SYSTEM AND METHOD FOR TIME BASED ANOMALY DETECTION IN AN IN-VEHICLE COMMUNICATION NETWORK

US 20160381068A1
Filed: 06/29/2016
Published: 12/29/2016
Est. Priority Date: 06/29/2015
Status: Active Grant

First Claim

Patent Images

1. A system including a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform timing-based cyber-security operations, the operations including:

maintaining a timing model of an expected behavior of data communications over an in-vehicle communication network;

receiving a plurality of messages communicated over the network;

determining, based on the timing model and based on timing attributes of the plurality of messages, whether or not at least one of the messages complies with the timing model; and

if at least one message does not comply with the timing model then performing, by the processor, at least one action related to the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing security to a network may include maintaining, by a processor, a model of an expected behavior of data communications over the in-vehicle communication network; receiving, by the processor, a message sent over the network; determining, by the processor, based on the model and based on a timing attribute of the message, whether or not the message complies with the model; and if the message does not comply with the model then performing, by the processor, at least one action related to the message.

68 Citations

View as Search Results

20 Claims

1. A system including a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform timing-based cyber-security operations, the operations including:
- maintaining a timing model of an expected behavior of data communications over an in-vehicle communication network;
  
  receiving a plurality of messages communicated over the network;
  
  determining, based on the timing model and based on timing attributes of the plurality of messages, whether or not at least one of the messages complies with the timing model; and
  
  if at least one message does not comply with the timing model then performing, by the processor, at least one action related to the message.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein determining whether or not at least one of the messages complies with the timing model includes determining that at least one of first and second messages is related to an anomaly by:
    - receiving first and a second messages sent over the in-vehicle communication network, the first and second messages including the same ID value; and
      
      if the time lapse between receptions of the first and second messages is less than a time lapse threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 3. The system of claim 1, wherein determining whether or not at least one of the messages complies with the timing model includes determining that at least one of first and second messages is related to an anomaly by:
    - if the time lapse between receptions of first and second messages that include the same ID value is greater than a time lapse threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 4. The system of claim 1, wherein determining whether or not at least one of the messages complies with the timing model includes determining that at least one of first and second messages is related to an anomaly by:
    - if the time lapse between receptions of first and second messages is greater than a threshold then increasing a counter, andif the counter is greater than a counter threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 5. The system of claim 4, wherein the processor is further configured to reset the counter to a predefined value if a predefined number of consecutive valid messages are identified.
  - 6. The system of claim 1, wherein the processor is further configured to dynamically modify a time lapse threshold included in the timing model.
  - 8. The system of claim 1, wherein the processor is further configured to:
    - identify an event related to at least one of;
      
      the vehicle, the network, and a node connected to the network; and
      
      determine a message is related to an anomaly based on the event.
  - 9. The system of claim 1, wherein the at least one action related to the message includes isolating a portion of the network from the rest of the in-vehicle communication network in order to isolate a source of a message related to an anomaly.
  - 10. The system of claim 1, wherein the processor is further configured to:
    - determine a component connected to an in-vehicle communication network is malfunctioning based on one or more messages; and
      
      generate an indication related to the malfunctioning component.
  - 11. The system of claim 1, wherein if at least one message does not comply with the timing model then performing, by the processor, at least one action related to the message comprises:
    - calculating a confidence level of a message being related to an anomaly; and
      
      performing an action based on the confidence level.
  - 12. The system of claim 1, wherein an action related to the message is at least one of:
    - disabling a component connected to the network, activating a component connected to the network, blocking a message, delaying a message, limiting a frequency of a message type, logging a message and alerting.
  - 13. The system of claim 1, wherein determining whether or not at least one of the messages complies with the timing model includes:
    - comparing a time lapse between receptions of first and second messages to at least two time lapse thresholds; and
      
      determining at least one of the messages does not comply with the timing model if at least one of the time lapse thresholds is breached.

7. The system of 1 claim, wherein the processor is further configured to:
- determine a context related to at least one of;
  
  the vehicle, the network, and a node connected to the network; and
  
  determine whether or not a message is related to an anomaly based on the context.

14. A method comprising:
- maintaining, by a processor, a timing model of an expected behavior of data communications over the in-vehicle communication network;
  
  receiving, by the processor, a plurality of messages sent over the network;
  
  determining, by the processor, based on the timing model and based on timing attributes of the plurality of messages, whether or not at least one of the messages complies with the timing model; and
  
  if the message does not comply with the timing model then performing, by the processor, at least one action related to the message.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, comprising:
    - receiving first and a second messages sent over the in-vehicle communication network, the first and second messages including the same ID value; and
      
      if the time lapse between receptions of the first and second messages is less than a time lapse threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 16. The method of claim 14, comprising:
    - if the time lapse between receptions first and second messages including the same ID value is greater than a time lapse threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 17. The method of claim 14, comprising:
    - if a time lapse between receptions of first and second messages is less than a threshold then increasing a counter, andif the counter is greater than a counter threshold then determining that at least one of the first and second messages is related to an anomaly.
  - 18. The method of claim 17, comprising resetting the counter to a predefined value if a predefined number of consecutive valid messages are identified.
  - 19. The method of claim 14, comprising dynamically modifying a time lapse threshold included in the timing model.

20. A method for enforcing security in a communication network, the method comprising:
- maintaining, by a processor, a timing model related to messages communicated on the network;
  
  receiving first message and a second message communicated on the network;
  
  determining, based on the timing model and based on a time interval between the first and second messages, whether or not at least one of the first and second messages is related to an anomaly; and
  
  if at least one of the first and second messages is related to an anomaly then performing at least one action related to the messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Argus Cyber Security Ltd. (Continental AG)
Original Assignee
Argus Cyber Security Ltd. (Continental AG)
Inventors
GALULA, Yaron, BEN-NOON, Ofer, LAVI, Oron

Granted Patent

US 10,298,612 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

B60R 16/0231   Circuits relating to the dr...

B60R 16/0232   for measuring vehicle param...

B60R 2021/01197   Warning devices

B60R 21/01   Electrical circuits for tri...

B60R 25/10   actuating a signalling device

B60R 25/30   Detection related to theft ...

G07C 5/0816   Indicating performance data...

G07C 5/0841   Registering performance dat...

H04L 63/02   for separating internal fro...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/12   specially adapted for propr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/61   Time-dependent

H04W 12/67   Risk-dependent, e.g. select...

H04W 12/68   Gesture-dependent or behavi...

SYSTEM AND METHOD FOR TIME BASED ANOMALY DETECTION IN AN IN-VEHICLE COMMUNICATION NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR TIME BASED ANOMALY DETECTION IN AN IN-VEHICLE COMMUNICATION NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links