Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
POWER LINE COMMUNICATION DETECTION
Document Type and Number:
WIPO Patent Application WO/2019/186184
Kind Code:
A1
Abstract:
An apparatus (31) for detecting a power line communication. The apparatus includes a receiver (34) arranged to wirelessly detect an electromagnetic signal emitted from a power line communication. The apparatus also includes processing circuitry (32, 33). The processing circuitry is configured to perform time or frequency domain analysis of the electromagnetic signal detected by the receiver to determine time or frequency components of the electromagnetic signal;compare the determined time or frequency components of the received electromagnetic signal to an expected pattern of time or frequency components for a power line communication; and determine, from the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, a likelihood of when the electromagnetic signal has been emitted from a power line communication.

Inventors:
MARTINOVIC, Ivan (Buxton Court3 West Way, Oxford OX2 0JB, OX2 0JB, GB)
BAKER, Richard (Buxton Court3 West Way, Oxford Oxfordshire OX2 0JB, OX2 0JB, GB)
Application Number:
GB2019/050908
Publication Date:
October 03, 2019
Filing Date:
March 28, 2019
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
OXFORD UNIVERSITY INNOVATION LIMITED (Buxton Court, 3 West Way, Oxford OX2 0JB, OX2 0JB, GB)
International Classes:
H04B3/54; H04B3/487
Other References:
INTAN SARI ARENI ET AL: "Packet size optimization of PPS based radiation detection for AEE-PLC", POWER LINE COMMUNICATIONS AND ITS APPLICATIONS (ISPLC), 2012 16TH IEEE INTERNATIONAL SYMPOSIUM ON, IEEE, 27 March 2012 (2012-03-27), pages 47 - 51, XP032181505, ISBN: 978-1-4673-0359-0, DOI: 10.1109/ISPLC.2012.6201313
Attorney, Agent or Firm:
DEHNS (St Bride's House, 10 Salisbury Square, London EC4Y 8JD, EC4Y 8JD, GB)
Download PDF:
Claims:
Claims

1. An apparatus for detecting a power line communication, the apparatus comprising:

a receiver arranged to wirelessly detect an electromagnetic signal emitted from a power line communication; and

processing circuitry configured to:

perform time or frequency domain analysis of the electromagnetic signal detected by the receiver to determine time or frequency components of the electromagnetic signal;

compare the determined time or frequency components of the received electromagnetic signal to an expected pattern of time or frequency components for a power line communication; and

determine, from the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, a likelihood of when the electromagnetic signal has been emitted from a power line communication. 2. The apparatus as claimed in claim 1 , wherein the processing circuitry is arranged to compare the time and/or frequency components to an expected pattern of time and/or frequency components respectively for a power line communication standard. 3. The apparatus as claimed in claim 1 or 2, wherein the expected pattern of the frequency components comprises an expected spectrum of frequency components of an electromagnetic signal transmitted over a power line

communication. 4. The apparatus as claimed in claim 1 , 2 or 3, wherein the expected pattern of the time components comprises a communication protocol used by a power line communication when transmitting a data signal or the expected pattern of the time components comprises the duration of an electromagnetic signal transmitted over a power line communication.

5. The apparatus as claimed in any one of the preceding claims, wherein the processing circuitry is configured to compute a score representative of the likelihood that the electromagnetic signal was emitted by a power line

communication.

6. The apparatus as claimed in claim 5, wherein processing circuitry is configured to apply a threshold to the computed score to determine when the electromagnetic signal has been emitted from a power line communication.

7. The apparatus as claimed in any one of the preceding claims, wherein the apparatus comprises a time domain unit configured to perform time domain analysis of the electromagnetic signal detected by the receiver to determine time components of the electromagnetic signal.

8. The apparatus as claimed in claim 7, wherein the time domain unit is arranged to compare a preamble section of the detected electromagnetic signal to an expected pattern of a preamble section.

9. The apparatus as claimed in claim 7 or 8, wherein the time domain unit comprises a signal power module arranged to calculate the power of the electromagnetic signal.

10. The apparatus as claimed in claim 7, 8 or 9, wherein the time domain unit comprises a low-pass filter arranged to reduce noise from the detected electromagnetic signal.

11. The apparatus as claimed in any one of claims 7 to 10, wherein the time domain unit comprises a threshold module arranged to impose a threshold on the electromagnetic signal such that baseline noise is excluded.

12. The apparatus as claimed in any one of claims 7 to 11 , wherein the time domain unit comprises a matched filter or a cross-correlation module arranged to match the electromagnetic signal to an expected pattern of time components of an electromagnetic signal transmitted over a power line communication.

13. The apparatus as claimed in any one of claims 7 to 12, wherein the time domain unit comprises a peak detection module arranged to detect peaks in the electromagnetic signal.

14. The apparatus as claimed in any one of claims 7 to 13, wherein the time domain unit comprises an autocorrelation function module arranged to apply an autocorrelation function to the electromagnetic signal.

15. The apparatus as claimed in any one of claims 7 to 14, wherein the time domain unit comprises a testing module arranged to determine, from the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, when the electromagnetic signal has been emitted from a power line communication.

16. The apparatus as claimed in any one of claims 7 to 15, wherein the time domain unit is arranged to measure the duration of the detected electromagnetic signal and to compare the measured duration to an expected duration of an electromagnetic signal.

17. The apparatus as claimed in claim 16, wherein the time domain unit comprises a timing module arranged to measure the duration of the detected electromagnetic signal.

18. The apparatus as claimed in claim 16 or 17, wherein the time domain unit comprises a subtraction module arranged to remove the duration of any preamble and/or header information, and/or any fixed size elements from the measured duration of the detected electromagnetic signal.

19. The apparatus as claimed in claim 16, 17 or 18, wherein the time domain unit comprises a division module arranged to divide the duration of the

electromagnetic signal by the expected duration for an electromagnetic signal transmitted by a power line communication.

20. The apparatus as claimed in any one of claims 16 to 19, wherein the time domain unit comprises a minimum module arranged to determine the minimum deviation of the measured duration of the electromagnetic signal from the expected duration for an electromagnetic signal transmitted by a power line communication.

21. The apparatus as claimed in claim 20, wherein the time domain unit comprises a threshold module arranged to apply a threshold to the minimum deviation determined by the minimum module.

22. The apparatus as claimed in any one of the preceding claims, wherein the apparatus comprises a frequency domain unit configured to perform frequency domain analysis of the electromagnetic signal detected by the receiver to determine frequency components of the electromagnetic signal.

23. The apparatus as claimed in claim 22, wherein the frequency domain unit is arranged to detect the presence of a spectral mask in the frequency components of the electromagnetic signal.

24. The apparatus as claimed in claim 22 or 23, wherein the frequency domain unit comprises a band pass filter arranged to pass the frequencies of the electromagnetic signal corresponding to those used by a power line communication standard.

25. The apparatus as claimed in claim 22, 23 or 24, wherein the frequency domain unit comprises a short-term Fourier Transform unit arranged to compute the short-term Fourier Transform of the electromagnetic signal.

26. The apparatus as claimed in any one of claims 22 to 25, wherein the frequency domain unit comprises a signal power module arranged to calculate the power of the electromagnetic signal.

27. The apparatus as claimed in any one of claims 22 to 26, wherein the frequency domain unit comprises a windowing module arranged to split the electromagnetic signal into multiple windows.

28. The apparatus as claimed in any one of claims 22 to 27, wherein the frequency domain unit comprises a point-biserial correlation module arranged to calculate a point-biserial correlation coefficient of the electromagnetic signal.

29. The apparatus as claimed in claim 28, wherein the frequency domain unit comprises an aggregation module arranged to calculate an aggregation of the correlation coefficients output from the point-biserial correlation module.

30. The apparatus as claimed in claim 29, wherein the frequency domain unit comprises a threshold module arranged to apply a threshold to the aggregation calculated by the aggregation module.

31. The apparatus as claimed in any one of the preceding claims, wherein the processing circuitry is configured to perform multiple time and/or frequency domain analyses of the detected electromagnetic signal to determine multiple likelihoods that the electromagnetic signal has been emitted from a power line communication, and wherein the processing circuitry is configured to combine the likelihoods determined by the multiple analyses to determine an overall likelihood of when the electromagnetic signal has been emitted from a power line communication.

32. The apparatus as claimed in any one of the preceding claims, wherein the processing circuitry is configured to recover one or more messages from the detected electromagnetic signal.

