CENTRALIZED CONTROLLER MANAGEMENT AND ANOMALY DETECTION

US 20180316698A1
Filed: 06/19/2018
Published: 11/01/2018
Est. Priority Date: 04/06/2016
Status: Active Grant

First Claim

Patent Images

1. A system for providing security on externally connected electronic control units (ECUs) of automobiles, the system comprising:

a processor and computer-readable memory, the computer-readable memory comprising instructions that, when executed by the processor, cause the processor to perform operations comprising;

receiving, at a server system, operation information for a plurality of instances of a ECU, the plurality of instances being installed across a plurality of devices, the operation information comprises malware reports that identify malware on the plurality of instances of the ECU;

statistically analyzing, by the server system, the operation information;

identifying, by the server system, one or more anomalous ECU behaviors based on the statistical analysis; and

providing, by the server system, information regarding the one or more anomalous ECU behaviors on the ECU as potential security threats.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, a method for providing security on externally connected controllers includes receiving, at a server system, operation information for a plurality of instances of a controller, the plurality of instances being installed across a plurality of devices; statistically analyzing, by the server system, the operation information; identifying, by the server system, one or more anomalous controller behaviors based on the statistical analysis; and providing, by the server system, information regarding the one or more anomalous controller behaviors on the controller as potential security threats.

16 Citations

View as Search Results

25 Claims

1. A system for providing security on externally connected electronic control units (ECUs) of automobiles, the system comprising:
- a processor and computer-readable memory, the computer-readable memory comprising instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  receiving, at a server system, operation information for a plurality of instances of a ECU, the plurality of instances being installed across a plurality of devices, the operation information comprises malware reports that identify malware on the plurality of instances of the ECU;
  
  statistically analyzing, by the server system, the operation information;
  
  identifying, by the server system, one or more anomalous ECU behaviors based on the statistical analysis; and
  
  providing, by the server system, information regarding the one or more anomalous ECU behaviors on the ECU as potential security threats.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising:
    - updating, by the server system, one or more security policies to exclude performance of the one or more anomalous ECU behaviors in response to the information; and
      
      pushing out the updated one or more security policies to the plurality of devices.
  - 3. The system of claim 2, wherein the plurality of instances of the ECU block the one or more anomalous ECU behaviors from being performed on the ECU using the updated one or more security policies.
  - 4. The system of claim 3, wherein:
    - the plurality of instances of the ECU include a security middleware layer that is incorporated into operating systems on the plurality of instances of the ECU, andthe security middleware layer is positioned to restrict one or more kernel processes of the operating system to operations that are permitted according to the updated one or more security policies.
  - 5. The system of claim 4, wherein:
    - updating the one or more security policies comprises removing information corresponding to the one or more anomalous ECU behaviors from one or more whitelists that are part of the one or more security policies, andthe one or more whitelists define the operations that are permitted.
  - 6. The system of claim 5, wherein:
    - the one or more anomalous ECU behaviors comprise a particular sequence of function calls, andthe information removed from the one or more whitelists comprises function mappings outlining the particular sequence of function calls.
  - 7. The system of claim 5, wherein:
    - the one or more anomalous ECU behaviors comprise receipt or transmission of a particular network packet, andthe information removed from the one or more whitelists comprises one or more of;
      
      an IP address specified in the particular network packet, a network port specified in the particular network packet, and a payload content type for the particular network packet.
  - 8. The system of claim 5, wherein:
    - the one or more anomalous ECU behaviors comprise execution of a particular process, andthe information removed from the one or more whitelists comprises information identifying the particular process.
  - 9. The system of claim 1, wherein the ECU is an automotive ECU and the device is a vehicle.
  - 10. The system of claim 1, wherein the malware reports including copies of the blocked malware.

