Method and system for reflectometry based communication network monitoring, intrusion detection, and message authentication

US 9,578,047 B2
Filed: 01/13/2015
Issued: 02/21/2017
Est. Priority Date: 01/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring and detecting intrusions on an communications network, comprising:

monitoring, with a reflectometer, a plurality of communication channels on the communication network, the communication channels each transmitting a plurality of signals between an electronic control module and a remote electronic control module;

extracting a reflectometry feature set from each of the plurality of signals transmitted over each of the communication channels;

comparing the extracted reflectometry feature sets to a repository of predetermined communication network feature sets to generate a mismatch value;

determining that an authenticated event has occurred when the mismatch value is within a predetermined threshold range and continuing to monitor the plurality of communication channels;

determining that a flagged event has occurred when the mismatch value is outside the predetermined threshold range; and

recording the flagged event in a memory module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for monitoring and detecting intrusions and authenticating messages on a communication network of a vehicle. A plurality of signals transmitted over communications network between an electronic control module and a remote electronic module are monitored. Reflectometry feature sets are extracted from the plurality of signals and compared to a repository of predetermined communication network feature sets to generate a mismatch value. The mismatch value is compared to a predetermined threshold range and an authenticated event occurs when the mismatch value is within the predetermined threshold range. When the mismatch value is outside the predetermined threshold range, a flagged event occurs and is recorded.

Citations

20 Claims

1. A method of monitoring and detecting intrusions on an communications network, comprising:
- monitoring, with a reflectometer, a plurality of communication channels on the communication network, the communication channels each transmitting a plurality of signals between an electronic control module and a remote electronic control module;
  
  extracting a reflectometry feature set from each of the plurality of signals transmitted over each of the communication channels;
  
  comparing the extracted reflectometry feature sets to a repository of predetermined communication network feature sets to generate a mismatch value;
  
  determining that an authenticated event has occurred when the mismatch value is within a predetermined threshold range and continuing to monitor the plurality of communication channels;
  
  determining that a flagged event has occurred when the mismatch value is outside the predetermined threshold range; and
  
  recording the flagged event in a memory module.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - sending the extracted reflectometry feature sets to a cyber security anomaly detection module when the flagged event has occurred; and
      
      determining, with the cyber security anomaly detection module, that an intrusion has occurred based on at least one extracted reflectometry feature set.
  - 3. The method of claim 2, further comprising:
    - storing, by the cyber security anomaly detection module, a history of flagged events and corresponding extracted reflectometry feature sets; and
      
      determining, with the cyber security anomaly detection module, that the intrusion has occurred based on the history of flagged events and corresponding extracted reflectometry feature sets.
  - 4. The method of claim 1, further comprising establishing the repository of predetermined communication network feature sets based on an initial communications network baseline.
  - 5. The method of claim 1, further comprising recalibrating the repository of predetermined communication network feature sets based on a recalibration event.
  - 6. The method of claim 1, further comprising:
    - identifying the remote electronic control module associated with the signal corresponding to the authenticated event;
      
      comparing a content of the signal corresponding to the authenticated event to a command repository of a plurality of commands associated with the remote electronic control module;
      
      confirming that the authenticated event has occurred when the content of the signal corresponding to the authenticated event matches at least one command in the command repository and continuing to monitor the plurality of communication channels;
      
      determining that the flagged event has occurred when the content of the signal corresponding to the authenticated event does not match at least one command in the command repository; and
      
      recording the flagged event in a memory module.

7. A system for monitoring and detecting intrusions on a communications network, comprising:
- an electronic control module having a first processor module and a first memory module, the electronic control module configured to send and receive a plurality of signals on a plurality of communication channels of the communications network;
  
  a remote electronic control module configured to send and receive the plurality of signals from the electronic control module over the communication channels;
  
