Intrusion detection mechanism
Abstract
In one embodiment, a method implemented on a node connected to a network bus includes: storing one or more message identifiers, the one or more identifiers comprising at least one message identifier identifying the node, the at least one message identifier being included in a message at a time when the message is sent by the node onto the network bus; monitoring network bus traffic, the network bus traffic comprising messages transmitted by the node and by other nodes connected to the network bus; and alerting a processor of the node if a message transmitted on the network bus by at least one of the other nodes is identified as having a message identifier corresponding to the at least one message identifier.
16 Claims
1. A method implemented on a node connected to a network bus, said method comprising:
- storing one or more message identifiers, said one or more identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;
- monitoring network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and
- alerting a processor of said node when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier,
- wherein said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus;
- said storing further comprises storing an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;
- said method further comprising determining a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and
- said alerting comprises alerting a processor of said node when said determined present delta time is different from said stored expected delta time;
- wherein a previously determined delta time is used as said stored expected delta time;
- wherein said alerting comprises alerting the processor of said node when a difference, in absolute value, between said determined present delta time and said previously determined delta time exceeds a predefined threshold.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A node connected to a network bus, said node comprising:
- a network interface;
- a processor; and
- a controller;
- wherein said controller further comprises an intrusion detection component operable to;
- store one or more message identifiers, said one or more message identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;
- monitor network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and
- alert said processor when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier,
- wherein said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus; and
- said intrusion detection component being further operable to;
- store an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;
- determine a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and
- alert said processor when said determined present delta time is different from said stored expected delta time;
- wherein a previously determined delta time is used as said stored expected delta time;
- wherein said alerting comprises alerting the processor of said node when a difference, in absolute value, between said determined present delta time and said previously determined delta time exceeds a predefined threshold.

Dependent claims: 15, 16

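The two checks recited in claims 1 and 14 (the node's own identifier seen in a message from another node, and a present delta time that departs from the previously determined one by more than a threshold), sketched in C as an added example that is not taken from the patent. The type and function names, the `sent_by_self` flag, microsecond timestamps, the 5 ms threshold and the trace are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
enum { ALERT_NONE = 0, ALERT_FOREIGN_OWN_ID = 1, ALERT_DELTA = 2 };
typedef struct {            /* one stored identifier; all names are hypothetical */
    uint32_t id;
    bool own;               /* identifier identifies this node */
    unsigned nseen;         /* messages observed so far, saturating at 2 */
    int64_t last_us;        /* time the last message with this id was observed */
    int64_t prev_delta_us;  /* previously determined delta = expected delta */
} watch_t;

/* Check one observed message and return a bitmask of alerts. Assumption:
 * the controller can tell its own transmissions apart (sent_by_self). */
int ids_observe(watch_t *tab, size_t n, uint32_t id, int64_t t_us,
                bool sent_by_self, int64_t threshold_us) {
    for (size_t i = 0; i < n; i++) {
        watch_t *w = &tab[i];
        if (w->id != id) continue;
        int alerts = ALERT_NONE;
        if (w->own && !sent_by_self) alerts |= ALERT_FOREIGN_OWN_ID;
        if (w->nseen >= 1) {
            int64_t delta = t_us - w->last_us;      /* present delta time */
            if (w->nseen >= 2 && llabs(delta - w->prev_delta_us) > threshold_us)
                alerts |= ALERT_DELTA;
            w->prev_delta_us = delta;               /* next expected delta */
        }
        w->last_us = t_us;
        if (w->nseen < 2) w->nseen++;
        return alerts;
    }
    return ALERT_NONE;                              /* identifier not stored */
}

/* Constructed trace (microseconds): 0x120 is this node's id, 0x2A0 a peer's. */
typedef struct { uint32_t id; int64_t t_us; bool self; } frame_t;
static const frame_t TRACE[] = {
    {0x2A0, 0, false}, {0x2A0, 100000, false}, {0x2A0, 200500, false},
    {0x2A0, 230000, false},                         /* off-schedule frame */
    {0x2A0, 300000, false}, {0x120, 310000, true}, {0x120, 410000, false},
};
/* Replay TRACE through frame k with a 5 ms threshold; return frame k's alerts. */
int replay_alert(size_t k) {
    watch_t tab[] = { {.id = 0x120, .own = true}, {.id = 0x2A0} };
    int a = ALERT_NONE;
    for (size_t i = 0; i <= k; i++)
        a = ids_observe(tab, 2, TRACE[i].id, TRACE[i].t_us, TRACE[i].self, 5000);
    return a;
}
```

Because the previously determined delta serves as the expected delta, the single off-schedule frame in the trace raises `ALERT_DELTA` twice: once on itself and once on the next regular frame, whose delta is then compared against the shortened one.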
Specification