BUS WATCHMAN

US 20150191135A1
Filed: 01/06/2015
Published: 07/09/2015
Est. Priority Date: 01/06/2014
Status: Active Grant

First Claim

Patent Images

1. A module for providing security to an in-vehicle communication network having a bus and at least one node connected to the bus, the module comprising:

a memory having software comprising data characterizing messages that the at least one node transmits and receives via the bus during normal operation of the node;

a communication port via which the module receives and transmits messages, the port being configured to be connected to a portion of the in-vehicle network; and

a processor that processes, responsive to the software in the memory, messages received via the port from the portion of the in-vehicle network to;

identify an anomalous message in the received messages indicative of exposure of the in-vehicle network to damage from a cyber attack; and

cause the module to transmit at least one signal via the port to the portion of the in-vehicle network that alters the anomalous message so that the at least one node will discard it.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module for providing security to an in-vehicle communication network having a bus and at least one node connected to the bus, the module comprising: a memory having software comprising data characterizing messages that the at least one node transmits and receives via the bus during normal operation of the node; a communication port via which the module receives and transmits messages configured to be connected to a portion of the in-vehicle network; and a processor that processes messages received via the port from the portion of the in-vehicle network responsive to the software in the memory to: identify an anomalous message in the received messages indicative of exposure of the in-vehicle network to damage from a cyber attack; and cause the module to transmit at least one signal via the port to the portion of the in-vehicle network that alters the anomalous message so that the at least one node will discard it.

86 Citations

View as Search Results

16 Claims

1. A module for providing security to an in-vehicle communication network having a bus and at least one node connected to the bus, the module comprising:
- a memory having software comprising data characterizing messages that the at least one node transmits and receives via the bus during normal operation of the node;
  
  a communication port via which the module receives and transmits messages, the port being configured to be connected to a portion of the in-vehicle network; and
  
  a processor that processes, responsive to the software in the memory, messages received via the port from the portion of the in-vehicle network to;
  
  identify an anomalous message in the received messages indicative of exposure of the in-vehicle network to damage from a cyber attack; and
  
  cause the module to transmit at least one signal via the port to the portion of the in-vehicle network that alters the anomalous message so that the at least one node will discard it.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The module according to claim 1 wherein the in-vehicle network is a CAN in-vehicle network and the received messages are control area network (CAN) messages comprising an arbitration ID, a data portion, and a cyclic redundancy check (CRC) code.
  - 3. The module according to claim 2 wherein the at least one signal that the module transmits comprises at least one CAN dominant bit.
  - 4. The module according to claim 3 wherein the at least one CAN dominant bit comprises at least six consecutive dominant bits transmitted during propagation of the anomalous message in the portion of the in-vehicle network.
  - 5. The module according to claim 3 wherein the at least one CAN dominant bit comprises at least one dominant bit transmitted during propagation of the CRC code during propagation of the anomalous message in the portion of the in-vehicle network.
  - 6. The module according to claim 1 wherein the software in the memory comprises:
    - a menu of response actions that may be undertaken in response to identifying the anomalous message; and
      
      a set of matching rules that may be used as, or in establishing, a criterion for determining a response action in the menu;
      
      wherein the menu of response actions includes transmitting at least one signal via the port to the portion of the in-vehicle network that alters the anomalous message so that the at least one node will discard it.
  - 7. The module according to claim 6 wherein the matching rules and response actions are configured in a decision tree having branches.
  - 8. The module according to claim 7 wherein the processor is configured to traverse the decision tree responsive to features of the anomalous message and navigate along a branch of the decision tree that ends at the action to be undertaken by the module in response to the anomalous message.
  - 9. The module according to claim 1 wherein the module is a hardware module comprising a physical port configured to be connected to the portion of the in-vehicle network.
  - 10. The module according to claim 1 wherein the module is a software module that may be integrated with software of the at least one node of the in-vehicle network.
  - 11. The module according to claim 1 and comprising a communication interface configured to support communication with entities outside of the module.
  - 12. A system for providing security to an in-vehicle communication network, the system comprising:
    - a data monitoring and processing hub; and
      
      at least one module according to claim 11 that communicates with the hub to transmit data responsive to the anomalous message for processing by the hub via the communication interface.

13. A method of providing security to an in-vehicle communication network having a bus and at least one node connected to the bus, the method comprising:
- monitoring messages in communication traffic propagating in a portion of the in-vehicle network;
  
  identifying an anomalous message in the monitored messages indicative of exposure of the in-vehicle network to damage from a cyber attack; and
  
  transmitting at least one signal to the portion of the in-vehicle network that alters the anomalous message so that the at least one node will discard it.
- View Dependent Claims (14, 15, 16)
- - 14. The method according to claim 13 wherein the in-vehicle network is a CAN in-vehicle network and the received messages are CAN messages comprising an arbitration ID, a data portion, and a cyclic redundancy check (CRC) code and wherein the at least one signal comprises at least one CAN dominant bit.
  - 15. The method according to claim 14 wherein the at least one CAN dominant bit comprises at least six consecutive dominant bits transmitted during propagation of the anomalous message in the portion of the in-vehicle network.
  - 16. The method according to claim 14 wherein the at least one CAN dominant bit comprises at least one dominant bit transmitted during propagation of the CRC code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Argus Cyber Security Ltd. (Continental AG)
Original Assignee
Argus Cyber Security Ltd. (Continental AG)
Inventors
BEN NOON, Ofer, GALULA, Yaron, LAVI, Oron

Granted Patent

US 9,840,212 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

B60R 16/023   for transmission of signals...

B60R 25/00   Fittings or systems for pre...

G06F 11/30   Monitoring

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/606   by securing the transmissio...

G06F 21/6281   at program execution time, ...

H04L 12/4625   Single bridge functionality...

H04L 2012/40215   Controller Area Network CAN

H04L 2012/40273   the transportation system b...

H04L 63/0227   Filtering policies mail mes...

H04L 63/123   received data contents, e.g...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/12   specially adapted for propr...

BUS WATCHMAN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

BUS WATCHMAN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links