33. The apparatus as claimed in any one of the preceding claims, wherein the processing circuitry is configured to extract one or more identifiers from the detected electromagnetic signal or a recovered message.

34. The apparatus as claimed in any one of the preceding claims, wherein the processing circuitry is configured to determine when the detected electromagnetic signal has been emitted from a known or expected network or communication station.

35. A method of detecting a power line communication, the method comprising: detecting wirelessly an electromagnetic signal; performing time or frequency domain analysis of the detected

electromagnetic signal to determine time or frequency components of at least a portion of the signal;

comparing the determined time or frequency components of the detected electromagnetic signal to an expected pattern of time or frequency components for a power line communication; and

determining, using the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, a likelihood of when the electromagnetic signal has been emitted from a power line communication.

Description:
Power Line Communication Detection

This invention relates to an apparatus for detecting a power line communication and a method of detecting a power line communication, in particular to detecting an electromagnetic signal from a power line network using time or frequency domain analysis.

Power line communication (e.g. power line networks) may be set up using electrical wiring (i.e. a power line) to carry both data and electrical power. This enables an existing electrical distribution network, e.g. in a building, to be used to carry data signals as well as electrical power. A local area network can therefore be established without having to install a purpose built data network. A power line is able to carry data via a superposition of a low energy data signal on the existing power wave. The data is generally transmitted at a different frequency (e.g. greater than 3 kHz) so that it does not interfere with the power wave, which is typically carried at 50 or 60 Hz. Power lines, as well as permitting legitimate users to network devices together which are connected to the power lines, may also enable malicious users to construct data networks that could go unnoticed in buildings which are increasingly populated by small, anonymous, electronic devices. For example, an attacker may be able to establish a free, unmonitored data network on a power line circuit simply by installing a rogue station (e.g. a device such as an adaptor, modem, interface or network interface controller) that taps into the existing electrical circuitry. Such a power line network may then enable the attacker to establish two-way connectivity to a target host or network, e.g. for data exfiltration, traffic monitoring or as a platform for further attacks.

Wired data networks may be segregated and physically protected. Wireless networks may be policed for rogue access points and access from beyond a secure perimeter. However, such security considerations have not yet been applied to power line networks which are relatively open and thus present an easy target for a potential attacker. There exists a need to develop a way of detecting power line networks that have been installed (e.g. covertly) on existing electrical wiring circuits. This would enable security sweeps of a building to be performed to detect the presence of such (e.g. rogue) power line networks.

When viewed from a first aspect the invention provides an apparatus for detecting a power line communication, the apparatus comprising:

a receiver arranged to wirelessly detect an electromagnetic signal emitted from a power line communication; and

processing circuitry configured to:

perform time or frequency domain analysis of the electromagnetic signal detected by the receiver to determine time or frequency components of the electromagnetic signal;

compare the determined time or frequency components of the received electromagnetic signal to an expected pattern of time or frequency components for a power line communication; and

determine, from the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, a likelihood of when the electromagnetic signal has been emitted from a power line communication.

When viewed from a second aspect the invention provides a method of detecting a power line communication, the method comprising:

detecting wirelessly an electromagnetic signal;

performing time or frequency domain analysis of the detected

electromagnetic signal to determine time or frequency components of at least a portion of the signal;

comparing the determined time or frequency components of the detected electromagnetic signal to an expected pattern of time or frequency components for a power line communication; and

determining, using the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, a likelihood of when the electromagnetic signal has been emitted from a power line communication. The present invention therefore provides an apparatus for and a method of detecting a power line communication (e.g. network) wirelessly. The apparatus includes a receiver that is arranged to detect wirelessly an electromagnetic signal that has been emitted from a power line (data) communication. The apparatus also includes processing circuitry that is configured to analyse the electromagnetic signal that has been detected.

Time or frequency domain analysis is first performed on the detected

electromagnetic signal to determine its time or frequency components. These components are then compared to a pattern that would be expected for the time or frequency components of an electromagnetic signal transmitted over a power line communication operating, e.g. according to a (e.g. known) standard. This comparison enables it to be determined whether or not the detected

electromagnetic signal has come from a power line communication. For example, if the determined time or frequency components correlate highly with the expected pattern, it is likely that the detected electromagnetic signal was emitted by a power line communication operating. On the other hand, if the determined time or frequency components do not correlate well with the expected pattern, it is unlikely that the detected electromagnetic signal came from a power line communication (that is operating to carry data signals).

It can be seen that at least preferred embodiments of the present invention enable the detection of a power line (data) communication that is being operated on an electrical distribution network, from the wireless detection of an electromagnetic signal emitted by the power line communication. This helps to allow the detection of rogue devices that may have been installed to set up a power line communication, thus helping to provide security testing and on-going monitoring of premises by the individual or organisation operating there.

The Applicant has appreciated that power lines are primarily designed for low frequency power waves (for electrical distribution) and not higher frequency communications (e.g. data signals) owing to them being unshielded, filled with impedance variations and mismatches, and subject to regular alteration (e.g. by the connection or removal of an electrical device). This means that when higher frequency data signals are transmitted along power lines, they leak from the power lines thus enabling their detection.

Furthermore, the leaked data signals have distinctive signatures in the time and/or frequency domains. This is because power line (data) communications generally operate according to known standards which use particular communication designs and protocols, e.g. using predetermined spectral masks and/or preambles when transmitting data signals. This allows, following the detection of an electromagnetic signal emitted by a power line communication, these signatures to be used to identify the detected electromagnetic signals as having been emitted by a power line communication.

As the apparatus and method of the present invention detects the electromagnetic signals emitted from the power line communication wirelessly, it does not require a physical connection to the power line. This means that the operation of a power line communication (e.g. located the other side of a wall, floor or ceiling) may be detected without requiring direct access to the power line network. The wireless operation also enables multiple (e.g. independent) power lines to be interrogated (e.g. simultaneously) for the presence of one or more power line communication.

The receiver, which is arranged to wirelessly detect an electromagnetic signal emitted from a power line communication, may be any suitable and desired receiver. In a preferred embodiment the receiver comprises an antenna.

Preferably the receiver comprises an (e.g. low-noise) amplifier (e.g. connected to the antenna) arranged to amplify the detected electromagnetic signal.

The receiver preferably comprises an automatic gain control (AGC), e.g. having a long time constant. This may be provided instead of an amplifier. Preferably the AGC is connected to the antenna (e.g. via the amplifier) and arranged to receive the detected electromagnetic signal from the antenna. The AGC provides a consistent level of signal for further processing, irrespective of the received signal amplitude. The processing circuitry may comprise a time domain unit and/or a frequency domain unit, each of which are configured to perform the various steps of the present invention (in the respective time and frequency domains). Thus preferably the time domain unit is configured to perform time domain analysis of the electromagnetic signal detected by the receiver to determine time components of the electromagnetic signal. By extracting the time components from the

electromagnetic signal, this helps to allow these time components to be compared to the expected time components of (e.g. part of) a signal that has been transmitted over a power line network, e.g. according to a standard.

Similarly, preferably the frequency domain unit is configured to perform frequency domain analysis of the electromagnetic signal detected by the receiver to determine frequency components of the electromagnetic signal. By extracting the frequency components from the electromagnetic signal, this helps to allow these frequency components to be compared to the expected frequency components of (e.g. part of) a signal that has been transmitted over a power line network.

The time domain analysis which is performed on the detected electromagnetic signal preferably permits insight into the protocol and/or the signalling that is being used by the power line network. For example, a preamble section may be included at the start of every signal (e.g. physical protocol data unit (PPDU)) that is transmitted over a power line (e.g. HomePlug, IEEE 1901 , ITU-T G.9960 or G.hn) network. Such a preamble is designed to have a reliable structure which enables it to be recognised, even in adverse conditions. Thus preferably the time domain unit is arranged to compare the preamble section of the detected electromagnetic signal to an expected pattern of a preamble section, e.g. according to a standard.

Preferably the time domain analysis runs continuously on the detected

electromagnetic signal. The time domain analysis may be used directly or combined (with the results of the frequency-domain analysis) to obtain synchronous results.

