Specially programmed computing systems with associated devices configured to implement secure communication lockdowns and methods of use thereof

US 9,866,563 B2
Filed: 04/12/2017
Issued: 01/09/2018
Est. Priority Date: 04/12/2016
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

wherein the device is located within a vehicle;

wherein the device is an intermediary for a plurality of communication networks of the vehicle so that the device receives all electronic messages transmitted between the plurality of communication networks;

wherein the plurality of communication networks of the vehicle comprises a plurality of electronic control units (ECUs);

wherein the device comprises at least one secure communication lockdown component;

wherein the at least one secure communication lockdown component is configured such that the device securely separates each respective source of each respective electronic message from each respective destination to which each respective electronic message has been directed;

wherein each respective ECU of the plurality of ECUs is either each respective source or each respective destination;

wherein the at least one secure communication lockdown component comprises;

at least one processor programmed to execute at least one secure communication lockdown procedure andat least one non-volatile memory component, at least storing;

i) at least one pre-defined communication schema, andii) at least one software instruction for the at least one secure communication lockdown procedure;

wherein the at least one pre-defined communication schema comprises;

i) at least one pre-defined approved message dictionary, andii) at least one finite state machine;

wherein the at least one finite state machine comprises;

i) a plurality of states for at least one component of the vehicle, andii) a plurality of state transitions for each state of the plurality of states;

wherein each state is associated with at least one state vector;

wherein the at least one state vector comprises data representative of at least one of the following;

i) at least one general parameter associated with at least one of;

1) an overall operation of the vehicle and2) an overall condition of the vehicle,ii) at least one component-specific parameter associated with at least one operational state of the at least one component of the vehicle,iii) at least one ECU-specific parameter associated with at least one operational state of at least one ECU of the vehicle, andiv) at least one communication-specific parameter associated with at least one communication process that is associated with the vehicle;

wherein the at least one state transition comprises data that is representative of a change in at least on state vector corresponding to the at least one state of the plurality of states;

wherein the at least one processor of the at least one secure communication lockdown component is configured, at runtime, to execute the at least one software instruction of the at least one secure communication lockdown procedure that is configured to;

receive each respective electronic message;

verify at least one portion of each respective electronic message against;

i) the at least one pre-defined approved message dictionary andii) the at least one finite state machine;

determine, based on the verification of the at least one portion of each respective electronic message, that each respective electronic message is;

i) an unauthorized electronic message in accordance with the at least one pre-defined communication schema orii) an approved electronic message in accordance with the at least one pre-defined communication schema; and

perform one of;

i) executing at least one administrative action with the unauthorized electronic message orii) one of;

1) transmitting the approved electronic message to each respective destination or2) modifying the approved electronic message with at least one pre-defined change to generate a changed approved electronic message and transmitting the changed approved electronic message to each respective destination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the present invention provides for an exemplary inventive device which includes at least the following components: a secure lockdown component that is operationally associated with at least one electronic control unit (ECU) of at least one network; where the secure lockdown component is configured such that the device physically separates at least one of: i) the at least one network from any other network, ii) the at least one network from external inputs directed to the at least one network, iii) the at least one ECU from at least one other ECU, iv) the at least one ECU from external inputs directed to the at least one ECU, v) at least one memory component within the at least one ECU from at least one processing unit within the at least one ECU, and vi) any combination thereof.

86 Citations

View as Search Results

30 Claims

1. A device, comprising:
- wherein the device is located within a vehicle;
  
  wherein the device is an intermediary for a plurality of communication networks of the vehicle so that the device receives all electronic messages transmitted between the plurality of communication networks;
  
  wherein the plurality of communication networks of the vehicle comprises a plurality of electronic control units (ECUs);
  
  wherein the device comprises at least one secure communication lockdown component;
  
  wherein the at least one secure communication lockdown component is configured such that the device securely separates each respective source of each respective electronic message from each respective destination to which each respective electronic message has been directed;
  
  wherein each respective ECU of the plurality of ECUs is either each respective source or each respective destination;
  
  wherein the at least one secure communication lockdown component comprises;
  
  at least one processor programmed to execute at least one secure communication lockdown procedure andat least one non-volatile memory component, at least storing;
  
  i) at least one pre-defined communication schema, andii) at least one software instruction for the at least one secure communication lockdown procedure;
  
  wherein the at least one pre-defined communication schema comprises;
  
  i) at least one pre-defined approved message dictionary, andii) at least one finite state machine;
  
  wherein the at least one finite state machine comprises;
  
  i) a plurality of states for at least one component of the vehicle, andii) a plurality of state transitions for each state of the plurality of states;
  
  wherein each state is associated with at least one state vector;
  
  wherein the at least one state vector comprises data representative of at least one of the following;
  
  i) at least one general parameter associated with at least one of;
  
