HK1241590B - Methods, apparatuses, and systems for network analysis - Google Patents

Description

Method, device and system for network analysis

Technical Field

Example embodiments of the present invention generally relate to detection and management of network devices, and more particularly to a network analysis device for detection, management, troubleshooting, and optimization of a network.

Background Art

The applicant has discovered that there are several problems with current methods, systems, and apparatus for managing network devices. Through effort, creativity, and innovation, the applicant has solved many of these recognized problems by developing the solution embodied in the present invention, which is described in detail below.

Summary of the Invention

Methods, apparatus, and computer program products provide a network analysis device for monitoring, managing, and troubleshooting a network. The network analysis device is capable of detecting the presence of devices on a wireless network by monitoring wireless network traffic. Detected devices can be presented via a graphical user interface to provide an interface for displaying the presence of detected devices, optimizing the performance of detected devices, troubleshooting errors associated with detected devices, and the like. Embodiments can also assist in managing device warranties and insurance plans and registering devices for such warranties and insurance plans. Still other embodiments can take certain actions when a specific device is detected, such as generating a notification when an unauthorized device is detected. In some embodiments, a rules engine can take specific actions when a device is detected. For example, a user can utilize a device detection feature of a digital concierge to detect the entry and exit of specific users and record the times of these entries and exits. Some example embodiments can utilize additional or alternative device detection features, such as a barcode scanner, a receipt reader, a stock keeping unit (SKU) reader, and the like.

An embodiment includes a system for providing computer network analysis. The system includes at least one satellite device configured to monitor wireless network traffic to determine at least one network communication event between a first network device and a second network device external to the satellite device, generate an event message based on the at least one network communication event, and transmit the event message. The system also includes a controller device configured to receive the event message, determine the identity of at least one device that communicated during the network communication event, determine a network status based at least in part on the identity of the at least one device, and provide the network status via a management interface.

The event message may include a signal strength for the network communication event, and the controller device may be further configured to determine the location of the at least one device based, at least in part, on the signal strength. The event message may include a protocol identifier. The controller device may be further configured to identify the device type of the at least one device based, at least in part, on the event message. The at least one satellite device may be further configured to monitor wireless network traffic by detecting network transmissions between a first network device and a second network device, where the first network device and the second network device may be devices different from the at least one satellite device and the controller device. The event message may include a packet header for the network communication event. The clocks of the at least one satellite device and the controller device may be synchronized with each other. The event message may include a timestamp derived from a reading of the clock of the at least one satellite device. The network communication event may be a network message transmitted according to the 802.11 protocol, the ZigBee protocol, or the Bluetooth protocol.

Embodiments also include a method for providing a network analysis system. The method includes: receiving, at a controller device, a first event message from a first satellite device, the first event message including content based on a first network communication event between the first network device and a second network device; receiving, at the controller device, a second event message from a second satellite device, the second event message including content based on a second network communication event between a third network device and a fourth network device; and processing, by the controller device, the first and second event messages to determine a network status, wherein the network status includes an indicator of the presence of each of the first, second, third, and fourth network devices. The first event message may include a signal strength of the first network communication event, and the controller device may be further configured to determine a location of the first network device based, at least in part, on the signal strength. The first event message may include a protocol identifier. The controller device may be further configured to identify a device type of each of the first and second network devices based, at least in part, on the first event message. The at least one satellite device may be further configured to monitor wireless network traffic by detecting network transmissions between the first and second network devices, the first and second network devices being devices different from the at least one satellite device and the controller device. The event message may include a packet header of the network communication event. The method may include synchronizing a clock of at least the first satellite device and a clock of the controller device.The event message may include a timestamp derived based on a reading from the clock of the at least one satellite device.

Embodiments also include an apparatus for providing computer network analysis, comprising a processor coupled to a memory. The apparatus is configured to: receive an event message based on at least one network communication event monitored by a satellite device; determine an identity of at least one device that communicated during the network communication event; determine a network status based at least in part on the identity of the at least one device; and provide the network status via a management interface.

The event message may include a signal strength of the network communication event, and the apparatus may be further configured to determine a location of the at least one device based at least in part on the signal strength. The event message may include a protocol identifier. The apparatus may be further configured to identify a device type of the at least one device based at least in part on the event message.

Embodiments also include a method for deduplicating event messages during a network analysis operation. The method includes: in response to receiving a first event message, receiving a first event message including a sequence identifier from a first satellite device; opening an event window having a predefined duration; before closing the event window, receiving at least one second event message including the sequence identifier from a second satellite device; determining that a time period corresponding to the event window has elapsed; closing the event window; combining the first event message and the at least one second event message to generate an aggregate message; and processing the aggregate message to determine a network status.

The method may also include: receiving a third event message including a sequence identifier, the third event message received after closing the event window; processing the aggregate message to determine a network status; and discarding the third event message. The method may include: determining a predefined duration by generating a calibration message; transmitting the calibration message to a first satellite device and a second satellite device; receiving calibration responses from two or more satellite devices, the calibration responses including a transmission timestamp; determining a latency for each of the first and second satellite devices based at least in part on the transmission timestamp; and selecting the predefined duration based at least in part on a longest latency between the latency of the first and second satellite devices. The method may include: generating, by a controller device, at least one time synchronization message, and transmitting the at least one time synchronization message to the first and second satellite devices. The method may include: receiving an additional event message during a time when the event window is open; determining that the additional event message is associated with a sequence identifier other than the sequence identifier of the first event message; and opening an additional event window for the additional event message, the additional event window being associated with a sequence identifier other than the sequence identifier of the first event message. Each of the first event message and the second event message may be generated based on the same network communication event between at least two network devices other than the first satellite device and the second satellite device. The aggregate message may include a first signal strength from the first event message and a second signal strength from the second event message. The method may also include determining a location of a transmitter of the network communication event based at least in part on the first signal strength and the second signal strength included in the aggregate message.

An embodiment further includes an apparatus for providing network analysis, comprising a processor coupled to a memory. The apparatus is configured to: in response to receiving a first event message, receive, via a controller, a first event message including a sequence identifier from a first satellite device; open an event window having a predefined duration; before closing the event window, receive at least one second event message including the sequence identifier from a second satellite device; determine that a time period corresponding to the event window has elapsed; close the event window; combine the first event message and the at least one second event message to generate an aggregate message; and process the aggregate message to determine a network status.

The apparatus may be further configured to: receive a third event message including a sequence identifier, the third event message being received after closing the event window; process the aggregated message to determine a network status; and discard the third event message. The apparatus may be further configured to: generate a calibration message; transmit the calibration message to the first and second satellite devices; receive calibration responses from two or more satellite devices, the calibration responses including a transmission timestamp; determine a latency for each of the first and second satellite devices based at least in part on the transmission timestamp; and select a predefined duration based at least in part on a longest latency between the latency of the first and second satellite devices. The apparatus may be further configured to: generate, via a controller device, at least one time synchronization message; and transmit the at least one time synchronization message to the first and second satellite devices. The apparatus may be further configured to: receive an additional event message during the time when the event window is open; determine that the additional event message is associated with a sequence identifier other than the sequence identifier of the first event message; and open an additional event window for the additional event message, the additional event window being associated with a sequence identifier other than the sequence identifier of the first event message. Each of the first event message and the second event message may be generated based on the same network communication event between at least two network devices other than the first satellite device and the second satellite device. The aggregate message may include a first signal strength from the first event message and a second signal strength from the second event message.

The device may be further configured to determine a location of a transmitting party of the network communication event based on the first signal strength and the second signal strength included in the aggregate message.

An embodiment also includes a non-transitory computer-readable storage medium including program instructions that, when executed by a processor, cause the processor to de-duplicate event messages during a network analysis operation by at least: receiving, in response to receiving a first event message, a first event message including a sequence identifier from a first satellite device; opening an event window having a predefined duration; before closing the event window, receiving at least one second event message including the sequence identifier from a second satellite device; determining that a time period corresponding to the event window has elapsed; closing the event window; combining the first event message and the at least one second event message to generate an aggregate message; and processing the aggregate message to determine a network status.

The instructions may further cause the processor to: receive a third event message including a sequence identifier, the third event message being received after the closing event window; process the aggregated message to determine a network status; and discard the third event message. In some embodiments, the instructions may further cause the processor to: generate a calibration message; transmit the calibration message to the first satellite device and the second satellite device; receive calibration responses from two or more satellite devices, the calibration responses including a transmission timestamp; determine a latency for each of the first satellite device and the second satellite device based at least in part on the transmission timestamp; and select a predefined duration based at least in part on a longest latency between the latency of the first satellite device and the second satellite device. In some embodiments, the instructions may further cause the processor, via the controller device, to generate at least one time synchronization message; and transmit the at least one time synchronization message to the first satellite device and the second satellite device.

Another embodiment includes a method for providing network security in a network analysis system. The method includes detecting a loss of primary power in a satellite device of the network analysis system; activating a backup power supply for the satellite device in response to the loss of primary power; and deactivating a visual indicator of a power status coupled to the satellite device in response to activating the backup power supply.

Another embodiment includes a method for providing a network analysis system. The method includes: receiving, at a controller, an event message from a satellite device, the event message including content based on a first network communication event between a first network device and a second network device; processing, by a network analysis component of the controller, the event message to determine a network status, wherein the network status includes an indicator of the presence of each of the first network device and the second network device; determining, by a rules engine component of the controller, that the second network device is unauthorized; generating, by the rules engine component, a notification in response to determining that the second network device is unauthorized; and causing the notification to be displayed via a management interface.

Yet another embodiment includes an apparatus for providing a network analysis system. The apparatus includes a network analysis circuit component configured to receive an event message from a satellite device, the event message including content based on a first network communication event between a first network device and a second network device; and process the event message to determine a network status, wherein the network status includes an indicator of the presence of each of the first network device and the second network device. The apparatus also includes a device management circuit component configured to determine that the second network device is unauthorized and, in response to determining that the second network device is unauthorized, generate a notification; and a remote management circuit component configured to cause the notification to be displayed via a management interface.

