System and method for time based anomaly detection in an in-vehicle communication network

US 10,298,612 B2
Filed: 06/29/2016
Issued: 05/21/2019
Est. Priority Date: 06/29/2015
Status: Active Grant

First Claim

Patent Images

1. A system including a non-transitory computer readable medium including instructions that, when executed by at least one hardware processor, cause the at least one hardware processor to perform timing-based cyber-security operations, the operations including:

maintaining a model of an expected timing behavior of data communications over an in-vehicle communication network, the model including a counter threshold value and a time laps threshold value;

receiving first and second messages communicated over the in-vehicle communication network, wherein the first and second messages include the same message ID value;

if the time lapse between receptions of the first and second messages is greater than the time laps threshold value then increasing a value in a counter;

if the value in the counter is greater than the counter threshold value then determining at least one of the messages is anomalous; and

if at least one of the first and second messages is anomalous then performing, by the processor, at least one action related to the anomalous message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing security to a network may include maintaining, by a processor, a model of an expected behavior of data communications over the in-vehicle communication network; receiving, by the processor, a message sent over the network; determining, by the processor, based on the model and based on a timing attribute of the message, whether or not the message complies with the model; and if the message does not comply with the model then performing, by the processor, at least one action related to the message.

Citations

19 Claims

1. A system including a non-transitory computer readable medium including instructions that, when executed by at least one hardware processor, cause the at least one hardware processor to perform timing-based cyber-security operations, the operations including:
- maintaining a model of an expected timing behavior of data communications over an in-vehicle communication network, the model including a counter threshold value and a time laps threshold value;
  
  receiving first and second messages communicated over the in-vehicle communication network, wherein the first and second messages include the same message ID value;
  
  if the time lapse between receptions of the first and second messages is greater than the time laps threshold value then increasing a value in a counter;
  
  if the value in the counter is greater than the counter threshold value then determining at least one of the messages is anomalous; and
  
  if at least one of the first and second messages is anomalous then performing, by the processor, at least one action related to the anomalous message.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, whereinif the time lapse between receptions of the first and second messages is less than a time lapse threshold included in the model then determining that at least one of the first and second messages is related to an anomaly.
  - 3. The system of claim 1, whereinif the time lapse between receptions of the first and second messages is greater than the time lapse threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 4. The system of claim 1, wherein the processor is further configured to reset the counter to a predefined value if a predefined number of consecutive valid messages are identified.
  - 5. The system of claim 1, wherein the processor is further configured to dynamically modify the time lapse threshold value.
  - 7. The system of claim 1, wherein the processor is further configured to:
    - identify an event related to at least one of;
      
      the vehicle, the network, and a node connected to the network; and
      
      determine a message is related to an anomaly based on the event.
  - 8. The system of claim 1, wherein the at least one action related to the message includes isolating a portion of the network from the rest of the in-vehicle communication network in order to isolate a source of a message related to an anomaly.
  - 9. The system of claim 1, wherein the processor is further configured to:
    - determine a component connected to an in-vehicle communication network is malfunctioning based on one or more messages; and
      
      generate an indication related to the malfunctioning component.
  - 10. The system of claim 1, wherein if at least one message does not comply with the model then performing, by the processor, at least one action related to the message comprises:
    - calculating a confidence level of a message being related to an anomaly; and
      
      performing an action based on the confidence level.
  - 11. The system of claim 1, wherein an action related to the message is at least one of:
    - disabling a component connected to the network, activating a component connected to the network, blocking a message, delaying a message, limiting a frequency of a message type, logging a message and alerting.
  - 12. The system of claim 1, wherein the hardware processor is further configured to:
    - determine whether or not at least one of the messages complies with the model by;
      
      comparing a time lapse between receptions of first and second messages to at least two time lapse thresholds; and
      
      determining at least one of the messages does not comply with the model if at least one of the time lapse thresholds is breached.

6. The system of 1 claim, wherein the processor is further configured to:
- determine a context related to at least one of;
  
  the vehicle, the network, and a node connected to the network; and
  
  determine whether or not a message is related to an anomaly based on the context.

13. A method comprising:
- maintaining, by a hardware processor, a model of an expected behavior of data communications over an in-vehicle communication network, the model including a counter threshold value and a time laps threshold value;
  
  receiving, by the processor, first and second messages sent over the in-vehicle communication network, wherein the first and second messages include the same message ID value;
  
  if the time lapse between receptions of the first and second messages is greater than the time laps threshold value then increasing a value in a counter;
  
  if the value in the counter is greater than the counter threshold value then determining, by the processor, least one of the messages is anomalous; and
  
  if at least one of the messages is anomalous then performing, by the processor, at least one action related to the message.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, comprising:
    - if the time lapse between receptions of the first and second messages is less than a time lapse threshold included in the model then determining that at least one of the first and second messages is related to an anomaly.
  - 15. The method of claim 13, comprising:
    - if the time lapse between receptions the first and second messages greater than the time lapse threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 16. The method of claim 13, comprising:
    - if a time lapse between receptions of the first and second messages is less than a threshold value included in the model then increasing a counter, andif the counter is greater than a counter threshold value included in the model then determining that at least one of the first and second messages is related to an anomaly.
  - 17. The method of claim 16, comprising resetting the counter to a predefined value if a predefined number of consecutive valid messages are identified.
  - 18. The method of claim 13, comprising dynamically modifying the counter threshold value.

19. A method for enforcing security in a communication network, the method comprising:
- maintaining, by a hardware processor, a model related to messages communicated on an in-vehicle data communication network, the model including a counter threshold value and a time laps threshold value;
  
  receiving first message and second message communicated on the in-vehicle data communication network, wherein the first and second messages include the same message ID value;
  
  if the time interval between receptions of the first and second messages is greater than the time laps threshold value then increasing a value in a counter;
  
  if the value in the counter is greater than the counter threshold value then determining, whether or not at least one of the first and second messages is related to an anomaly; and
  
  if at least one of the first and second messages is related to an anomaly then performing at least one action related to the messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Argus Cyber Security Ltd. (Continental AG)
Original Assignee
Argus Cyber Security Ltd. (Continental AG)
Inventors
Galula, Yaron, Ben-Noon, Ofer, Lavi, Oron
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/196,301
Publication Number

US 20160381068A1
Time in Patent Office

1,056 Days
Field of Search
US Class Current
CPC Class Codes

B60R 16/0231   Circuits relating to the dr...

B60R 16/0232   for measuring vehicle param...

B60R 2021/01197   Warning devices

B60R 21/01   Electrical circuits for tri...

B60R 25/10   actuating a signalling device

B60R 25/30   Detection related to theft ...

G07C 5/0816   Indicating performance data...

G07C 5/0841   Registering performance dat...

H04L 63/02   for separating internal fro...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/12   specially adapted for propr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/61   Time-dependent

H04W 12/67   Risk-dependent, e.g. select...

H04W 12/68   Gesture-dependent or behavi...

System and method for time based anomaly detection in an in-vehicle communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for time based anomaly detection in an in-vehicle communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links