  1) an overall operation of the vehicle and2) an overall condition of the vehicle,ii) at least one component-specific parameter associated with at least one operational state of the at least one component of the vehicle,iii) at least one ECU-specific parameter associated with at least one operational state of at least one ECU of the vehicle, andiv) at least one communication-specific parameter associated with at least one communication process that is associated with the vehicle;
  
  wherein the at least one state transition comprises data that is representative of a change in at least on state vector corresponding to the at least one state of the plurality of states;
  
  wherein the at least one processor of the at least one secure communication lockdown component is configured, at runtime, to execute the at least one software instruction of the at least one secure communication lockdown procedure that is configured to;
  
  receive each respective electronic message;
  
  verify at least one portion of each respective electronic message against;
  
  i) the at least one pre-defined approved message dictionary andii) the at least one finite state machine;
  
  determine, based on the verification of the at least one portion of each respective electronic message, that each respective electronic message is;
  
  i) an unauthorized electronic message in accordance with the at least one pre-defined communication schema orii) an approved electronic message in accordance with the at least one pre-defined communication schema; and
  
  perform one of;
  
  i) executing at least one administrative action with the unauthorized electronic message orii) one of;
  
  1) transmitting the approved electronic message to each respective destination or2) modifying the approved electronic message with at least one pre-defined change to generate a changed approved electronic message and transmitting the changed approved electronic message to each respective destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The device of claim 1, wherein a source of at least one electronic message of all electronic messages received by the device or at least one destination of the at least one electronic message is located outside of the vehicle.
  - 3. The device of claim 1, wherein the device physically separates at least one source of at least one electronic message of all electronic messages received by the device from at least one destination to which the at least one message has been directed.
  - 4. The device of claim 1, wherein the at least one pre-defined approved message dictionary that comprises at least one of:
    - 1) all pre-defined electronic messages that can be generated within the vehicle during all possible state transitions within the plurality of states,2) a maximal rate at which each electronic message is allowed to be sent,3) a minimal rate at which each electronic message is allowed to be sent,4) all pre-defined source-destination messaging pairs associated with the plurality of states.
  - 5. The device of claim 1, wherein the determination that each respective electronic message is the unauthorized electronic message comprises:
    - querying the at least one pre-defined approved message dictionary based at least in part in on data from the at least one portion of each respective electronic message; and
      
      determining that the data is;
      