Preferably the processing circuitry (e.g. of the time domain unit) comprises a signal power module (e.g. connected to, and arranged to receive an output from, the (e.g. AGC of the) receiver). The signal power module is arranged to calculate the power of the electromagnetic signal (e.g. as received from the AGC). Preferably the processing circuitry (e.g. of the time domain unit) comprises a (e.g. moving average) low-pass filter (e.g. connected to, and arranged to receive an output from, the signal power module). The low-pass filter is arranged to reduce noise from the detected electromagnetic signal. It will be appreciated that in some embodiments it may not be necessary to provide a low-pass filter, e.g. if the noise levels were very low or if it is acceptable for a greater number of spurious signals to be processed. Thus, in one embodiment the filtering configuration may be varied, including down to no effect, e.g. when the (noise) conditions permit. For example, when using a moving average, the length of the moving average may be varied.

Preferably the moving average is short relative to the length of the electromagnetic signal (e.g. short relative to the preamble length), such that it does not have a large impact on the structure of the detected electromagnetic signal. Preferably the processing circuitry (e.g. of the time domain unit) comprises a threshold module (e.g. connected to, and arranged to receive an output from, the low-pass filter). The threshold module is arranged to impose a threshold on the electromagnetic signal such that baseline noise is excluded (from further processing of the signal). In one embodiment, the threshold module may comprise a“debounce” capability. This may enable the threshold module to implement the low-pass filter as well as imposing the threshold.

In another embodiment the time domain unit is arranged to measure the duration of (e.g. a portion of) the detected electromagnetic signal and to compare the measured duration to an expected duration of (e.g. a portion of) an electromagnetic signal, e.g. according to a standard. For example, valid timings for the targeted technology (e.g. PPDUs for the standard under investigation) are known. In some embodiments preamble and/or header information may be removed from the detected electromagnetic signal before its duration is measured.

Thus in one set of embodiments the processing circuitry (e.g. of the time domain unit) comprises a timing module (e.g. connected to, and arranged to receive an output from, the threshold module) arranged to measure the duration of (e.g. at least a portion of) the detected electromagnetic signal. The processing circuitry (e.g. of the time domain unit) may also comprise a subtraction module (e.g. connected to, and arranged to receive an output from, the timing module) arranged to remove the duration of any preamble and/or header information, and/or any fixed size elements from the measured duration of the detected electromagnetic signal.

The frequency domain analysis which is performed on the detected electromagnetic signal preferably enables the presence of a spectral mask (e.g. the Tone Mask used by HomePlug adaptors) to be detected. Thus preferably the processing circuitry (e.g. of the frequency domain unit) is arranged to detect the presence of a spectral mask in the frequency components of the electromagnetic signal.

For example, in some standards (e.g. the IEEE1901 and ITU G.9960 standards), the use of a spectral mask is mandated, with such a spectral mask being defined and used (e.g. worldwide). Such a spectral mask may be implemented by disabling a set of subcarriers from being used for signalling (e.g. when the underlying technology is orthogonal frequency-division multiplexing) or avoiding transmission on a masked carrier frequency, creating gaps in the spectral usage in either case. These gaps (or“notches”) in the spectrum correspond, for example, to amateur radio bands (e.g. as defined by the International Amateur Radio Union (IARU)). These known gaps produce a recognisable signature in the spectrum of signals transmitted over power line networks.

Preferably the spectral mask to be used is hardcoded into a power line station (e.g. an adaptor, modem, interface, network interface controller or any suitable device that could be used to enable connection to a power line communication network) to be used to establish a power line network. Removing the gaps at known positions in the spectrum is difficult without making significant modifications to the hardware being used on the power line network.

Preferably the frequency domain analysis operates on a short time period, using the detected electromagnetic signal collected by the receiver across that period.

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises a band pass filter (e.g. connected to, and arranged to receive an output from, the (e.g. AGC of the) receiver). The band pass filter is arranged to pass the frequencies of the electromagnetic signal corresponding to those used by the power line network standards (e.g. 2 MHz to 28 MHz).

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises a short-term Fourier Transform (STFT) unit (e.g. connected to, and arranged to receive an output from, the band pass filter). The STFT unit is arranged to compute the STFT of the (e.g. filtered) electromagnetic signal, e.g. at regular intervals (e.g. corresponding to the time period at which the frequency domain analysis operates). This helps to provide an approximation of the power spectral density across multiple frequency bins.

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises a signal power module (e.g. connected to, and arranged to receive an output from, the STFT unit). The signal power module is arranged to calculate the power of the electromagnetic signal (e.g. of the filtered and transformed signal).

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises a windowing module (e.g. connected to, and arranged to receive an output from, the signal power module). The windowing module is arranged to split the (e.g. filtered bandwidth of the) electromagnetic signal into multiple windows. This helps to compensate for variable radiation levels across the measured bandwidth. As will be appreciated, a spectral mask may be detected using local variations in the spectrum and thus variations across the whole bandwidth are less important.

Once the time and/or frequency components have been extracted from the electromagnetic signal, they can be compared to an expected pattern of such components from a power line network operating, e.g. according to a standard. This allows it to be determined whether or not the detected electromagnetic signal has been emitted by a power line network.

In a preferred embodiment the time and/or frequency components are compared to an expected pattern of such components for a power line network standard.

However, it will be appreciated that a (e.g. malicious) party may set up a power line communication not using a known standard. In this instance, the power line network will still be a superposition of a data signal on an existing power wave. The party setting up the power line network controls the data signals transmitted on the network and so there is likely to be a characteristic fingerprint of these data signal which may be expected and thus detected.

Thus, in some embodiments the time and/or frequency components are compared to an expected pattern of such components for a power line network, wherein the expected pattern of the time and/or frequency components comprises a previously observed pattern of time and/or frequency components of electromagnetic signals detected from a power line network operating.

The expected pattern may be any suitable and desired (e.g. distinctive) pattern in the frequency or time components that is expected to be found in an

electromagnetic signal emitted by a power line network, e.g. operating according to a standard. Preferably the expected pattern of the frequency components comprises an expected spectrum of frequency components of an electromagnetic signal transmitted over a power line network, e.g. corresponding to a spectral mask applied to a data signal transmitted over the power line network (e.g. according to a standard).

In one embodiment the expected pattern of the time components comprises a communication protocol used by a power line network when transmitting a data signal (e.g. a physical protocol data unit (PPDU)) over the power line network. Preferably the communication protocol comprises the preamble of a data signal (e.g. a preamble of a PPDU).

In one embodiment the expected pattern of the time components comprises the duration of (e.g. at least a portion) an electromagnetic (data) signal (e.g. a physical protocol data unit (PPDU)) transmitted over the power line communication. This approach makes use of the predictable (e.g. PHY layer) timing structure of the data signals transmitted. At its simplest, in this embodiment the apparatus and the method measure for how long there is a transmission on the communication medium and determine whether that duration matches the constraints of a valid transmission, e.g. within some error tolerance. Preferably the processing circuitry (e.g. of the time domain unit) comprises a matched (e.g. finite impulse response (FIR)) filter (e.g. connected to, and arranged to receive an output from, the threshold module, e.g. when the electromagnetic signal exceeds the threshold). In another embodiment the processing circuitry (e.g. of the time domain unit) comprises a cross-correlation module (e.g. connected to, and arranged to receive an output from, the threshold module, e.g. when the electromagnetic signal exceeds the threshold). A cross-correlation module may be used instead of a matched filter.

The matched filter or the cross-correlation module is arranged to match the electromagnetic signal to an expected pattern of time components of an

electromagnetic signal transmitted over a power line network. The matched filter preferably matches the electromagnetic signal to a time-reversed copy of an expected pattern of time components of an electromagnetic signal transmitted over a power line network. The cross-correlation module preferably matches the electromagnetic signal to a forward time copy of an expected pattern of time components of an electromagnetic signal transmitted over a power line network. The matched filter or the cross-correlation module helps to separate a known signal from white noise and thus helps to make a signal which has been generated by a power line network more distinct from the background. This helps to make the electromagnetic signal easier to classify as having come from a power line network or not.

Preferably the expected pattern comprises a pre-loaded template of an

electromagnetic signal transmitted over a power line network, e.g. according to a standard. Preferably the expected pattern comprises the expected pattern of a preamble signal (e.g. physical protocol data unit (PPDU)) transmitted over a power line network, e.g. according to a standard.

Preferably the processing circuitry (e.g. of the time domain unit) comprises a peak detection module (e.g. connected to, and arranged to receive an output from, the matched filter). The peak detection module is arranged to detect peaks in the electromagnetic signal, e.g. as output from the matched filter, such that potential expected (e.g. preamble) patterns may be found. Preferably the processing circuitry (e.g. of the time domain unit) comprises an autocorrelation function module (e.g. connected to, and arranged to receive an output from, the peak detection module). The autocorrelation function module is arranged to apply an autocorrelation function to the electromagnetic signal (e.g. for each peak detected by the peak detection module).

