System and method for time based anomaly detection in an in-vehicle communication network
Abstract
A system and method for providing security to a network may include maintaining, by a processor, a model of an expected behavior of data communications over the in-vehicle communication network; receiving, by the processor, a message sent over the network; determining, by the processor, based on the model and based on a timing attribute of the message, whether or not the message complies with the model; and if the message does not comply with the model then performing, by the processor, at least one action related to the message.
19 Claims
1. A system including a non-transitory computer readable medium including instructions that, when executed by at least one hardware processor, cause the at least one hardware processor to perform timing-based cyber-security operations, the operations including:
- maintaining a model of an expected timing behavior of data communications over an in-vehicle communication network, the model including a counter threshold value and a time lapse threshold value;
- receiving first and second messages communicated over the in-vehicle communication network, wherein the first and second messages include the same message ID value;
- if the time lapse between receptions of the first and second messages is greater than the time lapse threshold value then increasing a value in a counter;
- if the value in the counter is greater than the counter threshold value then determining at least one of the messages is anomalous; and
- if at least one of the first and second messages is anomalous then performing, by the processor, at least one action related to the anomalous message.

Dependent claims: 2, 3, 4, 5, 7, 8, 9, 10, 11, 12

6. The system of claim 1, wherein the processor is further configured to:
- determine a context related to at least one of: the vehicle, the network, and a node connected to the network; and
- determine whether or not a message is related to an anomaly based on the context.

13. A method comprising:
- maintaining, by a hardware processor, a model of an expected behavior of data communications over an in-vehicle communication network, the model including a counter threshold value and a time lapse threshold value;
- receiving, by the processor, first and second messages sent over the in-vehicle communication network, wherein the first and second messages include the same message ID value;
- if the time lapse between receptions of the first and second messages is greater than the time lapse threshold value then increasing a value in a counter;
- if the value in the counter is greater than the counter threshold value then determining, by the processor, at least one of the messages is anomalous; and
- if at least one of the messages is anomalous then performing, by the processor, at least one action related to the message.

Dependent claims: 14, 15, 16, 17, 18

19. A method for enforcing security in a communication network, the method comprising:
- maintaining, by a hardware processor, a model related to messages communicated on an in-vehicle data communication network, the model including a counter threshold value and a time lapse threshold value;
- receiving first message and second message communicated on the in-vehicle data communication network, wherein the first and second messages include the same message ID value;
- if the time interval between receptions of the first and second messages is greater than the time lapse threshold value then increasing a value in a counter;
- if the value in the counter is greater than the counter threshold value then determining, whether or not at least one of the first and second messages is related to an anomaly; and
- if at least one of the first and second messages is related to an anomaly then performing at least one action related to the messages.
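
The counter-and-threshold logic recited in claims 1, 13 and 19, run over a short frame trace, as an added Python example that is not taken from the patent. The names `TimingModel`, `TimingDetector` and `scan`, the per-ID model layout, the sample IDs and periods, and the choice to alert only on the late frame that pushes the counter past its threshold are assumptions; the "action" here is simply recording an alert.

```python
from dataclasses import dataclass, field

@dataclass
class TimingModel:
    """Per-ID expected timing: the two thresholds named in the claims."""
    time_lapse_threshold: float   # max seconds between frames with the same ID
    counter_threshold: int        # late intervals tolerated before flagging

@dataclass
class TimingDetector:
    model: dict                                   # message ID -> TimingModel
    last_seen: dict = field(default_factory=dict)  # message ID -> last timestamp
    counters: dict = field(default_factory=dict)   # message ID -> late count

    def observe(self, timestamp, msg_id):
        """Return True if this frame is late and its ID's counter now exceeds the threshold."""
        rule = self.model.get(msg_id)
        previous = self.last_seen.get(msg_id)
        self.last_seen[msg_id] = timestamp
        if rule is None or previous is None:
            return False          # unmodelled ID or first frame: no interval yet
        if timestamp - previous <= rule.time_lapse_threshold:
            return False          # interval complies with the model
        self.counters[msg_id] = self.counters.get(msg_id, 0) + 1
        # Assumption: the counter is never reset; the claims do not say.
        return self.counters[msg_id] > rule.counter_threshold

def scan(trace, model):
    """Run the detector over (timestamp, msg_id) pairs and collect alerts."""
    detector = TimingDetector(model)
    alerts = []
    for timestamp, msg_id in trace:
        if detector.observe(timestamp, msg_id):
            alerts.append((timestamp, msg_id, detector.counters[msg_id]))
    return alerts

# Constructed sample: ID 0x1A0 nominally every 10 ms, ID 0x2B4 every 100 ms.
MODEL = {0x1A0: TimingModel(0.015, 2), 0x2B4: TimingModel(0.150, 2)}
TRACE = [(0.000, 0x1A0), (0.000, 0x2B4), (0.010, 0x1A0), (0.020, 0x1A0),
         (0.060, 0x1A0),   # 40 ms gap: counter becomes 1
         (0.070, 0x1A0), (0.100, 0x2B4),
         (0.120, 0x1A0),   # 50 ms gap: counter becomes 2
         (0.130, 0x1A0),
         (0.180, 0x1A0),   # 50 ms gap: counter becomes 3, exceeds threshold 2
         (0.200, 0x2B4)]

if __name__ == "__main__":
    for ts, mid, count in scan(TRACE, MODEL):
        print(f"t={ts:.3f}s id=0x{mid:X} late-interval counter={count}")
```

Because the comparison is strictly "greater than" in both steps, two late intervals against a counter threshold of 2 raise nothing; the third does.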
Specification