Systems and methods for identifying suspicious controller area network messages
First Claim
1. A computer-implemented method for identifying suspicious controller area network messages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
    monitoring, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;
    observing, in the messages, a set of corresponding patterns that comprises:
        a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and
        an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;
    detecting a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns; and
    determining that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns.
Abstract
The disclosed computer-implemented method for identifying suspicious controller area network messages may include (i) monitoring, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device, (ii) observing, in the messages, a set of corresponding patterns that each comprise a content pattern and a timing pattern, (iii) detecting a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns, and (iv) determining that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set. Various other methods, systems, and computer-readable media are also disclosed.
Claims (20 claims)
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2 to 8.
9. A system for identifying suspicious controller area network messages, the system comprising:
    a monitoring module, stored in memory, that monitors, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;
    an observation module, stored in memory, that observes, in the messages, a set of corresponding patterns that comprises:
        a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and
        an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;
    a detection module, stored in memory, that detects a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns;
    a determination module, stored in memory, that determines that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns; and
    at least one physical processor configured to execute the monitoring module, the observation module, the detection module, and the determination module.
    Dependent claims: 10 to 16.
17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
    monitor, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;
    observe, in the messages, a set of corresponding patterns that comprises:
        a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and
        an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;
    detect a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns; and
    determine that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns.
    Dependent claims: 18 to 20.