  a repository of predetermined communication network feature sets; and
  
  a reflectometer having a second processor module and a second memory module, the reflectometer configured to extract a reflectometry feature set from each of the plurality of signals transmitted over the communication channels and calculate a mismatch value corresponding to the difference between the reflectometry feature set and the corresponding communication network feature set,wherein an authenticated event occurs when the mismatch value is within a predetermined threshold range and a flagged event occurs when the mismatch value is outside the predetermined threshold range, the flagged event recorded in at least one of the first memory module and the second memory module.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, further comprising a cyber security anomaly detection module having a third processor module and a third memory module, the cyber security anomaly detection module configured to receive the reflectometry feature sets when a flagged event has occurred and determine that an intrusion has occurred based on at least one reflectometry feature set.
  - 9. The system of claim 8, wherein the cyber security anomaly detection module is configured to determine that the intrusion has occurred based on a history of flagged events and corresponding extracted reflectometry feature sets.
  - 10. The system of claim 7, wherein the repository of predetermined communication network feature sets is established based on an initial communications network baseline.
  - 11. The system of claim 7, wherein the repository of predetermined communication network feature sets is recalibrated based on a recalibration event.
  - 12. The system of claim 7, further comprising:
    - a command repository of a plurality of commands each corresponding to one of the at least one remote electronic control module,wherein the electronic control module is configured to identify the remote electronic control module associated with the signal corresponding to the authenticated event and compare a content of the signal to the command corresponding to the identified remote electronic control module, and the authenticated event is confirmed when the content of the signal matches the command from the command repository and the flagged event occurs when the content of the signal does not match the command in the command repository, the flagged event recorded in at least one of the electronic control module and the reflectometer.
  - 13. The system of claim 7, further comprising:
    - a repository of predetermined signal signatures each corresponding to one of the at least one remote electronic control module,wherein the reflectometer is configured to extract a signal signature corresponding to each signal received by the electronic control module and calculate a signature mismatch value corresponding to the difference between the signal signature and the predetermined signal signature, and the authenticated event occurs when signature mismatch value is within a predetermined signature range and the flagged event occurs when the signature mismatch value is outside the predetermined signature range, the flagged event recorded in at least one of the electronic control module and the reflectometer.

14. A vehicle, comprising:
- a communications network; and
  
  a system for monitoring and detecting intrusions on the communications network, the system comprising;
  
  an electronic control module having a first processor module and a first memory module, the electronic control module configured to send and receive a plurality of signals on a plurality of communication channels of the communications network;
  
  a remote electronic control module configured to send and receive the plurality of signals from the electronic control module over the communication channels;
  
  a repository of predetermined communication network feature sets; and
  
  a reflectometer having a second processor module and a second memory module, the reflectometer configured to extract a reflectometry feature set from each of the plurality of signals transmitted over the communication channels and calculate a mismatch value corresponding to the difference between the reflectometry feature set and the corresponding communication network feature set,wherein an authenticated event occurs when the mismatch value is within a predetermined threshold range and a flagged event occurs when the mismatch value is outside the predetermined threshold range, the flagged event recorded in at least one of the first memory module and the second memory module.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The vehicle of claim 14, further comprising a cyber security anomaly detection module having a third processor module and a third memory module, the cyber security anomaly detection module configured to receive the reflectometry feature sets when a flagged event has occurred and determine that an intrusion has occurred based on at least one reflectometry feature set.
  - 16. The vehicle of claim 15, further comprising a history of flagged events and the corresponding reflectometry feature sets, wherein the cyber security anomaly detection module is configured to determine that the intrusion has occurred based on the history of flagged events and corresponding extracted reflectometry feature sets.
  - 17. The vehicle of claim 14, wherein the repository of predetermined communication network feature sets is established based on an initial communications network baseline.
  - 18. The system of claim 14, wherein the repository of predetermined communication network feature sets is recalibrated based on a recalibration event.
  - 19. The vehicle of claim 14, further comprising:
    - a command repository of a plurality of commands each corresponding to one of the at least one remote electronic control module,wherein the electronic control module is configured to identify the remote electronic control module associated with the signal corresponding to the authenticated event and compare a content of the signal to the command corresponding to the identified remote electronic control module, and the authenticated event is confirmed when the content of the signal matches the command from the command repository and the flagged event occurs when the content of the signal does not match the command in the command repository, the flagged event recorded in at least one of the electronic control module and the reflectometer.
  - 20. The vehicle of claim 14, further comprising:
    - a repository of predetermined signal signatures each corresponding to one of the at least one remote electronic control module,wherein the reflectometer is configured to extract a signal signature corresponding to each signal received by the electronic control module and calculate a signature mismatch value corresponding to the difference between the signal signature and the predetermined signal signature, and the authenticated event occurs when signature mismatch value is within a predetermined signature range and the flagged event occurs when the signature mismatch value is outside the predetermined signature range, the flagged event recorded in at least one of the electronic control module and the reflectometer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Polevoy, Yuval, Cohen, Omer, Laifenfeld, Moshe, Julson, Timothy D., Baltes, Kevin M.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US14/595,584
Publication Number

US 20160205117A1
Time in Patent Office

770 Days
Field of Search

726/23, 726/25
US Class Current

1/1
CPC Class Codes

H04B 1/3822   specially adapted for use i...

H04B 10/071   using a reflected signal, e...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/12   specially adapted for propr...

Method and system for reflectometry based communication network monitoring, intrusion detection, and message authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reflectometry based communication network monitoring, intrusion detection, and message authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links