
WO2013026486A1 - Embedded network node - Google Patents


Info

Publication number
WO2013026486A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
network
rules
embedded
traffic
Application number
PCT/EP2011/064612
Other languages
French (fr)
Inventor
Kevin Mcgrath
Alexander Wold
Original Assignee
Abb Technology Ag

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies
    • H04L47/00 Traffic control in data switching networks > H04L47/10 Flow control; Congestion control > H04L47/20 Traffic policing
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services > H04L67/565 Conversion or adaptation of application format or content > H04L67/5651 Reducing the amount or size of exchanged application data
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/12 Protocol engines
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/24 Negotiation of communication capabilities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS > Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation > Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • the network may be wired or wireless, but it may be convenient, e.g. at an industrial plant, to use a wireless communication network in order to facilitate mobility and reduce wiring which may be in the way of the operation of the plant and running of plant process and machines.
  • the node may be adapted to generate the set of rules such that the set of rules specifies which messages, said messages being specifically or generally addressed to the node, should be received or rejected by the node. This means that the set of rules may not only be generated to reject messages which are not intended for the node.
  • a list of n entries which contains IP, PORT, MAC and a corresponding credit.
  • Every node the system communicates with is given 1 credit when a frame of data is transmitted from the local node to the external node.
  • the credit system is designed to prevent the introduction of false elements into the list and to keep the list current.
  • the rules could be complemented with other high level information from a management or configuration tool or information about the device from the vendor.
  • the present invention may be combined with Simple Network Management Protocol (SNMP) or other network management software, whereby the embedded node may be allowed to remotely update e.g. a managed switch with a current set of rules for the node, allowing the network switch to perform the throttling of the traffic to the node. In such case, the set of rules is still generated by the node, but the node instructs the switch how to throttle the traffic.
  • the node 1 comprises a receiver 2 and a transmitter 3 for communication via the communication network of which the communication node 1 is a node.
  • the node 1 may be adapted for wireless
  • the node 1 may additionally comprise an antenna (not shown) either as a separate unit or included in the receiver 2 and/ or the transmitter 3.
  • the node further comprises the rule generating module 4 adapted to generate and maintain the set of rules for limiting the network traffic to the node 1.
  • the node 1 comprises the analysis module 5 adapted to analyse the network traffic to the node 1.
  • the devices 4 and 5 may be configured to cooperate to, while the node is on-line, continuously analyse and update the set of rules.
  • the analysis module 5 may continuously or regularly analyse the network traffic to the node 1 to obtain traffic information.
  • the traffic information may then be transferred to the rule generating module 4 which may use the information as basis for generating the set of rules and continuously or regularly updating the set of rules.
  • the node 1 may also comprise a processing unit 14 which may e.g. process the traffic information from the analysis module 5 in cooperation with the rule generating module 4 or before the information is transferred to the rule generating module 4.
  • the node 1 may also comprise e.g. a memory (not shown) and possibly a sensor circuit (not shown) if the node is a sensor node.
  • FIG 2 is a schematic illustration of an embodiment of an industrial machine 6 according to the present invention.
  • the machine 6 comprises a network node 1 as discussed in respect of figure 1 as an embedded system in the machine 6.
  • the node 1 may e.g. be used for remote control of the machine via the communication network comprising the node 1, and/ or for transmitting readings and measurements of properties of the machine or the industrial process which the machine is involved with.
  • Figure 3 is a schematic illustration of an embodiment of a communication network 7, such as an industrial control network.
  • the network 7 comprises a central control unit 8 and two embedded network nodes 1a and 1b.
  • the central control unit 8 may be arranged to issue instructions to the plurality of embedded nodes 1 as well as receive acknowledgements, measurements etc. from the nodes 1.
  • the central control unit 8 may communicate with any number of embedded nodes 1, as well as any other nodes of the network 7.
  • the central control unit 8 may also be adapted for interaction with an operator, such as a human operator, which may control the industrial machines 6a and 6b in which the nodes 1a and 1b, respectively, are embedded and the industrial process which the machines 6 are involved with, via the control unit 8.
  • the control unit 8 may also be arranged to present readings and measurements transmitted by the nodes 1, as well as any other nodes of the network 7, to the operator.
  • the communication between the central control unit 8 and the nodes 1 is wireless, as indicated by the double-headed dashed arrows in the figure.
  • the machines 6 may not be part of the network 7, except for the nodes 1.
  • the network 7 as well as the machines 6 are part of an industrial plant or factory 9.
  • FIG 4 is a schematic illustration of an embodiment of a method 10 of the present invention.
  • the method 10 is for protecting an embedded network node 1 from being overwhelmed by more network traffic than the network node 1 is configured to be able to receive and process at any time.
  • the network traffic to the node 1 is analysed (step 11), e.g. by means of an analysing device 5.
  • the node 1 generates (step 12) the set of rules for limiting traffic to the node 1 based on the analysis made in step 11. It is also conceivable to first generate (step 12) the set of rules before analysing (step 11) the network traffic.
  • the set of rules may then be some sort of standard rules, possibly preprogrammed into the node 1.
  • the analysing 11 may then continue at regular intervals, according to a pre-determined schedule, as needed and/or continuously during the period the node 1 is on-line. This analysing 11 may then form at least part of the basis for updating (step 13) the set of rules.
  • the updating 13 is an optional alternative of the method of the present invention and may also be performed at regular intervals, according to a pre-determined schedule, as needed and/or continuously during the period the node 1 is on-line. If, for a period of time, there is no need to filter the traffic to the node 1, the set of rules may not be used and the updating 13 may be suspended during that time. This updating 13 may be one way of maintaining the set of rules of the node 1.
  • the maintaining of the set of rules may additionally or alternatively comprise keeping (conserving) and/ or enforcing the set of rules, possibly indefinitely (e.g. according to an embodiment of the method where the set of rules is not updated 13) or until the set of rules is updated, suspended and/ or the node is no longer on-line.


Abstract

The present invention relates to a network node (1) for a communication network (7), the node (1) comprising a rule generating module adapted to, independently of other nodes of the network (7), generate and maintain a set of rules specifying messages sent within the network (7) to be processed by the node (1) and messages sent within the network (7) to be rejected by the node (1), wherein the node (1) is adapted to be an embedded system. The invention further relates to an industrial machine (6) with such a network node (1) embedded, to an industrial control network (7) comprising such a network node (1), to a use of such a network node (1) as an embedded system in an industrial machine (6), as well as to a method of protecting an embedded network node (1) from being overwhelmed by more network traffic than it is configured to handle.

Description

EMBEDDED NETWORK NODE
TECHNICAL FIELD
The invention relates to a network node for a communication network, an industrial machine with an embedded network node, use of a network node in an industrial machine, as well as a method of protecting an embedded network node from unwanted network traffic.
BACKGROUND
Factories and other industrial sites may have local control networks for controlling and monitoring machines and process parameters. Such control networks may have network nodes embedded in e.g. machines and other equipment. The network may be protected from hacking etc. by a network embracing firewall.
SUMMARY
It has been realised that individual embedded nodes in a network, such as a local network of an industrial plant, stand the risk of being overwhelmed by the traffic of the network, even by network traffic generally or specifically directed to the nodes. The traffic overwhelming the nodes may thus not be spam but may be legitimate traffic of the network. However, since an embedded network node may have a limited capacity for receiving and processing network traffic, it may still be overwhelmed, at least occasionally. According to an aspect of the present invention, there is thus provided a network node for a communication network, the node comprising a rule generating module adapted to, independently of other nodes of the network, generate and maintain a set of rules specifying messages sent within the network to be received by the node and messages sent within the network to be rejected by the node, wherein the node is adapted to be an embedded system.
According to another aspect of the present invention, there is provided an industrial machine with a network node according to the above aspect of the invention, wherein the network node is an embedded system in the industrial machine. According to another aspect of the present invention, there is provided a use of a network node according to the above aspect of the invention as an embedded system in an industrial machine.
According to another aspect of the present invention, there is provided a method of protecting an embedded network node from being overwhelmed by more network traffic than it is configured to handle, the method comprising the node, independently of other nodes of the network: optionally analysing the network traffic to a processing unit of the node; generating a set of rules specifying messages sent within the network to be processed by the node and messages sent within the network to be rejected by the node, optionally based on the analysing of the network traffic to the node; and optionally updating the set of rules, based on the analysing of the network traffic to the node.
According to another aspect of the present invention, there is provided an industrial control network comprising: a network node according to any one of the preceding claims 1-6, wherein the network node is an embedded system in an industrial machine; and a central control unit adapted for communication with the network node.
Discussions above and below relating to any of the above aspects of the present invention are also in applicable parts relevant to any of the other aspects.
By allowing the network node to independently set, maintain and/or update a set of rules for which network messages it should receive and which it should reject, the rules may be adapted specifically to said node, as well as to the current network traffic. The network may thus be more flexible than if a general set of rules were set at a higher level of the network for said node and possibly also other nodes, which would then all have the same set of rules regardless of individual properties of the nodes. The network may also be more flexible in the respect that the amount of network traffic to a node may vary over time, and by means of the present invention, the rules may be adjusted accordingly without affecting corresponding rules of other nodes. The rules may thus be optimised in respect of each node as well as in respect of the specific conditions present at each time. In this way, overwhelming of the node may be avoided, while the full capacity of the node to receive and process network messages may be used for receiving and processing the messages deemed, by means of the set of rules, to be more important for the node to receive and process. By means of the present invention with the embedded network node, increased network robustness at low cost may be achieved. The embedded node may not require user configuration or additional engineering tools, which are needed with an external firewall. Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention is now described, by way of example, with reference to the accompanying drawings, in which:
Fig 1 is a schematic diagram of an embodiment of a network node of the present invention.
Fig 2 is a schematic diagram of an embodiment of an industrial machine of the present invention.
Fig 3 is a schematic diagram of an embodiment of an industrial control network of the present invention.
Fig 4 is a schematic flow chart of an embodiment of a method of the present invention.
DETAILED DESCRIPTION
The invention will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout the description. The communication network may be any wired or wireless network or communication system, such as a wireless network e.g. a sensor network or industrial control network. The network may e.g. be a wired or wireless local area network (LAN), using e.g. Ethernet, Bluetooth, Wireless HART, Wi-Fi and/or Zigbee. The network may comprise a central control unit, but networks without a central control unit are also contemplated.
The term "industrial plant" is intended to be interpreted in a broad sense, comprising any industrial or similar facility.
The node may be any type of node, such as a control node or sensor node. A sensor node may e.g. include a sensing unit (a.k.a. a sensor), a processing unit, such as a low power processor, a storage unit, such as a memory, and a wireless communication module comprising a receiver, a transmitter and an antenna. A control node may e.g. include a processing unit, such as a low power processor, a storage unit, such as a memory, and a wireless communication module comprising a receiver, a transmitter and an antenna. The node may also comprise a node server. All the different parts of the node are also part of the network since the node is part of the network. This means that any communications within the node, such as communication between the processing unit and other parts of the node, are also part of the communication traffic within the network. An objective of the present invention is to avoid overwhelming the node with network traffic. It is conceivable that different parts of the node stand the risk of being overwhelmed, but there may specifically be a risk that the processing unit is overwhelmed. The traffic at risk of overwhelming the processing unit, or other part of the node, may thus be both communication messages sent from or via other nodes of the network and communication messages sent within the node. Where messages to the node are discussed below, it should be understood that these messages may very well be internal, e.g. from one part of the node to another part of the node such as a processing unit of the node.
The terms "embedded" and "embedded system" relate to an electronic or computer system designed to perform dedicated and/or specific functions in a larger device, such as an electrical and/or mechanical machine in which the system is embedded. An embedded system is in contrast to a general purpose computer. The embedded network node may have limited processing resources, which is why it may be easily, or at least occasionally, overwhelmed by deliberate or accidental network traffic exceeding its capacity for handling network traffic. The network traffic may e.g. be messages specifically addressed to or directed to the embedded network node, messages generally addressed to or directed to the embedded network node as well as to other parts/nodes of the communication network, or other messages communicated through the network but not directed to the embedded node but which may still, more or less unintentionally, be received and processed by the embedded node. It may thus be advantageous to be able to filter message packets coming to the node in order to limit or filter the traffic down to a level where the node processing resources are sufficient to handle the amount of network traffic which passes the filter. The filtering could be called limiting or throttling the traffic, or traffic shaping. By means of the filtering, legitimate traffic may be allowed to pass the filter and be received by the embedded node, whereas illegitimate traffic may be rejected. Illegitimate traffic may e.g. be spam messages, accidental messages or other messages of the communication network which are not relevant to this specific embedded node. Depending on the amount of legitimate traffic to the node, the legitimate traffic may itself be large enough to overwhelm the node.
It may thus also be convenient to be able to limit/throttle the legitimate traffic, only allowing the more relevant legitimate traffic to be received and processed by the node, at least during periods of high legitimate traffic. In accordance with this discussion it is advantageous to be able to set up a set of rules for filtering traffic to the node; it is furthermore advantageous that this set of rules is specific for this node, and it may also be advantageous that the set of rules may be modified over time depending on the type and amount of traffic to the node and how it changes over time. The processing resources of the node may be constant over time, but it is conceivable that the processing capabilities of the node may vary over time, in which case this may also be considered when the set of rules is generated, maintained and updated. The set of rules may be regularly or continuously updated by the node. The updating may be based on regular or continuous analysis of the network traffic to the node, or to a processing unit of the node (if the network traffic or at least part of it is internal to the node, such as messages sent between a server of the node and the processing unit of the node). Thus, the node may regularly or continuously analyse the network traffic to the node and based on these analyses update the set of rules. The node may consequently comprise an analysis module adapted to analyse the messages sent via the network. Since the set of rules is conveniently adapted to the specific conditions of the specific embedded node, it may be advantageous for the node itself to be allowed and able to generate the set of rules by itself. The node may thus be equipped with functions to analyse the network traffic to the node and to generate a set of rules for limiting the amount of traffic allowed to be let through to be processed by the node. The node may also be equipped with a function to update the set of rules, depending on e.g. whether the old rules were insufficient, such as by not rejecting the right messages or letting too many or too few messages through to be received and processed by the node, and/or whether the traffic to the node has changed, such as increased, decreased, or including new types of legitimate or illegitimate messages. The node may be adapted to generate, maintain and/or update the set of rules while the device is on-line (on the fly).
In accordance with the present invention, and in accordance with the above discussion, the node is adapted to be an embedded system and adapted to, autonomously and independently of the rest of the network and other nodes thereon, generate and maintain the set of rules for limiting the traffic received and processed by the node. The set or list of rules may be regarded as firewall rules or quality of service (QoS) rules. The set of rules may primarily be designed to identify wanted messages and allow them to be received and processed by the node, instead of identifying unwanted messages which is what a firewall is often associated with. The set of rules may also be generated autonomously in the respect that they may be generated and maintained without human or operator intervention. This may be done without incurring additional tools or engineering cost.
The set of rules may always be used by and for the node when the node is on-line, or the set of rules may be inactivated or disregarded if the network traffic is not high enough to risk overwhelming the node if the set of rules is not used. If the set of rules is not used for a time, the updating of the rules may be stopped during that time to save processing power. It may, however, be convenient to proceed with analysing the network traffic in order to detect if and when the set of rules may be needed to be used.
The node may conveniently be embedded in, or be adapted to be embedded in, an industrial machine, such as a robot, conveyor or tool. It may be convenient to use embedded network nodes in industrial machines to allow control of the machines and/or to detect or measure parameters or properties of the machines and the process with which the machines are involved. For similar reasons, the communication network which comprises the embedded node may be a local network of an industrial plant or factory.
The network may be wired or wireless, but it may be convenient, e.g. at an industrial plant, to use a wireless communication network in order to facilitate mobility and reduce wiring which may be in the way of the operation of the plant and running of plant process and machines.
As discussed above, the amount of legitimate traffic to the node, e.g. messages addressed to the node, may also be too high and risk overwhelming the node. Thus, the node may be adapted to generate the set of rules such that the set of rules specifies which messages, said messages being specifically or generally addressed to the node, should be received or rejected by the node. This means that the set of rules may not only be generated to reject messages which are not intended for the node.
An example of an algorithm for autonomous generation of a set of rules for an embedded network node is:
1. A list of n entries, each of which contains IP, PORT, MAC and a corresponding credit.
2. Every node the system communicates with is given 1 credit when a frame of data is transmitted from the local node to the external node.
3. For every t time units, the list is traversed and 1 credit is removed or the credit is halved.
The credit system is designed to prevent introduction of false elements into the list, and stay current. The rules could be complemented with other high level information from a management or configuration tool or information about the device from the vendor.
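The credit scheme above, as an added Python example that is not part of the patent or of any ABB implementation: credit is granted only when the local node transmits to a peer, so an external sender cannot insert itself into the list merely by sending frames, and decay ages out peers the node has stopped talking to. The bounded-list eviction policy, the choice between the two decay variants, and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Peer = Tuple[str, int, str]  # (IP, PORT, MAC), the fields of one list entry


@dataclass
class CreditTable:
    """Credit-based rule set: accept frames from credited peers, reject the rest."""
    max_entries: int = 16          # n: size of the list (bounded, as in step 1)
    halve: bool = False            # step 3 variant: False = remove 1, True = halve
    credits: Dict[Peer, int] = field(default_factory=dict)

    def on_transmit(self, peer: Peer) -> None:
        """Step 2: the local node sent a frame to `peer`, so grant it 1 credit.
        Receiving a frame grants nothing, which keeps false entries out."""
        if peer not in self.credits and len(self.credits) >= self.max_entries:
            # Assumption: when the list is full, evict the least-credited peer.
            victim = min(self.credits, key=self.credits.__getitem__)
            del self.credits[victim]
        self.credits[peer] = self.credits.get(peer, 0) + 1

    def tick(self) -> None:
        """Step 3: called every t time units; decay every entry, drop those at zero."""
        for peer in list(self.credits):
            c = self.credits[peer] // 2 if self.halve else self.credits[peer] - 1
            if c <= 0:
                del self.credits[peer]
            else:
                self.credits[peer] = c

    def rules(self) -> Dict[Peer, str]:
        """The current rule set, phrased as wanted-message (accept) entries."""
        return {peer: "ACCEPT" for peer in self.credits}

    def accept(self, peer: Peer) -> bool:
        """Apply the rules to an incoming frame's (IP, PORT, MAC)."""
        return peer in self.credits


def demo() -> Dict[str, bool]:
    """Constructed scenario (not from the patent): a controller the node answers,
    an unsolicited host that only sends, and the controller later going quiet."""
    table = CreditTable(max_entries=4)
    controller = ("192.0.2.10", 502, "02:00:00:00:00:0a")   # constructed address
    stranger = ("192.0.2.99", 502, "02:00:00:00:00:63")     # constructed address
    for _ in range(3):
        table.on_transmit(controller)   # node answers the controller three times
    out = {
        "controller_accepted": table.accept(controller),
        "stranger_rejected": not table.accept(stranger),
    }
    for _ in range(3):
        table.tick()                    # three t intervals with no frames to it
    out["controller_aged_out"] = not table.accept(controller)
    return out


if __name__ == "__main__":
    print(demo())
```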
The present invention may be combined with Simple Network Management Protocol (SNMP) or other network management software, whereby the embedded node may be allowed to remotely update e.g. a managed switch with a current set of rules for the node, allowing the network switch to perform the throttling of the traffic to the node. In such a case, the set of rules is still generated by the node, but the node instructs the switch how to throttle the traffic.
Referring now to figure 1, an embodiment of a network node 1 according to the present invention is schematically illustrated. The node 1 comprises a receiver 2 and a transmitter 3 for communication via the communication network of which the communication node 1 is a node. The node 1 may be adapted for wireless communication, in which case the node 1 may additionally comprise an antenna (not shown) either as a separate unit or included in the receiver 2 and/or the transmitter 3. The node further comprises the rule generating module 4 adapted to generate and maintain the set of rules for limiting the network traffic to the node 1. Also, the node 1 comprises the analysis module 5 adapted to analyse the network traffic to the node 1. The devices 4 and 5 may be configured to cooperate to, while the node is on-line, continuously analyse and update the set of rules. Thus, the analysis module 5 may continuously or regularly analyse the network traffic to the node 1 to obtain traffic information. The traffic information may then be transferred to the rule generating module 4 which may use the information as basis for generating the set of rules and continuously or regularly updating the set of rules. The node 1 may also comprise a processing unit 14 which may e.g. process the traffic information from the analysis module 5 in cooperation with the rule generating module 4 or before the information is transferred to the rule generating module 4. The node 1 may also comprise e.g. a memory (not shown) and possibly a sensor circuit (not shown) if the node is a sensor node.
Figure 2 is a schematic illustration of an embodiment of an industrial machine 6 according to the present invention. The machine 6 comprises a network node 1 as discussed in respect of figure 1 as an embedded system in the machine 6. The node 1 may e.g. be used for remote control of the machine via the communication network comprising the node 1, and/or for transmitting readings and measurements of properties of the machine or the industrial process which the machine is involved with.
Figure 3 is a schematic illustration of an embodiment of a communication network 7, such as an industrial control network. The network 7 comprises a central control unit 8 and two embedded network nodes 1a and 1b. The central control unit 8 may be arranged to issue instructions to the plurality of embedded nodes 1 as well as receive acknowledgements, measurements etc. from the nodes 1. The central control unit 8 may communicate with any number of embedded nodes 1, as well as any other nodes of the network 7. The central control unit 8 may also be adapted for interaction with an operator, such as a human operator, which may control the industrial machines 6a and 6b in which the nodes 1a and 1b, respectively, are embedded and the industrial process which the machines 6 are involved with, via the control unit 8. The control unit 8 may also be arranged to present readings and measurements transmitted by the nodes 1, as well as any other nodes of the network 7, to the operator. According to the embodiment shown in figure 3, the communication between the central control unit 8 and the nodes 1 is wireless, as indicated by the double-headed dashed arrows in the figure. The machines 6 may not be part of the network 7, except for the nodes 1. The network 7 as well as the machines 6 are part of an industrial plant or factory 9.
Figure 4 is a schematic illustration of an embodiment of a method 10 of the present invention. The method 10 is for protecting an embedded network node 1 from being overwhelmed by more network traffic than the network node 1 is configured to be able to receive and process at any time. The network traffic to the node 1 is analysed (step 11), e.g. by means of an analysing device 5. The node 1 generates (step 12) the set of rules for limiting traffic to the node 1 based on the analysis made in step 11. It is also conceivable to first generate (step 12) the set of rules before analysing (step 11) the network traffic. The set of rules may then be some sort of standard rules, possibly preprogrammed into the node 1. The analysing 11 may then continue at regular intervals, according to a pre-determined schedule, as needed and/or continuously during the period the node 1 is on-line. This analysing 11 may then form at least part of the basis for updating (step 13) the set of rules. The updating 13 is an optional alternative of the method of the present invention and may also be performed at regular intervals, according to a pre-determined schedule, as needed and/or continuously during the period the node 1 is on-line. If for a period of time there is no need to filter the traffic to the node 1, the set of rules may not be used and the updating 13 may be suspended during that time. This updating 13 may be one way of maintaining the set of rules of the node 1. However, the maintaining of the set of rules may additionally or alternatively comprise keeping (conserving) and/or enforcing the set of rules, possibly indefinitely (e.g. according to an embodiment of the method where the set of rules is not updated 13) or until the set of rules is updated, suspended and/or the node is no longer on-line.
The invention has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims.

Claims

1. A network node (1) for a communication network (7), the node (1) comprising a rule generating module (4) adapted to, independently of other nodes of the network (7), generate (12) and maintain (13) a set of rules specifying messages sent within the network (7) to be processed by the node (1) and messages sent within the network (7) to be rejected by the node (1), wherein the node (1) is adapted to be an embedded system.
2. The node (1) of claim 1, wherein the node (1) is adapted to be embedded in an industrial machine (6).
3. The node (1) of any preceding claim, wherein the network (7) is a local network of an industrial plant (9).
4. The node (1) of any preceding claim, wherein the network (7) is a wireless communication network.
5. The node (1) of any preceding claim, wherein the set of rules specifies which messages, said messages being specifically or generally addressed to the node (1), should be received or rejected by the node (1).
6. The node (1) of any preceding claim, further comprising an analysis module (5) adapted to analyse the messages sent within the network (7).
7. An industrial machine (6) with a network node (1) according to any preceding claim, wherein the network node (1) is an embedded system in the industrial machine (6).
8. An industrial control network (7) comprising: a network node (1) according to any one of the preceding claims 1-6, wherein the network node (1) is an embedded system in an industrial machine (6); and a central control unit (8) adapted for communication with the network node (1).
9. Use of a network node (1) according to any one of the claims 1-6 as an embedded system in an industrial machine (6).
10. A method (10) of protecting an embedded network node (1) from being overwhelmed by more network traffic than it is configured to handle, the method comprising the node (1), independently of other nodes of the network (7): generating (12) a set of rules specifying messages sent within the network (7) to be processed by the node (1) and messages sent within the network (7) to be rejected by the node (1).
11. The method (10) of claim 10, further comprising: analysing (11) network traffic to a processing unit (14) of the node (1); and basing the generating (12) on said analysing (11).
12. The method (10) of claim 11, further comprising: updating (13) the set of rules, based on the analysing (11).
13. The method (10) of claim 12, wherein the analysing (11) and updating (13) are performed continuously and/or regularly.
PCT/EP2011/064612 2011-08-25 2011-08-25 Embedded network node WO2013026486A1 (en)
Publications (1)

Publication Number Publication Date
WO2013026486A1 true WO2013026486A1 (en) 2013-02-28