Yet another embodiment includes an apparatus for providing a network analysis system. The apparatus includes a network analysis circuit component configured to receive an event message from a satellite device, the event message including content based on a first network communication event between a first network device and a second network device; process the event message to determine a network status, wherein the network status includes an indicator of the presence of each of the first network device and the second network device; and determine a location of a transmitter of the first network communication event based at least in part on the event message. The apparatus also includes a device management circuit component configured to: determine that the second network device is unauthorized; and in response to determining that the second network device is unauthorized, generate a notification to a camera device, wherein the notification includes instructions to direct the camera device to the location of the transmitter of the first network communication event and transmit the notification to the camera device.

The above summary of the invention is provided only to summarize some example embodiments to provide a basic understanding of some aspects of the present invention. Therefore, it should be understood that the above embodiments are merely examples and should not be construed as limiting the scope or spirit of the present invention in any way. It should be understood that the scope of the present invention encompasses many possible embodiments in addition to the embodiments summarized here, some of which will be further described below.

BRIEF DESCRIPTION OF THE DRAWINGS

Having thus generally described certain example embodiments of the present disclosure, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and in which:

FIG1 illustrates an example network in which embodiments of the present invention may operate;

FIG2 shows a block diagram depicting an example of a controller device for implementing a network analysis system using dedicated circuitry according to some example embodiments of the present invention;

FIG3 shows a block diagram depicting an example of a satellite device for implementing a network analysis system using dedicated circuitry according to some example embodiments of the present invention;

FIG4 illustrates an example of interconnectivity between components of a network analysis system and a home network according to some embodiments of the present invention;

FIG5 illustrates an example of a network architecture using a network analysis system according to some embodiments of the present invention;

FIG6 illustrates an example of a premises map according to some embodiments of the present invention;

FIG7 illustrates an example of data flow interactions between components of a network analysis system according to some embodiments of the present invention;

FIG8 illustrates an example of interaction between logical components of a controller device according to some embodiments of the present invention;

FIG9 illustrates an example of an interface for interacting with a network analysis system according to some embodiments of the present invention;

FIG10 shows a flow chart depicting an example of a method for monitoring network communications using a satellite device according to some embodiments of the present invention;

FIG11 shows a flow chart depicting an example of a method for initializing a satellite device using a network analysis system according to some embodiments of the present invention;

FIG12 shows a flow chart depicting an example of a method for receiving network communication events from a satellite device according to some embodiments of the present invention;

FIG13 shows a flow chart depicting an example of a method for generating a premises map using a network analysis system according to some embodiments of the present invention;

FIG14 shows a flow chart depicting an example of a method for generating network metadata using a network analysis system according to some embodiments of the present invention;

15 shows a flow chart depicting an example of a method for generating notifications using a rules engine using a network analysis system according to an embodiment of the present invention;

FIG16 shows a flow chart depicting an example of a method for using tamper-resistant security for a satellite device according to some embodiments of the present invention; and

17 shows a flow chart depicting an example of a method for using a network analysis system with a camera device according to an embodiment of the present invention.

DETAILED DESCRIPTION

Overview

Various embodiments of the present invention relate to improved apparatus, methods, and computer-readable media for providing a network analysis system. In this regard, embodiments can electronically detect the presence of devices on a home network and perform monitoring and management functions associated with the detected devices. The monitoring functions can include monitoring the type and amount of network traffic to each device, monitoring the manner in which each device is connected to the network, monitoring when a particular device is connected to or disconnected from the network, and the like. The management functions can include enabling or disabling a device's connection to the network, providing a user with recommendations regarding device configuration changes, alerting a user that a new device has been connected, detecting and evaluating the network topology to recommend configuration changes, evaluating router security settings, and the like.

It should be readily understood that embodiments of the methods, systems, apparatus, and devices for providing a network analysis system may be configured in a variety of additional alternative ways to provide monitoring and management of a home network as described herein.

Technical basis and implementation of exemplary embodiments

As home networks become more common, more and more devices are able to communicate on these networks. It is increasingly common for a given home network to contain multiple devices that communicate with each other via wired and wireless communication mechanisms. Such devices may include not only common network connectivity components such as routers and switches, but also "smart" TVs, home theater systems, printers, laptops, wearable devices, desktops, tablets, smartphones, and more. However, as more and more devices are connected to a given network, the detection and management of such devices can become increasingly complex. A user may not always be able to easily determine whether a given connected device is authorized, or whether the device is a malicious device that has evaded network security features. To address these issues, the inventors have developed techniques, systems, and devices for detecting, monitoring, and managing devices connected to a home network via a digital concierge device.

Furthermore, the inventors have recognized that even devices that are not fully "connected" (e.g., receive an assigned Internet Protocol address) to a network can still be detected by identifying connection requests and resource requests performed by such devices. The inventors have determined that it is possible to use this data and other network data to perform management and logging functions to notify users of various events. For example, embodiments of the present invention can detect the presence of unauthorized devices near a network and alert the user to the presence of the devices. Other embodiments can record when authorized devices connect to and disconnect from the network to provide information about when children come home after curfew. Still other embodiments can identify when an authorized device connects at or approximately the same time as an unauthorized device, indicating that someone other than the user of the authorized device is present.

To this end, embodiments of the present invention can continuously monitor network activity to detect new devices entering communication with the home network. This monitoring can be performed through various wired and wireless interfaces. For example, embodiments of the present invention can include a wireless antenna for monitoring wireless communications and a wired network connection for monitoring data transmitted via the wired network. In some embodiments, a digital concierge can be located in the network topology, between the router and the rest of the network, or between the router and the Internet, to monitor traffic flowing into or out of the router.

Embodiments may monitor the connectivity of devices on a network and the performance of the devices to determine whether each device is communicating optimally with the other devices and with the Internet.

Some embodiments may triangulate the performance from multiple devices to determine the optimal network speed to support each device, such as by automatically implementing network quality of service (QoS) settings or by suggesting changes to the network topology to the user. Embodiments may further detect wired and wireless topologies (e.g., the connection infrastructure that devices use to communicate with each other), evaluate the topologies to determine possible performance optimizations, and suggest possible performance optimizations to the user. In some embodiments, the digital concierge may automatically perform these optimizations by changing configuration settings on the various devices coupled to the network. Embodiments may also interrogate the home router to determine whether the home router is configured with the correct security state and whether the router is properly updated with the latest software and firmware.

Some embodiments can implement device detection perimeters (e.g., "geofencing") by detecting the presence of any device attempting to communicate with the home network. These detections can be performed at a low network layer (such as the Open Systems Interconnection model Layer 2 "Data Link" layer) by listening devices that come within range of a wireless router and generate network requests, such as Dynamic Host Configuration Protocol (DHCP) requests or Internet Protocol Version 6 (IPv6) router discovery packets. Embodiments can detect devices and change the administrators of these detected devices, and monitor the activities of such devices, as long as such devices are detectable on the home network. It should be understood that embodiments may not require such devices to collect routable (e.g., IP) addresses on the network and can monitor such activities based solely on lower-level communications, such as the OSI Layer 2 communications described above. Device detection in this manner can be used to support a variety of use cases, including, but not limited to, detecting when a user enters or leaves a room in the home, detecting when a user returns home from work, school, or a night out, detecting unauthorized devices at unusual times (e.g., after 2 a.m.), and the like. These use cases can be used, for example, to track when children come home after curfew, determine when visitors to a child's room remain for more than a threshold amount of time, detect intruders after dark, etc. Various actions can be taken in response to detecting these scenarios, including notifying specific users or administrators, activating a home security system, and the like.

Some embodiments may provide a small, low-cost device that acquires network traffic and relays it to a central location for processing and analysis. For example, some embodiments may include a "Raspberry Pi" (mini computer) device. In some embodiments, removing power may disable the device's onboard light-emitting diodes (LEDs) but allow the device to continue operating on battery power. In some embodiments, multiple such devices may be used to triangulate the location of a particular network device, or such devices may be deployed in parallel to provide redundancy in the event of a system failure or intentional disconnection while attempting to defend against the system.

Embodiments may also identify when a known device (e.g., a previously detected device) has been off the network for a period of time. In these cases, embodiments may generate a notification, allowing the user to indicate that the device has been sold, taken out of service, damaged, etc. In some cases, embodiments may identify the resale value of a device that has not been connected for a period of time and assist the user in reselling the unused device, such as by providing an interface to facilitate shipping the device to storage and paying the user the price of the device.

Embodiments may also provide systems and techniques for managing device warranty information. For example, embodiments may provide an interface for a user to indicate which detected devices the user owns, when such devices were purchased, and when the device warranty expires. Embodiments may also allow the user to specify the circumstances surrounding the purchase of the device (e.g., whether a specific credit card was used, or whether the user purchased an extended warranty plan) and automatically update warranty information. For example, embodiments may detect that a user purchased a device using a credit card that offers a double warranty (e.g., by monitoring user transaction data, such as through an online banking or financial services aggregation system, or by allowing the user to select which credit card they used) and automatically update the device's warranty information to reflect the double warranty. Embodiments may also notify the user of a mechanism for submitting a warranty claim (e.g., by providing a phone number or contact information) or provide a customer service representative interface for submitting a claim. Embodiments may also notify the user of events such as product recalls, free services, and/or other services available for devices detected on the network (e.g., a wiring protection plan that provides protection for any device connected to a covered device).

Some embodiments may allow for the transfer of information about attached devices to facilitate the provision of warranty or service plans. For example, information about devices connected to a user's home network may be collected and transferred to a warranty or insurance provider to provide the user with a warranty or insurance package covering one or more of the detected devices. In some embodiments, a discount may be offered to the user based on the number of devices or types of devices covered by the warranty or insurance provided.

To implement the improved system described herein, the inventors have identified a variety of data sources and processing techniques and algorithms that can be used to support the detection, monitoring and management of devices on a home network. To this end, the inventors have conceived a variety of communication technologies, application programming interfaces and data interfaces for obtaining this data. By using these improved technologies, the inventors have reduced the processing overhead, number of applications and man-hours required to implement these systems. Therefore, example embodiments of the present invention provide technical benefits of a flexible, simplified system for evaluating, managing and monitoring home networks and attached devices. The inventors have also developed systems, methods and devices for network traffic monitoring and generating network analysis results. These systems, methods and devices can be used to improve network performance by identifying network bottlenecks, monitoring network security violations and proposing and/or implementing connectivity changes to the network.

