Systems and methods for in-vehicle network intrusion detection
First Claim
1. A system comprising:
an anomaly detection circuit configured to:
obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,
wherein the anomaly detection circuit is configured to detect whether at least some of the one or more events constitute an anomaly based on the predefined rules by determining whether a given network message associated with a given event is visible on a network of the vehicle, and
wherein the anomaly detection circuit is configured to detect an anomaly when the network message is determined to be visible on the network of the vehicle;
a resident log generation circuit configured to:
obtain the detected anomaly event data; and
generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
a transmitted log generation circuit configured to:
obtain the one or more resident incident logs;
generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
transmit the one or more transmitted incident logs to a computer system remote from the vehicle.
Abstract
A system for in-vehicle network intrusion detection includes: (i) an anomaly detection module configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle and detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data; (ii) a resident log generation module configured to generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and (iii) a transmitted log generation module configured to generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log.
21 Claims
19. A system comprising:
an anomaly detection circuit configured to:
obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,
a resident log generation circuit configured to:
obtain the detected anomaly event data; and
generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events;
a transmitted log generation circuit configured to:
obtain the one or more resident incident logs;
generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
transmit the one or more transmitted incident logs to a computer system remote from the vehicle; and
an electronic control unit (ECU) comprising memory, wherein the memory comprises at least some of the one or more resident incident logs, wherein the ECU is configured to:
obtain a log control command from the computer system remote from the vehicle; and
in response to obtaining the log control command, perform at least one of the following:
erase at least one resident incident log of the one or more resident incident logs; and
adjust a memory allocation for at least one of the one or more resident incident logs.
20. A system comprising:
an anomaly detection circuit configured to:
obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,
a resident log generation circuit configured to:
obtain the detected anomaly event data; and
generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
a transmitted log generation circuit configured to:
obtain the one or more resident incident logs;
generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
transmit the one or more transmitted incident logs to a computer system remote from the vehicle,
wherein each resident incident log of the one or more resident incident logs comprises a manifest and one or more incident log entries,
wherein each incident log entry of the one or more incident log entries corresponds to a violation of one or more of the predefined rules, and
wherein the manifest comprises:
a soft-part reference number identifying a rule set of the predefined rules to which a given resident incident log corresponds; and
a total rule violations summary describing a total number of incidents logged for all rule violations within a given rule set defined by the soft-part reference number.
21. A system comprising:
an anomaly detection circuit configured to:
obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,
a resident log generation circuit configured to:
obtain the detected anomaly event data; and
generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
a transmitted log generation circuit configured to:
obtain the one or more resident incident logs;
generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
transmit the one or more transmitted incident logs to a computer system remote from the vehicle,
wherein each of the one or more network messages are associated with respective message IDs, and
wherein the anomaly detection circuit is configured to detect whether at least some of the one or more events constitute an anomaly based on the predefined rules by:
determining whether any of the predefined rules correspond to a given message ID; and
in response to determining that a predefined rule corresponds to the given message ID, comparing an allowed state associated with the predefined rule with a current state of the vehicle.
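The following sketch is an added example, not code from the patent or its assignee. It shows the claim 21 check (look up a rule by message ID, then compare the rule's allowed state with the current vehicle state) feeding a resident incident log whose manifest carries the two fields named in claim 20. The message IDs, state names, reference number, field names and the truncation used for the transmitted log are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

RULESET_REF = "SP-EXAMPLE-0001"  # placeholder soft-part reference number
# Hypothetical rule set: message ID -> vehicle states in which it is allowed.
# An empty set means the message must never be visible on the bus.
RULES = {
    0x7DF: {"PARKED_DIAG"},            # diagnostic request
    0x2F0: {"PARKED", "PARKED_DIAG"},  # door unlock command
    0x6A1: set(),                      # ID assigned to no ECU
}

@dataclass
class ResidentLog:
    soft_part_ref: str
    entries: list = field(default_factory=list)

    def manifest(self):
        # Rule-set reference plus total violations logged for that rule set.
        return {"soft_part_ref": self.soft_part_ref,
                "total_rule_violations": len(self.entries)}

def detect(frames, log):
    """frames: iterable of (timestamp_ms, msg_id, vehicle_state)."""
    for ts, msg_id, state in frames:
        allowed = RULES.get(msg_id)
        if allowed is None:        # no predefined rule for this message ID
            continue
        if state not in allowed:   # allowed state vs. current vehicle state
            kind = "state_mismatch" if allowed else "forbidden_id"
            log.entries.append({"ts_ms": ts, "msg_id": msg_id,
                                "state": state, "rule": kind})
    return log

def to_transmitted(log, max_entries=2):
    # One transmitted log per resident log; keeping only the most recent
    # entries is an assumption here, the claims only require correspondence.
    return {"manifest": log.manifest(), "entries": log.entries[-max_entries:]}

# Constructed sample traffic, not captured from a real vehicle.
SAMPLE = [
    (100, 0x2F0, "PARKED"),   # allowed
    (250, 0x7DF, "DRIVING"),  # diagnostic request while driving
    (260, 0x123, "DRIVING"),  # no rule for this ID, ignored
    (300, 0x6A1, "PARKED"),   # ID that should never appear
    (410, 0x2F0, "DRIVING"),  # unlock command while driving
]

if __name__ == "__main__":
    print(to_transmitted(detect(SAMPLE, ResidentLog(RULESET_REF))))
```

The manifest count stays at the full number of violations even when the transmitted copy is truncated, so the remote system can tell that entries were dropped.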
Specification