Anomaly detection in chain-of-custody information

US 9,336,248 B2
Filed: 04/24/2013
Issued: 05/10/2016
Est. Priority Date: 04/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a processor of an audit system, first vehicle log data related to modification of a first software part at a first vehicle;

receiving, at the processor, first ground log data of a first ground system, the first ground log data indicating first chain-of-custody information regarding the first software part;

analyzing, at the processor, the first vehicle log data and the first ground log data based on baseline data to detect an anomaly, wherein the baseline data includes baseline log data that corresponds to a modification of a second software part without any detected anomalies, wherein the anomaly indicates at least one of a gap between the first chain-of-custody information and second chain-of-custody information received from a second ground system, that the first software part was received out-of-order by the first ground system, or that the first software part was forwarded out-of-order by the first ground system, and wherein said analyzing further comprises;

synchronizing the first vehicle log data and the first ground log data based on a common event that is included within each of the first vehicle log data and the first ground log data, a first timestamp of the first vehicle log data, and a second timestamp of the first ground log data to generate synchronized first vehicle log data and synchronized first ground log data, wherein the first timestamp and the second timestamp are associated with the common event,performing a comparison of the synchronized first vehicle log data and the synchronized first ground log data, andgenerating a first dataset based on the comparison; and

sending, from the processor, a notification in response to detecting the anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving first vehicle log data related to modification of a first software part at a first vehicle. The method also includes receiving first ground log data of a first ground system. The first ground log data indicates first chain-of-custody information regarding the first software part. The method further includes analyzing the first vehicle log data and the first ground log data based on baseline data to detect an anomaly. The method also includes sending a notification in response to detecting the anomaly.

Citations

19 Claims

1. A method comprising:
- receiving, at a processor of an audit system, first vehicle log data related to modification of a first software part at a first vehicle;
  
  receiving, at the processor, first ground log data of a first ground system, the first ground log data indicating first chain-of-custody information regarding the first software part;
  
  analyzing, at the processor, the first vehicle log data and the first ground log data based on baseline data to detect an anomaly, wherein the baseline data includes baseline log data that corresponds to a modification of a second software part without any detected anomalies, wherein the anomaly indicates at least one of a gap between the first chain-of-custody information and second chain-of-custody information received from a second ground system, that the first software part was received out-of-order by the first ground system, or that the first software part was forwarded out-of-order by the first ground system, and wherein said analyzing further comprises;
  
  synchronizing the first vehicle log data and the first ground log data based on a common event that is included within each of the first vehicle log data and the first ground log data, a first timestamp of the first vehicle log data, and a second timestamp of the first ground log data to generate synchronized first vehicle log data and synchronized first ground log data, wherein the first timestamp and the second timestamp are associated with the common event,performing a comparison of the synchronized first vehicle log data and the synchronized first ground log data, andgenerating a first dataset based on the comparison; and
  
  sending, from the processor, a notification in response to detecting the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first chain-of-custody information includes at least one of a timestamp associated with an event and an identifier associated with an event.
  - 3. The method of claim 2, wherein the event includes at least one of the first ground system receiving the first software part from a first device or the first ground system forwarding the first software part to a second device.
  - 4. The method of claim 2, wherein the identifier includes at least one of an event identifier, a device identifier, a software part identifier, a hardware part identifier, a user identifier, a maintenance computer identifier, a vehicle identifier, or a ground system identifier.
  - 5. The method of claim 1, further comprising:
    - identifying a first event of the synchronized first vehicle log data, wherein the first event is associated with a first identifier; and
      
      identifying a second event of the synchronized first ground log data, wherein the second event is associated with the first identifier,wherein the first dataset is generated to indicate a time duration indicating a difference between a first event timestamp associated with the first event and a second event timestamp associated with the second event.
  - 6. The method of claim 5, further comprising determining a status of the first vehicle at a time of the first event based on the synchronized first vehicle log data, wherein the first dataset indicates the status.
  - 7. The method of claim 1, further comprising detecting the anomaly based on a comparison of the first dataset to a corresponding second dataset of the baseline data.
  - 8. The method of claim 7, wherein the anomaly is detected in response to the comparison of the first dataset to the second dataset indicating that a first time duration of the first dataset exceeds a corresponding second time duration of the second dataset.
  - 9. The method of claim 8, wherein the first time duration indicates a time difference between the first ground system sending the first software part to the first vehicle and the first vehicle receiving the first software part from the first ground system and wherein the second time duration indicates a threshold duration.
  - 10. The method of claim 7, wherein the anomaly is detected in response to the comparison of the first dataset to the second dataset indicating that a first state value of the first dataset does not correspond to a second state value of the second data set and wherein the first state value indicates a status of the first vehicle at a time of a first event.
  - 11. The method of claim 10, wherein the first vehicle includes an aircraft, wherein the first state value indicates a first weight-on-wheels status of the first vehicle, and wherein the second state value indicates a second weight-on-wheels status.
  - 12. The method of claim 1, further comprising aggregating audit data to generate aggregated audit data, wherein the aggregated audit data includes data regarding the anomaly.
  - 13. The method of claim 1, further comprising, in response to detecting the anomaly, modifying the baseline data based on the anomaly.

