DATA SECURITY INSPECTION MECHANISM FOR SERIAL NETWORKS

US 20180316700A1
Filed: 04/26/2017
Published: 11/01/2018
Est. Priority Date: 04/26/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a device in a serial network, that a suspicious event has occurred in the network, wherein the suspicious event is identified based on timing information for one or more frames in the serial network;

assessing, by the device, whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event; and

causing, by the device, a mitigation action to be performed in the network when the suspicious event is deemed malicious.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a serial network determines that a suspicious event has occurred in the network. The suspicious event is identified based on timing information for one or more frames in the serial network. The device assesses whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event. The device causes a mitigation action to be performed in the network when the suspicious event is deemed malicious.

9 Citations

View as Search Results

20 Claims

1. A method comprising:
- determining, by a device in a serial network, that a suspicious event has occurred in the network, wherein the suspicious event is identified based on timing information for one or more frames in the serial network;
  
  assessing, by the device, whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event; and
  
  causing, by the device, a mitigation action to be performed in the network when the suspicious event is deemed malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, wherein the mitigation action comprises at least one of:
    - generating an alert regarding the suspicious event or blocking one or more frames in the network associated with the suspicious event.
  - 3. The method as in claim 1, wherein determining that the suspicious event has occurred comprises:
    - detecting, by the device, the one or more frames in the serial network; and
      
      computing, by the device, the timing information for the one or more frames in the serial network.
  - 4. The method as in claim 1, wherein determining that the suspicious event has occurred comprises:
    - receiving, at the device, an indication from a gateway in the network that the suspicious event is suspicious.
  - 5. The method as in claim 4, wherein the device is a head unit in a vehicle.
  - 6. The method as in claim 1, wherein the serial network is a CAN Bus network.
  - 7. The method as in claim 1, wherein assessing whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event comprises:
    - using, by the device, a behavioral model to evaluate the sequence of events.
  - 8. The method as in claim 7, wherein the behavioral model is trained to detect frames in the network associated with user activity.

9. An apparatus, comprising:
- one or more network interfaces to communicate with a serial network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store the process executable by the processor, the process when executed configured to;
  
  determine that a suspicious event has occurred in the serial network, wherein the suspicious event is identified based on timing information for one or more frames in the serial network;
  
  assess whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event; and
  
  cause a mitigation action to be performed in the network when the suspicious event is deemed malicious.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as in claim 9, wherein the mitigation action comprises at least one of:
    - generating an alert regarding the suspicious event or blocking one or more frames in the network associated with the suspicious event.
  - 11. The apparatus as in claim 9, wherein the apparatus determines that the suspicious event has occurred by:
    - detecting the one or more frames in the serial network; and
      
      computing the timing information for the one or more frames in the serial network.
  - 12. The apparatus as in claim 9, wherein the apparatus determines that the suspicious event has occurred by:
    - receiving an indication from a gateway in the network that the suspicious event is suspicious.
  - 13. The apparatus as in claim 12, wherein the apparatus is a head unit in a vehicle.
  - 14. The apparatus as in claim 9, wherein the serial network is a CAN Bus network.
  - 15. The apparatus as in claim 9, wherein the process when executed is further configured to:
    - use a behavioral model to evaluate the sequence of events.
  - 16. The apparatus as in claim 15, wherein the behavioral model is trained to detect frames in the network associated with user activity.

17. A tangible, non-transitory, computer-readable medium storing program instructions that, when executed by a device in a serial network, cause the device to perform a process comprising:
- determining, by the device, that a suspicious event has occurred in the network, wherein the suspicious event is identified based on timing information for one or more frames in the serial network;
  
  assessing, by the device, whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event; and
  
  causing, by the device, a mitigation action to be performed in the network when the suspicious event is deemed malicious.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium as in claim 17, wherein determining that the suspicious event has occurred comprises:
    - receiving, at the device, an indication from a gateway in the network that the suspicious event is suspicious.
  - 19. The computer-readable medium as in claim 18, wherein the device is a head unit in a vehicle.
  - 20. The computer-readable medium as in claim 17, wherein the device is a CAN Bus network gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Maluf, David A., Sudhaakar, Raghuram S., Doshi, Sanjiv

Granted Patent

US 10,666,671 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/046   Forward inferencing; Produc...

H04L 12/40   Bus networks

H04L 12/66   Arrangements for connecting...

H04L 2012/40215   Controller Area Network CAN

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

DATA SECURITY INSPECTION MECHANISM FOR SERIAL NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DATA SECURITY INSPECTION MECHANISM FOR SERIAL NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links