Systems and methods for in-vehicle network intrusion detection
First Claim
1. A system comprising:
- a first microcontroller arranged in a vehicle comprising:
  - a first core configured to obtain one or more network messages from one or more communication buses of the vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  - memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  - a second core connected to the memory and configured to:
    - read the one or more network messages from the memory;
    - detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
    - generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
    - generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
- a second microcontroller arranged in the vehicle, wherein the second microcontroller is connected to the first core of the first microcontroller, and wherein the second microcontroller is configured to:
  - obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  - transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
- wherein the second microcontroller comprises a network stack configured to facilitate wireless transmission of the one or more transmitted incident logs via the wireless transmitter; and
- wherein the second core of the first microcontroller does not possess direct access to the network stack.
Abstract
A system for in-vehicle network intrusion detection includes a microcontroller having first and second cores and memory. The first core may be configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle. The memory may be configured to store the one or more network messages obtained by the first core. The second core may be configured to: (i) read the one or more network messages from the memory; (ii) detect whether at least some of the one or more events constitute an anomaly based on predefined rules; (iii) generate one or more resident incident logs including metadata associated with one or more detected anomalous events based on the detected anomaly event data; and (iv) generate one or more transmitted incident logs based on the one or more resident incident logs.
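The second core's pipeline described in the abstract, as an added C example that is not code from the patent. The CAN-style message layout, the three rule types (unknown ID, wrong length, frames arriving too fast), the log field layouts and the sample traffic are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names, fields and rules below are assumptions, not from the patent. */
typedef struct { uint32_t t_ms; uint16_t id; uint8_t dlc; uint8_t data[8]; } can_msg_t;
typedef struct { uint16_t id; uint8_t dlc; uint32_t min_gap_ms; } rule_t;
enum { R_OK = 0, R_UNKNOWN_ID, R_BAD_DLC, R_TOO_FAST };
typedef struct { uint32_t seq, t_ms; uint16_t id; uint8_t reason, dlc, data[8]; } resident_log_t;
typedef struct { uint32_t seq, t_ms; uint16_t id; uint8_t reason; } tx_log_t; /* reduced copy */

static const rule_t RULES[] = { {0x0C4, 8, 10}, {0x1A0, 4, 100} }; /* constructed rules */
#define N_RULES (sizeof RULES / sizeof RULES[0])
static const can_msg_t SAMPLE[] = {             /* constructed bus traffic */
    { 0, 0x0C4, 8, {0}}, {12, 0x0C4, 8, {0}},   /* within policy */
    {15, 0x0C4, 8, {0}},                        /* only 3 ms after the previous frame */
    {20, 0x555, 8, {0}}, {30, 0x1A0, 8, {0}},   /* ID not in RULES; DLC 8 where 4 expected */
};

/* Second core: read messages buffered by the first core, apply the
   predefined rules, and write one resident log per anomalous event. */
size_t detect(const can_msg_t *buf, size_t n, resident_log_t *out, size_t cap) {
    uint32_t last[N_RULES] = {0};
    uint8_t seen[N_RULES] = {0};
    size_t n_logs = 0;
    for (size_t i = 0; i < n && n_logs < cap; i++) {
        const can_msg_t *m = &buf[i];
        uint8_t reason = R_UNKNOWN_ID;          /* default until a rule matches the ID */
        for (size_t r = 0; r < N_RULES; r++) {
            if (RULES[r].id != m->id) continue;
            if (m->dlc != RULES[r].dlc) reason = R_BAD_DLC;
            else if (seen[r] && m->t_ms - last[r] < RULES[r].min_gap_ms) reason = R_TOO_FAST;
            else reason = R_OK;
            seen[r] = 1; last[r] = m->t_ms;
            break;
        }
        if (reason == R_OK) continue;
        resident_log_t *l = &out[n_logs];
        l->seq = (uint32_t)n_logs++; l->t_ms = m->t_ms; l->id = m->id;
        l->reason = reason; l->dlc = m->dlc;
        memcpy(l->data, m->data, sizeof l->data);
    }
    return n_logs;
}

/* One transmitted log per resident log. The result is only handed back for
   forwarding; this core makes no call into any network stack. */
size_t to_transmitted(const resident_log_t *res, size_t n, tx_log_t *out, size_t cap) {
    size_t k = 0;
    for (; k < n && k < cap; k++)
        out[k] = (tx_log_t){ res[k].seq, res[k].t_ms, res[k].id, res[k].reason };
    return k;
}
```

The transmitted record here drops the payload bytes, so only the metadata needed for remote triage leaves the first microcontroller.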
16 Citations
17 Claims
1. A system comprising:
- a first microcontroller arranged in a vehicle comprising:
  - a first core configured to obtain one or more network messages from one or more communication buses of the vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  - memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  - a second core connected to the memory and configured to:
    - read the one or more network messages from the memory;
    - detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
    - generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
    - generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
- a second microcontroller arranged in the vehicle, wherein the second microcontroller is connected to the first core of the first microcontroller, and wherein the second microcontroller is configured to:
  - obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  - transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
- wherein the second microcontroller comprises a network stack configured to facilitate wireless transmission of the one or more transmitted incident logs via the wireless transmitter; and
- wherein the second core of the first microcontroller does not possess direct access to the network stack.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system comprising:
- a first microcontroller comprising:
  - a first core configured to obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  - memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  - a second core connected to the memory and configured to:
    - read the one or more network messages from the memory;
    - detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
    - generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
    - generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
- a second microcontroller connected to the first core of the first microcontroller, wherein the second microcontroller is configured to:
  - obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  - transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
- wherein the remote computing system is configured to:
  - obtain the one or more transmitted incident logs from the second microcontroller via the wireless transmitter;
  - generate at least one of the following commands based on the one or more transmitted incident logs:
    - a log control command; and
    - an intrusion response command; and
  - transmit the log control command to the second microcontroller via the wireless transmitter, and
- wherein the log control command instructs the first microcontroller to perform at least one of the following:
  - erase at least one resident incident log of the one or more resident incident logs;
  - adjust a memory allocation for at least one of the one or more resident incident logs;
  - transmit at least one of the one or more resident incident logs to the remote computing system;
  - adjust content of at least one of the one or more resident incident logs prior to transmission;
  - adjust a log transmission rate associated, wherein the log transmission rate describes a frequency at which transmitted incident logs are transmitted from the first microcontroller to the remote computing system; and
  - restrict a data size of the one or more transmitted incident logs.

Dependent claims: 14

15. A system comprising:
- a first microcontroller comprising:
  - a first core configured to obtain one or more network messages from one or more communication buses of a vehicle, wherein the one or more network messages describe one or more events associated with the vehicle;
  - memory connected to the first core and configured to store the one or more network messages obtained by the first core; and
  - a second core connected to the memory and configured to:
    - read the one or more network messages from the memory;
    - detect whether at least some of the one or more events constitute an anomaly based on predefined rules;
    - generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and
    - generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log; and
- a second microcontroller connected to the first core of the first microcontroller, wherein the second microcontroller is configured to:
  - obtain the one or more transmitted incident logs from the first core of the first microcontroller; and
  - transmit the one or more transmitted incident logs to a remote computing system via a wireless transmitter;
- wherein the remote computing system is further configured to:
  - generate at least one of the following commands based on the one or more transmitted incident logs:
    - a log control command; and
    - an intrusion response command;
  - generate an acknowledgment signal in response to obtaining the one or more transmitted incident logs; and
  - transmit the acknowledgement signal to the second microcontroller via the wireless transmitter.

Dependent claims: 16, 17

Specification