Method and device for defending against attacks to systems comprising a plug and play function

US 8,418,248 B2
Filed: 02/25/2009
Issued: 04/09/2013
Est. Priority Date: 03/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method for recognizing attacks on at least one interface of an automated self-service machine, to which at least one peripheral device of the automated self-service machine is connected, the method comprising:

monitoring of the interface to detect changes at the interface;

if changes occur, calculating a probability of an unauthorized attack on the interface based on the type of change;

wherein one or more of the following events is taken into consideration in calculating the probability;

a reliability of a serial number of the at least one peripheral device connected to the interface;

a reliability of a maker/product combination for the at least one peripheral device;

a reliability of a device class of the at least one peripheral device;

a reliable number of devices from a device class of the at least one peripheral device;

a time interval between removing a device from and connecting a device to the interface;

a device path or type of connection;

a time of day at which a device is connected to or removed from the interface; and

a mode for the automated self-service machine when a device is connected to or removed from the interface, including a customer operation mode or a service mode;

and wherein if the probability is beyond a defined threshold, defensive measures are introduced.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method for recognizing attacks to at least one interface of a computer system, in particular an automated self-service machine, comprising: monitoring the interface in order to determine changes at the interface; if changes occur, the change is used to determine the probability that an unallowed attack is occurring at the interface; if the probability is beyond a defined threshold, defensive maneuvers are introduced.

Citations

17 Claims

1. A method for recognizing attacks on at least one interface of an automated self-service machine, to which at least one peripheral device of the automated self-service machine is connected, the method comprising:
- monitoring of the interface to detect changes at the interface;
  
  if changes occur, calculating a probability of an unauthorized attack on the interface based on the type of change;
  
  wherein one or more of the following events is taken into consideration in calculating the probability;
  
  a reliability of a serial number of the at least one peripheral device connected to the interface;
  
  a reliability of a maker/product combination for the at least one peripheral device;
  
  a reliability of a device class of the at least one peripheral device;
  
  a reliable number of devices from a device class of the at least one peripheral device;
  
  a time interval between removing a device from and connecting a device to the interface;
  
  a device path or type of connection;
  
  a time of day at which a device is connected to or removed from the interface; and
  
  a mode for the automated self-service machine when a device is connected to or removed from the interface, including a customer operation mode or a service mode;
  
  and wherein if the probability is beyond a defined threshold, defensive measures are introduced.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method from claim 1, wherein the defensive measures comprise one or more of the following procedures:
    - creating a log entry, automatic shutdown of the computer system, sending a warning message to a target system or a target person, deactivating the interface, deactivating a recently connected device, switching to a security mode.
  - 3. The method from claim 1, wherein a preferably adjustable point value is assigned to each event, and the events are totaled so that a check can be made based on the total whether a threshold was exceeded in order to then introduce a defensive measure.
  - 4. The method from claim 1, wherein the automated self-service machine is an automated bank machine and/or an automated bottle vending machine.
  - 5. The method from claim 4, wherein the self-service machine allows customer operation and maintenance operation, where one or more thresholds and/or probabilities are different depending on the type of operation.
  - 6. The method from claim 1, wherein the interface is one or more of the following:
    - serial interface, parallel interface, serial bus interface, parallel bus interface, networks, wireless network interface, optical network interface, cable network interface, IEEE 1394, FireWire, IEEE 1284, LAN, WLAN, Bluetooth, PS/2, RS232.
  - 7. The method from claim 6, wherein the interface has a plug-and-play function that triggers an automatic action on the computer system.
  - 8. The method from claim 1, wherein the method, or parts of the method, is implemented by a driver for the interface that possesses one or more of the following properties:
    - replacement of the standard interface driver by a modified driver that, in addition to the existing functionality, implements the functionality of the method or parts thereof;
      
      additional driver that is arranged logically below the standard driver so that the information that reaches the standard driver is forwarded after being filtered;
      
      additional driver that is arranged logically above a standard driver so that information is forwarded to the system after being filtered.
  - 9. The method from claim 1, wherein a software process continuously monitors the traffic on the interface in order to detect an unauthorized attack.

10. An automated self-service machine having at least one interface, to which at least one peripheral device of the automated self-service machine is connected, comprising an ALU for monitoring the at least one interface to determine changes at the at least one interface;
- in the event that changes occur, the ALU determines a probability of an unauthorized attack on the at least one interface based on the type of change;
  
  wherein the ALU takes into consideration one or more of the following events in calculating the probability;
  
  a reliability of a serial number of the at least one peripheral device connected to the interface;
  
  a reliability of a maker/product combination of the at least one peripheral device;
  
  a reliability of a device class of the at least one peripheral device;
  
  a reliable number of devices from a device class of the at least one peripheral device;
  
  a device path or type of connection;
  
  a time interval between removal of a device from and connection to the interface;
  
  a time of day at which a device is connected to or removed from the interface; and
  
  a mode for the automated self-service machine when connecting a device to or removing a device from the interface, including a customer operation mode or a service mode;
  
  and wherein if the probability is beyond a defined threshold, defensive measures are introduced through the ALU.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The automated self-service machine from claim 10, wherein defensive measures are introduced through the ALU that comprise one or more of the following procedures:
    - creating a log entry on a data carrier, shutting down the computer system automatically, sending a warning message to a target system or a target person over a network, deactivating the interface, deactivating a recently connected device, switching to a security mode.
  - 12. The automated self-service machine from claim 10, wherein a preferably adjustable point value is assigned to each event, said value can be filed on a storage system and the ALU (arithmetic logic unit) totals the events so that a check can be made based on the total whether a threshold was exceeded in order to introduce a defensive measure.
  - 13. The automated self-service machine from claim 10, wherein the automated self-service machine is an automated bank machine or an automated bottle vending machine.
  - 14. The automated self-service machine from claim 13, wherein the ALU switches to customer operation and to maintenance operation each of which concerns a measure of security, wherein one or more thresholds and/or probabilities are different depending on the type of operation.
  - 15. The automated self-service machine from claim 10, wherein the interface is one or more of the following, including technical successors:
    - serial interface, parallel interface, serial bus interface, parallel bus interface, network interface, wireless network interface, optical network interface, cable network interface, IEEE 1394, FireWire, IEEE 1284, LAN, WLAN, Bluetooth, PS/2, RS232.
  - 16. The automated self-service machine from claim 10, comprising a driver for the interface that possesses one or more of the following properties:
    - replacement of the standard interface driver by a modified driver that, in addition to the existing functionality, implements the functionality of the method or parts thereof;
      
      additional driver that is arranged logically below the standard driver so that the information that reaches the standard driver is forwarded after being filtered;
      
      additional driver that is arranged logically above the standard driver so that information is forwarded to the system after being filtered.
  - 17. The automated self-service machine from claim 10, comprising a device that comprises a software process that continuously monitors the traffic on the interface in order to detect an unauthorized attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Diebold Nixdorf Systems GmbH (Diebold Nixdorf, Incorporated)
Original Assignee
Wincor Nixdorf International GmbH (Diebold Nixdorf, Incorporated)
Inventors
Von Der Lippe, Carsten, Richter, Bernd
Primary Examiner(s)
McNally, Michael S

Application Number

US12/919,620
Publication Number

US 20100333202A1
Time in Patent Office

1,504 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/554 involving event detection a...

Method and device for defending against attacks to systems comprising a plug and play function

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for defending against attacks to systems comprising a plug and play function

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links