Systems and methods for identifying message payload bit fields in electronic communications

US 9,906,545 B1
Filed: 11/22/2016
Issued: 02/27/2018
Est. Priority Date: 11/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying message payload bit fields in electronic communications, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

monitoring, at the computing device, messages transmitted via a network;

selecting, at the computing device, a plurality of messages transmitted via the network, each of the plurality of messages comprising an identical message identifier corresponding to a specified message type having a payload;

determining, at the computing device, for each bit position in the payload of the specified message type, a quasi-entropy value based on a proportion of occurrences of a first bit value and a proportion of occurrences of a second bit value at each corresponding bit position in the plurality of messages;

identifying, at the computing device, at least one continuous bit field based on bit flip rate values in the payload;

identifying, at the computing device, at least one of a near-random/periodic bit field and a constant bit field within the specified message type based on the determined quasi-entropy values, wherein identifying the near-random/periodic bit field comprises identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 1 and wherein identifying the constant bit field comprise identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 0;

detecting, at the computing device, at least one additional message of the specified message type transmitted via the network; and

identifying, at the computing device, at least one anomaly in at least one of the at least one of the near-random/periodic bit field and the constant bit field of the at least one additional message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for identifying message payload bit fields in electronic communications may include (i) monitoring messages transmitted via a network, (ii) selecting a plurality of messages transmitted via the network, each of the plurality of messages comprising an identical message identifier corresponding to a specified message type having a payload, (iii) determining for each bit position in the payload of the specified message type, a quasi-entropy value based on a proportion of occurrences of a first bit value and a proportion of occurrences of a second bit value at each corresponding bit position in the plurality of messages, and (iv) identifying at least one of a near-random bit field, a periodic bit field, and a constant bit field within the specified message type based on the determined quasi-entropy values. Various other methods, systems, and computer-readable media are also disclosed.

62 Citations

View as Search Results

20 Claims

1. A computer-implemented method for identifying message payload bit fields in electronic communications, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- monitoring, at the computing device, messages transmitted via a network;
  
  selecting, at the computing device, a plurality of messages transmitted via the network, each of the plurality of messages comprising an identical message identifier corresponding to a specified message type having a payload;
  
  determining, at the computing device, for each bit position in the payload of the specified message type, a quasi-entropy value based on a proportion of occurrences of a first bit value and a proportion of occurrences of a second bit value at each corresponding bit position in the plurality of messages;
  
  identifying, at the computing device, at least one continuous bit field based on bit flip rate values in the payload;
  
  identifying, at the computing device, at least one of a near-random/periodic bit field and a constant bit field within the specified message type based on the determined quasi-entropy values, wherein identifying the near-random/periodic bit field comprises identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 1 and wherein identifying the constant bit field comprise identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 0;
  
  detecting, at the computing device, at least one additional message of the specified message type transmitted via the network; and
  
  identifying, at the computing device, at least one anomaly in at least one of the at least one of the near-random/periodic bit field and the constant bit field of the at least one additional message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1,wherein, for each bit position of a plurality of bit positions in the payload of the specified message type, the bit flip rate values are determined based on the occurrences of the first bit value and the occurrences of second bit value at each corresponding bit position in the plurality of messages,wherein the bit flip rate values are for bit positions that are not located within the near-random/periodic bit field or the constant bit field.
  - 3. The method of claim 1, wherein identifying the at least one continuous bit field comprises identifying a boundary of a continuous bit field by detecting an increase in a bit flip rate at a bit position in comparison with an adjacent bit position.
  - 4. The method of claim 3, wherein the bit position at which the increase in the bit flip rate is identified comprises a bit position following the adjacent bit position when proceeding bit-wise from a least significant bit position to a most significant bit position, wherein the least significant bit position comprises the continuous bit field located directly adjacent to the near-random/periodic bit field, and wherein the most significant bit position comprises the continuous bit field located non-adjacent to the near-random/periodic bit field.
  - 5. The method of claim 1, wherein identifying the at least one continuous bit field comprises identifying a boundary of a continuous bit field that is adjacent to the at least one of the near-random/periodic bit field and the constant bit field.
  - 6. The method of claim 1, further comprising generating, at the computing device, a model based on the at least one continuous bit field and the at least one of the near-random/periodic bit field and the constant bit field.
  - 7. The method of claim 6, further comprising:
    - determining, at the computing device, based on the model, whether the at least one additional message includes the at least one anomaly.
  - 8. The method of claim 6, further comprising performing a security action in response to determining that the at least one additional message includes at least one anomaly.
  - 9. The method of claim 6, further comprising:
    - updating, at the computing device, the model based on the at least one additional message.
  - 10. The method of claim 9, further comprising changing, at the computing device, a boundary of at least one of the at least one continuous bit field and the at least one of the near-random/periodic bit field and the constant bit field based on the at least one additional message.
  - 11. The method of claim 1, further comprising:
    - identifying, at the computing device, the at least one of the near-random/periodic bit field and the constant bit field within the at least one additional message.
  - 12. The method of claim 1, wherein the network comprises a controller area network bus.
  - 13. The method of claim 12, wherein the message identifier corresponding to the specified message type comprises a controller area network identifier.
  - 14. The method of claim 1, wherein determining, for each bit position in the payload of the specified message type, the quasi-entropy value further comprises multiplying a relative proportion of the first bit value at each corresponding bit position in the plurality of messages by a relative proportion of the second bit value at each corresponding bit position in the plurality of messages.
  - 15. The method of claim 1, wherein determining, for each bit position in the payload of the specified message type, the quasi-entropy value further comprises calculating the quasi-entropy value according to the following Equation (1):
    - QE=K×
      
