Systems and methods for in-vehicle network intrusion detection

US 10,498,749 B2
Filed: 09/11/2017
Issued: 12/03/2019
Est. Priority Date: 09/11/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an anomaly detection circuit configured to;

obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and

detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,wherein the anomaly detection circuit is configured to detect whether at least some of the one or more events constitute an anomaly based on the predefined rules by determining whether a given network message associated with a given event is visible on a network of the vehicle, andwherein the anomaly detection circuit is configured to detect an anomaly when the network message is determined to be visible on the network of the vehicle;

a resident log generation circuit configured to;

obtain the detected anomaly event data; and

generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and

a transmitted log generation circuit configured to;

obtain the one or more resident incident logs;

generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and

transmit the one or more transmitted incident logs to a computer system remote from the vehicle.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for in-vehicle network intrusion detection includes: (i) an anomaly detection module configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle and detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data; (ii) a resident log generation module configured to generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and (iii) a transmitted log generation module configured to generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log.

9 Citations

View as Search Results

21 Claims

1. A system comprising:
- an anomaly detection circuit configured to;
  
  obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,wherein the anomaly detection circuit is configured to detect whether at least some of the one or more events constitute an anomaly based on the predefined rules by determining whether a given network message associated with a given event is visible on a network of the vehicle, andwherein the anomaly detection circuit is configured to detect an anomaly when the network message is determined to be visible on the network of the vehicle;
  
  a resident log generation circuit configured to;
  
  obtain the detected anomaly event data; and
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
  
  a transmitted log generation circuit configured to;
  
  obtain the one or more resident incident logs;
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  transmit the one or more transmitted incident logs to a computer system remote from the vehicle.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, further comprising:
    - an electronic control unit (ECU) comprising memory, wherein the memory comprises at least some of the one or more resident incident logs.
  - 3. The system of claim 2, wherein the ECU is configured to:
    - obtain a log control command from the computer system remote from the vehicle; and
      
      in response to obtaining the log control command, perform at least one of the following;
      
      erase at least one resident incident log of the one or more resident incident logs; and
      
      adjust a memory allocation for at least one of the one or more resident incident logs.
  - 4. The system of claim 1, wherein the transmitted log generation circuit is further configured to:
    - obtain a log control command from the computer system remote from the vehicle; and
      
      in response to obtaining the log control command, perform at least one of the following;
      
      transmit at least one of the one or more resident incident logs to the computer system remote from the vehicle;
      
      adjust content of at least one of the one or more resident incident logs prior to transmission;
      
      adjust a log transmission rate associated with the transmitted log generation circuit, wherein the log transmission rate describes a frequency at which transmitted incident logs are transmitted from the transmitted log generation circuit to the computer system remote from the vehicle; and
      
      restrict a data size of the one or more transmitted incident logs.
  - 5. The system of claim 1, further comprising a remedial action circuit configured to:
    - obtain an intrusion response command from the computer system remote from the vehicle; and
      
      in response to obtaining the intrusion response command, perform at least one of the following;
      
      restrict communications from at least one of the one or more communication buses; and
      
      illuminate a malfunction indicator light (MIL) of the vehicle.
  - 6. The system of claim 1, wherein each resident incident log of the one or more resident incident logs comprises a manifest and one or more incident log entries, wherein each incident log entry of the one or more incident log entries corresponds to a violation of one or more of the predefined rules.
  - 7. The system of claim 6, wherein the manifest comprises:
    - a soft-part reference number identifying a rule set of the predefined rules to which a given resident incident log corresponds; and
      
      a total rule violations summary describing a total number of incidents logged for all rule violations within a given rule set defined by the soft-part reference number.
  - 8. The system of claim 6, wherein each of the one or more incident log entries includes one or more of the following:
    - the predefined rule that was violated;
      
      a number of times that the predefined rule was violated;
      
      a timeframe during which the predefined rule was violated;
      
      the network message that violated the predefined rule; and
      
      historical data concerning the incident, wherein the historical data comprises one or more of a timestamp describing a specific time that the predefined rule was violated and a state of the vehicle at the time that the predefined rule was violated.
  - 9. The system of claim 1, wherein the one or more network messages comprise at least one of:
    - controller area network (CAN) messages from one or more CAN buses of the vehicle; and
      
      ethernet messages from one or more ethernet buses of the vehicle.
  - 10. The system of claim 1, wherein the predefined rules are based, at least in part, on operating state parameters of the vehicle.
  - 11. The system of claim 10, wherein the operating state parameters of the vehicle comprise at least some of the following parameters:
    - speed of the vehicle;
      
