ANOMALY DETECTION FOR VEHICULAR NETWORKS FOR INTRUSION AND MALFUNCTION DETECTION

US 20160188876A1
Filed: 09/17/2015
Published: 06/30/2016
Est. Priority Date: 12/30/2014
Status: Active Grant

First Claim

Patent Images

1. A Support Vector Machine (SVM) classifier training device comprising:

a computer programmed to train a Support Vector Machine (SVM) one-class classifier using a Radial Basis Function (RBF) kernel to perform security monitoring of a controller area network (CAN) bus employing a message-based communication protocol by operations including;

receiving a training set comprising vectors with associated times representing CAN bus messages;

calculating a hyperplane curvature parameter γ

functionally dependent on message density in time; and

training the SVM one-class classifier on the training set using the calculated γ

.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security monitoring system for a Controller Area Network (CAN) comprises an Electronic Control Unit (ECU) operatively connected to the CAN bus. The ECU is programmed to classify a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel. The classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ=ƒ(D) where ƒ( ) denotes a function and D denotes CAN bus message density as a function of time. In some such embodiments γ=ƒ(Var(D)) where Var(D) denotes the variance of the CAN bus message density as a function of time. The security monitoring system may be installed in a vehicle (e.g. automobile, truck, watercraft, aircraft) including a vehicle CAN bus, with the ECU operatively connected to the vehicle CAN bus to read messages communicated on the CAN bus. By not relying on any proprietary knowledge of arbitration IDs from manufacturers through their dbc files, this anomaly detector truly functions as a zero knowledge detector.

43 Citations

View as Search Results

23 Claims

1. A Support Vector Machine (SVM) classifier training device comprising:
- a computer programmed to train a Support Vector Machine (SVM) one-class classifier using a Radial Basis Function (RBF) kernel to perform security monitoring of a controller area network (CAN) bus employing a message-based communication protocol by operations including;
  
  receiving a training set comprising vectors with associated times representing CAN bus messages;
  
  calculating a hyperplane curvature parameter γ
  
  functionally dependent on message density in time; and
  
  training the SVM one-class classifier on the training set using the calculated γ
  
  .
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The SVM classifier training system of claim 1 wherein the operations further include:
    - determining a hyperplane granularity parameter ε
      
      by repeating the training for a grid of candidate ε
      
      values using a grid search.
  - 3. The SVM classifier training system of claim 1 wherein the computer comprises a cloud-based computing resource, a parallel processor system, or a cluster computer.
  - 4. The SVM classifier training system of claim 1 wherein the SVM kernel is a kernel K calculated using the equation:
    - K(x_i−
      
      x_j)=e^{−
      
      γ
      
      ∥
      
      (x}ⁱ^-x^j^)∥²where xε
      
      and γ
      
      >
      
      0where is the set of all real numbers, γ
      
      represents the curvature of the hyperplane, and x_iand x_jare features of the training set.
  - 5. The SVM classifier training system of claim 4 wherein γ
    - is calculated using the equation;
  - 6. The SVM classifier training system of claim 1 wherein γ
    - =ƒ
      
      (D) where where ƒ
      
      ( ) denotes a function and D denotes message density in time.
  - 7. The SVM classifier training system of claim 1 wherein γ
    - =ƒ
      
      (Var(D)) where ƒ
      
      ( ) denotes a function and D denotes message density in time and Var(D) denotes variance of the message density in time.
  - 8. The SVM classifier training system of claim 1 wherein the data set contains only normal messages of a CAN bus and the training comprises training the SVM one-class classifier to minimize one of (i) false positives and (ii) false negatives.
  - 9. The SVM classifier training system of claim 1 wherein the operations further comprise:
    - setting a tuning parameter ν
      
      specifying a minimum number of Support Vectors to 520.
  - 10. The SVM classifier training system of claim 1 wherein the computer is further programmed to:
    - receive at least one additional training subset; and
      
      repeat the operations performed on the training set on the at least one additional training subset.
  - 11. The SVM classifier training system of claim 1 wherein the training set comprises CAN bus messages acquired over at least one time interval from a vehicle, and the computer is further programmed to:
    - generate an SVM-based anomaly detector configured to execute on a vehicle-grade Electronic Control Unit (ECU) based on the trained SVM one-class classifier.
  - 12. The SVM classifier training system of claim 11 wherein the operation of generating the SVM-based anomaly detector configured to execute on a vehicle-grade ECU comprises:
    - replacing the calculated high precision hyperplane curvature parameter γ
      