      i) not found in the at least one pre-defined approved message dictionary, orii) invalid.
  - 6. The device of claim 4, wherein, for each of the all pre-defined electronic messages, the at least one pre-defined approved message dictionary further comprises:
    - at least one pre-defined message structure definition andat least one pre-defined value of each message parameter.
  - 7. The device of claim 1, wherein the at least one finite state machine further comprises the at least one pre-defined approved message dictionary.
  - 8. The device of claim 1, wherein the at least one administrative action is at least one of:
    - 1) dropping the unauthorized electronic message,2) erasing the unauthorized electronic message, and3) logging the unauthorized electronic message.
  - 9. The device of claim 8, wherein the at least one secure lockdown component is configured to execute the at least one administrative action at one of:
    - hardware,at least one location along a software stack, orboth.
  - 10. The device of claim 1, wherein the unauthorized electronic message is a message that:
    - 1) has no a corresponding state transition of the at least one finite state machine,2) is configured to cause at least one unapproved change in at least one corresponding state vector of the at least one finite state machine, or3) both.
  - 11. The device of claim 1, wherein the at least one pre-defined communication schema further comprises at least one of:
    - i) all pre-defined communication sequences for all electronic messages that are pre-defined based at least in part on the at least one finite state machine, andii) all pre-defined communication protocols for all electronic messages that are pre-defined based at least in part on the at least one finite state machine.
  - 12. The device of claim 4, wherein the at least one secure communication lockdown component is configured so that the at least one pre-defined communication schema is programmed in the form, comprising:
    - 1) a data logical layer that represents all pre-defined electronic messages of the at least one pre-defined approved message dictionary,2) a routing logical layer that represents all pre-defined source-destination messaging pairs of the at least one pre-defined approved message dictionary, and3) a context logical layer that represents all pre-defined communication sequences.
  - 13. The device of claim 1, wherein the at least one pre-defined communication schema is pre-defined at least in part based, at least in part, on at least one of a vehicle specification of a vehicle manufacturer and an ECU specification of an ECU manufacturer of each respective ECU.
  - 14. The device of claim 13, wherein the at least one secure communication lockdown component is further configured to perform at least one of:
    - electronically obtain the at least one portion of the at least one pre-defined communication schema from at least one trusted electronic source, anddynamically generate, based at least in part on the vehicle specification, the at least one portion of the at least one pre-defined communication schema.
  - 15. The device of claim 1, wherein the unauthorized electronic message is based, at least in part, on at least one cyber threat.
  - 16. The device of claim 1, wherein the at least one secure communication lockdown procedure is further configured to generate at least one indication of the unauthorized electronic message, wherein the at least one indication is configured to identify at least one of:
    - 1) each respective electronic message as being the unauthorized electronic message, and2at least one reason why each respective electronic message has been determined to be the unauthorized electronic message.
  - 17. The device of claim 16, wherein the at least one secure communication lockdown procedure is further configured to perform at least one of:
    - log the at least one indication of the unauthorized electronic message, andtransmit the at least one indication of the unauthorized electronic message to at least one external electronic destination that is located outside of the device.
  - 18. The device of claim 1, wherein the modifying the approved electronic message with at least one pre-defined change to generate a changed approved electronic message comprises:
    - adding metadata to the approved electronic message, wherein the metadata is configured so that the approved electronic message is recognized as being approved by the device.
  - 19. The device of claim 1, wherein the at least one secure communication lockdown procedure is further configured to generate at least one indication of the at least one administrative action performed with the unauthorized electronic message.
  - 20. The device of claim 19, wherein the at least one secure communication lockdown procedure is further configured to perform at least one of:
    - log the at least one indication of the at least one administrative action performed with the unauthorized electronic message, andtransmit the at least one indication of the at least one administrative action to at least one external electronic destination that is located outside of the device.
  - 21. The device of claim 1, wherein the at least one secure communication lockdown procedure is further configured to perform at least one of:
    - generate at least one indication of the approved electronic message;
      
      log the approved electronic message, the at least one indication, or both;
      
      andtransmit the at least one indication of the approved electronic message to at least one external electronic destination that is outside of the device.

22. A method, comprising:
- incorporating, into a vehicle, a device so that the device is located within a vehicle;
  
  wherein the device is an intermediary for a plurality of communication networks of the vehicle so that the device receives all electronic messages transmitted between the plurality of communication networks;
  
  wherein the plurality of communication networks of the vehicle comprises a plurality of electronic control units (ECUs);
  
  wherein the device comprises at least one secure communication lockdown component;
  
  wherein the device comprises at least one secure communication lockdown component;
  
  wherein the at least one secure communication lockdown component is configured such that the device securely separates each respective source of each respective electronic message from each respective destination to which each respective electronic message has been directed;
  
  wherein each respective ECU of the plurality of ECUs is either each respective source or each respective destination;
  
  wherein the at least one secure communication lockdown component comprises;
  
  at least one processor programmed to execute at least one secure communication lockdown procedure andat least one non-volatile memory component, at least storing;
  
  i) at least one pre-defined communication schema, andii) at least one software instruction for the at least one secure communication lockdown procedure;
  
  wherein the at least one pre-defined communication schema comprises;
  
  1) at least one finite state machine,2) at least one pre-defined approved message dictionary, and3) at least one of;
  
  i) all pre-defined communication sequences for all electronic messages that are pre-defined based at least in part on the at least one finite state machine, and
  
  ii) all pre-defined communication protocols for all electronic messages that are pre-defined based at least in part on the at least one finite state machine;
  
  wherein the at least one finite state machine comprises;
  
  i) a plurality of states for at least one component of the vehicle, andii) a plurality of state transitions for each state of the plurality of states;
  
  wherein each state is associated with at least one state vector;
  
  wherein the at least one state vector comprises data representative of at least one of the following;
  
  i) at least one general parameter associated with at least one of;
  