14. A system comprising:
- a processor; and
  
  a memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  receiving first vehicle log data related to modification of a first software part at a first vehicle;
  
  receiving first ground log data of a first ground system, the first ground log data indicating first chain-of-custody information regarding the first software part;
  
  analyzing the first vehicle log data and the first ground log data based on baseline data to detect an anomaly, wherein the baseline data includes baseline log data that corresponds to a modification of a second software part without any detected anomalies, wherein the anomaly indicates at least one of a gap between the first chain-of-custody information and second chain-of-custody information received from a second ground system, that the first software part was received out-of-order by the first ground system, or that the first software part was forwarded out-of-order by the first ground system, and wherein said analyzing further comprises;
  
  synchronizing the first vehicle log data and the first ground log data based on a common event that is included within each of the first vehicle log data and the first ground log data, a first timestamp of the first vehicle log data, and a second timestamp of the first ground log data to generate synchronized first vehicle log data and synchronized first ground log data, wherein the first timestamp and the second timestamp are associated with the common event,performing a comparison of the synchronized first vehicle log data and the synchronized first ground log data, andgenerating a first dataset based on the comparison; and
  
  sending a notification in response to detecting the anomaly.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein the operations further comprise:
    - receiving second vehicle log data related to modification of the second software part at a second vehicle;
      
      receiving second ground log data, the second ground log data indicating second chain-of-custody information regarding the second software part;
      
      synchronizing the second vehicle log data and the second ground log data to generate synchronized second vehicle log data and synchronized second ground log data;
      
      performing a comparison of the synchronized second vehicle log data and the synchronized second ground log data;
      
      generating a dataset based on the comparison of the synchronized second vehicle log data and the synchronized second ground log data, wherein the dataset indicates that the modification of the second software part is without a detected anomaly; and
      
      generating the baseline data based on the dataset.
  - 16. The system of claim 15, wherein the operations further comprise determining that the first vehicle and a second vehicle have at least one of a common software module or a common hardware module based on a first vehicle specification of the first vehicle and a second vehicle specification of the second vehicle.
  - 17. The system of claim 15, wherein the operations further comprise:
    - modifying the baseline data to include a threshold time period based on a security requirement; and
      
      modifying the baseline data based on a statistical model.

18. A non-transitory computer-readable storage device storing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving first vehicle log data related to modification of a first software part at a first vehicle;
  
  receiving first ground log data of a first ground system, the first ground log data indicating first chain-of-custody information regarding the first software part;
  
  analyzing the first vehicle log data and the first ground log data based on baseline data to detect an anomaly, wherein the baseline data includes baseline log data that corresponds to a modification of a second software part without any detected anomalies, wherein the anomaly indicates at least one of a gap between the first chain-of-custody information and second chain-of-custody information received from a second ground system, that the first software part was received out-of-order by the first ground system, or that the first software part was forwarded out-of-order by the first ground system, and wherein said analyzing further comprises;
  
  synchronizing the first vehicle log data and the first ground log data based on a common event that is included within each of the first vehicle log data and the first ground log data, a first timestamp of the first vehicle log data, and a second timestamp of the first ground log data to generate synchronized first vehicle log data and synchronized first ground log data, wherein the first timestamp and the second timestamp are associated with the common event,performing a comparison of the synchronized first vehicle log data and the synchronized first ground log data, andgenerating a first dataset based on the comparison; and
  
  sending a notification in response to detecting the anomaly.
- View Dependent Claims (19)
- - 19. The non-transitory computer-readable storage device of claim 18, wherein the first vehicle includes an aircraft.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Li, Mingyan, Benson, Matthew Lee
Primary Examiner(s)
Le, Miranda

Application Number

US13/869,383
Publication Number

US 20140324786A1
Time in Patent Office

1,112 Days
Field of Search

707/690
US Class Current

1/1
CPC Class Codes

G06F 16/215 Improving data quality; Dat...

G07C 5/08 Registering or indicating p...

Anomaly detection in chain-of-custody information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection in chain-of-custody information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links