Furthermore, the inventors have created new interfaces, methods, and techniques for accessing home network data and managing the home network and attached devices in a simple and flexible manner. These improved interfaces can reduce the amount of user input required to view and manage the home network by organizing information in novel ways. Thus, embodiments of the present invention also provide the technical benefits of improved displays and user interfaces for detecting devices communicating with a home network and for managing and monitoring the home network and/or attached devices.

System Architecture

The methods, apparatus, and computer program products of the present invention may be implemented by any of a variety of devices. For example, the methods, apparatus, and computer program products of example embodiments may be implemented by a networked device, such as a server or other network entity, configured to communicate with one or more devices, such as one or more client devices. Additionally or alternatively, the computing device may comprise a stationary computing device, such as a personal computer or a computer workstation. Furthermore, example embodiments may be implemented by any of a variety of mobile terminals, such as a portable digital assistant (PDA), a mobile phone, a smartphone, a laptop, a tablet computer, or any combination thereof.

In this regard, FIG1 discloses an example computing system in which embodiments of the present invention may operate. A home network 104 may include multiple satellite devices 108 and multiple network devices 110, which communicate via the network 104 (e.g., a home network with one or more routers). A controller device 102 may also communicate with the network 104 to detect, monitor, and manage the network devices. Satellite devices 108 may notify the controller 102 of network events, such as a new network device 110 joining the network, communicating on the network, leaving the network, and so on. While the present example embodiment is described with respect to a system incorporating both satellite devices and a controller device, it should be understood that in some embodiments, some or all of the functionality of the satellite devices may be integrated within the controller device. For example, the controller device 102 may monitor network communication events in the same manner as described herein with respect to the satellite devices 108. In embodiments where monitoring is limited to a physical area (e.g., an apartment), full coverage of monitoring network communications may be achieved without the use of satellite devices. Router 106 may facilitate connection of the controller 102 and network devices 110 to the Internet. Although FIG. 1 depicts controller 102 and router 106 as communicating with the network separately, it should be appreciated that some embodiments may feature router 106 connected through controller 102 to facilitate monitoring of traffic on the network through controller 102 .

In some embodiments, one or more of the network devices 110 can communicate with the controller 102 to receive data about the network 104 and the connected devices 102, 106, 108. For example, an "app" executing on a user's smartphone can interface with the controller 102 to provide the user with information about connected devices, network topology, proposed optimizations, etc. The app can also provide the user with an interface to control the operation of the controller 102 (e.g., configuration settings for managing device detection, monitoring, and management), characteristics of the network (e.g., QoS settings, subnet configuration, address allocation settings), or other network devices 110.

Examples of controller devices for implementing embodiments of the present invention

The controller device 102 can be implemented by one or more computing systems (such as the device 200 depicted in Figure 2). As shown in Figure 2, the device 200 can include a processor 202, a memory 204, an input/output circuit 206, a communication circuit 208, a network analysis circuit 210, a device management circuit 212, and a remote management circuit 214. The device 200 can be configured to perform the operations described above with respect to Figure 1. Although these components 202-214 are described with respect to functional limitations, it should be understood that a particular embodiment necessarily includes the use of specific hardware. It should also be understood that some of these components 202-214 can include similar or common hardware. For example, two groups of circuits can utilize the same processor, network interface, storage media, etc. to perform their related functions, so that each group of circuits does not require duplicate hardware. The use of the term "circuit" used herein with respect to device components should therefore be understood to include specific hardware configured to perform the functions associated with the specific circuits described herein.

The term "circuitry" should be broadly interpreted to include hardware and, in some embodiments, software used to configure the hardware. For example, in some embodiments, "circuitry" may include processing circuitry, storage media, network interfaces, input/output devices, and the like. In some embodiments, other components of device 200 may provide or supplement the functionality of a particular circuit. For example, processor 202 may provide processing functionality, memory 204 may provide storage functionality, communication circuitry 208 may provide network interface functionality, and so on.

In some embodiments, the processor 202 (and/or a coprocessor or any other processing circuitry assisting the processor or otherwise associated with the processor) can communicate with the memory 204 via a bus that is used to transfer information between components of the device. The memory 204 can be a non-transitory memory and can include (for example) one or more volatile and/or non-volatile memories. In other words, for example, the memory can be an electronic storage device (e.g., a computer-readable storage medium). The memory 204 can be configured to store information, data, content, applications, instructions, etc. for enabling the device to perform various functions according to example embodiments of the present invention.

The processor 202 can be implemented in a variety of different ways and may, for example, include one or more processing devices configured to operate independently. Additionally or alternatively, the processor may include one or more processors configured in series via a bus to enable independent instruction execution, pipeline processing, and/or multi-threaded processing. The use of the term "processing circuitry" may be understood to include a single-core processor, a multi-core processor, multiple processors within a device, and/or a remote or "cloud" processor.

In an example embodiment, the processor 202 may be configured to execute instructions stored in the memory 204 or otherwise accessible to the processor. Alternatively or additionally, the processor may be configured to perform hard-coded functionality. Thus, whether configured by hardware or software methods, or by a combination thereof, a processor can represent an entity (e.g., physically embodied in circuitry) capable of performing operations according to an embodiment of the present invention while being configured accordingly. Alternatively, as another example, when the processor is embodied as an executor of software instructions, the instructions may specifically configure the processor to perform the algorithms and/or operations described herein when executing the instructions.

In some embodiments, the device 200 may include input/output circuitry 206, which may in turn communicate with the processor 202 to provide output to a user and, in some embodiments, receive user input indications. The input/output circuitry 206 may include a user interface and may include a display and may include a web user interface, a mobile application, a client device, a kiosk, and the like. In some embodiments, the input/output circuitry 206 may also include a keyboard, a mouse, a joystick, a touch screen, a touch area, soft keys, a microphone, a speaker, or other input/output mechanisms. The processor and/or user interface circuitry including the processor may be configured to control one or more functions of one or more user interface elements via computer program instructions (e.g., software and/or firmware) stored in a memory accessible to the processor (e.g., memory 204, etc.).

The communication circuitry 208 can be any device, such as a device or circuit embodied in hardware or a combination of hardware and software, that is configured to receive data from a network and/or any other device, circuit, or module in communication with the device 200 and/or transmit data to a network and/or any other device, circuit, or module in communication with the device 200. In this regard, the communication circuitry 208 can include, for example, a network interface for enabling communication with a wired or wireless communication network. For example, the communication circuitry 208 can include one or more network interface cards, antennas, buses, switches, routers, modems, and supporting hardware and/or software, or any other device suitable for enabling communication via a network. Additionally or alternatively, the communication interface can include circuitry for interacting with an antenna to enable transmission of signals via the antenna and processing reception of signals received via the antenna.

Network analysis circuitry 210 comprises hardware configured to detect devices on a network and monitor network conditions. For example, network analysis circuitry 210 can interface with communication circuitry 208 to detect specific network packets received on a home network. For example, devices can be detected by analyzing network data to detect DHCP requests, IPv6 router discovery packets, Address Resolution Protocol (ARP) data, and the like. Network analysis circuitry 210 can also detect and monitor network bandwidth, network connection and disconnection events, IP conflicts, and the presence of certain types and quantities of data packets. In some embodiments, network analysis circuitry 210 can detect network data in a "promiscuous" manner, receiving and analyzing all packets even if the concierge device is not necessarily the intended recipient. These network packets can be obtained directly from communication circuitry 208 or stored on device 200 (such as via memory 204) prior to analysis. The operations of identifying devices from network packet data and analyzing the network can be performed by processing circuitry such as processor 202, and the detected devices can be stored in electronic format in memory 204. In some embodiments, the network analysis circuitry 210 may generate electronic messages that notify the device management circuitry 212 of newly detected devices, devices that have disconnected, connection durations, current network status, and the like.

It should also be understood that in some embodiments, in addition to the processor 202, the network analysis circuit 210 may also include a separate processor, a specially configured field programmable gate array (FPGA), or an application specific interface circuit (ASIC) to detect devices on the network. The network analysis circuit 210 is thus implemented using hardware components of the device that are configured through hardware or software to implement these planned functions.

Device management circuitry 212 comprises hardware configured to manage devices detected on the network and take appropriate actions in response to certain criteria. To this end, device management circuitry 212 may include a processor or processing circuitry, such as processor 202, to implement a rules engine or other application to take certain actions in response to the detection of certain criteria. For example, device management circuitry 212 may be responsible for taking certain actions in response to network conditions detected by network analysis circuitry 210. For example, device management circuitry 212 may provide notifications to a user via a user interface provided by device 200 (e.g., via communication circuitry 208 or input/output circuitry 206). Device management circuitry 212 may also determine network characteristics based on data received from network analysis circuitry 210 and provide the user with recommended optimization or troubleshooting measures to address any detected issues, improve performance, and so on. In this regard, device management circuitry 212 may implement a rules engine or other decision-making component to take appropriate actions in response to specific network conditions. An example of such a rules engine component is further described below with respect to FIG. Device management circuitry 212 may also identify device types based on observed network traffic data. For example, the device management circuitry 212 may identify protocol types, device identifiers, and other device information included within network traffic headers of data sent to or from those devices to attempt to match network traffic data with known device types. Thus, the device management circuitry 212 may, for example, determine whether a particular device is a smartphone, a tablet, a wireless speaker, a wireless mouse, a "smart" appliance (e.g., a refrigerator, washer, or dryer with network connectivity), or other device types.

The device management circuitry 212 may also maintain a data structure indicating which devices have been detected. Device information may be stored within the data structure to indicate the device type, various network metrics associated with the device (e.g., bandwidth used, security logs, etc.), and whether the device is known and/or authorized. For example, when a new device is detected, an interface may be presented to the user (e.g., provided by the remote management circuitry 214) to name the device, indicate the device type, and/or indicate that the newly detected device is authorized.

In still other embodiments, the device management circuitry 212 may be operable to detect when an unauthorized device has entered the network, detect when a device has failed to connect by a specified time (e.g., a teenager's smartphone has not connected to the home network by a specified time associated with curfew), and the like. While the processor 202 may be used to perform device management, it should also be understood that in some embodiments, the device management circuitry 212 may include a separate processor, a specially configured field programmable gate array (FPGA), or an application specific interface circuit (ASIC) to perform these tasks. The device management circuitry 212 is thus implemented using hardware components of the device that are configured through hardware or software to perform these intended functions.

