Systems and methods for in-vehicle network intrusion detection

US 10,686,815 B2
Filed: 09/11/2017
Issued: 06/16/2020
Est. Priority Date: 09/11/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first microcontroller arranged in a vehicle comprising;

a first core configured to obtain one or more network messages from one or more communication buses of the vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;

memory connected to the first core and configured to store the one or more network messages obtained by the first core; and

a second core connected to the memory and configured to;

read the one or more network messages from the memory;

detect whether at least some of the one or more events constitute an anomaly based on predefined rules;

generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and

generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and

a second microcontroller arranged in the vehicle, wherein the second microcontroller is connected to the first core of the first microcontroller, and wherein the second microcontroller is configured to;

obtain the one or more transmitted incident logs from the first core of the first microcontroller; and

transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;

wherein the second microcontroller comprises a network stack configured to facilitate wireless transmission of the one or more transmitted incident logs via the wireless transmitter; and

wherein the second core of the first microcontroller does not possess direct access to the network stack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for in-vehicle network intrusion detection includes a microcontroller having first and second cores and memory. The first core may be configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle. The memory may be configured to store the one or more network messages obtained by the first core. The second core may be configured to: (i) read the one or more network messages from the memory; (ii) detect whether at least some of the one or more events constitute an anomaly based on predefined rules; (iii) generate one or more resident incident logs including metadata associated with one or more detected anomalous events based on the detected anomaly event data; and (iv) generate one or more transmitted incident logs based on the one or more resident incident logs.

16 Citations

View as Search Results

17 Claims

1. A system comprising:
- a first microcontroller arranged in a vehicle comprising;
  
  a first core configured to obtain one or more network messages from one or more communication buses of the vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  
  memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  
  a second core connected to the memory and configured to;
  
  read the one or more network messages from the memory;
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  a second microcontroller arranged in the vehicle, wherein the second microcontroller is connected to the first core of the first microcontroller, and wherein the second microcontroller is configured to;
  
  obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  
  transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
  
  wherein the second microcontroller comprises a network stack configured to facilitate wireless transmission of the one or more transmitted incident logs via the wireless transmitter; and
  
  wherein the second core of the first microcontroller does not possess direct access to the network stack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the second microcontroller is further configured to:
    - generate an acknowledgement signal in response to obtaining the one or more transmitted incident logs; and
      
      transmit the acknowledgment signal to the first microcontroller.
  - 3. The system of claim 1, further comprising the remote computing system, wherein the remote computing system is configured to:
    - obtain the one or more transmitted incident logs from the second microcontroller via the wireless transmitter; and
      
      generate at least one of the following commands based on the one or more transmitted incident logs;
      
      a log control command; and
      
      an intrusion response command.
  - 4. The system of claim 1, wherein the one or more network messages comprise at least one of:
    - controller area network (CAN) messages from one or more CAN buses of the vehicle; and
      
      Ethernet messages from one or more Ethernet buses of the vehicle.
  - 5. The system of claim 1, wherein the memory comprises shared memory that is only directly accessible by the first core and the second core of the first microcontroller.
  - 6. The system of claim 1, wherein the second core of the first microcontroller is further configured to write the one or more resident incident logs and the one or more transmitted incident logs to the memory.
  - 7. The system of claim 6, wherein the memory comprises secured random access (RAM) memory.
  - 8. The system of claim 6, wherein the memory comprises secured non-volatile memory (NVM).
  - 9. The system of claim 1, wherein the second core of the first microcontroller is configured to write the one or more resident incident logs and the one or more transmitted incident logs to the secured non-volatile memory prior to the memory losing power.
  - 10. The system of claim 1, wherein the first core of the first microcontroller is further configured to write the one or more network messages obtained from the one or more communication buses to the memory.
  - 11. The system of claim 1, wherein the predefined rules are based, at least in part, on operating state parameters of the vehicle.
  - 12. The system of claim 1, wherein each of the one or more transmitted incident logs comprises less metadata than its corresponding resident incident log.

13. A system comprising:
- a first microcontroller comprising;
  
  a first core configured to obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  
  memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  
  a second core connected to the memory and configured to;
  
  read the one or more network messages from the memory;
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  a second microcontroller connected to the first core of the first microcontroller, wherein the second microcontroller is configured to;
  
  obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  
  transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
  
  wherein the remote computing system is configured to;
  
  obtain the one or more transmitted incident logs from the second microcontroller via the wireless transmitter;
  
  generate at least one of the following commands based on the one or more transmitted incident logs;
  
  a log control command; and
  
  an intrusion response command; and
  
  transmit the log control command to the second microcontroller via the wireless transmitter, and wherein the log control command instructs the first microcontroller to perform at least one of the following;
  
  erase at least one resident incident log of the one or more resident incident logs;
  
  adjust a memory allocation for at least one of the one or more resident incident logs;
  
  transmit at least one of the one or more resident incident logs to the remote computing system;
  
  adjust content of at least one of the one or more resident incident logs prior to transmission;
  
  adjust a log transmission rate associated, wherein the log transmission rate describes a frequency at which transmitted incident logs are transmitted from the first microcontroller to the remote computing system; and
  
  restrict a data size of the one or more transmitted incident logs.
- View Dependent Claims (14)
- - 14. The system of claim 13, wherein the remote computing system is further configured to transmit the intrusion response command to the second microcontroller via the wireless transmitter, and wherein the intrusion response command instructs the first microcontroller to perform at least one of the following:
    - restrict communications from at least one of the one or more communication buses; and
      
      illuminate a malfunction indicator light (MIL) of the vehicle.

15. A system comprising:
- a first microcontroller comprising;
  
  a first core configured to obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  
  memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  
  a second core connected to the memory and configured to;
  
  read the one or more network messages from the memory;
  
  detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
  
  generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
  
  generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
  
  a second microcontroller connected to the first core of the first microcontroller, wherein the second microcontroller is configured to;
  
  obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  
  transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
  
  wherein the remote computing system is further configured to;
  
  generate at least one of the following commands based on the one or more transmitted incident logs;
  
  a log control command; and
  
  an intrusion response command;
  
  generate an acknowledgment signal in response to obtaining the one or more transmitted incident logs; and
  
  transmit the acknowledgement signal to the second microcontroller via the wireless transmitter.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the first core of the first microcontroller is further configured to:
    - obtain the acknowledgement signal from the second microcontroller; and
      
      write the acknowledgment signal to the memory.
  - 17. The system of claim 16, wherein the second core of the first microcontroller is further configured to:
    - read the acknowledgment from the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Ploucha, Joseph E., Kupfer, Samuel B.
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US15/700,605
Publication Number

US 20190081966A1
Time in Patent Office

1,009 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/40   Bus networks

H04L 2012/40215   Controller Area Network CAN

H04L 2012/40273   the transportation system b...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/025   for remote control or remot...

H04L 67/12   specially adapted for propr...

H04L 67/535   Tracking the activity of th...

H04W 4/44   for communication between v...

Systems and methods for in-vehicle network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for in-vehicle network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links