Cyber warning receiver
First Claim
1. A cyber warning receiver (CWR) comprising:
- a bus sensing circuit to sense traffic on a vehicle communications bus over time, and passively monitors the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus;
an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior, wherein the anomaly detectors employ a first neural network trained to identify and detect anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus;
a data fusing engine to fuse the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior;
a decision making circuit, wherein the decision making circuit is a second neural network trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and
a behavior logging circuit to log the detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification,wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor.
1 Assignment
0 Petitions
Accused Products
Abstract
Techniques are provided for cyber warning. One technique includes a cyber warning receiver (CWR). The CWR includes a bus sensing circuit to sense traffic on a communications bus over time, an anomaly detecting circuit to detect anomalous behavior in the sensed bus traffic, a data fusing circuit to fuse the detected anomalous behavior into groups having similar characteristics, a decision making circuit to decide if the fused anomalous behavior is normal or abnormal, and a behavior logging circuit to log the detected anomalous behavior on an electronic storage device. In one embodiment, the CWR further includes a behavior alerting circuit to alert an operator to the fused anomalous behavior identified as abnormal. In one embodiment, the communications bus is an embedded communications bus, such as a MIL-STD-1553 bus, and the CWR is a standalone device configured to connect to the MIL-STD-1553 bus as a bus monitor.
19 Citations
16 Claims
-
1. A cyber warning receiver (CWR) comprising:
-
a bus sensing circuit to sense traffic on a vehicle communications bus over time, and passively monitors the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus; an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior, wherein the anomaly detectors employ a first neural network trained to identify and detect anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus; a data fusing engine to fuse the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior; a decision making circuit, wherein the decision making circuit is a second neural network trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and a behavior logging circuit to log the detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification, wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A computer-implemented method of cyber warning, the method comprising:
-
sensing, by a bus sensing circuit, traffic on a vehicle communications bus over time and passively monitoring the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus; detecting, by an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior in the sensed bus traffic, wherein a first neural network is trained to identify and detect the anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus; fusing, by a data fusing engine, the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior; deciding, by a decision making circuit, if the fused detected anomalous behavior is normal or abnormal, wherein the decision making circuit is a second neural network independent of the first neural network and is trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, and wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and logging, by a behavior logging circuit, the detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification, wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor. - View Dependent Claims (10, 11, 12)
-
-
13. A computer program product including one or more non-transitory machine-readable mediums encoded with instructions that when executed by one or more processors of a cyber warning receiver, cause a computer-implemented process to be carried out for cyber warning, the process comprising:
-
sensing, by a bus sensing circuit, traffic on a vehicle communications bus over time and passively monitoring the traffic on the vehicle communications bus but does not receive the traffic, wherein the vehicle communications bus is an embedded serial bus or optical bus; detecting, by an anomaly detecting circuit comprising a plurality of anomaly detectors to detect anomalous behavior in the sensed bus traffic, wherein a first neural network is trained to identify and detect the anomalous behavior in the sensed bus traffic, and wherein the anomaly detectors employ rules with characteristics of the vehicle communications bus; fusing, by a data fusing engine, the detected anomalous behavior of the sensed bus traffic into groups having similar characteristics that share common temporal or behavioral patterns, wherein the data fusing engine applies non-parametric learning to produce fused detected anomalous behavior; deciding, by a decision making circuit, if the fused detected anomalous behavior is normal or abnormal, wherein a second neural network independent of the first neural network and is trained using both the anomalous behavior and the fused detected anomalous behavior to decide if there is a cyberattack, and wherein the decision making circuit uses a partially observable Markov decisions process (POMDP); and logging, by a behavior logging circuit, the fused detected anomalous behavior on an electronic storage device and providing real-time cyberattack notification, wherein the cyber warning receiver is a standalone device configured to connect to the vehicle communications bus as a bus monitor. - View Dependent Claims (14, 15, 16)
-
Specification