Remote management circuitry 214 includes hardware configured to provide a remote "dashboard" type interface for visually displaying data generated by device management circuitry 212 and network analysis circuitry 210. In this manner, remote management circuitry 214 can provide data via a local server application executing on device 200, or can provide data to a remote computer (e.g., a local router or cloud-based implementation) to allow viewing of data generated by device 200. This information can include, for example, data related to devices connected to the network, including device identification, network configuration settings, troubleshooting data, warranty data (e.g., where device serial numbers are accessible via the network), and the like. Remote management circuitry 214 can also include hardware configured to receive input from the remote interface, such as configuration of one or more rules and notifications associated with the rule engine.

In some embodiments, remote management circuitry 214 may also provide an interface that allows for the entry of warranty data. For example, remote management circuitry 214 may provide an interface that allows a user to enter warranty information for one or more devices connected to the network. Example warranty information may include whether a particular device is owned by the user, where the user purchased the device, the amount paid for the device, the payment method used to purchase the device, the brand or offers associated with the credit card used to purchase the device, and so forth. In some embodiments, this warranty information may be provided by the user via a barcode scanner, by scanning a receipt, by allowing the user to enter a SKU, and so forth. Additionally or alternatively, in some embodiments, remote management circuitry 214 may determine warranty information directly from one or more devices detected by network analysis circuitry 210.

In some embodiments, remote management circuitry 214 may register the detected device with its manufacturer to obtain warranty coverage, or provide the user with an interface to do so. In some embodiments, remote management circuitry 214 may offer the user the ability to purchase new or additional warranty coverage based on which devices are detected. In some embodiments, warranty coverage may be provided in a "bundle" format, providing coverage across multiple devices connected to the network detected by network analysis circuitry 210. Some embodiments of the present invention may facilitate determining the value of one or more networked devices and display those determined values via an interface. For example, an embodiment may determine the model of a particular device, assess the condition of the particular device, and use the model and condition to determine the value of the particular device based on a database lookup. Some embodiments may allow these devices to be sold or exchanged based on the determined value. Some embodiments may allow one or more devices to be traded in for warranty coverage on other networked devices. For example, a user's smartphone may have an identified value of $80, and an embodiment may programmably facilitate device trade-in in exchange for warranty coverage on, for example, another smartphone, a television, and a tablet identified on the home network.

In some embodiments, remote management circuitry 214 may provide an interface for sending or initiating a claim for a device under warranty. For example, remote management circuitry 214 may include an interface that allows a user to provide information to a customer service representative. In some embodiments, this information is automatically collected and/or generated by device 200, eliminating the need for a user to enter this information into the interface.

Remote management circuitry 214 may utilize processing circuitry such as processor 202 to perform these functions. While processor 202 may be used to perform remote management functions, it should also be understood that in some embodiments, remote management circuitry 214 may include a separate processor, a specially configured field programmable gate array (FPGA), or an application specific interface circuit (ASIC) to perform these tasks. Remote management circuitry 214 is thus implemented using hardware components of the device that are configured through hardware or software to implement these intended functions.

As will be appreciated, any of these computer program instructions and/or other types of code may be loaded onto the circuitry of a computer, processor, or other programmable device to produce a machine, such that the computer, processor, or other programmable circuitry executing the code on the machine forms an apparatus for performing various functions, including those described herein.

It should also be noted that all or some of the information presented by the example interfaces described herein may be based on data received, generated, and/or maintained by one or more components of device 200. In some embodiments, one or more external systems (such as remote cloud computing and/or data storage systems) may also be utilized to provide at least some of the functionality discussed herein.

Examples of Satellite Equipment for Implementing Embodiments of the Invention

Satellite device 108 may be implemented by one or more computing systems, such as device 300 depicted in FIG3 . As described above, a satellite device may be one of a plurality of devices dispersed over a physical area to collect data about a network for reporting to a controller. In this manner, a satellite device may be configured to passively listen for network traffic on various frequency bands (e.g., the 802.11 protocol suite, Bluetooth, ZigBee, and other wireless protocols) and detect communication events occurring on the network. Communication events may be reported to a controller, such as the controller described above with respect to FIG1 and FIG2 . As shown in FIG3 , device 300 may include a processor 302, memory 304, input/output circuitry 306, communication circuitry 308, network monitoring circuitry 310, controller interface circuitry 312, and power management circuitry 314.

While these components 302-314 are described with respect to functional limitations, it should be understood that specific implementations necessarily include the use of specific hardware. It should also be understood that some of these components 302-314 may include similar or common hardware. For example, both sets of circuits can utilize the same processor, network interface, storage media, etc. to perform their related functions, such that each set of circuits does not require duplicate hardware. The use of the term "circuitry" as used herein with respect to device components should therefore be understood to include specific hardware configured to perform the functions associated with the specific circuits described herein.

The processor 302 , memory 304 , and input/output circuitry 306 may be configured in a manner similar to that described above with respect to FIG. 2 , and are not described again for the sake of brevity.

The implementation of the communication circuit 308 of the device 300 may also be similar to the communication circuit 208 of the device 200. However, it should be understood that in some embodiments, the communication circuit 308 may include additional or alternative hardware configured to detect radio frequency transmissions according to various wireless protocols on various frequency bands. Such hardware may be configured to detect communication events occurring in the vicinity of the device 300 and notify the network monitoring circuit 310.

The network monitoring circuit 310 includes hardware configured to identify network communication events. These network communication events can be detected using the communication circuit 308 and then forwarded to the controller interface circuit 312 to manage transmissions to the controller device. Network communication events can include any transmission detected by the device 300. For example, the device 300 can detect transmissions from a device that notifies all nearby devices of its presence, a device that joins (or attempts to join) a wireless network, a device that requests and receives an Internet Protocol address, a device that communicates with each other (e.g., transmits data packets), and the like. In some embodiments, the network monitoring circuit 310 can forward all received network communication events to the controller, while in other embodiments, the network monitoring circuit 310 can remove the message data payload to reduce the amount of bandwidth consumed when transmitting the network communication event to the controller. For example, an event message sent to the controller to notify the controller of a network communication event can contain only the header of the detected network communication event.

Controller interface circuitry 312 includes hardware configured to notify the controller of network communication events by transmitting event messages. Controller interface circuitry 312 may also perform other communications with the controller, such as initial pairing between the controller and device 300. In some embodiments, controller interface circuitry 312 may communicate with the controller via various wireless network protocols, including but not limited to the 802.11 family, Bluetooth, ZigBee, and the like. Controller interface circuitry 312 may construct event messages based on network communication events detected by network monitoring circuitry 310. An example of the generated processing is further described below with respect to FIG. 7. Controller interface circuitry 312 may utilize components of communication circuitry 308 to implement the transmission of event messages to the controller. However, it should be understood that in some embodiments, controller interface circuitry 312, network monitoring circuitry 310, and communication circuitry 308 may each include independent hardware. For example, antennas, transceivers, and the like, different from the hardware used for communication between device 300 and the controller, may be used to monitor various types of network traffic to identify network communication events occurring between various devices on the network.

Power management circuitry 314 includes hardware configured to manage the process of providing power to device 300. Specifically, power management circuitry 314 includes hardware configured to enable a primary power source (e.g., alternating current (AC) power) and a backup power source (e.g., a backup battery). Because network analysis systems such as device 300 that incorporate satellite devices may often be used for security purposes (e.g., to detect the presence of unauthorized devices and/or unauthorized network use), the satellite device may be subject to attempts to disable its functionality by removing the power source (e.g., unplugging it from a wall outlet). To ensure that the device continues to function even when unplugged, power management circuitry 314 can facilitate failover to a backup power source, such as a battery. In some embodiments, device 300 can be designed as a low-power device capable of operating on battery power for extended periods of time (e.g., 24 hours). After transferring to the backup battery, power management circuitry 314 can disable an external power indicator (e.g., a light-emitting diode (LED) or other visual power indicator) so that device 300 appears to be powered off. Disabling these external power indicators may lead a criminal to believe that the device is disabled and also provides the benefit of reducing power consumption when the device is operating on battery power.

As will be appreciated, any of these computer program instructions and/or other types of code may be loaded onto the circuitry of a computer, processor, or other programmable device to produce a machine, such that the computer, processor, or other programmable circuitry that executes the code on the machine forms an apparatus for implementing various functions, including those described herein with respect to device 200 and device 300.

As described above and as will be appreciated based on this disclosure, embodiments of the present invention can be configured as methods, mobile devices, backend network devices, and the like. Thus, embodiments can include various devices, entirely comprising hardware or comprising any combination of software and hardware. Furthermore, embodiments can take the form of a computer program product on at least one non-transitory computer-readable storage medium having computer-readable program instructions (e.g., computer software) embodied on the storage medium. Any suitable computer-readable storage medium can be utilized, including a non-transitory hard disk, CD-ROM, flash memory, optical storage device, or magnetic storage device.

Having now described devices configured to implement and/or support implementations of various example embodiments, features of several example embodiments will now be described. It should be understood that the following features are non-limiting examples of features provided by some example embodiments. Furthermore, it should be understood that embodiments implementing various subsets or combinations of the features further described herein are contemplated within the scope of the disclosure. Thus, it should be understood that some example embodiments may omit one or more of the following features and/or implement variations of one or more of the following features.

Exemplary Network Architecture

FIG4 depicts an exemplary embodiment of a network architecture 400, highlighting the communication between components of a network analysis system according to an embodiment of the present invention. Network architecture 400 includes a gateway router 410 that communicates with a controller 402, a plurality of satellite devices 404-408, and a plurality of network devices 412-420. Each of satellite devices 404-408 can be configured to detect network communication events within a specific physical area. For example, first satellite device 404 can have a first detection area 422, second satellite device 406 can have a second detection area 424, and third satellite device can have a third detection area 426. While only satellite devices 404-408 are shown as having detection areas, it should be understood that in some embodiments, controller 402 can also have detection areas for detecting network devices.

