Cyber warning receiver

US 10,728,265 B2
Filed: 06/15/2017
Issued: 07/28/2020
Est. Priority Date: 06/15/2017
Status: Active Grant

First Claim

Patent Images

1. A cyber warning receiver (CWR) comprising:

a bus sensing circuit to sense traffic on a vehicle communications bus over time, and passively monitors the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus;

an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior, wherein the anomaly detectors employ a first neural network trained to identify and detect anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus;

a data fusing engine to fuse the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior;

a decision making circuit, wherein the decision making circuit is a second neural network trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and

a behavior logging circuit to log the detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification,wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for cyber warning. One technique includes a cyber warning receiver (CWR). The CWR includes a bus sensing circuit to sense traffic on a communications bus over time, an anomaly detecting circuit to detect anomalous behavior in the sensed bus traffic, a data fusing circuit to fuse the detected anomalous behavior into groups having similar characteristics, a decision making circuit to decide if the fused anomalous behavior is normal or abnormal, and a behavior logging circuit to log the detected anomalous behavior on an electronic storage device. In one embodiment, the CWR further includes a behavior alerting circuit to alert an operator to the fused anomalous behavior identified as abnormal. In one embodiment, the communications bus is an embedded communications bus, such as a MIL-STD-1553 bus, and the CWR is a standalone device configured to connect to the MIL-STD-1553 bus as a bus monitor.

19 Citations

View as Search Results

16 Claims

1. A cyber warning receiver (CWR) comprising:
- a bus sensing circuit to sense traffic on a vehicle communications bus over time, and passively monitors the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus;
  
  an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior, wherein the anomaly detectors employ a first neural network trained to identify and detect anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus;
  
  a data fusing engine to fuse the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior;
  
  a decision making circuit, wherein the decision making circuit is a second neural network trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and
  
  a behavior logging circuit to log the detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification,wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The CWR of claim 1, further comprising a behavior alerting circuit to alert an operator to the fused detected anomalous behavior identified as abnormal.
  - 3. The CWR of claim 2, wherein the behavior alerting circuit is configured to not alert the operator to the fused detected anomalous behavior identified as normal.
  - 4. The CWR of claim 1, wherein the vehicle communications bus is a MIL-STD-1553 bus.
  - 5. The CWR of claim 4, wherein the CWR is a configured to connect to the MIL-STD-1553 bus.
  - 6. The CWR of claim 1, wherein the anomaly detecting detectors are configured to detect a corresponding plurality of different anomalous behavior in the sensed bus traffic.
  - 7. The CWR of claim 1, wherein the data fusing circuit is configured to fuse the detected anomalous behavior into groups having similar sensing times in their corresponding sensed bus traffic.
  - 8. The CWR of claim 1, wherein the CWR employs training periods that characterizes traffic patterns and models a range of normal system behaviors to establish the groups having similar characteristics.

9. A computer-implemented method of cyber warning, the method comprising:
- sensing, by a bus sensing circuit, traffic on a vehicle communications bus over time and passively monitoring the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus;
  
  detecting, by an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior in the sensed bus traffic, wherein a first neural network is trained to identify and detect the anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus;
  
  fusing, by a data fusing engine, the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior;
  
  deciding, by a decision making circuit, if the fused detected anomalous behavior is normal or abnormal, wherein the decision making circuit is a second neural network independent of the first neural network and is trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, and wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and
  
  logging, by a behavior logging circuit, the detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification,wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, further comprising alerting, by, a behavior alerting circuit, an operator to the fused detected anomalous behavior identified as abnormal.
  - 11. The method of claim 10, further comprising not alerting, by the, behavior alerting circuit, the operator to the fused detected anomalous behavior identified as normal.
  - 12. The method of claim 11, wherein the fusing comprises fusing the detected anomalous behavior into groups having similar sensing times in their corresponding sensed bus traffic.

13. A computer program product including one or more non-transitory machine-readable mediums encoded with instructions that when executed by one or more processors of a cyber warning receiver, cause a computer-implemented process to be carried out for cyber warning, the process comprising:
- sensing, by a bus sensing circuit, traffic on a vehicle communications bus over time and passively monitoring the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus;
  
  detecting, by an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior in the sensed bus traffic, wherein a first neural network is trained to identify and detect the anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus;
  
  fusing, by a data fusing engine, the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior;
  
  deciding, by a decision making circuit, if the fused detected anomalous behavior is normal or abnormal, wherein a second neural network independent of the first neural network and is trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, and wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and
  
  logging, by a behavior logging circuit, the fused detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification,wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor.
- View Dependent Claims (14, 15, 16)
- - 14. The computer program product of claim 13, wherein the process further comprises alerting an operator to the fused detected anomalous behavior identified as abnormal.
  - 15. The computer program product of claim 14, wherein the process further comprises not alerting the operator to the fused detected anomalous behavior identified as normal.
  - 16. The computer program product of claim 13, wherein the fusing comprises fusing the detected anomalous behavior into groups having similar sensing times in their corresponding sensed bus traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Original Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Inventors
Hayden, Patrick M., Jeong, Jeong-O., Le, Vu T., Rappa, Christopher C., Ray, Sumit, Sobolewski, Katherine D., Woolrich, Jr., David K.
Primary Examiner(s)
Ho, Dao Q

Application Number

US15/624,444
Publication Number

US 20180367553A1
Time in Patent Office

1,139 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/10   using kernel methods, e.g. ...

G06N 3/084   Backpropagation, e.g. using...

G06N 7/01   Probabilistic graphical mod...

G06N 7/08   using chaos models or non-l...

H04L 63/1425   Traffic logging, e.g. anoma...

Cyber warning receiver

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber warning receiver

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links