Preferably, for each peak detected by the peak detection module, a section of the electromagnetic signal (e.g. the length of a preamble) is passed through the autocorrelation function module. Owing to repetitions, e.g. of equal length, in electromagnetic signals (e.g. preambles) that have been generated by a power line network, the autocorrelation function applied helps to identify expected patterns in electromagnetic signals that have come from power line networks.

Preferably the autocorrelation function module is arranged to test the

electromagnetic signal against a copy of itself, e.g. shifted by a period equal to the expected repetition interval of the (e.g. preamble of the) electromagnetic signal and/or shifted by a period equal to half the expected repetition interval of the (e.g. preamble of the) electromagnetic signal. An electromagnetic signal from a power line network (e.g. having a genuine preamble) will generally display a positive correlation to a copy of itself shifted by the expected repetition interval and a negative correlation to a copy of itself shifted by half the interval.

Preferably the processing circuitry (e.g. of the time domain unit) comprises a division module (e.g. connected to, and arranged to receive an output from, the timing or subtraction module) arranged to divide the duration of the electromagnetic signal by the expected duration for an electromagnetic signal transmitted by a power line communication. This helps to compare the detected electromagnetic signal with characteristics expected for an electromagnetic signal transmitted by a power line communication. The division module may be arranged to test the measured duration of the electromagnetic signal against multiple different possible durations of electromagnetic signals that may be transmitted by a power line communication, e.g. according to a standard which may define these durations. Preferably the division module is arranged to calculate the remainder of the division of the duration of the electromagnetic signal by the expected duration for an electromagnetic signal transmitted by a power line communication.

Preferably the processing circuitry (e.g. of the time domain unit) comprises a minimum module (e.g. connected to, and arranged to receive an output from, the division module) arranged to determine the minimum deviation of the measured duration of the electromagnetic signal from the expected duration for an

electromagnetic signal transmitted by a power line communication (e.g. for each of the possible expected durations), e.g. using the remainder calculated by the division module. When the deviation (e.g. the remainder) is below a minimum threshold, this may indicate that the measured electromagnetic signal was transmitted by a power line communication.

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises a point-biserial correlation module (e.g. connected to, and arranged to receive an output (e.g. per window) from, the windowing module). The point-biserial correlation module is arranged to calculate a point-biserial correlation coefficient of the electromagnetic signal (e.g. in each window). This helps to compare the

electromagnetic signal to the expected pattern (e.g. of the spectral mask).

Following the comparison of the time or frequency components with the respective expected pattern, the result of the comparison can be used to determine the likelihood of whether (or not) the electromagnetic signal has been emitted from a power line network.

The likelihood of whether or not the electromagnetic signal has been emitted from a power line network may be determined in any suitable and desired way. At its simplest the method determines either the similarity of the detected frequency components to the expected frequency components (e.g.“was the spectrum enough like the template in this period?”, in preferred embodiments) when analysing the frequency components or the similarity of the detected time components to the expected time components (e.g.“does the signal currently look like a preamble?”, in preferred embodiments) when analysing the frequency components, and this may be converted into an output in any suitable and desired way.

In one embodiment the determination is a binary decision, e.g. the method comprises determining when the electromagnetic signal has been emitted from a power line network. Such a (e.g. thresholded) yes/no decision helps to provide a simple evaluation of whether or not a power line communication is in operation on an electrical distribution network.

Alternatively, the method and the apparatus could make a non-binary determination of the likelihood of when the electromagnetic signal has been emitted from a power line network. For example, the determination could have three or more options for the likelihood, e.g. a traffic light representation: yes, the detected electromagnetic signal came from a power line network; no, it did not; or maybe it did, we cannot be sure either way.

In some embodiments, e.g. for the step of determining the likelihood, the processing circuitry is configured to (and the method comprises) compute a score (e.g. based on the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern) representative of the likelihood that the electromagnetic signal was emitted by a power line network. The score may be discrete (e.g. binary or traffic light) or continuous (e.g. a probability).

Preferably the processing circuitry is configured to (and the method comprises) apply a threshold to the computed score to determine when the electromagnetic signal has been emitted from a power line network. Applying a threshold helps to provide a binary (i.e. yes/no) determination of whether or not the electromagnetic signal was emitted by a power line network. For example, when the computed score is greater than the threshold this may indicate that the time or frequency components of the electromagnetic signal correlate well with the expected pattern (and so the electromagnetic signal is determined to have been emitted by a power line network); vice versa, when the computed score is less than the threshold this may indicate that the time or frequency components of the electromagnetic signal do not correlate well with the expected pattern (and so the electromagnetic signal is determined not to have been emitted by a power line network). Alternatively, the score may be used for a multiply discrete (e.g. traffic light) or continuous determination of the likelihood.

The step of determining the likelihood of when the electromagnetic signal has been emitted from a power line network may use the analysis of a single detected electromagnetic signal (e.g. a single data packet). However, in one set of embodiments the step of determining the likelihood uses the analysis of a plurality of detected electromagnetic signals (e.g. emitted from the same power line network). This may be achieved, for example, by aggregating the output (e.g. the scores) over a longer time-period (e.g. by post-processing the output from the analysis of the electromagnetic signals) or by combining the output with other information. This may help to achieve lower false-positive and false-negative rates, e.g. at the expense of the response time of the method and apparatus.

Preferably the processing circuitry (e.g. of the time domain unit) comprises a testing module (e.g. connected to, and arranged to receive an output from, the

autocorrelation module). The testing module is arranged to determine, from the comparison of the time or frequency components of the detected electromagnetic signal with the expected pattern, when the electromagnetic signal has been emitted from a power line network.

Preferably the testing module is arranged to determine from the positive and negative correlations output from the autocorrelation function (e.g. when the electromagnetic signal is tested against a copy of itself, e.g. shifted by a period or half a period), when the electromagnetic signal has been emitted from a power line network. For example, when the autocorrelation function module outputs positive and negative values when expected (e.g. positive when the electromagnetic signal is shifted by a known interval and negative when the electromagnetic signal is shifted by half a known interval), then the time domain unit may conclude that (e.g. a preamble of) an electromagnetic signal has been detected.

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises an aggregation module (e.g. connected to, and arranged to receive an output (e.g. per window) from, the point-biserial correlation module). The aggregation module is arranged to calculate an aggregation (e.g. the mean) of the correlation coefficients output (e.g. from each window) from the point-biserial correlation module. This helps to provide a score for the electromagnetic signal having been emitted by a power line network.

Preferably the processing circuitry (e.g. of the frequency domain unit) comprises a threshold module (e.g. connected to, and arranged to receive an output (e.g. per window) from, the aggregation module). The threshold module is arranged to apply a threshold to the aggregation (e.g. mean) calculated by the aggregation module. An aggregation (e.g. mean) above a particular threshold is preferably taken as indicating that the electromagnetic signal is sufficiently similar to the expected spectral mask and therefore came from a power line network. Again, however, the final score (e.g. aggregation) could be used to determine a multiply discrete (e.g. traffic light) or continuous output for determination of the likelihood.

Preferably the processing circuitry (e.g. of the time domain unit) comprises a threshold module (e.g. connected to, and arranged to receive an output from, the division or minimum module). The threshold module is arranged to apply a threshold to the deviation or the remainder calculated by the division module or on the output from the minimum module. A deviation or remainder below a particular threshold is preferably taken as indicating that the duration of the electromagnetic signal is sufficiently similar to the expected duration and therefore came from a power line network. Again, however, the final score (e.g. deviation or remainder) could be used to determine a multiply discrete (e.g. traffic light) or continuous output for determination of the likelihood.

As outlined above, the apparatus may perform both frequency and time domain analysis of the detected electromagnetic signal and may thus include both a frequency domain unit and a time domain unit. Furthermore, the time domain analysis (and unit) may be arranged to both detect a characteristic preamble structure in an electromagnetic signal and to measure the duration of (e.g. a portion of) the detected electromagnetic signal (in some embodiments the apparatus may comprise two separate time domain units to perform these two different functions respectively). Thus, in an embodiment, the processing circuitry is configured to perform multiple time and/or frequency domain analyses of the detected electromagnetic signal to determine multiple likelihoods of when the

electromagnetic signal has been emitted from a power line communication.

