METHOD AND DEVICE FOR DEFENDING AGAINST ATTACKS TO SYSTEMS COMPRISING A PLUG & PLAY FUNCTION

US 20100333202A1
Filed: 02/25/2009
Published: 12/30/2010
Est. Priority Date: 03/11/2008
Status: Active Grant

First Claim

Patent Images

1. Method for recognizing attacks on at least one interface of a computer system, specifically an automated self-service machine, comprising:

monitoring of the interface to detect changes at the interface;

if changes occur, the probability of an unauthorized attack on the interface is determined based on the type of change;

if the probability is beyond a defined threshold, defensive measures are introduced.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method for recognizing attacks to at least one interface of a computer system, in particular an automated self-service machine, comprising: monitoring the interface in order to determine changes at the interface; if changes occur, the change is used to determine the probability that an unallowed attack is occurring at the interface; if the probability is beyond a defined threshold, defensive maneuvers are introduced.

Citations

19 Claims

1. Method for recognizing attacks on at least one interface of a computer system, specifically an automated self-service machine, comprising:
- monitoring of the interface to detect changes at the interface;
  
  if changes occur, the probability of an unauthorized attack on the interface is determined based on the type of change;
  
  if the probability is beyond a defined threshold, defensive measures are introduced.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method from claim 1, wherein the defensive measures comprise one or more of the following procedures:
    - creating a log entry, automatic shutdown of the computer system, sending a warning message to a target system or a target person, deactivating the interface, deactivating a recently connected device, switching to a security mode.
  - 3. The method from claim 1, wherein one or more of the following events is taken into consideration in calculating the probability:
    - reliability of the serial number of the device connected to the interface;
      
      reliability of the maker/product combination for the attached device;
      
      reliability of the device class;
      
      reliable number of devices from one device class;
      
      device path or type of connection;
      
      time interval between removing a device from and connecting a device to the interface;
      
      time of day at which a device is connected to or removed from the interface;
      
      mode for the computer system when a device is connected to or removed from the interface, such as customer operation or service mode.
  - 4. The method from claim 3, wherein a preferably adjustable point value is assigned to each event, and the events are totaled so that a check can be made based on the total whether a threshold was exceeded in order to then introduce a defensive measure.
  - 5. The method from claim 1, wherein the computer system is a self-service system, specifically an automated bank machine and/or an automated bottle vending machine.
  - 6. The method from claim 5, wherein the self-service system allows customer operation and maintenance operation, where one or more thresholds and/or probabilities are different depending on the type of operation.
  - 7. The method from claim 1, wherein the interface is one or more of the following:
    - serial interface, parallel interface, serial bus interface, parallel bus interface, networks, wireless network interface, optical network interface, cable network interface, IEEE 1394, FireWire, IEEE 1284, LAN, WLAN, Bluetooth, PS/2, RS232.
  - 8. The method from claim 7, wherein the interface has a plug-and-play function that triggers an automatic action on the computer system.
  - 9. The method from claim 1, wherein the method, or parts of the method, is implemented by a driver for the interface that possesses one or more of the following properties;
    - replacement of the standard interface driver by a modified driver that, in addition to the existing functionality, implements the functionality of the method or parts thereof;
      
      additional driver that is arranged logically below the standard driver so that the information that reaches the standard driver is forwarded after being filtered;
      
      additional driver that is arranged logically above a standard driver so that information is forwarded to the system after being filtered.
  - 10. The method from claim 1, wherein a software process continuously monitors the traffic on the interface in order to detect an unauthorized attack.

11. Computer system, specifically an automated self-service machine having at least one interface, comprising means for monitoring the interface to determine changes at the interface;
- in the event that changes occur, an ALU determines the probability of an unauthorized attack on the interface based on the type of change;
  
  if the probability is beyond a defined threshold, defensive measures are introduced through additional means.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer system from claim 11, wherein defensive measures are introduced through the additional means that comprise one or more of the following procedures:
    - creating a log entry on a data carrier, shutting down the computer system automatically, sending a warning message to a target system or a target person over a network, deactivating the interface, deactivating a recently connected device, switching to a security mode.
  - 13. The computer system from claim 11, wherein the ALU should take into consideration one or more of the following events in calculating the probability:
    - reliability of the serial number of the device connected to the interface;
      
      reliability of the maker/product combination of the attached device;
      
      reliability of the device class;
      
      reliable number of devices from one device class;
      
      device path or type of connection;
      
      time interval between removal of a device from and connection to the interface;
      
      time of day at which a device is connected to or removed from the interface;
      
      the computer system mode when connecting a device to or removing said device from the interface, such as customer operation or service mode.
  - 14. The computer system from claim 13, wherein a preferably adjustable point value is assigned to each event, said value can be filed on a storage system and the ALU (arithmetic logic unit) totals the events so that a check can be made based on the total whether a threshold was exceeded in order to introduce a defensive measure.
  - 15. The computer system from claim 11, wherein the computer system is a self-service system, specifically an automated bank machine or an automated bottle vending machine.
  - 16. The computer system from claim 15, wherein the self-service system has means to switch to customer operation and to maintenance operation each of which concerns a measure of security, wherein one or more thresholds and/or probabilities are different depending on the type of operation.
  - 17. The computer system from claim 11, wherein the interface is one or more of the following, including technical successors:
    - serial interface, parallel interface, serial bus interface, parallel bus interface, network interface, wireless network interface, optical network interface, cable network interface, IEEE 1394, FireWire, IEEE 1284, LAN, WLAN, Bluetooth, PS/2, RS232.
  - 18. The computer system from claim 11, comprising a driver for the interface that possesses one or more of the following properties:
    - replacement of the standard interface driver by a modified driver that, in addition to the existing functionality, implements the functionality of the method or parts thereof;
      
      additional driver that is arranged logically below the standard driver so that the information that reaches the standard driver is forwarded after being filtered;
      
      additional driver that is arranged logically above the standard driver so that information is forwarded to the system after being filtered.
  - 19. The computer system from claim 11, comprising a device that comprises a software process that continuously monitors the traffic on the interface in order to detect an unauthorized attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Diebold Nixdorf Systems GmbH (Diebold Nixdorf, Incorporated)
Original Assignee
Wincor Nixdorf International GmbH (Diebold Nixdorf, Incorporated)
Inventors
RICHTER, Bernd, Von Der Lippe, Carsten

Granted Patent

US 8,418,248 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

METHOD AND DEVICE FOR DEFENDING AGAINST ATTACKS TO SYSTEMS COMPRISING A PLUG & PLAY FUNCTION

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR DEFENDING AGAINST ATTACKS TO SYSTEMS COMPRISING A PLUG & PLAY FUNCTION

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links