11. A method for providing security on externally connected electronic control units (ECUs) of automobiles, the method comprising:
- receiving, at a server system, operation information for a plurality of instances of a ECU, the plurality of instances being installed across a plurality of devices, the operation information comprises malware reports that identify malware on the plurality of instances of the ECU;
  
  statistically analyzing, by the server system, the operation information;
  
  identifying, by the server system, one or more anomalous ECU behaviors based on the statistical analysis; and
  
  providing, by the server system, information regarding the one or more anomalous ECU behaviors on the ECU as potential security threats.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising:
    - updating, by the server system, one or more security policies to exclude performance of the one or more anomalous ECU behaviors in response to the information; and
      
      pushing out the updated one or more security policies to the plurality of devices.
  - 13. The method of claim 12, wherein the plurality of instances of the ECU block the one or more anomalous ECU behaviors from being performed on the ECU using the updated one or more security policies.
  - 14. The method of claim 13, wherein:
    - the plurality of instances of the ECU include a security middleware layer that is incorporated into operating systems on the plurality of instances of the ECU, andthe security middleware layer is positioned to restrict one or more kernel processes of the operating system to operations that are permitted according to the updated one or more security policies.
  - 15. The method of claim 14, wherein:
    - updating the one or more security policies comprises removing information corresponding to the one or more anomalous ECU behaviors from one or more whitelists that are part of the one or more security policies, andthe one or more whitelists define the operations that are permitted.
  - 16. The method of claim 15, wherein:
    - the one or more anomalous ECU behaviors comprise a particular sequence of function calls, andthe information removed from the one or more whitelists comprises function mappings outlining the particular sequence of function calls.
  - 17. The method of claim 15, wherein:
    - the one or more anomalous ECU behaviors comprise receipt or transmission of a particular network packet, andthe information removed from the one or more whitelists comprises one or more of;
      
      an IP address specified in the particular network packet, a network port specified in the particular network packet, and a payload content type for the particular network packet.
  - 18. The method of claim 15, wherein:
    - the one or more anomalous ECU behaviors comprise execution of a particular process, andthe information removed from the one or more whitelists comprises information identifying the particular process.
  - 19. The method of claim 11, wherein the ECU is an automotive ECU and the device is a vehicle.
  - 20. The method of claim 11, wherein the malware reports including copies of the blocked malware.

21. A method for providing security on externally connected ECUs of automobiles, the method comprising:
- receiving, at a server system, real-time information identifying malware blocked by a security middleware layer running on a ECU that is part of a device;
  
  aggregating, by the server system, the real-time information with real-time information from other ECUs;
  
  determining, by the server system, aggregate information related to the blocked malware on the ECU;
  
  generating, by the server system, a report that includes information identifying the blocked malware on the ECU and the aggregate information; and
  
  transmitting, by the server system and in real-time, the report to a client computing device for a user who is associated with the ECU.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein:
    - the real-time information comprises a malware report that identify the malware, a portion of an operating system on the controlled that was exploited by the malware, and a copy of the malware, andthe report includes information identifying the malware, the exploited portion of the operating system, and the copy of the malware.
  - 23. The method of claim 21, wherein the aggregate information includes information regarding a current status of other instances of the ECU running on other devices.
  - 24. The method of claim 21, wherein the aggregate information includes information regarding other instances of the malware identfied on other ECUs.
  - 25. The method of claim 21, wherein the ECU is an automotive ECU and the device is a vehicle.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Karamba Security Ltd.
Original Assignee
Karamba Security
Inventors
David, Tal Efraim Ben, Harel, Assaf, Dotan, Amiram, Barzilai, David

Granted Patent

US 10,375,092 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

H04L 12/40   Bus networks

H04L 2012/40215   Controller Area Network CAN

H04L 2209/84   Vehicles

H04L 43/06   Generation of reports

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/128   Anti-malware arrangements, ...

CENTRALIZED CONTROLLER MANAGEMENT AND ANOMALY DETECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

CENTRALIZED CONTROLLER MANAGEMENT AND ANOMALY DETECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links