Detecting Medium Access Control (MAC) address spoofing in Wi-Fi networks using channel correlation

Document No.: 1786407 Publication date: 2019-12-06

Summary: This technology, Detecting Medium Access Control (MAC) address spoofing in Wi-Fi networks using channel correlation, was created by S. Nandha Premnath, S. A. Ahmadzadeh and S. M. Das on 2018-02-21. Various embodiments include systems and methods of determining, by a wireless communication device, whether there is medium access control (MAC) address spoofing in a network. The processor of the wireless communication device may determine an expected coherence interval based on a beacon frame received from an access point. The processor may schedule an active scan request and may determine whether a response frame corresponding to the scheduled active scan request is received within the expected coherence interval. The processor may calculate a first correlation coefficient in response to receiving the response frame within the expected coherence interval and may determine that MAC address spoofing is not present in the network when the first correlation coefficient is greater than a first predetermined threshold.

1. A method of determining whether there is medium access control, MAC, address spoofing in a wireless communication network, comprising:

Transmitting, by the wireless communication device, an active scanning request in response to receiving the beacon frame;

determining, by a processor of the wireless communication device, whether a response frame corresponding to the active scanning request is received within an expected coherence interval after receiving the beacon frame;

Determining, by the processor, a first correlation coefficient in response to determining that the response frame is received within the expected coherence interval; and

Determining that MAC address spoofing is not present in the wireless communication network when the first correlation coefficient is greater than a first predetermined threshold.

2. The method of claim 1, further comprising:

determining, by the processor, the expected coherence interval based on at least one of a speed of the wireless communication device and a frequency band in which the beacon frame is transmitted.

3. The method of claim 1, further comprising:

Measuring, by the processor, a signal characteristic of the beacon frame; and

measuring, by the processor, a signal characteristic of the response frame,

wherein determining the first correlation coefficient comprises: determining, by the processor, the first correlation coefficient based on the measured signal characteristic of the response frame and the measured signal characteristic of the beacon frame.

4. The method of claim 3, wherein the measured signal characteristic of the response frame or the beacon frame is based on at least one of a Received Signal Strength Indicator (RSSI), a channel impulse response, a channel frequency response, and an angle of arrival.

5. The method of claim 1, further comprising:

determining, by the processor, that MAC address spoofing is present in the wireless communication network in response to determining that the first correlation coefficient is less than the first predetermined threshold; and

initiating, by the processor, a countermeasure in response to determining that MAC address spoofing exists in the wireless communication network.

6. The method of claim 5, wherein the countermeasures include at least one of sleep deprivation attack countermeasures, deauthentication attack countermeasures, and disassociation attack countermeasures.

7. The method of claim 1, further comprising:

Determining, by the processor, whether one or more additional frames are received within the expected coherence interval in response to determining that MAC address spoofing exists in the wireless communication network;

determining, by the processor, a frame type for each of the one or more additional frames received within the expected coherence interval;

Determining, by the processor, a second correlation coefficient for each frame type of the one or more additional frames received within the expected coherence interval; and

Initiating, by the processor, a first countermeasure in response to determining that the second correlation coefficient for each frame type is less than a second predetermined threshold.

8. The method of claim 7, further comprising:

Initiating, by the processor, a second countermeasure in response to determining that the second correlation coefficient for each frame type is greater than the second predetermined threshold.

9. The method of claim 7, wherein determining a second correlation coefficient for each frame type of the one or more additional frames received within the expected coherence interval comprises: determining, by the processor, the second correlation coefficient based on a measured signal characteristic of the response frame, a measured signal characteristic of the beacon frame, and a measured signal characteristic of one of the one or more additional frames received within the expected coherence interval.

10. The method of claim 1, further comprising:

Receiving, by the processor, measured signal characteristics corresponding to each frame received at one or more internet of things (IoT) devices within the expected coherence interval; and

determining, by the processor, whether there is MAC address spoofing in the wireless communication network based on the measured signal characteristics corresponding to each frame received at the one or more Internet of things (IoT) devices within the expected coherence interval.

11. A wireless communication device, comprising:

a Radio Frequency (RF) resource; and

A processor coupled to the RF resource and configured with processor-executable instructions to:

Transmitting an active scanning request in response to receiving the beacon frame;

Determining whether a response frame corresponding to the active scan request is received within an expected coherence interval after receiving the beacon frame;

in response to determining that the response frame is received within the expected coherence interval, determining a first correlation coefficient; and

Determining that MAC address spoofing is not present in the wireless communication network when the first correlation coefficient is greater than a first predetermined threshold.

12. The wireless communication device of claim 11, wherein the processor is further configured with processor-executable instructions to:

Determining the expected coherence interval based on at least one of a speed of the wireless communication device and a frequency band in which the beacon frame is transmitted.

13. The wireless communication device of claim 11, wherein the processor is further configured with processor-executable instructions to:

Measuring a signal characteristic of the beacon frame; and

Measuring a signal characteristic of the response frame,

wherein the processor is further configured with processor-executable instructions to: determining the first correlation coefficient based on the measured signal characteristic of the response frame and the measured signal characteristic of the beacon frame.

14. The wireless communication device of claim 13, wherein the processor is further configured with processor-executable instructions to: measuring the signal characteristic of the response frame or the beacon frame based on at least one of a Received Signal Strength Indicator (RSSI), a channel impulse response, a channel frequency response, and an angle of arrival.

15. The wireless communication device of claim 11, wherein the processor is further configured with processor-executable instructions to:

determining that MAC address spoofing is present in the wireless communication network in response to determining that the first correlation coefficient is less than the first predetermined threshold; and

initiating a countermeasure in response to determining that MAC address spoofing exists in the wireless communication network.

16. The wireless communication device of claim 15, wherein the countermeasures include at least one of sleep deprivation attack countermeasures, deauthentication attack countermeasures, and disassociation attack countermeasures.

17. The wireless communication device of claim 11, wherein the processor is further configured with processor-executable instructions to:

determining whether one or more additional frames are received within the expected coherence interval in response to determining that MAC address spoofing exists in the wireless communication network;

determining a frame type for each of the one or more additional frames received within the expected coherence interval;

Determining a second correlation coefficient for each frame type of the one or more additional frames received within the expected coherence interval; and

In response to determining that the second correlation coefficient for each frame type is less than a second predetermined threshold, initiating a first countermeasure.

18. The wireless communication device of claim 17, wherein the processor is further configured with processor-executable instructions to:

Initiating a second countermeasure in response to determining that the second correlation coefficient for each frame type is greater than the second predetermined threshold.

19. The wireless communication device of claim 17, wherein the processor is further configured with processor-executable instructions to: determining the second correlation coefficient based on a measured signal characteristic of the response frame, a measured signal characteristic of the beacon frame, and a measured signal characteristic of one of the one or more additional frames received within the expected coherence interval.

20. The wireless communication device of claim 11, wherein the processor is further configured with processor-executable instructions to:

Receiving measured signal characteristics corresponding to each frame received at one or more internet of things (IoT) devices within the expected coherence interval; and

Determining whether there is MAC address spoofing in the wireless communication network based on the measured signal characteristics corresponding to each frame received at the one or more Internet of things (IoT) devices within the expected coherence interval.

21. A wireless communication device, comprising:

means for receiving a beacon frame;

Means for transmitting an active scan request in response to receiving a beacon frame;

Means for determining whether a response frame corresponding to the active scan request is received within an expected coherence interval after receiving the beacon frame;

Means for determining a first correlation coefficient in response to determining that the response frame is received within the expected coherence interval; and

Means for determining that MAC address spoofing is not present in the wireless communication network when the first correlation coefficient is greater than a first predetermined threshold.

22. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a wireless communication device to perform operations comprising:

Transmitting an active scanning request in response to receiving the beacon frame;

Determining whether a response frame corresponding to the active scan request is received within an expected coherence interval after receiving the beacon frame;

In response to determining that the response frame is received within the expected coherence interval, determining a first correlation coefficient; and

Determining that MAC address spoofing is not present in the wireless communication network when the first correlation coefficient is greater than a first predetermined threshold.

23. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor of the wireless communication device to perform operations further comprising:

Determining the expected coherence interval based on at least one of a speed of the wireless communication device and a frequency band in which the beacon frame is transmitted.

24. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor of the wireless communication device to perform operations further comprising:

Measuring a signal characteristic of the beacon frame; and

Measuring a signal characteristic of the response frame,

wherein determining the first correlation coefficient comprises: determining the first correlation coefficient based on the measured signal characteristic of the response frame and the measured signal characteristic of the beacon frame.

25. The non-transitory processor-readable storage medium of claim 24, wherein measuring the signal characteristic of the response frame or the beacon frame comprises measuring the signal characteristic based on at least one of a Received Signal Strength Indicator (RSSI), a channel impulse response, a channel frequency response, and an angle of arrival.

26. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor of the wireless communication device to perform operations further comprising:

determining that MAC address spoofing is present in the wireless communication network in response to determining that the first correlation coefficient is less than the first predetermined threshold; and

initiating a countermeasure in response to determining that MAC address spoofing exists in the wireless communication network.

27. The non-transitory processor-readable storage medium of claim 26, wherein the countermeasures include at least one of sleep deprivation attack countermeasures, deauthentication attack countermeasures, and disassociation attack countermeasures.

28. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor of the wireless communication device to perform operations further comprising:

Determining whether one or more additional frames are received within the expected coherence interval in response to determining that MAC address spoofing exists in the wireless communication network;

Determining a frame type for each of the one or more additional frames received within the expected coherence interval;

Determining a second correlation coefficient for each frame type of the one or more additional frames received within the expected coherence interval; and

In response to determining that the second correlation coefficient for each frame type is less than a second predetermined threshold, initiating a first countermeasure.

29. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor of the wireless communication device to perform operations further comprising:

Initiating a second countermeasure in response to determining that the second correlation coefficient for each frame type is greater than the second predetermined threshold.

30. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor of the wireless communication device to perform operations further comprising:

Receiving measured signal characteristics corresponding to each frame received at one or more internet of things (IoT) devices within the expected coherence interval; and

Determining whether there is MAC address spoofing in the wireless communication network based on the measured signal characteristics corresponding to each frame received at the one or more Internet of things (IoT) devices within the expected coherence interval.

Background

A Media Access Control (MAC) address is an identifier initially assigned by the device manufacturer. After hard-coding and storage, the MAC address is used for device identification and communication within the communication network.

In some forms of network attack, an unauthorized device may obscure its initially assigned MAC address in order to impersonate another device within the communication network. For example, a "rogue access point" may impersonate a benign or authorized access point in a wireless communication network by spoofing the MAC address of the authorized access point. Rogue access points may use spoofed MAC addresses to launch various types of attacks within the network.

Reducing or preventing attacks by rogue access points within a wireless communication network presents various challenges. For example, devices within a wireless communication network establish or maintain communication between the wireless communication device and an access point using a MAC address broadcast by the access point. Since the network device cannot distinguish between authorized access points and rogue access points based solely on MAC addresses, any identification of rogue access points relies on additional system resources and/or introduces undesirable delays or service interruptions.

For example, profiles of known benign access points (i.e., access point whitelists) may be updated and stored at various network nodes, including wireless communication devices, benign access points, and/or servers within the network. When a wireless communication device or benign access point receives a communication from an access point, the MAC address is extracted from the communication and compared to the profile of known benign access points. If the MAC address matches a known benign access point, then normal operation based on the MAC address is allowed. However, if the MAC address of the benign access point is spoofed by a rogue access point after the profile is established, then the spoofing attack cannot be detected until the wireless communication device attempts to establish communication with the rogue access point, or until the benign access point initiates a de-authentication or disassociation procedure with the wireless communication device based on communications transmitted using the spoofed MAC address. Thus, a device-initiated attack using a fake MAC address can only be thwarted if the first attack was successful and the stored profile of the benign access point is updated to reflect that the previously benign MAC address has been spoofed.

Disclosure of Invention

Various embodiments include methods, and wireless communication devices having processors that implement the methods, of determining whether MAC address spoofing is present in a wireless communication network. Various embodiments may include transmitting, by a wireless communication device, an active scan request in response to receiving a beacon frame; determining whether a response frame corresponding to the active scan request is received within an expected coherence interval after receiving the beacon frame; determining a first correlation coefficient in response to determining that the response frame is received within the expected coherence interval; and determining that there is no MAC address spoofing in the network when the first correlation coefficient is greater than a first predetermined threshold.

Some embodiments may further include determining the expected coherence interval based on at least one of a speed of the wireless communication device and a frequency band in which the beacon frame is transmitted. Some embodiments may further include measuring a signal characteristic of the beacon frame, and measuring a signal characteristic of the response frame, wherein determining the first correlation coefficient comprises determining the first correlation coefficient based on the measured signal characteristic of the response frame and the measured signal characteristic of the beacon frame. In such embodiments, the measured signal characteristics of the response frame or beacon frame may be based on at least one of a Received Signal Strength Indicator (RSSI), a channel impulse response, a channel frequency response, and an angle of arrival.

Some embodiments may further include determining that MAC address spoofing is present in the network in response to determining that the first correlation coefficient is less than the first predetermined threshold, and initiating a countermeasure in response to determining that MAC address spoofing is present in the network. In such embodiments, the countermeasure can include at least one of a sleep deprivation attack countermeasure, a de-authentication attack countermeasure, and a disassociation attack countermeasure.

Some embodiments may further include determining whether one or more additional frames are received within an expected coherence interval in response to determining that MAC address spoofing is present in the network, determining a frame type for each of the one or more additional frames received within the expected coherence interval, determining a second correlation coefficient for each frame type of the one or more additional frames received within the expected coherence interval, and initiating a first countermeasure in response to determining that the second correlation coefficient for each frame type is less than a second predetermined threshold. Some embodiments may further include initiating a second countermeasure in response to determining that the second correlation coefficient for each frame type is greater than the second predetermined threshold. In some embodiments, determining the second correlation coefficient for each frame type of the one or more additional frames received within the expected coherence interval may include determining the second correlation coefficient based on the measured signal characteristic of the response frame, the measured signal characteristic of the beacon frame, and the measured signal characteristic of one of the one or more additional frames received within the expected coherence interval.

Some embodiments may further include receiving measured signal characteristics corresponding to each frame received at one or more internet of things (IoT) devices within the expected coherence interval, and determining whether MAC address spoofing is present in the network based on the measured signal characteristics corresponding to each frame received at the one or more IoT devices within the expected coherence interval.

Various embodiments may further include a wireless communication device having a Radio Frequency (RF) resource, and a processor coupled to the RF resource and configured with processor-executable instructions to perform operations of the method outlined above. Various embodiments include a wireless communication device having means for performing the functions of the method outlined above. Various embodiments include a non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a wireless communication device to perform the operations of the method outlined above.

Drawings

The accompanying drawings, which are incorporated herein and constitute part of this specification, illustrate exemplary embodiments and, together with the general description given above and the detailed description given below, serve to explain the features of the various embodiments.

Fig. 1 is a component block diagram of a communication system suitable for use in various embodiments.

Fig. 2 is a component block diagram of a wireless communication device, according to various embodiments.

Fig. 3 is a signal flow diagram illustrating communication flows in a system according to various embodiments.

Fig. 4 is a graph illustrating an exemplary coherence interval, in accordance with various embodiments.

Fig. 5A and 5B are scatter plots of signal characteristic correlations according to various embodiments.

Fig. 6 is a process flow diagram illustrating a method of determining whether MAC address spoofing is present in a network in accordance with various embodiments.

Fig. 7 is a process flow diagram illustrating another method of determining whether MAC address spoofing is present in a network in accordance with various embodiments.

Fig. 8 is a process flow diagram illustrating another method of determining whether MAC address spoofing is present in a network in accordance with various embodiments.

Fig. 9 is a component block diagram of a wireless communication device, according to various embodiments.

Fig. 10 is a component block diagram of another wireless communication device, according to various embodiments.

Detailed Description

Various embodiments will be described in detail with reference to the accompanying drawings. The same reference numbers will be used throughout the drawings to refer to the same or like parts wherever possible. References to specific examples and embodiments are for illustrative purposes, and are not intended to limit the scope of various embodiments or the claims.

Various embodiments include methods configured for determining whether there is MAC address spoofing in a wireless communication network and computing devices configured to implement the methods. In various embodiments, a processor of a wireless communication device may determine whether MAC address spoofing is present in a communication network based on calculated or determined correlation coefficients.

The term "wireless communication device" is used herein to refer to any device that may communicate with another device using Radio Frequency (RF) communication, e.g., as a participant in a wireless communication network.

A wireless communication device implementing the various embodiments may include any or all of the following: mobile computing devices, laptop computers, tablet computers, cellular telephones, smart phones, personal or mobile multimedia players, Personal Data Assistants (PDAs), smartbooks, palmtop computers, wireless email receivers, multimedia internet enabled cellular telephones, wireless gaming systems and controllers, smart appliances (including televisions, set-top boxes, kitchen appliances, lights, and lighting systems), smart meters, air conditioning/HVAC systems, thermostats, building security systems (including door and window locks), vehicle entertainment systems, vehicle diagnostic and monitoring systems, unmanned and/or semi-automatic aircraft, automobiles, sensors, machine-to-machine devices, and similar devices that include programmable processors, memories, and/or circuits for establishing wireless communication paths and transmitting/receiving data over wireless communication networks. The various embodiments may be particularly useful in mobile computing and mobile communication devices, such as smart phones, tablet computers, and other portable computing platforms, which are easily transported to locations where rogue access points may be hidden.

The term "rogue access point" is used herein to refer to any access point that transmits communications using a forged or spoofed MAC address.

As used herein, the terms "component," "module," "system," and the like are intended to encompass a computer-related entity, such as, but not limited to, hardware, firmware, a combination of hardware and software, or software in execution, that is configured to perform a particular operation or function. For example, a component may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a communication device and the communication device can be referred to as a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one processor or core and/or distributed between two or more processors or cores. Additionally, these components can execute from various non-transitory computer readable media having various instructions and/or data structures stored thereon. The components may communicate by way of local and/or remote processes, function or program calls, electronic signals, data packets, memory reads/writes, and other known computer, processor, and/or process related communication methods.

A rogue access point may launch various types of attacks on wireless communication devices in a wireless communication network by using spoofed MAC addresses. For example, a rogue access point may launch a sleep deprivation attack, a de-authentication attack, a disassociation attack, or any other denial of service attack by spoofing the MAC address of a legitimate access point providing the wireless communication network.

Different types of attacks by rogue access points may undesirably affect the performance of a wireless communication device associated with a wireless communication network or the coverage and/or capabilities of a wireless communication network. For example, during a sleep deprivation attack, a rogue access point may transmit beacon frames using a forged MAC address of an authorized access point that provides a wireless communication network. By continuously receiving beacon frames, the wireless communication device may be prevented from entering a sleep or idle state, which may quickly drain the battery of the wireless communication device.

De-authentication and disassociation attacks by rogue access points disrupt communication between a wireless communication device and an authorized access point providing a wireless communication network. For example, a rogue access point may broadcast a deauthentication frame or a disassociation frame using a forged MAC address. A wireless communication device receiving such a frame may disassociate from the authorized access point, which may undesirably interrupt communication between the wireless communication device and the wireless communication network. To re-establish communication with the wireless communication network, the wireless communication device must first initiate subsequent authentication and/or association procedures, which may introduce undesirable delays and/or service interruptions.

Detecting MAC address spoofing attacks by rogue access points presents challenges in conventional communication systems. This is particularly true for mobile wireless communication devices that may encounter signals from a rogue access point in a new location without a priori knowledge of the characteristics or profile information of the legitimate access points hosting the local wireless communication network.

Various embodiments include methods, which may be implemented on a wireless communication device, for determining whether MAC address spoofing is present in a wireless communication network supported by a legitimate access point. In various embodiments, a processor of a wireless communication device may determine whether MAC address spoofing is present based on one or more wireless signal characteristics sampled during active and passive scans of a wireless communication network performed by the wireless communication device. The one or more sampled signal characteristics may be used to calculate coefficients to determine correlations between sampled signal characteristics associated with beacon frames and sampled signal characteristics associated with response frames received from legitimate access points and rogue access points (if any). Thus, the various embodiments enable a wireless communication device to dynamically determine or recognize whether there is MAC address spoofing in an area including a wireless communication network based only on sampled wireless signal characteristics and without relying on previously stored profile information for known benign or legitimate access points.

When a wireless signal (e.g., a radio wave) is transmitted from an antenna of a transmitting wireless access point, the wireless signal may travel along multiple paths before reaching a receiving device. This multipath propagation may be caused by reflection, refraction, diffraction, atmospheric wave guides, ionospheric reflections, etc. Multipath propagation may result in variations in the received signal at the receiving device, depending on the number and characteristics of the different signal propagation paths.

For example, a wireless signal transmitted by a first access point may propagate along a first path, a second path, and a third path before reaching a wireless communication device. As the wireless signal propagates on the first path, the wireless signal may reflect off of the first intermediate object, thereby introducing a unique change to the transmitted wireless signal. Likewise, when the wireless signal propagates on the second path, the wireless signal may reflect from the second intermediate object, thereby introducing another unique change to the transmitted wireless signal.

Multipath signal propagation characteristics may vary over time and/or space due to the location and/or mobility of the transmitting device, the location and/or mobility of the receiving device, the mobility of intermediate objects, environmental factors, and so forth. The variations introduced into the wireless signal during propagation produce unique signal characteristics that can be measured by the receiving device.

However, two different wireless signals propagating between the same pair of transmitting and receiving devices over a predictable time interval (referred to herein as a coherence interval) may encounter the same or substantially similar factors that cause the wireless signals to vary uniquely. For example, because each wireless signal within the coherence interval may encounter the same or substantially similar factors affecting signal propagation, the resulting variations of each wireless signal may be similar. Thus, the signal characteristics measured by the receiving apparatus on the channel associated with the first wireless signal may be the same as or substantially similar to the signal characteristics measured by the receiving apparatus on the channel associated with the second wireless signal. When the signal characteristics corresponding to two different wireless signals are the same or substantially similar, the two signal characteristics may be considered to have a high correlation with respect to each other.

Conversely, when a receiving device receives wireless signals from two different transmitting devices at different locations, the signal characteristics of each wireless signal will typically differ to a measurable degree due to the different propagation paths and the effects encountered by the different wireless signals. Thus, the signal characteristics measured on the channel associated with the first wireless signal received from the first transmitting device (e.g., a legitimate access point) will be completely different from, and thus uncorrelated with (i.e., exhibit low correlation with), the signal characteristics measured on the channel associated with the second wireless signal received from the second transmitting device (e.g., a rogue access point). If the distance between the two transmitters is greater than a decorrelation distance, which depends on the wavelength of the signal, the signal characteristic measurements from the two transmitters as observed at the receiver device can be determined to be uncorrelated.

In various embodiments, a wireless communication device may infer the presence of a malicious access point performing MAC address spoofing in a wireless communication network based on a reduced correlation of wireless channel samples between active and passive scans by the wireless communication device. For example, a wireless communication device can detect the presence of multiple access points that use the same MAC address to transmit information (e.g., the presence of a rogue access point) by detecting inconsistent channel correlations caused by different propagation paths between active scan response frames transmitted by multiple access points and beacon frames transmitted by one of the access points. In various embodiments, such inconsistent channel correlation may be determined by the wireless communication device based on one or more measured signal characteristics (e.g., RSSI) of the response frame and the beacon frame.

In some embodiments, the wireless communication device may further identify or classify the attack type if the wireless communication device detects MAC address spoofing in the wireless communication network. Classification of different types of attacks (e.g., sleep deprivation attacks, deauthentication attacks, disassociation attacks, etc.) by a wireless communication device may be based on the degree of correlation in channel measurements across one or more beacon frames, active scan response frames, deauthentication frames, disassociation frames, etc. In some embodiments, the wireless communication device may initiate a countermeasure to the attack based on the type of attack detected by the wireless communication device.

In some embodiments, a method for determining whether MAC address spoofing exists in a network may be implemented in a wireless communication network including internet of things (IoT) devices and/or smart home devices. For example, signal channel measurements detected at IoT devices and/or smart home devices may be used to overcome potential interfering adversaries, to obtain a better vantage point to detect rogue access points, and so on.

The various embodiments may be implemented within various communication systems 100, an example of which is illustrated in fig. 1. The communication system 100 may include a wireless communication device 102, a first access point 104 (which in the illustrated example is an unauthorized or rogue access point), a second access point 106, a third access point 108, an evolved packet core 110, an internet of things (IoT) device 120, and a communication network 118.

The first access point 104, the second access point 106, and the third access point 108 may be configured to communicate with the wireless communication device 102. In various embodiments, the first access point 104, the second access point 106, and the third access point 108 may be Wi-Fi access points, macrocell access points, microcell access points, picocell access points, femtocell access points, and the like. Although three access points are illustrated in fig. 1, any number of access points may be implemented within communication system 100. For example, when there is no MAC address spoofing in the communication system 100, the communication system 100 may not include the first (i.e., rogue) access point 104. Additionally, although at least one of the first access point 104, the second access point 106, and the third access point 108 may be a Wi-Fi access point, the communication system 100 does not require a Wi-Fi access point to implement any of the various embodiments.

For purposes of example, the first access point 104 is a rogue access point configured to mimic a benign or authorized access point. For example, the first access point 104 may be a rogue access point that spoofs the MAC address of a benign access point 106 or 108. The first access point 104 may be a stand-alone device or the first access point 104 may be integrated into another device. In some cases, the first access point 104 may also have obtained unauthorized access to communicate with the communication network 118 or separately communicate with the internet in order to support wide area network communications to appear legitimate while conducting network attacks.

The second access point 106 may be configured to communicate with the evolved packet core 110 via a wired or wireless communication link, which may include a twisted pair backhaul link, a fiber optic backhaul link, a microwave backhaul link, a cellular data network, and other suitable communication links.

The third access point 108 can be a benign access point authorized by the communication system 100 such that the third access point 108 communicates with the communication network 118. In some embodiments, the third access point 108 may be a Wireless Local Area Network (WLAN) access point, such as a Wi-Fi "hotspot."

Evolved packet core 110 may be configured to facilitate communication of control and user information between communication network 118 and wireless communication device 102. Although the evolved packet core 110 illustrated in fig. 1 is described based on a 3GPP architecture, the evolved packet core 110 may use any communication protocol and may include various devices configured to facilitate communication of control and user information between the communication network 118 and the wireless communication device 102.

In various embodiments, evolved packet core 110 may include a mobility management entity/serving gateway (MME/SGW) device 112 and a Packet Data Network (PDN) gateway (PDN-GW) 114. Fig. 1 illustrates the MME/SGW device 112 as a combination of MME and SGW devices. However, the MME and SGW may be implemented as separate devices within evolved packet core 110. The MME may be a control node that handles signaling between the wireless communication device 102 and the evolved packet core 110. In general, the MME may provide bearer and connection management. The MME may be responsible for idle mode tracking and paging of the wireless communication device 102, bearer activation and deactivation, and SGW selection of the wireless communication device. The MME can additionally authenticate the wireless communication device 102 and implement non-access stratum (NAS) signaling with the wireless communication device 102. All Internet Protocol (IP) packets addressed to the wireless communication device 102 may be communicated through the SGW, which may be connected to the PDN-GW 114. The SGW may reside in the user plane and act as a mobility anchor for inter-access node handovers and handovers between different technologies. PDN-GW 114 may provide connectivity to communication network 118. The PDN-GW 114 may provide IP address allocation as well as other functionality to the wireless communication device 102.

In various embodiments, the second access point 106 and the third access point 108 may provide the wireless communication device 102 with access to the communication network 118 via the evolved packet core 110 using different Radio Access Technologies (RATs). For example, the second access point 106 may provide the wireless communication device 102 with access to the communication network 118 using a Long Term Evolution (LTE) access technology, and the third access point 108 may provide the wireless communication device 102 with access to the communication network 118 using a WLAN access technology defined by an Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard.

In some embodiments, the second access point 106 may directly access the evolved packet core 110 by communicating with the MME/SGW device 112. Third access point 108 may access evolved packet core 110 through wireless gateway 116.

The wireless communication device 102 may detect and attempt to associate with the first access point 104 via the first communication link 122, the second access point 106 via the second communication link 124, and the third access point 108 via the third communication link 126. Although the first, second, and third communication links 122, 124, 126 are each illustrated as a single link, each of the first, second, and third communication links 122, 124, 126 may include: a plurality of carrier signals, frequencies or frequency bands, each carrier signal, frequency or frequency band may include a plurality of logical channels. Further, each of the communication links 122, 124, and 126 may correspond to a set of multipath components. For example, the illustrated communication link 126 includes three multipath components 132, 134, and 136. Multipath component 134 represents a line-of-sight path between wireless communication device 102 and access point 108; multipath components 132 and 136 are formed by the reflection of signals in the environment at reflective surfaces 128 and 130, respectively. The first communication link 122 and the third communication link 126 may use relatively short range wireless communication protocols, such as Wi-Fi, ZigBee, Bluetooth, IEEE 802.11, and others. The second communication link 124 may comprise a cellular communication link using the following techniques: 3GPP Long Term Evolution (LTE), Global System for Mobile (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Worldwide Interoperability for Microwave Access (WiMAX), Time Division Multiple Access (TDMA), and other mobile phone communication technologies. Additionally, the first communication link 122, the second communication link 124, and/or the third communication link 126 may utilize more than one Radio Access Technology (RAT).

In some embodiments, the IoT or smart-home device 120 may be a wireless communication device configured to communicate with one or more devices within the system 100 (including the wireless communication device 102) using RF communication. The additional communication may include communication with another wireless device, a base station (including cellular communication network base stations and IoT base stations), an access point (including IoT access points), or other wireless devices. However, the communication system 100 does not require the IoT device 120 to perform the various embodiments.

In various embodiments, the wireless communication device 102 may determine whether MAC address spoofing is present in the communication system 100 based on a correlation coefficient between the beacon and the response signal calculated by the wireless communication device 102. For example, if the first access point 104 spoofs the MAC address of the second access point 106 or the third access point 108, the wireless communication device 102 can recognize the existence of MAC address spoofing because the correlation coefficient between the beacon and the response signal, as calculated by the wireless communication device 102, will be less than a predetermined correlation threshold.

Fig. 2 illustrates a component block diagram of an example of a wireless communication device 200 suitable for various embodiments. Referring to fig. 1 and 2, the wireless communication device 200 may be similar to the wireless communication device 102 and/or the IoT device 120.

The wireless communication device 200 may include at least one controller, such as a processor 202. The processor 202 may be a processor that may be configured with processor-executable instructions to perform the operations of the various embodiments, a specialized processor (e.g., a modem processor) that may be configured with processor-executable instructions to perform the operations of the various embodiments in addition to the primary function, dedicated hardware (i.e., "firmware") circuitry configured to perform the operations of the various embodiments, or a combination of dedicated hardware/firmware and programmable processors.

The processor 202 may be coupled to a memory 204, and the memory 204 may be a non-transitory computer-readable storage medium that stores processor-executable instructions. Memory 204 may store an operating system, as well as user application software and executable instructions. Memory 204 may also store application data, such as array data structures. Memory 204 may include one or more of cache memory, Read Only Memory (ROM), Random Access Memory (RAM), electrically erasable programmable ROM (EEPROM), static RAM (SRAM), dynamic RAM (DRAM), or other types of memory. Processor 202 may read information from memory 204 and write information to memory 204. Memory 204 may also store instructions associated with one or more protocol stacks. The protocol stack typically contains processor-executable instructions to communicate using a radio access protocol or a communications protocol.

The wireless communication device 200 may further include a communication interface 216 for connecting the wireless communication device 200 to a communication network, such as the communication network 118. Communication interface 216 may include physical layer components that may perform various encoding, signal transmission, and/or data transmission and reception functions. For example, the communication interface 216 may include one or more transceivers 218 and a baseband processor 220 for carrying out various functions of the communication interface 216. Communication interface 216 may include one or more wireless antennas, such as wireless antennas 222, 224, and 226, to support wireless communication between wireless communication device 200 and other devices. Each of the transceivers 218 may be configured to provide communications using one or more frequency bands associated with one or more RATs. The number of wireless antennas in wireless communication device 200 is not limited to three as illustrated in fig. 2, but may include any number of antennas. Additionally, although not illustrated in fig. 2, the communication interface 216 may further include one or more ports configured to provide wired interfacing connections to a network, such as ethernet connections, fiber optic connections, broadband cable connections, phone line connections, or other types of wired communication connections.

Processor 202 may be coupled to a medium access control (MAC) layer 214. The medium access control layer 214 may provide addressing and channel access control mechanisms between the I/O interface 208, the communication interface 216, and/or the processor 202 to allow the wireless communication device 200 to communicate with other devices, such as the first access point 104, the second access point 106, the third access point 108, the IoT devices 120, and/or other wireless communication devices.

The wireless communication device 200 may further include a signal characteristics component 206 configured to sample or determine one or more signal characteristics corresponding to communications received at the communication interface 216 from other devices. In various embodiments, the signal characteristics component 206 may further process, measure, or derive channel behavior from the sampled signal characteristics. Signal characteristics component 206 may sample or determine one or more different types of signal characteristics associated with signal frequencies, signal strengths, Round Trip Times (RTTs), amplitudes, etc. of multipath components. Although not an exhaustive list, some sampled or determined signal characteristics may include one or more of a Received Signal Strength Indicator (RSSI) value, a Received Channel Power Indicator (RCPI) value, a channel impulse response, a channel frequency response, an angle of arrival, and the like. These signal characteristics may be used to determine a correlation coefficient metric in various embodiments.

In various embodiments, the signal characteristics component 206 may be embodied as software, firmware, hardware, or some combination of software, firmware, and hardware. The signal characteristics component 206 is illustrated as a separate component coupled to the processor 202; however, at least a portion of the signal characteristics component 206 may be incorporated into the communication interface 216 and/or the processor 202.

In some embodiments, the wireless communication device 200 may further include one or more sensors 228 and/or input/output (I/O) interfaces 208. The one or more sensors 228 may be configured to measure various characteristics associated with the wireless communication device 200. For example, the one or more sensors 228 may include one or more of a camera, a proximity sensor, an ambient light sensor, an accelerometer, a near field communication sensor, a gyroscope, a magnetometer, a temperature sensor, a barometric pressure, a color sensor, an ultraviolet sensor, a Global Positioning System (GPS) sensor, and/or the like. I/O interface 208 can be configured to allow, enable, or provide one or more inputs and/or outputs at wireless communication device 200. For example, the I/O interface 208 may include or be coupled to an input component 210 (e.g., one or more of a speaker, a light, a switch, etc.), and an output component 212 (e.g., one or more of a display, a touch screen, a keypad, a keyboard, a button, a microphone, etc.).

Although not illustrated in fig. 2, the wireless communication device 200 may also include a bus for connecting various components of the wireless communication device 200 together, as well as a hardware or software interface to enable communication among the various components. The wireless communication device 200 may also include various other components not illustrated in fig. 2. For example, the wireless communication device 200 may further include various connection ports, additional processors or integrated circuits, and many other components.

Fig. 3 illustrates an example of signal flow in a communication system in accordance with various embodiments. Referring to fig. 1-3, the wireless communication device 102 may perform active and passive scanning for suitable access points. During passive scanning of the network, the wireless communication device 102 receives beacon frames broadcast from the wireless access points 104, 108, etc. During active scanning of the network, the wireless communication device 102 may transmit a predetermined active scanning request (e.g., an "active scanning request") according to an expected coherence interval. In response to receiving the active scan request, both the rogue access point 104 and the legitimate access point 108 will transmit response frames (e.g., "responses").

Fig. 4 is a graph 400 illustrating an exemplary coherence interval, in accordance with various embodiments. Referring to fig. 1-4, the graph 400 illustrates the relationship between the coherence interval and the speed of the wireless communication device 102 for two different frequency bands (e.g., 2.4 GHz and 5.5 GHz).

Fig. 5A and 5B are exemplary scatter plots of signal characteristic correlations according to various embodiments. Referring to fig. 1 through 5B, the differences in channel correlation based on sampled signal characteristics are illustrated as scatter plots. For example, the graph 500 in fig. 5A is a scatter plot illustrating high channel correlation between sampled RSSI values associated with response frames (e.g., "RSSIresponse") and sampled RSSI values associated with beacon frames (e.g., "RSSIbeacon"), as both the response frames and the beacon frames are transmitted by only one access point (e.g., 108). In contrast, graph 502 in fig. 5B is a scatter plot illustrating low channel correlation between sampled RSSI values associated with beacon frames (e.g., "RSSIbeacon") and sampled RSSI values associated with response frames (e.g., "RSSIresponse") when the wireless communication device 102 receives a mixture of beacon frames and/or response frames from both a rogue access point (e.g., 104) and a legitimate access point (e.g., 108). In some embodiments, the processor may determine that MAC address spoofing is present in the network when the correlation between the sampled signal characteristics is less than a low threshold. Alternatively or additionally, in some embodiments, the processor may determine that MAC address spoofing is not present in the network when a correlation between sampled signal characteristics is greater than a high threshold.

Fig. 6 is a process flow diagram illustrating a method 600 of determining whether MAC address spoofing exists in a network in accordance with various embodiments. Referring to fig. 1-6, the method 600 may be implemented by one or more processors (e.g., 202) of a wireless communication device (e.g., 102, 200).

In block 601, the wireless communication device 102 receives a beacon frame from an access point. For clarity and ease of explanation, it is assumed that the received beacon frame was transmitted by a benign access point, such as access point 108. However, the beacon frame may be transmitted by a benign access point (e.g., 108) or a rogue access point (e.g., 104). The processor of the wireless communication device extracts the MAC address contained in the first beacon frame. In addition, the processor may sample one or more signal characteristics on a channel associated with the first beacon frame.

In block 602, the processor may determine an expected coherence interval. The expected coherence interval can be determined by the processor in various ways, including a look-up table, one or more algorithms or equations, models, etc. In addition, the expected coherence interval can be determined based on at least one of a speed of the wireless communication device and a frequency band in which the first beacon frame is transmitted.

In some embodiments, the processor may use the speed of the wireless communication device 102 and the measured signal wavelength (λ) associated with the first beacon frame to calculate the expected coherence interval (e.g., coherence time) in block 602. Alternatively, a model (e.g., the model illustrated in fig. 4) may be used to determine the expected coherence interval; the model relates the coherence interval to the speed of wireless communication device 102 for two different frequency bands (e.g., 2.4 GHz and 5.5 GHz). In a typical stationary setting (i.e., when the wireless communication device 102 remains substantially stationary and does not move relative to the access point 108), it may be determined that the coherence interval is significantly greater than 100 ms. For example, using the model illustrated in fig. 4, the processor may determine that the expected coherence interval is greater than 800 ms when the speed of the wireless communication device 102 communicating using the 5.5 GHz band is close to 0. When the speed of the wireless communication device 102 communicating using the 2.4 GHz band is 2.5 mph, for example, the processor may determine that the expected coherence interval is approximately 50 ms. In some embodiments, it is feasible for the wireless communication device 102 to schedule the active scan request and receive the response frame within a coherence interval associated with the periodically transmitted beacon frame.

In block 604, the processor may initiate transmission of an active scan request. For example, the processor may schedule an active scan request to occur during the expected coherence interval determined in block 602, where the active scan request is generated by the processor and transmitted from the wireless communication device 200 via the transceiver (e.g., 218). An active scan request may be generated to include the MAC address extracted from the first beacon frame.

Note that since the processing of the received active scan request is based on the MAC address contained in the active scan request transmitted by the wireless communication device 102, if there is no rogue access point 104 or the rogue access point 104 is spoofing a MAC address of an access point that is different from the third access point 108, then only the third access point 108 will process an active scan request transmitted from the wireless communication device 102.

During the passive scan of the wireless network, the wireless communication device 102 continues to detect beacon frames as illustrated in fig. 3. Thus, in response to receiving second beacon frames (e.g., "beacons") from the first access node 104 and/or the third access node 108, the wireless communication device 102 samples or measures one or more signal characteristics associated with each second beacon frame.

In determination block 606, the processor may determine whether a response frame was received within the expected coherence interval. For example, the processor may determine whether at least one of a response frame received from the first access point 104 and a response frame received from the second access point 108 was received during an expected coherence interval.

In response to determining that no response frame is received within the expected coherence interval (i.e., determination block 606 is "no"), the processor may return to block 601 to receive a subsequent beacon frame and determine a new expected coherence interval.

In response to determining that the response frame is received within the expected coherence interval (i.e., determination block 606 is "yes"), the processor may calculate a first correlation coefficient in block 608. In various embodiments, given a set of signal characteristics (e.g., channel measurements) associated with the beacon frame and the response frame, the processor may determine whether a MAC address spoofing attack has occurred based on the correlation coefficients determined in block 608. For example, the first correlation coefficient may be calculated based on signal characteristics associated with a beacon frame (e.g., a first beacon frame or a second beacon frame) and a response frame. For example, the first correlation coefficient ("Corr Coeff (X, Y)") may be calculated using the following equation:

where X represents a sample of the signal characteristic associated with the beacon frame, Y represents a sample of the signal characteristic associated with the response frame, μX represents an average of the samples of the signal characteristic associated with the beacon frame, and μY represents an average of the samples of the signal characteristic associated with the response frame.

In various embodiments, the signal characteristics evaluated by the processor in determining the correlation coefficients may include one or more of RSSI values, RCPI values, channel impulse responses, channel frequency responses, angle of arrival, and the like.

In determination block 610, the processor may determine whether the calculated first correlation coefficient is equal to, exceeds, or is less than a threshold. In some embodiments, the threshold may be a correlation coefficient value (i.e., a low correlation coefficient threshold) indicating the presence of MAC address spoofing. In some embodiments, the threshold may be a correlation coefficient value (i.e., a high correlation coefficient threshold) indicating that there is no MAC address spoofing. For example, the processor may determine whether the calculated first correlation coefficient is greater than or less than a first predetermined threshold or parameter θ1.

In some embodiments, the first predetermined threshold or parameter θ1 may be determined using machine learning. For example, the first parameter θ1 may be learned from a training data set corresponding to one or more known communication systems. The first parameter θ1 may be determined prior to initiating the methods of various embodiments. Further, the first parameter θ1 may be updated at discrete times or at predetermined intervals.

In response to determining that the calculated first correlation coefficient is greater than or equal to the threshold indicating no MAC address spoofing (i.e., determination block 610 is "yes"), the processor may determine that no MAC address spoofing was detected in block 612 and return to block 601 to receive a subsequent beacon frame and determine a new expected coherence interval.

In response to determining that the calculated first correlation coefficient is less than the threshold value indicative of MAC address spoofing (i.e., determination block 610 is "no"), the processor may determine that MAC address spoofing is detected in block 614.
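The decision flow of blocks 602 through 614, as an added example that is not part of the patent text: it drops responses that arrive outside the expected coherence interval, correlates beacon RSSI with response RSSI, and compares the result with θ1. It assumes the coefficient is the standard Pearson correlation and that the coherence time follows the Clarke-model rule of thumb 0.423·λ/v (which gives roughly 47 ms at 2.5 mph on 2.4 GHz, in line with the approximately 50 ms quoted above); all function names, the RSSI samples, the timing values and θ1 = 0.7 are constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def coherence_interval_s(speed_mps, freq_hz):
    """Expected coherence interval (block 602) from speed and wavelength.

    Assumption: Clarke-model rule of thumb Tc ~= 0.423 * wavelength / speed.
    A stationary device is treated as having an unbounded interval.
    """
    if speed_mps <= 0:
        return math.inf
    return 0.423 * (C / freq_hz) / speed_mps


def pearson(xs, ys):
    """Pearson correlation of two sample lists, or None when undefined."""
    n = len(xs)
    if n < 3 or n != len(ys):
        return None
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:  # constant RSSI: correlation is undefined
        return None
    return sxy / math.sqrt(sxx * syy)


def assess(observations, speed_mps, freq_hz, theta1):
    """Blocks 606-614 over a batch of beacon/response pairs.

    observations: (beacon_time_s, beacon_rssi_dbm,
                   response_time_s, response_rssi_dbm) tuples that all
    carry the same claimed MAC address.
    Returns (verdict, coefficient, number_of_pairs_used).
    """
    tc = coherence_interval_s(speed_mps, freq_hz)
    # Block 606: keep only responses received within the coherence interval.
    kept = [(bx, ry) for bt, bx, rt, ry in observations if 0 <= rt - bt <= tc]
    r = pearson([k[0] for k in kept], [k[1] for k in kept])
    if r is None:
        return "inconclusive", None, len(kept)
    # Block 610: compare the first correlation coefficient with theta1.
    verdict = "no spoofing detected" if r >= theta1 else "spoofing suspected"
    return verdict, r, len(kept)


# Constructed samples (dBm). The ninth response arrives 120 ms after its
# beacon, outside the ~47 ms interval, so block 606 discards it.
BEACON_RSSI = [-52, -58, -61, -55, -50, -57, -63, -54, -59]
# All responses from the same transmitter as the beacons.
CLEAN_RESP = [-53, -58, -60, -56, -51, -56, -62, -55, -40]
# Every second response comes from a second transmitter elsewhere.
MIXED_RESP = [-53, -45, -60, -71, -51, -48, -62, -70, -40]
DELAYS_S = [0.012] * 8 + [0.120]
BEACON_PERIOD_S = 0.1024  # typical 100 TU beacon interval


def build(responses):
    """Pair each beacon with its response, adding constructed timestamps."""
    return [
        (i * BEACON_PERIOD_S, b, i * BEACON_PERIOD_S + d, r)
        for i, (b, r, d) in enumerate(zip(BEACON_RSSI, responses, DELAYS_S))
    ]


SPEED_MPS = 2.5 * 0.44704  # 2.5 mph
FREQ_HZ = 2.4e9
THETA1 = 0.7  # constructed threshold, not a value from the patent

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN_RESP), ("mixed", MIXED_RESP)):
        print(label, assess(build(resp), SPEED_MPS, FREQ_HZ, THETA1))
```

A coefficient that cannot be computed (too few pairs inside the interval, or constant RSSI) is reported as inconclusive rather than forced into either verdict.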

In some embodiments, in response to determining that MAC address spoofing is present in block 614, the processor may perform additional operations. For example, in some embodiments, the processor may classify the type of spoofing attack in block 616 and/or initiate countermeasures in block 618. Alternatively or additionally, the processor may stop the active scan using the MAC address extracted from the first beacon frame indefinitely or for a predetermined amount of time.

Fig. 7 illustrates a method 700 for classifying a MAC address spoofing attack, in accordance with some embodiments. Referring to fig. 1-7, method 700 includes an example of operations that may be performed by a processor in blocks 616 and 618 of method 600. The method 700 may be implemented by one or more processors (e.g., 202) of a wireless communication device (e.g., 102, 200).

In determination block 702, the processor may determine whether one or more additional frames are received within an expected coherence interval. For example, after a processor of the wireless communication device determines that MAC address spoofing is present, the processor may determine whether one or more additional frames are received from a rogue access point (e.g., 104) and/or a legitimate access point (e.g., 108).

In response to determining that no additional frames have been received within the expected coherence interval (i.e., determination block 702 is "no"), the processor may initiate a default countermeasure in block 712.

In response to determining that one or more additional frames are received within the expected coherence interval (i.e., determination block 702 is "yes"), the processor may determine a frame type for each of the additional frames received within the expected coherence interval in block 704. For example, the processor may identify the frame type of each additional frame as one of a beacon frame, an active scan response frame, a deauthentication frame, a disassociation frame, a clear-to-send (CTS) frame, an acknowledgement (ACK) message associated with the data frame, and the like. Although not illustrated, the processor of the wireless communication device may also sample or measure one or more signal characteristics associated with each additional frame received within an expected coherence interval.

In block 706, the processor may calculate a second correlation coefficient for each frame type identified in additional frames received within the expected coherence interval. For example, the second correlation coefficient may correspond to the type of frame received, and thus the type of MAC address spoofing attack that occurred in the network.

In some embodiments, when the processor determines that the additional frames received within the expected coherence interval include one or more deauthentication frames, the processor may determine the second correlation coefficient using the following equation:

where X ∈ {Channel_beacon, Channel_active_scan_response}, Channel_de_auth_frame represents one or more signal characteristics sampled on a channel associated with a deauthentication frame, Channel_beacon represents one or more signal characteristics sampled on a channel associated with a beacon frame, and Channel_active_scan_response represents one or more signal characteristics sampled on a channel associated with an active scanning response frame.

In various embodiments, when the additional frames received within the expected coherence interval include one or more disassociation frames, the processor may determine the second correlation coefficient using the following equation:

where Y ∈ {Channel_beacon, Channel_active_scan_response}, Channel_disassociation_frame represents one or more signal characteristics sampled on a channel associated with a disassociation frame, Channel_beacon represents one or more signal characteristics sampled on a channel associated with a beacon frame, and Channel_active_scan_response represents one or more signal characteristics sampled on a channel associated with an active scanning response frame.

In determination block 708, the processor may determine whether the calculated second correlation coefficient is within a threshold value indicative of a particular type of attack. For example, the processor may determine whether the calculated second correlation coefficient is greater than or less than a second predetermined threshold or parameter θ2 related to a particular form of attack that utilizes MAC address spoofing.

In some embodiments, the second predetermined threshold or parameter θ2 may be the same as or different from the first predetermined threshold or parameter θ1 evaluated in determination block 610 of the method 600. Machine learning may be used to determine the second predetermined threshold or parameter θ2. For example, the second parameter θ2 may be learned from a training data set corresponding to one or more known systems. The second parameter θ2 may be determined prior to initiating the method 700. In addition, the second parameter θ2 may be updated at discrete times or at predetermined intervals.

In response to determining that the second correlation coefficient is within a threshold value associated with a particular form of attack that utilizes MAC address spoofing (i.e., determination block 708 is "yes"), the processor may initiate a particular countermeasure in block 710. In some embodiments, the particular countermeasure initiated may be based on the frame type used to determine the second correlation coefficient. For example, when the second correlation coefficient is calculated based on the deauthentication frame and the second correlation coefficient is determined to be less than the second predetermined parameter θ2, the processor may determine that a deauthentication attack has occurred and initiate countermeasures to the deauthentication attack, which may include dynamically reconfiguring software stored in the wireless communication device such that the wireless communication device ignores the deauthentication frame corresponding to the spoofed MAC address. Additionally or alternatively, the wireless communication device 102 may instruct a legitimate third access point (e.g., 108) to ignore the deauthentication frame corresponding to the spoofed MAC address. In some embodiments, the wireless communication device may ignore deauthentication frames corresponding to forged MAC addresses indefinitely. In some embodiments, the wireless communication device may ignore the deauthentication frame for a period of time such that after expiration of the period of time, the wireless device no longer ignores the deauthentication frame corresponding to the MAC address.

In some embodiments, when the processor classifies a MAC address spoofing attack as a disassociation attack, the processor may ignore disassociation frames corresponding to forged MAC addresses. Additionally or alternatively, the wireless communication device may instruct a legitimate access point (e.g., 108) to ignore disassociation frames corresponding to spoofed MAC addresses. In some embodiments, the wireless communication device may ignore disassociation frames corresponding to forged MAC addresses indefinitely. In some embodiments, the wireless communication device may ignore the deauthentication frame for a period of time such that, after expiration of the period of time, the wireless device 102 no longer ignores the disassociation frame corresponding to the MAC address.

In some embodiments, when the processor classifies a MAC address spoofing attack as a sleep deprivation attack, the processor may ignore beacon frames corresponding to forged MAC addresses. Additionally or alternatively, the processor may update an access point whitelist (e.g., a list of approved access points available to initiate communications) with the access points associated with the spoofed MAC address removed. When an access point associated with a spoofed MAC address is removed from the whitelist, the wireless communication device will no longer attempt to initiate communication with the removed access point and will ignore any credit frames received from the removed access point. The access point whitelist may be updated in the wireless communication device and/or within a node of the evolved packet core 110.

In response to determining that the calculated second correlation coefficient is not within a threshold value associated with a particular form of attack that utilizes MAC address spoofing (i.e., determination block 708 is "no"), the processor may initiate a default countermeasure in block 712. For example, the processor may stop scheduling and/or generating any additional active scan requests corresponding to the MAC address being examined.
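The decision flow of methods 600 and 700 (blocks 608-614 and 702-712), sketched as an added example that is not code from the patent. Because the correlation equations are not reproduced on this page, it assumes a Pearson correlation over the sampled signal characteristics, a value of 0.8 for both θ1 and θ2, and hypothetical action names; the sample vectors are constructed.

```python
import math
from dataclasses import dataclass

THETA_1 = 0.8  # assumed value; the page says theta1 is learned from training data
THETA_2 = 0.8  # assumed value for theta2

# Hypothetical action names standing in for the countermeasures of blocks 710/712.
ACTIONS = {"deauth": "ignore_deauth_frames", "disassoc": "ignore_disassoc_frames"}
DEFAULT_ACTION = "stop_active_scans_for_mac"

@dataclass
class Frame:
    frame_type: str  # "beacon", "active_scan_response", "deauth", "disassoc"
    t_ms: float      # arrival time measured from the beacon
    samples: list    # signal characteristic, e.g. channel frequency response magnitudes

def correlation(a, b):
    """Pearson correlation of two equal-length sample vectors (assumed metric)."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("need two equal-length vectors with at least 2 samples")
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var_a = sum((x - ma) ** 2 for x in a)
    var_b = sum((y - mb) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0   # a flat vector carries no channel signature
    return cov / math.sqrt(var_a * var_b)

def detect_spoofing(beacon, response, coherence_ms, theta1=THETA_1):
    """Blocks 608-614: True (spoofing), False (none) or None (no decision)."""
    if response is None or response.t_ms > coherence_ms:
        return None  # outside the coherence interval the channel may have changed
    return correlation(beacon.samples, response.samples) < theta1

def classify(reference, extra_frames, coherence_ms, theta2=THETA_2):
    """Blocks 702-712. `reference` is X: the beacon or the active scan response."""
    in_window = [f for f in extra_frames if f.t_ms <= coherence_ms]
    actions = set()
    for frame in in_window:
        if frame.frame_type in ACTIONS:
            rho2 = correlation(frame.samples, reference.samples)
            if rho2 < theta2:  # frame does not match the reference's channel
                actions.add(ACTIONS[frame.frame_type])
    return sorted(actions) or [DEFAULT_ACTION]

# Constructed sample data: eight channel-response magnitudes per frame.
LEGIT = [0.9, 0.7, 0.4, 0.6, 0.8, 0.5, 0.3, 0.6]
LEGIT_NOISY = [0.88, 0.72, 0.41, 0.58, 0.79, 0.52, 0.31, 0.61]
ROGUE = [0.3, 0.5, 0.9, 0.8, 0.4, 0.6, 0.9, 0.2]
ROGUE_NOISY = [0.32, 0.48, 0.88, 0.82, 0.41, 0.58, 0.91, 0.22]

BEACON = Frame("beacon", 0.0, LEGIT)
SAME_AP_RESPONSE = Frame("active_scan_response", 12.0, LEGIT_NOISY)
ROGUE_RESPONSE = Frame("active_scan_response", 12.0, ROGUE)
ROGUE_DEAUTH = Frame("deauth", 20.0, ROGUE_NOISY)

if __name__ == "__main__":
    print(detect_spoofing(BEACON, SAME_AP_RESPONSE, coherence_ms=50.0))
    print(detect_spoofing(BEACON, ROGUE_RESPONSE, coherence_ms=50.0))
    print(classify(BEACON, [ROGUE_DEAUTH], coherence_ms=50.0))
```

Returning `None` for a late or missing response is a choice made in this sketch: a comparison across a changed channel would produce false alarms, so the caller should rescan rather than decide.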

Fig. 8 illustrates a method 800 for determining whether a MAC address spoofing attack is present in a network including one or more IoT devices, in accordance with some embodiments. Referring to fig. 1-8, the method 800 may be implemented by one or more processors (e.g., 202) of a wireless communication device (e.g., 102, 200) in conjunction with an IoT device (e.g., 120). The operations in blocks 601 through 618 may be performed as described for method 600.

In block 802, a processor may receive information associated with one or more frames received at one or more IoT or smart-home devices. For example, after the wireless communication device transmits an active scan request, the wireless communication device and/or IoT device may be configured to sample channel measurements associated with the active scan request response frame and other frames received during an expected coherence interval. When one or more IoT devices receive a frame during an expected coherence interval, each of the one or more IoT devices may measure one or more signal characteristics associated with each frame received during the expected coherence interval. Each of the one or more IoT devices may transmit to the wireless communication device (e.g., 102) one or more signal characteristics associated with each frame, as well as information associated with each received frame (e.g., information included in the frame, frame type, etc.).

In block 804, the wireless communication device may determine a first correlation coefficient using signal characteristics sampled by the wireless communication device and signal characteristics received from one or more IoT devices.

The method 800 may be useful in the case where a rogue access point acts as an interfering transmitter for the wireless communication device and/or one or more IoT devices during transmission of frames (e.g., beacon frames, response frames, etc.) transmitted from a benign access point (e.g., 108). Due to the well-known hidden terminal problem in wireless networks, a malicious access point may not be able to block all IoT devices in the vicinity at the same time, except for a benign access point (e.g., 108). Because the IoT device may have a better vantage point to receive a combination or mix of measurements from benign and malicious access points, the wireless communication device may utilize information associated with frames received at the IoT device. By including information associated with frames received at the IoT devices in addition to information associated with frames received at the wireless communication device, the diversity of measurements collected in the network may be improved. This may enable the wireless communication device processor to reliably determine a more accurate correlation coefficient in block 804 than may be achievable in this case in block 608 of method 600.

Various embodiments, including but not limited to the embodiments described with reference to fig. 1, 2, 6-8, may be implemented in any of a variety of wireless communication devices, an example 900 of which is illustrated in fig. 9. Referring to fig. 1-8, a wireless communication device 900 (which may, for example, correspond to the wireless communication devices 102 and/or 200 in fig. 1 and 2 and/or the IoT device 120 in fig. 1) may include a processor 902 coupled to a touchscreen controller 904 and an internal memory 906. The processor 902 may be one or more multi-core ICs designed for general or specific processing tasks. The internal memory 906 may be volatile or non-volatile memory, and may also be secure and/or encrypted memory, or unsecure and/or unencrypted memory, or any combination thereof.

The touchscreen controller 904 and the processor 902 may also be coupled to a touchscreen panel 912, such as a resistive-sensing touchscreen, a capacitive-sensing touchscreen, an infrared-sensing touchscreen, and so forth. The wireless communication device 900 may have one or more radio signal transceivers 908 (e.g., Wi-Fi, RF radio) and an antenna 910 coupled to each other and/or to the processor 902 for sending and receiving. The transceiver 908 and antenna 910 may be used with the above-described circuitry to implement various wireless transmission protocol stacks and interfaces. The wireless communication device 900 may include a cellular network wireless modem chip 916 that communicates over a cellular network and is coupled to the processor. The wireless communication device 900 may include a peripheral device connection interface 918 coupled to the processor 902. The peripheral device connection interface 918 may be configured to accept a single type of connection, or configured to accept multiple types of physical and communication connections, common or proprietary, such as USB, FireWire, Thunderbolt, PCIe, or the like. Peripheral device connection interface 918 may also be coupled to a similarly configured peripheral device connection port (not shown). The wireless communication device 900 may also include a speaker 914 for providing audio output. The wireless communication device 900 may also include a housing 920 constructed of plastic, metal, or a combination of materials for housing all or some of the components discussed herein. The wireless communication device 900 may include a power supply 922 coupled to the processor 902, such as a disposable or rechargeable battery. The rechargeable battery may also be coupled to the peripheral device connection port to receive a charging current from a source external to the wireless communication device 900.

Various embodiments, including but not limited to the embodiments described with reference to fig. 1, 2, 6-8, may be implemented within various wireless communication devices, an example 1000 of which is illustrated in fig. 10. Referring to fig. 1-10, a laptop computer 1000 (which may correspond to the wireless communication devices 102, 200 and IoT device 120 in fig. 1 and 2, for example) may include a touchpad touch surface 1017 that serves as a pointing device for the computer, and thus may receive drag, scroll, and flick gestures similar to those implemented on a wireless computing device equipped with a touchscreen display as described. The laptop computer 1000 will typically include a processor 1011 coupled to volatile memory 1012 and a large capacity non-volatile memory, such as a disk drive 1013 for flash memory. The computer 1000 may also include a floppy disk drive 1014 and a Compact Disk (CD) drive 1015 coupled to the processor 1011. The computer 1000 may also include a plurality of connector ports coupled to the processor 1011 for establishing data connections or receiving external memory devices, such as a Universal Serial Bus (USB) or connector receptacle, or other network connection circuitry for coupling the processor 1011 to a network. In the notebook configuration, the computer housing includes a touch panel 1017, a keyboard 1018, and a display 1019 all coupled to the processor 1011. Other configurations of computing devices may include well known computer mice or trackballs coupled to a processor (e.g., via a USB input), which may also be used in conjunction with various embodiments.

Referring to fig. 1-10, processors 902 and 1011 may be any programmable microprocessor, microcomputer or multiple processor chip or chips that can be configured by software instructions (applications) to perform a variety of functions, including the functions of the various embodiments as described. In some devices, multiple processors may be provided, such as one processor dedicated to wireless communication functions and one processor dedicated to running other applications. Typically, software applications may be stored in the internal memories 906, 1012, and 1013 before they are accessed and loaded into the processors 902 and 1011. The processors 902 and 1011 may include internal memory sufficient to store the application software instructions. In many devices, the internal memory may be volatile or non-volatile memory (e.g., flash memory) or a mixture of both. For the purposes of this description, a general reference to memory refers to memory accessible by the processors 902, 1011, including internal memory or removable memory plugged into the device, and memory within the processors 902 and 1011 themselves.

The foregoing method descriptions and process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the blocks of the various embodiments must be performed in the order presented. As will be appreciated by those skilled in the art, the blocks in the foregoing embodiments may be performed in any order. Words such as "thereafter," "then," "next," etc. are not intended to limit the order of the blocks; these words are only used to guide the reader in understanding the description of the method.

The terms "A or B," "at least one of A and/or B," or "one or more of A and/or B" may include all possible combinations of items listed together. For example, the terms "A or B," "at least one of A and B," or "at least one of A or B" may indicate all of the following: (1) comprises at least one A, (2) comprises at least one B, and (3) comprises at least one A and at least one B.

The terms "first," "second," and the like, as used herein, may modify various elements regardless of order and/or priority, and are used merely to distinguish one element from another element without limitation. For example, "a first element" and "a second element" may indicate different elements regardless of order or priority. For example, a first element could be termed a second element, and vice-versa, without departing from the scope of the present invention. Furthermore, any reference to claim elements in the singular (for example, using the articles "a," "an," or "the") should not be construed as limiting the element to the singular.

The various illustrative logical blocks, modules, circuits, and algorithm blocks described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and blocks have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. While described functionality may be implemented in varying ways for each particular application by those skilled in the art, such implementation decisions should not be interpreted as causing a departure from the scope of the claims.

The hardware used to implement the various illustrative logics, logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with the aid of the following means: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. Alternatively, some blocks or methods may be performed by circuitry that is specific to a given function.

In various embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable medium or a non-transitory processor-readable medium. The operations of the methods or algorithms disclosed herein may be embodied in processor-executable software modules that may reside on non-transitory computer-readable or processor-readable storage media. A non-transitory computer-readable or processor-readable storage medium may be any storage medium that can be accessed by a computer or a processor. By way of example, and not limitation, such non-transitory computer-readable or processor-readable media can comprise RAM, ROM, EEPROM, flash memory, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of non-transitory computer-readable and processor-readable media. Additionally, the operations of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a non-transitory processor-readable medium and/or computer-readable medium, which may be incorporated into a computer program product.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the claims. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the claims. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the following claims and the principles and novel features disclosed herein.
