Monitoring a secure network using a network tap device
Adding network splitter devices to a secure network, obtaining keys and addresses for them, and monitoring and decrypting encrypted data solves the problem of insufficient data collection in existing technologies, enabling comprehensive monitoring and analysis of the secure network and improving the accuracy of network security and debugging.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents (China)
- Current Assignee / Owner
- LANDIS GYR TECH INC
- Filing Date
- 2022-01-18
- Publication Date
- 2026-06-23
AI Technical Summary
In existing network eavesdropping mechanisms, network splitter devices can only access unencrypted data, limiting the amount and type of data that can be collected, resulting in many security and network issues going undetected.
The disclosed approach adds network splitter devices to the secure network, obtains security keys and network addresses for them, listens to and decrypts encrypted data, collects network traffic including both encrypted and unencrypted data, and sends it to a monitoring workstation for analysis over a secure channel.
This enables comprehensive data collection and analysis of the secure network, improves the accuracy of network security and debugging, reduces the impact of the network splitter devices on the network, and supports their controlled management and maintenance.
Abstract figure: CN117203936B_ABST
Abstract
Description
Technical Field
[0001] This disclosure generally relates to network communication surveillance, and more specifically to the use of network splitter devices that are integrated into a secure network as part of the network for surveillance of the secure network.
Background Technology
[0002] Monitoring data communications occurring on a network is useful in many applications, including network security and debugging. Data transmitted over a network can be collected and analyzed to identify network-related problems. For example, by analyzing data transmitted over a network, attacks targeting one or more devices on the network can be identified, or improper configurations causing communication problems between network devices can be discovered.
[0003] To collect communication data, network splitter devices can be deployed on a network to monitor communications occurring on the network. However, existing network eavesdropping mechanisms use network splitter devices placed near network devices on the monitored network but not as part of the network itself. As a result, for secure networks, network splitter devices in existing eavesdropping mechanisms can only access unencrypted data, which significantly limits the amount and type of data that can be collected. Therefore, analysis based on limited communication data results in many security issues and other network problems remaining undetected.
Summary of the Invention
[0004] Systems and methods for monitoring a secure network by adding a network splitter device to the secure network to collect data are disclosed. In one example, the system includes a headend system configured to manage network devices in the monitored network and an access point configured to manage communication between a subset of network devices in the monitored network, as well as a network splitter device. The subset of network devices includes network nodes and the network splitter device. The network splitter device is connected to the access point via the monitored network and is managed by both the access point and the headend system. The network splitter device is configured to join the monitored network as a network device of the monitored network. Joining the monitored network includes communicating with the access point to obtain a security key for the monitored network, and communicating with the access point to obtain a network address for the network splitter device. The network splitter device is also configured to collect network data for the monitored network, including detecting network traffic on the monitored network comprising encrypted and unencrypted data, decrypting the encrypted data in the network traffic using the security key to generate decrypted data, and adding the decrypted and unencrypted data to the network data. The network splitter device is also configured to connect to the monitoring workstation via a data transmission network different from the network being monitored; and to send collected network data to the monitoring workstation via the data transmission network.
[0005] In another example, the network splitter device includes a transceiver configured to communicate between a monitored network and a data transmission network different from the monitored network. The network splitter device is configured to join the monitored network as a leaf node, including communicating with the network manager to obtain a security key for the monitored network and communicating with the network manager to obtain a network address for the network splitter device. The network splitter device is also configured to collect network data for the monitored network, including: detecting network traffic comprising encrypted and unencrypted data on the monitored network; decrypting the encrypted data in the network traffic using the security key to generate decrypted data; and adding the decrypted and unencrypted data to the network data. The network splitter device is also configured to transmit the collected network data to a monitoring workstation via the data transmission network.
[0006] In yet another example, the method performed by the network splitter device includes joining the monitored network as a leaf node of the monitored network, including: communicating with the network manager of the monitored network to obtain a security key for the monitored network, and communicating with the network manager to obtain a network address for the network splitter device. The method also includes collecting network data for the monitored network, including: detecting network traffic on the monitored network, the network traffic including encrypted and unencrypted data, decrypting the encrypted data in the network traffic using the security key to generate decrypted data, and adding the decrypted and unencrypted data to the network data. The method also includes connecting to a monitoring workstation via a data transmission network different from the monitored network, and sending the collected network data to the monitoring workstation via the data transmission network.
[0007] These illustrative aspects and features are not intended to limit or define the invention, but rather to provide examples to aid in understanding the inventive concepts disclosed herein. Other aspects, advantages, and features of the invention will become apparent upon reading the entire application.
Attached Figure Description
[0008] These and other features, aspects, and advantages of this disclosure can be better understood when the following detailed description is read with reference to the accompanying drawings, wherein:
[0009] Figure 1 is a diagram illustrating an example of an operating environment for monitoring a secure network by adding a network splitter device to the secure network, according to certain aspects of this disclosure;
[0010] Figure 2 is a flowchart illustrating an example of a process for monitoring a secure network by adding a network splitter device to the secure network, according to certain aspects of this disclosure;
[0011] Figure 3 is a flowchart illustrating an example of a process for adding a network splitter device to a monitored secure network, according to certain embodiments of the present disclosure;
[0012] Figure 4 is a signal flow diagram illustrating an example of a process for adding a network splitter device to a monitored secure network, according to certain embodiments of the present disclosure; and
[0013] Figure 5 is a diagram illustrating an example of a network splitter device suitable for implementing various aspects of the technologies and techniques presented herein.
Detailed Implementation
[0014] Systems and methods are provided for monitoring secure networks by adding network splitter devices to the secure network to collect data. The network splitter device can be deployed to the location to be monitored and also joins the secure network as a network device by following the network's normal joining process. Therefore, the network splitter device can obtain network keys and certificates. The network splitter device can thus listen to both encrypted and unencrypted traffic data on the secure network. The network splitter device can use the network key to decrypt encrypted traffic and verify the integrity of network traffic. The collected traffic data can be sent to a monitoring workstation for further analysis. During monitoring, the network splitter device can be managed by a central or headend system of the secure network, allowing or disabling the network splitter device from the secure network.
[0015] In one example, the system includes a headend system configured to manage network devices in a secure network, which comprises multiple network devices communicating with each other over the secure network. To monitor the secure network, one or more network splitter devices are deployed at different locations within the secure network. Each of the network splitter devices is configured to join the monitored network by communicating with a corresponding access point of the secure network to obtain a security key and security credentials for the monitored network. The network splitter device also communicates with the access point to exchange routing information and obtain a network address for the network splitter device.
[0016] Once joined to a secure network, each network splitter device operates as a passive leaf node on the secure network and does not participate in network operations within the monitored network, such as network routing. The network splitter device also minimizes its own transmission and focuses on listening to network traffic data on the monitored network at its location. This network traffic data can include both encrypted and unencrypted data. For encrypted data, the network splitter device uses a security key to decrypt the encrypted data to generate decrypted data. Both decrypted and unencrypted data are included in the collected network data.
[0017] To transmit collected network data, each network splitter device joins a data transmission network different from the monitored network, and establishes a secure channel between the monitoring workstation and the network splitter device within the data transmission network. When network data from the secure network is collected at a network splitter device, each network splitter device transmits the collected data to the monitoring workstation via the corresponding secure channel in the data transmission network. The monitoring workstation can analyze the received network data to identify problems or characteristics associated with the secure network for purposes such as debugging or network security. Based on the analysis results, the monitoring workstation can recommend or instruct the headend system to modify the secure network to improve network performance, security, or other aspects, for example, by moving some network devices to different locations, removing some network devices from the network, adding new network devices to the network, or reconfiguring network devices in the network.
[0018] As described in this article, certain aspects offer improvements to network monitoring. Secure and authenticated joining of network splitter devices to secure networks allows the network splitter devices to decrypt and verify the authentication of network traffic. This provides more comprehensive data in the collected network data, enabling more accurate analysis of secure networks. Because the network splitter device joins the monitored network as a passive leaf node, it does not participate in routing or network control traffic, thus having minimal impact on the network. Joining the network splitter device as a node on the secure network also allows for management of the network splitter device through the headend system, ensuring controlled joining, tracking, and removal of the network splitter device, thereby reducing security risks posed by the network splitter device, and also facilitates maintenance of the network splitter device, such as firmware updates, without requiring local access to these devices.
[0019] These illustrative examples are intended to introduce the general topics discussed herein and are not intended to limit the scope of the concepts disclosed. The following sections describe various additional aspects and examples with reference to the accompanying drawings, wherein the same reference numerals indicate the same elements.
[0020] The features discussed herein are not limited to any particular hardware architecture or configuration. A computing device may include any suitable arrangement of components that provide a result conditioned on one or more inputs. Suitable computing devices include multipurpose microprocessor-based computer systems that access stored software that programs or configures the computing system from a general-purpose computing device to a specialized computing device for implementing one or more aspects of this subject. Any suitable programming, scripting, or other type of language or combination of languages may be used to implement the teachings contained herein, and the software used to program or configure the computing device.
[0021] Exemplary operating environment
[0022] Figure 1 shows an illustrative operating environment 100 for monitoring a secure network by adding a network splitter device to the secure network to collect data. The operating environment 100 includes a secure network 140 monitored by the network splitter device, also referred to as "the monitored network 140". The monitored network 140 shown in Figure 1 includes multiple nodes 160A-160N (which may be individually referred to as node 160 or collectively as nodes 160 herein). The monitored network 140 may be a radio frequency (RF) mesh network (such as an IEEE 802.15.4 network), a Wi-Fi network, a cellular network, Ethernet, a power line carrier network, or any other wired or wireless network. Correspondingly, network nodes 160 may be RF radios, computers, mobile devices, power line network devices, or other types of devices that can communicate directly with other devices on the monitored network 140.
[0023] In an example where the monitored network 140 is a mesh network, the nodes 160 in the mesh network may include measurement nodes for collecting data from the respective deployment locations of the nodes, processing nodes for processing the data available to the nodes, router nodes for forwarding data received from one node in the monitored network 140 to another node, or nodes configured to perform a combination of these functions. The nodes 160 are also configured to communicate with each other, such that data packets containing messages or other data can be exchanged between the nodes 160.
[0024] In one example, the monitored network 140 may be associated with a resource allocation network, such as a utility network, to deliver measurement data acquired within the resource allocation network. In this example, node 160 may include meters such as electricity meters, gas meters, water meters, steam meters, etc., and may be deployed at various locations within the resource allocation network to deliver measurement data acquired at those locations. Node 160 may be implemented to measure various operational characteristics of the resource allocation network, such as characteristics of resource consumption. In an electricity distribution network, example characteristics include, but are not limited to, average or total power consumption, peak voltage of electrical signals, power surges, and load variations. Node 160 transmits the collected data via the monitored network 140 to, for example, a corresponding root node 114A or root node 114B (which may be individually referred to herein as root node 114 or collectively as root node 114).
[0025] The root node 114 of the monitored network 140 can be configured to communicate with node 160 to perform operations such as managing node 160, collecting data from node 160, and forwarding data to headend system 104. Root node 114 can also be configured to act as a node to measure and process the data itself. Root node 114 can be a Personal Area Network (PAN) coordinator, gateway, or any other device capable of communicating with headend system 104. Root node 114 ultimately sends the generated and collected data to headend system 104 via another network 170 (such as the Internet, intranet, or any other data communication network). Headend system 104 can be used as a central processing system that receives data streams or messages from root node 114. Headend system 104, or another system associated with a utility company, can process or analyze the collected data for various purposes, such as billing, performance analysis, or troubleshooting.
[0026] Headend system 104 is also configured to manage the monitored network 140, such as authenticating nodes 160 in the monitored network 140, authorizing network keys and credentials, granting or deleting nodes 160, etc. In some examples, the monitored network 140 may also include an access point configured to manage the monitored network 140 under the authorization of headend system 104. As described herein, the access point may be root node 114, a router, or other device on network 140 capable of managing the monitored network 140. The access point may maintain security credentials for network devices (e.g., node 160) on the monitored network 140, and manage network keys used in the monitored network 140. The access point may also be configured to perform various security operations, such as issuing security credentials and network keys to network devices, authenticating network devices when they join the monitored network 140, updating and revoking security credentials and network keys as needed, removing network devices from the network 140, etc. In some implementations, the access point may communicate with headend system 104 when authenticating newly joined network devices. The access point can also remove network devices from the monitored network 140 upon request from the headend system 104.
[0027] The access point can also be configured to manage network traffic routing. For example, when a new network device joins the monitored network 140, the access point can communicate with the new network device to establish routing information and assign it a network address, such as an IP address or LAN address, enabling the monitored network 140 to route network traffic to the new network device.
[0028] To monitor communications on the monitored network 140, one or more network splitter devices 150A-150C (which may be individually referred to herein as network splitter device 150 or collectively as network splitter device 150) may be deployed near the node 160 to be monitored. Network splitter device 150 may be a standalone network splitter device or part of an existing network setup. For example, one of the radios in a multi-radio gateway or multi-radio takeout point (sometimes referred to as a collector) may be dedicated as network splitter device 150. In the example, if the communication behavior of a group of nodes 160 exhibits anomalies, network splitter device 150 may be deployed to the geographic location of that group of nodes 160 to troubleshoot the group of nodes 160 or detect security issues associated with that group of nodes. In some cases, where coverage of a large geographic area is required, more than one network splitter device 150 may be deployed to that area, each covering a specific region within that geographic area. When the network splitter device 150 is part of an existing network device, the deployment of the network splitter device 150 may not be as flexible as that of a standalone network splitter device 150.
[0029] To capture comprehensive data on the monitored network 140, the network splitter device 150 is configured to join the monitored network 140 and become a network device on the monitored network 140. The joining process may include, for example, the network splitter device 150 initially joining the network, enabling it to communicate with its neighbors. The joining process may also include authenticating the network splitter device 150, giving it the appropriate keys and credentials to decrypt encrypted traffic on the monitored network 140, and associating the network splitter device 150 with the network 140, making it addressable and manageable from the headend system 104. Additional details about the network splitter device 150 joining the monitored network 140 are provided below with reference to Figure 3 and Figure 4.
[0030] After network splitter device 150 joins the monitored network 140, it can listen to or collect any network traffic that can be detected by it, including encrypted or unencrypted network traffic directed to or from network splitter device 150 or other nodes 160. Here, "network traffic," "network communication," and "network data" are used interchangeably to refer to data sent from one network device (sending device) to another network device (receiving device) through the monitored network 140. The sending and receiving devices may or may not include network splitter device 150. In other words, network splitter device 150 can collect network communication even if it does not originate from or target network splitter device 150, as long as it can detect it. As described in more detail below, network splitter device 150 operates as a leaf node and does not route any packets or advertise itself as a network node. It is configured to participate in the monitored network 140 with minimal involvement, such as providing basic-level configuration mechanisms, allowing firmware downloads, or answering Internet Control Message Protocol (ICMP) pings, etc. Therefore, in some examples, the transmissions performed by the network splitter device 150 are limited to those necessary to maintain the functionality of the network splitter device 150 and keep it within the monitored network 140, such as responding to networking requests for the network splitter device 150, basic network hygiene traffic to maintain the network presence of the network splitter device 150, and application traffic specific to the network splitter device 150.
[0031] If the detected network traffic is encrypted, the network splitter device 150 can use its network key to decrypt the network traffic, thereby providing the raw data of the underlying network interactions in the collected data 122. The network splitter device 150 can also use the network key to verify integrity checks on received network traffic. The network splitter device 150 can also collect physical information associated with the detected communication data, such as the signal strength of messages in the detected data, the symbol rate of the detected communication data, or both. Physical information associated with the detected traffic data, whether unencrypted or decrypted, can be included in the collected data 122. Additional details regarding the data collected by the network splitter device 150 on the monitored network 140 are provided below with reference to Figure 2.
[0032] It should be noted that in some examples, network splitter device 150 loosely joins the monitored network 140 and participates in the monitored network 140 with minimal involvement. Network splitter device 150 may maintain time and configuration to ensure it can adequately remain joined to listen to all traffic on the monitored network 140. For example, network splitter device 150 may synchronize itself with node 160 on the monitored network 140 and perform channel hopping according to the channel hopping sequence of network 140 to listen to traffic on different channels. Network splitter device 150 may receive some basic level network traffic and respond as appropriate. This may include, for example, routing information that allows data to be routed to network splitter device 150, network configuration, and management traffic such as Ping commands, key revocation, and key update mechanisms. Network splitter device 150 is configured to operate as a leaf node and does not provide routing for network traffic data. Therefore, the access point or network manager of the monitored network 140 can keep the nodes 160 on the monitored network 140 unaware of the network splitter device 150, except that the parent node of the network splitter device 150 is used for routing purposes. Furthermore, the network splitter device 150 is configured to minimize its transmission, allowing it to detect as much traffic data as possible. For example, the network splitter is configured to generate as little traffic as possible to maintain connectivity to the network / access point.
[0033] As shown in Figure 1, network splitter device 150 can be configured to send collected data 122 to monitoring workstation 102. The transmission of collected data 122 can be performed via data transmission network 120. Network splitter device 150 may have different radios for monitoring the monitored network 140 and for sending data to the workstation via data transmission network 120. Data transmission network 120 can be Ethernet, a fiber optic network, a cellular network, power line carrier, or any network other than the monitored network 140 that can be used to send collected data 122 to monitoring workstation 102. In some embodiments, the communication channel between network splitter device 150 and monitoring workstation 102 is a secure channel, allowing collected data 122 containing decrypted traffic data to be securely sent to monitoring workstation 102. This secure channel can be established, for example, via a Virtual Private Network (VPN), Transport Layer Security (TLS), IPsec, or any combination thereof. In other embodiments, the link between network splitter device 150 and monitoring workstation 102 can be a physically isolated or protected network link. Using the data transmission network 120 to send the collected data 122 to the monitoring workstation 102 limits interference with the monitored network 140, because the collected data 122 may contain large datasets, which would affect the throughput of the monitored network 140 if they were sent via the monitored network 140.
[0034] In one example, network splitter device 150 streams collected data 122 to monitoring workstation 102. For example, as collected data 122 is captured at network splitter device 150, it can be transmitted using a file transfer protocol or a bulk output protocol. Network splitter device 150 can also be configured to throttle or batch the collected data 122 in the event of data loss due to network connectivity issues in data transmission network 120. Depending on the application and purpose for which network splitter device 150 is deployed to the monitored network 140, monitoring workstation 102 can perform various analyses on the collected data 122 to identify problems or discover characteristics of the monitored network 140. For example, if the location of network splitter device 150 is known to monitoring workstation 102, monitoring workstation 102 can use triangulation based on the collected data 122 to detect whether a node 160 has moved. In another example, monitoring workstation 102 can use the collected data 122 to detect hidden node problems in the monitored network 140. For example, data 122 collected from multiple network splitter devices 150 may show that two nodes 160 are simultaneously communicating with a third node 160, causing a communication conflict, so that the third node 160 cannot receive communication data from either of the two nodes 160. The monitoring workstation 102 can use any existing tools, such as security information and event management (SIEM) tools, to perform analysis on the collected data 122.
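An added illustration of the hidden-node analysis the monitoring workstation could run over collected data 122 from several network splitter devices; this is example code, not the patent's, and it assumes the taps share a clock and that two senders never heard by a common tap are out of each other's radio range.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class TapRecord:
    tap_id: str      # network splitter device that captured the frame
    src: str         # sending node
    dst: str         # receiving node
    t_start: float   # capture start, seconds on the shared tap clock (assumed)
    t_end: float     # capture end


def find_hidden_node_conflicts(records, min_overlap=0.0):
    """Return sorted (sender_a, sender_b, receiver) triples for transmissions that
    overlapped in time toward the same receiver and whose senders were never heard
    by one common tap, i.e. senders that are likely hidden from each other."""
    by_dst = defaultdict(list)
    taps_hearing = defaultdict(set)
    for r in records:
        by_dst[r.dst].append(r)
        taps_hearing[r.src].add(r.tap_id)
    conflicts = set()
    for dst, recs in by_dst.items():
        for a, b in combinations(recs, 2):
            if a.src == b.src:
                continue  # a sender cannot collide with its own retransmission
            overlap = min(a.t_end, b.t_end) - max(a.t_start, b.t_start)
            if overlap <= min_overlap:
                continue  # transmissions did not overlap in time
            if taps_hearing[a.src] & taps_hearing[b.src]:
                continue  # a common tap heard both senders: they are in range of each other
            conflicts.add((*sorted((a.src, b.src)), dst))
    return sorted(conflicts)


def sample_records():
    """Constructed capture records from two taps, not real data."""
    return [
        TapRecord("tap1", "A", "C", 10.0, 10.5),  # A->C heard only by tap1
        TapRecord("tap2", "B", "C", 10.2, 10.6),  # B->C heard only by tap2, overlaps A->C
        TapRecord("tap1", "A", "C", 11.0, 11.5),  # A retransmits after the collision
        TapRecord("tap1", "D", "C", 20.0, 20.3),  # D and E are both heard by tap1...
        TapRecord("tap1", "E", "C", 20.1, 20.4),  # ...so they are in range, not hidden
        TapRecord("tap2", "F", "G", 30.0, 30.2),  # different receiver: no conflict
    ]


if __name__ == "__main__":
    for sender_a, sender_b, receiver in find_hidden_node_conflicts(sample_records()):
        print(f"hidden-node candidate: {sender_a} and {sender_b} both sent to {receiver}")
```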
[0035] In some implementations, monitoring workstation 102 and headend system 104 are independent systems, and the analysis performed at monitoring workstation 102 does not affect the operation of headend system 104. In other implementations, monitoring workstation 102 is part of headend system 104 or otherwise communicates with headend system 104. Analysis results can be provided to headend system 104 to better manage the monitored network 140. For example, monitoring workstation 102 may provide analysis results to headend system 104 to show that network splitter device 150 is not properly deployed and that communication between certain nodes 160 is not being collected. In this case, headend system 104 can instruct network splitter device 150 to be relocated within the monitored network 140 and manage network splitter device 150 by removing and rejoining it to facilitate relocation. Analysis results can also help headend system 104 better understand the communication between nodes 160 in the monitored network 140 and reconfigure these nodes 160 as needed.
[0036] Figure 2 is a flowchart illustrating an example of a process 200 for monitoring a secure network 140 by adding a network splitter device 150 to the secure network 140 according to certain embodiments of the present disclosure. One or more devices (e.g., network splitter device 150) implement the operations depicted in Figure 2 by executing appropriate program code. For illustrative purposes, process 200 is described with reference to certain examples depicted in the figures. However, other embodiments are also possible.
[0037] At box 202, process 200 involves network splitter device 150 joining network 140 as a leaf node. This joining may follow normal operation and communication as defined by the network protocols implemented in the monitored network 140, including, for example, network advertising, network node authentication, network key exchange, network node association, etc. Figure 3 illustrates an example of the process by which a network splitter device 150 joins a monitored network 140. Unlike other nodes 160 in the monitored network 140, the network splitter device 150 joins the monitored network 140 as a network splitter device identified by, for example, its identifier, its device name, or its certificate. As will be discussed in detail below with respect to box 206, as a network splitter device 150, the network splitter device 150 will participate in the network 140 with minimal involvement and will focus more on listening to network data. After joining the monitored network 140, the network splitter device 150 possesses network keys and credentials, thus enabling it to decrypt the traffic data it receives from the monitored network 140.
[0038] At box 204, process 200 involves network splitter device 150 establishing a secure channel with monitoring workstation 102 via data transmission network 120. For example, network splitter device 150 may employ network security mechanisms (such as VPN, TLS, IPsec, or any combination thereof) to establish a secure channel with monitoring workstation 102. In other embodiments, the link between network splitter device 150 and monitoring workstation 102 may be a physically isolated or protected network link. In these scenarios, the link itself is secure, and it is not necessary to establish an additional secure channel on the link; this box can be skipped.
[0039] At box 206, process 200 relates to network splitter device 150 collecting communication data on a monitored network 140. Network splitter device 150 may include any data detectable on the monitored network 140 in the collected data 122. For example, collected data 122 may include raw data of each communication it captures on the monitored network 140. Raw data may include, but is not limited to, synchronization packets used to synchronize the receiver with the transmitter at the start of a transmission, acknowledgment or negative acknowledgment packets for each transmission, data packets retransmitted if the transmitter does not receive an acknowledgment packet, or other data being transmitted through the monitored network 140.
[0040] Depending on the type of the monitored network 140, nodes 160 on the monitored network 140 can perform communication by periodically switching channels according to a channel hopping sequence. In this scenario, since the network splitter device 150 is part of the monitored network 140, the network splitter device 150 is aware of the channel hopping sequence. Therefore, the network splitter device 150 can hop to different channels according to the channel hopping sequence to detect network traffic on the monitored network 140. If different channel hopping sequences are used for different pairs of nodes 160, the network splitter device 150 can be configured to sample paired communications. For example, the network splitter device 150 can switch to a first channel for a period of time according to the channel hopping sequence between nodes A and B to detect traffic data between nodes A and B. Then, the network splitter device 150 can switch to a second channel for a period of time according to the channel hopping sequence between nodes C and D to detect traffic data between these two nodes. In this way, the network splitter device 150 can sample the communication between pairs of nodes 160, even if these nodes 160 are communicating on different channels.
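As an added example (not from the patent), the following Python sketches how a single-radio tap that knows each link's hop sequence can time-share its receiver across node pairs as described above. The hop sequences, dwell time and link pairs are constructed for the example; capture_fraction shows the cost of sampling: a single radio hears only the link it is tuned to, plus any other link that happens to share that channel in the same slot.

```python
"""Added example (not from the patent): a single-radio tap sampling
pairwise channel-hopping links.  All sequences and pairs are constructed."""
from itertools import cycle

# Constructed hop sequences: each link (pair of nodes) hops through its own
# channel list; slot i of the sequence is active for one dwell period.
LINKS = {
    ("A", "B"): [11, 15, 20, 25],
    ("C", "D"): [12, 18, 22, 26, 30],
}
DWELL_MS = 100      # per-slot dwell time assumed for the example
SAMPLE_SLOTS = 3    # slots to stay on one link before moving to the next


def channel_at(sequence, t_ms, dwell_ms=DWELL_MS):
    """Channel a link uses at absolute time t_ms.  The tap knows the
    sequence because it joined the network and learned the schedule."""
    return sequence[(t_ms // dwell_ms) % len(sequence)]


def plan_tuning(links, total_slots, slots_per_link=SAMPLE_SLOTS, dwell_ms=DWELL_MS):
    """Return (t_ms, link, channel) tuning decisions: dwell on one link for
    slots_per_link slots, then round-robin to the next link."""
    plan = []
    order = cycle(links.items())
    link, seq = next(order)
    for slot in range(total_slots):
        if slot and slot % slots_per_link == 0:
            link, seq = next(order)
        t_ms = slot * dwell_ms
        plan.append((t_ms, link, channel_at(seq, t_ms, dwell_ms)))
    return plan


def capture_fraction(plan, links, dwell_ms=DWELL_MS):
    """Fraction of slots in which each link's traffic was audible to the
    tap.  A link is audible when it is on the channel the tap is tuned to,
    so a link the tap is not dwelling on is still heard on channel overlap."""
    counts = {link: 0 for link in links}
    for t_ms, _tuned, ch in plan:
        for link, seq in links.items():
            if channel_at(seq, t_ms, dwell_ms) == ch:
                counts[link] += 1
    return {link: counts[link] / len(plan) for link in links}


if __name__ == "__main__":
    for t_ms, link, ch in plan_tuning(LINKS, 6):
        print(f"t={t_ms:4d}ms tune to ch {ch:2d} for link {link}")
    print(capture_fraction(plan_tuning(LINKS, 6), LINKS))
```

With two links and three slots per link, each link is heard half the time; lengthening the dwell per link trades coverage of one pair for blindness to the others, which is why the patent frames this as sampling rather than complete capture.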
[0041] In some examples, network splitter device 150 is also configured to verify the integrity of network traffic it receives from the monitored network 140 and decrypt the traffic data. If verification or decryption fails, network splitter device 150 may also include an indication of verification or decryption error in the collected data 122, allowing monitoring workstation 102 to analyze the problems causing these errors. In some implementations, network splitter device 150 may also collect physical information associated with the detected communication data. For example, network splitter device 150 may be configured to measure the signal strength of messages (such as Received Signal Strength Indicator (RSSI)) in the detected traffic data and include this signal strength information in the collected data 122. Network splitter device 150 may also be configured to measure the symbol rate of the detected traffic data and include such information in the collected data 122.
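An added example (not the patent's code) of the verify-then-decrypt step and the error flagging described above. The cipher is a stand-in (HMAC-SHA256 counter keystream with an HMAC tag) for the AES-CCM* used by IEEE 802.15.4 link-layer security; the frame layout, network key and RSSI values are constructed for the example.

```python
"""Added example (not from the patent): a tap that verifies and decrypts
each captured frame with the network key and records a decryption error
plus RSSI instead of dropping the frame.  The cipher below is a toy
stand-in for AES-CCM*; frames and key are constructed."""
import hashlib
import hmac
import struct

HDR, NONCE, TAG = 4, 4, 8   # constructed layout: src(2) dst(2) | nonce | ct | tag


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (demonstration only)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]


def seal(key, nonce, header, plaintext):
    """Encrypt-then-MAC; the tag covers nonce, header and ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + header + ct, hashlib.sha256).digest()[:TAG]
    return header + nonce + ct + tag


def open_frame(key, frame):
    """Return (header, plaintext); raise ValueError if the tag does not verify."""
    header, nonce = frame[:HDR], frame[HDR:HDR + NONCE]
    ct, tag = frame[HDR + NONCE:-TAG], frame[-TAG:]
    expect = hmac.new(key, nonce + header + ct, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return header, bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def collect(key, captures):
    """Build collected-data records from (raw_frame, rssi_dbm) captures.
    Every capture is kept; a verification failure is recorded in the
    'error' field so the workstation can investigate it."""
    records = []
    for raw, rssi_dbm in captures:
        rec = {"raw": raw.hex(), "rssi_dbm": rssi_dbm, "error": None, "payload": None}
        try:
            header, plaintext = open_frame(key, raw)
            rec["src"], rec["dst"] = header[:2].hex(), header[2:].hex()
            rec["payload"] = plaintext
        except ValueError as exc:
            rec["error"] = str(exc)
        records.append(rec)
    return records


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    frame = seal(key, b"\x00\x00\x00\x01", b"\x00\x01\x00\x02", b"meter reading 42")
    for rec in collect(key, [(frame, -71)]):
        print(rec)
```

Failures are recorded, not dropped: a burst of integrity failures from one source address is exactly the kind of signal (a key mismatch after a rekey, a misconfigured or hostile node) the workstation wants to see. The same property cuts the other way: a device holding the network key can decrypt everything that key protects, so the tap and its backhaul deserve the same protection as the network itself.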
[0042] Network splitter device 150 can receive some basic-level network traffic and is configured to respond as appropriate. For example, if network splitter device 150 receives a synchronization message, it uses the synchronization message to synchronize its clock with the network so that it can continue receiving network traffic. Furthermore, if a network protocol requires each node on network 140 to send a certain type of message (such as a Destination Advertisement Object (DAO) message in the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL)) to the root node 114, network splitter device 150 is configured to comply with that requirement and send the necessary messages at the required intervals. Further examples of basic-level network traffic received by network splitter device 150 include routing information that allows data to be routed to network splitter device 150, and network configuration and management traffic such as ping commands, key revocation, and key update mechanisms. Network splitter device 150 is configured to operate as a leaf node, which does not provide routing for network traffic data. Network splitter device 150 also does not advertise the existence of the network and therefore has no child nodes. Network splitter device 150 does not participate in broadcasting and does not accept broadcast updates. In this way, the access point or network manager of the monitored network 140 can keep the nodes 160 on the monitored network 140 unaware of network splitter device 150, except for the parent node of network splitter device 150 used for routing purposes. Furthermore, network splitter device 150 is configured to minimize its own transmissions so that it can detect as much traffic data as possible.
[0043] At box 208, process 200 involves network splitter device 150 sending collected data 122 to monitoring workstation 102 via data transmission network 120. In this example, network splitter device 150 streams the collected data 122 to monitoring workstation 102. For example, as collected data 122 is obtained at network splitter device 150, it can be transmitted using a file transfer protocol or a bulk output protocol. Network splitter device 150 can also be configured to throttle or batch the collected data 122 in the event of data loss due to connectivity issues in data transmission network 120. For example, if data loss occurs in data transmission network 120, network splitter device 150 can be configured to store the collected data 122 in a queue and resume transmission when network conditions improve. To conserve queue memory, network splitter device 150 can be configured to implement algorithms that selectively store the collected data 122, such as keeping only the data from the last hour or the most time-sensitive data. In a further example, the network splitter device 150 may process the collected data 122 before sending it to the monitoring workstation 102, for example to detect patterns (e.g., attack patterns) or anomalies and to mark the detected patterns or anomalies in the collected data 122.
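An added example, not from the patent, of the throttle-and-queue behaviour described in this box: records are streamed while the backhaul is up, queued while it is down, and evicted first by age (a one-hour window) and then by priority, so that time-sensitive records (here, priority 0 for flagged anomalies) outlive routine captures. Record ids, timestamps and the link-status sequence are constructed.

```python
"""Added example (not from the patent): a bounded outbound queue for
collected records with age-then-priority eviction.  Records and the
backhaul link-status sequence are constructed."""


class CollectedDataQueue:
    """Records awaiting transmission.  Eviction order: anything older than
    the retention window, then the lowest-priority (largest priority
    number), oldest record, so flagged anomalies survive routine captures."""

    def __init__(self, max_records=3, retain_seconds=3600):
        self.max_records = max_records
        self.retain_seconds = retain_seconds
        self.pending = []
        self.dropped = 0

    def push(self, record, now):
        self.pending.append(record)
        self._enforce(now)

    def _enforce(self, now):
        fresh = [r for r in self.pending if now - r["ts"] <= self.retain_seconds]
        self.dropped += len(self.pending) - len(fresh)
        while len(fresh) > self.max_records:
            # highest priority number first; among equals, the oldest (smallest ts)
            victim = max(fresh, key=lambda r: (r["priority"], -r["ts"]))
            fresh.remove(victim)
            self.dropped += 1
        self.pending = fresh

    def drain(self, link_up):
        """Send everything pending while the backhaul is up; otherwise keep
        queuing (the throttle/batch case when connectivity is lost)."""
        if not link_up:
            return []
        batch, self.pending = self.pending, []
        return batch


def stream(records, link_status, queue):
    """Drive the queue with one record per step and the link state at that
    step; return the ids sent in each non-empty batch."""
    sent = []
    for rec, up in zip(records, link_status):
        queue.push(rec, now=rec["ts"])
        batch = queue.drain(up)
        if batch:
            sent.append([r["id"] for r in batch])
    return sent


# Constructed sample: priority 0 = flagged anomaly, 1 = routine capture.
RECORDS = [
    {"id": "r1", "ts": 0, "priority": 1},
    {"id": "r2", "ts": 10, "priority": 0},
    {"id": "r3", "ts": 20, "priority": 1},
    {"id": "r4", "ts": 30, "priority": 1},
    {"id": "r5", "ts": 40, "priority": 1},
    {"id": "r6", "ts": 50, "priority": 1},
    {"id": "r7", "ts": 60, "priority": 1},
    {"id": "r8", "ts": 4000, "priority": 1},
]
LINK_STATUS = [True, False, False, False, False, True, False, True]

if __name__ == "__main__":
    q = CollectedDataQueue(max_records=3, retain_seconds=3600)
    print(stream(RECORDS, LINK_STATUS, q), "dropped:", q.dropped)
```

In the constructed run the anomaly r2 survives two evictions of routine records during the outage and is delivered when the link returns, while r7, queued during a second outage and already older than the retention window when the link comes back, is aged out.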
[0044] At box 210, process 200 involves network splitter device 150 determining whether to stop monitoring and stop collecting network traffic data. Network splitter device 150 can determine to stop monitoring when headend system 104 instructs it to pause or remove network splitter device 150 from the monitored network 140. For example, headend system 104 may determine that monitoring is no longer needed because debugging has been completed or security issues in the network have been resolved. In other examples, headend system 104 may determine to pause or remove network splitter device 150 because the collected data 122 cannot be used to identify problems associated with the monitored network 140, and network splitter device 150 should be moved to a different location within the monitored network 140. Other reasons may cause headend system 104 to determine to pause or remove network splitter device 150 from the monitored network 140. If it is determined that monitoring should be stopped, process 200 ends; otherwise, network splitter device 150 continues to collect network traffic data at box 206 and sends the collected data 122 to monitoring workstation 102 at box 208.
[0045] Figure 3 is a flowchart illustrating an example of a process 300 for adding a network splitter device to a monitored network according to certain embodiments of the present disclosure. One or more devices (e.g., network splitter device 150, an access point of the monitored network 140, or headend system 104) implement the operations depicted in Figure 3 by executing suitable program code. For illustrative purposes, process 300 is described with reference to some of the examples depicted in the figures. However, other implementations are also possible.
[0046] At box 302, process 300 involves network splitter device 150 initially joining the monitored network 140. Depending on the protocol implemented by the monitored network 140, the network manager (such as an access point) of the monitored network 140 advertises the monitored network 140 to the network splitter device 150, or the network splitter device 150 advertises itself to the monitored network 140. After discovering the monitored network 140 through advertising, the network splitter device 150 may attempt to join the network. When the authentication server of the monitored network 140 (such as headend system 104) detects that the network splitter device 150 is attempting to join the monitored network 140, the authentication server may authenticate the network splitter device 150 to determine whether to allow the network splitter device 150 to join the monitored network 140.
[0047] Authentication can be based on information associated with network splitter device 150. For example, network splitter device 150 may have an identifier indicating the device type, such as a network splitter device. In this way, the authentication server can authenticate network splitter device 150 by comparing its identifier with a list of network splitter devices 150 allowed to join the monitored network 140. Alternatively or additionally, the authentication server can authenticate network splitter device 150 based on its name. The name of network splitter device 150 may have a common prefix indicating that these devices are network splitter devices. In some types of networks, network devices have associated certificates, and fields in those certificates can be used to indicate whether the associated device is a network splitter device. The authentication server can check the certificate of network splitter device 150 to determine if it is a network splitter device 150 allowed to join the monitored network 140.
[0048] Once the authentication server authenticates the network splitter device 150, the network splitter device 150 is allowed to join and associate with the monitored network 140. At this point, the network splitter device 150 can exchange messages with its neighboring devices on the network. However, it does not yet hold the security keys and credentials of network 140, so it cannot yet take part in secured communication with the other devices on the monitored network 140.
[0049] At box 304, process 300 involves authenticating network splitter device 150 so that it can obtain network keys and credentials. The monitored network 140, or more specifically its network manager, can apply any network protocol used for authenticating normal network devices (such as nodes 160) to authenticate network splitter device 150 and issue network keys and credentials to it. Authentication can be performed using authentication protocols such as the Extensible Authentication Protocol (EAP), certificates, shared secrets, or a combination of these. After network splitter device 150 is authenticated and obtains the network keys and credentials, it becomes a trusted device on the monitored network 140. Network splitter device 150 can listen to both unencrypted and encrypted data on the monitored network 140 and use the network key to verify data integrity and decrypt the encrypted data. However, at this stage network splitter device 150 is not yet a routable device and cannot be reached by routing on the monitored network 140.
[0050] At box 306, the process involves associating network splitter device 150 with the monitored network 140. In this box, network splitter device 150 sends and receives a series of request and configuration messages to obtain routing information and a network address. Depending on the type of the monitored network 140, network splitter device 150 may obtain an IP address. At this stage, network splitter device 150 completes the joining process and becomes a network device on the monitored network 140. Network splitter device 150 can be reached via its network address and is managed by headend system 104.
[0051] Figure 4 is a schematic signal-flow diagram illustrating an example of a process for joining a network splitter device 150 to a monitored network 140 according to certain aspects of this disclosure. In this example, the monitored network 140 implements the Wi-SUN protocol, which is based on IEEE 802.15.4g. The process 400 includes three phases: an initial joining phase 402, an authentication phase 404, and an association phase 406. In the initial joining phase 402, the network splitter device 150 joins the network 140 by following the normal operation and communication defined by the network protocol implemented in the network 140. This phase includes exchanging advertising messages between the network splitter device 150 and the access point 410, enabling the network splitter device 150 to identify the correct network to join. The network splitter device 150 and the authentication server 412 of the monitored network 140 further exchange messages to authenticate the network splitter device 150 based on, for example, an identifier, name, certificate, or other information associated with the network splitter device 150. The network splitter device 150 further communicates with the access point 410 to associate itself with the network 140.
[0052] After the network splitter device 150 initially joins the network 140, process 400 proceeds to the authentication phase 404. In this phase, the network splitter device 150 communicates with the access point 410 to authenticate itself. If authentication is successful, the access point 410, authorized by the headend system 104, can provide the network splitter device 150 with network keys and credentials. In the example shown in Figure 4, network splitter device 150 and access point 410 exchange messages following the EAP Transport Layer Security (EAP-TLS) authentication protocol to authenticate network splitter device 150 and to issue and install a pairwise master key (PMK) on network splitter device 150. The PMK can be a shared key for one or more communication sessions and can be used to derive other types of keys in those sessions.
[0053] Network splitter device 150 and access point 410 further exchange EAPOL (EAP over LANs) key frames to establish keys between them. For example, network splitter device 150 and access point 410 may perform a four-way handshake to establish a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to protect communication between two network devices, such as between network splitter device 150 and its parent node or between network splitter device 150 and a neighboring node. The GTK is used to decrypt multicast and broadcast traffic. These keys may include a common key shared by multiple devices on the monitored network 140 or a unique key used only by network splitter device 150. Once the keys are established and installed on network splitter device 150, network splitter device 150 can listen to and decrypt network traffic, even when it is encrypted.
[0054] In association phase 406, routing information for network splitter device 150 is exchanged and a data link is established between network splitter device 150 and the monitored network 140. During this phase, network splitter device 150 sends message 416 to request network configuration information from access point 410. Access point 410 responds with network configuration information 418, ensuring that network splitter device 150 is correctly configured on the network. Access point 410 also sends an RPL (IPv6 Routing Protocol for Low-Power and Lossy Networks) DODAG Information Object (DIO) message 420 to network splitter device 150, prompting it to periodically advertise itself on the monitored network 140.
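An added example, not the patent's code, of the EAPOL-Key four-way handshake summarized above, with both the tap (supplicant) and the access point (authenticator) run in one process. The PRF, the PTK split into KCK, KEK and TK, and the MIC follow the IEEE 802.11i construction with HMAC-SHA1; the GTK wrap is a simplified XOR with an HMAC-derived keystream standing in for AES key wrap. The PMK (in practice the output of EAP-TLS), addresses, nonces and GTK are constructed.

```python
"""Added example (not from the patent): four-way handshake deriving the
PTK from a PMK and delivering the GTK.  PMK, addresses, nonces and GTK are
constructed; the GTK wrap is a toy stand-in for AES key wrap."""
import hashlib
import hmac
import os


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label||0x00||data||i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(addrs)||min/max(nonces)),
    split into KCK (MIC key), KEK (wrap key) and TK (data key), 16 bytes each.
    The min/max ordering makes the result independent of which side derives it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:]


def mic(kck, body):
    """HMAC-SHA1-128 key MIC over an EAPOL-Key frame body."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def wrap(kek, data):
    """Toy key wrap: XOR with an HMAC keystream (stand-in for AES key wrap)."""
    ks = hmac.new(kek, b"gtk-wrap", hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, ks))


def four_way_handshake(pmk, aa, spa, gtk, anonce=None, snonce=None, supplicant_pmk=None):
    """Run both sides; return the supplicant's installed keys and the transcript.
    supplicant_pmk lets the test model a device that does not hold the PMK."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    s_pmk = supplicant_pmk or pmk
    transcript = []
    # M1, AP -> tap: ANonce in the clear; nothing can be authenticated yet.
    transcript.append(("M1", anonce, b""))
    # Tap derives its PTK and returns SNonce with a MIC under its KCK.
    s_kck, s_kek, s_tk = derive_ptk(s_pmk, aa, spa, anonce, snonce)
    transcript.append(("M2", snonce, mic(s_kck, snonce)))
    # AP derives the PTK from the same inputs and checks the MIC before
    # trusting SNonce; a wrong PMK or a tampered frame fails here.
    a_kck, a_kek, a_tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(transcript[-1][2], mic(a_kck, snonce)):
        raise ValueError("M2 MIC mismatch: supplicant does not hold the PMK")
    # M3, AP -> tap: ANonce again plus the GTK wrapped under KEK, with MIC.
    m3 = anonce + wrap(a_kek, gtk)
    transcript.append(("M3", m3, mic(a_kck, m3)))
    # Tap verifies M3, unwraps the GTK, installs PTK and GTK, confirms with M4.
    if not hmac.compare_digest(transcript[-1][2], mic(s_kck, m3)):
        raise ValueError("M3 MIC mismatch")
    s_gtk = wrap(s_kek, m3[len(anonce):])
    transcript.append(("M4", b"", mic(s_kck, b"")))
    return {"kck": s_kck, "kek": s_kek, "tk": s_tk, "gtk": s_gtk}, transcript


if __name__ == "__main__":
    pmk = bytes(range(32))                          # constructed; EAP-TLS output in practice
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    keys, transcript = four_way_handshake(pmk, aa, spa, gtk=b"G" * 16)
    for name, body, tag in transcript:
        print(name, body.hex()[:16], tag.hex())
    print("TK", keys["tk"].hex(), "GTK", keys["gtk"].hex())
```

Two points matter for a tap. The MIC on message 2 is what stops a device that was merely admitted to the network from finishing the handshake without the PMK, so the authentication server's decision in the earlier phase is enforced cryptographically here. And which traffic the tap can later decrypt depends on which key protects it: a key unique to the tap's own link opens only frames addressed to the tap, whereas a group key shared across the network opens every frame sent under it.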
[0055] In response, network splitter device 150 sends an RPL Destination Advertisement Object (DAO) message 422 to access point 410 to propagate its destination information (e.g., the address of network splitter device 150) to the monitored network 140. This allows other nodes or devices on the monitored network 140, primarily the parent node of network splitter device 150, to know the current address of network splitter device 150 and determine the route to it. Sending the destination information to access point 410 allows access point 410 to maintain the routing information. After determining the routing information, network splitter device 150 can communicate on the monitored network 140.
[0056] Network splitter device 150 also requests an IP address from access point 410 via Dynamic Host Configuration Protocol version 6 (DHCPv6) request message 424, and access point 410 responds with the assigned IP address using DHCPv6 reply message 414. Once network splitter device 150 is assigned an IP address, it interconnects with other network devices on the monitored network 140 and becomes IP addressable. Network splitter device 150 can operate similarly to other network devices, except that it is configured to minimize its transmission and focus on receiving traffic data from the monitored network 140.
[0057] It should be understood that while the description of process 400 focuses on the Wi-SUN protocol used in mesh networks, similar processes can be applied to other types of networks and network protocols. Depending on the type of network and the network protocol used, the messages transmitted in communication between the network splitter device 150, access point 410, and authentication server 412 may differ. Furthermore, although the above discussion focuses on the scenario where the network splitter device 150 operates within an IP network, similar processes can also be applied to scenarios where the network splitter device 150 operates outside an IP network and is configured to communicate with MAC layer messages.
[0058] Referring to Figure 5, a schematic diagram depicts an example of a network splitter device 150 suitable for implementing aspects of the techniques presented herein. The network splitter device 150 may include a processor 502. Non-limiting examples of the processor 502 include a microprocessor, an application-specific integrated circuit (ASIC), a state machine, a field-programmable gate array (FPGA), or other suitable processing devices. The processor 502 may include any number of processing devices, including one. The processor 502 may be communicatively coupled to a non-transitory computer-readable medium, such as a memory device 504. The processor 502 may execute computer-executable program instructions and / or access information stored in the memory device 504.
[0059] Memory device 504 may store instructions that, when executed by processor 502, cause processor 502 to perform the operations described herein. Memory device 504 may be a computer-readable medium, such as (but not limited to) an electronic storage device, optical storage device, magnetic storage device, or other storage device capable of providing computer-readable instructions to a processor. Non-limiting examples of such storage devices include read-only memory (“ROM”) devices, random access memory (“RAM”) devices, disks, magnetic tapes or other magnetic storage, memory chips, ASICs, configured processors, optical storage devices, or any other medium from which instructions can be read by a computer processor. Instructions may include processor-specific instructions generated by a compiler and / or interpreter from code written in any suitable computer programming language. Non-limiting examples of suitable computer programming languages include C, C++, C#, Visual Basic, Java, Python, Perl, JavaScript, ActionScript, etc.
[0060] The network splitter device 150 may also include a bus 506. The bus 506 can communicatively couple one or more components within the network splitter device 150. Although the processor 502, memory device 504, and bus 506 are each depicted in Figure 5 as a separate entity communicating with the others, other implementations are possible. For example, the processor 502, memory device 504, and bus 506 may be corresponding components of a printed circuit board or other suitable device arranged within the network splitter device 150 to store and execute programming code.
[0061] The network splitter device 150 may also include a transceiver device 520 communicatively coupled to the processor 502 and the memory device 504 via a bus 506. Non-limiting examples of the transceiver device 520 include RF transceivers and other transceivers for wirelessly transmitting and receiving signals. The transceiver device 520 is capable of communicating with the monitored network 140 and the data transmission network 120 via antennas 508 and 510, respectively.
[0062] General considerations
[0063] While this subject matter has been described in detail in its specific aspects, it will be understood that those skilled in the art, upon understanding the foregoing, can readily produce modifications, variations, and equivalents of these aspects. Therefore, it should be understood that this disclosure is presented for illustrative purposes and not for limitation, and does not exclude modifications, variations, and / or additions to the subject matter, as these will be apparent to those skilled in the art. For example, although a metering embodiment has been used for illustrative purposes, the invention can be extended to any type of network terminal, including communication modules and second modules separate from the communication module.
Claims
1. A system comprising:
  a headend system configured to manage network devices in a monitored network;
  an access point configured to manage communication among a subset of the network devices in the monitored network, the subset of network devices including network nodes and a network splitter device; and
  the network splitter device, connected to the access point via the monitored network and managed by the access point and the headend system, the network splitter device being configured to:
    join the monitored network as a network device within the monitored network, the joining including:
      communicating with the access point to obtain a security key of the monitored network, and
      communicating with the access point to obtain a network address for the network splitter device;
    collect network data for the monitored network, the collecting including:
      detecting network traffic on the monitored network, the network traffic including encrypted data and unencrypted data,
      decrypting the encrypted data in the network traffic using the security key to generate decrypted data, and
      adding the decrypted data and the unencrypted data to the network data;
    connect to a monitoring workstation via a data transmission network different from the monitored network; and
    send the collected network data to the monitoring workstation via the data transmission network.
2. The system of claim 1, wherein the network splitter device is further configured to be authenticated, before obtaining the security key of the monitored network, by communicating with the headend system via the monitored network; and the headend system is further configured to authenticate the network splitter device based on one or more of an identifier of the network splitter device, a name of the network splitter device, or a certificate of the network splitter device.
3. The system of claim 1, wherein the headend system is configured to manage the network splitter device by one or more of: sending a command to the network splitter device via the monitored network using the network address of the network splitter device; receiving a response from the network splitter device via the monitored network; and removing the network splitter device from the monitored network.
4. The system of claim 1, wherein the network splitter device is further configured to: obtain a channel frequency hopping sequence of the monitored network; and detect the network traffic on the monitored network by switching to different channels at different times according to the channel frequency hopping sequence.
5. The system of claim 1, wherein collecting the network data for the monitored network further comprises one or more of: identifying a decryption error when decrypting the encrypted data using the security key and adding an indication of the decryption error to the collected network data; detecting a signal strength of messages in the network traffic and adding the signal strength of the messages to the collected network data; or determining a symbol rate of the network traffic and adding the symbol rate to the collected network data.
6. The system of claim 1, wherein the network splitter device sends the collected network data to the monitoring workstation by streaming the collected network data via the data transmission network.
7. The system of claim 1, wherein the monitored network is one of a mesh network, a wireless network, or a cellular network associated with a resource allocation network, and the data transmission network is one or more of Ethernet, a cellular network, or power line carrier.
8. The system of claim 1, wherein the network splitter device comprises a radio of a plurality of radios of a multi-radio gateway device in the monitored network, the radios being dedicated to the network splitter device.
9. The system of claim 1, wherein the network splitter device is configured to collect network data for a first region of the monitored network, and the system further includes at least one additional network splitter device configured to collect additional network data for at least another region of the monitored network and transmit the additional network data to the monitoring workstation via the data transmission network.
10. The system of claim 9, further comprising the monitoring workstation, configured to: receive the collected network data and the additional network data; analyze the collected network data and the additional network data to generate analysis results; and reconfigure one or more network devices in the monitored network based on the analysis results.
11. A network splitter device, comprising:
  a transceiver configured to communicate with a monitored network and with a data transmission network different from the monitored network;
  the network splitter device being configured to:
    join the monitored network as a leaf node of the monitored network, the joining including:
      communicating with a network manager of the monitored network to obtain a security key of the monitored network, and
      communicating with the network manager to obtain a network address for the network splitter device;
    collect network data for the monitored network, the collecting including:
      detecting network traffic on the monitored network, the network traffic including encrypted data and unencrypted data,
      decrypting the encrypted data in the network traffic using the security key to generate decrypted data, and
      adding the decrypted data and the unencrypted data to the network data; and
    send the collected network data to a monitoring workstation via the data transmission network.
12. The network splitter device of claim 11, wherein collecting the network data for the monitored network further comprises one or more of: identifying a decryption error when decrypting the encrypted data using the security key and adding an indication of the decryption error to the collected network data; detecting a signal strength of messages in the network traffic and adding the signal strength of the messages to the collected network data; or determining a symbol rate of the network traffic and adding the symbol rate to the collected network data.
13. The network splitter device of claim 11, wherein joining the monitored network comprises communicating with a headend system of the monitored network to authenticate the network splitter device, wherein the headend system is configured to authenticate the network splitter device based on one or more of an identifier of the network splitter device, a name of the network splitter device, or a certificate of the network splitter device.
14. The network splitter device of claim 11, wherein sending the collected network data to the monitoring workstation includes streaming the collected network data via the data transmission network.
15. The network splitter device of claim 11, wherein the transceiver comprises a radio of a plurality of radios of a multi-radio gateway device in the monitored network, the radios being dedicated to the network splitter device.
16. A method performed by a network splitter device, comprising:
  joining a monitored network as a leaf node of the monitored network, the joining including:
    communicating with a network manager of the monitored network to obtain a security key of the monitored network, and
    communicating with the network manager to obtain a network address for the network splitter device;
  collecting network data for the monitored network, the collecting including:
    detecting network traffic on the monitored network, the network traffic including encrypted data and unencrypted data,
    decrypting the encrypted data in the network traffic using the security key to generate decrypted data, and
    adding the decrypted data and the unencrypted data to the network data;
  connecting to a monitoring workstation via a data transmission network different from the monitored network; and
  sending the collected network data to the monitoring workstation via the data transmission network.
17. The method of claim 16, further comprising communicating with a headend system of the monitored network to authenticate the network splitter device, wherein the headend system is configured to authenticate the network splitter device based on one or more of an identifier of the network splitter device, a name of the network splitter device, or a certificate of the network splitter device.
18. The method of claim 16, further comprising: obtaining a channel frequency hopping sequence of the monitored network; and detecting the network traffic on the monitored network by switching to different channels at different times according to the channel frequency hopping sequence.
19. The method of claim 16, wherein sending the collected network data to the monitoring workstation comprises streaming the collected network data to the monitoring workstation via the data transmission network.
20. The method of claim 16, wherein the monitored network is a mesh network associated with a resource allocation network, and the data transmission network is one or more of Ethernet, cellular network, or power line carrier.