Systems and methods for identifying suspicious controller area network messages

US 10,326,788 B1
Filed: 05/05/2017
Issued: 06/18/2019
Est. Priority Date: 05/05/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying suspicious controller area network messages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

monitoring, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;

observing, in the messages, a set of corresponding patterns that comprises;

a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and

an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;

detecting a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns; and

determining that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for identifying suspicious controller area network messages may include (i) monitoring, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device, (ii) observing, in the messages, a set of corresponding patterns that each comprise a content pattern and a timing pattern, (v) detecting a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns, and (vi) determining that the message is suspicious based at least in part on content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for identifying suspicious controller area network messages, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- monitoring, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;
  
  observing, in the messages, a set of corresponding patterns that comprises;
  
  a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and
  
  an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;
  
  detecting a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns; and
  
  determining that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising performing a security action in response to determining that the message is suspicious.
  - 3. The computer-implemented method of claim 2, wherein performing the security action comprises blocking the message.
  - 4. The computer-implemented method of claim 1, wherein:
    - the first pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent at regular intervals; and
      
      the additional pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent outside of the regular intervals.
  - 5. The computer-implemented method of claim 1, wherein:
    - the first pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent during an active state of the controller area network device; and
      
      the additional pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent during an inactive state of the controller area network device.
  - 6. The computer-implemented method of claim 1, wherein detecting the message that comprises the controller area network identifier, wherein the content pattern of the message and the timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns comprises:
    - creating a set of rules by creating, for each pair of corresponding patterns in the set of corresponding patterns, a rule that identifies messages that comprise the pair of corresponding patterns; and
      
      detecting that the message does not adhere to any rule within the set of rules.
  - 7. The computer-implemented method of claim 1, wherein the controller area network device monitors at least one sensor of a motor vehicle.
  - 8. The computer-implemented method of claim 1, wherein:
    - each message within the messages comprises a series of bits;
      
      observing, in the messages, the set of corresponding patterns comprises creating a mask that masks out bits in the series of bits; and
      
      detecting the message with the content pattern and the timing pattern that do not match any pair of corresponding patterns in the set of corresponding patterns comprises monitoring, for each message, only bits in the series of bits that are not the bits masked out by the mask.

9. A system for identifying suspicious controller area network messages, the system comprising:
- a monitoring module, stored in memory, that monitors, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;
  
  an observation module, stored in memory, that observes, in the messages, a set of corresponding patterns that comprises;
  
  a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and
  
  an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;
  
  a detection module, stored in memory, that detects a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns;
  
  a determination module, stored in memory, that determines that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns; and
  
  at least one physical processor configured to execute the monitoring module, the observation module, the detection module, and the determination module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further where the determination module performs a security action in response to determining that the message is suspicious.
  - 11. The system of claim 10, wherein the determination module performs the security action by blocking the message.
  - 12. The system of claim 9, wherein:
    - the first pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent at regular intervals; and
      
      the additional pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent outside of the regular intervals.
  - 13. The system of claim 9, wherein:
    - the first pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent during an active state of the controller area network device; and
      
      the additional pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent during an inactive state of the controller area network device.
  - 14. The system of claim 9, wherein the detection module detects the message that comprises the controller area network identifier, wherein the content pattern of the message and the timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns, by:
    - creating a set of rules by creating, for each pair of corresponding patterns in the set of corresponding patterns, a rule that identifies messages that comprise the pair of corresponding patterns; and
      
      detecting that the message does not adhere to any rule within the set of rules.
  - 15. The system of claim 9, wherein the controller area network device monitors at least one sensor of a motor vehicle.
  - 16. The system of claim 9, wherein:
    - each message within the messages comprises a series of bits;
      
      the observation module observes, in the messages, the set of corresponding patterns by creating a mask that masks out bits in the series of bits; and
      
      the detection module detects the message with the content pattern and the timing pattern that do not match any pair of corresponding patterns in the set of corresponding patterns by monitoring, for each message, only bits in the series of bits that are not the bits masked out by the mask.

17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- monitor, for a predetermined period of time, messages sent by an electronic control unit that comprise a controller area network identifier for at least one controller area network device;
  
  observe, in the messages, a set of corresponding patterns that comprises;
  
  a first pair of corresponding patterns that comprises a first content pattern in the messages that corresponds to a first timing pattern of the messages; and
  
  an additional pair of corresponding patterns that is different from the first pair of corresponding patterns and that comprises an additional content pattern in the messages that corresponds to an additional timing pattern of the messages;
  
  detect a message that comprises the controller area network identifier, wherein a content pattern of the message and a timing pattern of the message do not match any pair of corresponding patterns in the set of corresponding patterns; and
  
  determine that the message is suspicious based at least in part on the content pattern of the message and the timing pattern of the message not matching any pair of corresponding patterns in the set of corresponding patterns.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-readable instructions cause the computing device to perform a security action in response to determining that the message is suspicious.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the one or more computer-readable instructions cause the computing device to perform the security action by blocking the message.
  - 20. The non-transitory computer-readable medium of claim 17, wherein:
    - the first pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent at regular intervals; and
      
      the additional pair of corresponding patterns comprises a pair of corresponding patterns that occur in messages sent outside of the regular intervals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bajpai, Vishal, Pukish, Michael, Chakravarthy, Venkatesh
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/587,762
Time in Patent Office

774 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 12/40   Bus networks

H04L 2012/40215   Controller Area Network CAN

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Systems and methods for identifying suspicious controller area network messages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying suspicious controller area network messages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links