NETWORK TRAFFIC MONITORING DEVICES AND MONITORING SYSTEMS, AND ASSOCIATED METHODS

US 20100074112A1
Filed: 09/25/2008
Published: 03/25/2010
Est. Priority Date: 09/25/2008
Status: Abandoned Application

First Claim

Patent Images

1. A monitoring device, comprising:

a communication module configured to capture wireless communications of a wireless device within a monitored area; and

processing circuitry coupled with the communication module and configured to;

form a new cluster comprising at least a portion of the captured wireless communications according to at least one specific parameter identified in the at least a portion of the captured wireless communications;

generate at least one rule set relating to the formed new cluster;

combine the at least one rule set to a current rule set representing previous wireless communications to create an updated rule set;

compare the captured wireless communications to the updated rule set to determine a difference from the previous wireless communications; and

generate an alert if the difference is greater than a predetermined threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic monitoring devices and monitoring systems include a communication module for capturing wireless communications of a wireless device. Processing circuitry is coupled with the communications module and configured to form a new cluster or refine an existing cluster from the captured wireless communications, in which the cluster includes wireless communications having one or more relevant parameters. The processing circuitry is also configured to generate/refine at least one rule set relating to the clusters, create an updated rule set by combining the one or more rule sets to current rule sets, and to compare the captured wireless communications to the updated rule set to determine whether the wireless communications pose a potential threat. Methods of monitoring network traffic are also provided.

Citations

25 Claims

1. A monitoring device, comprising:
- a communication module configured to capture wireless communications of a wireless device within a monitored area; and
  
  processing circuitry coupled with the communication module and configured to;
  
  form a new cluster comprising at least a portion of the captured wireless communications according to at least one specific parameter identified in the at least a portion of the captured wireless communications;
  
  generate at least one rule set relating to the formed new cluster;
  
  combine the at least one rule set to a current rule set representing previous wireless communications to create an updated rule set;
  
  compare the captured wireless communications to the updated rule set to determine a difference from the previous wireless communications; and
  
  generate an alert if the difference is greater than a predetermined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The monitoring device of claim 1, wherein the communication module comprises at least one RF detection module configured to capture wireless communications for at least one wireless technology.
  - 3. The monitoring device of claim 2, wherein the RF detection module is configured to capture wireless communications for at least one wireless technology selected from the group consisting of Wi-Fi (IEEE 802.11), Zigbee, IEEE 802.15.4, ISA 100.11a Standard for Wireless Industrial Networks, WirelessHART, Ultra-Wideband (UWB), Certified Wireless USB, WiMAX, WiBro.
  - 4. The monitoring device of claim 1, wherein the communication module is further configured to identify the at least one specific parameter in the captured wireless communications and to provide information to the processing circuitry regarding at least a location of the identified at least one specific parameter in the captured wireless communications.
  - 5. The monitoring device of claim 1, wherein the processing circuitry is further configured to update an existing cluster from at least another portion of the captured wireless communications according to at least one other specific parameter, and refine a rule set relating to the existing cluster.
  - 6. The monitoring device of claim 5, wherein the at least one specific parameter and the at least one other specific parameter are selected from the group of parameters consisting of a source wireless device, a destination wireless device, a targeted port number, a packet size, a profile, a protocol, a frame number, a channel number, a check sum, and a sub-protocol.
  - 7. The monitoring device of claim 1, wherein the processing circuitry is further configured to determine a physical location of the wireless device in the monitored area.
  - 8. The monitoring device of claim 1, further comprising a response and protection framework configured to identify a location of the wireless device generating the wireless communications, isolate the wireless device from further communications and assign a reputation rating to the wireless device.

