(12) United States Patent
Iyer et al.

(10) Patent No.: US 6,957,067 B1
(45) Date of Patent: Oct. 18, 2005

(54) SYSTEM AND METHOD FOR MONITORING AND ENFORCING POLICY WITHIN A WIRELESS NETWORK

(75) Inventors: Pradeep J. Iyer, San Jose, CA (US); Partha Narasimhan, Santa Clara, CA (US)

(73) Assignee: Aruba Networks, Sunnyvale, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 381 days.

(21) Appl. No.: 10/254,125
(22) Filed: Sep. 24, 2002

(51) Int. Cl.: H04Q 7/20
(52) U.S. Cl.: 455/435.1; 455/426.1; 455/432.1; 455/435.2; 709/225; 370/338
(58) Field of Search: 455/422.1, 426.1, 435.1; 707/1; 709/223, 225; 370/338; 435/432.1, 435.2

(56) References Cited

U.S. PATENT DOCUMENTS
6,493,698 B1      12/2002  Bevlin ............... 707/1
2002/0069278 A1   (remainder of entry illegible in the scan)
2002/0099503 A1   7/2002   Mishra et al. ........ 701/213
2002/0159418 A1   10/2002  Rudnick et al. ....... 370/338
2003/0017826 A1   1/2003   Fishman et al. ....... 455/426
2003/0018760 A1   1/2003   Putzou et al. ........ 709/223
2003/0023711 A1   1/2003   Parmar et al. ........ 709/233
2003/0031151 A1   2/2003   Sharma et al. ........ 370/338
* cited by examiner

Primary Examiner: Stephen M. D'Agosta
(74) Attorney, Agent, or Firm: Blakely Sokoloff Taylor & Zafman

(57) ABSTRACT

In general, one embodiment of the invention is an air monitor adapted to a wireless network. The air monitor enforces policies followed by the wireless network even though it is not involved in the exchange of data between wireless devices of the wireless network, such as access points and wireless stations.

12 Claims, 10 Drawing Sheets
[Front-page figure: Management Server 120 and Wireless Stations (STA) 140_1 to 140_M; the remaining figure text is not recoverable from the scan.]

Hewlett Packard Exhibit 1004, Page 1 of 18
Hewlett Packard Enterprise Company v. Intellectual Ventures II LLC
IPR2021-01377
U.S. Patent, Oct. 18, 2005, Sheet 1 of 10, US 6,957,067 B1

[Drawing sheets 1 to 10 (Figures 1 to 13): the figure text is not recoverable from the scan apart from a few rotated labels: Figure 1 (Sheet 1); Figure 6 (Sheet 6); Figure 10 with TABLE 900 and an AP/AM table (Sheet 7); a diagram labelled UNSECURED AP and DENIAL OF SERVICE MESSAGE; Figure 13 with a START block (Sheet 10).]
SYSTEM AND METHOD FOR MONITORING AND ENFORCING POLICY WITHIN A WIRELESS NETWORK

FIELD

Embodiments of the invention relate to the field of wireless communications, in particular, to a mechanism that monitors and enforces policy within a wireless network.

GENERAL BACKGROUND

Over the last decade or so, for most businesses, it has become a necessity for employees to share data over an enterprise network featuring one or more local area networks. To improve efficiency, enhancements such as remote wireless access have been added to the local area network. This enhancement provides an important extension in forming a wireless local area network.

Typically, a WLAN supports communications between wireless stations and Access Points (APs). In general, each AP operates as a relay station by supporting communications with both wireless stations being part of a wireless network and resources of a wired network.

In addition to APs and corresponding wireless stations, conventional WLANs feature passive monitoring systems. These systems are configured to simply scan traffic on the WLAN and to conduct performance tasks based on recognized behavior. For example, one performance task may involve measuring signal strength. Another performance task may involve determining whether an AP detected within a wireless coverage area is unauthorized.

If any problems are detected, conventional monitoring systems do not have any capability to correct such problems. Instead, a notification is sent by the system to an administrator. For instance, upon detection of an unauthorized AP, the passive monitoring system currently sends a notification to an administrator to prevent wireless stations in the area from accessing the unauthorized AP. This inability of monitoring systems to automatically handle problems and enforce policy followed by the network may cause undesirable latency in correcting problems and increased overall administrative costs. In addition, mere notification adversely affects overall security of the network by increasing its exposure to hackers.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention.

FIG. 1 is an exemplary embodiment of an enterprise network featuring a wireless network in accordance with the invention.
FIG. 2 is an exemplary embodiment of an Access Point of the WLAN of FIG. 1 in communication with a wireless station.
FIG. 3 is an exemplary embodiment of the registration process by an Air Monitor with a Management Server.
FIG. 4 is an exemplary embodiment of an Air Monitor of FIG. 1.
FIG. 5A is an exemplary embodiment of a Beacon frame detected by the Air Monitor of FIG. 4.
FIG. 5B is an exemplary embodiment of an IEEE 802.11 data frame detected by the Air Monitor of FIG. 4.
FIG. 6 is an exemplary embodiment of a data structure (referred to as a "Station Table") continuously updated and stored by the Air Monitor of FIG. 4.
FIG. 7 is an exemplary embodiment of a data structure (referred to as an "AP Table") maintained and stored by the Management Server of FIG. 1.
FIG. 8 is an exemplary embodiment of a data structure (referred to as an "AM Table") maintained and stored by the Management Server of FIG. 1.
FIG. 9 is an exemplary embodiment of a data structure (referred to as an "AP/AM Table") maintained and stored by the Management Server of FIG. 1.
FIG. 10 is an exemplary embodiment of a communication protocol for AP classification between the Air Monitor and the Management Server of FIG. 1.
FIG. 11 is an exemplary embodiment of a communication protocol for Rogue AP classification between the Air Monitor and the Management Server of FIG. 1.
FIG. 12 is an exemplary embodiment of a communication protocol for deactivating an Unsecured AP.
FIG. 13 is an exemplary flowchart of operations for enforcement of policy within a wireless network of the invention.

DETAILED DESCRIPTION

Embodiments of the invention relate to a system and method for monitoring and enforcing policy within a wireless network without being an active participant in the wireless network. In other words, monitoring and enforcement of policy is conducted by a device that is not involved in the establishment of connectivity and exchange of data between Access Points and their corresponding wireless stations. As one illustrative embodiment, policy enforcement within the wireless network is conducted by an Air Monitor and a Management Server, which are described below.

Herein, the invention may be applicable to a variety of wireless networks such as a wireless local area network (WLAN) or wireless personal area network (WPAN). The WLAN may be configured in accordance with any Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard such as an IEEE 802.11b standard entitled "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Higher-Speed Physical Layer Extension in the 2.4 GHz Band" (IEEE 802.11b, 1999), an IEEE 802.11a standard entitled "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: High-Speed Physical Layer in the 5 GHz Band" (IEEE 802.11a, 1999) or a revised IEEE 802.11 standard "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications" (IEEE 802.11, 1999). Of course, the invention may be compliant with systems configured in accordance with High Performance Radio Local Area Networks (HiperLAN) or subsequently published specifications.

Certain details are set forth below in order to provide a thorough understanding of various embodiments of the invention, albeit the invention may be practiced through many embodiments other than those illustrated. Well-known logic and operations are not set forth in detail in order to avoid unnecessarily obscuring this description.

In the following description, certain terminology is used to describe features of the invention. For example, a "component" includes hardware and/or software module(s) that are configured to perform one or more functions. For instance, a "processor" is logic that processes information.
Examples of a processor include a microprocessor, an application specific integrated circuit, a digital signal processor, a micro-controller, a finite state machine, or even combinatorial logic.

A "software module" is executable code such as an operating system, an application, an applet or even a routine. Software modules may be stored in any type of memory, namely a suitable storage medium such as a programmable electronic circuit, a semiconductor memory device, a volatile memory (e.g., random access memory, etc.), a non-volatile memory (e.g., read-only memory, flash memory, etc.), a floppy diskette, an optical disk (e.g., compact disk or digital versatile disc "DVD"), a hard drive disk, tape, or any kind of interconnect (defined below).

An "interconnect" is generally defined as an information-carrying medium that establishes a communication pathway. Examples of the medium include a physical medium (e.g., electrical wire, optical fiber, cable, bus traces, etc.) or a wireless medium (e.g., air in combination with wireless signaling technology).

"Information" is defined as data, address, control or any combination thereof. For transmission, information may be transmitted as a message, namely a collection of bits in a predetermined format. One particular type of message is a frame including a header and a payload, each having a predetermined number of bits of information.

I. General Architecture

Referring to FIG. 1, an exemplary embodiment of an enterprise network featuring a wireless network 100 in accordance with the invention is illustrated. Herein, wireless network 100 comprises an Air Monitor 110, a Management Server 120, one or more Access Points (APs) 130_1 to 130_N (N ≥ 1), and one or more wireless stations (STAs) 140_1 to 140_M (M ≥ 1), which are in communication with APs 130_1 to 130_N. Of course, it is contemplated that more than one Air Monitor may be positioned within wireless network 100.

Air Monitor (AM) 110 detects any AP within its signal coverage area 150, including both valid APs as well as unauthorized APs. A "Valid" AP is an authorized AP coupled to and resident on a wired portion of the enterprise network. An unauthorized AP can be classified into one of a selected number of classes. For this embodiment, there are three classes for unauthorized APs, namely "Rogue", "Unsecured" and "Interfering".

A "Rogue" AP or "RAP" is an initial class set by Management Server 120 upon receipt of a NEW_ACCESS_POINT message from Air Monitor 110 as described in FIG. 10. An "Unsecured" AP is an AP that is unknowingly or maliciously installed within the enterprise network itself. This allows clients to illegally access resources within the enterprise network. An "Interfering" AP is an AP that is installed on another network, but is within a coverage area of the enterprise network. This is a common scenario in multi-tenancy environments where APs from other networks are visible to each other.

As shown in FIG. 2, each AP 130_1, ..., or 130_N supports bi-directional communications by (i) receiving data frames and transmitting data from these frames onto a physical medium 200 that forms part of a wired network 210 and (ii) receiving data from wired network 210 and transmitting data frames to one or more targeted STAs 140_1, ..., 140_M. Wired network 210 can be of any type of wired network, including but not limited or restricted to Ethernet, Token Ring, Asynchronous Transfer Mode (ATM) or the like. Moreover, wired network 210 features resources that are available for users of wireless network 100. Such resources may include devices 220 for data storage, which are coupled to physical medium 200.

STA 140 includes a removable, wireless network interface card (NIC) 230 that is separate from or employed within a wireless device 240 that processes information (e.g., computer, personal digital assistant "PDA", telephone, alphanumeric pager, etc.). Normally, NIC 230 comprises a wireless transceiver, although it is contemplated that NIC 230 may feature only receive (RX) or transmit (TX) functionality such that only a receiver or transmitter is implemented.

STA 140 communicates with and accesses information from AP 130 over the air 250 in accordance with the IEEE 802.11 communications protocol or another wireless networking protocol. Hence, AP 130 generally operates as a transparent bridge connecting a wireless network featuring STA 140 with wired network 210.

Referring back to FIG. 1, Air Monitor (AM) 110 comprises a policy enforcement component implemented within a device that also features components enabling wireless communications (e.g., a wireless NIC). The policy enforcement component may be one or more software modules executed by a processor within the device. For this embodiment, AM 110 constantly scans different frequency channels and maintains information about all APs 130_1 to 130_N and STAs 140_1 to 140_M in wireless network 100. Generally, AM 110 monitors wireless network 100 to extract information from wireless frames as described in FIGS. 4, 5A and 5B below. Examples of wireless frames include, but are not limited or restricted to, IEEE 802.11 data frames, Beacon frames, HiperLAN frames or the like. This information may be used to influence the behavior of wireless network 100.

Upon start-up, AM 110 registers with Management Server 120. According to one embodiment, as shown in FIG. 3, AM 110 registers by sending an AM_REGISTRATION message 300 to Management Server 120 over interconnect 305. AM_REGISTRATION message 300 comprises at least a unique address 310 (e.g., Internet Protocol "IP" address, internal network address, etc.) and a Media Access Control (MAC) address 320 for AM 110. Of course, other optional information may include a location 330 of AM 110 and status information 340 (e.g., active or inactive).

Referring to FIG. 4, an exemplary embodiment of AM 110 of FIG. 1 is shown. AM 110 comprises a transceiver component 400, a processor component 430 and a memory component 460. Processor 430 and memory 460 are used to extract information from signals transmitted to/from APs 130_1 to 130_N of FIG. 1, to measure signal strength, and to maintain one or more data structures that can be used to influence the behavior of wireless network 100.

As shown in this embodiment, transceiver component 400 comprises an antenna 405, an RX interface 410, a TX interface 415 and a converter 420. Converter 420 may be implemented as a component that can perform both analog-to-digital signal conversion as well as digital-to-analog signal conversion. Of course, it is contemplated that converter 420 may include an analog-to-digital converter and/or a digital-to-analog converter. Where both converters are provided, they are separate components.

More specifically, as shown in FIG. 4, antenna 405 receives an incoming data stream 406. In one embodiment, data stream 406 includes one or more wireless frames such as a Beacon frame 500 of FIG. 5A and an IEEE 802.11 data frame 550 of FIG. 5B. The information within these frames is encoded and carried within a frequency channel that is located within a carrier frequency band. For this embodiment, the carrier frequency band is located within a typical radio frequency (RF) band of frequencies. For example, the RF band may generally fall within an approximate range of 2.4-2.5 GHz or perhaps an approximate range of 5-5.25 GHz. It is contemplated, though, that the invention may be applied to any frequency range.

The RX interface 410 is configured to isolate the frequency channel on which data is carried from all the other frequencies received on antenna 405. This may be accomplished through a tunable filter tuned to a center frequency of a channel of interest. The data channel undergoes a frequency shift from the carrier band to baseband, and the resulting analog radio signal 411 is routed to converter 420.

In one embodiment, converter 420 samples baseband analog radio signal 411, which results in a series of digital samples 425. Processor 430 performs a demodulation operation on the digitally sampled baseband signal 425 to recover information from the wireless frames. Typically, a fixed number of demodulation protocols may be stored in memory 460. For instance, AM 110 may support one or more of the IEEE 802.11, 802.11a and 802.11b demodulation protocols as well as other protocol types.

The type of information recovered by AM 110 enables a variety of policies to be enforced. For example, such information may enable an AP to be effectively turned off if classified as an Unsecured AP. Other examples are set forth in the policy extension section described below.

For one embodiment, as shown in FIGS. 5A and 5B, the information may be recovered from Beacon frame 500 and IEEE 802.11 data frame 550. After recovery, the information may be stored internally within memory 460 or transmitted to memory within Management Server 120.

For instance, a Service Set Identity (SSID) 510 and a channel number 520 may be recovered from a frame body 530 of Beacon frame 500. Additionally, the values of the ToDS bit 560 and the FromDS bit 565 may be recovered from a frame control portion 570 of data frame 550. An identifier (e.g., Basic Service Set Identifier "BSSID") 580 of a detected AP may be recovered from an address field 585 of data frame 550. The signal strength perceived by AM 110 for data frame 550 may be measured by AM 110 and such value stored.

Referring back to FIG. 1, Management Server 120 is software running on a central management system that manages each and every AM installed in the enterprise network. Each Air Monitor (e.g., AM 110) is configured with a server address and registers with Management Server 120 at start-up as described in FIG. 3. Of course, for small scale deployment, the functionality of Management Server 120 can be merged into AM 110.

Referring to FIG. 6, an exemplary embodiment of a data structure 600 (referred to as a "Station Table") continuously updated and stored by AM 110 of FIG. 4 is shown. Station Table 600 maintains information associated with all APs being monitored by an Air Monitor (e.g., AM 110). Such information is recovered from wireless frames received by or output from any of the monitored APs.

As shown in this embodiment, each entry 610 of Station Table 600 comprises a plurality of fields. A first field is configured to contain an identifier 620 of an AP being monitored by the Air Monitor (referred to as "AP identifier"). AP identifier 620 may include the BSSID of the monitored AP. A second field is configured to contain a MAC address 630 corresponding to either a destination address or a source address contained in the wireless frame. Station Table 600 further comprises a third field that contains information 640 to indicate whether a source address or destination address in the wireless frame is a "wireless MAC address" or a "wired MAC address". More specifically, the Air Monitor constantly classifies source and destination addresses in the wireless frames. The destination address (DA) is deemed to be a "wireless MAC address" and the source address is deemed to be a "wired MAC address" if the frame transfer occurs from the AP to one of its STAs. Similarly, DA is deemed to be a "wired MAC address" and the source address is deemed to be a "wireless MAC address" if the frame transfer occurs from one of the STAs to the AP.

In general, this classification can be accomplished by analyzing the FromDS and ToDS bits within a header of the wireless frame. If the FromDS bit is set and the ToDS bit is not set, SA is a wireless MAC address and DA is a wired MAC address. If the ToDS bit is set and the FromDS bit is not set, SA is a wired MAC address and DA is a wireless MAC address.
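The Station Table logic just described, as an added worked example written for this page (it is not the patent's implementation and the frames, MAC addresses and helper names are all constructed). It parses the frame control and address fields of an 802.11 data frame using the standard address mapping (ToDS/FromDS decide which of Address 1 to 3 carries DA, SA and BSSID), then applies the rule for field 640: an AP-to-STA frame (FromDS set) marks SA as wired and DA as wireless, and a STA-to-AP frame (ToDS set) the reverse. One caveat for a practitioner: the final bit-level paragraph above, as printed, states SA and DA the other way round from the AP-to-STA / STA-to-AP paragraph before it and from the 802.11 address semantics; the code follows the latter, which is what a monitor actually needs to tell wired nodes from wireless stations.

```python
"""Air Monitor side of Station Table 600 (FIG. 6): recover ToDS/FromDS from the
frame control field of sniffed IEEE 802.11 data frames, classify SA/DA as wired
or wireless, and keep one table per monitored AP (BSSID).
Constructed example; the frames and addresses below are synthetic, not captured."""
from dataclasses import dataclass
from typing import Dict, List, Optional

WIRED, WIRELESS = "wired", "wireless"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


@dataclass
class DataFrameInfo:
    bssid: str
    sa: str
    da: str
    to_ds: bool
    from_ds: bool


def parse_data_frame(frame: bytes) -> Optional[DataFrameInfo]:
    """Parse the 24-byte MAC header of an 802.11 data frame (FCS stripped).
    Returns None for management/control frames, truncated frames and
    4-address (ToDS=FromDS=1) frames, which the patent does not consider."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:          # frame control type field: 2 = data
        return None
    to_ds = bool(fc1 & 0x01)           # ToDS is bit 0 of the second FC byte
    from_ds = bool(fc1 & 0x02)         # FromDS is bit 1
    addr1, addr2, addr3 = (mac_to_str(frame[o:o + 6]) for o in (4, 10, 16))
    if to_ds and from_ds:
        return None
    if from_ds:                        # AP -> STA: addr1=DA, addr2=BSSID, addr3=SA
        return DataFrameInfo(bssid=addr2, sa=addr3, da=addr1, to_ds=False, from_ds=True)
    if to_ds:                          # STA -> AP: addr1=BSSID, addr2=SA, addr3=DA
        return DataFrameInfo(bssid=addr1, sa=addr2, da=addr3, to_ds=True, from_ds=False)
    return DataFrameInfo(bssid=addr3, sa=addr2, da=addr1, to_ds=False, from_ds=False)  # ad hoc


def classify_addresses(info: DataFrameInfo) -> Dict[str, str]:
    """Field 640 of a Station Table entry: FromDS set (AP -> STA) means the source
    came from the wired side and the destination is a wireless station; ToDS set
    (STA -> AP) is the reverse. Ad hoc frames involve no wired node at all."""
    if info.from_ds and not info.to_ds:
        return {info.sa: WIRED, info.da: WIRELESS}
    if info.to_ds and not info.from_ds:
        return {info.sa: WIRELESS, info.da: WIRED}
    return {}


class StationTable:
    """Station Table 600: AP identifier (BSSID) -> {MAC address 630: wired|wireless}."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {}

    def observe(self, frame: bytes) -> bool:
        """Update the table from one sniffed frame; True if an entry was touched."""
        info = parse_data_frame(frame)
        if info is None:
            return False
        kinds = classify_addresses(info)
        if not kinds:
            return False
        self.entries.setdefault(info.bssid, {}).update(kinds)
        return True

    def nodes(self, bssid: str, kind: str) -> List[str]:
        return sorted(m for m, k in self.entries.get(bssid, {}).items() if k == kind)


def build_data_frame(addr1: str, addr2: str, addr3: str, to_ds: bool, from_ds: bool) -> bytes:
    """Constructed test frame: frame control (type=data), duration, three addresses,
    sequence control and a dummy payload."""
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    return (bytes([0x08, fc1]) + b"\x00\x00"
            + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
            + b"\x00\x00" + b"payload")


# Constructed addresses (hypothetical, not from the patent).
AP_BSSID = "00:0b:86:00:00:01"
STA_MAC = "00:11:22:33:44:55"
SERVER_MAC = "00:50:56:aa:bb:cc"
BEACON = bytes([0x80, 0x00]) + b"\x00" * 22   # management frame (type 0, subtype 8): ignored


def demo() -> StationTable:
    table = StationTable()
    table.observe(build_data_frame(STA_MAC, AP_BSSID, SERVER_MAC, to_ds=False, from_ds=True))  # AP -> STA
    table.observe(build_data_frame(AP_BSSID, STA_MAC, SERVER_MAC, to_ds=True, from_ds=False))  # STA -> AP
    table.observe(BEACON)                                                                      # not a data frame
    return table


if __name__ == "__main__":
    t = demo()
    print("wired:", t.nodes(AP_BSSID, WIRED), "wireless:", t.nodes(AP_BSSID, WIRELESS))
```

After the two frames the table holds one entry for the AP with the server's MAC marked wired and the station's MAC marked wireless; the wired set per BSSID is exactly what field 1241/1242 of the RAP_CLASSIFICATION_RESPONSE later reports to the Management Server.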
Referring to FIG. 7, an exemplary embodiment of a data structure maintained and stored by Management Server 120 of FIG. 1 is shown. This data structure, referred to as an AP Table 700, maintains baseline information for all APs installed in the wireless network. This information can be manually input by an administrator or automatically populated by placing all Air Monitors of the wireless network into a LEARN mode. In LEARN mode, each Air Monitor collects information associated with the APs that are within its coverage range and routes such information to update AP Table 700.

As shown, each entry 710 of AP Table 700 contains information associated with an AP of the wireless network. As one embodiment, at least one entry 715 includes AP identifier 620, a channel number 730, an AP class type value 740 and a status value 750. AP identifier 720 is the unique value that identifies a specific, monitored AP. An example of AP identifier 720 is equivalent to the BSSID 620 concurrently stored in Station Table 600 of FIG. 6. Channel number 730 indicates the particular channel over which the wireless frames associated with the particular AP are carried. AP class type value 740 indicates the current classification of the particular AP, such as Valid, Rogue, Unsecured or Interfering. Status value 750 is a Boolean value (0, 1) that merely indicates whether the AP is active (1) or inactive (0). As an optional feature, entry 715 may further include a network identifier 760 (e.g., SSID).

Referring now to FIG. 8, an exemplary embodiment of a data structure 800 (referred to as an "AM Table") maintained and stored by Management Server 120 is shown. AM Table 800 contains all Air Monitors registered with Management Server 120. Each entry of AM Table 800 is associated with a different Air Monitor. For instance, a first entry comprises a first field to contain a unique address 810 for one of the Air Monitors (e.g., Internet Protocol "IP" address, internal network address, etc.) and a second field to contain the Media Access Control (MAC) address 820 of that Air Monitor. Optionally, AM Table 800 further comprises a field to contain information 830 indicating a location of the Air Monitor and a field to contain status information 840 as to whether the Air Monitor is active or inactive.

Referring to FIG. 9, an exemplary embodiment of a data structure 900 (referred to as an "AP/AM Table") maintained and stored by Management Server 120 of FIG. 1 is shown. This table merely maintains which AP is being monitored by which Air Monitor. Each entry of AP/AM Table 900 comprises a first field 910 to contain the AM address 810 found in AM Table 800 of FIG. 8 and a second field 920 to contain the AP identifier 720 found in AP Table 700 of FIG. 7, which is provided to the Management Server by the Air Monitor.
II. Communication Protocols

Referring to FIG. 10, an exemplary embodiment of a communication protocol for AP classification between Air Monitor (AM) 110 and Management Server 120 of FIG. 1 is shown. AM 110 is constantly monitoring the wireless network to detect APs that are active. AM 110 does this by extracting (i) the BSSID and measuring the signal strength perceived from every wireless data frame transmitted or received by an AP and (ii) the SSID and channel information from its Beacon frame. Whenever a new AP is detected, AM 110 sends a NEW_ACCESS_POINT message 1000 to Management Server 120.

NEW_ACCESS_POINT message 1000 comprises a plurality of parameters 1010 such as, for example, an AP identifier 1020, an optional network identifier 1030, a channel number 1040, an AP type parameter 1050, an AP class parameter 1060 and a status parameter 1070.

In one embodiment, AP identifier 1020 is a BSSID, namely a MAC address that uniquely identifies the new AP. Network identifier 1030 is an alphanumeric character string that identifies the network with which the new AP is communicating (e.g., SSID). Channel number 1040 indicates the particular channel on which the detected frame from/to the new AP is received.

AP type parameter 1050 indicates a manufacturer, make or model of the new AP. For example, AP type parameter 1050 may indicate that the AP is a software-based AP or may indicate that it is manufactured or sold by a particular company such as Cisco Systems, Inc. of San Jose, Calif.

AP class parameter 1060 indicates a particular classification of the AP such as Valid, Rogue, Unsecured or Interfering as described above. This information enables Management Server 120 to detect whether AM 110 has an up-to-date AP classification. If not, Management Server 120 sends a message to AM 110 with the updated AP classification.

AP status parameter 1070 simply indicates whether the new AP is active or inactive.

When Management Server 120 receives NEW_ACCESS_POINT message 1000, it compares AP identifier 1020 with the baseline maintained in AP Table 700 of FIG. 7. If the new AP is listed in AP Table 700 as a "Valid" AP, the message is ignored. If the new AP is not located in AP Table 700, Management Server 120 updates AP Table 700 with information associated with the new AP and initially classes the new AP as a "Rogue" AP by setting the AP class type parameter to "Rogue". Management Server 120 also updates AP/AM Table 900 of FIG. 9 to indicate that the new AP is being monitored by AM 110.

Referring to FIG. 11, an exemplary embodiment of a communication protocol for Rogue AP classification between AM 110 and Management Server 120 of FIG. 1 is shown. When a new AP is classified as a Rogue AP, Management Server 120 queries AP/AM Table 900 of FIG. 9 to find all AMs monitoring the new AP. Management Server 120 next sends a RAP_CLASSIFICATION_START message 1100 to AM 110. RAP_CLASSIFICATION_START message 1100 comprises at least the AP identifier 1020 of the new AP that has to be further classified. Optionally, RAP_CLASSIFICATION_START message 1100 further comprises channel number 1040.

Upon receiving RAP_CLASSIFICATION_START message 1100, AM 110 stops scanning all frequency channels supported by the wireless network and tunes to the channel that the new AP is on. The channel information is known by AM 110 based on the contents of Station Table 600 of FIG. 6 stored by AM 110. Of course, channel information may be included in RAP_CLASSIFICATION_START message 1100 as well.

For a specified period of time, AM 110 performs MAC Address Classification to update classifications for all APs being monitored. At the end of this time period, AM 110 sends a RAP_CLASSIFICATION_RESPONSE message 1200 to Management Server 120 that provides information contained within Station Table 600 of FIG. 6.

In particular, RAP_CLASSIFICATION_RESPONSE message 1200 comprises a plurality of fields. A first field 1210 contains the AP identifier of the new AP for which the RAP_CLASSIFICATION_START message 1100 of FIG. 1 was constructed. A second field 1220 contains the number of APs detected by AM 110. In addition, a first series of fields 1230 includes an AP identifier 1240 of a first AP of the detected APs. AP identifier 1240 may include a BSSID. Next, the number of wired nodes 1241 (e.g., an enterprise server such as a file server, email server or web server connected to the wired network) associated with the particular BSSID and the MAC addresses 1242 of each of these wired nodes are provided. Additional series of fields 1250 are provided for each of the detected APs.

Management Server 120 collects information from the RAP_CLASSIFICATION_RESPONSE message 1200 from AM 110 and classifies the MAC addresses associated with the nodes into two groupings: a Valid Wired MAC Addresses (VWMAC) grouping and a Rogue AP Wired MAC Addresses (RAPWMAC) grouping. VWMAC has all wired MAC addresses seen for Valid APs (VWMAC are wired MAC addresses associated with Valid APs, so VWMAC are enterprise wired MAC addresses). RAPWMAC includes all wired MAC addresses for Rogue APs.

If there are common MAC addresses in these two buckets, the Rogue AP is classified as an Unsecured Access Point (UAP). Otherwise it is classified as an Interfering Access Point (IAP). Management Server 120 updates AP Table 700 of FIG. 7 with the appropriate new AP class type parameter.
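The Management Server side of the FIG. 10 and FIG. 11 protocols above, as one added worked example written for this page (not the patent's or Aruba's code; all addresses, table shapes and method names are constructed assumptions). It covers the NEW_ACCESS_POINT handling (a baseline Valid AP is ignored, an unknown AP is entered in the AP Table as Rogue and paired with the reporting AM in the AP/AM Table), the AP/AM Table query that finds which AMs to send RAP_CLASSIFICATION_START to, and the VWMAC/RAPWMAC overlap test applied to the wired MAC lists that RAP_CLASSIFICATION_RESPONSE carries. The example classifies one Rogue AP at a time; the page describes RAPWMAC as the wired MACs of Rogue APs in general.

```python
"""Management Server side of FIG. 10 (NEW_ACCESS_POINT) and FIG. 11 (Rogue AP
classification by wired-MAC overlap). Constructed example with hypothetical
addresses; not the patent's own implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

VALID, ROGUE, UNSECURED, INTERFERING = "Valid", "Rogue", "Unsecured", "Interfering"


@dataclass
class ApEntry:                      # AP Table 700, entry 715
    ap_identifier: str              # BSSID (AP identifier 720)
    channel: int                    # channel number 730
    ap_class: str                   # AP class type value 740
    active: bool                    # status value 750
    network_identifier: Optional[str] = None   # optional SSID 760


@dataclass
class NewAccessPoint:               # NEW_ACCESS_POINT message 1000
    ap_identifier: str              # 1020
    channel: int                    # 1040
    ap_class: str                   # 1060: classification the AM currently holds
    active: bool                    # 1070
    network_identifier: Optional[str] = None   # 1030
    ap_type: Optional[str] = None              # 1050


class ManagementServer:
    def __init__(self, baseline: List[ApEntry]) -> None:
        self.ap_table: Dict[str, ApEntry] = {e.ap_identifier: e for e in baseline}
        self.am_table: Set[str] = set()                  # AM Table 800 (addresses only)
        self.ap_am_table: Set[Tuple[str, str]] = set()   # AP/AM Table 900: (AM address, AP id)

    def register_am(self, am_address: str) -> None:      # AM_REGISTRATION message 300
        self.am_table.add(am_address)

    def on_new_access_point(self, am_address: str, msg: NewAccessPoint) -> Optional[str]:
        """Return the class now held for the AP, or None when the message is
        ignored because the baseline already lists the AP as Valid."""
        entry = self.ap_table.get(msg.ap_identifier)
        if entry is not None and entry.ap_class == VALID:
            return None
        if entry is None:                                # unknown AP: enter it as Rogue
            entry = ApEntry(msg.ap_identifier, msg.channel, ROGUE, msg.active, msg.network_identifier)
            self.ap_table[msg.ap_identifier] = entry
        self.ap_am_table.add((am_address, msg.ap_identifier))
        return entry.ap_class

    def am_holds_stale_class(self, msg: NewAccessPoint) -> bool:
        """AP class parameter 1060 lets the server see whether the AM needs an update."""
        entry = self.ap_table.get(msg.ap_identifier)
        return entry is not None and entry.ap_class != msg.ap_class

    def monitors_of(self, ap_identifier: str) -> List[str]:
        """FIG. 11: query AP/AM Table 900 for every AM monitoring the AP."""
        return sorted(am for am, ap in self.ap_am_table if ap == ap_identifier)

    def classify_rogue(self, ap_identifier: str, wired_nodes_by_ap: Dict[str, Set[str]]) -> str:
        """wired_nodes_by_ap is the content of RAP_CLASSIFICATION_RESPONSE 1200:
        AP identifier 1240 -> wired MAC addresses 1242 seen behind it.  VWMAC is
        the union over Valid APs, RAPWMAC the set behind the Rogue AP; any overlap
        means the Rogue AP is bridged into the enterprise wired network."""
        vwmac: Set[str] = set()
        for bssid, macs in wired_nodes_by_ap.items():
            entry = self.ap_table.get(bssid)
            if entry is not None and entry.ap_class == VALID:
                vwmac |= macs
        rapwmac = set(wired_nodes_by_ap.get(ap_identifier, set()))
        new_class = UNSECURED if vwmac & rapwmac else INTERFERING
        self.ap_table[ap_identifier].ap_class = new_class
        return new_class


# Constructed scenario (hypothetical addresses).
VALID_AP, ROGUE_A, ROGUE_B = "00:0b:86:00:00:01", "00:0c:41:de:ad:01", "00:0c:41:be:ef:02"
FILE_SERVER, MAIL_SERVER = "00:50:56:aa:bb:01", "00:50:56:aa:bb:02"
TENANT_ROUTER = "00:1c:23:99:99:01"      # wired node of a neighbouring tenant's network
AM_ADDRESS = "10.0.0.5"


def demo() -> Dict[str, Optional[str]]:
    server = ManagementServer([ApEntry(VALID_AP, 6, VALID, True, "corp")])
    server.register_am(AM_ADDRESS)
    results: Dict[str, Optional[str]] = {}
    results["valid"] = server.on_new_access_point(AM_ADDRESS, NewAccessPoint(VALID_AP, 6, VALID, True, "corp"))
    results["a_initial"] = server.on_new_access_point(AM_ADDRESS, NewAccessPoint(ROGUE_A, 11, ROGUE, True, "corp"))
    results["b_initial"] = server.on_new_access_point(AM_ADDRESS, NewAccessPoint(ROGUE_B, 1, ROGUE, True, "guest"))
    response = {   # wired nodes the AM reports per BSSID after MAC Address Classification
        VALID_AP: {FILE_SERVER, MAIL_SERVER},
        ROGUE_A: {MAIL_SERVER, TENANT_ROUTER},   # shares an enterprise wired MAC -> Unsecured
        ROGUE_B: {TENANT_ROUTER},                # only a foreign wired MAC -> Interfering
    }
    results["a_final"] = server.classify_rogue(ROGUE_A, response)
    results["b_final"] = server.classify_rogue(ROGUE_B, response)
    results["monitors"] = ",".join(server.monitors_of(ROGUE_A))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The overlap test is only as good as the baseline: an AP that an administrator (or LEARN mode) has entered as Valid contributes its wired MACs to VWMAC, so an attacker-controlled AP that slipped into the baseline would make every other rogue on the same wired segment look Unsecured rather than Interfering, and a missing Valid AP would have the opposite effect. Keeping the AP Table reviewed is therefore part of the control, not an afterthought.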
Referring now to FIG. 12, an exemplary embodiment of a communication protocol for deactivating an Unsecured AP is shown. Once a newly detected AP is classified as an Unsecured AP, Management Server 120 sends a DENIAL_OF_SERVICE message 1300 to all AMs monitoring the new AP. The DENIAL_OF_SERVICE message 1300 comprises an identifier 1310 of the Unsecured AP (e.g., the BSSID of the Unsecured AP). Of course, DENIAL_OF_SERVICE message 1300 may further include a channel number 1320 on which the AMs are communicating with the Unsecured AP.

Upon receiving DENIAL_OF_SERVICE message 1300, whenever an AM detects a data frame with the FromDS bit set in the Unsecured AP's domain, the AM sends a DEAUTHENTICATION message 1400 to the Unsecured AP on behalf of a station that was the destination of the data frame. As shown in FIG. 14, differing from IEEE 802.11 data frames as shown in FIG. 5B, DEAUTHENTICATION message 1400 comprises three address fields 1410, 1420, 1430, in which DA field 1410 contains the BSSID of the Unsecured AP. A reason code 1440 is loaded into a two-byte body portion of DEAUTHENTICATION message 1400 to indicate the reason for deauthentication.

For clarity's sake, presume that AM 110 detects an IEEE 802.11 data frame with the following attributes: (1) FromDS bit is set; ToDS bit is not set;