Method for filtering and processing data in a packet-switched communication network

US 8,942,131 B2
Filed: 06/08/2011
Issued: 01/27/2015
Est. Priority Date: 06/30/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method for processing data in a packet-switched communication network, including a wireless communication network, having a plurality of network nodes between which data packets are transmitted, which method comprises the steps of:

extracting, at least partially, information contained in at least one received data packet received in at least one network node;

ascertaining at least one physical transmission parameter of the received data packet, the physical transmission parameter specifying or being dependent on at least one characteristic of a physical transmission of the received data packet;

filtering the received data packet on a basis of a set of rules that take at least a part of the information extracted and at least a part of the physical transmission parameter into account and processed further in dependence on a filtering process; and

wherein the data packets received in the at least one network node include confiquration-data packets transmitted within a scope of a predefined configuration process, with the at least one network node being configured through the predefined configuration process, with a measure of confidence therein being ascertained on a basis of the at least one physical transmission parameter of the configuration-data packets received, the measure of confidence indicating a confidence that the configuration-data packets received belong to the predefined configuration process, with the predefined configuration process being canceled or interrupted if the measure of confidence represents a degree of confidence that is less than or less than or equal to a predefined minimum confidence.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method processes data in a packet-switched communication network having a plurality of network nodes, between which data packets are transmitted. Information contained in one data packet is extracted therefrom, the packet being received in a network node. One physical transmission parameter of the received data packet is ascertained, the physical transmission parameter specifies or is dependent on one property of the physical transmission of the received data packet. The received data packet is filtered based on a rule set, taking into account some of the extracted information and part of the physical transmission parameter, and further processed dependant on the filtering. An application of the method is “bootstrapping”, wherein network nodes are configured, cryptographic information being transmitted in the context of the configuration. A plausibility test of physical transmission parameters of the data packets that are transmitted during bootstrapping can ascertain whether an attacker is manipulating the bootstrapping process.

9 Citations

View as Search Results

22 Claims

1. A method for processing data in a packet-switched communication network, including a wireless communication network, having a plurality of network nodes between which data packets are transmitted, which method comprises the steps of:
- extracting, at least partially, information contained in at least one received data packet received in at least one network node;
  
  ascertaining at least one physical transmission parameter of the received data packet, the physical transmission parameter specifying or being dependent on at least one characteristic of a physical transmission of the received data packet;
  
  filtering the received data packet on a basis of a set of rules that take at least a part of the information extracted and at least a part of the physical transmission parameter into account and processed further in dependence on a filtering process; and
  
  wherein the data packets received in the at least one network node include confiquration-data packets transmitted within a scope of a predefined configuration process, with the at least one network node being configured through the predefined configuration process, with a measure of confidence therein being ascertained on a basis of the at least one physical transmission parameter of the configuration-data packets received, the measure of confidence indicating a confidence that the configuration-data packets received belong to the predefined configuration process, with the predefined configuration process being canceled or interrupted if the measure of confidence represents a degree of confidence that is less than or less than or equal to a predefined minimum confidence.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method according to claim 1, wherein the information includes at least one of the following items:
    - at least one of addresses or port numbers of a source-network node in which the received data packet originates;
      
      at least one of addresses or port numbers of a destination-network node for which the received data packet is intended; and
      
      at least one transmission protocol employed for transmitting the received data packet.
  - 3. The method according to claim 1, wherein the information extracted originates in at least one of layer 2, layer 3 or a higher layer of an open system interconnection reference model.
  - 4. The method according to claim 1, which further comprises forming the physical transmission parameter to include at least one of the following parameters:
    - at least one of a signal strength or signal-to-noise ratio with which the received data packet is received;
      
      at least one parameter of a demodulation unit that is adaptively matched to the transmission of the received data packet and by means of which the received data packet is demodulated;
      
      demodulation methods employed for the received data packet;
      
      directional characteristic of the received data packet;
      
      a transmission rate of the received data packet; and
      
      a measure of errors specifying errors occurring during transmission of the received data packet.
  - 5. The method according to claim 1, wherein the received data packet will as a function of the filtering be processed further in at least one of following ways:
    - the received data packet will be rejected;
      
      the received data packet will be forwarded to the at least one network node;
      
      the received data packet will be classified; and
      
      the information about the received data packet will be fed out to a user on a user interface.
  - 6. The method according to claim 1, wherein after the received data packet is through the filtering, performing the further steps of:
    - assigning the received data packet to categories in dependence on the information; and
      
