Systems and methods for detecting suspicious microcontroller messages

US 10,193,903 B1
Filed: 04/29/2016
Issued: 01/29/2019
Est. Priority Date: 04/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting suspicious microcontroller messages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

observing a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;

identifying a message sent over the network by the microcontroller;

determining that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;

categorizing the message as a suspicious message in response to determining that the interval does not comprise the typical interval; and

performing a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at the computing device, wherein the computing device is in communication with the network utilized by the microcontroller and wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting suspicious microcontroller messages may include (1) observing a typical interval at which messages are sent over a network by a microcontroller, (2) identifying a message sent over the network by the microcontroller, (3) determining that the interval between the message and the previous message sent by the microcontroller does not comprise the typical interval, and (4) categorizing the message as a suspicious message in response to determining that the interval does not comprise the typical interval. Various other methods, systems, and computer-readable media are also disclosed.

70 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting suspicious microcontroller messages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- observing a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;
  
  identifying a message sent over the network by the microcontroller;
  
  determining that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;
  
  categorizing the message as a suspicious message in response to determining that the interval does not comprise the typical interval; and
  
  performing a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at the computing device, wherein the computing device is in communication with the network utilized by the microcontroller and wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein observing the typical interval comprises observing a typical variation from the typical interval.
  - 3. The computer-implemented method of claim 1, wherein:
    - identifying the message comprises identifying both a first message and a second message sent over the network by the microcontroller;
      
      determining that the interval between the message and the previous message does not comprise the typical interval comprises determining that an interval between the second message and the previous message is closer to the typical interval than an interval between the first message and the previous message;
      
      categorizing the message as the suspicious message comprises categorizing the first message as the suspicious message in response to determining that the interval between the second message and the previous message is closer to the typical interval than the interval between the first message and the previous message.
  - 4. The computer-implemented method of claim 1, wherein:
    - identifying the message comprises identifying both a first message and a second message sent over the network by the microcontroller;
      
      determining that the interval between the message and the previous message does not comprise the typical interval comprises;
      
      determining that both an interval between the first message and the previous message and an interval between the second message and the previous message fall within a predetermined threshold of closeness to the typical interval;
      
      identifying an additional message sent over the network by the microcontroller after the first message and the second message;
      
      determining that an interval between the second message and the additional message is closer to the typical interval than an interval between the first message and the additional message;
      
      categorizing the message as the suspicious message comprises categorizing the first message as the suspicious message in response to determining that an interval between the second message and the additional message is closer to the typical interval than an interval between the first message and the additional message.
  - 5. The computer-implemented method of claim 1, wherein identifying the message sent over the network by the microcontroller comprises determining that the message comprises a microcontroller identifier of the microcontroller.
  - 6. The computer-implemented method of claim 1, wherein the microcontroller comprises an electronic control unit.
  - 7. The computer-implemented method of claim 1, wherein the network comprises a controller area network.
  - 8. The computer-implemented method of claim 1, wherein the microcontroller sends the messages to a system that is part of a motor vehicle.
  - 9. The computer-implemented method of claim 1, wherein the spoofed message comprises a message labeled with a controller area network identifier.

10. A system for detecting suspicious microcontroller messages, the system comprising:
- an observation module, stored in memory, that observes a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;
  
  an identification module, stored in memory, that identifies a message sent over the network by the microcontroller;
  
  a determination module, stored in memory, that determines that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;
  
  a categorization module, stored in memory, that categorizes the message as a suspicious message in response to determining that the interval does not comprise the typical interval, wherein the categorization module further performs a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at a computing device in communication with the network utilized by the microcontroller, wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller; and
  
  at least one physical processor configured to execute the observation module, the identification module, the determination module, and the categorization module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the observation module observes the typical interval by observing a typical variation from the typical interval.
  - 12. The system of claim 10, wherein:
    - the identification module identifies the message by identifying both a first message and a second message sent over the network by the microcontroller;
      
      the determination module determines that the interval between the message and the previous message does not comprise the typical interval by determining that an interval between the second message and the previous message is closer to the typical interval than an interval between the first message and the previous message;
      
      the categorization module categorized the message as the suspicious message by categorizing the first message as the suspicious message in response to determining that the interval between the second message and the previous message is closer to the typical interval than the interval between the first message and the previous message.
  - 13. The system of claim 10, wherein:
    - the identification module identifies the message by identifying both a first message and a second message sent over the network by the microcontroller;
      
      the determination module determines that the interval between the message and the previous message does not comprise the typical interval by;
      
      determining that both an interval between the first message and the previous message and an interval between the second message and the previous message fall within a predetermined threshold of closeness to the typical interval;
      
      identifying an additional message sent over the network by the microcontroller after the first message and the second message;
      
      determining that an interval between the second message and the additional message is closer to the typical interval than an interval between the first message and the additional message;
      
      the categorization module categorizes the message as the suspicious message by categorizing the first message as the suspicious message in response to determining that an interval between the second message and the additional message is closer to the typical interval than an interval between the first message and the additional message.
  - 14. The system of claim 10, wherein the identification module identifies the message sent over the network by the microcontroller by determining that the message comprises a microcontroller identifier of the microcontroller.
  - 15. The system of claim 10, wherein the microcontroller comprises an electronic control unit.
  - 16. The system of claim 10, wherein the network comprises a controller area network.
  - 17. The system of claim 10, wherein the microcontroller sends the messages to a system that is part of a motor vehicle.
  - 18. The system of claim 10, wherein the spoofed message comprises a message labeled with a controller area network identifier.

19. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- observe a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;
  
  identify a message sent over the network by the microcontroller;
  
  determine that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;
  
  categorize the message as a suspicious message in response to determining that the interval does not comprise the typical interval; and
  
  perform a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at the computing device, wherein the computing device is in communication with the network utilized by the microcontroller and wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the spoofed message comprises a message labeled with a controller area network identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bajpai, Vishal, Agarwal, Preeti
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Doan, Huan V

Application Number

US15/143,284
Time in Patent Office

1,005 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Systems and methods for detecting suspicious microcontroller messages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting suspicious microcontroller messages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links