When the apparatus performs multiple frequency and/or time domain analyses of the detected electromagnetic signal (and may thus comprises multiple (time and/or frequency domain) units that are each analysing the detected electromagnetic signal) to determine multiple likelihoods that the electromagnetic signal has been emitted from a power line communication, in one embodiment (e.g. a combining module of) the processing circuitry is configured to combine the likelihoods determined by the multiple analyses (e.g. by the time and/or frequency domain units) to determine an overall likelihood of when the electromagnetic signal has been emitted from a power line communication.

The combined likelihood may be determined in any suitable and desired way. In one embodiment the (e.g. combining module of the) processing circuitry is configured to monitor (e.g. over a (particular) period of time) the likelihoods determined (e.g. by the time and/or frequency domain units) and to use the (e.g. first) likelihood determined as the combined likelihood. When the likelihood is determined as a binary determination or using a threshold (e.g. applied to a computed score), the (e.g. combining module of the) processing circuitry is configured to monitor binary (or thresholded) likelihoods determined and to use the (e.g. first) positive determination that the electromagnetic signal has been emitted from a power line communication as the combined likelihood (or, vice versa, the absence of any positive determinations as the combined likelihood).

In one embodiment the combined likelihood is determined by combining the multiple likelihoods determined (e.g. in the form of binary decisions or (e.g.

thresholded) computed scores). This may be done in any suitable and desired way. For example, an average (e.g. over a period of time) of the multiple likelihoods may be determined. This may be time-averaged, e.g. by counting the positive determinations that the electromagnetic signal has been emitted from a power line communication in a (defined) time period, and returning a positive determination for the combined likelihood when the number of individual positive determinations in the time period is greater than (or equal to) a threshold. Another way to determine the combined likelihood may be to take each of the multiple (e.g. binary (or thresholded)) likelihoods determined and to use the majority (e.g. binary option) determination of the likelihood as the combined likelihood.

In one embodiment (e.g. a message recovery module of) the processing circuitry is configured to recover one or more messages (e.g. PPDUs) from the detected electromagnetic signal, e.g. once the processing circuitry has determined the likelihood that the electromagnetic signal has been emitted from a power line communication (preferably when a positive determination has been made).

Recovering message(s) from the detected electromagnetic signal helps to allow a particular power line network to be identified, e.g. through extraction of identifier(s) as outlined below.

The messages may be recovered from the detected electromagnetic signal in any suitable and desired way. The Applicant has appreciated that when the detected electromagnetic signal is an orthogonal frequency-division multiplexing (OFDM) signal (e.g. for a HomePlug or IEEE 1901 network), and therefore composed of a collection of sinusoids, the electromagnetic signal is not transformed during wireless radiation. This may enable the receiver of the apparatus to collect and then the processing circuitry to process the electromagnetic signal for this purpose.

In one embodiment the (e.g. message recovery module of the) processing circuitry is configured to digitally filter the detected electromagnetic signal to suppress interference. Preferably the (e.g. message recovery module of the) processing circuitry is configured to identify a message the detected electromagnetic signal using a power detector and correlation (e.g. a double sliding-window power detector, a delay-and-correlate algorithm or an autocorrelation method) of the preamble of the detected electromagnetic signal against a known preamble structure.

Preferably the (e.g. message recovery module of the) processing circuitry is configured to identify a message by one or more (preferably all) of: synchronising the receiver (and, e.g., the message recovery module) to (e.g. the frame control and payload) section of the message (e.g. PPDU), processing symbols in the messages and demodulating the signal. The step of processing symbols may use one or more (preferably all) channel estimation, frequency offset correction and sample clock offset correction. Once the message has been recovered, the (e.g. message recovery module of the) processing circuitry may process the message using turbo code error correction and/or cyclic-error redundancy check checksums to reduce errors.

In one embodiment (e.g. an identifier extraction module of) the processing circuitry is configured to extract one or more identifiers from the detected electromagnetic signal or a recovered message, e.g. once the processing circuitry has determined the likelihood that the electromagnetic signal has been emitted from a power line communication (preferably when a positive determination has been made) and, e.g., once a message has been recovered from the detected electromagnetic signal. This enables identifiers for networks or individual communication stations to be extracted. This helps to allow a particular power line network or individual communication station to be identified, e.g. through being able to distinguish between two different networks owing, for example, to the use of different identifiers (for the network or station), encryption keys and transmission characteristics (e.g. from individual communicating parties).

The extracted identifiers may, for example, be values in known data fields, the results of message processing or values arising from the detection and message recovery processes outlined above. Such extractable identifiers include, for example, a network ID (e.g. present in network Beacon messages), a short network ID (e.g. present on all messages) and a station MAC address (which helps to identify stations individually).

The (e.g. identifier extraction module of the) processing circuitry may extract the identifiers (e.g. from the messages) in any suitable and desired way, e.g. depending on the type of identifier(s) to be extracted. In one embodiment the (e.g. identifier extraction module of the) processing circuitry is configured to read one or more identifiers from the data fields of the messages. Preferably the (e.g. identifier extraction module of the) processing circuitry uses a stored (e.g. configured) list of data fields that may be present in the messages and thus from which the identifiers may be read. Preferably the (e.g. identifier extraction module of the) processing circuitry is configured to test the decryption of messages using a known network key. Success indicates membership of the network; failure indicates a new network. Preferably the (e.g. identifier extraction module of the) processing circuitry is configured to extract (e.g. compute) physical-layer features (and thus identifiers) from the message recovery process that vary between transmitters but do not vary with channel (e.g. carrier frequency offset, sample clock offset). This helps to identify communication stations of the network individually, e.g. from which the detected electromagnetic signal was transmitted.

In one embodiment (e.g. a verification module of) the processing circuitry is configured to determine when the detected electromagnetic signal (e.g. having been determined to have been emitted from a power line communication) has been emitted from a known or expected network or communication station (or whether the network or communication station is unknown and thus potentially malicious). The detected electromagnetic signal may be determined to have been emitted from a known or expected network or communication station in any suitable and desired way.

In one embodiment the (e.g. verification module of the) processing circuitry is configured to compare one or more identifiers (e.g. extracted as outlined above, e.g. by the identifier extraction module) from the detected electromagnetic signal against a set of known identifiers (e.g. associated with benign networks or stations). The known identifiers may be stored by the apparatus for the purposes of the comparison. These may either be input by an operator with knowledge a priori, or detected using the steps outlined above and marked as benign post hoc.

Preferably the (e.g. verification module of the) processing circuitry is configured to cause the apparatus to produce an output (e.g. an alert or an alarm) when the detected electromagnetic signal has been determined to have been emitted from an unknown or unexpected network or communication station. This helps to indicate when a potentially malicious power line network has been established and, e.g., action may be needed to be taken to secure against it and/or disable it. The apparatus may be implemented in any suitable and desired type(s) of hardware and/or software. In one embodiment the apparatus is portable, e.g. handheld. In another embodiment the apparatus is static (e.g. a“sentinel”) device which may be mounted (e.g. to a wall) in the location (e.g. building) being monitored for the presence of a power line communication.

Preferably the apparatus (e.g. the processing circuitry) comprises an analogue front end and an analogue-to-digital converter (ADC). One implementation of this may be a (e.g. Universal Software Radio Peripheral (USRP)) software defined radio (SDR), e.g. which implements the various units and/or modules described herein.

Preferably the processing circuitry comprises a digital signal processing system, e.g. which implements the various units and/or modules described herein. This may be implemented by a GNU Radio flowgraph, e.g. which implements the various units and/or modules described herein.

The apparatus may be implemented and the captured signals processed using hardware and/or software, as is suitable and desired. For example, the apparatus may be fully realised using hardware or at least some parts (e.g. modules or units) may be implemented using software (on an appropriate platform). The various hardware and software modules and units may be integrated in the same (physical) apparatus. Alternatively, they may form part of a distributed system. For example, the detection of the electromagnetic signal may be performed by one or more devices (e.g. each including a receiver and processing circuitry (e.g. implementing software defined radios) performing time or frequency domain analysis and, e.g., the recovery of messages and extraction of identifiers) and then the verification of the detected electromagnetic signals may be performed by centralised processing circuitry.