9. A system for monitoring network traffic, comprising:
- at least one analysis sensor device comprising;
  
  a communications module configured to capture wireless communications of a wireless device within a monitored area; and
  
  programming configured to;
  
  form a new cluster comprising at least a portion of the captured wireless communications which comprise at least one relevant parameter;
  
  generate at least one rule set relating to the new cluster;
  
  combine the at least one rule set to a current rule set representing previous wireless communications to form an updated rule set; and
  
  compare the at least a portion of the captured wireless communications to the updated rule set to determine whether the captured wireless communications pose a potential threat;
  
  at least one storage media accessible by the programming and configured to store at least the current rule; and
  
  a visualization and control system coupled to the at least one analysis sensor device and configured to generate a visual representation of at least a portion of the captured wireless communications.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the communication module comprises at least one RF detection module configured to capture wireless communications for at least one wireless technology.
  - 11. The system of claim 10, wherein the RF detection module is configured to capture wireless communications for at least one wireless technology selected from the group consisting of Wi-Fi (IEEE 802.11), Zigbee, IEEE 802.15.4, ISA 100.11a Standard for Wireless Industrial Networks, WirelessHART, Ultra-Wideband (UWB), Certified Wireless USB, WiMAX, and WiBro.
  - 12. The system of claim 9, wherein the programming of the at least one analysis sensor device comprises an evaluation framework configured to compare the at least a portion of the captured wireless communications to the updated rule set.
  - 13. The system of claim 9, wherein the visualization and control system comprises:
    - a visualization system configured as a display; and
      
      a control module configured to communicate with the at least one analysis sensor device and to control at least some operations thereof.
  - 14. The system of claim 9, wherein the programming is further configured to update an existing cluster from at least another portion of the captured wireless communications according to at least one other relevant parameter, and to refine a rule set relating to the existing cluster.

15. A method of monitoring network traffic, comprising:
- capturing wireless communications from at least one wireless device;
  
  forming at least one new cluster comprising at least a portion of the captured wireless communications having at least one relevant parameter;
  
  generating at least one rule set from the at least one cluster;
  
  creating an updated rule set comprising a combination of the at least one rule set with a current rule set representing previous wireless communications;
  
  evaluating the difference of the at least one rule set from the updated rule set and deriving a threat level for the captured wireless communications based on the evaluation.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, wherein capturing the wireless communications comprises sniffing the wireless communications between at least two wireless devices.
  - 17. The method of claim 15, wherein capturing the wireless communications comprises capturing the wireless communications in a raw packet level.
  - 18. The method of claim 15, wherein forming the at least one new cluster comprises:
    - identifying the at least one relevant parameter in the at least a portion of the captured wireless communications; and
      
      grouping together a plurality of data packets comprising the at least a portion of the captured wireless communications in which the at least one relevant parameter is similar.
  - 19. The method of claim 18, wherein forming the at least one cluster from the captured wireless communications comprises:
    - identifying a plurality of relevant parameters in the at least a portion of the captured wireless communications; and
      
      grouping together a plurality of data packets comprising the at least a portion of the captured wireless communications wherein the plurality of parameters are similar as a whole.
  - 20. The method of claim 15, further comprising:
    - updating an existing cluster with another portion of the captured wireless communications having at least one other relevant parameter; and
      
      refining a rule set relating to the existing cluster.
  - 21. The method of claim 20, wherein the at least one relevant parameter and the at least one other relevant parameter comprise parameters selected from the group consisting of a source wireless device, a destination wireless device, a targeted port number, a packet size, a profile, a protocol, a frame number, a channel number, a check sum, and a sub-protocol.
  - 22. The method of claim 15, further comprising generating at least one visual depiction of information related to the captured wireless communications and displaying the at least one visual depiction to an administrator.
  - 23. The method of claim 15, further comprising communicating the threat level of the captured wireless communications to an administrator.
  - 24. The method of claim 23, further comprising determining if the threat level of the captured wireless communications is accurate, comprising:
    - reviewing the threat level communicated to the administrator; and
      
      reviewing additional information relating to the captured wireless communications.
  - 25. The method of claim 15, further comprising identifying a physical location of the at least one wireless device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Battelle Energy Alliance LLC (Battelle Memorial Institute)
Original Assignee
Battelle Energy Alliance LLC (Battelle Memorial Institute)
Inventors
Derr, Kurt, Manic, Milos

Application Number

US12/238,123
Publication Number

US 20100074112A1
Time in Patent Office

Days
Field of Search
US Class Current

370/232
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 43/16   Threshold monitoring

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04W 24/08   Testing, supervising or mon...

NETWORK TRAFFIC MONITORING DEVICES AND MONITORING SYSTEMS, AND ASSOCIATED METHODS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK TRAFFIC MONITORING DEVICES AND MONITORING SYSTEMS, AND ASSOCIATED METHODS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links