Each of the satellite devices 404-408 is operable to detect network communication events to and from network devices within its corresponding detection area by monitoring wireless communications. Upon detecting a network communication event, the satellite devices 404-408 may notify the controller 402 of the network communication event via the network. The satellite devices 404-408 may transmit the network communication event to the controller using the same network used by the network devices to communicate, which is the network provided by the gateway router 410. Alternatively, in some embodiments, the satellite devices 404-408 may transmit the network communication event to the controller 402 via an alternative network that exists separately from the network provided by the gateway router (e.g., a mesh network including the satellite devices and the controller).

As described above, each of satellite devices 404-408 can detect wireless network communication events occurring to and from network devices 412-420 located within its detection area. For example, as depicted in FIG4 , satellite device 404 for a first detection area (referred to as “Area 1”) 422 can detect network communication events associated with network devices 412, 414, and 416. Satellite device 406 for a second detection area (referred to as “Area 2”) 424 can detect network communication events associated with network devices 414, 416, and 418. Satellite device 408 for a third detection area (referred to as “Area 3”) 426 can detect network communication events associated with network device 420.

The satellite devices 404-408 can be configured to listen "promiscuously," such that they can identify local wireless traffic in their physical area even for devices not associated with the network the satellite devices 404-408 use to communicate with the controller 402 and/or the gateway router 410. For example, the satellite devices 404-408 can listen for a variety of transmissions, including communications via other networks (e.g., cellular networks, Bluetooth, other Wi-Fi networks). For example, the satellite devices 404-408 can listen for initial connection requests, device identification signals, and other transmissions other than communications occurring on the same network the satellite devices 404-408 use to communicate with the controller 402 and/or the gateway router 410.

Because network devices 414 and 416 are located within two detection zones, embodiments may attempt to triangulate the locations of those devices by providing signal strength data associated with each device to controller 402 and using a received signal strength indicator (RSSI) location detection technique. It should also be appreciated that even devices within only a single detection zone may be able to determine location based on RSSI techniques, but receiving more data points from overlapping detection zones may improve the accuracy of the location measurement.

The gateway router 410 can be any device that is configured to enable network communications between multiple network devices. Although the present example is generally described with respect to wireless devices, it should be understood that some embodiments may involve wired devices that communicate via a network, and various network analysis services may also be used for these wired devices, but it should also be understood that certain functions of the present embodiment (such as RSSI-based location tracking) are based on the use of wireless devices. The gateway router 410 thus includes hardware that may be configured to provide wired and/or wireless communications. In some embodiments, the gateway router 410 provides network communications between the satellite devices 404-408 and the controller 402, while in other embodiments, the satellite devices 404-408 can communicate directly with the controller. In some embodiments, the functionality of the controller 402 can be integrated with the functionality of the gateway router 410 so that a single physical device can both enable network communications between devices of the network and perform the network analysis functions described herein with respect to various embodiments of the present invention.

5 depicts an example of an additional embodiment of a network architecture 500 in which a controller 502 is physically disposed between a gateway router 510 and the Internet or other wide area network (WAN) 514. As described above, one or more network devices 512 can establish network communications via the gateway router 510, and a set of satellite devices 504-508 can detect network communication events and transmit those network communication events to the controller 502.

The controller 502 is positioned between the gateway router 510 and the Internet/WAN 514, such that network traffic from the gateway router 510 to the computing nodes located on the Internet/WAN 514 passes through the controller 502. Generally, this can be accomplished using a physical cable between the controller 502 and the gateway router 510 and another cable between the controller 502 and a modem, fiber optic endpoint, or other Internet/WAN access device, but in some embodiments, this pass-through can be implemented in software (e.g., by using a routing table) or wirelessly (e.g., in the form of a wireless repeater).

Positioning controller 502 in this manner advantageously ensures that network traffic from each network device 512 can be monitored and analyzed by controller 502, even if the traffic occurs via a wired connection that does not necessarily interact with a satellite device.

Alternatively, in some embodiments, a device other than controller 502 may be positioned between gateway router 510 and Internet/WAN 514. For example, a specially configured satellite device may include a port for implementing a physical cable pass-through as described above, and the specially configured satellite device may detect network communication events and report event messages to controller 502 in a manner similar to the other satellite devices described above.

Example Station Map

FIG6 illustrates an example use of a network analysis system to generate a premises map 600, according to some embodiments of the present invention. By placing a series of satellite devices 604 in a home, it is possible to generate a map of all the network devices in the premises, taking into account the corresponding detection area of each satellite device and the network devices that those satellite devices can see. Premises map 600 depicts a controller 602, a series of satellite devices 604, a gateway router 606, and a plurality of network devices 608 and 610. Premises map 600 further depicts a floor plan of a building (such as a home, office, etc.).

To generate the premises map 600, embodiments may receive location data for each satellite assembly 604 during initial setup and/or calibration of the satellite assembly. For example, a user may utilize the interface to draw a simple floor plan and indicate the location of each satellite assembly (e.g., by placing a drag-and-drop icon) at a location on the drawn floor plan that corresponds to the location of each satellite assembly in the building.

Premises map 600 may also illustrate detected relationships between network devices. For example, premises map 600 may include icons, animations, or other visual displays to indicate network connections of specific devices to specific routers or access points (e.g., in a scenario where a user has multiple wireless access points), or to display wired connections between network devices detected by satellite devices, or data provided through direct communication with network routers.

Example data flow between components of a network analysis system

FIG7 depicts an example of a data flow 700 between components of a network analysis system according to some embodiments of the present invention. Specifically, data flow 700 illustrates how one or more satellites 704 may monitor network devices 706 to identify network communication events 708 associated with network devices 706. Satellites 704 may generate one or more event messages 710 based on the network communication events and transmit the event messages to controller 702. Controller 702 may analyze received event messages 710 to determine network status information 712. Controller 702 may provide network status information 712 to a management interface 714, such as a "dashboard"-style interface displaying the status of each device connected to the network, troubleshooting information for those devices, warranty information for those devices, the location of each device, and so forth. Management interface 714 may further provide controller configuration data 716 to controller 702 to configure various functions of the controller. This functionality is further described below with respect to FIG8.

As described above, satellite 704 monitors network traffic in its vicinity. In some embodiments where satellite 704 includes both a wired interface and a wireless interface, satellite 704 may also monitor network traffic occurring on the wired interface. Network traffic detected by satellite 704 is monitored and used to generate a series of event messages describing the traffic. For example, in some embodiments, a corresponding event message is generated using each detected network packet or network request. This network traffic may include, but is not necessarily limited to, Internet Protocol (IP) messages, Bonjour messages, Server Message Block (SMB) messages, and the like. It should be understood that any type of message protocol that can be detected by the wired or wireless interface of satellite 704 may be used as the basis for generating event messages.

Event message 710 may include various individual fields. For example, event message 710 may include a signal strength field 718, a MAC address field 720, an event type field 722, a timestamp field 724, and an event payload field 726. Signal strength field 718 may include the measured signal strength of the radio frequency transmission carrying the message. By including the signal strength field in event message 710, controller 702 may be able to determine the distance between the satellite 704 reporting the event message and the network device 706 from which the message originated. In the case of wired communication, signal strength field 718 may be left blank or otherwise include a token or value (e.g., 0) to indicate that the message was not received wirelessly.

The MAC address field 720 may include the MAC address of the originating device. By including the MAC address of the originating device, the event message 710 may indicate to the controller 702 the originating network device of the network communication event.

The event type field 722 may include information describing a specific protocol or a specific protocol subset associated with the network communication event. For example, the event type field 722 may indicate that the network communication event is an IP message, or more specifically, an IP Address Resolution Protocol (ARP) message or a Dynamic Host Configuration Protocol (DHCP) message, etc.

The timestamp field 724 may contain a sequence number or other timestamp of when the message was received by the satellite 704. The timestamp applied by the satellite 704 may be synchronized with the controller and/or other satellites to ensure that the internal clocks of each component device of the network analysis system (i.e., at least the satellite and the controller) are synchronized with each other. In this way, the timestamps may be used to identify duplicate messages and determine the order of detection between multiple satellites.

The event payload field 726 may contain additional data about the event, such as a copy of the data packet associated with the network communication event. In some embodiments, the event payload field 726 may not contain the entire data packet, but rather only the packet header or another reduced subset of all data contained in the packet, in order to conserve network bandwidth.

The event message 710 is provided to the controller 702 , where the controller 702 processes the event message 710 to generate network status information 712 for output.

Example data flow for event message processing

FIG8 depicts an example of processing event messages to generate network status data using an instance of a controller 800 according to an embodiment of the present invention. Controller 800 may be the device 200 described above with respect to FIG2 , or it may be configured similarly to device 200. Controller 800 includes a message aggregator component 802, a network analyzer component 804, a message metadata storage component 805, a rules engine component 806, a resident mapper component 808, and a management interface 810.

The message aggregator component 802 includes services for receiving event messages from one or more satellite devices, as described above. The message aggregator component 802 can serve as a centralized source for asynchronously receiving event messages, deduplicating received events, summarizing received event messages, and transmitting the summarized messages to the network analyzer component 804 for processing. To support this functionality, the message aggregator component 802 includes a high-speed processing queue to support real-time message entry and transmission. The message aggregator component 802 can also implement a message receive window for received event messages to assist with message deduplication and synchronization between satellite devices. An example of a process for managing this message receive window is further described below with respect to Figures 11-12. The message aggregator component 802 can also calibrate timing mechanisms between satellite devices using the time clock maintained by the controller 800 to ensure consistent timestamp information across all components of the network analysis system.

After the message aggregator component 802 receives the event messages and removes duplicates from the event messages, it can provide these aggregated event messages to the network analyzer component 804 for processing. The network analyzer component 804 can examine the aggregated event messages to determine the protocol of the event messages and any specific message types. During processing, the aggregated event messages can be translated from the native protocol into a meta-language that generally describes the message, the purpose of the message (e.g., by mapping the message type to a known message protocol), the sending device, the signal strength of the message, the intended recipient device, any message payload, etc. The messages translated into the meta-language can be stored in a collection of message metadata 805 (e.g., a database or data table). The message metadata collection 805 can be used for various network analyses and/or metrics. For example, the message metadata 805 can be used as input to the rule engine component 806 to generate notifications or take other actions based on specific state information about the network derived from the message metadata 805.

