Unified Patents WSOU Investments US7409715 6.9.2021


PATROLL Winning Submission

U.S. Patent 7,409,715

Claim 1 of the patent-at-issue, U.S. Patent 7,409,715 (“WSOU”), which was filed on Dec.
10, 2003, and without an earlier claimed priority date, is directed to a method for detecting
impersonation based attacks on a wireless network. The method includes connecting a wireless
node with an intrusion detection module and providing the intrusion detection module a copy of
the original data frames transmitted by the wireless node, detecting at the intrusion detection
module incoming data frames received over the wireless interface, comparing at the intrusion
detection module the information in the copy with information in incoming data frames, and
recognizing an impersonating attack when the intrusion detection module determines the
information in the copy differs from the information in incoming data frames.

The primary reference, U.S. Patent Publication 20030237000 (“IBM”), which was filed
on Jun. 19, 2002, and without an earlier claimed priority date, is directed to a method and system
for detecting intrusion of a wireless network. Specifically, a data stream received by a wireless
network is monitored, and a validity deviation is determined by comparing the data stream to a
valid data stream.

The secondary reference, International Publication WO 03/084255 (“AIRMAGNET”), which was published on Oct. 9, 2003, filed on Mar. 28, 2003, and with a claimed priority date of Mar. 20, 2002, is directed to detecting a counterfeit access point in a wireless network. Specifically, a detector in the wireless network is configured to receive beacon frames transmitted over the wireless network and analyze them and/or compare them to previously received beacon frames to detect a counterfeit access point.
Specifically, a detector in the wireless network is configured to receive beacon frames
transmitted over the wireless network and analyze them and/or compare them to previously
received beacon frames to detect a counterfeit access point.

A sample claim chart comparing claim 1 of WSOU to IBM and AIRMAGNET is provided below. A tertiary reference, U.S. Patent Publication 20030084321 (“HP”), filed on Oct. 31, 2001, and without an earlier claimed priority date, has also been mapped against claim 1 of WSOU.

Claim chart: US7409715 (“WSOU”), claim 1, mapped against:
A. US20030237000 (“IBM”)
B. WO03084255 (“AIRMAGNET”)
C. US20030084321 (“HP”)

1. A method for detecting impersonation based attacks at a wireless node of a wireless communication network, comprising the steps of:

A. US20030237000
“In general, the present invention provides a method, system and program product for detecting intrusion of a wireless network. Specifically, under the present invention, a data stream received by a wireless network is detected (i.e., monitored for).” IBM at page 2, [0019].

[See FIG. 2 for “nodes.”]

B. WO03084255
“1. A method of detecting a counterfeit access point in a wireless local area network comprising: receiving beacon frames at a detector in the wireless local area network, wherein the beacon frames are transmitted over the wireless local area network by one or more access points; and analyzing the received beacon frames at the detector to detect a counterfeit access point in the wireless local area network.” AIRMAGNET at claim 1.

C. US20030084321
“In FIG. 2, there is illustrated a comprehensive intrusion prevention system employing network-based and hybrid host-based/node-based intrusion detection technologies according to an embodiment of the invention.” HP at page 4, [0026].

a) operatively connecting the wireless node with an intrusion detection module and providing the intrusion detection module with a copy of original data frames transmitted by the wireless node over a wireless interface;

A. US20030237000
“Under the present invention, a monitoring system 18 having detection system 20 can be provided. As will be further described below, detection system 20 will detect (i.e., monitor for) and analyze data streams to and from server 12 to detect intrusion by hacker 16” IBM at page 2, [0023].

“Moreover, detection system 20 can detect and analyze individual data packets, or a sequence of multiple data packets (i.e., a data stream as detected and analyzed hereunder could include one or more data packets).” IBM at page 2, [0023].

“Database 32 may provide storage for information necessary to carry out the present invention. Such information could include, among other things, data streams received by server 12, a library (i.e., set of) of valid data streams, a library (i.e., set of) of known intrusion data streams, thresholds, etc.” IBM at page 2, [0027].

B. WO03084255
“In step 602 (Fig. 6), detector 506 measures the rate at which frames are received to determine a measured frame rate. For example, in one configuration, detector 506 can count the number of beacon frames received during a period of time. For the sake of example, assume that detector 506 counts a total of 100 beacon frames, which in the exemplary scenario depicted in Fig. 5 would include beacon frames 400 and 504, during a 5 second interval. As such, in this example, the measured beacon frame rate is 20 frames per second.” AIRMAGNET at page 8, [0034].

“In step 604 (Fig. 6), detector 506 compares the measured frame rate to the stated frame rate. As described above, the stated frame rate can be obtained from the information provided in the frame itself. In the present example, assume that the stated beacon frame rate in beacon frame 400 is 10 frames per second.” AIRMAGNET at page 8, [0035].

“If the sender MAC address of the received beacon frame matches the sender MAC address of an authorized AP, detector 506 compares the sequence number of the received beacon frame to the sequence number of a previously received beacon frame from the same authorized AP, which was stored earlier.” AIRMAGNET at page 9, [0039].

“Generally, beacon frames 400 can include information such as frame type, beacon frame interval/rate, sequence number, timestamp, capability information, SSID, supported rates, one or more PHY parameter sets, direct sequence (DS) parameter set, frequency hopping (FH) parameter set, and the like.” AIRMAGNET at page 6, [0026].

C. US20030084321
“In view of the above-noted deficiencies of network-based intrusion prevention systems, a hybrid host-based and node-based intrusion prevention system is preferably implemented within each of the various nodes, such as servers 270A-270N (also referred to herein as “nodes”), of Ethernet networks 55 and 56 in the secured network 100.” HP at page 4, [0027].

“Additionally, each node 270A-270F may respectively employ a local file system for archiving intrusion-related events, generating intrusion-related reports, and storing signature files against which local network frames and/or packets are examined.” HP at page 4, [0027].

b) detecting at the intrusion detection module incoming data frames received over the wireless interface;

A. US20030237000
“Once stored, data stream system 36 can optionally monitor for and detect any key indicator flags in the data stream. In general, key indicator flags help identify data streams that are viewed as inherently intrusive or invalid.” IBM at page 3, [0029].

“Referring now to FIG. 3, a method flow diagram 100 according to the present invention is shown. As depicted, first step 102 in the method is to detect a data stream received by a wireless network. Once detected, the data stream is analyzed.” IBM at page 4, [0035].

B. WO03084255
“In step 700 (Fig. 7) of the present exemplary process, detector 506 receives frames from APs having transmission ranges that include detector 506. As such, in the exemplary scenario depicted in Fig. 5, detector 506 receives beacon frames 400 and 504 from authorized AP 202 and unauthorized counterfeit AP 500. . . .” AIRMAGNET at page 11, [0051].

C. US20030084321
“A server application may also run on mobile device 355 or may alternatively be run on network 300, for example by SS 306, and engage in wireless communication with mobile device 355 for facilitating operation of the client application of IPS application 91, for example to provide mobile device 355 with machine-readable signature files utilized by IPS application 91 to detect intrusion related events at mobile device 355.” HP at page 7, [0044].

“5. The mobile device according to claim 3, wherein the intrusion detection application identifies a correspondence between the signature file and a data packet, a determination that the data packet is intrusion-related made upon identification of the correspondence.” HP at claim 5.

c) comparing at the intrusion detection module the information in the copy with the information in the incoming data frames; and

A. US20030237000
“In any event, once data stream system 36 has completed its detection function(s), validity deviation system 38 will determine a validity deviation of the data stream. In general, the validity deviation is determined by comparing the data stream to a library of one or more valid data streams (e.g., as stored in database 32).” IBM at page 3, [0031].

“Referring now to FIG. 3...the method is to detect a data stream received by a wireless network. Once detected, the data stream is analyzed. Specifically, second step 104 is to determine a validity deviation by comparing the data stream to a (at least one) valid data stream.” IBM at page 4, [0035].

B. WO03084255
“In step 606 (Fig. 6), detector 506 determines if a counterfeit AP is detected based on the comparison of the measured frame rate to the stated frame rate. Again, in the present example, the measured frame rate is 20 frames per second and the stated frame rate is 10 frames per second.” AIRMAGNET at page 8, [0035].

“In step 704 (Fig. 7), detector 506 determines if a counterfeit AP is detected based on the comparison of the sequence number of the received frame to the sequence number of a previously received frame.” AIRMAGNET at page 9, [0039].

C. US20030084321
“An operator of management node 85 may input one or more text-files 277A-277N via input device 281. Each text-file 277A-277N may define a network-based exploit and comprise a logical description of an attack signature as well as IPS directives, such as instructions for IPS application 91 to log the identified packet and/or frame into a database, instructions to drop the identified packet and/or frame, and/or directions for other security measures to be executed upon an IPS evaluation of an intrusion-related event associated with the described attack signature.” HP at page 6, [0036].

d) recognizing an impersonating attack when the intrusion detection module determines that the information in the copy differs from the information in the incoming data frames.

A. US20030237000
“If the validity deviation is greater than a validity threshold, an intrusion deviation will be calculated. Specifically, some amount of validity deviation (e.g., 1) could be within tolerable limits. However, if the tolerable limits were exceeded, the data stream could be too deviant from valid data streams and should be examined more closely. In such a case, intrusion deviation system 40 will then compare the protocols of the received data stream to those of one or more known intrusion data streams (e.g., stored as a library of known intrusion streams in database 32).” IBM at page 3, [0032].

B. WO03084255
“Now assume that detector 506 receives a beacon frame 504 from counterfeit AP 500, which is unauthorized and attempting to pose as authorized AP 202. Also assume that counterfeit AP 500 has sent beacon frame 504 using the sender MAC address of authorized AP 202. However, assume that the sequence number for beacon frame 504 sent by counterfeit AP 500 is 50. Accordingly, when detector 506 compares the sequence number of the received beacon frame, which in this example is 50, to the sequence number of the previously received beacon frame, which in this example is 100, they are not consistent. As such, detector 506 determines that a counterfeit AP 500 has been detected.” AIRMAGNET at page 10, [0044].

C. US20030084321
“Network-based IPS appliances 80 and 81 may respectively comprise (or alternatively be connected to) a database 80A and 81A of known attack signatures, or rules, against which network frames captured thereby may be compared.” HP at page 6, [0026].

“5. The mobile device according to claim 3, wherein the intrusion detection application identifies a correspondence between the signature file and a data packet, a determination that the data packet is intrusion-related made upon identification of the correspondence.” HP at claim 5.
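Added example, not part of the submission or of any cited patent: a Python detector that applies the two AIRMAGNET checks quoted under elements a) through d), a beacon count over a window against the rate the frame itself states, and the sequence number against the one stored for the same authorized MAC. The MAC address, the 1.5x rate tolerance, the 256-frame forward gap and the interleaved trace are constructed assumptions.

```python
from dataclasses import dataclass
SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide

@dataclass
class Beacon:
    sender_mac: str     # transmitter address claimed in the frame
    seq: int            # value of the frame's sequence number field
    rx_time: float      # receive time at the detector, in seconds
    stated_rate: float  # beacons per second implied by the frame's beacon interval field

class CounterfeitApDetector:
    """Flags beacons with an authorized AP's MAC whose rate or sequence numbers do not fit one transmitter."""
    def __init__(self, authorized_macs, window=5.0, rate_factor=1.5, max_gap=256):
        self.authorized = set(authorized_macs)
        self.window = window            # seconds over which beacons are counted
        self.rate_factor = rate_factor  # measured/stated ratio that raises an alert (assumed)
        self.max_gap = max_gap          # largest forward jump still taken as consistent (assumed)
        self.last_seq = {}              # MAC -> sequence number stored from its last beacon
        self.times = {}                 # MAC -> receive times still inside the window

    def observe(self, b):
        if b.sender_mac not in self.authorized:
            return []  # an unlisted MAC is the separate rogue-AP case, not impersonation
        alerts = []
        # Rate check: count this MAC's beacons inside the window; meaningful after one full window.
        recent = [t for t in self.times.get(b.sender_mac, []) if t > b.rx_time - self.window]
        recent.append(b.rx_time)
        self.times[b.sender_mac] = recent
        measured = len(recent) / self.window
        if measured > b.stated_rate * self.rate_factor:
            alerts.append(f"rate {measured:.1f}/s exceeds stated {b.stated_rate:.1f}/s")
        # Sequence check: the number must advance (mod 4096) from the one stored last time.
        prev = self.last_seq.get(b.sender_mac)
        if prev is not None and not 0 < (b.seq - prev) % SEQ_MOD <= self.max_gap:
            alerts.append(f"sequence {b.seq} inconsistent with stored {prev}")
        self.last_seq[b.sender_mac] = b.seq
        return alerts

def run_scenario(counterfeit=True):
    """Constructed trace: authorized AP at 10/s from seq 100; a counterfeit reusing its MAC at 10/s from seq 50."""
    mac = "02:00:00:00:00:01"  # constructed, locally administered address
    frames = [Beacon(mac, 100 + i, i / 10, 10.0) for i in range(100)]
    if counterfeit:
        frames += [Beacon(mac, 50 + i, i / 10 + 0.05, 10.0) for i in range(100)]
    det = CounterfeitApDetector([mac])
    counts = {"frames": len(frames), "rate_alerts": 0, "seq_alerts": 0}
    for b in sorted(frames, key=lambda f: f.rx_time):
        for a in det.observe(b):
            counts["rate_alerts" if a.startswith("rate") else "seq_alerts"] += 1
    return counts
```

With the counterfeit present, run_scenario() reproduces the quoted numbers once the window fills: about 20 measured against 10 stated beacons per second, and every counterfeit beacon (50, 51, ...) arriving after a stored 100-series number is flagged.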