      operational mode of the vehicle;
      
      power mode of the vehicle;
      
      state of a transmission gear selector of the vehicle; and
      
      presence of a test tool in connection with the vehicle.
  - 12. The system of claim 1, further comprising the computer system remote from the vehicle.
  - 13. The system of claim 12, wherein the computer system remote from the vehicle is configured to:
    - generate an acknowledgement signal in response to receiving a transmitted incident log from the transmitted log generation circuit; and
      
      transmit the acknowledgment signal to the vehicle over a wireless communication channel.
  - 14. The system of claim 1, wherein the anomaly detection circuit is configured to:
    - detect the absence of an anomaly when the network message is determined not to be visible on the network of the vehicle.
  - 15. The system of claim 1, wherein each of the one or more network messages are associated with respective message IDs, and wherein the anomaly detection circuit is configured to detect whether at least some of the one or more events constitute an anomaly based on the predefined rules by:
    - determining whether any of the predefined rules correspond to a given message ID; and
      
      in response to determining that a predefined rule corresponds to the given message ID, comparing an allowed state associated with the predefined rule with a current state of the vehicle.
  - 16. The system of claim 15, wherein the anomaly detection circuit is configured to:
    - detect an anomaly when the current state of the vehicle does not correspond to the allowed state of the predefined rule.
  - 17. The system of claim 15, wherein the anomaly detection circuit is configured to:
    - detect the absence of an anomaly when the current state of the vehicle corresponds to the allowed state of the predefined rule.
  - 18. The system of claim 1, wherein each of the one or more transmitted incident logs comprises less metadata than its corresponding resident incident log.

19. A system comprising:
- an anomaly detection circuit configured to;
  
  obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,a resident log generation circuit configured to;
  
  obtain the detected anomaly event data; and
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events;
  
  a transmitted log generation circuit configured to;
  
  obtain the one or more resident incident logs;
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  transmit the one or more transmitted incident logs to a computer system remote from the vehicle; and
  
  an electronic control unit (ECU) comprising memory, wherein the memory comprises at least some of the one or more resident incident logs, wherein the ECU is configured to;
  
  obtain a log control command from the computer system remote from the vehicle; and
  
  in response to obtaining the log control command, perform at least one of the following;
  
  erase at least one resident incident log of the one or more resident incident logs; and
  
  adjust a memory allocation for at least one of the one or more resident incident logs.

20. A system comprising:
- an anomaly detection circuit configured to;
  
  obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,a resident log generation circuit configured to;
  
  obtain the detected anomaly event data; and
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
  
  a transmitted log generation circuit configured to;
  
  obtain the one or more resident incident logs;
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  transmit the one or more transmitted incident logs to a computer system remote from the vehicle,wherein each resident incident log of the one or more resident incident logs comprises a manifest and one or more incident log entries, wherein each incident log entry of the one or more incident log entries corresponds to a violation of one or more of the predefined rules, andwherein the manifest comprises;
  
  a soft-part reference number identifying a rule set of the predefined rules to which a given resident incident log corresponds; and
  
  a total rule violations summary describing a total number of incidents logged for all rule violations within a given rule set defined by the soft-part reference number.

21. A system comprising:
- an anomaly detection circuit configured to;
  
  obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle; and
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data,a resident log generation circuit configured to;
  
  obtain the detected anomaly event data; and
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
  
  a transmitted log generation circuit configured to;
  
  obtain the one or more resident incident logs;
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  transmit the one or more transmitted incident logs to a computer system remote from the vehicle,wherein each of the one or more network messages are associated with respective message IDs, and wherein the anomaly detection circuit is configured to detect whether at least some of the one or more events constitute an anomaly based on the predefined rules by;
  
  determining whether any of the predefined rules correspond to a given message ID; and
  
  in response to determining that a predefined rule corresponds to the given message ID, comparing an allowed state associated with the predefined rule with a current state of the vehicle.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Kupfer, Samuel B., Ploucha, Joseph E., Shockley, Abigail C.
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US15/700,725
Publication Number

US 20190081960A1
Time in Patent Office

813 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/40   Bus networks

H04L 12/40202   by using a plurality of mas...

H04L 12/4625   Single bridge functionality...

H04L 2012/40215   Controller Area Network CAN

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/12   specially adapted for propr...

H04W 12/12   Detection or prevention of ...

Systems and methods for in-vehicle network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for in-vehicle network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links