Systems and methods for detecting suspicious microcontroller messages
Abstract
The disclosed computer-implemented method for detecting suspicious microcontroller messages may include (1) observing a typical interval at which messages are sent over a network by a microcontroller, (2) identifying a message sent over the network by the microcontroller, (3) determining that the interval between the message and the previous message sent by the microcontroller does not comprise the typical interval, and (4) categorizing the message as a suspicious message in response to determining that the interval does not comprise the typical interval. Various other methods, systems, and computer-readable media are also disclosed.
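The timing rule and the hold-then-discard action recited in claim 1 can be sketched as follows. This is an added example, not code from the patent or its assignee; the names `IntervalMonitor` and `learn_interval`, the `max_delay` and `tol` thresholds, and the trace are assumptions constructed for illustration.

```python
from statistics import median

# Hypothetical names and thresholds; none of them come from the patent text.
def learn_interval(timestamps):
    """Typical interval (ms) from a clean capture; a late frame and the
    shortened interval that follows it cancel out in the median."""
    return median(b - a for a, b in zip(timestamps, timestamps[1:]))

class IntervalMonitor:
    def __init__(self, target, max_delay=20.0, tol=2.0):
        self.target, self.max_delay, self.tol = target, max_delay, tol
        self.last_t = None       # arrival time of the last accepted message
        self.last_delay = 0.0    # how late that message was
        self.held, self.discarded = [], []

    def on_message(self, t, payload):
        """Return the messages to forward; empty while this one is held."""
        if self.last_t is not None:
            # Expected interval is the target time shortened by the prior delay.
            expected = self.target - self.last_delay
            delay = (t - self.last_t) - expected
            if not -self.tol <= delay <= self.max_delay:
                self.held.append((t, payload))   # suspicious: hold, keep baseline
                return []
            self.last_delay = max(delay, 0.0)
        self.last_t = t
        # A non-suspicious message arrived: discard whatever was being held.
        self.discarded += self.held
        self.held = []
        return [(t, payload)]

# Constructed trace (ms, payload): "c" is 12 ms late, so "d" follows after 88 ms.
CLEAN = [0, 100, 212, 300, 400]
TRACE = [(0, "a"), (100, "b"), (212, "c"), (300, "d"), (340, "SPOOF"), (400, "e")]

def replay(trace, target):
    mon = IntervalMonitor(target)
    forwarded = [m for t, p in trace for m in mon.on_message(t, p)]
    return forwarded, mon.discarded

if __name__ == "__main__":
    print(replay(TRACE, learn_interval(CLEAN)))
```

Held messages never advance the baseline, so a deployment also needs a resynchronisation policy for genuinely lost frames, which claim 1 does not cover.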
20 Claims
1. A computer-implemented method for detecting suspicious microcontroller messages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- observing a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;
- identifying a message sent over the network by the microcontroller;
- determining that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;
- categorizing the message as a suspicious message in response to determining that the interval does not comprise the typical interval; and
- performing a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at the computing device, wherein the computing device is in communication with the network utilized by the microcontroller and wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for detecting suspicious microcontroller messages, the system comprising:
- an observation module, stored in memory, that observes a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;
- an identification module, stored in memory, that identifies a message sent over the network by the microcontroller;
- a determination module, stored in memory, that determines that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;
- a categorization module, stored in memory, that categorizes the message as a suspicious message in response to determining that the interval does not comprise the typical interval, wherein the categorization module further performs a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at a computing device in communication with the network utilized by the microcontroller, wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller; and
- at least one physical processor configured to execute the observation module, the identification module, the determination module, and the categorization module.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- observe a typical interval at which messages are sent over a network by a microcontroller, the messages being sent over the network at a target time and a delay time after the target time, wherein the typical interval for new messages sent over the network immediately following the messages sent after the target time comprises the target time shortened by the delay time;
- identify a message sent over the network by the microcontroller;
- determine that an interval between the message and a previous message sent by the microcontroller does not comprise the typical interval;
- categorize the message as a suspicious message in response to determining that the interval does not comprise the typical interval; and
- perform a security action in response to categorizing the message as suspicious, the security action comprising holding the suspicious message until an arrival of an additional message at the computing device, wherein the computing device is in communication with the network utilized by the microcontroller and wherein the additional message is determined not to be suspicious, and discarding the suspicious message to prevent an attacker from gaining control of one or more systems that are part of a motor vehicle and that are associated with operating the motor vehicle, wherein the suspicious message comprises a spoofed message that does not originate from the microcontroller despite appearing to originate from the microcontroller.

Dependent claims: 20
Specification