Data security inspection mechanism for serial networks
First Claim
1. A method, comprising:
- tracking, by a device in a serial network that is a controller area network (CAN) bus network, timing information associated with an inter-arrival time and a number of frames from each device in the serial network in a database;
- determining, by the device in the serial network, that a suspicious event has occurred in the serial network, wherein the suspicious event is identified based on whether the inter-arrival time of one or more frames from a particular device in the serial network is within an expected range;
- assessing, by the device, whether the suspicious event is malicious by evaluating a sequence of events in the serial network that precede the suspicious event, wherein the sequence of events a) specify an order of events that are expected to precede an event for the particular device and b) is determined based on a first-order analysis of data in the CAN bus network; and
- causing, by the device, a mitigation action to be performed in the serial network when the suspicious event is deemed malicious.
Abstract
In one embodiment, a device in a serial network determines that a suspicious event has occurred in the network. The suspicious event is identified based on timing information for one or more frames in the serial network. The device assesses whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event. The device causes a mitigation action to be performed in the network when the suspicious event is deemed malicious.
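The two-stage check described in the abstract (a timing test to flag a frame, then a look at what preceded it to decide whether it is malicious) can be sketched as follows. This is an added example, not code from the patent: it keys the database by CAN ID as a stand-in for "device", reads "first-order analysis" as learning which ID immediately precedes each ID in a clean trace, and the class name, tolerance and traces are all assumptions.

```python
# Added illustration; names, tolerance and traces are assumptions, not from the patent.
class CanTimingMonitor:
    def __init__(self, tolerance=0.5):
        self.tolerance = tolerance   # assumed: expected range = mean gap +/- 50%
        self.db = {}                 # CAN ID -> {"count", "last", "gaps"}
        self.expected_prev = {}      # CAN ID -> IDs seen immediately before it

    def learn(self, frames):
        """Build the timing database and predecessor sets from a clean trace."""
        prev = None
        for ts, can_id in frames:
            rec = self.db.setdefault(can_id, {"count": 0, "last": None, "gaps": []})
            if rec["last"] is not None:
                rec["gaps"].append(ts - rec["last"])
            rec["last"], rec["count"] = ts, rec["count"] + 1
            if prev is not None:
                self.expected_prev.setdefault(can_id, set()).add(prev)
            prev = can_id

    def expected_range(self, can_id):
        gaps = self.db[can_id]["gaps"]
        mean = sum(gaps) / len(gaps)
        return mean * (1 - self.tolerance), mean * (1 + self.tolerance)

    def inspect(self, frames):
        """Return (ts, can_id, verdict) for each frame whose gap is out of range."""
        last_seen, prev, alerts = {}, None, []
        for ts, can_id in frames:
            known = can_id in self.db and self.db[can_id]["gaps"]
            if known and can_id in last_seen:
                lo, hi = self.expected_range(can_id)
                if not lo <= ts - last_seen[can_id] <= hi:
                    # Suspicious timing: check the event that preceded it.
                    ok = prev in self.expected_prev.get(can_id, set())
                    alerts.append((ts, can_id, "suspicious" if ok else "malicious"))
            last_seen[can_id], prev = ts, can_id
        return alerts

# Constructed traces, timestamps in ms: 0x100 every 10 ms, 0x200 every 20 ms.
BASELINE = sorted([(10 * i, 0x100) for i in range(10)] +
                  [(20 * i + 1, 0x200) for i in range(5)])
# Constructed live trace: an extra 0x200 at t=2 and a late 0x100 at t=28.
LIVE = [(0, 0x100), (1, 0x200), (2, 0x200), (10, 0x100), (21, 0x200), (28, 0x100)]

def demo():
    mon = CanTimingMonitor()
    mon.learn(BASELINE)
    return mon.inspect(LIVE)  # a "malicious" verdict is where mitigation would fire

if __name__ == "__main__":
    print(demo())
```

Both flagged frames fail the timing test, but only the extra 0x200 also arrives after an unexpected predecessor; the late 0x100 follows a normal predecessor and stays at "suspicious".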
17 Claims
8. An apparatus, comprising:
- one or more network interfaces to communicate with a serial network that is a controller area network (CAN) bus network;
- a processor coupled to the one or more network interfaces and configured to execute a process; and
- a memory configured to store the process executable by the processor, the process when executed configured to:
  - track timing information associated with an inter-arrival time and a number of frames from each device in the serial network in a database;
  - determine that a suspicious event has occurred in the serial network, wherein the suspicious event is identified based on whether the inter-arrival time of one or more frames from a particular device in the serial network is within an expected range;
  - assess whether the suspicious event is malicious by evaluating a sequence of events in the serial network that precede the suspicious event, wherein the sequence of events specify a) an order of events that are expected to precede an event for the particular device and b) is determined based on a first-order analysis of data in the CAN bus network; and
  - cause a mitigation action to be performed in the serial network when the suspicious event is deemed malicious.
15. A tangible, non-transitory, computer-readable medium storing program instructions that, when executed by a device in a serial network that is a controller area network (CAN) bus network, cause the device to perform a process comprising:
- tracking, by the device, timing information associated with an inter-arrival time and a number of frames from each device in the serial network in a database;
- determining, by the device, that a suspicious event has occurred in the serial network, wherein the suspicious event is identified based on whether the inter-arrival time of one or more frames from a particular device in the serial network is within an expected range;
- assessing, by the device, whether the suspicious event is malicious by evaluating a sequence of events in the serial network that precede the suspicious event, wherein the sequence of events a) specify an order of events that are expected to precede an event for the particular device and b) is determined based on a first-order analysis of data in the CAN bus network; and
- causing, by the device, a mitigation action to be performed in the serial network when the suspicious event is deemed malicious.
Specification