Building a Home Network Intelligence Platform

As an IT professional, I've seen how information silos create massive blind spots in security analysis and fault detection. Recently, I've been working on a project to tear down these barriers by centralizing data into a unified intelligence platform. What started as professional curiosity turned into a real eye-opener about what my home network was actually doing.

The Architecture

I started by spinning up an ELK stack (Elasticsearch, Logstash, Kibana) running on containers in my Docker lab. This is the backbone of the platform: it ingests, processes, and visualizes large volumes of network telemetry.

Modern home networks are insane when you think about it. Beyond the usual computers and phones, my network hosts everything from internet-connected washing machines and tumble dryers to smart air conditioners. Each device has its own network chatter, and I wanted to listen in on all of it. I share how you can do the same on git.

Data Collection and Processing

Running open-source firmware on my home router, I configured iptables LOG rules for all forwarded traffic and pointed the router's syslog at my Logstash collector. That gives header-level visibility into every connection entering or leaving my network: the LOG target records addresses, ports, protocol, TCP flags and interfaces for each matching packet, not payloads, which is also what keeps the volume manageable. Pretty sweet setup.

The raw data goes through several transformation stages:

Data Normalization

Using Logstash, I normalized the syslog messages, transforming unstructured log entries into searchable fields within Elasticsearch indices. This standardization is crucial for complex queries and correlations across different data sources.
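The normalization step is easiest to see in code. The block below is an added example, not code from the original project: it does in Python what the Logstash filter does, taking iptables LOG lines as syslog hands them over, flattening the KEY=value body into indexable fields, and working out the flow direction from which side sits inside the LAN. It also decides which address (if any) is worth sending on to GeoIP and reputation lookups, since only the remote, public end of a LAN-to-internet flow can be enriched. The LAN prefix, the log prefixes ("FWD-DROP", "FWD-ACCEPT") and the sample lines are all constructed for the example; the RFC 5737 documentation ranges stand in for public addresses.

```python
import ipaddress
import re

# Assumption for this example: the home LAN is 192.168.1.0/24.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Address ranges that neither GeoIP nor a reputation feed can say anything about.
# The RFC 5737 documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are
# deliberately left out so they can stand in for public addresses in the sample data.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# syslog framing: "<Mon DD HH:MM:SS> <host> kernel: [uptime] <--log-prefix>: KEY=value ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>[A-Za-z0-9_-]+): (?P<body>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens; bare flags such as SYN or DF carry no "="
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def parse_iptables_log(line):
    """Flatten one iptables LOG line into the fields Logstash would index.
    Returns None for syslog lines that are not iptables LOG output."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    kv = dict(KV_RE.findall(body))
    if "SRC" not in kv or "DST" not in kv:
        return None
    src, dst = kv["SRC"], kv["DST"]
    src_lan = ipaddress.ip_address(src) in LAN
    dst_lan = ipaddress.ip_address(dst) in LAN
    if src_lan and not dst_lan:
        direction, remote = "outbound", dst
    elif dst_lan and not src_lan:
        direction, remote = "inbound", src
    elif src_lan and dst_lan:
        direction, remote = "lan", None
    else:
        direction, remote = "transit", None
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "rule": m.group("prefix"),          # the --log-prefix tells you which chain/verdict fired
        "in_if": kv.get("IN", ""),
        "out_if": kv.get("OUT", ""),
        "src_ip": src,
        "dst_ip": dst,
        "proto": kv.get("PROTO", "").lower(),
        "src_port": int(kv["SPT"]) if "SPT" in kv else None,
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
        "ttl": int(kv["TTL"]) if "TTL" in kv else None,
        "tcp_flags": sorted(tok for tok in body.split() if tok in TCP_FLAGS),
        "direction": direction,
        # Only the remote end of a LAN<->internet flow goes to GeoIP and the
        # reputation APIs, and only when it is a routable public address.
        "enrich_ip": remote if remote and is_public(remote) else None,
    }


# Constructed sample lines in the format iptables' LOG target produces via syslog.
SAMPLE_LINES = [
    # an SSH connection attempt from the internet to a LAN host
    "Jan 14 10:22:31 router kernel: [12345.678901] FWD-DROP: IN=eth0 OUT=br0 "
    "MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.45 DST=192.168.1.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    # a LAN device (the TV, say) talking to a cloud endpoint on 443
    "Jan 14 10:22:32 router kernel: [12346.001234] FWD-ACCEPT: IN=br0 OUT=eth0 "
    "SRC=192.168.1.77 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF "
    "PROTO=TCP SPT=40112 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0",
    # a syslog line from another daemon, which the parser must ignore
    "Jan 14 10:22:33 router dnsmasq[512]: query[A] example.com from 192.168.1.20",
]


def normalize(lines):
    return [ev for ev in map(parse_iptables_log, lines) if ev]


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LINES):
        print(ev["direction"], ev["src_ip"], "->", ev["dst_ip"], ev["dst_port"], ev["enrich_ip"])
```

The "rule" field is the cheap win here: giving every iptables rule its own --log-prefix means the dashboard can tell a dropped inbound probe from an accepted outbound session without re-deriving the verdict later.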

Geographic Enrichment

I implemented GeoIP enrichment directly in Logstash, mapping public IP addresses to geographic locations. Processing this early in the pipeline reduces computational overhead and enables real-time geographic visualization. Only the remote, public side of each flow is worth enriching; RFC 1918 addresses on the LAN have no entry in any GeoIP database.

Threat Intelligence Integration

Here's where it gets interesting. I built a Python FastAPI service for VirusTotal and another for AbuseIPDB; both query the provider for IP reputation and return a threat assessment that the pipeline attaches to the event.
Enriching full network visibility with threat information proved valuable.

Mustard dots = Risky Inbound attempts, Pink = Risky Outbound

To handle the query volume efficiently, I put a Redis cache layer in front of both services: a critical optimization that keeps repeated lookups of the same address from burning through the providers' API rate limits while maintaining sub-second response times. Cached verdicts need an expiry, and a clean verdict should expire sooner than a malicious one, so an address that turns bad gets re-checked rather than trusted forever.
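As an added example (not the project's own FastAPI code), here is the lookup-with-cache logic such a service would sit on. Redis is replaced by an in-memory dict that mimics SETEX/GET with per-key expiry so the block runs offline; the AbuseIPDB call uses the v2 /check endpoint and field names as AbuseIPDB documents them, but is not exercised here, and a constructed feed with made-up scores stands in for it. The TTLs, the risk threshold of 50 and the sample addresses are assumptions. Private and other non-routable addresses are answered locally so no quota is spent asking a threat feed about 192.168.x.x.

```python
import ipaddress
import json
import time
import urllib.request

# Cache policy. These TTLs and the risk threshold are assumptions for the example,
# not values from the original setup. A confirmed-bad verdict can live for a day;
# a clean verdict is re-checked sooner, so an address that turns bad does not hide
# behind a stale "clean" entry.
TTL_MALICIOUS = 24 * 3600
TTL_CLEAN = 6 * 3600
RISKY_SCORE = 50          # AbuseIPDB abuseConfidenceScore at or above which we flag

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]  # RFC 5737 test ranges are left out on purpose: they stand in for public IPs below


def abuseipdb_check(ip, api_key, timeout=5):
    """Live provider call against AbuseIPDB's v2 /check endpoint (field names as
    documented by AbuseIPDB; not exercised offline). Returns the same shape as
    the constructed provider below so the cache can wrap either."""
    url = f"https://api.abuseipdb.com/api/v2/check?ipAddress={ip}&maxAgeInDays=90"
    req = urllib.request.Request(url, headers={"Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        data = json.load(resp)["data"]
    return {"score": data["abuseConfidenceScore"], "reports": data["totalReports"], "source": "abuseipdb"}


class ReputationCache:
    """Cache in front of a reputation provider. `store` mimics Redis SETEX/GET with
    per-key expiry so the example runs offline; in production replace it with
    redis.Redis().setex()/get() and keep the policy identical."""

    def __init__(self, provider, clock=time.time):
        self.provider = provider
        self.clock = clock
        self.store = {}            # ip -> (expires_at, verdict)
        self.provider_calls = 0    # what you are actually rate limited on

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NON_ROUTABLE):
            # never spend quota asking a threat feed about 192.168.x.x
            return {"ip": ip, "risky": False, "score": 0, "reports": 0, "source": "local", "cached": False}
        now = self.clock()
        hit = self.store.get(ip)
        if hit and hit[0] > now:
            return dict(hit[1], cached=True)
        verdict = self.provider(ip)
        self.provider_calls += 1
        risky = verdict["score"] >= RISKY_SCORE
        result = {"ip": ip, "risky": risky, **verdict}
        self.store[ip] = (now + (TTL_MALICIOUS if risky else TTL_CLEAN), result)
        return dict(result, cached=False)


# Constructed feed so the example runs without an API key; the scores are made up.
FAKE_FEED = {
    "203.0.113.45": {"score": 100, "reports": 312},
    "198.51.100.9": {"score": 0, "reports": 0},
}


def fake_provider(ip):
    return dict(FAKE_FEED.get(ip, {"score": 0, "reports": 0}), source="constructed")


if __name__ == "__main__":
    cache = ReputationCache(fake_provider)
    for ip in ("203.0.113.45", "203.0.113.45", "192.168.1.20"):
        print(cache.lookup(ip))
    print("provider calls:", cache.provider_calls)
```

A FastAPI route for this is a thin wrapper: validate the address, call `lookup()`, return the dict. The part worth getting right is the policy in `lookup()`, because the cache is also what hides a stale verdict if the TTLs are wrong.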

A risky outbound connection is, for example, my daughter participating in a Discord chat where a link to a "Roblox mod with a backdoor" was posted, or me browsing a site where one of the ads in rotation serves malware. Threat intel is really impressive these days, giving you the ability to discover whether your internet-connected washing machine is part of a DDoS botnet or acting as a surveillance device (such devices are perfect sleepers for professional attackers).

From a Discord chat where this Roblox mod with malware / backdoor was posted.

Visualization and Discovery

With Kibana as my presentation layer, I've created an interactive network map using OpenStreetMap. This isn't just simple traffic visualization; it's a multi-layered intelligence dashboard where I can:

  • View aggregated traffic patterns over time.
  • Highlight risky connections based on threat intel from industry-leading providers.
  • Monitor unusual port activity.
  • Track individual device behaviours (yes, even the washing machine).
  • Identify "slow and stealthy" probers or attackers.
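The last two points are where long retention pays off: a scanner that sends one SYN every few hours never trips a per-minute rate alert, but it does show up if you correlate distinct destination ports per source over days. The block below is an added example (not the project's Kibana query or code) of that detection run over already-normalized inbound events with a parsed datetime; the thresholds, the three-day window and the sample sources are assumptions, and only bare SYNs count so replies and established traffic are ignored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example, not tuned values from the original setup.
MIN_DISTINCT_PORTS = 10           # distinct destination ports before a source counts as a prober
WINDOW = timedelta(days=3)        # how far back to correlate; this is what defeats "slow"
SLOW_GAP = timedelta(minutes=10)  # average spacing above which we label the prober "slow"


def find_probers(events, min_ports=MIN_DISTINCT_PORTS, window=WINDOW):
    """Scan already-normalized inbound events (fields: ts as datetime, src_ip,
    dst_port, direction, tcp_flags) for sources that touch many distinct ports,
    however slowly. Only bare SYNs count, i.e. new connection attempts."""
    by_src = defaultdict(list)
    for e in events:
        if e["direction"] == "inbound" and "SYN" in e["tcp_flags"] and "ACK" not in e["tcp_flags"]:
            by_src[e["src_ip"]].append((e["ts"], e["dst_port"]))

    findings = []
    for src, hits in by_src.items():
        hits.sort()
        best = None
        start = 0
        # sliding window over the time-ordered probes from this source
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > best[0]):
                best = (len(ports), end - start + 1, hits[start][0], hits[end][0], sorted(ports))
        if best is None:
            continue
        n_ports, n_probes, first, last, ports = best
        avg_gap = (last - first) / (n_probes - 1) if n_probes > 1 else timedelta(0)
        findings.append({
            "src_ip": src,
            "distinct_ports": n_ports,
            "probes": n_probes,
            "first_seen": first,
            "last_seen": last,
            "avg_gap_seconds": avg_gap.total_seconds(),
            "profile": "slow" if avg_gap >= SLOW_GAP else "fast",
            "ports": ports,
        })
    return sorted(findings, key=lambda f: f["distinct_ports"], reverse=True)


# Constructed sample: three sources seen over two days.
BASE = datetime(2024, 1, 12, 0, 0, 0)
PORTS = (22, 23, 80, 443, 445, 3389, 8080, 8443, 21, 25, 110, 143)


def _ev(ts, src, port, flags=("SYN",)):
    return {"ts": ts, "src_ip": src, "dst_port": port, "direction": "inbound", "tcp_flags": list(flags)}


SAMPLE_EVENTS = (
    # one SYN every four hours, a different port each time: slow and stealthy
    [_ev(BASE + timedelta(hours=4 * k), "203.0.113.45", p) for k, p in enumerate(PORTS)]
    # the same twelve ports in under three seconds: the noisy kind
    + [_ev(BASE + timedelta(seconds=0.25 * k), "198.51.100.77", p) for k, p in enumerate(PORTS)]
    # a legitimate client reconnecting to one exposed service all day
    + [_ev(BASE + timedelta(minutes=30 * k), "192.0.2.10", 443) for k in range(48)]
)


if __name__ == "__main__":
    for f in find_probers(SAMPLE_EVENTS):
        print(f["src_ip"], f["profile"], f["distinct_ports"], "ports, avg gap", f["avg_gap_seconds"], "s")
```

The legitimate client makes more connections than either scanner but touches one port, so it never appears; the two scanners are reported with the same port count and differ only in the gap between probes, which is the field to sort on when hunting the patient ones.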

What I Actually Found

The initial results were pretty disturbing, honestly. Within hours of analyzing the data, I discovered something about my Samsung TV that made me want to throw it out the window. The default configuration was scanning whatever was displayed on screen and transmitting this information over the internet: Samsung's Automatic Content Recognition (ACR) service, apparently. This level of data collection, happening completely silently in the background, prompted me to yank the TV off my network immediately. All smart TVs do this; someone needs to write about the topic and give it more attention.

Samsung TV, last 3 days. The square means more than 10k connections.
This really drove home a point: we have absolutely no clue what our "smart" devices are sharing about us.
My washing machine's internet chatter might seem harmless, but without visibility, how can we be sure? We can't.

The Value of Long-term Analysis

Collecting detailed network telemetry over extended periods reveals patterns you'd never catch with spot checks. It's not just about security; it's about understanding:

  • How we actually use the internet vs. how we think we use it
  • Which devices are chattiest when we're not even using them
  • What services our IoT devices are really connecting to
  • Where in the world our data is traveling (and trust me, it goes places)
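The second and third points, and the TV finding above, come down to one query: what does each device normally talk to, and what changes when nobody is using it. The block below is an added example (not the project's code) that learns a per-device destination baseline from the first week of outbound connection attempts and then reports, per device, total connections, connections during an assumed idle window (01:00 to 05:59) and destinations never seen during the learning week. The three devices, their addresses and the ten days of events are constructed, with the TV set up to start contacting a new endpoint at night from day 8; events are assumed to be one per new connection attempt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_HOURS = range(1, 6)   # 01:00-05:59; assumed "nobody is using anything" window


def build_baseline(events, learn_until):
    """Which (dst_ip, dst_port) pairs each LAN device talked to before `learn_until`.
    Events are normalized outbound connection attempts with ts (datetime), src_ip,
    dst_ip, dst_port and direction."""
    baseline = defaultdict(set)
    for e in events:
        if e["direction"] == "outbound" and e["ts"] < learn_until:
            baseline[e["src_ip"]].add((e["dst_ip"], e["dst_port"]))
    return baseline


def device_report(events, baseline, since):
    """Per-device totals after `since`: how much it talks, how much of that happens
    while the house is asleep, and which destinations it never used before."""
    stats = defaultdict(lambda: {"connections": 0, "idle_connections": 0, "new_destinations": set()})
    for e in events:
        if e["direction"] != "outbound" or e["ts"] < since:
            continue
        s = stats[e["src_ip"]]
        s["connections"] += 1
        if e["ts"].hour in IDLE_HOURS:
            s["idle_connections"] += 1
        dest = (e["dst_ip"], e["dst_port"])
        if dest not in baseline.get(e["src_ip"], set()):
            s["new_destinations"].add(dest)   # a device with no baseline at all lands here wholesale
    # chattiest-while-idle first: those are the devices worth a closer look
    return sorted(stats.items(), key=lambda kv: kv[1]["idle_connections"], reverse=True)


# Constructed sample: ten days of outbound connection attempts from three devices.
BASE = datetime(2024, 1, 1)
LEARN_UNTIL = BASE + timedelta(days=7)   # first week is the learning period


def _ev(ts, src, dst, port):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "dst_port": port, "direction": "outbound"}


def sample_events():
    events = []
    for day in range(10):
        d = BASE + timedelta(days=day)
        events.append(_ev(d + timedelta(hours=20), "192.168.1.77", "198.51.100.9", 443))   # TV, evening, its usual CDN
        events.append(_ev(d + timedelta(hours=3), "192.168.1.30", "192.0.2.50", 8883))     # washer, nightly check-in
        events.append(_ev(d + timedelta(hours=19), "192.168.1.20", "192.0.2.80", 443))     # laptop, browsing
        if day >= 7:
            # from day 8 the TV starts talking to an endpoint never seen in the learning week, at 03:00
            for minute in range(0, 60, 10):
                events.append(_ev(d + timedelta(hours=3, minutes=minute), "192.168.1.77", "203.0.113.200", 443))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for device, s in device_report(evs, build_baseline(evs, LEARN_UNTIL), LEARN_UNTIL):
        print(device, s["connections"], "connections,", s["idle_connections"], "while idle,",
              "new:", sorted(s["new_destinations"]))
```

The washer's nightly check-in is in its baseline, so it ranks low even though it also talks at 03:00; the TV ranks first because most of its traffic now happens while idle and goes somewhere it never went before. Re-learn the baseline periodically, or a firmware update that legitimately changes endpoints will page you forever.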


What's Next

I've wrapped up the network monitoring component, but next I'm diving deeper into analysis of individual computers and containers. The goal is comprehensive security posture assessment spanning from network traffic to system-level events.

This project started as a technical exercise but turned into a real privacy wake-up call. In an age where every appliance wants internet access, understanding what they're saying about us isn't just interesting, it's absolutely essential.

Ever wondered what your smart devices are really up to when you're not looking? The tools to find out are more accessible than you'd think. Sometimes ignorance isn't bliss; it's just another vulnerability waiting to bite you.