Various embodiments of the present invention will now be described by way of example only and with reference to the accompanying drawings, in which:

Figures 1a and 1b show a device used to set up a power line network;

Figure 2 shows an expected spectrum usage for a standards-compliant power line network;

Figure 3 shows an apparatus for wirelessly detecting the presence of a power line network, according to an embodiment of the present invention; Figures 4 and 5 are flow charts showing operation of the apparatus shown in Figure 3;

Figures 6 and 7 show use of an apparatus for wirelessly detecting the presence of a power line network, according to embodiments of the present invention;

Figures 8a and 8b show exemplary frequency spectra of electromagnetic signals emitted by a power line network for different power line network adaptors;

Figure 9 shows an apparatus for wirelessly detecting the presence of a power line network, according to another embodiment of the present invention;

Figure 10 is a flow chart showing operation of the apparatus shown in Figure 9;

Figure 11 shows an apparatus for wirelessly detecting the presence of a power line network, according to another embodiment of the present invention;

Figure 12 is a flow chart showing operation of the apparatus shown in Figure 11 ;

Figure 13 shows the components of the wireless power line communication receiver shown in Figure 11 ;

Figures 14 and 15 show embodiments of the identifier extraction module shown in Figure 11.

Power line networks use electrical wiring to carry both data and electrical power. As well as such power lines permitting legitimate users to network devices connected to the power lines, they may also enable malicious users to construct networks that could go unnoticed in buildings which are increasingly populated by small, anonymous, electronic devices. For example, an attacker may be able to establish a free, unmonitored network on a power line circuit simply by installing a rogue adaptor that taps into the existing electrical circuitry.

As will now be described, embodiments of the present invention provide an apparatus for detecting the operation of power line networks so that any such networks which have been installed illegitimately may be detected and the appropriate remedial action taken.

Figures 1a and 1b show a device 1 that may be installed and used to set up a (e.g. unauthorised) power line network. Figure 1a shows the components that the device 1 comprises. The device 1 is a single board power line networking implementation and includes a Technomate TM-200 HP power line adaptor 2 which is attached to the two lines of a power cable 4 (the“power lines”) via short leads 6 and insulation piercing crimp connectors 8 that are rated for mains voltages and wire sizes.

The adaptor 2 is also connected, from its RJ45 port, to a section of category-5 (cat- 5) computer network cable 10 via a cat-5 punchdown jack 12. This is done by removing the outer sheath of the cat-5 cable 10 to reveal the data wires 13 and punching down the data wires 13 into the jack 12.

Figure 1b shows the device 1 installed within a section of cable trunking 14, e.g. as an attacker may do to set up a power line network on an existing power line. The cable trunking 14 has been undipped to reveal the power lines 4 and the data wires 13 of the data (cat-5) cable 10. The data wires 13 of the cat-5 cable 10 and the power lines 4 are tapped into as shown in Figure 1a, though in Figure 1 b the two power lines 4 are already separated.

To conceal the device 1 having been installed, the cover of the cable trunking 14 may be replaced such that the device 1 is hidden in the cable cavity. As will be appreciated, with proper installation, there may be no interruption in either the data or the power connections, such that a user of these services could be unaware of the device 1 having been installed. The device 1 shown in Figures 1a and 1 b is a relatively advanced way of covertly setting up a power line network. It will be appreciated that a similar power line network may also be established on an existing power line simply by plugging an adaptor into a mains socket, e.g. in a hidden location.

Once installed, the device 1 is powered from the mains connection through the power lines 4 and is able to provide passive monitoring of data traffic in the cat-5 data cable 10, which may be forwarded via the power line network that has been set up, in perpetuity. A similar device, e.g. connected to a data logger or a transmitter, may then be connected to a different part of the power line circuit in order to record or transmit the data traffic. The dominant standardised broadband local area network power line

communication technologies are the HomePlug and G.hn families, which were ratified in the IEEE1901 and ITU G.9960 standards respectively. Such standards employ a power spectral density mask, as shown in Figure 2.

Figure 2 shows the expected spectrum usage for a standards-compliant power line network. This spectral mask 21 (the standard mask defined in the HomePlug specification and IEEE1901 standard) is hardcoded into power line adaptors (e.g. such as the adaptor 2 shown in Figures 1a and 1b). The spectral mask 21 creates gaps in the spectral usage corresponding to amateur radio bands. It is this spectral mask 21 that is a signature of the operation of a power line network and should be visible in the emissions spectrum from a power line network.

Figure 3 shows schematically an apparatus 31 for wirelessly detecting the presence of a power line network, according to an embodiment of the present invention. Two variants of the apparatus 31 are shown, a unit 32 for operating in the frequency domain and a unit 33 for operating in the time domain. An apparatus 31 according to an embodiment of the present invention may include either or both of these units 32, 33.

The apparatus 31 shown in Figure 3 may, for example, be implemented in one of the two ways shown in Figures 6 and 7. Figures 6 and 7 show use of an apparatus for wirelessly detecting the presence of a power line network, according to embodiments of the present invention. Figure 6 shows the apparatus 31 embodied as a portable device which can be held by a user 71. In this embodiment the user 71 can carry the apparatus 31 around a room or a building to investigate the presence of a power line data communication which may be operating on the electrical distribution network.

Figure 7 shows the apparatus 31 embodied as a wall mounted“sentinel” device. In this embodiment the apparatus 31 acts passively to detect the presence of a power line data communication which may be operating on the electrical distribution network in the room or building. ln each of the embodiments shown in Figures 6 and 7, the apparatus 31 includes the components shown schematically in Figures 3 and/or 9. Operation of the apparatus 31 using the frequency domain unit 32 shown in Figure 3 will be described with reference to the flow chart of Figure 4.

As shown in Figure 3, the apparatus 31 includes an electrically short, unmatched, wire antenna 34 arranged to detect an electromagnetic emission (e.g. from the power line network) at short range in a normal office environment (step 101 , Figure 4).

The antenna 34 is connected to an automatic gain control (AGO) circuit 36 with a long time constant. This provides a consistent level for processing irrespective of the received signal amplitude. The AGC circuit 36 is connected to both (or either) of the frequency domain unit 32 and the time domain unit 33, which are each arranged to process the received signals.

The antenna 34 and the AGC circuit 36 (i.e. the analogue front end and analogue- to-digital converter blocks) are implemented using a Universal Software Radio Peripheral (USRP) software defined radio (SDR) which includes a UBX

daughterboard that permits it to be tuned to the low frequencies required. The SDR is tuned to a centre frequency 16.68 MHz, with the electromagnetic signals being collected with a bandwidth of 33.3 MHz. These values were chosen to collect frequencies in the range 2 MHz to 28 MHz, as used in the HomePlug AV standard.

It should be noted that different standards will define their own range of signalling frequencies. When the apparatus 31 is used to collect data for different standards, a different range of frequencies will need to be detected. The apparatus 31 simply needs to collect the whole of the bandwidth used for the signalling frequencies for the relevant standard.

The signals collected by the antenna 34 are pre-amplified before entering the frequency and time domain units 32, 33 by means of a low-noise amplifier (which can be performed by the AGC circuit 36 alone or by a separate amplifier). The frequency and time domain units 32, 33 are implemented using a GNU Radio flowgraph. This forms a digital signal processor to process the captured signals (using software in the GNU Radio flowgraph). Alternatively, the processing of the captured signals could be implemented fully or partially in hardware.

The frequency domain unit 32 is arranged to detect the presence of the distinctive spectral mask 21 (e.g. as shown in Figure 2), which is implemented by a standards- compliant power line adaptor. As will be described, the frequency domain unit 32 is arranged to analyse the signal detected by the apparatus 31 over a short time period, using signals collected across that period. The analysis performed by the frequency domain unit 32 computes a score which indicates the presence or absence of a power line network.

The time domain unit 33 is arranged to detect a preamble section which is included at the start of every PPDU transmitted over a standards-compliant power line network. The preamble is designed to have a particular structure and thus is likely to be detectable even in adverse (e.g. high noise) conditions. The preamble structure has, for example, either nine or ten repetitions of equal, known length. As will be described, the time domain unit 33 is arranged to analyse the signal detected by the apparatus 31 continuously. The results may be used directly, or combined over the same time period to obtain synchronous results. As with the frequency domain analysis, the analysis performed by the time domain unit 33 computes a score which indicates the presence or absence of a power line network.

The frequency domain unit 32 implements a band pass filter 38 (e.g. operating at 2 - 28 MHz) which is arranged to pass the frequencies (e.g. 2 - 28 MHz) used by the power line network standards. The output of the band pass filter 38 is passed to a short term Fourier transform (STFT) 40 arranged to compute the STFT of the filtered signal over a brief period (t = 1/F, where F is the STFT frame rate in Hz) at regular intervals (step 102, Figure 4). The STFT rate is, e.g., 120 Hz, with peaks being tracked over a period of, e.g., 1 s. The STFT has a width of, e.g., 16,384 frequency bins, with the band pass filter rejecting bins that were outside the

HomePlug AV bandwidth (970 bins below 2 MHz and 2,622 above 28 MHz). The remaining bins are passed along the processing chain of the frequency domain unit 32. The STFT provides an approximation of the power spectral density across multiple frequency bins. A signal power module 42 is arranged to calculate the power of the filtered and transformed signal (step 103, Figure 4).