The rules engine component 806 may comprise a series of processes, threads, applications, and the like that monitor event messages and/or message metadata collections to determine whether those event messages and/or message metadata collections meet specific rule criteria. When rule criteria are met, specific actions may be taken. For example, when a new unknown device is detected, a rule may generate a notification via email, as a mobile push notification, via an audio output device in the home, or via various other notification technologies. For example, when a previously unknown wireless device queries a network router to identify itself, a satellite device may generate an event message regarding the network interaction, notify the controller 800, and a message processing the message event may be stored in the message metadata collection 805 to indicate the query. The rules engine component 806 may maintain a list of known or previously authorized devices and initiate a rule to generate a notification when a new query occurs from a device not on the list of previously authorized devices.

A rule can be generally viewed as comprising a set of criteria and one or more actions to be taken in response to meeting the criteria. The rule engine component 806 can allow for the utilization of various criteria, both individually and in conjunction with one another. Examples of rule criteria include, but are not limited to, detecting a previously known device via satellite, detecting Internet communications via a particular device, detecting a signal bit rate exceeding or falling below a particular threshold, detecting both known and unknown devices, detecting a device in a particular location (e.g., in a particular room), detecting an outdated communication protocol or other indication that a particular device requires a software update, detecting a previously known device leaving the network for a threshold amount of time, detecting a device warranty expiration (e.g., where the device serial number is detected and compared to an external warranty management system), and the like.

Example actions that can be taken in response to compliance with rule criteria include, but are not limited to, generating notifications to various external systems and/or devices (e.g., speakers, televisions, smartphones, router management interfaces, etc.), initiating traffic monitoring operations between two or more devices, blocking a particular device (e.g., by notifying a router to block the device, such as through an application programming interface), triggering a camera to be directed to a particular location (e.g., in response to detecting an unknown device near an entrance or exit based on location data), triggering an offer for a user to purchase an obsolete or unused device (e.g., where the device was previously known but not detected for a certain period of time), triggering a notification that a certain device is incompatible or suboptimal based on the current network configuration, etc. These actions can take the form of notifications generated by the rules engine component 806, which are transmitted to the various network devices as described above.

The rule engine component 806 may also include a rule authoring component that allows for the specification of specific rule criteria and for actions to be taken in response to those rule criteria. These rules may be defined through the management interface 810.

The premises mapper component 808 is configured to generate a visual display of the local physical area monitored by the controller 800 and the attached satellite devices, and to illustrate how network devices are positioned and interacting with the local physical area. The premises mapper component 808 receives a premises data set and combines it with device location data generated by the network analyzer component 804 (e.g., by using RSSI readings) to generate the visual display.

In some embodiments, the site mapper component 808 can cooperate with one or more user devices to perform site mapping operations. For example, the site mapper can instruct a user to move around their home while executing a mapping application on a smartphone to collect signal strength data for various static devices (e.g., devices that are unlikely to move, such as routers or network-enabled lights) as the user moves around the home. In some embodiments, the user can provide a floor plan or other physical data to guide the mapping operation. In some embodiments, the site mapper component 808 can recommend specific locations for placing satellite devices based on the results of the mapping operation.

The site mapper component 808 can include an interface that allows a user to define a physical area (e.g., perimeters and interior walls). The interface can also allow a user to select a location within the physical area and perform signal strength measurements for one or more access points (e.g., routers, range extenders, etc.) or satellite devices. In some embodiments, if the signal strength received from one or more satellites fails to exceed a minimum threshold, a notification can be provided via the interface suggesting that a satellite device be placed in a location with low signal strength. In some embodiments, the interface can recommend placing satellite devices at specific intervals (e.g., every 10 feet, 25 feet, or 50 feet).

In some embodiments, a list of discovered devices derived by the network analyzer component 804 can be provided for the user to place within the interface. This placement can be designed to correspond to the physical location of each detected device, which can be used within the visual display to illustrate the known location of the device and calibrate the signal strength reading. In some embodiments, during the mapping operation, a signal can be sent to satellite devices and/or other components of the network analysis system to cause those devices to broadcast a specific signal (e.g., a "home" signal).

By detecting signal strength at various locations and providing the detected signals to the premises mapper component 808, a set of reference ranges may be detected for use in future RSSI device location operations.

After the mapping operation is complete, the visual display can also be updated to indicate the presence of "weak" signal coverage areas. This information can also be used in subsequent troubleshooting operations to troubleshoot device performance through network analysis components.

The management interface 810 can provide an interface, such as a graphical user interface (GUI), that allows a user to view the status of the network derived by the network analyzer component 804, the map of the premises derived by the premises mapper component 808, and notifications generated by the rules engine component 806. As described above, the management interface 810 can also provide configuration data for controlling the operation of the controller 800, including, but not limited to, rule definitions, network device identification, and the like. The management interface 810 can, for example, provide a "dashboard" that displays the speed at which each device of the network is communicating on the network, which devices are communicating with specific cloud services, which devices are communicating with other external computing nodes, and the like. In conjunction with the rules engine, this network analysis data can be used, for example, to identify specific devices consuming large amounts of bandwidth at night (e.g., children using streaming video services on their smartphones after bedtime), or unauthorized or undesirable usage as defined within a set of confirmed rule criteria.

Embodiments may also be used to implement a geo-fencing system to detect and record when a particular device (such as a child's smartphone) enters and leaves the satellite's detection range.

Example of the network analysis dashboard interface

FIG9 depicts an example of a dashboard interface 900 for displaying network analysis data and other output generated by a controller, according to an embodiment of the present invention. Interface 900 includes icon representations of various devices detected on a home network. Selecting a particular device (e.g., by touching or clicking an icon) displays network metrics and statistics related to the device. Interface 900 may also include a series of interface controls to facilitate device discovery, editing device data (e.g., to provide the name or type of each detected device), and accessing user accounts. In some embodiments, a user account may include local credentials for accessing the controller, while in other embodiments, the user account may provide the user with access to a remote server that receives data from the controller. This remote server may also provide an interface for accessing various other data related to the device, such as managing device warranties (e.g., by identifying warranty duration) by interfacing with manufacturer systems, providing the user with the ability to purchase accessories, products, service plans, etc. for the identified device through third-party services, providing troubleshooting services, and the like.

Interface 900 may be displayed, for example, on an "app" executing on a user device such as a smartphone or tablet, through a server application executing on the controller, or through a web interface hosted on a remote server external to the user's network. In some cases, accessing interface 900 may require direct access to the user's network (e.g., as an attached device), while in other cases, interface 900 may be provided through an Internet-routable system (e.g., through a web server executing on the controller, or through an externally hosted website provided by the controller's manufacturer).

Example of a process for implementing a network analysis system

Figures 10 to 17 illustrate exemplary processes that a controller device and/or satellite device may use to implement the functionality of a network analysis system according to embodiments of the present invention. These and other processes may be performed, for example, by the device 200 described above with respect to Figure 2 and/or the device 300 described above with respect to Figure 3, in conjunction with the data flows and device interactions illustrated in Figures 4 to 8.

10 shows a flow chart depicting an example of a process 1000 for detecting network communication events and transmitting event messages to a controller according to an embodiment of the present invention. Process 1000 serves as an example of a technique for detecting events using a satellite device and causing the events to be transmitted to a controller for network analysis operations according to an embodiment of the present invention.

At act 1002, network traffic on one or more frequency bands is monitored. While this example is provided with respect to monitoring wireless frequency bands, it should be understood that embodiments may also include monitoring wired connections. At act 1004, a network communication event is detected on the monitored frequency band. As described above, a network communication event can be any network communication that occurs in a manner detectable by a satellite device. In some embodiments, different satellite devices have different monitoring capabilities. For example, a given satellite device may be configured with a radio capable of detecting one or more of Bluetooth, ZigBee, 802.11a/b/g/n/ac, etc., while another satellite device may not have one or more of those capabilities. In this way, users can select which satellite devices are best suited for their own home network configuration, particularly in scenarios where unnecessary additional features would result in higher hardware costs.

At act 1006, an event sequence number is generated for the detected event. The event sequence number may be generated due to, or in conjunction with, the timestamp value of the event. As described above, embodiments may synchronize clocks between the controller and the satellite devices such that each device clock is expected to be within a specific threshold time (e.g., <1 ms) of each other. The sequence number may thus be the timestamp of the message, or some combination of message characteristics (e.g., message type, message payload, etc.) and the timestamp.

At action 1008, an event message is generated for the received network communication event. As described above with respect to FIG7, the event message may include various characteristics of the message along with a sequence number. At action 1010, the generated event message is transmitted to a controller device for further processing.

FIG11 shows a flow chart depicting an example of a process 1100 for initializing satellite devices using a controller device so that the satellite devices and the controller device can perform network analysis operations, according to an embodiment of the present invention. Process 1100 can be performed, for example, when the controller and satellite devices are first initialized together to establish a pairing between each satellite and the controller. Alternatively, process 1100 can be performed when a new satellite is added to a previously configured system. Initiating the process can include, for example, pressing a physical button on each device to initiate the pairing operation, thereby ensuring that only devices belonging to a specific user are paired with the controller to maintain user privacy. Thus, the controller can perform process 1100 to establish an event window to account for signal attenuation, reflections, and propagation delays between different satellite devices when performing message deduplication on messages received from multiple satellite devices, as well as to account for slight differences in each device's internal clock. In some embodiments, process 1100 can be performed at specific intervals to ensure synchronization between the controller and the satellite devices.

At act 1102, one or more local satellite devices are identified. As described above, local satellites can be identified by physically pressing a button, flipping a switch, or otherwise interacting with the satellites to place them in initialization mode for pairing. Alternatively, the satellite devices can automatically begin searching for a controller when first powered on, or the satellite devices can enter pairing mode based on programming instructions transmitted wirelessly to the device or through a direct connection.

At act 1104, the clocks between the detected satellites are synchronized with each other and/or with the controller. Synchronization can be performed according to various time synchronization protocols, including but not limited to the Network Time Protocol, the Precision Time Protocol, Clock Sample Inter-Network Synchronization, or any other protocol sufficient for synchronizing clocks between multiple devices.

At action 1106, a satellite calibration operation is initiated. The satellite calibration operation may cause the satellite devices to transmit calibration signals including event messages to the controller at known, expected intervals. For example, after synchronizing the clocks, the controller may notify the satellites to begin transmitting event messages at a specific start time and then at specific intervals.

