
PATROLL Winning Submission

U.S. Patent 7,224,678

The patent-at-issue, U.S. Patent 7,224,678 (“Stingray”), which was filed on August 12, 2002
and claims that date as its priority date, is generally directed to a wireless local area
network (WLAN) or metropolitan area network with intrusion detection features. More
specifically, the WLAN includes a plurality of stations that transmit data using a media access
layer (MAC), each station being associated with a respective MAC address. The WLAN may also
include a policing station that detects intrusions into the wireless network by monitoring
transmissions among the plurality of stations to detect frame check sequence (FCS) errors from a
MAC address, and that generates an intrusion alert upon detecting a number of FCS errors for
that MAC address exceeding a threshold. The policing station may further detect intrusions based
upon one or more of failed MAC address authentications, illegal network allocation vector (NAV)
values, and unexpected contention or contention-free operation. Claim 51, charted below, recites
the failed-authentication variant: monitoring transmissions among the stations to detect failed
attempts to authenticate MAC addresses, and generating an intrusion alert based upon detecting a
number of such failed attempts for a MAC address.
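The policing-station behaviour described above (per-MAC counting of FCS errors and of failed MAC authentications, with an alert once a count exceeds a threshold) is the claim-51 logic the chart below maps onto the references. The following Python sketch is an added illustration written for this page; it is not code from the Stingray or AirDefense patents. The frame-record fields, the sliding window, the threshold values and the sample trace are assumptions; a real monitor would populate the records from a monitor-mode 802.11 capture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

AUTH_SUCCESS = 0  # IEEE 802.11 authentication status code 0 = successful


@dataclass(frozen=True)
class FrameObs:
    """One decoded frame as seen by the monitor (field set is an assumption)."""
    t: float                           # capture timestamp in seconds
    src: str                           # source / transmitter MAC
    dst: str                           # destination / receiver MAC
    fcs_ok: bool                       # frame check sequence verified
    auth_status: Optional[int] = None  # status code if this is an authentication response


class PolicingStation:
    """Per-MAC sliding-window counters for FCS errors and failed authentications.

    observe() returns the alerts (if any) triggered by one frame; an alert fires
    when a station's count inside window_s exceeds the configured threshold.
    """

    def __init__(self, fcs_threshold: int = 10, auth_fail_threshold: int = 3,
                 window_s: float = 60.0) -> None:
        self.fcs_threshold = fcs_threshold
        self.auth_fail_threshold = auth_fail_threshold
        self.window_s = window_s
        self._fcs_err: Dict[str, Deque[float]] = defaultdict(deque)
        self._auth_fail: Dict[str, Deque[float]] = defaultdict(deque)

    def _count(self, log: Deque[float], t: float) -> int:
        """Record an event at time t and return how many events remain in the window."""
        log.append(t)
        while t - log[0] > self.window_s:   # log is never empty here: t was just appended
            log.popleft()
        return len(log)

    def observe(self, f: FrameObs) -> List[str]:
        alerts: List[str] = []
        if not f.fcs_ok:
            # The claim attributes FCS errors to the source MAC. Caveat: a bad FCS
            # means the address fields themselves may be corrupted, so this count
            # is kept separate from the authentication-failure count.
            n = self._count(self._fcs_err[f.src], f.t)
            if n > self.fcs_threshold:
                alerts.append(f"fcs-errors src={f.src} count={n}")
            return alerts
        if f.auth_status is not None and f.auth_status != AUTH_SUCCESS:
            # Authentication response with a non-zero status: the station it is
            # addressed to (dst) failed to authenticate its MAC address.
            n = self._count(self._auth_fail[f.dst], f.t)
            if n > self.auth_fail_threshold:
                alerts.append(f"auth-failures station={f.dst} count={n}")
        return alerts

    def fcs_error_count(self, mac: str) -> int:
        return len(self._fcs_err[mac])

    def auth_failure_count(self, mac: str) -> int:
        return len(self._auth_fail[mac])


def run_demo() -> List[str]:
    """Constructed trace: one station on a noisy link, one station repeatedly
    failing authentication, then a lone bad frame long after the window."""
    AP = "00:11:22:33:44:55"
    NOISY = "aa:bb:cc:00:00:01"
    BRUTE = "aa:bb:cc:00:00:02"
    ps = PolicingStation(fcs_threshold=3, auth_fail_threshold=2, window_s=10.0)
    trace = [FrameObs(t=float(i), src=NOISY, dst=AP, fcs_ok=False) for i in range(5)]
    # status 13 is simply a non-zero (failure) code for the purpose of this sample
    trace += [FrameObs(t=20.0 + i, src=AP, dst=BRUTE, fcs_ok=True, auth_status=13)
              for i in range(4)]
    trace.append(FrameObs(t=100.0, src=NOISY, dst=AP, fcs_ok=False))  # outside window
    alerts: List[str] = []
    for f in trace:
        alerts.extend(ps.observe(f))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two alerts fire for the noisy station (counts 4 and 5) and two for the station failing authentication (counts 3 and 4); the final bad frame at t=100 finds the window empty and raises nothing. Whether a noisy link should be treated as hostile at all is a policy decision the threshold and window encode, which is why both are parameters rather than constants.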

The primary reference, U.S. Patent 7,058,796 (“AirDefense”), which was filed on June 3,
2002 and claims a May 20, 2002 priority date, is directed to a system and method for actively
defending a wireless LAN against attacks. Specifically, the system includes a system data store
for storing network default and configuration data, a wireless transmitter for transmitting
communications over a wireless computer network, and a system processor. The system processor
is configured to receive an active defense request signal that includes an indicator
corresponding to a potentially compromised access point in the wireless computer network.
Responsive to the received request signal, the system processor triggers one or more of: a
transmission of a signal to jam communications targeted at the potentially compromised access
point; a transmission of a signal to corrupt communications targeted at the potentially
compromised access point by introducing CRC errors; a transmission of a signal to increase the
difficulty of breaking the encryption associated with the wireless computer network and the
potentially compromised access point; or a transmission of a channel change request
communication to the potentially compromised access point.

The secondary reference, U.S. Patent 5,850,515 (“GlobalFoundries”), which was filed on
April 10, 1997, is directed to intrusion control in repeater-based networks. Specifically, it
provides a method for securing a local area network having a plurality of nodes, a plurality of
end stations, each with an end station address, and a repeater having a plurality of ports. The
method includes receiving a data packet that includes a source address; utilizing a plurality of
intruder control circuits, one per port of the repeater, to compare the source address to at
least one of the plurality of end station addresses; and disabling, on an individual basis via
the intruder control circuits, each of the plurality of ports on the repeater based on the
comparison between the source address and at least one of the end station addresses.
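The per-port intruder control circuit summarized above (compare the source address with the port's stored end station addresses, count mismatches, disable the port after a predetermined number, raise an interrupt and store the offending address for the host) can be modelled directly. This Python model is an added illustration for this page, not code from the GlobalFoundries patent; the Packet fields, the mismatch limit, the verify_before_count switch and the sample trace are assumptions. The switch mirrors the alternative the reference describes of delaying the shutoff until the packet's FCS has been checked, so that a noise hit in the source address field does not shut off an authorized port.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet arriving at a repeater port (constructed; fields are an assumption)."""
    src: str       # source address (SA) field as received
    fcs_ok: bool   # whether the received FCS verified the packet


@dataclass
class IntruderControlPort:
    """Intruder control for one repeater port.

    Each incoming packet's source address is compared with the port's preferred
    (authorized) addresses. A mismatch raises an interrupt for the host; after
    mismatch_limit mismatches the port is disabled and the source address that
    caused the shutoff is stored for the host to read.

    verify_before_count=True waits for the end of the packet and counts a
    mismatch only if the FCS verified, so a noise-corrupted SA field does not
    shut off an authorized station. verify_before_count=False models the
    immediate mode, where the port is cut off while the packet is still arriving.
    """
    port: int
    preferred: Set[str]
    mismatch_limit: int = 1
    verify_before_count: bool = True
    mismatches: int = 0
    enabled: bool = True
    last_intruder: Optional[str] = None
    intruder_sources: List[str] = field(default_factory=list)
    interrupts: List[str] = field(default_factory=list)

    def receive(self, p: Packet) -> bool:
        """Handle one packet. Returns True if the repeater repeated it to the other ports."""
        if not self.enabled:
            return False                      # port isolated: nothing received or repeated
        if p.src in self.preferred:
            return True                       # authorized source: repeat normally
        if self.verify_before_count:
            if not p.fcs_ok:
                return True                   # corrupted packet: SA untrusted, not counted
            repeated = True                   # whole packet was let through for the FCS check
        else:
            repeated = False                  # immediate mode: cut off during the packet
        self.mismatches += 1
        if p.src not in self.intruder_sources:
            self.intruder_sources.append(p.src)
        self.interrupts.append(f"port {self.port}: source {p.src} not in preferred set")
        if self.mismatches >= self.mismatch_limit:
            self.enabled = False
            self.last_intruder = p.src
        return repeated

    def address_is_changing(self) -> bool:
        """True if the mismatches came from more than one source address, which the
        reference gives as the sign of a more sophisticated attempt to enter the network."""
        return len(self.intruder_sources) > 1

    def reenable(self) -> None:
        """Host clears the condition after acting on the stored intruder address."""
        self.enabled = True
        self.mismatches = 0


def run_demo() -> Tuple[List[bool], IntruderControlPort]:
    """Constructed trace: an authorized station, a noise hit, then an intruder
    that rotates its source address."""
    AUTHORIZED = "00:a0:c9:00:00:01"
    port = IntruderControlPort(port=3, preferred={AUTHORIZED}, mismatch_limit=2)
    trace = [
        Packet(AUTHORIZED, True),            # normal traffic
        Packet("de:ad:be:ef:00:01", False),  # bad FCS: SA may be noise, not counted
        Packet("de:ad:be:ef:00:01", True),   # verified mismatch 1
        Packet("de:ad:be:ef:00:02", True),   # verified mismatch 2 -> port disabled
        Packet(AUTHORIZED, True),            # authorized station on this port is now isolated too
    ]
    results = [port.receive(p) for p in trace]
    return results, port


if __name__ == "__main__":
    results, port = run_demo()
    print(results, port.enabled, port.last_intruder, port.intruder_sources)
```

Note the side effect the reference accepts: once the port is disabled, the authorized station behind it is cut off as well, because a repeater port carries every station on that segment. That is the reason the model gates the mismatch count on a verified FCS by default; an immediate shutoff on a noise-corrupted address would take a legitimate segment down.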

A sample claim chart comparing claim 51 of Stingray to AirDefense and GlobalFoundries is
provided below.

Claim chart: US7224678 (“Stingray”), claim 51, compared against A. US7058796 (“AirDefense”)
and B. US5850515A (“GlobalFoundries”)

51. (pre) An intrusion detection method for a wireless local or metropolitan area network
comprising a plurality of stations, the method comprising:

A. US7058796
“. . . systems and methods for enhancing network security. One preferred embodiment
according to the present invention includes a system data store (SDS), a system processor and
one or more interfaces to one or more communications channels which may include one or more
interfaces to wireless and/or encrypted communications network over which electronic
communications are transmitted and received. The SDS stores data needed to provide the desired
system functionality and may include, for example, received communications, data associated
with such communications, information related to known security risks and predetermined
responses to the identification of particular security risks and situations.” AirDefense at
5:3-15.

“The intrusion detection system (IDS) engine listens to wireless network traffic.” AirDefense
at 22:24-25.

“Identify every access point in the wireless computer network. Obtain or determine for each its
MAC address, Extended Service Set name, manufacturer, supported transmission rates,
authentication modes, and whether or not it is configured to run Wired Equivalent Privacy (WEP)
and wireless administrative management. In addition, identify every workstation equipped with a
wireless network interface card, and record the MAC address of each device.” AirDefense at
21:20-27.

“One preferred embodiment of such a screen or menu, automatically detects all stations within
the footprint of the access point's Basic Service Set (BSS) and enters their MAC addresses in
an Observed column. Such stations can be indicated as an authorized member of the BSS by
selecting them in the Observed column and designating them as Valid. Designated stations are
moved to a Valid column. (Stations can, in some embodiments, be designated as invalid by
selecting and marking them in the Valid column.) Stations not auto-detected can be manually
entered by specifying its MAC address in a Enter New Station input field and triggering an Add
Station feature.” AirDefense at 12:37-48.

See also FIG. 4:


B. US5850515A
“A method for securing a local area network, the local area
network having a plurality of nodes, a plurality of end
stations, each end station having an end station address,
and a repeater, the repeater having a plurality of ports, the
method comprising: . . . .” GlobalFoundries at Claim 1.

“A method and apparatus for securing a network from access by unauthorized end stations. A
port in a multiport
repeater can be disabled automatically upon detection of an
unknown source address in a data packet. In addition, an
interrupt signal is provided to the indicate the detection of
an intruder. Further, the disabling of the port can be done
substantially immediately to interrupt the re-transmission of a
single packet. Alternatively, the disabling of a port can be done
programmably after a predetermined number of intruder
packets have been detected, or after the verification of packet
integrity.” GlobalFoundries at Abstract.

51. (a) transmitting data between the plurality of stations using a media access layer (MAC),
each of the stations having a respective MAC address associated therewith;

A. US7058796
“. . . systems and methods for enhancing network security. One preferred embodiment
according to the present invention includes a system data store (SDS), a system processor and
one or more interfaces to one or more communications channels which may include one or more
interfaces to wireless and/or encrypted communications network over which electronic
communications are transmitted and received. The SDS stores data needed to provide the desired
system functionality and may include, for example, received communications, data associated
with such communications, information related to known security risks and predetermined
responses to the identification of particular security risks and situations.” AirDefense at
5:3-15.

“One preferred embodiment of such a screen or menu, automatically detects all stations within
the footprint of the
access point's Basic Service Set (BSS) and enters their MAC
addresses in an Observed column. Such stations can be
indicated as an authorized member of the BSS by selecting
them in the Observed column and designating them as Valid.
Designated stations are moved to a Valid column. (Stations
can, in some embodiments, be designated as invalid by
selecting and marking them in the Valid column.) Stations not
auto-detected can be manually entered by specifying its
MAC address in a Enter New Station input field and
triggering an Add Station feature.” AirDefense at 12:37-48.

B. US5850515A
“An intrusion control system for a secure repeater, the
repeater having a plurality of ports and used in a network
to route data packets between end stations, each data
packet having a destination address and a source address,
the system comprising:
means for storing one or more preferred source addresses
for the plurality of ports in the repeater; means for
comparing a source address of an incoming data packet
received at a first port of the plurality of ports to the stored
preferred source addresses;
means for indicating detection of a predetermined number of
mismatches between the stored preferred source addresses and
the incoming source address;
means for individually disabling the reception by the first port
after detection of the predetermined number of mismatches;
and means for storing the incoming source address causing the predetermined number of
mismatches.” GlobalFoundries at Claim 27.

“The source address field is supplied by the transmitting MAC. The transmitting MAC inserts a
sender's node address into the SA field as the frame is transmitted to indicate the node as the
originating station of the packet. The receiving MAC is not required to take action based on
the SA field.

As mentioned above, the repeater in a network repeats data to all nodes on a network. Although
data should only be received by the individual destination node addressed in the data packet,
unauthorized end stations can imitate a node on a network to receive data subversively.
Imitating a node can be accomplished by connecting an unauthorized end station onto a network,
listening to data traffic to determine valid node addresses, and pretending to be a valid
address on the network. There exists a need to ensure that an unauthorized end station in a
multiport repeater-based network does not connect onto the network. Accordingly, a further need
exists to prevent reception of data transmitted from an unauthorized end station by an
authorized end station. The present invention addresses these needs.” GlobalFoundries at
3:19-38.

“A method for securing a local area network, the local area network having a plurality of
nodes, a plurality of end stations, each end station having an end station address, and a
repeater, the repeater having a plurality of ports, the method comprising:

(a) receiving a data packet, the data packet including a source address;
(b) utilizing a plurality of intruder control circuits, with one
intruder control circuit per port of the repeater, for comparing
the source address to at least one of the plurality of end station
addresses; and
(c) disabling, on an individual basis via the plurality of intruder
control circuits, each of the plurality of ports on the repeater
based on the comparison between the source address and at
least one of the plurality of end station addresses.”
GlobalFoundries at Claim 1.

“The present invention provides a method and apparatus for detecting and preventing intrusion
of unauthorized end stations on a network. The present invention utilizes a comparison between
a source address of an incoming data packet and stored end station addresses for the network to
disable an unauthorized end station from participating in the network.

In one aspect of the present invention, a method for securing a local area network includes the
steps of receiving a data packet including a source address, comparing the source address to
one or more end station addresses, and disabling a receive port based on the comparison between
the source address and the end station addresses for the node.” GlobalFoundries at 3:41-55.

“The source address field is supplied by the transmitting MAC. The transmitting MAC inserts a
sender's node address into the SA field as the frame is transmitted to indicate the node as the
originating station of the packet. The receiving MAC is not required to take action based on
the SA field.” GlobalFoundries at 3:19-24.

51. (b) monitoring transmissions among the plurality of stations to detect failed attempts to
authenticate MAC addresses; and

A. US7058796
“[i]n step 410, configuration information is received. As before, this is typically done
through reading system configuration files, monitoring the network and/or interactive entry at
the outset of the process. This information typically includes network default data and risk
criteria such as access point configuration data (MAC Address of the access point, Access Point
Name, etc.), station configuration data and various thresholds values.” AirDefense at 24:12-20.

“AirDefense Mobile detects when a hacker pretends to be an Access point and broadcasts a
“de-authenticate” message.” AirDefense at 25:33-34.

“AirDefense Mobile detects a Station whose MAC address is not on its Valid list.” AirDefense at
25:48-49.

“AirDefense Mobile detects, during any minute, when any Station associates with an access point
more times than provided by a specified threshold.” AirDefense at 26:49-52.

“If no attack signature is identified, the frame information is passed through a protocol
violation engine to determine if the protocol used in the frame is authorized in step 330.
Protocol analysis examines whether or not protocol usage is legitimate. For example, emitting a
large number of association or disassociation requests in a short interval is not a legitimate
use of the proto” AirDefense at 22:49-55.

“The information within the frame is interrogated to determine if a known attack signature has
been identified in step 325. Signatures encode datalink layer attack patters as combinations of
packet sequences and state. For example, active probing emits a pattern or sequence of network
requests.” AirDefense at 22:40-45.

“In the case that an attack has been detected in 530, processing is passed to step 540 to
activate the honeypot trap. A trap thread is started in step 580; the thread initializes itself
with the identity of the monitored access point believed to be attacked. This identity typically
includes the MAC address, Service Set Identifier, encryption mode, network mode and transmission
modes. Once initialized, the thread moves to step 590, the Trap Intruder process. This process
is designed to logically fool the identifier attacker into believing communication is still
occurring with the original access point. This is accomplished through complete emulation of
the original access point's identity and behavior. By maintaining communication with the
attacker, a trap is created such that the attacker's physical proximity is assured as long as
communication continues.” AirDefense at 29:31-45.

B. US5850515A
“An intrusion control system for a secure repeater, the
repeater having a plurality of ports and used in a network
to route data packets between end stations, each data
packet having a destination address and a source address,
the system comprising:
means for storing one or more preferred source addresses
for the plurality of ports in the repeater; means for
comparing a source address of an incoming data packet
received at a first port of the plurality of ports to the stored
preferred source addresses;
means for indicating detection of a predetermined number
of mismatches between the stored preferred source
addresses and the incoming source address;
means for individually disabling the reception by the first port
after detection of the predetermined number of mismatches;
and means for storing the incoming source address causing the predetermined number of
mismatches.” GlobalFoundries at Claim 27.

“Using a last source address and a preferred source address, the present invention determines
if a mismatch occurs between the stored addresses and a source address for a current packet.
For example, a mismatch could occur due to an unauthorized attempt to access the network.
Consequently, the present invention provides a control circuit that can isolate a port from the
network to disable receipt and retransmission of the packet and also can provide an interrupt
that informs the host processor that the source address on the port is invalid.”
GlobalFoundries at 5:18-27.

“Alternatively, the controller can be implemented to delay assertion of the CARRIER signal
until the end of the
packet. Although delaying the assertion delays the
disabling of the port and allows one packet to be received
from the port, the delay allows the packet to be analyzed to
determine whether the packet is a good packet, i.e.,
whether the packet is uncorrupted. The analysis prevents
false shut offs for situations that could cause the source address
to be corrupted, e.g. in the case of a noise hit on the data in the
source address field. If the data is uncorrupted, as can be
verified by the received FCS field, the port is shut off after
the one packet. Alternatively, a predetermined number of
packets can be analyzed before shutting off a port. For
example, it may be advisable to determine if a mismatch
for multiple packets is being caused by the same source
address or if the source address is changing to cause the
mismatches. By way of example, a source address may
continually change when a more sophisticated attempt is
being made by an unauthorized source to enter a network.”
GlobalFoundries at 9:3-21.

See also FIG. 4:

51. (c) generating an intrusion alert based upon detecting a number of failed attempts to
authenticate a MAC address.

A. US7058796
“AirDefense Mobile detects a Station whose MAC address is not on its Valid list.” AirDefense at
25:48-49.

“If no attack signature is identified, the frame information is passed through a protocol
violation engine to determine if the protocol used in the frame is authorized in step 330.
Protocol analysis examines whether or not protocol usage is legitimate. For example, emitting a
large number of association or disassociation requests in a short interval is not a legitimate
use of the proto If the protocol used in the frame is outside of the authorized protocol set,
the intrusion detection system signals an alarm manager to deliver an alert to the
administrator in step 345.” AirDefense at 22:49-58.

“Systems and methods according to the present invention generate alerts if network traffic
that exceeds thresholds is detected.” AirDefense at 12:52-54.

“Some embodiments further include the mapping of the identification of the intruder's node
and/or the mapping of the location of the intruder's node within the wireless network. In some
instances, a notification of the triggering of the active defense can be sent to an
administrator; some such notifications may include an identification and/or location of the
node associated with the intruder in embodiments that include node identification and location
mapping.” AirDefense at 6:15-23.

“The information within the frame is interrogated to determine if a known attack signature has
been identified in step 325. Signatures encode datalink layer attack patters as combinations of
packet sequences and state. For example, active probing emits a pattern or sequence of network
requests. This sequence can be recognized by its packet sequence signature. If the attack
signature is identified, the intrusion detection system signals an alarm manager to deliver an
alert to the administrator in step 345.” AirDefense at 22:40-48.

B. US5850515A
“An apparatus for securing a local area network having a
plurality of nodes and end stations, each end station having an
end station address, the apparatus comprising:
a controller means;
a memory comparison means coupled to the controller
means for storing the end station addresses and performing
a comparison on at least one of the stored end station
addresses and a source address of a data packet; and a
plurality of intrusion control means coupled to the memory
comparison means and the controller means, each one of
the plurality of intrusion control means coupled to one of a
plurality of ports for disabling each port on a port-by-port basis
based upon a comparison between the source address and the
stored end station addresses.” GlobalFoundries at Claim 9.

“An apparatus as recited in claim 9 wherein the intrusion control means further outputs an
interrupt signal.” GlobalFoundries at Claim 17.

“Using a last source address and a preferred source address, the present invention determines
if a mismatch occurs between the stored addresses and a source address for a current packet.
For example, a mismatch could occur due to an unauthorized attempt to access the network.
Consequently, the present invention provides a control circuit that can isolate a port from the
network to disable receipt and retransmission of the packet and also can provide an interrupt
that informs the host processor that the source address on the port is invalid.”
GlobalFoundries at 5:18-27.

“The deassertion of the IC signal is further suitable for use as an interrupt signal. Software
control upon receipt of the interrupt signal is typically dependent on individual design needs.
As an example, a control sequence executed upon receipt of an interrupt signal could be used in
a count circuit until a predetermined number of mismatches have occurred.” GlobalFoundries at
9:28-39.

“With the method and apparatus of the present invention, a network can be secured from
unauthorized end stations. A port in a multiport repeater can be disabled automatically upon
detection of an unknown source address in a data packet. In addition, an interrupt signal is
provided upon detection of an intruder.” GlobalFoundries at 4:14-19.
