Intrusion detection mechanism

US 9,380,070 B1
Filed: 01/20/2015
Issued: 06/28/2016
Est. Priority Date: 01/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented on a node connected to a network bus, said method comprising:

storing one or more message identifiers, said one or more identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;

monitoring network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and

alerting a processor of said node when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier,wherein said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus;

said storing further comprises storing an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;

said method further comprising determining a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and

said alerting comprises alerting a processor of said node when said determined present delta time is different from said stored expected delta time;

wherein a previously determined delta time is used as said stored expected delta time;

wherein said alerting comprises alerting the processor of said node when a difference, in absolute value, between said determined present delta time and said previously determined delta time exceeds a predefined threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method implemented on a node connected to a network bus includes: storing one or more message identifiers, the one or more identifiers comprising at least one message identifier identifying the node, the at least one message identifier being included in a message at a time when the message is sent by the node onto the network bus; monitoring network bus traffic, the network bus traffic comprising messages transmitted by the node and by other nodes connected to the network bus; and alerting a processor of the node if a message transmitted on the network bus by at least one of the other nodes is identified as having a message identifier corresponding to the at least one message identifier.

37 Citations

View as Search Results

16 Claims

1. A method implemented on a node connected to a network bus, said method comprising:
- storing one or more message identifiers, said one or more identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;
  
  monitoring network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and
  
  alerting a processor of said node when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier,wherein said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus;
  
  said storing further comprises storing an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;
  
  said method further comprising determining a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and
  
  said alerting comprises alerting a processor of said node when said determined present delta time is different from said stored expected delta time;
  
  wherein a previously determined delta time is used as said stored expected delta time;
  
  wherein said alerting comprises alerting the processor of said node when a difference, in absolute value, between said determined present delta time and said previously determined delta time exceeds a predefined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said stored expected delta time comprises a maximum delta time and a minimum delta time;
    - and said alerting comprises alerting the processor of said node when said determined present delta time is more than said maximum delta time or is less than said minimum delta time.
  - 3. The method of claim 1, wherein said stored expected delta time comprises a maximum delta time, a minimum delta time and a previously determined delta time;
    - and said alerting comprises alerting the processor of said node when one or more of the following conditions is met;
      
      said determined delta time is more than said maximum delta time;
      
      said determined delta time is less than said minimum delta time;
      
      a difference, in absolute value, between said determined present delta time and a previously determined delta time exceeds a predefined threshold.
  - 4. The method of claim 1, wherein said determining comprises:
    - retrieving a first time value from a counter of said node, said first time value corresponding to a time at which said present message is observed on said network bus;
      
      retrieving a second time value from a memory of said node, said second time value corresponding to a time at which said last message was observed on said network bus; and
      
      determining a present delta time by computing a time difference between said first and second time values.
  - 5. The method of claim 4, further comprising:
    - after said retrieving a second time value, storing said first time value in said memory in place of said second time value.
  - 6. The method of claim 1, wherein said determining comprises:
    - providing one or more counters at said node, each counter being associated with a single message identifier;
      
      retrieving a time value from a counter associated with said at least one message identifier, said time value corresponding to a time at which said present message is observed on said network bus; and
      
      determining a present delta time by using said retrieved time value.
  - 7. The method of claim 6, further comprising:
    - resetting said counter to zero after having determined said present delta time.
  - 8. The method of claim 1, wherein said alerting further comprises:
    - generating an alarm signal when said determined delta time is different from said expected delta time; and
      
      sending said generated alarm signal to said processor of said node.
  - 9. The method of claim 8, wherein said alarm signal is generated and sent to said processor whenever said determined delta time is different from said expected delta time.
  - 10. The method of claim 8, wherein said alarm signal is generated and sent to said processor when a certain number of determined delta times for a certain number of messages having said at least one message identifier are different from said expected delta time.
  - 11. The method of claim 8, wherein said alarm signal is generated and sent to said processor when a certain number of determined delta times for messages having said at least one message identifier are different from said expected delta time during a predefined period of time.
  - 12. The method of claim 8, wherein said alarm signal comprises an interrupt signal associated with additional information, said additional information indicating a type of detected anomaly.
  - 13. The method of claim 8, wherein:
    - said generating comprises;
      
      retrieving said present message; and
      
      inserting additional bits in said retrieved present message, said additional bits indicating to said processor a type of detected anomaly; and
      
      said sending comprises sending said retrieved present message including said inserted additional bits to said processor of said node.

14. A node connected to a network bus, said node comprising:
- a network interface;
  
  a processor; and
  
  a controller;
  
  wherein said controller further comprises an intrusion detection component operable to;
  
  store one or more message identifiers, said one or more message identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;
  
  monitor network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and
  
  alert said processor when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier,wherein said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus; and
  
  said intrusion detection component being further operable to;
  
  store an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;
  
  determine a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and
  
  alert said processor when said determined present delta time is different from said stored expected delta time;
  
  wherein a previously determined delta time is used as said stored expected delta time;
  
  wherein said alerting comprises alerting the processor of said node when a difference, in absolute value, between said determined present delta time and said previously determined delta time exceeds a predefined threshold.
- View Dependent Claims (15, 16)
- - 15. The node of claim 14, wherein said intrusion detection component is further operable to extract said at least one message identifier from a message received from said processor of said node that is to be transmitted onto said network bus.
  - 16. The node of claim 14, wherein said expected delta time is provided by said processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wende, David, Cain, Harel, Sella, Yaron, Devir, Michal
Primary Examiner(s)
Ho, Dao

Application Number

US14/600,129
Publication Number

US 20160212162A1
Time in Patent Office

525 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 12/40   Bus networks

H04L 12/4625   Single bridge functionality...

H04L 2012/40215   Controller Area Network CAN

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/12   specially adapted for propr...

Intrusion detection mechanism

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection mechanism

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links