  1) an overall operation of the vehicle and2) an overall condition of the vehicle,ii) at least one component-specific parameter associated with at least one operational state of the at least one component of the vehicle,iii) at least one ECU-specific parameter associated with at least one operational state of at least one ECU of the vehicle, andiv) at least one communication-specific parameter associated with at least one communication process that is associated with the vehicle;
  
  wherein the at least one state transition comprises data that is representative of a change in at least on state vector corresponding to the at least one state of the plurality of states;
  
  wherein the at least one pre-defined approved message dictionary that comprises at least one of;
  
  1) all pre-defined electronic messages that can be generated within the vehicle during all possible state transitions within the plurality of states,2) a maximal rate at which each electronic message is allowed to be sent,3) a minimal rate at which each electronic message is allowed to be sent,4) all pre-defined source-destination messaging pairs associated with the plurality of states;
  
  receiving, by the device, each respective electronic message; and
  
  executing, by the device, the at least one secure communication lockdown procedure, by at least;
  
  verifying at least one portion of each respective electronic message against;
  
  i) the at least one pre-defined approved message dictionary andii) the at least one finite state machine;
  
  determining, based on the verification of the at least one portion of each respective electronic message, that each respective electronic message is;
  
  i) an unauthorized electronic message in accordance with the at least one pre-defined communication schema orii) an approved electronic message in accordance with the at least one pre-defined communication schema; and
  
  performing one of;
  
  i) executing at least one administrative action with the unauthorized electronic message orii) one of;
  
  1) transmitting the approved electronic message to each respective destination or2) modifying the approved electronic message with at least one pre-defined change to generate a changed approved electronic message and transmitting the changed approved electronic message to each respective destination.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The method of claim 22, wherein a source of at least one electronic message of all electronic messages received by the device or at least one destination of the at least one electronic message of all electronic messages received by the device is located outside of the vehicle.
  - 24. The method of claim 22, wherein the at least one finite state machine further comprises the at least one pre-defined approved message dictionary.
  - 25. The method of claim 22, wherein the at least one administrative action is at least one of:
    - 1) dropping the unauthorized electronic message,2) erasing the unauthorized electronic message, and3) logging the unauthorized electronic message.
  - 26. The method of claim 22,wherein the unauthorized electronic message is a message that:
    - 1) has no a corresponding state transition of the at least one finite state machine,2) is configured to cause at least one unapproved change in at least one corresponding state vector of the at least one finite state machine, or3) both; and
      
      wherein the determination that each respective electronic message is the unauthorized electronic message comprises;
      
      querying the at least one pre-defined approved message dictionary based at least in part in on data from the at least one portion of each respective electronic message; and
      
      determining that the data is no found in the at least one pre-defined approved message dictionary or is invalid.
  - 27. The method of claim 22, wherein, for each of the all pre-defined electronic messages, the at least one pre-defined approved message dictionary further comprises:
    - at least one pre-defined message structure definition andat least one pre-defined value of each message parameter.
  - 28. The method of claim 22, wherein the at least one secure communication lockdown component is configured so that the at least one pre-defined communication schema is programmed in the form, comprising:
    - 1) a data logical layer that represents all pre-defined electronic messages of the at least one pre-defined approved message dictionary,2) a routing logical layer that represents all pre-defined source-destination messaging pairs of the at least one pre-defined approved message dictionary, and3) a context logical layer that represents all pre-defined communication sequences.
  - 29. The method of claim 22,wherein the at least one pre-defined communication schema is pre-defined at least in part based, at least in part, on at least one of:
    - a vehicle specification of a vehicle manufacturer andan ECU specification of an ECU manufacturer of each respective ECU; and
      
      performing at least one of;
      
      electronically obtaining the at least one portion of the at least one pre-defined communication schema from at least one trusted electronic source, anddynamically generating, based at least in part on the vehicle specification, the at least one portion of the at least one pre-defined communication schema.
  - 30. The method of claim 22, wherein the unauthorized electronic message is based, at least in part, on at least one cyber threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardknox Cyber Technologies Ltd.
Original Assignee
Guardknox Cyber Technologies Ltd.
Inventors
Teshler, Dionis, Shlisel, Moshe, Nadav, Idan
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/486,055
Publication Number

US 20170295182A1
Time in Patent Office

272 Days
Field of Search
US Class Current
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 67/34   involving the movement of s...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 4/40   for vehicles, e.g. vehicle-...

Specially programmed computing systems with associated devices configured to implement secure communication lockdowns and methods of use thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Specially programmed computing systems with associated devices configured to implement secure communication lockdowns and methods of use thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others