At act 1108, the controller receives the calibration signal and stores the time at which the calibration signal was received. At act 1110, the time difference between the expected arrival time of the calibration signal and the actual arrival time of the calibration signal is used to determine the expected latency of the message transmission time from the satellite device to the controller. This latency can be used to calculate the event window time based on the satellite device with the longest latency. For example, if a latency of 5 ms is measured for three satellite devices and a latency of 10 ms is measured for the fourth device (most likely because the fourth device is farther away from the controller), the event window for a given message sequence number would be set to 10 ms to allow sufficient time for the event message measured by the fourth device to be sent back to the controller. Some embodiments may use alternative techniques or estimates to calculate the latency, such as doubling the latency to account for the fact that the calibration signal was transmitted before a response to the calibration signal was received to send an instruction to the satellite.

FIG12 shows a flow chart depicting an example of a process 1200 for processing event messages received from satellite devices using event windows according to an embodiment of the present invention. Process 1200 illustrates a technique used by a message aggregator component (such as message aggregator component 802 described above with respect to FIG8 ) to first receive and aggregate messages and then forward those messages to a network analyzer component for further processing.

At act 1202, a first event message is received. In response to receiving the first event message, a determination is made as to whether the event message is "new," such as whether the event message has a new sequence number. If the event message is new, an event window is opened at act 1204. As described above with respect to FIG. 11 , the duration of the event window can be determined based on the signal propagation delay from the longest-latency satellite device used within the network analysis system.

At action 1206, a subsequent event message with the same content (e.g., the same sequence number) is received, and at action 1208, the event window closes after the allotted time has elapsed. In the event that multiple event messages are received, it is possible to determine the signal strength associated with each satellite device that detected the message. In such cases, RSSI location identification techniques can be used to determine the approximate location of the device that originated the message.

At act 1210, event messages with identical content are summarized into a single event message with a single set of common data (e.g., message type and other data common between all instances of the message) and a unique set of content specific to each satellite device (e.g., the signal strength measured by each satellite device). At act 1212, the summarized event message is provided as a single event for processing, such as by the network analyzer component 804 described above with respect to FIG.

At act 1214, an additional event message is received with the same event content (e.g., the same sequence number). However, since the event window has already closed, the additional event message is discarded at act 1216 because the event message with that sequence number has already been forwarded for processing. In this way, embodiments can avoid repeated processing of the same event message while still allowing multiple satellite devices to report the same event message. In some embodiments, repeated receipt of event messages after the event window has closed may trigger a recalculation of the event window to reduce the likelihood of event messages arriving after the window has closed, while in other cases, if messages are received only very infrequently near the end of the event window, the event window may be shortened to increase the speed with which messages are summarized and provided for further processing.

FIG13 shows a flow chart depicting a process 1300 for generating a visual display of a group of network devices according to some embodiments. Process 1300 is used to generate a visual display of multiple devices on an interface that corresponds to the physical layout of a home or other building. The location of the devices within the building can be determined based on signal strength measured relative to satellite devices, based on network topology determined through communication with one or more networked devices, or through various other network analysis techniques according to embodiments described herein.

At act 1302, location data is received. As described above with respect to FIG. 6 , the location data may include a floor plan of a building, a drawing drawn on an interface provided for that purpose, or any other data that lays out the physical area corresponding to one or more network devices and/or satellite devices and a controller. At act 1304, the location of one or more devices is determined based, at least in part, on event messages received by the satellite devices. For example, the event messages may indicate the relative signal strength measured by each satellite device, and it may be possible to triangulate the location of the sending mobile device based on those measured signals. At act 1306, a location map is generated using the device locations and the location data. At act 1308, the location map is provided via an administrative interface, such as via a user's smartphone, on a computer display, or the like.

FIG14 shows a flow chart depicting an example of a process 1400 for processing event messages received from a message aggregator component according to some embodiments of the present invention. As described above, the message aggregator component can be used to receive event messages from satellite devices and combine duplicate event messages for further processing. However, to ensure fast performance of the queue of event messages monitored by the message aggregator component, the message aggregator component can offload the processing of those aggregated messages to the network analysis component of the controller. Process 1400 illustrates one example of a method for performing processing of the network analysis component.

At action 1402, an aggregate event message is received. It should be understood that in this context, the term "aggregate" refers only to event messages that have been processed by the message aggregator component, and that an aggregate event message may only contain a single event message. At action 1404, an event protocol for the aggregate event message is determined. At action 1406, the aggregate event message is processed according to the event protocol. For example, processing the aggregate event message may include determining the context and purpose of the message based on the message type and the accompanying protocol (e.g., whether the message is part of joining a network, transmitting data on a network, receiving data on a network, etc.). Processing the message may include converting the message into a protocol-agnostic metalanguage. The metalanguage representation of the message may be stored in a message metadata collection at action 1408 for use in generating network status data, determining compliance with rule criteria, and supporting various other functions of the network analysis system.

FIG15 shows a flow chart depicting an example of a process 1500 for implementing a rule engine component according to some embodiments of the present invention. As described above with respect to FIG8 , a rule engine can be used to determine whether network state data and/or message metadata generated by a network analyzer component satisfies specific rule criteria. If the rule criteria are met, the rule engine can take certain actions corresponding to the rule whose criteria are met.

At action 1502, rule configuration data is received. The rule configuration data may include a set of rule criteria and a set of actions to be performed in response to satisfying the rule criteria. Some embodiments may include editing tools and an editing language for specifying rule criteria and appropriate actions, while other embodiments may provide a list of eligible rules from which a user may select.

At act 1504, a message metadata set is received, such as from the network analyzer component described above. The message metadata may include processed event messages indicating when the device joins the network, leaves the network, comes within proximity of one or more satellite devices, transmits data to another device on the network, and so on.

At act 1506, a rule status criterion is determined based on the message metadata to determine whether the criterion is met. If the criterion is met, an action associated with the rule is initiated. For example, many rules may include generating a notification to a management interface, a user device, an audio output device, a video output device, etc. At act 1508, a notification is generated, and at act 1510, the notification is transmitted to the notification target device.

FIG16 shows a flow chart depicting a process 1600 for performing power management on a satellite device in a manner that maintains network security, according to an embodiment of the present invention. As described above, the network analysis system implemented by the controller and satellite device provides numerous novel applications, many of which relate to the detection of security violations and unauthorized devices. Therefore, it is conceivable that a malicious user might want to disable one or more components of the network analysis system to subvert these security applications. One way a malicious user with physical access to a satellite device could attempt to do so is simply to unplug the satellite device from its AC power source. However, process 1600 illustrates a mechanism for maintaining home security that can be used to deter such malicious users.

At act 1602, process 1600 detects a loss of primary power to the satellite device. In response, at act 1604, the satellite device switches to backup battery power. However, because it is possible that the device was intentionally powered down to allow a malicious user to add an unauthorized device to the network, the switch to battery power at act 1604 may be accompanied by the deactivation of an external indicator of power at act 1606. For example, if the satellite device includes an LED indicator to indicate that the satellite device is powered, the LED indicator may be deactivated in response to the switch to battery power. At act 1608, a notification may be transmitted to the controller for forwarding to a management interface to notify a user or other administrator of the device power loss. In this way, the satellite device can continue to provide network security operations while misleading a potential malicious user into believing they have compromised the network security, thereby increasing the likelihood that the intrusion will be noticed.

17 shows a flow chart depicting an example of a process 1700 for providing improved home security using a rules engine according to some embodiments of the present invention. Process 1700 illustrates how location data derived from signal strength readings performed by a satellite device can generate a notification that configures a camera to view a location corresponding to an unknown device.

At act 1702, process 1700 detects an unknown device based on an event message received from a satellite device. At act 1704, the location of the unknown device is determined, such as based on the RSSI location determination technique described above. In response to determining the location of the unknown device, at act 1706, a notification can be generated to the pan-tilt-zoom camera to direct the camera toward the identified location. In this way, the camera system can be automatically programmed to be directed toward unknown entities, thereby improving the user's home security system. For example, this system can be used to identify someone approaching the user's home from an unusual direction (e.g., not from the front door) with an unknown device, or to focus the camera on the front door without manually opening the door.

Embodiments of the present invention have been described above with reference to block diagrams and flowchart illustrations of methods, apparatus, systems, and computer program products. It should be understood that each block of the circuit diagrams and process flowcharts, and combinations of blocks of the circuit diagrams and process flowcharts, respectively, can be implemented by various means comprising computer program instructions. These computer program instructions can be loaded onto a general-purpose computer, a special-purpose computer, or other programmable data processing device to produce a machine, such that the computer program product comprises instructions that, when executed on the computer or other programmable data processing device, create means for implementing the functions specified in the flowchart blocks.

These computer program instructions may also be stored in a computer-readable storage device that can direct a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable storage device produce an article of manufacture containing computer-readable instructions for implementing the functions discussed herein. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus, thereby producing a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus cause the steps to be performed and thereby implement the functions discussed herein.

Therefore, the blocks of the block diagrams support combinations of means for performing the specified functions, combinations of steps for performing the specified functions, and program instruction means for performing the specified functions. It should also be understood that each block of the circuit diagrams and process flow diagrams, and combinations of blocks in the circuit diagrams and process flow diagrams, can be implemented by a computer system based on dedicated hardware or a combination of dedicated hardware and computer instructions that performs the specified functions or steps.

Some additional embodiments may allow consumers to manage their devices and networks through an app or web portal. Embodiments may also include a call center component, providing valuable insights to CSRs to provide targeted help and advice on troubleshooting, diagnostics, and recommendations. Embodiments can help manage multiple devices even without knowing the manufacturer, device type, operating system, and network. Embodiments may enable troubleshooting with simple device guides and a dashboard showing network connections and device failures. If human help is needed, 24/7 live support may be just a phone call, text, chat, or email away.

Embodiments can also block intruders and monitor the network for malware. Other embodiments can register and track warranties, extended service contracts, credit card offers, manufacturer double warranties, and retail store offers. Embodiments can also provide available services (such as free cleanings), software upgrade notifications, relevant new peripherals, and product recall reminders. Some embodiments can remind users of upcoming rights and product recalls. Embodiments can also provide easy access to manuals.

