the method 500 proceeds to block 510 in response to detecting the intrusion.

[0055] When the intrusion is not the first intrusion within a predefined time window (“NO”), the intrusion characterization module 125 can determine that the malicious AP will continue to actively target the known BSS, even if the BSS color or channel has been changed in the first defensive posture 515. When the intrusion is not the first intrusion (“NO”), method 500 proceeds to block 510, where the intrusion characterization module 125 characterizes the malicious AP (e.g., characterizes the intent of the intrusion). In some embodiments, the intrusion characterization module 125 characterizes the malicious AP as one of two characterizations (as shown, “benign” or “malicious”). However, different characterizations and / or different numbers of characterizations are also conceivable. An exemplary method for characterizing the malicious AP is discussed below with respect to Figure 6.

[0056] When a malicious AP is characterized as benign (“BENIGN”), the known AP selects a first defensive posture 515. When a malicious AP is characterized as malicious (“MALICIOUS”), the known AP selects a second defensive posture 520. Method 500 proceeds to block 540, where the intrusion characterization module 125 adds the BSS of the malicious AP to the SRG of the known AP. In block 545, the intrusion characterization module 125 adjusts the sensitivity threshold of the SRG. The intrusion characterization module 125 may change the minimum and / or maximum SRG OBSS / PD of the known BSS to make the BSS of the known AP more aggressive against the BSS of the malicious AP. In some embodiments, increasing the maximum and / or minimum SRG OBSS / PD makes the BSS of the known AP more aggressive against the BSS of the malicious AP. For example, the maximum and minimum SRG OBSS / PD may be set to reflect the values used by the malicious AP against the known AP, for example, after accessing the values in the SRPS element of the malicious AP. Such a configuration makes the known AP as aggressive against the malicious AP as the malicious AP is against the known AP.

[0057] In some embodiments, the intrusion characterization module 125 adjusts the sensitivity threshold of the SRG in response to the calculated severity of the intrusion. In one example, the intrusion characterization module 125 executes box 545 only when the severity of the intrusion exceeds the threshold. When the severity of the intrusion is less than the threshold, the intrusion characterization module 125 may take no action or execute another action. In another example, the intrusion characterization module 125 selects a value for the sensitivity threshold of the SRG based on the severity of the intrusion. Method 500 ends after completing one of boxes 530, 535, and 545.

[0058] Figure 6 is an exemplary method 600 for characterizing a malicious AP according to one or more embodiments. Method 600 can be used in conjunction with other embodiments (e.g., performed using the intrusion characterization module 125 of Figure 1). In some embodiments, method 600 is performed as part of block 330 of Figure 3. Method 600 represents a heuristic approach in which several network metrics are evaluated to generate a score indicating the likelihood that the intrusion by the malicious BSS was intentional.

[0059] Method 600 begins at box 605, where the intrusion characterization module 125 calculates the frequency of adding a known BSS to a malicious AP / BSS's SRG within a predefined time period. At box 610, the intrusion characterization module 125 determines whether this frequency exceeds a threshold. When the frequency does not exceed the threshold ("NO"), method 600 proceeds to box 635, and the malicious AP is characterized as "benign." When the frequency exceeds the threshold ("YES"), method 600 proceeds to box 615, where the intrusion characterization module 125 determines whether the media access control (MAC) addresses of the malicious APs are identical. In this way, the intrusion characterization module 125 can check whether a malicious AP with the same MAC address has been previously detected (e.g., an early attack on a known BSS). When the MAC addresses are identical ("YES"), method 600 proceeds to box 630, and the malicious AP is characterized as "malicious."

[0060] When the MAC addresses are different (“NO”), method 600 proceeds to block 620, and intrusion characterization module 125 determines the transmission characteristics of the malicious AP. In some embodiments, intrusion characterization module 125 determines at least one of the following transmission characteristics of the malicious AP: carrier frequency offset, sampling frequency offset, power amplifier characteristics, and out-of-band power. At block 625, intrusion characterization module 125 determines whether the radio signature of the malicious BSS is “close” based on the transmission characteristics. In some embodiments, the radio signature of the malicious BSS is determined to be close when multiple transmission characteristics of the malicious BSS are highly correlated with the transmission characteristics of a previous “attacker.” For example, the correlation may exceed a threshold.

[0061] If the radio signature is close (“YES”), then method 600 proceeds from box 625 to box 630, and the malicious AP is characterized as “malicious”. If the radio signature is not close (“NO”), then method 600 proceeds from box 625 to box 635, and the malicious AP is characterized as benign. After completing either box 630 or 635, method 600 terminates.
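
The decision flow of methods 500 and 600 ([0051] to [0061]), as an added example that is not code from the patent. The window length, both thresholds, the use of Pearson correlation over pre-normalised transmission characteristics, the valid color range 1 to 63, and all names and sample values are assumptions; the patent leaves them open.

```python
from dataclasses import dataclass
from math import sqrt

# Assumed tuning values; the patent does not fix any of them.
WINDOW_S = 3600          # "predefined time period" for blocks 505 and 605
FREQ_THRESHOLD = 3       # block 610: SRG additions tolerated per window
CORR_THRESHOLD = 0.95    # block 625: radio signature counts as "close"


@dataclass(frozen=True)
class Intrusion:
    ts: float                    # detection time in seconds
    mac: str                     # transmitter address seen in the frame
    signature: tuple             # normalised CFO, SFO, PA trait, out-of-band power
    rogue_color: int             # BSS color of the intruding BSS
    rogue_srg_colors: frozenset  # colors listed in the intruder's SRG bitmap
    srg_min_offset: int          # SRG OBSS / PD min offset it advertises
    srg_max_offset: int          # SRG OBSS / PD max offset it advertises


def pearson(a, b):
    """Pearson correlation of two equally long feature vectors."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    return 0.0 if var_a == 0 or var_b == 0 else cov / sqrt(var_a * var_b)


def characterize(event, history):
    """Method 600: history holds earlier detections against the known BSS."""
    recent = [h for h in history if 0 <= event.ts - h.ts <= WINDOW_S]
    if len(recent) + 1 <= FREQ_THRESHOLD:                      # blocks 605/610
        return "benign"
    if any(h.mac == event.mac for h in history):               # block 615
        return "malicious"
    if any(pearson(event.signature, h.signature) > CORR_THRESHOLD
           for h in history):                                  # blocks 620/625
        return "malicious"
    return "benign"


def select_posture(event, history, own_color, managed_colors):
    """Method 500: choose the known AP's response to one detected intrusion."""
    first = not any(0 <= event.ts - h.ts <= WINDOW_S for h in history)  # 505
    if not first and characterize(event, history) == "malicious":      # 510
        return {"posture": 2,
                "add_to_srg": event.rogue_color,               # block 540
                "srg_min_offset": event.srg_min_offset,        # block 545:
                "srg_max_offset": event.srg_max_offset}        # mirror values
    # Posture 1: a color is free if it is neither in the intruder's SRG nor
    # used by a neighbor under the same management entity (block 525).
    blocked = set(event.rogue_srg_colors) | set(managed_colors) | {own_color}
    free = [c for c in range(1, 64) if c not in blocked]
    if free:
        return {"posture": 1, "action": "change_bss_color", "new_color": free[0]}
    return {"posture": 1, "action": "change_channel"}          # block 530


def sample_event(ts, mac, signature=(0.8, -1.1, 0.3, 1.5)):
    """Constructed observation: BSS color 12 whose SRG lists colors 7 and 12."""
    return Intrusion(ts, mac, signature, 12, frozenset({7, 12}), 5, 20)


if __name__ == "__main__":
    seen = [sample_event(t, f"02:00:00:00:00:0{i}")
            for i, t in enumerate((0, 600, 1200))]
    latest = sample_event(1800, "02:00:00:00:00:0d", (0.82, -1.05, 0.28, 1.47))
    print(select_posture(latest, seen, own_color=7, managed_colors={1, 2}))
```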

[0062] Other techniques for characterizing malicious access points (APs) are also conceivable. In some embodiments, machine learning models can be used to characterize malicious APs. For example, a deep neural network (DNN) may include one or more inputs, one or more outputs, and multiple hidden layers between the inputs and outputs. In some embodiments, one or more inputs include one or more of the following: the BSS color of a malicious AP during multiple time instances, the BSS color of a known AP during multiple time instances, the location of the malicious AP, the Received Signal Strength Indication (RSSI) value, and the transmission characteristics of the malicious AP. One or more outputs include the probability that the malicious AP is malicious (or intentional).

[0063] In some embodiments, the DNN is trained using a semi-supervised learning scheme. To determine the initial weights for multiple hidden layers, one or more attackers can be simulated offline, and input parameters can be determined for the labeled data. In some embodiments, the number of hidden layers can be increased in response to determining that the desired accuracy has not been achieved. In this way, the DNN may be less prone to overfitting to the labeled data.

[0064] While the network is running, it can predict malicious access points (APs) that have intruded based on input parameters. Weights can be adjusted concurrently based on unlabeled data. In some embodiments, unlabeled data can be labeled based on predictions made by the DNN during its offline training. Newly labeled data can be added to previously labeled data, and the DNN can be retrained. In this way, error is minimized while weights are adaptively adjusted.

[0065] As described above, the intrusion characterization module 125 can calculate the severity of the intrusion as part of characterizing the intrusion. The calculated severity can be used to determine the defense posture of a known AP. In some embodiments, the calculated severity is a function of multiple characteristics of a frame received from a malicious AP. The calculated severity can be the product of linearized functions performed on each of the multiple characteristics. In a non-limiting example, the calculated severity can be calculated according to the following formula:

[0066]

[0067] Where RR represents the RSSI of frames received from a malicious AP, SRG-OBSS-PD-min and SRG-OBSS-PD-max represent the minimum and maximum SRG OBSS PD values of control frames received from a malicious AP (where higher values generally indicate a more aggressive malicious AP), SRG-QBSS represents the channel load value (more specifically, the Quality of Service BSS (QBSS) load reported in beacon signals received from a malicious AP), and ATTACK_HOPS represents the proximity of the known AP, neighboring APs, or sensor devices detecting the intrusion. A linearization function is applied to each of RR, SRG-OBSS-PD-min, SRG-OBSS-PD-max, SRG-QBSS, and ATTACK_HOPS.

[0068] In some embodiments, QBSS load indicates channel load as a percentage. To increase the accuracy of representing load specifically caused by a malicious AP, sensor devices or monitoring / assistive radios on a known AP can directly measure the load they receive from the malicious AP. This can replace the SRG-QBSS value in severity calculations, or it can be used in combination with the SRG-QBSS value.

[0069] In some embodiments, ATTACK_HOPS is measured in RF neighbor hop counts. For example, if an attack by a known AP is directly detected by a known BSS, ATTACK_HOPS will be set to a value of "1". If the attack is instead detected by a neighboring AP or sensor device, ATTACK_HOPS will be set to the RF hop count from the known BSS plus 1.
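The following Python sketch is an added example, not code from the patent. It shows one way to compute a severity score as a product of linearized characteristics ([0065] to [0069]) and to map it to the two defensive postures of clauses 7 and 8. The formula at [0066] is not reproduced on this page, so the linearization bounds, the floor, the hop cap, the posture threshold, and the direction of every factor other than the OBSS PD values are assumptions.

```python
from dataclasses import dataclass
from math import prod
from typing import Optional

FLOOR = 0.05              # assumed: keeps one weak factor from zeroing the product
MAX_HOPS = 4              # assumed: detections this many RF hops away score FLOOR
POSTURE_THRESHOLD = 0.25  # assumed cut between the two postures

# Assumed linearization bounds (low, high) for each characteristic.
BOUNDS = {
    "rssi_dbm": (-90.0, -40.0),
    "srg_obss_pd_dbm": (-82.0, -62.0),
    "load_pct": (0.0, 100.0),
}

@dataclass
class Observation:
    rssi_dbm: float               # RR
    srg_obss_pd_min_dbm: float    # SRG-OBSS-PD-min
    srg_obss_pd_max_dbm: float    # SRG-OBSS-PD-max
    qbss_load_pct: float          # SRG-QBSS, load reported in the beacon
    detected_by_known_bss: bool
    rf_hops_from_known_bss: int = 0
    measured_load_pct: Optional[float] = None  # [0068]: direct measurement

def linearize(value: float, lo: float, hi: float) -> float:
    """Clamp value into [lo, hi] and map it linearly onto [FLOOR, 1]."""
    frac = min(1.0, max(0.0, (value - lo) / (hi - lo)))
    return FLOOR + (1.0 - FLOOR) * frac

def attack_hops(obs: Observation) -> int:
    """[0069]: 1 for direct detection, else RF hop count from the known BSS plus 1."""
    return 1 if obs.detected_by_known_bss else obs.rf_hops_from_known_bss + 1

def severity(obs: Observation) -> float:
    # [0068]: here a directly measured load replaces the reported QBSS load.
    load = obs.qbss_load_pct if obs.measured_load_pct is None else obs.measured_load_pct
    factors = [
        linearize(obs.rssi_dbm, *BOUNDS["rssi_dbm"]),
        linearize(obs.srg_obss_pd_min_dbm, *BOUNDS["srg_obss_pd_dbm"]),
        linearize(obs.srg_obss_pd_max_dbm, *BOUNDS["srg_obss_pd_dbm"]),
        linearize(load, *BOUNDS["load_pct"]),
        # Assumed direction: fewer hops (closer detection) scores higher.
        linearize(-attack_hops(obs), -MAX_HOPS, -1),
    ]
    return prod(factors)

def select_posture(score: float) -> str:
    """Clauses 7 and 8: the more severe case absorbs the BSS into the SRG."""
    if score >= POSTURE_THRESHOLD:
        return "add_bss_to_srg_and_adjust_sensitivity_threshold"
    return "change_bss_color_or_channel"

# Constructed sample: seen by a neighbor one RF hop away, measured load 40 %.
SAMPLE = Observation(-50.0, -72.0, -62.0, 80.0, False,
                     rf_hops_from_known_bss=1, measured_load_pct=40.0)

if __name__ == "__main__":
    s = severity(SAMPLE)
    print(f"severity={s:.4f} posture={select_posture(s)}")
```

Because the score is a product, a single low factor (for example a distant detection) pulls the whole severity down, which is why the floor is kept above zero.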

[0070] The embodiments presented in this disclosure have been mentioned in the foregoing. However, the scope of this disclosure is not limited to the specifically described embodiments. Rather, any combination of the described features and elements, whether or not they relate to different embodiments, is contemplated for implementing and carrying out the contemplated embodiments. Furthermore, while the embodiments disclosed herein may achieve advantages over other possible solutions or prior art, whether a given embodiment achieves a particular advantage does not limit the scope of this disclosure. Therefore, unless expressly mentioned in one or more claims, the aspects, features, embodiments, and advantages described above are merely illustrative and should not be considered elements or limitations of the appended claims.

[0071] Various aspects of this disclosure are described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It will be understood that each block in the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the function / action specified by one or more blocks in the flowchart illustrations and / or block diagrams.

[0072] These computer program instructions may also be stored in a computer-readable medium that can instruct a computer, other programmable data processing apparatus or other device to operate in a particular manner, thereby causing the instructions stored in the computer-readable medium to produce an article of manufacture including instructions that implement the functions / behaviors specified in one or more boxes of a flowchart and / or block diagram.

[0073] Computer program instructions may also be loaded onto a computer, other programmable data processing apparatus or other equipment to cause a series of operational steps to be performed on the computer, other programmable apparatus or other equipment to produce a computer-implemented process, such that the instructions, which execute on the computer or other programmable apparatus, provide a process for implementing the function / action specified in one or more boxes in a flowchart and / or block diagram.

[0074] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments. In this regard, each box in a flowchart or block diagram may represent a module, segment, or portion of code, which includes one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the boxes may not appear in the order shown in the drawings. For example, two boxes shown consecutively may actually be executed substantially simultaneously, or, depending on the functions involved, these boxes may sometimes be executed in reverse order. It should also be noted that each box in the block diagrams and / or flowcharts, and combinations of boxes in the block diagrams and / or flowcharts, may be implemented by a dedicated hardware system or a combination of dedicated hardware and computer instructions that performs the specified function or action.

[0075] In view of the foregoing, the scope of this disclosure is defined by the appended claims.

[0076] Examples of this disclosure are listed in the following numbered clauses.

[0077] 1. A method for an access point (AP), the method comprising:

[0078] Inspect control frames received from a malicious AP;

[0079] The intrusion of the malicious AP is characterized using one or more spatial reuse parameters included in the control frame; and

[0080] Based on the characterization, a defensive posture is selected for the AP.

[0081] 2. The method described in Clause 1 further includes:

[0082] The intrusion is detected in response to the AP inspecting the control frame, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within the spatial reuse group (SRG) of the malicious AP.

[0083] 3. The method described in Clause 1 further includes:

[0084] The intrusion is detected in response to a neighboring AP inspecting the control frame, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within the spatial reuse group (SRG).

[0085] 4. The method described in Clause 1 further includes:

[0086] The intrusion is detected in response to a sensor device inspecting the control frame, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within the spatial reuse group (SRG) of the malicious AP.

[0087] 5. The method according to Clause 1, wherein characterizing the intrusion includes characterizing the malicious AP as one of the following: benign and malicious.

[0088] 6. The method according to Clause 1, wherein characterizing the intrusion includes determining at least one of the following:

[0089] The carrier frequency offset of the malicious AP;

[0090] The sampling frequency offset of the malicious AP;

[0091] The power amplifier characteristics of the malicious AP; and

[0092] The out-of-band power of the malicious AP.

[0093] 7. The method according to Clause 1, wherein selecting the defensive posture for the AP includes, for a first characterization of the intrusion:

[0094] Add the basic service set (BSS) of the malicious AP to the spatial reuse group (SRG) of the AP; and

[0095] Adjust the sensitivity threshold of the SRG.

[0096] 8. The method according to Clause 7, wherein selecting the defensive posture for the AP includes, for a second characterization of the intrusion that is less severe than the first characterization:

[0097] Change the color or channel of the Basic Service Set (BSS) of the AP.

[0098] 9. The method described in Clause 1 further includes:

[0099] The severity of the intrusion may be calculated using one or more of the following:

[0100] The Received Signal Strength Indication (RSSI) value of the frame received from the Basic Service Set (BSS) of the malicious AP;

[0101] The minimum (min) spatial reuse group overlapping basic service set packet detect (SRG OBSS PD) threshold in the control frame;

[0102] The maximum (max) threshold of SRG OBSS PD in the control frame;

[0103] The channel load value corresponding to the BSS of the malicious AP; and

[0104] The attack hop value representing the proximity between the AP and the malicious AP.

[0105] 10. An access point (AP), comprising:

[0106] One or more computer processors are configured to:

[0107] Detect malicious access point (AP) intrusions;

[0108] The intrusion is characterized by using one or more spatial reuse parameters included in the control frames sent by the malicious AP, and

[0109] Based on the characterization, a defensive posture is selected for the AP.

[0110] 11. The AP according to Clause 10, wherein the one or more computer processors are further configured to:

[0111] Inspect the control frames from the malicious AP, and

[0112] The detection of the intrusion includes identifying the basic service set (BSS) of the malicious AP within its spatial reuse group (SRG).

[0113] 12. The AP as described in Clause 10, wherein detecting the intrusion includes:

[0114] Receive an indication from one of (i) an adjacent AP and (ii) a sensor device, indicating that the basic service set (BSS) of the AP is included in the spatial reuse group (SRG) of the malicious AP.

[0115] 13. The AP as described in Clause 10, wherein characterizing the intrusion includes characterizing the malicious AP as either benign or malicious.

[0116] 14. The AP as described in Clause 10, wherein characterizing the intrusion includes determining at least one of the following:

[0117] The carrier frequency offset of the malicious AP;

[0118] The sampling frequency offset of the malicious AP;

[0119] The power amplifier characteristics of the malicious AP; and

[0120] The out-of-band power of the malicious AP.

[0121] 15. The AP as described in Clause 10, wherein selecting the defensive posture for the AP includes, for a first characterization of the intrusion:

[0122] Add the basic service set (BSS) of the malicious AP to the spatial reuse group (SRG) of the AP; and

[0123] Adjust the sensitivity threshold of the SRG.

[0124] 16. The AP as described in Clause 15, wherein selecting the defensive posture for the AP includes, for a second characterization of the intrusion that is less severe than the first characterization:

[0125] Change the color or channel of the Basic Service Set (BSS) of the AP.

[0126] 17. The AP according to Clause 10, wherein the one or more computer processors are further configured to:

[0127] The severity of the intrusion may be calculated using one or more of the following:

[0128] The Received Signal Strength Indication (RSSI) value of the frame received from the Basic Service Set (BSS) of the malicious AP;

[0129] The minimum (min) spatial reuse group overlapping basic service set packet detect (SRG OBSS PD) threshold in the control frame;

[0130] The maximum (max) threshold of SRG OBSS PD in the control frame;

[0131] The channel load value corresponding to the BSS of the malicious AP; and

[0132] The attack hop value representing the proximity between the AP and the malicious AP.

[0133] 18. A computer program product comprising:

[0134] A computer-readable storage medium embodying computer-readable program code that can be executed by one or more computer processors to perform operations including:

[0135] Detecting an intrusion by a malicious access point (AP); and

[0136] The intrusion is characterized by one or more spatial reuse parameters included in the control frames sent by the malicious AP, and

[0137] The characterization of the intrusion is used to select a defensive posture for a known AP.

[0138] 19. The computer program product according to Clause 18, wherein selecting the defensive posture for the known AP includes, for a first characterization of the intrusion:

[0139] Add the basic service set (BSS) of the malicious AP to the spatial reuse group (SRG) of the known AP; and

[0140] Adjust the sensitivity threshold of the SRG.

[0141] 20. The computer program product according to Clause 18, wherein the operation further comprises:

[0142] The severity of the intrusion may be calculated using one or more of the following:

[0143] The Received Signal Strength Indication (RSSI) value of the frame received from the Basic Service Set (BSS) of the malicious AP;

[0144] The minimum (min) spatial reuse group overlapping basic service set packet detect (SRG OBSS PD) threshold in the control frame;

[0145] The maximum (max) threshold of SRG OBSS PD in the control frame;

[0146] The channel load value corresponding to the BSS of the malicious AP; and

[0147] The attack hop value representing the proximity between the known AP and the malicious AP.

Claims

1. A computer-implemented method for an access point (AP), the method comprising: inspecting control frames received from a malicious AP; characterizing the intrusion of the malicious AP using one or more spatial reuse parameters included in the control frame; and selecting a defensive posture for the AP based on the characterization, wherein selecting the defensive posture for the AP includes, for a first characterization of the intrusion: adding the basic service set (BSS) of the malicious AP to the spatial reuse group (SRG) of the AP; and adjusting the sensitivity threshold of the SRG, and wherein selecting the defensive posture for the AP includes, for a second characterization of the intrusion that is less severe than the first characterization: changing the color or channel of the basic service set (BSS) of the AP.

2. A computer-implemented method for an access point (AP), comprising: detecting an intrusion by a malicious access point (AP); characterizing the intrusion using one or more spatial reuse parameters included in the control frames sent by the malicious AP; and selecting a defensive posture for the AP based on the characterization, wherein selecting the defensive posture for the AP includes, for a first characterization of the intrusion: adding the basic service set (BSS) of the malicious AP to the spatial reuse group (SRG) of the AP; and adjusting the sensitivity threshold of the SRG, and wherein selecting the defensive posture for the AP includes, for a second characterization of the intrusion that is less severe than the first characterization: changing the color or channel of the basic service set (BSS) of the AP.

3. The method according to claim 2, further comprising: inspecting the control frames from the malicious AP, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within its spatial reuse group (SRG).

4. The method according to any one of claims 1 to 3, further comprising: detecting the intrusion in response to the AP inspecting the control frame, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within the spatial reuse group (SRG) of the malicious AP.

5. The method according to any one of claims 1 to 3, further comprising: detecting the intrusion in response to a neighboring AP inspecting the control frame, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within the spatial reuse group (SRG).

6. The method according to any one of claims 1 to 3, further comprising: detecting the intrusion in response to a sensor device inspecting the control frame, wherein detecting the intrusion includes identifying the basic service set (BSS) of the malicious AP within the spatial reuse group (SRG) of the malicious AP.

7. The method according to any one of claims 1 to 3, wherein characterizing the intrusion includes characterizing the malicious AP as either benign or malicious.

8. The method according to any one of claims 1 to 3, wherein characterizing the intrusion includes identifying at least one of the following: the carrier frequency offset of the malicious AP; the sampling frequency offset of the malicious AP; the power amplifier characteristics of the malicious AP; and the out-of-band power of the malicious AP.

9. The method according to any one of claims 1 to 3, further comprising: calculating the severity of the intrusion using one or more of the following: the Received Signal Strength Indication (RSSI) value of the frame received from the basic service set (BSS) of the malicious AP; the minimum (min) spatial reuse group overlapping basic service set packet detect (SRG OBSS PD) threshold in the control frame; the maximum (max) threshold of SRG OBSS PD in the control frame; the channel load value corresponding to the BSS of the malicious AP; and the attack hop value representing the proximity between the AP and the malicious AP.

10. The method according to any one of claims 1 to 3, wherein detecting the intrusion includes: receiving an indication from one of (i) an adjacent AP and (ii) a sensor device, indicating that the basic service set (BSS) of the AP is included in the spatial reuse group (SRG) of the malicious AP.

11. An access point (AP) comprising one or more computer processors configured to perform the method according to any one of the preceding claims.

12. A computer-readable storage medium embodying computer-readable program code executable by one or more computer processors to perform the method according to any one of claims 1 to 10.