      subsequently performing a check to determine whether the at least one physical transmission parameter of the received data packet meets at least one reference criteria of a respective category to which the received data packet has been assigned.
  - 7. The method according to claim 6, which further comprises evaluating a measure of a change in the at least one physical transmission parameter for a plurality of received data packets based on a reference criterion/criteria, with the reference criterion/criteria having been met in particular if the measure of the change is less than or less than or equal to a predefined threshold, with the received data packet not meeting the reference criterion/criteria preferably being rejected.
  - 8. The method according to claim 7, which further comprises performing one of fixing the reference criterion/criteria or matching the reference criterion/criteria to the at least one physical transmission parameter of the received data packet.
  - 9. The method according to claim 1, which further comprises performing the method at least partially in the network node in which the received data packet is received.
  - 10. The method according to claim 1, which further comprises performing the method, for data packets received in a plurality of predefined network nodes, at least partially in a central network node assigned to the plurality of predefined network nodes.
  - 11. The method according to claim 1, wherein cryptographic information is exchanged during the predefined configuration process.
  - 12. The method according to claim 11, wherein the measure of confidence represents a degree of confidence, wherein the degree of confidence is high if few changes in the at least one physical transmission parameter occur for a plurality of received data packets and the degree of confidence is low if many changes in the at least one physical transmission packet occur for the plurality of received data packet.
  - 13. The method according to claim 11, which further comprises feeding out the measure of confidence to a user on a user interface if the predefined configuration process is interrupted, with the user being able to specify resuming or canceling the predefined configuration process via the user interface.
  - 14. The method according to claim 11, wherein the configuration-data packets will not be assigned to the predefined configuration process unless the at least one physical transmission parameter of the configuration-data packets are within at least one predefined value range.
  - 15. The method according to claim 11, wherein the predefined configuration process is initiated by first configuration-data packets transmitted having a first signal strength by the at least one network node, with network nodes, that receive the first configuration-data packets not launching any further configuration processes.
  - 16. The method according to claim 15, which further comprises performing the predefined configuration process using at least one second configuration-data packet transmitted having a second signal strength less than the first signal strength by the at least one network node.
  - 17. The method according to claim 1, which further comprises performing the method in a communication network of an automation system.
  - 18. The method according to claim 4, wherein the at least one parameter of the demodulation unit is for at least one of a MIMO or a RAKE receiver.
  - 19. The method according to claim 14, wherein the at least one physical transmission parameter is signal strength.

20. A packet-switched communication network, comprising:
- a plurality of network nodes between which data packets are transmitted while the packet-switched communication network is operating, with the packet-switched communication network programmed to perform a method for processing data in the packet-switched communication network, which method comprises the steps of;
  
  extracting, at least partially, information contained in the data packets received in the network nodes;
  
  ascertaining physical transmission parameters of the data packets, the physical transmission parameters specifying or being dependent on at least one characteristic of a physical transmission of the data packets;
  
  filtering the data packets on a basis of a set of rules that take at least a part of the information extracted and at least a part of the physical transmission parameters into account and processed further in dependence on a filtering process; and
  
  wherein the data packets received in the network nodes include configuration-data packets transmitted within a scope of a predefined configuration process, with the network nodes being configured through the predefined configuration process, with a measure of confidence therein being ascertained on a basis of the at least one physical transmission parameter of the configuration-data packets received, the measure of confidence indicating a confidence that the configuration-data packets received belong to the predefined configuration process, with the predefined configuration process being canceled or interrupted if the measure of confidence represents a degree of confidence that is less than or less than or equal to a predefined minimum confidence.
- View Dependent Claims (21)
- - 21. The packet-switched communication network according to claim 20, wherein the packet-switched communication network is a wireless communication network.

22. A network node for use in a communication network, the network node comprising:
- a radio receiver;
  
  a filter connected to said radio receiver;
  
  a processing unit connected to said filter;
  
  the network node programmed to;
  
  extract information contained in data packets received in the network node in the communication network from the data packets while the network node is operating;
  
  ascertain at least one physical transmission parameter of the data packets while the network node is operating, with the physical transmission parameter specifying or being dependent on at least one characteristics of a physical transmission of the data packets;
  
  filter the data packets on a basis of a set of rules taking account of at least a part of the information extracted and at least a part of the physical transmission parameter while the network node is operating and processed further in dependence on a filtering process; and
  
  wherein the data packets received in the network node include configuration-data packets transmitted within a scope of a predefined configuration process, with the network node being configured through the predefined configuration process, with a measure of confidence therein being ascertained on a basis of the at least one physical transmission parameter of the configuration-data packets received, the measure of confidence indicating a confidence that the configuration-data packets received belong to the predefined configuration process, with the predefined configuration process being canceled or interrupted if the measure of confidence represents a degree of confidence that is less than or less than or equal to a predefined minimum confidence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Falk, Rainer
Primary Examiner(s)
Rinehart, Mark
Assistant Examiner(s)
KHIRODHAR, MAHARISHI V

Application Number

US13/807,761
Publication Number

US 20130100848A1
Time in Patent Office

1,329 Days
Field of Search

370/252
US Class Current

370/252
CPC Class Codes

H04L 43/028   by filtering

H04L 47/19   at layers above the network...

H04L 47/22   Traffic shaping

H04L 63/0227   Filtering policies mail mes...

H04W 12/00   Security arrangements; Auth...

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/79   Radio fingerprint

H04W 28/02   Traffic management, e.g. fl...

H04W 8/04   Registration at HLR or HSS ...

Method for filtering and processing data in a packet-switched communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method for filtering and processing data in a packet-switched communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links