The frequency domain unit 32 includes a windowing module 44 arranged to split the filtered bandwidth into multiple windows (step 104, Figure 4). This combats the effects of highly-variable radiation across the full bandwidth. The window size is taken as the smallest size for which the spectral mask used by the standard has a change of amplitude in every window. The windowed output in then passed, per window, to a point-biserial correlation module 46. This calculates the point-biserial correlation coefficient within each window (step 105, Figure 4). This is a correlation measure specifically designed for comparing continuous values (here, the signal powers) against binary classifications (here, the two expected signal levels in the spectral mask).

A mean module 48 then calculates the mean of the correlation coefficients output from the point-biserial correlation module 46 (step 106, Figure 4). The mean is used as a score for the presence of a power line adaptor. A threshold module 50 then applies a threshold, a (step 107, Figure 4), with a mean above the threshold taken to indicate that the detected signal is sufficiently similar to the template of the spectral mask (step 108, Figure 4). This is then considered to be a positive detection of a power line adaptor. The threshold module 50, here implemented in software, thus acts as a microprocessor to make this final decision. When a positive detection of a power line adaptor has been made, an alarm may be activated (step 109, Figure 4).

Operation of the apparatus 31 using the time domain unit 33 shown in Figure 3 will be described with reference to the flow chart of Figure 5.

Additionally or alternatively to the analysis performed by the frequency domain unit 32, the time domain unit 33, after receiving the detected electromagnetic signal (step 111 , Figure 5), implements a signal power module 52 which is arranged to calculate the power of the signal received from the AGO circuit 36 (step 112, Figure 5). The signal is then passed through a moving average low-pass filter 54 to reduce noise from the detected electromagnetic signal (step 113, Figure 5). The moving average used is short relative to the preamble length, such that it does not have a large impact on the structure of the signal.

The signal is then passed to a threshold module 56 which applies a threshold to the signal to exclude baseline noise (step 114, Figure 5). When the signal exceeds the threshold applied by the threshold module 56, the remaining signal is passed to a finite impulse response (FIR) filter 58 which acts as a matched filter (this is because the FIR filter 58 has an impulse response that matches a time-reversed copy of the expected preamble from a pre-loaded template) (step 115, Figure 5). A matched filter is good at separating a known signal from white noise. This serves to make preambles far more distinct from the background and therefore easier to classify, thus helping to pull weak radiated emissions out of the noise, for example.

A peak detection module 60 runs a peak detection algorithm on the output from the FIR filter 58 to find potential preambles (step 116, Figure 5). For each peak detected, a section of the signal the length of a preamble is passed through an autocorrelation function module 62 which applies an autocorrelation function (step 117, Figure 5). The autocorrelation function module 62 uses a, e.g., 900 sample maximum lag for the autocorrelation function and searches for, e.g., 4 pairs of peaks and troughs in the output from the peak detection module 60. Again, the values used here are configurable depending on the standard being targeted.

The preamble structure has, e.g., nine or ten repetitions of equal, known length.

The result of the autocorrelation function is tested at these known intervals by a testing module 64. The testing module 64, here implemented in software, thus acts as a microprocessor to make this final decision.

A genuine preamble displays a strong correlation to a copy of itself shifted by the known interval and a strong negative correlation to a copy of itself shifted by half the interval. If the output from the autocorrelation function displays positive and negative values at these points (step 118, Figure 5), then the time domain unit 33 can conclude with confidence that a preamble has been detected. When a positive detection of a preamble (and thus a power line adaptor has been made), an alarm may be activated (step 119, Figure 5). Figure 8a shows an exemplary frequency spectrum of an electromagnetic signal emitted by a power line network (using a TP-Link TL-PA511 power line adaptor) and detected (e.g. at short range in a normal office environment) using the apparatus 31 shown in Figure 3. This shows the distinctive emissions of the power line network as detected. Contrasting Figure 8a with Figure 2 shows the

comparative weakness of lower-frequency signals and particular drops around 11 MHz, from 14-18 MHz and around 22.5 MHz.

Figure 8b shows exemplary smoothed frequency spectra of electromagnetic signal emitted by a power line network implemented by different power line network adaptors. The spectra are shown for the TP-Link TLPA511 , TP-Link TL-WPA281 and Technomate TM-200 HP adaptors (all HomePlug AV adaptors), and the Sumvision SVW1000 (Home-Plug AV2) adaptor. This shows that the emission spectra are fairly consistent between adaptors with little difference in their patterns, showing that the apparatus 31 is able to determine the presence of a power line network regardless of the type of adaptor being used to set up the network (owing to the common spectral mask or communication protocol used according to a standard).

It should be noted that the spectra shown in Figures 8a and 8b are the results from only a single deployment of each power line adaptor and do not necessarily characterise such adaptors. Even with the same adaptors the spectra may be different in a different environment, e.g. owing to different building wiring, etc..

Figure 9 shows schematically an apparatus 131 for wirelessly detecting the presence of a power line network, according to another embodiment of the present invention. As with the time domain unit shown in Figure 3, the apparatus 131 shown in the embodiment of Figure 9 operates in the time domain. Operation of the apparatus 131 using the time domain unit shown in Figure 9 will be described with reference to the flow chart of Figure 10.

In a similar manner to the apparatus shown in Figure 3, the apparatus 31 shown in Figure 9 includes an electrically short, unmatched, wire antenna 134 arranged to detect an electromagnetic emission (e.g. from the power line network) at short range in a normal office environment (step 171 , Figure 10). The antenna 134 is connected to an automatic gain control (AGC) circuit 136 with a long time constant. The AGC circuit 136 is connected to a time domain unit 133, which are each arranged to process the received signals.

In this embodiment, the time domain unit 133 is arranged to detect the timing structure of the data signals transmitted over the power line network, e.g. of the PPDUs. At its simplest the time domain unit 133 measures how long there is a transmission on the power line network and calculates whether that duration matches the constraints of a valid transmission, within some error tolerance.

Similarly to the time domain unit 31 shown in Figure 3, the time domain unit 133 in the embodiment shown in Figure 9 implements a signal power module 152 which is arranged to calculate the power of the signal received from the AGC circuit 136 (step 172, Figure 10). The signal is then passed through a moving average low- pass filter 154 to reduce noise from the detected electromagnetic signal (step 173, Figure 10). The moving average used is short relative to the preamble length, such that it does not have a large impact on the structure of the signal.

The signal is then passed to a threshold module 156 which applies a threshold to the signal to exclude baseline noise (step 174, Figure 10). When the signal exceeds the threshold applied by the threshold module 156, the remaining signal is passed to a timing module 158 which begins timing (e.g. by way of a real-time clock or by counting samples from the AGC circuit 136 acting as an analogue to digital converter). The timing continues until the power level falls below the threshold of the threshold module 156 (step 175, Figure 10).

Once the timing is complete, the apparatus 131 compares the measured time (A eiapse ) against the valid, known timings for the targeted technology (e.g. PPDUs for the standard under investigation). The length of the data signal (i.e. of a

transmission unit) measured first has the duration (A deiimiter ) of any preamble and header information removed by a subtraction module 160 (step 176, Figure 10). For example, in the HomePlug AV standard, this is the preamble, the (optional) legacy frame control section and the main HomePlug AV frame control section, along with the duration any fixed size elements (A fixed ) that are known a priori. With these known elements removed, the amount of elapsed time remaining (Available = A eiapse - Adeiimiter - Afixed) for the transmitted data signal detected will depend on the quantity of data being communicated, from zero up to a maximum noted in the standard. The remaining time is divided by the duration of a single symbol, s, by a division module 162. Standards may define more than one possible value for a single symbol, from the set S. The remaining time is divided by each possibility of the single symbol, by the division module 162 (step 177, Figure 10), to produce a set of possible transmission lengths, L: l(s ) = D variable

L = { l(s ): s e S)

Similarly, the division module 162 returns the remainder, r, of each division calculated, which is used to calculate a distance measure, d. Values of this distance measure represent how much the timing over-runs or under-runs a symbol boundary and thus how closely the measured time matches a transmission of /- many symbols with each symbol having duration s. This is again computed for each value of s, to produce the set D: r(s) D variable mod s

d(s) = min(r(s), |s— r(s) |)

D = {d(s): s e S)

These distance values in the set D are then compared, by a minimum module 164, which determines the minimum value in the set D (step 178, Figure 10). The minimum value in the set D is then passed to a threshold module 166 which compares the minimum distance to a threshold which represents the minimum deviation from a symbol boundary (owing to measurement error) that is acceptable (step 179, Figure 10). If the minimum distance is below the minimum threshold (step 180, Figure 10), then the threshold module 166 concludes that the signal represents a PPDU data signal with length / (or / plus the number of symbols in the fixed size elements, if any exist) and symbol time s. When a positive detection of a PPDU data signal has been made, an alarm may be activated (step 181 , Figure 10). If no distance is below the threshold then the measurement is determined to not represent a power line network communication and is discarded.

