Reporting and processing controller security information

US 10,382,460 B2
Filed: 06/19/2018
Issued: 08/13/2019
Est. Priority Date: 04/06/2016
Status: Active Grant

First Claim

Patent Images

1. A method for providing security on externally connected electronic control units (ECUs), the method comprising:

receiving, at a reporting agent that is part of a security middleware layer operating on an ECU, an indication that a process has been blocked;

obtaining, by the reporting agent, trace information for the blocked process;

determining, by the reporting agent, a code portion in an operating system of the ECU that served as an exploit for the blocked process;

obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process;

determining, by the reporting agent, a current context of the ECU;

generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, (iii) the copy of the malware, and (iv) information identifying the current context of the ECU; and

providing, by the reporting agent, the alert to a network interface on the ECU for immediate transmission to a backend computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, a method for providing security on externally connected controllers includes receiving, at a reporting agent that is part of a security middleware layer operating on a controller, an indication that a process has been blocked; obtaining, by the reporting agent, trace information for the blocked process; determining, by the reporting agent, a code portion in an operating system of the controller that served as an exploit for the blocked process; obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process; generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, and (iii) the copy of the malware; and providing, by the reporting agent, the alert to a network interface on the controller for immediate transmission to a backend computer system.

Citations

18 Claims

1. A method for providing security on externally connected electronic control units (ECUs), the method comprising:
- receiving, at a reporting agent that is part of a security middleware layer operating on an ECU, an indication that a process has been blocked;
  
  obtaining, by the reporting agent, trace information for the blocked process;
  
  determining, by the reporting agent, a code portion in an operating system of the ECU that served as an exploit for the blocked process;
  
  obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process;
  
  determining, by the reporting agent, a current context of the ECU;
  
  generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, (iii) the copy of the malware, and (iv) information identifying the current context of the ECU; and
  
  providing, by the reporting agent, the alert to a network interface on the ECU for immediate transmission to a backend computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - determining, by the reporting agent, a current status of the ECU, wherein information identifying the current status is additionally included in the alert.
  - 3. The method of claim 2, wherein the current status includes current levels of use for one or more resources on the ECU.
  - 4. The method of claim 3, wherein the one or more resources include a processor, memory, and networking transmission capacity through the network interface.
  - 5. The method of claim 2, wherein the current status includes current network connections that are established for the ECU through the network interface.
  - 6. The method of claim 2, wherein the current status includes a snapshot of a software stack that identifies current process calls on the ECU.
  - 7. The method of claim 1, wherein the current context includes a geographic location where the ECU is currently located.
  - 8. The method of claim 1, wherein the current context includes a current operational state for a device or system of which the ECU is a part.
  - 9. The method of claim 8, wherein the ECU is in data communication with other ECUs in a vehicle.
  - 10. The method of claim 1, wherein the security middleware layer further comprises (i) a custom security policy defining permitted operations on the ECU and (ii) one or more security agents that operate at a kernel-level on the ECU to enforce the security policy.

11. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing security on externally connected electronic control units (ECUs), the operations comprising:
- receiving, at a reporting agent that is part of a security middleware layer operating on an ECU, an indication that a process has been blocked;
  
  obtaining, by the reporting agent, trace information for the blocked process;
  
  determining, by the reporting agent, a code portion in an operating system of the ECU that served as an exploit for the blocked process;
  
  obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process;
  
  determining, by the reporting agent, a current context of the ECU;
  
  generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, (iii) the copy of the malware, and (iv) information identifying the current context of the ECU; and
  
  providing, by the reporting agent, the alert to a network interface on the ECU for immediate transmission to a backend computer system.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The non-transitory computer readable medium of claim 11, further comprising:
    - determining, by the reporting agent, a current status of the ECU, wherein information identifying the current status is additionally included in the alert.
  - 13. The non-transitory computer readable medium of claim 12, wherein the current status includes current levels of use for one or more resources on the ECU.
  - 14. The non-transitory computer readable medium of claim 13, wherein the one or more resources include a processor, memory, and networking transmission capacity through the network interface.
  - 15. The non-transitory computer readable medium of claim 12, wherein the current status includes current network connections that are established for the ECU through the network interface.
  - 16. The non-transitory computer readable medium of claim 12, wherein the current status includes a snapshot of a software stack that identifies current process calls on the ECU.
  - 17. The non-transitory computer readable medium of claim 12, wherein the current context includes a geographic location where the ECU is currently located.
  - 18. The non-transitory computer readable medium of claim 12, wherein the current context includes a current operational state for a device or system of which the ECU is a part.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Karamba Security Ltd.
Original Assignee
Karamba Security Ltd.
Inventors
David, Tal Efraim Ben, Harel, Assaf, Dotan, Amiram, Barzilai, David
Primary Examiner(s)
Lewis, Lisa C

Application Number

US16/012,206
Publication Number

US 20180316699A1
Time in Patent Office

420 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 2209/84   Vehicles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04W 12/128   Anti-malware arrangements, ...

H04W 4/02   Services making use of loca...

H04W 4/40   for vehicles, e.g. vehicle-...

Reporting and processing controller security information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Reporting and processing controller security information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links