Some embodiments can provide protection against accidental and mechanical damage, loss and theft, low battery damage, etc. across devices, as well as ID theft protection and assist in application registration. Some embodiments provide repair and loan services and help users contact appropriate repair points and/or handle repairs on behalf of consumers.

Some embodiments can provide individuals with purchasing recommendations for their network devices, networks, and routers based on their actual usage needs and history to help ensure interoperability and compatibility. Embodiments can provide contextual assistance and solutions. Some embodiments can make it easy to upgrade from old devices to new devices and networks by offering trade-in value, identifying locations to sell devices, personalized recommendations for new devices and networks, and so on. Some embodiments can also include a points component with additional or increased benefits based on subscription length, number of devices connected to the network, and so on.

Embodiments may provide related functionality through a variety of user interfaces. For example, embodiments may provide a dashboard that provides a high-level overview of the health, connectivity, and performance of devices individually and as a connected network. A "Start" interface may assist users in registering and setting up devices to be monitored and appropriate network configuration.

During device registration, embodiments can collect key information to complete OEM registration and begin tracking benefits (e.g., warranty or trade-in programs). These benefits can include retailer-provided POS discounts (e.g., annual cleaning services), OEM discounts and upgrades, homeowner supplemental insurance/core coverage, or credit card benefits (e.g., double manufacturer warranty, 90-day protection, and other features). Embodiments can also include a user manual or link to a user manual for the registered device in a section.

Some embodiments can provide step-by-step setup instructions, identify compatibility issues, and provide tips and tricks for setting up the device. These tips and tricks can include personalized, timely, and appropriate recommendations for additional products and services that support the device and network.

Embodiments may also provide general maintenance services, such as assistance in diagnosing minor problems before they become major problems later, assisting users in thoroughly troubleshooting problems on their devices, crowdsourcing and real-time technical support, helping to predict future problems such as storage space limitations, battery, and connection issues, monitoring network security, blocking malware and freeloaders, and providing service protection and one-click subscription services. These subscriptions may include subscriptions for services covering loss, accidental damage, mechanical damage, theft/theft, malware, identity theft, etc. Some embodiments may provide personalized information for users, devices, and/or networks.

Some embodiments may provide warnings and/or notifications related to benefits (e.g., expirations, new offers, reminders), device and network issues, announcements specific to the device and network (e.g., upgrades, new solutions to common problems), security/safety issues (e.g., malware detected; freeloaders detected), and/or related assistance related to connected "devices" (e.g., a car warning you that your brake pads are getting thin, sending a warning, and helping to resolve the problem with a nearby, inexpensive repair solution).

Embodiments may also assist with network and device changes/migration (e.g., adding devices and/or networks, retiring devices and/or networks). Embodiments may assist with adding new devices, new networks, and leaving old devices, old networks, and old peripherals.

Some embodiments may provide recommendations based on the digital concierge's monitored user habits, the user's specific needs, and knowledge of the user's existing network and compatibility/interoperability considerations to provide suggestions and guidance on new purchases.

Some embodiments may provide an independent estimate of a device's trade-in value based on the device's condition, including certification of the device's status based on device diagnostics.

Some embodiments can assist in purchasing new devices. Such embodiments can provide location and price guarantees for new product purchases as well as access to used/rebuilt/customized (with all settings and features)/certified devices.

Some embodiments can provide the ability to extend existing protection coverage to a device if coverage already exists for the device and/or network, or to initiate coverage for new purchases. Some embodiments can facilitate data backup and data transfer operations to facilitate migration to a new device. This migration can include providing backup and data transfer. Embodiments can perform this migration by restoring settings, even across platforms or operating systems.

Embodiments may also provide a customer service dashboard and tools. For example, the dashboard may provide insights into a customer's devices and connections, applications, and consumer behavior on the devices. Embodiments may also include a suggestion tool to assist customer service representatives in obtaining information about devices, networks, and peripherals to best resolve customer issues.

Embodiments may also include tracking historical information to assist customer service representatives in anticipating issues. Some embodiments provide a complete view of a consumer's previous activity, including previous tickets, all devices, all connections, and/or all networks. Embodiments may be able to handle cross-selling of insurance products, for example.

Some embodiments may utilize aggregated data to provide device diagnostics, monitoring, and management capabilities. For example, a device may measure device and network performance over time based on how the user uses the device. Embodiments may compare and determine how other devices and networks perform. Some embodiments may identify the trade-in condition of one or more devices and determine how the device is valued/rated based on its age and type of use and true fair market value based on its actual condition.

Embodiments may provide personalized offers based on the type of device connected to the device, the user's network, and the user's behavior with their devices and network. Embodiments may also monitor and facilitate device migration behavior. For example, embodiments may track and facilitate switching behavior, including tracking the brand and model of the device and network; tracking how many months are left until an upgrade; and/or tracking the conservation effectiveness of switching behavior, upgrades, and trade-ins. Embodiments may also provide recommendations based on user behavior, devices, networks, and/or a determined level of "tech knowledge" assigned to the user. Some embodiments may also provide tips and tricks to the user, such as based on situational needs, tech knowledge scores, the presence of specific devices, or the overall state of the network. Some embodiments may include predictive warnings of expected device issues based on known device issues, models, device age, or device behavior prior to the event. Embodiments may also measure performance to identify which devices and networks perform best for whom and in what environments.

Many modifications and other embodiments of the inventions set forth herein will be apparent to those skilled in the art having regard to these embodiments of the invention, having benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it should be understood that the embodiments of the invention are not limited to the specific embodiments disclosed, and modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (29)

1. A system for providing computer network analysis, comprising: At least one satellite device is configured to: Monitoring wireless network services to determine at least one network communication event between a first network device and a second network device, both of which are devices different from satellite devices; Generate an event message based on the at least one network communication event; and Transmit the event message; and The controller device is configured to: Receive the event message; Identify at least one device that communicated during the network communication event; The network state is determined at least in part based on the identity of the at least one device; Perform a comparison between the network state and the predetermined rule set; The response action is initiated based at least in part on a comparison with the predetermined rule set; and The network status is provided via the management interface. 2. The system of claim 1, wherein the event message includes the signal strength of the network communication event, and wherein the controller device is further configured to determine the location of the at least one device based at least in part on the signal strength. 3. The system according to claim 1, wherein the event message includes a protocol identifier. 4. The system of claim 1, wherein the controller device is further configured to identify the device type of the at least one device based at least in part on the event message. 5. The system of claim 1, wherein the at least one satellite device is further configured to monitor the wireless network service by detecting network transmissions between a first network device and a second network device, wherein the first network device and the second network device are devices different from the at least one satellite device and the controller device. 6. The system of claim 1, wherein the event message includes a packet header of the network communication event. 7. The system of claim 1, wherein the clock of the at least one satellite device and the clock of the controller device are synchronized with each other. 8. The system of claim 7, wherein the event message includes a timestamp derived from a reading of the clock from the at least one satellite device. 9. The system according to claim 1, wherein the network communication event is a network message transmitted according to the 802.11 protocol, the Beehive protocol, or the Bluetooth protocol. 10. The system according to claim 1, The response actions include automatically changing the configuration of the first or second network device and automatically changing the network topology; and The controller is also configured as follows: The management interface provides instructions on the network status and the response actions. 11. The system of claim 10, wherein the response action further includes activating a security system. 12. The system of claim 10, wherein the response action further includes blocking the communication device. 13. The system of claim 10, wherein the response action further includes guiding the camera to a specific position. 14. The system of claim 10, wherein the response action further includes initiating a traffic monitoring operation between at least two communication devices. 15. The system of claim 10, wherein the response action further includes generating a notification to an external system, wherein the external system includes a speaker. 16. The system of claim 1, wherein the at least one satellite device is further configured to determine the network state at least in part based on the at least one network communication event. 17. A method for providing a network analysis system, the method comprising: At the controller device, a first event message is received from the first satellite device. The first event message includes the content of a first network communication event between a first network device and a second network device within the network. The first network device and the second network device are devices that are different from the first satellite device. The controller receives a second event message from the second satellite device, the second event message including the content of a second network communication event based on the third network device and the fourth network device; The controller device processes the first event message and the second event message to determine the network status, wherein the network status includes an indicator of the presence of each of the first, second, third and fourth network devices; Perform a comparison between the network state and the predetermined rule set; The response action is initiated based at least in part on a comparison with the predetermined rule set; and The network status is provided via the management interface. 18. The method of claim 17, wherein the first event message includes the signal strength of the first network communication event, and wherein the controller device is further configured to determine the location of the first network device at least in part based on the signal strength. 19. The method of claim 17, wherein the first event message includes a protocol identifier. 20. The method of claim 17, wherein the controller device is further configured to identify, at least in part, the device type of each of the first network device and the second network device based on the first event message. 21. The method of claim 17, wherein the first satellite device is further configured to monitor wireless network services by detecting network transmissions between the first network device and the second network device, wherein the first network device and the second network device are devices different from the first satellite device and the controller device. 22. The method of claim 17, wherein the first event message includes a packet header of the network communication event. 23. The method of claim 17, further comprising synchronizing the clock of at least the first satellite device and the clock of the controller device. 24. The method of claim 23, wherein the first event message includes a timestamp derived from a reading of the clock from the first satellite device. 25. The method of claim 17, wherein the response action includes automatically changing the configuration of the first network device or the second network device and automatically changing the topology characteristics of the network. 26. An apparatus for providing computer network analysis, comprising a processor coupled to a memory, the apparatus being configured to: Receive event messages, the event messages being based on at least one network communication event monitored by the satellite device; Identify at least one device that communicated during the network communication event; The network state is determined at least in part based on the identity of the at least one device; Perform a comparison between the network state and the predetermined rule set; The response action is initiated based at least in part on a comparison with the predetermined rule set; and The network status is provided via the management interface. 27. The device of claim 26, wherein the event message includes the signal strength of the network communication event, and wherein the device is further configured to determine the location of the at least one means based at least in part on the signal strength. 28. The device of claim 26, further configured to identify the device type of the at least one device based at least in part on the event message. 29. The device according to claim 26, The response actions include automatically changing the configuration of the at least one device and automatically changing the network topology characteristics; and The management interface provides instructions on the network status and the response actions.