      (p₀×
      
      p₁)²
      
      (1)where;
      
      QE is the quasi-entropy value;
      
      K is a constant value;
      
      p₀is a ratio of the total number of occurrences of the first bit value to the total number of messages of the plurality of messages; and
      
      p₁is a ratio of the total number of occurrences of the second bit value to the total number of messages of the plurality of messages.
  - 16. The method of claim 1, wherein identifying at least one of a near-random/periodic bit field and a constant bit field within the specified message type based on the determined quasi-entropy values further comprises identifying two or more consecutive bit fields having a quasi-entropy value that is greater than or equal to a threshold value.
  - 17. The method of claim 1, wherein identifying at least one of a near-random/periodic bit field and a constant bit field within the specified message type based on the determined quasi-entropy values further comprises identifying two or more consecutive bit fields having a quasi-entropy value that is equal to zero.

18. A system for identifying message payload bit fields in electronic communications, the system comprising:
- a monitoring module, stored in memory, that monitors, at a computing device, messages transmitted via a network;
  
  a selecting module, stored in memory, that selects, at the computing device, a plurality of messages transmitted via the network, each of the plurality of messages comprising an identical message identifier corresponding to a specified message type having a payload;
  
  a determining module, stored in memory, that determines, at the computing device, for each bit position in the payload of the specified message type, a quasi-entropy value based on a proportion of occurrences of a first bit value and a proportion of occurrences of a second bit value at each corresponding bit position in the plurality of messages;
  
  an identifying module, stored in memory, that;
  
  identifies, at the computing device, at least one continuous bit field based on bit flip rate values in the payload;
  
  identifies, at the computing device, at least one of a near-random/periodic bit field and a constant bit field within the specified message type based on the determined quasi-entropy values, wherein identifying the near-random/periodic bit field comprises identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 1 and wherein identifying the constant bit field comprise identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 0;
  
  detects, at the computing device, at least one additional message of the specified message type transmitted via the network; and
  
  identifies, at the computing device, an anomaly in at least one of the at least one of the near-random/periodic bit field and the constant bit field of the at least one additional message; and
  
  at least one physical processor that executes the monitoring module, the selecting module, the determining module, and the identifying module.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein, for each bit position of a plurality of bit positions in the payload of the specified message type, the bit flip rate values are determined based on the occurrences of the first bit value and the occurrences of second bit value at each corresponding bit position in the plurality of messages, wherein the bit flip rate values are for bit positions that are not located within the near-random/periodic bit field or the constant bit field.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- monitor messages transmitted via a network;
  
  select a plurality of messages transmitted via the network, each of the plurality of messages comprising an identical message identifier corresponding to a specified message type having a payload;
  
  determine, for each bit position in the payload of the specified message type, a quasi-entropy value based on a proportion of occurrences of a first bit value and a proportion of occurrences of a second bit value at each corresponding bit position in the plurality of messages;
  
  identify at least one continuous bit field based on bit flip rate values in the payload;
  
  identify at least one of a near-random/periodic bit field and a constant bit field within the specified message type based on the determined quasi-entropy values, wherein identifying the near-random/periodic bit field comprises identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 1 and wherein identifying the constant bit field comprise identifying a bit field comprising a plurality of adjacent bit positions each having a quasi-entropy value of 0;
  
  detect at least one additional message of the specified message type transmitted via the network; and
  
  identify an anomaly in at least one of the at least one of the near-random/periodic bit field and the constant bit field of the at least one additional message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Zhao, Zhipeng, Pukish, Michael, Zhu, Chaopin, Agarwal, Preeti
Primary Examiner(s)
Shaw, Peter

Application Number

US15/359,076
Time in Patent Office

462 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/12   specially adapted for propr...

Systems and methods for identifying message payload bit fields in electronic communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for identifying message payload bit fields in electronic communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others