      with a resource-constrained-hardware-compatible hyperplane curvature parameter γ
      
      .
  - 13. A system comprising:
    - a trained Support Vector Machine (SVM) one-class classifier configured by receiving information from a SVM classifier training system as set forth in claim 1;
      
      an unseen ID unit configured to receive information from an observed ID list; and
      
      an alerting module configured to receive information from the unseen ID unit and the SVM classifier.
  - 14. The system of claim 13, wherein:
    - the unseen ID unit receives a message from an electronic control unit (ECU) transceiver;
      
      if the unseen ID unit determines that the message is not on an observed ID list, the unseen ID unit sends a binary indicator to the alerting module indicating that message is not on the observed ID list; and
      
      if the unseen ID unit determines that the message is on the observed ID list, the unseen ID unit sends the message to the trained SVM one-class classifier.
  - 15. A system as in claim 13 further comprising:
    - a vehicle including a vehicle controller area network (CAN) bus employing a message-based communication protocol; and
      
      an electronic control unit (ECU) installed on the vehicle CAN bus and programmed to execute an anomaly detector comprising the trained SVM one-class classifier, the unseen ID unit, and the alerting module.

16. A security monitoring system for a Controller Area Network (CAN) comprising an Electronic Control Unit (ECU) operatively connected to a CAN bus to read messages communicated on the CAN bus, the ECU programmed to perform a security monitoring method comprising:
- classifying a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel;
  
  wherein the classifying includes computing a hyperplane curvature parameter γ
  
  of the RBF kernel as γ
  
  =ƒ
  
  (D) where ƒ
  
  ( ) denotes a function and D denotes CAN bus message density as a function of time.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The security monitoring system of claim 16 wherein:
    - the classifying includes computing the hyperplane curvature parameter γ
      
      of the RBF kernel as γ
      
      =ƒ
      
      (Var(D)) where Var(D) denotes the variance of the CAN bus message density as a function of time.
  - 18. The security monitoring system of claim 17 wherein:
    - the classifying includes computing the hyperplane curvature parameter γ
      
      of the RBF kernel as;
  - 19. The security monitoring system of claim 16 wherein the SVM-based classifier with the RBF kernel includes at least ν
    - =520 Support Vectors.
  - 20. The security monitoring system of claim 16 wherein the security monitoring method further comprises:
    - comparing the arbitration identifier (ID) of a message read from the CAN bus against a list of arbitration IDs, wherein the message is either (1) classified as anomalous if the arbitration ID of the message is not contained in the list of arbitration IDs or (2) passed to the classifying operation using the SVM-based classifier with the RBF kernel if the arbitration ID of the message is contained in the list of arbitration IDs.
  - 21. A vehicle comprising:
    - an automobile, truck, watercraft, or aircraft including a vehicle Controller Area Network (CAN) bus; and
      
      a security monitoring system as set forth in claim 16 comprising an Electronic Control Unit (ECU) operatively connected to the vehicle CAN bus to read messages communicated on the CAN bus.

22. A method comprising:
- (1) receiving a first data subset of controller area network bus (CAN bus) messages;
  
  (2) creating a hyperplane based on the first data subset;
  
  (3) receiving an additional data subset of CAN bus messages; and
  
  (4) creating an additional hyperplane based on the additional data subset;
  
  wherein operations (3) and (4) are repeated at least one time.
- View Dependent Claims (23)
- - 23. The method of claim 22 wherein a lowest number of false positives hyperplane is selected from all created hyperplanes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Battelle Memorial Institute
Original Assignee
Battelle Memorial Institute
Inventors
Harris, Brad, Sonalker, Anuja, Mayhew, Kevin

Granted Patent

US 9,792,435 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

ANOMALY DETECTION FOR VEHICULAR NETWORKS FOR INTRUSION AND MALFUNCTION DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

ANOMALY DETECTION FOR VEHICULAR NETWORKS FOR INTRUSION AND MALFUNCTION DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links