Figure 11 shows schematically an apparatus 201 for wirelessly detecting the presence of a power line network, according to another embodiment of the present invention. The apparatus 201 includes an antenna 202 and a (e.g. software defined) radio 203 which implements various units and modules, e.g. as described in relation to Figures 3 and 9.

The apparatus 201 includes a detection unit 204 for detecting the presence of a power line communication. This detection unit 204 includes a number of time or frequency domain units, e.g. a frequency domain unit 205 (such as shown in Figure 3), a first time domain unit 206 (such as shown in Figure 3) and a second time domain unit 207 (such as shown in Figure 9), as well as other units 208 that performs other methods of detecting the power line communication.

These units 205-208 may each output their own detection of a power line communication. The detection unit 204 also includes a combining module 209 for combining the detection of a power line communication from each of the individual units 205-208. The combining module 209 may therefore output a combined determination of a detection of a power line communication, using the

determinations of the detections of a power line communication by the individual units 205-208.

The apparatus 201 also includes a reception unit 210 that is arranged to recover messages and to extract identifiers from detected electromagnetic signals that have been determined to have been emitted by a power line communication. The reception unit 210 includes a wireless power line communication receiver 211.

The wireless power line communication receiver 211 includes a message recovery module that is arranged to recover messages (e.g. PPDUs) from the detected electromagnetic signal. This will be described in more detail with reference to Figure 13. The reception unit 210 also includes an identifier extraction module 212 that is arranged to extract identifiers from the messages that have been recovered. This will be described in more detail with reference to Figures 14 and 15. The messages recovered and the extracted identifiers may be output by the reception unit 210.

The apparatus 201 also includes a verification module 213 that is arranged to determine whether the messages recovered and the extracted identifiers are from a known or expected power line network or communication station. The verification module 213 stores a set of known (valid) identifiers 214, and compares these against the identifiers extracted by the identifier extraction module 212 to determine whether or not the extracted identifiers are associated with a known or expected power line network or communication station.

A management interface 234 selects the identifiers to be extracted and edits the list of known identifiers 213 (for networks or individual stations) that are considered “safe”.

The determination of whether or not the extracted identifiers are associated with a known or expected power line network or communication station may be output by the verification module 213.

Operation of the apparatus 201 shown in Figure 11 will now be described with reference to Figure 12. Figure 12 shows a flow chart detailing the main steps of operation of the apparatus 201 shown in Figure 11.

First, a detected electromagnetic signal is received (step 301 , Figure 12) and the time or frequency domain methods (e.g. outlined above with respect to Figures 2-9) are applied by the various time and frequency domain modules 205-208 to determine whether the electromagnetic signal has been emitted by a power line communication (step 302, Figure 12). At this stage, the result of these methods (e.g. the likelihood of the detected electromagnetic signal having been emitted by a power line communication) may be output.

Using the likelihoods determined by the various time and frequency domain modules 205-208, these results can be combined, using the combining module 209, to produce a combined likelihood that the electromagnetic signal has been emitted by a power line communication (step 303, Figure 12). This combined likelihood may be output.

The combined likelihood is then used to make a decision as to whether the detected electromagnetic signal has been emitted by a power line communication (step 304, Figure 12). If the detected electromagnetic signal has determined to have been emitted by a power line communication, the detected electromagnetic signal is processed by the message recovery module of the wireless power line communication receiver 211 to recover messages (e.g. PPDUs) from the detected electromagnetic signal (step 305, Figure 12). This will be described in more detail with reference to Figure 13. The recovered messages may be output.

The recovered messages are used by the identifier extraction module 212 to extract identifiers (step 306, Figure 12). This will be described in more detail with reference to Figures 14 and 15. The extracted identifiers may be output.

Any identifiers extracted are compared, by the verification module 213, to known, valid identifiers associated with known or expected power line networks or communication stations (step 307, Figure 12). This allows the verification module 213 to determine whether the identifiers are valid and thus whether the messages recovered and the extracted identifiers are from a known or expected power line network or communication station (step 308, Figure 12). The determination of the validity of the extracted identifiers may be output. When the determination indicates that the identifiers are not from a known or expected power line network or communication station, an alarm is activated (step 309, Figure 12).

Figure 13 shows the components of the wireless power line communication receiver 211 , including a message recovery module, shown in Figure 11. The raw signals are first collected by an electromagnetic antenna 215 (e.g. the same antenna 202 as shown in Figure 11). The signals may be amplified if necessary and are then filtered to the band of interest and digitised.

A frame detection module 216 detects the PPDUs, which can be performed by a variety of methods, including naive power detectors, a double sliding-window power detector, a delay-and-correlate algorithm and the autocorrelation method outlined above with reference to Figure 3. A time sync module 217 correlates the preamble of the PPDUs against the known structure of that preamble, providing sample- accurate alignment.

A CPO, SCO and channel estimation module 218 corrects for the carrier phase offset (CPO) and the sampling clock offset (SCO), and performs channel estimation, assessing the gain and phase alterations that have been experienced by the signal owing to the propagation environment.

A CP and FFT module 219 removes the cyclic prefix (CP) for the symbol and correction for the channel effects at each subcarrier, and then performs a fast Fourier transform (FFT). A demodulation (“demod”) module 220 uses the FFT to demodulate the signal in the frequency domain.

The demodulated signal may then be post-processed. First, a de-interleave module 221 combines demodulated soft bits where redundancy schemes are being used. They are then rearranged in read-by-row-write-by-column fashion to undo the channel interleaving process. An FEC module 222 applies FEC decoding to produce hard decisions about the bit values, producing codewords and then recovering the original transmitted bits from the codewords. Finally, an unscramble module 223 unscrambles the bits by XORing with the same generator polynomial used in the transmitter to recover the original sequence. This then allows the recovered message 224 to be output (e.g. in either a raw or decrypted format).

Figure 14 shows one embodiment of the identifier extraction module 212 shown in Figure 11. The identifier extraction module 212 receives a message 224 (e.g. recovered from the detected electromagnetic signal by the wireless power line communication receiver 211). The identifier extraction module 212 the consults a stored configured list of fields 225 (e.g. that contain useful identifiers to extract) and then extracts the identifiers 227 by reading the identifiers from the fields in the message 224 (step 226).

Figure 15 shows another embodiment of the identifier extraction module 212 shown in Figure 11. The identifier extraction module 212 receives a message 224 (e.g. recovered from the detected electromagnetic signal by the wireless power line communication receiver 211) or the detected electromagnetic signal 228 itself.

Using an identifier extraction process from a configured list of identifier extraction processes 229, the identifier extraction module 212 applies the process (step 230) to compute an identifier 231. One such process is to attempt to decrypt the message using a known encryption key; success or not tells you whether it was part of the network that encryption key belongs to. Another process is to compute the identifier by running tests on the properties of the detected electromagnetic signal 228, e.g. to compute a carrier phase offset (CPO) value from the process of recovering the message. This allows an inference to be made as to which transmitter the electromagnetic signal was sent from.

With the approaches outlined in Figures 14 and 15, the approaches could be configured (e.g. by using a different field or applying a different process) based on the network specification, for example.

It will be seen from the above that in at least preferred embodiments, the present invention provides an apparatus for and a method of detecting a power line network which is able to detect the power line network wirelessly by comparing an electromagnetic signal emitted by the power line network to an expected pattern in the frequency or time domain components of the signal. This helps to allow the detection of rogue devices that may have been installed to set up a power line network, thus helping to provide security testing and on-going monitoring of premises by the individual or organisation operating there.